This update only adds one commit:
b102f19bcc53 tests: Opportunistic Wireless Encryption - SA Query
The main reason for the bump is to have a newer PKG_SOURCE_DATE,
so we can reset PKG_RELEASE to 1 (this has not been done for the
most recent bump), and replace it with AUTORELEASE.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Channel 100 is a valid channel to choose for 80MHz operation. However,
it's assigned to 5500 MHz, not 5550MHz. In fact, there is no channel
assigned to this frequency.
Fix this obbvious typo to allow ACS to select channel 100 for 80 MHz
operation again.
Signed-off-by: David Bauer <mail@david-bauer.net>
This fixes `iw dev wlan0-mesh station dump`.
8fab0c9 iw: fix ftm_request missing arguments segfault
e816fbc iw: fix mgmt dump missing arguments segfault
5d9d1b8 iw: Fix timestamp output on 32-bit architectures
4b25ae3 iw: fix pointer arithmetic in __print_he_capa
c3df363 iw: add option to print human readable event time
cd64525 iw: print ctrl port tx status event
0ba98b9 iw: use correct type in policy check for mesh
9e38dee iw: scan: fixup HE caps whitespace
17e8564 iw: scan: parse HE capabilities
5735e58 iw: util: factor out HE capability parser
6d8d507 iw: scan: add extension tag parsing
b4e1ec4 man: update wikipage URL, reformat SEE ALSO section
c56036a iw: enable 80MHz support for 6GHz band 11s mesh
fa72728 iw: handle positive error codes gracefully
7ba9093 iw: scan: add flag for scanning colocated ap
5ec60ed iw: Add 'coloc' and 'flush' options to sched_scan
f8ade75 iw: update wikipage URL
b6f2dac iw: Add support for specifying the 160MHz bandwidth when setting the channel/frequency
Signed-off-by: Andre Heider <a.heider@gmail.com>
Instead of requiring the user to call it on each BSS individually,
run it on all BSSs internally.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
899c2a4 interface: support "device" attribute and deprecate "ifname"
62e3cb5 scripts/netifd-wireless.sh: add support for specifying the operating band
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This marks all packages which depend on a target with @TARGET nonshared.
If they are not marked nonshared they would be build by the SDK build
and if this happens with a different SDK, then the SDK from the target
the package depends on, the package would not be added to the index.
This should fix the image builder for some of these packages.
This should fix the image builder at least for bcm27xx/bcm2710 and
bcm4908/generic.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Since upstream commit 6467de5a8840 ("Randomize z ordinates in
scalar mult when timing resistant") WolfSSL requires a RNG for
the EC key when built hardened which is the default.
Set the RNG for the EC key to fix connections for OWE clients.
Signed-off-by: David Bauer <mail@david-bauer.net>
02dd2f2df7cb fix unannotated fall-through warnings
3052f2f67686 extdev: remove unused function
2a97fd006c3b device: add support for configuring devices with external auth handler
87e469be0c08 wireless: fix memory corruption bug when using vlans/station entries in the config
7277764bf817 bridge: rename "ifname" attribute to "ports"
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This can be used to handle network configuration of dynamically created vlan
interfaces in a more flexible way
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Before this commit, it was assumed that mkhash is in the PATH. While
this was fine for the normal build workflow, this led to some issues if
make TOPDIR="$(pwd)" -C "$pkgdir" compile
was called manually. In most of the cases, I just saw warnings like this:
make: Entering directory '/home/.../package/gluon-status-page'
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
[...]
While these were only warnings and the package still compiled sucessfully,
I also observed that some package even fail to build because of this.
After applying this commit, the variable $(MKHASH) is introduced. This
variable points to $(STAGING_DIR_HOST)/bin/mkhash, which is always the
correct path.
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
With some debug in qmi.sh using following patch, some errors are visible
in the registration step
@@ -29,6 +29,7 @@ proto_qmi_init_config() {
}
proto_qmi_setup() {
+ set -x
local interface="$1"
local dataformat connstat plmn_mode mcc mnc
local device apn auth username password pincode delay modes pdptype
@@ -224,6 +225,8 @@ proto_qmi_setup() {
fi
done
+ registration=$(uqmi -s -d "$device" --get-serving-system)
+
[ -n "$modes" ] && uqmi -s -d "$device" --set-network-modes "$modes" > /dev/null 2>&1
echo "Starting network $interface"
During the boot of the system, modem could not start automatically its
network registration.
netifd: wan (9235): + echo 'Waiting for network registration'
netifd: wan (9235): Waiting for network registration
netifd: wan (9235): + local 'registration_timeout=0'
netifd: wan (9235): + uqmi -s -d /dev/cdc-wdm1 --get-serving-system
netifd: wan (9235): + grep '"searching"'
netifd: wan (9235): + uqmi -s -d /dev/cdc-wdm1 --get-serving-system
netifd: wan (9235): + registration='{"registration":"not_registered","plmn_mcc":208,"plmn_mnc":20,"plmn_description":"","roaming":true}'
netifd: wan (9235): + '[' -n ]
netifd: wan (9235): + echo 'Starting network wan'
As the while loop checks only "searching" pattern, uqmi.sh script quits
searching loop and continues whereas the modem is not registered
Other issue, after X seconds modem stops searching.
netifd: wan (9213): + uqmi -s -d /dev/cdc-wdm0 --get-serving-system
netifd: wan (9213): + grep '"searching"'
netifd: wan (9213): + '[' -e /dev/cdc-wdm0 ]
netifd: wan (9213): + '[' 3 -lt 0 -o 0 '=' 0 ]
netifd: wan (9213): + let registration_timeout++
netifd: wan (9213): + sleep 1
netifd: wan (9213): + uqmi -s -d /dev/cdc-wdm0 --get-serving-system
netifd: wan (9213): + grep '"searching"'
netifd: wan (9213): + uqmi -s -d /dev/cdc-wdm0 --get-serving-system
netifd: wan (9213): + registration='{"registration":"not_registered"}'
netifd: wan (9213): + '[' -n ]
netifd: wan (9213): + echo 'Starting network wan'
netifd: wan (9213): Starting network wan
If registration_timeout is not expired, registration can be restarted
Signed-off-by: Thomas Richard <thomas.richard@kontron.com>
Tested-by: Florian Eckert <fe@dev.tdt.de>
Fixes issue with merged DNS requests in 2.83/2.84 not being
retried on the firsts failed request causing lookup failures.
Also fixes the following security problem in dnsmasq:
* CVE-2021-3448:
If specifiying the source address or interface to be used
when contacting upstream name servers such as:
server=8.8.8.8@1.2.3.4, server=8.8.8.8@1.2.3.4#66 and
server=8.8.8.8@eth0 then all would use the same socket
bound to the explicitly configured port. Now only
server=8.8.8.8@1.2.3.4#66 will use the explicitly
configured port and the others random source ports.
Remove upstreamed patches and update remaining patch.
Signed-off-by: Alan Swanson <reiver@improbability.net>
[refreshed old runtime support patch]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This package depends on the lantiq target and is only build for that
target. A normal package would be build by the SDK builder probably
under a different target and then this package will not be selected.
Mark it as nonshared to build it when the lantiq target gets build.
Fixes: FS#3773, FS#3774
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
When running multiple instances of dnsmasq, for example one being for the lan
and another for a guest network, it might not be desirable to have the same dns names
configured in both networks
Signed-off-by: João Henriques <joaoh88@gmail.com>
Update to the latest stable upstream version.
Drop unneeded make variables to remove redundant assignments seen during
invocation of package Makefile.
Also remove the following patch now included upstream:
* 200-fix-install-param-order-on-macos.patch
Compile and run-tested on malta/mips32be, using bpftool directly and also
libbpf (linked with tc) to inspect and load simple eBPF programs.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Rename feature variable clang-bpf-global-var following upstream changes.
This restores the HAVE_CLANG feature override and should avoid rare build
errors where a recent host clang and BTF-enabled host kernel are present.
Fixes: 23be333401 ("bpftools: update to 5.10.10")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Skip building Makefile targets that aren't packaged: tipc, dcb, ifstat,
rtacct, lnstat, and man. Also, only compile targets needed for the current
build variant i.e. don't compile 'tc' when building an 'ip' variant and
vice versa.
These changes reduce typical build times by over 30%:
$ make package/iproute2/clean && time make -j8 package/iproute2/compile
(old)
...
real 2m24.985s
user 3m12.537s
sys 0m26.677s
(new)
...
real 1m36.945s
user 2m8.734s
sys 0m20.046s
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
With the old ubus dsl API, the numbers for the individual line_states and
power_states were also returned. These were not ported to the new DSL
C-API. This commit adds the missing information.
For this the internal values are mapped to numbers.
* additional JSON output for state_num:
"state_num": <map_state_number>
Since not all values are meaningful only the following values are
implemented, this can be extended if the future.
* LSTATE_MAP_NOT_INITIALIZED
* LSTATE_MAP_EXCEPTION
* LSTATE_MAP_IDLE
* LSTATE_MAP_SILENT
* LSTATE_MAP_HANDSHAKE
* LSTATE_MAP_FULL_INIT
* LSTATE_MAP_SHOWTIME_NO_SYNC
* LSTATE_MAP_SHOWTIME_TC_SYNC
* LSTATE_MAP_RESYNC
* additinal JSON output for power_level:
"power_state_num": <map_power_satte_number>,
Since there are not so many here, all are mapped.
* PSTATE_MAP_NA,
* PSTATE_MAP_L0,
* PSTATE_MAP_L1,
* PSTATE_MAP_L2,
* PSTATE_MAP_L3,
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
v6:
Add state LSTATE_MAP_NOT_INITILIZED at the beginning of the list
Start the list LSTATE_MAP with -1
Reviewed-by: Andre Heider <a.heider@gmail.com>
Placeholder DHCP user scripts were added recently.
These files make package-based installations of such scripts more difficult.
Pull user callbacks from directories instead to allow packages and users to
install co-existing scripts more easily.
References:
b4f3d93b5 odhcp6c: add a odhcp6c.user placeholder script
Signed-off-by: Leon M. George <leon@georgemail.eu>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
Placeholder DHCP user scripts were added recently.
These files make package-based installations of such scripts more difficult.
Pull user callbacks from directories instead to allow packages and users to
install co-existing scripts more easily.
References:
130118f7a netifd: add a udhcpc.user placeholder script
Signed-off-by: Leon M. George <leon@georgemail.eu>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
Looks like 'openat', 'pipe2' and 'ppoll' are now needed, possibly due
to changes on libraries used by umdns now using slightly different
calls.
Found using
/etc/init.d/umdns trace
now use umdns, ie. cover all ubus call etc., then
/etc/init.d/umdns stop
find list of syscalls traced in /tmp/umdns.*.json
Fixes: FS#3355 ("UMDNS: does not start on master with seccomp")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Now that libcap is in OpenWrt base, we can drop our custom patch to
disable libcap support and have lldpd depend on it instead. This will
allow the monitor process to drop its privileges instead of running as
root, improving security.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
f8899b9 netifd: bridge: set default value for igmp_snoop
327da98 netifd: add possibility to switch off route config
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Airtime policy configuration is extremely useful in multiple BSS scenarios.
Since nowadays most people configure both private and guest networks (at
least), it makes sense to enable it by default, except for the most limited
of the variants.
Size of the hostapd-basic-openssl binary (mipsel 24Kc -O2):
543944 bytes (airtime policy disabled)
548040 bytes (airtime policy enabled)
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Acked-by: Daniel Golle <daniel@makrotopia.org>
Switch to Actual Net Data Rate (ACTNDR) for speed reporting on lantiq VDSL modems
Refer to ITU-T G.997.1 chapter 7.5.2.8
Independent whether retransmission is used or not in a given transmit direction:
- In L0 state, this parameter reports the Net Data Rate (as specified in G.992.3, G.992.5 or G.993.2) at which the bearer channel is operating.
- In L2 state, the parameter contains the Net Data Rate (as specified in G.992.3, G.992.5 or G.993.2) in the previous L0 state.
Signed-off-by: Jeroen Peelaerts <jeroen.peelaerts@gmail.com>
Reviewed-by: Andre Heider <a.heider@gmail.com>
This commit adds monitoring for a couple of DSL line features that are
present in the lantiq firmware blobs.
* G.INP ON/OFF
* Trellis encoding ON/OFF
* Virtaul Noise ON/OFF
* Bitswap ON/OFF
Difference in size for ltq-vdsl-app = 1k
Difference in size for kmod-ltq-vdsl-vr9 < 1k
Reviewed-by: Andre Heider <a.heider@gmail.com>
Signed-off-by: Jeroen Peelaerts <jeroen.peelaerts@gmail.com>
Upstream iproute2 detects libbpf using a one-line $CC test-compile, which
normally ignores LDFLAGS. With NLS enabled however, LDFLAGS includes an
"rpath-link" linker option needed to resolve libintl.so. Its absence
causes both the compile and libbpf detection to fail:
ld: warning: libintl.so.8, needed by libbpf.so, not found (try using
-rpath or -rpath-link)
ld: libelf.so.1: undefined reference to `libintl_dgettext'
collect2: error: ld returned 1 exit status
Fix this by directly including $LDFLAGS in the test-compile command.
Reported-by: Ian Cooper <iancooper@hotmail.com>
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
There is no direct linking of libintl from bpftools, only secondary linking
through libelf, so remove "-lintl" from TARGET_LDFLAGS.
Fixes: 5582fbd613 ("bpftools: support NLS, fix ppc build and update to 5.8.9")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
a4355a6 firewall3: clean up the flow table detection logic
edd0dc5 firewall3: create a common helper to find strings in files
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This includes several improvements and fixes:
61db17e rules: fix device and chain usage for DSCP/MARK targets
7b844f4 zone: avoid duplicates in devices list
c2c72c6 firewall3: remove last remaining sprintf()
12f6f14 iptables: fix serializing multiple weekdays
00f27ab firewall3: fix duplicate defaults section detection
e8f2d8f ipsets: allow blank/commented lines with loadfile
8c2f9fa fw3: zones: limit zone names to 11 bytes
78d52a2 options: fix parsing of boolean attributes
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Moved to packages repo because it was considered
non-essential for most router configurations.
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
[shorten commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Instead of doing uci commit and reload_config for each setting do it
only once when one of these options was changed. This should make it a
little faster when both conditions are taken.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Without this change the config is only committed, but the uhttpd daemon
is not reloaded. This reload is needed to apply the config. Without the
reload of uhttpd, the ubus server is not available over http and returns
a Error 404.
This caused problems when installing luci on the snapshots and
accessing it without reloading uhttpd.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Now that ujail supports seccomp also on Aarch64, add missing syscall
'fstat' to the list of allowed syscalls.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This change was investigated previously [1] but not deemed necessary. With
the recent addition [2] of modern BPF loader support, however, tc gained
dependencies on libelf and libbpf, with a larger installation footprint.
Similar to ip-tiny/ip-full, split tc into tc-full and tc-tiny variants,
where the latter excludes the eBPF loader, uses a smaller executable, and
avoids libelf and libbpf package dependencies. Both variants provide the
'tc' virtual package, with tc-tiny as the default.
The previous tc package included a loadable module for iptables actions.
Separate this out into a common package, tc-mod-iptables, which both
variants depend on. Some package sizes on mips_24kc:
Before:
148343 tc_5.11.0-1_mips_24kc.ipk
After:
144833 tc-full_5.11.0-2_mips_24kc.ipk
138430 tc-tiny_5.11.0-2_mips_24kc.ipk (and no libelf or libbpf)
4115 tc-mod-iptables_5.11.0-2_mips_24kc.ipk
Also fix up some Makefile indentation.
[1] https://github.com/openwrt/openwrt/pull/1627#issuecomment-447619962
[2] b048a305a3 ("iproute2: update to 5.11.0")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
The link equalizer sch_teql.ko of package kmod-sched relies on a hotplug
script historically included in iproute2's tc package. In previous
discussion [1], consensus was the hotplug script is best located together
with the module in kmod-sched, but this change was deferred at the time.
Relocate the hotplug script now. This change also simplifies adding a tc
variant for minimal size with reduced functionality.
[1] https://github.com/openwrt/openwrt/pull/1627#issuecomment-447923636
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
This patch has been submitted upstream to fix an error reported by a few
users. One instance seen using gcc 10.2.0, binutils 2.35.1 and musl 1.1.24:
bpf_glue.c: In function 'get_libbpf_version':
bpf_glue.c:46:11: error: 'PATH_MAX' undeclared (first use in this function);
did you mean 'AF_MAX'?
46 | char buf[PATH_MAX], *s;
| ^~~~~~~~
| AF_MAX
Reported-by: Rui Salvaterra <rsalvaterra@gmail.com>
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
If the environment variable FILTER is set before compilation,
compilation of the ppp-package will fail with the error message
Package ppp is missing dependencies for the following libraries:
libpcap.so.1
The reason is that the OpenWrt-patch for the Makefile only comments
out the line FILTER=y. Hence the pcap-library will be dynamically
linked if the environment variable FILTER is set elsewhere, which
causes compilation to fail. The fix consists on explicitly unsetting
the variable FILTER instead.
Signed-off-by: Eike Ritter <git@rittere.co.uk>
[ -d /sys/module/xfrm_interface ] is enough to check if
CONFIG_XFRM_INTERFACE support was enabled in kernel.
Signed-off-by: Alin Nastac <alin.nastac@technicolor.com>
Document the existence of this feature. This allows the user to execute a script
at each DHCPv4 event. This is useful, for example, as an ad-hoc way to update a
DDNS entry when (and only when) required.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Document the existence of this feature. This allows the user to execute a script
at each DHCPv6 event. This is useful, for example, as an ad-hoc way to update a
DDNS entry when (and only when) required.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Fix: bpftools 5.11.2 does not compile on macOS, because the -m option
was placed between src and dst. Corrected by moving -m 644 before src.
Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
The pkgconfig file hardcodes a host library directory which cannot be
overridden by OpenWrt during builds. Use SED to fix this and potential
include directory problems, as is done with several other packages.
This fixes a strange issue intermittently seen building iproute2 on the
oxnas target:
iptables modules directory: /usr/lib/iptables
libc has setns: yes
SELinux support: no
libbpf support: no
libbpf version 0.3.0 is too low, please update it to at least 0.1.0
LIBBPF_FORCE=on set, but couldn't find a usable libbpf
Fixes: 2f0d672088 ("bpftools: add utility and library packages
supporting eBPF usage")
Reported-by: Russell Senior <russell@personaltelco.net>
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
This will use the new application led trigger backend. For now this is
the only package that uses leds trigger in user space to configure the
kernel led triggers.
The callback script only emmits a message for now, so that this LED is now
managed by the rssileds service. Until now a generic warning was emitted that
this LED trigger is not supported. But that is not true.
-> Skipping trigger 'rssileds' for led '<name>' due to missing kernel module
I think this callback should be changed in the future to restart the
service.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
p2p_add_device() may remove the oldest entry if there is no room in the
peer table for a new peer. This would result in any pointer to that
removed entry becoming stale. A corner case with an invalid PD Request
frame could result in such a case ending up using (read+write) freed
memory. This could only by triggered when the peer table has reached its
maximum size and the PD Request frame is received from the P2P Device
Address of the oldest remaining entry and the frame has incorrect P2P
Device Address in the payload.
Fix this by fetching the dev pointer again after having called
p2p_add_device() so that the stale pointer cannot be used.
This fixes the following security vulnerabilities/bugs:
- CVE-2021-27803 - A vulnerability was discovered in how p2p/p2p_pd.c
in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision
discovery requests. It could result in denial of service or other
impact (potentially execution of arbitrary code), for an attacker
within radio range.
Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Changes:
- Remove custom Build/Compile because it's no longer needed
- Remove std=gnu99 which is added automaticaly by igmpproxy if needed
- Remove -Dlog from CFLAGS because igmpproxy doesn't have log function
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
Compile and run-tested on malta/mip32be, using bpftool directly and also
libbpf (linked with tc) to inspect and load simple eBPF programs.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
The latest iproute2 version brings various improvements and fixes:
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/?qt=range&q=v5.10.0..v5.11.0
In particular, ip and tc now use libbpf as the standard way to load BPF
programs, rather than the old, limited custom loader. This allows more
consistent and featureful BPF program handling e.g. support for global
initialized variables.
Also fix a longstanding problem with iproute2 builds where unneeded DSO
dependencies are added to most utilities, bloating their installation
footprint. From research and testing, explicitly using a "--as-needed"
linker flag avoids the issue. Update accordingly and drop extra package
dependencies from Makefile.
Additional build and packaging updates include:
- install missing development header to iproute2/bpf_elf.h
- propagate OpenWrt verbose flag during build
- update and refresh patches
Compile and run tested: QEMU/malta-mips32be on kernels 5.4 & 5.10.
All iproute2 packages were built and installed to the test image. Some
regression testing using ip-full and tc was successfully performed to
exercise several kmods, tc modules, and simple BPF programs.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
The following warnings are shown during build:
/usr/include/vdsl/cmv_message_format.h:33:6: warning: "MEI_SUPPORT_DEBUG_STREAMS" is not defined, evaluates to 0 [-Wundef]
#if (MEI_SUPPORT_DEBUG_STREAMS == 1)
^~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/vdsl/drv_mei_cpe_interface.h:2256:6: warning: "MEI_SUPPORT_OPTIMIZED_FW_DL" is not defined, evaluates to 0 [-Wundef]
#if (MEI_SUPPORT_OPTIMIZED_FW_DL == 1)
^~~~~~~~~~~~~~~~~~~~~~~~~~~
The headers are provided by the MEI driver, but the defines are never
set by the vdsl app. While the struct with the
MEI_SUPPORT_OPTIMIZED_FW_DL conditional isn't used by the vdsl app,
however CMV_USED_PAYLOAD_8BIT_SIZE which value depends on
MEI_SUPPORT_DEBUG_STREAMS is.
Since the MEI driver doesn't provide an autogenerated header with
compile flags, the flags are hardcoded for the vdsl app.
Set them for the MEI driver as well, to indicate a relation to the
values used for the vdsl app and to be not surprised by a changed
default in case the MEI driver gets updated. Use the current default
values defined in the MEI driver.
Signed-off-by: Mathias Kresin <dev@kresin.me>
To the vast majority of the users, wireguard-tools are not useful
without the underlying kernel module. The cornercase of only generating
keys and not using the secure tunnel is something that won't be done on
an embedded OpenWrt system often. On the other hand, maintaining a
separate meta-package only for this use case introduces extra
complexity. WireGuard changes for Linux 5.10 remove the meta-package.
So let's make wireguard-tools depend on kmod-wireguard
to make WireGuard easier to use without having to install multiple
packages.
Fixes: ea980fb9 ("wireguard: bump to 20191226")
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
On Linux 5.4, build WireGuard from backports. Linux 5.10 contains
wireguard in-tree.
Add in-kernel crypto libraries required by WireGuard along with
arch-specific optimizations.
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
Upstream integrated multiple patches from Distributions and did other
changes:
* rp-pppoe.so was renamed to pppoe.so
* Converted to ANSI C
The following patches were applied upstream:
* 100-debian_ip-ip_option.patch
* 101-debian_close_dev_ppp.patch
* 103-debian_fix_link_pidfile.patch
* 106-debian_stripMSdomain.patch
* 107-debian_pppoatm_wildcard.patch
* 110-debian_defaultroute.patch
* 202-no_strip.patch
Compilation with musl libc was fixed upstream so
140-pppoe_compile_fix.patch is not needed any more
Parts of the 203-opt_flags.patch patch were applied in a different way
upstream.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
There are efforts underway to bring wireguard in-tree for Linux 5.4 and
to have a common build infrastructure for both 5.4 and 5.10 for
kmod-wireguard[0]. Until then, restrict kmod-wireguard to build only on
Linux 5.4, because the wireguard-compat package will not build on Linux
5.10.
[0]: https://github.com/openwrt/openwrt/pull/3885
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
This is a backport of the upstream commit 58bbbb598144 ("nl80211: Ignore
4addr mode enabling error if it was already enabled") which fixes same
issue as in the current fix contained in '130-wpa_supplicant-multi_ap_roam.patch',
but in a different way:
nl80211_set_4addr_mode() could fail when trying to enable 4addr mode on
an interface that is in a bridge and has 4addr mode already enabled.
This operation would not have been necessary in the first place and this
failure results in disconnecting, e.g., when roaming from one backhaul
BSS to another BSS with Multi AP.
Avoid this issue by ignoring the nl80211 command failure in the case
where 4addr mode is being enabled while it has already been enabled.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
[bump PKG_RELEASE, more verbose commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
After the ABI version rework, packages need to be declared in the order of
their dependencies, so that dependent packages will use the right ABI version
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Automatically setup dhcpv4 server just like it's done for dhcpv6.
To select whether odhcpd or dnsmasq are serving DHCPv4 requests there
still is the 'maindhcp' option. To make things less confusing, make
sure things really work out-of-the-box in case dnsmasq is not even
installed at the time the uci-defaults script is being run.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The removed patches were applied upstream.
This adapts ath10k-ct and mt76 to changed APIs.
nl80211.h in iw is updated to match the version from backports.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
5a2dd18 iwinfo: add hardware description for MediaTek MT7622
4a32b33 iwinfo: add PCI ID for MediaTek MT7613BE
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This patch is required to be able to roam from one backhaul AP to
another one in the same ESS.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(daniel@makrotopia.org: PKG_REVISION bump and refreshed patches)
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
This patch allows other applications to get events management
frames (for example: association requests).
This is useful in Multi-AP context to be able to save association
requests from stations.
It has been sent to upstream hostapd in this series:
https://patchwork.ozlabs.org/project/hostap/list/?series=217500
'700-wifi-reload.patch' is updated due to the introduction of
'110-notify-mgmt-frames.patch'.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
luci now uses ubus directly, so remove 'lucistat'.
For manual usage just print the ubus output, use luci for a pretty
version.
Signed-off-by: Andre Heider <a.heider@gmail.com>
luci now uses ubus directly, so remove 'lucistat'.
For manual usage just print the ubus output, use luci for a pretty
version.
Signed-off-by: Andre Heider <a.heider@gmail.com>
Tested-by: Martin Schiller <ms@dev.tdt.de>
procd sends sigterm to stop daemons, hook it up.
This speeds up the shutdown sequence and gets rid of the following message:
daemon.info procd: Instance dsl_control::instance1 pid 15408 not stopped on SIGTERM, sending SIGKILL instead
Signed-off-by: Andre Heider <a.heider@gmail.com>
Tested-by: Martin Schiller <ms@dev.tdt.de>
dnsmasq v2.84rc2 has been promoted to release.
No functional difference between v2.83test3 and v2.84/v2.84rc2
Backport 2 patches to fix the version reporting
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Use new ubus-based hotplug call in dhcp-script.sh
As sysntpd now makes use of the new ubus-based hotplug calls, dnsmasq
no longer needs to ship ACL to cover ntpd-hotplug.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Multiple sources are hosted on OpenWrts source server only. The source
URLs to point to the server vary based on different epochs in OpenWrts
history.
Replace all by @OPENWRT which is an "empty" mirror, therefore using the
fallback servers sources.cdn.openwrt.org and sources.openwrt.org.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Commit 7c8c4f1be6 ("hostapd: fix P2P group information processing
vulnerability") was missing the actual patch for the vulnerability.
Fixes: 7c8c4f1be6 ("hostapd: fix P2P group information processing vulnerability")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Use the latest stable kernel since the previous 5.8.x series is EOL.
Also drop the following patches recently accepted upstream:
* 001-libbpf-ensure-no-local-symbols-counted-in-ABI-check.patch
* 002-libbpf-fix-build-failure-from-uninitialized-variable.patch
* 003-bpftool-allow-passing-BPFTOOL_VERSION-to-make.patch
* 004-v5.9-bpftool-use-only-ftw-for-file-tree-parsing.patch
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
dnsmasq v2.83 has a bug in handling duplicate queries which means it may
try to reply using the incorrect network socket. This is especially
noticeable in dual stack environments where replies may be mis-directed to
IPv4 addresses on an IPv6 socket or IPv6 addresses on an IPv4 socket.
This results in system log spam such as:
dnsmasq[16020]: failed to send packet: Network unreachable
dnsmasq[16020]: failed to send packet: Address family not supported by protocol
dnsmasq v2.84test3 resolves these issues.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This is a helpful utility, but it does not have any dependencies
in this repository. Move it to packages feed.
The package does not seem to have a maintainer.
Cc: Jo-Philipp Wich <jo@mein.io>
Cc: Nick Hainke <vincent@systemli.org>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This is a helpful utility, but it does not have any dependencies
in this repository. Move it to packages feed.
Cc: Jo-Philipp Wich <jo@mein.io>
Cc: Nick Hainke <vincent@systemli.org>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The "cidr_contains6" functions clones the given cidr. The contains4
does not clone the cidr. Both functions do not behave the same.
I see no reason to push the cidr. I think that we get only a negligible
performance gain, but it makes ipv4 and ipv6 equal again.
Signed-off-by: Nick Hainke <vincent@systemli.org>
This fixes the following security problems in dnsmasq:
* CVE-2020-25681:
Dnsmasq versions before 2.83 is susceptible to a heap-based buffer
overflow in sort_rrset() when DNSSEC is used. This can allow a remote
attacker to write arbitrary data into target device's memory that can
lead to memory corruption and other unexpected behaviors on the target
device.
* CVE-2020-25682:
Dnsmasq versions before 2.83 is susceptible to buffer overflow in
extract_name() function due to missing length check, when DNSSEC is
enabled. This can allow a remote attacker to cause memory corruption
on the target device.
* CVE-2020-25683:
Dnsmasq version before 2.83 is susceptible to a heap-based buffer
overflow when DNSSEC is enabled. A remote attacker, who can create
valid DNS replies, could use this flaw to cause an overflow in a heap-
allocated memory. This flaw is caused by the lack of length checks in
rtc1035.c:extract_name(), which could be abused to make the code
execute memcpy() with a negative size in get_rdata() and cause a crash
in Dnsmasq, resulting in a Denial of Service.
* CVE-2020-25684:
A lack of proper address/port check implemented in Dnsmasq version <
2.83 reply_query function makes forging replies easier to an off-path
attacker.
* CVE-2020-25685:
A lack of query resource name (RRNAME) checks implemented in Dnsmasq's
versions before 2.83 reply_query function allows remote attackers to
spoof DNS traffic that can lead to DNS cache poisoning.
* CVE-2020-25686:
Multiple DNS query requests for the same resource name (RRNAME) by
Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS
traffic, using a birthday attack (RFC 5452), that can lead to DNS
cache poisoning.
* CVE-2020-25687:
Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer
overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A
remote attacker, who can create valid DNS replies, could use this flaw
to cause an overflow in a heap-allocated memory. This flaw is caused
by the lack of length checks in rtc1035.c:extract_name(), which could
be abused to make the code execute memcpy() with a negative size in
sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of
Service.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
53f07e9 ra: fix routing loop on point to point links
2b6959d ra: align ifindex resolving
Tested-by: Karl Vogel <karl.vogel@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
With encryption disabled, it was intended to set wpa_state=1 (enabled,
not configured) through the 'wps_not_configured' flag.
The flag is set appropriately but the condition using it is broken.
Instead, 'wps_configured' is checked and wpa_state is always 2 (enabled,
configured). Fix it by using the correct variable name.
Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")
Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit title/message improvements]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The cidr_parse6 function parses a string to an ipv6-address.
The cidr struct contains a union called buf for the ipv4 and ipv6
address. Since it is a char pointer and the struct is initialized with
the maximum size (so ipv6 string) it does not make any difference.
However, we should access the buffer using the v6 name, since it could
be confusing otherwise.
Signed-off-by: Nick Hainke <vincent@systemli.org>
The key_mgmt variable was mistyped when checking against "WPS", so
the if clause was never entered.
Fixes: f5753aae23 ("hostapd: add support for WPS pushbutton station")
Signed-off-by: Leon M. George <leon@georgemail.eu>
[add commit message, bump PKG_RELEASE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
'base' was never used.
Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")
Signed-off-by: Leon M. George <leon@georgemail.eu>
'enc_str' was never used.
Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")
Signed-off-by: Leon M. George <leon@georgemail.eu>
Granting capabilities CAP_NET_ADMIN and CAP_NET_RAW allows running
hostapd and wpa_supplicant without root priviledges.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This allows configuration of multicast_to_unicast and per_sta_vif options.
- multicast_to_unicast requests multicast-to-unicast conversion.
- per_sta_vif assigns each station its own AP_VLAN interface.
Signed-off-by: Etan Kissling <etan_kissling@apple.com>
Currently PHY information obtained from "iw phy" lacks information about
a PHYs HE capabilities when using the by default installed iw-tiny.
As there are already 802.11ax supported devices, enabled printing this
information for the by-default installed iw variant.
Signed-off-by: David Bauer <mail@david-bauer.net>
To simplify the way netifd acquires the PIDs of wpa_supplicant and
hostapd let the config_add method of both of them return the PID of the
called process. Use the returned PID instead of querying procd when
adding wpa_supplicant configuration.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
- Encode ABI version in compiled shared object file
- Only ship versioned shared library
a17f561 iwinfo: detect QCA IPQ4019 WiSoC from FDT
ea28dfb iwinfo: export ht and vht operation in scan results
4e22953 iwinfo: export center_chan info for local wifi
74d13fb cli: account for additional digit for frequencies above 10GHz
8bfd8d8 iwinfo: add support for GCMP cipher
618c1e8 iwinfo: add hardware description for QCA MIPS WiSoCs
0702f32 iwinfo: improve center channel handling
51c1336 iwinfo: set center chan unsupported for not-nl80211 driver
23d2722 build: add ability to specify shared object version
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This reverts commit f1620630e9.
This update introduces potentially remote exploitable buffer overreads
in IE parsing logic.
It also breaks the ABI without introdcing SOVERSION library versioning.
Furthermore, HT information is incorrectly added for non-HT BSSes.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
a17f561 iwinfo: detect QCA IPQ4019 WiSoC from FDT
ea28dfb iwinfo: export ht and vht operation in scan results
4e22953 iwinfo: export center_chan info for local wifi
74d13fb cli: account for additional digit for frequencies above 10GHz
8bfd8d8 iwinfo: add support for GCMP cipher
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This patch enables hostapd.sh to properly configure wpa_supplicant
for when GCMP is used as cipher in station mode.
Without this wpa_supplicant will be unable to connect to AP.
This is needed for wil6210 as it does not support CCMP.
Signed-off-by: Robert Marko <robimarko@gmail.com>
This adds an option "hostapd_bss_options" that does the same as
"hostapd_options" but on a per-BSS level, instead of a per-device level.
This can be used, for example, to configure different per-devce sae_passwords
per BSS or to augment some of the existing per-BSS options.
Signed-off-by: Florian Beverborg <flo@beverb.org>
[remove whitespace errors, bump release]
Signed-off-by: Paul Spooren <mail@aparcar.org>
This patch was already applied upstream and not needed here.
Fixes: 06403981e1 ("ppp: update to version 2.4.7.git-2019-05-06")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
By setting 'auto', the zero address or the empty string as source
address (option ipaddr, option ip6addr), vxlan will choose one
dynamically. This helps in setups where a wan ip or prefix changes.
This corresponse to setting up an vxlan tunnel with:
proto vxlan6:
# ip link add vx0 type vxlan id ID local :: ...
proto vxlan:
# ip link add vx0 type vxlan id ID local 0.0.0.0 ...
While it is possible to not specify a source ip at all, the kernel will
default to setting up a ipv4 tunnel. The kernel will take any hint from
source and peer ips to figure out, what tunnel type to use. To make sure
we setup an ipv6 tunnel for proto vxlan6, this workaround is needed.
This will not change the behaviour of currently working configurations.
However this will allow former broken configurations, namely those not
specifying both a source address and tunnel interface, to setup a
tunnel interface. Previously those configurations weren't reporting an
error and were stueck in a setup loop like in Bug FS#3426.
This change lifts the currently very strict behaviour and should fix the
following bug:
Fixes: FS#3426
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=3426
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
b75bcad dhcpv6-ia: remove assignment equal to 0 checks
d1ae052 dhcpv6-ia: fix logic to include IA_PD prefix with lifetimes set to 0
9d5e379 dhcpv6-ia: fix prefix delegation behavior
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
As of hostapd upstream commit 7d2ed8ba "Remove CONFIG_IEEE80211W build parameter"
https://w1.fi/cgit/hostap/commit?id=7d2ed8bae86a31dd2df45c24b3f7281d55315482
802.11w feature is always enabled in the build time.
It doesn't make sense to opt-in 802.11w per driver as hostapd will always
be compiled with this feature enabled.
As suggested by Hauke Mehrtens, for now keep 11w enabled in build_features.h
for compatibility reasons. This option will be dropped when LuCI is adjusted.
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
When hostapd gets restarted to often/quickly will cause procd to not restart it
anymore. it will think that hapd is in a crash loop.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [adjust respawn time]
Currently, EAPOLv2 (802.1X-2004) is used by default for legacy clients that
are not WPA2 (RSN) capable. These legacy clients are often intolerant to this
EAPOL version and fail to connect.
hostapd.conf upstream documents for eapol_version the following and that this
is a known compatibility issue with version 2:
// IEEE 802.1X/EAPOL version
// hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL
// version 2. However, there are many client implementations that do not handle
// the new version number correctly (they seem to drop the frames completely).
// In order to make hostapd interoperate with these clients, the version number
// can be set to the older version (1) with this configuration value.
// Note: When using MACsec, eapol_version shall be set to 3, which is
// defined in IEEE Std 802.1X-2010.
//eapol_version=2
For the wpa parameter, hostapd.conf upstream documents that this is a bitfield,
configured as follows:
// Enable WPA. Setting this variable configures the AP to require WPA (either
// WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
// wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
// Instead of wpa_psk / wpa_passphrase, wpa_psk_radius might suffice.
// For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
// RADIUS authentication server must be configured, and WPA-EAP must be included
// in wpa_key_mgmt.
// This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
// and/or WPA2 (full IEEE 802.11i/RSN):
// bit0 = WPA
// bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
// Note that WPA3 is also configured with bit1 since it uses RSN just like WPA2.
// In other words, for WPA3, wpa=2 is used the configuration (and
// wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK).
//wpa=2
For client compatibility therefore:
EAPOLv1 (802.1X-2001) should be used by default where WPA is enabled.
EAPOLv2 (802.1X-2004) should be used by default where WPA is disabled.
To fix this, we can therefore change in the script:
set_default eapol_version 0
To the following:
set_default eapol_version $((wpa & 1))
This therefore:
1) Sets eapol_version to 1 where WPA has been enabled via wpa bit0 being set.
2) Sets eapol_version to 0 where WPA has been disabled via wpa bit0 being unset.
For usual configurations that only have WPA2 enabled, EAPOLv2 is then used.
Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
The patch removes a libpcap check to avoid a problem with libpcap. Fix
libpcap instead.
Modernize Makefile:
Use a normal autoconf bool instead of checking for CONFIG_IPV6.
Remove old configure and MAKE_FLAGS hacks. Removing them results in
compilation continuing to work without a problem.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
hostapd.sh does not parse skip_inactivity_poll boolean from
/etc/config/wireless despite being mentioned in the documentation [1].
This change fixes this, and by default sets its value to 0 [1].
[1] https://openwrt.org/docs/guide-user/network/wifi/basic
Signed-off-by: Nadim Atiya <nadim.atiya@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[fix and reformat commit message, make patch apply]
So we can ship px5g-wolfssl by default in the release image, but still
make the HTTPS for LuCI optional. This small change with addition of
`CONFIG_PACKAGE_px5g-wolfssl=y` into the buildbot's seed config for the
next release should provide optional HTTPS in the next release.
Disabling the current default automatic uhttpd's redirect to HTTPS
should make the HTTPS optional. That's it, user would either need to
switch to HTTPS by manually switching to https:// protocol in the URL or
by issuing the following commands to make the HTTPS automatic redirect
permanent:
$ uci set uhttpd.main.redirect_https=1
$ uci commit uhttpd
$ service uhttpd reload
Signed-off-by: Petr Štetiar <ynezz@true.cz>