Different from OPKG, APK uses a deterministic version schema which chips
the version into chunks and compares them individually. This enforces a
certain schema which was previously entirely flexible.
- Releases are added at the very and end prefixed with an `r` like
`1.2.3-r3`.
- Hashes are prefixed with a `~` like `1.2.3~abc123`.
- Dates become semantic versions, like `2024.04.01`
- Extra tags are possible like `_git`, `_alpha` and more.
For full details see the APK test list:
https://gitlab.alpinelinux.org/alpine/apk-tools/-/blob/master/test/version.data
Signed-off-by: Paul Spooren <mail@aparcar.org>
PKG_MIRROR_HASH was accidentally generated with already APK-adapted
version string in the filename. That can't work (yet). Regenerate and
hash the file with the currently used version scheme to fix that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
e91ed40 ubus: assume that the service iface can be NULL
4094a3c interface: remove unused peer field
8a0c9db interface: add missing cache cleanup on interface free
3b341f4 add the ability to announce additional hostnames
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Make sure /etc/umdns/ is accessiable for the umdns process if it
exists and umdns is run with umdns.@umdns[0].jail='1'.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
dnsmasq was recently updated to 2.90, but PKG_RELEASE was not reset to 1.
Fixes: 838a27f64f ("dnsmasq: version 2.90")
Signed-off-by: Robert Marko <robimarko@gmail.com>
For certain lldp_class scenarios (2 & 3) a policy must be set also.
Class 4 is default, although it's good to handle the policy eventuality.
Here, set a default lldp_policy for all lldp_class scenarios. Any
lldp_policy can now be set.
Depends on PR #14584 (which introduced an `if` block)
Tested on 22.03.5, 22.03.6
Signed-off-by: Paul Donald <newtwen@gmail.com>
Previously only partially implemented. After commit
5007f488bb lldp_location was never removed
Now, add the value of lldp_location to the generated config.
The location param has a few syntaxes, so the config acquires the first
usage from the man page: 'address country EU'
Supplementary fix for PR #14193 (this param was included in the original
PR #13018 but the lldp_location fixes were absent from PR #14193).
Tested on 22.03.5, 22.03.6
Signed-off-by: Paul Donald <newtwen@gmail.com>
from commit 3ce909914a
The lldpd man page says that "configure lldp tx-interval" can
specify an interval value in milliseconds by appending a "ms" suffix to
the figure. Thus mandating string handling, and not integer comparison.
Tested on 22.03.5
Signed-off-by: Paul Donald <newtwen@gmail.com>
from commit 909f063066
Now pass two params to get_config_cid_ifaces() for:
cid_interface
interface
Each of which is a CSV of interfaces.
Tested on 22.03.5
Signed-off-by: Paul Donald <newtwen@gmail.com>
from commit ac771313eb
portidsubtype takes 1 of 2 possible keywords which do not need quoting:
configure lldp portidsubtype ifname | macaddress
The third keyword 'local' is used in the syntax when individual ports
are being defined:
configure [ports ethX [,…]] lldp portidsubtype local value
When this syntax is used, quoting is useful (see test cases for lldpd).
In the init file, the 'local' syntax is unused.
Tested on 22.03.5
Signed-off-by: Paul Donald <newtwen@gmail.com>
from commit c98ee4dbb3
agent-type takes 1 of 3 possible keywords which do not require quoting:
configure lldp agent-type nearest-bridge | nearest-non-tpmr-bridge
| nearest-customer-bridge
Tested on 22.03.5
Signed-off-by: Paul Donald <newtwen@gmail.com>
Bump to 2.90 to get upstream's fix for DNSSEC KeyTrap (CVE-2023-50387,
CVE-2023-50868) among many other goodies and fixes (notably, upstream
568fb024... fixes a UAF in cache_remove_uid that was routinely crashing
dnsmasq in my deployment).
Catch up our 200-ubus_dns.patch, too.
Signed-off-by: Nathaniel Wesley Filardo <nwfilardo@gmail.com>
In some situations (slow protocol or interfaces with auto 0), the
interfaces are not available during the dnsmasq initialization and
hence, the ignore setting will be skipped.
Install an interface trigger for ignored interfaces in case their
ifname cannot be resolved.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
- introduce 'DirectInterface' option to bind exactly to specified interface;
fixes#9666 and late IPv4/IPv6 address assignment
- option 'DirectInterface' takes precedence over 'Interface'
- improve interface/address handling,
e.g. verify count of listening endpoints due to dropbear limit (10 for now)
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
- correct maximum receive window size
- adjust receive window size against maximum allowed value
- warn about too high receive window size in syslog
improves f95eecfb
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
end users should have done this since OpenWrt 19.07.
if they didn't do this yet - perform auto-transition.
schedule 'rsakeyfile' removal for next year release.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
these options allow one to configure U2F/FIDO support in more granular way
inspired by upstream commit aa6559db
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
reduces binary/package size and increases overall performance
also:
- adjust 910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
to build without DROPBEAR_RSA/DROPBEAR_RSA_SHA256
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms.
A future deprecation notice of ssh-rsa (2048-bit) has been issued. [1]
It has no place in a potentially internet-facing daemon like dropbear.
Upstream has acknowledged this and offered this solution to disable
these two until this is made to be the default in the next release
of dropbear next year. [2]
1. https://www.openssh.com/txt/release-8.2
2. https://github.com/mkj/dropbear/issues/138
Signed-off-by: John Audia <therealgraysky@proton.me>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
- "default n" is not needed: options are not selected by default
- wrap config on 80 characters width (assuming tab is 8 characters long)
- add feature cost size and security notes for DROPBEAR_AGENTFORWARD
and DROPBEAR_DBCLIENT_AGENTFORWARD:
describe why and where it should be disabled
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
- switch DB_OPT_COMMON and DB_OPT_CONFIG to comma-separated lists:
this allows to have values with "|" in DB_OPT_COMMON and DB_OPT_CONFIG
which is more likely to be than values with commas;
use $(comma) variable for values with commas.
- sort DB_OPT_COMMON and DB_OPT_CONFIG to have "overrides" on top of list.
- allow DB_OPT_COMMON to have values with commas.
- allow to replace multiline definitions in sysoptions.h.
improves e1bd9645
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
- update dropbear to latest stable 2022.83;
for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- drop patches:
- 001-fix-MAX_UNAUTH_CLIENTS-regression.patch
- rework patches:
- 901-bundled-libs-cflags.patch
- refresh remaining patches
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Bind to the configured system interfaces only. Switchport interfaces
are no longer ignored and uci interface values for LLDPD are honored.
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
Init script reload with trigger to detect config file update.
Reload command added to attempt non-impactful lldpd reload where
lldpcli can be used to update config without process restart.
Config hash function used to track whether process restart is needed.
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
Bump PKG_RELEASE which should have been done by commit 7b1c3068b7
("uhttpd: restart when interface to listen becomes available").
Fixes: 7b1c3068b7 ("uhttpd: restart when interface to listen becomes available")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Currently uhttpd won't start with a listening interface configured if
the interface isn't already up at the time uhttpd starts. Make sure we
attempt to start uhttpd when it comes up.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
When wpa_psk_file is used, there is a chance that no PSK is set. This means
that the FT key will be generated using only the mobility domain which
could be considered a security vulnerability but only for a very specific
and niche config.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
When using WPA3-SAE or WPA2/WPA3 Personal Mixed, we can not use
ft_psk_generate_local because it will break FT for SAE. Instead
use the r0kh and r1kh configuration approach.
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
802.11r can not be used when selecting WPA. It needs at least WPA2.
This is because 802.11r advertises FT support in-part through the
Authentication and Key Management (AKM) suites in the Robust
Security Network (RSN) Information Element, which was included in
the 802.11i amendment and WPA2 certification program.
Pre-standard WPA did not include the RSN IE, but the WPA IE.
This IE can not advertise the AKM suite for FT.
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
[Upstream Backport]
The range for the 5 GHz channel 118 was encoded with an incorrect
channel number.
Fixes: ed8e13decc71 (ACS: Extract bw40/80/160 freqs out of acs_usable_bwXXX_chan())
Signed-off-by: Michael Lee <michael-cy.lee@mediatek.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
Make the call deferred instead of blocking to avoid deadlock issues
Fixes: 3df9322771 ("hostapd: make ubus calls to wpa_supplicant asynchronous")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This reverts commit b7f9742da8.
There are several reports of regressions with this commit. Will be added
back once I've figured out and fixed the cause
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This fixes a deadlock issue where depending on the setup order, hostapd and
wpa_supplicant could end up waiting for each other
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Use postinst script to reload service instead of uci-defaults hack. It's
possible thanks to recent base-files change that executes postinst after
uci-defaults.
This fixes support for uhttpd customizations. It's possible (again) to
adjust uhttpd config with custom uci-defaults before it gets started.
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Fixes: d25d281fd6 ("uhttpd: Reload config after uhttpd-mod-ubus was added")
Ref: b799dd3c70 ("base-files: execute package's "postinst" after executing uci-defaults")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Increasing the receive window size improves throughout on higher-latency
links such as WAN connections. The current default of 24KB caps out at
around 500 KB/s.
Increasing the receive buffer to 256KB increases the throughput to at
least 11 MB/s.
Signed-off-by: David Bauer <mail@david-bauer.net>
Prior to this commit, "localuse" (which enables local resolving through
dnsmsasq) was off by "default". That default was in turn overridden when
"noresolv" was unset (which itself is the default for "noresolv") *and*
"resolvfile" was "/tmp/resolv.conf.d/resolv.conf.auto" (also the default
for this parameter).
In other words, the "default" unset value for "localuse" would only be
ever used in specific *non-default* configurations.
However, the problem with that logic is that a user who wants to ignore
their ISP-provided resolvers by setting "noresolv" to true ends up with
a device that will *only use* said resolvers for local DNS queries,
serving clients' queries via dnsmasq (which now ignores the ISP
resolvers). This can lead to confusion and break random setups as the
DNS lookup performed on clients behalf can differ in their replies from
DNS lookups performed locally on the router.
Furthermore, "localuse" is not configurable through Luci, contrary to
the other two involved settings, adding further confusion for the end
user.
To work around this situation, the logic that sets "localuse" is
inverted: "localuse" now defaults to on by default, and IFF "noresolv"
is unset (default) AND "resolvfile" is changed from default THEN
"localuse" gets turned back off, allowing for more sensible behaviour.
"localuse" value set in config/dhcp still overrides the logic in all
cases, as it did already.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
If the dnsmasq process forks to handle TCP connections, it closes the ubus
context. But instead of changing the daemon wide pointer to NULL, only the
local variable was adjusted - and this portion of the code was even dropped
(dead store) by some optimizing compilers.
It makes more sense to change the daemon->ubus pointer because various
functions are already checking it for NULL. It is also the behavior which
ubus_destroy() implements.
Fixes: d8b33dad0b ("dnsmasq: add support for monitoring and modifying dns lookup results via ubus")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
This is not activated by default and must be explicitly enabled via ubus
It supports reporting log messages and netlink packets
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The new rewritten ipcalc.sh understands 3 notations:
ipaddr/prefix ...
ipaddr/dotted-netmask ...
ipaddr dotted-netmask ...
meaning that the previous 4th non-standard notation of "ipaddr prefix"
will be dropped, alas that's the notation that dnsmasq currently uses.
This change has us using the first notation which is the most common.
This behavior came in as
eda27e8382
a long time ago.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Currently for 802.1s only, for wifi 2.4GHz in g/n mode, 40MHz is never
permitted.
This is probably due to the complexity of setting periodic check for the
intolerant bit. When noscan option is set, we ignore the presence of the
intoleran bit in near AP, so we can enable 40MHz and ignore any complex
logic for checking.
Fixes: #13112
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Also channel 7 for 2.4GHz can be set to HT40PLUS. Permit this and add it
to the list of the channels.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
noscan option for mesh was broken and actually never applied.
This is caused by a typo where ssid->noscan value is check instead of
conf->noscan resulting in the logic swapped and broken.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
It's already pulled in from /etc/rc.common.
Fixes: #13758
Fixes: 6b23836071 ("package: avoid the use of eval to parse ipcalc.sh output")
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Upgrading wpa_supplicant from 2.9 to 2.10 breaks broadcom-wl/ath11k
based adapters. The reason for it is hostapd tries to install additional
IEs for scanning while the driver does not support this.
The kernel indicates the maximum number of bytes for additional scan IEs
using the NL80211_ATTR_MAX_SCAN_IE_LEN attribute. Save this value and
only add additional scan IEs in case the driver can accommodate these
additional IEs.
Bug: http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
Bug-Debian: https://bugs.debian.org/1004524
Bug-ArchLinux: https://bugs.archlinux.org/task/73495
Upstream-Status: Changes Requested [https://patchwork.ozlabs.org/project/hostap/patch/20220130192200.10883-1-mail@david-bauer.net]
Reported-by: Étienne Morice <neon.emorice@mail.com>
Tested-by: Étienne Morice <neon.emorice@mail.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The code for hostapd-mbedtls did not work when used for OWE association.
When handling association requests, the buffer offsets and length
assumptions were incorrect, leading to never calculating the y point,
thus denying association.
Also when crafting the association response, the buffer contained the
trailing key-type.
Fix up both issues to adhere to the specification and make
hostapd-mbedtls work with the OWE security type.
Signed-off-by: David Bauer <mail@david-bauer.net>
d8118f6 config: make sure timer is not on the timeouts list before freeing
4bbc6e7 add hostsfile output in addition to statefile
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
The option 31 in the RA specifies the DNS search list, the support
to configure this via UCI is missing in case dnsmasq-dhcpv6 is used.
This commit uses the uci option domain (same as is done by odhcpd) to
read and pass the DNS search list to dnsmasq, which is then used by RA.
Hence, with this commit, we are able to configure DNS search list for the
RA messages via the uci config when dnsmsaq-dhcpv6 is used.
Signed-off-by: Rahul Thakur <rahul.thakur@iopsys.eu>
479c7f8676d9 cache: make record/hostname lookup case-insensitive
26c97a5a50bf ubus: add a browse flag for suppressing cached ip addresses
c286c51a9bd9 Fix AVL tree traversal in cache_record_find and cache_host_is_known
4035fe42df58 interface: use a global socket instead of per-interface ones
c63d465698c7 cache: dump hostname target from srv records
b42b22152d73 use hostname from SRV record to look up IP addresses
d45c443aa1e6 ubus: add array flag support for the hosts method
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Recent hostapd changes just edited the ucode files. It is required to
bump the PKG_RELEASE to include the newest changes in the latest builds.
Signed-off-by: Nick Hainke <vincent@systemli.org>
If the full interface is restarted while bringing up an AP, it can trigger a
wpa_supplicant interface start before wpa_supplicant is notified of the
allocated mac addresses.
Fix this by moving the iface_update_supplicant_macaddr call to just after
the point where mac addresses are allocated.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
In the dnsmasq init script, an off-by-one in the range calculation of
ipcalc.sh was mitigated by passing the limit as if its counting started
at zero. This patch removes the mitigation as the off-by-one has been
fixed.
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
