Commit Graph

3266 Commits

Author SHA1 Message Date
Jason A. Donenfeld
2fedf023e4 wireguard: bump to 0.0.20191127
* messages: recalculate rekey max based on a one minute flood
* allowedips: safely dereference rcu roots
* socket: remove redundant check of new4
* allowedips: avoid double lock in selftest error case
* tools: add syncconf command

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-11-27 20:20:31 +01:00
Kevin Darbyshire-Bryant
f1ca277405 dnsmasq: correct sense & usage of dnsseccheckunsigned
dnsmasq v2.80 made 'dnssec-check-unsigned' the default, thus the uci
option was rendered ineffectual: we checked unsigned zones no matter the
setting.

Disabling the checking of unsigned zones is now achieve with the
"--dnssec-check-unsigned=no" dnsmasq option.

Update init script to pass required option in the disabled case.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-11-23 08:29:15 +00:00
Jo-Philipp Wich
482114d3f7 firewall: update to latest Git HEAD
8174814 utils: persist effective extra_src and extra_dest options in state file
72a486f zones: fix emitting match rules for zones with only "extra" options

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-11-22 18:53:57 +01:00
Kevin Darbyshire-Bryant
3cee6f3f24 netifd: dhcp proto convert release to norelease
Change dhcp no/release on shutdown to 'norelease' uci option to match
existing proto dhcpv6 usage.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2019-11-20 10:52:57 +00:00
John Crispin
60fb4c92b6 hostapd: add ubus reload
Add ubus interface to hostapd and wpa_supplicant to allow dynamically
reloading wiface configuration without having to restart the hostapd
process.
As a consequence, both hostapd and wpa_supplicant are now started
persistently on boot for each wifi device in the system and then
receive ubus calls adding, modifying or removing interface
configuration.
At a later stage it would be desirable to reduce the services to one
single instance managing all radios.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-11-12 11:52:26 +01:00
Daniel Golle
155ede4f1f netifd: add dynamic wireless reconfiguration
7a723d0 wireless: add ubus method for reloading configuration
 e15147c wireless: make reconf opt-in and allow serializing configuration

Set new option 'reconf' in 'wifi-device' section to enable dynamic
re-configuration on that radio.
If necessary, also set option 'serialize' which forced netifd to
configure interfaces of wireless devices one-by-one.
Both options are disabled by default.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-11-12 11:51:36 +01:00
DENG Qingfang
2ea8cd73fe ipset: update to 7.4
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-11-09 14:33:42 +01:00
Hauke Mehrtens
e926681387 swconfig: Activate LTO compile option
This decreases the size of the swconfig application by 25% on MIPS BE.

old:
16,916 /sbin/swconfig

new:
12,565 /sbin/swconfig

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-11-08 23:57:53 +01:00
Hauke Mehrtens
6596c95eca dnsmasq: Activate LTO
This decreases the binary size when PIE ASLR is activated by 8% on MIPS BE.

old:
202,020 /usr/sbin/dnsmasq

new:
185,676 /usr/sbin/dnsmasq

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-11-08 23:57:51 +01:00
David Bauer
3034f8c3b8 hostapd: enable PMKSA and OK caching for WPA3-Personal
This enables PMKSA and opportunistic key caching by default for
WPA2/WPA3-Personal, WPA3-Personal and OWE auth types.
Otherwise, Apple devices won't connect to the WPA3 network.

This should not degrade security, as there's no external authentication
provider.

Tested with OCEDO Koala and iPhone 7 (iOS 13.1).

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-11-04 18:46:54 +01:00
Kyle Copperfield
87f9292300 hostapd: add IEEE 802.11k support
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Enables radio resource management to be reported by hostapd to clients.

Ref: https://github.com/lede-project/source/pull/1430
Co-developed-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2019-11-02 20:51:52 +01:00
Hauke Mehrtens
ddab758997 lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
When ASLR_PIE was activated globally these drivers failed to build
because the user space LDFLAGS leaked into the kernel build process.
This was fixed in upstream Linux kernel commit ce99d0bf312d ("kbuild:
clear LDFLAGS in the top Makefile") which went into Linux 4.17. The
lantiq target is now on Linux 4.19 only and these exceptions are not
needed any more.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-11-01 21:19:40 +01:00
Yousong Zhou
289d532ddd dropbear: rebuild libs on config change
Required as dependency on dropbear config headers is not tracked in
dropbear build system

Fixes FS#2275

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-11-01 06:59:51 +00:00
Hauke Mehrtens
e6cadb215c mac80211: Update to version 5.4-rc2
This updates mac80211 to backports based on kernel 5.4-rc2

ath10k-ct was updated to match the API changes and iw now uses the new
nl80211.h header file.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-10-19 12:35:55 +02:00
Florian Eckert
c7c14aaad3 wwan: Double quote to prevent globbing and word splitting
Fix some shellcheck warnings.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-18 19:48:41 +02:00
Florian Eckert
a78a539afd wwan: add ec25 to database
Add ec25 to database.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-18 19:48:21 +02:00
Florian Eckert
68b1b0bb39 wwan: add mc7304 to database
Add mc7304 to database.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-18 19:47:58 +02:00
Florian Eckert
c45c7606cc wwan: check new uci bus option on proto setup event
If system has more then one and different wwan interface (modem). Then the
wwan protohandler will always take the modem which is discovered first.
The protohandler will always setup the same interface. To fix this add a
new usb "bus" option which is associated with wwan device and so will set
the specified interface up. With this change more then one interface
could be mananged by the wwan protohandler.

If the "bus" option is not set in the uci network config then the protohandler
behaves as before the change. The protohanldler will take the first
interface which he founds.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2019-10-18 19:46:21 +02:00
Sean Kenny
9105057cc0 6in4: add rfc1918 check function
This is a precursor to adding proper support for multiple
6in4 tunnels with the already programmed tunlink parameter.
This is an essential sanity check so as to not break existing
and working behind NAT setups.

Signed-off-by: Sean Kenny <skenny@wfap.ca>

6in4: add myip he.net api parameter logic

This is to add proper support for multiple 6in4 tunnels
with the already programmed tunlink parameter.
As it stands before this commit, if there is a multi wan setup that
consists of dynamic ips, there is no way to use the
dynamic update feature as the he.net api is implicitly using
the ip address of the caller. This will explicitly use the
ipaddr specified in the interface config OR the ip of the
tunlink interface specified in the dynamic update api call instead
ONLY if the final resolved ipaddr variable is not an rfc1918 address.

Signed-off-by: Sean Kenny <skenny@wfap.ca>
2019-10-18 19:23:07 +02:00
Kevin Darbyshire-Bryant
9d5e266cb1 wireguard: bump to latest snapshot 20191012
8eb8443 version: bump snapshot
be09cf5 wg-quick: android: use Binder for setting DNS on Android 10
4716f85 noise: recompare stamps after taking write lock
54db197 netlink: allow preventing creation of new peers when updating
f1b87d1 netns: add test for failing 5.3 FIB changes
a3539c4 qemu: bump default version

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-10-16 16:13:39 +01:00
Jo-Philipp Wich
bc61458b73 iwinfo: update to latest Git HEAD
07315b6 nl80211: handle hidden SSIDs in wpa_supplicant scan results
3ac846e lua: fix string description of mixed WPA3 modes

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-16 16:48:40 +02:00
Martin Schiller
71e04091a9 lantiq: fix dsl_control status handling.
Commit 7519a36774 ("base-files,procd: add generic service status")
introduced the generic 'status' command which broke the previous
dsl_control status output. To fix this, let's rename the "old" command
to "dslstat".

Fixes: 7519a36774 ("base-files,procd: add generic service status")
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2019-10-15 23:23:08 +02:00
Jo-Philipp Wich
57b834281b iwinfo: update to latest Git HEAD
a29b7d4 nl80211: align path to phy mapping logic with mac80211.sh

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-15 15:52:01 +02:00
Hans Dedecker
34c4741da0 odhcpd: update to latest git HEAD
9a4531a ndp: fix endian issue

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-10-14 21:35:09 +02:00
Eneas U de Queiroz
ee5a3f6d60 hostapd: adjust to removal of WOLFSSL_HAS_AES_GCM
WolfSSL is always built with AES-GCM support now.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-10-12 23:43:08 +02:00
DENG Qingfang
394273c066 tcpdump: update to 4.9.3
Fixed CVEs:
	CVE-2017-16808
	CVE-2018-10103
	CVE-2018-10105
	CVE-2018-14461
	CVE-2018-14462
	CVE-2018-14463
	CVE-2018-14464
	CVE-2018-14465
	CVE-2018-14466
	CVE-2018-14467
	CVE-2018-14468
	CVE-2018-14469
	CVE-2018-14470
	CVE-2018-14879
	CVE-2018-14880
	CVE-2018-14881
	CVE-2018-14882
	CVE-2018-16227
	CVE-2018-16228
	CVE-2018-16229
	CVE-2018-16230
	CVE-2018-16300
	CVE-2018-16301
	CVE-2018-16451
	CVE-2018-16452
	CVE-2019-15166
	CVE-2019-15167

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-10-12 23:37:00 +02:00
Hans Dedecker
f8b58757d0 ppp: update to version 2.4.7.git-2019-10-04
0d004db Revert "pppd: Include time.h before using time_t"
e400854 pppdump: Eliminate printf format warning by using %zd
7f2f0de pppd: Refactor setjmp/longjmp with pipe pair in event wait loop
4e71317 make: Avoid using host include for cross-compiling
3202f89 pppoe: Remove the use of cdefs
d8e8d7a pppd: Remove unused rcsid variables
486f854 pppd: Fix GLIBC version test for non-glibc toolchains
b6cd558 pppd: Include time.h before using time_t
ef8ec11 radius: Fix compiler warning
f6330ec magic: Remove K&R style of arguments
347904e Add Submitting-patches.md

Remove patches 130-no_cdefs_h.patch, 131-missing_prototype_macro.patch,
132-fix_linux_includes.patch as fixed upstream
Refresh patches

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-10-10 22:37:10 +02:00
Hans Dedecker
27bf8abe69 firewall: update to latest git HEAD
daed0cf utils: fix resource leak

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-10-04 20:42:26 +02:00
Hans Dedecker
1ed5c1b146 odhcpd: update to latest git HEAD
e76ad06 netlink: fix potential infinite loops

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-10-04 20:42:17 +02:00
Hauke Mehrtens
9a4fb78e7c iw: Update to version 5.3
Wifi HE (ieee80211ax) parsing is currently only activated in the full
version because it increases the compressed size by 2.5KBytes.

This also activates link time optimization (LTO) again, the problem was
fixed upstream

This increases the uncompressed binary size of iw-tiny by about 1.7%

old:
34446 iw_5.0.1-1_mipsel_24kc.ipk
new:
35064 iw_5.3-1_mipsel_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-10-03 17:59:19 +02:00
Hans Dedecker
6077cde98a ethtool: bump to 5.3
76c4682 Release version 5.3.
3870efc ethtool: dump nested registers
7c06fa8 gitignore: ignore vim swapfiles and patches
49d1401 ethtool: igb: dump RR2DCDELAY register

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-30 21:53:35 +02:00
Jo-Philipp Wich
f2b9181bb1 iwinfo: update to latest Git HEAD
2a95086 nl80211: recognize SAE encrypted mesh

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-30 12:44:13 +02:00
Felix Fietkau
d25cc3207d iw: add patch to include local BSS rx time in survey information
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-09-29 22:16:27 +02:00
DENG Qingfang
eddbd68b6d iproute2: update to 5.3.0
Update iproute2 to 5.3.0

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-09-28 21:26:53 +02:00
Brandy Krueger
1fe1a200d9 wireguard: bump to 0.0.20190913
Changes since 0.0.20190702:

define conversion constants for ancient kernels
android: refactor and add incoming allow rules
enforce that unused bits of flags are zero
immediately rekey all peers after changing device private key
support running in OpenVZ environments
do not run bc on clean target
skip peers with invalid keys
account for upstream configuration maze changes
openbsd: fix alternate routing table syntax
account for android-4.9 backport of addr_gen_mode
don't fail down when using systemd-resolved
allow specifying kernel release
enforce named pipe ownership and use protected prefix
work around ubuntu breakage
support newer PaX
don't rewrite siphash when it's from compat
squelch warnings for stack limit on broken kernel configs
support rhel/centos 7.7

Signed-off-by: Brandy Krueger <krueger.brandy24@gmail.com>
2019-09-28 21:01:53 +02:00
Jo-Philipp Wich
ced4c0e635 iwinfo: update to latest Git HEAD
313e827 nl80211: keep awaiting wpa_supplicant scan results on busy response
a766751 nl80211: fix parsing of mixed wpa encryption in wpa_supp scan results
f096bfd utils: support parsing SAE and OWE key management suites from IEs

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-22 18:58:50 +02:00
Hauke Mehrtens
49cc712b44 hostapd: Add mesh support for wpad full
This increases the size of the binary slightly:

old:
427722 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
431696 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk

new:
442109 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
445997 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:51 +02:00
Hauke Mehrtens
998686364d hostapd: use getrandom syscall
hostapd will not use the getrandom() syscall and as a fallback use
/dev/random, the syscall is supported since Linux 3.17 and in the musl,
glibc and uclibc version used by OpenWrt.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:51 +02:00
Hauke Mehrtens
0d86bf518a hostapd: Remove unneeded patch
All the content of this function is proceeded by IEEE8021X_EAPOL no code
accesses the ssid variable outside of this ifdef.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:51 +02:00
Hauke Mehrtens
9b4a27455c hostapd: use config option CONFIG_NO_LINUX_PACKET_SOCKET_WAR
Instead of patching the workaround away, just use the config option.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:51 +02:00
Hauke Mehrtens
167028b750 hostapd: Update to version 2.9 (2019-08-08)
The size of the ipkgs increase a bit (between 0.7% and 1.1%):

old 2019-04-21 (2.8):
288264 wpad-basic_2019-04-21-63962824-1_mipsel_24kc.ipk
256188 wpad-mini_2019-04-21-63962824-1_mipsel_24kc.ipk
427475 wpad-openssl_2019-04-21-63962824-1_mipsel_24kc.ipk
423071 wpad-wolfssl_2019-04-21-63962824-1_mipsel_24kc.ipk

new 2019-08-08 (2.9):
290217 wpad-basic_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
258745 wpad-mini_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
431732 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
427641 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:38 +02:00
Hauke Mehrtens
8af79550e6 hostapd: Update to version 2.8 (2019-04-21)
This also syncs the configuration files with the default configuration
files, but no extra options are activated or deactivated.

The mesh patches were partially merged into hostapd 2.8, the remaining
patches were extracted from patchwork and are now applied by OpenWrt.
The patches still have open questions which are not fixed by the author.
They were taken from this page:
https://patchwork.ozlabs.org/project/hostap/list/?series=62725&state=*

The changes in 007-mesh-apply-channel-attributes-before-running-Mesh.patch
where first applied to hostapd, but later reverted in hostapd commit
3e949655ccc5 because they caused memory leaks.

The size of the ipkgs increase a bit (between 1.3% and 2.3%):

old 2018-12-02 (2.7):
283337 wpad-basic_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk
252857 wpad-mini_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk
417473 wpad-openssl_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk
415105 wpad-wolfssl_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk

new 2019-04-21 (2.8):
288264 wpad-basic_2019-04-21-63962824-1_mipsel_24kc.ipk
256188 wpad-mini_2019-04-21-63962824-1_mipsel_24kc.ipk
427475 wpad-openssl_2019-04-21-63962824-1_mipsel_24kc.ipk
423071 wpad-wolfssl_2019-04-21-63962824-1_mipsel_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
2019-09-22 17:39:26 +02:00
Hauke Mehrtens
a6981604b3 hostapd: Fix AP mode PMF disconnection protection bypass
This fixes
* CVE-2019-16275 AP mode PMF disconnection protection bypass
https://w1.fi/security/2019-7/ap-mode-pmf-disconnection-protection-bypass.txt

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-21 01:12:35 +02:00
Jo-Philipp Wich
d6bd3fd5c4 iwinfo: update to latest Git HEAD
02112f9 cli: fix reporting of mixed WPA2/WPA3 versions
7faeaea nl80211: properly detect WEP encryption in wpa_supp scan results
629b5ff nl80211: do not confuse open connections with WEP ones
3d47ddd nl80211: rework hostapd and wpa_supplicant wpa suite parsing

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-20 13:32:49 +02:00
Jo-Philipp Wich
abb4f4075e hostapd: mirror ieee80211w ap mode defaults in station mode
For AP mode, OpenWrt automatically sets ieee80211w to either 1 or 2, depending
on whether the encryption is set to sae-mixed, or sae/owe/eap suite-b.

Mirror the same defaults for client mode connections, in order to allow an
OpenWrt station to associate to an OpenWrt ap with SAE, OWE or Suite-B encryption
without the need to manually specify "option ieee80211w" on the station.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-20 13:27:28 +02:00
Jo-Philipp Wich
4209b28d23 hostapd: fix OWE settings in client mode
This changes fixes the generation of the wpa_supplicant client configuration
in WPA3 OWE client mode. Instead of incorrectly emitting key_mgmt=NONE, use
the proper key_mgmt=OWE setting instead.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-20 13:27:21 +02:00
Leon M. George
f974f8213b hostapd: declare struct wpa_bss early
wps_supplicant.h assumes that 'struct wpa_bss' is forward declared if
CONFIG_WPS is not defined.  With the later inclusion of
600-ubus_support, the issue manifests in warnings like these:

wps_supplicant.h:113:15: warning: 'struct wpa_bss' declared inside parameter list will not be visible outside of this definition or declaration
        struct wpa_bss *bss)
               ^~~~~~~

This patch forward declares 'struct wpa_bss' regardless.

Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit message facelift]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-09-19 23:43:27 +02:00
Leon M. George
a123df2758 hostapd: revert signature change in patch
The original wpa_hexdump uses a 'void *' for the payload.  With patch
410-limit_debug_messages, the signature changes and compiler warnings
occur at various places.  One such warning is:

 wpa_debug.h:106:20: note: expected 'const u8 * {aka const unsigned char *}' but argument is of type 'struct wpa_eapol_key *'

Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit message facelift]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-09-19 23:43:27 +02:00
Hans Dedecker
71cf4a272c curl: bump to 7.66.0
Refresh patches, for changes in version 7.66.0 see https://curl.haxx.se/changes.html#7_66_0

Fixes CVEs:
    CVE-2019-5481
    CVE-2019-5482

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-19 22:23:01 +02:00
Jo-Philipp Wich
5ef9e4f107 firewall: update to latest Git HEAD
383eb58 ubus: do not overwrite ipset name attribute

Ref: https://forum.openwrt.org/t/fw3-ipset-procd-objects/44044
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-18 10:51:24 +02:00
Petr Štetiar
2cf209ce91 firewall: update to latest git HEAD
c26f8907d1d2 firewall3: fix typo that affects ICMPv6 rules with numeric icmp_type

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-09-15 22:56:09 +02:00
Petr Štetiar
296e1f253c netifd,lldpd,rpcd,log: use generic service_running
commit eb204d14f75c ("base-files: implement generic service_running")
introduced generic service_running so it's not needed to copy&paste same
3 lines over and over again.

I've removed service_running from netifd/network init script as well,
because it was not working properly, looked quite strange and I didn't
understand the intention:

 $ /etc/init.d/network stop
 $ service network running && echo "yes" || echo "nope"
     ( have to wait for 30s )
 Command failed: Request timed out
 yes

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-09-15 22:53:01 +02:00
Hans Dedecker
a33d60c896 odhcpd: update to latest git HEAD
1d24009 netlink: rename netlink callback handlers
91a28e4 ndp: answer global-addressed NS manually
fd93e36 dhcpv6: retry failed PD assignments on addrlist change

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-15 20:43:14 +02:00
Hans Dedecker
ce6311d301 odhcpd: fix update to git HEAD
Fixes commit 7ff5b12e90

e73bf11 config: ra_management compatibility support
d818380 odhcpd: router: Fix out of scope memory access
94a1c94 dhcpv6-ia: free assignment when validity timer expires
752fc2c router: speed up initial router advertisements
09aa022 router: close socket upon NETEV_IFINDEX_CHANGE fixed
79eb160 router: fix previous commit
6034b5c router: close socket upon NETEV_IFINDEX_CHANGE
000182f router: fix lingering uloop socket descriptor
f6c2242 router: support ra_lifetime being 0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-12 22:37:54 +02:00
Ingo Feinerer
ca0ad9e0e9 umbim: update to latest git HEAD
184b707 umbim: add home provider query support

Signed-off-by: Ingo Feinerer <feinerer@logic.at>
2019-09-12 22:29:47 +02:00
Hans Dedecker
7ff5b12e90 odhcpd: update to latest git HEAD (FS#2019)
e73bf11 config: ra_management compatibility support
d818380 odhcpd: router: Fix out of scope memory access
94a1c94 dhcpv6-ia: free assignment when validity timer expires
752fc2c router: speed up initial router advertisements
09aa022 router: close socket upon NETEV_IFINDEX_CHANGE fixed
79eb160 router: fix previous commit
6034b5c router: close socket upon NETEV_IFINDEX_CHANGE
000182f router: fix lingering uloop socket descriptor
f6c2242 router: support ra_lifetime being 0
d111809 router: make RA flags configurable (FS#2019)

Update odhcpd defaults according to the new RA flags implementation

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-12 22:22:29 +02:00
David Bauer
7db2f1a71f iwinfo: update to latest Git HEAD
a88fb42 iwinfo: add device id for Qualcomm Atheros QCA9886
1b69d86 iwinfo: add device id for Qualcomm Atheros QCA9887

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-09-12 15:38:08 +02:00
Hauke Mehrtens
7bed9bf10f hostapd: SAE/EAP-pwd side-channel attack update
Fixes this security problem:
* SAE/EAP-pwd side-channel attack update
https://w1.fi/security/2019-6/sae-eap-pwd-side-channel-attack-update.txt

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-10 21:51:41 +02:00
Hauke Mehrtens
9f34bf51d6 hostapd: Fix security problem
This fixes:
CVE-2019-11555 "EAP-pwd message reassembly issue with unexpected fragment"
https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt

This shouöld not affect OpenWrt in the default settings as we do not use
EAP-pwd.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-10 21:51:26 +02:00
Hauke Mehrtens
359bff6052 firewall: update to latest git HEAD
487bd0d utils: Fix string format message

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-08 18:39:13 +02:00
Hans Dedecker
7db6559914 firewal: update to latest git HEAD
4d0c703 firewall3: Fix some format string problems
8c404ef iptables.c: lock the xtables.lock
c1d3a4d utils: implement fw3_lock_path() & fw3_unlock_path()

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-07 21:23:43 +02:00
Hans Dedecker
1855c23794 odhcp6c: update to latest git HEAD
e199804 dhcpv6: sanitize oro options

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-07 13:11:53 +02:00
Hauke Mehrtens
6658447534 iwinfo: update to latest Git HEAD
f599a8d iwinfo: Fix rate buffer size
71ec9be iwinfo: Fix buffer size
f8ef450 iwinfo: Add support for WPA3

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-01 19:48:43 +02:00
Konstantin Demin
b74f1f335a nftables: bump to version 0.9.2
- exclude Python-related stuff from build
- drop patches:
  * 010-uclibc-ng.patch, applied upstream

ipkg size decrease by 2.8%:
old:
194.851 nftables_0.9.0-2_arm_cortex-a7_neon-vfpv4.ipk
new:
189.581 nftables_0.9.2-1_arm_cortex-a7_neon-vfpv4.ipk

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-09-01 18:38:04 +02:00
Eneas U de Queiroz
7f2b230b3b uhttpd: add support to generate EC keys
This adds the key_type and ec_curve options to enable the generation of
EC keys during initialization, using openssl or the new options added to
px5g.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-09-01 00:35:11 +02:00
Jo-Philipp Wich
b13f3300d5 iwinfo: update to latest Git HEAD
a9f9557 nl80211: support reading hardware id from phy directly
c586cd3 iwinfo: add device id for MediaTek MT7612E
d4382dd iwinfo: add device id for Atheros AR9390

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-08-28 12:09:14 +02:00
DENG Qingfang
bd098231ba iproute2: update to 5.2.0
Remove upstream patches

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-08-24 21:58:13 +02:00
Kevin Darbyshire-Bryant
bd01346bb4 firewall: update to latest git HEAD
bf29c1e firewall3: ipset: Handle reload_set properly

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-08-22 09:31:57 +01:00
Christian Lamparter
cfd0748497 iftop: update to HEAD of 2018-10-03 - 77901c
Update iftop to commit 77901c8c53e01359d83b8090aacfe62214658183

git log --pretty=oneline --abbrev-commit 949ed0f7..77901c8c

77901c8 Support scales beyond 1Gbps

Created with the help of the make-package-update-commit.sh script.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-08-18 20:56:41 +02:00
Jo-Philipp Wich
d1f207ecc9 uhttpd: update to latest Git HEAD
6b03f96 ubus: increase maximum ubus request size to 64KB

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-08-18 20:00:06 +02:00
Alin Nastac
a6da3f9ef7 iproute2: add libcap support, enabled in ip-full
Preserve optionality of libcap by having configuration script follow the
HAVE_CAP environment variable, used similarly to the HAVE_ELF variable.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase/refresh patches]
2019-08-18 14:44:10 +02:00
Hauke Mehrtens
928e893a11 mac80211: Update to version 5.3-rc4-1
The removed patches were applied upstream.
The type of the RT2X00_LIB_EEPROM config option was changed to bool,
because boolean is an invalid value and the new kconfig system
complained about this.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-08-17 13:41:16 +02:00
Hauke Mehrtens
1d4df52c21 hostapd: Allow CONFIG_IEEE80211W for all but mini variant
This commit will activate CONFIG_IEEE80211W for all, but the mini
variant when at least one driver supports it. This will add ieee80211w
support for the mesh variant for example.

Fixes: FS#2397
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-08-17 00:16:08 +02:00
Hauke Mehrtens
f34e825834 hostapd: Remove ROBO switch support
The driver was removed from OpenWrt a long time ago.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-08-17 00:16:08 +02:00
Kevin Darbyshire-Bryant
51ffce0694 firewall: improve ipset support
Bump to latest git HEAD

509e673 firewall3: Improve ipset support

The enabled option did not work properly for ipsets, as it was not
checked on create/destroy of a set. After this commit, sets are only
created/destroyed if enabled is set to true.

Add support for reloading, or recreating, ipsets on firewall reload.  By
setting "reload_set" to true, the set will be destroyed and then
re-created when the firewall is reloaded.

Add support for the counters and comment extensions. By setting
"counters" or "comment" to true, then counters or comments are added to
the set.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-08-16 11:27:24 +01:00
Hans Dedecker
63ced14048 dnsmasq: use nettle ecc_curve access functions
Fixes compile issues with nettle 3.5.1

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-08-09 21:40:13 +02:00
Vincent Wiemann
ccb4b96b8a comgt-ncm: add driver dependencies again
In the commit 623716dd43 ("comgt-ncm: Fix NCM protocol")
the dependencies to vendor NCM drivers were removed, because:

> comgt-ncm should not depend on the USB-serial-related kernel modules,
> as the cdc-wdm control device works without them. There is also no need
> to depend on kmod-huawei-cdc-ncm, since other manufacturers (like
> Ericsson and Samsung) which use other kernel modules should also be
> supported.

From a user-perspective this does not make sense, as installing comgt-ncm
(or luci-proto-ncm) should install all needed dependencies for using such
a device.

Furthermore depending on kmod-huawei-cdc-ncm does not mean that Ericsson
and Samsung devices can't be supported. By the way it seems that Ericsson
and Samsung devices never used NCM, but act as serial modems.

Thus this commit adds the dependencies again.

Signed-off-by: Vincent Wiemann <vincent.wiemann@ironai.com>
[fixed title capitalization, formatted commit message,
renamed Sony-Ericsson to Ericsson]
Signed-off-by: David Bauer <mail@david-bauer.net>
2019-08-08 21:33:34 +02:00
Hans Dedecker
d70a35c365 netifd: update to latest git HEAD
5e02f94 system-linux: fix resource leak

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-08-07 13:55:52 +02:00
Rosen Penev
1b1c47577b linux-atm: Add missing headers
This fixes compilation with -Werror=implicit-function-declaration.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-08-05 23:22:26 +02:00
Jeffery To
e545fac8d9 build: include BUILD_VARIANT in PKG_BUILD_DIR
This changes the default PKG_BUILD_DIR to take BUILD_VARIANT into
account (if set), so that packages do not need to manually override
PKG_BUILD_DIR just to handle variants.

This also updates most base packages with variants to use the updated
default PKG_BUILD_DIR.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-08-05 23:22:26 +02:00
Hans Dedecker
018395392c ethtool: bump to 5.2
379c096 Release version 5.2.
2bce6d9 ethtool: Add 100BaseT1 and 1000BaseT1 link modes
67ffbf5 ethtool: sync ethtool-copy.h with linux-next from 30/05/2019
687152b ethtool.spec: Use standard file location macros

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-08-05 21:04:44 +02:00
Hans Dedecker
efb7b7a12a firewall: update to latest git HEAD
de94097 utils: coverity resource leak warning

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-08-05 14:18:27 +02:00
DENG Qingfang
edd9b39fab ipset: update to 7.3
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-08-05 09:42:09 +02:00
Kevin Darbyshire-Bryant
fc5d46dc62 Revert "dnsmasq: backport latest patches"
This reverts commit e9eec39aac.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-08-03 20:55:52 +01:00
Kevin Darbyshire-Bryant
a275466729 Revert "dnsmasq: improve insecure DS warning"
This reverts commit cd91f2327f.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-08-03 20:55:45 +01:00
Kevin Darbyshire-Bryant
4bc02a421f iptables: fix connmark savedscp build
Add <strings.h> for ffs() definition.

Reported-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-07-29 20:23:13 +01:00
Kevin Darbyshire-Bryant
cd91f2327f dnsmasq: improve insecure DS warning
Log the failing domain in the insecure DS warning.

Patch has been sent upstream.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-07-25 12:29:08 +01:00
Kevin Darbyshire-Bryant
e9eec39aac dnsmasq: backport latest patches
Backport upstream patches pre 2.81rc for testing purposes.

Let's see what falls out!

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-07-25 12:23:46 +01:00
Kevin Darbyshire-Bryant
1aad1d17ed iptables: add connmark savedscp support
iptables: connmark - add savedscp option

Naive user space front end to xt_connmark 'savedscp' option.

e.g.

iptables -A QOS_MARK_eth0 -t mangle -j CONNMARK --savedscp-mark 0xfc000000/0x01000000

Will save DSCP into the top 6 bits and OR 0x01 (ie set) the least
significant bit of most significant byte.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-07-25 10:18:23 +01:00
Hans Dedecker
11617bcb3b netifd: update to latest git HEAD
899f168 system-linux: Coverity fixes

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-07-22 21:48:34 +02:00
Hans Dedecker
fc2df4f705 curl: update to 7.65.3
For changes in 7.65.3; see https://curl.haxx.se/changes.html#7_65_3

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-07-21 23:30:27 +02:00
Hauke Mehrtens
0b2c42ced2 mac80211: Update to version 5.2-rc7
This updates mac80211 to version 5.2-rc7, this contains all the changes
to the wireless subsystem up to Linux 5.2-rc7.

* The removed patches are applied upstream
* b43 now uses kmod-lib-cordic
* Update the nl80211.h file in iw to match backports version.
* Remove the two backports from kernel 4.9, they were needed for mt76,
  but that can use the version from backports now, otherwise they
  collide and cause compile errors.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-07-18 00:22:04 +02:00
Martin Schiller
261df949fa openvpn: add new list option tls_ciphersuites
To configure the list of allowable TLS 1.3 ciphersuites, the option
tls_ciphersuites is used instead of tls_ciphers.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2019-07-17 22:59:29 +02:00
DENG Qingfang
42b3a3a89b iperf3: update to 3.7
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-07-08 16:28:47 +02:00
Eneas U de Queiroz
94d131332b hostapd: adjust removed wolfssl options
This edjusts the selection of recently removed wolfssl options which
have always been built into the library even in their abscence.
Also remove the selection of libwolfssl itself, allowing the library to
be built as a module.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-07-07 13:02:05 +02:00
Deng Qingfang
917eeaf26b iproute2: update to 5.1.0
Update iproute2 to 5.1.0
Remove upstream patch 010-cake-fwmark.patch
Backport a patch to fix struct sysinfo redefinition error

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-07-04 21:40:12 +02:00
Matt Merhar
1d4c4cbd20 openvpn: fix handling of list options
This addresses an issue where the list option specified in
/etc/config/openvpn i.e. 'tls_cipher' would instead show up in the
generated openvpn-<name>.conf as 'ncp-ciphers'. For context,
'ncp_ciphers' appears after 'tls_cipher' in OPENVPN_LIST from
openvpn.options.

Also, the ordering of the options in the UCI config file is now
preserved when generating the OpenVPN config. The two currently
supported list options deal with cipher preferences.

Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
2019-07-03 07:45:00 +02:00
Florian Eckert
313444a79e comgt: add delay option for 3g proto
All protos for wwan (ncm,qmi,mbim) do have a delay option.
To standardize that add also the missing delay option to the 3g proto.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2019-07-03 07:45:00 +02:00
Florian Eckert
c06f2a2dcb uqmi: fix indentation style and boundary
Fix indentation style and boundary.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2019-07-03 07:45:00 +02:00
Florian Eckert
8eb63cb7df uqmi: add mtu config option possibility
There are mobile carrier who have different MTU size in their network.
With this change it is now possible to configure this with the qmi
proto handler.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2019-07-03 07:45:00 +02:00
Jason A. Donenfeld
7c23f741e9 wireguard: bump to 0.0.20190702
* curve25519: not all linkers support bmi2 and adx

This should allow WireGuard to build on older toolchains.

* global: switch to coarse ktime

Our prior use of fast ktime before meant that sometimes, depending on how
broken the motherboard was, we'd wind up calling into the HPET slow path. Here
we move to coarse ktime which is always super speedy. In the process we had to
fix the resolution of the clock, as well as introduce a new interface for it,
landing in 5.3. Older kernels fall back to a fast-enough mechanism based on
jiffies.

https://lore.kernel.org/lkml/tip-e3ff9c3678b4d80e22d2557b68726174578eaf52@git.kernel.org/
https://lore.kernel.org/lkml/20190621203249.3909-3-Jason@zx2c4.com/

* netlink: cast struct over cb->args for type safety

This follow recent upstream changes such as:

https://lore.kernel.org/lkml/20190628144022.31376-1-Jason@zx2c4.com/

* peer: use LIST_HEAD macro

Style nit.

* receive: queue dead packets to napi queue instead of empty rx_queue

This mitigates a WARN_ON being triggered by the workqueue code. It was quite
hard to trigger, except sporadically, or reliably with a PC Engines ALIX, an
extremely slow board with an AMD LX800 that Ryan Whelan of Axatrax was kind
enough to mail me.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-07-02 22:06:42 +02:00
Deng Qingfang
299f6cb2da iptables: update to 1.8.3
Update iptables to 1.8.3

ChangeLog:
  https://netfilter.org/projects/iptables/files/changes-iptables-1.8.3.txt

Removed upstream patches:
- 001-extensions_format-security_fixes_in_libip.patch
- 002-include_fix_build_with_kernel_headers_before_4_2.patch
- 003-ebtables-vlan-fix_userspace_kernel_headers_collision.patch

Altered patches:
- 200-configurable_builtin.patch
- 600-shared-libext.patch

No notable size changes

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [lipibtc ABI_VERSION fix]
2019-07-02 21:50:54 +02:00
Koen Vandeputte
1ffca55456 uqmi: bump to latest git HEAD
1965c7139374 uqmi: add explicit check for message type when expecting a response
01944dd7089b uqmi_add_command: fixed command argument assignment

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-06-27 14:16:32 +02:00
Joseph Tingiris
8a5a01a677 rssileds: change rssileds.init STOP index
This patch is in a series to allow additional STOP indexes after
umount, so that other block devices may stop cleanly.

rssileds.init is now STOP=89

Signed-off-by: Joseph Tingiris <joseph.tingiris@gmail.com>
2019-06-24 20:22:24 +02:00
Deng Qingfang
6762e72524 package/network: add PKGARCH:=all to non-binary packages
Packages such as xfrm contain only script files, add PKGARCH:=all

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-06-22 12:55:30 +02:00
Kevin Darbyshire-Bryant
a8f0c02f80 iproute2: update ctinfo support
Follow upstream changes - header file changes only
no functional or executable changes, hence no package bump
required

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-06-20 21:12:24 +01:00
Christian Lamparter
99bf9a1ac2 hostapd: remove stale WPA_SUPPLICANT_NO_TIMESTAMP_CHECK option
Support to disable the timestamp check for certificates in
wpa_supplicant (Useful for devices without RTC that cannot
reliably get the real date/time) has been accepted in the
upstream hostapd. It's implemented in wpa_supplicant as a
per-AP flag tls_disable_time_checks=[0|1].

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-06-20 20:02:29 +02:00
Jo-Philipp Wich
a95ddaba02 uhttpd: add direct dependency on libjson-c
The OpenWrt buildroot ABI version rebuild tracker does not handle
transient dependencies, therefor add all libraries linked by uhttpd
as direct dependencies to the corresponding binary package definition.

This ensures that uhttpd is automatically rebuilt and relinked if any
of these libraries has its ABI_VERSION updated in the future.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-06-20 18:09:48 +02:00
Hauke Mehrtens
3c401f45c9 uhttpd: Fix format string build problems
91fcac34ac uhttpd: Fix multiple format string problems

Fixes: fc454ca153 libubox: update to latest git HEAD
Reported-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-06-16 22:57:39 +02:00
Hans Dedecker
1fd900ddc2 netifd: xfrm fixes
9932ed0 netifd: fix xfrm interface deletion and standardize netlink call

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-06-15 21:27:01 +02:00
Christian Lamparter
dec686fbc6 iwinfo: update PKG_MIRROR_HASH
This patch updates the PKG_MIRROR_HASH to match the one
of the current version.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-06-15 19:55:32 +02:00
André Valentin
f6dab98044 network/config/xfrm: add host-dependency for xfrm interface parent
Add proto_add_host_dependency to add a dependency to the tunlink interface

Signed-off-by: André Valentin <avalentin@marcant.net>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2019-06-15 13:41:39 +02:00
Hans Dedecker
55fcc77072 netifd: update to latest git HEAD
42a3878 interface-ip: fix possible null pointer dereference
c1964d8 system-linux: remove superfluous dev check

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-06-13 22:18:57 +02:00
Koen Vandeputte
c12bd3a21b iwinfo: update to latest git HEAD
1372f47eff34 iwinfo: Add Mikrotik R11e-5HnDr2

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-06-12 15:04:09 +02:00
Yousong Zhou
04b45d3a31 dnsmasq: move feature detection inside a shell func
Resolves openwrt/packages#9219

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-06-11 08:32:54 +00:00
André Valentin
452d88e8f7 config: add xfrm interface support scripts
This package adds scripts for xfrm interfaces support.
Example configuration via /etc/config/network:

config interface 'xfrm0'
        option proto 'xfrm'
        option mtu '1300'
        option zone 'VPN'
        option tunlink 'wan'
        option ifid 30

config interface 'xfrm0_static'
        option proto 'static'
        option ifname '@xfrm0'
        option ip6addr 'fe80::1/64'
        option ipaddr '10.0.0.1/30'

Now set in strongswan IPsec policy:
 	if_id_in = 30
	if_id_out = 30

Signed-off-by: André Valentin <avalentin@marcant.net>
2019-06-10 10:07:24 +02:00
Hans Dedecker
cc092a285a curl: update to 7.65.1
For changes in 7.65.1; see https://curl.haxx.se/changes.html#7_65_1

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-06-10 10:06:05 +02:00
Yousong Zhou
0299a4b73e dnsmasq: skip options that are not compiled in
This is to make life easier for users with customized build of
dnsmasq-full variant.  Currently dnsmasq config generated by current
service script will be rejected by dnsmasq build lacking DHCP feature

 - Options like --dhcp-leasefile have default values.  Deleting them
   from uci config or setting them to empty value will make them take on
   default value in the end
 - Options like --dhcp-broadcast are output unconditionally

Tackle this by

 - Check availablility of features from output of "dnsmasq --version"
 - Make a list of options guarded by HAVE_xx macros in src/options.c of
   dnsmasq source code
 - Ignore these options in xappend()

Two things to note in this implementation

 - The option list is not exhaustive.  Supposedly only those options that
   may cause dnsmasq to reject with "unsupported option (check that
   dnsmasq was compiled with DHCP/TFTP/DNSSEC/DBus support)" are taken
   into account here
 - This provides a way out but users' cooperation is still needed.  E.g.
   option dnssec needs to be turned off, otherwise the service script
   will try to add --conf-file pointing to dnssec specific anchor file
   which dnsmasq lacking dnssec support will reject

Resolves FS#2281

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-06-09 08:17:52 +00:00
Hans Dedecker
6b762dd75f netifd: xfrm tunnel support
8c6358b netifd: add xfrm tunnel interface support

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-06-08 21:51:37 +02:00
Kevin Darbyshire-Bryant
021a9b4cb9 iproute2: add tc action ctinfo support
Add the userspace control portion of the backported kernelspace
act_ctinfo.

ctinfo is a tc action restoring data stored in conntrack marks to
various fields.  At present it has two independent modes of operation,
restoration of DSCP into IPv4/v6 diffserv and restoration of conntrack
marks into packet skb marks.

It understands a number of parameters specific to this action in
additional to the usual action syntax.  Each operating mode is
independent of the other so all options are optional, however not
specifying at least one mode is a bit pointless.

Usage: ... ctinfo [dscp mask [statemask]] [cpmark [mask]] [zone ZONE]
		  [CONTROL] [index <INDEX>]

DSCP mode

dscp enables copying of a DSCP stored in the conntrack mark into the
ipv4/v6 diffserv field.  The mask is a 32bit field and specifies where
in the conntrack mark the DSCP value is located.  It must be 6
contiguous bits long. eg. 0xfc000000 would restore the DSCP from the
upper 6 bits of the conntrack mark.

The DSCP copying may be optionally controlled by a statemask.  The
statemask is a 32bit field, usually with a single bit set and must not
overlap the dscp mask.  The DSCP restore operation will only take place
if the corresponding bit/s in conntrack mark ANDed with the statemask
yield a non zero result.

eg. dscp 0xfc000000 0x01000000 would retrieve the DSCP from the top 6
bits, whilst using bit 25 as a flag to do so.  Bit 26 is unused in this
example.

CPMARK mode

cpmark enables copying of the conntrack mark to the packet skb mark.  In
this mode it is completely equivalent to the existing act_connmark
action.  Additional functionality is provided by the optional mask
parameter, whereby the stored conntrack mark is logically ANDed with the
cpmark mask before being stored into skb mark.  This allows shared usage
of the conntrack mark between applications.

eg. cpmark 0x00ffffff would restore only the lower 24 bits of the
conntrack mark, thus may be useful in the event that the upper 8 bits
are used by the DSCP function.

Usage: ... ctinfo [dscp mask [statemask]] [cpmark [mask]] [zone ZONE]
		  [CONTROL] [index <INDEX>]
where :
	dscp MASK is the bitmask to restore DSCP
	     STATEMASK is the bitmask to determine conditional restoring
	cpmark MASK mask applied to restored packet mark
	ZONE is the conntrack zone
	CONTROL := reclassify | pipe | drop | continue | ok |
		   goto chain <CHAIN_INDEX>

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-06-07 12:05:32 +01:00
Yangbo Lu
9ad7c53383 layerscape: update restool to LSDK 19.03
Update restool to LSDK 19.03.

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
2019-06-06 15:40:08 +02:00
Jason A. Donenfeld
593b487538 wireguard: bump to 0.0.20190601
There was an issue with the backport compat layer in yesterday's snapshot,
causing issues on certain (mostly Atom) Intel chips on kernels older than
4.2, due to the use of xgetbv without checking cpu flags for xsave support.
This manifested itself simply at module load time. Indeed it's somewhat tricky
to support 33 different kernel versions (3.10+), plus weird distro
frankenkernels.

If OpenWRT doesn't support < 4.2, you probably don't need to apply this.
But it also can't hurt, and probably best to stay updated.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-06-01 14:00:51 +02:00
Jason A. Donenfeld
a1210f8888 wireguard: bump to 0.0.20190531
* tools: add wincompat layer to wg(8)

Consistent with a lot of the Windows work we've been doing this last cycle,
wg(8) now supports the WireGuard for Windows app by talking through a named
pipe. You can compile this as `PLATFORM=windows make -C src/tools` with mingw.
Because programming things for Windows is pretty ugly, we've done this via a
separate standalone wincompat layer, so that we don't pollute our pretty *nix
utility.

* compat: udp_tunnel: force cast sk_data_ready

This is a hack to work around broken Android kernel wrapper scripts.

* wg-quick: freebsd: workaround SIOCGIFSTATUS race in FreeBSD kernel

FreeBSD had a number of kernel race conditions, some of which we can vaguely
work around. These are in the process of being fixed upstream, but probably
people won't update for a while.

* wg-quick: make darwin and freebsd path search strict like linux

Correctness.

* socket: set ignore_df=1 on xmit

This was intended from early on but didn't work on IPv6 without the ignore_df
flag. It allows sending fragments over IPv6.

* qemu: use newer iproute2 and kernel
* qemu: build iproute2 with libmnl support
* qemu: do not check for alignment with ubsan

The QEMU build system has been improved to compile newer versions. Linking
against libmnl gives us better error messages. As well, enabling the alignment
check on x86 UBSAN isn't realistic.

* wg-quick: look up existing routes properly
* wg-quick: specify protocol to ip(8), because of inconsistencies

The route inclusion check was wrong prior, and Linux 5.1 made it break
entirely. This makes a better invocation of `ip route show match`.

* netlink: use new strict length types in policy for 5.2
* kbuild: account for recent upstream changes
* zinc: arm64: use cpu_get_elf_hwcap accessor for 5.2

The usual churn of changes required for the upcoming 5.2.

* timers: add jitter on ack failure reinitiation

Correctness tweak in the timer system.

* blake2s,chacha: latency tweak
* blake2s: shorten ssse3 loop

In every odd-numbered round, instead of operating over the state
    x00 x01 x02 x03
    x05 x06 x07 x04
    x10 x11 x08 x09
    x15 x12 x13 x14
we operate over the rotated state
    x03 x00 x01 x02
    x04 x05 x06 x07
    x09 x10 x11 x08
    x14 x15 x12 x13
The advantage here is that this requires no changes to the 'x04 x05 x06 x07'
row, which is in the critical path. This results in a noticeable latency
improvement of roughly R cycles, for R diagonal rounds in the primitive. As
well, the blake2s AVX implementation is now SSSE3 and considerably shorter.

* tools: allow setting WG_ENDPOINT_RESOLUTION_RETRIES

System integrators can now specify things like
WG_ENDPOINT_RESOLUTION_RETRIES=infinity when building wg(8)-based init
scripts and services, or 0, or any other integer.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-05-31 21:01:33 +02:00
Hans Dedecker
678ee30ee4 ppp: add config options to tune discovery timeout and attempts
Upstream PPP project has added in commit 8e77984 options to tune discovery
timeout and attempts in the rp-pppoe plugin.

Expose these options in the uci datamodel for pppoe:
	padi_attempts: Number of discovery attempts
	padi_timeout: Initial timeout for discovery packets in seconds

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-31 09:43:10 +02:00
Hans Dedecker
42977978e2 ppp: update to version 2.4.7.git-2019-05-25
8e77984 rp-pppoe plugin: Add options to tune discovery timeout and number of attempts

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-31 09:43:03 +02:00
Fabian Bläse
0f8b9addfc gre: introduce 'nohostroute' option
It is not always necessary to add a host route for the gre peer address.

This introduces a new config option 'nohostroute' (similar to the
option introduced for wireguard in d8e2e19) to allow to disable
the creation of those routes explicitely.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2019-05-31 09:42:32 +02:00
Hans Dedecker
6636171bed netifd: fix missing ip rules after network reload (FS#2296)
beb810d iprule: fix missing ip rules after a reload (FS#2296)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-28 10:21:02 +02:00
Hans Dedecker
7d77879236 curl: bump to 7.65.0
For changes in 7.65.0; see https://curl.haxx.se/changes.html#7_65_0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-26 21:51:04 +02:00
Hans Dedecker
f54611b06d map: don't set default firewall zone to wan
Don't set the default firewall zone to wan if not specified to keep the
behavior aligned with other tunnel protocols like gre and 6rd.
If the interface zone is not specified try to get it from the firewall config
when constructing the procd firewall rule.
While at it only add procd inbound/outbound firewall rules if a zone is specified.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-26 09:44:37 +02:00
Hans Dedecker
470f5b31e3 464xlat: don't set default firewall zone to wan
Don't set the default firewall zone to wan if not specified to keep the
behavior aligned with other tunnel protocols like gre and 6rd.
If the interface zone is not specified try to get it from the firewall config
when constructing the procd firewall rule.
While at it only add a procd inbound firewall rule if a zone is specified.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-26 09:43:57 +02:00
Petr Štetiar
ace241014c ethtool: bump to 5.1
* Feature: Add support for 200Gbps (50Gbps per lane) link mode
 * Feature: simplify handling of PHY tunable downshift
 * Feature: add support for PHY tunable Fast Link Down
 * Feature: add PHY Fast Link Down tunable to man page
 * Feature: Add a 'start N' option when specifying the Rx flow hash indirection table.
 * Feature: Add bash-completion script
 * Feature: add 10000baseR_FEC link mode name
 * Fix: qsfp: fix special value comparison
 * Feature: move option parsing related code into function
 * Feature: move cmdline_coalesce out of do_scoalesce
 * Feature: introduce new ioctl for per-queue settings
 * Feature: support per-queue sub command --show-coalesce
 * Feature: support per-queue sub command --coalesce
 * Fix: fix up dump_coalesce output to match actual option names
 * Feature: fec: add pretty dump

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-05-25 13:44:43 +02:00
Koen Vandeputte
4da5ba4a6b iwinfo: update to latest git HEAD
073a838891e5 iwinfo: Complete device IDs for Ubiquiti airOS XM/XW devices
04f5a7d3a431 iwinfo: Add Mikrotik R11e-5HnD
c2cfe9d96c9a iwinfo: Fix 802.11ad channel to frequency

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-05-21 14:24:18 +02:00
Petr Štetiar
2c26dc7b41 netifd: add support for the new ar8xxx MIB counters settings
Commit "generic: ar8216: add mib_poll_interval switch attribute" has added
mib_poll_interval global config option and commit "generic: ar8216: group
MIB counters and use two basic ones only by default" has added mib_type
config option.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-05-20 21:19:48 +02:00
Hans Dedecker
a7967bada9 ppp: update to version 2.4.7.git-2019-05-18
c9d9dbf pppoe: Custom host-uniq tag
44012ae plugins/rp-pppoe: Fix compile errors

Refresh patches
Drop 520-uniq patch as upstream accepted
Drop 150-debug_compile_fix patch as fixed upstream

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-18 21:39:19 +02:00
Hans Dedecker
7b58c58733 netifd: update to latest git HEAD
22e8e58 interface-ip: use ptp address as well to find local address target
f1aa0f9 treewide: pass bool as second argument of blobmsg_check_attr

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-18 09:35:25 +02:00
Hans Dedecker
5546fe9fc3 odhcpd: update to latest git HEAD (FS#2242)
41a74cb config: remove 'ignore' config option
c0c8034 treewide: init assignment lists head
f98b7ee config: use list safe iterator in lease_delete
3c9810b dhcpv4: fix lease ordering by ip address
b60c384 config: use multi-stage parsing of uci sections
a2dd8d6 treewide: always init interface list heads during initialization
a17665e dhcpv4: do not allow pool end address to overlap with broadcast address
6b951c5 treewide: give file descriptors safe initial value
39e11ed dhcpv4: DHCP pool size is off-by-one
4a600ce dhcpv4: add support for Parameter Request List option 55
09e5eca dhcpv4: fix DHCP packet size
3cd4876 ndp: fix syslog flooding (FS#2242)
79fbba1 config: set default loglevel to LOG_WARNING

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-17 08:54:30 +02:00
Rosen Penev
2f97797471 nftables: Fix compilation with uClibc-ng
Missing header for va_list.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
[updated with upstream version of the patch]
2019-05-15 13:34:23 +02:00
Hauke Mehrtens
02d4d36d4b iperf: Update to version 2.0.13
The removed patches are already integrated in the upstream version.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-05-14 20:28:18 +02:00
Hans Dedecker
06403981e1 ppp: update to version 2.4.7.git-2019-05-06
fcb076c Various fixes for errors found by coverity static analysis (#109)
d98ab38 Merge branch 'pppd_print_changes' of https://github.com/nlhintz/ppp into nlhintz-pppd_print_changes

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-13 15:34:42 +02:00
Lucian Cristian
4582fe7c14 lldpd: add option to edit hostname
also fixes the annoying repeating syslog
lldp[]: unable to get system name

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
2019-05-11 16:37:11 +02:00
Lucian Cristian
cb30971a44 lldpd: update to 1.0.3
Support for CDP PD PoE

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
2019-05-11 16:37:11 +02:00
Hans Dedecker
165d598521 netifd: update to latest git HEAD
f6fb700 interface-ip: fine tune IPv6 mtu warning
975a5c4 interface: tidy ipv6 mtu warning

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-08 22:15:19 +02:00
Jo-Philipp Wich
f00a4ae6e0 Revert "uhttpd: disable concurrent requests by default"
This reverts commit c6aa9ff388.

Further testing has revealed that we will need to allow concurrent
requests after all, especially for situations where CGI processes
initiate further HTTP requests to the local host.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-04-23 08:15:46 +02:00
Hans Dedecker
399aa0b933 odhcpd: update to latest git HEAD (FS#2243, FS#2244)
6633efe router: fix dns search list option

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-04-19 19:24:39 +02:00
Rosy Song
524810ce6d dropbear: allow build without dbclient
This can save ~16KBytes size for the ipk

Signed-off-by: Rosy Song <rosysong@rosinson.com>
2019-04-18 22:34:19 +02:00
Hans Dedecker
e20c2909a5 odhcpd: update to latest git HEAD (FS#2206)
38bc630 router: use ra_lifetime as lifetime for RA options (FS#2206)
0523bdd router: improve code readibility
0a3b279 Revert "router:"
207f8e0 treewide: align syslog loglevels
f1d7da9 router:
0e048ac treewide: fix compiler warnings
83698f6 CMakeList.txt: enable extra compiler checks

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-04-17 14:43:38 +02:00
Hans Dedecker
3e803499c3 netifd: update to latest git HEAD
666c14f system-linux: remove debug tracing
08989e4 interface: add neighbor config support
bfd4de3 interface: fix "if-down" hotplug event handling

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-04-15 23:20:20 +02:00
Petr Štetiar
ecdd26fe2b umbim: update to latest git HEAD
24f9dc7 Iron out all extra compiler warnings
9d8dbc9 Enable extra compiler checks
ff8d356 mbim-proxy support
ccca03f umbim: add registration set support

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-04-15 00:01:57 +02:00
Stefan Lippers-Hollmann
8f17c019a1 hostapd: fix CVE-2019-9497, CVE-2019-9498, CVE-2019-9499
EAP-pwd missing commit validation

Published: April 10, 2019
Identifiers:
- CVE-2019-9497 (EAP-pwd server not checking for reflection attack)
- CVE-2019-9498 (EAP-pwd server missing commit validation for
  scalar/element)
- CVE-2019-9499 (EAP-pwd peer missing commit validation for
  scalar/element)

Latest version available from: https://w1.fi/security/2019-4/

Vulnerability

EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP
peer) was discovered not to validate the received scalar and element
values in EAP-pwd-Commit messages properly. This could result in attacks
that would be able to complete EAP-pwd authentication exchange without
the attacker having to know the used password.

A reflection attack is possible against the EAP-pwd server since the
hostapd EAP server did not verify that the EAP-pwd-Commit contains
scalar/element values that differ from the ones the server sent out
itself. This allows the attacker to complete EAP-pwd authentication
without knowing the password, but this does not result in the attacker
being able to derive the session key (MSK), i.e., the attacker would not
be able to complete the following key exchange (e.g., 4-way handshake in
RSN/WPA).

An attack using invalid scalar/element values is possible against both
the EAP-pwd server and peer since hostapd and wpa_supplicant did not
validate these values in the received EAP-pwd-Commit messages. If the
used crypto library does not implement additional checks for the element
(EC point), this could result in attacks where the attacker could use a
specially crafted commit message values to manipulate the exchange to
result in deriving a session key value from a very small set of possible
values. This could further be used to attack the EAP-pwd server in a
practical manner. An attack against the EAP-pwd peer is slightly more
complex, but still consider practical. These invalid scalar/element
attacks could result in the attacker being able to complete
authentication and learn the session key and MSK to allow the key
exchange to be completed as well, i.e., the attacker gaining access to
the network in case of the attack against the EAP server or the attacker
being able to operate a rogue AP in case of the attack against the EAP
peer.

While similar attacks might be applicable against SAE, it should be
noted that the SAE implementation in hostapd and wpa_supplicant does
have the validation steps that were missing from the EAP-pwd
implementation and as such, these attacks do not apply to the current
SAE implementation. Old versions of wpa_supplicant/hostapd did not
include the reflection attack check in the SAE implementation, though,
since that was added in June 2015 for v2.5 (commit 6a58444d27fd 'SAE:
Verify that own/peer commit-scalar and COMMIT-ELEMENT are different').

Vulnerable versions/configurations

All hostapd versions with EAP-pwd support (CONFIG_EAP_PWD=y in the build
configuration and EAP-pwd being enabled in the runtime configuration)
are vulnerable against the reflection attack.

All wpa_supplicant and hostapd versions with EAP-pwd support
(CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled
in the runtime configuration) are vulnerable against the invalid
scalar/element attack when built against a crypto library that does not
have an explicit validation step on imported EC points. The following
list indicates which cases are vulnerable/not vulnerable:
- OpenSSL v1.0.2 or older: vulnerable
- OpenSSL v1.1.0 or newer: not vulnerable
- BoringSSL with commit 38feb990a183 ('Require that EC points are on the
  curve.') from September 2015: not vulnerable
- BoringSSL without commit 38feb990a183: vulnerable
- LibreSSL: vulnerable
- wolfssl: vulnerable

Acknowledgments

Thanks to Mathy Vanhoef (New York University Abu Dhabi) for discovering
and reporting the issues and for proposing changes to address them in
the implementation.

Possible mitigation steps

- Merge the following commits to wpa_supplicant/hostapd and rebuild:

  CVE-2019-9497:
  EAP-pwd server: Detect reflection attacks

  CVE-2019-9498:
  EAP-pwd server: Verify received scalar and element
  EAP-pwd: Check element x,y coordinates explicitly

  CVE-2019-9499:
  EAP-pwd client: Verify received scalar and element
  EAP-pwd: Check element x,y coordinates explicitly

  These patches are available from https://w1.fi/security/2019-4/

- Update to wpa_supplicant/hostapd v2.8 or newer, once available

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-04-11 11:26:01 +02:00
Stefan Lippers-Hollmann
57ab9e3add hostapd: fix CVE-2019-9496
hostapd: fix SAE confirm missing state validation

Published: April 10, 2019
Identifiers:
- CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP)
Latest version available from: https://w1.fi/security/2019-3/

Vulnerability

When hostapd is used to operate an access point with SAE (Simultaneous
Authentication of Equals; also known as WPA3-Personal), an invalid
authentication sequence could result in the hostapd process terminating
due to a NULL pointer dereference when processing SAE confirm
message. This was caused by missing state validation steps when
processing the SAE confirm message in hostapd/AP mode.

Similar cases against the wpa_supplicant SAE station implementation had
already been tested by the hwsim test cases, but those sequences did not
trigger this specific code path in AP mode which is why the issue was
not discovered earlier.

An attacker in radio range of an access point using hostapd in SAE
configuration could use this issue to perform a denial of service attack
by forcing the hostapd process to terminate.

Vulnerable versions/configurations

All hostapd versions with SAE support (CONFIG_SAE=y in the build
configuration and SAE being enabled in the runtime configuration).

Possible mitigation steps

- Merge the following commit to hostapd and rebuild:

  SAE: Fix confirm message validation in error cases

  These patches are available from https://w1.fi/security/2019-3/

- Update to hostapd v2.8 or newer, once available

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-04-11 11:26:01 +02:00
Stefan Lippers-Hollmann
262229e924 hostapd: fix CVE-2019-9495
EAP-pwd side-channel attack

Published: April 10, 2019
Identifiers:
- CVE-2019-9495 (cache attack against EAP-pwd)
Latest version available from: https://w1.fi/security/2019-2/

Vulnerability

Number of potential side channel attacks were recently discovered in the
SAE implementations used by both hostapd and wpa_supplicant (see
security advisory 2019-1 and VU#871675). EAP-pwd uses a similar design
for deriving PWE from the password and while a specific attack against
EAP-pwd is not yet known to be tested, there is no reason to believe
that the EAP-pwd implementation would be immune against the type of
cache attack that was identified for the SAE implementation. Since the
EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP
peer) does not support MODP groups, the timing attack described against
SAE is not applicable for the EAP-pwd implementation.

A novel cache-based attack against SAE handshake would likely be
applicable against the EAP-pwd implementation. Even though the
wpa_supplicant/hostapd PWE derivation iteration for EAP-pwd has
protections against timing attacks, this new cache-based attack might
enable an attacker to determine which code branch is taken in the
iteration if the attacker is able to run unprivileged code on the victim
machine (e.g., an app installed on a smart phone or potentially a
JavaScript code on a web site loaded by a web browser). This depends on
the used CPU not providing sufficient protection to prevent unprivileged
applications from observing memory access patterns through the shared
cache (which is the most likely case with today's designs).

The attacker could use information about the selected branch to learn
information about the password and combine this information from number
of handshake instances with an offline dictionary attack. With
sufficient number of handshakes and sufficiently weak password, this
might result in full recovery of the used password if that password is
not strong enough to protect against dictionary attacks.

This attack requires the attacker to be able to run a program on the
target device. This is not commonly the case on an authentication server
(EAP server), so the most likely target for this would be a client
device using EAP-pwd.

The commits listed in the end of this advisory change the EAP-pwd
implementation shared by hostapd and wpa_supplicant to perform the PWE
derivation loop using operations that use constant time and memory
access pattern to minimize the externally observable differences from
operations that depend on the password even for the case where the
attacker might be able to run unprivileged code on the same device.

Vulnerable versions/configurations

All wpa_supplicant and hostapd versions with EAP-pwd support
(CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled
in the runtime configuration).

It should also be noted that older versions of wpa_supplicant/hostapd
prior to v2.7 did not include additional protection against certain
timing differences. The definition of the EAP-pwd (RFC 5931) does not
describe such protection, but the same issue that was addressed in SAE
earlier can be applicable against EAP-pwd as well and as such, that
implementation specific extra protection (commit 22ac3dfebf7b, "EAP-pwd:
Mask timing of PWE derivation") is needed to avoid showing externally
visible timing differences that could leak information about the
password. Any uses of older wpa_supplicant/hostapd versions with EAP-pwd
are recommended to update to v2.7 or newer in addition to the mitigation
steps listed below for the more recently discovered issue.

Possible mitigation steps

- Merge the following commits to wpa_supplicant/hostapd and rebuild:

  OpenSSL: Use constant time operations for private bignums
  Add helper functions for constant time operations
  OpenSSL: Use constant time selection for crypto_bignum_legendre()
  EAP-pwd: Use constant time and memory access for finding the PWE

  These patches are available from https://w1.fi/security/2019-2/

- Update to wpa_supplicant/hostapd v2.8 or newer, once available

- Use strong passwords to prevent dictionary attacks

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-04-11 11:26:01 +02:00
Stefan Lippers-Hollmann
af606d077f hostapd: fix CVE-2019-9494
SAE side-channel attacks

Published: April 10, 2019
Identifiers:
- VU#871675
- CVE-2019-9494 (cache attack against SAE)
Latest version available from: https://w1.fi/security/2019-1/

Vulnerability

Number of potential side channel attacks were discovered in the SAE
implementations used by both hostapd (AP) and wpa_supplicant
(infrastructure BSS station/mesh station). SAE (Simultaneous
Authentication of Equals) is also known as WPA3-Personal. The discovered
side channel attacks may be able to leak information about the used
password based on observable timing differences and cache access
patterns. This might result in full password recovery when combined with
an offline dictionary attack and if the password is not strong enough to
protect against dictionary attacks.

Cache attack

A novel cache-based attack against SAE handshake was discovered. This
attack targets SAE with ECC groups. ECC group 19 being the mandatory
group to support and the most likely used group for SAE today, so this
attack applies to the most common SAE use case. Even though the PWE
derivation iteration in SAE has protections against timing attacks, this
new cache-based attack enables an attacker to determine which code
branch is taken in the iteration if the attacker is able to run
unprivileged code on the victim machine (e.g., an app installed on a
smart phone or potentially a JavaScript code on a web site loaded by a
web browser). This depends on the used CPU not providing sufficient
protection to prevent unprivileged applications from observing memory
access patterns through the shared cache (which is the most likely case
with today's designs).

The attacker can use information about the selected branch to learn
information about the password and combine this information from number
of handshake instances with an offline dictionary attack. With
sufficient number of handshakes and sufficiently weak password, this
might result in full discovery of the used password.

This attack requires the attacker to be able to run a program on the
target device. This is not commonly the case on access points, so the
most likely target for this would be a client device using SAE in an
infrastructure BSS or mesh BSS.

The commits listed in the end of this advisory change the SAE
implementation shared by hostapd and wpa_supplicant to perform the PWE
derivation loop using operations that use constant time and memory
access pattern to minimize the externally observable differences from
operations that depend on the password even for the case where the
attacker might be able to run unprivileged code on the same device.

Timing attack

The timing attack applies to the MODP groups 22, 23, and 24 where the
PWE generation algorithm defined for SAE can have sufficient timing
differences for an attacker to be able to determine how many rounds were
needed to find the PWE based on the used password and MAC
addresses. When the attack is repeated with multiple times, the attacker
may be able to gather enough information about the password to be able
to recover it fully using an offline dictionary attack if the password
is not strong enough to protect against dictionary attacks. This attack
could be performed by an attacker in radio range of an access point or a
station enabling the specific MODP groups.

This timing attack requires the applicable MODP groups to be enabled
explicitly in hostapd/wpa_supplicant configuration (sae_groups
parameter). All versions of hostapd/wpa_supplicant have disabled these
groups by default.

While this security advisory lists couple of commits introducing
additional protection for MODP groups in SAE, it should be noted that
the groups 22, 23, and 24 are not considered strong enough to meet the
current expectation for a secure system. As such, their use is
discouraged even if the additional protection mechanisms in the
implementation are included.

Vulnerable versions/configurations

All wpa_supplicant and hostapd versions with SAE support (CONFIG_SAE=y
in the build configuration and SAE being enabled in the runtime
configuration).

Acknowledgments

Thanks to Mathy Vanhoef (New York University Abu Dhabi) and Eyal Ronen
(Tel Aviv University) for discovering the issues and for discussions on
how to address them.

Possible mitigation steps

- Merge the following commits to wpa_supplicant/hostapd and rebuild:

  OpenSSL: Use constant time operations for private bignums
  Add helper functions for constant time operations
  OpenSSL: Use constant time selection for crypto_bignum_legendre()
  SAE: Minimize timing differences in PWE derivation
  SAE: Avoid branches in is_quadratic_residue_blind()
  SAE: Mask timing of MODP groups 22, 23, 24
  SAE: Use const_time selection for PWE in FFC
  SAE: Use constant time operations in sae_test_pwd_seed_ffc()

  These patches are available from https://w1.fi/security/2019-1/

- Update to wpa_supplicant/hostapd v2.8 or newer, once available

- In addition to either of the above alternatives, disable MODP groups
  1, 2, 5, 22, 23, and 24 by removing them from hostapd/wpa_supplicant
  sae_groups runtime configuration parameter, if they were explicitly
  enabled since those groups are not considered strong enough to meet
  current security expectations. The groups 22, 23, and 24 are related
  to the discovered side channel (timing) attack. The other groups in
  the list are consider too weak to provide sufficient security. Note
  that all these groups have been disabled by default in all
  hostapd/wpa_supplicant versions and these would be used only if
  explicitly enabled in the configuration.

- Use strong passwords to prevent dictionary attacks

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-04-11 11:26:01 +02:00
Florian Eckert
2101002b3d wireguard: remove obvious comments
Remove obvious comments to save disk space.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2019-04-09 22:25:11 +02:00
Florian Eckert
78b6931a1a wireguard: converted whitespaces from space to tab
With this change, the file is reduced from 5186 bytes to 4649 bytes that
its approximately 10.5 percent less memory consumption. For small
devices, sometimes every byte counts.
Also, all other protocol handler use tabs instead of spaces.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2019-04-09 22:25:02 +02:00
Hans Dedecker
c8a8294f6e ethtool: bump to 5.0
170d821 Release version 5.0.
909f8c0 Revert "ethtool: change to new sane powerpc64 kernel headers"
a484274 ethtool: dsa: mv88e6xxx: add pretty dump for others
034a17b ethtool: dsa: mv88e6xxx: add pretty dump for 88E6390
7f1cc44 ethtool: dsa: mv88e6xxx: add pretty dump for 88E6352
a13a053 ethtool: dsa: mv88e6xxx: add pretty dump for 88E6161
4e98029 ethtool: dsa: mv88e6xxx: add pretty dump for 88E6185
ff99e46 ethtool: dsa: mv88e6xxx: add pretty dump
cb8e980 ethtool: dsa: add pretty dump
4df55c8 ethtool: change to new sane powerpc64 kernel headers
0cb963e ethtool: zero initialize coalesce struct
8f05538 ethtool: don't report UFO on kernels v4.14 and above

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-04-09 14:27:59 +02:00
Hans Dedecker
80568e5854 dropbear: bump to 2019.78
Fix dbclient regression in 2019.77. After exiting the terminal would be left
in a bad state. Reported by Ryan Woodsmall

drop patch applied upstream:
	010-tty-modes-werent-reset-for-client.patch

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-04-07 20:32:55 +02:00
Michael Heimpold
32a6c252db wpan-tools: clean up Makefile
When we only call the default, we do not need to define it explicitly.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
2019-04-06 19:14:06 +02:00
Jason A. Donenfeld
549d44736a wireguard: bump to 0.0.20190406
* allowedips: initialize list head when removing intermediate nodes

Fix for an important regression in removing allowed IPs from the last
snapshot. We have new test cases to catch these in the future as well.

* tools: warn if an AllowedIP has a nonzero host part

If you try to run `wg set wg0 peer ... allowed-ips 192.168.1.82/24`, wg(8)
will now print a warning. Even though we mask this automatically down to
192.168.1.0/24, usually when people specify it like this, it's a mistake.

* wg-quick: add 'strip' subcommand

The new strip subcommand prints the config file to stdout after stripping
it of all wg-quick-specific options. This enables tricks such as:
`wg addconf $DEV <(wg-quick strip $DEV)`.

* tools: avoid unneccessary next_peer assignments in sort_peers()

Small C optimization the compiler was probably already doing.

* peerlookup: rename from hashtables
* allowedips: do not use __always_inline
* device: use skb accessor functions where possible

Suggested tweaks from Dave Miller.

* blake2s: simplify
* blake2s: remove outlen parameter from final

The blake2s implementation has been simplified, since we don't use any of the
fancy tree hashing parameters or the like. We also no longer separate the
output length at initialization time from the output length at finalization
time.

* global: the _bh variety of rcu helpers have been unified
* compat: nf_nat_core.h was removed upstream
* compat: backport skb_mark_not_on_list

The usual assortment of compat fixes for Linux 5.1.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-04-06 17:26:47 +02:00
Daniel Engberg
de3eb0d8a0 curl: Update to 7.64.1
Update curl to 7.64.1
Remove deprecated patch

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2019-04-06 13:40:29 +02:00
Hans Dedecker
f483274422 odhcpd: update to latest git HEAD
65a9519 ndp: create ICMPv6 socket per interface
c6dae8e router: create ICMPv6 socket per interface
e7b1d4b treewide: initialize properly file descriptors

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-04-05 12:04:01 +02:00
Magnus Kroken
701b8d0050 openvpn: openssl: explicitly depend on deprecated APIs
OpenVPN as of 2.4.7 uses some OpenSSL APIs that are deprecated in
OpenSSL >= 1.1.0.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [white space fix]
2019-04-03 10:00:39 +02:00
Hans Dedecker
848d85d13b netifd: update to latest git HEAD
361b3e4 proto-shell: return error in case setup fails
a97297d interface: set interface in TEARDOWN state when checking link state

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-04-01 23:12:29 +02:00
Magnus Kroken
4376c06e80 openvpn: update to 2.4.7
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2019-04-01 11:23:43 +02:00
Hans Dedecker
6df5ab89cf odhcpd: update to latest git HEAD
7798d50 netlink: rework IPv4 address refresh logic
0b20876 netlink: rework IPv6 address refresh logic

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-03-29 15:55:08 +01:00
Daniel Golle
b0395cfc56 iwinfo: Fix 802.11ad channel to frequency
c2cfe9d iwinfo: Fix 802.11ad channel to frequency

Fixes 9725aa271a ("iwinfo: update to latest git HEAD")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-03-28 15:20:58 +01:00
Daniel Golle
28920330f8 wireguard: introduce 'nohostroute' option
Instead of creating host-routes depending on fwmark as (accidentally)
pushed by commit
1e8bb50b93 ("wireguard: do not add host-dependencies if fwmark is set")
use a new config option 'nohostroute' to explicitely prevent creation
of the route to the endpoint.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-03-27 22:59:03 +01:00
Daniel Golle
1e8bb50b93 wireguard: do not add host-dependencies if fwmark is set
The 'fwmark' option is used to define routing traffic to
wireguard endpoints to go through specific routing tables.
In that case it doesn't make sense to setup routes for
host-dependencies in the 'main' table, so skip setting host
dependencies if 'fwmark' is set.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-03-27 22:53:14 +01:00
Hans Dedecker
b2152c8e6b odhcpd: update to latest git HEAD (FS#2204)
420945c netlink: fix IPv6 address updates (FS#2204)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-03-27 21:05:07 +01:00
Konstantin Demin
01964148c6 dropbear: split ECC support to basic and full
- limit ECC support to ec*-sha2-nistp256:
  * DROPBEAR_ECC now provides only basic support for ECC
- provide full ECC support as an option:
  * DROPBEAR_ECC_FULL brings back support for ec{dh,dsa}-sha2-nistp{384,521}
- update feature costs in binary size

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:35 +01:00
Konstantin Demin
5eb7864aad dropbear: rewrite init script startup logic to handle both host key files
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:34 +01:00
Konstantin Demin
6145e59881 dropbear: change type of config option "Port" to scalar type "port"
it was never used anywhere, even LuCI works with "Port" as scalar type.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:34 +01:00
Konstantin Demin
5d27b10c61 dropbear: introduce config option "keyfile" (replacement for "rsakeyfile")
* option "keyfile" is more generic than "rsakeyfile".
* option "rsakeyfile" is considered to be deprecated and should be removed
  in future releases.
* warn user (in syslog) if option "rsakeyfile" is used
* better check options ("rsakeyfile" and "keyfile"): don't append
  "-r keyfile" to command line if file is absent (doesn't exist or empty),
  warn user (in syslog) about such files

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:34 +01:00
Konstantin Demin
efc533cc2f dropbear: add initial support for ECC host key
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:33 +01:00
Konstantin Demin
c40a84cc15 dropbear: fix regression where TTY modes weren't reset for client
cherry-pick upstream commit 7bc6280613f5ab4ee86c14c779739070e5784dfe

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:33 +01:00
Konstantin Demin
ddf1a06326 dropbear: honour CFLAGS while building bundled libtomcrypt/libtommath
Felix Fietkau pointed out that bundled libtomcrypt/libtommath do funny stuff with CFLAGS.
fix this with checking environment variable OPENWRT_BUILD in both libs.
change in dropbear binary size is drastical: 221621 -> 164277.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:33 +01:00
Konstantin Demin
9c3bfd0906 dropbear: fix hardening flags during configure
compiler complains about messed up CFLAGS in build log:
  <command-line>: warning: "_FORTIFY_SOURCE" redefined
  <command-line>: note: this is the location of the previous definition

and then linker fails:
  mips-openwrt-linux-musl-gcc [...] -o dropbearmulti [...]
  collect2: fatal error: ld terminated with signal 11 [Segmentation fault]
  compilation terminated.
  /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: /tmp/cc27zORz.ltrans0.ltrans.o: relocation R_MIPS_HI16 against `cipher_descriptor' can not be used when making a shared object; recompile with -fPIC
  /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: /tmp/cc27zORz.ltrans1.ltrans.o: relocation R_MIPS_HI16 against `ses' can not be used when making a shared object; recompile with -fPIC
  /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: /tmp/cc27zORz.ltrans2.ltrans.o: relocation R_MIPS_HI16 against `cipher_descriptor' can not be used when making a shared object; recompile with -fPIC
  /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: BFD (GNU Binutils) 2.31.1 assertion fail elfxx-mips.c:6550
  [...]
  /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: BFD (GNU Binutils) 2.31.1 assertion fail elfxx-mips.c:6550
  make[3]: *** [Makefile:198: dropbearmulti] Error 1
  make[3]: *** Deleting file 'dropbearmulti'
  make[3]: Leaving directory '/build_dir/target-mips_24kc_musl/dropbear-2018.76'
  make[2]: *** [Makefile:158: /build_dir/target-mips_24kc_musl/dropbear-2018.76/.built] Error 2
  make[2]: Leaving directory '/package/network/services/dropbear'

This FTBFS issue was caused by hardening flags set up by dropbear's configure script.

By default, Dropbear offers hardening via CFLAGS and LDFLAGS,
but this may break or confuse OpenWrt settings.

Remove most Dropbear's hardening settings in favour of precise build,
but preserve Spectre v2 mitigations:
* -mfunction-return=thunk
* -mindirect-branch=thunk

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:33 +01:00
Konstantin Demin
a1099edf32 dropbear: bump to 2019.77
- drop patches applied upstream:
  * 010-runtime-maxauthtries.patch
  * 020-Wait-to-fail-invalid-usernames.patch
  * 150-dbconvert_standalone.patch
  * 610-skip-default-keys-in-custom-runs.patch
- refresh patches
- move OpenWrt configuration from patch to Build/Configure recipe,
  thus drop patch 120-openwrt_options.patch

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:32 +01:00
Hauke Mehrtens
94ffb7be4d netifd: update to latest git HEAD
a8cf037 netifd: wireless: Add support for GCMP cipher
34a70b6 netifd: wireless: Add support for 802.11ad

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-03-21 17:07:52 +01:00
Hauke Mehrtens
9725aa271a iwinfo: update to latest git HEAD
ce1814b iwinfo: Add device ID for Wilocity Wil6210
a8e8275 iwinfo: Add support for 802.11ad

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-03-21 17:07:43 +01:00
Hans Dedecker
1ca69003fd odhcpd: update to latest git HEAD (FS#2160)
6d23385 dhcpv6: extra syslog tracing
b076916 dhcpv6/router: add support for mutiple master interfaces
e4a24dc ndp: fix adding proxy neighbor entries
4ca7f7e router: add extra syslog tracing
8318e93 netlink: fix neighbor event handling (FS#2160)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-03-21 16:06:10 +01:00
Deng Qingfang
31078dbc76 iproute2: update to 5.0.0
Update iproute2 to 5.0.0
Remove upstream patch 001-tc-fix-undefined-XATTR_SIZE_MAX
Alter patch 170-ip_tiny as support for IPX and DECnet is dropped
Update patch 010-cake-fwmark to match upstream commit

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-03-20 21:48:04 +01:00
Ryan Mounce
ffb2a3aa2a iproute2: add cake fwmark support
Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
2019-03-20 07:07:15 +10:30
Deng Qingfang
89c8232f78 ipset: size optimizations
ipset utility was linked statically to libipset. Disable static library for dynamic linking to save space.
Add -Wl,--gc-sections,--as-needed for further reduction

MIPS ipk size:
ipset: 29KiB -> 2KiB
libipset: 39KiB -> 38KiB

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-03-17 22:17:48 +01:00
Felix Fietkau
04e4b779cc mac80211: backport the txq scheduling / airtime fairness API
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-03-16 19:59:02 +01:00
Felix Fietkau
fd8ca8deb3 netifd: add support for suppressing the DHCP request hostname by setting it to *
dnsmasq (and probably other DHCP servers as well) does not like to hand out
leases with duplicate host names.
Adding support for skipping the hostname makes it easier to deploy setups
where it is not guaranteed to be unique

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-03-16 19:59:02 +01:00
Tony Ambardar
b61495409b iproute2: tc: reduce size of dynamic symbol table
In the case of SHARED_LIBS=y, don't use -export-dynamic to place *all*
symbols into the dynamic symbol table. Instead, use --dynamic-list to
export a smaller set of symbols similar to that defined in static-syms.h
in the case of SHARED_LIBS=n, avoiding an 11 KB tc package size increase.
The symbol set is based on that required by the only plugin, m_xt.so.

Also increment PKG_RELEASE.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE fixup]
2019-03-14 22:55:06 +01:00
Tony Ambardar
0b57a2165a iproute2: tc: enable and fix support for using .so plugins
This enables using the tc module m_xt.so, which uses the act_ipt kernel
module to allow tc actions based on iptables targets. e.g.

   tc filter add dev eth0 parent 1: prio 10 protocol ip \
   u32 match u32 0 0 action xt -j DSCP --set-dscp-class BE

Make the SHARED_LIBS parameter configurable and based on tc package
selection.

Fix a problem using the tc m_xt.so plugin as also described in
https://bugs.debian.org/868059:

  Sync include/xtables.h from iptables to make sure the right offset is
  used when accessing structure members defined in libxtables. One could
  get “Extension does not know id …” otherwise. (See also: #868059)

Patch to sync the included xtables.h with system iptables 1.6.x. This
continues to work with iptables 1.8.2.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-03-14 22:54:59 +01:00
Tony Ambardar
f61359e16e iproute2: support eBFP/XDP object file loading, simplify linking libelf
Add build and runtime dependencies on libelf, allowing tc and ip-full
to load BPF and XDP object files respectively.

Define package 'tc' as a singleton package variant, which can be used to
enable additional functionality limited only to tc. Also set ip-tiny
as the default 'ip' variant.

Preserve optionality of libelf by having configuration script follow the
HAVE_ELF environment variable, used similarly to the HAVE_MNL variable.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-03-14 22:54:50 +01:00
Hans Dedecker
127d38f219 netifd: update to latest git HEAD (FS#2087)
81ac3bc interface-ip: fix delegate config update on reload (FS#2087)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-03-14 13:50:51 +01:00
Hauke Mehrtens
26af8e48d3 linux-atm: Fix compile problem with kernel 4.20
This fixes the following compile problem with kernel 4.20:

In file included from arp.c:20:0:
include/linux/if_arp.h:121:16: error: 'IFNAMSIZ' undeclared here (not in a function)
  char  arp_dev[IFNAMSIZ];
                ^~~~~~~~
make[7]: *** [Makefile:459: arp.o] Error 1

This is caused by commit 6a12709da354 ("net: if_arp: use define instead
of hard-coded value") in the upstream Linux kernel which is integrated
in Linux 4.20.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-03-10 19:04:30 +01:00
Vieno Hakkerinen
c3425be082 6to4: update OpenWrt documentation URL
Signed-off-by: Vieno Hakkerinen <txt.file@txtfile.eu>
2019-03-09 18:19:18 +01:00
Jo-Philipp Wich
64bb88841f uqmi: inherit firewall zone membership to virtual sub interfaces
Fix an issue where subinterfaces were not added to the same
firewall zone as their parent.

Fixes: FS#2122
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-03-05 13:19:43 +01:00
Daniel Golle
e882d5bf31 iwinfo: update to latest git
b514490 iwinfo: add device id for MediaTek MT7603E
e9e1400 iwinfo: more Ralink and MediaTek WiSoC and PCIe chips
cb108c5 iwinfo: fix capitalization of vendor name

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-03-01 23:25:59 +01:00
Jason A. Donenfeld
2e9b92da1f wireguard: bump to 0.0.20190227
* wg-quick: freebsd: allow loopback to work

FreeBSD adds a route for point-to-point destination addresses. We don't
really want to specify any destination address, but unfortunately we
have to. Before we tried to cheat by giving our own address as the
destination, but this had the unfortunate effect of preventing
loopback from working on our local ip address. We work around this with
yet another kludge: we set the destination address to 127.0.0.1. Since
127.0.0.1 is already assigned to an interface, this has the same effect
of not specifying a destination address, and therefore we accomplish the
intended behavior. Note that the bad behavior is still present in Darwin,
where such workaround does not exist.

* tools: remove unused check phony declaration
* highlighter: when subtracting char, cast to unsigned
* chacha20: name enums
* tools: fight compiler slightly harder
* tools: c_acc doesn't need to be initialized
* queueing: more reasonable allocator function convention

Usual nits.

* systemd: wg-quick should depend on nss-lookup.target

Since wg-quick(8) calls wg(8) which does hostname lookups, we should
probably only run this after we're allowed to look up hostnames.

* compat: backport ALIGN_DOWN
* noise: whiten the nanoseconds portion of the timestamp

This mitigates unrelated sidechannel attacks that think they can turn
WireGuard into a useful time oracle.

* hashtables: decouple hashtable allocations from the main device allocation

The hashtable allocations are quite large, and cause the device allocation in
the net framework to stall sometimes while it tries to find a contiguous
region that can fit the device struct. To fix the allocation stalls, decouple
the hashtable allocations from the device allocation and allocate the
hashtables with kvmalloc's implicit __GFP_NORETRY so that the allocations fall
back to vmalloc with little resistance.

* chacha20poly1305: permit unaligned strides on certain platforms

The map allocations required to fix this are mostly slower than unaligned
paths.

* noise: store clamped key instead of raw key

This causes `wg show` to now show the right thing. Useful for doing
comparisons.

* compat: ipv6_stub is sometimes null

On ancient kernels, ipv6_stub is sometimes null in cases where IPv6 has
been disabled with a command line flag or other failures.

* Makefile: don't duplicate code in install and modules-install
* Makefile: make the depmod path configurable

* queueing: net-next has changed signature of skb_probe_transport_header

A 5.1 change. This could change again, but for now it allows us to keep this
snapshot aligned with our upstream submissions.

* netlink: don't remove allowed ips for new peers
* peer: only synchronize_rcu_bh and traverse trie once when removing all peers
* allowedips: maintain per-peer list of allowedips

This is a rather big and important change that makes it much much faster to do
operations involving thousands of peers. Batch peer/allowedip addition and
clearing is several orders of magnitude faster now.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-28 08:50:19 +01:00
Hans Dedecker
c8153722a2 odhcpd: update to latest git HEAD
16c5b6c ubus: always trigger an update if interface is not found

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-27 12:12:48 +01:00
David Santamaría Rogado
e9b2a1e382 omcproxy: define configuration file
omcproxy's configuration is lost on every update or installation.
Avoid it by defining the configuration file.

Signed-off-by: David Santamaría Rogado <howl.nsp@gmail.com>
2019-02-27 10:26:14 +01:00
Mantas Pucka
abf445f189 Revert "iw: compile with LTO enabled"
After update to 5.0.1 iw-full package failed to display command list on
ipq40xx arch. Root cause was found to be LTO reordering causing
incorrect detection of command struct size in:

iw.c:552
	cmd_size = labs((long)&__section_set - (long)&__section_get);

This reverts commit ef16a394d2.

Signed-off-by: Mantas Pucka <mantas@8devices.com>
2019-02-26 23:20:04 +01:00
Hans Dedecker
0b4b1027c6 odhcpd: update to latest git HEAD (FS#2142)
9e9389c dhcpv4: fix adding assignment in list (FS#2142)
e69265b dhcpv4: fix static lease lookup
afbd7dd dhcp: rework assignment free logic

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-25 12:07:52 +01:00
Alexander Couzens
b7f2adbdd3
package/dnsmasq: add max_ttl/min_cache_ttl/max_cache_ttl
max_ttl - limit the ttl in the dns answer if greater as $max_ttl
min_cache_ttl - force caching of dns answers even the ttl in the answer
		is lower than the $min_cache_ttl
max_cache_ttl - cache only dns answer for $max_cache_ttl.

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2019-02-24 01:48:25 +01:00
Yousong Zhou
c17a68cc61 dnsmasq: prefer localuse over resolvfile guesswork
This makes it clear that localuse when explicitly specified in the
config will have its final say on whether or not the initscript should
touch /etc/resolv.conf, no matter whatever the result of previous
guesswork would be

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-02-23 01:58:20 +00:00
Daniel Golle
0b373bf4d6 uqmi: fix PIN_STATUS_FAILED error with MC7455 WCDMA/LTE modem
Apparently this modem replies differently to attempted --get-pin-status
which makes the script fail if a pincode is set. Fix this.

Manufacturer: Sierra Wireless, Incorporated
Model: MC7455
Revision: SWI9X30C_02.24.05.06 r7040 CARMD-EV-FRMWR2 2017/05/19 06:23:09

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-02-20 15:16:24 +01:00
Arnout Vandecappelle (Essensium/Mind)
2e0f41e73a hostapd: add Multi-AP patches and config options
Cherry-pick Multi-AP commits from uptream:
 9c06f0f6a hostapd: Add Multi-AP protocol support
 5abc7823b wpa_supplicant: Add Multi-AP backhaul STA support
 a1debd338 tests: Refactor test_multi_ap
 bfcdac1c8 Multi-AP: Don't reject backhaul STA on fronthaul BSS
 cb3c156e7 tests: Update multi_ap_fronthaul_on_ap to match implementation
 56a2d788f WPS: Add multi_ap_subelem to wps_build_wfa_ext()
 83ebf5586 wpa_supplicant: Support Multi-AP backhaul STA onboarding with WPS
 66819b07b hostapd: Support Multi-AP backhaul STA onboarding with WPS
 8682f384c hostapd: Add README-MULTI-AP
 b1daf498a tests: Multi-AP WPS provisioning

Add support for Multi-AP to the UCI configuration. Every wifi-iface gets
an option 'multi_ap'. For APs, its value can be 0 (multi-AP support
disabled), 1 (backhaul AP), 2 (fronthaul AP), or 3 (fronthaul + backhaul
AP). For STAs, it can be 0 (not a backhaul STA) or 1 (backhaul STA, can
only associate with backhaul AP).

Also add new optional parameter to wps_start ubus call of
wpa_supplicant to indicate that a Multi-AP backhaul link is required.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-02-20 13:17:11 +01:00
Hans Dedecker
1bdd3b5f7d Revert "iproute2: use tc package variant to limit other package sizes"
This reverts commit e6d84fa886 as it breaks the
installation of the iproute2 utilities ip-bridge, ss, nstat, devlink and rdma
for the ip-full variant

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-19 15:22:28 +01:00
Hans Dedecker
de14f4301e Revert "iproute2: simplify linking libelf for eBFP/XDP object file support"
This reverts commit 26681fa6a6 as it breaks the
installation of the iproute2 utilities ip-bridge, ss, nstat, devlink and rdma
for the ip-full variant

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-19 15:22:28 +01:00
Hans Dedecker
566bfa417e Revert "iproute2: tc: enable and fix support for using .so plugins"
This reverts commit fc80ef3613 as it breaks the
installation of the iproute2 utilities ip-bridge, ss, nstat, devlink and
rdma for the ip-full variant

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-19 15:22:28 +01:00
Hans Dedecker
96060b3018 Revert "iproute2: tc: reduce size of dynamic symbol table"
This reverts commit 248797834b as it breaks the
installation of the iproute2 utilities ip-bridge, ss, nstat, devlink and rdma
for the ip-full variant

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-19 15:22:28 +01:00
Yousong Zhou
ec2a2a2aea dnsmasq: allow using dnsmasq as the sole resolver
Currently it seems impossible to configure /etc/config/dhcp to achieve
the following use case

 - run dnsmasq with no-resolv
 - re-generate /etc/resolv.conf with "nameserver 127.0.0.1"

Before this change, we have to set resolvfile to /tmp/resolv.conf.auto
to achive the 2nd effect above, but setting resolvfile requires noresolv
being false.

A new boolean option "localuse" is added to indicate that we intend to
use dnsmasq as the local dns resolver.  It's false by default and to
align with old behaviour it will be true automatically if resolvfile is
set to /tmp/resolv.conf.auto

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-19 13:06:06 +00:00
Hans Dedecker
331963717b odhcpd: update to latest git HEAD
1f01299 config: fix build failure in case DHCPv4 support is disabled
67b3a14 dhcpv4: fix assignment of requested IP address
ca8ba91 dhcp: rework static lease logic
36833ea dhcpv6: rapid commit support
1ae316e dhcpv6: fix parsing of DHCPv6 relay messages
80157e1 dhcpv4: fix compile issue
671ccaa dhcpv6-ia: move function definitions to odhcpd.h
0db69b0 dhcpv6: improve code readibility
7847b27 treewide: unify dhcpv6 and dhcpv4 assignments
a54cee0 netlink: rework handling of netlink messages
9f25dd8 treewide: use avl tree to store interfaces
f21a0a7 treewide: align syslog tracing
edc5fb0 dhcpv6-ia: add full CONFIRM support
9d6eadf dhcpv6-ia: rework append_reply()

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-18 16:11:32 +01:00
Rosy Song
93b984b78a samba36: allow build with no ipv6 support
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2019-02-17 19:22:39 +01:00
Deng Qingfang
f5db5742e4 iw: update to 5.0.1
Refresh patches

MIPS IPK size increases:
iw-tiny: +3k
iw-full: +10k

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
[Remove sha256, nan, bloom, measurements and ftm from tiny version]
[sync nl80211 between backports and iw]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-02-17 17:33:18 +01:00
Jonas Gorski
c8a30172f8 dnsmasq: ensure test and rc order as older than final releases
Opkg treats text after a version number as higher than without:

 ~# opkg compare-versions "2.80rc1" "<<" "2.80"; echo $?
 1
 ~# opkg compare-versions "2.80rc1" ">>" "2.80"; echo $?
 0

This causes opkg not offering final release as upgradable version, and
even refusing to update, since it thinks the installed version is
higher.

This can be mitigated by adding ~ between the version and the text, as ~
will order as less than everything except itself. Since 'r' < 't', to
make sure that test will be treated as lower than rc we add a second ~
before the test tag. That way, the ordering becomes

  2.80~~test < 2.80~rc < 2.80

which then makes opkg properly treat prerelease versions as lower.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
2019-02-17 16:55:24 +01:00
Felix Fietkau
5b6997dcb3 hostapd: update the fix for a race condition in mesh new peer handling
Prevent the mesh authentication state machine from getting reset on bogus
new peer discovery

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-17 16:06:44 +01:00
Felix Fietkau
f948aa4d4f hostapd: enable CONFIG_DEBUG_SYSLOG for wpa_supplicant
It was already enabled for wpad builds and since commit 6a15077e2d
the script relies on it. Size impact is minimal (2 kb on MIPS .ipk).

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-17 13:05:14 +01:00
Hans Dedecker
880f8e6d32 dnsmasq: add rapid commit config option
Add config option rapidcommit to enable support for DHCPv4 rapid
commit (RFC4039)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-13 10:37:36 +01:00
Felix Fietkau
db93949aa3 hostapd: fix race condition in mesh new peer handling
Avoid trying to add the same station to the driver multiple times

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-12 15:12:35 +01:00
Felix Fietkau
6a15077e2d hostapd: send wpa_supplicant logging output to syslog
Helpful for debugging network connectivity issues

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-12 15:12:35 +01:00
Tony Ambardar
248797834b iproute2: tc: reduce size of dynamic symbol table
In the case of SHARED_LIBS=y, don't use -export-dynamic to place *all*
symbols into the dynamic symbol table. Instead, use --dynamic-list to
export a smaller set of symbols similar to that defined in static-syms.h
in the case of SHARED_LIBS=n, avoiding an 11 KB tc package size increase.

Also increment PKG_RELEASE.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar
fc80ef3613 iproute2: tc: enable and fix support for using .so plugins
This enables using the tc module m_xt.so, which uses the act_ipt kernel
module to allow tc actions based on iptables targets. e.g.

   tc filter add dev eth0 parent 1: prio 10 protocol ip \
   u32 match u32 0 0 action xt -j DSCP --set-dscp-class BE

Make the SHARED_LIBS parameter configurable and based on tc package
selection.

Fix a problem using the tc m_xt.so plugin as also described in
https://bugs.debian.org/868059:

  Sync include/xtables.h from iptables to make sure the right offset is
  used when accessing structure members defined in libxtables. One could
  get “Extension does not know id …” otherwise. (See also: #868059)

Patch to sync the included xtables.h with system iptables 1.6.x. This
continues to work with iptables 1.8.2.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar
26681fa6a6 iproute2: simplify linking libelf for eBFP/XDP object file support
Simplify build and runtime dependencies on libelf, which allows tc and ip
to load BPF and XDP object files respectively.

Preserve optionality of libelf by having configuration script follow the
HAVE_ELF environment variable, used similarly to the HAVE_MNL variable.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar
e6d84fa886 iproute2: use tc package variant to limit other package sizes
Replace the old 'tc' with a singleton package variant which will be used
to enable additional functionality and limit it only to tc. Non-variant
packages will only be installed during 'tiny' variant builds, hence will
be configured without extra features, thus preserving previously limited
functionality and reduced package sizes.

Also set ip-tiny as the default variant, and install 'tiny' versions of
development libraries.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar
bc86da377c iproute2: simplify Makefile, patches and fix feature detection
Compile-based feature detection (e.g. xtables, ipset support) was broken
due to silent compilation errors in the configure script, caused by a
Makefile variable KERNEL_INCLUDE referring to kernel build headers. Use
userspace headers by setting the same "user_headers" kernel include path
as used for the iptables build.

Remove redundant or unused Build/Configure definitions from package
Makefile, including KERNEL_INCLUDE, LIBC_INCLUDE and DBM includes.

Don't pass LDFLAGS within MAKE_FLAGS as this interferes with LDFLAGS in
tc/Makefile and masks a link parameter ("-Wl,-export-dynamic"). Instead,
use standard TARGET_LDFLAGS.

Replace EXTRA_CCOPTS in MAKE_FLAGS with cleaner TARGET_CPPFLAGS, and also
drop now unneeded patch 150-extra-ccopts.patch.

Enable defining XT_LIB_DIR from Makefile, needed to set the iptables
modules directory to something other than /lib/xtables, and also add
libxtables dependency. Both are needed with working xtables detection.
Note that libxtables is also pulled in by iptables, firewall or luci, so
this change has no size impact in most cases.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar
43e14a2f9e iproute2: fix broken configuration patch
Since v4.13, iproute2 switched to a config.mk file with greater use of
pkg-config for library/feature detection. Replace the old Config patch
with one modifying the configure script but enabling the same changes:
 - explicitly disable TC_CONFIG_ATM
 - rely on feature detection for IP_CONFIG_SETNS and TC_CONFIG_XT

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Hans Dedecker
630a363936 vti: remove setting default firewall zone to wan
Same reasoning as in bdedb798150a58ad7ce3c4741f2f31df97e84c3f; don't set
default firewall zone to wan as the firewall zone for the vti interface
can be configured in the firewall config or it makes it impossible not to
specify a firewall zone for the vti interface.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-09 21:04:36 +01:00
Hans Dedecker
7f33f3d712 ipip: remove setting default firewall zone to wan
Same reasoning as in bdedb798150a58ad7ce3c4741f2f31df97e84c3f; don't set
default firewall zone to wan as the firewall zone for the ipip interface
can be configured in the firewall config or it makes it impossible not to
specify a firewall zone for the ipip interface.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-09 21:04:08 +01:00
Deng Qingfang
39273b849f curl: bump to 7.64.0
Fixed CVEs:

CVE-2018-16890
CVE-2019-3822
CVE-2019-3823

For other changes in version 7.64.0 see https://curl.haxx.se/changes.html#7_64_0

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-02-08 08:37:24 +01:00
Florian Eckert
bdedb79815 gre: remove setting default firewall zone to wan
There are two problems with this behaviour that the zone is set to wan
if no zone config option is defined in the interface section.

* The zone for the interface is "normally" specified in the firewall
config file. So if we have defined "no" zone for this interface zone
option is set now to "wan" additonaly if we add the interface in the firewall
config section to the "lan" zone, the interface is added to lan and wan at once.

iptables-save | grep <iface>

This is not what I expect.

* If I do not want to set a zone to this interface it is not possible.

Remove the default assigment to wan if no zone option is defined.
If some one need the option it stil possible to define this option.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2019-02-07 21:58:07 +01:00
Hans Dedecker
8399ee4543 netifd: handle hotplug event socket errors
5cd7215 system-linux: handle hotplug event socket ENOBUFS errors

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-31 22:14:55 +01:00
Kevin Darbyshire-Bryant
352db3e62a dnsmasq: latest pre-2.81 patches
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-01-31 10:13:05 +00:00
Jo-Philipp Wich
c6aa9ff388 uhttpd: disable concurrent requests by default
In order to avoid straining CPU and memory resources on lower end devices,
avoid running multiple CGI requests in parallel.

Ref: https://forum.openwrt.org/t/high-load-fix-on-openwrt-luci/29006
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-30 10:12:00 +01:00
Hans Dedecker
a3ccac6b1d iproute2: drop libbsd dependency
As the usage of libbsd is no longer limited to glibc, prevent libbsd
being picked up by removing the dependency on libbsd.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-29 14:00:13 +01:00
Felix Fietkau
4443804b54 wpa_supplicant: fix calling channel switch via wpa_cli on mesh interfaces
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-29 11:27:13 +01:00
Felix Fietkau
ae6b5815cd hostapd: add support for passing CSA events from sta/mesh to AP interfaces
Fixes handling CSA when using AP+STA or AP+Mesh

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-29 11:27:06 +01:00
Hans Dedecker
617e414643 map: depend on nat46, provide map-t
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-27 18:39:55 +01:00
Hans Dedecker
633cac0cb4 464xlat: import from routing, add myself as maintainer
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-27 18:39:18 +01:00
Martin Schiller
eaaee181d1 ppp: update to version 2.4.7.git-2018-06-23
This bumps ppp to latest git version.

There is one upstream commit, which changes DES encryption calls from
libcrypt / glibc to openssl.

As long as we don't use glibc-2.28, revert this commit.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2019-01-25 14:55:46 +01:00
Jo-Philipp Wich
b1781d5841 iproute2: replace libelf1 dependency with libelf
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-24 12:56:31 +01:00
Jo-Philipp Wich
0e70f69a35 treewide: revise library packaging
- Annotate versionless libraries (such as libubox, libuci etc.) with a fixed
  ABI_VERSION resembling the source date of the last incompatible change
- Annotate packages shipping versioned library objects with ABI_VERSION
- Stop shipping unversioned library symlinks for packages with ABI_VERSION

Ref: https://openwrt.org/docs/guide-developer/package-policies#shared_libraries
Ref: https://github.com/KanjiMonster/maintainer-tools/blob/master/check-abi-versions.pl
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-24 10:39:30 +01:00
Jason A. Donenfeld
bbcd0634f8 wireguard: bump to 0.0.20190123
* tools: curve25519: handle unaligned loads/stores safely

This should fix sporadic crashes with `wg pubkey` on certain architectures.

* netlink: auth socket changes against namespace of socket

In WireGuard, the underlying UDP socket lives in the namespace where the
interface was created and doesn't move if the interface is moved. This
allows one to create the interface in some privileged place that has
Internet access, and then move it into a container namespace that only
has the WireGuard interface for egress. Consider the following
situation:

1. Interface created in namespace A. Socket therefore lives in namespace A.
2. Interface moved to namespace B. Socket remains in namespace A.
3. Namespace B now has access to the interface and changes the listen
port and/or fwmark of socket. Change is reflected in namespace A.

This behavior is arguably _fine_ and perhaps even expected or
acceptable. But there's also an argument to be made that B should have
A's cred to do so. So, this patch adds a simple ns_capable check.

* ratelimiter: build tests with !IPV6

Should reenable building in debug mode for systems without IPv6.

* noise: replace getnstimeofday64 with ktime_get_real_ts64
* ratelimiter: totalram_pages is now a function
* qemu: enable FP on MIPS

Linux 5.0 support.

* keygen-html: bring back pure javascript implementation

Benoît Viguier has proofs that values will stay well within 2^53. We
also have an improved carry function that's much simpler. Probably more
constant time than emscripten's 64-bit integers.

* contrib: introduce simple highlighter library

This is the highlighter library being used in:
- https://twitter.com/EdgeSecurity/status/1085294681003454465
- https://twitter.com/EdgeSecurity/status/1081953278248796165

It's included here as a contrib example, so that others can paste it into
their own GUI clients for having the same strictly validating highlighting.

* netlink: use __kernel_timespec for handshake time

This readies us for Y2038. See https://lwn.net/Articles/776435/ for more info.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-23 18:06:49 +01:00
Deng Qingfang
752bd72668 iproute2: update to 4.20.0
Update to the latest version of iproute2; see https://lwn.net/Articles/776174/
for a full overview of the changes in 4.20.
Remove upstream patch 001-fix-print_0xhex-on-32-bit.patch and 002-tc-fix-xtables-incorrect-usage-of-LDFLAGS.patch
Introduce a patch to include <linux/limits.h> for XATTR_SIZE_MAX in tc

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-01-23 17:55:21 +01:00
Jeffery To
d13e86d4c2 procd: Add wrapper for uci_validate_section()
This adds a wrapper (uci_load_validate) for uci_validate_section() that
allows callers (through a callback function) to access the values set by
uci_validate_section(), without having to manually declare a
(potentially long) list of local variables.

The callback function receives two arguments when called, the config
section name and the return value of uci_validate_section().

If no callback function is given, then the wrapper exits with the value
returned by uci_validate_section().

This also updates several init scripts to use the new wrapper function.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-01-22 09:05:59 +01:00
Carsten Wolff
2bf22b1fb7 iputils: install ping, ping6, traceroute6 with setuid root
these utilities need to run with uid 0 to be useful. Thus,
install them setuid root like other distros do, too.

Signed-off-by: Carsten Wolff <carsten@wolffcarsten.de>
[use INSTALL_SUID macro]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-22 09:05:59 +01:00
Jo-Philipp Wich
62fbdcaf06 conntrack-tools: relocated to packages feed
In order to prepare the switch from librpc to libtirpc, we need to relocate
conntrack-tools to the packages feed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-22 08:14:00 +01:00
Jo-Philipp Wich
797e5c1c48 packages: set more explicit ABI_VERSION values
In the case of upstream libraries, set the ABI_VERSION variable to the
soname value of the first version version after the last backwards
incompatible change.

For custom OpenWrt libraries, set the ABI_VERSION to the date of the
last Git commit doing backwards incompatible changes to the source,
such as changing function singatures or dropping exported symbols.

The soname values have been determined by either checking
https://abi-laboratory.pro/index.php?view=tracker or - in the case
of OpenWrt libraries - by carefully reviewing the changes made to
header files thorough the corresponding Git history.

In the future, the ABI_VERSION values must be bumped whenever the
library is updated to an incpompatible version but not with every
package update, in order to reduce the dependency churn in the
binary package repository.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-19 14:31:51 +01:00
Rosy Song
27be78ef46 dnsmasq: allow building without tftp server support
It saves 2871 bytes on package size while 4 bytes on memory size.

Signed-off-by: Rosy Song <rosysong@rosinson.com>
2019-01-17 22:07:06 +01:00
Hans Dedecker
76cc766521 odhcpd: fix onlink IA check (FS#2060)
0a36768 dhcpv6-ia: fix compiler warning
1893905 dhcpv6-ia: fix onlink IA check (FS#2060)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-16 23:01:05 +01:00
Kevin Darbyshire-Bryant
7541d30c9c dnsmasq: backport latest pre2.81 patches
f52bb5b fix previous commit
18eac67 Fix entries in /etc/hosts disabling static leases.
f8c77ed Fix removal of DHCP_CLIENT_MAC options from DHCPv6 relay replies.
4bf62f6 Tidy cache_blockdata_free()
9c0d445 Fix e7bfd556c079c8b5e7425aed44abc35925b24043 to actually work.
2896e24 Check for not(DS or DNSKEY) in is_outdated_cname_pointer()
a90f09d Fix crash freeing negative SRV cache entries.
5b99eae Cache SRV records.
2daca52 Fix typo in ra-param man page section.
2c59473 File logic bug in cache-marshalling code. Introduced a couple of commits back.
cc921df Remove nested struct/union in cache records and all_addr.
ab194ed Futher address union tidying.
65a01b7 Tidy address-union handling: move class into explicit argument.
bde4647 Tidy all_addr union, merge log and rcode fields.
e7bfd55 Alter DHCP address selection after DECLINE in consec-addr mode. Avoid offering the same address after a recieving a DECLINE message to stop an infinite protocol loop. This has long been done in default address allocation mode: this adds similar behaviour when allocaing addresses consecutively.

The most relevant fix for openwrt is 18eac67 (& my own local f52bb5b
which fixes a missing bracket silly) To quote the patch:

It is possible for a config entry to have one address family specified by a
dhcp-host directive and the other added from /etc/hosts. This is especially
common on OpenWrt because it uses odhcpd for DHCPv6 and IPv6 leases are
imported into dnsmasq via a hosts file.

To handle this case there need to be separate *_HOSTS flags for IPv4 and IPv6.
Otherwise when the hosts file is reloaded it will clear the CONFIG_ADDR(6) flag
which was set by the dhcp-host directive.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-01-16 15:39:54 +00:00
Hans Dedecker
4029788ff3 odhcpd: update to latest git HEAD (FS#2020)
7abbed4 dhcpv6: add setting to choose IA_NA, IA_PD or both
dd1aefd router: add syslog tracing for skipped routes
0314d58 router: filter route information option
5e99738 router: make announcing DNS info configurable (FS#2020)
1fe77f3 router: check return code of odhcpd_get_interface_dns_addr()
8f49804 config: check for invalid DNS addresses

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-15 14:02:21 +01:00
Hans Dedecker
70ffcb947c odhcp6c: update to latest git HEAD
d2e247d odhcp6c: align further with RFC8415
ce83a23 dhcpv6: avoid parsing unncessary IAs
b079733 dhcpv6: set cnt to correct IOV enum
41494da dhcpv6: get rid of request_prefix
f7437e4 dhcpv6: sanitize option request list

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-11 15:26:06 +01:00
Rafał Miłecki
ef1efa756e samba36: add package with hotplug.d script for auto sharing
The new samba36-hotplug package provides a hotplug.d script for the
"mount" subsystem. It automatically shares every mounted block device.

It works by updating /var/run/config/samba file which:
1) Is read by procd init script
2) Gets wiped on reboot providing a consistent state
3) Can be safely updated without flash wearing or conflicting with user
   changes being made in /etc/config/samba

Cc: Rosy Song <rosysong@rosinson.com>
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2019-01-10 10:33:40 +01:00
Rafał Miłecki
5a59e2c059 samba36: append config from /var/run/config/ for runtime shares
This will allow automation/hotplug.d scripts to store runtime shares in
the /var/run/config/samba. It's useful e.g. for USB drives that user
wants to be automatically shared.

Using /var/run/config/ provides:
1) Automated cleaning on reboots
   It's important for consistency (to avoid sharing non-existing drives)
2) Safety for user non-commited changes
   Automated scripts should never call "uci [foo] commit" as that could
   flush incomplete config.

Another minor gain is avoiding flash wearing for runtime setup.

Cc: Rosy Song <rosysong@rosinson.com>
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2019-01-10 10:33:40 +01:00
Hans Dedecker
fd5f0606fd firewall: update to latest git HEAD
70f8785 zones: add zone identifying local traffic in raw OUTPUT chain
6920de7 utils: Free args in __fw3_command_pipe()
6ba9105 options: redirects: Fix possible buffer overflows

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-03 17:09:51 +01:00
Hauke Mehrtens
99956528df hostapd: update to version 2018-12-02 (2.7)
This updates hostapd to version the git version from 2018-12-02 which
matches the 2.7 release.

The removed patches were are already available in the upstream code, one
additional backport is needed to fix a compile problem.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-01-02 15:47:13 +01:00
Mathias Kresin
213c0e78fa iwinfo: fix PKG_MIRROR_HASH
The PKG_MIRROR_HASH was for some reason wrong.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2018-12-30 20:33:49 +01:00
Hans Dedecker
d405edb481 omcproxy: optimize interface triggers
Before installing an interface triggger check if an interface
trigger for the interface is already in place.
This avoids installing identical interface triggers for a given
interface

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-29 16:08:31 +01:00
David Santamaría Rogado
df8f8bad08 omcproxy: fix installation of interface triggers (FS#1972)
omcproxy will not start up if either the downlink or uplink interface is
not up at boottime as the interface triggers are not correctly
installed.

Further rework omcproxy init to make use of network functions defined
in network.sh; set proper family and proto options in procd firewall
rules.

Signed-off-by: David Santamaría Rogado <howl.nsp@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-29 16:07:51 +01:00
Mathias Kresin
a5030f8b10 iwinfo: update to latest git
dd508af iwinfo: fix QCA9984 vendor id
0eaabf1 iwinfo: add device id for Atheros AR9287
6e998ec iwinfo: add device id for MediaTek MT7612E
5aa8c54 libiwinfo: nl80211: add mesh stats on assoclist.
77a9e98 iwinfo: Add Mikrotik R11e-2HPnD and R11e-5HacT to hardware list

Signed-off-by: Mathias Kresin <dev@kresin.me>
2018-12-29 12:35:47 +01:00
Rafał Miłecki
ae622c93b3 Revert "samba36: add hotplug support"
This reverts commit fd569e5e9d.

After an extra review & discussion few concerns were raised regarding
that feature:
1) It reacts to hotplug.d "block" events instead of more accurate (but
   currently unavailable) "mount" events.
2) It requires *something* to mount block device before samba hotplug.d
   gets fired. Otherwise samba_add_section() will just return.
3) It doesn't reload Samba which some users may expect
4) It operates on /etc/ which is not a right place for autogenerated
   ephemeral config.
5) It doesn't include any cleanup for non-existing shares.

Cc: Rosy Song <rosysong@rosinson.com>
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2018-12-28 23:09:38 +01:00
Stijn Tintel
c5b89abe2a lldpd: consolidate CONFIGURE_VARS
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2018-12-28 12:19:32 +02:00
Daniel Engberg
9a37c95431 wireguard: Update to snapshot 0.0.20181218
Update WireGuard to 0.0.20181218

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-12-24 12:58:22 +01:00
Deng Qingfang
0babdf2d2b curl: bump to 7.63.0
Refresh patches, for changes in version 7.63.0 see https://curl.haxx.se/changes.html#7_63_0

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2018-12-24 09:46:06 +01:00
Hans Dedecker
f36bc3f9b1 odhcpd: use PKG_VERSION default value
Instrad of defining PKG_VERSION in the Makefile use the PKG_VERSION
default value

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-21 18:30:01 +01:00
Hans Dedecker
9b8ea3623b odhcpd: add PKG_VERSION again
Fixes commit 63d0752ca8

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-20 16:50:08 +01:00
Hans Dedecker
63d0752ca8 odhcpd: update to latest git HEAD
2d2a3b8 odhcpd: switch to libubox container_of implementation
2a71c1e treewide: switch to libubox ARRAY_SIZE immplementation

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-20 15:43:31 +01:00
Jo-Philipp Wich
de7ae9a0ef iproute2: require nls infrastructure due to libelf linking
Depending on the global nls support configuration in the buildroot, the
linked libelf.so library might depend on libintl.so.

Import the nls.mk helper to set library prefixes and flags accordingly
in this case.

Ref: https://github.com/openwrt/packages/issues/7728#issuecomment-448760140
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-12-20 08:13:24 +01:00
Jo-Philipp Wich
386803a006 iproute2: only link libelf where needed
The iproute2 build system links libelf support to every utility while only
the tc program actually requires libelf specific functionality.

Unfortunately the BPF ELF functionality is not confined into an own
compilation unit but added to the existing bpf.c sources of the shared
static libutil.a, causing every iproute2 applet to pick up an implicit
libelf.so dependency.

In order to avoid this requirement, patch the iproute2 build system to
create both a libutil.a and a libutil-elf.a, with the former being built
without libelf functionality and to only link the tc applet with the libelf
enabled libutil.

Finally, make the tc package depend on libelf to solve compilation errors.

Ref: https://github.com/openwrt/packages/issues/7728
Fixes: FS#2011
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-12-19 10:50:02 +01:00
Hans Dedecker
83109450ce dropbear: fix dropbear startup issue
Interface triggers are installed by the dropbear init script in case an
interface is configured for a given dropbear uci section.
As dropbear is started after network the interface trigger event can be
missed during a small window; this is especially the case if lan is
specified as interface.
Fix this by starting dropbear before network so no interface trigger
is missed. As dropbear is started earlier than netifd add a boot function
to avoid the usage of network.sh functions as call to such functions will
fail at boottime.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2018-12-18 19:43:22 +01:00
Syrone Wong
6263a9baa3 ipset: update to 7.1
Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
2018-12-17 21:57:22 +01:00
Kevin Darbyshire-Bryant
3f7de917be netifd: fix ipv6 multicast check in previous commit
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-17 19:05:07 +00:00
Kevin Darbyshire-Bryant
d112d095a9 netifd: support configuring class e 240.0.0.0/4 addresses
cd089c5 proto: Support class-e addressing in netifd

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-17 09:27:53 +00:00
Hans Dedecker
3262fce1cd omcproxy: use PROJECT_GIT in PKG_SOURCE_URL
Switch PKG_SOURCE_URL to git.openwrt.org

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-16 19:23:36 +01:00
Hans Dedecker
0074a5e67e omcproxy: switch to OpenWrt github repo
Switch to OpenWrt github repo in PKG_SOURCE_URL so we can
remove the out of tree patch

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-16 18:09:23 +01:00
Hauke Mehrtens
835947ce64 hostapd: Make eapol-test depend on libubus
The eapol-test application also uses the code with the newly activated
ubus support, add the missing dependency.

Fixes: f5753aae23 ("hostapd: add support for WPS pushbutton station")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-12-16 14:25:41 +01:00
Rosen Penev
1e98d985bb swconfig: Add missing include
Fixes these warnings:

swlib.c:455:18: warning: implicit declaration of function 'isspace'
swlib.c:461:9: warning: implicit declaration of function 'isdigit'

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-16 00:57:19 +01:00
Eneas U de Queiroz
cb4d00d184 omcproxy: fix compilation on little-endian CPUs
Don't use cpu_to_be32 outside of a function.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2018-12-16 00:57:19 +01:00
Kevin Darbyshire-Bryant
9048b22e67 dnsmasq: Fix dhcp-boot, dhcp-reply-delay and pxe-prompt regressions
The above options were incorrectly changed to required tags.  Make them
optional again.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-14 17:51:42 +00:00
Hans Dedecker
6ff27cf0f5 iproute2: backport patch fixing incorrect usage of LDFLAGS
Backport upstream patch fixing incorrect passing of -lxtables to
LDFLAGS instead of LDLIBS in the tc/Makefile

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-14 09:57:15 +01:00
Hans Dedecker
81bb9189e4 netifd: update to latest git HEAD
1ac1c78 system-linux: get rid of SIOCSDEVPRIVATE

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-13 22:05:40 +01:00
Martin Schiller
3850b41f01 openvpn: re-add option comp_lzo
This option is deprecated but needs to be kept for backward compatibility. [0]

[0] https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#a--comp-lzo

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2018-12-12 17:15:01 +01:00
Kevin Darbyshire-Bryant
ad8a5aa06a dnsmasq: fix ipv6 ipset bug
During upstream removal of conditional ipv6 support an order swap error
was made in a ternary operator usage.

This patch sent upstream.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-12 11:54:49 +00:00
Hans Dedecker
1ff98ddff7 iproute2: backport upstream patch to fix print_0xhex on 32 bit
The argument to print_0xhex is converted to unsigned long long
so the format string give for normal printout has to be some
variant of %llx. Backport the patch as otherwise, bogus values
will be printed on 32 bit platforms.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-12 12:38:54 +01:00
Daniel Golle
f5753aae23 hostapd: add support for WPS pushbutton station
similar to hostapd, also add a ubus interface for wpa_supplicant
which will allow handling WPS push-button just as it works for hostapd.
In order to have wpa_supplicant running without any network
configuration (so you can use it to retrieve credentials via WPS),
configure wifi-iface in /etc/config/wireless:

  config wifi-iface 'default_radio0'
      option device 'radio0'
      option network 'wwan'
      option mode 'sta'
      option encryption 'wps'

This section will automatically be edited if credentials have
successfully been acquired via WPS.

Size difference (mips_24kc): roughly +4kb for the 'full' variants of
wpa_supplicant and wpad which do support WPS.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-12-12 09:37:23 +01:00
Kevin Darbyshire-Bryant
8c0f6a010a dnsmasq: follow upstream dnsmasq pre-v2.81 v2
Backport upstream commits.  Most interesting 122392e which changes how
SERVFAIL is handled especially in event of genuine server down/failure
scenarios with multiple servers.  a799ca0 also interesting in that
answered received via TCP are now cached, DNSSEC typically using TCP
meant until now answers weren't cached, hence reducing performance.

59e4703 Free config file values on parsing errors.
48d12f1 Remove the NO_FORK compile-time option, and support for uclinux.
122392e Revert 68f6312d4bae30b78daafcd6f51dc441b8685b1e
3a5a84c Fix Makefile lines generating UBUS linker config.
24b8760 Do not rely on dead code elimination, use array instead. Make options bits derived from size and count. Use size of option bits and last supported bit in computation. No new change would be required when new options are added. Just change OPT_LAST constant.
6f7812d Fix spurious AD flags in some DNS replies from local config.
cbb5b17 Fix logging in cf5984367bc6a949e3803a576512c5a7bc48ebab
cf59843 Don't forward *.bind/*.server queries upstream
ee87504 Remove ability to compile without IPv6 support.
a220545 Ensure that AD bit is reset on answers from --address=/<domain>/<address>.
a799ca0 Impove cache behaviour for TCP connections.

Along with an additional patch to fix compilation without DHCPv6, sent
upstream.

I've been running this for aaaages without obvious issue hence brave
step of opening to wider openwrt community.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-10 10:38:49 +00:00
Kevin Darbyshire-Bryant
18e02fa20c Revert "dnsmasq: follow upstream dnsmasq pre-v2.81"
This reverts commit a6a8fe0be5.

buildbot found an error
option.c: In function 'dhcp_context_free':
option.c:1042:15: error: 'struct dhcp_context' has no member named 'template_interface'
       free(ctx->template_interface);

revert for the moment

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-10 09:57:19 +00:00
Kevin Darbyshire-Bryant
a6a8fe0be5 dnsmasq: follow upstream dnsmasq pre-v2.81
Backport upstream commits.  Most interesting 122392e which changes how
SERVFAIL is handled especially in event of genuine server down/failure
scenarios with multiple servers.  a799ca0 also interesting in that
answered received via TCP are now cached, DNSSEC typically using TCP
meant until now answers weren't cached, hence reducing performance.

59e4703 Free config file values on parsing errors.
48d12f1 Remove the NO_FORK compile-time option, and support for uclinux.
122392e Revert 68f6312d4bae30b78daafcd6f51dc441b8685b1e
3a5a84c Fix Makefile lines generating UBUS linker config.
24b8760 Do not rely on dead code elimination, use array instead. Make options bits derived from size and count. Use size of option bits and last supported bit in computation. No new change would be required when new options are added. Just change OPT_LAST constant.
6f7812d Fix spurious AD flags in some DNS replies from local config.
cbb5b17 Fix logging in cf5984367bc6a949e3803a576512c5a7bc48ebab
cf59843 Don't forward *.bind/*.server queries upstream
ee87504 Remove ability to compile without IPv6 support.
a220545 Ensure that AD bit is reset on answers from --address=/<domain>/<address>.
a799ca0 Impove cache behaviour for TCP connections.

I've been running this for aaaages without obvious issue hence brave
step of opening to wider openwrt community.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-10 09:14:07 +00:00
Kevin Darbyshire-Bryant
7b083bbb82 dnsmasq: drop dnssec timestamp file patch
Openwrt no longer uses and has not used since 5acfe55d71 Jun 2016 the
timestamp file (/etc/dnsmasq.time) method of resolving the dnssec/ntp
dnslookup chicken/egg problem, having used signals from ntp since that
change.

Drop the 'dnssec-improve-timestamp-heuristic' patch since it is neither
used nor sent upstream.  One less thing to refresh & maintain.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-10 09:14:06 +00:00
Hans Dedecker
929c448a6d firewall: update to latest git HEAD
14589c8 redirects: properly handle src_dport in SNAT rules

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-09 17:36:12 +01:00
Ansuel Smith
f939598b7a iptables: fix ebtables vlan compile issue (FS#1990)
Backport an upstream patch which fixes an userspace/kernel headers
collison

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2018-12-08 21:50:14 +01:00
Ansuel Smith
1286c55302 iptables: bump to 1.8.2
Drop 030-extensions-libxt_bpf-Fix-build-with-old-kernel-versi.patch as pushed upstream
Added patches :
001-extensions_format-security_fixes_in_libip.patch
002-include_fix_build_with_kernel_headers_before_4_2.patch
101-remove-register-check.patch

The first and the second patch are upsteam fixes for compilation errors.
The third patch remove check if one target lib is already registred; this is caused by
shared libs that are loaded before the iptables execution.

Iptables changelog:

bba6bc6 (tag: v1.8.2) configure: bump versions for 1.8.2 release
61d6c38 xtables: add 'printf' attribute to xlate_add
5edb249 libxtables: xlate: init buffer to zero
9afd2a6 tests: shell: fix expected arptables-save output
6387941 arptables: fix --version info
d703c1f arptables: ignore --table argument.
d5754e3 arptables: make uni/multicast mac masks static
1b63e66 arptables: add test cases
5aecb2d arptables: pre-init hlen and ethertype
9677ed1 arptables: fix src/dst mac handling
ab0b6d5 arptables: fix target ip offset
c0c75ce arptables: fix -s/-d handling for negation and mask
3ac65af arptables: add basic test infra for arptables-nft
e31564f arptables: fix rule deletion/compare
2345ff6 arptables: remove code that is also commented-out in original arptables
50c2397 arptables-save: add -c option, like xtables-save
d9a518e arptables: use ->save for arptables-save, like xtables
5a52e6a extensions: test protocol and interface negation
85d7df9 xtables: Fix error return code in nft_chain_user_rename()
3ccb443 xtables: Clarify error message when deleting by index
95db364 xtables: Fix typo in do_command() error message
5f508b7 ebtables: use extrapositioned negation consistently
583b27e ebtables-save: add -c option, using xtables-style counters
e6723ab nft: add NFT_TABLE_* enumeration
21ec111 nft: replace nft_chain_dump() by nft_chain_list_get()
05947c8 iptables-nft: fix -f fragment option
7bd9feb libxtables: add and use mac print helpers
a10eb88 extensions: libebt_ip: fix tos negation
9b127b7 extensions: libebt_ip6: fix ip6-dport negation
c59ba1b xtables-nft: make -Z option work
1bf4a13 nft: add missing error string
a9f9377 iptables-tests: add % to run iptables commands
b81c8da iptables-tests: do not append xtables-multi to external commands
edf2b7c ebtables-nft: add arpreply target
2d1372e ebtables: add redirect test case
c3e8dbd ebtables: add test cases
cd90cef ebtables: relax -t table restriction, add snat/dnat test cases
fd95f1f ebtables: fix -j CONTINUE handling for add/delete
fb747f8 tests: add basic ebtables test support
d4bc5a3 iptables-nft: fix bogus handling of zero saddr/daddr
9ff9915 iptables-test: fix netns test
8c918db xtables: Fix for matching rules with wildcard interfaces
b2fc2a3 extensions: limit: unbreak build without libnftnl
682f39a xtables: Fix for spurious errors from iptables-translate
90f7dc3 (tag: v1.8.1) configure: bump versions for 1.8.1 release
0123183 iptables-test: add -N option to exercise netns removal path
abae556 libxtables: expose new etherdb lookup function through libxtables API
c2d9ed9 libxtables: prefix exported new functions for etherdb lookups
5a44360 Revert "extensions: libxt_quota: Allow setting the remaining quota"
2673faf xtables: Remove target_maxnamelen field
8ca3436 extensions: cgroup: fix option parsing for v2
0a8f2bc extensions: libxt_quota: Allow setting the remaining quota
b373a91 nft-shared: Use xtables_calloc()
5a40961 arptables: Use the shared nft_ipv46_parse_target()
9f07503 Combine parse_target() and command_jump() implementations
7373297 Combine command_match() implementations
a76ba54 libiptc: NULL-terminate errorname
a3716cc libxtables: Check extension real_name length
0195b64 iptables: Gitignore xtables-{legacy, nft}-multi scripts
671e40a xtables: Drop pointless check
7c9a152 arptables: Fix incorrect strcmp() in nft_arp_rule_find()
11e91a4 xtables: Don't read garbage in nft_ipv4_parse_payload()
d95c1e8 libxtables: Use posix_spawn() instead of vfork()
7e50eba Fix a few cases of pointless assignments
f40ce2d extensions: libebt_ip{, 6}: Drop pointless error checking
47fb86c nft-arp: Drop ineffective conditional
80aae9b iptables: Use print_ifaces() from xtables
8da04ff Share print_ipv{4,6}_addr() from xtables
b686594 iptables-apply: Replace signal numbers by names
f175dee iptables-apply: Quote strings passed to echo
52aa150 nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query()
61ebf3f libxtables: Don't read garbage in xtables_strtoui()
ab639f2 libxtables: Avoid calling memcpy() with NULL source
22ef371 libiptc: Simplify alloc_handle() function signature
6b7145f libxt_time: Drop initialization of variable 'year'
749d3c2 libxt_ipvs: Avoid potential buffer overrun
8e798e0 libxt_conntrack: Avoid potential buffer overrun
74eb239 libxt_conntrack: Version 0 does not support XT_CONNTRACK_DIRECTION
d0c1f1b libxt_LED: Avoid string overrun while parsing led-trigger-id
23ef6f0 xtables: Remove unused variable in nft_is_table_compatible()
4e499d5 ip{, 6}tables-restore: Fix for uninitialized array 'curtable'
1788f54 Mark fall through cases in switch() statements
31f1434 libxtables: Integrate getethertype.c from xtables core
7ae4fb1 xtables: Fix for wrong assert() in __nft_table_flush()
8c786a3 nfnl_osf: Drop pointless check in xt_osf_strchr()
6fc7762 libxt_string: Fix array out of bounds check
2a68be1 xtables-save: Ignore uninteresting tables
f9efc8c extensions: add cgroup revision 2
9b8cb16 extensions: REJECT: Merge reject tables
56d7ab4 libxt_string: Avoid potential array out of bounds access
bfd41c8 ebtables: Fix for potential array boundary overstep
e6f9867 libiptc: Avoid side-effect in memset() calls
4144571 libxtables: Fix potential array overrun in xtables_option_parse()
9242b5d xtables: Accept --wait in iptables-nft-restore
c9f4f04 xtables: Don't check all rules for being compatible
15606f2 doc: Improve layout of u32 instructions
7345037 xtables-restore: Fix flushing referenced custom chains
7df11d1 xtables: Drop use of IP6T_F_PROTO
b6a06c1 xtables: Align return codes with legacy iptables
3bb497c xtables: Fix for deleting rules with comment
0800d9b ip6tables-translate: Fix libip6t_mh.txlate test
4cf650c ebtables-translate: Fix for libebt_limit.txlate
783e9c2 xtables: Add missing deinitialization
9771d06 ebtables: Review match/target lookup once more
85ed1ab extensions: libebt_mark: Drop mark_supplied check
6a46ca0 xtables: Add a few missing exit calls
acde6be ebtables-translate: Fix segfault while parsing extension options
2c4e4d2 ebtables: trivial: Leverage C99-style initializers a bit more
9f5b28a xlate-test: Fix for calling wrong command name
1a878a7 extensions: AUDIT: Provide translation
5ee03e6 xtables: Use meta l4proto for -p match
37b68b2 xtables: Fix for segfault when registering hashlimit extension
92f7b04 xtables: Fix for segfault in iptables-nft
294f9ef ebtables: Fix entries count in chain listing
6f29aa8 xtables: Make 'iptables -S nonexisting' return non-zero
7bccf30 ebtables: Fix for listing of non-existent chains
3d9a13d xtables: Fix for no output in iptables-nft -S
a33c6fd arptables: Drop extensions/libxt_mangle.c
02b8097 ebtables: Merge libebt_limit.c into libxt_limit.c
5de8dcf xtables: Use native nftables limit expression
514de48 ebtables: Remove flags misinterpretations
528cbf9 xtables: Fix for wrong counter format in -S output
9ca32c4 xtables: Don't pass full invflags to add_compat()
e055aeb xtables: Improve xtables-monitor first impression
b925733 tests: Fix skipping for recent nft-only tests
277f374 xtables: Spelling fixes in xtables-monitor
a9d9f64 xtables: Fix potential segfault in nft_rule_append()
fbf0bf7 tests: Add ebtables-{save,restore} testcases
f1d8508 tests: Add arptables-{save,restore} testcases
63c3dae xtables: Implement arptables-{save,restore}
aa7fb04 ebtables: Review match/target lookup
3f123dc ebtables-restore: Use xtables_restore_parse()
295d5a8 xtables-restore: Make COMMIT support configurable
1679b2c xtables-restore: Improve user-defined chain detection
2ce9f65 xtables: Match verbose ip{,6}tables output with legacy
cd79556 xtables: Reserve space for 'opt' column in ip6tables output
0357254 xtables: Print error when listing non-existent chains
206033e xtables: Fix for no output on first iptables-nft invocation
a0698de xtables: Do not count rules as chain references
d11b6b8 arptables: Fix jumps into user-defined chains
3f27955 arptables: Fix opcode printing in numeric output
f988fe4 xtables: Fix symlinks/names for ebtables-{save, restore}
3319c61 ebtables: Support --init-table command
3ec8aac arptables: Print policy only for base chains
83bc189 arptables: Fix for trailing spaces in output
aaed1b6 arptables: Fix memleaks in do_commandarp()
d67d85d ebtables: Print non-standard target parameters
2e478e9 ebtables: Fix match_list insertion
a192f03 ebtables: Fix for wrong program name in error messages
a2ed880 xshared: Consolidate argv construction routines
1cc0918 xshared: Consolidate parse_counters()
78b9d43 Consolidate DEBUGP macros
14ad525 xtables: Fix program name in xtables_error()
f7bbdb0 xtables: Use correct built-in chain count
ae574b2 xtables: Fix compilation with NLDEBUG defined
82d278c xtables: Free chains in NFT_COMPAT_CHAIN_ADD jobs
c2895ea xtables: Free chains in NFT_COMPAT_CHAIN_USER_DEL jobs
89d3443 xtables: Fix for nft_rule_flush() returning garbage
c259447 xtables: Allocate rule cache just once
ed30b93 nft: don't print rule counters unless verbose
31e4b59 iptables-restore: free the table lock when skipping a table
f8e29a1 xtables: avoid bogus 'is incompatible' warning
6ea7579 nft: decode meta l4proto
922508e xtables: implement ebtables-{save,restore}
25ef908 xtables: introduce nft_init_eb()
de8574a xtables: parameter to add_argv() may be const
6f60f22 xtables: pass format to nft_rule_save()
f3b772c xtables: introduce save_chain callback
fa1681f xtables: rename {print,save}_rule functions
444d581 xtables: get rid of nft_ipv{4,6}_save_counters()
34e1e23 xtables: eliminate nft_ipv{4,6}_rule_find()
de782e8 xtables: merge nft_ipv{4,6}_parse_target()
ae8eece xtables: get rid of nft_ipv{4,6}_print_header()
2687794 xtables: arp: make rule_to_cs callback private
1bf73c4 xtables: Use new callbacks in nft_rule_print_save()
1866625 xtables: introduce rule_to_cs/clear_cs callbacks
0589457 xtables: simplify struct nft_xt_ctx
d9c6a5d xtables: merge {ip,arp}tables_command_state structs
87b5b9e iptables: replace memset by c99-style initializers
907da5c xtables: fix crash if nft_rule_list_get() fails
565a223 xtables: Support nft suffix for arptables and ebtables
c468f01 tests: check iptables retval, not echo
47d1484 iptables: tests: add test for iptables-save and iptables-restore
e4e0704 extensions: don't bother to build libebt/libarp extensions if nft backend was disabled
17c66a5 iptables: tests: shell: Add README
6c2118c (tag: v1.8.0) configure: bump version and libnftnl dependency
7b66fc2 man: clarify translate tools do not modify any state
f7fec51 xtables-monitor: add --version option
b470b8e xtables-legacy: fix argv0 name for ip6tables-legacy
2028e54 xtables: display legacy/nf_tables flavor in error messages, too
fd8d7d7 ebtables-nft: add stp match
f15639b tests: add script that mimics firewalld startup
27f7db2 tests: fix variable name to multi-binary
2a89ec5 tests: add a few simple tests for list/new/delete
37d9d5b ebtables-nft: make -L, -X CHAINNAME work
816bd1f ebtables-nft: remove exec_style
b81708f ebtables-nft: don't crash on ebtables -X
de02a75 doc: fix some spellos and the dash escape
dcf4529 tests: add firewalld default ruleset from fedora 27
f23abd5 tests: add another ipv4 only ruleset
ed9cfe1 tests: add initial save/restore test cases
9933dc5 tests: adapt test suite to run with legacy+nftables based binaries
be70918 xtables: rename xt-multi binaries to -nft, -legacy
d49ba50 xtables-restore: init table before processing policies
344c6eb doc: Fix spelling error in hashlimit section
e063873 tests: make duplicate test work
d26c538 xtables: add xtables-monitor
db84371 xtables: translate nft meta trace set 1 to -j TRACE
20eac2a xtables: warn in case old-style (set/getsockopt) tables exist
c9f5e18 xtables: add nf_tables vs. legacy postfix to version strings
e5fed16 iptables8.in: Update coreteam names
672accf include: update kernel netfilter header files
856a875 xtables: silence two compiler warnings
ae6e159 xtables: remove dead code inherited from ebtables
107b7eb configure: add -Wlogical-op warning to cflags
bc7f49d ebtables-translate: remove --change-counters code
38b4166 iptables: tests: shell: add shell test-suite
1e6427a xtables-compat: skip invalid tables
cb368b6 xtables: more error printing fixes
b1b828f xtables: homogenize error message
4caa559 xtables: initialize basechains for rule flush command too
9b89622 xtables: rework rule cache logic
01e25e2 xtables: add chain cache
8d190e9 xtables: initialize basechains only once on ruleset restore
0a86351 xtables-compat: ignore '+' interface name
125d1ce xtables-compat: append all errors into single line
437746c xtables: extended error reporting
d1c79cd xtables: allocate struct xt_comment_info for comments
4e20209 xtables: use libnftnl batch API
49709e2 xtables-compat: remove nft_is_ruleset_compatible
03e1377 xtables: allow dumping of chains in specific table
94fd83d xtables: inconsistent error reporting for -X and no empty chain
c4f1622 ebtables-compat: add arp match extension
24ce746 ebtables-compat: add redirect match extension
84c04e3 ebtables-compat: add nat match extensions
14ec998 xtables-compat: ebtables: prefer snprintf to strncpy
5e2b473 xtables-compat: extend generic tests for masks and wildcards
1a696c9 libxtables: store all requested match types
bb436ce xtables-compat: ip6table-save: fix save of ip6 address masks
6454d7d ebtables-translate: suppress redundant protocols
07f4ca9 xtables-compat: ebtables: allow checking for zero-mac
0ca2d2a xtables-compat: ebtables: add helpers to print interface and mac addresses
3d9f300 xtables-compat: ebtables: remove interface masks from ebt_entry struct
20e2758 xtables-compat: ebtables: fix logical interface negation
2682bb0 xtables-compat: ebtables: add and use helper to parse all interface names
564862d xtables-compat: ebtables: split match/target print from nft_bridge_print_firewall
0ae81d0 xtables-compat: ebtables: kill ebtables_command_state
651cfee xtables-compat: pass correct table skeleton
652b98e xtables-compat: fix wildcard detection
49f4993 extensions: libip6t_srh.t: Add test cases for psid, nsid, and lsid
429143b extensions: libxt_CONNMARK: incorrect translation after v2
db7b4e0 extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark
155e1c0 extensions: libip6t_srh: support matching previous, next and last SID
f4ffda1 extensions: libipt_DNAT: tests added for shifted portmap range
6a9ffb1 xtables-compat-restore: flush table and its content with no -n
07ae37c xtables-compat: fix bogus error with -X and no user-defined chains
df3d92b xtables-compat-restore: flush user-defined chains with -n
ca16584 xtables-compat-restore: flush rules and delete user-defined chains
ac1e85a extensions: libipt_DNAT: use size of nf_nat_range2 for rev2
e25d99a xtables-compat: pass larger socket buffer
838746e xtables-compat: xtables-save: don't return 1
2211679 xtables-compat: ebtables: support concurrent option
a77a7d8 iptables-test: fix bug with rateest
de87405 xtables-compat: fix ipv4 frag (-f)
c7b2fd6 xtables-compat: also check tg2->userspacesize
5685938 xtables-compat: avoid unneeded bitwise ops
b9d7b49 xtables-compat: restore: sync options with iptables-restore
c0ef861 extensions: add xlate test for ipables -f
d79a7f1 xtables-compat: output -s,d first during save, just like iptables
d1eb4d5 iptables-compat: chains are purge out already from table flush
09f0d47 iptables-compat: do not fail on restore if user chain exists
8798eb8 iptables-compat: remove non-batching routines
b633ef9 xtables.conf: fix hook skeletons
7af2178 xtables-compat: fall back to comment match in case name is too long
e9aeecf xlate-test: use locally installed xlate tools
0ab58e3 xtables-compat: ebtables: handle mac masks properly
734ad40 xtables-compat: nft-arp: fix warning wrt. sprintf-out-of-bounds
fb7ae9f xtables-compat: truncate comments to 254 bytes
36976c4 extensions: libipt_DNAT: support shifted portmap ranges
d7ac61b iptables-test: add nft switch and test binaries from git
992e17d xtables-compat: only fetch revisions for ip/ip6
12a52ff xtables: Fix rules print/save after iptables update
1197c5e xtables: Register all match/target revisions supported by us and kernel
e3bb24c xtables: Check match/target size vs XT_ALIGN(size) at register time
3b2530c xtables: Do not register matches/targets with incompatible revision
d3f1437 xtables: Introduce and use common function to print val[/mask] arguments
29b1d97 xtables: Introduce and use common function to parse val[/mask] arguments
56aadc0 extensions: Initialize linear mapping of symbols in _init() of extension
79c2da9 extensions: ULOG: remove test
a0956ce ebtables-translate: turn off useless compat queries
9840869 nft: arptables: remove obsolete forward hook definition
7a37d14 iptables-compat: statify nft_restart()
a3aac1d iptables-compat: handle netlink dump EINTR errors
a567dc3 ebtables-compat: add 'vlan' match extension
7564bba ebtables-compat: add 'pkttype' match extension
4d40904 ebtables-translate: update table name on -t
5c8ce9c ebtables-compat: add 'ip6' match extension
8a85a14 libebt_ip: fix translations for tos and icmp
b6f0bec libebt_ip: add icmp support
f38ed1e xt-translate: quote interface names in translated output
71a6e37 icmp: split icmp type printing to header file
e67c088 ebtables-translate: add initial test cases
207dd5e xt-compat: add ebtables-translate
d988274 xlate-translate: split common parts into helper
1650806 xtables-eb: export 3 functions
6b2041c nft-bridge: add eb-translate backend functions
3063c37 nft-bridge: fix mac address printing
394a400 nft: fix crash when getprotobynumber() returns 0
6a1dbdf ebtables-compat: support intra-positioned negations
3e94f0a nft-bridge: add forward declaration for struct nftnl_rule
5024efe libebt_limit: print 'minute' and 'seconds', not 'min' and 'secs'
ce3c780 nft: make nft_init self-contained
cb151d5 xtables-translate: rm duplicate includes
69c089b xt-compat: constify a few struct members
03ecffe ebtables-compat: add initial translations
57af67d iptables: constify option struct
88231c4 ebtables-compat: load mark target
6b4e167 ebtables-compat: don't make failing extension load fatal
24110b5 libxt_comment: silence truncation warning
98fc8ce xtables-compat: only validate the xtables builtin tables
9d9b724 xtables-compat: skip unsupported tables
59d15cf xtables-compat: also validate priorities and hook points match expected values
eb35854 xtables-compat: fix snprintf truncation warnings
fc04c8a extensions: CLUSTERIP: do not allow --local-node 0
eb2c052 extensions: CLUSTERIP: add tests
ca3c397 iptables: add xtables-translate.8 manpage
5beb158 extensions: libxt_bpf: Fix build with old kernel versions
147a891 extenstions: ecn: add tcp ecn/cwr translation
ed928a8 extensions: add tests for comp match options
632ace7 xtables-compat-multi.c: Allow symlink of ebtables
d7ccc68 iptables: add xtables-compat.8 manpage
043da5b extensions: connmark: remove non-working translation
a93b502 extensions: prefer plain 'set' over 'set mark and'
577b7e2 xtables-compat-restore: use correct hook priorities

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2018-12-08 10:54:09 +01:00
Rosen Penev
26dcaf58ee comgt: Fix 3g.sh permissions
3g.sh needs to be executable. 600 is not correct for that.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-06 08:42:39 +01:00
Florian Eckert
675eb747aa openvpn: add list element parsing
For the parameters tls-cipher and ncp-ciphers more than one option can
be used in the OpenVPN configuration, separated by a colon, which should
be implemented as a list in order to configure it more clearly. By
adding the new OPENVPN_LIST option to the openvpn.options file with the
tls-cipher and ncp-cipher parameters, uci can now add this option as a
"list" and the init script will generate the appropriate OpenVPN
configuration from it.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-12-03 09:54:03 +01:00
Hans Dedecker
493c1d1766 odhcpd: update to latest git HEAD
d404c7e netlink: fix triggering of NETEV_ADDR6LIST_CHANGE event
ae6cf80 config: correctly break string for prefix filter

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-29 21:46:12 +01:00
Jo-Philipp Wich
3082370551 openvpn: update to 2.4.6
Update the OpenVPN package to version 2.4.6, refresh patches and drop
menuconfig options which are not supported upstream anymore.

Also fix the x509-alt-username configure flag - it is not supported
by mbedtls and was syntactically wrong in the Makefile - and the
port-share option which has been present in menuconfig but not been
used in the Makefile.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-11-28 22:10:19 +01:00
Jo-Philipp Wich
56378bc12d uhttpd: update to latest Git head
cdfc902 cgi: escape url in 403 error output
0bba1ce uhttpd: fix building without TLS and Lua support
2ed3341 help: document -A option
fa5fd45 file: fix CPP syntax error
77b774b build: avoid redefining _DEFAULT_SOURCE

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-11-28 12:55:50 +01:00
Hans Dedecker
533f7673ae netifd: update to latest git HEAD
dfa4ede interface: fix return code of __interface_add()
a82a8f6 netifd: fix resource leak on error in netifd_add_dynamic()
fa2403d config: fix resource leaks on error in config_parse_interface()
85de9de interface: fix memory leak on error in __interface_add()

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-26 15:33:45 +01:00
Jason A. Donenfeld
48d8d46d33 wireguard: bump to 0.0.20181119
* chacha20,poly1305: fix up for win64
* poly1305: only export neon symbols when in use
* poly1305: cleanup leftover debugging changes
* crypto: resolve target prefix on buggy kernels
* chacha20,poly1305: don't do compiler testing in generator and remove xor helper
* crypto: better path resolution and more specific generated .S
* poly1305: make frame pointers for auxiliary calls
* chacha20,poly1305: do not use xlate

This should fix up the various build errors, warnings, and insertion errors
introduced by the previous snapshot, where we added some significant
refactoring. In short, we're trying to port to using Andy Polyakov's original
perlasm files, and this means quite a lot of work to re-do that had stableized
in our old .S.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-11-19 22:15:02 +01:00
Hans Dedecker
8e409f476b netifd: update to latest git HEAD
4b83102 treewide: switch to C-code style comments
70506bf treewide: make some functions static
d9872db interface: fix removal of dynamic interfaces
2f7ef7d interface: rework code to get rid of interface_set_dynamic

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-19 10:15:26 +01:00
Jason A. Donenfeld
bf52c968e8 wireguard: bump to 0.0.20181115
* Zinc no longer ships generated assembly code. Rather, we now
  bundle in the original perlasm generator for it. The primary purpose
  of this snapshot is to get testing of this.
* Clarify the peer removal logic and make lifetimes more precise.
* Use READ_ONCE for is_valid and is_dead.
* No need to use atomic when the recounter is mutex protected.
* Fix up macros and annotations in allowedips.
* Increment drop counter when staged packets are dropped.
* Use static constants instead of enums for 64-bit values in selftest.
* Mark large constants as ULL in poly1305-donna64.
* Fix sparse warnings in allowedips debugging code.
* Do not use wg_peer_get_maybe_zero in timer callbacks, since we now can
  carefully control the lifetime of these functions and ensure they never
  execute after dropping the last reference.
* Cleanup hashing in ratelimiter.
* Do not guard timer removals, since del_timer is always okay.
* We now check for PM_AUTOSLEEP, which makes the clear*on-suspend decision a
  bit more general.
* Set csum_level to ~0, since the poly1305 authenticator certainly means
  that no data was modified in transit.
* Use CHECKSUM_PARTIAL check for skb_checksum_help instead of
  skb_checksum_setup check.
* wg.8: specify that wg(8) shows runtime info too
* wg.8: AllowedIPs isn't actually required
* keygen-html: add missing glue macro
* wg-quick: android: do not choke on empty allowed-ips

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-11-16 09:23:02 +01:00
Kevin Darbyshire-Bryant
3a6bddd7f7 hostapd: add utf8_ssid flag & enable as default
SSIDs may contain UTF8 characters but ideally hostapd should be told
this is the case so it can advertise the fact. Default enable this
option.

add uci option utf8_ssid '0'/'1' for disable/enable e.g.

config wifi-iface
	option utf8_ssid '0'

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-11-14 17:41:18 +00:00
Petr Štetiar
1b4b942bce Revert "iptables: fix dependency for libip6tc on IPV6"
This patch reverts commit 2dc1f54b12 as it
breaks the build for me on x86-64 if I've IPV6 support disabled. Same config
builds fine on `openwrt-18.06` branch at 55d078b2.

  $ grep IPV6 .config

  # CONFIG_KERNEL_IPV6 is not set
  # CONFIG_IPV6 is not set

Build errors out on:

  Package libiptc is missing dependencies for the following libraries:
  libip6tc.so.0

Looking at iptables-1.6.2/libiptc/Makefile.am:

  libiptc_la_LIBADD   = libip4tc.la libip6tc.la

and to iptables-1.6.2/libiptc/libiptc.pc.in:

  Requires:	libip4tc libip6tc

It seems that libiptc needs v4/v6 libs, so v6 isn't optional.

Cc: Rosy Song <rosysong@rosinson.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2018-11-10 18:50:29 +01:00
Hans Dedecker
5617e138bd ethtool: update to 4.19
8a1ad80 Release version 4.19.
ecdf295 ethtool: Fix uninitialized variable use at qsfp dump
98c148e ethtool: better syntax for combinations of FEC modes
d4b9f3f ethtool: support combinations of FEC modes

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-10 13:44:09 +01:00
Hans Dedecker
559635dbb6 iproute2: update to 4.19.0
Update to the latest version of iproute2; see https://lwn.net/Articles/769354/
for a full overview of the changes in 4.19.
Remove 190-add-cake-to-tc patch as CAKE qdisc is now supported in 4.19.0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-08 11:09:13 +01:00
Alexander Couzens
900005ee75
iperf: allow non-ipv6 builds
Add configure argument --disable-ipv6 when ipv6 is deselected.
Add fix-non-ipv6-builds.patch as long there is no new upstream
release.

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2018-11-03 02:36:24 +01:00
Hans Dedecker
c9f5934c71 curl: noop commit to refer CVEs fixed in 7.62.0
When bumping Curl to 7.62.0 in commit 278e4eba09 I did not include the fixed
CVEs in the commit message; this commit fixes this.

The following CVEs were fixed in 7.62.0 :

CVE-2018-16839
CVE-2018-16840
CVE-2018-16842

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-02 13:16:13 +01:00
Hans Dedecker
278e4eba09 curl: bump to 7.62.0
Refresh patches, for changes in version 7.62.0 see https://curl.haxx.se/changes.html#7_62_0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-31 23:06:42 +01:00
Kevin Darbyshire-Bryant
3dba852547 dnsmasq: tighten config file permissions
Install following as config files (600) perms instead of as data (644)

/usr/share/dnsmasq/dhcpbogushostname.conf
/usr/share/dnsmasq/trust-anchors.conf
/usr/share/dnsmasq/rfc6761.conf
/etc/hotplug.d/ntp/25-dnsmasqsec
/etc/config/dhcp
/etc/dnsmasq.conf

dnsmasq reads relevant config files before dropping root privilege and
running as dnsmasq:dnsmasq

ntpd runs as root so the hotplug script is still accessible

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-30 09:25:32 +00:00
Kevin Darbyshire-Bryant
6c4d3d705a dnsmasq: bump to v2.80
dnsmasq v2.80 release

Change from rc1:

91421cb Fix compiler warning.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-19 17:36:02 +01:00
Hans Dedecker
15a59e3e08 iproute2: install ip-tiny and ip-full in /usr/libexec
Install the ip-tiny and ip-full variants in /usr/libexec as the suffixed
ip variants are not meant to be called directly

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-18 17:15:51 +02:00
Jason A. Donenfeld
4653818dab wireguard: bump to 0.0.20181018
ba2ab5d version: bump snapshot
5f59c76 tools: wg-quick: wait for interface to disappear on freebsd
ac7e7a3 tools: don't fail if a netlink interface dump is inconsistent
8432585 main: get rid of unloaded debug message
139e57c tools: compile on gnu99
d65817c tools: use libc's endianness macro if no compiler macro
f985de2 global: give if statements brackets and other cleanups
b3a5d8a main: change module description
296d505 device: use textual error labels always
8bde328 allowedips: swap endianness early on
a650d49 timers: avoid using control statements in macro
db4dd93 allowedips: remove control statement from macro by rewriting
780a597 global: more nits
06b1236 global: rename struct wireguard_ to struct wg_
205dd46 netlink: do not stuff index into nla type
2c6b57b qemu: kill after 20 minutes
6f2953d compat: look in Kbuild and Makefile since they differ based on arch
a93d7e4 create-patch: blacklist instead of whitelist
8d53657 global: prefix functions used in callbacks with wg_
123f85c compat: don't output for grep errors

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-10-18 08:55:01 +02:00
Hans Dedecker
db6f9d5598 netifd: update to latest git HEAD
841b5d1 system-linux: enable by default ignore encaplimit for grev6 tunnels
125cbee system-linux: fix a typo in gre tunnel data parsing logic

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-17 11:18:30 +02:00
Hans Dedecker
3d015e971f gre: make encaplimit support configurable
Make inclusion of the destination option header containing the tunnel
encapsulation limit configurable for IPv6 GRE packets.
Setting the uci parameter encaplimit to ignore; allows to disable the
insertion of the destination option header in the IPv6 GRE packets.
Otherwise the tunnel encapsulation limit value can be set to a value
from 0 till 255 by setting the encaplimit uci parameter accordingly.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-17 11:18:20 +02:00
Kevin Darbyshire-Bryant
1063d904b7 hostapd: add basic variant
Add a basic variant which provides WPA-PSK only, 802.11r and 802.11w and
is intended to support 11r & 11w (subject to driver support) out of the
box.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-16 15:07:41 +01:00
Rosy Song
fd09e251e9 ppp: don't start ppp with IPv6 support if ipv6 is not supported
Signed-off-by: Rosy Song <rosysong@rosinson.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-16 14:31:45 +02:00
Jo-Philipp Wich
3e633bb370 hostapd: fix MAC filter related log spam
Backport two upstream fixes to address overly verbose logging of MAC ACL
rejection messages.

Fixes: FS#1468
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-10-16 12:11:20 +02:00
Christian Lamparter
583466bb5b dnsmasq: fix dnsmasq failure to start when ujail'd
This patch fixes jailed dnsmasq running into the following issue:

|dnsmasq[1]: cannot read /usr/share/dnsmasq/dhcpbogushostname.conf: No such file or directory
|dnsmasq[1]: FAILED to start up
|procd: Instance dnsmasq::cfg01411c s in a crash loop 6 crashes, 0 seconds since last crash

Fixes: a45f4f50e1 ("dnsmasq: add dhcp-ignore-names support - CERT VU#598349")

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[bump package release]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-16 10:39:59 +01:00
Kevin Darbyshire-Bryant
b8bc672f24 dnsmasq: bump to v2.80rc1
53792c9 fix typo
df07182 Update German translation.

Remove local patch 001-fix-typo which is a backport of the above 53792c9

There is no practical difference between our test8 release and this rc
release, but this does at least say 'release candidate'

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-16 08:39:21 +01:00
Hans Dedecker
39e5e17045 dnsmasq: fix compile issue
Fix compile issue in case HAVE_BROKEN_RTC is enabled

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-15 13:42:55 +02:00
Hauke Mehrtens
4c3fae4adc hostapd: Add WPA-EAP-SUITE-B-192 (WPA3-Enterprise)
This adds support for the WPA3-Enterprise mode authentication.

The settings for the WPA3-Enterpriese mode are defined in
WPA3_Specification_v1.0.pdf. This mode also requires ieee80211w and
guarantees at least 192 bit of security.

This does not increase the ipkg size by a significant size.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:15 +02:00
Hauke Mehrtens
18c6c93a3b hostapd: Activate Opportunistic Wireless Encryption (OWE)
OWE is defined in RFC 8110 and provides encryption and forward security
for open networks.

This is based on the requirements in the Wifi alliance document
Opportunistic_Wireless_Encryption_Specification_v1.0_0.pdf
The wifi alliance requires ieee80211w for the OWE mode.
This also makes it possible to configure the OWE transission mode which
allows it operate an open and an OWE BSSID in parallel and the client
should only show one network.

This increases the ipkg size by 5.800 Bytes.
Old: 402.541 Bytes
New: 408.341 Bytes

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:15 +02:00
Hauke Mehrtens
4a009a16d2 hostapd: Activate Simultaneous Authentication of Equals (SAE)
This build the full openssl and wolfssl versions with SAE support which
is the main part of WPA3 PSK.

This needs elliptic curve cryptography which is only provided by these
two external cryptographic libraries and not by the internal
implementation.

The WPA3_Specification_v1.0.pdf file says that in SAE only mode
Protected Management Frames (PMF) is required, in mixed mode with
WPA2-PSK PMF should be required for clients using SAE, and optional for
clients using WPA2-PSK. The defaults are set now accordingly.

This increases the ipkg size by 8.515 Bytes.
Old: 394.026 Bytes
New: 402.541 Bytes

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:15 +02:00
Hauke Mehrtens
a1ad1144b6 hostapd: SAE: Do not ignore option sae_require_mfp
This patch was send for integration into the hostapd project.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:14 +02:00
Hauke Mehrtens
779773a0de hostapd: backport build fix when OWE is activated
This backports a compile fix form the hostapd project.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:14 +02:00
Hauke Mehrtens
4b93b03577 hostapd: sync config with default configuration
This replaces the configuration files with the versions from the hostapd
project and the adaptions done by OpenWrt.

The resulting binaries should be the same.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:14 +02:00
Hauke Mehrtens
8f7a2bd084 netifd: update to latest git HEAD
22476ff wireless: Add Simultaneous Authentication of Equals (SAE)
c6c3a0d wireless: Add Opportunistic Wireless Encryption (OWE)
a117e41 wireless: Add WPA-EAP-SUITE-B-192 (WPA3-Enterprise)

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:08 +02:00
Florian Eckert
71865200c9 uqmi: fix variable initilization for timeout handling
Also add logging output for SIM initilization.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-12 09:36:05 +02:00
Florian Eckert
4cabda8b7d uqmi: update PKG_RELEASE version
update PKG_RELEASE

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
0c9d06b5b2 uqmi: stop proto handler if verify pin count is not 3
Check pin count value from pin status and stop verification the pin if
the value is less then 3. This should prevent the proto-handler to
lock the SIM. If SIM is locked then the PUK is needed.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
4b80bd878d uqmi: evaluate pin-status output in qmi_setup function
Load the json output from uqmi --get-pin-status command and evaluate the
"pin1_status" value.

The following uqmi "pin1_status" values are evaluated:

- disabled
  Do not verify PIN because SIM verification is disabled on this SIM

- blocked
  Stop qmi_setup because SIM is locked and a PUK is required

- not_verified
  SIM is not yet verified. Do a uqmi --verify-pin1 command if a SIM is
  specified

- verified:
  Do not verify the PIN because this was already done before

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
f171a86d06 uqmi: do not block proto handler if SIM is uninitialized
QMI proto setup-handler will wait forever if SIM does not get initialized.
To fix this stop polling pin status and notify netifd. Netifd will generate
then a "ifup-failed" ACTION.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
dec1bfa0f4 uqmi: do not block proto handler if modem is unable to registrate
QMI proto setup-handler will wait forever if it is unable to registrate to
the mobile network. To fix this stop polling network registration status
and notify netifd. Netifd will generate then a "ifup-failed" ACTION.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
dee93def39 uqmi: add timeout option value
This value will be used for now during following situations:
* Ask the sim with the uqmi --get-pin-status command.
* Wait for network registration with the uqmi --get-serving-system command.

This two commands wait forever in a while loop. Add a timeout to stop
waiting and so inform netifd.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
2d57aa9c4c uqmi: redirect uqmi commands output to /dev/null
Move uqmi std and error output on commands without using them to /dev/null.
This will remove useless outputs in the syslog.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
692c6d9a5d uqmi: fix indenting
fix indenting

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
John Crispin
3e8ef61c01 package/: fix $(PROJECT_GIT) usage
Signed-off-by: John Crispin <john@phrozen.org>
2018-10-11 08:42:52 +02:00
Rosen Penev
4572d996a4 linux-atm: Install hotplug file as 600
The hotplug files is only used by procd, which runs as root.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-10-11 08:06:35 +02:00
Rosen Penev
c7144ec688 comgt: Install hotplug and netifd files as 600
procd and netifd both run as root. These files are not used elsewhere.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-10-11 08:06:28 +02:00
Rosen Penev
f5ddbd695b samba36: Install several config files as 600
Hotplug is managed by procd, which runs as root. The other files are used
by root as well.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-10-11 08:06:18 +02:00
Rosen Penev
745c3acd64 soloscli: Install hotplug file as 600
Hotplug is managed by procd, which runs as root.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-10-11 08:06:09 +02:00
Rosen Penev
49065d227a firewall: Install config files as 600
None of the files in firewall are used by non-root.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-10-11 08:05:41 +02:00
Kevin Darbyshire-Bryant
a45f4f50e1 dnsmasq: add dhcp-ignore-names support - CERT VU#598349
dnsmasq v2.80test8 adds the ability to ignore dhcp client's requests for
specific hostnames.  Clients claiming certain hostnames and thus
claiming DNS namespace represent a potential security risk. e.g. a
malicious host could claim 'wpad' for itself and redirect other web
client requests to it for nefarious purpose. See CERT VU#598349 for more
details.

Some Samsung TVs are claiming the hostname 'localhost', it is believed
not (yet) for nefarious purposes.

/usr/share/dnsmasq/dhcpbogushostname.conf contains a list of hostnames
in correct syntax to be excluded. e.g.

dhcp-name-match=set:dhcp_bogus_hostname,localhost

Inclusion of this file is controlled by uci option dhcpbogushostname
which is enabled by default.

To be absolutely clear, DHCP leases to these requesting hosts are still
permitted, but they do NOT get to claim ownership of the hostname
itself and hence put into DNS for other hosts to be confused/manipulate by.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-09 09:45:16 +01:00
Kevin Darbyshire-Bryant
3925298f3c wireguard: bump to 0.0.20181007
64750c1 version: bump snapshot
f11a2b8 global: style nits
4b34b6a crypto: clean up remaining .h->.c
06d9fc8 allowedips: document additional nobs
c32b5f9 makefile: do more generic wildcard so as to avoid rename issues
20f48d8 crypto: use BIT(i) & bitmap instead of (bitmap >> i) & 1
b6e09f6 crypto: disable broken implementations in selftests
fd50f77 compat: clang cannot handle __builtin_constant_p
bddaca7 compat: make asm/simd.h conditional on its existence
b4ba33e compat: account for ancient ARM assembler

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-09 09:11:58 +01:00
Kevin Darbyshire-Bryant
30cc5b0bf4 dnsmasq: bump to v2.80test8
e1791f3 Fix logging of DNSSEC queries in TCP mode. Destination server address was misleading.
0fdf3c1 Fix dhcp-match-name to match hostname, not complete FQDN.
ee1df06 Tweak strategy for confirming SLAAC addresses.
1e87eba Clarify manpage for --auth-sec-servers
0893347 Make interface spec optional in --auth-server.
7cbf497 Example config file fix for CERT Vulnerability VU#598349.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-07 16:42:12 +01:00
Rafał Miłecki
87cd118794 iperf: fix --daemon option
Support for -D got broken in the 2.0.11 release by the upstream commit
218d8c667944 ("first pass L2 mode w/UDP checks, v4 only"). After that
commit clients were still able to connect but no traffic was passed.
It was reported and is fixed now in the upstream git repository.

Backport two patches to fix this. The first one is just a requirement
for the later to apply. The second one is the real fix and it needed
only a small adjustment to apply without backporing the commit
10887b59c7e7 ("fix --txstart-time report messages").

Fixes: 457e6d5a27 ("iperf: bump to 2.0.12")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2018-10-07 17:13:39 +02:00
Hans Dedecker
af78e90d4c odhcpd: update to latest git HEAD (FS#1853)
57f639e (HEAD -> master, origin/master, origin/HEAD) odhcpd: make DHCPv6/RA/NDP support optional
402c274 dhcpv6: check return code of dhcpv6_ia_init()
ee7472a router: don't leak RA message in relay mode (FS#1853)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-07 15:11:36 +02:00
Felix Fietkau
518fb345e1 iw: strip a few more non-essential features from iw-tiny
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-10-07 12:45:41 +02:00
Felix Fietkau
7999282f7f iw: fix filtering linked object files for iw-tiny
It was broken by the recent commit that added iw-full

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-10-07 12:45:41 +02:00
Jason A. Donenfeld
b665856450 wireguard: bump to 0.0.20181006
* Account for big-endian 2^26 conversion in Poly1305.
  * Account for big-endian NEON in Curve25519.
  * Fix macros in big-endian AArch64 code so that this will actually run there
    at all.
  * Prefer if (IS_ENABLED(...)) over ifdef mazes when possible.
  * Call simd_relax() within any preempt-disabling glue code every once in a
    while so as not to increase latency if folks pass in super long buffers.
  * Prefer compiler-defined architecture macros in assembly code, which puts us
    in closer alignment with upstream CRYPTOGAMS code, and is cleaner.
  * Non-static symbols are prefixed with wg_ to avoid polluting the global
    namespace.
  * Return a bool from simd_relax() indicating whether or not we were
    rescheduled.
  * Reflect the proper simd conditions on arm.
  * Do not reorder lines in Kbuild files for the simd asm-generic addition,
    since we don't want to cause merge conflicts.
  * WARN() if the selftests fail in Zinc, since if this is an initcall, it won't
    block module loading, so we want to be loud.
  * Document some interdependencies beside include statements.
  * Add missing static statement to fpu init functions.
  * Use union in chacha to access state words as a flat matrix, instead of
    casting a struct to a u8 and hoping all goes well. Then, by passing around
    that array as a struct for as long as possible, we can update counter[0]
    instead of state[12] in the generic blocks, which makes it clearer what's
    happening.
  * Remove __aligned(32) for chacha20_ctx since we no longer use vmovdqa on x86,
    and the other implementations do not require that kind of alignment either.
  * Submit patch to ARM tree for adjusting RiscPC's cflags to be -march=armv3 so
    that we can build code that uses umull.
  * Allow CONFIG_ARM[64] to imply [!]CONFIG_64BIT, and use zinc arch config
    variables consistently throughout.
  * Document rationale for the 2^26->2^64/32 conversion in code comments.
  * Convert all of remaining BUG_ON to WARN_ON.
  * Replace `bxeq lr` with `reteq lr` in ARM assembler to be compatible with old
    ISAs via the macro in <asm/assembler.h>.
  * Do not allow WireGuard to be a built-in if IPv6 is a module.
  * Writeback the base register and reorder multiplications in the NEON x25519
    implementation.
  * Try all combinations of different implementations in selftests, so that
    potential bugs are more immediately unearthed.
  * Self tests and SIMD glue code work with #include, which lets the compiler
    optimize these. Previously these files were .h, because they were included,
    but a simple grep of the kernel tree shows 259 other files that carry out
    this same pattern. Only they prefer to instead name the files with a .c
    instead of a .h, so we now follow the convention.
  * Support many more platforms in QEMU, especially big endian ones.
  * Kernels < 3.17 don't have read_cpuid_part, so fix building there.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-10-06 20:49:11 +02:00
Felix Fietkau
8c647e873f iw: add iw-full package without size reduction hacks
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-10-06 13:02:29 +02:00
Alexander Couzens
6ef1c978ba package/lldp: don't link against libbsd on !USE_GLIBC builds
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2018-10-05 00:44:55 +02:00
Syrone Wong
68f109609b ipset: update to 6.38
dropped already upstream patch

Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
2018-10-04 13:15:22 +02:00
Hans Dedecker
c8e2edfd9e netifd: update to latest git HEAD (FS#1875)
83428fa iprule: coding style fixes
aeec2a0 iprule: fix segfault (FS#1875)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-02 13:34:04 +02:00
Rosy Song
456df06071 odhcpd-ipv6only: fix dependency for IPV6
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-09-30 21:05:42 +02:00
Hans Dedecker
8e604dea31 netifd: update to latest git HEAD
94e156f scripts: fix previous commit
3c8ac1c netifd: fix wpa mixed mode matching

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-30 21:05:35 +02:00
Enrique Giraldo
61454a0a8c hostapd: add acs feature indication
Signed-off-by: Enrique Giraldo <enrique.giraldo@galgus.net>
2018-09-29 17:23:11 +02:00
Kevin Darbyshire-Bryant
37961f12ba wireguard: bump to 0.0.20180925
33523a5 version: bump snapshot
0759480 curve25519-hacl64: reduce stack usage under KASAN
b9ab0fc chacha20: add bounds checking to selftests
2e99d19 chacha20-mips32r2: reduce stack and branches in loop, refactor jumptable handling
d6ac367 qemu: bump musl
28d8b7e crypto: make constant naming scheme consistent
56c4ea9 hchacha20: keep in native endian in words
0c3c0bc chacha20-arm: remove unused preambles
3dcd246 chacha20-arm: updated scalar code from Andy
6b9d5ca poly1305-mips64: remove useless preprocessor error
3ff3990 crypto-arm: rework KERNEL_MODE_NEON handling again
dd2f91e crypto: flatten out makefile
67a3cfb curve25519-fiat32: work around m68k compiler stack frame bug
9aa2943 allowedips: work around kasan stack frame bug in selftest
317b318 chacha20-arm: use new scalar implementation
b715e3b crypto-arm: rework KERNEL_MODE_NEON handling
77b07d9 global: reduce stack frame size
ddc2bd6 chacha20: add chunked selftest and test sliding alignments and hchacha20
2eead02 chacha20-mips32r2: reduce jumptable entry size and stack usage
a0ac620 chacha20-mips32r2: use simpler calling convention
09247c0 chacha20-arm: go with Ard's version to optimize for Cortex-A7
a329e0a chacha20-mips32r2: remove reorder directives
3b22533 chacha20-mips32r2: fix typo to allow reorder again
d4ac6bb poly1305-mips32r2: remove all reorder directives
197a30c global: put SPDX identifier on its own line
305806d ratelimiter: disable selftest with KASAN
4e06236 crypto: do not waste space on selftest items
5e0fd08 netlink: reverse my christmas trees
a61ea8b crypto: explicitly dual license
b161aff poly1305: account for simd being toggled off midway
470a0c5 allowedips: change from BUG_ON to WARN_ON
aa9e090 chacha20: prefer crypto_xor_cpy to avoid memmove
1b0adf5 poly1305: no need to trick gcc 8.1
a849803 blake2s: simplify final function
073f3d1 poly1305: better module description

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-27 21:19:38 +01:00
Kevin Darbyshire-Bryant
d9a37d8d1e dnsmasq: bump to v2.80test7
Bump to latest test release:

3a610a0 Finesse allocation of memory for "struct crec" cache entries.
48b090c Fix b6f926fbefcd2471699599e44f32b8d25b87b471 to not SEGV on startup (rarely).
4139298 Change behavior when RD bit unset in queries.
51cc10f Add warning about 0.0.0.0 and :: addresses to man page.
ea6cc33 Handle memory allocation failure in make_non_terminals()
ad03967 Add debian/tmpfiles.conf
f4fd07d Debian bugfix.
e3c08a3 Debian packaging fix. (restorecon)
118011f Debian packaging fix. (tmpfiles.d)

Delete our own backports of ea6cc33 & 4139298, so the only real changes
here, since we don't care about the Debian stuff are 48b090c & 3a610a0

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-27 16:13:40 +01:00
Rosy Song
2dc1f54b12 iptables: fix dependency for libip6tc on IPV6
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-09-26 22:40:37 +02:00
Hauke Mehrtens
02e7fa6f8a iw: update nl80211.h
Now this file matches the version in backports.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-09-26 16:39:44 +02:00
Rosy Song
a6add47869 netifd: do not validate relevant section when ipv6 is not supported
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-09-25 22:35:38 +02:00
David Yang
aaf46a8fe2 dante: disable sched_getscheduler() - not implemented in musl
musl doesn't come with an valid implementation of `sched_getscheduler()`;
it simply returns -ENOSYS for it. Without this option (and compile dante
with `sched_getscheduler()` enabled), you will get

    error: serverinit(): sched_getscheduler(2): failed to retrieve current
    cpuscheduling policy: Function not implemented

and dante won't start at all.

Ref: http://lists.alpinelinux.org/alpine-devel/3932.html
Ref: http://lists.alpinelinux.org/alpine-devel/3936.html
Signed-off-by: David Yang <mmyangfl@gmail.com>
[slightly reword commit message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-09-24 19:04:47 +02:00
Jo-Philipp Wich
4f277eb640 lldpd: inhibit linking of libbsd on !GLIBC
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-09-24 08:36:10 +02:00
Yangbo Lu
db30adc931 layerscape: fix get_device_file() function of restool
The restool failed to work with current gcc-7.3.0-musl.
This patch is to add a restool fix-up patch to fix
multiple problems encountered in the get_device_file()
function:
 - The deprecated atoi() function is replaced by strtoul
 - An invalid memory access was being performed by using
 memory from dir->d_name even after closedir(). This is
 fixed by a strdup() on the device filename.
 - Also, error prints now print any relevant error code.

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
2018-09-22 21:20:58 +02:00
Yangbo Lu
5c325c2b63 layerscape: update restool to LSDK-18.06
The restool source code had been migrated to codeaurora
for LSDK-18.06 release and the future release. This patch
is to update restool to LSDK-18.06 release.

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
2018-09-22 21:20:56 +02:00
Kevin Darbyshire-Bryant
6c4cbe94bd dnsmasq: Change behavior when RD bit unset in queries.
Backport upstream commit

Change anti cache-snooping behaviour with queries with the
recursion-desired bit unset. Instead to returning SERVFAIL, we
now always forward, and never answer from the cache. This
allows "dig +trace" command to work.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-21 09:59:03 +01:00
Rosen Penev
7651e254d5 dropbear: Install /etc/config as 600
/etc/config/dropbear is used by the init script which only runs as root.

Small whitespace change.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-09-19 09:41:28 +01:00
Rosen Penev
add4871582 lldpd: Install /etc/config file as 600
/etc/config/lldpd is only used by the init script, which only runs as root

Adjusted homepage and download URLs to use HTTPS.

-std=c99 is useful for GCC versions less than 6. Current OpenWrt uses 7.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-09-19 09:41:28 +01:00
Hans Dedecker
6cd41ca673 netifd: update to latest git HEAD
23941d7 system-linux: enable by default ignore encaplimit for ip6 tunnels

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-19 10:09:25 +02:00
Hans Dedecker
d9691b66e2 map: drop default encaplimit value
Setting encaplimit to a numerical value results into the value being
included as tunnel encapsulation limit in the destination option header
for tunneled packets.
Several users have reported interop issues as not all ISPs support the
destination option header containing the tunnel encapsulation limit
resulting into broken map connectivity.
Therefore drop the default encaplimit value for map tunnels so
no destination option header is included by default.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-19 09:42:45 +02:00
Hans Dedecker
1241707b40 ds-lite: drop default encaplimit value
Setting encaplimit to a numerical value results into the value being
included as tunnel encapsulation limit in the destination option header
for tunneled packets.
Several users have reported interop issues as not all ISPs support the
destination option header containing the tunnel encapsulation limit
resulting into broken ds-lite connectivity.
Therefore drop the default encaplimit value for ds-lite tunnels so
no destination option header is included by default.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-19 09:42:28 +02:00
Jason A. Donenfeld
f07a94da50 wireguard: bump to 0.0.20180918
* blake2s-x86_64: fix whitespace errors
* crypto: do not use compound literals in selftests
* crypto: make sure UML is properly disabled
* kconfig: make NEON depend on CPU_V7
* poly1305: rename finish to final
* chacha20: add constant for words in block
* curve25519-x86_64: remove useless define
* poly1305: precompute 5*r in init instead of blocks
* chacha20-arm: swap scalar and neon functions
* simd: add __must_check annotation
* poly1305: do not require simd context for arch
* chacha20-x86_64: cascade down implementations
* crypto: pass simd by reference
* chacha20-x86_64: don't activate simd for small blocks
* poly1305-x86_64: don't activate simd for small blocks
* crypto: do not use -include trick
* crypto: turn Zinc into individual modules
* chacha20poly1305: relax simd between sg chunks
* chacha20-x86_64: more limited cascade
* crypto: allow for disabling simd in zinc modules
* poly1305-x86_64: show full struct for state
* chacha20-x86_64: use correct cut off for avx512-vl
* curve25519-arm: only compile if symbols will be used
* chacha20poly1305: add __init to selftest helper functions
* chacha20: add independent self test

Tons of improvements all around the board to our cryptography library,
including some performance boosts with how we handle SIMD for small packets.

* send/receive: reduce number of sg entries

This quells a powerpc stack usage warning.

* global: remove non-essential inline annotations

We now allow the compiler to determine whether or not to inline certain
functions, while still manually choosing so for a few performance-critical
sections.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-09-19 08:30:13 +01:00
Kevin Darbyshire-Bryant
687168ccd9 dnsmasq: Handle memory allocation failure in make_non_terminals()
Backport upstream commit:

ea6cc33 Handle memory allocation failure in make_non_terminals()

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-19 07:43:02 +01:00
Daniel Golle
e51aa699f7 uqmi: pass-through ipXtable to child interfaces
Allow setting specific routing tables via the ip4table and ip6table
options also when ${ifname}_4 and ${ifname}_6 child interfaces are
being created.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-09-15 19:18:42 +02:00
Kevin Darbyshire-Bryant
033f02b9b5 iproute2: q_cake: Also print nonat, nowash and no-ack-filter keywords
Pull in latest upstream tweaks:
Similar to the previous patch for no-split-gso, the negative keywords for
'nat', 'wash' and 'ack-filter' were not printed either. Add those as well.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-15 08:46:32 +01:00
Rosy Song
918ec4d549 odhcpd: enable ipv6 server mode only when it is supported
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-09-12 21:47:33 +02:00
Kevin Darbyshire-Bryant
8cac857289 iproute2: q_cake: Add printing of no-split-gso option
When the GSO splitting was turned into dual split-gso/no-split-gso options,
the printing of the latter was left out. Add that, so output is consistent
with the options passed

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-12 09:13:44 +01:00
Florian Fainelli
4fca0e8896 netifd: update to latest HEAD
0059335c5b60 CMakeList: Check that compiler supports -Wimplicit-fallthrough

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2018-09-11 17:19:51 -07:00
Jason A. Donenfeld
a54f492d0c wireguard: bump to 0.0.20180910
* curve25519: arm: do not modify sp directly
* compat: support neon.h on old kernels
* compat: arch-namespace certain includes
* compat: move simd.h from crypto to compat since it's going upstream

This fixes a decent amount of compat breakage and thumb2-mode breakage
introduced by our move to Zinc.

* crypto: use CRYPTOGAMS license

Rather than using code from OpenSSL, use code directly from AndyP.

* poly1305: rewrite self tests from scratch
* poly1305: switch to donna

This makes our C Poly1305 implementation a bit more intensely tested and also
faster, especially on 64-bit systems. It also sets the stage for moving to a
HACL* implementation when that's ready.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-09-11 11:34:23 +02:00
Rosen Penev
f78e07ad2a hostapd: Fix compile with OpenSSL 1.1.0 + no deprecated APIs
Patch was accepted upsteam:

https://w1.fi/cgit/hostap/commit/?id=373c796948599a509bad71695b5b72eef003f661

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-09-10 09:01:37 +02:00
Hans Dedecker
43d4b8e89e dnsmasq: bump to dnsmasq 2.80test6
Refresh patches

Changes since latest bump:

af3bd07 Man page typo.
d682099 Picky changes to 47b45b2967c931fed3c89a2e6a8df9f9183a5789
47b45b2 Fix lengths of interface names
2b38e38 Minor improvements in lease-tools
282eab7 Mark die function as never returning
c346f61 Handle ANY queries in context of da8b6517decdac593e7ce24bde2824dd841725c8
03212e5 Manpage typo.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-09 22:02:45 +02:00
Daniel Engberg
9cfa5f2cec curl: Update to 7.61.1
Update curl to 7.61.1

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-09-09 21:38:10 +02:00
pacien
ef01c1d308 odhcp6c: add client fqdn and reconfigure options
Allowing DHCPV6_CLIENT_FQDN and DHCPV6_ACCEPT_RECONFIGURE to be turned off.
Defaulting to false, former behavior remains unchanged.

Signed-off-by: pacien <pacien.trangirard@pacien.net>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2018-09-08 21:36:30 +02:00
Henrique de Moraes Holschuh
ca1b347691 dnsmasq: allow dnsmasq variants to be included in image
The dnsmasq variants should provide dnsmasq, otherwise it is impossible
to include them in the image.

This change allows one to have CONFIG_PACKAGE_dnsmasq=m and
CONFIG_PACKAGE_dnsmasq-full=y, e.g. because you want DNSSEC support, or
IPSETs suport on your 3000-devices fleet ;-)

Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
2018-09-06 17:57:59 +02:00
Hans Dedecker
3d377f4375 dnsmasq: bump to dnsmasq v2.80test5
Refresh patches
Remove 240-ubus patch as upstream accepted.
Add uci option ubus which allows to enable/disable ubus support (enabled
by default)

Upstream commits since last bump:

da8b651 Implement --address=/example.com/#
c5db8f9 Tidy 7f876b64c22b2b18412e2e3d8506ee33e42db7c
974a6d0 Add --caa-record
b758b67 Improve logging of RRs from --dns-rr.
9bafdc6 Tidy up file parsing code.
97f876b Properly deal with unaligned addresses in DHCPv6 packets.
cbfbd17 Fix broken DNSSEC records in previous.
b6f926f Don't return NXDOMAIN to empty non-terminals.
c822620 Add --dhcp-name-match
397c050 Handle case of --auth-zone but no --auth-server.
1682d15 Add missing EDNS0 section. EDNS0 section missing in replies to EDNS0-containing queries where answer generated from --local=/<domain>/
dd33e98 Fix crash parsing a --synth-domain with no prefix. Problem introduced in 2.79/6b2b564ac34cb3c862f168e6b1457f9f0b9ca69c
c16d966 Add copyright to src/metrics.h
1dfed16 Remove C99 only code.
6f835ed Format fixes - ubus.c
9d6fd17 dnsmasq.c fix OPT_UBUS option usage
8c1b6a5 New metrics and ubus files.
8dcdb33 Add --enable-ubus option.
aba8bbb Add collection of metrics
caf4d57 Add OpenWRT ubus patch

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-06 15:48:13 +02:00
Hans Dedecker
ecc3165cbc odhcpd: bump to git HEAD (detect broken hostnames)
881f66b odhcpd: detect broken hostnames
3e17fd9 config: fix odhcpd_attrs array size

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-05 11:04:19 +02:00
Jason A. Donenfeld
4ccbe7de6c wireguard: bump to 0.0.20180904
* Kconfig: use new-style help marker
* global: run through clang-format
* uapi: reformat
* global: satisfy check_patch.pl errors
* global: prefer sizeof(*pointer) when possible
* global: always find OOM unlikely

Tons of style cleanups.

* crypto: use unaligned helpers

We now avoid unaligned accesses for generic users of the crypto API.

* crypto: import zinc

More style cleanups and a rearrangement of the crypto routines to fit how this
is going to work upstream. This required some fairly big changes to our build
system, so there may be some build errors we'll have to address in subsequent
snapshots.

* compat: rng_is_initialized made it into 4.19

We therefore don't need it in the compat layer anymore.

* curve25519-hacl64: use formally verified C for comparisons

The previous code had been proved in Z3, but this new code from upstream
KreMLin is directly generated from the F*, which is preferable. The
assembly generated is identical.

* curve25519-x86_64: let the compiler decide when/how to load constants

Small performance boost.

* curve25519-arm: reformat
* curve25519-arm: cleanups from lkml
* curve25519-arm: add spaces after commas
* curve25519-arm: use ordinary prolog and epilogue
* curve25519-arm: do not waste 32 bytes of stack
* curve25519-arm: prefix immediates with #

This incorporates ASM nits from upstream review.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-09-05 08:52:36 +02:00
Alexander Couzens
967d6460c0
hostapd: fix build of wpa-supplicant-p2p
VARIANT:= got removed by accident.

Fixes: 3838b16943 ("hostapd: fix conflicts hell")
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2018-09-03 21:51:06 +02:00
Kevin Darbyshire-Bryant
dc9388ac55 iproute2: update cake man page
CAKE supports overriding of its internal classification of
packets through the tc filter mechanism.

Update the man page in our package, even though we don't
build them.  Someone may find the documentation useful.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 30598a05385b0ac2380dd4f30037a9f9d0318cf2)
2018-08-31 15:30:28 +07:00
Jo-Philipp Wich
555c592304 ppp: remove hardcoded lcp-echo-failure, lcp-echo-interval values
OpenWrt used to ship hardcoded defaults for lcp-echo-failure and
lcp-echo-interval in the non-uci /etc/ppp/options file.

These values break uci support for *disabling* LCP echos through
the use of "option keepalive 0" as either omitting the keepalive
option or setting it to 0 will result in no lcp-echo-* flags
getting passed to the pppd cmdline, causing the pppd process to
revert to the defaults in /etc/ppp/options.

Address this issue by letting the uci "keepalive" option default
to the former hardcoded values "5, 1" and by removing the fixed
lcp-echo-failure and lcp-echo-interval settings from the
/etc/ppp/options files.

Ref: https://github.com/openwrt/luci/issues/2112
Ref: https://dev.archive.openwrt.org/ticket/2373.html
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=854
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=1259
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-30 15:19:45 +02:00
Thomas Equeter
acedce1d79 uqmi: wait for the control device too
The control device /dev/cdc-wdm0 is not available immediately on the
D-Link DWR-921 Rev.C3, therefore the wwan interface fails to start at
boot with a "The specified control device does not exist" error.

This patch alters /lib/netifd/proto/qmi.sh to wait for
network.wwan.delay earlier, before checking for the control device,
instead of just before interacting with the modem.

One still has to use network.wwan.proto='qmi', as the "wwan" proto
performs that sort of check before any delay is possible, failing with a
"No valid device was found" error.

Signed-off-by: Thomas Equeter <tequeter@users.noreply.github.com>
2018-08-29 13:10:12 +02:00
Giuseppe Lippolis
774d7fc9f2 comgt: increase timeout on runcommands
Some combination of modem/wireless operator requires more time to
execute the commands.
Tested on DWR-512 embedded wwan modem and italian operator iliad (new
virtual operator).

Signed-off-by: Giuseppe Lippolis <giu.lippolis@gmail.com>
2018-08-29 08:34:10 +02:00
Robert Marko
a9d7353192 ethtool: Update to 4.18
Tested on 8devices Jalapeno(ipq40xx)
Introduces following changes:
Feature: Add support for WAKE_FILTER (WoL using filters)
Feature: Add support for action value -2 (wake-up filter)
Fix: document WoL filters option also in help message
Feature: ixgbe dump strings for security registers

Signed-off-by: Robert Marko <robimarko@gmail.com>
2018-08-28 13:46:16 +02:00
Hans Dedecker
8fd8e79143 iproute2: update to 4.18.0
Update to the latest version of iproute2; see https://lwn.net/Articles/762515/
for a full overview of the changes in 4.18.
Remove upstream patch 001-rdma-sync-some-IP-headers-with-glibc

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-25 20:54:00 +02:00
Hans Dedecker
2211ee0037 dropbear: backport upstream fix for CVE-2018-15599
CVE description :
The recv_msg_userauth_request function in svr-auth.c in Dropbear through
2018.76 is prone to a user enumeration vulnerability because username
validity affects how fields in SSH_MSG_USERAUTH messages are handled,
a similar issue to CVE-2018-15473 in an unrelated codebase.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-24 15:25:26 +02:00
Jo-Philipp Wich
214146c6f2 uhttpd: support multiple Lua prefixes
Update to latest git HEAD in order to support configuring multiple
concurrent Lua prefixes in a single uhttpd instance:

  b741dec lua: support multiple Lua prefixes

Additionally rework the init script and update the default configuration
example to treat the lua_prefix option as key=value uci list, similar to
the interpreter extension mapping. Support for the old "option lua_prefix"
plus "option lua_handler" notation is still present.

Finally drop the sed postinstall hack in uhttpd-mod-lua to avoid mangling
files belonging to other packages. Since Lua prefixes have precedence
over CGI prefixes, simply register `/cgi-bin/luci` as Lua handler which
will only become active if both luci-base and uhttpd-mod-lua is installed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-23 09:18:04 +02:00
Rosen Penev
499773f8ef samba36: Enable umdnsd support
Allows discovery without having to use NetBIOS. Useful for mobile devices.

Could eventually throw nbmd away. But that requires Windows 10...

Tested on Fedora 28 with avahi-discover.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-08-22 11:23:02 +02:00
Jo-Philipp Wich
e5f56c07d7 iptables: make iptables-mod-conntrack-extra depend on kmod-ipt-raw
Since kernel 4.14 there is no auto assignment of conntrack helpers anymore
so fw3 needs raw table support in order to stage ct helper assignment rules.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-22 07:14:45 +02:00
Hans Dedecker
6c227e45cb dnsmasq: remove creation of /etc/ethers
Remove creation of file /etc/ethers in dnsmasq init script as the
file is now created by default in the base-files package by
commit fa3301a28e

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-21 15:55:10 +02:00
Jo-Philipp Wich
22681cdef2 uhttpd: update to latest Git head
952bf9d build: use _DEFAULT_SOURCE
30a18cb uhttpd: recognize PATCH, PUT and DELETE HTTP methods

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-21 14:48:47 +02:00
Hans Dedecker
40eb9bda44 netifd: update to latest git HEAD
7454d12 interface: let interface_set_down() return void
32f11a8 interface: make __interface_set_down() static
b9d5a8c interface: extend interface error messages in interface_set_up()
de394b3 interface: ensure NO_DEVICE error is always reported

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-20 16:27:38 +02:00
Yury Shvedov
cad9519eba hostapd: process all CSA parameters
This adds processing of all CSA arguments from ubus switch_chan request
in the same manner as in the control interface API.

Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com>
2018-08-20 09:24:43 +02:00
Hans Dedecker
e2791e80cb netifd: update to latest git HEAD
522456b device: gracefully handle device names exceeding IFNAMESIZ

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-14 22:56:31 +02:00
Stijn Tintel
03e5dcbf10 firewall: bump to git HEAD
12a7cf9 Add support for DSCP matches and target
06fa692 defaults: use a generic check_kmod() function
1c4d5bc defaults: fix check_kmod() function

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2018-08-13 22:05:46 +03:00
Jason A. Donenfeld
42dc0e2594 wireguard: bump to 0.0.20180809
* send: switch handshake stamp to an atomic

Rather than abusing the handshake lock, we're much better off just using
a boring atomic64 for this. It's simpler and performs better. Also, while
we're at it, we set the handshake stamp both before and after the
calculations, in case the calculations block for a really long time waiting
for the RNG to initialize.

* compat: better atomic acquire/release backport

This should fix compilation and correctness on several platforms.

* crypto: move simd context to specific type

This was a suggestion from Andy Lutomirski on LKML.

* chacha20poly1305: selftest: use arrays for test vectors

We no longer have lines so long that they're rejected by SMTP servers.

* qemu: add easy git harness

This makes it a bit easier to use our qemu harness for testing our mainline
integration tree.

* curve25519-x86_64: avoid use of r12

This causes problems with RAP and KERNEXEC for PaX, as r12 is a
reserved register.

* chacha20: use memmove in case buffers overlap

A small correctness fix that we never actually hit in WireGuard but is
important especially for moving this into a general purpose library.

* curve25519-hacl64: simplify u64_eq_mask
* curve25519-hacl64: correct u64_gte_mask

Two bitmath fixes from Samuel, which come complete with a z3 script proving
their correctness.

* timers: include header in right file

This fixes compilation in some environments.

* netlink: don't start over iteration on multipart non-first allowedips

Matt Layher found a bug where a netlink dump of peers would never terminate in
some circumstances, causing wg(8) to keep trying forever. We now have a fix as
well as a unit test to mitigate this, and we'll be looking to create a fuzzer
out of Matt's nice library.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-12 16:12:01 +02:00
John Crispin
1961948585 wpa_supplicant: fix CVE-2018-14526
Unauthenticated EAPOL-Key decryption in wpa_supplicant

Published: August 8, 2018
Identifiers:
- CVE-2018-14526
Latest version available from: https://w1.fi/security/2018-1/

Vulnerability

A vulnerability was found in how wpa_supplicant processes EAPOL-Key
frames. It is possible for an attacker to modify the frame in a way that
makes wpa_supplicant decrypt the Key Data field without requiring a
valid MIC value in the frame, i.e., without the frame being
authenticated. This has a potential issue in the case where WPA2/RSN
style of EAPOL-Key construction is used with TKIP negotiated as the
pairwise cipher. It should be noted that WPA2 is not supposed to be used
with TKIP as the pairwise cipher. Instead, CCMP is expected to be used
and with that pairwise cipher, this vulnerability is not applicable in
practice.

When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data
field is encrypted using RC4. This vulnerability allows unauthenticated
EAPOL-Key frames to be processed and due to the RC4 design, this makes
it possible for an attacker to modify the plaintext version of the Key
Data field with bitwise XOR operations without knowing the contents.
This can be used to cause a denial of service attack by modifying
GTK/IGTK on the station (without the attacker learning any of the keys)
which would prevent the station from accepting received group-addressed
frames. Furthermore, this might be abused by making wpa_supplicant act
as a decryption oracle to try to recover some of the Key Data payload
(GTK/IGTK) to get knowledge of the group encryption keys.

Full recovery of the group encryption keys requires multiple attempts
(128 connection attempts per octet) and each attempt results in
disconnection due to a failure to complete the 4-way handshake. These
failures can result in the AP/network getting disabled temporarily or
even permanently (requiring user action to re-enable) which may make it
impractical to perform the attack to recover the keys before the AP has
already changes the group keys. By default, wpa_supplicant is enforcing
at minimum a ten second wait time between each failed connection
attempt, i.e., over 20 minutes waiting to recover each octet while
hostapd AP implementation uses 10 minute default for GTK rekeying when
using TKIP. With such timing behavior, practical attack would need large
number of impacted stations to be trying to connect to the same AP to be
able to recover sufficient information from the GTK to be able to
determine the key before it gets changed.

Vulnerable versions/configurations

All wpa_supplicant versions.

Acknowledgments

Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
Leuven for discovering and reporting this issue.

Possible mitigation steps

- Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This
can be done also on the AP side.

- Merge the following commits to wpa_supplicant and rebuild:

WPA: Ignore unauthenticated encrypted EAPOL-Key data

This patch is available from https://w1.fi/security/2018-1/

- Update to wpa_supplicant v2.7 or newer, once available

Signed-off-by: John Crispin <john@phrozen.org>
2018-08-10 15:48:21 +02:00
Hans Dedecker
2e02fdb363 odhcp6c: apply IPv6/ND configuration earlier
Apply IPv6/ND configuration before proto_send_update so that all config info
is available when netifd is handling the notify_proto ubus call.
In particular this fixes an issue when netifd is updating the downstream IPv6 mtu
as netifd was still using the not yet updated upstream IPv6 mtu to set the
downstream IPv6 mtu

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-09 18:46:57 +02:00
Hans Dedecker
e0fbf62821 iproute2: remove libutil from InstallDev section
Commit 4d961538f6 added libutil to the iproute2 InstallDev section
but lead to compile issues with packages picking up the wrong libutil
since libutil is quite a generic name ...
Further libutil is rather meant for internal usage in iproute2 than a
public API; therefore let's remove it from the InstallDev section together
with ll_map.h

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-09 17:48:03 +02:00
Hans Dedecker
6579af7a77 netifd: update to latest git HEAD
115a694 interface-ip: always override downstream IPv6 mtu

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-09 17:39:24 +02:00
Hans Dedecker
4d961538f6 iproute2: add libutil to InstallDev section
In iproute2 v4.17 ll_map has been moved from the libnetlink to the libutil
library; add libutil as well to the staging dir in order to keep support
for ll_map

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-08 14:29:08 +02:00
Jason A. Donenfeld
68e2ebe64a wireguard: bump to 0.0.20180802
Changelog taken from the version announcement

> == Changes ==
>
>   * chacha20poly1305: selftest: split up test vector constants
>
>   The test vectors are encoded as long strings -- really long strings -- and
>   apparently RFC821 doesn't like lines longer than 998.
>   https://cr.yp.to/smtp/message.html
>
>   * queueing: keep reference to peer after setting atomic state bit
>
>   This fixes a regression introduced when preparing the LKML submission.
>
>   * allowedips: prevent double read in kref
>   * allowedips: avoid window of disappeared peer
>   * hashtables: document immediate zeroing semantics
>   * peer: ensure resources are freed when creation fails
>   * queueing: document double-adding and reference conditions
>   * queueing: ensure strictly ordered loads and stores
>   * cookie: returned keypair might disappear if rcu lock not held
>   * noise: free peer references on failure
>   * peer: ensure destruction doesn't race
>
>   Various fixes, as well as lots of code comment documentation, for a
>   small variety of the less obvious aspects of object lifecycles,
>   focused on correctness.
>
>   * allowedips: free root inside of RCU callback
>   * allowedips: use different macro names so as to avoid confusion
>
>   These incorporate two suggestions from LKML.
>
> This snapshot contains commits from: Jason A. Donenfeld and Jann Horn.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2018-08-04 04:04:34 +00:00
Kevin Darbyshire-Bryant
13c66f8820 iproute2: cake: make gso/gro splitting configurable
This patch makes sch_cake's gso/gro splitting configurable
from userspace.

To disable breaking apart superpackets in sch_cake:

tc qdisc replace dev whatever root cake no-split-gso

to enable:

tc qdisc replace dev whatever root cake split-gso

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Dave Taht <dave.taht@gmail.com>
[pulled from netdev list - no API/ABI change]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-08-02 22:00:19 +01:00
Koen Vandeputte
457e6d5a27 iperf: bump to 2.0.12
Fixes the annoying 'feature' were TTL was set to "1" by default ..
Users had to specify -T manually to test outside the own network.

2.0.12 change set (as of June 25th 2018)

o Change the unicast TTL default value from 1 to the system default (to be compatable with previous versions.) Multicast still defaults to 1.
o adpative formatting bug fix: crash occurs when values exceed 1 Tera. Add support for Tera and Peta and eliminate the potential crash condition
o configure default compile to include isochronous support (use configure --disable-isochronous to remove support)
o replace 2.0.11's --vary-load option with a more general -b option to include <mean>,<stdev>, e.g. -b 100m,40m, which will pull from a log normal distribution every 0.1 seconds
o fixes for windows cross compile (using mingw32)
o compile flags of -fPIE for android
o configure --enable-checkprograms to compile ancillary binaries used to test things such as delay, isoch, pdf generation
o compile tests when trying to use 64b seq numbers on a 32b platform
o Fix GCC ver 8 warnings

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-08-02 15:03:21 +02:00
Rosy Song
f30583c41d nftables: allow to build with json support
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-08-01 11:25:04 +02:00
Jo-Philipp Wich
fdd6c556ab iwinfo: update to latest Git HEAD
a514139 build: compile with -ffunction-sections, -fdata-sections and LTO
3c30b17 wl: only invoke nvram executable if it exists
65b8333 Revert "build: compile with -ffunction-sections, -fdata-sections and LTO"

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-07-31 20:40:33 +02:00
John Crispin
3c4eeb5d21 netifd: update to latest git HEAD
fix a compile error

Signed-off-by: John Crispin <john@phrozen.org>
2018-07-30 23:56:14 +02:00
Hans Dedecker
929eac5b82 netifd: update to latest git HEAD (FS#1668)
75ee790 interface-ip: fix eui64 ifaceid generation (FS#1668)
ca97097 netifd: make sure the vlan ifname fits into the buffer
b8c1bca iprule: remove bogus assert calls
a2f952d iprule: fix broken in_dev/out_dev checks
263631a vlan: use alloca to get rid of IFNAMSIZE in vlan_dev_set_name()
291ccbb ubus: display correct prefix size for IPv6 prefix address
908a9f4 CMakeLists.txt: add -Wimplicit-fallthrough to the compiler flags
b06b011 proto-shell.c: add a explicit "fall through" comment to make the compiler happy
60293a7 replace fall throughs in switch/cases where possible with simple code changes

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-07-30 23:01:55 +02:00
Stijn Tintel
50c5fdd54d tcpdump: explicitly disable libcap-ng support
When libcap-ng is detected during build, support for it is enabled. This
will cause a build failure due to a missing dependency. Explicitly
disable libcap-ng support to avoid this.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2018-07-30 23:27:55 +03:00
Nick Hainke
abefb4fda3 hostapd: add ht and vht support in handle event function Add ht and vht capabilities. If a device sends a probe request, the capabilities are added.
Signed-off-by: Nick Hainke <vincent@systemli.org>
2018-07-30 11:01:04 +02:00
Nick Hainke
74ac742277 hostapd: add ubus call for ap features
The call "get_features" allows to gather hostapd config options
via ubus. As first infos we add the ht and vht support.
Although nl80211 supports to gather informations about
ht and vht capabilities, the hostapd configuration can disable
vht and ht. However, it is possible that the iw output is not
representing the actual hostapd configuration.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2018-07-30 10:59:25 +02:00
Luiz Angelo Daros de Luca
f1bef0596f openvpn-easy-rsa: update to 3.0.4
Upstream renamed openssl-1.0.cnf to openssl-easyrsa.cnf.
However, pkg kept using openssl-1.0.cnf.

Upstream easyrsa searchs for vars, openssl-*, x509-types in the
same directory as easyrsa script. This was patched to revert
back to static /etc/easy-rsa/ directory (as does OpenSUSE).
EASYRSA_PKI still depends on $PWD.

Move easyrsa from /usr/sbin to /usr/bin as root is not needed.

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2018-07-30 10:43:38 +02:00
Martin Strobel
7d7323bccd iptables: add ip[6|]tables-compat packages + libxtables-compat depends on IPTABLES_NFTABLES
allows iptables-compat to use nft packet filtering
allows to translate iptables-style to nft-style

Signed-off-by: Martin Strobel <arctus@crza.de>
2018-07-30 10:43:36 +02:00
Dmitry Tunin
c128371124 igmpproxy: drop SSDP packets
It is insecure to let this type of packets inside
They can e.g. open ports on some other routers with UPnP, etc

Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
2018-07-30 10:43:36 +02:00
Nick Hainke
296ae7ab89 iwinfo: update to version 2018-07-24
Update to new iwinfo version.
Adds support for channel survey.
Adds ubus support.
Etc.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2018-07-30 10:43:31 +02:00
Daniel Engberg
5647cc7bd4 treewide: Bump PKG_RELEASE due to mbedtls update
Bump PKG_RELEASE on packages that depends on (lib)mbedtls to avoid library
mismatch.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-07-30 10:35:12 +02:00
Rosen Penev
fc89831ae8 thc-ipv6: Update URLs
Development has moved to GitHub. Found using UScan.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-07-29 12:11:31 +02:00
Dmitry Tunin
7a6b2badfa igmpproxy: add a silent logging option
[0-3](none, minimal[default], more, maximum)

It is not 100% backward compatible, because now 0 disables logging

Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
2018-07-28 15:20:39 +01:00
Kevin Darbyshire-Bryant
1e93ef8498 dnsmasq: bump to dnsmasq v2.80test3
Refresh patches

Upstream commits since last bump:

3b6eb19 Log DNSSEC trust anchors at startup.
f3e5787 Trivial comment change.
c851c69 Log failure to confirm an address in DHCPv6.
a3bd7e7 Fix missing fatal errors when parsing some command-line/config options.
ab5ceaf Document the --help option in the french manual
1f2f69d Fix recurrent minor spelling mistake in french manual
f361b39 Fix some mistakes in french translation of the manual
eb1fe15 When replacing cache entries, preserve CNAMES which target them.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-28 11:16:41 +01:00
Masashi Honma
d05967baec wwan: Fix teardown for sierra_net driver
The sierra_net driver is using proto_directip_setup for setup. So use
proto_directip_teardown for teardown.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2018-07-27 11:17:20 +02:00
Syrone Wong
7dfd72dfff ead: use new protocol setting API since libpcap 1.9.0
Dropped the protocol API specific symbol: HAS_PROTO_EXTENSION and
switch to the official API

Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
2018-07-27 11:17:20 +02:00
Jo-Philipp Wich
88c88823d5 odhcpd: update to latest git HEAD
44cce31 ubus: avoid dumping interface state with NULL message

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-07-26 14:53:05 +02:00
Jo-Philipp Wich
3ee2c76ae0 firewall: update to latest git HEAD
aa8846b ubus: avoid dumping interface state with NULL message

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-07-26 08:44:53 +02:00
Daniel Engberg
f486f81c64 utils/curl: Disable libpsl
Disabled libpsl to fix build issue reported by buildbots

Package libcurl is missing dependencies for the following libraries:
libpsl.so.5


Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-07-24 15:35:51 +02:00
Aleksandr V. Piskunov
20c4819c7b wireguard-tools: add wireguard_watchdog script
This watchdog script tries to re-resolve hostnames for inactive WireGuard peers.
Use it for peers with a frequently changing dynamic IP.
persistent_keepalive must be set, recommended value is 25 seconds.
Run this script from cron every minute:
echo '* * * * * /usr/bin/wireguard_watchdog' >> /etc/crontabs/root

Signed-off-by: Aleksandr V. Piskunov <aleksandr.v.piskunov@gmail.com>
[bump the package release]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-22 21:52:20 +01:00
Jason A. Donenfeld
57b808ec88 wireguard: bump to 0.0.20180718
80b41cd version: bump snapshot
fe5f0f6 recieve: disable NAPI busy polling
e863f40 device: destroy workqueue before freeing queue
81a2e7e wg-quick: allow link local default gateway
95951af receive: use gro call instead of plain call
d9501f1 receive: account for zero or negative budget
e80799b tools: only error on wg show if all interfaces failk

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
[Added commit log to commit description]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-22 21:01:34 +01:00
Felix Fietkau
f0ac9afe69 hostapd: remove unused struct hostapd_ubus_iface
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-22 17:17:20 +02:00
Kevin Darbyshire-Bryant
03fce62c09 iproute2: tc: backport canonical cake support
iproute2's tc was updated to support the recently upstreamed cake qdisc.
Backport this canonical support from upstream into iproute2 v4.17

There is no kernel kmod/userspace tc ABI change in this release from the
previous package bump, so everyone can breath a sigh of relief.

This is largely a code style change, the exception to prove the rule:
option 'autorate_ingress' has been changed to 'autorate-ingress' to fit
in with upstream option naming expectations.

No openwrt package (e.g. sqm-scripts) has knowledge of
'autorate_ingress' thus only users who made their own scripts or used
it within the 'dangerous configuration' options of sqm-scripts will be
affected.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-21 08:47:40 +01:00
Mathias Kresin
3838b16943 hostapd: fix conflicts hell
Add each variant to the matching PROVIDERS variables after evaluating
the respective hostapd*, wpad* and wpa* variant.

Each package providing the same feature will automatically conflict with
all prior packages providing the same feature.

This way we can handle the conflicts automatically without introducing
recursive dependencies.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2018-07-18 19:17:46 +02:00
Mathias Kresin
8af8ceb1c8 hostapd: cleanup package definition
Move common variables and/or values to the package (variant) default.
Add additional values in variant packages if necessary. Remove further
duplicates by introducing new templates.

Remove the ANY_[HOSTAPD|SUPPLICANT_PROVIDERS]_PROVIDERS. The are the
same as the variables without the any prefix. No need to maintain both
variables.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2018-07-18 19:17:46 +02:00
Kevin Darbyshire-Bryant
9d5a246930 igmpproxy: run in foreground for procd
procd needs processes to stay in foreground to remain under its gaze and
control.  Failure to do so means service stop commands fail to actually
stop the process (procd doesn't think it's running 'cos the process has
exited already as part of its forking routing)

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-18 18:00:42 +01:00
Hans Dedecker
1e83f775a3 firewall3: update to latest git HEAD
d2bbeb7 firewall3: make reject types selectable by user

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-07-17 22:15:03 +02:00
Hans Dedecker
2336b942b3 dnsmasq: don't use network functions at boottime (FS#1542)
As dnsmasq is started earlier than netifd usage of network.sh functions
at boottime will fail; therefore don't call at boottime the functions
which construct the dhcp pool/relay info.
As interface triggers are installed the dhcp pool/relay info will be
constructed when the interface gets reported as up by netifd.
At the same time also register interface triggers based on DHCP relay
config.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-07-17 21:32:20 +02:00
Jo-Philipp Wich
9019323ec1 ppp: fix building pptp plugin
The pptp.so plugin needs to be built with -fPIC as well in order to be
linkable again.

Fixes 888a15ff83 ("ppp: add missing -fPIC to rp-pppoe.so CFLAGS")
Fixes e7397eef69 ("ppp: compile with LTO enabled")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-07-17 21:21:44 +02:00
Jo-Philipp Wich
28d3a1b54b openvpn: increase procd termination timeout to 15s
Increase the termination timeout to 15s to let OpenVPN properly tear down
its connections, especially when weak links or complex down scripts are
involved.

Fixes FS#859.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-07-17 16:03:56 +02:00
Christian Schoenebeck
1e177844bc dropbear: close all active clients on shutdown
Override the default shutdown action (stop) and close all processes
of dropbear

Since commit 498fe85, the stop action only closes the process
that's listening for new connections, maintaining the ones with
existing clients.
This poses a problem when restarting or shutting-down a device,
because the connections with existing SSH clients, like OpenSSH,
are not properly closed, causing them to hang.

This situation can be avoided by closing all dropbear processes when
shutting-down the system, which closes properly the connections with
current clients.

Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
[Luis: Rework commit message]
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
2018-07-16 08:40:51 +02:00
Daniel Engberg
49bdd43da2 curl: Update to 7.61.0
Update curl to 7.61.0

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-07-15 22:35:22 +02:00
Hans Dedecker
def5b7f285 odhcp6c: add noserverunicast config option for broken DHCPv6 servers
Fix broken DHCPv6 servers which provide the server unicast option but
do not reply on DHCPv6 renew messages directed to the IPv6 address
contained in the server unicast option whihc results in broken IPv6
connectivity.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-07-15 22:19:10 +02:00
Felix Fietkau
888a15ff83 ppp: add missing -fPIC to rp-pppoe.so CFLAGS
Fixes build error with LTO

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-14 11:00:23 +02:00
Felix Fietkau
47b42137ce dropbear: compile with LTO enabled
Reduces size of the .ipk on MIPS from 87k to 84k

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00
Felix Fietkau
ef96d1e34a firewall: compile with LTO enabled
Reduces .ipk size on MIPS from 41.6k to 41.1k

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00
Felix Fietkau
ef16a394d2 iw: compile with LTO enabled
Reduces .ipk size on MIPS from 34k to 33k

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00
Felix Fietkau
e7397eef69 ppp: compile with LTO enabled
Reduces .ipk size on MIPS from 98.5k to 98k

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00
Felix Fietkau
dfbd49bd22 ppp: fix linker flags for the radius plugin
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00