4fbf6d7 ruleset.uc: log forwarded traffic not matched by zone policies
c7201a3 main.uc: reintroduce set reload restriction
756f1e2 ruleset: fix emitting set_mark/set_xmark rules with masks
3db4741 ruleset: properly handle zone names starting with a digit
43d8ef5 fw4: fix formatting of default log prefix
592ba45 main.uc: remove uneeded/wrong set reload restrictions
b0a6bff tests: fix testcases
145e159 fw4: recognize `option log` and `option counter` in `config nat` sections
ce050a8 fw4: fall back to device if l3_device is not available in ifstatus
Fixes: #10639, #10965
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit fdfa9d8f7469626d2dc8e4b46a6ad56a3b27c16b)
4ae7072 fs: use `getline()` for line wise read operations
21ace5e lexer: fixes for regex literal parsing
00965fa lib: implement slice() function
76d396d main: implement print mode
7bbba78 compiler: optimize function return opcode generation
a45f2a3 lexer: improve regex literal handling
d64d5d6 vm: maintain export symbol tables per program
f4b4ded uloop: task: gracefully handle absent output callback
a58fe47 ubus: hold reference to underlying connection until deferred is concluded
e23b58a lib: uc_system(): retry waitpid() on EINTR
cc4eb79 ubus: support obtaining numeric error code
01c412c ubus: add toplevel constants for ubus status codes
8e240fa ubus: allow object method call handlers to return a numeric status code
5cdddd3 lib: add limit support to split() and replace()
0ba9c3e fs: add optional third permission argument to fs.open()
c1f7b3b lib: remove fixed capture group limit in match() and regex replace()
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commits 639754e36d849553e288f8e34f51f793761c07db
and 5110dcb1fa44fc1aac737c63b31474daa471de89)
Hardware
--------
CPU: Mediatek MT7621
RAM: 256M DDR3
FLASH: 128M NAND
ETH: 1x Gigabit Ethernet
WiFi: Mediatek MT7915 (2.4/5GHz 802.11ax 2x2 DBDC)
BTN: 1x Reset (NWA50AX only)
LED: 1x Multi-Color (NWA50AX only)
UART Console
------------
NWA50AX:
Available below the rubber cover next to the ethernet port.
NWA55AXE:
Available on the board when disassembling the device.
Settings: 115200 8N1
Layout:
<12V> <LAN> GND-RX-TX-VCC
Logic-Level is 3V3. Don't connect VCC to your UART adapter!
Installation Web-UI
-------------------
Upload the Factory image using the devices Web-Interface.
As the device uses a dual-image partition layout, OpenWrt can only
installed on Slot A. This requires the current active image prior
flashing the device to be on Slot B.
If the currently installed image is started from Slot A, the device will
flash OpenWrt to Slot B. OpenWrt will panic upon first boot in this case
and the device will return to the ZyXEL firmware upon next boot.
If this happens, first install a ZyXEL firmware upgrade of any version
and install OpenWrt after that.
Installation TFTP
-----------------
This installation routine is especially useful in case
* unknown device password (NWA55AXE lacks reset button)
* bricked device
Attach to the UART console header of the device. Interrupt the boot
procedure by pressing Enter.
The bootloader has a reduced command-set available from CLI, but more
commands can be executed by abusing the atns command.
Boot a OpenWrt initramfs image available on a TFTP server at
192.168.1.66. Rename the image to owrt.bin
$ atnf owrt.bin
$ atna 192.168.1.88
$ atns "192.168.1.66; tftpboot; bootm"
Upon booting, set the booted image to the correct slot:
$ zyxel-bootconfig /dev/mtd10 get-status
$ zyxel-bootconfig /dev/mtd10 set-image-status 0 valid
$ zyxel-bootconfig /dev/mtd10 set-active-image 0
Copy the OpenWrt ramboot-factory image to the device using scp.
Write the factory image to NAND and reboot the device.
$ mtd write ramboot-factory.bin firmware
$ reboot
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit a0b7fef0ffe4cd9cca39a652a37e4f3ce8f0a681)
On machines with a coarse monotonic clock (here: TP-Link RE200 powered
by a MediaTek MT7620A) it can happen that the two DNS requests (for A
and AAAA) share the same transaction ID. If this happens the second
reply is wrongly dropped and nslookup reports "No answer".
Fix this by ensuring that the transaction IDs are unique.
Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
(cherry picked from commit 63e5ba8e69f03a584b707520db0a0821eda3024f)
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This mainly affects scanning and beacon parsing, especially with MBSSID enabled
Fixes: CVE-2022-41674
Fixes: CVE-2022-42719
Fixes: CVE-2022-42720
Fixes: CVE-2022-42721
Fixes: CVE-2022-42722
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 26f400210d6b3780fcc0deb89b9741837df9c8b8)
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.
So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all
packages using wolfSSL library.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit f1b7e1434f66a3cb09cb9e70b40add354a22e458)
Fixes denial of service attack and buffer overflow against TLS 1.3
servers using session ticket resumption. When built with
--enable-session-ticket and making use of TLS 1.3 server code in
wolfSSL, there is the possibility of a malicious client to craft a
malformed second ClientHello packet that causes the server to crash.
This issue is limited to when using both --enable-session-ticket and TLS
1.3 on the server side. Users with TLS 1.3 servers, and having
--enable-session-ticket, should update to the latest version of wolfSSL.
Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France"
for research on tlspuffin.
Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable
Fixes: CVE-2022-39173
Fixes: https://github.com/openwrt/luci/issues/5962
References: https://github.com/wolfSSL/wolfssl/issues/5629
Tested-by: Kien Truong <duckientruong@gmail.com>
Reported-by: Kien Truong <duckientruong@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit ec8fb542ec3e4f584444a97de5ac05dbc2a9cde5)
If you would like to compile the newest version of U-boot together with the stable
OpenWrt version, which does not have LibreSSL >= 3.5, which was updated
in the master branch by commit 5451b03b7ceb2315445c683fe174e28bbdd49c2f
("tools/libressl: bump to v3.5.3"), then you need these two patches to
fix it. They are backported from U-boot repository.
This should be backported to stable OpenWrt versions.
Reported-by: Michal Vasilek <michal.vasilek@nic.cz>
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 185541f50ff59c0a5e0663ad612f0f5eb31926cf)
This issue was reported by @paper42, who is using Void Linux with musl
to compile OpenWrt and its packages and found out it is not possible to
compile U-boot for Turris Omnia (neither any other).
It fixes following output:
```
HOSTCC tools/kwboot
tools/kwboot.c: In function 'kwboot_tty_change_baudrate':
tools/kwboot.c:662:6: error: 'struct termios' has no member named 'c_ospeed'
662 | tio.c_ospeed = tio.c_ispeed = baudrate;
| ^
tools/kwboot.c:662:21: error: 'struct termios' has no member named 'c_ispeed'
662 | tio.c_ospeed = tio.c_ispeed = baudrate;
| ^
tools/kwboot.c:690:31: error: 'struct termios' has no member named 'c_ospeed'
690 | if (!_is_within_tolerance(tio.c_ospeed, baudrate, 3))
| ^
tools/kwboot.c:693:31: error: 'struct termios' has no member named 'c_ispeed'
693 | if (!_is_within_tolerance(tio.c_ispeed, baudrate, 3))
|
```
Tested-by: Michal Vasilek <michal.vasilek@nic.cz>
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 9c7472950b01c5b3a461f4e29b3b62bac9e35b46)
- fix including modules.mk when a target is being replaced
- fix calling make targets from target/linux
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 3a8825ad6acbf18b2b472ace56be58868af78be7)
Fixes: ebc36ebb2349 ("scripts/feeds: install targets to target/linux/feeds and support overriding")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 00094efec33f07c9dc16cce23be492430c40b3cc)
This change was included in the original pull request but later omitted
for some reason:
https://github.com/openwrt/openwrt/pull/4936
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
(cherry picked from commit 4cccea02a60aee0dd77c4db35672c92e2fe384a1)
Serge Vasilugin reports:
To improve mt7620 built-in wifi performance some changes:
1. Correct BW20/BW40 switching (see comments with mark (1))
2. Correct TX_SW_CFG1 MAC reg from v3 of vendor driver see
https://gitlab.com/dm38/padavan-ng/-/blob/master/trunk/proprietary/rt_wifi/rtpci/3.0.X.X/mt76x2/chips/rt6352.c#L531
3. Set bbp66 for all chains.
4. US_CYC_CNT init based on Programming guide, default value was 33 (pci),
set chipset bus clock with fallback to cpu clock/3.
5. Don't overwrite default values for mt7620.
6. Correct some typos.
7. Add support for external LNA:
a) RF and BBP regs never be corrected for this mode
b) eLNA is driven the same way as ePA with mt7620's pin PA
but vendor driver explicitly pin PA to gpio mode (for forrect calibration?)
so I'm not sure that request for pa_pin in dts-file will be enough
First 5 changes (really 2) improve performance for boards w/o eLNA/ePA.
Changes 7 add support for eLNA
Configuration w/o eLAN/ePA and with eLNA show results
tx/rx (from router point of view) for each stream:
35-40/30-35 Mbps for HT20
65-70/60-65 Mbps for HT40
Yes. Max results for 2T2R client is 140-145/135-140
with peaks 160/150, It correspond to mediatek driver results.
Boards with ePA untested.
Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[directly include v3 of the patchset submitted upstream]
(cherry picked from commit 31a6605de04218e1c04bd5c2436c24d7d1c07506)
(cherry picked from commit e785ca05e9f0502894772f5df92192b816ba5d7c)
(cherry picked from commit 412fcf3d4400f84551f3ead0514834c62d94a251)
Add missing semicolon and refresh patches.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit d826c91704d2baa5e389c225791740e4c61d62c4)
Prepare patches for sending upstream by adding patch descriptions
generated from the original OpenWrt commits adding each patch.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit d4feb66048f6a8f387eedfb162a1184cdae9d756)
Package kernel module providing ESSIV support for block encryption.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4133102898502c9bb453e8603b6c891aa103bce4)
Re-introduce the queue wake fix that was reverted due to a regression,
but this time with the follow-up fixes that take care of the regression.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 9a93b62f315ad4c9f021c414ed80ba337ab4a01e)
(cherry-picked from commit 8b804cae5e039142bc63896a75f15146eca3bebc)
(cherry-picked from commit 8b06e06832ebe757246582b65306ad2a2537741f)
There are two feature currently altered by the multicast_to_unicast option.
1. bridge level multicast_to_unicast via IGMP snooping
2. hostapd/mac80211 config multicast_to_unicast setting
The hostapd/mac80211 setting has the side effect of converting *all* multicast
or broadcast traffic into per-station duplicated unicast traffic, which can
in some cases break expectations of various protocols.
It also has been observed to cause ARP lookup failure between stations
connected to the same interface.
The bridge level feature is much more useful, since it only covers actual
multicast traffic managed by IGMP, and it implicitly defaults to 1 already.
Renaming the hostapd/mac80211 option to multicast_to_unicast_all should avoid
unintentionally enabling this feature
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 09ea1db93b53d2c1e4a081f20fbbddd4bffd451d)
Import patch which removes the default pinctrl of uart0 to suppress
the unwanted warning. Apply also to downstream boards.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Import pending patch "arm: dts: mt7622: force high-speed mode for uart"
from Weijie Gao <weijie.gao@mediatek.com> fixing the UART problems on
MT7622 which made it hard to use the U-Boot menu on devices with this
SoC.
This patch is also contained in commit
c09eb08dad ("uboot-mediatek: add support for MT798x platforms")
in the development branch.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Treat missing compression node in FIT image as IH_COMP_NONE.
This is implicentely already happening in most places, but for now
was still triggering an annoying warning about initramfs compression
being obsolete despite compression note being absent.
Fix this.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 0a18456ffc25d6a26911fca6f9079090243c2284)
Truncating a UBI volume using `ubi write 0x0 volname 0x0` results in
segfault on newer U-Boot. Write 1MB of 0s instead.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit d118cbdfece181994a96d1bcb1868bd807d481bf)
Use 4k sectors when accessing the U-Boot environment on the 64MiB
SPI-NOR flash chip found in the UniFi 6 LR. The speeds up environment
write access as only 4kB instead of 64kB have to be written.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit f0adf253fdcf78ce005dad9652b405a4ad2726e6)
Image names as well as the calculation of the padded image size did
not work as intended. Fix that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 0bc8889e7b4f19d7e33a9be6c3db918fed051501)
Commit 0b7c66c ("at91bootstrap: add sama5d27_som1_eksd1_uboot as
default defconfig") changed default booting media for sama5d27_som1_ek
board w/o any reason. Changed it back to sdmmc0 as it is for all the
other Microchip supported distributions for this board (Buildroot,
Yocto Project). The initial commit cannot be cleanly reverted.
Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
(cherry picked from commit e9f12931e60ee291cd7d2c8fd19a14682dae0197)
Commit adc69fe (""uboot-at91: changed som1 ek default defconfigs")
changed the booting media to sdmmc1 as default booting w/o any reason.
The Microchip releases for the rest of supported distributions (Buildroot,
Yocto Project) uses sdmmc0 as default booting media for this board.
Thus change it back to sdmmc0. With this remove references to sdmmc1
config. The initial commit cannot be cleanly reverted.
Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
(cherry picked from commit 9a49788008c18fd4fe6fefe9697962c102fb14c6)
f5fcdcf cli: introduce test mode and refuse firewall restart on errors
a540f6d fw4: fix cosmetic issue with per-ruleset and per-table include paths
695e821 doc: fix swapped include positions in nftables.d README
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit ab31ffc425b59afc102f8a3275791c153f39c8f4)
Testing has shown it to be very unreliable in variety of configurations.
It is not mandatory, so let's disable it by default until we have a better
solution.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 2984a0420649733662ff95b0aff720b8c2c19f8a)
35fec487e30f05c81bd135326a993dad7f861812 fixed opkg usage,
but when using buildroot we were still defaulting to
ip(6)tables-legacy
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 0c8d7e34ab35f6b41f034fd94fec740970e0125b)
WPA3 enterprise requires group_mgmt_cipher=BIP-GMAC-256 and if 802.11r is
active also wpa_key_mgmt FT-EAP-SHA384. This commit also requires
corresponding changes in netifd.
Signed-off-by: Joerg Werner <schreibubi@gmail.com>
(cherry picked from commit 9fbb76c0470fd54f1f34909b1098d0f76078878f)
0dad3e6 Add support for CCMP-256 and GCMP-256 ciphers
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit cc6a323e2328176b732b13f1f09745354270cd39)
In the SDK the folder $(LINUX_DIR)/user_headers/include does not exist,
but it more or less contains the same content as
$(LINUX_DIR)/include/uapi which also exists in the SDK.
Since iproute2 commit 1d819dcc741e ("configure: fix parsing issue on
include_dir option") it checks if this folder exists and aborts the
build if it does not exists.
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=1d819dcc741e25958190e31f8186c940713fa0a8
With this commit the KERNEL_INCLUDE variable points to a valid folder
with the kernel include headers. I am not sure if they are actually
needed because the build worked before even with an invalid path.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 60738fedede1746922a8b227f24ad5c733661585)
