Commit Graph

3133 Commits

Author SHA1 Message Date
Hans Dedecker
04e0e4167e ppp: update to latest git HEAD
af30be0 Fix setting prefix for IPv6 link-local addresss
0314df4 Disable asking password again when prompt program returns 128

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-09-05 20:13:40 +02:00
David Bauer
7f676b5ed6 firewall: bump to latest HEAD
8c2f9fa fw3: zones: limit zone names to 11 bytes
78d52a2 options: fix parsing of boolean attributes

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-09-05 15:43:16 +02:00
Daniel Golle
80a194b100 hostapd: add hs20 variant
Add hostapd variant compiled with support for Hotspot 2.0 AP features.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-09-01 21:37:35 +01:00
Tony Ambardar
2f0d672088 bpftools: add utility and library packages supporting eBPF usage
Add support for building bpftool and libbpf from the latest 5.8.3 kernel
sources, ensuring up-to-date functionality and fixes. Both are written to
be backwards compatible, which simplfies build and usage across different
OpenWRT image kernels.

'bpftool' is the primary userspace tool widely used for introspection and
manipulation of eBPF programs and maps. Two variants are built: a 'full'
version which supports object disassembly and depends on libbfd/libopcodes
(total ~500KB); and a 'minimal' version without disassembly functions and
dependencies. The default 'minimal' variant is otherwise fully functional,
and both are compiled using LTO for further (~30KB) size reductions.

'libbpf' provides shared/static libraries and dev files needed for building
userspace programs that perform eBPF interaction.

Several cross-compilation and build-failure problems are addressed by new
patches and ones backported from farther upstream:

  * 001-libbpf-ensure-no-local-symbols-counted-in-ABI-check.patch
  * 002-libbpf-fix-build-failure-from-uninitialized-variable.patch
  * 003-bpftool-allow-passing-BPFTOOL_VERSION-to-make.patch
  * 004-v5.9-bpftool-use-only-ftw-for-file-tree-parsing.patch

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2020-08-31 12:23:59 +01:00
Hauke Mehrtens
4e2a994d2d ethtool: Update to version 5.8
The ipk sizes for mips_24Kc change like this:
old:
ethtool_5.4-1_mips_24kc.ipk	101.909

new:
ethtool_5.8-1_mips_24kc.ipk	109.699

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Tested-by: Hans Dedecker <dedeckeh@gmail.com>
2020-08-30 22:21:34 +02:00
Hauke Mehrtens
0b2f97beed iproute2: Update to version 5.8
The ipk sizes for mips_24Kc change like this:
old:
ip-full_5.7.0-2_mips_24kc.ipk	165.786
ip-tiny_5.7.0-2_mips_24kc.ipk	117.730
tc_5.7.0-2_mips_24kc.ipk	144.405

new:
ip-full_5.8.0-1_mips_24kc.ipk	169.775
ip-tiny_5.8.0-1_mips_24kc.ipk	119.808
tc_5.8.0-1_mips_24kc.ipk	149.053

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-08-30 22:21:34 +02:00
Aaron Goodman
47b2ee2d9a wireguard-tools: add tunlink option for hostroute
In a multi-wan setup, netifd may need guidance on which wan device to
use to create the route to the remote peer.

This commit adds a 'tunlink' option similar to other tunneling interfaces
such as 6in4, 6rd, gre, etc.

Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
2020-08-30 21:47:13 +02:00
Paul Spooren
a5d030a54f curl: move package to packages.git
curl is replaced by uclient-fetch within the OpenWrt build system and we
can therefore move curl to packages.git. This is based on the Hamburg
2019 decision that non essential packages should move outside base.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-08-27 21:18:21 +02:00
Hauke Mehrtens
bc19481826 hostapd: Fix compile errors after wolfssl update
This fixes the following compile errors after the wolfssl 4.5.0 update:
  LD  wpa_cli
../src/crypto/tls_wolfssl.c: In function 'tls_match_alt_subject':
../src/crypto/tls_wolfssl.c:610:11: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'?
    type = GEN_EMAIL;
           ^~~~~~~~~
           ENAVAIL
../src/crypto/tls_wolfssl.c:610:11: note: each undeclared identifier is reported only once for each function it appears in
../src/crypto/tls_wolfssl.c:613:11: error: 'GEN_DNS' undeclared (first use in this function)
    type = GEN_DNS;
           ^~~~~~~
../src/crypto/tls_wolfssl.c:616:11: error: 'GEN_URI' undeclared (first use in this function)
    type = GEN_URI;
           ^~~~~~~
../src/crypto/tls_wolfssl.c: In function 'wolfssl_tls_cert_event':
../src/crypto/tls_wolfssl.c:902:20: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'?
   if (gen->type != GEN_EMAIL &&
                    ^~~~~~~~~
                    ENAVAIL
../src/crypto/tls_wolfssl.c:903:20: error: 'GEN_DNS' undeclared (first use in this function)
       gen->type != GEN_DNS &&
                    ^~~~~~~
../src/crypto/tls_wolfssl.c:904:20: error: 'GEN_URI' undeclared (first use in this function)
       gen->type != GEN_URI)
                    ^~~~~~~
Makefile:2029: recipe for target '../src/crypto/tls_wolfssl.o' failed

Fixes: 00722a720c ("wolfssl: Update to version 4.5.0")
Reported-by: Andre Heider <a.heider@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-08-27 12:11:47 +02:00
Hauke Mehrtens
2745f6afe6 curl: Use wolfssl by default
Instead of using mbedtls by default use wolfssl. We now integrate
wolfssl in the default build so use it also as default ssl library for
curl.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-08-26 21:00:43 +02:00
Hauke Mehrtens
b5191f3366 curl: Fix build with wolfssl
Backport a commit from upstream curl to fix a problem in configure with
wolfssl.

checking size of time_t... configure: error: cannot determine a size for time_t

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-08-26 21:00:42 +02:00
Hauke Mehrtens
a69949a13f firewall: Fix PKG_MIRROR_HASH
Fixes: 6c57fb7aa9 ("firewall: bump to version 2020-07-05")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-08-24 18:54:00 +02:00
Josef Schlehofer
e742a31f07 ipset: update to version 7.6
Changelog:
https://ipset.netfilter.org/changelog.html

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2020-08-24 18:53:59 +02:00
Hans Dedecker
4358373e69 curl: disable zstd support
Fixes package libcurl build issue :

Package libcurl is missing dependencies for the following libraries:
libzstd.so.1

Suggested-by: Syrone Wong <wong.syrone@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-08-23 11:03:40 +02:00
Josef Schlehofer
17d16e093f curl: update to version 7.72.0
Changes in this version can be found here:
https://curl.haxx.se/changes.html#7_72_0

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2020-08-21 21:25:56 +02:00
David Bauer
aa403a440a dnsmasq: abort dhcp_check on interface state
Abort the dhcp-check based on the interface instead of the carrier
state. In cases where the interface is up but the carrier is down,
netifd won't cause a dnsmasq reload, thus dhcp won't become active
on this interface.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-08-20 23:45:26 +02:00
Remi NGUYEN VAN
bcf0704bd2 map: rename type to maptype (FS#3287)
"type" is already used as a common option for all protocols types, so
using the same option name for the map type makes the configuration
ambiguous. Luci in particular adds controls for both options and sees
errors when reading the resulting configuration.

Use "maptype" instead, but still fallback to "type" if "maptype" is not
set. This allows configurations to migrate without breaking old
configurations.

This addresses FS#3287.

Signed-off-by: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2020-08-19 21:14:00 +02:00
Adrian Schmutzler
18ab496c32 ltq-dsl-base: remove useless echos in lantiq_dsl.sh
The is no reason to catch the output by $() and then echo it again.

Remove the useless echos.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-17 23:25:41 +02:00
Remi NGUYEN VAN
1e696c6ced map: add a legacymap option
The legacy map version based on the IPv6 Interface Identifier in
draft-ietf-softwire-map-03 was typically used by uncommenting the LEGACY
variable in the map.sh file, which is not ideal. A proper configuration
option is needed instead.

The IPv6 Interface Identifier format described in the draft was
eventually changed in RFC7597, but is still used by some major ISPs,
including in Japan.

Signed-off-by: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2020-08-15 20:37:02 +02:00
Rui Salvaterra
763ce13b0b dropbear: allow disabling support for scp
If not needed, disabling scp allows for a nice size reduction.

Dropbear executable size comparison:

153621 bytes (baseline)
133077 bytes (without scp)

In other words, we trim a total of 20544 bytes.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-08-15 20:25:08 +02:00
Daniel Golle
0709f6e798 iproute2: disable SELinux for now
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-13 14:03:07 +01:00
Rui Salvaterra
e5eeb34a8c dropbear: fix ssh alternative when dbclient isn't built
The ssh symlink was still being created even when dbclient was disabled in the
build configuration. Fix this annoyance.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-08-12 21:57:37 +02:00
Hans Dedecker
5e512cc9c1 ppp: update to latest git HEAD
677aa53 Fix -W option for pppoe-discovery utility (#157)
115c419 Accept Malformed Windows Success Message (#156)
5bdb148 pppd: Add documentation of stop-bits option to pppd man page (#154)
2a7981f Add ipv6cp-accept-remote option
0678d3b pppd: Fix the default value for ipv6cp-accept-local to false

Refresh patches

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-08-11 21:27:07 +02:00
Jo-Philipp Wich
bc1c9fdc20 hostapd: recognize option "key" as alias for "auth_secret"
The hostapd configuration logic is supposed to accept "option key" as
legacy alias for "option auth_secret". This particular fallback option
failed to work though because "key" was not a registered configuration
variable.

Fix this issue by registering the "key" option as well, similar to the
existing "server" nad "port" options.

Ref: https://github.com/openwrt/openwrt/pull/3282
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-07 21:19:29 +02:00
Jo-Philipp Wich
321503dbf3 hostapd: make "key" option optional if "wpa_psk_file" is provided
If an existing "wpa_psk_file" is passed to hostapd, the "key" option may
be omitted.

While we're at it, also improve the passphrase length checking to ensure
that it is either exactly 64 bytes or 8 to 63 bytes.

Fixes: FS#2689
Ref: https://github.com/openwrt/openwrt/pull/3283
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-07 21:04:02 +02:00
Petr Štetiar
c487cf8e94 hostapd: add wpad-basic-wolfssl variant
Add package which provides size optimized wpad with support for just
WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
[adapt to recent changes, add dependency for WPA_WOLFSSL config]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-07 12:02:19 +02:00
Yousong Zhou
064dc1e81b dnsmasq: abort when dnssec requested but not available
Before this commit, if uci option "dnssec" was set, we pass "--dnssec"
and friends to dnsmasq, let it start and decide whether to quit and
whether to emit message for diagnosis

  # dnsmasq --dnssec; echo $?
  dnsmasq: DNSSEC not available: set HAVE_DNSSEC in src/config.h
  1

DNSSEC as a feature is different from others like dhcp, tftp in that
it's a security feature.  Better be explicit.  With this change
committed, we make it so by not allowing it in the first in the
initscript, should dnsmasq later decides to not quit (not likely) or
quit without above explicit error (unlikely but less so ;)

So this is just being proactive.  on/off choices with uci option
"dnssec" are still available like before

Link: https://github.com/openwrt/openwrt/pull/3265#issuecomment-667795302
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2020-08-07 15:56:30 +08:00
Jo-Philipp Wich
11ea7ba698 Revert "dsaconfig: introduce package for UCI configuration of VLAN filter rules"
This reverts commit 96b87196b0.

This commit was not meant to go into master.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-06 19:13:43 +02:00
Jo-Philipp Wich
f85bc0d77d Revert "add vfconfig"
This reverts commit 34553e8cc9.

This commit was not meant to go into master.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-06 19:13:21 +02:00
Jo-Philipp Wich
b92f54b919 openvpn: fix arguments passing to wrapped up and down scripts
With the introduction of the generic OpenVPN hotplug mechanism, wrapped
--up and --down scripts got the wrong amount and order of arguments passed,
breaking existing configurations and functionality.

Fix this issue by passing the same amount of arguments in the same expected
order as if the scripts were executed by the OpenVPN daemon directly.

Ref: https://github.com/openwrt/openwrt/pull/1596#issuecomment-668935156
Fixes: 8fe9940db6 ("openvpn: add generic hotplug mechanism")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-06 08:34:31 +02:00
Jo-Philipp Wich
34553e8cc9 add vfconfig
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-06 08:34:19 +02:00
Jo-Philipp Wich
96b87196b0 dsaconfig: introduce package for UCI configuration of VLAN filter rules
This package provides the necessary files to translate `config dsa_vlan`
and `config dsa_port` sections  of `/etc/config/network` into appropriate
bridge vlan filter rules.

The approach of the configuration is to bridge all DSA ports into a logical
bridge device, called "switch0" by default, and to set VLAN port membership,
tagging state and PVID as specified by UCI on each port and on the switch
bridge device itself, allowing logical interfaces to reference port VLAN
groups by using "switch0.N" as ifname, where N denotes the VLAN ID.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-06 08:34:19 +02:00
Rafał Miłecki
3d167ed805 uhttpd: update to the latest master
212f836 ubus: rename JSON-RPC format related functions
628341f ubus: use local "blob_buf" in uh_ubus_handle_request_object()
9d663e7 ubus: use BLOBMSG_TYPE_UNSPEC for "params" JSON attribute
77d345e ubus: drop unused "obj" arguments
8d9e1fc ubus: parse "call" method params only for relevant call

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2020-08-05 15:49:03 +02:00
Jason A. Donenfeld
80a6d3d4a2 wireguard: bump to 1.0.20200729
* compat: rhel 8.3 beta removed nf_nat_core.h
* compat: ipv6_dst_lookup_flow was ported to rhel 7.9 beta

This compat tag adds support for RHEL 8.3 beta and RHEL 7.9 beta, in addition
to RHEL 8.2 and RHEL 7.8. It also marks the first time that
<https://www.wireguard.com/build-status/> is all green for all RHEL kernels.
After quite a bit of trickery, we've finally got the RHEL kernels building
automatically.

* compat: allow override of depmod basedir

When building in an environment with a different modules install path, it's
not possible to override the depmod basedir flag by setting the DEPMODBASEDIR
environment variable.

* compat: add missing headers for ip_tunnel_parse_protocol

This fixes compilation with some unusual configurations.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-08-03 23:14:24 +02:00
Adrian Schmutzler
50413e1ec8 package: replace remaining occurrences of ifconfig with ip
ifconfig is effectively deprecated for quite some time now. Let's
replace the remaining occurrences for packages by the
corresponding ip commands now.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-03 10:42:35 +02:00
Magnus Kroken
48a9d99a21 openvpn: revise sample configuration
Update the openvpn sample configurations to use modern options in favor
of deprecated ones, suggest more sane default settings and add some
warnings.

* Add tls_crypt and ncp_disable to the sample configuration
* Replace nsCertType with remote_cert_tls in client sample configuration
* Comment out "option compress", compression should not be preferred
* Advise 2048-bit Diffie-Hellman parameters by default
* Add warnings about compression and use of Blowfish (BF-CBC)

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2020-08-01 14:54:39 +01:00
Rui Salvaterra
f2af32c20c wireguard-tools: allow compiling with MIPS16 instructions
The wg utility compiles and runs without issues in MIPS16 mode, despite setting
PKG_USE_MIPS16:=0 in the makefile. Let's remove this, allowing for a substantial
size reduction of the wg executable. Since wg is a just a configuration utility,
it shouldn't be performance-critical, as the crypto heavy-lifting is done on the
kernel side.

wg sizes for both modes:

MIPS32: 64309 bytes
MIPS16: 42501 bytes

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-08-01 14:54:39 +01:00
David Bauer
8b3e170526 hostapd: fix incorrect service name
When retrieving the PID for hostapd and wpa_supplicant via ubus the
wrong service name is currently used. This leads to the following error
in the log:

netifd: radio0 (1409): WARNING (wireless_add_process):
executable path /usr/sbin/wpad does not match process  path (/proc/exe)

Fixing the service name retrieves the correct PID and therefore the
warning won't occur.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-07-31 19:51:51 +02:00
Adrian Schmutzler
c4dd7fc23b hostapd: reorganize config selection hierarchy for WPA3
The current selection of DRIVER_MAKEOPTS and TARGET_LDFLAGS is
exceptionally hard to read. This tries to make things a little
easier by inverting the hierarchy of the conditions, so SSL_VARIANT
is checked first and LOCAL_VARIANT is checked second.

This exploits the fact that some of the previous conditions were
unnecessary, e.g. there is no hostapd-mesh*, so we don't need
to exclude this combination.

It also should make it a little easier to see which options are
actually switched by SSL_VARIANT and which by LOCAL_VARIANT.

The patch is supposed to be cosmetic.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-31 11:40:15 +02:00
Adrian Schmutzler
917980fd8a hostapd: improve TITLE for packages
For a few packages, the current TITLE is too long, so it is not
displayed at all when running make menuconfig. Despite, there is
no indication of OpenSSL vs. wolfSSL in the titles.

Thus, this patch adjusts titles to be generally shorter, and adds
the SSL variant to it.

While at it, make things easier by creating a shared definition for
eapol-test like it's done already for all the other flavors.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-30 16:27:44 +01:00
Daniel Golle
34705946e2 hostapd: update mesh DFS patches and add mesh HE support
Drop outdated and by now broken patchset originally supplied by
Peter Oh in August 2018 but never merged upstream.
Instead add the more promissing rework recently submitted by
Markus Theil who picked up Peter's patchset, fixed and completed it
and added support for HE (802.11ax) in mesh mode.

This is only compile tested and needs some real-life testing.

Fixes: FS#3214
Fixes: 167028b750 ("hostapd: Update to version 2.9 (2019-08-08)")
Fixes: 0a3ec87a66 ("hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848ed")
Fixes: 017320ead3 ("hostapd: bring back mesh patches")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-07-30 16:27:44 +01:00
Yousong Zhou
6c57fb7aa9 firewall: bump to version 2020-07-05
Changes since last source version

  e9b90df zones: apply tcp mss clamping also on ingress path
  050816a redirects: fix segmentation fault
  f62a52b treewide: replace unsafe string functions
  23cc543 improve reload logic
  9d7f49d redurects: add support to define multiple zones for dnat reflection rules
  f87d0b0 firewall3: defaults: fix uci flow_offloading option
  fe9602c rules: fix typo
  7cc2a84 defaults: robustify flow table detection.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2020-07-26 18:10:52 +08:00
Hauke Mehrtens
ed2015c386 mac80211: Update to version 5.8-rc2-1
The following patches:
* 972-ath10k_fix-crash-due-to-wrong-handling-of-peer_bw_rxnss_override-parameter.patch
* 973-ath10k_fix-band_center_freq-handling-for-VHT160-in-recent-firmwares.patch
are replaced by this commit in the upstream kernel:
* 3db24065c2c8 ("ath10k: enable VHT160 and VHT80+80 modes")

The following patches were applied upstream:
* 001-rt2800-enable-MFP-support-unconditionally.patch
* 090-wireless-Use-linux-stddef.h-instead-of-stddef.h.patch

The rtw88 driver is now split into multiple kernel modules, just put it
all into one OpenWrt kernel package.

rtl8812au-ct was patched to compile against the mac80211 from kernel
5.8, but not runtime tested.

Add a patch which fixes ath10k on IPQ40XX, this patch was send upstream
and fixes a crash when loading ath10k on this SoC.

Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [ipq40xx/ map-ac2200]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-07-23 23:39:56 +02:00
Michal Hrusecky
cdb25bcef3 openvpn: Allow override of interface name
If using a configuration file for OpenVPN, allow overriding name of the
interface. The reason is that then people could use configuration file
provided by VPN provider directly and override the name of the interface
to include it in correct firewall zone without need to alter the
configuration file.

Signed-off-by: Michal Hrusecky <michal@hrusecky.net>
(cherry picked from commit c93667358515ec078ef4ac96393623ac084e5c9e)
2020-07-23 13:10:09 +02:00
Michal Hrusecky
8483bf3126 openpvn: Split out config parsing code for reuse
Split out code that parses openvpn configuration file into separate file
that can be later included in various scripts and reused.

Signed-off-by: Michal Hrusecky <michal@hrusecky.net>
(cherry picked from commit 86d8467c8ab792c79809a08c223dd9d40da6da2e)
2020-07-23 13:10:09 +02:00
Kevin Darbyshire-Bryant
017cd5bfb0 umdns: fix compiling using gcc 10
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-07-22 15:59:54 +01:00
David Bauer
93bbd998aa hostapd: enter DFS state if no available channel is found
Previously hostapd would not stop transmitting when a DFS event was
detected and no available channel to switch to was available.

Disable and re-enable the interface to enter DFS state. This way, TX
does not happen until the kernel notifies hostapd about the NOP
expiring.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-07-20 15:08:19 +02:00
Johannes Kimmel
65e9de3c33 vxlan: add capability for multiple fdb entries
Similar to wireguard, vxlan can configure multiple peers or add specific
entries to the fdb for a single mac address.

While you can still use peeraddr/peer6addr option within the proto
vxlan/vxlan6 section to not break existing configurations, this patch
allows to add multiple sections that conigure fdb entries via the bridge
command. As such, the bridge command is now a dependency of the vxlan
package. (To be honest without the bridge command available, vxlan isn't
very much fun to use or debug at all)

Field names are taken direclty from the bridge command.

Example with all supported parameters, since this hasn't been documented so
far:

  config interface 'vx0'
      option proto     'vxlan6'      # use vxlan over ipv6

      # main options
      option ip6addr   '2001:db8::1' # listen address
      option tunlink   'wan6'        # optional if listen address given
      option peer6addr '2001:db8::2' # now optional
      option port      '8472'        # this is the standard port under linux
      option vid       '42'          # VXLAN Network Identifier to use
      option mtu       '1430'        # vxlan6 has 70 bytes overhead

      # extra options
      option rxcsum  '0'  # allow receiving packets without checksum
      option txcsum  '0'  # send packets without checksum
      option ttl     '16' # specifies the TTL value for outgoing packets
      option tos     '0'  # specifies the TOS value for outgoing packets
      option macaddr '11:22:33:44:55:66' # optional, manually specify mac
                                         # default is a random address

Single peer with head-end replication. Corresponds to the following call
to bridge:

  $ bridge fdb append 00:00:00:00:00:00 dev vx0 dst 2001:db8::3

  config vxlan_peer
      option vxlan 'vx0'
      option dst '2001:db8::3' # always required

For multiple peers, this section can be repeated for each dst address.

It's possible to specify a multicast address as destination. Useful when
multicast routing is available or within one lan segment:

  config vxlan_peer
      option vxlan 'vx0'
      option dst 'ff02::1337' # multicast group to join.
                              # all bum traffic will be send there
      option via 'eth1'       # for multicast, an outgoing interface needs
                              # to be specified

All available peer options for completeness:

  config vxlan_peer
      option vxlan   'vx0'               # the interface to configure
      option lladdr  'aa:bb:cc:dd:ee:ff' # specific mac,
      option dst     '2001:db8::4'       # connected to this peer
      option via     'eth0.1'            # use this interface only
      option port    '4789'              # use different port for this peer
      option vni     '23'                # override vni for this peer
      option src_vni '123'               # see man 3 bridge

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
2020-07-20 13:43:36 +02:00
Johannes Kimmel
5222aadbf3 vxlan: remove mandatory peeraddr
vxlan can be configured without a peer address. This is used to prepare
an interface and add peers later.

Fixes: FS#2743

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Acked-by: Matthias Schiffer <mschiffer@universe-factory.net>
2020-07-20 13:43:36 +02:00
Kevin Darbyshire-Bryant
a197fa093c dnsmasq: bump to 2.82
This fixes a nasty problem introduced in 2.81 which causes random
crashes on systems where there's significant DNS activity over TCP. It
also fixes DNSSEC validation problems with zero-TTL DNSKEY and DS
records.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-07-20 10:38:35 +01:00