Commit Graph

3068 Commits

Author SHA1 Message Date
John Crispin
a3dd95ef63 dropbear: fix compile error
Fixes: 0da193ee69 ("dropbear: move failsafe code out of base-files")
Signed-off-by: John Crispin <john@phrozen.org>
2020-01-15 21:31:12 +01:00
Florian Eckert
7151054abd wireguard: skip peer config if public key of the peer is not defined
If a config section of a peer does not have a public key defined, the
whole interface does not start. The following log is shown

daemon.notice netifd: test (21071): Line unrecognized: `PublicKey='
daemon.notice netifd: test (21071): Configuration parsing erro

The command 'wg show' does only show the interface name.

With this change we skip the peer for this interface and emit a log
message. So the other peers get configured.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2020-01-15 21:19:01 +01:00
Florian Eckert
ee2014e680 uhttpd: add enable instance option
With this change it is now possible to switch off single instances of
the uhttpd config. Until now it was only possible to switch all
instances of uhttpd on or off.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2020-01-15 20:16:42 +01:00
Kyle Copperfield
0fcb4a3981 hostapd: add wpa_strict_rekey support
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Rekey GTK on STA disassociate

Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2020-01-15 20:13:49 +01:00
Kyle Copperfield
30c64825c7 hostapd: add dtim_period, local_pwr_constraint, spectrum_mgmt_required
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Allows dtim_period to be configurable, the default is from hostapd.
Adds additional regulatory tunables for power constraint and spectrum
managment.

Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2020-01-15 20:13:44 +01:00
Kyle Copperfield
0da193ee69 dropbear: move failsafe code out of base-files
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Failsafe code of dropbear should be in the dropbear package not the
base-files package.

Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2020-01-15 20:04:06 +01:00
David Lam
22b07ff73e hostapd: add support for subject validation
The wpa_supplicant supports certificate subject validation via the
subject match(2) and altsubject_match(2) fields. domain_match(2) and
domain_suffix_match(2) fields are also supported for advanced matches.
This validation is especially important when connecting to access
points that use PAP as the Phase 2 authentication type. Without proper
validation, the user's password can be transmitted to a rogue access
point in plaintext without the user's knowledge. Most organizations
already require these attributes to be included to ensure that the
connection from the STA and the AP is secure. Includes LuCI changes via
openwrt/luci#3444.

From the documentation:

subject_match - Constraint for server certificate subject. This substring
is matched against the subject of the authentication server certificate.
If this string is set, the server sertificate is only accepted if it
contains this string in the subject. The subject string is in following
format: /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as
.example.com

subject_match2 - Constraint for server certificate subject. This field is
like subject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST
tunnel) authentication.

altsubject_match - Constraint for server certificate alt. subject.
Semicolon separated string of entries to be matched against the
alternative subject name of the authentication server certificate. If
this string is set, the server sertificate is only accepted if it
contains one of the entries in an alternative subject name extension.
altSubjectName string is in following format: TYPE:VALUE Example:
EMAIL:server@example.com Example:
DNS:server.example.com;DNS:server2.example.com Following types are
supported: EMAIL, DNS, URI

altsubject_match2 - Constraint for server certificate alt. subject. This
field is like altsubject_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.

domain_match - Constraint for server domain name. If set, this FQDN is
used as a full match requirement for the
server certificate in SubjectAltName dNSName element(s). If a
matching dNSName is found, this constraint is met. If no dNSName
values are present, this constraint is matched against SubjectName CN
using same full match comparison. This behavior is similar to
domain_suffix_match, but has the requirement of a full match, i.e.,
no subdomains or wildcard matches are allowed. Case-insensitive
comparison is used, so "Example.com" matches "example.com", but would
not match "test.Example.com". More than one match string can be
provided by using semicolons to
separate the strings (e.g., example.org;example.com). When multiple
strings are specified, a match with any one of the values is considered
a sufficient match for the certificate, i.e., the conditions are ORed
together.

domain_match2 - Constraint for server domain name. This field is like
domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel)
authentication.

domain_suffix_match - Constraint for server domain name. If set, this
FQDN is used as a suffix match requirement for the AAA server
certificate in SubjectAltName dNSName element(s). If a matching dNSName
is found, this constraint is met. If no dNSName values are present,
this constraint is matched against SubjectName CN using same suffix
match comparison. Suffix match here means that the host/domain name is
compared one label at a time starting from the top-level domain and all
the labels in domain_suffix_match shall be included in the certificate.
The certificate may include additional sub-level labels in addition to
the required labels. More than one match string can be provided by using
semicolons to separate the strings (e.g., example.org;example.com).
When multiple strings are specified, a match with any one of the values
is considered a sufficient match for the certificate, i.e., the
conditions are ORed together. For example,
domain_suffix_match=example.com would match test.example.com but would
not match test-example.com. This field is like domain_match, but used
for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication.

domain_suffix_match2 - Constraint for server domain name. This field is
like domain_suffix_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.

Signed-off-by: David Lam <david@thedavid.net>
2020-01-14 17:46:27 +01:00
Petr Štetiar
2b28358a37 odhcpd: activate PIE ASLR by default
This activates PIE ASLR support by default when the regular option is
selected.

Size increase on x86/64:

 odhcpd-ipv6only Installed-Size: 36821 -> 38216

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-14 00:06:40 +01:00
Hauke Mehrtens
a2571f3c81 uhttpd: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 39% uncompressed and 21% compressed
on MIPS BE.

old:
33,189 /usr/sbin/uhttpd
23,016 uhttpd_2019-08-17-6b03f960-4_mips_24kc.ipk

new:
46,212 /usr/sbin/uhttpd
27,979 uhttpd_2019-08-17-6b03f960-4_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Hauke Mehrtens
6b2379d048 hostapd: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 26% uncompressed and 16% compressed
on MIPS BE.

old:
460,933 /usr/sbin/wpad
283,891 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk

new:
584,508 /usr/sbin/wpad
330,281 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Hauke Mehrtens
7ab6613026 dropbear: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 18% uncompressed and 17% compressed
on MIPS BE.

old:
164,261 /usr/sbin/dropbear
 85,648 dropbear_2019.78-2_mips_24kc.ipk

new:
194,492 /usr/sbin/dropbear
100,309 dropbear_2019.78-2_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Hauke Mehrtens
dae0ac7770 dnsmasq: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 37% uncompressed and 18% compressed
on MIPS BE.

old:
146,933 /usr/sbin/dnsmasq
101,837 dnsmasq_2.80-14_mips_24kc.ipk

new:
202,020 /usr/sbin/dnsmasq
120,577 dnsmasq_2.80-14_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Hans Dedecker
3446702cdb ethtool: bump to 5.4
7dc0af7 Release version 5.4.
914912e ethtool: add 0x16 and 0x1c extended compliance codes
600b779 ethtool: mark 10G Base-ER as SFF-8472 revision 10.4 onwards
696565d ethtool: correctly interpret bitrate of 255
2941970 fix unused parameter warning in e1000_get_mac_type()
5e814f2 fix unused parameter warning in fjes_dump_regs()
b1a5279 fix unused parameter warning in ixgb_dump_regs()
6608751 fix unused parameter warning in ibm_emac_dump_regs()
1c30119 fix unused parameter warning in et131x_dump_regs()
a56aba4 fix unused parameter warning in amd8111e_dump_regs()
f40d32d fix unused parameter warning in fec_dump_regs()
8b84f1a fix unused parameter warning in at76c50x_usb_dump_regs()
f725f5a fix unused parameter warning in smsc911x_dump_regs()
a12cd66 fix unused parameter warning in e1000_dump_regs()
e058656 fix unused parameter warning in igb_dump_regs()
debac02 fix unused parameter warning in de2104[01]_dump_regs()
d434eea fix unused parameter warning in e100_dump_regs()
8df12f3 fix unused parameter warning in vioc_dump_regs()
92d716b fix unused parameter warning in tg3_dump_{eeprom, regs}()
211c99e fix unused parameter warning in fec_8xx_dump_regs()
362fb8b fix unused parameter warning in ixgbevf_dump_regs()
87903c2 fix unused parameter warning in st_{mac100, gmac}_dump_regs()
c1eaddf fix unused parameter warning in vmxnet3_dump_regs()
313c9f8 fix unused parameter warning in dsa_dump_regs()
183e8a2 fix unused parameter warning in {skge, sky2}_dump_regs()
7f84c13 fix unused parameter warning in lan78xx_dump_regs()
02d0aaa fix unused parameter warning in realtek_dump_regs()
726d607 fix unused parameter warning in ixgbe_dump_regs()
967177c fix unused parameter warning in netsemi_dump_eeprom()
710a414 fix unused parameter warning in natsemi_dump_regs()
283398a fix unused parameter warning in print_simple_table()
0404267 fix unused parameter warning in sfc_dump_regs()
57c7298 fix unused parameter warning in altera_tse_dump_regs()
302e91a fix unused parameter warning in dump_eeprom()
2054a8c fix unused parameter warning in find_option()
d5432a9 fix unused parameter warnings in do_version() and show_usage()
c430e75 fix arithmetic on pointer to void is a GNU extension warning
e568431 ethtool: implement support for Energy Detect Power Down
e391f4c ethtool: sync ethtool-copy.h: adds support for EDPD

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-01-12 22:19:37 +01:00
Jason A. Donenfeld
7936cb94a9 wireguard-tools: bump to 1.0.20200102
* systemd: update documentation URL
* global: bump copyright

Usual house keeping.

* Makefile: DEBUG_TOOLS -> DEBUG and document
* Makefile: port static analysis check
* dns-hatchet: adjust path for new repo layout
* Makefile: rework automatic version.h mangling

These are some important-ish cleanups for downstream package maintainers that
should make packaging this a lot smoother.

* man: add documentation about removing explicit listen-port

Documentation improvement.

* wg-quick: linux: quote ifname for nft

This should fix issues with weirdly named ifnames and odd versions of nft(8).

* fuzz: find bugs in the config syntax parser
* fuzz: find bugs when parsing uapi input

These are two fuzzers that have been laying around without a repo for a while.
Perhaps somebody with enough compute power will find bugs with them.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-09 18:54:24 +01:00
Jason A. Donenfeld
62c2199bd8 wireguard: bump to 0.0.20200105
* socket: mark skbs as not on list when receiving via gro

Certain drivers will pass gro skbs to udp, at which point the udp driver
simply iterates through them and passes them off to encap_rcv, which is
where we pick up. At the moment, we're not attempting to coalesce these
into bundles, but we also don't want to wind up having cascaded lists of
skbs treated separately. The right behavior here, then, is to just mark
each incoming one as not on a list. This can be seen in practice, for
example, with Qualcomm's rmnet_perf driver. This lead to crashes on
OnePlus devices and possibly other Qualcomm 4.14 devices. But I fear
that it could lead to issues on other drivers on weird OpenWRT routers.

This commit is upstream in net-next as:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=736775d06bac60d7a353e405398b48b2bd8b1e54

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-09 18:54:24 +01:00
Daniel Golle
6a28552120 dnsmasq: add uci-defaults script for config migration
When running sysupgrade from an existing configuration, UCI option
dhcp.@dnsmasq[0].resolvfile needs to be modified in case it has not
been changed from it's original value.
Accomplish that using a uci-defaults script.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-09 15:37:53 +02:00
David Bauer
ab16adf80b hostapd: disable ft_psk_generate_local for non-PSK networks
Without this commit, ft_psk_generate_local is enabled for non-PSK
networks by default. This breaks 802.11r for EAP networks.

Disable ft_psk_generate_local by default for non-PSK networks resolves
this misbehavior.

Reported-by: Martin Weinelt <martin@darmstadt.freifunk.net>
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Martin Weinelt <martin@darmstadt.freifunk.net>
2020-01-09 01:01:20 +01:00
Matthias Schiffer
41c19dd542
ethtool: fix PKG_CONFIG_DEPENDS
Add missing CONFIG_ prefix.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2020-01-07 20:53:31 +01:00
Matthias Schiffer
9924db5b37
iperf: fix PKG_CONFIG_DEPENDS
Fix typo in PKG_CONFIG_DEPENDS and missing CONFIG_ prefix.

Fixes: e98e046f06 ("iperf: Allow enabling multicast support")
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2020-01-07 20:52:23 +01:00
Daniel Golle
2e3cf4500b dnsmasq: bump PKG_RELEASE
Previous commit should have bumped PKG_RELEASE, but git add was
forgotten... Add it now.

Fixes: cd48d8d342 ("dnsmasq: switch to /tmp/resolv.conf.d/resolv.conf.auto")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-07 15:44:16 +02:00
Daniel Golle
cd48d8d342 dnsmasq: switch to /tmp/resolv.conf.d/resolv.conf.auto
Mount-bind directory instead of resolv.conf.auto file in jail to
avoid problems when the file is deleted/replaced.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-07 15:37:22 +02:00
Daniel Golle
5e1604477a netifd: move /tmp/resolv.conf.auto to /tmp/resolv.conf.d/
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-07 15:36:59 +02:00
Daniel Golle
fedc5d30ae base-files: move /tmp/resolv.conf.auto to /tmp/resolv.conf.d/
Having it in a directory it more friendly for mount-bind.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-07 15:36:03 +02:00
Hauke Mehrtens
414d054138 dnsmasq: Fix potential dnsmasq crash with TCP
This is a backport from the dnsmasq master which should fix a bug which
could cause a crash in dnsmasq.

I saw the following crashes in my log:
[522413.117215] do_page_fault(): sending SIGSEGV to dnsmasq for invalid read access from 2a001450
[522413.124464] epc = 004197f1 in dnsmasq[400000+23000]
[522413.129459] ra  = 004197ef in dnsmasq[400000+23000]
This is happening in blockdata_write() when block->next is
dereferenced, but I am not sure if this is related to this problem or if
this is a different problem. I am unable to reproduce this problem.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-01-06 17:44:22 +01:00
Hauke Mehrtens
8fb6be73b5 iwinfo: Update to version 2020-01-05
bf2c106 nl80211: add htmode to iwinfo_ops

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-01-05 20:19:37 +01:00
Andrea Dalla Costa
52f0b0913d ead: fix resource leak in tinysrp
Add call to fclose for file pointer fp in function t_openpw.
The resource leak could happen during an error handling.

Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
2020-01-05 19:36:46 +01:00
DENG Qingfang
983605e61f pppd: update to 2.4.8
78cd384 Update README and patchlevel.h for 2.4.8 release
5d03403 pppd: Avoid use of strnlen (and strlen) in vslprintf
a1e950a pppd: Fix IPv6 default route code for Solaris
ca5e61b plugins/rp-pppoe: Make tag parsing loop condition more accurate
c10c3c7 pppd: Make sure word read from options file is null-terminated
b311e98 pppd: Limit memory accessed by string formats with max length specified
3ea9de9 pppd: Eliminate some more compiler warnings
57edb1a pppd: Include time.h header before using time_t
09f695f pppd: Don't free static string
03104ba pppd.h: Add missing headers
388597e pppd: Add defaultroute6 and related options
66ce4ba pppd: Avoid declarations within statements in main.c
5637180 pppd: Fix `ifname` option in case of multilink (#105)
d00f8a0 pppd: Fix variable reference syntax in Makefile.linux
b6b4d28 pppd: Check tdb pointer before closing

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2020-01-05 19:36:45 +01:00
Matt Merhar
3d7f76383f dropbear: add missing zlib dependency for dropbearconvert
If CONFIG_DROPBEAR_ZLIB is set, building fails at the packaging stage
due to an undeclared dependency on libz.so.1.

As is already done for the main dropbear package, conditionally add a
dependency on zlib.

Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
2020-01-05 19:36:45 +01:00
Rosen Penev
121ad10601 lldpd: Fix compilation without fortify-headers
Upstream backport.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-01-05 19:36:45 +01:00
Florian Fainelli
e98e046f06 iperf: Allow enabling multicast support
iperf2 is useful for testing UDP over multicast, add an option to permit
the enabling/disabling of multicast support.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2020-01-03 20:30:09 -08:00
Jo-Philipp Wich
0590d74db2 Revert "iptables: update to 1.8.4"
This reverts commit 10cbc896c0.

The updated iptables package does not build due to the following error
encountered on the buildbots:

    cp: cannot stat '.../iptables-1.8.4/ipkg-install/usr/lib/libiptc.so.*': No such file or directory

The changelog mentions "build: remove -Wl,--no-as-needed and libiptc.so" so
it appears as if further packaging changes are needed beyond a simple
version bump.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-12-30 23:07:29 +01:00
DENG Qingfang
10cbc896c0 iptables: update to 1.8.4
Update iptables to 1.8.4

ChangeLog:
  https://netfilter.org/projects/iptables/files/changes-iptables-1.8.4.txt

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-12-30 21:14:31 +01:00
David Bauer
3026cfe172 iwinfo: update to 2019-12-27
a6f6c05 nl80211: properly handle netdev names starting with "radio"
31dcef3 iwinfo: add several QC/A device ids

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-12-30 15:09:30 +01:00
Jason A. Donenfeld
ea980fb9c6 wireguard: bump to 20191226
As announced on the mailing list, WireGuard will be in Linux 5.6. As a
result, the wg(8) tool, used by OpenWRT in the same manner as ip(8), is
moving to its own wireguard-tools repo. Meanwhile, the out-of-tree
kernel module for kernels 3.10 - 5.5 moved to its own wireguard-linux-
compat repo. Yesterday, releases were cut out of these repos, so this
commit bumps packages to match. Since wg(8) and the compat kernel module
are versioned and released separately, we create a wireguard-tools
Makefile to contain the source for the new tools repo. Later, when
OpenWRT moves permanently to Linux 5.6, we'll drop the original module
package, leaving only the tools. So this commit shuffles the build
definition around a bit but is basically the same idea as before.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-27 16:34:27 +01:00
Eneas U de Queiroz
3018c4c02f curl: rename cyassl->wolfssl
The old name was dropped and no longer works.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-12-26 23:30:33 +01:00
Kevin Darbyshire-Bryant
9cf9f903a3 wireguard: bump to 20191219
edad0d6 version: bump snapshot
0e38a3c compat: ipv6_dst_lookup_flow was backported to 5.3 and 5.4
2e52c41 wg-quick: linux: use already configured addresses instead of in-memory
3721521 tools: adjust wg.8 syntax for consistency in COMMANDS section
21a1498 wg-quick: linux: try both iptables(8) and nft(8) on teardown

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-12-24 20:53:32 +00:00
Rosen Penev
fd211e1677 iperf: Fix compilation with libcxx
Avoids redefining bool.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-12-23 00:22:07 +01:00
Jo-Philipp Wich
97af1fc979 uhttpd: reset PKG_RELEASE
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-12-22 23:03:59 +01:00
Jo-Philipp Wich
f34f9a414d uhttpd: update to latest Git HEAD
5f9ae57 client: fix invalid data access through invalid content-length values

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-12-22 22:50:00 +01:00
Magnus Kroken
bf43e5bbf9 openvpn: update to 2.4.8
Backport two upstream commits that allow building
openvpn-openssl without OpenSSLs deprecated APIs.

Full changelog:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2019-12-22 10:45:09 +01:00
Petr Štetiar
98b3526bf2 iputils: move iputils tools to packages feed
iputils has moved from the master tree to the packages feed, and is
switching from the abandoned skbuff.net upstream to
github.com/iputils/iputils.

Ref: https://git.openwrt.org/556698cedf9e86a0ffe9f148d4e8e733676c26f6
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-12-19 22:41:57 +01:00
Kevin Darbyshire-Bryant
ca7ed1712e wireguard: bump to 0.0.20191212
1ec6ece version: bump snapshot
e13de91 main: remove unused include <linux/version.h>
72eb17c wg-quick: linux: support older nft(8)
1d8e978 global: fix up spelling
e02713e wg-quick: linux: add support for nft and prefer it
b4e3a83 compat: support building for RHEL-8.1 instead of RHEL-8.0
f29e3ac socket: convert to ipv6_dst_lookup_flow for 5.5

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-12-17 19:46:41 +00:00
Hans Dedecker
a15f658ed0 odhcpd: update to latest git HEAD
d60f0a6 treewide: optimize syslog priority values

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-12-15 20:54:25 +01:00
Daniel Golle
24b97579d2 hostapd: re-introduce process tracking
Before commit 60fb4c92b6 ("hostapd: add ubus reload") netifd was
tracking hostapd/wpa_supplicant and restarting wifi in case of a
process crash. Restore this behaviour by tracking the PIDs of
hostapd and wpa_supplicant.
Also make sure hostapd and/or wpa_supplicant have been started before
emmitting ubus calls to them using ubus wait_for.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-12-08 19:52:39 +01:00
Felix Fietkau
c888e17e06 hostapd: manage instances via procd instead of pidfile
Allows graceful restart of crashing hostapd/wpa_supplicant instances

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[daniel@makrotopia.org: attempt to launch only present services]
2019-12-08 19:52:38 +01:00
Felix Fietkau
4225b83a76 hostapd: fix crash regression triggered by mesh mode
Fixes: 60fb4c92b6 ("hostapd: add ubus reload")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[daniel@makrotopia.org: polish commit message]
2019-12-08 19:51:53 +01:00
David Bauer
1ccf4bb93b hostapd: enable CTRL_IFACE_MIB for hostapd-full
This enables the CTRL_IFACE_MIB symbol for wpad-full and hostapd-full.
If it is not enabled, statistic outputs such as "hostapd_cli all_sta"
are empty.

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-12-08 12:49:09 +01:00
Hans Dedecker
39d9010c20 iproute2: update to 5.4.0
Update iproute2 to latest stable version, see https://lwn.net/Articles/805654/
for the changes in 5.4.0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-12-06 18:35:55 +01:00
Jason A. Donenfeld
82a8f91c89 wireguard: bump to 0.0.20191205
* wg-quick: linux: suppress error when finding unused table

This fixes a spurious warning messages seen with recent versions of iproute2
and kernels.

* wg-quick: linux: ensure postdown hooks execute
* wg-quick: linux: have remove_iptables return true
* wg-quick: linux: iptables-* -w is not widely supported

Adding in iptables had some hiccups. For the record, I'm very unhappy about
having to put any firewalling code into wg-quick(8). We'll of course need to
support nftables too at some point if this continues. I'm investigating with
upstream the possibility of adding a sysctl to patch the issue that iptables
is handling now, so hopefully at somepoint down the line we'll be able to shed
this dependency once again.

* send: use kfree_skb_list
* device: prepare skb_list_walk_safe for upstreaming
* send: avoid touching skb->{next,prev} directly

Suggestions from LKML.

* ipc: make sure userspace communication frees wgdevice

Free things properly on error paths.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-05 12:11:40 +01:00
Alin Nastac
416d2cc71e gre: add ipv6 parameter to gre interfaces
IPv6 protocol is enabled on all gre interfaces, but gre(v6)tap
interfaces are usually added to a bridge interface, in which case
IPv6 should be enabled only on the bridge interface.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2019-12-02 21:52:33 +01:00
Hans Dedecker
806339a4cc curl: bump to 7.67.0
For changes in 7.67.0; see https://curl.haxx.se/changes.html#7_67_0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-12-02 20:50:57 +01:00
Hans Dedecker
f573e5756a netifd: update to latest git HEAD
e45b140 interface: warn if ip6hint is truncated

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-11-29 21:56:42 +01:00
Jason A. Donenfeld
2fedf023e4 wireguard: bump to 0.0.20191127
* messages: recalculate rekey max based on a one minute flood
* allowedips: safely dereference rcu roots
* socket: remove redundant check of new4
* allowedips: avoid double lock in selftest error case
* tools: add syncconf command

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-11-27 20:20:31 +01:00
Kevin Darbyshire-Bryant
f1ca277405 dnsmasq: correct sense & usage of dnsseccheckunsigned
dnsmasq v2.80 made 'dnssec-check-unsigned' the default, thus the uci
option was rendered ineffectual: we checked unsigned zones no matter the
setting.

Disabling the checking of unsigned zones is now achieve with the
"--dnssec-check-unsigned=no" dnsmasq option.

Update init script to pass required option in the disabled case.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-11-23 08:29:15 +00:00
Jo-Philipp Wich
482114d3f7 firewall: update to latest Git HEAD
8174814 utils: persist effective extra_src and extra_dest options in state file
72a486f zones: fix emitting match rules for zones with only "extra" options

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-11-22 18:53:57 +01:00
Kevin Darbyshire-Bryant
3cee6f3f24 netifd: dhcp proto convert release to norelease
Change dhcp no/release on shutdown to 'norelease' uci option to match
existing proto dhcpv6 usage.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2019-11-20 10:52:57 +00:00
John Crispin
60fb4c92b6 hostapd: add ubus reload
Add ubus interface to hostapd and wpa_supplicant to allow dynamically
reloading wiface configuration without having to restart the hostapd
process.
As a consequence, both hostapd and wpa_supplicant are now started
persistently on boot for each wifi device in the system and then
receive ubus calls adding, modifying or removing interface
configuration.
At a later stage it would be desirable to reduce the services to one
single instance managing all radios.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-11-12 11:52:26 +01:00
Daniel Golle
155ede4f1f netifd: add dynamic wireless reconfiguration
7a723d0 wireless: add ubus method for reloading configuration
 e15147c wireless: make reconf opt-in and allow serializing configuration

Set new option 'reconf' in 'wifi-device' section to enable dynamic
re-configuration on that radio.
If necessary, also set option 'serialize' which forced netifd to
configure interfaces of wireless devices one-by-one.
Both options are disabled by default.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-11-12 11:51:36 +01:00
DENG Qingfang
2ea8cd73fe ipset: update to 7.4
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-11-09 14:33:42 +01:00
Hauke Mehrtens
e926681387 swconfig: Activate LTO compile option
This decreases the size of the swconfig application by 25% on MIPS BE.

old:
16,916 /sbin/swconfig

new:
12,565 /sbin/swconfig

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-11-08 23:57:53 +01:00
Hauke Mehrtens
6596c95eca dnsmasq: Activate LTO
This decreases the binary size when PIE ASLR is activated by 8% on MIPS BE.

old:
202,020 /usr/sbin/dnsmasq

new:
185,676 /usr/sbin/dnsmasq

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-11-08 23:57:51 +01:00
David Bauer
3034f8c3b8 hostapd: enable PMKSA and OK caching for WPA3-Personal
This enables PMKSA and opportunistic key caching by default for
WPA2/WPA3-Personal, WPA3-Personal and OWE auth types.
Otherwise, Apple devices won't connect to the WPA3 network.

This should not degrade security, as there's no external authentication
provider.

Tested with OCEDO Koala and iPhone 7 (iOS 13.1).

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-11-04 18:46:54 +01:00
Kyle Copperfield
87f9292300 hostapd: add IEEE 802.11k support
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Enables radio resource management to be reported by hostapd to clients.

Ref: https://github.com/lede-project/source/pull/1430
Co-developed-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2019-11-02 20:51:52 +01:00
Hauke Mehrtens
ddab758997 lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
When ASLR_PIE was activated globally these drivers failed to build
because the user space LDFLAGS leaked into the kernel build process.
This was fixed in upstream Linux kernel commit ce99d0bf312d ("kbuild:
clear LDFLAGS in the top Makefile") which went into Linux 4.17. The
lantiq target is now on Linux 4.19 only and these exceptions are not
needed any more.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-11-01 21:19:40 +01:00
Yousong Zhou
289d532ddd dropbear: rebuild libs on config change
Required as dependency on dropbear config headers is not tracked in
dropbear build system

Fixes FS#2275

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-11-01 06:59:51 +00:00
Hauke Mehrtens
e6cadb215c mac80211: Update to version 5.4-rc2
This updates mac80211 to backports based on kernel 5.4-rc2

ath10k-ct was updated to match the API changes and iw now uses the new
nl80211.h header file.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-10-19 12:35:55 +02:00
Florian Eckert
c7c14aaad3 wwan: Double quote to prevent globbing and word splitting
Fix some shellcheck warnings.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-18 19:48:41 +02:00
Florian Eckert
a78a539afd wwan: add ec25 to database
Add ec25 to database.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-18 19:48:21 +02:00
Florian Eckert
68b1b0bb39 wwan: add mc7304 to database
Add mc7304 to database.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-18 19:47:58 +02:00
Florian Eckert
c45c7606cc wwan: check new uci bus option on proto setup event
If system has more then one and different wwan interface (modem). Then the
wwan protohandler will always take the modem which is discovered first.
The protohandler will always setup the same interface. To fix this add a
new usb "bus" option which is associated with wwan device and so will set
the specified interface up. With this change more then one interface
could be mananged by the wwan protohandler.

If the "bus" option is not set in the uci network config then the protohandler
behaves as before the change. The protohanldler will take the first
interface which he founds.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2019-10-18 19:46:21 +02:00
Sean Kenny
9105057cc0 6in4: add rfc1918 check function
This is a precursor to adding proper support for multiple
6in4 tunnels with the already programmed tunlink parameter.
This is an essential sanity check so as to not break existing
and working behind NAT setups.

Signed-off-by: Sean Kenny <skenny@wfap.ca>

6in4: add myip he.net api parameter logic

This is to add proper support for multiple 6in4 tunnels
with the already programmed tunlink parameter.
As it stands before this commit, if there is a multi wan setup that
consists of dynamic ips, there is no way to use the
dynamic update feature as the he.net api is implicitly using
the ip address of the caller. This will explicitly use the
ipaddr specified in the interface config OR the ip of the
tunlink interface specified in the dynamic update api call instead
ONLY if the final resolved ipaddr variable is not an rfc1918 address.

Signed-off-by: Sean Kenny <skenny@wfap.ca>
2019-10-18 19:23:07 +02:00
Kevin Darbyshire-Bryant
9d5e266cb1 wireguard: bump to latest snapshot 20191012
8eb8443 version: bump snapshot
be09cf5 wg-quick: android: use Binder for setting DNS on Android 10
4716f85 noise: recompare stamps after taking write lock
54db197 netlink: allow preventing creation of new peers when updating
f1b87d1 netns: add test for failing 5.3 FIB changes
a3539c4 qemu: bump default version

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-10-16 16:13:39 +01:00
Jo-Philipp Wich
bc61458b73 iwinfo: update to latest Git HEAD
07315b6 nl80211: handle hidden SSIDs in wpa_supplicant scan results
3ac846e lua: fix string description of mixed WPA3 modes

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-16 16:48:40 +02:00
Martin Schiller
71e04091a9 lantiq: fix dsl_control status handling.
Commit 7519a36774 ("base-files,procd: add generic service status")
introduced the generic 'status' command which broke the previous
dsl_control status output. To fix this, let's rename the "old" command
to "dslstat".

Fixes: 7519a36774 ("base-files,procd: add generic service status")
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2019-10-15 23:23:08 +02:00
Jo-Philipp Wich
57b834281b iwinfo: update to latest Git HEAD
a29b7d4 nl80211: align path to phy mapping logic with mac80211.sh

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-15 15:52:01 +02:00
Hans Dedecker
34c4741da0 odhcpd: update to latest git HEAD
9a4531a ndp: fix endian issue

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-10-14 21:35:09 +02:00
Eneas U de Queiroz
ee5a3f6d60 hostapd: adjust to removal of WOLFSSL_HAS_AES_GCM
WolfSSL is always built with AES-GCM support now.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-10-12 23:43:08 +02:00
DENG Qingfang
394273c066 tcpdump: update to 4.9.3
Fixed CVEs:
	CVE-2017-16808
	CVE-2018-10103
	CVE-2018-10105
	CVE-2018-14461
	CVE-2018-14462
	CVE-2018-14463
	CVE-2018-14464
	CVE-2018-14465
	CVE-2018-14466
	CVE-2018-14467
	CVE-2018-14468
	CVE-2018-14469
	CVE-2018-14470
	CVE-2018-14879
	CVE-2018-14880
	CVE-2018-14881
	CVE-2018-14882
	CVE-2018-16227
	CVE-2018-16228
	CVE-2018-16229
	CVE-2018-16230
	CVE-2018-16300
	CVE-2018-16301
	CVE-2018-16451
	CVE-2018-16452
	CVE-2019-15166
	CVE-2019-15167

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-10-12 23:37:00 +02:00
Hans Dedecker
f8b58757d0 ppp: update to version 2.4.7.git-2019-10-04
0d004db Revert "pppd: Include time.h before using time_t"
e400854 pppdump: Eliminate printf format warning by using %zd
7f2f0de pppd: Refactor setjmp/longjmp with pipe pair in event wait loop
4e71317 make: Avoid using host include for cross-compiling
3202f89 pppoe: Remove the use of cdefs
d8e8d7a pppd: Remove unused rcsid variables
486f854 pppd: Fix GLIBC version test for non-glibc toolchains
b6cd558 pppd: Include time.h before using time_t
ef8ec11 radius: Fix compiler warning
f6330ec magic: Remove K&R style of arguments
347904e Add Submitting-patches.md

Remove patches 130-no_cdefs_h.patch, 131-missing_prototype_macro.patch,
132-fix_linux_includes.patch as fixed upstream
Refresh patches

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-10-10 22:37:10 +02:00
Hans Dedecker
27bf8abe69 firewall: update to latest git HEAD
daed0cf utils: fix resource leak

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-10-04 20:42:26 +02:00
Hans Dedecker
1ed5c1b146 odhcpd: update to latest git HEAD
e76ad06 netlink: fix potential infinite loops

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-10-04 20:42:17 +02:00
Hauke Mehrtens
9a4fb78e7c iw: Update to version 5.3
Wifi HE (ieee80211ax) parsing is currently only activated in the full
version because it increases the compressed size by 2.5KBytes.

This also activates link time optimization (LTO) again, the problem was
fixed upstream

This increases the uncompressed binary size of iw-tiny by about 1.7%

old:
34446 iw_5.0.1-1_mipsel_24kc.ipk
new:
35064 iw_5.3-1_mipsel_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-10-03 17:59:19 +02:00
Hans Dedecker
6077cde98a ethtool: bump to 5.3
76c4682 Release version 5.3.
3870efc ethtool: dump nested registers
7c06fa8 gitignore: ignore vim swapfiles and patches
49d1401 ethtool: igb: dump RR2DCDELAY register

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-30 21:53:35 +02:00
Jo-Philipp Wich
f2b9181bb1 iwinfo: update to latest Git HEAD
2a95086 nl80211: recognize SAE encrypted mesh

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-30 12:44:13 +02:00
Felix Fietkau
d25cc3207d iw: add patch to include local BSS rx time in survey information
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-09-29 22:16:27 +02:00
DENG Qingfang
eddbd68b6d iproute2: update to 5.3.0
Update iproute2 to 5.3.0

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-09-28 21:26:53 +02:00
Brandy Krueger
1fe1a200d9 wireguard: bump to 0.0.20190913
Changes since 0.0.20190702:

define conversion constants for ancient kernels
android: refactor and add incoming allow rules
enforce that unused bits of flags are zero
immediately rekey all peers after changing device private key
support running in OpenVZ environments
do not run bc on clean target
skip peers with invalid keys
account for upstream configuration maze changes
openbsd: fix alternate routing table syntax
account for android-4.9 backport of addr_gen_mode
don't fail down when using systemd-resolved
allow specifying kernel release
enforce named pipe ownership and use protected prefix
work around ubuntu breakage
support newer PaX
don't rewrite siphash when it's from compat
squelch warnings for stack limit on broken kernel configs
support rhel/centos 7.7

Signed-off-by: Brandy Krueger <krueger.brandy24@gmail.com>
2019-09-28 21:01:53 +02:00
Jo-Philipp Wich
ced4c0e635 iwinfo: update to latest Git HEAD
313e827 nl80211: keep awaiting wpa_supplicant scan results on busy response
a766751 nl80211: fix parsing of mixed wpa encryption in wpa_supp scan results
f096bfd utils: support parsing SAE and OWE key management suites from IEs

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-22 18:58:50 +02:00
Hauke Mehrtens
49cc712b44 hostapd: Add mesh support for wpad full
This increases the size of the binary slightly:

old:
427722 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
431696 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk

new:
442109 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
445997 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:51 +02:00
Hauke Mehrtens
998686364d hostapd: use getrandom syscall
hostapd will not use the getrandom() syscall and as a fallback use
/dev/random, the syscall is supported since Linux 3.17 and in the musl,
glibc and uclibc version used by OpenWrt.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:51 +02:00
Hauke Mehrtens
0d86bf518a hostapd: Remove unneeded patch
All the content of this function is proceeded by IEEE8021X_EAPOL no code
accesses the ssid variable outside of this ifdef.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:51 +02:00
Hauke Mehrtens
9b4a27455c hostapd: use config option CONFIG_NO_LINUX_PACKET_SOCKET_WAR
Instead of patching the workaround away, just use the config option.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:51 +02:00
Hauke Mehrtens
167028b750 hostapd: Update to version 2.9 (2019-08-08)
The size of the ipkgs increase a bit (between 0.7% and 1.1%):

old 2019-04-21 (2.8):
288264 wpad-basic_2019-04-21-63962824-1_mipsel_24kc.ipk
256188 wpad-mini_2019-04-21-63962824-1_mipsel_24kc.ipk
427475 wpad-openssl_2019-04-21-63962824-1_mipsel_24kc.ipk
423071 wpad-wolfssl_2019-04-21-63962824-1_mipsel_24kc.ipk

new 2019-08-08 (2.9):
290217 wpad-basic_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
258745 wpad-mini_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
431732 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
427641 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:38 +02:00
Hauke Mehrtens
8af79550e6 hostapd: Update to version 2.8 (2019-04-21)
This also syncs the configuration files with the default configuration
files, but no extra options are activated or deactivated.

The mesh patches were partially merged into hostapd 2.8, the remaining
patches were extracted from patchwork and are now applied by OpenWrt.
The patches still have open questions which are not fixed by the author.
They were taken from this page:
https://patchwork.ozlabs.org/project/hostap/list/?series=62725&state=*

The changes in 007-mesh-apply-channel-attributes-before-running-Mesh.patch
where first applied to hostapd, but later reverted in hostapd commit
3e949655ccc5 because they caused memory leaks.

The size of the ipkgs increase a bit (between 1.3% and 2.3%):

old 2018-12-02 (2.7):
283337 wpad-basic_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk
252857 wpad-mini_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk
417473 wpad-openssl_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk
415105 wpad-wolfssl_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk

new 2019-04-21 (2.8):
288264 wpad-basic_2019-04-21-63962824-1_mipsel_24kc.ipk
256188 wpad-mini_2019-04-21-63962824-1_mipsel_24kc.ipk
427475 wpad-openssl_2019-04-21-63962824-1_mipsel_24kc.ipk
423071 wpad-wolfssl_2019-04-21-63962824-1_mipsel_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
2019-09-22 17:39:26 +02:00
Hauke Mehrtens
a6981604b3 hostapd: Fix AP mode PMF disconnection protection bypass
This fixes
* CVE-2019-16275 AP mode PMF disconnection protection bypass
https://w1.fi/security/2019-7/ap-mode-pmf-disconnection-protection-bypass.txt

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-21 01:12:35 +02:00
Jo-Philipp Wich
d6bd3fd5c4 iwinfo: update to latest Git HEAD
02112f9 cli: fix reporting of mixed WPA2/WPA3 versions
7faeaea nl80211: properly detect WEP encryption in wpa_supp scan results
629b5ff nl80211: do not confuse open connections with WEP ones
3d47ddd nl80211: rework hostapd and wpa_supplicant wpa suite parsing

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-20 13:32:49 +02:00
Jo-Philipp Wich
abb4f4075e hostapd: mirror ieee80211w ap mode defaults in station mode
For AP mode, OpenWrt automatically sets ieee80211w to either 1 or 2, depending
on whether the encryption is set to sae-mixed, or sae/owe/eap suite-b.

Mirror the same defaults for client mode connections, in order to allow an
OpenWrt station to associate to an OpenWrt ap with SAE, OWE or Suite-B encryption
without the need to manually specify "option ieee80211w" on the station.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-20 13:27:28 +02:00
Jo-Philipp Wich
4209b28d23 hostapd: fix OWE settings in client mode
This changes fixes the generation of the wpa_supplicant client configuration
in WPA3 OWE client mode. Instead of incorrectly emitting key_mgmt=NONE, use
the proper key_mgmt=OWE setting instead.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-20 13:27:21 +02:00
Leon M. George
f974f8213b hostapd: declare struct wpa_bss early
wps_supplicant.h assumes that 'struct wpa_bss' is forward declared if
CONFIG_WPS is not defined.  With the later inclusion of
600-ubus_support, the issue manifests in warnings like these:

wps_supplicant.h:113:15: warning: 'struct wpa_bss' declared inside parameter list will not be visible outside of this definition or declaration
        struct wpa_bss *bss)
               ^~~~~~~

This patch forward declares 'struct wpa_bss' regardless.

Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit message facelift]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-09-19 23:43:27 +02:00
Leon M. George
a123df2758 hostapd: revert signature change in patch
The original wpa_hexdump uses a 'void *' for the payload.  With patch
410-limit_debug_messages, the signature changes and compiler warnings
occur at various places.  One such warning is:

 wpa_debug.h:106:20: note: expected 'const u8 * {aka const unsigned char *}' but argument is of type 'struct wpa_eapol_key *'

Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit message facelift]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-09-19 23:43:27 +02:00
Hans Dedecker
71cf4a272c curl: bump to 7.66.0
Refresh patches, for changes in version 7.66.0 see https://curl.haxx.se/changes.html#7_66_0

Fixes CVEs:
    CVE-2019-5481
    CVE-2019-5482

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-19 22:23:01 +02:00
Jo-Philipp Wich
5ef9e4f107 firewall: update to latest Git HEAD
383eb58 ubus: do not overwrite ipset name attribute

Ref: https://forum.openwrt.org/t/fw3-ipset-procd-objects/44044
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-18 10:51:24 +02:00
Petr Štetiar
2cf209ce91 firewall: update to latest git HEAD
c26f8907d1d2 firewall3: fix typo that affects ICMPv6 rules with numeric icmp_type

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-09-15 22:56:09 +02:00
Petr Štetiar
296e1f253c netifd,lldpd,rpcd,log: use generic service_running
commit eb204d14f75c ("base-files: implement generic service_running")
introduced generic service_running so it's not needed to copy&paste same
3 lines over and over again.

I've removed service_running from netifd/network init script as well,
because it was not working properly, looked quite strange and I didn't
understand the intention:

 $ /etc/init.d/network stop
 $ service network running && echo "yes" || echo "nope"
     ( have to wait for 30s )
 Command failed: Request timed out
 yes

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-09-15 22:53:01 +02:00
Hans Dedecker
a33d60c896 odhcpd: update to latest git HEAD
1d24009 netlink: rename netlink callback handlers
91a28e4 ndp: answer global-addressed NS manually
fd93e36 dhcpv6: retry failed PD assignments on addrlist change

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-15 20:43:14 +02:00
Hans Dedecker
ce6311d301 odhcpd: fix update to git HEAD
Fixes commit 7ff5b12e90

e73bf11 config: ra_management compatibility support
d818380 odhcpd: router: Fix out of scope memory access
94a1c94 dhcpv6-ia: free assignment when validity timer expires
752fc2c router: speed up initial router advertisements
09aa022 router: close socket upon NETEV_IFINDEX_CHANGE fixed
79eb160 router: fix previous commit
6034b5c router: close socket upon NETEV_IFINDEX_CHANGE
000182f router: fix lingering uloop socket descriptor
f6c2242 router: support ra_lifetime being 0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-12 22:37:54 +02:00
Ingo Feinerer
ca0ad9e0e9 umbim: update to latest git HEAD
184b707 umbim: add home provider query support

Signed-off-by: Ingo Feinerer <feinerer@logic.at>
2019-09-12 22:29:47 +02:00
Hans Dedecker
7ff5b12e90 odhcpd: update to latest git HEAD (FS#2019)
e73bf11 config: ra_management compatibility support
d818380 odhcpd: router: Fix out of scope memory access
94a1c94 dhcpv6-ia: free assignment when validity timer expires
752fc2c router: speed up initial router advertisements
09aa022 router: close socket upon NETEV_IFINDEX_CHANGE fixed
79eb160 router: fix previous commit
6034b5c router: close socket upon NETEV_IFINDEX_CHANGE
000182f router: fix lingering uloop socket descriptor
f6c2242 router: support ra_lifetime being 0
d111809 router: make RA flags configurable (FS#2019)

Update odhcpd defaults according to the new RA flags implementation

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-12 22:22:29 +02:00
David Bauer
7db2f1a71f iwinfo: update to latest Git HEAD
a88fb42 iwinfo: add device id for Qualcomm Atheros QCA9886
1b69d86 iwinfo: add device id for Qualcomm Atheros QCA9887

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-09-12 15:38:08 +02:00
Hauke Mehrtens
7bed9bf10f hostapd: SAE/EAP-pwd side-channel attack update
Fixes this security problem:
* SAE/EAP-pwd side-channel attack update
https://w1.fi/security/2019-6/sae-eap-pwd-side-channel-attack-update.txt

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-10 21:51:41 +02:00
Hauke Mehrtens
9f34bf51d6 hostapd: Fix security problem
This fixes:
CVE-2019-11555 "EAP-pwd message reassembly issue with unexpected fragment"
https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt

This shouöld not affect OpenWrt in the default settings as we do not use
EAP-pwd.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-10 21:51:26 +02:00
Hauke Mehrtens
359bff6052 firewall: update to latest git HEAD
487bd0d utils: Fix string format message

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-08 18:39:13 +02:00
Hans Dedecker
7db6559914 firewal: update to latest git HEAD
4d0c703 firewall3: Fix some format string problems
8c404ef iptables.c: lock the xtables.lock
c1d3a4d utils: implement fw3_lock_path() & fw3_unlock_path()

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-07 21:23:43 +02:00
Hans Dedecker
1855c23794 odhcp6c: update to latest git HEAD
e199804 dhcpv6: sanitize oro options

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-07 13:11:53 +02:00
Hauke Mehrtens
6658447534 iwinfo: update to latest Git HEAD
f599a8d iwinfo: Fix rate buffer size
71ec9be iwinfo: Fix buffer size
f8ef450 iwinfo: Add support for WPA3

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-01 19:48:43 +02:00
Konstantin Demin
b74f1f335a nftables: bump to version 0.9.2
- exclude Python-related stuff from build
- drop patches:
  * 010-uclibc-ng.patch, applied upstream

ipkg size decrease by 2.8%:
old:
194.851 nftables_0.9.0-2_arm_cortex-a7_neon-vfpv4.ipk
new:
189.581 nftables_0.9.2-1_arm_cortex-a7_neon-vfpv4.ipk

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-09-01 18:38:04 +02:00
Eneas U de Queiroz
7f2b230b3b uhttpd: add support to generate EC keys
This adds the key_type and ec_curve options to enable the generation of
EC keys during initialization, using openssl or the new options added to
px5g.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-09-01 00:35:11 +02:00
Jo-Philipp Wich
b13f3300d5 iwinfo: update to latest Git HEAD
a9f9557 nl80211: support reading hardware id from phy directly
c586cd3 iwinfo: add device id for MediaTek MT7612E
d4382dd iwinfo: add device id for Atheros AR9390

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-08-28 12:09:14 +02:00
DENG Qingfang
bd098231ba iproute2: update to 5.2.0
Remove upstream patches

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-08-24 21:58:13 +02:00
Kevin Darbyshire-Bryant
bd01346bb4 firewall: update to latest git HEAD
bf29c1e firewall3: ipset: Handle reload_set properly

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-08-22 09:31:57 +01:00
Christian Lamparter
cfd0748497 iftop: update to HEAD of 2018-10-03 - 77901c
Update iftop to commit 77901c8c53e01359d83b8090aacfe62214658183

git log --pretty=oneline --abbrev-commit 949ed0f7..77901c8c

77901c8 Support scales beyond 1Gbps

Created with the help of the make-package-update-commit.sh script.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-08-18 20:56:41 +02:00
Jo-Philipp Wich
d1f207ecc9 uhttpd: update to latest Git HEAD
6b03f96 ubus: increase maximum ubus request size to 64KB

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-08-18 20:00:06 +02:00
Alin Nastac
a6da3f9ef7 iproute2: add libcap support, enabled in ip-full
Preserve optionality of libcap by having configuration script follow the
HAVE_CAP environment variable, used similarly to the HAVE_ELF variable.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase/refresh patches]
2019-08-18 14:44:10 +02:00
Hauke Mehrtens
928e893a11 mac80211: Update to version 5.3-rc4-1
The removed patches were applied upstream.
The type of the RT2X00_LIB_EEPROM config option was changed to bool,
because boolean is an invalid value and the new kconfig system
complained about this.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-08-17 13:41:16 +02:00
Hauke Mehrtens
1d4df52c21 hostapd: Allow CONFIG_IEEE80211W for all but mini variant
This commit will activate CONFIG_IEEE80211W for all, but the mini
variant when at least one driver supports it. This will add ieee80211w
support for the mesh variant for example.

Fixes: FS#2397
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-08-17 00:16:08 +02:00
Hauke Mehrtens
f34e825834 hostapd: Remove ROBO switch support
The driver was removed from OpenWrt a long time ago.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-08-17 00:16:08 +02:00
Kevin Darbyshire-Bryant
51ffce0694 firewall: improve ipset support
Bump to latest git HEAD

509e673 firewall3: Improve ipset support

The enabled option did not work properly for ipsets, as it was not
checked on create/destroy of a set. After this commit, sets are only
created/destroyed if enabled is set to true.

Add support for reloading, or recreating, ipsets on firewall reload.  By
setting "reload_set" to true, the set will be destroyed and then
re-created when the firewall is reloaded.

Add support for the counters and comment extensions. By setting
"counters" or "comment" to true, then counters or comments are added to
the set.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-08-16 11:27:24 +01:00
Hans Dedecker
63ced14048 dnsmasq: use nettle ecc_curve access functions
Fixes compile issues with nettle 3.5.1

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-08-09 21:40:13 +02:00
Vincent Wiemann
ccb4b96b8a comgt-ncm: add driver dependencies again
In the commit 623716dd43 ("comgt-ncm: Fix NCM protocol")
the dependencies to vendor NCM drivers were removed, because:

> comgt-ncm should not depend on the USB-serial-related kernel modules,
> as the cdc-wdm control device works without them. There is also no need
> to depend on kmod-huawei-cdc-ncm, since other manufacturers (like
> Ericsson and Samsung) which use other kernel modules should also be
> supported.

From a user-perspective this does not make sense, as installing comgt-ncm
(or luci-proto-ncm) should install all needed dependencies for using such
a device.

Furthermore depending on kmod-huawei-cdc-ncm does not mean that Ericsson
and Samsung devices can't be supported. By the way it seems that Ericsson
and Samsung devices never used NCM, but act as serial modems.

Thus this commit adds the dependencies again.

Signed-off-by: Vincent Wiemann <vincent.wiemann@ironai.com>
[fixed title capitalization, formatted commit message,
renamed Sony-Ericsson to Ericsson]
Signed-off-by: David Bauer <mail@david-bauer.net>
2019-08-08 21:33:34 +02:00
Hans Dedecker
d70a35c365 netifd: update to latest git HEAD
5e02f94 system-linux: fix resource leak

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-08-07 13:55:52 +02:00
Rosen Penev
1b1c47577b linux-atm: Add missing headers
This fixes compilation with -Werror=implicit-function-declaration.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-08-05 23:22:26 +02:00
Jeffery To
e545fac8d9 build: include BUILD_VARIANT in PKG_BUILD_DIR
This changes the default PKG_BUILD_DIR to take BUILD_VARIANT into
account (if set), so that packages do not need to manually override
PKG_BUILD_DIR just to handle variants.

This also updates most base packages with variants to use the updated
default PKG_BUILD_DIR.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-08-05 23:22:26 +02:00
Hans Dedecker
018395392c ethtool: bump to 5.2
379c096 Release version 5.2.
2bce6d9 ethtool: Add 100BaseT1 and 1000BaseT1 link modes
67ffbf5 ethtool: sync ethtool-copy.h with linux-next from 30/05/2019
687152b ethtool.spec: Use standard file location macros

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-08-05 21:04:44 +02:00
Hans Dedecker
efb7b7a12a firewall: update to latest git HEAD
de94097 utils: coverity resource leak warning

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-08-05 14:18:27 +02:00
DENG Qingfang
edd9b39fab ipset: update to 7.3
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-08-05 09:42:09 +02:00
Kevin Darbyshire-Bryant
fc5d46dc62 Revert "dnsmasq: backport latest patches"
This reverts commit e9eec39aac.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-08-03 20:55:52 +01:00
Kevin Darbyshire-Bryant
a275466729 Revert "dnsmasq: improve insecure DS warning"
This reverts commit cd91f2327f.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-08-03 20:55:45 +01:00
Kevin Darbyshire-Bryant
4bc02a421f iptables: fix connmark savedscp build
Add <strings.h> for ffs() definition.

Reported-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-07-29 20:23:13 +01:00
Kevin Darbyshire-Bryant
cd91f2327f dnsmasq: improve insecure DS warning
Log the failing domain in the insecure DS warning.

Patch has been sent upstream.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-07-25 12:29:08 +01:00
Kevin Darbyshire-Bryant
e9eec39aac dnsmasq: backport latest patches
Backport upstream patches pre 2.81rc for testing purposes.

Let's see what falls out!

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-07-25 12:23:46 +01:00
Kevin Darbyshire-Bryant
1aad1d17ed iptables: add connmark savedscp support
iptables: connmark - add savedscp option

Naive user space front end to xt_connmark 'savedscp' option.

e.g.

iptables -A QOS_MARK_eth0 -t mangle -j CONNMARK --savedscp-mark 0xfc000000/0x01000000

Will save DSCP into the top 6 bits and OR 0x01 (ie set) the least
significant bit of most significant byte.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-07-25 10:18:23 +01:00
Hans Dedecker
11617bcb3b netifd: update to latest git HEAD
899f168 system-linux: Coverity fixes

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-07-22 21:48:34 +02:00
Hans Dedecker
fc2df4f705 curl: update to 7.65.3
For changes in 7.65.3; see https://curl.haxx.se/changes.html#7_65_3

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-07-21 23:30:27 +02:00
Hauke Mehrtens
0b2c42ced2 mac80211: Update to version 5.2-rc7
This updates mac80211 to version 5.2-rc7, this contains all the changes
to the wireless subsystem up to Linux 5.2-rc7.

* The removed patches are applied upstream
* b43 now uses kmod-lib-cordic
* Update the nl80211.h file in iw to match backports version.
* Remove the two backports from kernel 4.9, they were needed for mt76,
  but that can use the version from backports now, otherwise they
  collide and cause compile errors.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-07-18 00:22:04 +02:00
Martin Schiller
261df949fa openvpn: add new list option tls_ciphersuites
To configure the list of allowable TLS 1.3 ciphersuites, the option
tls_ciphersuites is used instead of tls_ciphers.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2019-07-17 22:59:29 +02:00
DENG Qingfang
42b3a3a89b iperf3: update to 3.7
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-07-08 16:28:47 +02:00
Eneas U de Queiroz
94d131332b hostapd: adjust removed wolfssl options
This edjusts the selection of recently removed wolfssl options which
have always been built into the library even in their abscence.
Also remove the selection of libwolfssl itself, allowing the library to
be built as a module.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-07-07 13:02:05 +02:00
Deng Qingfang
917eeaf26b iproute2: update to 5.1.0
Update iproute2 to 5.1.0
Remove upstream patch 010-cake-fwmark.patch
Backport a patch to fix struct sysinfo redefinition error

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-07-04 21:40:12 +02:00
Matt Merhar
1d4c4cbd20 openvpn: fix handling of list options
This addresses an issue where the list option specified in
/etc/config/openvpn i.e. 'tls_cipher' would instead show up in the
generated openvpn-<name>.conf as 'ncp-ciphers'. For context,
'ncp_ciphers' appears after 'tls_cipher' in OPENVPN_LIST from
openvpn.options.

Also, the ordering of the options in the UCI config file is now
preserved when generating the OpenVPN config. The two currently
supported list options deal with cipher preferences.

Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
2019-07-03 07:45:00 +02:00
Florian Eckert
313444a79e comgt: add delay option for 3g proto
All protos for wwan (ncm,qmi,mbim) do have a delay option.
To standardize that add also the missing delay option to the 3g proto.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2019-07-03 07:45:00 +02:00
Florian Eckert
c06f2a2dcb uqmi: fix indentation style and boundary
Fix indentation style and boundary.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2019-07-03 07:45:00 +02:00
Florian Eckert
8eb63cb7df uqmi: add mtu config option possibility
There are mobile carrier who have different MTU size in their network.
With this change it is now possible to configure this with the qmi
proto handler.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2019-07-03 07:45:00 +02:00
Jason A. Donenfeld
7c23f741e9 wireguard: bump to 0.0.20190702
* curve25519: not all linkers support bmi2 and adx

This should allow WireGuard to build on older toolchains.

* global: switch to coarse ktime

Our prior use of fast ktime before meant that sometimes, depending on how
broken the motherboard was, we'd wind up calling into the HPET slow path. Here
we move to coarse ktime which is always super speedy. In the process we had to
fix the resolution of the clock, as well as introduce a new interface for it,
landing in 5.3. Older kernels fall back to a fast-enough mechanism based on
jiffies.

https://lore.kernel.org/lkml/tip-e3ff9c3678b4d80e22d2557b68726174578eaf52@git.kernel.org/
https://lore.kernel.org/lkml/20190621203249.3909-3-Jason@zx2c4.com/

* netlink: cast struct over cb->args for type safety

This follow recent upstream changes such as:

https://lore.kernel.org/lkml/20190628144022.31376-1-Jason@zx2c4.com/

* peer: use LIST_HEAD macro

Style nit.

* receive: queue dead packets to napi queue instead of empty rx_queue

This mitigates a WARN_ON being triggered by the workqueue code. It was quite
hard to trigger, except sporadically, or reliably with a PC Engines ALIX, an
extremely slow board with an AMD LX800 that Ryan Whelan of Axatrax was kind
enough to mail me.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-07-02 22:06:42 +02:00
Deng Qingfang
299f6cb2da iptables: update to 1.8.3
Update iptables to 1.8.3

ChangeLog:
  https://netfilter.org/projects/iptables/files/changes-iptables-1.8.3.txt

Removed upstream patches:
- 001-extensions_format-security_fixes_in_libip.patch
- 002-include_fix_build_with_kernel_headers_before_4_2.patch
- 003-ebtables-vlan-fix_userspace_kernel_headers_collision.patch

Altered patches:
- 200-configurable_builtin.patch
- 600-shared-libext.patch

No notable size changes

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [lipibtc ABI_VERSION fix]
2019-07-02 21:50:54 +02:00
Koen Vandeputte
1ffca55456 uqmi: bump to latest git HEAD
1965c7139374 uqmi: add explicit check for message type when expecting a response
01944dd7089b uqmi_add_command: fixed command argument assignment

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-06-27 14:16:32 +02:00
Joseph Tingiris
8a5a01a677 rssileds: change rssileds.init STOP index
This patch is in a series to allow additional STOP indexes after
umount, so that other block devices may stop cleanly.

rssileds.init is now STOP=89

Signed-off-by: Joseph Tingiris <joseph.tingiris@gmail.com>
2019-06-24 20:22:24 +02:00
Deng Qingfang
6762e72524 package/network: add PKGARCH:=all to non-binary packages
Packages such as xfrm contain only script files, add PKGARCH:=all

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-06-22 12:55:30 +02:00
Kevin Darbyshire-Bryant
a8f0c02f80 iproute2: update ctinfo support
Follow upstream changes - header file changes only
no functional or executable changes, hence no package bump
required

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-06-20 21:12:24 +01:00
Christian Lamparter
99bf9a1ac2 hostapd: remove stale WPA_SUPPLICANT_NO_TIMESTAMP_CHECK option
Support to disable the timestamp check for certificates in
wpa_supplicant (Useful for devices without RTC that cannot
reliably get the real date/time) has been accepted in the
upstream hostapd. It's implemented in wpa_supplicant as a
per-AP flag tls_disable_time_checks=[0|1].

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-06-20 20:02:29 +02:00
Jo-Philipp Wich
a95ddaba02 uhttpd: add direct dependency on libjson-c
The OpenWrt buildroot ABI version rebuild tracker does not handle
transient dependencies, therefor add all libraries linked by uhttpd
as direct dependencies to the corresponding binary package definition.

This ensures that uhttpd is automatically rebuilt and relinked if any
of these libraries has its ABI_VERSION updated in the future.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-06-20 18:09:48 +02:00
Hauke Mehrtens
3c401f45c9 uhttpd: Fix format string build problems
91fcac34ac uhttpd: Fix multiple format string problems

Fixes: fc454ca153 libubox: update to latest git HEAD
Reported-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-06-16 22:57:39 +02:00
Hans Dedecker
1fd900ddc2 netifd: xfrm fixes
9932ed0 netifd: fix xfrm interface deletion and standardize netlink call

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-06-15 21:27:01 +02:00
Christian Lamparter
dec686fbc6 iwinfo: update PKG_MIRROR_HASH
This patch updates the PKG_MIRROR_HASH to match the one
of the current version.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-06-15 19:55:32 +02:00
André Valentin
f6dab98044 network/config/xfrm: add host-dependency for xfrm interface parent
Add proto_add_host_dependency to add a dependency to the tunlink interface

Signed-off-by: André Valentin <avalentin@marcant.net>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2019-06-15 13:41:39 +02:00
Hans Dedecker
55fcc77072 netifd: update to latest git HEAD
42a3878 interface-ip: fix possible null pointer dereference
c1964d8 system-linux: remove superfluous dev check

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-06-13 22:18:57 +02:00
Koen Vandeputte
c12bd3a21b iwinfo: update to latest git HEAD
1372f47eff34 iwinfo: Add Mikrotik R11e-5HnDr2

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-06-12 15:04:09 +02:00
Yousong Zhou
04b45d3a31 dnsmasq: move feature detection inside a shell func
Resolves openwrt/packages#9219

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-06-11 08:32:54 +00:00
André Valentin
452d88e8f7 config: add xfrm interface support scripts
This package adds scripts for xfrm interfaces support.
Example configuration via /etc/config/network:

config interface 'xfrm0'
        option proto 'xfrm'
        option mtu '1300'
        option zone 'VPN'
        option tunlink 'wan'
        option ifid 30

config interface 'xfrm0_static'
        option proto 'static'
        option ifname '@xfrm0'
        option ip6addr 'fe80::1/64'
        option ipaddr '10.0.0.1/30'

Now set in strongswan IPsec policy:
 	if_id_in = 30
	if_id_out = 30

Signed-off-by: André Valentin <avalentin@marcant.net>
2019-06-10 10:07:24 +02:00
Hans Dedecker
cc092a285a curl: update to 7.65.1
For changes in 7.65.1; see https://curl.haxx.se/changes.html#7_65_1

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-06-10 10:06:05 +02:00
Yousong Zhou
0299a4b73e dnsmasq: skip options that are not compiled in
This is to make life easier for users with customized build of
dnsmasq-full variant.  Currently dnsmasq config generated by current
service script will be rejected by dnsmasq build lacking DHCP feature

 - Options like --dhcp-leasefile have default values.  Deleting them
   from uci config or setting them to empty value will make them take on
   default value in the end
 - Options like --dhcp-broadcast are output unconditionally

Tackle this by

 - Check availablility of features from output of "dnsmasq --version"
 - Make a list of options guarded by HAVE_xx macros in src/options.c of
   dnsmasq source code
 - Ignore these options in xappend()

Two things to note in this implementation

 - The option list is not exhaustive.  Supposedly only those options that
   may cause dnsmasq to reject with "unsupported option (check that
   dnsmasq was compiled with DHCP/TFTP/DNSSEC/DBus support)" are taken
   into account here
 - This provides a way out but users' cooperation is still needed.  E.g.
   option dnssec needs to be turned off, otherwise the service script
   will try to add --conf-file pointing to dnssec specific anchor file
   which dnsmasq lacking dnssec support will reject

Resolves FS#2281

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-06-09 08:17:52 +00:00
Hans Dedecker
6b762dd75f netifd: xfrm tunnel support
8c6358b netifd: add xfrm tunnel interface support

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-06-08 21:51:37 +02:00
Kevin Darbyshire-Bryant
021a9b4cb9 iproute2: add tc action ctinfo support
Add the userspace control portion of the backported kernelspace
act_ctinfo.

ctinfo is a tc action restoring data stored in conntrack marks to
various fields.  At present it has two independent modes of operation,
restoration of DSCP into IPv4/v6 diffserv and restoration of conntrack
marks into packet skb marks.

It understands a number of parameters specific to this action in
additional to the usual action syntax.  Each operating mode is
independent of the other so all options are optional, however not
specifying at least one mode is a bit pointless.

Usage: ... ctinfo [dscp mask [statemask]] [cpmark [mask]] [zone ZONE]
		  [CONTROL] [index <INDEX>]

DSCP mode

dscp enables copying of a DSCP stored in the conntrack mark into the
ipv4/v6 diffserv field.  The mask is a 32bit field and specifies where
in the conntrack mark the DSCP value is located.  It must be 6
contiguous bits long. eg. 0xfc000000 would restore the DSCP from the
upper 6 bits of the conntrack mark.

The DSCP copying may be optionally controlled by a statemask.  The
statemask is a 32bit field, usually with a single bit set and must not
overlap the dscp mask.  The DSCP restore operation will only take place
if the corresponding bit/s in conntrack mark ANDed with the statemask
yield a non zero result.

eg. dscp 0xfc000000 0x01000000 would retrieve the DSCP from the top 6
bits, whilst using bit 25 as a flag to do so.  Bit 26 is unused in this
example.

CPMARK mode

cpmark enables copying of the conntrack mark to the packet skb mark.  In
this mode it is completely equivalent to the existing act_connmark
action.  Additional functionality is provided by the optional mask
parameter, whereby the stored conntrack mark is logically ANDed with the
cpmark mask before being stored into skb mark.  This allows shared usage
of the conntrack mark between applications.

eg. cpmark 0x00ffffff would restore only the lower 24 bits of the
conntrack mark, thus may be useful in the event that the upper 8 bits
are used by the DSCP function.

Usage: ... ctinfo [dscp mask [statemask]] [cpmark [mask]] [zone ZONE]
		  [CONTROL] [index <INDEX>]
where :
	dscp MASK is the bitmask to restore DSCP
	     STATEMASK is the bitmask to determine conditional restoring
	cpmark MASK mask applied to restored packet mark
	ZONE is the conntrack zone
	CONTROL := reclassify | pipe | drop | continue | ok |
		   goto chain <CHAIN_INDEX>

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-06-07 12:05:32 +01:00
Yangbo Lu
9ad7c53383 layerscape: update restool to LSDK 19.03
Update restool to LSDK 19.03.

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
2019-06-06 15:40:08 +02:00
Jason A. Donenfeld
593b487538 wireguard: bump to 0.0.20190601
There was an issue with the backport compat layer in yesterday's snapshot,
causing issues on certain (mostly Atom) Intel chips on kernels older than
4.2, due to the use of xgetbv without checking cpu flags for xsave support.
This manifested itself simply at module load time. Indeed it's somewhat tricky
to support 33 different kernel versions (3.10+), plus weird distro
frankenkernels.

If OpenWRT doesn't support < 4.2, you probably don't need to apply this.
But it also can't hurt, and probably best to stay updated.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-06-01 14:00:51 +02:00
Jason A. Donenfeld
a1210f8888 wireguard: bump to 0.0.20190531
* tools: add wincompat layer to wg(8)

Consistent with a lot of the Windows work we've been doing this last cycle,
wg(8) now supports the WireGuard for Windows app by talking through a named
pipe. You can compile this as `PLATFORM=windows make -C src/tools` with mingw.
Because programming things for Windows is pretty ugly, we've done this via a
separate standalone wincompat layer, so that we don't pollute our pretty *nix
utility.

* compat: udp_tunnel: force cast sk_data_ready

This is a hack to work around broken Android kernel wrapper scripts.

* wg-quick: freebsd: workaround SIOCGIFSTATUS race in FreeBSD kernel

FreeBSD had a number of kernel race conditions, some of which we can vaguely
work around. These are in the process of being fixed upstream, but probably
people won't update for a while.

* wg-quick: make darwin and freebsd path search strict like linux

Correctness.

* socket: set ignore_df=1 on xmit

This was intended from early on but didn't work on IPv6 without the ignore_df
flag. It allows sending fragments over IPv6.

* qemu: use newer iproute2 and kernel
* qemu: build iproute2 with libmnl support
* qemu: do not check for alignment with ubsan

The QEMU build system has been improved to compile newer versions. Linking
against libmnl gives us better error messages. As well, enabling the alignment
check on x86 UBSAN isn't realistic.

* wg-quick: look up existing routes properly
* wg-quick: specify protocol to ip(8), because of inconsistencies

The route inclusion check was wrong prior, and Linux 5.1 made it break
entirely. This makes a better invocation of `ip route show match`.

* netlink: use new strict length types in policy for 5.2
* kbuild: account for recent upstream changes
* zinc: arm64: use cpu_get_elf_hwcap accessor for 5.2

The usual churn of changes required for the upcoming 5.2.

* timers: add jitter on ack failure reinitiation

Correctness tweak in the timer system.

* blake2s,chacha: latency tweak
* blake2s: shorten ssse3 loop

In every odd-numbered round, instead of operating over the state
    x00 x01 x02 x03
    x05 x06 x07 x04
    x10 x11 x08 x09
    x15 x12 x13 x14
we operate over the rotated state
    x03 x00 x01 x02
    x04 x05 x06 x07
    x09 x10 x11 x08
    x14 x15 x12 x13
The advantage here is that this requires no changes to the 'x04 x05 x06 x07'
row, which is in the critical path. This results in a noticeable latency
improvement of roughly R cycles, for R diagonal rounds in the primitive. As
well, the blake2s AVX implementation is now SSSE3 and considerably shorter.

* tools: allow setting WG_ENDPOINT_RESOLUTION_RETRIES

System integrators can now specify things like
WG_ENDPOINT_RESOLUTION_RETRIES=infinity when building wg(8)-based init
scripts and services, or 0, or any other integer.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-05-31 21:01:33 +02:00
Hans Dedecker
678ee30ee4 ppp: add config options to tune discovery timeout and attempts
Upstream PPP project has added in commit 8e77984 options to tune discovery
timeout and attempts in the rp-pppoe plugin.

Expose these options in the uci datamodel for pppoe:
	padi_attempts: Number of discovery attempts
	padi_timeout: Initial timeout for discovery packets in seconds

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-31 09:43:10 +02:00
Hans Dedecker
42977978e2 ppp: update to version 2.4.7.git-2019-05-25
8e77984 rp-pppoe plugin: Add options to tune discovery timeout and number of attempts

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-31 09:43:03 +02:00
Fabian Bläse
0f8b9addfc gre: introduce 'nohostroute' option
It is not always necessary to add a host route for the gre peer address.

This introduces a new config option 'nohostroute' (similar to the
option introduced for wireguard in d8e2e19) to allow to disable
the creation of those routes explicitely.

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2019-05-31 09:42:32 +02:00
Hans Dedecker
6636171bed netifd: fix missing ip rules after network reload (FS#2296)
beb810d iprule: fix missing ip rules after a reload (FS#2296)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-28 10:21:02 +02:00
Hans Dedecker
7d77879236 curl: bump to 7.65.0
For changes in 7.65.0; see https://curl.haxx.se/changes.html#7_65_0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-26 21:51:04 +02:00
Hans Dedecker
f54611b06d map: don't set default firewall zone to wan
Don't set the default firewall zone to wan if not specified to keep the
behavior aligned with other tunnel protocols like gre and 6rd.
If the interface zone is not specified try to get it from the firewall config
when constructing the procd firewall rule.
While at it only add procd inbound/outbound firewall rules if a zone is specified.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-26 09:44:37 +02:00
Hans Dedecker
470f5b31e3 464xlat: don't set default firewall zone to wan
Don't set the default firewall zone to wan if not specified to keep the
behavior aligned with other tunnel protocols like gre and 6rd.
If the interface zone is not specified try to get it from the firewall config
when constructing the procd firewall rule.
While at it only add a procd inbound firewall rule if a zone is specified.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-26 09:43:57 +02:00
Petr Štetiar
ace241014c ethtool: bump to 5.1
* Feature: Add support for 200Gbps (50Gbps per lane) link mode
 * Feature: simplify handling of PHY tunable downshift
 * Feature: add support for PHY tunable Fast Link Down
 * Feature: add PHY Fast Link Down tunable to man page
 * Feature: Add a 'start N' option when specifying the Rx flow hash indirection table.
 * Feature: Add bash-completion script
 * Feature: add 10000baseR_FEC link mode name
 * Fix: qsfp: fix special value comparison
 * Feature: move option parsing related code into function
 * Feature: move cmdline_coalesce out of do_scoalesce
 * Feature: introduce new ioctl for per-queue settings
 * Feature: support per-queue sub command --show-coalesce
 * Feature: support per-queue sub command --coalesce
 * Fix: fix up dump_coalesce output to match actual option names
 * Feature: fec: add pretty dump

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-05-25 13:44:43 +02:00
Koen Vandeputte
4da5ba4a6b iwinfo: update to latest git HEAD
073a838891e5 iwinfo: Complete device IDs for Ubiquiti airOS XM/XW devices
04f5a7d3a431 iwinfo: Add Mikrotik R11e-5HnD
c2cfe9d96c9a iwinfo: Fix 802.11ad channel to frequency

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-05-21 14:24:18 +02:00
Petr Štetiar
2c26dc7b41 netifd: add support for the new ar8xxx MIB counters settings
Commit "generic: ar8216: add mib_poll_interval switch attribute" has added
mib_poll_interval global config option and commit "generic: ar8216: group
MIB counters and use two basic ones only by default" has added mib_type
config option.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-05-20 21:19:48 +02:00
Hans Dedecker
a7967bada9 ppp: update to version 2.4.7.git-2019-05-18
c9d9dbf pppoe: Custom host-uniq tag
44012ae plugins/rp-pppoe: Fix compile errors

Refresh patches
Drop 520-uniq patch as upstream accepted
Drop 150-debug_compile_fix patch as fixed upstream

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-18 21:39:19 +02:00
Hans Dedecker
7b58c58733 netifd: update to latest git HEAD
22e8e58 interface-ip: use ptp address as well to find local address target
f1aa0f9 treewide: pass bool as second argument of blobmsg_check_attr

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-18 09:35:25 +02:00
Hans Dedecker
5546fe9fc3 odhcpd: update to latest git HEAD (FS#2242)
41a74cb config: remove 'ignore' config option
c0c8034 treewide: init assignment lists head
f98b7ee config: use list safe iterator in lease_delete
3c9810b dhcpv4: fix lease ordering by ip address
b60c384 config: use multi-stage parsing of uci sections
a2dd8d6 treewide: always init interface list heads during initialization
a17665e dhcpv4: do not allow pool end address to overlap with broadcast address
6b951c5 treewide: give file descriptors safe initial value
39e11ed dhcpv4: DHCP pool size is off-by-one
4a600ce dhcpv4: add support for Parameter Request List option 55
09e5eca dhcpv4: fix DHCP packet size
3cd4876 ndp: fix syslog flooding (FS#2242)
79fbba1 config: set default loglevel to LOG_WARNING

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-17 08:54:30 +02:00
Rosen Penev
2f97797471 nftables: Fix compilation with uClibc-ng
Missing header for va_list.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
[updated with upstream version of the patch]
2019-05-15 13:34:23 +02:00
Hauke Mehrtens
02d4d36d4b iperf: Update to version 2.0.13
The removed patches are already integrated in the upstream version.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-05-14 20:28:18 +02:00
Hans Dedecker
06403981e1 ppp: update to version 2.4.7.git-2019-05-06
fcb076c Various fixes for errors found by coverity static analysis (#109)
d98ab38 Merge branch 'pppd_print_changes' of https://github.com/nlhintz/ppp into nlhintz-pppd_print_changes

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-13 15:34:42 +02:00
Lucian Cristian
4582fe7c14 lldpd: add option to edit hostname
also fixes the annoying repeating syslog
lldp[]: unable to get system name

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
2019-05-11 16:37:11 +02:00
Lucian Cristian
cb30971a44 lldpd: update to 1.0.3
Support for CDP PD PoE

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
2019-05-11 16:37:11 +02:00
Hans Dedecker
165d598521 netifd: update to latest git HEAD
f6fb700 interface-ip: fine tune IPv6 mtu warning
975a5c4 interface: tidy ipv6 mtu warning

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-05-08 22:15:19 +02:00
Jo-Philipp Wich
f00a4ae6e0 Revert "uhttpd: disable concurrent requests by default"
This reverts commit c6aa9ff388.

Further testing has revealed that we will need to allow concurrent
requests after all, especially for situations where CGI processes
initiate further HTTP requests to the local host.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-04-23 08:15:46 +02:00
Hans Dedecker
399aa0b933 odhcpd: update to latest git HEAD (FS#2243, FS#2244)
6633efe router: fix dns search list option

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-04-19 19:24:39 +02:00
Rosy Song
524810ce6d dropbear: allow build without dbclient
This can save ~16KBytes size for the ipk

Signed-off-by: Rosy Song <rosysong@rosinson.com>
2019-04-18 22:34:19 +02:00
Hans Dedecker
e20c2909a5 odhcpd: update to latest git HEAD (FS#2206)
38bc630 router: use ra_lifetime as lifetime for RA options (FS#2206)
0523bdd router: improve code readibility
0a3b279 Revert "router:"
207f8e0 treewide: align syslog loglevels
f1d7da9 router:
0e048ac treewide: fix compiler warnings
83698f6 CMakeList.txt: enable extra compiler checks

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-04-17 14:43:38 +02:00
Hans Dedecker
3e803499c3 netifd: update to latest git HEAD
666c14f system-linux: remove debug tracing
08989e4 interface: add neighbor config support
bfd4de3 interface: fix "if-down" hotplug event handling

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-04-15 23:20:20 +02:00
Petr Štetiar
ecdd26fe2b umbim: update to latest git HEAD
24f9dc7 Iron out all extra compiler warnings
9d8dbc9 Enable extra compiler checks
ff8d356 mbim-proxy support
ccca03f umbim: add registration set support

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-04-15 00:01:57 +02:00