Commit Graph

19146 Commits

Author SHA1 Message Date
Daniel Golle
2a801ee562
uqmi: update to git HEAD
44dd095 uqmi: corrected too short received SMS

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-03-12 11:07:27 +00:00
Lech Perczak
c8a88118af uqmi: set CID during 'query-data-status' operation
Modems used in ZTE mobile broadband routers require to query the data
session status using the same CID as one used to establish the session,
otherwise they will report the session as "disconnected" despite
reporting correct PDH in previous step. Without this change, IPv6
connection on these modems doesn't establish properly. In IPv4 this bug
is present as well, but for some reason querying of IPv4 status works
using temporary CID, this however seems noncompliant with QMI
specifications, so fix it as well.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-03-12 10:38:11 +00:00
Rafał Miłecki
0d45e1ea96 uboot-bcm4908: add package with BCM4908 U-Boot
New BCM4908 devices come with U-Boot instead of CFE. Firmwares for such
devices has to include U-Boot.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2022-03-11 08:02:30 +01:00
Yousong Zhou
289fbc5102 iptables: add iptables-mod-socket
Previously libxt_socket.so was included in iptables-mod-tproxy.  It was
missed out when trying to make kmod-ipt-socket and kmod-ipt-tproxy
separate packages

Fixes: 4f443c88 ("netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxy")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2022-03-10 10:43:32 +08:00
INAGAKI Hiroshi
98113220fa uboot-envtools: add support for I-O DATA BSH-G24MB
This patch adds the device-specific configuration to u-boot-envtools for
I-O DATA BSH-G24MB switch.

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2022-03-07 21:44:53 +01:00
Josef Schlehofer
d71928c1e3 nftables: update to version 1.0.2
Changelog:
https://lwn.net/ml/netdev/YhO5Pn+6+dgAgSd9@salvia/

Patches:

removed:
- 001-parser-allow-quoted-string-in-flowtable_expr_member:
it is now part of upstream release [1]

added:
- 001-examples-compile-with-make-check.patch:
backported from [2], it fixes:

nft-json-file.c:3:10: fatal error: nftables/libnftables.h: No such file or directory
    3 | #include <nftables/libnftables.h>
      |          ^~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.

[1] https://git.netfilter.org/nftables/commit/?h=v1.0.2&id=07af4429241c9832a613cb8620331ac54257d9df
[2] https://git.netfilter.org/nftables/commit/?id=18a08fb7f0443f8bde83393bd6f69e23a04246b3

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2022-03-07 21:44:53 +01:00
Hauke Mehrtens
baea8255e0 linux-firmware: Update to version 20220209
This switches the iwlwifi-firmware-ax200 file to API version 66, this is
the most recent version supported by our driver.

The following files used in OpenWrt changed:
 amdgpu-firmware/lib/firmware/amdgpu/yellow_carp_dmcub.bin
 ar3k-firmware/lib/firmware/qca/nvm_usb_00130201.bin
 ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_010a.bin
 ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_010b.bin
 ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_0303.bin
 ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_gf.bin
 ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_gf_010a.bin
 ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_gf_010b.bin
 ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_gf_0303.bin
 ar3k-firmware/lib/firmware/qca/rampatch_usb_00130200.bin
 ar3k-firmware/lib/firmware/qca/rampatch_usb_00130201.bin
 iwlwifi-firmware-ax200/lib/firmware/iwlwifi-cc-a0-66.ucode
 iwlwifi-firmware-ax210/lib/firmware/iwlwifi-ty-a0-gf-a0-66.ucode
 iwlwifi-firmware-ax210/lib/firmware/iwlwifi-ty-a0-gf-a0.pnvm
 iwlwifi-firmware-iwl9000/lib/firmware/iwlwifi-9000-pu-b0-jf-b0-46.ucode
 iwlwifi-firmware-iwl9260/lib/firmware/iwlwifi-9260-th-b0-jf-b0-46.ucode
 rtl8822ce-firmware/lib/firmware/rtw88/rtw8822c_fw.bin

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-03-07 18:07:29 +01:00
Felix Fietkau
1b46333895 bpf-headers: ship a modified version of stdarg.h from musl to fix ebpf build on glibc
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-03-07 10:38:41 +01:00
Felix Fietkau
759149977e qosify: update to the latest version
3276aed81c73 move run_cmd() to main.c
558eabc13c64 map: move dns host based lookup code to a separate function
6ff06d66c36c dns: add code for snooping dns packets
a78bd43c4a54 ubus: remove dnsmasq subscriber
9773ffa70f1f map: process dns patterns in the order in which they were defined
f13b67c9a786 dns: allow limiting dns entry matching to cname name

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-03-06 23:01:24 +01:00
Hauke Mehrtens
921392e216 iproute2: Remove libxtables from some tc variants
This adds the new tc-bpf variant and removes libxtables dependency from
the tc-tiny variant. The tc-full variant stays like before and contains
everything.

This allows to use tc without libxtables.

The variants have the following sizes:
root@OpenWrt:/# ls -al /usr/libexec/tc-*
-rwxr-xr-x    1 root     root        282453 Mar  1 21:55 /usr/libexec/tc-bpf
-rwxr-xr-x    1 root     root        282533 Mar  1 21:55 /usr/libexec/tc-full
-rwxr-xr-x    1 root     root        266037 Mar  1 21:55 /usr/libexec/tc-tiny

They are linking the following shared libraries:
root@OpenWrt:/# ldd /usr/libexec/tc-tiny
        /lib/ld-musl-mips-sf.so.1 (0x77d6e000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d4a000)
        libc.so => /lib/ld-musl-mips-sf.so.1 (0x77d6e000)
root@OpenWrt:/# ldd /usr/libexec/tc-bpf
        /lib/ld-musl-mips-sf.so.1 (0x77da6000)
        libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77d60000)
        libelf.so.1 => /usr/lib/libelf.so.1 (0x77d3e000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d1a000)
        libc.so => /lib/ld-musl-mips-sf.so.1 (0x77da6000)
        libz.so.1 => /usr/lib/libz.so.1 (0x77cf6000)
root@OpenWrt:/# ldd /usr/libexec/tc-full
        /lib/ld-musl-mips-sf.so.1 (0x77de8000)
        libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77da2000)
        libelf.so.1 => /usr/lib/libelf.so.1 (0x77d80000)
        libxtables.so.12 => /usr/lib/libxtables.so.12 (0x77d66000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d42000)
        libc.so => /lib/ld-musl-mips-sf.so.1 (0x77de8000)
        libz.so.1 => /usr/lib/libz.so.1 (0x77d1e000)

This is based on a patch from Tiago Gaspar.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-03-05 21:06:35 +01:00
Langhua Ye
d15f9b9043 uboot-envtools: mt7622: add support for Ruijie RG-EW3200GX PRO
Add U-Boot environment settings for Ruijie RG-EW3200GX PRO to allow
users to access the bootloader environment using fw_printenv/fw_setenv
while running OpenWrt.

Signed-off-by: Langhua Ye <y1248289414@outlook.com>
2022-03-05 21:06:35 +01:00
Ansuel Smith
4393d8c090 libnetfilter-conntrack: backport patch fixing compilation with 5.15
Backport patch fixing compilation with 5.15 and musl provided by Robert Marko

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2022-03-05 21:05:45 +01:00
Oskari Rauta
ef4bf8b403 util-linux: add lsns
lsns lists system namespaces

Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
2022-03-05 21:05:45 +01:00
Josef Schlehofer
0f432fa3a9 uboot-mvebu: backport patch to fix nvme detail crash
Steps to reproduce:
1. Insert NVMe disk with a reduction to Turris Omnia
2. Go to U-boot
3. Run these two commands:
a) ``nvme scan``
b) ``nvme detail``
4. Wait for crash

This is backported from U-boot upstream repository.
It should be included in the upcoming release - 2022.04 [1].

It was tested on Turris Omnia, mvebu, cortex-a9, OpenWrt master.

[1] https://patchwork.ozlabs.org/project/uboot/patch/20211209100639.21530-1-pali@kernel.org/

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[Export the patch from U-Boot git]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-03-05 21:05:24 +01:00
Stijn Tintel
c2d7896a65 qosify: bump to git HEAD
interface: disable autorate-ingress by default

Also change the example config to reflect this.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-03-04 20:37:05 +02:00
Stijn Tintel
1848b25cdd qosify: add PKG_RELEASE
Without PKG_RELEASE, it's impossible to trigger package updates when
changing files included in the package that are not in the qosify git
repository.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Felix Fietkau <nbd@nbd.name>
2022-03-04 20:25:05 +02:00
Rui Salvaterra
247eaa4416 procd: remove support for mounting /tmp in zram
The /tmp directory is mounted as tmpfs. The tmpfs filesystem is backed by
anonymous memory, which means it can be swapped out at any time, if there is
memory pressure [1]. For this reason, a zram swap device is a much better
choice than mounting /tmp on zram, since it's able to compress all anonymous
memory, and not just the memory assigned to /tmp. We already have the zram-swap
package for this specific purpose, which means procd's tmp-on-zram is both
redundant and more limited.

A follow-up patch will remove support for mounting /tmp in zram from procd
itself.

[1] https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2022-03-03 20:22:25 +00:00
Catalin Toda
02e42f0650 kernel: kmod-tcp-scalable: add scalable tcp congestion algorithm
Signed-off-by: Catalin Toda <catalinii@gmail.com>
2022-03-01 21:25:47 +01:00
Florian Eckert
ba6a48366f ipset: update to 7.15
Update to the latest upstream version. In this version there is a new
tool with which you can convert ipsets into nftables sets. Since we are
now using nftables as default firewall, this could be a useful tool for
porting ipsets to nftables sets.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2022-03-01 21:17:30 +01:00
Paul Spooren
038d5bdab1 layerscape: use semantic versions for LSDK
PKG_VERSION should not contain the package name but the version only.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2022-03-01 00:01:18 +01:00
Etienne Champetier
d95b74f7c9 iptables: bump PKG_RELEASE
Following dependencies rework, bump PKG_RELEASE

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
39d50a2008 iptables: move libiptext* to their own packages
iptables-nft doesn't depend on libip{4,6}tc, so move
libiptext* libs in their own packages to clean up dependencies
Rename libxtables-nft to libiptext-nft

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
795e7155cb iptables: rename to ip(6)tables-legacy, add PROVIDES
Using PROVIDES allows to have other packages continue to
depend on iptables and users to pick between legacy and nft
version.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
316c406e62 iptables: move IPTABLES_{CONNLABEL,NFTABLES} to libxtables
Those 2 configs are not specific to iptables(-legacy)

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
d35a573004 iptables: make mod depend on libxtables
'iptables-mod-' can be used directly by firewall3, by
iptables and by iptables-nft. They are not linked to
iptables but to libxtables, so fix the dependencies to allow
to remove iptables(-legacy)

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
50d3271966 iptables: fix libnftnl/IPTABLES_NFTABLES dependency
libxtables doesn't depend on libnftnl, iptables-nft does,
so move the dependency to not pull libnftnl with firewall3/iptables-legacy

Also libxtables-nft depends on IPTABLES_NFTABLES

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Stijn Tintel
58212a6194 ubus: bump to git HEAD
66baa44 libubus: introduce new status messages
  b3cd5ab cli: use UBUS_STATUS_PARSE_ERROR
  584f56a cli: improve error logging for call command

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-02-28 16:18:37 +02:00
Yousong Zhou
43276b60c6 netfilter: add kmod-nft-tproxy
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2022-02-28 10:24:17 +08:00
Yousong Zhou
0225df1ec8 netfilter: add kmod-nft-socket
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2022-02-28 10:24:17 +08:00
Yousong Zhou
4f443c885d netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxy
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2022-02-28 10:24:17 +08:00
Piotr Dymacz
2d5b596b49 uboot-envtools: ath79: add support for ALFA Network Tube-2HQ
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2022-02-27 16:54:54 +01:00
Christian Lamparter
1753f8c14b firmware: intel-microcode: update to 20220207
Debians' changelog by Henrique de Moraes Holschuh <hmh@debian.org>:

* upstream changelog: new upstream datafile 20220207
    * Mitigates (*only* when loaded from UEFI firmware through the FIT)
      CVE-2021-0146, INTEL-SA-00528: VT-d privilege escalation through
      debug port, on Pentium, Celeron and Atom processors with signatures
      0x506c9, 0x506ca, 0x506f1, 0x706a1, 0x706a8
      https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/57#issuecomment-1036363145
    * Mitigates CVE-2021-0127, INTEL-SA-00532: an unexpected code breakpoint
      may cause a system hang, on many processors.
    * Mitigates CVE-2021-0145, INTEL-SA-00561: information disclosure due
      to improper sanitization of shared resources (fast-store forward
      predictor), on many processors.
    * Mitigates CVE-2021-33120, INTEL-SA-00589: out-of-bounds read on some
      Atom Processors may allow information disclosure or denial of service
      via network access.
    * Fixes critical errata (functional issues) on many processors
    * Adds a MSR switch to enable RAPL filtering (default off, once enabled
      it can only be disabled by poweroff or reboot).  Useful to protect
      SGX and other threads from side-channel info leak.  Improves the
      mitigation for CVE-2020-8694, CVE-2020-8695, INTEL-SA-00389 on many
      processors.
    * Disables TSX in more processor models.
    * Fixes issue with WBINDV on multi-socket (server) systems which could
      cause resets and unpredictable system behavior.
    * Adds a MSR switch to 10th and 11th-gen (Ice Lake, Tiger Lake, Rocket
      Lake) processors, to control a fix for (hopefully rare) unpredictable
      processor behavior when HyperThreading is enabled.  This MSR switch
      is enabled by default on *server* processors.  On other processors,
      it needs to be explicitly enabled by an updated UEFI/BIOS (with added
      configuration logic).  An updated operating system kernel might also
      be able to enable it.  When enabled, this fix can impact performance.
    * Updated Microcodes:
      sig 0x000306f2, pf_mask 0x6f, 2021-08-11, rev 0x0049, size 38912
      sig 0x000306f4, pf_mask 0x80, 2021-05-24, rev 0x001a, size 23552
      sig 0x000406e3, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 105472
      sig 0x00050653, pf_mask 0x97, 2021-05-26, rev 0x100015c, size 34816
      sig 0x00050654, pf_mask 0xb7, 2021-06-16, rev 0x2006c0a, size 43008
      sig 0x00050656, pf_mask 0xbf, 2021-08-13, rev 0x400320a, size 35840
      sig 0x00050657, pf_mask 0xbf, 2021-08-13, rev 0x500320a, size 36864
      sig 0x0005065b, pf_mask 0xbf, 2021-06-04, rev 0x7002402, size 28672
      sig 0x00050663, pf_mask 0x10, 2021-06-12, rev 0x700001c, size 28672
      sig 0x00050664, pf_mask 0x10, 2021-06-12, rev 0xf00001a, size 27648
      sig 0x00050665, pf_mask 0x10, 2021-09-18, rev 0xe000014, size 23552
      sig 0x000506c9, pf_mask 0x03, 2021-05-10, rev 0x0046, size 17408
      sig 0x000506ca, pf_mask 0x03, 2021-05-10, rev 0x0024, size 16384
      sig 0x000506e3, pf_mask 0x36, 2021-04-29, rev 0x00ec, size 108544
      sig 0x000506f1, pf_mask 0x01, 2021-05-10, rev 0x0036, size 11264
      sig 0x000606a6, pf_mask 0x87, 2021-12-03, rev 0xd000331, size 291840
      sig 0x000706a1, pf_mask 0x01, 2021-05-10, rev 0x0038, size 74752
      sig 0x000706a8, pf_mask 0x01, 2021-05-10, rev 0x001c, size 75776
      sig 0x000706e5, pf_mask 0x80, 2021-05-26, rev 0x00a8, size 110592
      sig 0x000806a1, pf_mask 0x10, 2021-09-02, rev 0x002d, size 34816
      sig 0x000806c1, pf_mask 0x80, 2021-08-06, rev 0x009a, size 109568
      sig 0x000806c2, pf_mask 0xc2, 2021-07-16, rev 0x0022, size 96256
      sig 0x000806d1, pf_mask 0xc2, 2021-07-16, rev 0x003c, size 101376
      sig 0x000806e9, pf_mask 0x10, 2021-04-28, rev 0x00ec, size 104448
      sig 0x000806e9, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 104448
      sig 0x000806ea, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 103424
      sig 0x000806eb, pf_mask 0xd0, 2021-04-28, rev 0x00ec, size 104448
      sig 0x000806ec, pf_mask 0x94, 2021-04-28, rev 0x00ec, size 104448
      sig 0x00090661, pf_mask 0x01, 2021-09-21, rev 0x0015, size 20480
      sig 0x000906c0, pf_mask 0x01, 2021-08-09, rev 0x2400001f, size 20480
      sig 0x000906e9, pf_mask 0x2a, 2021-04-29, rev 0x00ec, size 106496
      sig 0x000906ea, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 102400
      sig 0x000906eb, pf_mask 0x02, 2021-04-28, rev 0x00ec, size 104448
      sig 0x000906ec, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424
      sig 0x000906ed, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424
      sig 0x000a0652, pf_mask 0x20, 2021-04-28, rev 0x00ec, size 93184
      sig 0x000a0653, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 94208
      sig 0x000a0655, pf_mask 0x22, 2021-04-28, rev 0x00ee, size 94208
      sig 0x000a0660, pf_mask 0x80, 2021-04-28, rev 0x00ea, size 94208
      sig 0x000a0661, pf_mask 0x80, 2021-04-29, rev 0x00ec, size 93184
      sig 0x000a0671, pf_mask 0x02, 2021-08-29, rev 0x0050, size 102400
    * Removed Microcodes:
      sig 0x00080664, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048
      sig 0x00080665, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048
  * update .gitignore and debian/.gitignore.
    Add some missing items from .gitignore and debian/.gitignore.
  * ucode-blacklist: do not late-load 0x406e3 and 0x506e3.
    When the BIOS microcode is older than revision 0x7f (and perhaps in some
    other cases as well), the latest microcode updates for 0x406e3 and
    0x506e3 must be applied using the early update method.  Otherwise, the
    system might hang.  Also: there must not be any other intermediate
    microcode update attempts [other than the one done by the BIOS itself],
    either.  It must go from the BIOS microcode update directly to the
    latest microcode update.
  * source: update symlinks to reflect id of the latest release, 20220207

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-02-26 19:52:41 +01:00
Sergey V. Lobanov
e6a4f30ed7 iucode-tool: fix host-compile on macos and non-x86 linux
iucode-tool/host is used by intel-microcode to manipulate with
microcode.bin file. iucode-tool requires cpuid.h at compile time
for autodection feature, but non-x86 build hosts does not have
this header file (e.g. ubuntu 20.04 aarch64) or this header
generates compile time error (#error macro) (e.g. macos arm64).

This patch provides compat cpuid.h to build iucode-tool/host on
non-x86 linux hosts and macos. CPU autodectection is not required
for intel-microcode package build so compat cpuid.h is ok for
OpenWrt purposes.

glibc and argp lib are not present in macos so iucode-tool/host
build fails. This patch adds argp-standalone/host as build
dependency if host os is macos.

Generated ucode (intel-microcode package) is exactly the same on
Linux x86_64 (Ubuntu 20.04), Linux aarch64 (Ubuntu 20.04) and
Darwin arm64 (MacOS 11.6) build hosts.

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2022-02-26 19:52:41 +01:00
Sergey V. Lobanov
64d159cdad argp-standalone: add host-compile ability
This patch adds host-compile ability to argp-standalone for build
hosts without glibc and argp lib, e.g. MacOS.

iucode-tool/host can not be built on MacOS due to lack of argp.

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2022-02-26 19:52:41 +01:00
Lucian Cristian
fbf485e6c6 mbedtls: update to 2.28.0 LTS branch
<https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0>
"Mbed TLS 2.28 is a long-time support branch.
It will be supported with bug-fixes and security
fixes until end of 2024."

<https://github.com/ARMmbed/mbedtls/blob/development/BRANCHES.md>
"Currently, the only supported LTS branch is: mbedtls-2.28.
For a short time we also have the previous LTS, which has
recently ended its support period, mbedtls-2.16.
This branch will move into the archive namespace around the
time of the next release."

this will also add support for uacme ualpn support.

size changes
221586 libmbedtls12_2.28.0-1_mips_24kc.ipk
182742 libmbedtls12_2.16.12-1_mips_24kc.ipk

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
(remark about 2.16's EOS, slightly reworded)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-02-26 19:52:41 +01:00
Lech Perczak
7ac8da0060 ath79: support ZTE MF286A/R
ZTE MF286A and MF286R are indoor LTE category 6/7 CPE router with simultaneous
dual-band 802.11ac plus 802.11n Wi-Fi radios and quad-port gigabit
Ethernet switch, FXS and external USB 2.0 port.

Hardware highlights:
- CPU: QCA9563 SoC at 775MHz,
- RAM: 128MB DDR2,
- NOR Flash: MX25L1606E 2MB SPI Flash, for U-boot only,
- NAND Flash: W25N01GV 128MB SPI NAND-Flash, for all other data,
- Wi-Fi 5GHz: QCA9886 2x2 MIMO 802.11ac Wave2 radio,
- WI-Fi 2.4GHz: QCA9563 3x3 MIMO 802.11n radio,
- Switch: QCA8337v2 4-port gigabit Ethernet, with single SGMII CPU port,
- WWAN:
  [MF286A] MDM9230-based category 6 internal LTE modem
  [MF286R] PXA1826-based category 7 internal LTE modem
  in extended  mini-PCIE form factor, with 3 internal antennas and
  2 external antenna connections, single mini-SIM slot.
- FXS: one external ATA port (handled entirely by modem part) with two
  physical connections in parallel,
- USB: Single external USB 2.0 port,
- Switches: power switch, WPS, Wi-Fi and reset buttons,
- LEDs: Wi-Fi, Test (internal). Rest of LEDs (Phone, WWAN, Battery,
  Signal state) handled entirely by modem. 4 link status LEDs handled by
  the switch on the backside.
- Battery: 3Ah 1-cell Li-Ion replaceable battery, with charging and
  monitoring handled by modem.
- Label MAC device: eth0

The device shares many components with previous model, MF286, differing
mostly by a Wave2 5GHz radio, flash layout and internal LED color.
In case of MF286A, the modem is the same as in MF286. MF286R uses a
different modem based on Marvell PXA1826 chip.

Internal modem of MF286A is supported via uqmi, MF286R modem isn't fully
supported, but it is expected to use comgt-ncm for connection, as it
uses standard 3GPP AT commands for connection establishment.

Console connection: connector X2 is the console port, with the following
pinout, starting from pin 1, which is the topmost pin when the board is
upright:
- VCC (3.3V). Do not use unless you need to source power for the
  converer from it.
- TX
- RX
- GND
Default port configuration in U-boot as well as in stock firmware is
115200-8-N-1.

Installation:
Due to different flash layout from stock firmware, sysupgrade from
within stock firmware is impossible, despite it's based on QSDK which
itself is based on OpenWrt.

STEP 0: Stock firmware update:
As installing OpenWrt cuts you off from official firmware updates for
the modem part, it is recommended to update the stock firmware to latest
version before installation, to have built-in modem at the latest firmware
version.

STEP 1: gaining root shell:

Method 1:
This works if busybox has telnetd compiled in the binary.
If this does not work, try method 2.

Using well-known exploit to start telnetd on your router - works
only if Busybox on stock firmware has telnetd included:
- Open stock firmware web interface
- Navigate to "URL filtering" section by going to "Advanced settings",
  then "Firewall" and finally "URL filter".
- Add an entry ending with "&&telnetd&&", for example
  "http://hostname/&&telnetd&&".
- telnetd will immediately listen on port 4719.
- After connecting to telnetd use "admin/admin" as credentials.

Method 2:
This works if busybox does not have telnetd compiled in. Notably, this
is the case in DNA.fi firmware.
If this does not work, try method 3.

- Set IP of your computer to 192.168.0.22. (or appropriate subnet if
  changed)
- Have a TFTP server running at that address
- Download MIPS build of busybox including telnetd, for example from:
  https://busybox.net/downloads/binaries/1.21.1/busybox-mips
  and put it in it's root directory. Rename it as "telnetd".
- As previously, login to router's web UI and navigate to "URL
  filtering"
- Using "Inspect" feature, extend "maxlength" property of the input
  field named "addURLFilter", so it looks like this:
  <input type="text" name="addURLFilter" id="addURLFilter" maxlength="332"
    class="required form-control">
- Stay on the page - do not navigate anywhere
- Enter "http://aa&zte_debug.sh 192.168.0.22 telnetd" as a filter.
- Save the settings. This will download the telnetd binary over tftp and
  execute it. You should be able to log in at port 23, using
  "admin/admin" as credentials.

Method 3:
If the above doesn't work, use the serial console - it exposes root shell
directly without need for login. Some stock firmwares, notably one from
finnish DNA operator lack telnetd in their builds.

STEP 2: Backing up original software:
As the stock firmware may be customized by the carrier and is not
officially available in the Internet, IT IS IMPERATIVE to back up the
stock firmware, if you ever plan to returning to stock firmware.
It is highly recommended to perform backup using both methods, to avoid
hassle of reassembling firmware images in future, if a restore is
needed.

Method 1: after booting OpenWrt initramfs image via TFTP:
PLEASE NOTE: YOU CANNOT DO THIS IF USING INTERMEDIATE FIRMWARE FOR INSTALLATION.
- Dump stock firmware located on stock kernel and ubi partitions:

  ssh root@192.168.1.1: cat /dev/mtd4 > mtd4_kernel.bin
  ssh root@192.168.1.1: cat /dev/mtd9 > mtd9_ubi.bin

And keep them in a safe place, should a restore be needed in future.

Method 2: using stock firmware:
- Connect an external USB drive formatted with FAT or ext4 to the USB
  port.
- The drive will be auto-mounted to /var/usb_disk
- Check the flash layout of the device:

  cat /proc/mtd

  It should show the following:
  mtd0: 000a0000 00010000 "u-boot"
  mtd1: 00020000 00010000 "u-boot-env"
  mtd2: 00140000 00010000 "reserved1"
  mtd3: 000a0000 00020000 "fota-flag"
  mtd4: 00080000 00020000 "art"
  mtd5: 00080000 00020000 "mac"
  mtd6: 000c0000 00020000 "reserved2"
  mtd7: 00400000 00020000 "cfg-param"
  mtd8: 00400000 00020000 "log"
  mtd9: 000a0000 00020000 "oops"
  mtd10: 00500000 00020000 "reserved3"
  mtd11: 00800000 00020000 "web"
  mtd12: 00300000 00020000 "kernel"
  mtd13: 01a00000 00020000 "rootfs"
  mtd14: 01900000 00020000 "data"
  mtd15: 03200000 00020000 "fota"
  mtd16: 01d00000 00020000 "firmware"

  Differences might indicate that this is NOT a MF286A device but
  one of other variants.
- Copy over all MTD partitions, for example by executing the following:

  for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do cat /dev/mtd$i > \
  /var/usb_disk/mtd$i; done

  "Firmware" partition can be skipped, it is a concatenation
  of "kernel" and "rootfs".

- If the count of MTD partitions is different, this might indicate that
  this is not a MF286A device, but one of its other variants.
- (optionally) rename the files according to MTD partition names from
  /proc/mtd
- Unmount the filesystem:

  umount /var/usb_disk; sync

  and then remove the drive.
- Store the files in safe place if you ever plan to return to stock
  firmware. This is especially important, because stock firmware for
  this device is not available officially, and is usually customized by
  the mobile providers.

STEP 3: Booting initramfs image:

Method 1: using serial console (RECOMMENDED):
- Have TFTP server running, exposing the OpenWrt initramfs image, and
  set your computer's IP address as 192.168.0.22. This is the default
  expected by U-boot. You may wish to change that, and alter later
  commands accordingly.
- Connect the serial console if you haven't done so already,
- Interrupt boot sequence by pressing any key in U-boot when prompted
- Use the following commands to boot OpenWrt initramfs through TFTP:

  setenv serverip 192.168.0.22
  setenv ipaddr 192.168.0.1
  tftpboot 0x81000000 openwrt-ath79-nand-zte_mf286a-initramfs-kernel.bin
  bootm 0x81000000

  (Replace server IP and router IP as needed). There is no  emergency
  TFTP boot sequence triggered by buttons, contrary to MF283+.
- When OpenWrt initramfs finishes booting, proceed to actual
  installation.

Method 2: using initramfs image as temporary boot kernel
This exploits the fact, that kernel and rootfs MTD devices are
consecutive on NAND flash, so from within stock image, an initramfs can
be written to this area and booted by U-boot on next reboot, because it
uses "nboot" command which isn't limited by kernel partition size.
- Download the initramfs-kernel.bin image
- After backing up the previous MTD contents, write the images to the
  "firmware" MTD device, which conveniently concatenates "kernel" and
  "rootfs" partitions that can fit the initramfs image:

  nandwrite -p /dev/<firmware-mtd> \
  /var/usb_disk/openwrt-ath79-zte_mf286a-initramfs-kernel.bin

- If write is OK, reboot the device, it will reboot to OpenWrt
  initramfs:

  reboot -f

- After rebooting, SSH into the device and use sysupgrade to perform
  proper installation.

Method 3: using built-in TFTP recovery (LAST RESORT):
- With that method, ensure you have complete backup of system's NAND
  flash first. It involves deliberately erasing the kernel.
- Download "-initramfs-kernel.bin" image for the device.
- Prepare the recovery image by prepending 8MB of zeroes to the image,
  and name it root_uImage:

  dd if=/dev/zero of=padding.bin bs=8M count=1

  cat padding.bin openwrt-ath79-nand-zte_mf286a-initramfs-kernel.bin >
  root_uImage

- Set up a TFTP server at 192.0.0.1/8. Router will use random address
  from that range.
- Put the previously generated "root_uImage" into TFTP server root
  directory.
- Deliberately erase "kernel" partition" using stock firmware after
  taking backup. THIS IS POINT OF NO RETURN.
- Restart the device. U-boot will attempt flashing the recovery
  initramfs image, which will let you perform actual installation using
  sysupgrade. This might take a considerable time, sometimes the router
  doesn't establish Ethernet link properly right after booting. Be
  patient.
- After U-boot finishes flashing, the LEDs of switch ports will all
  light up. At this moment, perform power-on reset, and wait for OpenWrt
  initramfs to finish booting. Then proceed to actual installation.

STEP 4: Actual installation:
- Set your computer IP to 192.168.1.22/24
- scp the sysupgrade image to the device:

  scp openwrt-ath79-nand-zte_mf286a-squashfs-sysupgrade.bin \
  root@192.168.1.1:/tmp/

- ssh into the device and execute sysupgrade:

  sysupgrade -n /tmp/openwrt-ath79-nand-zte_mf286a-squashfs-sysupgrade.bin

- Wait for router to reboot to full OpenWrt.

STEP 5: WAN connection establishment
Since the router is equipped with LTE modem as its main WAN interface, it
might be useful to connect to the Internet right away after
installation. To do so, please put the following entries in
/etc/config/network, replacing the specific configuration entries with
one needed for your ISP:

config interface 'wan'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option auth '<auth>' # As required, usually 'none'
        option pincode '<pin>' # If required by SIM
        option apn '<apn>' # As required by ISP
        option pdptype '<pdp>' # Typically 'ipv4', or 'ipv4v6' or 'ipv6'

For example, the following works for most polish ISPs
config interface 'wan'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option auth 'none'
        option apn 'internet'
        option pdptype 'ipv4'

The required minimum is:
config interface 'wan'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
In this case, the modem will use last configured APN from stock
firmware - this should work out of the box, unless your SIM requires
PIN which can't be switched off.

If you have build with LuCI, installing luci-proto-qmi helps with this
task.

Restoring the stock firmware:

Preparation:
If you took your backup using stock firmware, you will need to
reassemble the partitions into images to be restored onto the flash. The
layout might differ from ISP to ISP, this example is based on generic stock
firmware
The only partitions you really care about are "web", "kernel", and
"rootfs". These are required to restore the stock firmware through
factory TFTP recovery.

Because kernel partition was enlarged, compared to stock
firmware, the kernel and rootfs MTDs don't align anymore, and you need
to carve out required data if you only have backup from stock FW:
- Prepare kernel image
  cat mtd12_kernel.bin mtd13_rootfs.bin > owrt_kernel.bin
  truncate -s 4M owrt_kernel_restore.bin
- Cut off first 1MB from rootfs
  dd if=mtd13_rootfs.bin of=owrt_rootfs.bin bs=1M skip=1
- Prepare image to write to "ubi" meta-partition:
  cat mtd6_reserved2.bi mtd7_cfg-param.bin mtd8_log.bin mtd9_oops.bin \
  mtd10_reserved3.bin mtd11_web.bin owrt_rootfs.bin > \
  owrt_ubi_ubi_restore.bin

You can skip the "fota" partition altogether,
it is used only for stock firmware update purposes and can be overwritten
safely anyway. The same is true for "data" partition which on my device
was found to be unused at all. Restoring mtd5_cfg-param.bin will restore
the stock firmware configuration you had before.

Method 1: Using initramfs:
This method is recmmended if you took your backup from within OpenWrt
initramfs, as the reassembly is not needed.
- Boot to initramfs as in step 3:
- Completely detach ubi0 partition using ubidetach /dev/ubi0_0
- Look up the kernel and ubi partitions in /proc/mtd
- Copy over the stock kernel image using scp to /tmp
- Erase kernel and restore stock kernel:
  (scp mtd4_kernel.bin root@192.168.1.1:/tmp/)
  mtd write <kernel_mtd> mtd4_kernel.bin
  rm mtd4_kernel.bin
- Copy over the stock partition backups one-by-one using scp to /tmp, and
  restore them individually. Otherwise you might run out of space in
  tmpfs:

  (scp mtd3_ubiconcat0.bin root@192.168.1.1:/tmp/)

  mtd write <ubiconcat0_mtd> mtd3_ubiconcat0.bin
  rm mtd3_ubiconcat0.bin

  (scp mtd5_ubiconcat1.bin root@192.168.1.1:/tmp/)

  mtd write <ubiconcat1_mtd> mtd5_ubiconcat1.bin
  rm mtd5_ubiconcat1.bin

- If the write was correct, force a device reboot with

  reboot -f

Method 2: Using live OpenWrt system (NOT RECOMMENDED):
- Prepare a USB flash drive contatining MTD backup files
- Ensure you have kmod-usb-storage and filesystem driver installed for
  your drive
- Mount your flash drive

  mkdir /tmp/usb

  mount /dev/sda1 /tmp/usb

- Remount your UBI volume at /overlay to R/O

  mount -o remount,ro /overlay

- Write back the kernel and ubi partitions from USB drive

  cd /tmp/usb
  mtd write mtd4_kernel.bin /dev/<kernel_mtd>

  mtd write mtd9_ubi.bin /dev/<kernel_ubi>

- If everything went well, force a device reboot with
  reboot -f

Last image may be truncated a bit due to lack of space in RAM, but this will happen over "fota"
MTD partition which may be safely erased after reboot anyway.

Method 3: using built-in TFTP recovery:
This method is recommended if you took backups using stock firmware.
- Assemble a recovery rootfs image from backup of stock partitions by
  concatenating "web", "kernel", "rootfs" images dumped from the device,
  as "root_uImage"
- Use it in place of "root_uImage" recovery initramfs image as in the
  TFTP pre-installation method.

Quirks and known issuesa
- It was observed, that CH340-based USB-UART converters output garbage
  during U-boot phase of system boot. At least CP2102 is known to work
  properly.
- Kernel partition size is increased to 4MB compared to stock 3MB, to
  accomodate future kernel updates - at this moment OpenWrt 5.10 kernel
  image is at 2.5MB which is dangerously close to the limit. This has no
  effect on booting the system - but keep that in mind when reassembling
  an image to restore stock firmware.
- uqmi seems to be unable to change APN manually, so please use the one
  you used before in stock firmware first. If you need to change it,
  please use protocok '3g' to establish connection once, or use the
  following command to change APN (and optionally IP type) manually:
  echo -ne 'AT+CGDCONT=1,"IP","<apn>' > /dev/ttyUSB0
- The only usable LED as a "system LED" is the blue debug LED hidden
  inside the case. All other LEDs are controlled by modem, on which the
  router part has some influence only on Wi-Fi LED.
- Wi-Fi LED currently doesn't work while under OpenWrt, despite having
  correct GPIO mapping. All other LEDs are controlled by modem,
  including this one in stock firmware. GPIO19, mapped there only acts
  as a gate, while the actual signal source seems to be 5GHz Wi-Fi
  radio, however it seems it is not the LED exposed by ath10k as
  ath10k-phy0.
- GPIO5 used for modem reset is a suicide switch, causing a hardware
  reset of whole board, not only the modem. It is attached to
  gpio-restart driver, to restart the modem on reboot as well, to ensure
  QMI connectivity after reboot, which tends to fail otherwise.
- Modem, as in MF283+, exposes root shell over ADB - while not needed
  for OpenWrt operation at all - have fun lurking around.
  The same modem module is used as in older MF286.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-02-26 17:46:10 +01:00
Petr Štetiar
104e912c27 usbmode: update to version 2022-02-24
* usbmode: add config #0 and delay before actual config

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-02-26 13:36:30 +01:00
Vladislav Grigoryev
abd18bd033 jsonfilter: update makefile url
Specify URL as PKG_SOURCE_URL in the jsonfilter Makefile.

Signed-off-by: Vladislav Grigoryev <vg.aetera@gmail.com>
2022-02-26 13:36:30 +01:00
Christian Lamparter
e126a1e413 mac80211: add #if guards against 5.4 compile failures
Both struct net_device_path_ctx and struct net_device_path
are not available in 5.4. This causes an build error on the
bcm63xx target.

|mac80211/driver-ops.h: In function 'drv_net_fill_forward_path':
|driver-ops.h:1502:57: error: passing argument 4 of
|'local->ops->net_fill_forward_path' from incompatible pointer type
| [-Werror=incompatible-pointer-types]
| 1502 |                          ctx, path);
|      |                          ^~~
|      |                            |
|      |                         struct net_device_path_ctx *

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-02-25 17:27:28 +01:00
Hannu Nyman
97158fe10e kernel: package ramoops pstore-ram crash log storage
Package the ability to log kernel crashes to 'ramoops' pstore
files into RAM in /sys/fs/pstore

Reference to the ramoops admin guide in upstream Linux:
https://www.kernel.org/doc/html/v5.10/admin-guide/ramoops.html

The files in RAM survive a warm reboot, but not a cold reboot.

Note: kmod-ramoops selects kmod-pstore and kmod-reed-solomon.

The feature can be used by selecting the kmod-ramoops and
adding a ramoops reserved-memory definition to the device DTS.
Example from R7800:

       reserved-memory {
                rsvd@5fe00000 {
                        reg = <0x5fe00000 0x200000>;
                        reusable;
                };

                ramoops@42100000 {
                        compatible = "ramoops";
                        reg = <0x42100000 0x40000>;
                        record-size = <0x4000>;
                        console-size = <0x4000>;
                        ftrace-size = <0x4000>;
                        pmsg-size = <0x4000>;
                };
        };

If no definition has been made in DTS, no crash log is stored
for the device.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(added CONFIG_EFI_VARS_PSTORE disable)
2022-02-24 20:45:12 +01:00
Jax Jiang
1050e66c8f x86: grub2: search for the "kernel" filesystem on all disks
Previously, grub2 was hardcoded to always look on "hd0" for the
kernel.

This works well when the system only had a single disk.
But if there was a second disk/stick present, it may have look
on the wrong drive because of enumeration races.

This patch utilizes grub2 search function to look for a filesystem
with the label "kernel". This works thanks to existing setup in
scripts/gen_image_generic.sh. Which sets the "kernel" label on
both the fat and ext4 filesystem variants.

Signed-off-by: Jax Jiang <jax.jiang.007@gmail.com>
Suggested-by: Alberto Bursi <bobafetthotmail@gmail.com> (MX100 WA)
(word wrapped, slightly rewritten commit message, removed MX100 WA)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-02-24 20:45:12 +01:00
Claudiu Beznea
3e53eec589 at91: add support for sama7g5-ek board
Add support for SAMA7G5-EK board.
Hardware:
- SoC: SAMA7G5
- RAM: Aliance Memory AS4C256M16D3LC (4 Gbit DDR3L)
- SD/MMC: 1 standard 4bit SD Card interface
- USB: 1 Micro-AB host/device, 1 Type-A host, 1 Type-C host
- CAN: 2 interfaces
- Ethernet: 10/100 port, 1Gbps port
- Wi-Fi/BT: 1 optional interface
- Audio: 1 SPDIF RX port, 1 SPDIF TX port, 4 digital microphones
- Camera: 1 RPi CSI camera interface
- Debug: 1 J-Link-OB + CDC, 1 JTAG
- LEDs: 1 RGB
- Buttons: 4 push buttons
- Expansions: 1 RPi Expansion connector, 2 mikroBUS connectors
- Power management: 1 power management IC, 1 power consumption
  measurement device

Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
2022-02-24 19:05:29 +01:00
Claudiu Beznea
3ed992a996 uboot-at91: update to linux4sam-2021.10
Update uboot-at91 to linux4sam-2021.10 version.

Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
2022-02-24 19:05:28 +01:00
Claudiu Beznea
bf13b2da2a at91bootstrap: update to v3.10.4, v4.0.1
AT91Bootstrap version 4 is available only for SAM9X60, SAMA5D2, SAMA5D3,
SAMA5D4, SAMA7G5. Thus use v4.0.1 for the above targets and v3.10.4 for
the rest of them. With the switch to v4 AT91Bootstrap binaries are now
on build/binaries. Take also this into account. Also, patches directory
is not needed anymore with the version update.

Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
2022-02-24 19:05:28 +01:00
Rucke Teg
e040d31177 base-file: remove password aging feature form /etc/shadow
In the default shadow file, as visible in the failsafe mode, the user
root has value of `0` set in  the 3rd field, the date of last password
change. This setting means that the password needs to be changed the
next time the user will log in the system. `dropbear` server is ignoring
this setting but `openssh-server` tries to enforce it and fails in the
failsafe mode because the rootfs is R/O.

Disable the password aging feature for user root by setting the 3rd
filed empty.

Signed-off-by: Rucke Teg <rucketeg@protonmail.com>
2022-02-24 18:10:30 +01:00
Nick Lowe
e8d048c5e0 hostapd: SAE - Enable hunting-and-pecking and H2E
Enable both the hunting-and-pecking loop and hash-to-element mechanisms
by default in OpenWRT with SAE.

Commercial Wi-Fi solutions increasingly frequently now ship with both
hunting-and-pecking and hash-to-element (H2E) enabled by default as this
is more secure and more performant than offering hunting-and-pecking
alone for H2E capable clients.

The hunting and pecking loop mechanism is inherently fragile and prone to
timing-based side channels in its design and is more computationally
intensive to perform. Hash-to-element (H2E) is its long-term
replacement to address these concerns.

For clients that only support the hunting-and-pecking loop mechanism,
this is still available to use by default.

For clients that in addition support, or were to require, the
hash-to-element (H2E) mechanism, this is then available for use.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2022-02-24 18:04:05 +01:00
Petr Štetiar
b9251e3b40 wolfssl: fix API breakage of SSL_get_verify_result
Backport fix for API breakage of SSL_get_verify_result() introduced in
v5.1.1-stable.  In v4.8.1-stable SSL_get_verify_result() used to return
X509_V_OK when used on LE powered sites or other sites utilizing
relaxed/alternative cert chain validation feature. After an update to
v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA
error and thus rendered all such connection attempts imposible:

 $ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org"
 Downloading 'https://letsencrypt.org'
 Connecting to 18.159.128.50:443
 Connection error: Invalid SSL certificate

Fixes: #9283
References: https://github.com/wolfSSL/wolfssl/issues/4879
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-02-22 20:27:15 +01:00
Daniel Golle
2baded9ecc
base-files: make sure tools are present in sysupgrade ramdisk
Not all targets create /var/lock or touch /var/lock/fw_printenv.lock in
their platform.sh. This is problematic as fw_printenv then fails in
case /var/lock/fw_printenv.lock has not been created by previous calls
to fw_printenv/fw_setenv before sysupgrade is run.

Targets using fw_printenv/fw_setenv during sysupgrade:
 * ath79/*
 * ipq40xx/*
 * ipq806x/*
 * kirkwood/*
 * layerscape/*
 * mediatek/mt7622
 * mvebu/*
 * ramips/*
 * realtek/*

Targets currently using additional steps in /lib/upgrade/platform.sh
to make sure /var/lock/fw_printenv.lock (or at least /var/lock)
actually exists:
 * ath79/* (openmesh devices)
 * ipq40xx/* (linksys devices)
 * ipq806x/* (linksys devices)
 * kirkwood/* (linksys devices)
 * layerscape/*
 * mvebu/cortexa9 (linksys devices)

Given that accessing the U-Boot environment during sysupgrade is not
uncommon and the situation across targets is currently quite diverse,
just make sure both tools as well fw_env.config are always copied to
the ramdisk used for sysupgrade. Also make sure /var/lock always
exists.

This now allows to remove copying of fw_printenv/fw_setenv as well as
fw_env.config, creation of /var/lock or even /var/lock/fw_printenv.lock
from lib/upgrade/platform.sh or files included there.

As the same applies also to 'fwtool' which is used by generic eMMC
sysupgrade, also always copy that to ramdisk.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-02-22 19:16:03 +00:00
Eneas U de Queiroz
0134f845da openssl: configure engines with uci
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:

    config engine 'devcrypto'
            option enabled '1'

Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.

The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.

The engine list is generated by an init script which is set to run after
'log' because it informs the engines being enabled or skipped.  It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-02-22 16:37:23 +01:00
Eneas U de Queiroz
30b0351039 openssl: configure engine packages during install
This enables an engine during its package's installation, by adding it
to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.

The engine build system was reworked, with the addition of an engine.mk
file that groups some of the engine packages' definitions, and could be
used by out of tree engines as well.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-02-22 16:37:23 +01:00
Eneas U de Queiroz
17a6ca12d3 openssl: config engines in /etc/ssl/engines.cnf.d
This changes the configuration of engines from the global openssl.cnf to
files in the /etc/ssl/engines.cnf.d directory.  The engines.cnf file has
the list of enabled engines, while each engine has its own configuration
file installed under /etc/ssl/engines.cnf.d.

Patches were refreshed with --zero-commit.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-02-22 16:37:23 +01:00
Felix Fietkau
cbfce92367 qosify: update to the latest version
65b42032063f interface: add missing autorate-ingress options

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-20 18:13:14 +01:00
Josef Schlehofer
696f0a1cb4 uboot-mvebu: backport pending patches for Marvell A38x
100-ddr-marvell-a38x-fix-BYTE_HOMOGENEOUS_SPLIT_OUT-deci.patch [1]:
SoC Marvell A38x is used in Turris Omnia, and we thought that with recent
fiddling around DDR training to fix it once for all, there were
reproduced the issue in the upcoming new revision Turris Omnia boards.

101-arm-mvebu-spl-Add-option-to-reset-the-board-on-DDR-t.patch [2]:
This is useful when some board may occasionally fail with DDR training,
and it adds the option to reset the board on the DDR training failure

102-arm-mvebu-turris_omnia-Reset-the-board-immediately-o.patch [3]:
This enables the option CONFIG_DDR_RESET_ON_TRAINING_FAILURE (added by
101 patch), so the Turris Omnia board is restarted immediately, and it
does not require to reset the board manually or wait 120s for MCU to
reset the board

[1] https://patchwork.ozlabs.org/project/uboot/patch/20220217000837.13003-1-kabel@kernel.org/
[2] https://patchwork.ozlabs.org/project/uboot/patch/20220217000849.13028-1-kabel@kernel.org/
[3] https://patchwork.ozlabs.org/project/uboot/patch/20220217000849.13028-2-kabel@kernel.org/

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2022-02-20 14:26:42 +01:00
Florian Eckert
808210d992 mac80211: add debug compile option for rtw88 devices
This commit adds the following package compile options.

CONFIG_PACKAGE_RTW88_DEBGUG:
Compile the driver with additional debug logging output

CONFIG_PACKAGE_RTW88_DEBGUGFS:
Add the possibility to map information about the driver rtw88 into
debugfs.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2022-02-20 14:26:40 +01:00
Lech Perczak
411940ded4 ath79: uboot-envtools: fix partition for ZTE MF286
By mistake, a wrong partition for U-boot environment was introduced for
ZTE MF286 while adding support, when flash layout wasn't finalized. Fix
that, according to the actual flash layout:
dev:    size   erasesize  name
mtd0: 00140000 00020000 "fota-flag"
mtd1: 00140000 00020000 "caldata"
mtd2: 00140000 00020000 "mac"
mtd3: 00f40000 00020000 "ubiconcat0"
mtd4: 00400000 00020000 "kernel"
mtd5: 06900000 00020000 "ubiconcat1"
mtd6: 00080000 00010000 "u-boot"
mtd7: 00020000 00010000 "u-boot-env"
mtd8: 07840000 00020000 "ubi"

Fixes: 8c78a13bfc ("ath79: support ZTE MF286")
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-02-20 14:04:38 +01:00
Petr Štetiar
d8bf730fe0 netifd: bump to version 2022-02-20
Contains following changes:

 136006b88826 cmake: fix usage of implicit library and include paths
 bc0e84d689e2 netifd: interface-ip: don't set fib6 policies if ipv6 disabled

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-02-20 10:52:55 +01:00
Sungbo Eo
19a90262df wireless-regdb: update to version 2022.02.18
e061299 wireless-regdb: Raise DFS TX power limit to 250 mW (24 dBm) for the US
2ce78ed wireless-regdb: Update regulatory rules for Croatia (HR) on 6GHz
0d39f4c wireless-regdb: Update regulatory rules for South Korea (KR)
acad231 wireless-regdb: Update regulatory rules for France (FR) on 6 and 60 GHz
ea83a82 wireless-regdb: add support for US S1G channels
4408149 wireless-regdb: add 802.11ah bands to world regulatory domain
5f3cadc wireless-regdb: Update regulatory rules for Spain (ES) on 6GHz
e0ac69b Revert "wireless-regdb: Update regulatory rules for South Korea (KR)"
40e5e80 wireless-regdb: Update regulatory rules for South Korea (KR)
e427ff2 wireless-regdb: Update regulatory rules for China (CN)
0970116 wireless-regdb: Update regulatory rules for the Netherlands (NL) on 6GHz
4dac44b wireless-regdb: update regulatory database based on preceding changes

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
2022-02-20 13:47:57 +09:00
Christian Lamparter
2aa97ecb59 kernel: add kmod-hwmon-lm70 support
package hwmon's lm70.ko. This module supports the
National Semiconductor/TI LM70,LM71,LM74 and
TI TMP121,TMP122,TMP123 and TMP124 chips (all SPI).

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-02-19 19:34:18 +01:00
Martin Kennedy
cfe79f2eb8 mpc85xx: Patch HiveAP 330 u-boot to fix boot
When Kernel 5.10 was enabled for mpc85xx, the kernel once again became too
large upon decompression (>7MB or so) to decompress itself on boot (see
FS#4110[1]).

There have been many attempts to fix booting from a compressed kernel on
the HiveAP-330:

- b683f1c36d ("mpc85xx: Use gzip compressed kernel on HiveAP-330")
- 98089bb8ba ("mpc85xx: Use uncompressed kernel on the HiveAP-330")
- 26cb167a5c ("mpc85xx: Fix Aerohive HiveAP-330 initramfs image")

We can no longer compress the kernel due to size, and the stock bootloader
does not support any other types of compression. Since an uncompressed
kernel no longer fits in the 8MiB kernel partition at 0x2840000, we need to
patch u-boot to autoboot by running variable which isn't set by the
bootloader on each autoboot.

This commit repartitions the HiveAP, requiring a new COMPAT_VERSION,
and uses the DEVICE_COMPAT_MESSAGE to guide the user to patch u-boot,
which changes the variable run on boot to be `owrt_boot`; the user can
then set the value of that variable appropriately.

The following has been documented in the device's OpenWrt wiki page:
<https://openwrt.org/toh/aerohive/hiveap-330>. Please look there
first/too for more information.

The from-stock and upgrade from a previous installation now becomes:

0) setup a network with a dhcp server and a tftp server at serverip
(192.168.1.101) with the initramfs image in the servers root directory.

1) Hook into UART (9600 baud) and enter U-Boot. You may need to enter
a password of administrator or AhNf?d@ta06 if prompted. If the password
doesn't work. Try reseting the device by pressing and holding the reset
button with the stock OS.

2) Once in U-Boot, set the new owrt_boot and tftp+boot the initramfs image:
   Use copy and paste!

 # fw_setenv owrt_boot 'setenv bootargs \"console=ttyS0,$baudrate\";bootm 0xEC040000 - 0xEC000000'
 # save
 # dhcp
 # setenv bootargs console=ttyS0,$baudrate
 # tftpboot 0x1000000 192.168.1.101:openwrt-mpc85xx-p1020-aerohive_hiveap-330-initramfs-kernel.bin
 # bootm

3) Once openwrt booted:
carefully copy and paste this into the root shell. One step at a time

  # 3.0 install kmod-mtd-rw from the internet and load it

  opkg update; opkg install kmod-mtd-rw
  insmod mtd-rw i_want_a_brick=y

  # 3.1 create scripts that modifies uboot

cat <<- "EOF" > /tmp/uboot-update.sh
  . /lib/functions/system.sh
  cp "/dev/mtd$(find_mtd_index 'u-boot')" /tmp/uboot
  cp /tmp/uboot /tmp/uboot_patched
  ofs=$(strings -n80 -td < /tmp/uboot | grep '^ [0-9]* setenv bootargs.*cp\.l' | cut -f2 -d' ')
  for off in $ofs; do
    printf "run owrt_boot;            " | dd of=/tmp/uboot_patched bs=1 seek=${off} conv=notrunc
  done
  md5sum /tmp/uboot*
EOF

  # 3.2 run the script to do the modification

  sh /tmp/uboot-update.sh

  # verify that /tmp/uboot and /tmp/uboot_patched are good
  #
  # my uboot was: (is printed during boot)
  # U-Boot 2009.11 (Jan 12 2017 - 00:27:25), Build: jenkins-HiveOS-Honolulu_AP350_Rel-245
  #
  # d84b45a2e8aca60d630fbd422efc6b39  /tmp/uboot
  # 6dc420f24c2028b9cf7f0c62c0c7f692  /tmp/uboot_patched
  # 98ebc7e7480ce9148cd2799357a844b0  /tmp/uboot-update.sh <-- just for reference

  # 3.3 this produces the /tmp/u-boot_patched file.

  mtd write /tmp/uboot_patched u-boot

3) scp over the sysupgrade file to /tmp/ and run sysupgrade to flash OpenWrt:

  sysupgrade -n /tmp/openwrt-mpc85xx-p1020-aerohive_hiveap-330-squashfs-sysupgrade.bin

4) after the reboot, you are good to go.

Other notes:

- Note that after this sysupgrade, the AP will be unavailable for 7 minutes
  to reformat flash. The tri-color LED does not blink in any way to
  indicate this, though there is no risk in interrupting this process,
  other than the jffs2 reformat being reset.

- Add a uci-default to fix the compat version. This will prevent updates
  from previous versions without going through the installation process.

- Enable CONFIG_MTD_SPLIT_UIMAGE_FW and adjust partitioning to combine
  the kernel and rootfs into a single dts partition to maximize storage
  space, though in practice the kernel can grow no larger than 16MiB due
  to constraints of the older mpc85xx u-boot platform.

- Because of that limit, KERNEL_SIZE has been raised to 16m.

- A .tar.gz of the u-boot source for the AP330 (a.k.a. Goldengate) can
  be found here[2].

- The stock-jffs2 partition is also removed to make more space -- this
  is possible only now that it is no longer split away from the rootfs.

- the console-override is gone. The device will now get the console
  through the bootargs. This has the advantage that you can set a different
  baudrate in uboot and the linux kernel will stick with it!

- due to the repartitioning, the partition layout and names got a makeover.

- the initramfs+fdt method is now combined into a MultiImage initramfs.
  The separate fdt download is no longer needed.

- added uboot-envtools to the mpc85xx target. All targets have uboot and
  this way its available in the initramfs.

[1]: https://bugs.openwrt.org/index.php?do=details&task_id=4110
[2]: magnet:?xt=urn:btih:e53b27006979afb632af5935fa0f2affaa822a59

Tested-by: Martin Kennedy <hurricos@gmail.com>
Signed-off-by: Martin Kennedy <hurricos@gmail.com>
(rewrote parts of the commit message, Initramfs-MultiImage,
dropped bootargs-override, added wiki entry + link, uboot-envtools)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-02-19 19:20:29 +01:00
Rosen Penev
fbb8e1ef45 ksmbd: add out-of-tree module
ksmbd is an upstream linux alternative to Samba which is lighterweight
and more performant, especially on underpowered devices.

Moving it here from the packages feed as it is now an upstream kernel
module. Also easier to update as version updates can be coordinated better

The next LTS kernel (5.15) has this included. A depend on kernel < 5.15
will need to be added later.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-02-19 18:29:42 +01:00
Rosen Penev
666d427652 linux/modules: split up oid_registry
This will be needed by ksmbd in a following commit.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-02-19 18:29:42 +01:00
Eneas U de Queiroz
e6df13d0e1 hostapd: fallback to psk when generating r0kh/r1kh
The 80211r r0kh and r1kh defaults are generated from the md5sum of
"$mobility_domain/$auth_secret".  auth_secret is only set when using EAP
authentication, but the default key is used for SAE/PSK as well.  In
this case,  auth_secret is empty, and the default value of the key can
be computed from the SSID alone.

Fallback to using $key when auth_secret is empty.  While at it, rename
the variable holding the generated key from 'key' to 'ft_key', to avoid
clobbering the PSK.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
[make ft_key local]
Signed-off-by: David Bauer <mail@david-bauer.net>
2022-02-19 16:14:52 +01:00
David Bauer
6f78723977 hostapd: add STA extended capabilities to get_clients
Add the STAs extended capabilities to the ubus STA information. This
way, external daemons can be made aware of a STAs capabilities.

This field is of an array type and contains 0 or more bytes of a STAs
advertised extended capabilities.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-02-19 16:14:45 +01:00
Alexey Smirnov
66071729a2 base-files: add support for heartbeat led trigger
This patch adds support for creation heartbeat led trigger with,
for example, this command:

	ucidef_set_led_heartbeat "..." "..." "..."

from /etc/board.d/01_leds.

Signed-off-by: Alexey Smirnov <s.alexey@gmail.com>
2022-02-19 13:10:01 +01:00
Mauri Sandberg
2c211a901d gpio-nxp-74hc153: remove package
This module was used solely by Buffalo WZR-HP-G300NH devices
and has become obsolete with the introduction of gpio-cascade.

Signed-off-by: Mauri Sandberg <maukka@ext.kapsi.fi>
2022-02-19 13:10:01 +01:00
Mauri Sandberg
2f50d65161 kernel: add package kmod-gpio-cascade
Adds kernel module for Generic GPIO cascade.

Signed-off-by: Mauri Sandberg <maukka@ext.kapsi.fi>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [missing commit description]
2022-02-19 13:10:01 +01:00
Mauri Sandberg
15f0074beb kernel: add package kmod-multiplexer
Adds new kernel module for GPIO controlled multiplexer support.

Signed-off-by: Mauri Sandberg <maukka@ext.kapsi.fi>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [missing commit description]
2022-02-19 13:10:01 +01:00
Daniel Golle
48ace62114
procd: update to git HEAD
a87d010 uxc: remove unused printf parameter
 ad65249 instance: exit in case asprintf() fails

Build with glibc should again work after this commit.

Fixes: e9e61d76fd ("procd: update to git HEAD")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-02-19 00:11:55 +00:00
Daniel Golle
e9e61d76fd
procd: update to git HEAD
df1123e uxc: add support for user-defined settings
 0272c7c uxc: allow editing settings using 'create'
 a839518 uxc: clean up error handling

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-02-18 03:03:34 +00:00
Daniel Golle
397de50089
base-files: Make sure rootfs_data_max is considered
For sysupgrade on NAND/UBI devices there is the U-Boot environment
variable rootfs_data_max which can be used to limit the size of the
rootfs_data volume created on sysupgrade.
This stopped working reliable with recent kernels, probably due to a
race condition when reading the number of free erase blocks from sysfs
just after removing a volume.
Change the script to just try creating rootfs_data with the desired
size and retry with maximum size in case that fails. Hence calculating
the available size in the script can be dropped which works around the
problem.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-02-17 15:15:42 +00:00
Stijn Tintel
add7884cd0 libnetfilter-conntrack: bump to 1.0.9
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2022-02-17 13:59:44 +02:00
Felix Fietkau
5a0975f7ef mt76: update to the latest version
ddd3c2f38b30 mt76: redefine mt76_for_each_q_rx to adapt mt7986 changes
7fa5229a4228 mt76: improve signal strength reporting
025a72cd2d24 mt76: mt7915: fix injected MPDU transmission to not use HW A-MSDU
8c765fd92d97 mt76: mt7615: introduce SAR support
799a15bb68f9 mt76: fix endianness errors in reverse_frag0_hdr_trans
c114919f0c08 mt76: mt7915: Fix channel state update error issue
93191a37e59a mt76: mt7915: fix potential memory leak of fw monitor packets
cde589b2efb7 mt76: mt7921s: fix missing fc type/sub-type for 802.11 pkts
6ef22f4dc4e4 mt76: mt7915: add support for MT7986
7f1818cd8f2d mt76: mt7915: introduce band_idx in mt7915_phy
1d57a0d506db mt76: mt7915: initialize smps mode in mt7915_mcu_sta_rate_ctrl_tlv()
1f2a4816a3de mt76: mt7615: fix compiler warning on frame size
d60f335e785b mt76: mt7915: fix endianness warnings in mt7915_debugfs_rx_fw_monitor
d0ab636cb61c mt76: mt7915: fix endianness warnings in mt7915_mac_tx_free()
9d9bd7b3c48c mt76: connac: adjust wlan_idx size from u8 to u16
be1091f1172d mt76: mt7615: Fix assigning negative values to unsigned variable
d4fc42889a30 mt76: mt7915: check band idx for bcc event
98ee3e2889ea mt76: mt7915: fix logic error and remove the unused member of mt7915_dev
bbbbafb67bac mt76: mt7915: fix compiler warning
abd80cf68db1 mt76: mt7915: fix the muru tlv issue
a050c14b5631 mt76: mt7915: use min_t() to make code cleaner
9fee8f3736eb mt76: mt7915e: Fix degraded performance after temporary overheat
f2e1a62cf0d0 mt76: mt7915e: Add a hwmon attribute to get the actual throttle state.
c67df0d3130a mt76: mt7915e: Enable thermal management by default

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-15 15:18:22 +01:00
Felix Fietkau
eae0dbf68c mac80211: fix traffic stalls on forwarded mesh packets due to wrong AC selection
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-15 15:17:01 +01:00
Daniel Golle
5205010a54
procd: simplify uxc init script
'uxc boot' is inteded to be called multiple times, so there is not need
to guard the first call on boot -- the actual code anyway didn't do
that, so just remove it.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-02-13 23:31:27 +00:00
Hauke Mehrtens
8f5875c4e2 tcpdump: Fix CVE-2018-16301
This fixes the following security problem:
The command-line argument parser in tcpdump before 4.99.0 has a buffer
overflow in tcpdump.c:read_infile(). To trigger this vulnerability the
attacker needs to create a 4GB file on the local filesystem and to
specify the file name as the value of the -F command-line argument of
tcpdump.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-12 23:22:05 +01:00
Felix Fietkau
2fd208e272 mac80211: fix rekey failure in drivers with 802.3 decap offload
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-12 23:03:51 +01:00
Jo-Philipp Wich
0d1220acdf firewall4: update to latest Git HEAD
53caa1a fw4: resolve zone layer 2 devices for hw flow offloading
9fe58f5 fw4: rework and fix family inheritance logic
8795296 tests: mocklib: fix infinite recursion in wrapped print()
281b1bc tests: change mocked wan interface type to PPPoE
93b710d tests: mocklib: forward compatibility change
1a94915 fw4: only stage reflection rules if all required addrs are known
5c21714 fw4: add device iifname/oifname matches to DSCP and MARK rules
3eacc97 tests: adjust 01_ruleset test case to latest changes

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-12 20:51:22 +01:00
Jo-Philipp Wich
4aea6d231b ucode: update to latest Git HEAD
a29bad9 compiler: fix patchlist corruption on switch statement syntax errors
86f0662 lib: change `ord()` to always return single byte value
116a8ce vallist: fix storing/retrieving short strings with 8bit byte value

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-12 20:51:22 +01:00
Felix Fietkau
8072bf3322 qosify: update to the latest version
e230e71e0a12 map: fix copy-paste error in codepoints map
580d2ccf89f3 bpf: declare tcp_ports/udp_ports without typedef
8d6c19a81f3f ubus: fix a use-after-free bug

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-10 21:08:09 +01:00
Jo-Philipp Wich
1847382456 ucode: update to latest Git HEAD
a317c17 compiler: fix incorrect loop break targets

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-08 23:46:21 +01:00
Leonardo Mörlein
5406684087 wireguard-tools: allow generating private_key
When the uci configuration is created automatically during a very early
stage, where no entropy daemon is set up, generating the key directly is
not an option. Therefore we allow to set the private_key to "generate"
and generate the private key directly before the interface is taken up.

Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
Tested-by: Jan-Niklas Burfeind <git@aiyionpri.me>
2022-02-08 12:52:14 +01:00
David Bauer
04ed224543 hostapd: refresh patches
Refresh patches after updating to hostapd v2.10.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-02-08 00:21:41 +01:00
David Bauer
adb8c09a83 hostapd: update to v2.10
Upstreamed patches:
020-mesh-make-forwarding-configurable.patch
e6db1bc5da3fd7d5f4dba24aa102543b4749912f
550-WNM-allow-specifying-dialog-token.patch
979f19716539362f8ce60a77bf1b88fdcf5ba8e5
720-ACS-fix-channel-100-frequency.patch
2341585c349231af00cdef8d51458df01bc6965f
741-proxyarp-fix-compilation-with-Hotspot-2.0-disabled.patch
08bdf4f90de61a84ed8f4dd918272dd9d36e2e1f

Compile-tested: wpad-wolfssl hostapd-openssl
Run-tested: ath79-generic

Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-02-08 00:21:27 +01:00
Jo-Philipp Wich
ae75541594 firewall4: update to latest Git HEAD
a0518b6 fw4: gracefully handle unsupported hardware offloading
ac99eba init: fix boot action in init script

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 23:36:06 +01:00
Felix Fietkau
46e0eeb760 hostapd: automatically calculate channel center freq on chan_switch
Simplifies switching to different channels when on >= VHT80

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-07 17:01:18 +01:00
Jo-Philipp Wich
07eccc29ab rpcd: update to latest Git HEAD
909f2a0 ucode: adjust to latest ucode api
4c532bf ucode: add ucode interpreter plugin
9c6ba38 treewide: adjust ubus object type names
75a96dc build: honour CMake install prefix in hardcoded paths

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 11:44:37 +01:00
Jo-Philipp Wich
881a059977 uhttpd: update to latest Git HEAD
2f8b136 main: fix leaking -p/-s argument values
881fd3b ucode: adjust to latest ucode api
8b2868e file: specify UTF-8 as charset for dirlists, add option to override
3a5bd84 main: add ucode options to help text
16aa142 examples: add ucode handler example
3ceccd0 ucode: add ucode plugin support
f0f1406 examples: add example Lua handler script
9e87095 listen: avoid invalid memory access

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 11:44:36 +01:00
Jo-Philipp Wich
2dd6777f15 firewall4: update to latest Git HEAD
b54f462 fw4: parse traffic rules before forwarding rules
4d5af8b fw4: consolidate helper code
300c737 fw4: fix applying zone family restrictions to forwardings
eb9c25a tests: implement fs.opendir() mock interface
d30ff48 tests: fix mocked fs.popen() trace log
52831a0 fw4: improve flowtable handling
7cb10c8 fw4: disable "flow_offloading_hw" option for now
b2241a1 fw4: fix enabling NAT reflection rules for DNATs without explicit family

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 11:44:36 +01:00
Jo-Philipp Wich
134c88c689 ucode: update to latest Git HEAD
11adf0c source: convert source objects into proper uc_value_t type
3a49192 treewide: rework function memory model
7edad5c tests: add functional tests for builtin functions
d5003fd lib: fix leaking tokener in uc_json() on parse exception
5d0ecd9 lib: fix infinite loop on empty regexp matches in uc_replace()
3ad57f1 lib: fix infinite loop on empty regexp matches in uc_match()
32d596d lib: fix infinite loop on empty regexp matches in uc_split()
3e3f38d vm: ensure consistent trace output between gcc and clang compiled ucode
3600ded vm: fix leaking function value on call exception
3059295 vm: NULL-initialize pointer to make cppcheck happy
98e59bf source: zero-initialize conversion union to make cppcheck happy
7a65c14 run_tests.sh: change workdir to testcase directory during execution
afec8d7 run_tests.sh: support placing supplemental testcase files
3ada6e0 run_tests.sh: always treat outputs as text data
2cb627f program: rename bytecode load/write functions, track path of executed file
1094ffa lib: fix memory leak in uc_require_ucode()

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 11:44:36 +01:00
Jo-Philipp Wich
3b1692c463 netifd: update to latest Git HEAD
fd4c9e1 system-linux: expose hw-tc-offload ethtool feature in device status dump
3d76f2e system-linux: add wrapper function for creating link config messages
88af2f1 system-linux: delete bridge devices using netlink
85c3548 system-linux: create bridge devices using netlink

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 11:44:36 +01:00
Raymond Wang
3343ca7e68 ramips: add support for Xiaomi Mi Router CR660x series
Xiaomi Mi Router CR6606 is a Wi-Fi6 AX1800 Router with 4 GbE Ports.
Alongside the general model, it has three carrier customized models:
CR6606 (China Unicom), CR6608 (China Mobile), CR6609 (China Telecom)

Specifications:
- SoC: MediaTek MT7621AT
- RAM: 256MB DDR3 (ESMT M15T2G16128A)
- Flash: 128MB NAND (ESMT F59L1G81MB)
- Ethernet: 1000Base-T x4 (MT7530 SoC)
- WLAN: 2x2 2.4GHz 574Mbps + 2x2 5GHz 1201Mbps (MT7905DAN + MT7975DN)
- LEDs: System (Blue, Yellow), Internet (Blue, Yellow)
- Buttons: Reset, WPS
- UART: through-hole on PCB ([VCC 3.3v](RX)(GND)(TX) 115200, 8n1)
- Power: 12VDC, 1A

Jailbreak Notes:
1. Get shell access.
   1.1. Get yourself a wireless router that runs OpenWrt already.
   1.2. On the OpenWrt router:
      1.2.1. Access its console.
      1.2.2. Create and edit
             /usr/lib/lua/luci/controller/admin/xqsystem.lua
             with the following code (exclude backquotes and line no.):
```
     1  module("luci.controller.admin.xqsystem", package.seeall)
     2
     3  function index()
     4      local page   = node("api")
     5      page.target  = firstchild()
     6      page.title   = ("")
     7      page.order   = 100
     8      page.index = true
     9      page   = node("api","xqsystem")
    10      page.target  = firstchild()
    11      page.title   = ("")
    12      page.order   = 100
    13      page.index = true
    14      entry({"api", "xqsystem", "token"}, call("getToken"), (""),
103, 0x08)
    15  end
    16
    17  local LuciHttp = require("luci.http")
    18
    19  function getToken()
    20      local result = {}
    21      result["code"] = 0
    22      result["token"] = "; nvram set ssh_en=1; nvram commit; sed -i
's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/drop
bear start;"
    23      LuciHttp.write_json(result)
    24  end
```
      1.2.3. Browse http://{OWRT_ADDR}/cgi-bin/luci/api/xqsystem/token
             It should give you a respond like this:
             {"code":0,"token":"; nvram set ssh_en=1; nvram commit; ..."}
             If so, continue; Otherwise, check the file, reboot the rout-
             er, try again.
      1.2.4. Set wireless network interface's IP to 169.254.31.1, turn
             off DHCP of wireless interface's zone.
      1.2.5. Connect to the router wirelessly, manually set your access
             device's IP to 169.254.31.3, make sure
             http://169.254.31.1/cgi-bin/luci/api/xqsystem/token
             still have a similar result as 1.2.3 shows.
   1.3. On the Xiaomi CR660x:
        1.3.1. Login to the web interface. Your would be directed to a
               page with URL like this:
               http://{ROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/web/home#r-
               outer
        1.3.2. Browse this URL with {STOK} from 1.3.1, {WIFI_NAME}
               {PASSWORD} be your OpenWrt router's SSID and password:
               http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/misy-
               stem/extendwifi_connect?ssid={WIFI_NAME}&password={PASSWO-
               RD}
               It should return 0.
        1.3.3. Browse this URL with {STOK} from 1.3.1:
               http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/xqsy-
               stem/oneclick_get_remote_token?username=xxx&password=xxx&-
               nonce=xxx
   1.4. Before rebooting, you can now access your CR660x via SSH.
        For CR6606, you can calculate your root password by this project:
        https://github.com/wfjsw/xiaoqiang-root-password, or at
        https://www.oxygen7.cn/miwifi.
        The root password for carrier-specific models should be the admi-
        nistration password or the default login password on the label.
        It is also feasible to change the root password at the same time
        by modifying the script from step 1.2.2.
        You can treat OpenWrt Router however you like from this point as
        long as you don't mind go through this again if you have to expl-
        oit it again. If you do have to and left your OpenWrt router unt-
        ouched, start from 1.3.
2. There's no official binary firmware available, and if you lose the
   content of your flash, no one except Xiaomi can help you.
   Dump these partitions in case you need them:
   "Bootloader" "Nvram" "Bdata" "crash" "crash_log"
   "firmware" "firmware1" "overlay" "obr"
   Find the corespond block device from /proc/mtd
   Read from read-only block device to avoid misoperation.
   It's recommended to use /tmp/syslogbackup/ as destination, since files
   would be available at http://{ROUTER_ADDR}/backup/log/YOUR_DUMP
   Keep an eye on memory usage though.
3. Since UART access is locked ootb, you should get UART access by modify
   uboot env. Otherwise, your router may become bricked.
   Excute these in stock firmware shell:
    a. nvram set boot_wait=on
    b. nvram set bootdelay=3
    c. nvram commit
   Or in OpenWrt:
    a. opkg update && opkg install kmod-mtd-rw
    b. insmod mtd-rw i_want_a_brick=1
    c. fw_setenv boot_wait on
    d. fw_setenv bootdelay 3
    e. rmmod mtd-rw

Migrate to OpenWrt:
 1. Transfer squashfs-firmware.bin to the router.
 2. nvram set flag_try_sys1_failed=0
 3. nvram set flag_try_sys2_failed=1
 4. nvram commit
 5. mtd -r write /path/to/image/squashfs-firmware.bin firmware

Additional Info:
 1. CR660x series routers has a different nand layout compared to other
    Xiaomi nand devices.
 2. This router has a relatively fresh uboot (2018.09) compared to other
    Xiaomi devices, and it is capable of booting fit image firmware.
    Unfortunately, no successful attempt of booting OpenWrt fit image
    were made so far. The cause is still yet to be known. For now, we use
    legacy image instead.

Signed-off-by: Raymond Wang <infiwang@pm.me>
2022-02-07 00:03:27 +01:00
Wenli Looi
c32008a37b ath79: add partial support for Netgear EX7300v2
Hardware
--------
SoC: QCN5502
Flash: 16 MiB
RAM: 128 MiB
Ethernet: 1 gigabit port
Wireless No1: QCN5502 on-chip 2.4GHz 4x4
Wireless No2: QCA9984 pcie 5GHz 4x4
USB: none

Installation
------------
Flash the factory image using the stock web interface or TFTP the
factory image to the bootloader.

What works
----------
- LEDs
- Ethernet port
- 5GHz wifi (QCA9984 pcie)

What doesn't work
-----------------
- 2.4GHz wifi (QCN5502 on-chip)
  (I was not able to make this work, probably because ath9k requires
  some changes to support QCN5502.)

Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
2022-02-07 00:03:27 +01:00
Rosen Penev
7994461a5a base-files: replace fgrep with grep -F
fgrep is deprecated and replaced by grep -F. The latter is used
throughout the tree whereas this is the only usage of the former.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-02-06 23:09:15 +01:00
Ansuel Smith
4d904524ef kernel: bpf-headers: fix build error when testing kernel is used
Now that we have separate files for each kernel version,
only the version/hash for the target kernel are available.
This cause a missing hash error (and wrong kernel version) for
bpf-headers when a testing kernel version is used for the current target.

Fix this error by manually including the kernel version/hash file for the
specific kernel version requested.

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2022-02-06 12:43:57 +01:00
Stijn Tintel
2c929f8105 util-linux: package ipcs command
Add a package for util-linux' ipcs command, to show information about
System V inter-process communication facilities.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-02-05 17:48:56 +02:00
Lech Perczak
8c78a13bfc ath79: support ZTE MF286
ZTE MF286 is an indoor LTE category 6 CPE router with simultaneous
dual-band 802.11ac plus 802.11n Wi-Fi radios and quad-port gigabit
Ethernet switch, FXS and external USB 2.0 port.

Hardware highlights:
- CPU: QCA9563 SoC at 775MHz,
- RAM: 128MB DDR2,
- NOR Flash: MX25L1606E 2MB SPI Flash, for U-boot only,
- NAND Flash: GD5F1G04UBYIG 128MB SPI NAND-Flash, for all other data,
- Wi-Fi 5GHz: QCA9882 2x2 MIMO 802.11ac radio,
- WI-Fi 2.4GHz: QCA9563 3x3 MIMO 802.11n radio,
- Switch: QCA8337v2 4-port gigabit Ethernet, with single SGMII CPU port,
- WWAN: MDM9230-based category 6 internal LTE modem in extended
  mini-PCIE form factor, with 3 internal antennas and 2 external antenna
  connections, single mini-SIM slot. Modem model identified as MF270,
- FXS: one external ATA port (handled entirely by modem part) with two
  physical connections in parallel,
- USB: Single external USB 2.0 port,
- Switches: power switch, WPS, Wi-Fi and reset buttons,
- LEDs: Wi-Fi, Test (internal). Rest of LEDs (Phone, WWAN, Battery,
  Signal state) handled entirely by modem. 4 link status LEDs handled by
  the switch on the backside.
- Battery: 3Ah 1-cell Li-Ion replaceable battery, with charging and
  monitoring handled by modem.
- Label MAC device: eth0

Console connection: connector X2 is the console port, with the following
pinout, starting from pin 1, which is the topmost pin when the board is
upright:
- VCC (3.3V). Do not use unless you need to source power for the
  converer from it.
- TX
- RX
- GND
Default port configuration in U-boot as well as in stock firmware is
115200-8-N-1.

Installation:
Due to different flash layout from stock firmware, sysupgrade from
within stock firmware is impossible, despite it's based on QSDK which
itself is based on OpenWrt.

STEP 0: Stock firmware update:
As installing OpenWrt cuts you off from official firmware updates for
the modem part, it is recommended to update the stock firmware to latest
version before installation, to have built-in modem at the latest firmware
version.

STEP 1: gaining root shell:

Method 1:
This works if busybox has telnetd compiled in the binary.
If this does not work, try method 2.

Using well-known exploit to start telnetd on your router - works
only if Busybox on stock firmware has telnetd included:
- Open stock firmware web interface
- Navigate to "URL filtering" section by going to "Advanced settings",
  then "Firewall" and finally "URL filter".
- Add an entry ending with "&&telnetd&&", for example
  "http://hostname/&&telnetd&&".
- telnetd will immediately listen on port 4719.
- After connecting to telnetd use "admin/admin" as credentials.

Method 2:
This works if busybox does not have telnetd compiled in. Notably, this
is the case in DNA.fi firmware.
If this does not work, try method 3.

- Set IP of your computer to 192.168.1.22.
- Have a TFTP server running at that address
- Download MIPS build of busybox including telnetd, for example from:
  https://busybox.net/downloads/binaries/1.21.1/busybox-mips
  and put it in it's root directory. Rename it as "telnetd".
- As previously, login to router's web UI and navigate to "URL
  filtering"
- Using "Inspect" feature, extend "maxlength" property of the input
  field named "addURLFilter", so it looks like this:
  <input type="text" name="addURLFilter" id="addURLFilter" maxlength="332"
    class="required form-control">
- Stay on the page - do not navigate anywhere
- Enter "http://aa&zte_debug.sh 192.168.1.22 telnetd" as a filter.
- Save the settings. This will download the telnetd binary over tftp and
  execute it. You should be able to log in at port 23, using
  "admin/admin" as credentials.

Method 3:
If the above doesn't work, use the serial console - it exposes root shell
directly without need for login. Some stock firmwares, notably one from
finnish DNA operator lack telnetd in their builds.

STEP 2: Backing up original software:
As the stock firmware may be customized by the carrier and is not
officially available in the Internet, IT IS IMPERATIVE to back up the
stock firmware, if you ever plan to returning to stock firmware.

Method 1: after booting OpenWrt initramfs image via TFTP:
PLEASE NOTE: YOU CANNOT DO THIS IF USING INTERMEDIATE FIRMWARE FOR INSTALLATION.
- Dump stock firmware located on stock kernel and ubi partitions:

  ssh root@192.168.1.1: cat /dev/mtd4 > mtd4_kernel.bin
  ssh root@192.168.1.1: cat /dev/mtd8 > mtd8_ubi.bin

And keep them in a safe place, should a restore be needed in future.

Method 2: using stock firmware:
- Connect an external USB drive formatted with FAT or ext4 to the USB
  port.
- The drive will be auto-mounted to /var/usb_disk
- Check the flash layout of the device:

  cat /proc/mtd

  It should show the following:
  mtd0: 00080000 00010000 "uboot"
  mtd1: 00020000 00010000 "uboot-env"
  mtd2: 00140000 00020000 "fota-flag"
  mtd3: 00140000 00020000 "caldata"
  mtd4: 00140000 00020000 "mac"
  mtd5: 00600000 00020000 "cfg-param"
  mtd6: 00140000 00020000 "oops"
  mtd7: 00800000 00020000 "web"
  mtd8: 00300000 00020000 "kernel"
  mtd9: 01f00000 00020000 "rootfs"
  mtd10: 01900000 00020000 "data"
  mtd11: 03200000 00020000 "fota"

  Differences might indicate that this is NOT a vanilla MF286 device but
  one of its later derivatives.
- Copy over all MTD partitions, for example by executing the following:

  for i in 0 1 2 3 4 5 6 7 8 9 10 11; do cat /dev/mtd$i > \
  /var/usb_disk/mtd$i; done

- If the count of MTD partitions is different, this might indicate that
  this is not a standard MF286 device, but one of its later derivatives.
- (optionally) rename the files according to MTD partition names from
  /proc/mtd
- Unmount the filesystem:

  umount /var/usb_disk; sync

  and then remove the drive.
- Store the files in safe place if you ever plan to return to stock
  firmware. This is especially important, because stock firmware for
  this device is not available officially, and is usually customized by
  the mobile providers.

STEP 3: Booting initramfs image:

Method 1: using serial console (RECOMMENDED):
- Have TFTP server running, exposing the OpenWrt initramfs image, and
  set your computer's IP address as 192.168.1.22. This is the default
  expected by U-boot. You may wish to change that, and alter later
  commands accordingly.
- Connect the serial console if you haven't done so already,
- Interrupt boot sequence by pressing any key in U-boot when prompted
- Use the following commands to boot OpenWrt initramfs through TFTP:

  setenv serverip 192.168.1.22
  setenv ipaddr 192.168.1.1
  tftpboot 0x81000000 openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin
  bootm 0x81000000

  (Replace server IP and router IP as needed). There is no  emergency
  TFTP boot sequence triggered by buttons, contrary to MF283+.
- When OpenWrt initramfs finishes booting, proceed to actual
  installation.

Method 2: using initramfs image as temporary boot kernel
This exploits the fact, that kernel and rootfs MTD devices are
consecutive on NAND flash, so from within stock image, an initramfs can
be written to this area and booted by U-boot on next reboot, because it
uses "nboot" command which isn't limited by kernel partition size.
- Download the initramfs-kernel.bin image
- Split the image into two parts on 3MB partition size boundary, which
  is the size of kernel partition. Pad the output of second file to
  eraseblock size:

  dd if=openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin \
  bs=128k count=24 \
  of=openwrt-ath79-zte_mf286-intermediate-kernel.bin

  dd if=openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin \
  bs=128k skip=24 conv=sync \
  of=openwrt-ath79-zte_mf286-intermediate-rootfs.bin

- Copy over /usr/bin/flash_eraseall and /usr/bin/nandwrite utilities to
  /tmp. This is CRITICAL for installation, as erasing rootfs will cut
  you off from those tools on flash!

- After backing up the previous MTD contents, write the images to the
  respective MTD devices:

  /tmp/flash_eraseall /dev/<kernel-mtd>

  /tmp/nandwrite /dev/<kernel-mtd> \
  /var/usb_disk/openwrt-ath79-zte_mf286-intermediate-kernel.bin

  /tmp/flash_eraseall /dev/<kernel-mtd>

  /tmp/nandwrite /dev/<rootfs-mtd> \
  /var/usb_disk/openwrt-ath79-zte_mf286-intermediate-rootfs.bin

- Ensure that no bad blocks were present on the devices while writing.
  If they were present, you may need to vary the split  between
  kernel and rootfs parts, so U-boot reads a valid uImage after skipping
  the bad blocks. If it fails, you will be left with method 3 (below).
- If write is OK, reboot the device, it will reboot to OpenWrt
  initramfs:

  reboot -f

- After rebooting, SSH into the device and use sysupgrade to perform
  proper installation.

Method 3: using built-in TFTP recovery (LAST RESORT):
- With that method, ensure you have complete backup of system's NAND
  flash first. It involves deliberately erasing the kernel.
- Download "-initramfs-kernel.bin" image for the device.
- Prepare the recovery image by prepending 8MB of zeroes to the image,
  and name it root_uImage:

  dd if=/dev/zero of=padding.bin bs=8M count=1

  cat padding.bin openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin >
  root_uImage

- Set up a TFTP server at 192.0.0.1/8. Router will use random address
  from that range.
- Put the previously generated "root_uImage" into TFTP server root
  directory.
- Deliberately erase "kernel" partition" using stock firmware after
  taking backup. THIS IS POINT OF NO RETURN.
- Restart the device. U-boot will attempt flashing the recovery
  initramfs image, which will let you perform actual installation using
  sysupgrade. This might take a considerable time, sometimes the router
  doesn't establish Ethernet link properly right after booting. Be
  patient.
- After U-boot finishes flashing, the LEDs of switch ports will all
  light up. At this moment, perform power-on reset, and wait for OpenWrt
  initramfs to finish booting. Then proceed to actual installation.

STEP 4: Actual installation:
- scp the sysupgrade image to the device:

  scp openwrt-ath79-nand-zte_mf286-squashfs-sysupgrade.bin \
  root@192.168.1.1:/tmp/

- ssh into the device and execute sysupgrade:

  sysupgrade -n /tmp/openwrt-ath79-nand-zte_mf286-squashfs-sysupgrade.bin

- Wait for router to reboot to full OpenWrt.

STEP 5: WAN connection establishment
Since the router is equipped with LTE modem as its main WAN interface, it
might be useful to connect to the Internet right away after
installation. To do so, please put the following entries in
/etc/config/network, replacing the specific configuration entries with
one needed for your ISP:

config interface 'wan'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option auth '<auth>' # As required, usually 'none'
        option pincode '<pin>' # If required by SIM
        option apn '<apn>' # As required by ISP
        option pdptype '<pdp>' # Typically 'ipv4', or 'ipv4v6' or 'ipv6'

For example, the following works for most polish ISPs
config interface 'wan'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option auth 'none'
        option apn 'internet'
        option pdptype 'ipv4'

If you have build with LuCI, installing luci-proto-qmi helps with this
task.

Restoring the stock firmware:

Preparation:
If you took your backup using stock firmware, you will need to
reassemble the partitions into images to be restored onto the flash. The
layout might differ from ISP to ISP, this example is based on generic stock
firmware.
The only partitions you really care about are "web", "kernel", and
"rootfs". For easy padding and possibly restoring configuration, you can
concatenate most of them into images written into "ubi" meta-partition
in OpenWrt. To do so, execute something like:

cat mtd5_cfg-param.bin mtd6-oops.bin mtd7-web.bin mtd9-rootfs.bin > \
mtd8-ubi_restore.bin

You can skip the "fota" partition altogether,
it is used only for stock firmware update purposes and can be overwritten
safely anyway. The same is true for "data" partition which on my device
was found to be unused at all. Restoring mtd5_cfg-param.bin will restore
the stock firmware configuration you had before.

Method 1: Using initramfs:
- Boot to initramfs as in step 3:
- Completely detach ubi0 partition using ubidetach /dev/ubi0_0
- Look up the kernel and ubi partitions in /proc/mtd
- Copy over the stock kernel image using scp to /tmp
- Erase kernel and restore stock kernel:
  (scp mtd4_kernel.bin root@192.168.1.1:/tmp/)
  mtd write <kernel_mtd> mtd4_kernel.bin
  rm mtd4_kernel.bin
- Copy over the stock partition backups one-by-one using scp to /tmp, and
  restore them individually. Otherwise you might run out of space in
  tmpfs:

  (scp mtd3_ubiconcat0.bin root@192.168.1.1:/tmp/)

  mtd write <ubiconcat0_mtd> mtd3_ubiconcat0.bin
  rm mtd3_ubiconcat0.bin

  (scp mtd5_ubiconcat1.bin root@192.168.1.1:/tmp/)

  mtd write <ubiconcat1_mtd> mtd5_ubiconcat1.bin
  rm mtd5_ubiconcat1.bin

- If the write was correct, force a device reboot with

  reboot -f

Method 2: Using live OpenWrt system (NOT RECOMMENDED):
- Prepare a USB flash drive contatining MTD backup files
- Ensure you have kmod-usb-storage and filesystem driver installed for
  your drive
- Mount your flash drive

  mkdir /tmp/usb

  mount /dev/sda1 /tmp/usb

- Remount your UBI volume at /overlay to R/O

  mount -o remount,ro /overlay

- Write back the kernel and ubi partitions from USB drive

  cd /tmp/usb
  mtd write mtd4_kernel.bin /dev/<kernel_mtd>

  mtd write mtd8_ubi.bin /dev/<kernel_ubi>

- If everything went well, force a device reboot with
  reboot -f

Last image may be truncated a bit due to lack of space in RAM, but this will happen over "fota"
MTD partition which may be safely erased after reboot anyway.

Method 3: using built-in TFTP recovery (LAST RESORT):
- Assemble a recovery rootfs image from backup of stock partitions by
  concatenating "web", "kernel", "rootfs" images dumped from the device,
  as "root_uImage"
- Use it in place of "root_uImage" recovery initramfs image as in the
  TFTP pre-installation method.

Quirks and known issues
- Kernel partition size is increased to 4MB compared to stock 3MB, to
  accomodate future kernel updates - at this moment OpenWrt 5.10 kernel
  image is at 2.5MB which is dangerously close to the limit. This has no
  effect on booting the system - but keep that in mind when reassembling
  an image to restore stock firmware.
- uqmi seems to be unable to change APN manually, so please use the one
  you used before in stock firmware first. If you need to change it,
  please use protocok '3g' to establish connection once, or use the
  following command to change APN (and optionally IP type) manually:
  echo -ne 'AT+CGDCONT=1,"IP","<apn>' > /dev/ttyUSB0
- The only usable LED as a "system LED" is the green debug LED hidden
  inside the case. All other LEDs are controlled by modem, on which the
  router part has some influence only on Wi-Fi LED.
- Wi-Fi LED currently doesn't work while under OpenWrt, despite having
  correct GPIO mapping. All other LEDs are controlled by modem,
  including this one in stock firmware. GPIO19, mapped there only acts
  as a gate, while the actual signal source seems to be 5GHz Wi-Fi
  radio, however it seems it is not the LED exposed by ath10k as
  ath10k-phy0.
- GPIO5 used for modem reset is a suicide switch, causing a hardware
  reset of whole board, not only the modem. It is attached to
  gpio-restart driver, to restart the modem on reboot as well, to ensure
  QMI connectivity after reboot, which tends to fail otherwise.
- Modem, as in MF283+, exposes root shell over ADB - while not needed
  for OpenWrt operation at all - have fun lurking around.
- MAC address shift for 5GHz Wi-Fi used in stock firmware is
  0x320000000000, which is impossible to encode in the device tree, so I
  took the liberty of using MAC address increment of 1 for it, to ensure
  different BSSID for both Wi-Fi interfaces.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-02-05 12:14:08 +01:00
Pawel Dembicki
a91ab8bc05 ipq40xx: add support for ZTE MF286D
ZTE MF286D is a LTE router with four gigabit ethernet ports
and integrated QMI mPCIE modem.

Hardware specification:

  - CPU: IPQ4019
  - RAM: 256MB
  - Flash: NAND 128MB + NOR 2MB
  - WLAN1:  Qualcomm Atheros QCA4019 2.4GHz 802.11bgn 2x2:2
  - WLAN2:  Qualcomm Atheros QCA4019 5GHz 802.11anac 2x2:2
  - LTE: mPCIe cat 12 card (Modem chipset MDM9250)
  - LAN: 4 Gigabit Ports
  - USB: 1x USB2.0 (regular port). 1x USB3.0 (mpcie - used by the modem)
  - Serial console: X8 connector 115200 8n1

Known issues:

  - Many LEDs are driven by the modem. Only internal LEDs and wifi LEDs
    are driven by cpu.
  - Wifi LED is triggered by phy0tpt only
  - No VoIP support
  - LAN1/WAN port is configured as WAN
  - ZTE gives only one MAC per device. Use +1/+2/+3 increment for WAN
    and WLAN0/1

Opening the case:

1. Take of battery lid (no battery support for this model, battery cage
   is dummy).
2. Unscrew screw placed behind battery lid.
3. Take off back cover. It attached with multiple plastic clamps.
4. Unscrew four more screws hidden behind back case.
5. Remove front panel from blue chassis. There are more plastic
   clamps.
6. Unscrew two boards, which secures the PCB in the chassis.
7. Extract board from blue chassis.

Console connection (X8 connector):

1. Parameters: 115200 8N1
2. Pin description: (from closest pin to X8 descriptor to farthest)
    - VCC (3.3V)
    - TX
    - RX
    - GND

Install Instructions:

Serial + initramfs:
1. Place OpenWrt initramfs image for the device on a TFTP in
   the server's root. This example uses Server IP: 192.168.1.3
2. Connect serial console (115200,8n1) to X8 connector.
3. Connect TFTP server to RJ-45 port.
4. Stop in u-Boot and run u-Boot commands:
	setenv serverip 192.168.1.3
	setenv ipaddr 192.168.1.72
	set fdt_high 0x85000000
	tftp openwrt-ipq40xx-generic-zte_mf286d-initramfs-fit-zImage.itb
	bootm $loadaddr
5. Please make backup of original partitions, if you think about revert
   to stock.
6. Login via ssh or serial and remove stock partitions:
	ubiattach -m 9
	ubirmvol /dev/ubi0 -N ubi_rootfs
	ubirmvol /dev/ubi0 -N ubi_rootfs_data
7. Install image via "sysupgrade -n".

Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
(cosmetic changes to the commit message)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-02-05 00:44:35 +01:00
Christian Lamparter
c2630ac910 linux-firmware: qca99x0 update package
Kalle Valo ath10k-firmware repository no longer provides the
legacy board.bin files for the qca99x0 chips. Instead he
copied over the codeaurora version and add more board files.

In the future, this board-2.bin should find its way to
linux-firmware.git, which would allow us to remove the
extra download code completely.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-02-05 00:44:35 +01:00
Christian Lamparter
fcd5fd49c5 kernel: usb: remove left-over LINUX_5_10 dependency symbol
this should have been removed together with linux 5.4 APM821XX
support. Currently, this didn't hurt or broke something. But it
will in the next stable kernel release.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-02-04 21:13:15 +01:00
Felix Fietkau
8c1d5129ee bpf-headers: fix build error from within the SDK
The SDK does not ship the generic platform files. Use relative path for
GENERIC_PLATFORM_DIR to make it work. This points it at the files from
the feed directory instead of the base SDK path

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-04 12:51:48 +01:00
Sven Eckelmann
8a8b7b4234 om-watchdog: Drop unused package
All devices which used this package migrated to the kernel GPIO-line
watchdog driver and configure it over their DT.

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2022-02-03 22:27:15 +01:00
Josef Schlehofer
d16bd89c71 uboot-mvebu: backport two patches for Marvell A38x
This solves issue with DDR training on Turris Omnia.

Log:
********   DRAM initialization Failed (res 0x1)   ********
DDR3 Training Sequence - FAILED
ERROR ### Please RESET the board ###

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2022-02-03 21:24:26 +01:00
Josef Schlehofer
5c804bc199 uboot-mvebu: Add U-boot for Turris Omnia
* Add U-boot support for Turris Omnia

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2022-02-03 21:24:26 +01:00
Josef Schlehofer
782d4c8306 uboot-mvebu: update to version 2022.01
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Tested-by: Andre Heider <a.heider@gmail.com> # ESPRESSObin
2022-02-03 21:24:26 +01:00
Felix Fietkau
e045e40671 mt76: update to the latest version
833b9d7fcf7f mt76: allow drivers to drop rx packets early
f703084f31cb mt76: mt7915: process txfree and txstatus without allocating skbs
047b9a9e78b3 mt76: mt7615: in debugfs queue stats, skip wmm index 3 on mt7663
fea36e02075c mt76: only kick tx queue if frames were queued
8381e54ebfb5 linux-firmware: update firmware for MT7921 WiFi device
d57dadb8c861 Revert "mt76: only kick tx queue if frames were queued"
3a21d6e2153b mt76: mt7663: disable 4addr capability
f1d66cf7a6c5 mt76: connac: fix possible NULL pointer dereference in mt76_connac_get_phy_mode_v2
c9a4146404d4 sync with upstream
4ed8c910b94e mt76: mt7921: fix possible resume failure
bf105aa6cd2f mt76: mt7921: fix network buffer leak by txs missing
e2b454b6fb30 mt76: connac: introduce MCU_EXT macros
5a87f5497c9b mt76: connac: align MCU_EXT definitions with 7915 driver
720ddc32507d mt76: connac: remove MCU_FW_PREFIX bit
da5128a59eda mt76: connac: introduce MCU_UNI_CMD macro
116109bee7cb mt76: connac: introduce MCU_CE_CMD macro
f96fbdf038d5 mt76: connac: rely on MCU_CMD macro
922f0d408413 mt76: mt7915: rely on mt76_connac definitions
b4ae1da1d1e0 mt76: mt7921: reduce log severity levels for informative messages
db105a722b87 mt76: mt7921s: make pm->suspended usage consistent
e2cc063238c0 mt76: mt7921s: fix suspend error with enlarging mcu timeout value
812b73f2f1e0 mt76: mt7915: introduce mt76_vif in mt7915_vif
b041a8a30055 mt76: mt7915: add mu-mimo and ofdma debugfs knobs
b851a3e7839d mt76: mt7921: remove dead definitions
266c7a9f2994 mt76: connac: rely on le16_add_cpu in mt76_connac_mcu_add_nested_tlv
19cc7d83190c mt76: mt7921: clear pm->suspended in mt7921_mac_reset_work
928c4550e413 mt76: mt7921s: make pm->suspended usage consistent [update]
8d6c68a7d0d1 mt76: mt7921: fix possible resume failure [update]
26fb105e538c mt76: mt7921s: fix cmd timeout in throughput test
9db482264389 mt76: mt7921: fix build regression
3edb87cdf138 mt7915: formatting change to sync with upstream
5cad38ba247d mt76: mt7915: add mt7915_mmio_probe() as a common probing function
15f9f88b362a mt76: mt7915: refine register definition
de49cf43ef34 mt76: add MT_RXQ_MAIN_WA for mt7916
6032c35f1306 mt76: mt7915: rework dma.c to adapt mt7916 changes
074d7c5381ed mt76: mt7915: add firmware support for mt7916
27b3253318e7 mt76: mt7915: rework eeprom.c to adapt mt7916 changes
030540246088 mt76: mt7915: enlarge wcid size to 544
400129c69f91 mt76: mt7915: add txfree event v3
cbbb3f65fcd0 mt76: mt7915: update rx rate reporting for mt7916
eb51c4deef0e mt76: mt7915: update mt7915_chan_mib_offs for mt7916
fb4709222028 mt76: mt7915: add mt7916 calibrated data support
e758feeaf1d6 mt76: mt7915: add device id for mt7916
115ea27a5cab mt76: connac: fix sta_rec_wtbl tag len
b3f922266685 mt76: mt7915: rely on mt76_connac_mcu_alloc_sta_req
bac5eda1f5b2 mt76: mt7915: rely on mt76_connac_mcu_alloc_wtbl_req
b44485d5c8ac mt76: mt7915: rely on mt76_connac_mcu_add_tlv routine
9cc58e254d53 mt76: connac: move mt76_connac_mcu_get_cipher in common code
60dcd9f09ff6 mt76: connac: move mt76_connac_chan_bw in common code
a8d0b7d0cc60 mt76: mt7915: rely on mt76_connac_get_phy utilities
4441db30c1c1 mt76: connac: move mt76_connac_mcu_add_key in connac module
794b6f18d0fb mt76: mt7915: fix code defect
9d2a01b6cb60 mt76: set wlan_idx_hi on mt7916
2c89977b32c2 mt76: mt7915: fix kernel build warning
6c4874839830 mt76: make mt76_sar_capa static
215fdcc7ca6c mt76: mt7915: use proper aid value in mt7915_mcu_wtbl_generic_tlv in sta mode
bc254718b40e mt76: mt7915: use proper aid value in mt7915_mcu_sta_basic_tlv
22fcff5ff21a mt76: sdio: lock sdio when it is needed
4669882aa595 mt76: mt7921s: clear MT76_STATE_MCU_RUNNING immediately after reset
944545855e0f mt76: mt7921s: update mt7921s_wfsys_reset sequence
854c8d076a34 mt76: mt7915: move pci specific code back to pci.c
a77da27796f2 mt76: mt7915: fix warning: variable 'base' is used uninitialized
7b5e69961c71 mt76: mt7915: fix warning: variable 'flags' set but not used
b5138e7b89f9 mt76: mt7921: fix a possible race enabling/disabling runtime-pm
af218fbe2500 linux-firmware: update firmware for MT7921 WiFi device
31c19c467950 mt76: mt7915: remove duplicated defs in mcu.h
9198eca1b16f mt76: connac: move mt76_connac_mcu_bss_omac_tlv in connac module
829d87a93a51 mt76: connac: move mt76_connac_mcu_bss_ext_tlv in connac module
50956cf17901 mt76: connac: move mt76_connac_mcu_bss_basic_tlv in connac module
bda40f4e1d5e mt76: mt7915: rely on mt76_connac_mcu_sta_ba_tlv
4728939c1d48 mt76: mt7915: rely on mt76_connac_mcu_wtbl_ba_tlv
e3ae1828068b mt76: mt7915: rely on mt76_connac_mcu_sta_ba
d9e9989eca07 mt76: mt7915: rely on mt76_connac_mcu_wtbl_generic_tlv
168713595fff mt76: mt7915: rely on mt76_connac_mcu_sta_basic_tlv
60394d3e3504 mt76: mt7915: rely on mt76_connac_mcu_sta_uapsd
3a79454d078d mt76: mt7915: rely on mt76_connac_mcu_wtbl_smps_tlv
9ae9aa6c1aea mt76: mt7915: rely on mt76_connac_mcu_wtbl_ht_tlv
fd8cdfab91e4 mt76: mt7915: rely on mt76_connac_mcu_wtbl_hdr_trans_tlv
a92024c5a5b5 mt76: connac: move mt76_connac_mcu_wtbl_update_hdr_trans in connac module
6dc585a3a274 mt76: connac: introduce is_connac_v1 utility routine
0f29d2aa5a72 mt76: connac: move mt76_connac_mcu_set_pm in connac module
dcf408ff8a5e mt76: mt7921: get rid of mt7921_mcu_get_eeprom
77b2a8601fc1 mt76: mt7915: rely on mt76_connac_mcu_start_firmware
65f78dee243a mt76: connac: move mt76_connac_mcu_restart in common module
5adf5b14040b mt76: mt7915: rely on mt76_connac_mcu_patch_sem_ctrl/mt76_connac_mcu_start_patch
69bf1dabe78f mt76: mt7915: rely on mt76_connac_mcu_init_download
951b1ddd370e mt76: connac: move mt76_connac_mcu_gen_dl_mode in mt76-connac module
0826b3992238 mt76: mt7915: rely on mt76_connac_mcu_set_rts_thresh
058de6d36fa9 mt76: connac: move mt76_connac_mcu_rdd_cmd in mt76-connac module
aafda86aed2b mt76: mt7921e: make dev->fw_assert usage consistent
def12bef91a3 mt76: mt7921: forbid the doze mode when coredump is in progress
009414d27d37 mt76: mt76_connac: fix MCU_CE_CMD_SET_ROC definition error
3c5856eca223 mt76: mt7921: set EDCA parameters with the MCU CE command
01a3d73b452e mt76: mt7615: fix a possible race enabling/disabling runtime-pm
123ed864d1ae mt76: mt7921e: process txfree and txstatus without allocating skbs
018f98abba68 mt76: connac: add support for passing the cipher field in bss_info
288e7443e35c mt76: mt7615: update bss_info with cipher after setting the group key
36e1577cb3d3 mt76: mt7915: update bss_info with cipher after setting the group key
d42590d8fcc8 mt76: make cipher in struct mt76_vif u8 instead of enum
11602b8505c6 mt76: mt7615e: process txfree and txstatus without allocating skbs
2ef775c10bd3 linux-firmware: add firmware for MT7916
976ea3879730 mt76: mt7915: add support for passing chip/firmware debug data to user space
d11bd7bd83f4 tools: add support for sending firmware debug data via udp
dc8e2e8dcd34 mt76: mt7921: do not always disable fw runtime-pm
7063127f852b mt76: mt7921: fix a leftover race in runtime-pm
f78f4334b0b2 mt76: mt7615: fix a leftover race in runtime-pm
f1f94d19c160 mt76: mt7915: fix ht mcs in mt7915_mac_add_txs_skb()
c2ff2f0d6d19 mt76: mt7921: fix ht mcs in mt7921_mac_add_txs_skb()
3e7954a0b32e mt76: mt7921s: fix mt7921s_mcu_[fw|drv]_pmctrl
3c2cc9034376 mt76: mt7921e: fix possible probe failure after reboot
f7f6c6dcc6eb mt76: mt7921: fix crash when startup fails.
8656198c925b mt76: sdio: disable interrupt in mt76s_sdio_irq
6204d61ab821 mt76: mt7921: fix endianness issues in mt7921_mcu_set_tx()
68c5aa56f5f2 mt76: mt7921: toggle runtime-pm adding a monitor vif
541e4e8d3c3e mt76: mt7915: set bssinfo/starec command when adding interface
78770f741af9 mt76: mt7915: introduce mt7915_set_radar_background routine
93c03778f92e mt76: mt7915: enable radar trigger on rdd2
4c76a6c3a1f2 mt76: mt7915: introduce rdd_monitor debugfs node
5b94045f927e mt76: mt7915: report radar pattern if detected by rdd2
22094b27ff6a mt76: mt7915: enable radar background detection
4282ca57a143 mt76: connac: move mt76_connac_lmac_mapping in mt76-connac module
0f16c67657a2 mt76: mt7915: add missing DATA4_TB_SPTL_REUSE1 to mt7915_mac_decode_he_radiotap
9a16d33311a7 mt76: mt7921: remove duplicated code in mt7921_mac_decode_he_radiotap
639b55fdc95e mt76: mt7615: add support for LG LGSBWAC02 (MT7663BUN)
ebbd2717a16e mt76: mt7663s: flush runtime-pm queue after waking up the device
37c3bf2256de mt76: mt7603: check sta_rates pointer in mt7603_sta_rate_tbl_update
96959bd15eef mt76: mt7615: check sta_rates pointer in mt7615_sta_rate_tbl_update
4e42e55ce636 mt76: stop the radar detector after leaving dfs channel
8b32439d5a86 mt76: mt7915: fix possible memory leak in mt7915_mcu_add_sta
b4e6f0d6f15a mt76: mt7921s: fix a possible memory leak in mt7921_load_patch
15398f1e8385 mt76: mt7915: fix mcs_map in mt7915_mcu_set_sta_he_mcs()
607eda6eb032 mt76: mt7915: update max_mpdu_size in mt7915_mcu_sta_amsdu_tlv()
69d20f2e6cb0 mt76: mt7915: fix the nss setting in bitrates
c3ffa536249a mt76: sdio: honor the largest Tx buffer the hardware can support
e3e3562f8fa0 mt76: mt7921s: run sleep mode by default
553200cf63fd firmware: update mt7662 firmware to version 2.3
20d1fed838b9 mt76x02: improve mac error check/reset reliability
9b2ac62d6f31 mt76: mt76x02: improve tx hang detection
fae295af31eb mt76: mt7915: fix/rewrite the dfs state handling logic
e0f9479bf893 mt76: mt7615: fix/rewrite the dfs state handling logic
822e1135e7e1 mt76: mt76x02: use mt76_phy_dfs_state to determine radar detector state
f8c0ed1e6bdf mt76: do not always copy ethhdr in reverse_frag0_hdr_trans
ab9b8078427a mt76: dma: initialize skip_unmap in mt76_dma_rx_fill

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-03 15:16:47 +01:00
Felix Fietkau
0b5a547ef0 mac80211: backport support for background radar detection
Will be used in an upcoming mt76 update

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-03 15:16:47 +01:00
Felix Fietkau
03ea0405a6 mac80211: backport MBSSID/EMA support patches
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-03 15:16:47 +01:00
Felix Fietkau
543ada64ed mac80211: reorganize patches
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-03 15:16:47 +01:00
Felix Fietkau
02b9b6872a mac80211: backport support for ndo_fill_forward_path
Will be used in an upcoming mt76 update

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-03 15:16:47 +01:00
Etienne Champetier
0e32c6baf3 iptables: add ip{,6}tables-legacy{,-restore,-save} symlinks
Now that we can have both legacy and nft iptables variants
installed at the same time, install the legacy symlinks

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-03 00:02:31 +01:00
Etienne Champetier
3a5df36cf6 iptables: use ALTERNATIVES for ip(6)tables(-nft)
As nftables is now the default, ip(6)tables-nft gets higher priority

The removed symlinks ("$(CP)" line) will now be installed by the
ALTERNATIVES mechanism

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-03 00:02:31 +01:00
Etienne Champetier
b0bd6599e8 iptables: rework ip(6)tables-nft dependencies
according to iptables-nft man page,
"These tools use the libxtables framework extensions and hook to the nf_tables
kernel subsystem using the nft_compat module."

This means that to work, iptables-nft needs the same modules as
iptables legacy except the ip(6)table-{filter,mangle,nat,raw}
ip_tables, ip6tables.
When those modules are loaded iptables-nft-save output contains
"# Warning: iptables-legacy tables present, use iptables-legacy-save to see them"
But as long as it's empty it should not be a problem.

To have nft properly display the rules created by ip(6)tables-nft we need
all iptables targets and matches to be built as extension and not built-in
(/usr/lib/iptables/libip(6)t_*.so)

When switching a package to iptables-nft, you need to keep the
iptables-mod-* dependencies

This patch does minimal changes:
- remove the direct iptables-nft -> iptables dependency
- and more important add nft-compat dependency

The rule
iptables-nft -A OUTPUT -d 8.8.8.8 -m comment --comment "aaa" -j REJECT
becomes
table ip filter {
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		ip daddr 8.8.8.8 # xt_comment counter packets 0 bytes 0 # xt_REJECT
	}
}

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-03 00:02:31 +01:00
Etienne Champetier
1ebb8e3b6b netfilter: add kmod-nft-compat
This modules is required by iptables-nft

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-02 23:24:03 +01:00
Etienne Champetier
4e7ad15904 iptables: fix ip6tables-nft description
ip6tables-nft packages ip6tables* utils not iptables*

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-02 23:24:03 +01:00
Etienne Champetier
a5c8811c04 iptables: fix ip6tables-extra description
The define was referencing ip6tables-mod-extra instead of ip6tables-extra

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-02 23:24:03 +01:00
Daniel Golle
4367d4f869
uqmi: update to git HEAD
f254fc5 uqmi: add support for get operating mode

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-02-02 02:37:21 +00:00
Alar Aun
70eedac9b3 ipq40xx: add MikroTik cAP ac support
This adds support for the MikroTik RouterBOARD RBcAPGi-5acD2nD
(cAP ac), a  indoor dual band, dual-radio 802.11ac wireless AP, two
10/100/1000 Mbps Ethernet ports.

See https://mikrotik.com/product/cap_ac for more info.

Specifications:
 - SoC: Qualcomm Atheros IPQ4018
 - RAM: 128 MB
 - Storage: 16 MB NOR
 - Wireless:
   · Built-in IPQ4018 (SoC) 802.11b/g/n 2x2:2, 2.5 dBi antennae
   · Built-in IPQ4018 (SoC) 802.11a/n/ac 2x2:2, 2.5 dBi antennae
 - Ethernet: Built-in IPQ4018 (SoC, QCA8075) , 2x 1000/100/10 port,
   PoE in and passive PoE out

Unsupported:
 - PoE out

Installation:
Boot the initramfs image via TFTP and then flash the sysupgrade
image using "sysupgrade -n"

Signed-off-by: Alar Aun <alar.aun@gmail.com>
2022-02-01 23:18:58 +01:00
Sergey V. Lobanov
93d91197b9 wolfssl: update to 5.1.1-stable
Bump from 4.8.1-stable to 5.1.1-stable

Detailed release notes: https://github.com/wolfSSL/wolfssl/releases

Upstreamed patches:
001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch -
 fa8f23284d
002-Update-macro-guard-on-SHA256-transform-call.patch -
 f447e4c1fa

Refreshed patches:
100-disable-hardening-check.patch
200-ecc-rng.patch

CFLAG -DWOLFSSL_ALT_CERT_CHAINS replaced to --enable-altcertchains
configure option

The size of the ipk changed on aarch64 like this:
491341 libwolfssl4.8.1.31258522_4.8.1-stable-7_aarch64_cortex-a53.ipk
520322 libwolfssl5.1.1.31258522_5.1.1-stable-1_aarch64_cortex-a53.ipk

Tested-by: Alozxy <alozxy@users.noreply.github.com>
Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2022-02-01 23:18:01 +01:00
Marek Behún
45d541bb40 kernel: add kmod-vrf
Add option to compile kmod-vrf, support for Virtual Routing and
Forwarding (Lite).

This module depends on NET_L3_MASTER_DEV, which is a boolean kernel
option, so we need to create a configuration option also for this, and
make kmod-vrf depend on it.

Signed-off-by: Marek Behún <kabel@kernel.org>
2022-02-01 22:59:09 +01:00
Hauke Mehrtens
6cab21bd6d kernel: Make kmod-usb-net-lan78xx depend on kmod-of-mdio
kmod-usb-net-lan78xx depends on kmod-of-mdio when this package is
activated.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Hauke Mehrtens
8c1a84aada uboot-envtools: Update to version 2022.01
The sizes of the ipk changed on MIPS 24Kc like this:
13281 uboot-envtools_2021.01-54_mips_24kc.ipk
13308 uboot-envtools_2022.01-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Hauke Mehrtens
392609543d libcap: Update to version 2.63
The sizes of the ipk changed on MIPS 24Kc like this:
11248 libcap_2.51-1_mips_24kc.ipk
14461 libcap_2.63-1_mips_24kc.ipk

18864 libcap-bin_2.51-1_mips_24kc.ipk
20576 libcap-bin_2.63-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Hauke Mehrtens
8c2445a0e4 e2fsprogs: Update to version 1.46.5
The sizes of the ipk changed on MIPS 24Kc like this:
  8788 badblocks_1.45.6-2_mips_24kc.ipk
  8861 badblocks_1.46.5-1_mips_24kc.ipk

  3652 chattr_1.45.6-2_mips_24kc.ipk
  3657 chattr_1.46.5-1_mips_24kc.ipk

 58128 debugfs_1.45.6-2_mips_24kc.ipk
 60279 debugfs_1.46.5-1_mips_24kc.ipk

  8551 dumpe2fs_1.45.6-2_mips_24kc.ipk
  8567 dumpe2fs_1.46.5-1_mips_24kc.ipk

  4797 e2freefrag_1.45.6-2_mips_24kc.ipk
  4791 e2freefrag_1.46.5-1_mips_24kc.ipk

159790 e2fsprogs_1.45.6-2_mips_24kc.ipk
168212 e2fsprogs_1.46.5-1_mips_24kc.ipk

  7083 e4crypt_1.45.6-2_mips_24kc.ipk
  7134 e4crypt_1.46.5-1_mips_24kc.ipk

  5749 filefrag_1.45.6-2_mips_24kc.ipk
  6233 filefrag_1.46.5-1_mips_24kc.ipk

  4361 libcomerr0_1.45.6-2_mips_24kc.ipk
  4355 libcomerr0_1.46.5-1_mips_24kc.ipk

168040 libext2fs2_1.45.6-2_mips_24kc.ipk
174209 libext2fs2_1.46.5-1_mips_24kc.ipk

  8514 libss2_1.45.6-2_mips_24kc.ipk
  8613 libss2_1.46.5-1_mips_24kc.ipk

  3148 lsattr_1.45.6-2_mips_24kc.ipk
  3227 lsattr_1.46.5-1_mips_24kc.ipk

 22530 resize2fs_1.45.6-2_mips_24kc.ipk
 22909 resize2fs_1.46.5-1_mips_24kc.ipk

 33315 tune2fs_1.45.6-2_mips_24kc.ipk
 34511 tune2fs_1.46.5-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Hauke Mehrtens
18c6b99666 util-linux: Update to version 2.37.3
This release fixes two security mount(8) and umount(8) issues:

CVE-2021-3996
    Improper UID check in libmount allows an unprivileged user to unmount FUSE
    filesystems of users with similar UID.

CVE-2021-3995
    This issue is related to parsing the /proc/self/mountinfo file allows an
    unprivileged user to unmount other user's filesystems that are either
    world-writable themselves or mounted in a world-writable directory.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Hauke Mehrtens
693d7c12e8 util-linux: Do not build raw any more.
The man page of the raw tool does not build because the disk-utils/raw.8
file is missing. It looks like it should be in the tar.xz file we
download, but it is missing.

We do not package the raw tool, so this is not a problem.

This fixes the following build error:
No rule to make target 'disk-utils/raw.8', needed by 'all-am'.  Stop.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Hauke Mehrtens
64866ba474 strace: Update to version 5.16
The sizes of the ipk changed on MIPS 24Kc like this:
289764 strace_5.14-1_mips_24kc.ipk
310899 strace_5.16-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Hauke Mehrtens
cec4614df8 ethtool: Update to version 5.16
795f420 cmis: Rename CMIS parsing functions
369b43a cmis: Initialize CMIS memory map
da16288 cmis: Use memory map during parsing
6acaeb9 cmis: Consolidate code between IOCTL and netlink paths
d7d15f7 sff-8636: Rename SFF-8636 parsing functions
4230597 sff-8636: Initialize SFF-8636 memory map
b74c040 sff-8636: Use memory map during parsing
799572f sff-8636: Consolidate code between IOCTL and netlink paths
9fdf45c sff-8079: Split SFF-8079 parsing function
2ccda25 netlink: eeprom: Export a function to request an EEPROM page
86792db cmis: Request specific pages for parsing in netlink path
6e2b32a sff-8636: Request specific pages for parsing in netlink path
c2170d4 sff-8079: Request specific pages for parsing in netlink path
9538f38 netlink: eeprom: Defer page requests to individual parsers
664586e Merge branch 'review/next/module-mem-map' into master
50fdaec ethtool: Set mask correctly for dumping advertised FEC modes
c5e7133 cable-test: Fix premature process termination
73091cd sff-8636: Use an SFF-8636 specific define for maximum number of channels
837c166 sff-common: Move OFFSET_TO_U16_PTR() to common header file
8658852 cmis: Initialize Page 02h in memory map
27b42a9 cmis: Initialize Banked Page 11h in memory map
340d88e cmis: Parse and print diagnostic information
eae6a99 cmis: Print Module State and Fault Cause
82012f2 cmis: Print Module-Level Controls
d7b1007 sff-8636: Print Power set and Power override bits
429f2fc Merge branch 'review/cmis-diag' into master
32457a9 monitor: do not show duplicate options in help text
c01963e Release version 5.16.

The sizes of the ipk changed on MIPS 24Kc like this:
34317 ethtool_5.15-1_mips_24kc.ipk
34311 ethtool_5.16-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Hauke Mehrtens
57f38e2c82 mbedtls: Update to version 2.16.12
This fixes the following security problems:
* Zeroize several intermediate variables used to calculate the expected
  value when verifying a MAC or AEAD tag. This hardens the library in
  case the value leaks through a memory disclosure vulnerability. For
  example, a memory disclosure vulnerability could have allowed a
  man-in-the-middle to inject fake ciphertext into a DTLS connection.
* Fix a double-free that happened after mbedtls_ssl_set_session() or
  mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
  (out of memory). After that, calling mbedtls_ssl_session_free()
  and mbedtls_ssl_free() would cause an internal session buffer to
  be free()'d twice. CVE-2021-44732

The sizes of the ipk changed on MIPS 24Kc like this:
182454 libmbedtls12_2.16.11-2_mips_24kc.ipk
182742 libmbedtls12_2.16.12-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Hauke Mehrtens
5b96048de1 gdb: Update gdb to version 11.2
This is a minor corrective release over GDB 11.1, fixing the following issues:
* PR sim/28302 (gdb fails to build with glibc 2.34)
* PR build/28318 (std::thread support configure check does not use CXX_DIALECT)
* PR gdb/28405 (arm-none-eabi: internal-error: ptid_t remote_target::select_thread_for_ambiguous_stop_reply(const target_waitstatus*): Assertion `first_resumed_thread != nullptr' failed)
* PR tui/28483 ([gdb/tui] breakpoint creation not displayed)
* PR build/28555 (uclibc compile failure since commit 4655f8509fd44e6efabefa373650d9982ff37fd6)
* PR rust/28637 (Rust characters will be encoded using DW_ATE_UTF)
* PR gdb/28758 (GDB 11 doesn't work correctly on binaries with a SHT_RELR (.relr.dyn) section)
* PR gdb/28785 (Support SHT_RELR (.relr.dyn) section)

The sizes of the ipk changed on mips 24Kc like this:
2285775 gdb_11.1-3_mips_24kc.ipk
2287441 gdb_11.2-4_mips_24kc.ipk
191828 gdbserver_11.1-3_mips_24kc.ipk
191811 gdbserver_11.2-4_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Sungbo Eo
0c635cf830 linux-firmware: intel: add firmware for AX210
Add the most recent supported firmware file for Intel Wi-Fi 6E AX210
wireless chip. The API version 67 is not yet supported by the driver.
Additional PNVM file is required since API version 62.

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
2022-01-31 18:59:10 +00:00
Daniel Golle
b6a2cee4b7
ubox: fix broken deferred start of logfile writer
Just use 'start' action which will have the desired effect instead of
trying to introduce a 'start_file' action which didn't work that way
because procd jshn magic would have to wrap around it.

Fixes: 88baf6ce2c ("ubox: only start log to file when filesystem has been mounted")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-31 15:03:25 +00:00
Daniel Golle
5d110c0161
procd: seccomp/jail: Fix build error on arm with glibc
From: Peter Lundkvist <peter.lundkvist@gmail.com>

This fixes the make_syscall_h.sh script to recognize both
__NR_Linux, used by mips, and __NR_SYSCALL_BASE and
__ARM_NR_BASE used by arm.

Run-tested on arm (ipq806x) and mips (ath79), both with glibc.
Compile-tested and checked resulting syscall_names.h file wuth
glibc: aarch64, powerpc, x86_64, i486
musl: arm, mips

Fixes: FS#4194, FS#4195

Signed-off-by: Peter Lundkvist <peter.lundkvist@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-31 00:10:42 +00:00
Daniel Golle
88baf6ce2c
ubox: only start log to file when filesystem has been mounted
If log_file is on an filesystem mounted using /etc/config/fstab we have
to wait for that to happen before starting the logread process.
Inhibit the start of the file-writer process and use a mount trigger to
fire it up once the filesystem actually becomes available.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-30 20:19:37 +00:00
Daniel Golle
6d76ec3872
procd: support generic mount triggers and clean up
Allow init scripts to trigger free-form actions by exposing
procd_add_action_mount_trigger.
Clean up mount trigger wrappers while at it to reduce code duplication.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-30 20:16:25 +00:00
Roman Azarenko
5bd926efa9 util-linux: add lslocks
This change adds the "lslocks" utility from util-linux.

Signed-off-by: Roman Azarenko <roman.azarenko@iopsys.eu>
2022-01-28 22:12:18 +01:00
Hauke Mehrtens
fcb29171bc arc770: Remove arc770 target
The arc700 target is not booting up since some time, see here:
https://github.com/foss-for-synopsys-dwc-arc-processors/toolchain/issues/400

It looks like there is a problem in the toolchain when using glibc.

Currently no one is working on fixing this problem, remove the target
instead. This target also does not have many users we are aware of.

If someone wants to have this target back, feel free to add a fixed
version of this target again.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Acked-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-01-28 21:58:24 +01:00
Jo-Philipp Wich
edb41fea66 firewall4: update to latest Git HEAD
16a1070 fw4.uc: handle zone masq6 option
5f61dbf ruleset: fix chain selection for mark and dscp targets
0bc844b ruleset: properly deal with wildcards in zone device selectors
101988d fw4: fix family comparisons
127dbc0 ruleset: emit AF specific rules for DSCP matches
d63cb89 fw4: fix parsing inverted numeric DSCP values
8c8a867 fw4: fix wrong `parse_network()` return value on `parse_subnet()` failure
f85bb2d ruleset: consolidate zone matches for raw_prerouting and raw_output chains
5669bc7 fw4: consolidate device grouping logic
94f03e0 ruleset: properly render redirect targets without port
fff9779 fw4: fix family selection logic for redirect rules
ca88fcd tests: update interface dump mock data
e60bb4b ruleset: support non-contiguous address masks
8fec51a fw4: fix potential crashes when parsing invalid redirect sections
c08eb44 fw4: fix redirect destination zone resolving
0df6ba0 fw4: fix address selection logic for DNAT reflection rules
60a2518 tests: add test coverage for redirect rules
e479eff fw4: add RFC-8622 'Least Effort' (LE) DSCP mark
ac8a737 ruleset: remove redundant syn check
bd5dc4b tests: run testcases in strict mode
3ee6a5c ruleset: fix undeclared variable access uncovered by strict mode

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-01-28 19:13:37 +01:00
Jo-Philipp Wich
0a29133b1f ucode: update to latest Git HEAD
c6dae42 LICENSE: add ISC license file
402f603 lib: introduce struct library
dcb6ffd struct: fix PowerPC specific compiler pragma name
a0512ea treewide: fix typo in exported function names and types
eaaaf88 nl80211: fix wiphy dump reply merge logic
e6efadb fs: add utility functions
54ef6c0 nl80211: fix premature netlink reply receive abort
07802f3 syntax: disallow keywords in object property shorthand notation
3489b75 vm: support object property access on resource value types
dc8027c types: consider resource prototypes when marking reachable objects
5680fab treewide: fix upvalue reference type name
0d29b25 treewide: fix "resource" misspellings
99fdafd vm: introduce value registry
66f7c00 ubus: add support for async requests
5c77dd5 fs: implement fdopen(), file.fileno() and proc.fileno()
b605dbf treewide: rework numeric value handling
599d233 vallist: store double values in a platform neutral manner
5bb9ab7 struct: reuse double packing routines from core
2fd7ab5 vm: optimize string concatenation
eafa321 lib: implement uniq() function
6b2e79a types: add initial infrastructure for function serialization
725bb75 compiler, vm: use a program wide constant list
6c2caf9 source: refactor source file handling
371ba45 program: implement support for precompiling source files
3578afe build: support building without compile capabilities
61d0a34 lib: replace usages of vasprintf() with xvasprintf()
03b6a8e syntax: drop legacy syntax support
01132db lib: fix %J string formats with precision specifier
3f44c42 lib: rework format string handling
a1b3c5d struct: implement `*` format, fix invalid memory accesses
34a04a2 run_tests.sh: fix exitcode evaluation
abe38e7 run_tests.sh: add ability to define environment variables for testcases
04fa2ba tests: reorganize testcase files
6a55d10 lib: fix exists() error return value
aa860a3 vm: fix `null` loose equality/inequality checks
3f6d199 vallist: uc_number_parse(): parse empty strings as `0`, not `NaN`
ddc5aa7 vm: fix NaN strict equality tests

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-01-28 19:13:37 +01:00
Florian Fainelli
17135ae091 perf: Depend on libbfd and libopcodes when enabled
bpftool will enabled libbfd and libopcodes which gets picked up by perf
as libraries to link against. Add those missing dependencies when either
of these packages are enabled.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2022-01-27 20:16:57 -08:00
Tiago Gaspar
ef4c97576b netfilter: correct some dependencies
nf-nathelper-extra and nf-conntrack-netlink had iptables related
dependencies, yet, when looking for the respective kernel symbols and
checking it's dependencies it was confirmed that iptables wasn't
required and that these were either it's own moodule or tool independent
(nftables or iptables).

Correct these and make sure no unneeded extras are pulled in.

Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
2022-01-27 09:56:40 +01:00
Daniel Golle
145d896e0e
uboot-mediatek: update to version 2022.01
Tested on BananaPi R2 (SD, eMMC), BananaPi R64 (SD, eMMC, SPI-NAND) and
UniElec U7623-02 (eMMC).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-23 20:20:53 +00:00
Daniel Golle
31872a38be
uboot-envtools: add configuration for UniElec U7623 board
Add U-Boot env settings to allow accessing the environment using
fw_printenv and fw_setenv tools on the UniElec U7623 board.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-23 20:20:42 +00:00
Daniel Golle
213b406ae3
uboot-mediatek: update build for the U7623-02 board
Brings bootmenu and production/recovery dual-boot scheme like on
the BPi-R2, BPi-R64, E8450 and UniFi 6 LR.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-23 19:48:42 +00:00
Hans Dedecker
7edd10f9df netifd: update to git HEAD
ed71876 iprule: add support for uidrange

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2022-01-23 18:54:16 +01:00
Jo-Philipp Wich
3d3d03479d ucode: add temporary fix for integer formatting on 32bit systems
The ucode VM always passes 64bit integer values to sprintf implementation
while the `%d` format expects 32bit integers on 32bit platforms, leading
to incorrect formatting results.

Temporarily solve the issue by casting the numeric argument to int until
a more thorough fix arrives with the next update.

Fixes: FS#4234
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-01-23 00:57:58 +01:00
Hauke Mehrtens
6ae657e459 util-linux: Add taskset
This adds the taskset application from util Linux.
It is already built, but not packaged yet.

Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
2022-01-21 23:53:00 +01:00
Hauke Mehrtens
71bdff9139 ltq-vdsl-mei: Remove static linking
This removes -static compile option. The -static option tells GCC to
link this statically with the libc, which we do not want in OpenWrt. We
want to link everything dynamically to the libc. This fixes a compile
problem with glibc.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-01-21 23:09:24 +01:00
Matthew Hagan
46ce629fe0 ipip: add 'nohostroute' option
Add the nohostroute option as available for gre and wg tunnels to
allow the user to prevent explicit creation of a route to the peer
address.

Signed-off-by: Matthew Hagan <mnhagan88@gmail.com>
2022-01-19 20:57:59 +01:00
Hauke Mehrtens
e74529552c ustream-ssl: update to Git version 2022-01-16
868fd88 ustream-openssl: wolfSSL: Add compatibility for wolfssl >= 5.0

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-01-16 21:51:21 +01:00
Sven Eckelmann
8143709c90 ath79: Add support for OpenMesh OM2P v1
Device specifications:
======================

* Qualcomm/Atheros AR7240 rev 2
* 350/350/175 MHz (CPU/DDR/AHB)
* 32 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2x 10/100 Mbps Ethernet
* 1T1R 2.4 GHz Wi-Fi
* 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default)
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 2x fast ethernet
  - eth0
    + 18-24V passive POE (mode B)
    + used as WAN interface
  - eth1
    + builtin switch port 4
    + used as LAN interface
* 12-24V 1A DC
* external antenna

The device itself requires the mtdparts from the uboot arguments to
properly boot the flashed image and to support dual-boot (primary +
recovery image). Unfortunately, the name of the mtd device in mtdparts is
still using the legacy name "ar7240-nor0" which must be supplied using the
Linux-specfic DT parameter linux,mtd-name to overwrite the generic name
"spi0.0".

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2022-01-16 21:42:19 +01:00
Nick Hainke
607f06f81c mtd-utils: update to 2.1.4
Changes from 2.1.3 to 2.1.4:

Features:
      - ubiscan debugging and statistics utility

Fixes:
      - Some mtd-tests erroneously using sub-pages instead of the full page size
      - Buffer overrun in fectest
      - Missing jffs2 kernel header in the last release, leading to build
        failures on some systems.

Changes from 2.1.2 to 2.1.3:

Features:
       flashcp: Add new function that copy only different blocks
       flash_erase: Add flash erase chip
       Add flash_otp_erase
       Add an ubifs mount helper
       Add nandflipbits tool

Fixes:
       mkfs.ubifs: Fix runtime assertions when running without crypto
       mtd-utils: Use AC_SYS_LARGEFILE
       Fix test binary installation
       libmtd: avoid divide by zero
       ubihealthd: fix UBIFS build dependency
       mkfs.ubifs: remove OPENSSL_no_config()
       misc-utils: Add fectest to build system
       mkfs.ubifs: Fix build with SELinux
       Fix typos found by Debian's lintian tool
       Fix jffs2 build if zlib or lzo headers are not in default paths

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-01-16 20:51:14 +01:00
Christian Lamparter
0a08d4faad kernel: add missing kmod+regmap-i2c dependency for NCT7802Y module
x86, mt7623 and others buildbot failed due to:
|Package kmod-hwmon-nct7802 is missing dependencies for the following libraries:
|regmap-core.ko
|regmap-i2c.ko

Fixes: 1ed50b92d1 ("package: kernel: add driver module for NCT7802Y")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-01-15 19:55:14 +01:00
Pawel Dembicki
9149ed4f05 mvebu: cortexa9: Add support for Ctera C200-V2
2-Bay NAS - maximum two 3.5" Harddisks

Hardware:
  - SoC: Marvell 88F6707-A1 ARMv7 Processor 1,2GHz (ARMADA 370 SoC)
  - Ram: 1GB (2x Nanya NT5CC512M8DN-D1)
  - NAND Flash: 256MB (ESMT F59L2G81A-25T)
  - Lan: 1x GBE (Marvell 88E1318-NNB2)
  - Storage: 2x SATA HDD 3.5" Slot
  - USB: 2x USB 3.0 port (Renesas uPD720202)
  - Console: Internal J3 connector (1: Vcc, 2: Rx, 3: Tx, 4: GND)
  - LEDs: 13x GPIO controlled
  - Buttons: 2x GPIO controlled

Known issues:
  - Buzzer is unused due lack of proper driver
  - USB1/2 usbport ledtrigger won't work (through DT)
  - Renesas uPD720202 requires firmware file. It's possible to find
    non-free binary. Please look for 'UPDATE.mem' file and put in into
    '/lib/firmware/renesas_usb_fw.mem' file.

Installation:
  - Apply factory initramfs image via stock web-gui.
  - Do sysupgrade to make installation complete.

Back to stock:
  - OpenWrt rootfs partition use unused space after stock firmware.
  - Full revert is possible.
  - Login via ssh and run:

 ## ctera_c200-v2_back_to_factory start ##
 . /lib/functions.sh
 part=$(find_mtd_part "active_bank")
 active_bank=$(strings "$part" | grep bank)
 if [ "$active_bank" = "bank1" ]; then
 	echo "bank2" > /tmp/change_bank
 else
 	echo "bank1" > /tmp/change_bank
 fi
 mtd write /tmp/change_bank active_bank
 reboot
 ## ctera_c200-v2_back_to_factory end ##

Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
(put back-to-stock script into commit message, removed dup. SUBPAGESIZE var,
added 01_leds for non-working dt-usb-port trigger)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-01-15 17:41:19 +01:00
Pawel Dembicki
1ed50b92d1 package: kernel: add driver module for NCT7802Y
This commit add package with hwmon-nct7802 module.

This driver implements support for the Nuvoton NCT7802Y hardware monitoring
chip. NCT7802Y supports 6 temperature sensors, 5 voltage sensors, and 3 fan
speed sensors.

Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
(fixed c&p'ed module description)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-01-15 17:41:19 +01:00
Joshua Roys
51b9aef553 ipq40xx: add support for ASUS RT-ACRH17/RT-AC42U
SOC:	IPQ4019
CPU:	Quad-core ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c5387d
DRAM:	256 MB
NAND:	128 MiB Macronix MX30LF1G18AC
ETH:	Qualcomm Atheros QCA8075 Gigabit Switch (4x LAN, 1x WAN)
USB:	1x 3.0 (via Synopsys DesignWare DWC3 controller in the SoC)
WLAN1:	Qualcomm Atheros QCA4019 2.4GHz 802.11bgn 2x2:2
WLAN2:	Qualcomm Atheros QCA9984 5GHz 802.11nac 4x4:4
INPUT:	1x WPS, 1x Reset
LEDS:	Status, WIFI1, WIFI2, WAN (red & blue), 4x LAN

This board is very similar to the RT-ACRH13/RT-AC58U. It must be flashed
with an intermediary initramfs image, the jffs2 ubi volume deleted, and
then finally a sysupgrade with the final image performed.

Signed-off-by: Joshua Roys <roysjosh@gmail.com>
(added ALT0)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-01-15 17:21:01 +01:00
David Bauer
2a31e9ca97 hostapd: add op-class to get_status output
Include the current operation class to hostapd get_status interface.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-01-14 22:12:44 +01:00
Hans Dedecker
d9064c31ca netifd: update to git HEAD
3043206 system: fix compilation with glibc 2.34

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2022-01-14 21:46:29 +01:00
Paul Spooren
0637093e8c iptables: enable nftable support by default
OpenWrt plans to move over to firewall4 which uses nftables under the
hood. To allow a smooth migration the package `iptables-nft` offer a
transparent wrapper to apply iptables rules to nftables.

Without the config option for nftables the package isn't installed and
therefore can't be tested. This commit enabled it and therefore provides
the wrapper.

The size of the iptables package increases from 25436 to 26500 Bytes.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2022-01-14 00:42:28 +01:00
Hans Dedecker
7f2052ef22 netifd: update to git HEAD
96902e8 Revert "netifd: add devtype to ubus call"
29e6acf netifd: add devtype to ubus call
7ccbf08 netifd: add devtype to ubus call

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2022-01-12 21:14:29 +01:00
Daniel Golle
8c31f6bcab
procd: update to git HEAD
ca6c35c uxc: usage message cosmetics
 e083dd4 uxc: fix two minor issues reported by Coverity
 35dfbff procd: jail/cgroups: correctly enable "rdma" when requested
 3b3ac64 procd: mount /dev with noexec
 ac2b8b3 procd: clean up /dev/pts mounts

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-12 19:17:21 +00:00
Kevin Darbyshire-Bryant
e955a08340 firewall: update to latest HEAD
0f16ea5 options.c: add DSCP code LE Least Effort
24ba465 firewall3: remove redundant syn check
df1306a firewall3: fix locking issue
3624c37 firewall3: support table load on access on Linux 5.15+

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2022-01-10 11:45:15 +00:00
Sven Eckelmann
97f5617259 ath79: Add support for OpenMesh OM5P-AC v1
Device specifications:
======================

* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi (11n)
* 2T2R 5 GHz Wi-Fi (11ac)
* 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring
* 2x ethernet
  - eth0
    + AR8035 ethernet PHY (RGMII)
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as LAN interface
  - eth1
    + AR8035 ethernet PHY (SGMII)
    + 10/100/1000 Mbps Ethernet
    + 18-24V passive POE (mode B)
    + used as WAN interface
* 12-24V 1A DC
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2022-01-09 21:12:28 +01:00
Sven Eckelmann
72ef594550 ath79: Add support for OpenMesh OM5P-AN
Device specifications:
======================

* Qualcomm/Atheros AR9344 rev 2
* 560/450/225 MHz (CPU/DDR/AHB)
* 64 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 1T1R 2.4 GHz Wi-Fi
* 2T2R 5 GHz Wi-Fi
* 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default)
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring
* 2x ethernet
  - eth0
    + AR8035 ethernet PHY
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as LAN interface
  - eth1
    + 10/100 Mbps Ethernet
    + builtin switch port 1
    + 18-24V passive POE (mode B)
    + used as WAN interface
* 12-24V 1A DC
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2022-01-09 21:12:28 +01:00
Daniel Golle
000825d792
opkg: update to git HEAD of 2022-01-09
db7fb64 libopkg: pkg_hash: prefer to-be-installed packages
 2edcfad libopkg: set 'const' attribute for argv

This should fix the ImageBuilder problems people are having since we
introduced the 'uci-firewall' providers.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-01-09 20:10:32 +00:00
Stijn Tintel
0f50d3daff firewall4: bump to git HEAD
9a509d4 ruleset.uc: consolidate ip and ip6 offload
 21f311d ruleset.uc: don't trim newline before comment sign
 f121383 tests: enable flow offloading in tests
 550df40 tests: add test for unknown defaults option
 47c5a5b tests: add test for deprecated rule option
 69a89d6 tests: add test for unknown rule option
 07579df fw4.uc: handle interface zone option

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-01-09 17:38:18 +02:00
Josef Schlehofer
31647d8be8 kernel: add kmod-usb-net-lan78xx
Add kernel module for Microchip LAN78XX based USB 2 & USB 3
10/100/1000 Ethernet adapters. [1]

This kernel module is required for the Seeed Studio's Mini Router
based on RPI CM4 [2].

[1] <https://cateee.net/lkddb/web-lkddb/USB_LAN78XX.html>
[2] <https://www.seeedstudio.com/Dual-GbE-Carrier-Board-with-4GB-RAM-32GB-eMMC-RPi-CM4-Case-p-5029.html>

Link: <https://github.com/openwrt/openwrt/pull/4893>
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(added kmod-phy-microchip and kmod-fixed-phy dependencies,
rpi3 needs lan78xx but has it built-in)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-01-08 23:23:22 +01:00
Christian Lamparter
3fabca8894 kernel: provide kmod-fixed-phy as separate kmod
Almost all targets have the fixed-phy feature built into the kernel.
One big exception is x86. This caused a problem with the upcoming
LAN78xx usb driver. Hence this patch breaks out the fixed-phy from
of_mdio (which didn't include the .ko) and puts into a separate
module.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-01-08 23:20:21 +01:00
Christian Lamparter
d9ff9a4270 kernel: add kmod-phy-microchip
phy drivers for Microchip's LAN88xx PHYs.
This is needed for the "LAN7801" variant
of the upstream lan78xx usb ethernet driver.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-01-08 23:17:18 +01:00
Florian Fainelli
a372946e60 elfutils: Add missing musl-fts dependency
libdw depends on libfts.so when building with the musl-libc library, add
this missing dependency.

Fixes: 6835ea13f0 ("elfutils: update to 0.186")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2022-01-07 20:50:50 -08:00
Marty Jones
3fe253c6ab linux-firmware: add new package r8152-firmware
Linux upstream commit 9370f2d05a
add load firmware file through request_firmware,this affect the
nanopi r2s and some USB adapters in kernel 5.10 with this error:
'r8152 4-1:1.0: unable to load firmware patch rtl_nic/rtl8153b-2.fw'
This patch split the USB NIC firmware files from r8169 firmware,
and adds r8152-firmware to r8152 driver.
Add kmod-usb-net-cdc-ncm to support RTL8156A and RTL8156B 2.5G ethernet
adapters supported since v5.13-rc1.
195aae321c

Signed-off-by: Marty Jones <mj8263788@gmail.com>
2022-01-08 00:49:59 +01:00
Jan Hoffmann
9d878d8422 ltq-ifxos: update to 1.7.1
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
[fix warnings, switch to tag tarball, update patches]
Signed-off-by: Andre Heider <a.heider@gmail.com>
2022-01-08 00:49:59 +01:00
Andre Heider
5ee1e04517 ltq-vdsl: move to the default device name /dev/dsl_cpe_api/0
This makes patching it for ltq-vdsl-app unnecessary and paves the way
for VRX518 support.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2022-01-08 00:49:59 +01:00
Hannu Nyman
a54b406ccb busybox: update to 1.35.0
Update busybox to 1.35.0

* refresh patches

Config refresh:

Refresh commands, run after busybox is first built once:

cd package/utils/busybox/config/
../convert_menuconfig.pl ../../../../build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/busybox-default/busybox-1.35.0
cd ..
./convert_defaults.pl ../../../build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/busybox-default/busybox-1.35.0/.config > Config-defaults.in

Manual edits needed after config refresh:

* Config-defaults.in: OpenWrt config symbol IPV6 logic applied to
  BUSYBOX_DEFAULT_FEATURE_IPV6

* Config-defaults.in: OpenWrt configTARGET_bcm53xx logic applied to
  BUSYBOX_DEFAULT_TRUNCATE (commit 547f1ec)

* Config-defaults.in: OpenWrt logic applied to
  BUSYBOX_DEFAULT_LOGIN_SESSION_AS_CHILD (commit dc92917)

* config/editors/Config.in: Add USE_GLIBC dependency to
  BUSYBOX_CONFIG_FEATURE_VI_REGEX_SEARCH (commit f141090)

* config/shell/Config.in : change at "Options common to all shells" the symbol
  SHELL_ASH --> BUSYBOX_CONFIG_SHELL_ASH
  (discussion in http://lists.openwrt.org/pipermail/openwrt-devel/2021-January/033140.html
  Apparently our script does not see the hidden option while
  prepending config options with "BUSYBOX_CONFIG_" which leads to a
  missed dependency when the options are later evaluated.)

* Edit Config.in files by adding quotes to sourced items in
  config/Config.in, config/networking/Config.in and config/util-linux/Config.in (commit 1da014f)

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2022-01-08 00:49:59 +01:00
Glenn Strauss
a8513e2461 mbedtls: enable session tickets
session tickets are a feature of TLSv1.2 and require less memory
and overhead on the server than does managing a session cache

Building mbedtls with support for session tickets will allow the
feature to be used with lighttpd-1.4.56 and later.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-01-08 00:49:59 +01:00
Sergey V. Lobanov
6835ea13f0 elfutils: update to 0.186
Upstreamed patches (deleted):
0001-ppc_initreg.c-Incliude-asm-ptrace.h-for-pt_regs-defi.patch -
 https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=8382833a257b57b0d288be07d2d5e7af6c102869
110-no-cdefs.patch -
 https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=d390548df1942e98a1d836269a5e41ba52e121f1

Auto-refreshed:
006-Fix-build-on-aarch64-musl.patch
101-no-fts.patch

Manually updated and refreshed:
005-build_only_libs.patch
003-libintl-compatibility.patch
100-musl-compat.patch

Disabled _obstack_free check (via configure vars)

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2022-01-08 00:49:59 +01:00
Nick McKinney
e0a574d4b7 ramips: add support for Linksys EA6350 v4
Specifications:
- SoC: MT7621DAT (880MHz, 2 Cores)
- RAM: 128 MB
- Flash: 128 MB NAND
- Ethernet: 5x 1GiE MT7530
- WiFi: MT7603/MT7613
- USB: 1x USB 3.0

This is another MT7621 device, very similar to other Linksys EA7300
series devices.

Installation:

Upload the generated factory.bin image via the stock web firmware
updater.

Reverting to factory firmware:

Like other EA7300 devices, this device has an A/B router configuration
to prevent bricking.  Hard-resetting this device three (3) times will
put the device in failsafe (default) mode.  At this point, flash the
OEM image to itself and reboot.  This puts the router back into the 'B'
image and allows for a firmware upgrade.

Troubleshooting:

If the firmware will not boot, first restore the factory as described
above.  This will then allow the factory.bin update to be applied
properly.

Signed-off-by: Nick McKinney <nick@ndmckinney.net>
2022-01-08 00:49:59 +01:00
Sergey V. Lobanov
04e6434c62 utils/mdadm: fix build on hosts without /run dir
CHECK_RUN_DIR=0 must be a part of MAKE_FLAGS, not MAKE_VARS, otherwise
it is not possible to compile mdadm on host without /run dir.

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2022-01-08 00:49:59 +01:00
Hauke Mehrtens
e708bf76d5 toolchain: glibc: Update to version 2.34
glibc version 2.34 does not provide versioned shared libraries any more,
it only provides shared libraries using the ABI version. Do not try to
copy them any more.

The functions from libpthread and librt were integrated into the main
binary, the libpthread.so and librt.so are only used for backwards
compatibility any more.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-01-07 22:30:40 +01:00
Stijn Tintel
4d1f133561 firewall4: bump to git HEAD
main.uc: fix device gathering

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-01-06 21:30:14 +02:00
Jo-Philipp Wich
7881dce7d8 firewall4: fix syntax error in dependency spec
Fixes: ae60af8572 ("firewall4: order DEPENDS alphabetically")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-01-06 16:58:06 +01:00
Stijn Tintel
53b87a7a28 firewall/firewall4: provide uci-firewall
Provide uci-firewall via PROVIDES in both firewall and firewall4. This
will allow us to change the dependency of luci-app-firewall to
uci-firewall, making it possible to use it with either implementation.

Move CONFLICTS from firewall4 to firewall, to solve this recursive
dependency problem:

tmp/.config-package.in:307:error: recursive dependency detected!
tmp/.config-package.in:307:     symbol PACKAGE_firewall is selected by PACKAGE_firewall4
tmp/.config-package.in:328:     symbol PACKAGE_firewall4 depends on PACKAGE_firewall

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2022-01-06 14:54:50 +02:00
Stijn Tintel
3ec25a657d firewall4: bump to git HEAD
4ead2a6 treewide: move executables to /sbin
 9ebc2f4 fw4.uc: filter duplicates in fw4.set
 85b74f3 treewide: support flow offloading
 be3b4e6 treewide: support hardware flow offloading
 38889b7 treewide: support set timeout
 31c7550 fw4.uc: do not skip defaults with invalid option
 334a127 fw4.uc: introduce DEPRECATED flag
 7a0d38f fw4.uc: add _name as deprecated option
 5e7ad3b fw4.uc: don't fail on unknown options
 be5f4e3 fw4.uc: allow use of cidr in ipsets

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2022-01-06 14:54:43 +02:00
Stijn Tintel
ae60af8572 firewall4: order DEPENDS alphabetically
Add some line breaks while at at, to improve readability.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2022-01-06 14:54:06 +02:00
Stijn Tintel
3d4acc34bb firewall4: drop kmod-ipt-nat from CONFLICTS
The limitation of not being able to use iptables and nft nat at the same
time exists only in kernels before 4.18.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2022-01-06 14:53:47 +02:00
Daniel Kestrel
b61d756b6c ltq-deu: disable arc4 algorithm
ARC4 was used for WEP, which is not secure anymore. Therefor it is
disabled in the driver, but the code is not removed for now.

Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
2022-01-06 00:23:15 +01:00
Daniel Kestrel
fc4d88cf73 ltq-deu: add aes_gcm algorithm
The lantiq AES hardware does not support the gcm algorithm. But it
can be implemented in the driver as a combination of the aes_ctr
algorithm and the xor plus gfmul operations for the hashing.
Due to the wrapping of the several algorithms and the inefficient
16 byte block by 16 byte block invokation in the kernel
implementations, this driver is about 3 times faster for the larger
block sizes.

Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
2022-01-06 00:23:15 +01:00
Daniel Kestrel
973e28f248 ltq-deu: change PKG_RELEASE to AUTORELEASE
As per suggestion by adschm, PKG_RELEASE is set to AUTORELEASE.

Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
2022-01-06 00:23:15 +01:00
Daniel Kestrel
a0d6b09c36 ltq-deu: remove redundant code for setting the key in aes
After adding xts and cbcmac the aes algorithm source had three sections
for setting the aes key to the hardware which are identical.
Method aes_set_key_hw was created which is now called from within the
spinlock secured control sections in methods ifx_deu_aes, ifx_deu_aes_xts
and aes_cbcmac_final_impl and reduces the size of ifxmips_aes.c.

Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
2022-01-06 00:23:15 +01:00
Daniel Kestrel
79efaa7f8f ltq-deu: add shash cbcmac-aes algorithm to the driver
Since commit 53b6783 hostapd is using the kernel api which includes the
cbcmac-aes shash algorithm. The kernels implementation is a wrapper around
the aes encryption algorithm, which encrypts block (16 bytes) by block.
When the ltq-deu driver is present, it uses hardware aes, but every 16 byte
encrypt requires setting the key. This is very inefficient and is a huge
overhead. Since the cbcmac-aes is simply a hash that uses the cbc aes
algorithm starting with an iv set to x'00' with an optional ecb aes
encryption of a possible last incomplete block that is padded with the
positional bytes of the last cbc encrypted block, this algorithm is now
added to the driver. Most of the code is derived from md5-hmac and
tailored for aes. Tested with the kernels crypto testmgr including extra
tests against the kernels generic ccm module implementation.
This patch also fixes the overallocation in the aes_ctx that is caused
by using u32 instead of u8 for the aes keys.

Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
2022-01-06 00:23:15 +01:00
Daniel Kestrel
f8e5c6080c ltq-deu: remove driver disablement for kernel 5.4 and above
Remove the dependency on kernel 5.4 from the Makefile to allow the
driver to compile with kernel 5.10 or kernel versions higher than
5.4.

Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
2022-01-06 00:23:15 +01:00
Daniel Kestrel
43422deed3 ltq-deu: add aes_xts algorithm
The lantiq AES hardware does not support the xts algorithm. Apart
from the cipher text stealing (XTS), the AES XTS implementation is
just an XOR with the IV, followed by AES ECB, followed by another
XOR with the IV and as such can be also implemented by using the
lantiq hardware's CBC AES implemention plus one additional XOR with
the IV in the driver. The output IV by CBC AES is also not usable
and the gfmul operation not supported by lantiq hardware. Both need
to be done in the driver too in addition to the IV treatment which is
the initial encryption by the other half of the input key and to
set the IV to the IV registers for every block.
In the generic kernel implementation, the block size for XTS is set
to 16 bytes, although the algorithm is designed to process any size
of input larger than 16 bytes. But since there is no way to
indicate a minimum input length, the block size is used. This leads
to certain issues when the skcipher walk functions are used, e.g.
processing less than block size bytes is not supported by calling
skcipher_walk_done.
The walksize is 2 AES blocks because otherwise for splitted input
or output data, less than blocksize is to be returned in some cases,
which cannot be processed. Another issue was that depending on
possible split of input/output data, just 16 bytes are returned while
less than 16 bytes were remaining, while cipher text stealing
requires 17 bytes or more for processing.
For example, if the input is 60 bytes and the walk is 48, then
processing 48 bytes leads to a return code of -EINVAL for
skcipher_walk_done. Therefor the processed counter is used to
figure out, when the actual cipher text stealing for the remaining
bytes less than blocksize needs to be applied.
Measured with cryptsetup benchmark, this XTS AES implementation is
about 19% faster than the kernels XTS implementation that uses the
hardware ECB AES (ca. 18.6 MiB/s vs. 15.8 MiB/s decryption 256b key).
The implementation was tested with the kernels crypto testmgr against
the kernels generic XTS AES implementation including extended tests.

Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
2022-01-06 00:23:08 +01:00
Daniel Kestrel
006fee0dad ltq-deu: update initialisations for hmac algorithms
The processing in the hmac algorithms depends on the status fields:
count, dbn and started. Not all were initialised in the init method
and after finishing the final method. Added missing fields to init
method and call init method after finishing final.
The memsets have the wrong size in the original driver and did not
clear everything and are not necessary. Since no memset is done in
the kernels generic implementation, memsets were removed.

Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
2022-01-06 00:23:05 +01:00
Daniel Kestrel
6ade9d1dda ltq-deu: remove compiler warning and shorten locked sections
Removing hash pointer in _hmac_setkey since its not needed and causes
a compiler warning.
Make the spinlock control sections shorter and move initializations
out of the control sections to free the spinlock faster for allowing
other threads to use the hash engine.
Minor improvements for indentation and removal of blanks and blank
lines in some areas.

Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
2022-01-06 00:23:02 +01:00
Daniel Kestrel
0470b05b56 ltq-deu: fix temp size exceed in hmac algorithms
Exceeding the temp array size was not checked and instead storage not
allocated by the driver was used/overwritten which in most cases
resulted in reboots. This patch implements processing the input to the
hash algorithm in tempsize chunks.
The _hmac_final methods were changed to _hmac_final_impl adding a
parameter that indicates intermediate or final processing. The started
variable was added to the context to indicate, if there is an
intermediate result in the context. For sha1_hmac the variable to store
the intermediate hash was added to the context too.
In order to avoid md5_hmac_final_impl being recursively called if the
padding of the input and the resulting last transform during the hmac
algorighms final processing causes the temp array to overflow and to
make sure that there is at least one block in the temp array when the
_hmac_final for final processing is called, the check for exceeding
the temp array in _hmac_transform was moved before copying the block
and incrementing dbn. dbn needs to be at least 1 at final processing
time to let the hash engine apply the opad operation.
To make the hash engine not apply the hmac algorithms final opad
operation, for intermediate processing the dbn in the control register
is set to a higher value than number of dbns are actually processed.

Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
2022-01-06 00:22:59 +01:00
Daniel Kestrel
85383b3112 ltq-deu: fix setkey errors and static shared temp for hmac algos
The hmac algorithms state, that keys larger than the key size should be
hashed with the underlying hash algorithms and then those hashes are to
be used as keys. This patch implements this. In order to avoid allocating
a descriptor during setkey, a shash_desc pointer is added to the context.
Another issue for multithreaded callers is the shared temp array.
The temp array is static and as such would be shared among multithreaded
callers, which obviously would neither work nor produce correct results.
The temp array (4k size) is moved to the context and since the size of
the context is limited, it can only be defined as pointer otherwise the
initialisation of the hash algorithm fails.
The allocations and freeing of both the temp and the desc pointer in the
context are done by implementing cra_init and cra_exit functions for
the hmac algorithms.
Also improved indentation in some areas.

Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
2022-01-06 00:22:57 +01:00
Daniel Kestrel
9cb1875d2f ltq-deu: fix ifxdeu-ctr-rfc3686(aes) not matching generic impl
Error ifxdeu-ctr-rfc3686(aes) (16) doesn't match generic impl (20) occurs
when running the cryptomgr extra tests that compare against the linux
kernels generic implementation.

Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
2022-01-06 00:22:53 +01:00
Daniel Kestrel
34a3eaf07f ltq-deu: changes for hash multithread callers and md5 endianess
The algorithms sha1, sha1_hmac and md5_hmac all use ENDI=1. The md5
algorithm uses ENDI=0 and the endian_swap methods to reverse the
endianess switch by using user CPU time, which is unnecessary overhead.
Danube and AR9 devices do not set endianess for SHA1, so is done for
MD5.
Furthermore the patch replaces endian_swap with le32_to_cpu for md5 and
md5 hmac algorithms and removes endian_swap for them.
The init functions initialize the algorithm in the hardware. The lock is
not used to write to the control register. If another thread calls
another hash algo before update or final, the result will be wrong.
Therefore move the algorithm init to the lock protected sections in the
transform or final methods.
Setting the hw key for the hmac algorithms is now done from within the
lock protected sections in their final methods. The lock protecting is
removed from the _hmac_setkey_hw functions.
In final for md5 and sha1 the lock section is removed, because all the
work was already done in transform (which is called from final). As such
only copying the hash to the output is required.
MD5 and MD5_HMAC produce 16 byte hashes (4 DWORDS) only, therefor
writing register D5R to the hash output is removed for MD5_HMAC.

Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
2022-01-06 00:22:50 +01:00
Daniel Kestrel
87a19c9345 ltq-deu: make deu hash lock global and remove md5_hmac_ exports
All hash algorithms use the same base IFX_HASH_CON to access the hash unit.
Parallel threads should not be able to call different hash algorithms and
therefor a global lock is required.
Fixed linker warning, that md5_hmac_init, md5_hmac_update and
md5_hmac_final are static export symbols. The export symbols are not
required, because the functions are exposed using shash_alg structure.

Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
2022-01-06 00:22:48 +01:00
Daniel Kestrel
536dc6f164 ltq-deu: add aes_ofb and aes_cfb algorithms
The functions ifx_deu_aes_cfg and ifx_deu_aes_ofb have been part of the
driver ever since. But the functions and definitions to make the
algorithms actually usable were missing.
This patch adds the neccessary code for aes_ofb and aes_cfb algorithms.

Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
2022-01-06 00:22:45 +01:00
Daniel Kestrel
cd01d41c77 ltq-deu: fix cryptomgr test errors for aes
When running cryptomgr tests against the driver, there are several
occurences of different errors for even and uneven splitted data in the
underlying scatterlists for the ctr and ctr_rfc3686 algorithms which are
now fixed.
Fixed error in ctr_rfc3686_aes_decrypt function which was introduced with
the previous commit by using CRYPTO_DIR_ENCRYPT in the decrypt function.

Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
2022-01-06 00:22:42 +01:00