Commit Graph

2864 Commits

Author SHA1 Message Date
Hans Dedecker
1bdd3b5f7d Revert "iproute2: use tc package variant to limit other package sizes"
This reverts commit e6d84fa886 as it breaks the
installation of the iproute2 utilities ip-bridge, ss, nstat, devlink and rdma
for the ip-full variant

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-19 15:22:28 +01:00
Hans Dedecker
de14f4301e Revert "iproute2: simplify linking libelf for eBFP/XDP object file support"
This reverts commit 26681fa6a6 as it breaks the
installation of the iproute2 utilities ip-bridge, ss, nstat, devlink and rdma
for the ip-full variant

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-19 15:22:28 +01:00
Hans Dedecker
566bfa417e Revert "iproute2: tc: enable and fix support for using .so plugins"
This reverts commit fc80ef3613 as it breaks the
installation of the iproute2 utilities ip-bridge, ss, nstat, devlink and
rdma for the ip-full variant

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-19 15:22:28 +01:00
Hans Dedecker
96060b3018 Revert "iproute2: tc: reduce size of dynamic symbol table"
This reverts commit 248797834b as it breaks the
installation of the iproute2 utilities ip-bridge, ss, nstat, devlink and rdma
for the ip-full variant

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-19 15:22:28 +01:00
Yousong Zhou
ec2a2a2aea dnsmasq: allow using dnsmasq as the sole resolver
Currently it seems impossible to configure /etc/config/dhcp to achieve
the following use case

 - run dnsmasq with no-resolv
 - re-generate /etc/resolv.conf with "nameserver 127.0.0.1"

Before this change, we have to set resolvfile to /tmp/resolv.conf.auto
to achive the 2nd effect above, but setting resolvfile requires noresolv
being false.

A new boolean option "localuse" is added to indicate that we intend to
use dnsmasq as the local dns resolver.  It's false by default and to
align with old behaviour it will be true automatically if resolvfile is
set to /tmp/resolv.conf.auto

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-19 13:06:06 +00:00
Hans Dedecker
331963717b odhcpd: update to latest git HEAD
1f01299 config: fix build failure in case DHCPv4 support is disabled
67b3a14 dhcpv4: fix assignment of requested IP address
ca8ba91 dhcp: rework static lease logic
36833ea dhcpv6: rapid commit support
1ae316e dhcpv6: fix parsing of DHCPv6 relay messages
80157e1 dhcpv4: fix compile issue
671ccaa dhcpv6-ia: move function definitions to odhcpd.h
0db69b0 dhcpv6: improve code readibility
7847b27 treewide: unify dhcpv6 and dhcpv4 assignments
a54cee0 netlink: rework handling of netlink messages
9f25dd8 treewide: use avl tree to store interfaces
f21a0a7 treewide: align syslog tracing
edc5fb0 dhcpv6-ia: add full CONFIRM support
9d6eadf dhcpv6-ia: rework append_reply()

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-18 16:11:32 +01:00
Rosy Song
93b984b78a samba36: allow build with no ipv6 support
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2019-02-17 19:22:39 +01:00
Deng Qingfang
f5db5742e4 iw: update to 5.0.1
Refresh patches

MIPS IPK size increases:
iw-tiny: +3k
iw-full: +10k

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
[Remove sha256, nan, bloom, measurements and ftm from tiny version]
[sync nl80211 between backports and iw]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-02-17 17:33:18 +01:00
Jonas Gorski
c8a30172f8 dnsmasq: ensure test and rc order as older than final releases
Opkg treats text after a version number as higher than without:

 ~# opkg compare-versions "2.80rc1" "<<" "2.80"; echo $?
 1
 ~# opkg compare-versions "2.80rc1" ">>" "2.80"; echo $?
 0

This causes opkg not offering final release as upgradable version, and
even refusing to update, since it thinks the installed version is
higher.

This can be mitigated by adding ~ between the version and the text, as ~
will order as less than everything except itself. Since 'r' < 't', to
make sure that test will be treated as lower than rc we add a second ~
before the test tag. That way, the ordering becomes

  2.80~~test < 2.80~rc < 2.80

which then makes opkg properly treat prerelease versions as lower.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
2019-02-17 16:55:24 +01:00
Felix Fietkau
5b6997dcb3 hostapd: update the fix for a race condition in mesh new peer handling
Prevent the mesh authentication state machine from getting reset on bogus
new peer discovery

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-17 16:06:44 +01:00
Felix Fietkau
f948aa4d4f hostapd: enable CONFIG_DEBUG_SYSLOG for wpa_supplicant
It was already enabled for wpad builds and since commit 6a15077e2d
the script relies on it. Size impact is minimal (2 kb on MIPS .ipk).

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-17 13:05:14 +01:00
Hans Dedecker
880f8e6d32 dnsmasq: add rapid commit config option
Add config option rapidcommit to enable support for DHCPv4 rapid
commit (RFC4039)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-13 10:37:36 +01:00
Felix Fietkau
db93949aa3 hostapd: fix race condition in mesh new peer handling
Avoid trying to add the same station to the driver multiple times

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-12 15:12:35 +01:00
Felix Fietkau
6a15077e2d hostapd: send wpa_supplicant logging output to syslog
Helpful for debugging network connectivity issues

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-12 15:12:35 +01:00
Tony Ambardar
248797834b iproute2: tc: reduce size of dynamic symbol table
In the case of SHARED_LIBS=y, don't use -export-dynamic to place *all*
symbols into the dynamic symbol table. Instead, use --dynamic-list to
export a smaller set of symbols similar to that defined in static-syms.h
in the case of SHARED_LIBS=n, avoiding an 11 KB tc package size increase.

Also increment PKG_RELEASE.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar
fc80ef3613 iproute2: tc: enable and fix support for using .so plugins
This enables using the tc module m_xt.so, which uses the act_ipt kernel
module to allow tc actions based on iptables targets. e.g.

   tc filter add dev eth0 parent 1: prio 10 protocol ip \
   u32 match u32 0 0 action xt -j DSCP --set-dscp-class BE

Make the SHARED_LIBS parameter configurable and based on tc package
selection.

Fix a problem using the tc m_xt.so plugin as also described in
https://bugs.debian.org/868059:

  Sync include/xtables.h from iptables to make sure the right offset is
  used when accessing structure members defined in libxtables. One could
  get “Extension does not know id …” otherwise. (See also: #868059)

Patch to sync the included xtables.h with system iptables 1.6.x. This
continues to work with iptables 1.8.2.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar
26681fa6a6 iproute2: simplify linking libelf for eBFP/XDP object file support
Simplify build and runtime dependencies on libelf, which allows tc and ip
to load BPF and XDP object files respectively.

Preserve optionality of libelf by having configuration script follow the
HAVE_ELF environment variable, used similarly to the HAVE_MNL variable.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar
e6d84fa886 iproute2: use tc package variant to limit other package sizes
Replace the old 'tc' with a singleton package variant which will be used
to enable additional functionality and limit it only to tc. Non-variant
packages will only be installed during 'tiny' variant builds, hence will
be configured without extra features, thus preserving previously limited
functionality and reduced package sizes.

Also set ip-tiny as the default variant, and install 'tiny' versions of
development libraries.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar
bc86da377c iproute2: simplify Makefile, patches and fix feature detection
Compile-based feature detection (e.g. xtables, ipset support) was broken
due to silent compilation errors in the configure script, caused by a
Makefile variable KERNEL_INCLUDE referring to kernel build headers. Use
userspace headers by setting the same "user_headers" kernel include path
as used for the iptables build.

Remove redundant or unused Build/Configure definitions from package
Makefile, including KERNEL_INCLUDE, LIBC_INCLUDE and DBM includes.

Don't pass LDFLAGS within MAKE_FLAGS as this interferes with LDFLAGS in
tc/Makefile and masks a link parameter ("-Wl,-export-dynamic"). Instead,
use standard TARGET_LDFLAGS.

Replace EXTRA_CCOPTS in MAKE_FLAGS with cleaner TARGET_CPPFLAGS, and also
drop now unneeded patch 150-extra-ccopts.patch.

Enable defining XT_LIB_DIR from Makefile, needed to set the iptables
modules directory to something other than /lib/xtables, and also add
libxtables dependency. Both are needed with working xtables detection.
Note that libxtables is also pulled in by iptables, firewall or luci, so
this change has no size impact in most cases.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar
43e14a2f9e iproute2: fix broken configuration patch
Since v4.13, iproute2 switched to a config.mk file with greater use of
pkg-config for library/feature detection. Replace the old Config patch
with one modifying the configure script but enabling the same changes:
 - explicitly disable TC_CONFIG_ATM
 - rely on feature detection for IP_CONFIG_SETNS and TC_CONFIG_XT

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Hans Dedecker
630a363936 vti: remove setting default firewall zone to wan
Same reasoning as in bdedb798150a58ad7ce3c4741f2f31df97e84c3f; don't set
default firewall zone to wan as the firewall zone for the vti interface
can be configured in the firewall config or it makes it impossible not to
specify a firewall zone for the vti interface.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-09 21:04:36 +01:00
Hans Dedecker
7f33f3d712 ipip: remove setting default firewall zone to wan
Same reasoning as in bdedb798150a58ad7ce3c4741f2f31df97e84c3f; don't set
default firewall zone to wan as the firewall zone for the ipip interface
can be configured in the firewall config or it makes it impossible not to
specify a firewall zone for the ipip interface.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-09 21:04:08 +01:00
Deng Qingfang
39273b849f curl: bump to 7.64.0
Fixed CVEs:

CVE-2018-16890
CVE-2019-3822
CVE-2019-3823

For other changes in version 7.64.0 see https://curl.haxx.se/changes.html#7_64_0

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-02-08 08:37:24 +01:00
Florian Eckert
bdedb79815 gre: remove setting default firewall zone to wan
There are two problems with this behaviour that the zone is set to wan
if no zone config option is defined in the interface section.

* The zone for the interface is "normally" specified in the firewall
config file. So if we have defined "no" zone for this interface zone
option is set now to "wan" additonaly if we add the interface in the firewall
config section to the "lan" zone, the interface is added to lan and wan at once.

iptables-save | grep <iface>

This is not what I expect.

* If I do not want to set a zone to this interface it is not possible.

Remove the default assigment to wan if no zone option is defined.
If some one need the option it stil possible to define this option.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2019-02-07 21:58:07 +01:00
Hans Dedecker
8399ee4543 netifd: handle hotplug event socket errors
5cd7215 system-linux: handle hotplug event socket ENOBUFS errors

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-31 22:14:55 +01:00
Kevin Darbyshire-Bryant
352db3e62a dnsmasq: latest pre-2.81 patches
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-01-31 10:13:05 +00:00
Jo-Philipp Wich
c6aa9ff388 uhttpd: disable concurrent requests by default
In order to avoid straining CPU and memory resources on lower end devices,
avoid running multiple CGI requests in parallel.

Ref: https://forum.openwrt.org/t/high-load-fix-on-openwrt-luci/29006
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-30 10:12:00 +01:00
Hans Dedecker
a3ccac6b1d iproute2: drop libbsd dependency
As the usage of libbsd is no longer limited to glibc, prevent libbsd
being picked up by removing the dependency on libbsd.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-29 14:00:13 +01:00
Felix Fietkau
4443804b54 wpa_supplicant: fix calling channel switch via wpa_cli on mesh interfaces
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-29 11:27:13 +01:00
Felix Fietkau
ae6b5815cd hostapd: add support for passing CSA events from sta/mesh to AP interfaces
Fixes handling CSA when using AP+STA or AP+Mesh

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-29 11:27:06 +01:00
Hans Dedecker
617e414643 map: depend on nat46, provide map-t
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-27 18:39:55 +01:00
Hans Dedecker
633cac0cb4 464xlat: import from routing, add myself as maintainer
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-27 18:39:18 +01:00
Martin Schiller
eaaee181d1 ppp: update to version 2.4.7.git-2018-06-23
This bumps ppp to latest git version.

There is one upstream commit, which changes DES encryption calls from
libcrypt / glibc to openssl.

As long as we don't use glibc-2.28, revert this commit.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2019-01-25 14:55:46 +01:00
Jo-Philipp Wich
b1781d5841 iproute2: replace libelf1 dependency with libelf
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-24 12:56:31 +01:00
Jo-Philipp Wich
0e70f69a35 treewide: revise library packaging
- Annotate versionless libraries (such as libubox, libuci etc.) with a fixed
  ABI_VERSION resembling the source date of the last incompatible change
- Annotate packages shipping versioned library objects with ABI_VERSION
- Stop shipping unversioned library symlinks for packages with ABI_VERSION

Ref: https://openwrt.org/docs/guide-developer/package-policies#shared_libraries
Ref: https://github.com/KanjiMonster/maintainer-tools/blob/master/check-abi-versions.pl
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-24 10:39:30 +01:00
Jason A. Donenfeld
bbcd0634f8 wireguard: bump to 0.0.20190123
* tools: curve25519: handle unaligned loads/stores safely

This should fix sporadic crashes with `wg pubkey` on certain architectures.

* netlink: auth socket changes against namespace of socket

In WireGuard, the underlying UDP socket lives in the namespace where the
interface was created and doesn't move if the interface is moved. This
allows one to create the interface in some privileged place that has
Internet access, and then move it into a container namespace that only
has the WireGuard interface for egress. Consider the following
situation:

1. Interface created in namespace A. Socket therefore lives in namespace A.
2. Interface moved to namespace B. Socket remains in namespace A.
3. Namespace B now has access to the interface and changes the listen
port and/or fwmark of socket. Change is reflected in namespace A.

This behavior is arguably _fine_ and perhaps even expected or
acceptable. But there's also an argument to be made that B should have
A's cred to do so. So, this patch adds a simple ns_capable check.

* ratelimiter: build tests with !IPV6

Should reenable building in debug mode for systems without IPv6.

* noise: replace getnstimeofday64 with ktime_get_real_ts64
* ratelimiter: totalram_pages is now a function
* qemu: enable FP on MIPS

Linux 5.0 support.

* keygen-html: bring back pure javascript implementation

Benoît Viguier has proofs that values will stay well within 2^53. We
also have an improved carry function that's much simpler. Probably more
constant time than emscripten's 64-bit integers.

* contrib: introduce simple highlighter library

This is the highlighter library being used in:
- https://twitter.com/EdgeSecurity/status/1085294681003454465
- https://twitter.com/EdgeSecurity/status/1081953278248796165

It's included here as a contrib example, so that others can paste it into
their own GUI clients for having the same strictly validating highlighting.

* netlink: use __kernel_timespec for handshake time

This readies us for Y2038. See https://lwn.net/Articles/776435/ for more info.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-23 18:06:49 +01:00
Deng Qingfang
752bd72668 iproute2: update to 4.20.0
Update to the latest version of iproute2; see https://lwn.net/Articles/776174/
for a full overview of the changes in 4.20.
Remove upstream patch 001-fix-print_0xhex-on-32-bit.patch and 002-tc-fix-xtables-incorrect-usage-of-LDFLAGS.patch
Introduce a patch to include <linux/limits.h> for XATTR_SIZE_MAX in tc

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-01-23 17:55:21 +01:00
Jeffery To
d13e86d4c2 procd: Add wrapper for uci_validate_section()
This adds a wrapper (uci_load_validate) for uci_validate_section() that
allows callers (through a callback function) to access the values set by
uci_validate_section(), without having to manually declare a
(potentially long) list of local variables.

The callback function receives two arguments when called, the config
section name and the return value of uci_validate_section().

If no callback function is given, then the wrapper exits with the value
returned by uci_validate_section().

This also updates several init scripts to use the new wrapper function.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-01-22 09:05:59 +01:00
Carsten Wolff
2bf22b1fb7 iputils: install ping, ping6, traceroute6 with setuid root
these utilities need to run with uid 0 to be useful. Thus,
install them setuid root like other distros do, too.

Signed-off-by: Carsten Wolff <carsten@wolffcarsten.de>
[use INSTALL_SUID macro]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-22 09:05:59 +01:00
Jo-Philipp Wich
62fbdcaf06 conntrack-tools: relocated to packages feed
In order to prepare the switch from librpc to libtirpc, we need to relocate
conntrack-tools to the packages feed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-22 08:14:00 +01:00
Jo-Philipp Wich
797e5c1c48 packages: set more explicit ABI_VERSION values
In the case of upstream libraries, set the ABI_VERSION variable to the
soname value of the first version version after the last backwards
incompatible change.

For custom OpenWrt libraries, set the ABI_VERSION to the date of the
last Git commit doing backwards incompatible changes to the source,
such as changing function singatures or dropping exported symbols.

The soname values have been determined by either checking
https://abi-laboratory.pro/index.php?view=tracker or - in the case
of OpenWrt libraries - by carefully reviewing the changes made to
header files thorough the corresponding Git history.

In the future, the ABI_VERSION values must be bumped whenever the
library is updated to an incpompatible version but not with every
package update, in order to reduce the dependency churn in the
binary package repository.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-19 14:31:51 +01:00
Rosy Song
27be78ef46 dnsmasq: allow building without tftp server support
It saves 2871 bytes on package size while 4 bytes on memory size.

Signed-off-by: Rosy Song <rosysong@rosinson.com>
2019-01-17 22:07:06 +01:00
Hans Dedecker
76cc766521 odhcpd: fix onlink IA check (FS#2060)
0a36768 dhcpv6-ia: fix compiler warning
1893905 dhcpv6-ia: fix onlink IA check (FS#2060)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-16 23:01:05 +01:00
Kevin Darbyshire-Bryant
7541d30c9c dnsmasq: backport latest pre2.81 patches
f52bb5b fix previous commit
18eac67 Fix entries in /etc/hosts disabling static leases.
f8c77ed Fix removal of DHCP_CLIENT_MAC options from DHCPv6 relay replies.
4bf62f6 Tidy cache_blockdata_free()
9c0d445 Fix e7bfd556c079c8b5e7425aed44abc35925b24043 to actually work.
2896e24 Check for not(DS or DNSKEY) in is_outdated_cname_pointer()
a90f09d Fix crash freeing negative SRV cache entries.
5b99eae Cache SRV records.
2daca52 Fix typo in ra-param man page section.
2c59473 File logic bug in cache-marshalling code. Introduced a couple of commits back.
cc921df Remove nested struct/union in cache records and all_addr.
ab194ed Futher address union tidying.
65a01b7 Tidy address-union handling: move class into explicit argument.
bde4647 Tidy all_addr union, merge log and rcode fields.
e7bfd55 Alter DHCP address selection after DECLINE in consec-addr mode. Avoid offering the same address after a recieving a DECLINE message to stop an infinite protocol loop. This has long been done in default address allocation mode: this adds similar behaviour when allocaing addresses consecutively.

The most relevant fix for openwrt is 18eac67 (& my own local f52bb5b
which fixes a missing bracket silly) To quote the patch:

It is possible for a config entry to have one address family specified by a
dhcp-host directive and the other added from /etc/hosts. This is especially
common on OpenWrt because it uses odhcpd for DHCPv6 and IPv6 leases are
imported into dnsmasq via a hosts file.

To handle this case there need to be separate *_HOSTS flags for IPv4 and IPv6.
Otherwise when the hosts file is reloaded it will clear the CONFIG_ADDR(6) flag
which was set by the dhcp-host directive.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-01-16 15:39:54 +00:00
Hans Dedecker
4029788ff3 odhcpd: update to latest git HEAD (FS#2020)
7abbed4 dhcpv6: add setting to choose IA_NA, IA_PD or both
dd1aefd router: add syslog tracing for skipped routes
0314d58 router: filter route information option
5e99738 router: make announcing DNS info configurable (FS#2020)
1fe77f3 router: check return code of odhcpd_get_interface_dns_addr()
8f49804 config: check for invalid DNS addresses

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-15 14:02:21 +01:00
Hans Dedecker
70ffcb947c odhcp6c: update to latest git HEAD
d2e247d odhcp6c: align further with RFC8415
ce83a23 dhcpv6: avoid parsing unncessary IAs
b079733 dhcpv6: set cnt to correct IOV enum
41494da dhcpv6: get rid of request_prefix
f7437e4 dhcpv6: sanitize option request list

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-11 15:26:06 +01:00
Rafał Miłecki
ef1efa756e samba36: add package with hotplug.d script for auto sharing
The new samba36-hotplug package provides a hotplug.d script for the
"mount" subsystem. It automatically shares every mounted block device.

It works by updating /var/run/config/samba file which:
1) Is read by procd init script
2) Gets wiped on reboot providing a consistent state
3) Can be safely updated without flash wearing or conflicting with user
   changes being made in /etc/config/samba

Cc: Rosy Song <rosysong@rosinson.com>
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2019-01-10 10:33:40 +01:00
Rafał Miłecki
5a59e2c059 samba36: append config from /var/run/config/ for runtime shares
This will allow automation/hotplug.d scripts to store runtime shares in
the /var/run/config/samba. It's useful e.g. for USB drives that user
wants to be automatically shared.

Using /var/run/config/ provides:
1) Automated cleaning on reboots
   It's important for consistency (to avoid sharing non-existing drives)
2) Safety for user non-commited changes
   Automated scripts should never call "uci [foo] commit" as that could
   flush incomplete config.

Another minor gain is avoiding flash wearing for runtime setup.

Cc: Rosy Song <rosysong@rosinson.com>
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2019-01-10 10:33:40 +01:00
Hans Dedecker
fd5f0606fd firewall: update to latest git HEAD
70f8785 zones: add zone identifying local traffic in raw OUTPUT chain
6920de7 utils: Free args in __fw3_command_pipe()
6ba9105 options: redirects: Fix possible buffer overflows

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-03 17:09:51 +01:00
Hauke Mehrtens
99956528df hostapd: update to version 2018-12-02 (2.7)
This updates hostapd to version the git version from 2018-12-02 which
matches the 2.7 release.

The removed patches were are already available in the upstream code, one
additional backport is needed to fix a compile problem.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-01-02 15:47:13 +01:00
Mathias Kresin
213c0e78fa iwinfo: fix PKG_MIRROR_HASH
The PKG_MIRROR_HASH was for some reason wrong.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2018-12-30 20:33:49 +01:00
Hans Dedecker
d405edb481 omcproxy: optimize interface triggers
Before installing an interface triggger check if an interface
trigger for the interface is already in place.
This avoids installing identical interface triggers for a given
interface

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-29 16:08:31 +01:00
David Santamaría Rogado
df8f8bad08 omcproxy: fix installation of interface triggers (FS#1972)
omcproxy will not start up if either the downlink or uplink interface is
not up at boottime as the interface triggers are not correctly
installed.

Further rework omcproxy init to make use of network functions defined
in network.sh; set proper family and proto options in procd firewall
rules.

Signed-off-by: David Santamaría Rogado <howl.nsp@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-29 16:07:51 +01:00
Mathias Kresin
a5030f8b10 iwinfo: update to latest git
dd508af iwinfo: fix QCA9984 vendor id
0eaabf1 iwinfo: add device id for Atheros AR9287
6e998ec iwinfo: add device id for MediaTek MT7612E
5aa8c54 libiwinfo: nl80211: add mesh stats on assoclist.
77a9e98 iwinfo: Add Mikrotik R11e-2HPnD and R11e-5HacT to hardware list

Signed-off-by: Mathias Kresin <dev@kresin.me>
2018-12-29 12:35:47 +01:00
Rafał Miłecki
ae622c93b3 Revert "samba36: add hotplug support"
This reverts commit fd569e5e9d.

After an extra review & discussion few concerns were raised regarding
that feature:
1) It reacts to hotplug.d "block" events instead of more accurate (but
   currently unavailable) "mount" events.
2) It requires *something* to mount block device before samba hotplug.d
   gets fired. Otherwise samba_add_section() will just return.
3) It doesn't reload Samba which some users may expect
4) It operates on /etc/ which is not a right place for autogenerated
   ephemeral config.
5) It doesn't include any cleanup for non-existing shares.

Cc: Rosy Song <rosysong@rosinson.com>
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2018-12-28 23:09:38 +01:00
Stijn Tintel
c5b89abe2a lldpd: consolidate CONFIGURE_VARS
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2018-12-28 12:19:32 +02:00
Daniel Engberg
9a37c95431 wireguard: Update to snapshot 0.0.20181218
Update WireGuard to 0.0.20181218

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-12-24 12:58:22 +01:00
Deng Qingfang
0babdf2d2b curl: bump to 7.63.0
Refresh patches, for changes in version 7.63.0 see https://curl.haxx.se/changes.html#7_63_0

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2018-12-24 09:46:06 +01:00
Hans Dedecker
f36bc3f9b1 odhcpd: use PKG_VERSION default value
Instrad of defining PKG_VERSION in the Makefile use the PKG_VERSION
default value

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-21 18:30:01 +01:00
Hans Dedecker
9b8ea3623b odhcpd: add PKG_VERSION again
Fixes commit 63d0752ca8

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-20 16:50:08 +01:00
Hans Dedecker
63d0752ca8 odhcpd: update to latest git HEAD
2d2a3b8 odhcpd: switch to libubox container_of implementation
2a71c1e treewide: switch to libubox ARRAY_SIZE immplementation

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-20 15:43:31 +01:00
Jo-Philipp Wich
de7ae9a0ef iproute2: require nls infrastructure due to libelf linking
Depending on the global nls support configuration in the buildroot, the
linked libelf.so library might depend on libintl.so.

Import the nls.mk helper to set library prefixes and flags accordingly
in this case.

Ref: https://github.com/openwrt/packages/issues/7728#issuecomment-448760140
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-12-20 08:13:24 +01:00
Jo-Philipp Wich
386803a006 iproute2: only link libelf where needed
The iproute2 build system links libelf support to every utility while only
the tc program actually requires libelf specific functionality.

Unfortunately the BPF ELF functionality is not confined into an own
compilation unit but added to the existing bpf.c sources of the shared
static libutil.a, causing every iproute2 applet to pick up an implicit
libelf.so dependency.

In order to avoid this requirement, patch the iproute2 build system to
create both a libutil.a and a libutil-elf.a, with the former being built
without libelf functionality and to only link the tc applet with the libelf
enabled libutil.

Finally, make the tc package depend on libelf to solve compilation errors.

Ref: https://github.com/openwrt/packages/issues/7728
Fixes: FS#2011
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-12-19 10:50:02 +01:00
Hans Dedecker
83109450ce dropbear: fix dropbear startup issue
Interface triggers are installed by the dropbear init script in case an
interface is configured for a given dropbear uci section.
As dropbear is started after network the interface trigger event can be
missed during a small window; this is especially the case if lan is
specified as interface.
Fix this by starting dropbear before network so no interface trigger
is missed. As dropbear is started earlier than netifd add a boot function
to avoid the usage of network.sh functions as call to such functions will
fail at boottime.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2018-12-18 19:43:22 +01:00
Syrone Wong
6263a9baa3 ipset: update to 7.1
Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
2018-12-17 21:57:22 +01:00
Kevin Darbyshire-Bryant
3f7de917be netifd: fix ipv6 multicast check in previous commit
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-17 19:05:07 +00:00
Kevin Darbyshire-Bryant
d112d095a9 netifd: support configuring class e 240.0.0.0/4 addresses
cd089c5 proto: Support class-e addressing in netifd

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-17 09:27:53 +00:00
Hans Dedecker
3262fce1cd omcproxy: use PROJECT_GIT in PKG_SOURCE_URL
Switch PKG_SOURCE_URL to git.openwrt.org

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-16 19:23:36 +01:00
Hans Dedecker
0074a5e67e omcproxy: switch to OpenWrt github repo
Switch to OpenWrt github repo in PKG_SOURCE_URL so we can
remove the out of tree patch

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-16 18:09:23 +01:00
Hauke Mehrtens
835947ce64 hostapd: Make eapol-test depend on libubus
The eapol-test application also uses the code with the newly activated
ubus support, add the missing dependency.

Fixes: f5753aae23 ("hostapd: add support for WPS pushbutton station")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-12-16 14:25:41 +01:00
Rosen Penev
1e98d985bb swconfig: Add missing include
Fixes these warnings:

swlib.c:455:18: warning: implicit declaration of function 'isspace'
swlib.c:461:9: warning: implicit declaration of function 'isdigit'

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-16 00:57:19 +01:00
Eneas U de Queiroz
cb4d00d184 omcproxy: fix compilation on little-endian CPUs
Don't use cpu_to_be32 outside of a function.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2018-12-16 00:57:19 +01:00
Kevin Darbyshire-Bryant
9048b22e67 dnsmasq: Fix dhcp-boot, dhcp-reply-delay and pxe-prompt regressions
The above options were incorrectly changed to required tags.  Make them
optional again.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-14 17:51:42 +00:00
Hans Dedecker
6ff27cf0f5 iproute2: backport patch fixing incorrect usage of LDFLAGS
Backport upstream patch fixing incorrect passing of -lxtables to
LDFLAGS instead of LDLIBS in the tc/Makefile

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-14 09:57:15 +01:00
Hans Dedecker
81bb9189e4 netifd: update to latest git HEAD
1ac1c78 system-linux: get rid of SIOCSDEVPRIVATE

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-13 22:05:40 +01:00
Martin Schiller
3850b41f01 openvpn: re-add option comp_lzo
This option is deprecated but needs to be kept for backward compatibility. [0]

[0] https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#a--comp-lzo

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2018-12-12 17:15:01 +01:00
Kevin Darbyshire-Bryant
ad8a5aa06a dnsmasq: fix ipv6 ipset bug
During upstream removal of conditional ipv6 support an order swap error
was made in a ternary operator usage.

This patch sent upstream.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-12 11:54:49 +00:00
Hans Dedecker
1ff98ddff7 iproute2: backport upstream patch to fix print_0xhex on 32 bit
The argument to print_0xhex is converted to unsigned long long
so the format string give for normal printout has to be some
variant of %llx. Backport the patch as otherwise, bogus values
will be printed on 32 bit platforms.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-12 12:38:54 +01:00
Daniel Golle
f5753aae23 hostapd: add support for WPS pushbutton station
similar to hostapd, also add a ubus interface for wpa_supplicant
which will allow handling WPS push-button just as it works for hostapd.
In order to have wpa_supplicant running without any network
configuration (so you can use it to retrieve credentials via WPS),
configure wifi-iface in /etc/config/wireless:

  config wifi-iface 'default_radio0'
      option device 'radio0'
      option network 'wwan'
      option mode 'sta'
      option encryption 'wps'

This section will automatically be edited if credentials have
successfully been acquired via WPS.

Size difference (mips_24kc): roughly +4kb for the 'full' variants of
wpa_supplicant and wpad which do support WPS.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-12-12 09:37:23 +01:00
Kevin Darbyshire-Bryant
8c0f6a010a dnsmasq: follow upstream dnsmasq pre-v2.81 v2
Backport upstream commits.  Most interesting 122392e which changes how
SERVFAIL is handled especially in event of genuine server down/failure
scenarios with multiple servers.  a799ca0 also interesting in that
answered received via TCP are now cached, DNSSEC typically using TCP
meant until now answers weren't cached, hence reducing performance.

59e4703 Free config file values on parsing errors.
48d12f1 Remove the NO_FORK compile-time option, and support for uclinux.
122392e Revert 68f6312d4bae30b78daafcd6f51dc441b8685b1e
3a5a84c Fix Makefile lines generating UBUS linker config.
24b8760 Do not rely on dead code elimination, use array instead. Make options bits derived from size and count. Use size of option bits and last supported bit in computation. No new change would be required when new options are added. Just change OPT_LAST constant.
6f7812d Fix spurious AD flags in some DNS replies from local config.
cbb5b17 Fix logging in cf5984367bc6a949e3803a576512c5a7bc48ebab
cf59843 Don't forward *.bind/*.server queries upstream
ee87504 Remove ability to compile without IPv6 support.
a220545 Ensure that AD bit is reset on answers from --address=/<domain>/<address>.
a799ca0 Impove cache behaviour for TCP connections.

Along with an additional patch to fix compilation without DHCPv6, sent
upstream.

I've been running this for aaaages without obvious issue hence brave
step of opening to wider openwrt community.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-10 10:38:49 +00:00
Kevin Darbyshire-Bryant
18e02fa20c Revert "dnsmasq: follow upstream dnsmasq pre-v2.81"
This reverts commit a6a8fe0be5.

buildbot found an error
option.c: In function 'dhcp_context_free':
option.c:1042:15: error: 'struct dhcp_context' has no member named 'template_interface'
       free(ctx->template_interface);

revert for the moment

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-10 09:57:19 +00:00
Kevin Darbyshire-Bryant
a6a8fe0be5 dnsmasq: follow upstream dnsmasq pre-v2.81
Backport upstream commits.  Most interesting 122392e which changes how
SERVFAIL is handled especially in event of genuine server down/failure
scenarios with multiple servers.  a799ca0 also interesting in that
answered received via TCP are now cached, DNSSEC typically using TCP
meant until now answers weren't cached, hence reducing performance.

59e4703 Free config file values on parsing errors.
48d12f1 Remove the NO_FORK compile-time option, and support for uclinux.
122392e Revert 68f6312d4bae30b78daafcd6f51dc441b8685b1e
3a5a84c Fix Makefile lines generating UBUS linker config.
24b8760 Do not rely on dead code elimination, use array instead. Make options bits derived from size and count. Use size of option bits and last supported bit in computation. No new change would be required when new options are added. Just change OPT_LAST constant.
6f7812d Fix spurious AD flags in some DNS replies from local config.
cbb5b17 Fix logging in cf5984367bc6a949e3803a576512c5a7bc48ebab
cf59843 Don't forward *.bind/*.server queries upstream
ee87504 Remove ability to compile without IPv6 support.
a220545 Ensure that AD bit is reset on answers from --address=/<domain>/<address>.
a799ca0 Impove cache behaviour for TCP connections.

I've been running this for aaaages without obvious issue hence brave
step of opening to wider openwrt community.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-10 09:14:07 +00:00
Kevin Darbyshire-Bryant
7b083bbb82 dnsmasq: drop dnssec timestamp file patch
Openwrt no longer uses and has not used since 5acfe55d71 Jun 2016 the
timestamp file (/etc/dnsmasq.time) method of resolving the dnssec/ntp
dnslookup chicken/egg problem, having used signals from ntp since that
change.

Drop the 'dnssec-improve-timestamp-heuristic' patch since it is neither
used nor sent upstream.  One less thing to refresh & maintain.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-10 09:14:06 +00:00
Hans Dedecker
929c448a6d firewall: update to latest git HEAD
14589c8 redirects: properly handle src_dport in SNAT rules

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-09 17:36:12 +01:00
Ansuel Smith
f939598b7a iptables: fix ebtables vlan compile issue (FS#1990)
Backport an upstream patch which fixes an userspace/kernel headers
collison

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2018-12-08 21:50:14 +01:00
Ansuel Smith
1286c55302 iptables: bump to 1.8.2
Drop 030-extensions-libxt_bpf-Fix-build-with-old-kernel-versi.patch as pushed upstream
Added patches :
001-extensions_format-security_fixes_in_libip.patch
002-include_fix_build_with_kernel_headers_before_4_2.patch
101-remove-register-check.patch

The first and the second patch are upsteam fixes for compilation errors.
The third patch remove check if one target lib is already registred; this is caused by
shared libs that are loaded before the iptables execution.

Iptables changelog:

bba6bc6 (tag: v1.8.2) configure: bump versions for 1.8.2 release
61d6c38 xtables: add 'printf' attribute to xlate_add
5edb249 libxtables: xlate: init buffer to zero
9afd2a6 tests: shell: fix expected arptables-save output
6387941 arptables: fix --version info
d703c1f arptables: ignore --table argument.
d5754e3 arptables: make uni/multicast mac masks static
1b63e66 arptables: add test cases
5aecb2d arptables: pre-init hlen and ethertype
9677ed1 arptables: fix src/dst mac handling
ab0b6d5 arptables: fix target ip offset
c0c75ce arptables: fix -s/-d handling for negation and mask
3ac65af arptables: add basic test infra for arptables-nft
e31564f arptables: fix rule deletion/compare
2345ff6 arptables: remove code that is also commented-out in original arptables
50c2397 arptables-save: add -c option, like xtables-save
d9a518e arptables: use ->save for arptables-save, like xtables
5a52e6a extensions: test protocol and interface negation
85d7df9 xtables: Fix error return code in nft_chain_user_rename()
3ccb443 xtables: Clarify error message when deleting by index
95db364 xtables: Fix typo in do_command() error message
5f508b7 ebtables: use extrapositioned negation consistently
583b27e ebtables-save: add -c option, using xtables-style counters
e6723ab nft: add NFT_TABLE_* enumeration
21ec111 nft: replace nft_chain_dump() by nft_chain_list_get()
05947c8 iptables-nft: fix -f fragment option
7bd9feb libxtables: add and use mac print helpers
a10eb88 extensions: libebt_ip: fix tos negation
9b127b7 extensions: libebt_ip6: fix ip6-dport negation
c59ba1b xtables-nft: make -Z option work
1bf4a13 nft: add missing error string
a9f9377 iptables-tests: add % to run iptables commands
b81c8da iptables-tests: do not append xtables-multi to external commands
edf2b7c ebtables-nft: add arpreply target
2d1372e ebtables: add redirect test case
c3e8dbd ebtables: add test cases
cd90cef ebtables: relax -t table restriction, add snat/dnat test cases
fd95f1f ebtables: fix -j CONTINUE handling for add/delete
fb747f8 tests: add basic ebtables test support
d4bc5a3 iptables-nft: fix bogus handling of zero saddr/daddr
9ff9915 iptables-test: fix netns test
8c918db xtables: Fix for matching rules with wildcard interfaces
b2fc2a3 extensions: limit: unbreak build without libnftnl
682f39a xtables: Fix for spurious errors from iptables-translate
90f7dc3 (tag: v1.8.1) configure: bump versions for 1.8.1 release
0123183 iptables-test: add -N option to exercise netns removal path
abae556 libxtables: expose new etherdb lookup function through libxtables API
c2d9ed9 libxtables: prefix exported new functions for etherdb lookups
5a44360 Revert "extensions: libxt_quota: Allow setting the remaining quota"
2673faf xtables: Remove target_maxnamelen field
8ca3436 extensions: cgroup: fix option parsing for v2
0a8f2bc extensions: libxt_quota: Allow setting the remaining quota
b373a91 nft-shared: Use xtables_calloc()
5a40961 arptables: Use the shared nft_ipv46_parse_target()
9f07503 Combine parse_target() and command_jump() implementations
7373297 Combine command_match() implementations
a76ba54 libiptc: NULL-terminate errorname
a3716cc libxtables: Check extension real_name length
0195b64 iptables: Gitignore xtables-{legacy, nft}-multi scripts
671e40a xtables: Drop pointless check
7c9a152 arptables: Fix incorrect strcmp() in nft_arp_rule_find()
11e91a4 xtables: Don't read garbage in nft_ipv4_parse_payload()
d95c1e8 libxtables: Use posix_spawn() instead of vfork()
7e50eba Fix a few cases of pointless assignments
f40ce2d extensions: libebt_ip{, 6}: Drop pointless error checking
47fb86c nft-arp: Drop ineffective conditional
80aae9b iptables: Use print_ifaces() from xtables
8da04ff Share print_ipv{4,6}_addr() from xtables
b686594 iptables-apply: Replace signal numbers by names
f175dee iptables-apply: Quote strings passed to echo
52aa150 nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query()
61ebf3f libxtables: Don't read garbage in xtables_strtoui()
ab639f2 libxtables: Avoid calling memcpy() with NULL source
22ef371 libiptc: Simplify alloc_handle() function signature
6b7145f libxt_time: Drop initialization of variable 'year'
749d3c2 libxt_ipvs: Avoid potential buffer overrun
8e798e0 libxt_conntrack: Avoid potential buffer overrun
74eb239 libxt_conntrack: Version 0 does not support XT_CONNTRACK_DIRECTION
d0c1f1b libxt_LED: Avoid string overrun while parsing led-trigger-id
23ef6f0 xtables: Remove unused variable in nft_is_table_compatible()
4e499d5 ip{, 6}tables-restore: Fix for uninitialized array 'curtable'
1788f54 Mark fall through cases in switch() statements
31f1434 libxtables: Integrate getethertype.c from xtables core
7ae4fb1 xtables: Fix for wrong assert() in __nft_table_flush()
8c786a3 nfnl_osf: Drop pointless check in xt_osf_strchr()
6fc7762 libxt_string: Fix array out of bounds check
2a68be1 xtables-save: Ignore uninteresting tables
f9efc8c extensions: add cgroup revision 2
9b8cb16 extensions: REJECT: Merge reject tables
56d7ab4 libxt_string: Avoid potential array out of bounds access
bfd41c8 ebtables: Fix for potential array boundary overstep
e6f9867 libiptc: Avoid side-effect in memset() calls
4144571 libxtables: Fix potential array overrun in xtables_option_parse()
9242b5d xtables: Accept --wait in iptables-nft-restore
c9f4f04 xtables: Don't check all rules for being compatible
15606f2 doc: Improve layout of u32 instructions
7345037 xtables-restore: Fix flushing referenced custom chains
7df11d1 xtables: Drop use of IP6T_F_PROTO
b6a06c1 xtables: Align return codes with legacy iptables
3bb497c xtables: Fix for deleting rules with comment
0800d9b ip6tables-translate: Fix libip6t_mh.txlate test
4cf650c ebtables-translate: Fix for libebt_limit.txlate
783e9c2 xtables: Add missing deinitialization
9771d06 ebtables: Review match/target lookup once more
85ed1ab extensions: libebt_mark: Drop mark_supplied check
6a46ca0 xtables: Add a few missing exit calls
acde6be ebtables-translate: Fix segfault while parsing extension options
2c4e4d2 ebtables: trivial: Leverage C99-style initializers a bit more
9f5b28a xlate-test: Fix for calling wrong command name
1a878a7 extensions: AUDIT: Provide translation
5ee03e6 xtables: Use meta l4proto for -p match
37b68b2 xtables: Fix for segfault when registering hashlimit extension
92f7b04 xtables: Fix for segfault in iptables-nft
294f9ef ebtables: Fix entries count in chain listing
6f29aa8 xtables: Make 'iptables -S nonexisting' return non-zero
7bccf30 ebtables: Fix for listing of non-existent chains
3d9a13d xtables: Fix for no output in iptables-nft -S
a33c6fd arptables: Drop extensions/libxt_mangle.c
02b8097 ebtables: Merge libebt_limit.c into libxt_limit.c
5de8dcf xtables: Use native nftables limit expression
514de48 ebtables: Remove flags misinterpretations
528cbf9 xtables: Fix for wrong counter format in -S output
9ca32c4 xtables: Don't pass full invflags to add_compat()
e055aeb xtables: Improve xtables-monitor first impression
b925733 tests: Fix skipping for recent nft-only tests
277f374 xtables: Spelling fixes in xtables-monitor
a9d9f64 xtables: Fix potential segfault in nft_rule_append()
fbf0bf7 tests: Add ebtables-{save,restore} testcases
f1d8508 tests: Add arptables-{save,restore} testcases
63c3dae xtables: Implement arptables-{save,restore}
aa7fb04 ebtables: Review match/target lookup
3f123dc ebtables-restore: Use xtables_restore_parse()
295d5a8 xtables-restore: Make COMMIT support configurable
1679b2c xtables-restore: Improve user-defined chain detection
2ce9f65 xtables: Match verbose ip{,6}tables output with legacy
cd79556 xtables: Reserve space for 'opt' column in ip6tables output
0357254 xtables: Print error when listing non-existent chains
206033e xtables: Fix for no output on first iptables-nft invocation
a0698de xtables: Do not count rules as chain references
d11b6b8 arptables: Fix jumps into user-defined chains
3f27955 arptables: Fix opcode printing in numeric output
f988fe4 xtables: Fix symlinks/names for ebtables-{save, restore}
3319c61 ebtables: Support --init-table command
3ec8aac arptables: Print policy only for base chains
83bc189 arptables: Fix for trailing spaces in output
aaed1b6 arptables: Fix memleaks in do_commandarp()
d67d85d ebtables: Print non-standard target parameters
2e478e9 ebtables: Fix match_list insertion
a192f03 ebtables: Fix for wrong program name in error messages
a2ed880 xshared: Consolidate argv construction routines
1cc0918 xshared: Consolidate parse_counters()
78b9d43 Consolidate DEBUGP macros
14ad525 xtables: Fix program name in xtables_error()
f7bbdb0 xtables: Use correct built-in chain count
ae574b2 xtables: Fix compilation with NLDEBUG defined
82d278c xtables: Free chains in NFT_COMPAT_CHAIN_ADD jobs
c2895ea xtables: Free chains in NFT_COMPAT_CHAIN_USER_DEL jobs
89d3443 xtables: Fix for nft_rule_flush() returning garbage
c259447 xtables: Allocate rule cache just once
ed30b93 nft: don't print rule counters unless verbose
31e4b59 iptables-restore: free the table lock when skipping a table
f8e29a1 xtables: avoid bogus 'is incompatible' warning
6ea7579 nft: decode meta l4proto
922508e xtables: implement ebtables-{save,restore}
25ef908 xtables: introduce nft_init_eb()
de8574a xtables: parameter to add_argv() may be const
6f60f22 xtables: pass format to nft_rule_save()
f3b772c xtables: introduce save_chain callback
fa1681f xtables: rename {print,save}_rule functions
444d581 xtables: get rid of nft_ipv{4,6}_save_counters()
34e1e23 xtables: eliminate nft_ipv{4,6}_rule_find()
de782e8 xtables: merge nft_ipv{4,6}_parse_target()
ae8eece xtables: get rid of nft_ipv{4,6}_print_header()
2687794 xtables: arp: make rule_to_cs callback private
1bf73c4 xtables: Use new callbacks in nft_rule_print_save()
1866625 xtables: introduce rule_to_cs/clear_cs callbacks
0589457 xtables: simplify struct nft_xt_ctx
d9c6a5d xtables: merge {ip,arp}tables_command_state structs
87b5b9e iptables: replace memset by c99-style initializers
907da5c xtables: fix crash if nft_rule_list_get() fails
565a223 xtables: Support nft suffix for arptables and ebtables
c468f01 tests: check iptables retval, not echo
47d1484 iptables: tests: add test for iptables-save and iptables-restore
e4e0704 extensions: don't bother to build libebt/libarp extensions if nft backend was disabled
17c66a5 iptables: tests: shell: Add README
6c2118c (tag: v1.8.0) configure: bump version and libnftnl dependency
7b66fc2 man: clarify translate tools do not modify any state
f7fec51 xtables-monitor: add --version option
b470b8e xtables-legacy: fix argv0 name for ip6tables-legacy
2028e54 xtables: display legacy/nf_tables flavor in error messages, too
fd8d7d7 ebtables-nft: add stp match
f15639b tests: add script that mimics firewalld startup
27f7db2 tests: fix variable name to multi-binary
2a89ec5 tests: add a few simple tests for list/new/delete
37d9d5b ebtables-nft: make -L, -X CHAINNAME work
816bd1f ebtables-nft: remove exec_style
b81708f ebtables-nft: don't crash on ebtables -X
de02a75 doc: fix some spellos and the dash escape
dcf4529 tests: add firewalld default ruleset from fedora 27
f23abd5 tests: add another ipv4 only ruleset
ed9cfe1 tests: add initial save/restore test cases
9933dc5 tests: adapt test suite to run with legacy+nftables based binaries
be70918 xtables: rename xt-multi binaries to -nft, -legacy
d49ba50 xtables-restore: init table before processing policies
344c6eb doc: Fix spelling error in hashlimit section
e063873 tests: make duplicate test work
d26c538 xtables: add xtables-monitor
db84371 xtables: translate nft meta trace set 1 to -j TRACE
20eac2a xtables: warn in case old-style (set/getsockopt) tables exist
c9f5e18 xtables: add nf_tables vs. legacy postfix to version strings
e5fed16 iptables8.in: Update coreteam names
672accf include: update kernel netfilter header files
856a875 xtables: silence two compiler warnings
ae6e159 xtables: remove dead code inherited from ebtables
107b7eb configure: add -Wlogical-op warning to cflags
bc7f49d ebtables-translate: remove --change-counters code
38b4166 iptables: tests: shell: add shell test-suite
1e6427a xtables-compat: skip invalid tables
cb368b6 xtables: more error printing fixes
b1b828f xtables: homogenize error message
4caa559 xtables: initialize basechains for rule flush command too
9b89622 xtables: rework rule cache logic
01e25e2 xtables: add chain cache
8d190e9 xtables: initialize basechains only once on ruleset restore
0a86351 xtables-compat: ignore '+' interface name
125d1ce xtables-compat: append all errors into single line
437746c xtables: extended error reporting
d1c79cd xtables: allocate struct xt_comment_info for comments
4e20209 xtables: use libnftnl batch API
49709e2 xtables-compat: remove nft_is_ruleset_compatible
03e1377 xtables: allow dumping of chains in specific table
94fd83d xtables: inconsistent error reporting for -X and no empty chain
c4f1622 ebtables-compat: add arp match extension
24ce746 ebtables-compat: add redirect match extension
84c04e3 ebtables-compat: add nat match extensions
14ec998 xtables-compat: ebtables: prefer snprintf to strncpy
5e2b473 xtables-compat: extend generic tests for masks and wildcards
1a696c9 libxtables: store all requested match types
bb436ce xtables-compat: ip6table-save: fix save of ip6 address masks
6454d7d ebtables-translate: suppress redundant protocols
07f4ca9 xtables-compat: ebtables: allow checking for zero-mac
0ca2d2a xtables-compat: ebtables: add helpers to print interface and mac addresses
3d9f300 xtables-compat: ebtables: remove interface masks from ebt_entry struct
20e2758 xtables-compat: ebtables: fix logical interface negation
2682bb0 xtables-compat: ebtables: add and use helper to parse all interface names
564862d xtables-compat: ebtables: split match/target print from nft_bridge_print_firewall
0ae81d0 xtables-compat: ebtables: kill ebtables_command_state
651cfee xtables-compat: pass correct table skeleton
652b98e xtables-compat: fix wildcard detection
49f4993 extensions: libip6t_srh.t: Add test cases for psid, nsid, and lsid
429143b extensions: libxt_CONNMARK: incorrect translation after v2
db7b4e0 extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark
155e1c0 extensions: libip6t_srh: support matching previous, next and last SID
f4ffda1 extensions: libipt_DNAT: tests added for shifted portmap range
6a9ffb1 xtables-compat-restore: flush table and its content with no -n
07ae37c xtables-compat: fix bogus error with -X and no user-defined chains
df3d92b xtables-compat-restore: flush user-defined chains with -n
ca16584 xtables-compat-restore: flush rules and delete user-defined chains
ac1e85a extensions: libipt_DNAT: use size of nf_nat_range2 for rev2
e25d99a xtables-compat: pass larger socket buffer
838746e xtables-compat: xtables-save: don't return 1
2211679 xtables-compat: ebtables: support concurrent option
a77a7d8 iptables-test: fix bug with rateest
de87405 xtables-compat: fix ipv4 frag (-f)
c7b2fd6 xtables-compat: also check tg2->userspacesize
5685938 xtables-compat: avoid unneeded bitwise ops
b9d7b49 xtables-compat: restore: sync options with iptables-restore
c0ef861 extensions: add xlate test for ipables -f
d79a7f1 xtables-compat: output -s,d first during save, just like iptables
d1eb4d5 iptables-compat: chains are purge out already from table flush
09f0d47 iptables-compat: do not fail on restore if user chain exists
8798eb8 iptables-compat: remove non-batching routines
b633ef9 xtables.conf: fix hook skeletons
7af2178 xtables-compat: fall back to comment match in case name is too long
e9aeecf xlate-test: use locally installed xlate tools
0ab58e3 xtables-compat: ebtables: handle mac masks properly
734ad40 xtables-compat: nft-arp: fix warning wrt. sprintf-out-of-bounds
fb7ae9f xtables-compat: truncate comments to 254 bytes
36976c4 extensions: libipt_DNAT: support shifted portmap ranges
d7ac61b iptables-test: add nft switch and test binaries from git
992e17d xtables-compat: only fetch revisions for ip/ip6
12a52ff xtables: Fix rules print/save after iptables update
1197c5e xtables: Register all match/target revisions supported by us and kernel
e3bb24c xtables: Check match/target size vs XT_ALIGN(size) at register time
3b2530c xtables: Do not register matches/targets with incompatible revision
d3f1437 xtables: Introduce and use common function to print val[/mask] arguments
29b1d97 xtables: Introduce and use common function to parse val[/mask] arguments
56aadc0 extensions: Initialize linear mapping of symbols in _init() of extension
79c2da9 extensions: ULOG: remove test
a0956ce ebtables-translate: turn off useless compat queries
9840869 nft: arptables: remove obsolete forward hook definition
7a37d14 iptables-compat: statify nft_restart()
a3aac1d iptables-compat: handle netlink dump EINTR errors
a567dc3 ebtables-compat: add 'vlan' match extension
7564bba ebtables-compat: add 'pkttype' match extension
4d40904 ebtables-translate: update table name on -t
5c8ce9c ebtables-compat: add 'ip6' match extension
8a85a14 libebt_ip: fix translations for tos and icmp
b6f0bec libebt_ip: add icmp support
f38ed1e xt-translate: quote interface names in translated output
71a6e37 icmp: split icmp type printing to header file
e67c088 ebtables-translate: add initial test cases
207dd5e xt-compat: add ebtables-translate
d988274 xlate-translate: split common parts into helper
1650806 xtables-eb: export 3 functions
6b2041c nft-bridge: add eb-translate backend functions
3063c37 nft-bridge: fix mac address printing
394a400 nft: fix crash when getprotobynumber() returns 0
6a1dbdf ebtables-compat: support intra-positioned negations
3e94f0a nft-bridge: add forward declaration for struct nftnl_rule
5024efe libebt_limit: print 'minute' and 'seconds', not 'min' and 'secs'
ce3c780 nft: make nft_init self-contained
cb151d5 xtables-translate: rm duplicate includes
69c089b xt-compat: constify a few struct members
03ecffe ebtables-compat: add initial translations
57af67d iptables: constify option struct
88231c4 ebtables-compat: load mark target
6b4e167 ebtables-compat: don't make failing extension load fatal
24110b5 libxt_comment: silence truncation warning
98fc8ce xtables-compat: only validate the xtables builtin tables
9d9b724 xtables-compat: skip unsupported tables
59d15cf xtables-compat: also validate priorities and hook points match expected values
eb35854 xtables-compat: fix snprintf truncation warnings
fc04c8a extensions: CLUSTERIP: do not allow --local-node 0
eb2c052 extensions: CLUSTERIP: add tests
ca3c397 iptables: add xtables-translate.8 manpage
5beb158 extensions: libxt_bpf: Fix build with old kernel versions
147a891 extenstions: ecn: add tcp ecn/cwr translation
ed928a8 extensions: add tests for comp match options
632ace7 xtables-compat-multi.c: Allow symlink of ebtables
d7ccc68 iptables: add xtables-compat.8 manpage
043da5b extensions: connmark: remove non-working translation
a93b502 extensions: prefer plain 'set' over 'set mark and'
577b7e2 xtables-compat-restore: use correct hook priorities

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2018-12-08 10:54:09 +01:00
Rosen Penev
26dcaf58ee comgt: Fix 3g.sh permissions
3g.sh needs to be executable. 600 is not correct for that.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-06 08:42:39 +01:00
Florian Eckert
675eb747aa openvpn: add list element parsing
For the parameters tls-cipher and ncp-ciphers more than one option can
be used in the OpenVPN configuration, separated by a colon, which should
be implemented as a list in order to configure it more clearly. By
adding the new OPENVPN_LIST option to the openvpn.options file with the
tls-cipher and ncp-cipher parameters, uci can now add this option as a
"list" and the init script will generate the appropriate OpenVPN
configuration from it.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-12-03 09:54:03 +01:00
Hans Dedecker
493c1d1766 odhcpd: update to latest git HEAD
d404c7e netlink: fix triggering of NETEV_ADDR6LIST_CHANGE event
ae6cf80 config: correctly break string for prefix filter

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-29 21:46:12 +01:00
Jo-Philipp Wich
3082370551 openvpn: update to 2.4.6
Update the OpenVPN package to version 2.4.6, refresh patches and drop
menuconfig options which are not supported upstream anymore.

Also fix the x509-alt-username configure flag - it is not supported
by mbedtls and was syntactically wrong in the Makefile - and the
port-share option which has been present in menuconfig but not been
used in the Makefile.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-11-28 22:10:19 +01:00
Jo-Philipp Wich
56378bc12d uhttpd: update to latest Git head
cdfc902 cgi: escape url in 403 error output
0bba1ce uhttpd: fix building without TLS and Lua support
2ed3341 help: document -A option
fa5fd45 file: fix CPP syntax error
77b774b build: avoid redefining _DEFAULT_SOURCE

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-11-28 12:55:50 +01:00
Hans Dedecker
533f7673ae netifd: update to latest git HEAD
dfa4ede interface: fix return code of __interface_add()
a82a8f6 netifd: fix resource leak on error in netifd_add_dynamic()
fa2403d config: fix resource leaks on error in config_parse_interface()
85de9de interface: fix memory leak on error in __interface_add()

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-26 15:33:45 +01:00
Jason A. Donenfeld
48d8d46d33 wireguard: bump to 0.0.20181119
* chacha20,poly1305: fix up for win64
* poly1305: only export neon symbols when in use
* poly1305: cleanup leftover debugging changes
* crypto: resolve target prefix on buggy kernels
* chacha20,poly1305: don't do compiler testing in generator and remove xor helper
* crypto: better path resolution and more specific generated .S
* poly1305: make frame pointers for auxiliary calls
* chacha20,poly1305: do not use xlate

This should fix up the various build errors, warnings, and insertion errors
introduced by the previous snapshot, where we added some significant
refactoring. In short, we're trying to port to using Andy Polyakov's original
perlasm files, and this means quite a lot of work to re-do that had stableized
in our old .S.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-11-19 22:15:02 +01:00
Hans Dedecker
8e409f476b netifd: update to latest git HEAD
4b83102 treewide: switch to C-code style comments
70506bf treewide: make some functions static
d9872db interface: fix removal of dynamic interfaces
2f7ef7d interface: rework code to get rid of interface_set_dynamic

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-19 10:15:26 +01:00
Jason A. Donenfeld
bf52c968e8 wireguard: bump to 0.0.20181115
* Zinc no longer ships generated assembly code. Rather, we now
  bundle in the original perlasm generator for it. The primary purpose
  of this snapshot is to get testing of this.
* Clarify the peer removal logic and make lifetimes more precise.
* Use READ_ONCE for is_valid and is_dead.
* No need to use atomic when the recounter is mutex protected.
* Fix up macros and annotations in allowedips.
* Increment drop counter when staged packets are dropped.
* Use static constants instead of enums for 64-bit values in selftest.
* Mark large constants as ULL in poly1305-donna64.
* Fix sparse warnings in allowedips debugging code.
* Do not use wg_peer_get_maybe_zero in timer callbacks, since we now can
  carefully control the lifetime of these functions and ensure they never
  execute after dropping the last reference.
* Cleanup hashing in ratelimiter.
* Do not guard timer removals, since del_timer is always okay.
* We now check for PM_AUTOSLEEP, which makes the clear*on-suspend decision a
  bit more general.
* Set csum_level to ~0, since the poly1305 authenticator certainly means
  that no data was modified in transit.
* Use CHECKSUM_PARTIAL check for skb_checksum_help instead of
  skb_checksum_setup check.
* wg.8: specify that wg(8) shows runtime info too
* wg.8: AllowedIPs isn't actually required
* keygen-html: add missing glue macro
* wg-quick: android: do not choke on empty allowed-ips

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-11-16 09:23:02 +01:00
Kevin Darbyshire-Bryant
3a6bddd7f7 hostapd: add utf8_ssid flag & enable as default
SSIDs may contain UTF8 characters but ideally hostapd should be told
this is the case so it can advertise the fact. Default enable this
option.

add uci option utf8_ssid '0'/'1' for disable/enable e.g.

config wifi-iface
	option utf8_ssid '0'

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-11-14 17:41:18 +00:00
Petr Štetiar
1b4b942bce Revert "iptables: fix dependency for libip6tc on IPV6"
This patch reverts commit 2dc1f54b12 as it
breaks the build for me on x86-64 if I've IPV6 support disabled. Same config
builds fine on `openwrt-18.06` branch at 55d078b2.

  $ grep IPV6 .config

  # CONFIG_KERNEL_IPV6 is not set
  # CONFIG_IPV6 is not set

Build errors out on:

  Package libiptc is missing dependencies for the following libraries:
  libip6tc.so.0

Looking at iptables-1.6.2/libiptc/Makefile.am:

  libiptc_la_LIBADD   = libip4tc.la libip6tc.la

and to iptables-1.6.2/libiptc/libiptc.pc.in:

  Requires:	libip4tc libip6tc

It seems that libiptc needs v4/v6 libs, so v6 isn't optional.

Cc: Rosy Song <rosysong@rosinson.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2018-11-10 18:50:29 +01:00
Hans Dedecker
5617e138bd ethtool: update to 4.19
8a1ad80 Release version 4.19.
ecdf295 ethtool: Fix uninitialized variable use at qsfp dump
98c148e ethtool: better syntax for combinations of FEC modes
d4b9f3f ethtool: support combinations of FEC modes

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-10 13:44:09 +01:00
Hans Dedecker
559635dbb6 iproute2: update to 4.19.0
Update to the latest version of iproute2; see https://lwn.net/Articles/769354/
for a full overview of the changes in 4.19.
Remove 190-add-cake-to-tc patch as CAKE qdisc is now supported in 4.19.0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-08 11:09:13 +01:00
Alexander Couzens
900005ee75
iperf: allow non-ipv6 builds
Add configure argument --disable-ipv6 when ipv6 is deselected.
Add fix-non-ipv6-builds.patch as long there is no new upstream
release.

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2018-11-03 02:36:24 +01:00
Hans Dedecker
c9f5934c71 curl: noop commit to refer CVEs fixed in 7.62.0
When bumping Curl to 7.62.0 in commit 278e4eba09 I did not include the fixed
CVEs in the commit message; this commit fixes this.

The following CVEs were fixed in 7.62.0 :

CVE-2018-16839
CVE-2018-16840
CVE-2018-16842

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-02 13:16:13 +01:00
Hans Dedecker
278e4eba09 curl: bump to 7.62.0
Refresh patches, for changes in version 7.62.0 see https://curl.haxx.se/changes.html#7_62_0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-31 23:06:42 +01:00
Kevin Darbyshire-Bryant
3dba852547 dnsmasq: tighten config file permissions
Install following as config files (600) perms instead of as data (644)

/usr/share/dnsmasq/dhcpbogushostname.conf
/usr/share/dnsmasq/trust-anchors.conf
/usr/share/dnsmasq/rfc6761.conf
/etc/hotplug.d/ntp/25-dnsmasqsec
/etc/config/dhcp
/etc/dnsmasq.conf

dnsmasq reads relevant config files before dropping root privilege and
running as dnsmasq:dnsmasq

ntpd runs as root so the hotplug script is still accessible

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-30 09:25:32 +00:00
Kevin Darbyshire-Bryant
6c4d3d705a dnsmasq: bump to v2.80
dnsmasq v2.80 release

Change from rc1:

91421cb Fix compiler warning.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-19 17:36:02 +01:00
Hans Dedecker
15a59e3e08 iproute2: install ip-tiny and ip-full in /usr/libexec
Install the ip-tiny and ip-full variants in /usr/libexec as the suffixed
ip variants are not meant to be called directly

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-18 17:15:51 +02:00
Jason A. Donenfeld
4653818dab wireguard: bump to 0.0.20181018
ba2ab5d version: bump snapshot
5f59c76 tools: wg-quick: wait for interface to disappear on freebsd
ac7e7a3 tools: don't fail if a netlink interface dump is inconsistent
8432585 main: get rid of unloaded debug message
139e57c tools: compile on gnu99
d65817c tools: use libc's endianness macro if no compiler macro
f985de2 global: give if statements brackets and other cleanups
b3a5d8a main: change module description
296d505 device: use textual error labels always
8bde328 allowedips: swap endianness early on
a650d49 timers: avoid using control statements in macro
db4dd93 allowedips: remove control statement from macro by rewriting
780a597 global: more nits
06b1236 global: rename struct wireguard_ to struct wg_
205dd46 netlink: do not stuff index into nla type
2c6b57b qemu: kill after 20 minutes
6f2953d compat: look in Kbuild and Makefile since they differ based on arch
a93d7e4 create-patch: blacklist instead of whitelist
8d53657 global: prefix functions used in callbacks with wg_
123f85c compat: don't output for grep errors

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-10-18 08:55:01 +02:00
Hans Dedecker
db6f9d5598 netifd: update to latest git HEAD
841b5d1 system-linux: enable by default ignore encaplimit for grev6 tunnels
125cbee system-linux: fix a typo in gre tunnel data parsing logic

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-17 11:18:30 +02:00
Hans Dedecker
3d015e971f gre: make encaplimit support configurable
Make inclusion of the destination option header containing the tunnel
encapsulation limit configurable for IPv6 GRE packets.
Setting the uci parameter encaplimit to ignore; allows to disable the
insertion of the destination option header in the IPv6 GRE packets.
Otherwise the tunnel encapsulation limit value can be set to a value
from 0 till 255 by setting the encaplimit uci parameter accordingly.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-17 11:18:20 +02:00
Kevin Darbyshire-Bryant
1063d904b7 hostapd: add basic variant
Add a basic variant which provides WPA-PSK only, 802.11r and 802.11w and
is intended to support 11r & 11w (subject to driver support) out of the
box.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-16 15:07:41 +01:00
Rosy Song
fd09e251e9 ppp: don't start ppp with IPv6 support if ipv6 is not supported
Signed-off-by: Rosy Song <rosysong@rosinson.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-16 14:31:45 +02:00
Jo-Philipp Wich
3e633bb370 hostapd: fix MAC filter related log spam
Backport two upstream fixes to address overly verbose logging of MAC ACL
rejection messages.

Fixes: FS#1468
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-10-16 12:11:20 +02:00
Christian Lamparter
583466bb5b dnsmasq: fix dnsmasq failure to start when ujail'd
This patch fixes jailed dnsmasq running into the following issue:

|dnsmasq[1]: cannot read /usr/share/dnsmasq/dhcpbogushostname.conf: No such file or directory
|dnsmasq[1]: FAILED to start up
|procd: Instance dnsmasq::cfg01411c s in a crash loop 6 crashes, 0 seconds since last crash

Fixes: a45f4f50e1 ("dnsmasq: add dhcp-ignore-names support - CERT VU#598349")

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[bump package release]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-16 10:39:59 +01:00
Kevin Darbyshire-Bryant
b8bc672f24 dnsmasq: bump to v2.80rc1
53792c9 fix typo
df07182 Update German translation.

Remove local patch 001-fix-typo which is a backport of the above 53792c9

There is no practical difference between our test8 release and this rc
release, but this does at least say 'release candidate'

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-16 08:39:21 +01:00
Hans Dedecker
39e5e17045 dnsmasq: fix compile issue
Fix compile issue in case HAVE_BROKEN_RTC is enabled

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-15 13:42:55 +02:00
Hauke Mehrtens
4c3fae4adc hostapd: Add WPA-EAP-SUITE-B-192 (WPA3-Enterprise)
This adds support for the WPA3-Enterprise mode authentication.

The settings for the WPA3-Enterpriese mode are defined in
WPA3_Specification_v1.0.pdf. This mode also requires ieee80211w and
guarantees at least 192 bit of security.

This does not increase the ipkg size by a significant size.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:15 +02:00
Hauke Mehrtens
18c6c93a3b hostapd: Activate Opportunistic Wireless Encryption (OWE)
OWE is defined in RFC 8110 and provides encryption and forward security
for open networks.

This is based on the requirements in the Wifi alliance document
Opportunistic_Wireless_Encryption_Specification_v1.0_0.pdf
The wifi alliance requires ieee80211w for the OWE mode.
This also makes it possible to configure the OWE transission mode which
allows it operate an open and an OWE BSSID in parallel and the client
should only show one network.

This increases the ipkg size by 5.800 Bytes.
Old: 402.541 Bytes
New: 408.341 Bytes

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:15 +02:00
Hauke Mehrtens
4a009a16d2 hostapd: Activate Simultaneous Authentication of Equals (SAE)
This build the full openssl and wolfssl versions with SAE support which
is the main part of WPA3 PSK.

This needs elliptic curve cryptography which is only provided by these
two external cryptographic libraries and not by the internal
implementation.

The WPA3_Specification_v1.0.pdf file says that in SAE only mode
Protected Management Frames (PMF) is required, in mixed mode with
WPA2-PSK PMF should be required for clients using SAE, and optional for
clients using WPA2-PSK. The defaults are set now accordingly.

This increases the ipkg size by 8.515 Bytes.
Old: 394.026 Bytes
New: 402.541 Bytes

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:15 +02:00
Hauke Mehrtens
a1ad1144b6 hostapd: SAE: Do not ignore option sae_require_mfp
This patch was send for integration into the hostapd project.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:14 +02:00
Hauke Mehrtens
779773a0de hostapd: backport build fix when OWE is activated
This backports a compile fix form the hostapd project.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:14 +02:00
Hauke Mehrtens
4b93b03577 hostapd: sync config with default configuration
This replaces the configuration files with the versions from the hostapd
project and the adaptions done by OpenWrt.

The resulting binaries should be the same.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:14 +02:00
Hauke Mehrtens
8f7a2bd084 netifd: update to latest git HEAD
22476ff wireless: Add Simultaneous Authentication of Equals (SAE)
c6c3a0d wireless: Add Opportunistic Wireless Encryption (OWE)
a117e41 wireless: Add WPA-EAP-SUITE-B-192 (WPA3-Enterprise)

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:08 +02:00
Florian Eckert
71865200c9 uqmi: fix variable initilization for timeout handling
Also add logging output for SIM initilization.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-12 09:36:05 +02:00
Florian Eckert
4cabda8b7d uqmi: update PKG_RELEASE version
update PKG_RELEASE

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
0c9d06b5b2 uqmi: stop proto handler if verify pin count is not 3
Check pin count value from pin status and stop verification the pin if
the value is less then 3. This should prevent the proto-handler to
lock the SIM. If SIM is locked then the PUK is needed.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
4b80bd878d uqmi: evaluate pin-status output in qmi_setup function
Load the json output from uqmi --get-pin-status command and evaluate the
"pin1_status" value.

The following uqmi "pin1_status" values are evaluated:

- disabled
  Do not verify PIN because SIM verification is disabled on this SIM

- blocked
  Stop qmi_setup because SIM is locked and a PUK is required

- not_verified
  SIM is not yet verified. Do a uqmi --verify-pin1 command if a SIM is
  specified

- verified:
  Do not verify the PIN because this was already done before

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
f171a86d06 uqmi: do not block proto handler if SIM is uninitialized
QMI proto setup-handler will wait forever if SIM does not get initialized.
To fix this stop polling pin status and notify netifd. Netifd will generate
then a "ifup-failed" ACTION.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
dec1bfa0f4 uqmi: do not block proto handler if modem is unable to registrate
QMI proto setup-handler will wait forever if it is unable to registrate to
the mobile network. To fix this stop polling network registration status
and notify netifd. Netifd will generate then a "ifup-failed" ACTION.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
dee93def39 uqmi: add timeout option value
This value will be used for now during following situations:
* Ask the sim with the uqmi --get-pin-status command.
* Wait for network registration with the uqmi --get-serving-system command.

This two commands wait forever in a while loop. Add a timeout to stop
waiting and so inform netifd.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
2d57aa9c4c uqmi: redirect uqmi commands output to /dev/null
Move uqmi std and error output on commands without using them to /dev/null.
This will remove useless outputs in the syslog.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
692c6d9a5d uqmi: fix indenting
fix indenting

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
John Crispin
3e8ef61c01 package/: fix $(PROJECT_GIT) usage
Signed-off-by: John Crispin <john@phrozen.org>
2018-10-11 08:42:52 +02:00
Rosen Penev
4572d996a4 linux-atm: Install hotplug file as 600
The hotplug files is only used by procd, which runs as root.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-10-11 08:06:35 +02:00
Rosen Penev
c7144ec688 comgt: Install hotplug and netifd files as 600
procd and netifd both run as root. These files are not used elsewhere.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-10-11 08:06:28 +02:00
Rosen Penev
f5ddbd695b samba36: Install several config files as 600
Hotplug is managed by procd, which runs as root. The other files are used
by root as well.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-10-11 08:06:18 +02:00
Rosen Penev
745c3acd64 soloscli: Install hotplug file as 600
Hotplug is managed by procd, which runs as root.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-10-11 08:06:09 +02:00
Rosen Penev
49065d227a firewall: Install config files as 600
None of the files in firewall are used by non-root.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-10-11 08:05:41 +02:00
Kevin Darbyshire-Bryant
a45f4f50e1 dnsmasq: add dhcp-ignore-names support - CERT VU#598349
dnsmasq v2.80test8 adds the ability to ignore dhcp client's requests for
specific hostnames.  Clients claiming certain hostnames and thus
claiming DNS namespace represent a potential security risk. e.g. a
malicious host could claim 'wpad' for itself and redirect other web
client requests to it for nefarious purpose. See CERT VU#598349 for more
details.

Some Samsung TVs are claiming the hostname 'localhost', it is believed
not (yet) for nefarious purposes.

/usr/share/dnsmasq/dhcpbogushostname.conf contains a list of hostnames
in correct syntax to be excluded. e.g.

dhcp-name-match=set:dhcp_bogus_hostname,localhost

Inclusion of this file is controlled by uci option dhcpbogushostname
which is enabled by default.

To be absolutely clear, DHCP leases to these requesting hosts are still
permitted, but they do NOT get to claim ownership of the hostname
itself and hence put into DNS for other hosts to be confused/manipulate by.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-09 09:45:16 +01:00
Kevin Darbyshire-Bryant
3925298f3c wireguard: bump to 0.0.20181007
64750c1 version: bump snapshot
f11a2b8 global: style nits
4b34b6a crypto: clean up remaining .h->.c
06d9fc8 allowedips: document additional nobs
c32b5f9 makefile: do more generic wildcard so as to avoid rename issues
20f48d8 crypto: use BIT(i) & bitmap instead of (bitmap >> i) & 1
b6e09f6 crypto: disable broken implementations in selftests
fd50f77 compat: clang cannot handle __builtin_constant_p
bddaca7 compat: make asm/simd.h conditional on its existence
b4ba33e compat: account for ancient ARM assembler

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-09 09:11:58 +01:00
Kevin Darbyshire-Bryant
30cc5b0bf4 dnsmasq: bump to v2.80test8
e1791f3 Fix logging of DNSSEC queries in TCP mode. Destination server address was misleading.
0fdf3c1 Fix dhcp-match-name to match hostname, not complete FQDN.
ee1df06 Tweak strategy for confirming SLAAC addresses.
1e87eba Clarify manpage for --auth-sec-servers
0893347 Make interface spec optional in --auth-server.
7cbf497 Example config file fix for CERT Vulnerability VU#598349.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-07 16:42:12 +01:00
Rafał Miłecki
87cd118794 iperf: fix --daemon option
Support for -D got broken in the 2.0.11 release by the upstream commit
218d8c667944 ("first pass L2 mode w/UDP checks, v4 only"). After that
commit clients were still able to connect but no traffic was passed.
It was reported and is fixed now in the upstream git repository.

Backport two patches to fix this. The first one is just a requirement
for the later to apply. The second one is the real fix and it needed
only a small adjustment to apply without backporing the commit
10887b59c7e7 ("fix --txstart-time report messages").

Fixes: 457e6d5a27 ("iperf: bump to 2.0.12")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2018-10-07 17:13:39 +02:00
Hans Dedecker
af78e90d4c odhcpd: update to latest git HEAD (FS#1853)
57f639e (HEAD -> master, origin/master, origin/HEAD) odhcpd: make DHCPv6/RA/NDP support optional
402c274 dhcpv6: check return code of dhcpv6_ia_init()
ee7472a router: don't leak RA message in relay mode (FS#1853)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-07 15:11:36 +02:00
Felix Fietkau
518fb345e1 iw: strip a few more non-essential features from iw-tiny
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-10-07 12:45:41 +02:00
Felix Fietkau
7999282f7f iw: fix filtering linked object files for iw-tiny
It was broken by the recent commit that added iw-full

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-10-07 12:45:41 +02:00
Jason A. Donenfeld
b665856450 wireguard: bump to 0.0.20181006
* Account for big-endian 2^26 conversion in Poly1305.
  * Account for big-endian NEON in Curve25519.
  * Fix macros in big-endian AArch64 code so that this will actually run there
    at all.
  * Prefer if (IS_ENABLED(...)) over ifdef mazes when possible.
  * Call simd_relax() within any preempt-disabling glue code every once in a
    while so as not to increase latency if folks pass in super long buffers.
  * Prefer compiler-defined architecture macros in assembly code, which puts us
    in closer alignment with upstream CRYPTOGAMS code, and is cleaner.
  * Non-static symbols are prefixed with wg_ to avoid polluting the global
    namespace.
  * Return a bool from simd_relax() indicating whether or not we were
    rescheduled.
  * Reflect the proper simd conditions on arm.
  * Do not reorder lines in Kbuild files for the simd asm-generic addition,
    since we don't want to cause merge conflicts.
  * WARN() if the selftests fail in Zinc, since if this is an initcall, it won't
    block module loading, so we want to be loud.
  * Document some interdependencies beside include statements.
  * Add missing static statement to fpu init functions.
  * Use union in chacha to access state words as a flat matrix, instead of
    casting a struct to a u8 and hoping all goes well. Then, by passing around
    that array as a struct for as long as possible, we can update counter[0]
    instead of state[12] in the generic blocks, which makes it clearer what's
    happening.
  * Remove __aligned(32) for chacha20_ctx since we no longer use vmovdqa on x86,
    and the other implementations do not require that kind of alignment either.
  * Submit patch to ARM tree for adjusting RiscPC's cflags to be -march=armv3 so
    that we can build code that uses umull.
  * Allow CONFIG_ARM[64] to imply [!]CONFIG_64BIT, and use zinc arch config
    variables consistently throughout.
  * Document rationale for the 2^26->2^64/32 conversion in code comments.
  * Convert all of remaining BUG_ON to WARN_ON.
  * Replace `bxeq lr` with `reteq lr` in ARM assembler to be compatible with old
    ISAs via the macro in <asm/assembler.h>.
  * Do not allow WireGuard to be a built-in if IPv6 is a module.
  * Writeback the base register and reorder multiplications in the NEON x25519
    implementation.
  * Try all combinations of different implementations in selftests, so that
    potential bugs are more immediately unearthed.
  * Self tests and SIMD glue code work with #include, which lets the compiler
    optimize these. Previously these files were .h, because they were included,
    but a simple grep of the kernel tree shows 259 other files that carry out
    this same pattern. Only they prefer to instead name the files with a .c
    instead of a .h, so we now follow the convention.
  * Support many more platforms in QEMU, especially big endian ones.
  * Kernels < 3.17 don't have read_cpuid_part, so fix building there.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-10-06 20:49:11 +02:00
Felix Fietkau
8c647e873f iw: add iw-full package without size reduction hacks
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-10-06 13:02:29 +02:00
Alexander Couzens
6ef1c978ba package/lldp: don't link against libbsd on !USE_GLIBC builds
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2018-10-05 00:44:55 +02:00
Syrone Wong
68f109609b ipset: update to 6.38
dropped already upstream patch

Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
2018-10-04 13:15:22 +02:00
Hans Dedecker
c8e2edfd9e netifd: update to latest git HEAD (FS#1875)
83428fa iprule: coding style fixes
aeec2a0 iprule: fix segfault (FS#1875)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-02 13:34:04 +02:00
Rosy Song
456df06071 odhcpd-ipv6only: fix dependency for IPV6
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-09-30 21:05:42 +02:00
Hans Dedecker
8e604dea31 netifd: update to latest git HEAD
94e156f scripts: fix previous commit
3c8ac1c netifd: fix wpa mixed mode matching

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-30 21:05:35 +02:00
Enrique Giraldo
61454a0a8c hostapd: add acs feature indication
Signed-off-by: Enrique Giraldo <enrique.giraldo@galgus.net>
2018-09-29 17:23:11 +02:00
Kevin Darbyshire-Bryant
37961f12ba wireguard: bump to 0.0.20180925
33523a5 version: bump snapshot
0759480 curve25519-hacl64: reduce stack usage under KASAN
b9ab0fc chacha20: add bounds checking to selftests
2e99d19 chacha20-mips32r2: reduce stack and branches in loop, refactor jumptable handling
d6ac367 qemu: bump musl
28d8b7e crypto: make constant naming scheme consistent
56c4ea9 hchacha20: keep in native endian in words
0c3c0bc chacha20-arm: remove unused preambles
3dcd246 chacha20-arm: updated scalar code from Andy
6b9d5ca poly1305-mips64: remove useless preprocessor error
3ff3990 crypto-arm: rework KERNEL_MODE_NEON handling again
dd2f91e crypto: flatten out makefile
67a3cfb curve25519-fiat32: work around m68k compiler stack frame bug
9aa2943 allowedips: work around kasan stack frame bug in selftest
317b318 chacha20-arm: use new scalar implementation
b715e3b crypto-arm: rework KERNEL_MODE_NEON handling
77b07d9 global: reduce stack frame size
ddc2bd6 chacha20: add chunked selftest and test sliding alignments and hchacha20
2eead02 chacha20-mips32r2: reduce jumptable entry size and stack usage
a0ac620 chacha20-mips32r2: use simpler calling convention
09247c0 chacha20-arm: go with Ard's version to optimize for Cortex-A7
a329e0a chacha20-mips32r2: remove reorder directives
3b22533 chacha20-mips32r2: fix typo to allow reorder again
d4ac6bb poly1305-mips32r2: remove all reorder directives
197a30c global: put SPDX identifier on its own line
305806d ratelimiter: disable selftest with KASAN
4e06236 crypto: do not waste space on selftest items
5e0fd08 netlink: reverse my christmas trees
a61ea8b crypto: explicitly dual license
b161aff poly1305: account for simd being toggled off midway
470a0c5 allowedips: change from BUG_ON to WARN_ON
aa9e090 chacha20: prefer crypto_xor_cpy to avoid memmove
1b0adf5 poly1305: no need to trick gcc 8.1
a849803 blake2s: simplify final function
073f3d1 poly1305: better module description

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-27 21:19:38 +01:00
Kevin Darbyshire-Bryant
d9a37d8d1e dnsmasq: bump to v2.80test7
Bump to latest test release:

3a610a0 Finesse allocation of memory for "struct crec" cache entries.
48b090c Fix b6f926fbefcd2471699599e44f32b8d25b87b471 to not SEGV on startup (rarely).
4139298 Change behavior when RD bit unset in queries.
51cc10f Add warning about 0.0.0.0 and :: addresses to man page.
ea6cc33 Handle memory allocation failure in make_non_terminals()
ad03967 Add debian/tmpfiles.conf
f4fd07d Debian bugfix.
e3c08a3 Debian packaging fix. (restorecon)
118011f Debian packaging fix. (tmpfiles.d)

Delete our own backports of ea6cc33 & 4139298, so the only real changes
here, since we don't care about the Debian stuff are 48b090c & 3a610a0

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-27 16:13:40 +01:00
Rosy Song
2dc1f54b12 iptables: fix dependency for libip6tc on IPV6
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-09-26 22:40:37 +02:00
Hauke Mehrtens
02e7fa6f8a iw: update nl80211.h
Now this file matches the version in backports.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-09-26 16:39:44 +02:00
Rosy Song
a6add47869 netifd: do not validate relevant section when ipv6 is not supported
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-09-25 22:35:38 +02:00
David Yang
aaf46a8fe2 dante: disable sched_getscheduler() - not implemented in musl
musl doesn't come with an valid implementation of `sched_getscheduler()`;
it simply returns -ENOSYS for it. Without this option (and compile dante
with `sched_getscheduler()` enabled), you will get

    error: serverinit(): sched_getscheduler(2): failed to retrieve current
    cpuscheduling policy: Function not implemented

and dante won't start at all.

Ref: http://lists.alpinelinux.org/alpine-devel/3932.html
Ref: http://lists.alpinelinux.org/alpine-devel/3936.html
Signed-off-by: David Yang <mmyangfl@gmail.com>
[slightly reword commit message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-09-24 19:04:47 +02:00
Jo-Philipp Wich
4f277eb640 lldpd: inhibit linking of libbsd on !GLIBC
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-09-24 08:36:10 +02:00
Yangbo Lu
db30adc931 layerscape: fix get_device_file() function of restool
The restool failed to work with current gcc-7.3.0-musl.
This patch is to add a restool fix-up patch to fix
multiple problems encountered in the get_device_file()
function:
 - The deprecated atoi() function is replaced by strtoul
 - An invalid memory access was being performed by using
 memory from dir->d_name even after closedir(). This is
 fixed by a strdup() on the device filename.
 - Also, error prints now print any relevant error code.

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
2018-09-22 21:20:58 +02:00
Yangbo Lu
5c325c2b63 layerscape: update restool to LSDK-18.06
The restool source code had been migrated to codeaurora
for LSDK-18.06 release and the future release. This patch
is to update restool to LSDK-18.06 release.

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
2018-09-22 21:20:56 +02:00
Kevin Darbyshire-Bryant
6c4cbe94bd dnsmasq: Change behavior when RD bit unset in queries.
Backport upstream commit

Change anti cache-snooping behaviour with queries with the
recursion-desired bit unset. Instead to returning SERVFAIL, we
now always forward, and never answer from the cache. This
allows "dig +trace" command to work.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-21 09:59:03 +01:00
Rosen Penev
7651e254d5 dropbear: Install /etc/config as 600
/etc/config/dropbear is used by the init script which only runs as root.

Small whitespace change.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-09-19 09:41:28 +01:00
Rosen Penev
add4871582 lldpd: Install /etc/config file as 600
/etc/config/lldpd is only used by the init script, which only runs as root

Adjusted homepage and download URLs to use HTTPS.

-std=c99 is useful for GCC versions less than 6. Current OpenWrt uses 7.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-09-19 09:41:28 +01:00
Hans Dedecker
6cd41ca673 netifd: update to latest git HEAD
23941d7 system-linux: enable by default ignore encaplimit for ip6 tunnels

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-19 10:09:25 +02:00
Hans Dedecker
d9691b66e2 map: drop default encaplimit value
Setting encaplimit to a numerical value results into the value being
included as tunnel encapsulation limit in the destination option header
for tunneled packets.
Several users have reported interop issues as not all ISPs support the
destination option header containing the tunnel encapsulation limit
resulting into broken map connectivity.
Therefore drop the default encaplimit value for map tunnels so
no destination option header is included by default.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-19 09:42:45 +02:00
Hans Dedecker
1241707b40 ds-lite: drop default encaplimit value
Setting encaplimit to a numerical value results into the value being
included as tunnel encapsulation limit in the destination option header
for tunneled packets.
Several users have reported interop issues as not all ISPs support the
destination option header containing the tunnel encapsulation limit
resulting into broken ds-lite connectivity.
Therefore drop the default encaplimit value for ds-lite tunnels so
no destination option header is included by default.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-19 09:42:28 +02:00
Jason A. Donenfeld
f07a94da50 wireguard: bump to 0.0.20180918
* blake2s-x86_64: fix whitespace errors
* crypto: do not use compound literals in selftests
* crypto: make sure UML is properly disabled
* kconfig: make NEON depend on CPU_V7
* poly1305: rename finish to final
* chacha20: add constant for words in block
* curve25519-x86_64: remove useless define
* poly1305: precompute 5*r in init instead of blocks
* chacha20-arm: swap scalar and neon functions
* simd: add __must_check annotation
* poly1305: do not require simd context for arch
* chacha20-x86_64: cascade down implementations
* crypto: pass simd by reference
* chacha20-x86_64: don't activate simd for small blocks
* poly1305-x86_64: don't activate simd for small blocks
* crypto: do not use -include trick
* crypto: turn Zinc into individual modules
* chacha20poly1305: relax simd between sg chunks
* chacha20-x86_64: more limited cascade
* crypto: allow for disabling simd in zinc modules
* poly1305-x86_64: show full struct for state
* chacha20-x86_64: use correct cut off for avx512-vl
* curve25519-arm: only compile if symbols will be used
* chacha20poly1305: add __init to selftest helper functions
* chacha20: add independent self test

Tons of improvements all around the board to our cryptography library,
including some performance boosts with how we handle SIMD for small packets.

* send/receive: reduce number of sg entries

This quells a powerpc stack usage warning.

* global: remove non-essential inline annotations

We now allow the compiler to determine whether or not to inline certain
functions, while still manually choosing so for a few performance-critical
sections.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-09-19 08:30:13 +01:00
Kevin Darbyshire-Bryant
687168ccd9 dnsmasq: Handle memory allocation failure in make_non_terminals()
Backport upstream commit:

ea6cc33 Handle memory allocation failure in make_non_terminals()

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-19 07:43:02 +01:00
Daniel Golle
e51aa699f7 uqmi: pass-through ipXtable to child interfaces
Allow setting specific routing tables via the ip4table and ip6table
options also when ${ifname}_4 and ${ifname}_6 child interfaces are
being created.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-09-15 19:18:42 +02:00
Kevin Darbyshire-Bryant
033f02b9b5 iproute2: q_cake: Also print nonat, nowash and no-ack-filter keywords
Pull in latest upstream tweaks:
Similar to the previous patch for no-split-gso, the negative keywords for
'nat', 'wash' and 'ack-filter' were not printed either. Add those as well.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-15 08:46:32 +01:00
Rosy Song
918ec4d549 odhcpd: enable ipv6 server mode only when it is supported
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-09-12 21:47:33 +02:00
Kevin Darbyshire-Bryant
8cac857289 iproute2: q_cake: Add printing of no-split-gso option
When the GSO splitting was turned into dual split-gso/no-split-gso options,
the printing of the latter was left out. Add that, so output is consistent
with the options passed

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-12 09:13:44 +01:00
Florian Fainelli
4fca0e8896 netifd: update to latest HEAD
0059335c5b60 CMakeList: Check that compiler supports -Wimplicit-fallthrough

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2018-09-11 17:19:51 -07:00
Jason A. Donenfeld
a54f492d0c wireguard: bump to 0.0.20180910
* curve25519: arm: do not modify sp directly
* compat: support neon.h on old kernels
* compat: arch-namespace certain includes
* compat: move simd.h from crypto to compat since it's going upstream

This fixes a decent amount of compat breakage and thumb2-mode breakage
introduced by our move to Zinc.

* crypto: use CRYPTOGAMS license

Rather than using code from OpenSSL, use code directly from AndyP.

* poly1305: rewrite self tests from scratch
* poly1305: switch to donna

This makes our C Poly1305 implementation a bit more intensely tested and also
faster, especially on 64-bit systems. It also sets the stage for moving to a
HACL* implementation when that's ready.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-09-11 11:34:23 +02:00
Rosen Penev
f78e07ad2a hostapd: Fix compile with OpenSSL 1.1.0 + no deprecated APIs
Patch was accepted upsteam:

https://w1.fi/cgit/hostap/commit/?id=373c796948599a509bad71695b5b72eef003f661

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-09-10 09:01:37 +02:00
Hans Dedecker
43d4b8e89e dnsmasq: bump to dnsmasq 2.80test6
Refresh patches

Changes since latest bump:

af3bd07 Man page typo.
d682099 Picky changes to 47b45b2967c931fed3c89a2e6a8df9f9183a5789
47b45b2 Fix lengths of interface names
2b38e38 Minor improvements in lease-tools
282eab7 Mark die function as never returning
c346f61 Handle ANY queries in context of da8b6517decdac593e7ce24bde2824dd841725c8
03212e5 Manpage typo.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-09 22:02:45 +02:00
Daniel Engberg
9cfa5f2cec curl: Update to 7.61.1
Update curl to 7.61.1

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-09-09 21:38:10 +02:00
pacien
ef01c1d308 odhcp6c: add client fqdn and reconfigure options
Allowing DHCPV6_CLIENT_FQDN and DHCPV6_ACCEPT_RECONFIGURE to be turned off.
Defaulting to false, former behavior remains unchanged.

Signed-off-by: pacien <pacien.trangirard@pacien.net>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2018-09-08 21:36:30 +02:00
Henrique de Moraes Holschuh
ca1b347691 dnsmasq: allow dnsmasq variants to be included in image
The dnsmasq variants should provide dnsmasq, otherwise it is impossible
to include them in the image.

This change allows one to have CONFIG_PACKAGE_dnsmasq=m and
CONFIG_PACKAGE_dnsmasq-full=y, e.g. because you want DNSSEC support, or
IPSETs suport on your 3000-devices fleet ;-)

Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
2018-09-06 17:57:59 +02:00
Hans Dedecker
3d377f4375 dnsmasq: bump to dnsmasq v2.80test5
Refresh patches
Remove 240-ubus patch as upstream accepted.
Add uci option ubus which allows to enable/disable ubus support (enabled
by default)

Upstream commits since last bump:

da8b651 Implement --address=/example.com/#
c5db8f9 Tidy 7f876b64c22b2b18412e2e3d8506ee33e42db7c
974a6d0 Add --caa-record
b758b67 Improve logging of RRs from --dns-rr.
9bafdc6 Tidy up file parsing code.
97f876b Properly deal with unaligned addresses in DHCPv6 packets.
cbfbd17 Fix broken DNSSEC records in previous.
b6f926f Don't return NXDOMAIN to empty non-terminals.
c822620 Add --dhcp-name-match
397c050 Handle case of --auth-zone but no --auth-server.
1682d15 Add missing EDNS0 section. EDNS0 section missing in replies to EDNS0-containing queries where answer generated from --local=/<domain>/
dd33e98 Fix crash parsing a --synth-domain with no prefix. Problem introduced in 2.79/6b2b564ac34cb3c862f168e6b1457f9f0b9ca69c
c16d966 Add copyright to src/metrics.h
1dfed16 Remove C99 only code.
6f835ed Format fixes - ubus.c
9d6fd17 dnsmasq.c fix OPT_UBUS option usage
8c1b6a5 New metrics and ubus files.
8dcdb33 Add --enable-ubus option.
aba8bbb Add collection of metrics
caf4d57 Add OpenWRT ubus patch

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-06 15:48:13 +02:00
Hans Dedecker
ecc3165cbc odhcpd: bump to git HEAD (detect broken hostnames)
881f66b odhcpd: detect broken hostnames
3e17fd9 config: fix odhcpd_attrs array size

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-05 11:04:19 +02:00
Jason A. Donenfeld
4ccbe7de6c wireguard: bump to 0.0.20180904
* Kconfig: use new-style help marker
* global: run through clang-format
* uapi: reformat
* global: satisfy check_patch.pl errors
* global: prefer sizeof(*pointer) when possible
* global: always find OOM unlikely

Tons of style cleanups.

* crypto: use unaligned helpers

We now avoid unaligned accesses for generic users of the crypto API.

* crypto: import zinc

More style cleanups and a rearrangement of the crypto routines to fit how this
is going to work upstream. This required some fairly big changes to our build
system, so there may be some build errors we'll have to address in subsequent
snapshots.

* compat: rng_is_initialized made it into 4.19

We therefore don't need it in the compat layer anymore.

* curve25519-hacl64: use formally verified C for comparisons

The previous code had been proved in Z3, but this new code from upstream
KreMLin is directly generated from the F*, which is preferable. The
assembly generated is identical.

* curve25519-x86_64: let the compiler decide when/how to load constants

Small performance boost.

* curve25519-arm: reformat
* curve25519-arm: cleanups from lkml
* curve25519-arm: add spaces after commas
* curve25519-arm: use ordinary prolog and epilogue
* curve25519-arm: do not waste 32 bytes of stack
* curve25519-arm: prefix immediates with #

This incorporates ASM nits from upstream review.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-09-05 08:52:36 +02:00
Alexander Couzens
967d6460c0
hostapd: fix build of wpa-supplicant-p2p
VARIANT:= got removed by accident.

Fixes: 3838b16943 ("hostapd: fix conflicts hell")
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2018-09-03 21:51:06 +02:00
Kevin Darbyshire-Bryant
dc9388ac55 iproute2: update cake man page
CAKE supports overriding of its internal classification of
packets through the tc filter mechanism.

Update the man page in our package, even though we don't
build them.  Someone may find the documentation useful.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 30598a05385b0ac2380dd4f30037a9f9d0318cf2)
2018-08-31 15:30:28 +07:00
Jo-Philipp Wich
555c592304 ppp: remove hardcoded lcp-echo-failure, lcp-echo-interval values
OpenWrt used to ship hardcoded defaults for lcp-echo-failure and
lcp-echo-interval in the non-uci /etc/ppp/options file.

These values break uci support for *disabling* LCP echos through
the use of "option keepalive 0" as either omitting the keepalive
option or setting it to 0 will result in no lcp-echo-* flags
getting passed to the pppd cmdline, causing the pppd process to
revert to the defaults in /etc/ppp/options.

Address this issue by letting the uci "keepalive" option default
to the former hardcoded values "5, 1" and by removing the fixed
lcp-echo-failure and lcp-echo-interval settings from the
/etc/ppp/options files.

Ref: https://github.com/openwrt/luci/issues/2112
Ref: https://dev.archive.openwrt.org/ticket/2373.html
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=854
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=1259
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-30 15:19:45 +02:00
Thomas Equeter
acedce1d79 uqmi: wait for the control device too
The control device /dev/cdc-wdm0 is not available immediately on the
D-Link DWR-921 Rev.C3, therefore the wwan interface fails to start at
boot with a "The specified control device does not exist" error.

This patch alters /lib/netifd/proto/qmi.sh to wait for
network.wwan.delay earlier, before checking for the control device,
instead of just before interacting with the modem.

One still has to use network.wwan.proto='qmi', as the "wwan" proto
performs that sort of check before any delay is possible, failing with a
"No valid device was found" error.

Signed-off-by: Thomas Equeter <tequeter@users.noreply.github.com>
2018-08-29 13:10:12 +02:00
Giuseppe Lippolis
774d7fc9f2 comgt: increase timeout on runcommands
Some combination of modem/wireless operator requires more time to
execute the commands.
Tested on DWR-512 embedded wwan modem and italian operator iliad (new
virtual operator).

Signed-off-by: Giuseppe Lippolis <giu.lippolis@gmail.com>
2018-08-29 08:34:10 +02:00
Robert Marko
a9d7353192 ethtool: Update to 4.18
Tested on 8devices Jalapeno(ipq40xx)
Introduces following changes:
Feature: Add support for WAKE_FILTER (WoL using filters)
Feature: Add support for action value -2 (wake-up filter)
Fix: document WoL filters option also in help message
Feature: ixgbe dump strings for security registers

Signed-off-by: Robert Marko <robimarko@gmail.com>
2018-08-28 13:46:16 +02:00
Hans Dedecker
8fd8e79143 iproute2: update to 4.18.0
Update to the latest version of iproute2; see https://lwn.net/Articles/762515/
for a full overview of the changes in 4.18.
Remove upstream patch 001-rdma-sync-some-IP-headers-with-glibc

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-25 20:54:00 +02:00
Hans Dedecker
2211ee0037 dropbear: backport upstream fix for CVE-2018-15599
CVE description :
The recv_msg_userauth_request function in svr-auth.c in Dropbear through
2018.76 is prone to a user enumeration vulnerability because username
validity affects how fields in SSH_MSG_USERAUTH messages are handled,
a similar issue to CVE-2018-15473 in an unrelated codebase.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-24 15:25:26 +02:00
Jo-Philipp Wich
214146c6f2 uhttpd: support multiple Lua prefixes
Update to latest git HEAD in order to support configuring multiple
concurrent Lua prefixes in a single uhttpd instance:

  b741dec lua: support multiple Lua prefixes

Additionally rework the init script and update the default configuration
example to treat the lua_prefix option as key=value uci list, similar to
the interpreter extension mapping. Support for the old "option lua_prefix"
plus "option lua_handler" notation is still present.

Finally drop the sed postinstall hack in uhttpd-mod-lua to avoid mangling
files belonging to other packages. Since Lua prefixes have precedence
over CGI prefixes, simply register `/cgi-bin/luci` as Lua handler which
will only become active if both luci-base and uhttpd-mod-lua is installed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-23 09:18:04 +02:00
Rosen Penev
499773f8ef samba36: Enable umdnsd support
Allows discovery without having to use NetBIOS. Useful for mobile devices.

Could eventually throw nbmd away. But that requires Windows 10...

Tested on Fedora 28 with avahi-discover.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-08-22 11:23:02 +02:00
Jo-Philipp Wich
e5f56c07d7 iptables: make iptables-mod-conntrack-extra depend on kmod-ipt-raw
Since kernel 4.14 there is no auto assignment of conntrack helpers anymore
so fw3 needs raw table support in order to stage ct helper assignment rules.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-22 07:14:45 +02:00
Hans Dedecker
6c227e45cb dnsmasq: remove creation of /etc/ethers
Remove creation of file /etc/ethers in dnsmasq init script as the
file is now created by default in the base-files package by
commit fa3301a28e

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-21 15:55:10 +02:00
Jo-Philipp Wich
22681cdef2 uhttpd: update to latest Git head
952bf9d build: use _DEFAULT_SOURCE
30a18cb uhttpd: recognize PATCH, PUT and DELETE HTTP methods

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-21 14:48:47 +02:00
Hans Dedecker
40eb9bda44 netifd: update to latest git HEAD
7454d12 interface: let interface_set_down() return void
32f11a8 interface: make __interface_set_down() static
b9d5a8c interface: extend interface error messages in interface_set_up()
de394b3 interface: ensure NO_DEVICE error is always reported

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-20 16:27:38 +02:00
Yury Shvedov
cad9519eba hostapd: process all CSA parameters
This adds processing of all CSA arguments from ubus switch_chan request
in the same manner as in the control interface API.

Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com>
2018-08-20 09:24:43 +02:00
Hans Dedecker
e2791e80cb netifd: update to latest git HEAD
522456b device: gracefully handle device names exceeding IFNAMESIZ

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-14 22:56:31 +02:00
Stijn Tintel
03e5dcbf10 firewall: bump to git HEAD
12a7cf9 Add support for DSCP matches and target
06fa692 defaults: use a generic check_kmod() function
1c4d5bc defaults: fix check_kmod() function

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2018-08-13 22:05:46 +03:00
Jason A. Donenfeld
42dc0e2594 wireguard: bump to 0.0.20180809
* send: switch handshake stamp to an atomic

Rather than abusing the handshake lock, we're much better off just using
a boring atomic64 for this. It's simpler and performs better. Also, while
we're at it, we set the handshake stamp both before and after the
calculations, in case the calculations block for a really long time waiting
for the RNG to initialize.

* compat: better atomic acquire/release backport

This should fix compilation and correctness on several platforms.

* crypto: move simd context to specific type

This was a suggestion from Andy Lutomirski on LKML.

* chacha20poly1305: selftest: use arrays for test vectors

We no longer have lines so long that they're rejected by SMTP servers.

* qemu: add easy git harness

This makes it a bit easier to use our qemu harness for testing our mainline
integration tree.

* curve25519-x86_64: avoid use of r12

This causes problems with RAP and KERNEXEC for PaX, as r12 is a
reserved register.

* chacha20: use memmove in case buffers overlap

A small correctness fix that we never actually hit in WireGuard but is
important especially for moving this into a general purpose library.

* curve25519-hacl64: simplify u64_eq_mask
* curve25519-hacl64: correct u64_gte_mask

Two bitmath fixes from Samuel, which come complete with a z3 script proving
their correctness.

* timers: include header in right file

This fixes compilation in some environments.

* netlink: don't start over iteration on multipart non-first allowedips

Matt Layher found a bug where a netlink dump of peers would never terminate in
some circumstances, causing wg(8) to keep trying forever. We now have a fix as
well as a unit test to mitigate this, and we'll be looking to create a fuzzer
out of Matt's nice library.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-12 16:12:01 +02:00
John Crispin
1961948585 wpa_supplicant: fix CVE-2018-14526
Unauthenticated EAPOL-Key decryption in wpa_supplicant

Published: August 8, 2018
Identifiers:
- CVE-2018-14526
Latest version available from: https://w1.fi/security/2018-1/

Vulnerability

A vulnerability was found in how wpa_supplicant processes EAPOL-Key
frames. It is possible for an attacker to modify the frame in a way that
makes wpa_supplicant decrypt the Key Data field without requiring a
valid MIC value in the frame, i.e., without the frame being
authenticated. This has a potential issue in the case where WPA2/RSN
style of EAPOL-Key construction is used with TKIP negotiated as the
pairwise cipher. It should be noted that WPA2 is not supposed to be used
with TKIP as the pairwise cipher. Instead, CCMP is expected to be used
and with that pairwise cipher, this vulnerability is not applicable in
practice.

When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data
field is encrypted using RC4. This vulnerability allows unauthenticated
EAPOL-Key frames to be processed and due to the RC4 design, this makes
it possible for an attacker to modify the plaintext version of the Key
Data field with bitwise XOR operations without knowing the contents.
This can be used to cause a denial of service attack by modifying
GTK/IGTK on the station (without the attacker learning any of the keys)
which would prevent the station from accepting received group-addressed
frames. Furthermore, this might be abused by making wpa_supplicant act
as a decryption oracle to try to recover some of the Key Data payload
(GTK/IGTK) to get knowledge of the group encryption keys.

Full recovery of the group encryption keys requires multiple attempts
(128 connection attempts per octet) and each attempt results in
disconnection due to a failure to complete the 4-way handshake. These
failures can result in the AP/network getting disabled temporarily or
even permanently (requiring user action to re-enable) which may make it
impractical to perform the attack to recover the keys before the AP has
already changes the group keys. By default, wpa_supplicant is enforcing
at minimum a ten second wait time between each failed connection
attempt, i.e., over 20 minutes waiting to recover each octet while
hostapd AP implementation uses 10 minute default for GTK rekeying when
using TKIP. With such timing behavior, practical attack would need large
number of impacted stations to be trying to connect to the same AP to be
able to recover sufficient information from the GTK to be able to
determine the key before it gets changed.

Vulnerable versions/configurations

All wpa_supplicant versions.

Acknowledgments

Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
Leuven for discovering and reporting this issue.

Possible mitigation steps

- Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This
can be done also on the AP side.

- Merge the following commits to wpa_supplicant and rebuild:

WPA: Ignore unauthenticated encrypted EAPOL-Key data

This patch is available from https://w1.fi/security/2018-1/

- Update to wpa_supplicant v2.7 or newer, once available

Signed-off-by: John Crispin <john@phrozen.org>
2018-08-10 15:48:21 +02:00
Hans Dedecker
2e02fdb363 odhcp6c: apply IPv6/ND configuration earlier
Apply IPv6/ND configuration before proto_send_update so that all config info
is available when netifd is handling the notify_proto ubus call.
In particular this fixes an issue when netifd is updating the downstream IPv6 mtu
as netifd was still using the not yet updated upstream IPv6 mtu to set the
downstream IPv6 mtu

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-09 18:46:57 +02:00
Hans Dedecker
e0fbf62821 iproute2: remove libutil from InstallDev section
Commit 4d961538f6 added libutil to the iproute2 InstallDev section
but lead to compile issues with packages picking up the wrong libutil
since libutil is quite a generic name ...
Further libutil is rather meant for internal usage in iproute2 than a
public API; therefore let's remove it from the InstallDev section together
with ll_map.h

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-09 17:48:03 +02:00
Hans Dedecker
6579af7a77 netifd: update to latest git HEAD
115a694 interface-ip: always override downstream IPv6 mtu

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-09 17:39:24 +02:00
Hans Dedecker
4d961538f6 iproute2: add libutil to InstallDev section
In iproute2 v4.17 ll_map has been moved from the libnetlink to the libutil
library; add libutil as well to the staging dir in order to keep support
for ll_map

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-08 14:29:08 +02:00
Jason A. Donenfeld
68e2ebe64a wireguard: bump to 0.0.20180802
Changelog taken from the version announcement

> == Changes ==
>
>   * chacha20poly1305: selftest: split up test vector constants
>
>   The test vectors are encoded as long strings -- really long strings -- and
>   apparently RFC821 doesn't like lines longer than 998.
>   https://cr.yp.to/smtp/message.html
>
>   * queueing: keep reference to peer after setting atomic state bit
>
>   This fixes a regression introduced when preparing the LKML submission.
>
>   * allowedips: prevent double read in kref
>   * allowedips: avoid window of disappeared peer
>   * hashtables: document immediate zeroing semantics
>   * peer: ensure resources are freed when creation fails
>   * queueing: document double-adding and reference conditions
>   * queueing: ensure strictly ordered loads and stores
>   * cookie: returned keypair might disappear if rcu lock not held
>   * noise: free peer references on failure
>   * peer: ensure destruction doesn't race
>
>   Various fixes, as well as lots of code comment documentation, for a
>   small variety of the less obvious aspects of object lifecycles,
>   focused on correctness.
>
>   * allowedips: free root inside of RCU callback
>   * allowedips: use different macro names so as to avoid confusion
>
>   These incorporate two suggestions from LKML.
>
> This snapshot contains commits from: Jason A. Donenfeld and Jann Horn.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2018-08-04 04:04:34 +00:00
Kevin Darbyshire-Bryant
13c66f8820 iproute2: cake: make gso/gro splitting configurable
This patch makes sch_cake's gso/gro splitting configurable
from userspace.

To disable breaking apart superpackets in sch_cake:

tc qdisc replace dev whatever root cake no-split-gso

to enable:

tc qdisc replace dev whatever root cake split-gso

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Dave Taht <dave.taht@gmail.com>
[pulled from netdev list - no API/ABI change]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-08-02 22:00:19 +01:00
Koen Vandeputte
457e6d5a27 iperf: bump to 2.0.12
Fixes the annoying 'feature' were TTL was set to "1" by default ..
Users had to specify -T manually to test outside the own network.

2.0.12 change set (as of June 25th 2018)

o Change the unicast TTL default value from 1 to the system default (to be compatable with previous versions.) Multicast still defaults to 1.
o adpative formatting bug fix: crash occurs when values exceed 1 Tera. Add support for Tera and Peta and eliminate the potential crash condition
o configure default compile to include isochronous support (use configure --disable-isochronous to remove support)
o replace 2.0.11's --vary-load option with a more general -b option to include <mean>,<stdev>, e.g. -b 100m,40m, which will pull from a log normal distribution every 0.1 seconds
o fixes for windows cross compile (using mingw32)
o compile flags of -fPIE for android
o configure --enable-checkprograms to compile ancillary binaries used to test things such as delay, isoch, pdf generation
o compile tests when trying to use 64b seq numbers on a 32b platform
o Fix GCC ver 8 warnings

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-08-02 15:03:21 +02:00
Rosy Song
f30583c41d nftables: allow to build with json support
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-08-01 11:25:04 +02:00
Jo-Philipp Wich
fdd6c556ab iwinfo: update to latest Git HEAD
a514139 build: compile with -ffunction-sections, -fdata-sections and LTO
3c30b17 wl: only invoke nvram executable if it exists
65b8333 Revert "build: compile with -ffunction-sections, -fdata-sections and LTO"

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-07-31 20:40:33 +02:00
John Crispin
3c4eeb5d21 netifd: update to latest git HEAD
fix a compile error

Signed-off-by: John Crispin <john@phrozen.org>
2018-07-30 23:56:14 +02:00
Hans Dedecker
929eac5b82 netifd: update to latest git HEAD (FS#1668)
75ee790 interface-ip: fix eui64 ifaceid generation (FS#1668)
ca97097 netifd: make sure the vlan ifname fits into the buffer
b8c1bca iprule: remove bogus assert calls
a2f952d iprule: fix broken in_dev/out_dev checks
263631a vlan: use alloca to get rid of IFNAMSIZE in vlan_dev_set_name()
291ccbb ubus: display correct prefix size for IPv6 prefix address
908a9f4 CMakeLists.txt: add -Wimplicit-fallthrough to the compiler flags
b06b011 proto-shell.c: add a explicit "fall through" comment to make the compiler happy
60293a7 replace fall throughs in switch/cases where possible with simple code changes

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-07-30 23:01:55 +02:00
Stijn Tintel
50c5fdd54d tcpdump: explicitly disable libcap-ng support
When libcap-ng is detected during build, support for it is enabled. This
will cause a build failure due to a missing dependency. Explicitly
disable libcap-ng support to avoid this.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2018-07-30 23:27:55 +03:00
Nick Hainke
abefb4fda3 hostapd: add ht and vht support in handle event function Add ht and vht capabilities. If a device sends a probe request, the capabilities are added.
Signed-off-by: Nick Hainke <vincent@systemli.org>
2018-07-30 11:01:04 +02:00
Nick Hainke
74ac742277 hostapd: add ubus call for ap features
The call "get_features" allows to gather hostapd config options
via ubus. As first infos we add the ht and vht support.
Although nl80211 supports to gather informations about
ht and vht capabilities, the hostapd configuration can disable
vht and ht. However, it is possible that the iw output is not
representing the actual hostapd configuration.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2018-07-30 10:59:25 +02:00
Luiz Angelo Daros de Luca
f1bef0596f openvpn-easy-rsa: update to 3.0.4
Upstream renamed openssl-1.0.cnf to openssl-easyrsa.cnf.
However, pkg kept using openssl-1.0.cnf.

Upstream easyrsa searchs for vars, openssl-*, x509-types in the
same directory as easyrsa script. This was patched to revert
back to static /etc/easy-rsa/ directory (as does OpenSUSE).
EASYRSA_PKI still depends on $PWD.

Move easyrsa from /usr/sbin to /usr/bin as root is not needed.

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2018-07-30 10:43:38 +02:00
Martin Strobel
7d7323bccd iptables: add ip[6|]tables-compat packages + libxtables-compat depends on IPTABLES_NFTABLES
allows iptables-compat to use nft packet filtering
allows to translate iptables-style to nft-style

Signed-off-by: Martin Strobel <arctus@crza.de>
2018-07-30 10:43:36 +02:00
Dmitry Tunin
c128371124 igmpproxy: drop SSDP packets
It is insecure to let this type of packets inside
They can e.g. open ports on some other routers with UPnP, etc

Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
2018-07-30 10:43:36 +02:00
Nick Hainke
296ae7ab89 iwinfo: update to version 2018-07-24
Update to new iwinfo version.
Adds support for channel survey.
Adds ubus support.
Etc.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2018-07-30 10:43:31 +02:00
Daniel Engberg
5647cc7bd4 treewide: Bump PKG_RELEASE due to mbedtls update
Bump PKG_RELEASE on packages that depends on (lib)mbedtls to avoid library
mismatch.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-07-30 10:35:12 +02:00
Rosen Penev
fc89831ae8 thc-ipv6: Update URLs
Development has moved to GitHub. Found using UScan.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-07-29 12:11:31 +02:00
Dmitry Tunin
7a6b2badfa igmpproxy: add a silent logging option
[0-3](none, minimal[default], more, maximum)

It is not 100% backward compatible, because now 0 disables logging

Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
2018-07-28 15:20:39 +01:00
Kevin Darbyshire-Bryant
1e93ef8498 dnsmasq: bump to dnsmasq v2.80test3
Refresh patches

Upstream commits since last bump:

3b6eb19 Log DNSSEC trust anchors at startup.
f3e5787 Trivial comment change.
c851c69 Log failure to confirm an address in DHCPv6.
a3bd7e7 Fix missing fatal errors when parsing some command-line/config options.
ab5ceaf Document the --help option in the french manual
1f2f69d Fix recurrent minor spelling mistake in french manual
f361b39 Fix some mistakes in french translation of the manual
eb1fe15 When replacing cache entries, preserve CNAMES which target them.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-28 11:16:41 +01:00
Masashi Honma
d05967baec wwan: Fix teardown for sierra_net driver
The sierra_net driver is using proto_directip_setup for setup. So use
proto_directip_teardown for teardown.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2018-07-27 11:17:20 +02:00
Syrone Wong
7dfd72dfff ead: use new protocol setting API since libpcap 1.9.0
Dropped the protocol API specific symbol: HAS_PROTO_EXTENSION and
switch to the official API

Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
2018-07-27 11:17:20 +02:00
Jo-Philipp Wich
88c88823d5 odhcpd: update to latest git HEAD
44cce31 ubus: avoid dumping interface state with NULL message

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-07-26 14:53:05 +02:00
Jo-Philipp Wich
3ee2c76ae0 firewall: update to latest git HEAD
aa8846b ubus: avoid dumping interface state with NULL message

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-07-26 08:44:53 +02:00
Daniel Engberg
f486f81c64 utils/curl: Disable libpsl
Disabled libpsl to fix build issue reported by buildbots

Package libcurl is missing dependencies for the following libraries:
libpsl.so.5


Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-07-24 15:35:51 +02:00
Aleksandr V. Piskunov
20c4819c7b wireguard-tools: add wireguard_watchdog script
This watchdog script tries to re-resolve hostnames for inactive WireGuard peers.
Use it for peers with a frequently changing dynamic IP.
persistent_keepalive must be set, recommended value is 25 seconds.
Run this script from cron every minute:
echo '* * * * * /usr/bin/wireguard_watchdog' >> /etc/crontabs/root

Signed-off-by: Aleksandr V. Piskunov <aleksandr.v.piskunov@gmail.com>
[bump the package release]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-22 21:52:20 +01:00
Jason A. Donenfeld
57b808ec88 wireguard: bump to 0.0.20180718
80b41cd version: bump snapshot
fe5f0f6 recieve: disable NAPI busy polling
e863f40 device: destroy workqueue before freeing queue
81a2e7e wg-quick: allow link local default gateway
95951af receive: use gro call instead of plain call
d9501f1 receive: account for zero or negative budget
e80799b tools: only error on wg show if all interfaces failk

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
[Added commit log to commit description]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-22 21:01:34 +01:00
Felix Fietkau
f0ac9afe69 hostapd: remove unused struct hostapd_ubus_iface
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-22 17:17:20 +02:00
Kevin Darbyshire-Bryant
03fce62c09 iproute2: tc: backport canonical cake support
iproute2's tc was updated to support the recently upstreamed cake qdisc.
Backport this canonical support from upstream into iproute2 v4.17

There is no kernel kmod/userspace tc ABI change in this release from the
previous package bump, so everyone can breath a sigh of relief.

This is largely a code style change, the exception to prove the rule:
option 'autorate_ingress' has been changed to 'autorate-ingress' to fit
in with upstream option naming expectations.

No openwrt package (e.g. sqm-scripts) has knowledge of
'autorate_ingress' thus only users who made their own scripts or used
it within the 'dangerous configuration' options of sqm-scripts will be
affected.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-21 08:47:40 +01:00
Mathias Kresin
3838b16943 hostapd: fix conflicts hell
Add each variant to the matching PROVIDERS variables after evaluating
the respective hostapd*, wpad* and wpa* variant.

Each package providing the same feature will automatically conflict with
all prior packages providing the same feature.

This way we can handle the conflicts automatically without introducing
recursive dependencies.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2018-07-18 19:17:46 +02:00
Mathias Kresin
8af8ceb1c8 hostapd: cleanup package definition
Move common variables and/or values to the package (variant) default.
Add additional values in variant packages if necessary. Remove further
duplicates by introducing new templates.

Remove the ANY_[HOSTAPD|SUPPLICANT_PROVIDERS]_PROVIDERS. The are the
same as the variables without the any prefix. No need to maintain both
variables.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2018-07-18 19:17:46 +02:00
Kevin Darbyshire-Bryant
9d5a246930 igmpproxy: run in foreground for procd
procd needs processes to stay in foreground to remain under its gaze and
control.  Failure to do so means service stop commands fail to actually
stop the process (procd doesn't think it's running 'cos the process has
exited already as part of its forking routing)

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-18 18:00:42 +01:00
Hans Dedecker
1e83f775a3 firewall3: update to latest git HEAD
d2bbeb7 firewall3: make reject types selectable by user

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-07-17 22:15:03 +02:00
Hans Dedecker
2336b942b3 dnsmasq: don't use network functions at boottime (FS#1542)
As dnsmasq is started earlier than netifd usage of network.sh functions
at boottime will fail; therefore don't call at boottime the functions
which construct the dhcp pool/relay info.
As interface triggers are installed the dhcp pool/relay info will be
constructed when the interface gets reported as up by netifd.
At the same time also register interface triggers based on DHCP relay
config.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-07-17 21:32:20 +02:00
Jo-Philipp Wich
9019323ec1 ppp: fix building pptp plugin
The pptp.so plugin needs to be built with -fPIC as well in order to be
linkable again.

Fixes 888a15ff83 ("ppp: add missing -fPIC to rp-pppoe.so CFLAGS")
Fixes e7397eef69 ("ppp: compile with LTO enabled")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-07-17 21:21:44 +02:00
Jo-Philipp Wich
28d3a1b54b openvpn: increase procd termination timeout to 15s
Increase the termination timeout to 15s to let OpenVPN properly tear down
its connections, especially when weak links or complex down scripts are
involved.

Fixes FS#859.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-07-17 16:03:56 +02:00
Christian Schoenebeck
1e177844bc dropbear: close all active clients on shutdown
Override the default shutdown action (stop) and close all processes
of dropbear

Since commit 498fe85, the stop action only closes the process
that's listening for new connections, maintaining the ones with
existing clients.
This poses a problem when restarting or shutting-down a device,
because the connections with existing SSH clients, like OpenSSH,
are not properly closed, causing them to hang.

This situation can be avoided by closing all dropbear processes when
shutting-down the system, which closes properly the connections with
current clients.

Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
[Luis: Rework commit message]
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
2018-07-16 08:40:51 +02:00
Daniel Engberg
49bdd43da2 curl: Update to 7.61.0
Update curl to 7.61.0

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-07-15 22:35:22 +02:00
Hans Dedecker
def5b7f285 odhcp6c: add noserverunicast config option for broken DHCPv6 servers
Fix broken DHCPv6 servers which provide the server unicast option but
do not reply on DHCPv6 renew messages directed to the IPv6 address
contained in the server unicast option whihc results in broken IPv6
connectivity.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-07-15 22:19:10 +02:00
Felix Fietkau
888a15ff83 ppp: add missing -fPIC to rp-pppoe.so CFLAGS
Fixes build error with LTO

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-14 11:00:23 +02:00
Felix Fietkau
47b42137ce dropbear: compile with LTO enabled
Reduces size of the .ipk on MIPS from 87k to 84k

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00
Felix Fietkau
ef96d1e34a firewall: compile with LTO enabled
Reduces .ipk size on MIPS from 41.6k to 41.1k

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00
Felix Fietkau
ef16a394d2 iw: compile with LTO enabled
Reduces .ipk size on MIPS from 34k to 33k

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00
Felix Fietkau
e7397eef69 ppp: compile with LTO enabled
Reduces .ipk size on MIPS from 98.5k to 98k

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00
Felix Fietkau
dfbd49bd22 ppp: fix linker flags for the radius plugin
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00
Felix Fietkau
07940acc34 netifd: compile with LTO enabled
Reduces .ipk size from 65k to 63k on MIPS

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00
Hans Dedecker
af70d86d62 netifd: update to latest git HEAD
5cf7975 iprule: rework interface based rules to handle dynamic interfaces
57f87ad Introduce new interface event "create" (IFEV_CREATE)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-07-11 21:55:23 +02:00