Commit Graph

3942 Commits

Author SHA1 Message Date
Jo-Philipp Wich
b5ec04f81a Revert "nftables: fix parsing date expressions"
This reverts commit eada892577.

The commit contained unrelated target changes.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-08-09 11:50:52 +02:00
Jo-Philipp Wich
eada892577 nftables: fix parsing date expressions
Musl libc does not support the non-POSIX "%F" format for strptime() so
replace all occurrences of it with an equivalent "%Y-%m-%d" format.

Fixes: #10419
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-08-09 00:20:14 +02:00
Hans Dedecker
a23d132cff odhcp6c: update to git HEAD
7d21e8d dhcpv6: add option to ignore stateless advertise

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2022-08-05 18:31:24 +02:00
Chen Minqiang
31cca8f8d3 umdns: add missing syscall to seccomp filter
There is some syscall missing:
'getdents64'
'getrandom'
'statx'
'newfstatat'

Found with:
'mkdir /etc/umdns; ln -s /tmp/1.json /etc/umdns/; utrace /usr/sbin/umdns'

Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
2022-08-05 14:10:42 +02:00
Roland Barenbrug
456b9029d7 ltq-vdsl-app: Fix counter overflow resulting in negative values
The re-transmit counters can overflow the 32 bit representation resulting
in negative values being displayed. Background being that the numbers are
treated at some point as signed INT rather than unsigned INT.
Change the counters from 32 bit to 64 bit, should provide sufficient room
to avoid any overflow. Not the nicest solution but it works

Fixes: #10077
Signed-off-by: Roland Barenbrug <roland@treslong.com>
Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
2022-08-05 13:49:30 +02:00
Boris Krasnovskiy
00718b9d7a hostapd: prevent unused crypto lib dependencies from being compiled
Prevented unused crypto lib dependencies from being compiled

Signed-off-by: Boris Krasnovskiy <borkra@gmail.com>
2022-07-31 00:11:21 +02:00
Dávid Benko
f920908626 odhcp6c: update to latest git HEAD
9212bfc odhcp6c: fix IA discard when T1 > 0 and T2 = 0

Signed-off-by: Dávid Benko <davidbenko@davidbenko.dev>
2022-07-30 23:50:44 +02:00
Christian Lamparter
d4391ef073 layerscape: update remaining PKG_HASH / PKG_MIRROR_HASH
The change of the PKG_VERSION caused the hash of the package to
change. This is because the PKG_VERSION is present in the
internal directory structure of the archive.

Fixes: e879cccaa2 ("uboot-layerscape: update PKG_HASH")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-07-22 22:03:27 +02:00
Manuel Giganto
d12eb103e8
hostapd: add ppsk option (private psk)
This PR allows a user to enable a private psk, where each station
may have it's own psk or use a common psk if it is not defined.
The private psk is defined using the sta's mac and a radius server
is required.

ppsk option should be enabled in the wireless configuration along with
radius server details. When using PPSK, the key is ignored, it will be
retrieved from radius server. SAE is not yet supported (private sae) in
hostapd.

Wireless example configuration:
	option encryption 'psk2+ccmp'
	option ppsk '1'
	option auth_server '127.0.0.1'
	option auth_secret 'radiusServerPassword'

If you want to use dynamic VLAN on PPSK also include:
	option dynamic_vlan '2'
	option vlan_tagged_interface 'eth0'
	option vlan_bridge 'br-vlan'
	option vlan_naming '0'

It works enabling mac address verification on radius server and
requiring the tunnel-password (the private psk) from radius server.

In the radius server we need to configure the users. In case of
freeradius: /etc/freeradius3/mods-config/files/authorize
The user and Cleartext-Password should be the mac lower case using the
format "aabbccddeeff"

<sta mac> Cleartext-Password := "<sta mac>"
	Tunnel-Password = <Private Password>

Example of a user configured in radius and using dynamic VLAN5:

8cb84a000000 Cleartext-Password := "8cb84a000000"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-ID = 5,
	Tunnel-Password = MyPrivPw

If we want to have a default or shared psk, used when the mac is not
found in the list, we need to add the following at the end of the radius
authorize file:

DEFAULT Auth-Type := Accept
	Tunnel-Password = SharedPw

And if using VLANs, for example VLAN6 for default users:
DEFAULT Auth-Type := Accept
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-ID = 6,
	Tunnel-Password = SharedPw

Signed-off-by: Manuel Giganto <mgigantoregistros@gmail.com>
2022-07-15 08:20:36 +02:00
Michael Pratt
ba7da73680 firewall3: update file hash
the hash and timestamp of the remote copy of the archive
has changed since last bump
meaning the remote archive copy was recreated

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-07-14 17:09:06 +01:00
Paul Blazejowski
4a1dcaf848 hostapd: apply patch to fix building openssl variant
Add patch from:
https://patchwork.ozlabs.org/project/hostap/patch/20220622121355.1337612-1-a.heider@gmail.com/

Fixes: dab9103 ("hostapd: update to 2022-06-02")
Signed-off-by: Paul Blazejowski <paulb@blazebox.homeip.net>
2022-07-11 00:50:54 +02:00
Nick Hainke
436fad7a3e iptables: update to 1.8.8
Remove upstreamed patches:
- 001-xtables-Call-init_extensions6-for-static-builds.patch
- 002-xtables-Call-init_extensions_a_b.patch

Fix patches:
- 102-iptables-disable-modprobe.patch
  Fix warnings in the form of:
  xtables.c:475:14: warning: 'get_modprobe' defined but not used [-Wunused-function]
  475 | static char *get_modprobe(void)
      |              ^~~~~~~~~~~~

Backport patches:
- 020-treewide-use-uint-instead-of-u_int.patch
- 030-revert-fix-build-for-missing-ETH_ALEN-definition.patch
- 040-xshared-Fix-build-for-Werror-format-security.patch
- 050-build-fix-error-during-out-of-tree-build.patch
- 060-libxtables-unexport-init_extensions-declarations.patch

Refresh patches:
- 101-remove-check-already.patch
- 102-iptables-disable-modprobe.patch
- 200-configurable_builtin.patch
- 600-shared-libext.patch
- 700-disable-legacy-revisions.patch

Remove from Makefile:
 $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/

Changelog:
fa0ccdbd configure: bump version for 1.8.8 release
8468fd4f nft: Fix EPERM handling for extensions without rev 0
ce9195c6 extensions: LOG: Document --log-macdecode in man page
404f304d man: *NAT: Review --random* option descriptions
0a538259 extensions: DNAT: Merge core printing functions
a7c2b728 libxtables: Revert change to struct xtables_pprot
fd64a587 libxtables: Drop xtables_globals 'optstring' field
3b8a6a6f xshared: Extend xtables_printhelp() for arptables
8ff84eaf xshared: Move arp_opcodes into shared space
adbfec0b extensions: MARK: Drop extra newline at end of help
1dcfb81e nft: split gen_payload() to allocate register and initialize expression
7e38890c nft: prepare for dynamic register allocation
165cafec nft: pass handle to helper functions to build netlink payload
94309632 nft: native mark matching support
aa92ec96 nft: pass struct nft_xt_ctx to parse_meta()
4c70c42f nft-shared: update context register for bitwise expression
18c96821 extensions: man: Document service name support in DNAT and REDIRECT
72d542b6 extensions: Merge REDIRECT into DNAT
14d77c8a extensions: Merge IPv4 and IPv6 DNAT targets
9621318b extensions: DNAT: Rename from libipt to libxt
2e0c9a40 extensions: ipt_DNAT: Combine xlate functions also
7adef314 extensions: ipt_DNAT: Merge v1/v2 print/save code
3f4f1cf0 extensions: ipt_DNAT: Merge v1 and v2 parsers
070a8626 Revert "libipt_[SD]NAT: avoid false error about multiple destinations specified"
08c14fa6 man: DNAT: Describe shifted port range feature
24fff5d7 xlate-test: Fix for empty source line on failure
ac4c84cc libxtables: Boost rule target checks by announcing chain names
f58b0d74 libxtables: Implement notargets hash table
b1aee6b2 nft: Reject standard targets as chain names when restoring
b555bfed tests: shell: Fix 0004-return-codes_0 for static builds
c293e116 nft: Review static extension loading
0836524f xtables: Call init_extensions{,a,b}() for static builds
6c689b63 Simplify static build extension loading
0c8e2535 libxtables: Fix for warning in xtables_ipmask_to_numeric
0c0cd434 nft: Don't pass command state opaque to family ops callbacks
b6196c75 xshared: Prefer xtables_chain_protos lookup over getprotoent
07ee529f nft: Speed up immediate parsing
b5f2faea nft: Simplify immediate parsing
17534cb1 Improve error messages for unsupported extensions
2dbb49d1 libxtables: Register only the highest revision extension
07e2107e xshared: Implement xtables lock timeout using signals
a3980769 tests: NFLOG: enable `--nflog-range` tests
b8e8ac27 tests: support explicit variant test result
adb03c3f tests: add `NOMATCH` test result
7a006c7d tests: iptables-test: rename variable
b7f15b42 iptables.8: Describe the effect of multiple -v flags
1407a9c4 tests: iptables-test: Support variant deviation
fc8f7289 nft: cache: Dump rules if debugging
73b91292 nft: Add debug output to table creation
51d9d9e0 ebtables: Support verbose mode
ad1ed75f nft: Set NFTNL_CHAIN_FAMILY in new chains
17ed253f iptables-restore: Support for extra debug output
a761a026 nft: Use verbose flag to toggle debug output
98e69b7e nft: add support for native tcp flag matching
92808bd5 nft-shared: add tcp flag dissection
6aba94ef nft: prefer native expressions instead of tcp match
c034cf31 nft: prefer native expressions instead of udp match
5489493e nft-shared: support native udp port delinearize
5795a1b5 nft-shared: support native tcp port range delinearize
250dce87 nft-shared: support native tcp port delinearize
ea5d45dc extensions: libxt_NFLOG: fix typo
26ecdf53 xshared: Fix response to unprivileged users
b32ae771 build: replace `AM_PROG_LIBTOOL` and `AC_DISABLE_STATIC` with `LT_INIT`
05286bab extensions: libxt_NFLOG: remove extra space when saving targets with prefixes
f0d02998 extensions: libxt_NFLOG: fix `--nflog-prefix` Python test-cases
f9df828a extensions: libxt_NFLOG: disable `--nflog-range` Python test-cases
62ad29e9 extensions: libxt_NFLOG: don't truncate log prefix on print/save
db99f601 extensions: libxt_NFLOG: use nft built-in logging instead of xt_NFLOG
30b178b9 extensions: *NAT: Kill multiple IPv4 range support
7ee5b970 tests: iptables-test: correct misspelt variable
223f02ca nft: fix indentation error.
5c2c2eea ip6tables: Use the shared do_parse, too
9baf3bf0 iptables: Use xtables' do_parse() function
e4f5185d nft: Move proto_parse and post_parse callbacks to xshared
ded7b579 xshared: Store parsed wait and wait_interval in xtables_args
62c3c93d xshared: Move do_parse to shared space
3039a52c xtables: Do not pass nft_handle to do_parse()
ece001c2 xtables: Pass xtables_args to check_inverse()
17abaeb1 xtables: Pass xtables_args to check_empty_interface()
dc8d8fce xtables: Move struct nft_xt_cmd_parse to xshared.h
98a4462f xtables: Pull table validity check out of do_parse()
d83371c7 xtables: Drop xtables' family on demand feature
49aa44ba nft-shared: set correct register value
b129b1cf iptables-*-restore: Drop pointless line reference
316d8efb libxtables: Extend basic_exit_err()
4bff5aef xtables_globals: Embed variant name in .program_version
51e5d293 xshared: Share exit_tryhelp()
56ac0452 xshared: Share a common printhelp function
4149b5d8 xshared: Share print_match_save() between legacy ip*tables
273d88a7 extensions: tcpmss: add iptables-translate support
7213561d xshared: Make load_proto() static
cf14b92b nft-shared: Drop unused function print_proto()
24f30842 xshared: Share print_header() with legacy iptables
a323c283 xshared: Share print_fragment() with legacy
1d73cec0 xshared: Share print_rule_details() with legacy
e5fb9f8e xshared: Share save_ipv{4,6}_addr() with legacy
22f2e1fc xshared: Share save_rule_details() with legacy
766e4872 xshared: Share print_iface() function
b5881e7f nft: Change whitespace printing in save_rule callback
1189d830 xshared: Merge and share parse_chain()
1eab8e83 extensions: hashlimit: Fix tests with HZ=1000
afa525ee xlate-test: Print full path if testing all files
b8d5271d Unbreak xtables-translate
0af80a91 nft: Merge xtables-arp-standalone.c into xtables-standalone.c
142cf724 xtables: arptables accepts empty interface names
ab0a785a xtables: Derive xtables_globals from family
6cf3976e nft-shared: Make nft_check_xt_legacy() family agnostic
832a0e2b nft-arp: Introduce post_parse callback
0aea399d arptables: Use standard data structures when parsing
fe83b12f libxtables: Introduce xtables_globals print_help callback
0687852d xtables-standalone: Drop version number from init errors
dded8ff3 nft: Add family ops callbacks wrapping different nft_cmd_* functions
38e1fe58 xtables: Simplify addr_mask freeing
cfdda180 nft-shared: Introduce init_cs family ops callback
65b150ae xshared: Store optstring in xtables_globals
2e6014c7 nft: Introduce builtin_tables_lookup()
db90ff64 tests: shell: fix bashism
45d8f769 nft: Delete builtin chains compatibly
e865a853 nft-chain: Introduce base_slot field
f9b33967 nft: Check base-chain compatibility when adding to cache
43189612 nft: cache: Avoid double free of unrecognized base-chains
040a15f2 xtables-translate: add missing argument and option to usage
2ed6dc75 tests: iptables-test: Fix conditional colors on stderr
63ab4fe3 ebtables: Avoid dropping policy when flushing
b714d45d iptables-test.py: print with color escapes only when stdout isatty
481626bb tests: shell: Return non-zero on error
7559af83 tests: iptables-test: Exit non-zero on error
c057939d tests: xlate-test: Exit non-zero on error
a8da7186 tests: iptables-test: Print errors to stderr
5166c445 tests: xlate-test: Print errors to stderr
fa78ff15 tests: xlate-test: Don't skip any input after the first empty line
fcbe454b tests: iptables-test: Fix missing chain case
61e85e31 iptables-nft: allow removal of empty builtin chains
544e7dc1 Fix a few doc typos
e438b976 nft: Use xtables_{m,c}alloc() everywhere
ca11c7b7 nft: Use xtables_malloc() in mnl_err_list_node_add()
cf410aa6 extensions: libxt_mac: Fix for missing space in listing
7ae14dc1 iptables-test: Make netns spawning more robust
bef9dc57 extensions: hashlimit: Fix tests with HZ=100
943fbf3e ip6tables: masquerade: use fully-random so that nft can understand the rule
ef7781eb libxtables: exit if called by setuid executeable
8629c53f tests/shell: Assert non-verbose mode is silent
57d1422d nft: Fix for non-verbose check command
26318637 ebtables: Dump atomic waste
765bf04e doc: ebtables-nft.8: Adjust for missing atomic-options
e727ccad xtables: Call init_extensions6() for static builds
9e1fffdf extensions: libxt_multiport: add translation for -m multiport --ports
c8145139 extensions: libxt_conntrack: simplify translation using negation
1c934617 extensions: libxt_tcp: rework translation to use flags match representation
bb01e33d extensions: libxt_connlimit: add translation
62828a6a tests: xlate-test: support multiline expectation
ba863c4b libxtables: extend xlate infrastructure
68ed965b extensions: libxt_string: Avoid buffer size warning for strncpy()
9b85e1ab libxtables: Introduce xtables_strdup() and use it everywhere
ca840c20 extensions: libebt_ip6: Use xtables_ip6parse_any()
084671d5 iptables-apply: Drop unused variable
0729ab37 nft: Avoid buffer size warnings copying iface names
eab75ed3 nft: Avoid memleak in error path of nft_cmd_new()
ffe88f8f libxtables: Fix memleak in xtopt_parse_hostmask()
8bb5bcae extensions: libebt_ip6: Drop unused variables
97fabae7 libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()
5818be17 extensions: sctp: Translate --chunk-types option
a61282ec extensions: sctp: Fix nftables translation
556f7044 Use proto_to_name() from xshared in more places
eea68ca8 ebtables-translate: Use shared ebt_get_current_chain() function
9dc50b5b xshared: Merge invflags handling code
3664249f xshared: Eliminate iptables_command_state->invert
f647f61f xtables: Make invflags 16bit wide
616800af extensions: SECMARK: Implement revision 1
1e984079 nft-arp: Make use of ipv4_addr_to_string()
acac2dbe Eliminate inet_aton() and inet_ntoa()
9084ef29 extensions: sctp: Explain match types in man page
a3e81c62 nft: Increase BATCH_PAGE_SIZE to support huge rulesets
fdf64dcd nft: cache: Sort chains on demand only
c5d9a723 fix build for missing ETH_ALEN definition
18d7535d extensions: libxt_conntrack: use bitops for status negation
18e334da extensions: libxt_conntrack: use bitops for state negation
831f57c7 libxtables: Simplify xtables_ipmask_to_cidr() a bit
46f9d3a9 xtables-translate: Fix translation of odd netmasks
330f5df0 nft: Fix bitwise expression avoidance detection
5f1fcace iptables-nft: fix -Z option
c9441657 include: Drop libipulog.h
30c1d443 ebtables: Exit gracefully on invalid table names

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 19:07:47 +02:00
Nick Hainke
ce6e034c52 lldpd: update to 1.0.14
Changes
- Add configure commands to alter inventory TLVs

Fixes
- Update seccomp rules for newer kernel/libc
- Correctly handle an interface whose index has changed
- Don't send VLANs when there are too many

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 19:07:47 +02:00
Nick Hainke
2c7101360f lldpd: switch to codeload.github.com
The mirror does not seem to work well anymore. Switch to
codeload.github.com.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 19:07:47 +02:00
Nick Hainke
202ecc9f4b wpan-tools: update to 0.9
Changes:
- wpan-ping: fix ifname setting
- wpan-hwsim: hardware simulator configuration utility
- wpan-hwsim: fix long option argument option for dot
- Don't install examples
- hwsim: make sure lqi is always initialized
- iwpan: fix clang compiler warning on absolute-value
- examples: fix wrongly used unsigned attribute
- build: hwsim: fix list of files needed for dist build

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 18:16:34 +02:00
Nick Hainke
9194cee553 wpan-tools: update to 0.8
Remove upstreamed patches:
- 001-src-nl_extras.h-fix-compatibility-with-libnl-3.3.0.patch

Changes:
- examples: add README with details to the various examples
- examples: af_ieee802154_tx example
- examples: af_ieee802154_rx example
- examples: add af_packet_rx example
- examples: af_inet6_rx example
- examples: af_packet_tx example
- examples: af_inet6_tx example
- examples: add .gitignore file for examples directory
- src/nl_extras.h: fix compatibility with libnl 3.3.0
- wpan-ping: add the support to set wpan-ping interval
- wpan-ping: Add the filtering function for frame receiving

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 18:16:34 +02:00
Nick Hainke
3707e5cbe3 wpan-tools: cleanup Makefile
- Use SPDX
- Add PKG_RELEASE
- Change wpan.cakelab.org to linux-wpan.org/wpan-tools.html
- Switch to github.com as PKG_SOURCE_URL

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 18:16:34 +02:00
Daniel Golle
d29722e6ff
xdp-tools: fix build with NLS enabled
Make sure the 'configure' shell script finds the libintl when linking
the test programs for discovering libpcap and libbpf.

Reported-by: @trippleflux
Fixes: 6ad1bea2a6 ("xdp-tools: add package")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-07-06 22:38:20 +01:00
Nick Hainke
8288a4bbb3
xdp-tools: mark as nonshared
The SDK does not have the LLVM toolchain yet.

Hopefully fixes errors in the form:
  xsk_def_xdp_prog.c:4:10: fatal error: 'bpf/bpf_helpers.h' file not found
  #include <bpf/bpf_helpers.h>

Fixes: 6ad1bea2a6 ("xdp-tools: add package")
Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-06 22:38:02 +01:00
Daniel Golle
6ad1bea2a6
xdp-tools: add package
xdp-tools - Library and utilities for use with the eXpress Data Path:
Fast Programmable Packet Processing in the Operating System Kernel

 * libxdp: library for attaching XDP programs and using AF_XDP sockets
 * xdp-filter: a simple XDP-powered packet filter
 * xdp-loader: an XDP program loader
 * xdpdump: tool for capturing packets at the XDP layer

Thanks to Nick @PolynomialDivision Hainke for testing and fixing!

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-07-04 18:36:03 +01:00
Nick Hainke
86b0d3b00b tcpdump: update to 4.99.1
Adjust
- 100-tcpdump_mini.patch

Remove upstreamed patches:
- 101-CVE-2020-8037.patch
- 102-CVE-2018-16301.patch

Changelog:

  Wednesday, June 9, 2021 by gharris
  Summary for 4.99.1 tcpdump release
    Source code:
      Squelch some compiler warnings
      ICMP: Update the snapend for some nested IP packets.
      MACsec: Update the snapend thus the ICV field is not payload
        for the caller.
      EIGRP: Fix packet header fields
      SMB: Disable printer by default in CMake builds
      OLSR: Print the protocol name even if the packet is invalid
      MSDP: Print ": " before the protocol name
      ESP: Remove padding, padding length and next header from the buffer
      DHCPv6: Update the snapend for nested DHCPv6 packets
      OpenFlow 1.0: Get snapend right for nested frames.
      TCP: Update the snapend before decoding a MPTCP option
      Ethernet, IEEE 802.15.4, IP, L2TP, TCP, ZEP: Add bounds checks
      ForCES: Refine SPARSEDATA-TLV length check.
      ASCII/hex: Use nd_trunc_longjmp() in truncation cases
      GeoNet: Add a ND_TCHECK_LEN() call
      Replace ND_TCHECK_/memcpy() pairs with GET_CPY_BYTES().
      BGP: Fix overwrites of global 'astostr' temporary buffer
      ARP: fix overwrites of static buffer in q922_string().
      Frame Relay: have q922_string() handle errors better.
    Building and testing:
      Rebuild configure script when building release
      Fix "make clean" for out-of-tree autotools builds
      CMake: add stuff from CMAKE_PREFIX_PATH to PKG_CONFIG_PATH.
    Documentation:
      man: Update a reference as www.cifs.org is gone. [skip ci]
      man: Update DNS sections
    Solaris:
      Fix a compile error with Sun C

  Wednesday, December 30, 2020, by mcr@sandelman.ca, denis and fxl.
  Summary for 4.99.0 tcpdump release
    CVE-2018-16301: For the -F option handle large input files safely.
    Improve the contents, wording and formatting of the man page.
    Print unsupported link-layer protocol packets in hex.
    Add support for new network protocols and DLTs: Arista, Autosar SOME/IP,
      Broadcom LI and Ethernet switches tag, IEEE 802.15.9, IP-over-InfiniBand
      (IPoIB), Linux SLL2, Linux vsockmon, MACsec, Marvell Distributed Switch
      Architecture, OpenFlow 1.3, Precision Time Protocol (PTP), SSH, WHOIS,
      ZigBee Encapsulation Protocol (ZEP).
    Make protocol-specific updates for: AH, DHCP, DNS, ESP, FRF.16, HNCP,
      ICMP6, IEEE 802.15.4, IPv6, IS-IS, Linux SLL, LLDP, LSP ping, MPTCP, NFS,
      NSH, NTP, OSPF, OSPF6, PGM, PIM, PPTP, RADIUS, RSVP, Rx, SMB, UDLD,
      VXLAN-GPE.
    User interface:
      Make SLL2 the default for Linux "any" pseudo-device.
      Add --micro and --nano shorthands.
      Add --count to print a counter only instead of decoding.
      Add --print, to cause packet printing even with -w.
      Add support for remote capture if libpcap supports it.
      Display the "wireless" flag and connection status.
      Flush the output packet buffer on a SIGUSR2.
      Add the snapshot length to the "reading from file ..." message.
      Fix local time printing (DST offset in timestamps).
      Allow -C arguments > 2^31-1 GB if they can fit into a long.
      Handle very large -f files by rejecting them.
      Report periodic stats only when safe to do so.
      Print the number of packets captured only as often as necessary.
      With no -s, or with -s 0, don't specify the snapshot length with newer
        versions of libpcap.
      Improve version and usage message printing.
    Building and testing:
      Install into bindir, not sbindir.
      autoconf: replace --with-system-libpcap with --disable-local-libpcap.
      Require the compiler to support C99.
      Better detect and use various C compilers and their features.
      Add CMake as the second build system.
      Make out-of-tree builds more reliable.
      Use pkg-config to detect libpcap if available.
      Improve Windows support.
      Add more tests and improve the scripts that run them.
      Test both with "normal" and "x87" floating-point.
      Eliminate dependency on libdnet.
    FreeBSD:
      Print a proper error message about monitor mode VAP.
      Use libcasper if available.
      Fix failure to capture on RDMA device.
      Include the correct capsicum header.
    Source code:
      Start the transition to longjmp() for packet truncation handling.
      Introduce new helper functions, including GET_*(), nd_print_protocol(),
        nd_print_invalid(), nd_print_trunc(), nd_trunc_longjmp() and others.
      Put integer signedness right in many cases.
      Introduce nd_uint*, nd_mac_addr, nd_ipv4 and nd_ipv6 types to fix
        alignment issues, especially on SPARC.
      Fix many C compiler, Coverity, UBSan and cppcheck warnings.
      Fix issues detected with AddressSanitizer.
      Remove many workarounds for older compilers and OSes.
      Add a sanity check on packet header length.
      Add and remove plenty of bounds checks.
      Clean up pcap_findalldevs() call to find the first interface.
      Use a short timeout, rather than immediate mode, for text output.
      Handle DLT_ENC files *not* written on the same OS and byte-order host.
      Add, and use, macros to do locale-independent case mapping.
      Use a table instead of getprotobynumber().
      Get rid of ND_UNALIGNED and ND_TCHECK().
      Make roundup2() generally available.
      Resync SMI list
 against Wireshark.
      Fix many typos.

Co-Developed-by: Ivan Pavlov <AuthorReflex@gmail.com>
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-03 20:25:38 +02:00
Michael Yartys
442708dfe2 wpa_supplicant: compile with OCV support
Operating Channel Validation (OCV) is a security feature designed to
prevent person-in-the-middle multi-channel attacks. Compile -basic and
-full variants with support for OCV. This feature can be configured in the
wireless config by setting ocv equal to one of the following values:

0 = disabled (hostapd/wpa_supplicant default)
1 = enabled if wpa_supplicant's SME in use. Otherwise enabled only when the
    driver indicates support for operating channel validation.

Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
2022-07-03 20:25:38 +02:00
Michael Yartys
f60628f33c hostapd: enable compilation of OCV and add build feature discovery
Operating Channel Validation (OCV) is a security feature designed to
prevent person-in-the-middle multi-channel attacks. Compile the -basic and
-full variants of hostapd with this feature, and enable discovery of this
feature for future luci integration. OCV can be configured by setting ocv
equal to one of the following values in the wireless config:

0 = disabled (hostapd/wpa_supplicant default)
1 = enabled
2 = enabled in workaround mode - Allow STA that claims OCV capability to
    connect even if the STA doesn't send OCI or negotiate PMF.

Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
2022-07-03 20:25:38 +02:00
Etienne Champetier
35fec487e3 iptables: default to ip(6)tables-nft
OpenWrt now uses firewall4 (nft) by default,
so iptables should also default to nftables backend.

When multiple packages provide the same virtual package,
opkg pick the first one by alphabetical order,
so we rename iptables-legacy to iptables-zz-legacy and add
iptables-legacy in PROVIDES.

We also need to remove IPTABLES_NFTABLES config as
this cause recursive dependencies.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-06-29 00:57:56 +02:00
Stijn Tintel
6556cad99d hostapd: disable mbo by default
Enabling mbo by default on 802.11ax devices breaks for encryption types
that do not enable 802.11w by default. Disable mbo by default to fix
this. Enabling mbo by default on 802.11ax devices was not explained in
the commit message anyway.

Fixes: 6eee983656 ("hostapd: introduce mbo option")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-06-28 22:16:47 +03:00
Stijn Tintel
5c57f9bbea hostapd: support MBO in bss_transition_request
Support the use of MBO in the bss_transition_request ubus method.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
2022-06-28 03:23:51 +03:00
Stijn Tintel
6eee983656 hostapd: introduce mbo option
Introduce a new option mbo to toggle Multi Band Operation aka Agile
Multiband for a BSS.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
2022-06-28 03:23:51 +03:00
Stijn Tintel
eaad8dfc22 hostapd: enable MBO if 802.11ax is enabled
Multi Band Operation is required for 802.11ax certification, so let's
enable it if 802.11ax support is enabled.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
2022-06-28 03:23:51 +03:00
Stijn Tintel
48c321082c hostapd: add config symbol to enable MBO
Multi Band Operation aka Agile Multiband introduces new Transition
and Transition Rejection Reason Codes that should improve client
steering. Add a config symbol to enable it, and enable it by default for
the full variants.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
2022-06-28 03:23:50 +03:00
Konstantin Demin
f98bb1ffe5 dropbear: cherry-pick upstream commit 544f28a0
Resolves #10081

Reported-By: Chen Minqiang <ptpt52@gmail.com>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2022-06-27 00:57:15 +02:00
Nick Hainke
71b211d304 arptables: update to 0.0.5 and cleanup
Update to 0.0.5:

efae894 arptables 0.0.5 release
1f3c6bc libarptc: Simplify alloc_handle by using calloc()
4e5e23a Eliminate compiler warning about size passed to strncmp()
bf11d72 Add .gitignore
28b22d5 arptables: legacy renaming
988d6a4 arptables: cleanup sysvinit script
f4ab8f6 src: Remove support for libc5
047f37b src: Use stdint types
4bb2f83 arptables: Add MARK target
dbbe9f7 arptables: Add revision field for arptables userspace
935acea src: fix compilation warning
5700dbf src: cache in tree and use x_tables.h
4b7d6b0 arptables: remove dead dynamic hooks code
c299484 arptables: fix potential buffer overflow (author: dcb)
9fcaf70 arptables: add missing long option --set-counters and update documentation
36daba3 arptables: install man pages
f79b957 Add man pages for arptables-{save,restore}
c492c16 add GPL text
8f58693 fix potential buffer overflows reported by static analysis
ee4ec13 make static analysis tool happy (false positive)
b064d44 build an libarptc.a archive

Cleanup Makefile:
- Switch to release versions
- Use ftp(http) mirror
- Add PKG_LICENSE_FILES

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-06-27 00:57:15 +02:00
Nick Hainke
fe5d3a4204 ethtool: update to 5.18
9eabf30 Release version 5.18.
2b3ddcb ethtool: fec: Change the prompt string to adapt to current situations
d660dde pretty: add missing message descriptions for rings
aaeb16a pretty: support u8 enumerated types
6b320b8 rings: add support to set/get cqe size
41fddc0 update UAPI header copies
42e6c28 help: fix alignment of rx-buf-len parameter
e1d0a19 ethtool.8: Fix typo in man page
37f0586 Release version 5.17.
8c2984c strset: do not put a pointer to a local variable to nlctx
8fd02a2 ioctl: add the memory free operation after send_ioctl call fails
b9f25ea ethtool: Add support for OSFP transceiver modules
6e79542 features: add --json support
5ed5ce5 Merge branch 'next' into  master
b90abbb man: document recently added parameters
51a9312 tunables: add support to get/set tx copybreak buf size
a081c2a rings: add support to set/get rx buf len
d699bab Merge branch 'master' into next
52db6b9 Merge branch 'review/module-extstate' into next
6407b52 monitor: add option for --show-module/--set-module
1f35786 ethtool: Add transceiver module extended state
2d4c5b7 ethtool: Add ability to control transceiver modules' power mode
005908b Update UAPI header copies

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-06-27 00:57:15 +02:00
Nick Hainke
a74a853d0d nftables: update to 1.0.4
Needs libnftnl 1.2.2.

3eb0da9f build: Bump version to 1.0.4
a964d1b5 tests: shell: remove leftover modules on cleanup
818f7dde evaluate: reset ctx->set after set interval evaluation
3835de19 tests: shell: sets_with_ifnames release netns on exit
59bd944f optimize: segfault when releasing unsupported statement

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-06-24 17:10:24 +02:00
Nick Hainke
879dd95f43 nftables: clean up Makefile
Add PKG_LICENSE_FILES. Use SPDX.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-06-24 17:10:24 +02:00
Nick Hainke
8704e75d25 nftables: update to 1.0.3
Remove backport:
- 001-examples-compile-with-make-check.patch

87fdf683 build: Bump version to 1.0.3
c4ec825b nft: simplify chain lookup in do_list_chain
4f6724f1 intervals: fix compilation --with-mini-gmp
4c20fe95 json: update json output ordering to place rules after chains
57741350 netlink_delinearize: release last register on exit
d6fdb0d8 sets_with_ifnames: add test case for concatenated range
88b2345a segtree: add pretty-print support for wildcard strings in concatenated sets
806ab081 netlink: swap byteorder for host-endian concat data
c224aa6b intervals: deletion should adjust range not yet in the kernel
ea1f1c9f optimize: memleak in statement matrix
0a6dbfce optimize: merge nat rules with same selectors into map
743b0e81 optimize: do not clone unsupported statement
c8b35039 optimize: incorrect logic in verdict comparison
fc4da141 src: fix always-true assertions
d1289bff intervals: set on EXPR_F_KERNEL flag for new elements in set cache
721b9dec tests: add concat test case with integer base type subkey
22b750aa src: allow use of base integer types as set keys in concatenations
3ed9fada intervals: build list of elements to be added from cache
e45b4939 intervals: fix deletion of multiple ranges with automerge
3b7b22ae intervals: add elements with EXPR_F_KERNEL to purge list only
ea31855d netlink: remove unused argument from helper function
48204bd7 intervals: Simplify element sanity checks
ab1b21be intervals: unset EXPR_F_KERNEL for adjusted elements
e0beff27 src: restore interval sets work with string datatypes
3e8d934e intervals: support to partial deletion with automerge
7a6e1604 evaluate: allow for zero length ranges
3da9643f intervals: add support to automerge with kernel elements
7b061e63 mnl: update mnl_nft_setelem_del() to allow for more reuse
fdb8e0ff src: remove rbtree datastructure
81e36530 src: replace interval segment tree overlap and automerge
f1cc44ed src: add EXPR_F_KERNEL to identify expression in the kernel
ad43b84e segtree: add support for get element with sets that contain ifnames
06db2308 segtree: use correct byte order for 'element get'
4c6681a7 tests: add testcases for interface names in sets
5e393ea1 segtree: add string "range" reversal support
2fb4d7ea src: make interval sets work with string datatypes
403936c1 evaluate: string prefix expression must retain original length
ada50f84 segtree: split prefix and range creation to a helper function
ae7d32fc evaluate: keep prefix expression length
d2b23984 evaluate: make byteorder conversion on string base type a no-op
c36ecfc2 tests: py: Add meta time tests without 'meta' keyword
6fa4ff56 tests: py: Don't colorize output if stderr is redirected
f561a0cc tests: monitor: Hide temporary file names from error output
75fea8a5 tests: py: extend meta time coverage
4460b839 meta: fix compiler warning in date_type_parse()
02100978 meta: time: use uint64_t instead of time_t
4e0026dc include: add missing `#include`
ab74fb5b examples: add .gitignore file
bcad4761 tests: py: add inet/vmap tests
214494aa optimize: Restore optimization for raw payload expressions
82762ab6 src: allow to use integer type header fields via typeof set declaration
64bb3f43 src: allow to use typeof of raw expressions in set declaration
ff0f30e3 expression: typeof verdict needs verdict datatype
60f5c107 src: copy field_count for anonymous object maps as well
4cf97abf rule: Avoid segfault with anonymous chains
4e718641 evaluate: init cmd pointer for new on-stack context
1ea71c23 optimize: do not assume log prefix
3f36cc6c optimize: do not merge unsupported statement expressions
19960c8d optimize: incorrect assert() for unexpected expression type
3de1dbd2 optimize: more robust statement merge with vmap
99eb4696 optimize: fix vmap with anonymous sets
e8f0fa21 scanner: Fix for ipportmap nat statements
59d184be scanner: dup, fwd, tproxy: Move to own scopes
069a0450 scanner: meta: Move to own scope
2165324d scanner: at: Move to own scope
a67fce7f scanner: nat: Move to own scope
578467c1 scanner: policy: move to own scope
a1669709 scanner: flags: move to own scope
020372d9 scanner: reject: Move to own scope
543bf3c2 scanner: import, export: Move to own scopes
88105810 scanner: reset: move to own Scope
8a7e430a scanner: monitor: Move to own Scope
e5547017 scanner: rt: Extend scope over rt0, rt2 and srh
04c95f14 scanner: type: Move to own scope
62a95698 scanner: dst, frag, hbh, mh: Move to own scopes
a060d912 scanner: ah, esp: Move to own scopes
4e215fdf scanner: osf: Move to own scope
5166b298 scanner: dccp, th: Move to own scopes
3e04a6e2 scanner: udp{,lite}: Move to own scope
bbdcfbfa scanner: comp: Move to own scope.
232f2c32 scanner: synproxy: Move to own scope
26b53653 scanner: tcp: Move to own scope
f5722119 scanner: igmp: Move to own scope
a7d8cca9 scanner: icmp{,v6}: Move to own scope
5d837d27 src: add tcp option reset support
1d507ce7 build: explicitly pass --version-script to linker
e98a9b83 libnftables.map: export new nft_ctx_{get,set}_optimize API
9eb98b3b tests: add test case for flowtable with owner flag
18a08fb7 examples: compile with `make check' and add AM_CPPFLAGS

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-06-24 17:10:24 +02:00
Stijn Tintel
33e7f7c028 hostapd: document ubus methods
Document the ubus methods we added to hostapd so that people don't have
to read code to figure out which methods are available and what they do.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-06-21 16:19:42 +03:00
Alin Nastac
289c46869b 464xlat: delete SNATed conntracks on interface teardown
Existing conntracks will continue to be SNATed to 192.0.0.1 even after
464xlat interface gets teared down. To prevent this, matching
conntracks must be killed.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2022-06-19 21:54:05 +02:00
David Bauer
dab91036d6 hostapd: update to 2022-06-02
4383528e0 P2P: Use weighted preferred channel list for channel selection
f2c5c8d38 QCA vendor attribute to configure RX link speed threshold for roaming
94bc94b20 Add QCA vendor attribute for DO_ACS to allow using existing scan entries
b9e2826b9 P2P: Filter 6 GHz channels if peer doesn't support them
d5a9944b8 Reserve QCA vendor sub command id 206..212
ed63c286f Remove space before tab in QCA vendor commands
e4015440a ProxyARP: Clear bridge parameters on deinit only if hostapd set them
02047e9c8 hs20-osu-client: Explicit checks for snprintf() result
cd92f7f98 FIPS PRF: Avoid duplicate SHA1Init() functionality
5c87fcc15 OpenSSL: Use internal FIPS 186-2 PRF with OpenSSL 3.0
9e305878c SAE-PK: Fix build without AES-SIV
c41004d86 OpenSSL: Convert more crypto_ec_key routines to new EVP API
667a2959c OpenSSL: crypto_ec_key_get_public_key() using new EVP_PKEY API
5b97395b3 OpenSSL: crypto_ec_key_get_private_key() using new EVP_PKEY API
177ebfe10 crypto: Convert crypto_ec_key_get_public_key() to return new ec_point
26780d92f crypto: Convert crypto_ec_key_get_private_key() to return new bignum
c9c2c2d9c OpenSSL: Fix a memory leak on crypto_hash_init() error path
6d19dccf9 OpenSSL: Free OSSL_DECODER_CTX in tls_global_dh()
4f4479ef9 OpenSSL: crypto_ec_key_parse_{priv,pub}() without EC_KEY API
b092d8ee6 tests: imsi_privacy_attr
563699174 EAP-SIM/AKA peer: IMSI privacy attribute
1004fb7ee tests: Testing functionality to discard DPP Public Action frames
355069616 tests: Add forgotten files for expired IMSI privacy cert tests
b9a222cdd tests: sigma_dut and DPP curve-from-URI special functionality
fa36e7ee4 tests: sigma_dut controlled STA and EAP-AKA parameters
99165cc4b Rename wpa_supplicant imsi_privacy_key configuration parameter
dde7f90a4 tests: Update VM setup example to use Ubuntu 22.04 and UML
426932f06 tests: EAP-AKA and expired imsi_privacy_key
35eda6e70 EAP-SIM peer: Free imsi_privacy_key on an error path
1328cdeb1 Do not try to use network profile with invalid imsi_privacy_key
d1652dc7c OpenSSL: Refuse to accept expired RSA certificate
866e7b745 OpenSSL: Include rsa.h for OpenSSL 3.0
bc99366f9 OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1
39e662308 tests: Work around reentrant logging issues due to __del__ misuse
72641f924 tests: Clean up failed test list in parallel-vm.py
e36a7c794 tests: Support pycryptodome
a44744d3b tests: Set ECB mode for AES explicitly to work with cryptodome
e90ea900a tests: sigma_dut DPP TCP Configurator as initiator with addr from URI
ed325ff0f DPP: Allow TCP destination (address/port) to be used from peer URI
e58dabbcf tests: DPP URI with host info
37bb4178b DPP: Host information in bootstrapping URI
1142b6e41 EHT: Do not check HE PHY capability info reserved fields
7173992b9 tests: Flush scan table in ap_wps_priority to make it more robust
b9313e17e tests: Update ap_wpa2_psk_ext_delayed_ptk_rekey to match implementation
bc3699179 Use Secure=1 in PTK rekeying EAPOL-Key msg 1/4 and 2/4
d2ce1b4d6 tests: Wait for request before responding in dscp_response

Compile-tested: all versions / ath79-generic, ramips-mt7621
Run-tested: hostapd-wolfssl / ath79-generic, ramips-mt7621

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-06-18 22:11:12 +02:00
Stijn Tintel
e8433fb433 firewall4: bump to git HEAD
11f5c7b fw4.uc: fix zone helper assignment
  b9d35ff fw4.uc: don't skip zone for unavailable helper
  e35e26b tests: add test for zone helpers
  a063317 ruleset: fix conntrack helpers
  e1cb763 ruleset: reuse zone-jump.uc template for notrack and helper chain jumps
  11410b8 ruleset: reorder declarations & output tweaks
  880dd31 fw4: fix skipping invalid IPv6 ipset entries
  5994466 fw4: simplify `is_loopback_dev()`
  53886e5 fw4: fix crash in parse_cthelper() if no helpers are present
  11256ff fw4: add support for configurable includes
  3b5a033 tests: add test coverage for firewall includes
  d79911c fw4: support sets with timeout capability but without default expiry
  15c3831 fw4: add support for `option log` in rule and redirect sections

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-06-17 18:15:50 +03:00
David Bauer
574539ee2c hostapd: add owe_transition_ifname
Add the owe_transition_ifname config option to wifi-ifaces.

This allows to configure OWE transition VAPs without adding SSID / BSSID
to the uci conifg but instead autodiscovering these parameters from
other networks on the same PHY.

The following configuration creates a OWE transition mode network
constellation.

config wifi-iface 'open0'
	option device 'radio0'
	option ifname 'open0'
	option network 'lan'
	option mode 'ap'
	option ssid 'FreeNet'
	option encryption 'none'
	option owe_transition_ifname 'owe0'

config wifi-iface 'owe0'
	option device 'radio0'
	option ifname 'owe0'
	option network 'lan'
	option mode 'ap'
	option ssid 'owe_tm.FreeNet'
	option encryption 'owe'
	option hidden '1'
	option owe_transition_ifname 'open0'

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-06-16 11:07:19 +02:00
Rafał Miłecki
d75bb744ea swconfig: parse "switch_vlan" before "switch_port"
Before this change UCI sections of both types were parsed in order as
specified in UCI. That didn't work well with all drivers (e.g. b53).

It seems that VLAN setup can reset / overwrite previously set ports
parameters. It resulted in "switch_port" options defined above
"switch_vlan"s being silently ignored.

Ideally swconfig & all drivers should be improved to handle that
properly but it'd be a waste of time at this point as DSA replaces
swconfig. Use this minor parsing change as a quick fix.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2022-06-15 10:44:32 +02:00
Robert Marko
f03b20837b hostapd: fix feature detection
Fix hostapd feature detection after the bump to 2022-05-08.
getopt was not updated correctly after upstream added support for -q arg.

This reenables feature detection so that LuCi can check for features like
SAE, fast roaming etc.

Fixes: c35ff1affe ("hostapd: update to 2022-05-08")
Signed-off-by: Robert Marko <robimarko@gmail.com>
2022-06-12 23:03:36 +02:00
Stijn Tintel
bbce9f84ec iw: bump to 5.19
7e06706 iw: event: report missing radar events
  5909e73 iw: survey: add support for radio stats
  64bf570 update nl80211.h
  0900996 iw: print Radar background capability if supported
  56c6077 iw: print out assoc comeback event
  a4e5418 iw: support 160MHz frequency command for 6GHz band
  5a71b72 iw: Print local EHT capabilities
  e3287a1 station: print EHT rate information
  ff67fb2 iw: fix double tab in mesh path header
  05a5267 iw: fix 'upto' -> 'up to'
  00a2985 iw: handle VHT extended NSS
  82e0bd1 update nl80211.h
  c95877c info: add missing extended features
  0976378 info: refactor extended features
  79f20cb bump version to 5.19

Sync nl80211.h with our version of mac80211 and remove parts of the iw
code that are not supported by our version of mac80211.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-06-11 16:03:14 +03:00
David Bauer
b72c7db229 hostapd: fix missing HS20 support for hostapd-full
commit c3a4cddaaf ("hostapd: remove hostapd-hs20 variant")
as well as
commit 9f1927173a ("hostapd: wpas: add missing config symbols")
indicate hostapd-full should support Hotspot 2.0 already, but only
wpa_supplicant (and wpad) do.

How this happened is not really clear, as no commit adding support for
Hotspot 2.0 is in the history.

Fix this and add Hotspot 2.0 capability to hostapd-full.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-06-08 23:17:09 +02:00
David Bauer
6ee4383350 hostapd: ubus: add bss-color to get_status
Add the current BSS color to hostapd get_status method. This field is
set to -1 in case BSS color is not active for the BSS.

Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-06-08 23:16:20 +02:00
David Bauer
6c152ce5b0 hostapd: randomize default BSS color
In case no specific BSS color is configured, set it to a random value.

Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-06-08 23:16:12 +02:00
David Bauer
c35ff1affe hostapd: update to 2022-05-08
Update hostapd to Git HEAD from 2022-05-08. This allows us to take
advantage of background radar-detection as well as BSS color collision
detection.

Suggested-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-06-08 23:16:06 +02:00
Bernd Naumann
98d91e4d5e hostapd: Radius based VLANs on AP with PSK
This patch allows the user to set `auth_server` and related settings on
non WPA2 Enterprise AP modes in `/etc/config/wireless`, too, so the
Radius Attributes for Dynamic VLAN Assignment can be fetched from Radius.

Without this patch, `auth_server` and other needed options are only
written to `hostapd-phy<n>.conf` when `option encryption wpa2` is set.

`hostapd` however supports "Station MAC address -based authentication" for
non WPA Enterprise Modes, too.

A classic approch is to use `accept_mac_file` which contains MAC addr
and VLAN-ID pairs. But, using `accept_mac_file` does not support
VLAN assignment for unknown stations.

This is a sample `freeradius3` config, where a known station
("7e:a6:a7:2a:93:d2") is assigned to VLAN `65` and unknown stations are
assigned to VLAN `67`.

```
"7ea6a72a93d2" Cleartext-Password := "7ea6a72a93d2"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = 65

DEFAULT Cleartext-Password := "%{User-Name}"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = 67
```

Other option is to configure known stations via `accept_mac_file` and
using only Radius for unknown stations.

I tested this patch only with `wpa_key_mgmt=WPA-PSK`, and assumed that
it should work with other Encryption/Access Mode, too.

Signed-off-by: Bernd Naumann <bernd.naumann@kr217.de>
2022-06-08 16:04:04 +02:00
Stijn Tintel
d5e48a1e8e hostapd: drop wnm_disassoc_imminent
All known users of this ubus method have been updated to use the new
bss_transition_request method instead.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
2022-06-06 11:19:20 +03:00
Daniel Golle
7eb83b2015
netifd: update to git HEAD
2e1fcf4 netifd: fix hwmode for 60g band
 39ef9fe interface-ip: fix memory corruption bug when using jail network namespaces

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-06-01 20:49:14 +01:00
Christian 'Ansuel' Marangi
419a7ad2dd uhttpd: update to latest Git HEAD
d59d732 client: fix compilation error with GCC 12
51283f9 fix compiler uninitialized variable

Signed-off-by: Christian 'Ansuel' Marangi <ansuelsmth@gmail.com>
2022-06-01 14:41:46 +02:00
Jo-Philipp Wich
a7ddef6ef1 firewall4: update to latest Git HEAD
210991d fw4: prefer /dev/stdin if available
4e5e322 fw4: make `fw4 restart` behavior more robust
221040e ruleset: emit time ranges when both start and stop times are specified
30a7d47 fw4: fix datetime parsing
fb9a6b2 ruleset: correct mangle_output chain type
6dd2617 fw4: fix logic flaw in testing hw flow offloading support
c7c9c84 fw4: ensure that negative bitcounts are properly translated
c4a78ed fw4: fix typo in emitted set types

Fixes: #9764, #9923, #9927, #9935, #9955
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-05-31 21:17:37 +02:00
Felix Fietkau
24cc341fdc netifd: update to the latest version
4b4849cf5e5a interface-ip: unify host and proto route handling
507c0513d176 interface-ip: add support for excluding interfaces in host route lookup

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-05-23 14:12:44 +02:00
Jo-Philipp Wich
2df17604a4 firewall4: update to latest Git HEAD
c22eeef fw4: support negative CIDR bit notation
628d791 hotplug: reliably handle interfaces with ubus zone hints
d005293 fw4: store zone associations from ubus in statefile as well
b268225 fw4: filter non hw-offload capable devices when resolving lower devices
57984e0 fw4: always resolve lower flowtable devices
7782017 tests: fix mocked `fd.read("line")` api
72b196d config: remove restictions on DHCPv6 allow rule
f0cc317 fw4: refactor family selection for forwarding rules
b0b8122 treewide: use modern syntax
05995f1 fw4: fix emitting device jump rules for family restricted zones
b479815 fw4: fix family auto-selection for config nat rules
2816a82 ruleset: ensure that family-agnostic ICMP rules cover ICMPv6 as well
2379c3d tests: add test coverage for zone family selection logic

Fixes: #5066, #9611, #9765, #9854
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-05-20 19:53:04 +02:00
Tiago Gaspar
65258f5d60 firewall: config: remove restictions on DHCPv6 allow rule
Remove restrictions on source and destination addresses, which aren't
specified on RFC8415, and for some reason in openwrt are configured
to allow both link-local and ULA addresses.
As cleared out in issue #5066 there are some ISPs that use Gloabal
Unicast addresses, so fix this rule to allow them.

Fixes: #5066

Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
[rebase onto firewall3, clarify subject, bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-05-04 15:26:16 +02:00
Jan Hoffmann
1daaef31b3 ltq-vdsl-app: disconnect when service is stopped
Stop the connection when the control daemon is terminated. The code is
a modified version of the termination routine in version 4.23.1 of the
daemon (which doesn't support VR9 modems anymore).

This could also be implemented by calling the acos and acs commands via
dsl_cpe_pipe.sh in the init script. However, doing it in the daemon
itself has the advantage of also working if it is terminated in another
way (for example during sysupgrade).

Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
2022-05-04 01:38:04 +01:00
Daniel Golle
51c442c265
uqmi: update to git HEAD
56cb2d4 nas: add decoding of cell_id
 9a9019a uqmi: wms - added storage to read text messages

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-05-04 01:33:21 +01:00
Bruno Victal
0276fab649 dnsmasq: fix jail_mount for serversfile
Fix 'serversfile' option not being jail_mounted by the init script.

Signed-off-by: Bruno Victal <brunovictal@outlook.com>
2022-05-02 18:57:49 +01:00
David Bauer
f757a8a098 iwinfo: update to latest HEAD
dc6847e iwinfo: nl80211: omit A-hwmode on non-5GHz hardware

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-04-27 00:54:24 +02:00
Daniel Golle
2b5fa44f60
dnsmasq: add logfacility file to jail mounts
If logfacility is a path to a file it needs to be r/w mounted in the
sandbox as well for dnsmasq to work.

Reported-by: @iointerrupt
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-04-25 19:28:12 +01:00
David Bauer
46980294f6 iwinfo: update to latest HEAD
a479b9b devices: remove whitespace
562d015 iwinfo: nl80211: fix hwmode parsing for multi-band NICs

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-04-24 23:09:51 +02:00
Jo-Philipp Wich
af02a12d7c firewall4: update to latest Git HEAD
fc83d46 ruleset: set auto-merge directive for interval sets
9bce873 fw4: fix skipping invalid ipset entries
425ea8a fw4: fix applying zone flags for source bound rules

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-04-22 00:50:36 +02:00
Cezary Jackiewicz
e02fb42c53 comgt: support ZTE MF286R modem
The modem is based on Marvell PXA1826 and uses ACM+RNDIS interface to
establish connection with custom commands specific to ZTE modems.
Two variants of modems were discovered, some identifying themselves
as "ZTE", and others as plain "Marvell", the chipset manufacturer.
The modem itself runs a fork of OpenWrt inside, which root shell can be
accessed via ADB interface.

Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-04-16 14:02:11 +02:00
Lech Perczak
ed7957810c comgt: ncm: try to detect interface for ttyACM ports
Some modems expose ttyACM as their control ports, which have the
"device" symlink pointing one level down in sysfs tree. Try to find
network interfaces for them as well, this is commonly used for modems
exposing ACM + RNDIS or ACM + ECM interface combinations.

Co-developed-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-04-16 14:02:11 +02:00
Lech Perczak
b2940bb8b2 comgt: ncm: select first available network interface for device
Some modems expose multiple network interfaces on the same USB device,
causing the connection setup script to fail, because glob matching in
the detection phase causes 'ls' to output more than one interface name
plus their base directories in sysfs. Avoid that by listing the
directories explicitly and then selecting first available interface.
This is the case for some variants of ZTE MF286R built-in modem, which
exposes both RNDIS and CDC-ECM network interfaces, causing the
connection setup to fail.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-04-16 14:02:11 +02:00
Lech Perczak
a67629bbe2 comgt: ncm: allow specification of interface name
Add ifname property to UCI, which can be used to override the
autodetected interface name in case the detection fails due to having
none or more than one interface exposed by the modem, which is not
explicitly linked to TTY port. This is needed on certain variants of ZTE
MF286R built-in modem, which exposes both RNDIS and CDC-ECM interfaces
on the modem, on which the automatic detection may select the wrong
network interface.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-04-16 14:02:11 +02:00
Daniel Golle
c5f113c43f
netifd: relax check in dhcp proto handler
Checking whether /sbin/udhcpc is a symbolic link breaks using the
DHCP proto handler inside procd-ujail where bind-mounts are used for
the resolved link. Check whether /sbin/udhcpc is executable instead
to allow using the proto handler for DHCP-provisioned containers.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-04-13 19:51:00 +01:00
Rui Salvaterra
435d7a052b firewall3: bump to latest git HEAD
4cd7d4f Revert "firewall3: support table load on access on Linux 5.15+"
50979cc firewall3: remove unnecessary fw3_has_table

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2022-04-13 17:08:17 +01:00
Eneas U de Queiroz
1135b75d1f nftables: add CONFLICT between versions
Have nftables-json conflict with nftables-nojson.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-04-11 21:41:03 +02:00
Konstantin Demin
65256aee23 dropbear: bump to 2022.82
- update dropbear to latest stable 2022.82;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- use $(AUTORELEASE) in PKG_RELEASE
- use https for all uris
- refresh all patches
- rewrite patches:
  - 100-pubkey_path.patch
  - 130-ssh_ignore_x_args.patch

binary/pkg size changes:
- ath79/generic, mips:
  - binary: 215112 -> 219228 (+4116)
  - pkg: 111914 -> 113404 (+1490)
- ath79/tiny, mips:
  - binary: 172501 -> 172485 (-16)
  - pkg: 89871 -> 90904 (+1033)

Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2022-04-09 19:31:31 +02:00
Felix Fietkau
0392644083 qosify: update to the latest version
92f5e18675bf interface: fix ifname present check in interface status
ef82defaae26 ubus: add active devices to bridger blacklist

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-04-08 13:07:47 +02:00
Jo-Philipp Wich
1a35ac9990 firewall4: update to latest Git HEAD
a378883 fw4: fix emitting family specific redirect rules without any addrs
11feddf fw4: bracketize IPv6 addresses in dnat addr:port notation
9972f7d fw4: ensure to capitalize weekday names
fde8070 treewide: forward compatibility changes

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-04-08 10:45:46 +02:00
David Bauer
f6445cfa1a hostapd: add ubus link-measurements notifications
Notify external ubus subscribers of received link-measurement reports.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-04-08 01:19:29 +02:00
David Bauer
965aa33a18 hostapd: add ubus method for requesting link measurements
Add a ubus method to request link-measurements from connected STAs.

In addition to the STAs address, the used and maximum transmit power can
be provided by the external process for the link-measurement. If they
are not provided, 0 is used as the default value.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-04-08 01:19:18 +02:00
David Bauer
2ca5c3da04 hostapd: add support for enabling link measurements
Allow external processes to enable advertisement of link-measurement RRM
capability.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-04-08 01:19:10 +02:00
Valentyn Datsko
76f55e3c3f
dnsmasq: add procd interface index tracking
Problem exist when dnsmasq is exclusively bind to particular interface.
After reconfiguring or restarting this interface, its index changes, but
dnsmasq uses the old one. When this problem occurs, dnsmasq does not
listen on the correct interface so DHCP does not work, and clients do not
get an IP address. Procd netdev param can be added to restart dnsmasq when
the interface index is changed.

Signed-off-by: Valentyn Datsko <valikk.d@gmail.com>
[combined into a single &&-connected statement]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-04-06 17:32:42 +01:00
Felix Fietkau
64f629e207 bridger: add bridge forwarding accelerator
This package uses BPF to create a fast path which improves bridging performance
by bypassing the bridge layer. It also supports creating tc offload rules for
hardware that supports it.
Hardware offload support can be used with MT7622 + MT7915 once it is merged

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-04-06 14:13:26 +02:00
Felix Fietkau
c38b2c5f16 qosify: update to the latest version
Replace the tc-full dependency with tc + libnl-tiny

1cd5e12eecdc loader/interface: attach bpf program directly using netlink

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-04-05 21:28:32 +02:00
Daniel Golle
ee7cb5e885
uqmi: fix acquiring PIN status
Evaluating the return value of 'json_load' didn't work in the
intended way resulting in PIN status no longer being read on modems
where --get-pin-status doesn't fail.
Fix this by trying --get-pin-status first and checking if pin1_status
field exists in JSON, and if it doesn't try again with
--uim-get-sim-state.

Fixes: #9501
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-03-24 18:45:19 +00:00
Hans Dedecker
73c6d8fd04 odhcpd: update to git HEAD
860ca90 odhcpd: Support for Option NTP and SNTP
83e14f4 router: advertise removed addresses as invalid in 3 consecutive RAs

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2022-03-22 22:03:37 +01:00
Felix Fietkau
af434e0da2 qosify: update to the latest version
57c7817f91c2 qosify: fix dscp values of ubus-added dns host entries

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-03-22 10:28:28 +01:00
Felix Fietkau
81f3c4dbcd qosify: update to the latest version
391a9fbd5ace dns: fix parsing vlan encapsulated protocol
6aeeddbc91ad interface: extend dns filters to cover vlan tagged traffic as well
1ab53d4ca601 bpf: return TC_ACT_UNSPEC to allow other filters to proceed
ca21e729af23 interface: switch to using clsact for filters
5d158f6b3c15 interface: run ingress bpf filter on main device ingress instead of ifb egress
bdfcb11847ce interface: fix duplicated dns filter line
b97405aa632a Revert "ubus: remove dnsmasq subscriber"
8fbaf39dbc95 interface: rework adding/removing filters, do not delete clsact
d7ba5804eae4 interface: replace open-coded ifb-dns string with QOSIFY_DNS_IFNAME
91cf440db9e2 loader: fix use of deprecated functions

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-03-21 20:27:15 +01:00
Jan Hoffmann
b35d33c8b8 ltq-vdsl-app: set MAC address for vectoring error reports
This tells the modem about the WAN MAC address, which is used as source
address for vectoring error reports that are generated by the firmware.

It needs to be set early, as the MEI driver only actually writes the
value to the modem when is in reset state (i.e. the firmware has been
loaded, but connection has not started yet).

Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
2022-03-21 12:28:34 +00:00
Etienne Champetier
30c15d06e8 iptables: bump PKG_RELEASE
Following {arp,eb}tables-nft addition, bump PKG_RELEASE

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Etienne Champetier
66bb6dde36 iptables: add {arp,eb}tables-nft
Add a patch to add some missing init_extensions{a,b}() calls
Package lib{arp,eb}t_*.so

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Etienne Champetier
c913be1da1 iptables: add xtables-nft package
This allows to install ip6tables-nft without iptables-nft
This prepare the addition of {arp,eb}tables-nft

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Etienne Champetier
afb6824a2c iptables: add xtables-legacy package
This allows to install ip6tables-legacy without iptables-legacy

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Etienne Champetier
905b49920f ebtables: rename to ebtables-legacy
This prepare the introduction of ebtables-nft.
Add PROVIDES so dependencies are not broken,
use ALTERNATIVES.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Etienne Champetier
2f5088ef5f arptables: rename package to arptables-legacy
This prepare the introduction of arptables-nft.
Add PROVIDES so dependencies are not broken,
use ALTERNATIVES.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-19 16:13:58 +01:00
Josef Schlehofer
013b043564 iwinfo: update to latest Git head
Changelog:
90bfbb9 devices: Add Cypress CYW43455
234075b devices: fix AMD RZ608 format
0e2a318 devices: add AMD RZ608 device-id

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2022-03-19 16:13:58 +01:00
Felix Fietkau
54aab4e719 bpftools: fix library path on 64 bit systems
drop the use of LIB_SUFFIX

Fixes: 00cbf6f6ab ("bpftools: update to standalone bpftools + libbpf, use the latest version")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-03-19 13:29:15 +01:00
Felix Fietkau
00cbf6f6ab bpftools: update to standalone bpftools + libbpf, use the latest version
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-03-19 07:30:06 +01:00
Etienne Champetier
e9c99e0f7f iptables: backport missing init_extensions6() calls
This fixes ip6tables-nft no being able to use built-in
extensions like icmp6.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-03-13 19:24:13 +01:00
Florian Eckert
e5440ec871 ipset: add backport patch for IPv6 nftables ipset-translation
When porting mwan3 from iptables to nftables I tried the new translation
tool for ipset ipset-translate. I noticed that no IPv6 ipset can be
created with the tool. I have reported the problem to the upstream
project and the following patch fixes the problem.

Until this upsream is included in a new release, this patch should be
used in Openwrt.

https://lore.kernel.org/netfilter-devel/20220228190217.2256371-1-pablo@netfilter.org/T/#m09cc3cb738f2e42024c7aecf5b7240d9f6bbc19c

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2022-03-13 19:24:13 +01:00
Daniel Golle
2a801ee562
uqmi: update to git HEAD
44dd095 uqmi: corrected too short received SMS

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-03-12 11:07:27 +00:00
Lech Perczak
c8a88118af uqmi: set CID during 'query-data-status' operation
Modems used in ZTE mobile broadband routers require to query the data
session status using the same CID as one used to establish the session,
otherwise they will report the session as "disconnected" despite
reporting correct PDH in previous step. Without this change, IPv6
connection on these modems doesn't establish properly. In IPv4 this bug
is present as well, but for some reason querying of IPv4 status works
using temporary CID, this however seems noncompliant with QMI
specifications, so fix it as well.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-03-12 10:38:11 +00:00
Yousong Zhou
289fbc5102 iptables: add iptables-mod-socket
Previously libxt_socket.so was included in iptables-mod-tproxy.  It was
missed out when trying to make kmod-ipt-socket and kmod-ipt-tproxy
separate packages

Fixes: 4f443c88 ("netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxy")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2022-03-10 10:43:32 +08:00
Josef Schlehofer
d71928c1e3 nftables: update to version 1.0.2
Changelog:
https://lwn.net/ml/netdev/YhO5Pn+6+dgAgSd9@salvia/

Patches:

removed:
- 001-parser-allow-quoted-string-in-flowtable_expr_member:
it is now part of upstream release [1]

added:
- 001-examples-compile-with-make-check.patch:
backported from [2], it fixes:

nft-json-file.c:3:10: fatal error: nftables/libnftables.h: No such file or directory
    3 | #include <nftables/libnftables.h>
      |          ^~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.

[1] https://git.netfilter.org/nftables/commit/?h=v1.0.2&id=07af4429241c9832a613cb8620331ac54257d9df
[2] https://git.netfilter.org/nftables/commit/?id=18a08fb7f0443f8bde83393bd6f69e23a04246b3

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2022-03-07 21:44:53 +01:00
Felix Fietkau
759149977e qosify: update to the latest version
3276aed81c73 move run_cmd() to main.c
558eabc13c64 map: move dns host based lookup code to a separate function
6ff06d66c36c dns: add code for snooping dns packets
a78bd43c4a54 ubus: remove dnsmasq subscriber
9773ffa70f1f map: process dns patterns in the order in which they were defined
f13b67c9a786 dns: allow limiting dns entry matching to cname name

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-03-06 23:01:24 +01:00
Hauke Mehrtens
921392e216 iproute2: Remove libxtables from some tc variants
This adds the new tc-bpf variant and removes libxtables dependency from
the tc-tiny variant. The tc-full variant stays like before and contains
everything.

This allows to use tc without libxtables.

The variants have the following sizes:
root@OpenWrt:/# ls -al /usr/libexec/tc-*
-rwxr-xr-x    1 root     root        282453 Mar  1 21:55 /usr/libexec/tc-bpf
-rwxr-xr-x    1 root     root        282533 Mar  1 21:55 /usr/libexec/tc-full
-rwxr-xr-x    1 root     root        266037 Mar  1 21:55 /usr/libexec/tc-tiny

They are linking the following shared libraries:
root@OpenWrt:/# ldd /usr/libexec/tc-tiny
        /lib/ld-musl-mips-sf.so.1 (0x77d6e000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d4a000)
        libc.so => /lib/ld-musl-mips-sf.so.1 (0x77d6e000)
root@OpenWrt:/# ldd /usr/libexec/tc-bpf
        /lib/ld-musl-mips-sf.so.1 (0x77da6000)
        libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77d60000)
        libelf.so.1 => /usr/lib/libelf.so.1 (0x77d3e000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d1a000)
        libc.so => /lib/ld-musl-mips-sf.so.1 (0x77da6000)
        libz.so.1 => /usr/lib/libz.so.1 (0x77cf6000)
root@OpenWrt:/# ldd /usr/libexec/tc-full
        /lib/ld-musl-mips-sf.so.1 (0x77de8000)
        libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77da2000)
        libelf.so.1 => /usr/lib/libelf.so.1 (0x77d80000)
        libxtables.so.12 => /usr/lib/libxtables.so.12 (0x77d66000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d42000)
        libc.so => /lib/ld-musl-mips-sf.so.1 (0x77de8000)
        libz.so.1 => /usr/lib/libz.so.1 (0x77d1e000)

This is based on a patch from Tiago Gaspar.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-03-05 21:06:35 +01:00
Stijn Tintel
c2d7896a65 qosify: bump to git HEAD
interface: disable autorate-ingress by default

Also change the example config to reflect this.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-03-04 20:37:05 +02:00
Stijn Tintel
1848b25cdd qosify: add PKG_RELEASE
Without PKG_RELEASE, it's impossible to trigger package updates when
changing files included in the package that are not in the qosify git
repository.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Felix Fietkau <nbd@nbd.name>
2022-03-04 20:25:05 +02:00
Florian Eckert
ba6a48366f ipset: update to 7.15
Update to the latest upstream version. In this version there is a new
tool with which you can convert ipsets into nftables sets. Since we are
now using nftables as default firewall, this could be a useful tool for
porting ipsets to nftables sets.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2022-03-01 21:17:30 +01:00
Paul Spooren
038d5bdab1 layerscape: use semantic versions for LSDK
PKG_VERSION should not contain the package name but the version only.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2022-03-01 00:01:18 +01:00
Etienne Champetier
d95b74f7c9 iptables: bump PKG_RELEASE
Following dependencies rework, bump PKG_RELEASE

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
39d50a2008 iptables: move libiptext* to their own packages
iptables-nft doesn't depend on libip{4,6}tc, so move
libiptext* libs in their own packages to clean up dependencies
Rename libxtables-nft to libiptext-nft

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
795e7155cb iptables: rename to ip(6)tables-legacy, add PROVIDES
Using PROVIDES allows to have other packages continue to
depend on iptables and users to pick between legacy and nft
version.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
316c406e62 iptables: move IPTABLES_{CONNLABEL,NFTABLES} to libxtables
Those 2 configs are not specific to iptables(-legacy)

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
d35a573004 iptables: make mod depend on libxtables
'iptables-mod-' can be used directly by firewall3, by
iptables and by iptables-nft. They are not linked to
iptables but to libxtables, so fix the dependencies to allow
to remove iptables(-legacy)

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Etienne Champetier
50d3271966 iptables: fix libnftnl/IPTABLES_NFTABLES dependency
libxtables doesn't depend on libnftnl, iptables-nft does,
so move the dependency to not pull libnftnl with firewall3/iptables-legacy

Also libxtables-nft depends on IPTABLES_NFTABLES

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-28 21:52:01 +01:00
Nick Lowe
e8d048c5e0 hostapd: SAE - Enable hunting-and-pecking and H2E
Enable both the hunting-and-pecking loop and hash-to-element mechanisms
by default in OpenWRT with SAE.

Commercial Wi-Fi solutions increasingly frequently now ship with both
hunting-and-pecking and hash-to-element (H2E) enabled by default as this
is more secure and more performant than offering hunting-and-pecking
alone for H2E capable clients.

The hunting and pecking loop mechanism is inherently fragile and prone to
timing-based side channels in its design and is more computationally
intensive to perform. Hash-to-element (H2E) is its long-term
replacement to address these concerns.

For clients that only support the hunting-and-pecking loop mechanism,
this is still available to use by default.

For clients that in addition support, or were to require, the
hash-to-element (H2E) mechanism, this is then available for use.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2022-02-24 18:04:05 +01:00
Felix Fietkau
cbfce92367 qosify: update to the latest version
65b42032063f interface: add missing autorate-ingress options

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-20 18:13:14 +01:00
Petr Štetiar
d8bf730fe0 netifd: bump to version 2022-02-20
Contains following changes:

 136006b88826 cmake: fix usage of implicit library and include paths
 bc0e84d689e2 netifd: interface-ip: don't set fib6 policies if ipv6 disabled

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-02-20 10:52:55 +01:00
Eneas U de Queiroz
e6df13d0e1 hostapd: fallback to psk when generating r0kh/r1kh
The 80211r r0kh and r1kh defaults are generated from the md5sum of
"$mobility_domain/$auth_secret".  auth_secret is only set when using EAP
authentication, but the default key is used for SAE/PSK as well.  In
this case,  auth_secret is empty, and the default value of the key can
be computed from the SSID alone.

Fallback to using $key when auth_secret is empty.  While at it, rename
the variable holding the generated key from 'key' to 'ft_key', to avoid
clobbering the PSK.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
[make ft_key local]
Signed-off-by: David Bauer <mail@david-bauer.net>
2022-02-19 16:14:52 +01:00
David Bauer
6f78723977 hostapd: add STA extended capabilities to get_clients
Add the STAs extended capabilities to the ubus STA information. This
way, external daemons can be made aware of a STAs capabilities.

This field is of an array type and contains 0 or more bytes of a STAs
advertised extended capabilities.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-02-19 16:14:45 +01:00
Hauke Mehrtens
8f5875c4e2 tcpdump: Fix CVE-2018-16301
This fixes the following security problem:
The command-line argument parser in tcpdump before 4.99.0 has a buffer
overflow in tcpdump.c:read_infile(). To trigger this vulnerability the
attacker needs to create a 4GB file on the local filesystem and to
specify the file name as the value of the -F command-line argument of
tcpdump.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-12 23:22:05 +01:00
Jo-Philipp Wich
0d1220acdf firewall4: update to latest Git HEAD
53caa1a fw4: resolve zone layer 2 devices for hw flow offloading
9fe58f5 fw4: rework and fix family inheritance logic
8795296 tests: mocklib: fix infinite recursion in wrapped print()
281b1bc tests: change mocked wan interface type to PPPoE
93b710d tests: mocklib: forward compatibility change
1a94915 fw4: only stage reflection rules if all required addrs are known
5c21714 fw4: add device iifname/oifname matches to DSCP and MARK rules
3eacc97 tests: adjust 01_ruleset test case to latest changes

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-12 20:51:22 +01:00
Felix Fietkau
8072bf3322 qosify: update to the latest version
e230e71e0a12 map: fix copy-paste error in codepoints map
580d2ccf89f3 bpf: declare tcp_ports/udp_ports without typedef
8d6c19a81f3f ubus: fix a use-after-free bug

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-10 21:08:09 +01:00
Leonardo Mörlein
5406684087 wireguard-tools: allow generating private_key
When the uci configuration is created automatically during a very early
stage, where no entropy daemon is set up, generating the key directly is
not an option. Therefore we allow to set the private_key to "generate"
and generate the private key directly before the interface is taken up.

Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
Tested-by: Jan-Niklas Burfeind <git@aiyionpri.me>
2022-02-08 12:52:14 +01:00
David Bauer
04ed224543 hostapd: refresh patches
Refresh patches after updating to hostapd v2.10.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-02-08 00:21:41 +01:00
David Bauer
adb8c09a83 hostapd: update to v2.10
Upstreamed patches:
020-mesh-make-forwarding-configurable.patch
e6db1bc5da3fd7d5f4dba24aa102543b4749912f
550-WNM-allow-specifying-dialog-token.patch
979f19716539362f8ce60a77bf1b88fdcf5ba8e5
720-ACS-fix-channel-100-frequency.patch
2341585c349231af00cdef8d51458df01bc6965f
741-proxyarp-fix-compilation-with-Hotspot-2.0-disabled.patch
08bdf4f90de61a84ed8f4dd918272dd9d36e2e1f

Compile-tested: wpad-wolfssl hostapd-openssl
Run-tested: ath79-generic

Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-02-08 00:21:27 +01:00
Jo-Philipp Wich
ae75541594 firewall4: update to latest Git HEAD
a0518b6 fw4: gracefully handle unsupported hardware offloading
ac99eba init: fix boot action in init script

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 23:36:06 +01:00
Felix Fietkau
46e0eeb760 hostapd: automatically calculate channel center freq on chan_switch
Simplifies switching to different channels when on >= VHT80

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-07 17:01:18 +01:00
Jo-Philipp Wich
881a059977 uhttpd: update to latest Git HEAD
2f8b136 main: fix leaking -p/-s argument values
881fd3b ucode: adjust to latest ucode api
8b2868e file: specify UTF-8 as charset for dirlists, add option to override
3a5bd84 main: add ucode options to help text
16aa142 examples: add ucode handler example
3ceccd0 ucode: add ucode plugin support
f0f1406 examples: add example Lua handler script
9e87095 listen: avoid invalid memory access

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 11:44:36 +01:00
Jo-Philipp Wich
2dd6777f15 firewall4: update to latest Git HEAD
b54f462 fw4: parse traffic rules before forwarding rules
4d5af8b fw4: consolidate helper code
300c737 fw4: fix applying zone family restrictions to forwardings
eb9c25a tests: implement fs.opendir() mock interface
d30ff48 tests: fix mocked fs.popen() trace log
52831a0 fw4: improve flowtable handling
7cb10c8 fw4: disable "flow_offloading_hw" option for now
b2241a1 fw4: fix enabling NAT reflection rules for DNATs without explicit family

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 11:44:36 +01:00
Jo-Philipp Wich
3b1692c463 netifd: update to latest Git HEAD
fd4c9e1 system-linux: expose hw-tc-offload ethtool feature in device status dump
3d76f2e system-linux: add wrapper function for creating link config messages
88af2f1 system-linux: delete bridge devices using netlink
85c3548 system-linux: create bridge devices using netlink

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-02-07 11:44:36 +01:00
Felix Fietkau
03ea0405a6 mac80211: backport MBSSID/EMA support patches
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-03 15:16:47 +01:00
Etienne Champetier
0e32c6baf3 iptables: add ip{,6}tables-legacy{,-restore,-save} symlinks
Now that we can have both legacy and nft iptables variants
installed at the same time, install the legacy symlinks

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-03 00:02:31 +01:00
Etienne Champetier
3a5df36cf6 iptables: use ALTERNATIVES for ip(6)tables(-nft)
As nftables is now the default, ip(6)tables-nft gets higher priority

The removed symlinks ("$(CP)" line) will now be installed by the
ALTERNATIVES mechanism

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-03 00:02:31 +01:00
Etienne Champetier
b0bd6599e8 iptables: rework ip(6)tables-nft dependencies
according to iptables-nft man page,
"These tools use the libxtables framework extensions and hook to the nf_tables
kernel subsystem using the nft_compat module."

This means that to work, iptables-nft needs the same modules as
iptables legacy except the ip(6)table-{filter,mangle,nat,raw}
ip_tables, ip6tables.
When those modules are loaded iptables-nft-save output contains
"# Warning: iptables-legacy tables present, use iptables-legacy-save to see them"
But as long as it's empty it should not be a problem.

To have nft properly display the rules created by ip(6)tables-nft we need
all iptables targets and matches to be built as extension and not built-in
(/usr/lib/iptables/libip(6)t_*.so)

When switching a package to iptables-nft, you need to keep the
iptables-mod-* dependencies

This patch does minimal changes:
- remove the direct iptables-nft -> iptables dependency
- and more important add nft-compat dependency

The rule
iptables-nft -A OUTPUT -d 8.8.8.8 -m comment --comment "aaa" -j REJECT
becomes
table ip filter {
	chain OUTPUT {
		type filter hook output priority filter; policy accept;
		ip daddr 8.8.8.8 # xt_comment counter packets 0 bytes 0 # xt_REJECT
	}
}

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-03 00:02:31 +01:00
Etienne Champetier
4e7ad15904 iptables: fix ip6tables-nft description
ip6tables-nft packages ip6tables* utils not iptables*

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-02 23:24:03 +01:00
Etienne Champetier
a5c8811c04 iptables: fix ip6tables-extra description
The define was referencing ip6tables-mod-extra instead of ip6tables-extra

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2022-02-02 23:24:03 +01:00
Daniel Golle
4367d4f869
uqmi: update to git HEAD
f254fc5 uqmi: add support for get operating mode

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-02-02 02:37:21 +00:00
Hauke Mehrtens
cec4614df8 ethtool: Update to version 5.16
795f420 cmis: Rename CMIS parsing functions
369b43a cmis: Initialize CMIS memory map
da16288 cmis: Use memory map during parsing
6acaeb9 cmis: Consolidate code between IOCTL and netlink paths
d7d15f7 sff-8636: Rename SFF-8636 parsing functions
4230597 sff-8636: Initialize SFF-8636 memory map
b74c040 sff-8636: Use memory map during parsing
799572f sff-8636: Consolidate code between IOCTL and netlink paths
9fdf45c sff-8079: Split SFF-8079 parsing function
2ccda25 netlink: eeprom: Export a function to request an EEPROM page
86792db cmis: Request specific pages for parsing in netlink path
6e2b32a sff-8636: Request specific pages for parsing in netlink path
c2170d4 sff-8079: Request specific pages for parsing in netlink path
9538f38 netlink: eeprom: Defer page requests to individual parsers
664586e Merge branch 'review/next/module-mem-map' into master
50fdaec ethtool: Set mask correctly for dumping advertised FEC modes
c5e7133 cable-test: Fix premature process termination
73091cd sff-8636: Use an SFF-8636 specific define for maximum number of channels
837c166 sff-common: Move OFFSET_TO_U16_PTR() to common header file
8658852 cmis: Initialize Page 02h in memory map
27b42a9 cmis: Initialize Banked Page 11h in memory map
340d88e cmis: Parse and print diagnostic information
eae6a99 cmis: Print Module State and Fault Cause
82012f2 cmis: Print Module-Level Controls
d7b1007 sff-8636: Print Power set and Power override bits
429f2fc Merge branch 'review/cmis-diag' into master
32457a9 monitor: do not show duplicate options in help text
c01963e Release version 5.16.

The sizes of the ipk changed on MIPS 24Kc like this:
34317 ethtool_5.15-1_mips_24kc.ipk
34311 ethtool_5.16-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Jo-Philipp Wich
edb41fea66 firewall4: update to latest Git HEAD
16a1070 fw4.uc: handle zone masq6 option
5f61dbf ruleset: fix chain selection for mark and dscp targets
0bc844b ruleset: properly deal with wildcards in zone device selectors
101988d fw4: fix family comparisons
127dbc0 ruleset: emit AF specific rules for DSCP matches
d63cb89 fw4: fix parsing inverted numeric DSCP values
8c8a867 fw4: fix wrong `parse_network()` return value on `parse_subnet()` failure
f85bb2d ruleset: consolidate zone matches for raw_prerouting and raw_output chains
5669bc7 fw4: consolidate device grouping logic
94f03e0 ruleset: properly render redirect targets without port
fff9779 fw4: fix family selection logic for redirect rules
ca88fcd tests: update interface dump mock data
e60bb4b ruleset: support non-contiguous address masks
8fec51a fw4: fix potential crashes when parsing invalid redirect sections
c08eb44 fw4: fix redirect destination zone resolving
0df6ba0 fw4: fix address selection logic for DNAT reflection rules
60a2518 tests: add test coverage for redirect rules
e479eff fw4: add RFC-8622 'Least Effort' (LE) DSCP mark
ac8a737 ruleset: remove redundant syn check
bd5dc4b tests: run testcases in strict mode
3ee6a5c ruleset: fix undeclared variable access uncovered by strict mode

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-01-28 19:13:37 +01:00
Hans Dedecker
7edd10f9df netifd: update to git HEAD
ed71876 iprule: add support for uidrange

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2022-01-23 18:54:16 +01:00
Matthew Hagan
46ce629fe0 ipip: add 'nohostroute' option
Add the nohostroute option as available for gre and wg tunnels to
allow the user to prevent explicit creation of a route to the peer
address.

Signed-off-by: Matthew Hagan <mnhagan88@gmail.com>
2022-01-19 20:57:59 +01:00
David Bauer
2a31e9ca97 hostapd: add op-class to get_status output
Include the current operation class to hostapd get_status interface.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-01-14 22:12:44 +01:00
Hans Dedecker
d9064c31ca netifd: update to git HEAD
3043206 system: fix compilation with glibc 2.34

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2022-01-14 21:46:29 +01:00
Paul Spooren
0637093e8c iptables: enable nftable support by default
OpenWrt plans to move over to firewall4 which uses nftables under the
hood. To allow a smooth migration the package `iptables-nft` offer a
transparent wrapper to apply iptables rules to nftables.

Without the config option for nftables the package isn't installed and
therefore can't be tested. This commit enabled it and therefore provides
the wrapper.

The size of the iptables package increases from 25436 to 26500 Bytes.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2022-01-14 00:42:28 +01:00
Hans Dedecker
7f2052ef22 netifd: update to git HEAD
96902e8 Revert "netifd: add devtype to ubus call"
29e6acf netifd: add devtype to ubus call
7ccbf08 netifd: add devtype to ubus call

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2022-01-12 21:14:29 +01:00
Kevin Darbyshire-Bryant
e955a08340 firewall: update to latest HEAD
0f16ea5 options.c: add DSCP code LE Least Effort
24ba465 firewall3: remove redundant syn check
df1306a firewall3: fix locking issue
3624c37 firewall3: support table load on access on Linux 5.15+

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2022-01-10 11:45:15 +00:00
Stijn Tintel
0f50d3daff firewall4: bump to git HEAD
9a509d4 ruleset.uc: consolidate ip and ip6 offload
 21f311d ruleset.uc: don't trim newline before comment sign
 f121383 tests: enable flow offloading in tests
 550df40 tests: add test for unknown defaults option
 47c5a5b tests: add test for deprecated rule option
 69a89d6 tests: add test for unknown rule option
 07579df fw4.uc: handle interface zone option

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-01-09 17:38:18 +02:00
Andre Heider
5ee1e04517 ltq-vdsl: move to the default device name /dev/dsl_cpe_api/0
This makes patching it for ltq-vdsl-app unnecessary and paves the way
for VRX518 support.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2022-01-08 00:49:59 +01:00
Stijn Tintel
4d1f133561 firewall4: bump to git HEAD
main.uc: fix device gathering

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-01-06 21:30:14 +02:00
Jo-Philipp Wich
7881dce7d8 firewall4: fix syntax error in dependency spec
Fixes: ae60af8572 ("firewall4: order DEPENDS alphabetically")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-01-06 16:58:06 +01:00
Stijn Tintel
53b87a7a28 firewall/firewall4: provide uci-firewall
Provide uci-firewall via PROVIDES in both firewall and firewall4. This
will allow us to change the dependency of luci-app-firewall to
uci-firewall, making it possible to use it with either implementation.

Move CONFLICTS from firewall4 to firewall, to solve this recursive
dependency problem:

tmp/.config-package.in:307:error: recursive dependency detected!
tmp/.config-package.in:307:     symbol PACKAGE_firewall is selected by PACKAGE_firewall4
tmp/.config-package.in:328:     symbol PACKAGE_firewall4 depends on PACKAGE_firewall

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2022-01-06 14:54:50 +02:00
Stijn Tintel
3ec25a657d firewall4: bump to git HEAD
4ead2a6 treewide: move executables to /sbin
 9ebc2f4 fw4.uc: filter duplicates in fw4.set
 85b74f3 treewide: support flow offloading
 be3b4e6 treewide: support hardware flow offloading
 38889b7 treewide: support set timeout
 31c7550 fw4.uc: do not skip defaults with invalid option
 334a127 fw4.uc: introduce DEPRECATED flag
 7a0d38f fw4.uc: add _name as deprecated option
 5e7ad3b fw4.uc: don't fail on unknown options
 be5f4e3 fw4.uc: allow use of cidr in ipsets

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2022-01-06 14:54:43 +02:00
Stijn Tintel
ae60af8572 firewall4: order DEPENDS alphabetically
Add some line breaks while at at, to improve readability.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2022-01-06 14:54:06 +02:00
Stijn Tintel
3d4acc34bb firewall4: drop kmod-ipt-nat from CONFLICTS
The limitation of not being able to use iptables and nft nat at the same
time exists only in kernels before 4.18.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
2022-01-06 14:53:47 +02:00
Nick Hainke
f61816fdff hostapd: refresh patchset
Recently the hostapd has undergone many changes. The patches were not refreshed.
Refreshed with
    make package/hostapd/{clean,refresh}

Refreshed:
    - 380-disable_ctrl_iface_mib.patch
    - 600-ubus_support.patch
    - 700-wifi-reload.patch
    - 720-iface_max_num_sta.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2021-12-31 12:11:59 +01:00
Stijn Tintel
9ba6ee4e25 nftables: allow quoted string in flowtable_expr_member
This is required to be able to use flow offloading on devices with
ifnames that start with a digit, like 6in4-wan6.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-12-31 02:07:13 +02:00
Hauke Mehrtens
137a7607ec layerscape: restool: Remove build of manpages
The build of the manpages needs the pandoc tool, this is not in the
minimal requirements of OpenWrt, just remove the build of the restool
manpage. This fixes the build on systems without pandoc like the OpenWrt build bots.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-12-28 16:09:12 +01:00
Raphaël Mélotte
69ce75fb12 hostapd: add fallback for WPS on stations
Up to now the WPS script triggered WPS on the stations only if it
could not trigger it successfully on any hostapd instance.

In a Multi-AP context, there can be a need (to establish a new
wireless backhaul link) to trigger WPS on the stations, regardless of
whether there is already a hostapd instance configured or not. The
current script makes it impossible, as if hostapd is running and
configured, WPS would always be triggered on hostapd only.

To allow both possibilities, the following changes are made:

- Change the "pressed" action to "release", so that we can make use of
the "$SEEN" variables (to know for how long the button was pressed).

- If the button is pressed for less than 3 seconds, keep the original
behavior.

- If the button is pressed for 3 seconds or more, trigger WPS on the
stations, regardless of the status of any running hostapd instance.

- Add comments explaining both behaviors.

- While at it, replace the usage of '-a' with a '[] && []'
construct (see [1]).

This gives users a "fallback" mechanism to onboard a device to a
Multi-AP network, even if the device already has a configured hostapd
instance running.

[1]: https://github.com/koalaman/shellcheck/wiki/SC2166

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-12-27 16:32:02 +00:00
Martin Schiller
a0ad1f36f0 umbim: add missing json_close_object call
Otherwise, connection setup may fail due to JSON parse error in netifd.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
[Updated commit description]
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2021-12-27 13:51:41 +01:00
Martin Schiller
6d1cca7e65 umbim: explicitly check for PIN1 state
PIN2 is used only to restrict changing of fixed dialling feature,
does not affect network registration. Therefore explicitly check for
PIN1 state during connection setup, which is required for network
registration.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
[Updated commit description]
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2021-12-27 13:51:41 +01:00
Martin Schiller
049870a7fe umbim: call umbim disconnect in error case
This is needed to properly close the control channel.

Otherwise, on the next try the caps call may fail.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2021-12-27 13:51:41 +01:00
David Bauer
5ca7793418 hostapd: add missing function declaration
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-12-27 03:13:36 +01:00
Hauke Mehrtens
18bdfc803b tcpdump: libpcap: Remove http://www.us.tcpdump.org mirror
The http://www.us.tcpdump.org mirror will go offline soon, only use the
normal download URL.

Reported-by: Denis Ovsienko <denis@ovsienko.info>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-12-27 00:49:08 +01:00
Felix Fietkau
5e67cd63c4 hostapd: only attempt to set qos map if supported by the driver
Fixes issues with brcmfmac

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-12-23 19:18:56 +01:00
Arnout Vandecappelle (Essensium/Mind)
0210f37534 hostapd: keep HE capability after channel switch in AP+STA/Mesh
The auto-ht option already kept HT and VHT support, but wasn't updated
to support HE (11ax).

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-12-21 22:21:38 +00:00
David Bauer
54cfe0774c hostapd: make OpenWrt statistics per-BSS
WNM and RRM statistics were incorrectly per-PHY, leading to shared
statistic counters per BSS.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-12-20 00:15:03 +01:00
David Bauer
6d1e380666 hostapd: provide BSS-transition-queries to ubus subscribers
Provide incoming BSS transition queries to ubus subscribers.

This allows external steering daemons to provide clients with
an optimal list of transition candidates.

This commit has no functional state in case no ubus subscriber is
present or it does not handle this ubus message.

To prevent hostapd from sending out a generic response by itself, a
subscribing daemon has to return a non-zero response code to hostapd.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-12-20 00:15:03 +01:00
David Bauer
dd39249f08 hostapd: WNM: allow specifying dialog-token
Backport a patch to allow extending the ubus BSS-transition method
for specifying individual dialog tokens for BSS transition
management requests.

This is required for handling BSS transition queries in the future.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-12-20 00:15:03 +01:00
Hans Dedecker
df9a62a085 odhcp6c: update to latest git HEAD
39b584b Revert "dhcpv6: add a minimum valid lifetime for IA_PD updates"
c9578e1 dhcpv6: add support for null IA_PD valid lifetime
ca43ea3 dhcpv6: add a minimum valid lifetime for IA_PD updates

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-12-17 21:06:34 +01:00
Hans Dedecker
1e57d52e2f netifd: update to latest git HEAD
5ca5e0b netifd: allow disabling rule/rule6 config sections
8875960 interface-ip: add support for IPv6 prefix invalidation
e589c05 interface-ip: use metric when looking for a route
b54ffde main: fix hotplug script usage message

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-12-17 21:06:24 +01:00
David Bauer
9090e0be4d hostapd: close correct blobmsg table
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-12-16 20:27:07 +01:00
David Bauer
16bcaa71fa hostapd: add OpenWrt specific statistic counters
This adds a new struct for storing statistics not (yet) tracked by
hostapd regarding RRM and WNM activity.

These statistics can be read using the get_status hostapd interface ubus
method.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-12-15 00:13:40 +01:00
Hauke Mehrtens
a5cc9e033c iw: Update to version 5.16
Revert a commit to allow providing CFLAGS and LIBS from OpenWrt package
Makefile.

This downgrades the nl80211.h to kernel 5.15 and removes FILS_CRYPTO_OFFLOAD.
This is needed to make it compatible with our patched mac80211 from
kernel 5.15

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-12-14 22:59:10 +01:00
Martin Schiller
4002a6aa76 restool: bump to LSDK-21.08
Update restool to latest LSDK-21.08.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2021-12-13 23:22:29 +01:00
Felix Fietkau
ea49690ff4 hostapd: add support for specifying the FILS DHCP server
The 'fils_dhcp' option can be set to '*' in order to autodetect the DHCP server
For proto=dhcp networks, the discovered dhcp server will be used
For all other networks, udhcpc is called to discover the address

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-12-10 11:33:49 +01:00
Felix Fietkau
baba2fdaa6 netifd: on dhcp interfaces, store the dhcp server in interface data
Among other things, this can be used to auto-configure the DHCP server
address for wireless APs using FILS, if the bridged interface is
configured to DHCP

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-12-10 11:33:49 +01:00
Felix Fietkau
b7d9bced30 hostapd: add support for enabling FILS on AP and client interfaces
This is only supported with WPA-enterprise

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-12-10 11:33:49 +01:00
Felix Fietkau
5b66dfaf6c hostapd: enable FILS support in the full config and add build feature discovery
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-12-10 11:33:49 +01:00
Felix Fietkau
fbc9ce779f hostapd: make hostapd/supplicant/wpad packages depend on a specific version of hostapd-commoon
This avoids potential version mismatch between packages when upgraded
individually

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-12-01 16:39:12 +01:00
Felix Fietkau
b7ce8a8c17 qosify: remove bulk flow detection from default ports
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-12-01 16:39:12 +01:00
Felix Fietkau
ac83015621 qosify: add besteffort class and switch all default classifications to class names
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-12-01 16:39:12 +01:00
Stijn Tintel
6832271ee7 nftables: bump to 1.0.1
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-12-01 00:39:36 +02:00
Kevin Darbyshire-Bryant
7a48dfc90c nftables: install package file
Install pc file so dnsmasq can find libnftables

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-11-30 15:16:17 +00:00
David Bauer
3ba9846842 hostapd: add beacon_interval to get_status ubus output
Add the beacon interval to hostapd status output. This allows external
services to discover the beacon interval for a specific VAP.

This way, external wireless management daemons can correctly calculate
fields containing TBTT value from absolute time-values.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-11-25 02:41:42 +01:00
Felix Fietkau
f84053af5c hostapd: add a patch that allows processing auth requests for peers in blocked state
If authentication fails repeatedly e.g. because of a weak signal, the link
can end up in blocked state. If one of the nodes tries to establish a link
again before it is unblocked on the other side, it will block the link to
that other side. The same happens on the other side when it unblocks the
link. In that scenario, the link never recovers on its own.

To fix this, allow restarting authentication even if the link is in blocked
state, but don't initiate the attempt until the blocked period is over.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-24 18:26:47 +01:00
Mark Mentovai
398cbb76fa
hostapd: allow hostapd under ujail to communicate with hostapd_cli
When procd-ujail is available, 1f78538387 runs hostapd as user
"network", with only limited additional capabilities (CAP_NET_ADMIN and
CAP_NET_RAW).

hostapd_cli (CONFIG_PACKAGE_hostapd-utils) communicates with hostapd
over a named UNIX-domain socket. hostapd_cli is responsible for creating
this socket at /tmp/wpa_ctrl_$pid_$counter. Since it typically runs as
root, this endpoint is normally created with uid root, gid root, mode
0755. As a result, hostapd running as uid network is able to receive
control messages sent through this interface, but is not able to respond
to them. If debug-level logging is enabled (CONFIG_WPA_MSG_MIN_PRIORITY
<= 2 at build, and log_level <= 2 in /etc/config/wireless wifi-device),
this message will appear from hostapd:

CTRL: sendto failed: Permission denied

As a fix, hostapd_cli should create the socket node in the filesystem
with uid network, gid network, mode 0770. This borrows the presently
Android-only strategy already in hostapd intended to solve the same
problem on Android.

If procd-ujail is not available and hostapd falls back to running as
root, it will still be able to read from and write to the socket even if
the node in the filesystem has been restricted to the network user and
group. This matches the logic in
package/network/services/hostapd/files/wpad.init, which sets the uid and
gid of /var/run/hostapd to network regardless of whether procd-ujail is
available.

As it appears that the "network" user and group are statically allocated
uid 101 and gid 101, respectively, per
package/base-files/files/etc/passwd and USERID in
package/network/services/hostapd/Makefile, this patch also uses a
constant 101 for the uid and gid.

Signed-off-by: Mark Mentovai <mark@moxienet.com>
[refreshed patch]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-23 18:53:31 +00:00
Oldřich Jedlička
1818157daa dnsmasq: fix ismounted check
Fix the return value, shell return codes should be 0 to indicate success
(i.e. mount point found), 1 should be failure (i.e. mount point not-found).

Fixes: ac4e8aa ("dnsmasq: fix more dnsmasq jail issues")
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
2021-11-23 14:57:52 +00:00
Felix Fietkau
7a496e4b4b qosify: update to the latest version
06872673c10f map: allow referring to a class index directly in tcp/udp default entries

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-22 17:23:15 +01:00
Felix Fietkau
3a1597c7bd qosify: install hotplug handler into /etc/hotplug.d/iface as well
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-22 17:23:15 +01:00
Daniel Golle
8f45849876
uqmi: update to git HEAD
20cd907 uqmi: use unmodified upstream JSON files
 b2c53dc command-nas: fix out-of-bounds read

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-22 01:30:03 +00:00
Felix Fietkau
e9610794fd qosify: add support for configuring overhead
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-21 13:47:18 +01:00
Felix Fietkau
9962585f2d qosify: update to the latest version
2743e58741b3 bpf: work around a verifier issue

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-21 13:47:18 +01:00
Hans Dedecker
9b29c14b0e ethtool: update to version 5.15
cef54c4 Release version 5.15.
23beb39 update UAPI header copies
fd7db64 netlink: settings: Correct duplicate condition
88892ec Merge branch 'review/module-fixes-2-v2'
79cb4ab sff-8636: Remove extra blank lines
128e97c sff-8636: Convert if statement to switch-case
7ff603b sff-8636: Fix incorrect function name
86e9784 sff-8636: Remove incorrect comment
001aecd cmis: Correct comment
1bad83c cmis: Fix wrong define name
2c2fa88 cmis: Fix CLEI code parsing
d007b49 Merge branch 'review/module-fixes' into master
a7431bc netlink: eeprom: Fix compilation when pretty dump is disabled
d02409c ethtool: Fix compilation warning when pretty dump is disabled
2ddb1a1 netlink: eeprom: Fallback to IOCTL when a complete hex/raw dump is requested
7e153a7 cmis: Fix invalid memory access in IOCTL path
769a50e sff-8636: Fix parsing of Page 03h in IOCTL path

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-11-21 12:52:39 +01:00
Daniel Danzberger
0e96e06867 nftables: install libnftables to staging dir
Makes libnftables library and headers available for other packages.

Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
2021-11-20 21:08:25 +01:00
Felix Fietkau
b764cb9e5b qosify: add qosify-status script
This will show detailed status for all devices/interfaces

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-19 23:51:20 +01:00
Felix Fietkau
991966f1f5 qosify: add class specific bulk flow detection example to voice class
With the new version, priority/bulk flow detection can be selectively enabled
and configured per class

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-19 23:51:20 +01:00
Felix Fietkau
0351a5ff87 qosify: update to the latest version
68961a555e42 ubus: drop dnsmasq check for dns_result method
1ca3e26b8169 bpf: refactor code to support explicit opt-in for bulk+prio detection
3f0acf039f41 bpf: move flow prio/bulk detection config into a separate data structure
bc54c97e3333 map, bpf: create a separate map for configured dscp classes
46cf3eae2d99 bpf: fix bulk flow detaction
88f1db7dd611 bpf: fix priority flow detection
b5dec7874373 bpf: remove access to skb->gso_size
e728a319a9a5 interface: unify status, always include ifname, ingress, egress

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-19 23:51:20 +01:00
Felix Fietkau
ff6b89df70 qosify: keep ICMP in the default best-effort class
Also preserve existing DSCP tags to make it easier to test latency for
different DSCP values

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-19 23:51:20 +01:00
Rodrigo B. de Sousa Martins
537df46a39 qosify: move package to Base System
Since sqm-scripts and qos-scripts packages are in the same category as qosify,
the firsts being in the Base System category, I find it understandable to move
the latter to Base System instead of network section.

Signed-off-by: Rodrigo B. de Sousa Martins <rodrigo.sousa.577@gmail.com>
2021-11-19 23:51:20 +01:00
David Bauer
7ae04d3799 hostapd: fix use after free bugs
Using a pointer one lifter after it freed is not the best idea.
Let's not do that.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-11-19 21:58:12 +01:00
Eneas U de Queiroz
5720ac8f4c hostapd: set VARIANT=* for wpa-cli, hostapd-utils
19aae94 [build: avoid rebuilds of unset VARIANT packages] builds
packages defined without a VARIANT only once, using the first VARIANT
defined in the Makefile.

This caused problems with wpa-cli, as it is only built for variants that
include supplicant support, and the first VARIANT defined may not build
it.

The same happens to hostapd-utils, which is not built for
supplicant-only variants.

To circumvent this, set VARIANT=* for both packages so that they get
built for every defined variant.  This should not cause spurious
rebuilds, since tey are not a dependency of any other package defined in
this Makefile.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-11-15 00:38:46 +01:00
Stijn Tintel
53247d3cb4 lldpd: add reload trigger
This is needed to reload the service when calling reload_config, if the
UCI config has changed.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-14 21:26:41 +02:00
Stijn Tintel
d44ab665a6 lldpd: consolidate procd command lines
There is no need to have multiple lines for this.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-14 21:26:41 +02:00
Stijn Tintel
f054fcd98a lldpd: bump to 1.0.13
Fixes CVE-2021-43612.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-14 21:26:41 +02:00
Felix Fietkau
9bd9e04b6f qosify: add missing alias support in the init script
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-14 19:36:34 +01:00
Paul Spooren
7bc18aa284 firewall4: update to latest Git HEAD
eb0a3ee fw4.uc: Do not quote port ranges
c5a8e3e tests: adapt test to new ICMP print logic

Also start using $(AUTORELEASE)

Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-11-13 09:40:14 -10:00
Russell Senior
fa7356dd9d iproute2: update to 5.15
from https://git.kernel.org/pub/scm/network/iproute2/iproute2.git

changes since 5.14.0:

ad3a118f rdma: Fix SRQ resource tracking information json
7a235a10 man: devlink-port: fix pfnum for devlink port add
229eaba5 uapi: pickup fix for xfrm ABI breakage
a500c5ac lib/bpf: fix map-in-map creation without prepopulation
7c032cac man: devlink-port: remove extra .br
04ee8e6f man: devlink-port: fix style
14802d84 man: devlink-port: fix the devlink port add synopsis
897772a7 cmd: use spaces instead of tabs for usage indentation
e7a98a96 mptcp: unbreak JSON endpoint list
2f5825cb lib: bpf_legacy: fix bpffs mount when /sys/fs/bpf exists
d756c08a tc/f_flower: fix port range parsing
92e32f77 uapi: updates from 5.15-rc1
e7e0e2ce iptuntap: fix multi-queue flag display
deef844b man: ip-link: remove double of
a3272b93 configure: restore backward compatibility
ceba5930 tree-wide: fix some typos found by Lintian
7a705242 ip: remove leftovers from IPX and DECnet
8ab1834e uapi: update headers from 5.15 merge
6d0d35ba ip/bond: add lacp active support
926ad641 Update kernel headers
c730bd0b ip/tunnel: always print all known attributes
df8912ed ipioam6: use print_nl instead of print_null
7e7270bb tc/skbmod: Introduce SKBMOD_F_ECN option
86c596ed IOAM man8
2d83c710 New IOAM6 encap type for routes
f0b3808a Add, show, link, remove IOAM namespaces and schemas
acbdef93 Import ioam6 uapi headers
2d6fa30b Update kernel headers
508ad89c ipneigh: add support to print brief output of neigh cache in tabular format

* update patch 170-ip_tiny.patch to accomodate ioam.

Signed-off-by: Russell Senior <russell@personaltelco.net>
2021-11-13 18:00:11 +01:00
Felix Fietkau
bdaacdc2fc qosify: add default alias sections
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-12 23:11:56 +01:00
Felix Fietkau
50d33fcf7d qosify: update to the latest version
0750f2b4d329 README: dnsmasq integration is complete
8e48d0b0cbba bpf: add initial support for splitting map dscp value into ingress and egress
bfc2cafe2a8c map: add support for defining aliases

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-12 23:11:56 +01:00
Rui Salvaterra
c8340120e7 dnsmasq: fix the dynamic dns object names patch
We can't use booleans, since we're not including stdbool.h. Use integers
instead.

Fixes: 0b79e7c01e ("dnsmasq: generate the dns object name dynamically")

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-11-12 23:11:56 +01:00
Daniel Golle
0cbc6b16db
dnsmasq: add ubus acl to allow calls to hotplug.tftp object
dnsmasq may call hotplug.dhcp, hotplug.neigh and hotplug.tftp.
Only the first two callees were listed in the ACL, so add missing
hotplug.tftp.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-12 15:02:58 +00:00
Felix Fietkau
0b79e7c01e dnsmasq: generate the dns object name dynamically
Fixes an issue with running multiple dnsmasq instances

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-10 10:07:04 +01:00
Paul Fertser
8a6b1a8d29 dnsmasq: add match_tag for --dhcp-host
A set of tags can be specified for --dhcp-host option to restrict the
assignment to the requests which match all the tags.

Example usage:

config vendorclass
        option networkid 'udhcp'
        option vendorclass 'udhcp'

config host
        option mac '*:*:*:*:*:*'
        list match_tag 'switch.10'
        list match_tag 'udhcp'
        option ip '192.168.25.10'

Signed-off-by: Paul Fertser <fercerpav@gmail.com>
2021-11-09 16:45:38 +00:00
Felix Fietkau
a667f6b8dd qosify: mark as nonshared
The SDK does not have the LLVM toolchain yet

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-09 14:07:19 +01:00
Felix Fietkau
85cc004606 qosify: move files to /etc/qosify
Now that wildcard matching is supported, this makes it easier for packages
to supply their own qosify rules

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-08 22:26:46 +01:00
Felix Fietkau
0e4ef0e5a4 qosify: update to the latest version
737970946bc0 map: default to fnmatch matching for dns patterns. support regex via leading /
b56b112e62e2 ubus: fix crash caused by missing static keyword
3a420e272c18 qosify: support wildcards in classifier filenames

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-08 22:26:22 +01:00
Felix Fietkau
48c754d653 qosify: add missing dependency
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-08 21:32:40 +01:00
Felix Fietkau
afb9c24d90 qosify: update to the latest version
2ca7352543da map: make a helper function for freeing entries
411432ec853b map: add support for adding dns regex patterns
14803cb559d8 ubus: remove unused enum
a0740172eda6 ubus: add api for providing dns lookup results for dns regex rules
406fbf478e87 ubus: add support for dynamically adding dns based rules
5fc91183d60a README: mention dns regex entries
3ed8c3eb1a3b README: document mapping file syntax
91ce2e77d302 map: introduce low effort codepoint from RFC8622
5ff14acca0e7 interface: enable NAT on interfaces by default
e70f70e496d7 README: fix typo
f25ded617478 README: fix another typo
675238bc2ce5 loader: always reinitialize programs
010eea0d98c3 map: improve timeout handling of IP entries
7ef54a7f04a0 map: add DF codepoint
6f7fbe698555 map: increase active timeout to 300
60e06a579a13 qosify-bpf: inline check_flow() to ensure that it is jited
f5ae89e8d869 ubus: subscribe to dnsmasq.dns for dns lookup results

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-08 15:06:20 +01:00
Felix Fietkau
d8b33dad0b dnsmasq: add support for monitoring and modifying dns lookup results via ubus
The monitoring functionality will be used for dns rule support in qosify

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-08 15:06:19 +01:00
Daniel Golle
81832b38a0
uqmi: update to git HEAD and improve proto handler script
e303ba8 uqmi: update code generator
 7880de8 uqmi: sync data from libqmi project
 d647f8d uqmi: add more diagnostics commands
 6f95626 uim: add --uim-get-sim-state

Use newly introduce --uim-get-sim-state command to query PIN status
from modems which require using uim instead of dms command for that.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-06 02:46:36 +00:00
Stijn Tintel
a05452e4d6 omcproxy: bump to git HEAD
bfba2aa groups: use uloop_timeout_remaining64

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-04 15:04:45 +02:00
Felix Fietkau
efff3520f4 hostapd: support qos_map_set without CONFIG_INTERWORKING
This feature is useful on its own even without full interworking support

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-04 11:50:51 +01:00
Felix Fietkau
a5e3def182 hostapd: add wmm qos map set by default
This implements the mapping recommendations from RFC8325, with an
update from RFC8622. This ensures that DSCP marked packets are properly
sorted into WMM classes.
The map can be disabled by setting iw_qos_map_set to something invalid
like 'none'

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-03 22:47:55 +01:00
Florian Eckert
b14f062849 vti: squash vtiv4 and vtiv6 packages into vti
This change adds the same package behaviour as gre package.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2021-11-03 20:34:43 +01:00
Felix Fietkau
063d49b8a0 qosify: add missing config option for nat support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-03 19:41:49 +01:00
Felix Fietkau
ff4fd56732 qosify: include nls.mk to avoid build error with full NLS support enabled
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-03 18:54:12 +01:00
Felix Fietkau
605192f46c qosify: add missing dependency
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-02 10:57:29 +01:00
Eneas U de Queiroz
4ea0cfe810 iproute2: Avoid unnecessary package rebuilds
Build the tc-mod-iptables before the tc-tiny and tc-full packages.

This avoids unnecessary package rebuild when calling make back to back.
Before this change, tc-mod-iptables will be built after the main tc
binary packages.

Both tc-tiny and tc-full depend on tc-mod-ipables.  If make is called
after the packages are already built, it will check the timestamps of
both packages, and will rebuild the main binaries, since the module
package will be newer than the tc package.

Calling BuildPackage,mod-iptables first ensures that its variant gets
built before the other packages' variants.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-11-01 20:18:55 +01:00
Eneas U de Queiroz
67f9245ee5 hostapd: avoid unnecessary package rebuilds
Package hostapd-common is a dependency of every other package defined in
hostpad Makefile.  It is currently built next to the bottom of that
Makefile's package list.

If you run make back to back, then check-compile will compare the
hostapd-common timestamp to the variant being compiled, to decide if the
varint needs to be rebuilt or not.  Since the hostapd-conf package is
built towards the end of the list, it will be newer than most of the
variants, causing unnecessary package rebuilds.

Move it to the top, so that its timestamp will be older than dependent
packages, avoiding unnecessary rebuild of every selected variant.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-11-01 20:18:55 +01:00
Felix Fietkau
9ae5f09dc8 qosify: fix package section/category
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-01 20:17:02 +01:00
Felix Fietkau
6738820bf6 build: fix bpf toolchain dependency for qosify
Add hidden symbols to fix defaults with CONFIG_DEVEL unset

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-01 18:41:20 +01:00
Felix Fietkau
f3a28b6bcf qosify: add package for simple qos based on ebpf+cake
qosify is simple daemon for setting up and managing CAKE along with a custom
eBPF based classifier that sets DSCP fields of packets.

It is configured via UCI and it supports the following features:
- simple TCP/UDP port based mapping
- IP address based mapping
- priority boosting based on average packet size
- bulk flow detection based on number of packets per second
- dynamically add IP entries with timeout

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-01 16:39:52 +01:00
Daniel Golle
a44e4aaef9
dnsmasq: fix jail mount in case of ignore_hosts_dir being set
Commit a2fcd3900c ("dnsmasq: improve init script") broke the existing
handling for hosts_dir. Remove the redundant mount again to fix it.

Reported-by: Hartmut Birr <e9hack@gmail.com>
Fixes: a2fcd3900c ("dnsmasq: improve init script")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-01 12:02:24 +00:00
Daniel Golle
a2fcd3900c
dnsmasq: improve init script
* fix restart in LuCI (inherited umask was to restrictive)
 * make directory of hosts-file (!= /tmp) accessible in ujail

Reported-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-10-31 13:07:48 +00:00
Hans Dedecker
2d2c7c4250 6in4: remove 6in4 tunnel delete workaround (FS#3690)
Remove 6in4 tunnel delete workaround as the real issue is
now solved in netifd
(https://git.openwrt.org/?p=project/netifd.git;a=commit;h=8f82742ca4f47f459284f3a07323d04da72ea5f6)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-10-30 21:15:18 +02:00
Hans Dedecker
c4d292969f 6rd : remove 6rd tunnel delete workaround
Remove 6rd tunnel delete workaround in as the real issue
is now solved in netifd
(https://git.openwrt.org/?p=project/netifd.git;a=commit;h=8f82742ca4f47f459284f3a07323d04da72ea5f6)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-10-30 21:14:30 +02:00
Hans Dedecker
4eba313065 netifd: fix deletion of ip tunnels (FS#4058)
8f82742 system-linux: fix deletion of ip tunnels (FS#4058)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-10-30 21:14:01 +02:00
Sven Roederer
5287defa1f dropbear: add config options for agent-forwarding support
* SSH agent forwarding might cause security issues, locally and on the jump
  machine (https://defn.io/2019/04/12/ssh-forwarding/). So allow to
  completely disabling it.
* separate options for client and server
* keep it enabled by default

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
2021-10-30 16:32:54 +02:00
Michael Peleshenko
db639238f2 umdns: add missing syscall to seccomp filter
The 'madvise', syscall is missing.
Found with 'utrace /usr/sbin/umdns' on an R7800 and RT3200.

Signed-off-by: Michael Peleshenko <mpeleshenko@gmail.com>
2021-10-27 19:25:59 +01:00
Hauke Mehrtens
cfe0eb7485 mac80211: Update to version 5.14.13-1
The removed patches were applied upstream.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-10-24 00:08:38 +02:00
Hans Dedecker
a1d3796efe ethtool: update to v5.14
Update to newly released version 5.14

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-10-23 21:41:09 +02:00
Hans Dedecker
abc7a97e9c Revert "ethtool: update to v5.14"
This reverts commit 7630001427

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-10-23 21:39:00 +02:00
Hans Dedecker
7630001427 ethtool: update to v5.14
Update to newly released version 5.14

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-10-23 21:35:38 +02:00
Michael Peleshenko
40c18e95dc umdns: add missing syscall to seccomp filter
The 'clock_gettime64', syscall is missing.
Found with 'utrace /usr/sbin/umdns' on an R7800.

Signed-off-by: Michael Peleshenko <mpeleshenko@gmail.com>
2021-10-23 19:31:32 +02:00
David Bauer
9b880f09f3 hostapd: ubus: fix uninitialized pointer
This fixes passing a bogus non-null pointer to the ubus handler in case
the transition request is rejected.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-10-21 17:09:35 +02:00
Felix Fietkau
63c01ad025 hostapd: fix up patches after the last commit
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-10-21 12:37:23 +02:00
Felix Fietkau
da4be02fcd hostapd: fix a race condition on adding AP mode wds sta interfaces
Both hostapd and netifd attempt to add a VLAN device to a bridge.
Depending on which one wins the race, bridge vlan settings might be incomplete,
or hostapd might run into an error and refuse to service the client.
Fix this by preventing hostapd from adding interfaces to the bridge and
instead rely entirely on netifd handling this properly

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-10-21 11:31:53 +02:00
Felix Fietkau
f448c26923 netifd: update to the latest version
c61a1d432b34 wireless: fix creating AP mode WDS station interfaces
f78bdec2ed5f wireless: fix handling vif attributes on reload with mode change

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-10-21 11:31:53 +02:00
Andre Heider
70729d3454 ltq-vdsl-app: add error vector counters to the ubus metrics
These are useful stats to debug vector related line deteriorations,
see [0].

Example output:
    "erb": {
	    "sent": 169925,
	    "discarded": 0
    }

[0] https://forum.openwrt.org/t/vectoring-on-lantiq-vrx200-vr9-missing-callback-for-sending-error-samples/104046

Signed-off-by: Andre Heider <a.heider@gmail.com>
2021-10-21 00:17:36 +02:00
Andre Heider
276c80bdc0 ltq-vdsl-app: prepare for multiple mei ioctls
Refactor so that the outer function opens and closes the mei fd and
passes it around, just as with the main fd.

That also allows us to use the IOCTL macro in get_vector_status() and
clean up accordingly.

Switch to AUTORELEASE while at it.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2021-10-21 00:17:36 +02:00
Hauke Mehrtens
36019ed589 iw: sync nl80211 with kernel backports
The nl80211 was out of sync with the version used in our backports. This
broke the configuration of the antenna gain.

Fixes: 2bfac61483 ("mac80211: backport support for BSS color changes")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-10-21 00:17:36 +02:00
David Bauer
43c64ffa74 hostapd: fix goto loop for ubus assoc handler
When a ubus event handler denies a association with a non-zero return
value, the code jumps to preceeding code, creating an endless loop until
the event handler accepts the assc request.

Move the ubus handler further up the code to avoid creating such a loop.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-10-19 17:27:05 +02:00
Stepan Henek
c4e994011f wireguard-tools: add uci option to disable wireguard peers
Right now when I want to temporarily disable wg peer I need to delete
the entire peer section. This is not such a good solution because I
loose the previous configuration of the peer.

This patch adds `disabled` option to peer config which causes that
the config section is ignored.

Signed-off-by: Stepan Henek <stepan.henek@nic.cz>
[use $(AUTORELEASE)]
Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-10-18 12:14:36 -10:00
Stijn Tintel
dbb0019cbe nftables: bump to 1.0.0
This introduces support for hardware flow offloading, which was added in
in nftables 0.9.9.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2021-10-19 00:12:13 +02:00