Commit Graph

1039 Commits

Author SHA1 Message Date
John Crispin
1e3c4f763c openvpn: cacert does not exist
cacert is really called ca and already in the script

Signed-off-by: John Crispin <john@phrozen.org>
2016-10-27 19:53:01 +02:00
John Crispin
0ec48b883c openvpn: add handling for capath and cafile
Signed-off-by: John Crispin <john@phrozen.org>
2016-10-27 15:19:59 +02:00
Hans Dedecker
a35f9bbc43 dnsmasq: Multiple dnsmasq instances support
Adds support in uci for configuring multiple dnsmasq instances via
multiple dnsmasq sections.
The uci sections host, boot, mac, tag, vendorclass, userclass,
circuitid, ... will refer to a dnsmasq instance via the instance
parameter defined in the section; if the instance parameter is
not specified backwards compatibility is preserved.

Start/Stopping a dnsmasq instance can be achieved by passing the
dnsmasq instance name as argument to start/stop via the init script.

Multiple dnsmasq instances is usefull in scenarios where you want to
bind a dnsmasq instance to an interface in order to isolate networks.

This patch is a rework of a multiple dnsmasq instance patch by Daniel Dickinson

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-10-26 17:53:53 +02:00
Hannu Nyman
9097dc5ad8 uhttpd: create self-signed certificates with unique subjects
Add a partially random O= item to the certificate subject in order
to make the automatically generated certificates' subjects unique.

Firefox has problems when several self-signed certificates
with CA:true attribute and identical subjects have been
seen (and stored) by the browser. Reference to upstream bugs:
https://bugzilla.mozilla.org/show_bug.cgi?id=1147544
https://bugzilla.mozilla.org/show_bug.cgi?id=1056341
https://bugzilla.redhat.com/show_bug.cgi?id=1204670#c34

Certificates created by the OpenSSL one-liner fall into that category.

Avoid identical certificate subjects by including a new 'O=' item
with CommonName + a random part (8 chars). Example:
/CN=LEDE/O=LEDEb986be0b/L=Unknown/ST=Somewhere/C=ZZ

That ensures that the browser properly sees the accumulating
certificates as separate items and does not spend time
trying to form a trust chain from them.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-10-26 15:16:52 +02:00
Hannu Nyman
82132540a3 uhttpd: prefer px5g for certificate creation
Prefer the old default 'px5g' for certificate creation
as Firefox seems to dislike OpenSSL-created certs.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-10-26 15:16:51 +02:00
Jo-Philipp Wich
81b256ee00 uhttpd: fix handling of special "/" prefix when matching handlers
The special prefix of "/" should match any url by definition but the final
assertion which ensures that the matched prefix ends in '\0' or '/' is causing
matches against the "/" prefix to fail.

Update to current HEAD in order to fix this particular case.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-10-25 16:38:50 +02:00
Alexandru Ardelean
598722956b network/services/ead: drop Build/Prepare rule in favor of default one
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-15 11:36:52 +02:00
Alexandru Ardelean
58cf9a2476 network/services/hostapd: move whole files outside of patches and drop Build/Prepare rule in favor of default one
This more of a demo for the previous commit that comes with
this one, where I added support for copying source from 'src' to
the build dir(s).

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-15 11:36:51 +02:00
Daniel Engberg
49ee771e6b package/network/services/lldpd: Update to 0.9.5
Updates lldpd to 0.9.5

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-10-15 11:36:51 +02:00
Hans Dedecker
1341b88732 odhcpd: Upstep to git HEAD version
Adds per-host leasetime support
Various bugfixes :
	-Prioritize ifname resolving via ubus
	-Free interface if ifindex cannot be resolved
	-...

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [update mirror sha256]
2016-10-13 17:05:21 +02:00
Felix Fietkau
175b59c59b uhttpd: update to the latest version, adds a small json handler fix
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-10-08 13:50:54 +02:00
Daniel Engberg
9edfe7dd13 source: Switch to xz for packages and tools where possible
* Change git packages to xz
* Update mirror checksums in packages where they are used
* Change a few source tarballs to xz if available upstream
* Remove unused lines in packages we're touching, requested by jow- and blogic
* We're relying more on xz-utils so add official mirror as primary source, master site as secondary.
* Add SHA256 checksums to multiple git tarball packages

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-10-06 12:16:56 +02:00
Jo-Philipp Wich
eb75b6ac1f uhttpd: rename certificate defaults section
Now that the uhttpd init script can generate certificates using openssl as
well, update the section name and related comment to be more generic.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-10-06 11:29:24 +02:00
Felix Fietkau
73c87a3cad hostapd: make -mesh and -p2p variants depend on the cfg80211 symbol
Avoids build failures when the nl80211 driver is disabled

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-10-05 23:02:13 +02:00
Hannu Nyman
3c4858eeb2 uhttpd: support using OpenSSL for certificate generation
Support the usage of the OpenSSL command-line tool for generating
the SSL certificate for uhttpd. Traditionally 'px5g' based on
PolarSSL (or mbedTLS in LEDE), has been used for the creation.

uhttpd init script is enhanced by adding detection of an installed
openssl command-line binary (provided by 'openssl-util' package),
and if found, the tool is used for certificate generation.

Note: After this patch the script prefers to use the OpenSSL tool
if both it and px5g are installed.

This enables creating a truly OpenSSL-only version of LuCI
without dependency to PolarSSL/mbedTLS based px5g.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-10-05 00:48:19 +02:00
Matthias Schiffer
77f54eae45
config: enable shadow passwords unconditionally
Configurations without shadow passwords have been broken since the removal
of telnet: as the default entry in /etc/passwd is not empty (but rather
unset), there will be no way to log onto such a system by default. As
disabling shadow passwords is not useful anyways, remove this configuration
option.

The config symbol is kept (for a while), as packages from feeds depend on
it.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-26 17:57:56 +02:00
Hans Dedecker
32f4777530 dnsmasq: Add match section support
Match sections allow to set a tag specified by the option networkid if the client
sends an option and optionally the option value specified by the match option.
The force option will convert the dhcp-option to force-dhcp-option if set to 1 in
the dnsmasq config if options are specified in the dhcp_option option.

config match
    option networkid tag
    option match 12,myhost
    option force 1
    list dhcp_option '3,192.168.1.1'

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-09-19 15:30:32 +02:00
Rafał Miłecki
e70e3c544a hostapd: fix regression breaking brcmfmac
The latest update of hostapd broke brcmfmac due to upstream regression.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2016-09-13 12:06:42 +02:00
Kevin Darbyshire-Bryant
591755ad1a dnsmasq: make NO_ID optional in full variant
Permit users of the full variant to disable the NO_ID *.bind pseudo
domain masking.

Defaulted 'on' in all variants.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-10 12:17:39 +02:00
Kevin Darbyshire-Bryant
96f0bbe91d dropbear: hide dropbear version
As security precaution and to limit the attack surface based on
the version reported by tools like nmap mask out the dropbear
version so the version is not visible anymore by snooping on the
wire. Version is still visible by 'dropbear -V'

Based on a patch by Hans Dedecker <dedeckeh@gmail.com>

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [remove trailing _]
2016-09-10 12:17:39 +02:00
Kevin Darbyshire-Bryant
03cd416795 dnsmasq: Don't expose *.bind data incl version
Don't expose dnsmasq version & other data to clients via the *.bind
pseudo domain.  This uses a new 'NO_ID' compile time option which has been
discussed and submitted upstream.

This is an alternate to replacing version with 'unknown' which affects
the version reported to syslog and 'dnsmasq --version'

Run time tested with & without NO_ID on Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-08 15:28:38 +02:00
Felix Fietkau
859d940c79 hostapd: update to version 2016-09-05
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-09-08 15:28:38 +02:00
Kevin Darbyshire-Bryant
9209f4304b dnsmasq: fix remove pidfile on shutdown regression
Regression introduced by 3481d0d dnsmasq: run as dedicated UID/GID

dnsmasq is unable to remove its own pidfile as /var/run/dnsmasq is owned
by root and now dnsmasq runs as dnsmasq:dnsmasq.  Change directory
ownership to match.

dnsmasq initially starts as root, creates the pidfile, then drops to
requested non-root user.  Until this fix dnsmasq had insufficient
privilege to remove its own pidfile.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-06 11:26:05 +02:00
Johannes Römer
e8cb7d30e9 hostapd: fix typo and indentation in ap_sta_support.patch
Signed-off-by: Johannes Römer <jroemer@posteo.net>
2016-09-05 18:03:24 +02:00
Karl Palsson
a4dc9ff934 dropbear: mdns flag is a bool, not integer
Effectively the same for most purposes, but more accurate.

Signed-off-by: Karl Palsson <karlp@etactica.com>
2016-09-05 07:27:16 +02:00
Magnus Kroken
2653a12c4d openvpn: update to 2.3.12
300-upstream-fix-polarssl-mbedtls-builds.patch has been applied upstream.
Replaced 101-remove_polarssl_debug_call.patch with upstream backport.

Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.12

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-08-24 00:33:08 +02:00
Ash Benz
798cd261ab hostapd: use printf to improve portability.
Signed-off-by: Ash Benz <ash.benz@bk.ru>
2016-08-23 12:15:41 +02:00
Hans Dedecker
d7c249fa1c ppp: Extend uci datamodel with persistency sypport
PPP daemon can be put into persist mode meaning the
daemon will not exit after a connection gets terminated
but will instead try to reopen the connection.
The re-initiation after the link has been terminated
can be controlled via holdoff; this is helpfull in
scenarios where a BRAS is in denial of service mode
due to link setup requests after a BRAS has gone down

Following uci parameters have been added :
persist (boolean) : Puts the ppp daemon in persist mode
maxfail (integer) : Number of consecutive fail attempts which
puts the PPP daemon in exit mode
holdoff (interget) : Specifies how many seconds to wait
before re-initiating link setup after it has been terminated

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-08-18 09:49:18 +02:00
Conn O'Griofa
63f6fc5c16 samba: add file/interface reload triggers & filter interfaces
* Only parse interfaces that are up during init_config (as the
  script depends on this to determine the proper IP/subnet range)
* Add reload interface triggers for samba-designated interfaces
* Force full service restart upon config change to ensure Samba
  binds to new interfaces (sending HUP signal doesn't work)
* Rename "interface" variable to "samba_iface" and move into
  global scope

Needed to fix Samba connectivity for clients connecting from a
different LAN subnet (e.g. pseudobridge configurations) due to the
'bind interfaces only' setting.

Signed-off-by: Conn O'Griofa <connogriofa@gmail.com>
2016-08-15 15:18:35 +02:00
Jo-Philipp Wich
4e8c6f3407 dropbear: security update to 2016.74
- Security: Message printout was vulnerable to format string injection.

  If specific usernames including "%" symbols can be created on a system
  (validated by getpwnam()) then an attacker could run arbitrary code as root
  when connecting to Dropbear server.

  A dbclient user who can control username or host arguments could potentially
  run arbitrary code as the dbclient user. This could be a problem if scripts
  or webpages pass untrusted input to the dbclient program.

- Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
  the local dropbearconvert user when parsing malicious key files

- Security: dbclient could run arbitrary code as the local dbclient user if
  particular -m or -c arguments are provided. This could be an issue where
  dbclient is used in scripts.

- Security: dbclient or dropbear server could expose process memory to the
  running user if compiled with DEBUG_TRACE and running with -v

  The security issues were reported by an anonymous researcher working with
  Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-08-12 11:45:47 +02:00
Petko Bordjukov
dff6df9625 hostapd: Allow RADIUS accounting without 802.1x
RADIUS accounting can be used even when RADIUS authentication is not
used. Move the accounting configuration outside of the EAP-exclusive
sections.

Signed-off-by: Petko Bordjukov <bordjukov@gmail.com>
2016-08-11 10:45:33 +02:00
Felix Fietkau
51e70267bd hostapd: remove unused hostapd-common-old package
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-05 11:02:57 +02:00
Felix Fietkau
9201e88f51 kernel: remove hostap driver
It has been marked as broken for well over a month now and nobody has
complained.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-31 12:25:24 +02:00
Felix Fietkau
b2ddfbc1c7 dnsmasq: drop --interface and --except-interface options when the interface cannot be found
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 20:58:14 +02:00
Felix Fietkau
5cd88f4812 dnsmasq: remove use of uci state for getting network ifname
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 19:48:22 +02:00
Felix Fietkau
a1681ce39b dnsmasq: replace the iface hotplug script with a procd trigger
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 16:41:09 +02:00
Felix Fietkau
6916ca8d33 dnsmasq: make the check for existing DHCP servers more reliable
If there is no carrier yet, wait for 2 seconds (STP forwarding delay)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 16:41:09 +02:00
Ulrich Weber
712b6fdc5c dnsmasq: write atomic config file
multiple invocation of dnsmasq script (e.g. by procd and hotplugd)
might cause procd to restart dnsmasq with an incomplete config file.
Config file generation might take quite a long time on larger configs
due ubus calls for each listening interface...

Signed-off-by: Ulrich Weber <ulrich.weber@riverbed.com>
2016-07-29 16:41:09 +02:00
Felix Fietkau
c02f41c1d2 igmpproxy: remove procd_open_trigger/procd_close_trigger calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 16:41:09 +02:00
Felix Fietkau
8299737428 dropbear: remove procd_open_trigger/procd_close_trigger calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 16:41:08 +02:00
Felix Fietkau
da328f2865 hostapd: backport mesh/ibss HT20/HT40 related fix
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-27 17:22:39 +02:00
Felix Fietkau
c7a5bb5a7e samba36: avoid picking up a dependency on libunwind (fixes GH #212)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-21 17:33:17 +02:00
Felix Fietkau
ca6375ac51 hostapd: fix an error on parsing radius_das_client
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-21 16:58:50 +02:00
Felix Fietkau
56f686b710 samba36: disable local browse master by default
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-18 13:37:12 +02:00
Felix Fietkau
75329fc161 hostapd: fix VLAN support in full wpad builds
Suppress -DCONFIG_NO_VLAN if CONFIG_IBSS_RSN is enabled

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-18 13:37:10 +02:00
Kevin Darbyshire-Bryant
17f4d3967e samba: update smb template socket options defaults
Removed socket options = TCP_NODELAY IPTOS_LOWDELAY

TCP_NODELAY (disables Nagle algorithm) is default since samba2.
IPTOS_LOWDELAY sets DSCP 0x10 coding (CS2)
The alternate IPTOS_THROUGHPUT sets DSCP 0x08 coding (CS1)

CS1 is a scavenger class, whilst CS2 is more OAM/interactive
(SNMP,SSH,syslog)

Using CS2 is definitely an abuse of DSCP classification, CS1 less so
however even if the ISP takes note of DSCP codings having a default that
sets traffic to CS2 is wrong.  Better to use the default Best Effort
class.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-07-11 14:19:47 +02:00
Kevin Darbyshire-Bryant
527696674a igmpproxy: logging options - make work & improve
Move logging command line option to uci:
option verbose [0]/1/2 - mono-syllabic/verbose/noisy

Previously handled as 'OPTIONS' in .init script however variable
was ignored so never worked.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-07-11 14:19:47 +02:00
Felix Fietkau
ad430c1080 hostapd: add a WDS AP fix for reconnecting clients
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-06 10:12:37 +02:00
neheb
a3e7d5e7ae samba: Update smb.conf.template
Removed some options which are default anyway and added bind interfaces
only which causes the interfaces line to actually have an effect. Can be
verified with netstat.

Signed-off by: Rosen Penev <rosenp@gmail.com>
2016-07-05 22:59:14 +02:00
Hans Dedecker
c2bd469521 dnsmasq: Add broken realtime clock build switch in full variant
By default dnsmasq uses the time function; which returns the time since
Epoch; to retrieve the current time. On boards which have no realtime
clock this can lead to side effects when the time is synced via ntp
as the "time wrap" forces dhcp leases to be considered as expired.
By enabling the broken realtime clock build switch dnsmasq uses the
times utility which returns the number of clock tick.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
[Jo-Philipp Wich: change symbol name, add sym to PKG_CONFIG_DEPENDS]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-30 00:42:46 +02:00
Jo-Philipp Wich
f98f4601de openvpn: fix missing cipher list for polarssl in v2.3.11
Upstream OpenSSL hardening work introduced a change in shared code that
causes polarssl / mbedtls builds to break when no --tls-cipher is specified.

Import the upstream fix commit as patch until the next OpenVPN release gets
released and packaged.

Reported-by: Sebastian Koch <seb@metafly.info>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-28 10:47:22 +02:00
Daniel Dickinson
4a3b8e0596 lldpd: Use /etc/os-release instead of /etc/openwrt_*
With the addition of /etc/os-release patching lldpd to use
/etc/openwrt_release and to have the initscript use
/etc/openwrt_release and/or /etc/openwrt_version becomes
unnecessary.

Signed-off-by: Daniel Dickinson <lede@daniel.thecshore.com>
2016-06-27 15:16:01 +02:00
Kevin Darbyshire-Bryant
5acfe55d71 dnsmasq: dnssec time handling uses ntpd hotplug
Change dnsmasq's dnssec time check handling to use time validity
indicated by ntpd rather than maintaining a cross boot/upgrade
/etc/dnsmasq.time timestamp file.  This saves flash device wear.

If ntpd client is configured in uci and you're using dnssec, then
dnsmasq will not check dnssec timestamp validity until ntpd hotplug
indicates sync via a stratum change. The ntpd hotplug leaves a status
flag file to indicate to dnsmasq.init that time is valid and that it
should now start in 'check dnssec timestamp valid' mode.

If ntpd client is not configured and you're using dnssec, then it is
presumed you're using an alternate time sync mechanism and that time is
correct, thus dnsmasq checks dnssec timestamps are valid from 1st start.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

V2 - stratum & step ntp changes indicate time is valid
V3 - on initial flag file step signal dnsmasq with SIGHUP if running
V4 - only accept step ntp changes. Accepting both stratum & step could
result in unpleasant script race conditions
V5 - Actually only accepting stratum is the correct thing to do after
further testing
V6 - improve handling of non busybox ntpd
if sysntpd not executable
  dnsmasq checks dnssec timestamps
else
  sysntp script disabled - look for timestamp file - allows external mechanism to use hotplug flag file
  sysntp script enabled & uci ntp enabled  - look for timestamp file
  sysntp script enabled & uci ntp disabled - dnsmasq checks dnssec
timestamps
fi
2016-06-24 13:53:39 +02:00
Hauke Mehrtens
3f38356893 packages: prefer http over git for git protocol
In company networks everything except the http and https protocol is
often causes problems, because the network administrators try to block
everything else. To make it easier to use LEDE in company networks use
the https/http protocol for git access when possible.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-06-22 19:32:06 +02:00
Felix Fietkau
475e94b1d2 uhttpd: update to the latest version, adds some extensions to handler script support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-16 19:00:16 +02:00
Felix Fietkau
4e0a533f60 hostapd: fix breakage with non-nl80211 drivers
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-15 19:28:55 +02:00
Jo-Philipp Wich
e2a9c638e7 hostapd: fix compilation error in wext backend
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-15 19:10:32 +02:00
Felix Fietkau
ef74d5cbf8 hostapd: implement fallback for incomplete survey data
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-15 17:31:48 +02:00
Felix Fietkau
13b44abcff hostapd: update to version 2016-06-15
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-15 17:11:43 +02:00
Michal Hrusecky
b67af71181 hostapd: Update to version 2016-05-05
Fixes CVE-2016-4476 and few possible memory leaks.

Signed-off-by: Michal Hrusecky <Michal.Hrusecky@nic.cz>
2016-06-15 17:11:18 +02:00
Magnus Kroken
4260d11e8b openvpn: update to 2.3.11
Security fixes:
* Fixed port-share bug with DoS potential
* Fix buffer overflow by user supplied data

Full changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-06-13 22:51:43 +02:00
John Crispin
62dc9831d3 package/*: update git urls for project repos
Signed-off-by: John Crispin <john@phrozen.org>
2016-06-13 22:51:41 +02:00
Kevin Darbyshire-Bryant
e815036460 dnsmasq: support hostid ipv6 address suffix option
Add support for hostid dhcp config entry to dnsmasq. This allows
specification of dhcpv6 hostid suffix and works in the same way as
odhcpd.

Entries in auto generated dnsmasq.conf should conform to:

dhcp-host=mm:mm:mm:mm:mm:mm,IPv4addr,[::V6su:ffix],hostname

example based on sample config/dhcp entry:

config host
        option name 'Kermit'
        option mac 'E0:3F:49:A1:D4:AA'
        option ip '192.168.235.4'
        option hostid '4'

dhcp-host=E0:3F:49:A1:D4:AA,192.168.235.4,[::0:4],Kermit

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-06-10 18:16:47 +02:00
Hans Dedecker
7eaacd4d23 dnsmasq: Add option --max-port
By default dnsmasq uses random ports for outbound dns queries;
when the maxport UCI option is specified the ports used will
always be smaller than the specified value.
This is usefull for systems behind firewalls.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-06-10 18:05:07 +02:00
Matteo Panella
20c608db0a openvpn: add support for tls-version-min
Currently, the uci data model does not provide support for specifying
the minimum TLS version supported in an OpenVPN instance (be it server
or client).

This patch adds support for writing the relevant option to the openvpn
configuration file at service startup.

Signed-off-by: Matteo Panella <morpheus@level28.org>
[Jo-Philipp Wich: shorten commit title, bump pkg release]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-07 23:02:58 +02:00
Jo-Philipp Wich
24a7ccb056 treewide: replace jow@openwrt.org with jo@mein.io
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-07 11:42:52 +02:00
Felix Fietkau
7eeb254cc4 treewide: replace nbd@openwrt.org with nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-07 08:58:42 +02:00
Dirk Neukirchen
04cb722e9f openvpn: remove unrecognized option
removed upstream in
9ffd00e754
now its always on

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
2016-06-01 15:18:42 +02:00
Dario Ernst
4d1c75c601 dropbear: Fix incorrect CONFIG_TARGET_INIT_PATH.
Fix a „semantic typo“ introduced in b78aae793e,
where TARGET_INIT_PATH was used instead of CONFIG_TARGET_INIT_PATH.

Signed-off-by: Dario Ernst <Dario.Ernst@riverbed.com>
2016-05-24 16:31:17 +02:00
Daniel Dickinson
2ac21bd793 dnsmasq: Set the default dhcp lease file and resolv file
Instead of making assumptions about the leasefile and resolv file make sure
we use what the user configures, but fall back to defaults if no configuration
is specified

Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
2016-05-24 13:30:58 +02:00
Kevin Darbyshire-Bryant
a6e96998fb dnsmasq: update to dnsmasq v2.76
Update to dnsmasq2.76.  Refresh patches.  Add new patch to fix musl
'poll.h' location warning.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-05-24 13:30:58 +02:00
John Crispin
31293752c8 mdns: update to latest git HEAD
* fixes loopback handling

Signed-off-by: John Crispin <john@phrozen.org>
2016-05-23 10:26:32 +02:00
Felix Fietkau
b570c0c88e uhttpd: use configured distribution name for SSL certificate CN
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-05-21 12:42:44 +02:00
Kevin Darbyshire-Bryant
7938e8d60a dnsmasq: sysupgrade hook to conditionally preserve dnsmasq.time
conditionally save dnsmasq.time across sysupgrade
dnsmasq uses /etc/dnsmasq.time as record of the last known good
system time to aid its validation of dnssec timestamps.  dnsmasq
updates the timestamp on process start/stop once it considers the system
time as valid. The timestamp file should be preserved across system
upgrade but should not be included as part of normal configuration
backups to prevent restores corrupting the current timestamp.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-05-19 10:28:18 +02:00
Jo-Philipp Wich
85a59127a7 Revert "dnsmasq: sysupgrade hook to conditionally preserve dnsmasq.time"
This reverts commit d830cb0882.

Reverting this commit due to a missing Signed-off-by.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-05-19 10:28:17 +02:00
Kevin Darbyshire-Bryant
d830cb0882 dnsmasq: sysupgrade hook to conditionally preserve dnsmasq.time
conditionally save dnsmasq.time across sysupgrade
dnsmasq uses /etc/dnsmasq.time as record of the last known good
system time to aid its validation of dnssec timestamps.  dnsmasq
updates the timestamp on process start/stop once it considers the system
time as valid. The timestamp file should be preserved across system
upgrade but should not be included as part of normal configuration
backups to prevent restores corrupting the current timestamp.
2016-05-18 22:17:33 +02:00
Jo-Philipp Wich
1c61b21489 dropbear: update to 2016.73
Update the dropbear package to version 2016.73, refresh patches.
The measured .ipk sizes on an x86_64 build are:

  94588	dropbear_2015.71-3_x86_64.ipk
  95316	dropbear_2016.73-1_x86_64.ipk

This is an increase of roughly 700 bytes after compression.

Tested-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-05-13 10:23:52 +02:00
John Crispin
b8ab6af1a9 global: change my email address
Signed-off-by: John Crispin <john@phrozen.org>
2016-05-12 03:29:36 +02:00
Hans Dedecker
861266c9ec dropbear: Add --disable-utmpx again
The option --disable-utmpx was deleted by accident in commit 7545c1d;
add it again to the CONFIGURE_ARGS list

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-05-12 03:29:35 +02:00
Hans Dedecker
ec9f6fe04d ppp: Add ppp-mod-passwordfd subpackage to ppp
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-04-28 13:50:41 +02:00
Hans Dedecker
ce9e5e16ff dnsmasq: Add conntrack support in the full variant
Conntrack support reads the connection track mark associated with
incoming DNS queries and sets the same mark value on the upstream
forwarded DNS query. This can be usefull to track traffic generated
by dnsmasq to associate it with the clients who generate the queries,
usefull for bandwidth accouting and firewall.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-04-28 13:50:20 +02:00
Hans Dedecker
16122117a5 dropbear: Add procd interface triggers when interface config is specified
A dropbear instance having an interface config won't start if the interface is down as no
IP address is available.
Adding interface triggers for each configured interface executing the dropbear reload script
will start the dropbear instance when the interface is up.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-04-28 13:49:37 +02:00
Hans Dedecker
7545c1d96b dropbear: Make utmp and putuline support configurable via seperate config options
Utmp support tracks who is currenlty logged in by logging info to the file /var/run/utmp (supported by busybox)
Putuline support will use the utmp structure to write to the utmp file

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-04-28 13:47:48 +02:00
John Crispin
fa69553900 branding: add LEDE branding
Signed-off-by: John Crispin <blogic@openwrt.org>
2016-03-24 22:40:13 +01:00
John Crispin
3481d0d793 dnsmasq: run as dedicated UID/GID
Running dnsmasq in a dedicated user/group allows matching its outgoing
traffic more easily using iptables' owner match.
Add UID/GID to the package metadata and append the user/group
parameters to the init script.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 49252
2016-04-26 11:44:10 +00:00
Hauke Mehrtens
3fabbb814d dnsmasq: Add enable parameter in the UCI DHCP host section
Parameter allows to enable/disable static leases; by default the value is 1
to keep backwards compatibility

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 49187
2016-04-17 12:52:54 +00:00
Hauke Mehrtens
3830200d6a hostapd.sh: Add support for "anonymous_identity" config field
The wpa_supplicant supports an "anonymous_identity" field, which some
EAP networks require.  From the documentation:

anonymous_identity: Anonymous identity string for EAP (to be used as the
    unencrypted identity with EAP types that support different tunnelled
    identity, e.g., EAP-TTLS).

This change modifies the hostapd.sh script to propagate this field
from the UCI config to the wpa_supplicant.conf file.

Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
Reviewed-by: Manuel Munz <freifunk@somakoma.de>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 49181
2016-04-17 12:50:55 +00:00
Hauke Mehrtens
1414f1647d samba: fix some security problems
This fixes the following security problems:
* CVE-2015-7560
* CVE-2015-5370
* CVE-2016-2110
* CVE-2016-2111
* CVE-2016-2112
* CVE-2016-2115
* CVE-2016-2118

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 49175
2016-04-16 20:06:34 +00:00
John Crispin
0ca7071632 openvpn: add support for X.509 name options
x509-username-field was added in OpenVPN 2.2, and verify-x509-name was
added in 2.3. This fixes ticket #18807.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>

SVN-Revision: 48969
2016-03-08 18:12:02 +00:00
John Crispin
b5bfb3534b dnsmasq: add host-specific lease time option for static hosts
Enable setting a host-specific lease time for static hosts.
The new option is called "leasetime" and the format is similar
as for the default lease time: e.g. 12h, 3d, infinite

Default lease time is used for all hosts for which there is
no host-specific definition.

The option is added to /etc/config/dhcp for the selected hosts:
  config host
        option name 'Nexus'
        option mac 'd8:50:66:55:59:7c'
        option ip '192.168.1.245'
        option leasetime '2h'

It gets appended to /var/etc/dnsmasq.conf like this:
  dhcp-host=d8:50:66:55:59:7c,192.168.1.245,Nexus,2h

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

SVN-Revision: 48801
2016-02-26 09:13:03 +00:00
John Crispin
c503984876 dnsmasq: add dhcp relay option
Signed-off-by: dbugnar <dnbugnar@ocedo.com>

SVN-Revision: 48800
2016-02-26 08:35:48 +00:00
Felix Fietkau
b4a1bd8992 dnsmasq: export tftp root to the procd jail
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48761
2016-02-25 09:24:31 +00:00
Felix Fietkau
5e84051a0f dnsmasq: only enable tftp if the tftp root exists
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48760
2016-02-25 09:24:24 +00:00
John Crispin
7a29f7c22d lldp: Upgrade to 0.9.0
Signed-off-by: Ben Kelly <ben@benjii.net>

SVN-Revision: 48738
2016-02-18 08:22:07 +00:00
Jo-Philipp Wich
b78aae793e dropbear: honor CONFIG_TARGET_INIT_PATH
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 48679
2016-02-08 14:28:57 +00:00
Felix Fietkau
d8684c7068 relayd: update to the latest version, fixes some more connectivity issues (#21817)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48655
2016-02-08 08:03:06 +00:00
Felix Fietkau
2d7840b505 relayd: update to the latest version, fixes route table issues when connecting to the router
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48635
2016-02-05 15:59:41 +00:00
Felix Fietkau
eb47ddd557 hostapd: remove useless TLS provider selection override for wpad-mesh/wpa_supplicant-mesh
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48537
2016-01-28 22:42:14 +00:00
Felix Fietkau
18b2f2d694 hostapd: fix mesh interface bridge handling
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48529
2016-01-28 17:20:10 +00:00
Felix Fietkau
b4ef1fca48 hostapd: fix wpad-mesh and wpa-supplicant-mesh configuration issues
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48528
2016-01-28 17:19:48 +00:00
Felix Fietkau
924407b253 hostapd: update to version 2016-01-15
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48527
2016-01-28 17:19:13 +00:00
Jo-Philipp Wich
d8da5c5630 dnsmasq: Don't add local hostname if ula prefix is not specified
Commit 6a7e56b adds support for adding local hostname for own lan ula adress
but if ula prefix is not specified results into an invalid config (address=/OpenWrt.lan/1)
causing dnsmasq not to start up.
Use lanaddr6 when adding local hostname as the lan ula address is constructed based on the
UCI parameters ip6hint and ip6ifaceid and thus not always ula prefix suffixed with 1

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

SVN-Revision: 48495
2016-01-25 17:47:22 +00:00
Felix Fietkau
565570cfd5 package/uhttpd: generate 2048 bit RSA key
RSA keys should be generated with sufficient length.
Using 1024 bits is considered unsafe.
In other packages the used key length is 2048 bits.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>

SVN-Revision: 48494
2016-01-25 17:42:25 +00:00
Felix Fietkau
208b96cacd uhttpd: fix typo in default config for px5g
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48385
2016-01-19 23:27:14 +00:00
Felix Fietkau
faad8b68a4 wpa_supplicant: add support for EAP-TLS phase2
Introduce config options client_cert2, priv_key2 and priv_key2_pwd
used for EAP-TLS phase2 authentication in WPA-EAP client mode.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 48345
2016-01-19 10:06:29 +00:00
Felix Fietkau
3b15eb0ade hostap/wpa_supplicant: enable EAP-FAST in -full builds
Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 48344
2016-01-19 10:06:23 +00:00
Felix Fietkau
808a605453 uhttpd: add option for mbedtls
Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 48343
2016-01-19 10:06:18 +00:00
Felix Fietkau
e4cf25cfab wpa_supplicant: improve generating phase2 config line for WPA-EAP
WPA-EAP supports several phase2 (=inner) authentication methods when
using EAP-TTLS, EAP-PEAP or EAP-FAST (the latter is added as a first
step towards the UCI model supporting EAP-FAST by this commit)
The value of the auth config variable was previously expected to be
directly parseable as the content of the 'phase2' option of
wpa_supplicant.
This exposed wpa_supplicant's internals, leaving it to view-level to
set the value properly. Unfortunately, this is currently not the case,
as LuCI currently allows values like 'PAP', 'CHAP', 'MSCHAPV2'.
Users thus probably diverged and set auth to values like
'auth=MSCHAPV2' as a work-around.
This behaviour isn't explicitely documented anywhere and is not quite
intuitive...

The phase2-string is now generated according to $eap_type and $auth,
following the scheme also found in hostap's test-cases:
http://w1.fi/cgit/hostap/tree/tests/hwsim/test_ap_eap.py
The old behaviour is also still supported for the sake of not breaking
existing, working configurations.

Examples:
  eap_type   auth
  'ttls'     'EAP-MSCHAPV2'     -> phase2="autheap=MSCHAPV2"
  'ttls'     'MSCHAPV2'         -> phase2="auth=MSCHAPV2"
  'peap'     'EAP-GTC'          -> phase2="auth=GTC"

Deprecated syntax supported for compatibility:
  'ttls'     'autheap=MSCHAPV2' -> phase2="autheap=MSCHAPV2"

I will suggest a patch to LuCI adding EAP-MSCHAPV2, EAP-GTC, ... to
the list of Authentication methods available.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 48309
2016-01-18 11:40:44 +00:00
Felix Fietkau
56f6d35716 dnsmasq: Add option --min-port
By default dnsmasq uses random ports for outbound dns queries;
when the minport UCI option is specified the ports used will
always be larger than the specified value.
This is usefull for systems behind firewalls.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

SVN-Revision: 48244
2016-01-15 11:24:15 +00:00
Felix Fietkau
64c23711ea dropbear: update version to 2015.71
Update dropbear to version 2015.71, released on 3 Dec 2015.
Refresh patches.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

SVN-Revision: 48243
2016-01-15 11:24:09 +00:00
Jo-Philipp Wich
722badfa82 dnsmasq: add local hostname record for own lan ula address as well
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 48214
2016-01-12 10:03:50 +00:00
Rafał Miłecki
2611a5538e hostapd: fix disassociation with FullMAC drivers and multi-BSS
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>

SVN-Revision: 48202
2016-01-11 18:51:47 +00:00
Felix Fietkau
37a57c1d71 openvpn: update to version 2.3.10
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48201
2016-01-11 18:37:28 +00:00
Felix Fietkau
4c7983a00a dropbear: enable curve25519 support by default, increases compressed binary size by ~5 kb
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48196
2016-01-10 22:38:59 +00:00
Felix Fietkau
1455b5b89a dropbear: split out curve25519 support into a separate config option
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48195
2016-01-10 22:38:53 +00:00
Felix Fietkau
6c40914c0c hostapd: fix post v2.4 security issues
- WPS: Fix HTTP chunked transfer encoding parser (CVE-2015-4141)
- EAP-pwd peer: Fix payload length validation for Commit and Confirm
  (CVE-2015-4143)
- EAP-pwd server: Fix payload length validation for Commit and Confirm
  (CVE-2015-4143)
- EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
  (CVE-2015-4144, CVE-2015-4145)
- EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  (CVE-2015-4144, CVE-2015-4145)
- EAP-pwd peer: Fix asymmetric fragmentation behavior (CVE-2015-4146)
- NFC: Fix payload length validation in NDEF record parser (CVE-2015-8041)
- WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use
  (CVE-2015-5310)
- EAP-pwd peer: Fix last fragment length validation (CVE-2015-5315)
- EAP-pwd server: Fix last fragment length validation (CVE-2015-5314)
- EAP-pwd peer: Fix error path for unexpected Confirm message (CVE-2015-5316)

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>

SVN-Revision: 48185
2016-01-10 17:03:37 +00:00
Felix Fietkau
1aa774053b openvpn: added service_triggers() to init script
Follow up of #21469
This patch enables autoreloading openvpn via procd.

Signed-off-by: Federico Capoano <nemesis@ninux.org>

SVN-Revision: 48150
2016-01-07 21:08:05 +00:00
Felix Fietkau
44b6a5e549 samba36: add three CVE patches from 2015-12-16
This is a patch for CVE-2015-5252, CVE-2015-5296 and CVE-2015-5299. A
patchset for these vulnerabilities was published on 16th December 2015.

Signed-off-by: Jan Čermák <jan.cermak@nic.cz>

SVN-Revision: 48133
2016-01-05 10:42:52 +00:00
Felix Fietkau
f500c8f3ac relayd: move to git.openwrt.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48129
2016-01-04 15:13:17 +00:00
Felix Fietkau
a5dc438274 uhttpd: move to git.openwrt.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48122
2016-01-04 15:12:21 +00:00
Felix Fietkau
9cd6162b63 packages: use OPENWRT_GIT to point at the main openwrt git repo
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48118
2016-01-04 15:11:49 +00:00
Felix Fietkau
74c36b9d20 wpa_supplicant: set regulatory domain the same way as hostapd
In sta-only configuration, wpa_supplicant needs correct regulatory
domain because otherwise it may skip channel of its AP during scan.

Another alternative is to fix "iw reg set" in mac80211 netifd script.
Currently it fails if some phy has private regulatory domain which
matches configured one.

Signed-off-by: Dmitry Ivanov <dima@ubnt.com>

SVN-Revision: 48099
2016-01-03 20:56:57 +00:00
John Crispin
7029ee5abe openvpn: fix configure options
- eurephia:
commit: Remove the --disable-eurephia configure option

- fix option name:
http proxy option is now called http-proxy (see configure.ac)

fixes:
configure: WARNING: unrecognized options: --disable-nls, --disable-eurephia, --enable-http

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>

SVN-Revision: 47979
2015-12-23 14:44:24 +00:00
John Crispin
fde2ac3537 package/lldpd: Remove extraneous select
Only the conditional dependency ought to be required;
if build fails with JSON there is some other problem
at work.

Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>

SVN-Revision: 47976
2015-12-23 14:44:05 +00:00
John Crispin
a621edbb0a dnsmasq: Add option --no-ping
By default dnsmasq sends an ICMP echo request before allocating
an IP address to a host; the uci option noping allows to disable
this check.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

SVN-Revision: 47974
2015-12-23 14:43:41 +00:00
Felix Fietkau
f45697d904 dnsmasq: changed option nonwildcard to --bind-dynamic
Changed option nonwildcard from --bind-interfaces into --bind-dynamic.
With this, Dnsmasq binds the address of individual interfaces, allowing multiple
dnsmasq instances, but if new interfaces or addresses appear, it automatically
listens on those. This makes dynamically created interfaces work in the same way as
the default, but allows also use of other DNS-servers (like Named) at the same time
on diffirent interfaces where Dnsmasq is NOT configured, whereas with
--bind-interfaces will still reserve every interface even if not used and thus
disallowing use of any other DNS-program even on unused interfaces.

Tested-by: Vaasa Hacklab <info@vaasa.hacklab.fi>
Signed-off-by: Sami Olmari <sami@olmari.fi>

SVN-Revision: 47953
2015-12-19 13:18:26 +00:00
John Crispin
fa532b839f network/services/lldpd: Fix missing dependency when using JSON
Using the JSON output option depends on json library so
add select json-c library when JSON output is selected.

Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>

SVN-Revision: 47928
2015-12-17 09:30:16 +00:00
John Crispin
725fc09cec dnsmasq: Add option "--all-servers"
Add the option "--all-servers" which forces dnsmasq to send all
queries to all servers and then take the first answer.

Signed-off-by: Andréas Gustafsson <gurgalof@gmail.com>

SVN-Revision: 47857
2015-12-11 15:06:59 +00:00
Felix Fietkau
b580ebb5a8 lldpd: add STOP=01 param in init script
This should ensure that lldpd is among the first processes to stop,
so that it has time to send the shutdown LLDPU to the other side,
before the network goes down.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>

SVN-Revision: 47786
2015-12-05 09:57:19 +00:00
John Crispin
3afe39af72 wpa-supplicant: Get 802.11s ssid information from option mesh_id
The scripts for authsae and iw use the option mesh_id to get set the
"meshid" during a mesh join. But the script for wpad-mesh ignores the
option mesh_id and instead uses the option ssid. Unify the mesh
configuration and let the wpa_supplicant script also use the mesh_id from
the configuration.

Signed-off-by: Sven Eckelmann <sven@open-mesh.com>

SVN-Revision: 47615
2015-11-24 18:28:44 +00:00
John Crispin
939175e9f2 authsae: Use kbit/s as mcast_rate unit like wpad
The OpenWrt wireless configuration for mcast_rate is defined as Kbit/s when
using wpa_supplicant for IBSS/802.11s and iw for unencrypted IBSS/802.11s.
But when using authsae, the unit for the same option is redefined as
Mbit/s. Better use the same unit for this option independent of the backend
which is used.

Old values for mcast_rate (< 1000) are still interpreted Mbit/s to avoid
problems during upgrades from older versions.

Signed-off-by: Sven Eckelmann <sven@open-mesh.com>

SVN-Revision: 47614
2015-11-24 18:28:35 +00:00
John Crispin
b816d6276d authsae: Fix meshid in authsae config
The variable $mesh_id was never defined in authsae_start_interface and thus
the option meshid in $authsae_conf_file was always set to "".

Signed-off-by: Sven Eckelmann <sven@open-mesh.com>

SVN-Revision: 47613
2015-11-24 18:28:19 +00:00
Steven Barth
0c450f1f47 odhcpd: correctly handle netlink congestion case
Thanks to @ktgeek and @willmo for diagnosing

Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 47514
2015-11-19 11:49:21 +00:00
Felix Fietkau
047f9ef8eb hostapd: Use network_get_device instead of uci_get_state
This fixes the IAPP functionality.

Signed-off-by: Petko Bordjukov <bordjukov@gmail.com>

SVN-Revision: 47455
2015-11-11 08:34:59 +00:00
Luka Perkov
b18c9d271e uhttpd: add support for configuration option ubus_cors
Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 47448
2015-11-10 22:28:45 +00:00
Felix Fietkau
b613c96d94 openvpn: enable options consistency check even in the small build
Only costs about 3k compressed, but significantly improves handling of
configuration mismatch

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 47439
2015-11-10 12:04:04 +00:00
Felix Fietkau
1d6a530fe6 uhttpd: update to the latest version, adds support for redirect helper scripts
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 47419
2015-11-08 20:39:09 +00:00
Felix Fietkau
322de4101a lldpd: implement a reload hook
Seems the default one is not working as expected.
The way that reload should work is that the 'start' service
call should return 1 (if lldpd is running) and then a normal
restart would be called.

However, for lldpd a reload would mean just clearing all custom TLVs
(if they're configured) and reloading the configuration.

So, this patch adds a reload hook, which would:
 - 'start' lldpd if it's not running (because we return 1 if not running)
 - reload configuration if it is running (also previously
    clearing custom TLVs if present)

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>

SVN-Revision: 47367
2015-11-03 11:59:09 +00:00
Felix Fietkau
460640b6d7 hostapd: add default value to eapol_version (#20641)
r46861 introduced a new option eapol_version to hostapd, but did not
provide a default value. When the option value is evaluated,
the non-existing value causes errors to the systen log:
"netifd: radio0: sh: out of range"

Add a no-op default value 0 for eapol_version. Only values 1 or 2 are
actually passed on, so 0 will not change the default action in hostapd.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

SVN-Revision: 47361
2015-11-02 18:12:54 +00:00
Felix Fietkau
0a95179556 samba: convert init script to procd, add reload support
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 47292
2015-10-30 15:32:54 +00:00
Felix Fietkau
f79bae2fc0 relayd: update to the latest version, fixes some issues found by Coverity
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 47285
2015-10-30 15:17:47 +00:00
John Crispin
4725cde867 omcproxy: fix PKG_LICENSE string
Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 47264
2015-10-26 09:01:48 +00:00
John Crispin
27002c207e uhttpd: update to latest git HEAD
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 47240
2015-10-20 18:16:05 +00:00
John Crispin
00df239f60 uhttpd: update to latest git revision
adds URL alias support

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 47206
2015-10-19 10:08:01 +00:00
Luka Perkov
75078acd93 cosmetic: remove trailing whitespaces
Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 47197
2015-10-15 22:12:13 +00:00
Jo-Philipp Wich
b345461070 uhttpd: fix keep-alive bug (#20607, #20661)
The two commits

  5162e3b0ee7bd1d0fd6e75e1ca7993a1834b5291
	"allow request handlers to disable chunked reponses"

and

  618493e378e2239f0d30902e47adfa134e649fdc
	"file: disable chunked encoding for file responses"

broke the chunked transfer encoding handling for proc responses in keep-alive
connections that followed a file response with http status 204 or 304.

The effect of this bug is that cgi responses following a 204 or 304 one where
sent neither in chunked encoding nor with a content-length header, causing
browsers to stall until the keep alive timeout was reached.

Fix the logic flaw by inverting the chunk prevention flag in the client state
and by testing the chunked encoding preconditions every time instead of
once upon client (re-)initialization.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 47161
2015-10-07 22:14:48 +00:00
Felix Fietkau
8aa110f7a2 hostapd: wait longer for inactive client probe (empty data frame)
One second is not enough for some devices to ackowledge null data frame
which is sent at the end of ap_max_inactivity interval. In particular,
this causes severe Wi-Fi instability with Apple iPhone which may take
up to 3 seconds to respond.

Signed-off-by: Dmitry Ivanov <dima@ubnt.com>

SVN-Revision: 47149
2015-10-06 12:33:10 +00:00
John Crispin
8181976067 lldpd: wrap procd command args in separate quotes
Seems the match pattern was being adapted from 'eth0' to ' eth0'
because of the way I added the procd command args.

This did not seem to be a problem when there were multiple interfaces,
just on devices with single interfaces for lldpd to listen on.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>

SVN-Revision: 47136
2015-10-05 10:29:01 +00:00
John Crispin
af2429f104 openvpn: add handling for route-pre-down option
OpenVPN 2.3 added a route-pre-down option, to run a command before
routes are removed upon disconnection.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>

SVN-Revision: 47134
2015-10-05 10:28:47 +00:00
Rafał Miłecki
b6320a63a2 hostapd: check for banned client on association event
When using FullMAC drivers (e.g. brcmfmac) we don't get mgmt frames so
check for banned client in probe request handler won't ever be used.
Since cfg80211 provides us info about STA associating let's put a check
there.

Signed-off-by: Rafał Miłecki <zajec5@gmail.com>

SVN-Revision: 47064
2015-09-28 09:09:00 +00:00
Felix Fietkau
4e4b4c8cb5 igmpproxy: fix spurious restarts on interface events, pass used netdevs to procd instead
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 47055
2015-09-26 23:27:23 +00:00
Felix Fietkau
68f5382407 dropbear: add respawn param in case dropbear crashes
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>

SVN-Revision: 47033
2015-09-24 08:37:40 +00:00
Steven Barth
836d462b10 package: Remove dependencies to kmod-ipv6
Since r46834, IPv6 support is builtin if selected. Therefor, dependencies
on kmod-ipv6 can no longer be fulfilled, since it is not a module anymore.

Signed-off-by: Arjen de Korte <arjen+openwrt@de-korte.org>

SVN-Revision: 47022
2015-09-21 21:15:41 +00:00
John Crispin
251b58a0a5 lldpd: add extra respawn params
Signed-off-by: Alexandru Ardelean <aa@ocedo.com>

SVN-Revision: 46969
2015-09-16 08:32:41 +00:00
John Crispin
9885e32521 lldpd: conversion of init script to procd format
And add respawn param (the main reason for this conversion).

Signed-off-by: Alexandru Ardelean <aa@ocedo.com>

SVN-Revision: 46968
2015-09-16 08:32:33 +00:00
John Crispin
fc19ec21e4 lldpd: move /var/run creation + chmod earlier
Signed-off-by: Alexandru Ardelean <aa@ocedo.com>

SVN-Revision: 46967
2015-09-16 08:32:27 +00:00
John Crispin
5007f488bb lldpd: remove obsolete/unsupported lldpctl call
This call is no longer supported.
Maybe a come-back for it would be to use a config /etc/lldpd.conf
or /etc/lldpd.d/<some-file>.conf

Signed-off-by: Alexandru Ardelean <aa@ocedo.com>

SVN-Revision: 46966
2015-09-16 08:32:18 +00:00
Steven Barth
3c335bb439 ppp: use more reliable way to set script environment
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46942
2015-09-15 14:52:47 +00:00
Steven Barth
76ed9f3dbd omcproxy: use 100ms query response interval by default
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46940
2015-09-15 07:54:55 +00:00
Felix Fietkau
42a3d7811f mac80211/hostapd: rework 802.11w driver support selection, do not hardcode drivers in hostapd makefile
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 46903
2015-09-14 06:51:10 +00:00
Felix Fietkau
9abc02479e hostapd: Add eapol_version config option
Add eapol_version to the openwrt wireless config ssid section.
Only eapol_version=1 and 2 will get passed to hostapd, the default
in hostapd is 2.

This is only useful for really old client devices that don't
accept eapol_version=2.

Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>

SVN-Revision: 46861
2015-09-11 16:33:54 +00:00
Felix Fietkau
beabe8af46 openvpn: remove __DATE__ from options output
reported by:
https://reproducible.debian.net/openwrt/dbd/ar71xx/base/openvpn-nossl_2.3.7-1_ar71xx.ipk.html

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>

SVN-Revision: 46860
2015-09-11 16:33:39 +00:00
Felix Fietkau
3adce75a67 hostapd: work around unconditional libopenssl build dependency
As the OpenWrt build system only resolves build dependencies per directory,
all hostapd variants were causing libopenssl to be downloaded and built,
not only wpad-mesh. Fix this by applying the same workaround as in
ustream-ssl.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>

SVN-Revision: 46851
2015-09-11 16:31:18 +00:00
Steven Barth
0c8f0186d5 linux: make IPv6 builtin if selected (saves >30KB)
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46834
2015-09-09 12:20:36 +00:00
Steven Barth
e07959cade package: replace ifconfig-usage with ip
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46832
2015-09-08 17:44:24 +00:00
Steven Barth
8a7a939470 dropbear: remove generation and configuration of DSS keys
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46815
2015-09-08 08:59:40 +00:00
Felix Fietkau
a4cf4c35af dropbear: disable 3des, cbc mode, dss support, saves about 5k gzipped
While technically required by the RFC, they are usually completely
unused (DSA), or have security issues (3DES, CBC)

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 46814
2015-09-08 08:55:10 +00:00
Steven Barth
d196b1fc2e Disable telnet in favor of passwordless SSH
This enables passworldless login for root via SSH whenever no root
password is set (e.g. after reset, flashing without keeping config
or in failsafe) and removes telnet support alltogether.

Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46809
2015-09-07 19:29:25 +00:00
Felix Fietkau
b850e1e59f uhttpd: update to the latest version, fixes deferred cgi script processing (#20458)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 46807
2015-09-07 19:18:58 +00:00
Steven Barth
8ac42ac28b odhcpd: fix parsing of host entries without duid
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46803
2015-09-07 13:31:36 +00:00
Steven Barth
60e786c4cd odhcpd: various bugfixes
* ra: don't announce as default router if we aren't (regression)
* ra: reduce maximum announced dns lifetimes due to buggy clients
* dhcpv6: fix mac-based lease-matching

Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46802
2015-09-07 09:49:35 +00:00
Steven Barth
f96bf30dc6 comgt/umbim/uqmi: enable RFC 7278 for 3g/4g by default
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46780
2015-09-03 15:53:40 +00:00
Felix Fietkau
f5ba6aad34 mdns: update to the latest version, fixes a spurious build error
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 46778
2015-09-03 13:15:19 +00:00
Steven Barth
fc41846248 dnsmasq: make /tmp/dnsmasq.d and /tmp/hosts preferred over UCI settings
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46770
2015-09-02 11:49:00 +00:00
Steven Barth
a0d06f65ae dropbear: bump to 2015.68
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46769
2015-09-02 11:48:57 +00:00
Felix Fietkau
c8b481e0c1 mdns: fix having mulitple network entries in uci
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 46764
2015-09-02 09:23:52 +00:00
Steven Barth
750a344a55 odhcpd: fix incorrect address assignment for DHCPv6
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46761
2015-09-01 13:31:00 +00:00
Felix Fietkau
5da52afa79 hostapd: properly enable 802.11w support
Add CONFIG_IEEE80211W variable to DRIVER_MAKEOPTS so that 802.11w
support is properly compiled in full variant.

This fixes #20179

Signed-off-by: Janusz Dziemidowicz <rraptorr@nails.eu.org>

SVN-Revision: 46737
2015-08-27 12:43:22 +00:00
Steven Barth
ab71e84084 omcproxy: fix last commit
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46717
2015-08-24 08:53:16 +00:00
Steven Barth
e81f860bca omcproxy: add new igmpv3 & mldv2 multicast proxy
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46716
2015-08-24 08:28:11 +00:00
Steven Barth
c154130ebd odhcpd: various RA improvements
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46694
2015-08-20 12:43:45 +00:00
Imre Kaloz
996399ba08 uhttpd: we don't know where the device is located, so reflect that in the cert
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>

SVN-Revision: 46688
2015-08-19 08:20:11 +00:00
Jo-Philipp Wich
241d151b9c uhttpd: pass X-HTTP-Method-Override header to cgi scripts
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 46677
2015-08-17 16:17:36 +00:00
John Crispin
e5488123e6 hostapd: Add vlan_file option to netifd.sh
Other VLAN related options are already being processed in netifd.sh
but the vlan_file option is missing. This option allows the mapping
of vlan IDs to network interfaces and will be used in dynamic VLAN
feature for binding stations to interfaces based on VLAN
assignments. The change is done similarly to the wpa_psk_file
option.

Signed-off-by: Gong Cheng <chengg11@yahoo.com>

SVN-Revision: 46652
2015-08-17 06:17:13 +00:00
Hauke Mehrtens
c9d7aa8704 samba36: preserve smbpasswd across sysupgrade
Add /etc/samba/smbpasswd to list of samba conffiles
thus preserving samba passwords across sysupgrade
by default.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

SVN-Revision: 46606
2015-08-15 14:49:06 +00:00
Hauke Mehrtens
186c711ccd dnsmasq: Bump to dnsmasq2.75
Fixes a 100% cpu usage issue if using dhcp-script.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 46550
2015-08-03 20:33:57 +00:00
Steven Barth
677f0e3e72 dnsmasq: Bump to dnsmasq2.74
Bump to dnsmasq2.74 & refresh patches to fix fuzz

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

SVN-Revision: 46522
2015-07-30 08:53:43 +00:00
Steven Barth
fefb6758f9 odhcpd: fix RA lifetimes
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46479
2015-07-24 13:51:43 +00:00
John Crispin
e7b34b2b0d buttons: make all button handler scripts return 0
this is required by the new button timeout feature

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 46471
2015-07-24 09:11:35 +00:00
John Crispin
027230ade2 dnsmasq: add some missing files to the jail
found with strace, not sure we got all of them though

Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>

SVN-Revision: 46467
2015-07-24 09:11:06 +00:00
Steven Barth
56e7ba4a1e odhcpd: fix last commit
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46393
2015-07-17 11:09:13 +00:00
Steven Barth
9a977c2b11 odhcpd: fix dhcpv6 relay forwarding
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46392
2015-07-17 08:47:48 +00:00
Felix Fietkau
e23c3bb339 wpa-supplicant: add 802.11r client support
Add 802.11r client support to wpa_supplicant. It's only enabled in
wpa_supplicant-full. hostapd gained 802.11r support in commit r45051.

Tested on a TP-Link TL-WR710N sta psk client with two 802.11r enabled
openwrt accesspoints (TP-Link TL-WDR3600).

Signed-off-by: Stefan Hellermann <stefan@the2masters.de>

SVN-Revision: 46377
2015-07-15 08:16:22 +00:00
Steven Barth
f08895d0e9 odhcpd: also unify router and DNS lifetimes
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46376
2015-07-15 07:38:54 +00:00
Steven Barth
d8e082c593 odhcpd: fix RA lifetime calculation
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46375
2015-07-15 06:57:43 +00:00
Steven Barth
a5641a6444 odhcpd: use 65535s as default lifetime and make interval configurable
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46370
2015-07-14 20:10:46 +00:00
Steven Barth
63ef3540d1 odhcpd: unsolicited unicast RAs + fix NDP-relay
odhcpd now sends unsolicited RAs also via unicast to known link-local
neighbors. This is an attempt to work-around common smartphone issues
https://code.google.com/p/android/issues/detail?id=32662

Also NDP-relay should now work more reliably now

Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46357
2015-07-14 09:12:29 +00:00
Steven Barth
59f5eefe8c dnsmasq: Add sequential_ip UCI parameter
When enabled the dnsmasq DHCP server allocates the IP addresses sequentially
starting from the lowest available IP address.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

SVN-Revision: 46211
2015-07-07 08:13:22 +00:00
Steven Barth
c5c819c494 dnsmasq: enable extra tracing by default when UCI parameter logqueries is set
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

SVN-Revision: 46210
2015-07-07 08:13:16 +00:00
Felix Fietkau
a9c39a27b5 mdns: fix ubus wait_for command
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 46156
2015-07-02 11:26:12 +00:00
Steven Barth
23633249c8 ppp: honor LDFLAGS
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 46068
2015-06-19 17:07:11 +00:00
Felix Fietkau
63cb31d9ec openvpn: bump to 2.3.7.
Two patches are dropped as they were already applied upstream.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

SVN-Revision: 46027
2015-06-18 06:41:49 +00:00
Steven Barth
54bbebc633 Update dnsmasq to v2.73.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>

SVN-Revision: 45988
2015-06-15 08:10:59 +00:00
Felix Fietkau
7afbd4fc36 openvpn: bump PKG_RELEASE.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

SVN-Revision: 45962
2015-06-14 17:41:54 +00:00
Felix Fietkau
2c9fbdf0bc openvpn: let instances drop to nobody in default config.
This is for security precautions.  As persist_tun and persist_key are
already there, this should not cause compatibility issue.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

SVN-Revision: 45961
2015-06-14 17:41:43 +00:00
Felix Fietkau
3f726e7b2e openvpn: fix handling option auth_retry.
As reported in ticket #19104, auth_retry takes a <type> argument with 3
choices: none, nointeract, interact.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

SVN-Revision: 45960
2015-06-14 17:41:38 +00:00
Felix Fietkau
32055c0833 samba36: remove host build paths
- fix iconv detection because it adds host paths
- disable python detection (host python-config is found)

iconv issue is reported by buildbot config.log + replicated locally
see config.log in logs.tar.gz
python issue observed locally on Arch Linux

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>

SVN-Revision: 45953
2015-06-14 17:40:52 +00:00
Steven Barth
cd89dbd91d ppp: bump PKG_RELEASE
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45949
2015-06-12 07:38:00 +00:00
Steven Barth
48a95eff38 ppp : Unnumbered support
Adds PPP unnumbered support via the parameter unnumbered which points to a logical OpenWRT interface.
The PPP proto shell handler will "borrow" an IP address from the unnumbered interface (if multiple
IP addresses are present the longest prefix different from 32 will be "borrowed") for which a host
interface dependency will be created. Due to the host interface dependency the PPP unnumbered interface
will only "borrow" an IP address from an interface which is up.
The borrowed IP address will be shared as local IP address by the PPP daemon and no other local IP
will be accepted from the peer in the IPCP negotiation.

A typical use case is the usage of a public IP subnet on the Lan interface which will be shared
by the PPP interface as local IP address.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

SVN-Revision: 45948
2015-06-12 07:37:53 +00:00
Steven Barth
73fb57ada4 dnsmasq: bump to 2.73rc9
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45924
2015-06-08 04:48:16 +00:00
Steven Barth
c6a6f75436 dnsmasq: fix config file typo
s/loclal/local/

Signed-off-by: Jonathan McCrohan <jmccrohan@gmail.com>

SVN-Revision: 45923
2015-06-08 04:48:08 +00:00
Felix Fietkau
ecaacad14d hostapd: move ht_coex variable to mac80211.sh, guarded by 802.11n support
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45917
2015-06-06 23:09:43 +00:00
Hauke Mehrtens
5621a56d25 ppp: fix download URL
The file is not available at the older path any more.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 45910
2015-06-06 13:50:00 +00:00
John Crispin
281cb95a9d lldpd: add option to disable custom TLVs
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>

SVN-Revision: 45884
2015-06-03 13:59:14 +00:00
Felix Fietkau
91467cec6f hostapd: add a new option to control HT coexistance separate from noscan
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45873
2015-06-02 08:39:19 +00:00
John Crispin
2bc9e8e50c lldpd: disable xml explicitly
This prevents auto-detection of libxml2 and thus the error:
Package lldpd is missing dependencies for the following libraries:
libxml2.so.2

Preventing a dependency to libxml2 is preferred, since libxml2
would be a out-of-(core-)tree dependency.

Reported-by: Buildbot
Signed-off-by: Michael Heimpold <mhei@heimpold.de>

SVN-Revision: 45859
2015-05-31 17:46:09 +00:00
Jo-Philipp Wich
531a7e469a uhttpd: use 307 for HTTPS redirections to retain request method
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 45853
2015-05-30 21:14:33 +00:00
Jo-Philipp Wich
4f58248a7d uhttpd: add support for enforcing https
Also set HTTPS environment variable for CGI programs on SSL connections.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 45852
2015-05-30 20:55:14 +00:00
Jo-Philipp Wich
be16b184e2 uhttpd: inhibit chunked transfer encoding for static file responses
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 45850
2015-05-30 14:05:40 +00:00
Jo-Philipp Wich
8df45565e9 lldpd: update to v0.7.15 and add support for parsing /etc/openwrt_release
Also drop superseded patches.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 45810
2015-05-28 16:19:38 +00:00
Felix Fietkau
27aada7658 ppp: do not warn if connect() before close() on pppoe terminate fails (fixes #19651)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45755
2015-05-26 07:02:49 +00:00
Steven Barth
8304c0c04d odhcpd: fix DHCPv6 downstream PD
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45707
2015-05-21 15:07:54 +00:00
Steven Barth
51d97db185 dnsmasq: bump to dnsmasq2.73rc8 Important.
Bump dnsmasq to v2.73rc8

Important - fixes remotely exploitable buffer overflow introduced in all v2.73 test/release candidates.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

SVN-Revision: 45693
2015-05-17 08:06:45 +00:00
Steven Barth
a11d2f1cb2 odhcpd: ignore /64 on interface when doing PD
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45679
2015-05-13 12:31:06 +00:00
Steven Barth
e9999a7168 odhcpd: remove invalid call to free()
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45675
2015-05-11 19:49:03 +00:00
Felix Fietkau
53a5647414 ppp: remove the persist option, netifd handles reconnects
Significantly reduces reconnect delay

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45654
2015-05-09 21:14:46 +00:00
Felix Fietkau
06556a8e6b hostapd: fix remote denial of service vulnerability in WMM action frame parsing
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45619
2015-05-06 09:45:39 +00:00
Felix Fietkau
a503023ec2 hostapd: enable 802.11w only for the full variants
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45616
2015-05-06 00:59:36 +00:00
Felix Fietkau
5533a67e3a openvpn: replace polarssl run-time version check with a compile-time one
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45608
2015-05-05 10:09:16 +00:00
Jo-Philipp Wich
a28deda590 openvpn: disable CBC record splitting in PolarSSL/mbedTLS (#19101)
OpenVPN assumes that its control channel messages are sent and received
unfragmented, this assumption is broken when CBC record splitting is
enabled in mbedTLS.

The record splitting is intended as countermeasure against BEAST attacks
which do not apply to OpenVPN, therefore we simply disable it until
upstream OpenVPN gains the ability to process fragmented control
messages.

Disabling the splitting also works around a (not remotely triggerable)
segmentation fault in mbedTLS.

References:

 * https://dev.openwrt.org/ticket/19101
 * https://community.openvpn.net/openvpn/ticket/524
 * https://github.com/ARMmbed/mbedtls/pull/185

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 45602
2015-05-04 08:49:21 +00:00
Steven Barth
fc84123c2f dnsmasq: bump to 2.73rc7
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45587
2015-04-29 07:19:24 +00:00
Steven Barth
4fb99ec22f odhcpd: Remove prefix class config option as not supported anymore by odhcpd
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

SVN-Revision: 45586
2015-04-28 14:58:54 +00:00
Steven Barth
62e7f07615 dnsmasq: bump to 2.73rc6
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45572
2015-04-23 13:05:15 +00:00
Felix Fietkau
eba659cbba hostapd: backport fix for CVE-2015-1863, refresh patches
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45567
2015-04-23 08:01:51 +00:00
Nicolas Thill
05d28c47e8 hostapd: mark wpa-supplicant & wpad-mesh as broken on uml
Signed-off-by: Nicolas Thill <nico@openwrt.org>

SVN-Revision: 45561
2015-04-22 15:36:00 +00:00
Steven Barth
c6cd1f1632 odhcpd: minor fixes
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45539
2015-04-21 07:45:49 +00:00
Felix Fietkau
ce0eddc2fb hostapd/netifd: encrypted mesh with wpa_supplicant
Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 45519
2015-04-20 15:00:07 +00:00
Steven Barth
af4d04ed36 dropbear: update to 2015.67
fixes dbclient login into OpenSSH 6.8p1
error: "Bad hostkey signature"

reported on irc, replicated with Arch Linux

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>

SVN-Revision: 45493
2015-04-18 11:25:01 +00:00
John Crispin
125b2ced63 hostapd: Fix wps button hotplug script to handle multiple radios
Hostapd's control file location was changed in 2013, and that has apparently
broken the wps button hotplug script in cases where there are multiple radios
and wps is possibly configured also for the second radio. The current wps
button hotplug script always handles only the first radio.

https://dev.openwrt.org/browser/trunk/package/network/services/hostapd/files/wps-hotplug.sh

The reason is that the button hotplug script seeks directories like
/var/run/hostapd*, as the hostapd-phy0.conf files were earlier in
per-interface subdirectories.

Currently the *.conf files are directly in /var/run and the control sockets
are in /var/run/hostapd, but there is no subdirectory for each radio.

root@OpenWrt:/# ls /var/run/hostapd*
/var/run/hostapd-phy0.conf  /var/run/hostapd-phy1.conf

/var/run/hostapd:
wlan0  wlan1

The hotplug script was attempted to be fixed after the hostapd change by
r38986 in Dec2013, but that change only unbroke the script for the first
radio, but left it broken for multiple radios.
https://dev.openwrt.org/changeset/38986/

The script fails to find subdirectories with [ -d "$dir" ], and passes just
the only found directory /var/run/hostapd, leading into activating only the
first radio, as hostapd_cli defaults to first socket found inthe passed
directory:
root@OpenWrt:/# hostapd_cli -?
...
usage: hostapd_cli [-p<path>] [-i<ifname>] [-hvB] [-a<path>] \
                    [-G<ping interval>] [command..]
...
    -p<path>     path to find control sockets (default: /var/run/hostapd)
...
    -i<ifname>   Interface to listen on (default: first interface found in the
                 socket path)

Below is a run with the default script and with my proposed solution.

Default script (with logging added):
==================================
root@OpenWrt:/# cat /etc/rc.button/wps
#!/bin/sh

if [ "$ACTION" = "pressed" -a "$BUTTON" = "wps" ]; then
         for dir in /var/run/hostapd*; do
                 [ -d "$dir" ] || continue
                 logger "WPS activated for: $dir"
                 hostapd_cli -p "$dir" wps_pbc
         done
fi

 >>>> WPS BUTTON PRESSED <<<<<

root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan0 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan1 wps_get_status
PBC Status: Timed-out
Last WPS result: None
root@OpenWrt:/# logread | grep WPS
Tue Apr 14 18:38:50 2015 user.notice root: WPS activated for: /var/run/hostapd

wlan0 got WPS activated, while wlan1 remained inactive.

I have modified the script to search for sockets instead of directories and
to use the "-i" option with hostapd_cli, and now the script properly
activates wps for both radios. As "-i" needs the interface name instead of
the full path, the script first changes dir to /var/run/hostapd to get simply
the interface names.

Modified script (with logging):
===============================
root@OpenWrt:/# cat /etc/rc.button/wps
#!/bin/sh

if [ "$ACTION" = "pressed" -a "$BUTTON" = "wps" ]; then
         cd /var/run/hostapd
         for dir in *; do
                 [ -S "$socket" ] || continue
                 logger "WPS activated for: $socket"
                 hostapd_cli -i "$socket" wps_pbc
         done
fi

 >>>> WPS BUTTON PRESSED <<<<<

root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan0 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan1 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# logread | grep WPS
Tue Apr 14 18:53:06 2015 user.notice root: WPS activated for: wlan0
Tue Apr 14 18:53:06 2015 user.notice root: WPS activated for: wlan1

Both radios got their WPS activated properly.

I am not sure if my solution is optimal, but it seems to work. WPS button is
maybe not that often used functionality, but it might be fixed in any case.
Routers with multiple radios are common now, so the bug is maybe more
prominent than earlier.

The modified script has been in a slightly different format in my community
build since r42420 in September 2014.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

SVN-Revision: 45492
2015-04-18 10:19:37 +00:00
Steven Barth
0d1b5a1fd2 network: also shorten virtual interface names of ppp and 3g/4g connections
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45479
2015-04-17 14:47:12 +00:00
Steven Barth
6fad3d5524 odhcpd: fix accidental logic inversion
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45435
2015-04-14 14:21:52 +00:00
Steven Barth
7e5bf40cac odhcpd: avoid illegal memory access in some corner cases
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45428
2015-04-14 08:31:53 +00:00
Steven Barth
3633523ba6 dnsmasq: fix dnssec timestamp logic, backport crashfix
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45410
2015-04-13 07:49:29 +00:00
Felix Fietkau
e8a45bfc15 netifd: fix ieee80211r 'sh: bad number' in mac80211 setup (bug #19345)
Two errors "netifd: radio0: sh: bad number" have recently surfaced in system
log in trunk when wifi interfaces come up. I tracked the errors to checking
numerical values of some config options without ensuring that the option has
any value.

The errors I see have apparently been introduced by r45051 (ieee80211r in
hostapd) and r45326 (start_disabled in mac80211). My patches fix two
instances of "bad number", but there may be a third one, as the original
report in bug 19345 pre-dates r45326 and already has two "bad number" errors
for radio0.

https://dev.openwrt.org/ticket/19345

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

SVN-Revision: 45380
2015-04-11 10:52:01 +00:00
Steven Barth
f9b0423836 odhcpd: send current hop-limit by default in RAs
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45359
2015-04-10 11:52:42 +00:00
Steven Barth
747c33859b dnsmasq: bump to 2.73rc4
Fix crash caused by malformed DNS requests
Improved DNSSEC handling

Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45354
2015-04-10 10:19:17 +00:00
John Crispin
2b95d21fdb hostapd: remove unused asprintf parameter
r45270 removed ieee80211n=%d from the format string but didn't remove
the parameter itself. Though this probably doesn't cause any harm, it's
quite confusing and unneeded.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 45351
2015-04-10 08:31:26 +00:00
John Crispin
4b0211b547 ppp: Detailed last error support
Enables last error support for the PPP protocol handlers.
In generic teardown the PPP daemon exit code is translated into
a self explaining error string which is set as interface error
by proto_notify_error in case of failure.

Signed-off-by: Johan Peeters <johan.peeters111@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

SVN-Revision: 45333
2015-04-09 10:32:54 +00:00
John Crispin
88fa9a8422 dnsmasq: Add option '--servers-file'
The option '--servers-file' is available since dnsmasq v2.69.

Signed-off-by: Lars Kruse <lists@sumpfralle.de>

SVN-Revision: 45332
2015-04-09 10:32:46 +00:00
John Crispin
ff211def3e hostapd: add update_beacon to ubus binding
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45325
2015-04-09 10:31:45 +00:00
Steven Barth
6f5bbfa181 odhcpd: fix infinite lifetime handling in dhcpv6
thanks to Arjen de Korte

Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45279
2015-04-06 10:50:54 +00:00
Felix Fietkau
fe8d9f59da hostapd: when running AP+STA, preserve the AP 802.11n-enabled setting
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45270
2015-04-04 17:51:46 +00:00
John Crispin
16d291e2c9 ppp: Fix missing arg argument when using option flag OPT_A2STRVAL
The arg argument is missing to the printer call in the print_option
utility when the option flag OPT_A2STRVAL is set.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

SVN-Revision: 45264
2015-04-03 19:06:56 +00:00
John Crispin
9ccfbb841c ppp: Fix seg fault when using pppol2tp
PPPD crashes (SEGV) when the dump or dryrun options are specified and an option
is internally defined as "o_special" with an option flag of "OPT_A2STRVAL".
As the option value is not saved when the parameter is processed, a reference
to the option will result into a crash (e.g. when printing).

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

SVN-Revision: 45263
2015-04-03 19:06:45 +00:00
John Crispin
4bb94e5b2d samba36: add smb.conf.template to conffiles
User might have modified/extended template direct or by LuCI application.
So do not overwrite on update/upgrade.

Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>

SVN-Revision: 45258
2015-04-03 19:06:06 +00:00
Nicolas Thill
d1070a6330 mdns: add conffiles section
Signed-off-by: Nicolas Thill <nico@openwrt.org>

SVN-Revision: 45241
2015-04-02 14:53:07 +00:00
John Crispin
546ba7a39f samba: use INSTALL_CONF for the uci file
sorry about the broken commit earlier

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45226
2015-04-01 16:12:43 +00:00
Nicolas Thill
b7130aff21 samba36: fix typo in package/samba36-server/install
Signed-off-by: Nicolas Thill <nico@openwrt.org>

SVN-Revision: 45225
2015-04-01 15:59:14 +00:00
John Crispin
26a27231e6 samba: don't overwrite config file
fixes #19087

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45220
2015-04-01 13:39:23 +00:00
John Crispin
8acbb5783d dnsmasq: backport --tftp-no-fail to ignore missing tftp root
This patch backports the option --tftp-no-fail to dnsmasq and prevents the
service from aborting if the specified TFTP root directory is not available;
this might be the case if TFTP files are located on external media that might
occasionally not be present at startup.

Signed-off-by: Stefan Tomanek <stefan.tomanek+openwrt@wertarbyte.de>

SVN-Revision: 45213
2015-04-01 08:33:10 +00:00
Steven Barth
78552c24ba odhcpd: compile fixes
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45192
2015-03-31 17:30:56 +00:00
John Crispin
6aff392bff uhttpd: properly handle return codes
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45153
2015-03-30 12:35:13 +00:00
Steven Barth
24be294d8e odhcpd: fix default dhcpv6 behavior for non-/64
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45148
2015-03-30 08:53:22 +00:00
Steven Barth
0a0dec1c4a odhcpd: fix musl build, change default DHCPv6 behavior
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 45147
2015-03-30 08:49:47 +00:00
Felix Fietkau
e0e8900edd ead: clean up, fix musl build
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45110
2015-03-29 04:30:05 +00:00
Felix Fietkau
9f8be0befc authsae: remove bogus #include
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45107
2015-03-29 04:29:26 +00:00
Felix Fietkau
89abb27f2c hostapd: fix compile errors with nl80211 disabled (#19325)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45063
2015-03-27 14:55:01 +00:00
Felix Fietkau
44218424f1 hostapd: fix a compiler warning in ap+station patch
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45062
2015-03-27 14:54:53 +00:00
Felix Fietkau
8905eb39b6 hostapd: disable the bridge packet receive workaround, it is unnecessary on openwrt and could potentially harm performance
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45060
2015-03-27 14:54:41 +00:00
John Crispin
d8fc4d31d0 dnsmasq: we dont want to run in debug mode
a left over from the dnsmasq jail testing

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45058
2015-03-27 09:11:56 +00:00
Felix Fietkau
23b4bf6507 hostapd: add 802.11r support
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

SVN-Revision: 45051
2015-03-26 23:34:33 +00:00
Felix Fietkau
07b17c6b25 hostapd: allow multiple key management algorithms
To enable 802.11r, wpa_key_mgmt should contain FT-EAP or FT-PSK. Allow
multiple key management algorithms to make this possible.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

SVN-Revision: 45050
2015-03-26 23:34:24 +00:00
Felix Fietkau
4482d10a04 hostapd: append nasid to config for all WPA types
The 802.11r implementation in hostapd uses nas_identifier as PMK-R0 Key
Holder identifier. As 802.11r can also be used with WPA Personal, nasid
should be appended to the hostapd config for all WPA types.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

SVN-Revision: 45049
2015-03-26 23:34:10 +00:00
Felix Fietkau
eedf17dc9e hostapd: add dependency to hostapd-common
'hostapd-common' is needed by all of the variants for wifi to function
correctly (a number of the target profiles simply select 'wpad-mini').

Signed-off-by: Nathan Hintz <nlhintz@hotmail.com>

SVN-Revision: 45048
2015-03-26 23:34:01 +00:00
Felix Fietkau
cec80c7267 hostapd: package wpad-mesh and wpa_supplicant-mesh variants
These new variants include support for mesh mode and SAE crypto.
They always depend on openssl as EC operations are not provided by
the internal crypto implementation.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 45047
2015-03-26 23:33:56 +00:00
Felix Fietkau
184bac2707 hostapd: add switch_chan and set_vendor_elements ubus methods
Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45046
2015-03-26 23:33:52 +00:00
Felix Fietkau
9c7784e5f3 hostapd: update hostapd to 2015-03-25
madwifi was dropped upstream, can't find it anywhere in OpenWrt
either, thus finally burrying madwifi.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45045
2015-03-26 23:33:47 +00:00
John Crispin
eadb51fa98 mdns: add jail and seccomp support
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45012
2015-03-26 10:58:44 +00:00
John Crispin
f5e2b62ab7 dnsmasq: add jail support
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45011
2015-03-26 10:58:30 +00:00
Jo-Philipp Wich
437d710546 lldpd: add option to disable privilege separation
Helpful to disable when debugging lldpd crashes (when working on it).
When privilege separation is on, some crashes are stack-traced to
some privilege separation code.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>

SVN-Revision: 44967
2015-03-24 10:13:08 +00:00
Felix Fietkau
5d9eeab64a build: remove obsolete references to cris and avr32
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 44965
2015-03-24 10:07:40 +00:00
John Crispin
1312cd9263 lldpd: add Build/InstallDev rule
For using liblldpctl to talk to lldpd (via unix sockets).

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>

SVN-Revision: 44924
2015-03-21 21:47:34 +00:00
Felix Fietkau
f88687aaf9 igmpproxy: add names for default config lan/wan phyint sections to make it easier to refer to them from scripts
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 44896
2015-03-19 20:37:40 +00:00
John Crispin
29c3611294 igmpproxy: Multiple downlink interfaces fix.
from Erik Tews <erik@datenzone.de>

This patch has two effects. First, the quickleave feature/behaviour is
disabled for all groups that are used on more than one interface. The
idea of quickleave is to leave a group fast and later figure out whether
there is still somebody interested in that group. For groups used on
more than one interface, it is already known that there is still
somebody interested in that group.

Second, when a leave is received for a group that is used on more than
one interface, igmpproxy sends queries on all interface to discover
remeining listeners for that group. Previously these queries were only
send on the interface the leave was received on, so that listeners on
the other interfaces were not discovered and the group might be left on
the upstream router incorrectly.

This patch can be improved by sending the queries only on the interface
the leave was received on and adapting the algorithm in
internAgeRoute(...) in rttable.c in a way that only one interface is
actually processed and all other interfaces of the route are silently
assumed to be still active.

Signed-off-by: Erik Tews <erik@datenzone.de>

SVN-Revision: 44859
2015-03-17 09:43:07 +00:00
Nicolas Thill
81ff0511df packages: more (e)glibc fixes after r44701
_GNU_SOURCE has been declared "deprecated" in favor of _DEFAULT_SOURCE in glibc

Signed-off-by: Nicolas Thill <nico@openwrt.org>

SVN-Revision: 44843
2015-03-16 12:32:22 +00:00
Nicolas Thill
4b382a440b packages: some (e)glibc fixes after r44701
Signed-off-by: Nicolas Thill <nico@openwrt.org>

SVN-Revision: 44842
2015-03-16 12:25:06 +00:00
Felix Fietkau
83cdd1623c uhttpd: make generating SSL keys more reliable against interrupted boots
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 44772
2015-03-15 10:32:10 +00:00
John Crispin
ba21cbae3e dnsmasq: enable pxe-prompt, pxe-service config options
DNSMASQ has the ability to provide a menu to a pxeboot system, using
the --pxe-prompt and --pxe-service configuration options.  The current
init.d script converting the "dhcp" file to "dnsmasq.conf" does not
find these options, but they are supported.  This patch thus enables
the options.

Signed-off-by: Derek LaHousse <dlahouss@mtu.edu>

SVN-Revision: 44747
2015-03-13 08:39:08 +00:00
John Crispin
f728bfdae0 relayd: bump to latest git HEAD
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 44745
2015-03-13 08:38:46 +00:00
John Crispin
fb60dd2ae6 dnsmasq: Make parameters optional in dhcpboot config
The --dhcp-boot option of dnsmasq does not require servername and serveraddress
arguments if the builtin tftp server is used.

Signed-off-by: Stefan Tomanek <stefan.tomanek+openwrt@wertarbyte.de>

SVN-Revision: 44744
2015-03-13 08:38:35 +00:00
John Crispin
31b8de4587 lldpd: make LLDP-MED, DOT1 and DOT3 extensions disable-able
The names for the config options were taken from lldpd's
configure.ac file.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>

SVN-Revision: 44743
2015-03-13 08:38:25 +00:00
John Crispin
470e89f977 lldpd: add support for 'readonly_mode'
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>

SVN-Revision: 44689
2015-03-12 10:06:08 +00:00
John Crispin
e69626901e uhttp: update to latest git HEAD
this add json-c 0.12, sorry forgot to push this earlier today

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 44682
2015-03-11 17:58:47 +00:00
Steven Barth
8dc388f769 odhcpd: improvements for DHCPv4 and compile fixes
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 44619
2015-03-06 14:41:07 +00:00
Jo-Philipp Wich
c20e46f792 lldpd: fix passing multiple ifnames to the daemon
Instead of multiple -I arguments, lldpd expects a comma separated list.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 44585
2015-03-01 12:25:02 +00:00
Jo-Philipp Wich
b977134dc7 uhttpd: relay stderr to syslog
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 44548
2015-02-26 13:44:05 +00:00
Felix Fietkau
ae9999a766 samba36: update to 3.6.25, fixes remote code execution bug (CVE-2015-0240)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 44515
2015-02-24 07:21:25 +00:00
John Crispin
5e7d004633 ppp: Allow PPTP over a specified interface
In a dual-WAN setup, it's useful to specify an interface over which to
have PPTP.

Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>

SVN-Revision: 44507
2015-02-22 08:29:34 +00:00
Nicolas Thill
4b8ebb5d50 packages: remove uneeded PKG_BUILD_DIR overrides
Signed-off-by: Nicolas Thill <nico@openwrt.org>

SVN-Revision: 44498
2015-02-22 01:31:21 +00:00
John Crispin
ef87acc6a5 hostapd: fix c&p typo
https://dev.openwrt.org/ticket/19010

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 44484
2015-02-17 15:59:28 +00:00
John Crispin
8f3e9c91a8 hostapd: backport BSSID black/whitelists
This change adds the configuration options "bssid_whitelist" and
"bssid_blacklist" used to limit the AP selection of a network to a
specified (finite) set or discard certain APs.

This can be useful for environments where multiple networks operate
using the same SSID and roaming between those is not desired. It is also
useful to ignore a faulty or otherwise unwanted AP.

In many applications it is useful not just to enumerate a group of well
known access points, but to use a address/mask notation to match an
entire set of addresses (ca:ff:ee:00:00:00/ff:ff:ff:00:00:00).

This is especially useful if an OpenWrt device with two radios is used to
retransmit the same network (one in AP mode for other clients, one as STA for
the uplink); the following configuration prevents the device from associating
with itself, given that the own AP to be avoided is using the bssid
'C0:FF:EE:D0:0D:42':

config wifi-iface
	option device 'radio2'
	option network 'uplink'
	option mode 'sta'
	option ssid 'MyNetwork'
	option encryption 'none'
	list bssid_blacklist 'C0:FF:EE:D0:0D:42/00:FF:FF:FF:FF:FF'

This change consists of the following cherry-picked upstream commits:

b3d6a0a8259002448a29f14855d58fe0a624ab76
b83e455451a875ba233b3b8ac29aff8b62f064f2
79cd993a623e101952b81fa6a29c674cd858504f
(squashed to implement bssid_{white,black}lists)

0047306bc9ab7d46e8cc22ff9a3e876c47626473
(Add os_snprintf_error() helper)

Signed-off-by: Stefan Tomanek <stefan.tomanek+openwrt@wertarbyte.de>

SVN-Revision: 44438
2015-02-13 10:53:54 +00:00
Felix Fietkau
658a33688e relayd: update to the latest version, adds fixes by Alejandro Enrique
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 44389
2015-02-11 10:09:57 +00:00
Jo-Philipp Wich
ccc33238a4 openvpn: autostart openvpn instances for each .conf file in /etc/openvpn
Align init behaviour with other distros by starting an OpenVPN instance
for each config file found in /etc/openvpn/. This removes the additional
requirement to "register" the configs with uci and thus simplifies the
setup.

Make sure to respect the disabled state in uci to not suddenly autostart
instances which have been previously set to disabled, also skip configs
which are already started due to uci configuration.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 44310
2015-02-07 21:01:28 +00:00
Jo-Philipp Wich
a7c27877e2 uhttpd: fix another remaining relro issue in the Lua plugin
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 44143
2015-01-25 20:43:17 +00:00
Jo-Philipp Wich
634c8c215c uhttpd: fix time_t type mismatch on 32bit systems
The previous update introducing LFS support unconditionally changed the
sprintf() pattern used to print the file modification time to use PRIx64.

Explicitely convert the st_mtime member of the stat struct to uint64_t in
order to avoid type mismatch errors when building for non-64bit targets.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 44138
2015-01-25 17:59:08 +00:00
Jo-Philipp Wich
b82bd94b62 uhttpd: fix crash with enabled relro, memory leak in dirlists and lfs
* Fix the ubus plugin to not make its uhttpd_plugin entry symbol
   constant as uhttpd needs to modify its list_head member
 * Make sure that uhttpd supports large files by using 64bit ints
   where appropriate and by passing _FILE_OFFSET_BITS=64 to the build
 * Plug a possible memleak in the directory listing code

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 44135
2015-01-25 17:23:26 +00:00
Jo-Philipp Wich
8f5c0708ed uhttpd: fix exit code of mod-ubus postinstall script
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 44132
2015-01-25 15:54:43 +00:00
Felix Fietkau
768d09be87 mac80211/hostapd: fix HT mode setup for RSN ad-hoc networks
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 44100
2015-01-24 19:27:22 +00:00
Felix Fietkau
c180e8df1e relayd: prevent start for disabled interfaces
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 44099
2015-01-24 18:12:09 +00:00
Felix Fietkau
929559c946 ppp: on PPPoE, always send PADT when shutting down the connection
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 44097
2015-01-24 13:41:10 +00:00
Jo-Philipp Wich
639f388fc2 ppp: rework host-uniq support to take hex encoded strings
The previous implementation of the "host-uniq" option used plain strings for
passing the value to pppd which made it impossible to specify binary data.

Switch the format to a hex encoded string to support binary data.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 44094
2015-01-24 11:30:45 +00:00
Felix Fietkau
2f43d3dcba igmpproxy: add patch to silence unnecessary logging of downstream igmp traffic
This patch adds a simple check to silence logging of messages about
unrecognized igmp packets which originate from devices in local network.

Without this patch igmpproxy floods openwrt syslog with messages such as:
  user.warn igmpproxy[19818]: The source address 192.168.1.175 for group
  239.255.250.250, is not in any valid net for upstream VIF.

Signed-off-by: Antti Seppälä <a.seppala@gmail.com>

SVN-Revision: 44020
2015-01-18 00:42:43 +00:00
John Crispin
16b45d21c6 dnsmasq: add option --quiet-dhcp
The --quiet-dhcp setting increases privacy by omitting DHCP lease logs including MAC addresses.

Signed-off-by: Lars Kruse <devel@sumpfralle.de>

SVN-Revision: 44006
2015-01-17 14:38:55 +00:00
John Crispin
491f3fc048 Support for building an hardened OpenWRT
Introduce configuration options to build an "hardened" OpenWRT.

Options to enable Stack-Smashing Protection, FORTIFY_SOURCE and RELRO
have been introduced.

uClibc makefile now automatically detects if SSP support is necessary.

hostapd makefile has been fixed to use "^" as sed separator since
using a comma was problematic when using "-Wl,-z,now" and the like in
TARGET_CFLAGS.

Currently enabling SSP on user space depends on enabling SSP kernel
side, this is due to the fact that TARGET_CFLAGS are used to build
kernel modules (at least). Suggestions on how to avoid this are welcome.
Using "select" instead of "depends on" doesn't seem to work with choice
entries.

Tested with a lantiq (WBMR) router, GCC 4.8, uClibc and a subset of
the available packages.
Needs to be tested with GCC 4.9 and the remaining packages.
PIE not currently included.

Signed-off-by: Alessandro Di Federico <ale+owrt@clearmind.me>

SVN-Revision: 44005
2015-01-17 14:31:30 +00:00
Jo-Philipp Wich
59cab6dd48 dnsmasq: support and use local-service by default (#14951)
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 43982
2015-01-16 19:04:19 +00:00
Luka Perkov
5b0849b97f mdns: install uci package as config
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>

SVN-Revision: 43967
2015-01-14 09:59:26 +00:00
Rafał Miłecki
adaac86c7f hostapd: backport patch fixing handling new stations
This patch fixes adding new stations for some specific drivers when
using more than 1 BSS.

Signed-off-by: Rafał Miłecki <zajec5@gmail.com>

SVN-Revision: 43951
2015-01-12 22:10:00 +00:00
Jo-Philipp Wich
39d0b8fea8 lldpd: update to v0.7.13
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 43891
2015-01-09 12:35:09 +00:00
John Crispin
52c949e448 openvpn: procd_set_param respawn
Makes sure that the openvpn instance gets restarted in case of a crash.

Intentional stops using /etc/init.d/openvpn stop will not result in
respawning. Anything else will, e.g. killall openvpn.

Signed-off-by: Lars Gierth <larsg@systemli.org>

SVN-Revision: 43886
2015-01-08 20:26:41 +00:00
Jo-Philipp Wich
a0fb139369 openvpn: bump PKG_REVISION and copyright year
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 43859
2015-01-06 12:41:22 +00:00
Felix Fietkau
6493328c8f dnsmasq: fix dependency problems of the dnsmasq-full variant.
This patch tries to

 - Let the DHCPv6 feature depend on CONFIG_IPV6.
 - Conditionally select libnettle, kmod-ipv6, kmod-ipt-ipset only if the
   corresponding features are enabled.
 - Install `trust-anchors.conf` only if DNSSEC is selected.
 - Add PKG_CONFIG_DEPENDS for the configurable options.
 - Add a patch to let the Makefile of dnsmasq be aware of changes in
   COPTS variable.

Big thanks goes to Frank Schäfer <fschaefer.oss@googlemail.com> for
providing necessary information on connections and dependency relations
between these CONFIGs and packages.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

SVN-Revision: 43851
2015-01-05 13:03:48 +00:00
Felix Fietkau
4ea1edf840 hostapd: Add uapsd option to netifd.sh
The uapsd option sets the uapsd_advertisement_enabled flag in hostapd.

The check for phy support is already implemented here in hostapd since 2011:
http://w1.fi/cgit/hostap/commit/?id=70619a5d8a3d32faa43d66bcb1b670cacf0c243e

So this can be safely set to 1 as default.

Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>

SVN-Revision: 43846
2015-01-05 13:03:12 +00:00
Felix Fietkau
8bd2c446d4 openvpn: backport an upstream fix for a regression in using --cipher none (fixes #18676)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 43823
2015-01-04 12:03:29 +00:00
Felix Fietkau
b2de18bea4 hostapd: add support for configuring supported rates
patch by Wilco Baan Hofman from #18627

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 43782
2014-12-27 12:59:47 +00:00
Steven Barth
d945d7d647 dnsmasq: also add the actual patches...
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 43759
2014-12-22 09:52:19 +00:00
Steven Barth
1472eaec65 dnsmasq: backport some dnssec fixes
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 43758
2014-12-22 09:51:22 +00:00
Steven Barth
d9011ad6be dnsmasq: allow de-selecting features from -full variant.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

SVN-Revision: 43733
2014-12-17 05:59:12 +00:00
Felix Fietkau
8afce572b7 igmpproxy: do not attempt to ifstatus error messages as json
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 43660
2014-12-12 14:52:29 +00:00
Felix Fietkau
f48b7aa6e4 igmpproxy: do not start instance if no upstream interface is available
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 43659
2014-12-12 14:52:24 +00:00
Felix Fietkau
b37dc7e7ce igmpproxy: fix init script indentation
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 43658
2014-12-12 14:52:18 +00:00
Felix Fietkau
fe05893ffb openvpn: update to 2.3.6, fixes CVE-2014-8104
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 43482
2014-12-01 19:49:59 +00:00
John Crispin
d40842d180 hostapd: improve 802.1x dynamic vlan support with bridge names
In r41872 and r42787 Dynamic VLAN support was reintroduced, but the vlan_bridge
parameter is not read while setting up the config, so the default is used which
is undesirable for some uses.

Signed-off-by: Ben Franske <ben.mm@franske.com>

SVN-Revision: 43473
2014-12-01 16:15:20 +00:00
Felix Fietkau
ed5ed9cf6f hostapd: fix build error on some variants with CONFIG_WPA_RFKILL_SUPPORT=y (#17765)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 43345
2014-11-23 14:16:47 +00:00
Felix Fietkau
6c1c3cac55 hostapd: switch dependency from mac80211 to cfg80211
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>

SVN-Revision: 43339
2014-11-21 20:38:14 +00:00
Matteo Croce
9ee442d0f9 pppd: add option to set custom host-uniq pppoe tag
SVN-Revision: 43241
2014-11-14 16:39:59 +00:00
Jo-Philipp Wich
6966aa0d50 lldpd: allow discovery protocols to be disabled from menuconfig
Signed-off-by: Michel Stam <m.stam@fugro.nl>
[jow: fixed condition for CONFIG_LLDPD_WITH_JSON]
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 43233
2014-11-11 09:49:20 +00:00
Nicolas Thill
f4417f7ad8 package/*: replace occurences of 'ln -sf' to '$(LN)'
Signed-off-by: Nicolas Thill <nico@openwrt.org>

SVN-Revision: 43205
2014-11-06 19:35:34 +00:00
Steven Barth
4e26b81c48 odhcpd: disable flash-renumbering hack for non-64 prefixes
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 43202
2014-11-06 13:37:50 +00:00
Steven Barth
c7ae195c9e mdnsd: add query / fetch methods, fix some bugs
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 43169
2014-11-03 19:35:53 +00:00
John Crispin
74a3a77bcd license info - revert r43155
turns out that r43155 adds duplicate info.

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 43167
2014-11-03 09:56:44 +00:00
John Crispin
c10d97484a Add more license tags with SPDX identifiers
Note, that licensing stuff is a nightmare: many packages does not clearly
state their licenses, and often multiple source files are simply copied
together - each with different licensing information in the file headers.

I tried hard to ensure, that the license information extracted into the OpenWRT's
makefiles fit the "spirit" of the packages, e.g. such small packages which
come without a dedicated source archive "inherites" the OpenWRT's own license
in my opinion.

However, I can not garantee that I always picked the correct information
and/or did not miss license information.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>

SVN-Revision: 43155
2014-11-03 08:01:08 +00:00
Steven Barth
bec9d38fa4 Add a few SPDX tags
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 43151
2014-11-02 12:20:54 +00:00
Jo-Philipp Wich
bc356cef82 ppp: support adaptive LCP echos
Port Debians adaptive LCP echo patch to pppd, make it configurable with UCI
and enable it by default.

When adaptive LCP echo is enabled, LCP echo requests are only sent if the
link is idle, this avoids the common situation where a congested PPP link
(e.g. during torrenting) is falsely detected as disconnected because the
LCP replies are not received in time.

Also bump the copyright year in the Makefile, remove a redundant maintainer
entry and fix the shell processing of the keepalive option when the two-
value syntax is used.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 43143
2014-11-01 12:37:03 +00:00
Jo-Philipp Wich
ba48074622 uhttpd: fix HTTP incompatibilities in file handler
* Fixes sending an extraneous message body for 204 and 304 resoponses which
   breaks Chrome in keep-alive mode.

 * Adds mimetypes for JSON and JSONP.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 43078
2014-10-27 10:25:07 +00:00
Felix Fietkau
3c9fcd2526 hostapd: update to 2014-10-25
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 43059
2014-10-25 16:48:45 +00:00
John Crispin
d5b734e145 hostapd: Add wpa_psk_file option to netifd.sh
The wpa_psk_file option offers the possibility to use a different WPA-PSK key for each client. The directive points to a file with the following syntax:

mac_address wpa_passphrase_or_hex_key

Example:

00:11:22:33:44:55 passphrase_for_client_1
00:11:22:33:44:67 passphrase_for_client_2
00:11:22:33:44:89 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

So it is possible to specify both ASCII passphrases and raw 64-chars hex keys.

Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>

SVN-Revision: 43001
2014-10-20 11:19:21 +00:00
Felix Fietkau
6c2a017553 authsae: fix musl build
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 42980
2014-10-19 23:04:02 +00:00
Steven Barth
6d3fd947e4 odhcpd: fix regression in dhcpv6 t1 and t2 calculation
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 42951
2014-10-18 15:47:31 +00:00
Steven Barth
f71f3afd20 odhcpd: multiple fixes
* Rewrite ndp proxy using kernel proxying
* Aid flash-renumbering in hybrid DHCPv6-mode
* Unicast RAs to RS senders
* Add support for router address

Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 42944
2014-10-17 11:18:52 +00:00
Steven Barth
99984eaeb3 hostapd: CVE-2014-3686 fixes
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 42942
2014-10-17 06:15:35 +00:00
John Crispin
20940138ac scripts: fix wrong usage of '==' operator
[base-files] shell-scripting: fix wrong usage of '==' operator

normally the '==' is used for invoking a regex parser and is a bashism.
all of the fixes just want to compare a string. the used busybox-ash
will silently "ignore" this mistake, but make it portable/clean at least.

this patch does not change the behavior/logic of the scripts.

Signed-off-by: Bastian Bittorf <bittorf@bluebottle.com>

SVN-Revision: 42911
2014-10-14 12:21:11 +00:00
Steven Barth
aad6cb99cf ppp: add unconditional autoipv6-trigger
SVN-Revision: 42860
2014-10-09 07:38:25 +00:00
Steven Barth
3f700643fa ppp: remove ugly ipv6-workaround
This is not needed after all:

Omitting option ipv6 or setting it to 'auto' will
fire up a dhcpv6 subprotocol (this was added).

Setting ipv6 to 1 will only cause the IPv6 link to
be brought up and an accompanying dhcpv6 or static
interface with ifname @wan can be used to configure addresses.

Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 42859
2014-10-09 07:35:28 +00:00
Steven Barth
b2d099c11c dropbear: ensure the interface has an ip-address
Use network_get_ipaddrs_all to get all ip-addresses of an interface. If the
function fails, the interface does not exists or has not any suiteable ip
addresses assigned.

Use the returned ip-address(es) to construct the dropbear listen address.

Signed-off-by: Mathias Kresin <openwrt@kresin.me>

SVN-Revision: 42857
2014-10-09 07:16:35 +00:00
Steven Barth
c62b07b2ce ppp: allow auto-detecting and creation of ipv6 subinterface
this makes ipv6 with ppp a bit more comfortable

Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 42854
2014-10-08 20:37:15 +00:00
John Crispin
344a304524 lldp: make use of new USERID syntax
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 42839
2014-10-08 08:01:33 +00:00
John Crispin
70d56d749b hostapd: read missing parameter for dynamic VLANs
In r41872 Dynamic VLAN support was reintroduced, but the vlan_naming
parameter is not read while setting up the config, so it always
defaults to 1.

Signed-off-by: Reiner Herrmann <reiner@reiner-h.de>

SVN-Revision: 42787
2014-10-06 04:52:21 +00:00
Felix Fietkau
bf0305725a hostapd: add conflicts with wpad(-mini) to hostapd and wpa_supplicant
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 42772
2014-10-05 16:41:50 +00:00
Felix Fietkau
62e6e788dd relayd: update to the latest version, fixes a build error with the new gcc (#18010)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 42765
2014-10-05 11:01:49 +00:00
Felix Fietkau
281f40cef2 hostapd: allow using iapp for any encryption type (fixes #18022)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 42764
2014-10-05 10:55:55 +00:00
Felix Fietkau
cd80931e03 hostapd: merge an upstream patch for pmksa cache
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 42762
2014-10-05 10:26:26 +00:00
Steven Barth
e15f03e5de authsae: update to latest version
Send a netlink call to leave the mesh when meshd exits
Make hunting-and-pecking loop (more) resistant to side channel attack

Signed-off-by: Michel Stam <m.stam@fugro.nl>

SVN-Revision: 42750
2014-10-02 19:47:28 +00:00
Steven Barth
dd948b7990 dnsmasq: bump to 2.72
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 42668
2014-09-26 08:57:36 +00:00
Steven Barth
71960baa7d odhcpd: fix segfault when parsing domain options in UCI
SVN-Revision: 42663
2014-09-25 11:53:12 +00:00
Steven Barth
2ccf88744c dnsmasq: fix lockup when interfaces disappear
SVN-Revision: 42648
2014-09-22 12:07:20 +00:00
John Crispin
ed2fff7452 hostapd: do not remove foreign wpa_supplicant sockets
https://dev.openwrt.org/ticket/17886

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 42586
2014-09-17 07:41:31 +00:00
Felix Fietkau
7ff276afd3 hostapd: remove bogus default setting for wps_pin (#17873)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 42553
2014-09-15 16:09:23 +00:00
Hauke Mehrtens
2c605ba1f1 ppp: update to version 2.4.7
This fixes: CVE-2014-3158 and some other bugs.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 42525
2014-09-13 20:56:13 +00:00
John Crispin
5920eac8ee lldp: remove calls to user/group_add/exists
use the new ipkg based mechanism

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 42472
2014-09-11 12:28:22 +00:00
Felix Fietkau
96b74d4eef hostapd: add ubus bindings for wps
With this patch WPS discovery can be started or canceled over ubus if
WPS is enabled in wireless configuration. This is equivalent of
'hostapd_cli wps_pbc' and 'hostapd_cli wps_cancel' commands.

Signed-off-by: Petar Koretic <petar.koretic@sartura.hr>

SVN-Revision: 42459
2014-09-10 13:01:53 +00:00
John Crispin
f769949e72 mdns: update to latest git head
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 42407
2014-09-02 21:39:40 +00:00
John Crispin
7f260ef6b7 dropbear: add mdns support to the init.d script
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 42326
2014-08-29 18:16:41 +00:00
John Crispin
645ee59a2d mdns: update to latest git
* ipv6
* 4 bugs in the dns parser
* service announcement
* tx goodbye support
* proper handling of rx goodbye

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 42325
2014-08-29 18:16:32 +00:00
John Crispin
f65ff468f7 dnsmasq: Make the --dhcp-host logic easier to understand
Use an if/else statement to cover the two different syntaxes.  Add
comments explaining what the end results should look like.

This patch should not change the script's output.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

SVN-Revision: 42320
2014-08-28 06:27:57 +00:00
John Crispin
5046209312 dnsmasq: Fix hosts file format when MAC address is not specified
An entry like this in /etc/config/dhcp:

    config 'host'
        option 'name' 'pc2'
        option 'ip' '192.168.100.56'
        option 'dns' '1'

results in a /tmp/hosts/dhcp entry that looks like this:

    192.168.100.56 .lan

Obviously it should say "pc2.lan".

This happens because $name is set to "" in order to support the MAC-less
syntax: "--dhcp-host=lap,192.168.0.199".  Fix this by reordering the
operations.  Also, refuse to add a DNS entry if the hostname or IP is
missing.

Fixes #17683

Reported-by: Kostas Papadopoulos <kpapad75@travelguide.gr>
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

SVN-Revision: 42319
2014-08-28 06:27:53 +00:00
John Crispin
449994b8c2 dnsmasq: Create rDNS records for LuCI "Hostnames"
LuCI creates "domain" UCI config sections, which the dnsmasq init file
then, currently, translates into "address" config lines. This is not
the correct usage of "address" (see r36943), and also causes rDNS
records to not be created. This patches dnsmasq.init to utilize the
additional hosts file introduced in r40799 for such domain names,
resolving both issues.

Signed-off-by: Tyler Fenby <tylerf@securecominc.com>

SVN-Revision: 42318
2014-08-28 06:27:49 +00:00
Jo-Philipp Wich
730589281e uhttpd: do not configure TLS parameters if libustream-ssl is not present
A quite frequent problem after sysupgrading from an older, SSL enabled build
is that ustream-ssl is not installed so uhttpd fails to come up again due to
https listening directives in the preserved configuration.

Skip key/cert and ssl listen options when libustream-ssl.so is not present.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 42284
2014-08-25 12:39:34 +00:00
John Crispin
2ae05c57f8 package/*: remove useless explicit set of function returncode
somebody started to set a function returncode in the validation
stuff and everybody copies it, e.g.

myfunction()
{
	fire_command

	return $?
}

a function automatically returns with the last returncode,
so we can safely remove the command 'return $?'. reference:

http://tldp.org/LDP/abs/html/exit-status.html
"The last command executed in the function or script determines the exit status."

Signed-off-by: Bastian Bittorf <bittorf@bluebottle.com>

SVN-Revision: 42278
2014-08-25 06:35:50 +00:00
Steven Barth
befad7432b odhcpd: fix static lease behavior with dhcpv4
SVN-Revision: 42270
2014-08-24 08:12:57 +00:00
Jonas Gorski
bb6905bd23 dropbear: restore performance by disabling mips16
Disable MIPS16 to prevent it negatively affecting performance.
Observed was a increase of connection delay from ~6 to ~11 seconds
and a reduction of scp speed from 1.1MB/s to 710kB/s on brcm63xx.

Fixes #15209.

Signed-off-by: Jonas Gorski <jogo@openwrt.org>

SVN-Revision: 42250
2014-08-21 11:29:04 +00:00
Jonas Gorski
932305f854 dropbear: fix keepalive more
Add a further upstream commit to more closely match the keepalive
to OpenSSH.

Should now really fix #17523.

Signed-off-by: Jonas Gorski <jogo@openwrt.org>

SVN-Revision: 42249
2014-08-21 11:29:02 +00:00
Steven Barth
0f49b1940e dnsmasq: fix a race condition possibly leading to lockup
SVN-Revision: 42225
2014-08-20 09:52:29 +00:00
Steven Barth
fe3d4f2176 odhcpd: various DHCPv4 and DHCPv6 fixes
SVN-Revision: 42217
2014-08-19 05:58:51 +00:00
Steven Barth
c36e312647 dnsmasq: respect option dhcpv4 disabled in dhcp-config
SVN-Revision: 42216
2014-08-19 05:58:44 +00:00
Jonas Gorski
006cdbfdbc dropbear: fix keepalive with putty
Don't send SSH_MSG_UNIMPLEMENTED for keepalive responses, which broke
at least putty.

Fixes #17522 / #17523.

Signed-off-by: Jonas Gorski <jogo@openwrt.org>

SVN-Revision: 42162
2014-08-13 20:49:56 +00:00
Steven Barth
a8a07e5156 odhcpd: improve DHCPv6-PD detection
SVN-Revision: 42160
2014-08-13 14:57:07 +00:00
Steven Barth
af964cafc3 ppp: enable IPv6CP by default
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 42158
2014-08-13 10:18:20 +00:00
Steven Barth
eba984b94b odhcpd: multiple DHCPv4 improvements (thx Christian Mehlis)
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 42153
2014-08-12 13:30:04 +00:00
Steven Barth
ff6363dc19 dropbear: update to 2014.65
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 42131
2014-08-11 13:02:43 +00:00
Luka Perkov
bc69ee8eab hostapd: fix some whitespaces
Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 42111
2014-08-11 08:44:48 +00:00
Steven Barth
c1d698fce4 odhcpd: avoid logspam in certain corner cases
SVN-Revision: 42067
2014-08-08 08:45:33 +00:00
Steven Barth
74941a0d25 odhcpd: write host-entries for all leased IPv6 addresses
SVN-Revision: 42065
2014-08-08 05:30:59 +00:00
Steven Barth
28007326d4 odhcpd: update hostfile more often
SVN-Revision: 42042
2014-08-07 18:07:37 +00:00
Steven Barth
4659a5f920 odhcpd: correct incorrect commit-id in last commit
SVN-Revision: 42026
2014-08-07 05:50:44 +00:00
Steven Barth
7dbe0cb7b1 odhcpd: skip MSRs in RAs for prefixes with same size as DP
SVN-Revision: 42024
2014-08-07 05:34:02 +00:00
Felix Fietkau
44cb68c038 hostapd: revert bogus version that was added in r41872
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 41960
2014-08-03 10:53:40 +00:00
Felix Fietkau
3e0247b95f igmpproxy: add missing include
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 41957
2014-08-03 10:45:31 +00:00
John Crispin
8d3f839da7 ppp: fix a buffer overrun in the ms chap code
https://dev.openwrt.org/ticket/17296

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 41882
2014-07-29 12:18:52 +00:00
Jo-Philipp Wich
b6153f92ad hostapd: Reintroduce Full Dynamic VLAN support
This patch brings full dynamic vlan support to netifd that existed in hostapd.sh in Attitude Adjustment.

Signed-off-by: Joseph CG Walker <Joe@ChubbyPenguin.net>
[jow@openwrt.org: changed commit message, rebased on top of current hostapd.sh]
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 41872
2014-07-29 09:48:02 +00:00
Felix Fietkau
c6d1992701 hostapd: add more missing ifdefs
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 41863
2014-07-28 22:52:39 +00:00