Commit Graph

1978 Commits

Author SHA1 Message Date
Felix Fietkau
b7f9742da8 mac80211: rework interface setup, fix race condition
Only tell netifd about vifs when the setup is complete and hostapd +
wpa_supplicant have been notified

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-11 10:40:43 +01:00
Felix Fietkau
3df9322771 hostapd: make ubus calls to wpa_supplicant asynchronous
This fixes a deadlock issue where depending on the setup order, hostapd and
wpa_supplicant could end up waiting for each other

Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-11 09:15:54 +01:00
Rafał Miłecki
1f11a4e283 uhttpd: handle reload after uhttpd-mod-ubus installation using postinst
Use postinst script to reload service instead of uci-defaults hack. It's
possible thanks to recent base-files change that executes postinst after
uci-defaults.

This fixes support for uhttpd customizations. It's possible (again) to
adjust uhttpd config with custom uci-defaults before it gets started.

Cc: Hauke Mehrtens <hauke@hauke-m.de>
Fixes: d25d281fd6 ("uhttpd: Reload config after uhttpd-mod-ubus was added")
Ref: b799dd3c70 ("base-files: execute package's "postinst" after executing uci-defaults")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2024-01-10 17:06:56 +01:00
Felix Fietkau
d864f68232 hostapd: add missing NULL pointer check on radar notification
Fixes a race condition that can lead to a hostapd crash

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-09 11:06:24 +01:00
David Bauer
f95eecfb21 dropbear: increase default receive window size
Increasing the receive window size improves throughout on higher-latency
links such as WAN connections. The current default of 24KB caps out at
around 500 KB/s.

Increasing the receive buffer to 256KB increases the throughput to at
least 11 MB/s.

Signed-off-by: David Bauer <mail@david-bauer.net>
2023-12-28 23:37:51 +01:00
Thibaut VARÈNE
8815a3114f dnsmasq: invert logic for "localuse"
Prior to this commit, "localuse" (which enables local resolving through
dnsmsasq) was off by "default". That default was in turn overridden when
"noresolv" was unset (which itself is the default for "noresolv") *and*
"resolvfile" was "/tmp/resolv.conf.d/resolv.conf.auto" (also the default
for this parameter).

In other words, the "default" unset value for "localuse" would only be
ever used in specific *non-default* configurations.

However, the problem with that logic is that a user who wants to ignore
their ISP-provided resolvers by setting "noresolv" to true ends up with
a device that will *only use* said resolvers for local DNS queries,
serving clients' queries via dnsmasq (which now ignores the ISP
resolvers). This can lead to confusion and break random setups as the
DNS lookup performed on clients behalf can differ in their replies from
DNS lookups performed locally on the router.

Furthermore, "localuse" is not configurable through Luci, contrary to
the other two involved settings, adding further confusion for the end
user.

To work around this situation, the logic that sets "localuse" is
inverted: "localuse" now defaults to on by default, and IFF "noresolv"
is unset (default) AND "resolvfile" is changed from default THEN
"localuse" gets turned back off, allowing for more sensible behaviour.

"localuse" value set in config/dhcp still overrides the logic in all
cases, as it did already.

Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
2023-12-16 15:28:21 +00:00
Felix Fietkau
f909059b74 hostapd: use new udebug ubus api to make debug rings configurable
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-11-30 20:08:56 +01:00
Sven Eckelmann
711dcb7763 dnsmasq: mark global ubus context as closed after fork
If the dnsmasq process forks to handle TCP connections, it closes the ubus
context. But instead of changing the daemon wide pointer to NULL, only the
local variable was adjusted - and this portion of the code was even dropped
(dead store) by some optimizing compilers.

It makes more sense to change the daemon->ubus pointer because various
functions are already checking it for NULL. It is also the behavior which
ubus_destroy() implements.

Fixes: d8b33dad0b ("dnsmasq: add support for monitoring and modifying dns lookup results via ubus")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
2023-11-26 19:58:35 +01:00
Felix Fietkau
0f283ab4c9 umdns: update to Git HEAD (2023-11-21)
9040335e102b interface: fix interface memory corruption
b1e023eda358 add udebug support

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-11-21 07:36:08 +01:00
Felix Fietkau
2723f16dda hostapd: add missing acl entries for udebug
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-11-20 14:10:27 +01:00
Felix Fietkau
effc305cda hostapd: add udebug support
This is not activated by default and must be explicitly enabled via ubus
It supports reporting log messages and netlink packets

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-11-20 11:58:54 +01:00
Nazar Mokrynskyi
684d1a5c35 hostapd: fix undeclared variable iface_name
Signed-off-by: Nazar Mokrynskyi <nazar@mokrynskyi.com>
2023-11-19 19:10:42 +01:00
Philip Prindeville
af64898c26 dnsmasq: Invoke new ipcalc with CIDR notation
The new rewritten ipcalc.sh understands 3 notations:

ipaddr/prefix ...
ipaddr/dotted-netmask ...
ipaddr dotted-netmask ...

meaning that the previous 4th non-standard notation of "ipaddr prefix"
will be dropped, alas that's the notation that dnsmasq currently uses.

This change has us using the first notation which is the most common.

This behavior came in as
eda27e8382
a long time ago.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2023-11-15 20:36:35 +00:00
Christian Marangi
05e516b12d
hostapd: refresh patches
Refresh patches for hostapd using make package/hostapd/refresh.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-11-09 16:07:55 +01:00
Christian Marangi
6c9ac57d58
hostapd: permit 40MHz in 802.1s only also for 2.4GHz g/n with noscan
Currently for 802.1s only, for wifi 2.4GHz in g/n mode, 40MHz is never
permitted.

This is probably due to the complexity of setting periodic check for the
intolerant bit. When noscan option is set, we ignore the presence of the
intoleran bit in near AP, so we can enable 40MHz and ignore any complex
logic for checking.

Fixes: #13112
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-11-09 15:58:38 +01:00
Christian Marangi
b1c7b1bd67
hostapd: permit also channel 7 for 2.5GHz to be set to HT40PLUS
Also channel 7 for 2.4GHz can be set to HT40PLUS. Permit this and add it
to the list of the channels.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-11-09 15:58:37 +01:00
Christian Marangi
1b5ea2e199
hostapd: fix broke noscan option for mesh
noscan option for mesh was broken and actually never applied.

This is caused by a typo where ssid->noscan value is check instead of
conf->noscan resulting in the logic swapped and broken.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-11-09 15:58:37 +01:00
Felix Fietkau
c2a30b6e01 hostapd: use rtnl to set up interfaces
In wpa_supplicant, set up wlan interfaces before adding them

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-11-08 12:46:29 +01:00
Felix Fietkau
531314260d wifi: fix applying mesh parameters when wpa_supplicant is in use
Apply them directly using nl80211 after setting up the interface.
Use the same method in wdev.uc as well

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-11-08 12:46:29 +01:00
Philip Prindeville
ac199c57c5
dnsmasq: don't source functions.sh twice
It's already pulled in from /etc/rc.common.

Fixes: #13758

Fixes: 6b23836071 ("package: avoid the use of eval to parse ipcalc.sh output")

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2023-11-02 20:29:38 +01:00
Petr Štetiar
6dca88aa4a
hostapd: fix broken WPS on broadcom-wl and ath11k
Upgrading wpa_supplicant from 2.9 to 2.10 breaks broadcom-wl/ath11k
based adapters. The reason for it is hostapd tries to install additional
IEs for scanning while the driver does not support this.

The kernel indicates the maximum number of bytes for additional scan IEs
using the NL80211_ATTR_MAX_SCAN_IE_LEN attribute. Save this value and
only add additional scan IEs in case the driver can accommodate these
additional IEs.

Bug: http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
Bug-Debian: https://bugs.debian.org/1004524
Bug-ArchLinux: https://bugs.archlinux.org/task/73495
Upstream-Status: Changes Requested [https://patchwork.ozlabs.org/project/hostap/patch/20220130192200.10883-1-mail@david-bauer.net]
Reported-by: Étienne Morice <neon.emorice@mail.com>
Tested-by: Étienne Morice <neon.emorice@mail.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2023-11-01 12:23:01 +00:00
David Bauer
39341f422f hostapd: fix OWE association with mbedtls
The code for hostapd-mbedtls did not work when used for OWE association.

When handling association requests, the buffer offsets and length
assumptions were incorrect, leading to never calculating the y point,
thus denying association.

Also when crafting the association response, the buffer contained the
trailing key-type.

Fix up both issues to adhere to the specification and make
hostapd-mbedtls work with the OWE security type.

Signed-off-by: David Bauer <mail@david-bauer.net>
2023-10-31 21:12:15 +01:00
Felix Fietkau
a2d8226c4f hostapd: do not trim trailing whitespace, except for newline
Fixes adding SSID or key with trailing whitespace

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-10-31 13:29:32 +01:00
Kevin Darbyshire-Bryant
0221b86032 odhcpd: Bump to latest commits
d8118f6 config: make sure timer is not on the timeouts list before freeing
4bbc6e7 add hostsfile output in addition to statefile

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2023-10-28 22:33:32 +01:00
Rahul Thakur
002f180a97
dnsmasq: add support for RA option 31
The option 31 in the RA specifies the DNS search list, the support
to configure this via UCI is missing in case dnsmasq-dhcpv6 is used.

This commit uses the uci option domain (same as is done by odhcpd) to
read and pass the DNS search list to dnsmasq, which is then used by RA.

Hence, with this commit, we are able to configure DNS search list for the
RA messages via the uci config when dnsmsaq-dhcpv6 is used.

Signed-off-by: Rahul Thakur <rahul.thakur@iopsys.eu>
2023-10-20 16:04:59 +02:00
Felix Fietkau
3e1ac00ccb umdns: update to the latest version
479c7f8676d9 cache: make record/hostname lookup case-insensitive
26c97a5a50bf ubus: add a browse flag for suppressing cached ip addresses
c286c51a9bd9 Fix AVL tree traversal in cache_record_find and cache_host_is_known
4035fe42df58 interface: use a global socket instead of per-interface ones
c63d465698c7 cache: dump hostname target from srv records
b42b22152d73 use hostname from SRV record to look up IP addresses
d45c443aa1e6 ubus: add array flag support for the hosts method

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-10-19 19:15:32 +02:00
Nick Hainke
91d2ead3c3 hostapd: increase PKG_RELEASE to fix builds
Recent hostapd changes just edited the ucode files. It is required to
bump the PKG_RELEASE to include the newest changes in the latest builds.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-09-29 11:26:49 +02:00
Felix Fietkau
abceef120d hostapd: fix wpa_supplicant mac address allocation on ap+sta
If the full interface is restarted while bringing up an AP, it can trigger a
wpa_supplicant interface start before wpa_supplicant is notified of the
allocated mac addresses.
Fix this by moving the iface_update_supplicant_macaddr call to just after
the point where mac addresses are allocated.

Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-28 10:30:14 +02:00
Felix Fietkau
0c43a48735 hostapd: fix mac address of interfaces created via wdev.uc
Use the wdev config with the generated MAC address

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-27 15:04:25 +02:00
Felix Fietkau
f1bb528ae7 hostapd: fix rare crash with AP+STA and ACS enabled
Ensure that the iface disable in uc_hostapd_iface_start also clears the ACS
state.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-25 18:46:22 +02:00
Leon M. Busch-George
9f52a57c99 package: dnsmasq: remove off-by-one mitigation for limit
In the dnsmasq init script, an off-by-one in the range calculation of
ipcalc.sh was mitigated by passing the limit as if its counting started
at zero. This patch removes the mitigation as the off-by-one has been
fixed.

Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
2023-09-25 15:02:49 +02:00
Leon M. Busch-George
6b23836071 package: avoid the use of eval to parse ipcalc.sh output
Add a function 'ipcalc' to /lib/functions.sh that sets variables more
safely using export.
With this new function, dnsmasq also handles the return value of ipcalc
correctly.

Fixes: e4bd3de1be ("dnsmasq: refuse to add empty DHCP range")
Co-Authored-By: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
2023-09-25 15:02:49 +02:00
Sebastian Pflieger
3ce909914a lldpd: add lldp_syscapabilities config option
allow to overwrite the detected system capabilities e.g. if devices
does not operate as bridge.

Signed-off-by: Sebastian Pflieger <sebastian@pflieger.email>
2023-09-24 17:07:28 +02:00
Felix Fietkau
3a5ad6e3d7 hostapd: fix patch rebase after a crash fix
The patch refresh accidentally moved the hostapd_ucode_free_iface call to
the wrong function

Fixes: e9722aef9e ("hostapd: fix a crash when disabling an interface during channel list update")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-22 20:00:13 +02:00
Felix Fietkau
fd6d7aafb2 hostapd: fix wpa_supplicant bringup with non-nl80211 drivers
Needed for wired 802.1x

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-22 07:59:27 +02:00
Felix Fietkau
4145ff4d8a hostapd: add missing NULL pointer check in uc_hostapd_iface_stop
Avoid crashing if the interface has already been removed

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-20 18:40:33 +02:00
Felix Fietkau
e9722aef9e hostapd: fix a crash when disabling an interface during channel list update
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-20 14:11:14 +02:00
Felix Fietkau
a511480368 hostapd: use phy name for hostapd interfaces instead of first-bss ifname
Improves reliability in error handling

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-19 11:56:30 +02:00
Felix Fietkau
93e147c9e6 hostapd: fix dynamically adding interfaces with 802.11ax support disabled in the build
Move an important code line outside of #ifdef CONFIG_IEEE80211AX

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-18 16:51:34 +02:00
Felix Fietkau
f5380184e6 hostapd: add missing ubus ACL entries for AP+client (#13449)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-15 20:42:56 +02:00
Felix Fietkau
50e16efd41 hostapd: support dynamic reload of vlan files when renaming interfaces
Avoids unnecessary AP restart on ifname changes when wifi-vlan sections
are present.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-15 14:25:27 +02:00
Felix Fietkau
4acbe4e336 hostapd: fix more AP+STA issues
When STA is disconnected, ensure that the interface is in a cleanly stopped
state:
 - if in regular enable/disable state, stop beacons if necessary
 - in any other state, disable the interface

When the STA is up, ignore repeated start commands for the same channel, in
order to avoid unnecessary AP restarts

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-14 19:13:36 +02:00
Felix Fietkau
a63e118f77 hostapd: fix more dynamic reload issues
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-14 19:13:36 +02:00
Felix Fietkau
6cf27094e9 hostapd: add missing return statement
Avoids crash due to uninitialized stack/register garbage

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-13 22:57:49 +02:00
Felix Fietkau
7365e8f1bb hostapd: do not modify hapd->started when stopping an AP
It can cause cleanup to be skipped on wifi restart, which can lead to
use-after-free bugs

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-13 17:07:21 +02:00
Felix Fietkau
a463bd8c99 hostapd: update to the latest version
8e6485a1bcb0 PEAP client: Update Phase 2 authentication requirements
de9a11f4dde9 TTLS client: Support phase2_auth=2
b2a1e7fe7ab9 tests: PEAP and TTLS phase2_auth behavior
518ae8c7cca8 P2P: Do not print control characters in debug
a4c133ea73c7 WPS: Optimize attribute parsing workaround
7a37a94eaa0d Check whether element parsing has failed
f80d83368818 ACS: Remove invalid debug print
fb2b7858a728 FILS: Fix HE MCS field initialization
50ee26fc7044 P2P: Check p2p_channel_select() return value
a50d1ea6a2b3 Add QCA vendor attributes for user defined power save parameters
4636476b7f22 Set RRM used config if the (Re)Association Request frame has RRM IE
e53d44ac63e8 AP MLD: Use STA assoc link address in external auth status to the driver
99a96b2f9df7 AP MLD: OWE when SME is offloaded to the driver
96deacf5d710 nl80211: Skip STA MLO link channel switch handling in AP mode
d320692d918a AP MLD: Handle new STA event when using SME offload to the driver
faee8b99e928 tests: Fix eht_mld_sae_legacy_client to restore sae_pwe
c3f465c56c94 wlantest: Handle variable length MIC field in EAPOL-Key with OWE
605034240e0c wlantest: Support multiple input files
053bd8af8ed2 Recognize FTE MLO subelements
43b5f11d969a Defragmentation of FTE
3973300b8ded FTE protected element check for MLO Reassociation Response frame
74e4a0a6f1e4 wlantest: Learn AP MLD MAC address from Beacon frames
a5a0b2cf7b1b wlantest: Find non-AP MLD only from affiliated BSSs of the AP MLD
74472758584d wlantest: Recognize non-AP MLD based on any link address for decryption
1ffabd697c67 wlantest: Learn non-AP MLD MAC address from (Re)Association Request frames
4e8e515f92b9 wlantest: Use MLO search for the STA in reassociation
49bf9f2df95a wlantest: Use the MLD MAC address as well for matching STA entries
5434a42ec69c wlantest: Search for FT Target AP using MLD MAC address as well
a19fcf685cae wlantest: Include the MLD MAC address of the AP MLD in new-STA prints
709d46da73da wlantest: Do not claim update to AP MD MAC address if no change
770760454f9e wlantest: Do not update BSS entries for other AP MLDs in PTK cloning
084745ffc508 Add QCA vendor attributes for NDP setup
bf9cbb462fd9 Fix writing of BIGTK in FT protocol
011775af9443 tests: Check for beacon loss when using beacon protection
8f148d51322f Fix a compiler warning on prototype mismatch
b7db495ad9c9 AP: Fix ieee802_1x_ml_set_sta_authorized()
232667eafe0d Fix CCMP test vector issues
30771e6e05ed Include PTID in PV1 nonce construction for CCMP test vector
34841cfd9aba Minor formatting changes to CCMP test vectors
a685d84139e6 BSS coloring: Fix CCA with multiple BSS
bc0636841a70 wpa_supplicant: Fix configuration parsing error for tx_queue_*
2763d1d97e66 hostapd: Fix AID assignment in multiple BSSID
763a19286e2f AP: Add configuration option to specify the desired MLD address
bd209633eb10 AP: Use is_zero_ether_addr() to check if BSSID is NULL
bc0268d053b4 wlantest: Guess SAE/OWE group from EAPOL-Key length mismatch
a94ba5322803 EHT: Support puncturing for 320 MHz channel bandwidth
7e1f5c44c97e EHT: 320 MHz DFS support
6f293b32112a QCA vendor attributes for updating roaming AP BSSID info
5856373554eb Extend QCA vendor command to include more parameters for netdev events
e080930aa0a5 Define QCA vendor roam control RSSI attributes
fe72afe713ad Define QCA vendor attribute for high RSSI roam trigger threshold
47a65ccbfde2 P2P: Clean wpa_s->last_ssid when removing a temporary group network
884125ab7d21 tests: P2P autonomous GO and clearing of networking information
7637d0f25053 P2P: Do not filter pref_freq_list if the driver does not provide one
dd1330b502ff Fix hostapd interface cleanup with multiple interfaces
0a6842d5030e nl80211: Fix beacon rate configuration for legacy rates 36, 48, 54 Mbps
d606efe054d5 tests: Beacon rate configuration for 54 Mbps
f91d10c0e6aa tests: Update RSA 3k certificates
07d3c1177bbb tests: Make sae_proto_hostapd_status_* more robust
1085e3bdc6f6 Update iface->current_mode when fetching new hw_features
338a78846b44 Add a QCA vendor sub command for transmit latency statistics
9318db7c38bc wlantest: Use local variables for AA/SPA in FT Request/Response processing
628b9f10223d wlantest: Derive PMK-R1 and PTK using AA/SPA for MLO FT over-the-DS
104aa291e5c8 wlantest: Fix FT over-the-DS decryption
37c87efecfe3 wlantest: Search SPA using MLO aware find for FT Request/Response frame
19f33d7929e8 wlantest: Learn the Link ID for AP MLD affiliated BSSs
6ae43bb10323 wlantest: Learn link address for assoc link from (Re)Association Request
4c079dcc64da Increment hmac_sha*_vector() maximum num_elem value to 25
e6f64a8e1daf FT: FTE MIC calculation for MLO Reassociation Request frame
a83575df5994 wlantest: FTE MIC calculation for MLO Reassociation Request frames
ff02f734baf8 wlantest: Allow specific link BSS to be found with bss_find_mld()
7381c60db8f0 FT: Make FTE MIC calculation more flexible
ac9bf1cc2a4c Decrement hmac_sha*_vector() maximum num_elem value to 11
aa08d9d76803 Fix use of defragmented FTE information
78b153f90a74 Calculate defragmented FTE length during IE parsing
8cf919ffd5c4 wlantest: FTE MIC calculation for MLO Reassociation Response frame
d12a3dce82a9 wlantest: Store and check SNonce/ANonce for FT Authentication
20febfd7838d wlantest: Dump MLO association information in debug
609864d6a8a1 Add QCA vendor attribute to configure MLD ID in ML probe request
12154861e24a Add support for conversion to little endian for 24 bits
c437665041c0 Add Non EHT SCS Capability in (Re)Association Request frames
33da386553b7 SCS: Add support for QoS Characteristics in SCS request
edfca280cbe8 SCS: Add support for optional QoS Charateristics parameters
32dcec9529ec Send actual MFP configuration when driver takes care of BSS selection
123d16d860fa Update hw_mode when CSA finishes
b3d852560bda Change QCA vendor configure attribution name of peer MAC address
12fabc4765c2 Add QCA vendor attribute for configuring max A-MPDU aggregation count
f6eaa7b729cb Add QCA vendor attribute for TTLM negotiation support type
f6dcd326fea7 wlantest: Indicate ToDS/FromDS values for BSS DATA entries
6ce745bb87d4 wlantest: MLO support for decrypting 4-address frames
850dc1482953 wlantest: Remove duplicated A1/A2/A3 override detection for MLO
770e5a808fbb wlantest: Determine whether A1 points to STA once in rx_data_bss_prot()
377d617b574a Define new BSS command info mask for AP MLD address
d3ab6e001f62 wlantest: Use non-AP MLD's MLD MAC address in FT over-the-air derivation
a845601ffe32 wlantest: Derive PTK in MLO using MLD MAC addresses for FT over-the-air
0cd2bfc8a402 wlantest: Fix FTE MIC calculation for MLO Reassociation Response frames
528abdeb673b wlantest: Learn group keys from MLO FT Reassociation Response frames
990600753dd9 wlantest: Defragment Basic MLE before processing
de043ec01ab5 wlantest: Defragment the Per-STA Profile subelement
bae1ec693c44 wlantest: Minimal parsing of Basic MLE STA Profile
ba1579f3bf7c Clear BIGTK values from wpa_supplicant state machine when not needed
b46c4b9a916a tests: Beacon protection and reconnection
3e71516936b7 Document per-ESS MAC address (mac_addr=3 and mac_value)
f85b2b2dee3b Extend wpa_parse_kde_ies() to include EHT capabilities
e3a68081bc1e driver: Add option for link ID to be specified for send_tdls_mgmt()
c7561502f2e8 nl80211: Use a QCA vendor command to set the link for TDLS Discovery Response
a41c8dbdd84e TDLS: Copy peer's EHT capabilities
626501434be1 TDLS: Learn MLD link ID from TDLS Discovery Response
5f30f62eead7 TDLS: Reply to Discovery Request on the link with matching BSSID
940ef9a05c0f TDLS: Use link-specific BSSID instead of sm->bssid for MLO cases
f429064189c3 TDLS: Set EHT/MLO information for TDLS STA into the driver
dd25885a9daa Remove space-before-tab in QCA vendor related definitions
af6e0306b2a9 Fix typos in QCA vendor related definitions
4c9af238c1e4 Fix inconsistent whitespace use in QCA vendor related definitions
e5ccbfc69ecf Split long comment lines in QCA vendor related definitions

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-13 12:37:44 +02:00
Felix Fietkau
20c667cc88 hostapd: rework reload support and MAC address handling
MAC address and interface name assigned by mac80211.sh depend on the order in
which interfaces are brought up. This order changes when interfaces get added
or removed, which can cause unnecessary reload churn.

One part of the fix it making MAC address allocation more dynamic in both
wpa_supplicant and hostapd, by ignoring the provided MAC address using
the next available one, whenever the config does not explicitly specify one.

The other part is making use of support for renaming netdevs at runtime and
preserving the MAC address for renamed netdevs.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-13 12:37:44 +02:00
Felix Fietkau
13c1080a3f hostapd: move mac address allocation from mac80211.sh to wdev.uc
Preparation for upcoming hostapd reload improvements

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-13 12:37:44 +02:00
Felix Fietkau
8566ddc8b3 hostapd: add internal API for renaming AP interfaces
Will be used for improving reload support

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-13 12:37:44 +02:00
Felix Fietkau
ddd012d5ff hostapd: fix AP+STA configuration with autochannel enabled
Properly disable the interface when requested
Disable ACS when bringing it back up on the new channel

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-13 12:36:55 +02:00
Felix Fietkau
4871acef79 hostapd: update interface/bss list after set_config calls
set_config causes the ucode bss resource to be re-created and because of that
the bss list needs to be updated as well

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-13 10:47:35 +02:00
Felix Fietkau
499ca4cbe0 hostapd: fix bringing up AP in AP+mesh configurations
Pass the correct frequency + secondary channel offset to hostapd

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-12 14:09:59 +02:00
Felix Fietkau
ea1787b7bc hostapd: clear ucode interface/bss resource pointers
Avoids potential use-after-free bugs

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-12 14:09:58 +02:00
Felix Fietkau
36a9f8449c hostapd: fix applying gratuitous ARP settings with bridge-vlan
The arp_accept setting needs to be applied to the snoop_iface

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-12 12:58:26 +02:00
Felix Fietkau
4a0b1af905 hostapd: allow adding initial AP without breaking STA interface connection
When switching from a STA-only configuration to AP+STA on the same phy, the
STA was previously restarted in order to notify hostapd of the new frequency,
which might not match the AP configuration.
Fix the STA restart by querying the operating frequency from within hostapd
when bringing up the AP.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-03 09:51:28 +02:00
Felix Fietkau
d65354488d hostapd: fix config change detection on boolean values
Check for null instead of truish value

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-03 09:51:08 +02:00
Felix Fietkau
3b44e0a4c1 hostapd: fix parsing HT secondary channel offset
It returned the wrong value when using HT40-

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-02 19:39:24 +02:00
Felix Fietkau
2021ca0a02 hostapd: reset center_seg0_idx for 2.4 GHz
Fixes 40 MHz channel bandwidth on 2.4 GHz AP+STA

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-02 19:39:24 +02:00
Felix Fietkau
b460ec66ed hostapd: use proper helper functions for setting seg0/seg1 idx and chwidth
Simplifies code and removes #ifdef statements

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-02 19:39:24 +02:00
Felix Fietkau
821cf6dd38 hostapd: remove cfg80211 dependency
Always enable nl80211 driver support

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-09-01 12:18:13 +02:00
Felix Fietkau
560965d582 hostapd: select libopenssl-legacy for openssl variants
Without it, a lot of authentication modes fail without obvious error messages

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-31 13:12:25 +02:00
Felix Fietkau
b0501d380f hostapd: remove eap-eap192 auth type value
It is no longer used

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-31 13:05:13 +02:00
Felix Fietkau
b63df6ce5d hostapd: support eap-eap2 and eap2 auth_type values
WPA3 Enterprise-transitional requires optional MFP support and SHA1+SHA256
WPA3 Enterprise-only requires SHA1 support disabled and mandatory MFP.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-31 13:05:13 +02:00
Felix Fietkau
f0d1349b52 hostapd: fix FILS key mgmt type for WPA3 Enterprise 192 bit
Use the SHA384 variant to account for longer keys with more security

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-31 13:05:13 +02:00
Felix Fietkau
22ca6fdeeb hostapd: fix bringing up AP+STA when the new channel is on a DFS channel
If a CAC is needed because the channel is not available yet, a full AP
interface restart is needed

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-24 18:29:36 +02:00
Felix Fietkau
f3eb998e7e hostapd: in AP/STA, shut down AP interfaces when STA enters scanning state
When the STA is brought up, it is set to DISABLED before adding the bss to ucode,
so the first trigger to disable the AP is missed.

Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-23 19:05:47 +02:00
Felix Fietkau
aa5f2cb63c hostapd: remove obsolete patch
It was only needed when hostapd was being started with one instance per PHY

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-23 19:05:46 +02:00
David Bauer
c46df4f1e2 hostapd: allow reduced neighbor report configuration
Reduced neighbor reports can be enabled by setting the "rnr" uci option
to 1.

Signed-off-by: David Bauer <mail@david-bauer.net>
2023-08-22 13:37:27 +02:00
Stijn Tintel
324673914d hostapd: revert upstream commit to fix #13156
Commit e978072baaca ("Do prune_association only after the STA is
authorized") causes issues when an STA roams from one interface to
another interface on the same PHY. The mt7915 driver is not able to
handle this properly. While the commits fixes a DoS, there are other
devices and drivers with the same limitation, so revert to the orginal
behavior for now, until we have a better solution in place.

Fixes: #13156
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2023-08-18 23:45:16 +02:00
Felix Fietkau
a61fd0f0bb hostapd: fix bringing up mesh without supplicant when mcast rate is specified
The iw command expects a specific command line argument

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-17 17:44:59 +02:00
Felix Fietkau
a0a5b97674 hostapd: do not store data in object prototype
It cannot be properly cloned, since it is attached to the resource type.
Use a separate registry for data. Fixes object confusion issues

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-12 08:42:12 +02:00
Felix Fietkau
f1c4751ba6 hostapd: restart wifi when the bssid of the first interface changes
Full restart is necessary, since the bss wdev is not re-created

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-11 23:29:22 +02:00
Felix Fietkau
c1600df91f hostapd: shut down client mode on the same phy while restarting AP
An active client mode interface could prevent the AP from claiming its channel
and mess up the bringup sequence order

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-11 23:29:22 +02:00
Felix Fietkau
c5988f4c01 hostapd: fix center frequency calculation for channel 149 and above
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-11 15:43:43 +02:00
Felix Fietkau
9c2c6d19f3 hostapd: add missing #ifdef for non-802.11ax builds
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-11 07:10:23 +02:00
Felix Fietkau
847984c773 hostapd: reimplement AP/STA support via ucode
Drop obsolete control interface patches.
This fixes some corner cases in the previous code where the segment 0 center
frequency was not adjusted properly, leading to logspam and non-working AP
interfaces.
Additionally, shutting down the AP was broken, because the next beacon update
would re-enable it, leading to a race condition on assoc.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-10 22:33:00 +02:00
Felix Fietkau
ed0ad7759c hostapd: remove config_id parameters from hostapd.conf
They are no longer used

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-10 22:27:59 +02:00
Felix Fietkau
fe8bf65d1d hostapd: add missing ucv_get call in wpa_supplicant
Should be harmless, but fix it just in case

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-10 19:09:42 +02:00
Felix Fietkau
6cb8bb1675 hostapd: clone prototypes of ucode bss/interface objects
Fixes an issue where lookup would return different objects than the ones intended

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-10 19:09:42 +02:00
Felix Fietkau
d198c77764 hostapd: fix typo in ssid variable for non-supplicant mesh interface bringup
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-09 10:51:46 +02:00
Felix Fietkau
9b56c27a8a hostapd: add extra sanity checks for config reload
Avoid getting stuck because of bad configurations

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-08 20:11:43 +02:00
Felix Fietkau
5ae3b195a1 hostapd: fix bss color CCA issue with multiple wifi interfaces
Fixes this error: hostapd: nl80211: kernel reports: integer out of range

Reported-by: Hartmut Birr <e9hack@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-07 22:02:57 +02:00
Felix Fietkau
b8be20c7e8 hostapd: fix unused device removal on DBDC devices
Check the phy before removing unrelated netdevs on the same hw device

Reported-by: Hartmut Birr <e9hack@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-03 18:51:00 +02:00
Felix Fietkau
150e6d28f2 hostapd: fix undeclared variable in common.uc
Fixes: https://github.com/openwrt/openwrt/issues/13210
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-02 13:30:26 +02:00
Felix Fietkau
4a4e0c636f hostapd: fix mesh supplicant build error
Include AP ucode source file

Fixes: e56c5f7b27 ("hostapd: add ucode support, use ucode for the main ubus object")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-01 13:43:56 +02:00
Felix Fietkau
e56c5f7b27 hostapd: add ucode support, use ucode for the main ubus object
This implements vastly improved dynamic configuration reload support.
It can handle configuration changes on individual wifi interfaces, as well
as adding/removing interfaces.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-01 10:08:03 +02:00
Felix Fietkau
33e4ad767e hostapd: switch to using uloop (integrated with built-in eloop)
Preparation for pulling in more code that uses uloop

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-01 10:06:29 +02:00
Felix Fietkau
9769655d1b hostapd: add support for querying assoc/probe IEs
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-01 10:06:28 +02:00
Felix Fietkau
57fbbf15cd hostapd: add experimental radius server
This can be used to run a standalone EAP server that can be used from
other APs. It uses json as user database format and can automatically
handle reload.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-01 10:05:13 +02:00
Etienne Champetier
6ac61dead9 dropbear: add ed25519 for failsafe key
At least Fedora and RHEL 9 set RSAMinSize=2048, so when trying to use
failsafe, we get 'Bad server host key: Invalid key length'
To workaround the issue, we can use: ssh -o RSAMinSize=1024 ...

Generating 2048 bits RSA is extremely slow, so add ed25519.
We keep RSA 1024 to be as compatible as possible.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2023-07-26 14:00:01 +02:00
Felix Fietkau
adfeda8491 hostapd: add fix for dealing with VHT 160 MHz via ext nss bw
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-07-14 10:09:34 +02:00
Andre Heider
cd804c1ebb hostapd: update to 2023-06-22
Removed, merged upstream:
- 170-wpa_supplicant-fix-compiling-without-IEEE8021X_EAPOL.patch

Manually refreshed:
- 040-mesh-allow-processing-authentication-frames-in-block.patch
- 600-ubus_support.patch
- 761-shared_das_port.patch

Fixes: #12661
Fixes: 304423a4 ("hostapd: update to 2023-03-29")
Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-07-07 14:26:58 +02:00
Hauke Mehrtens
7a6f6b8126 uhttpd: update to latest git HEAD
34a8a74 uhttpd/file: fix string out of buffer range on uh_defer_script

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-06-25 22:48:55 +02:00
Christian Marangi
acd9981b4e
odhcpd: bump to latest git HEAD
5211264 odhcpd: add support for dhcpv6_pd_min_len parameter
c6bff6f router: Add PREF64 (RFC 8781) support

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-06-24 19:09:14 +02:00
Stijn Tintel
b57703264f hostapd: add UCI option for Multiple BSSID
Add an UCI option to enable Multiple BSSID Advertisement. Enabling this
will announce all BSSIDS on a phy in a single beacon frame. The
interface that is brought up first will be the transmitting profile, all
others are non-transmitting profiles and will be advertised in the
Multiple BSSID element in Beacon and Probe Response frames of the first
interface.

This depends on driver and client support. Enabling this will result in
all but the first interface not being visible at all for clients that do
not support it.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2023-06-16 02:42:04 +03:00
Christian Marangi
8c1bd9b6a5
ppp: backport patches improving ppp interface creation
Backport patches improving ppp interface creation. As a side effect this
also fix a bug from using netdev trigger that suffer from LED state
wrongly set due to using old ioctl for ppp creation.

Tested-by: Csaba Sipos <metro4@freemail.hu>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-06-14 05:40:26 +02:00
Felix Fietkau
7b1e898336 unetd: update to the latest version
412d03012f13 network: prevent adding endpoint routes for addresses on the network
faaf9cee6ef4 utils: fix ipv4 checksum issue
0e1c2fad3540 pex-msg: fix memory leak on fread fail in pex_msg_update_request_init
51be0ed659d0 host: fix crash parsing gateway when no endpoint is specified
ca17601dc24e wg-linux: add support for splitting netlink messages for allowed ips
7d3986b7a5a2 wg-linux: increase default messages size

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-06-04 16:54:52 +02:00
Felix Fietkau
67e8cc07f9 hostapd: remove unused legacy wireless extension support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-05-26 13:33:45 +02:00
Nick Hainke
17fbbafdcb lldpd: update to 1.0.17
Release Notes:
https://github.com/lldpd/lldpd/releases/tag/1.0.17

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-22 18:48:36 +02:00
Nozomi Miyamori
d728d05c6c dropbear: add ForceCommand uci option
adds ForceCommand option. If the command is specified,
it forces users to execute the command when they log in.

Signed-off-by: Nozomi Miyamori <inspc43313@yahoo.co.jp>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2023-05-20 23:24:50 +02:00
Mark Baker
ce81896769 umdns: Update to umdns HEAD
Update to umdns HEAD to include latest enhancements for browse method
filtering, return of TXT records as an array, dumping IPv4/6 as an
array, and including the interface name in a browse reply.

Signed-off-by: Mark Baker <mark@vpost.net>
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> #ipq807x, mt7621, x86_64
2023-05-18 18:07:17 +02:00
Tianling Shen
48ed07bc0b treewide: replace AUTORELEASE with real PKG_RELEASE
Based on Paul Fertser <fercerpav@gmail.com>'s guidance:
Change AUTORELEASE in rules.mk to:
```
AUTORELEASE = $(if $(DUMP),0,$(shell sed -i "s/\$$(AUTORELEASE)/$(call commitcount,1)/" $(CURDIR)/Makefile))
```

then update all affected packages by:
```
for i in $(git grep -l PKG_RELEASE:=.*AUTORELEASE | sed 's^.*/\([^/]*\)/Makefile^\1^';);
do
	make package/$i/clean
done
```

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-05-18 11:35:29 +02:00
Felix Fietkau
4e5aac4729 bridger: update to the latest version
d4f56f0e6971 add support for handling traffic to/from the bridge device
3ea579064c00 nl: add separate socket for netlink commands
4ec5a51c6d01 nl: fetch packet stats for offloaded flows
0319fd080bf5 add support for configuring a fixed output port for a bridge member port
5b730f0c2cf5 bridger-bpf: fix build on older kernels
00af6c6e8350 nl: process IFLA_MASTER in any nl events, but skip wireless events
a2794f95756e bridger-bpf: add bpf_skb_pull_data call
6974093eb036 nl: rework vlan code to use the iflink API
d0f79a16c749 nl: do not attempt to enable flow offload on older kernels

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-05-12 21:18:31 +02:00
Nick Hainke
304423a4ff
hostapd: update to 2023-03-29
Add patches:
- 170-wpa_supplicant-fix-compiling-without-IEEE8021X_EAPOL.patch

Remove upstreamed:
- 170-DPP-fix-memleak-of-intro.peer_key.patch
- 461-driver_nl80211-use-new-parameters-during-ibss-join.patch
- 800-acs-don-t-select-indoor-channel-on-outdoor-operation.patch
- 992-openssl-include-rsa.patch

Automatically refreshed:
- 011-mesh-use-deterministic-channel-on-channel-switch.patch
- 021-fix-sta-add-after-previous-connection.patch
- 022-hostapd-fix-use-of-uninitialized-stack-variables.patch
- 030-driver_nl80211-rewrite-neigh-code-to-not-depend-on-l.patch
- 040-mesh-allow-processing-authentication-frames-in-block.patch
- 050-build_fix.patch
- 110-mbedtls-TLS-crypto-option-initial-port.patch
- 120-mbedtls-fips186_2_prf.patch
- 140-tests-Makefile-make-run-tests-with-CONFIG_TLS.patch
- 150-add-NULL-checks-encountered-during-tests-hwsim.patch
- 160-dpp_pkex-EC-point-mul-w-value-prime.patch
- 200-multicall.patch
- 300-noscan.patch
- 310-rescan_immediately.patch
- 330-nl80211_fix_set_freq.patch
- 341-mesh-ctrl-iface-channel-switch.patch
- 360-ctrl_iface_reload.patch
- 381-hostapd_cli_UNKNOWN-COMMAND.patch
- 390-wpa_ie_cap_workaround.patch
- 410-limit_debug_messages.patch
- 420-indicate-features.patch
- 430-hostapd_cli_ifdef.patch
- 450-scan_wait.patch
- 460-wpa_supplicant-add-new-config-params-to-be-used-with.patch
- 463-add-mcast_rate-to-11s.patch
- 465-hostapd-config-support-random-BSS-color.patch
- 500-lto-jobserver-support.patch
- 590-rrm-wnm-statistics.patch
- 710-vlan_no_bridge.patch
- 720-iface_max_num_sta.patch
- 730-ft_iface.patch
- 750-qos_map_set_without_interworking.patch
- 751-qos_map_ignore_when_unsupported.patch
- 760-dynamic_own_ip.patch
- 761-shared_das_port.patch
- 990-ctrl-make-WNM_AP-functions-dependant-on-CONFIG_AP.patch

Manually refresh:
- 010-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch
- 301-mesh-noscan.patch
- 340-reload_freq_change.patch
- 350-nl80211_del_beacon_bss.patch
- 370-ap_sta_support.patch
- 380-disable_ctrl_iface_mib.patch
- 464-fix-mesh-obss-check.patch
- 470-survey_data_fallback.patch
- 600-ubus_support.patch
- 700-wifi-reload.patch
- 711-wds_bridge_force.patch
- 740-snoop_iface.patch

Tested-by: Packet Please <pktpls@systemli.org> [Fritzbox 4040 (ipq40xx),
           EAP225-Outdoor (ath79); 802.11s, WPA3 OWE, and WPA3 PSK]
Tested-by: Andrew Sim <andrewsimz@gmail.com> [mediatek/filogic]
Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-22 23:18:15 +02:00
Christian Marangi
75f7e2d10b
odhcpd: bump to latest git HEAD
40ab806 config: use dedicated link local function to check interface
a84bff2 netlink: add support for getting interface linklocal
2ea065f Revert "config: recheck have_link_local on interface reload if already init"
4b38e6b config: fix feature for enabling service only when interface RUNNING

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-04-04 06:43:23 +02:00
Ian Dall
ed86454578 dnsmasq: configure dynamic dhcp6 and dhcp4 independently
Given ipv6 has SLAAC it is quite plausible to wish to use dynamic
dhcp4 but static dhcp6. This patch keeps dynamicdhcp as the default
option for both, but is overridden by dynamicdhcpv6 or dynamicdhcpv4

Signed-off-by: Ian Dall <ian@beware.dropbear.id.au>
2023-04-01 22:35:13 +02:00
Ruben Jenster
936df715de dnsmasq: add dhcphostsfile to ujail sandbox
The dhcphostsfile must be mounted into the (ujail) sandbox.
The file can not be accessed without this mount.

Signed-off-by: Ruben Jenster <rjenster@gmail.com>
2023-04-01 22:22:49 +02:00
Christian Marangi
eeaa71a3de
odhcpd: bump to latest git HEAD
29c934d config: recheck have_link_local on interface reload if already init

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-03-24 02:01:07 +01:00
Christian Marangi
d2fc620d0a
odhcpd: bump to latest git HEAD
7c0f603 router: skip RA and wait for LINK-LOCAL to be assigned
ba30afc config: skip interface setup if interface not IFF_RUNNING
06b111e Revert "odhcpd: Reduce error messages"
90d6cc9 odhcpd: Reduce error messages

Also drop AUTORELEASE since it got deprecated.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-03-22 06:39:51 +01:00
Andre Heider
07730ff346
treewide: add support for "lto" in PKG_BUILD_FLAGS
This reduces open coding and allows to easily add a knob to enable
it treewide, where chosen packages can still opt-out via "no-lto".

Some packages used LTO, but not the linker plugin. This unifies 'em
all to attempt to produce better code.
Quoting man gcc(1):
"This improves the quality of optimization by exposing more code to the
link-time optimizer."

Also use -flto=auto instead of -flto=jobserver, as it's not guaranteed
that every buildsystem uses +$(MAKE) correctly.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-03-21 18:28:22 +01:00
Andre Heider
da3700988d
treewide: add support for "gc-sections" in PKG_BUILD_FLAGS
This reduces open coding and allows to easily add a knob to
enable it treewide, where chosen packages can still opt-out via
"no-gc-sections".

Note: libnl, mbedtls and opkg only used the CFLAGS part without the
LDFLAGS counterpart. That doesn't help at all if the goal is to produce
smaller binaries. I consider that an accident, and this fixes it.

Note: there are also packages using only the LDFLAGS part. I didn't
touch those, as gc might have been disabled via CFLAGS intentionally.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-03-21 18:28:22 +01:00
Andre Heider
5c545bdb36
treewide: replace PKG_USE_MIPS16:=0 with PKG_BUILD_FLAGS:=no-mips16
Keep backwards compatibility via PKG_USE_MIPS16 for now, as this is
used in all package feeds.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-03-21 18:28:22 +01:00
Felix Fietkau
635d177ac9 hostapd: enable radius server support
This is useful in combination with the built-in eap server support

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-03-07 10:24:05 +01:00
Felix Fietkau
cf992ca862 hostapd: add missing return code for the bss_mgmt_enable ubus method
Fixes bogus errors on ubus calls

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-03-07 10:24:05 +01:00
Felix Fietkau
d10e1b4a71 hostapd: add support for defining multiple acct/auth servers
This allows adding backup servers, in case the primary ones fail.
Assume that port and shared secret are going to be the same.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-03-07 10:24:05 +01:00
Kevin Darbyshire-Bryant
c9df2d5c64 dnsmasq: bump to v2.89
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2023-02-25 20:49:47 +00:00
Leon M. Busch-George
ae751535de
hostapd: always use sae_password for mesh/SAE auth
This patch fixes a corner case when using passwords that are exactly 64
characters in length with mesh mode or passwords longer than 63 characters
with SAE because 'psk' is used instead of 'sae_password'.
SAE is obligatory for 802.11s (mesh point).

The 'psk' option for hostapd is suited for WPA2 and enforces length
restrictions on passwords. Values of 64 characters are treated as PMKs.
With SAE, PMKs are always generated during the handshake and there are no
length restrictions.
The 'sae_password' option is more suited for SAE and should be used
instead.

Before this patch, the 'sae_password' option is only used with mesh mode
passwords that are not 64 characters long.
As a consequence:
- mesh passwords can't be 64 characters in length
- SAE only works with passwords with lengths >8 and <=63 (due to psk
  limitation).

Fix this by always using 'sae_password' with SAE/mesh and applying the PMK
differentiation only when PSK is used.

Fixes: #11324
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
[ improve commit description ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-02-19 19:43:57 +01:00
Leon M. Busch-George
3c10c42ddd
hostapd: add quotes in assignments
It's generally advised to use quotes for variable assignments in bash.

Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
2023-02-19 19:43:54 +01:00
Stijn Tintel
65c9b5ffb0 odhcpd: bump to git HEAD
dfab0fa dhcpv4: detect noarp interfaces
  5a17751 router: improve RA logging
  edc5e17 router: always check ra_default

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2023-02-17 16:30:03 +02:00
Leon M. George
e4bd3de1be
dnsmasq: refuse to add empty DHCP range
Use ipcalc's return value to react to invalid range specifications.
By simply ignoring the range instead of aborting with an error code,
dnsmasq should still start when there's an error (best effort).
Aborting the config generation or working with invalid range specs leaves
dnsmasq crash-looping which is the right thing to do concerning that
particular interface but it also hinders DHCP service on other interfaces
and DNS on the router itself.

Signed-off-by: Leon M. George <leon@georgemail.eu>
2023-02-07 21:05:57 +01:00
Felix Fietkau
83d3e255f1 bridger: update to the latest version
8be8bb9df789 nl: fix accessing hairpin mode and isolated from the right attribute set

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-01-29 10:08:21 +01:00
Andre Heider
9902c8520b uhttpd: clean up Makefile
uhttpd's cmake options all default to ON. Either we set all of them or
none if the defaults need to be changed. Let's go with the latter.

Because support for all modules is always compiled in, remove two unused
and useless config toggles.

uhttpd detects and uses libcrypt itself, no need to add it here again.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-01-28 22:37:35 +01:00
Hauke Mehrtens
015c108755 relayd: bump to version 2023-01-28
f646ba4 route: Fix compile warning with glibc

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-01-28 20:24:22 +01:00
Hauke Mehrtens
d14559e9df uhttpd: update to latest Git HEAD
47561aa mimetypes: add audio/video support for apple airplay
6341357 ucode: respect all arguments passed to send()

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-01-28 19:31:42 +01:00
Hannu Nyman
a57796b137
dnsmasq: set an increased cachesize default value
Dnsmasq DNS cache size is only 150 by default.
Set the uci default value to 1000, so that cache gets used more
and unnecessary DNS queries to upstream can be avoided.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2023-01-21 11:13:44 +01:00
Christian Marangi
d9aa41dcda
lldpd: use release tar instead of codeload
There is currently a problem with making reproducible version of lldpd.
The tool version is generated based on 3 source:
1. .dist-version file in release tar
2. git hash with presence of .git directory
3. current date

Using the codeload tar from github results in getting the repo without
the .git directory and since they are not release tar, we don't have
.dist-version. This results in having lldpd bin with a version set to
the current build time.

Switch to release tar so that we correctly have a .dist-version file and
the version is not based on the build time.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Reviewed-by: Robert Marko <robimarko@gmail.com>
2023-01-12 14:55:07 +01:00
Felix Fietkau
4455ed65c6 bridger: update to the latest version
def7755c459d add missing copyright headers
f68307fd96d7 add hairpin mode support
9ee8f433ba4e nl: do not pass NDA_VLAN with vid=0
978c1f9eed07 add support for the bridge port isolated flag

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-01-03 13:28:47 +01:00
Hauke Mehrtens
ee47a28cec treewide: Trigger reinstall of all wolfssl dependencies
The ABI of the wolfssl library changed a bit between version 5.5.3 and
5.5.4. This release update will trigger a rebuild of all packages which
are using wolfssl to make sure they are adapted to the new ABI.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-01-01 21:06:54 +01:00
Hauke Mehrtens
f12bad6c19 tree-wide: Do not use package librt and libpthread
The libraries libpthread, libdl, libutil, libanl have been integrated
into the libc library in version 2.34. it is not needed to explicitly
link them any more.

Most of the functions have been moved from the librt.so into libc.so
some time ago already.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-12-29 18:50:24 +01:00
Felix Fietkau
090ad03343 hostapd: allow sharing the incoming DAS port across multiple interfaces
Use the NAS identifier to find the right receiver context on incoming messages

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-12-27 19:10:04 +01:00
Hauke Mehrtens
73dca49f35 uhttpd: update to latest Git HEAD
2397755 client: fix incorrectly emitting HTTP 413 for certain content lengths

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-12-26 15:18:08 +01:00
Kevin Darbyshire-Bryant
5c7e4a9d2e dnsmasq: bump to v2.88
Most relevant feature for openwrt in this release, supports dynamically
removing hosts from 'hostsdir' supplied host files.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2022-12-25 15:07:36 +00:00
Rosen Penev
6d1df35747 hostapd: add mbedtls variant
This adds the current WIP mbedtls patches for hostapd. The motivation
here is to reduce size.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-12-19 12:27:35 +00:00
Felix Fietkau
581f2b15b2 hostapd: enable coredumps
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-12-16 14:32:47 +01:00
Felix Fietkau
c2fde432b3 hostapd: always set a default for the nas identifier
It is used for both 802.11r and WPA enterprise.
Setting it when not needed is harmless

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-12-16 14:32:47 +01:00
Felix Fietkau
2fb38b77a2 hostapd: add support for automatically setting RADIUS own-ip dynamically
Some servers use the NAS-IP-Address attribute as a destination address

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-12-16 14:32:47 +01:00
Andre Heider
7c63295bf4 treewide: remove DRIVER_11N_SUPPORT
hostapd's compile time option CONFIG_IEEE80211N was removed almost 3 years
ago, 80.211n/HT is always included since then.

Noticed because `hostapd -v11n` confusingly returned an error.

See hostapd's commit:
f3bcd69603 "Remove CONFIG_IEEE80211N build option"

Signed-off-by: Andre Heider <a.heider@gmail.com>
2022-12-13 10:54:50 +01:00
Andre Heider
2d36f60d88 hostapd: fix 350-nl80211_del_beacon_bss.patch
Pass the expected struct:

../src/drivers/driver_nl80211.c: In function 'wpa_driver_nl80211_del_beacon':
../src/drivers/driver_nl80211.c:2945:31: warning: passing argument 1 of 'nl80211_bss_msg' from incompatible pointer type [-Wincompatible-pointer-types]
 2945 |         msg = nl80211_bss_msg(drv, 0, NL80211_CMD_DEL_BEACON);
      |                               ^~~
      |                               |
      |                               struct wpa_driver_nl80211_data *
../src/drivers/driver_nl80211.c:695:50: note: expected 'struct i802_bss *' but argument is of type 'struct wpa_driver_nl80211_data *'
  695 | struct nl_msg * nl80211_bss_msg(struct i802_bss *bss, int flags, uint8_t cmd)
      |                                 ~~~~~~~~~~~~~~~~~^~~

Fixes: 35ff1affe8 "hostapd: update to 2022-05-08"
Signed-off-by: Andre Heider <a.heider@gmail.com>
2022-12-13 10:54:50 +01:00
Andre Heider
3bc060440a hostapd: remove an unused function from ubus.c
eee80211_frequency_to_channel() isn't used anymore, which is a leftover from:
2a31e9ca97 "hostapd: add op-class to get_status output"

Signed-off-by: Andre Heider <a.heider@gmail.com>
2022-12-13 10:54:50 +01:00
Felix Fietkau
a797f0e82a hostapd: use wpa_supplicant for unencrypted mesh connections
It's more reliable than using iw

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-12-10 12:38:46 +01:00
Daniel Golle
aa12a0fdd1
dnsmasq: add option to expose additional paths to jail
Add new UCI list 'addn_mount' allowing the expose additional filesystem
paths to the jailed dnsmasq process. This is useful e.g. in case of
manually configured includes to the configuration file or symlinks
pointing outside of the exposed paths as used by e.g. the safe-search
package in the packages feed.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-11-27 14:06:08 +00:00
Nick Hainke
c17b6343f3 lldpd: update to 1.0.16
Release Notes:
https://github.com/lldpd/lldpd/releases/tag/1.0.16

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-11-18 20:27:52 +01:00
Chen Minqiang
4979d16fb1 dnsmasq: add support for filter-AAAA/A
This add --filter-A and --filter-AAAA options, to remove IPv4 or IPv6
addresses from DNS answers. these options is supported since version 2.87.

Co-authored-by: NueXini <nuexini@alumni.tongji.edu.cn>
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
2022-11-12 17:05:13 +01:00
Felix Fietkau
ddf736e543 hostapd: remove invalid dtim_period option processing
dtim_period is a bss property, not a device one.
It is already handled properly in mac80211.sh

Fixes: 30c64825c7 ("hostapd: add dtim_period, local_pwr_constraint, spectrum_mgmt_required")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-11-10 13:09:18 +01:00
Kevin Darbyshire-Bryant
41691ce9ac dnsmasq: remove backported CVE patch
Patch no longer applies/required since bump to v2.87

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2022-11-06 23:04:27 +00:00
Kevin Darbyshire-Bryant
d7f378796f dnsmasq: Support nftables nftsets
Add build option for nftables sets. By default disable iptables ipset
support.  By default enable nftable nftset support since this is what
fw4 uses.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>

dnsmasq: nftset: serve from ipset config

Use existing ipset configs as source for nftsets to be compatible with
existing configs. As the OS can either have iptables XOR nftables
support, it's fine to provide both to dnsmasq. dnsmasq will silently
fail for the present one. Depending on the dnsmasq compile time options,
the ipsets or nftsets option will not be added to the dnsmasq config
file.

dnsmasq will try to add the IP addresses to all sets, regardless of the
IP version defined for the set. Adding an IPv6 to an IPv4 set and vice
versa will silently fail.

Signed-off-by: Mathias Kresin <dev@kresin.me>

dnsmasq: support populating nftsets in addition to ipsets

Tell dnsmasq to populate nftsets instead of ipsets, if firewall4 is present in
the system. Keep the same configuration syntax in /etc/config/dhcp, for
compatibility purposes.

Huge thanks to Jo-Philipp Wich for basically writing the function.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>

dnsmasq: obtain nftset ip family from nft

Unfortunately dnsmasq nft is noisy if an attempt to add a mismatched ip address
family to an nft set is made.

Heuristic to guess which ip family a nft set might belong by inferring
from the set name.

In order of preference:

If setname ends with standalone '4' or '6' use that, else
if setname has '4' or '6' delimited by '-' or '_' use that (eg
foo-4-bar) else
If setname begins with '4' or '6' standalone use that.

By standalone I mean not as part of a larger number eg. 24

If the above fails then use the existing nft set query mechanism and if
that fails, well you're stuffed!

With-thanks-to: Jo-Philipp Wich <jo@mein.io> who improved my regexp
knowledge.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>

dnsmasq: specify firewall table for nftset

Permit ipsets to specify an nftables table for the set.  New config
parameter is 'table'.  If not specified the default of 'fw4' is used.

config ipset
	list name 'BK_4,BK_6'
	option table 'dscpclassify'
	option table_family 'ip'
	option family '4'
	list domain 'ms-acdc.office.com'
	list domain 'windowsupdate.com'
	list domain 'update.microsoft.com'
	list domain 'graph.microsoft.com'
	list domain '1drv.ms'
	list domain '1drv.com'

The table family can also be specified, usually 'ip' or 'ip6' else the
default 'inet' capable of both ipv4 & ipv6 is used.

If the table family is not specified then finally a family option is
available to specify either '4' or '6' for ipv4 or ipv6 respectively.

This is all in addition to the existing heuristic that will look in the
nftset name for an ip family clue, or in total desperation, query the
value from the nftset itself.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2022-11-06 19:47:13 +00:00
Mathias Kresin
7cdf74e163 dnsmasq: add uci-defaults script for ipset migration
When running sysupgrade from an existing configuration, move existing
ipset definitions to a dedicated config section. Later on, it will allow
to serve ipset as well as nftable sets from the same configuration.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2022-11-06 19:47:13 +00:00
Kevin Darbyshire-Bryant
bf27d977f0 dnsmasq: bump to 2.87
Bump dnsmasq to 2.87 & refresh patches

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2022-11-06 19:47:13 +00:00
Hauke Mehrtens
002a99eccd dnsmasq: Backport DHCPv6 server fix (CVE-2022-0934)
This backports a commit from upstream dnsmasq to fix CVE-2022-0934.

CVE-2022-0934 description:
A single-byte, non-arbitrary write/use-after-free flaw was found in
dnsmasq. This flaw allows an attacker who sends a crafted packet
processed by dnsmasq, potentially causing a denial of service.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-11-05 22:05:47 +01:00
Glen Huang
46fbe55971 uhttpd: use procd to reload on acme renew
Calling /etc/init.d/uhttpd reload directly in the acme hotplug script
can inadvertently start a stopped instance.

Signed-off-by: Glen Huang <i@glenhuang.com>
2022-11-04 16:21:00 +01:00