Commit Graph

3113 Commits

Author SHA1 Message Date
Daniel Golle
0709f6e798 iproute2: disable SELinux for now
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-13 14:03:07 +01:00
Rui Salvaterra
e5eeb34a8c dropbear: fix ssh alternative when dbclient isn't built
The ssh symlink was still being created even when dbclient was disabled in the
build configuration. Fix this annoyance.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-08-12 21:57:37 +02:00
Hans Dedecker
5e512cc9c1 ppp: update to latest git HEAD
677aa53 Fix -W option for pppoe-discovery utility (#157)
115c419 Accept Malformed Windows Success Message (#156)
5bdb148 pppd: Add documentation of stop-bits option to pppd man page (#154)
2a7981f Add ipv6cp-accept-remote option
0678d3b pppd: Fix the default value for ipv6cp-accept-local to false

Refresh patches

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-08-11 21:27:07 +02:00
Jo-Philipp Wich
bc1c9fdc20 hostapd: recognize option "key" as alias for "auth_secret"
The hostapd configuration logic is supposed to accept "option key" as
legacy alias for "option auth_secret". This particular fallback option
failed to work though because "key" was not a registered configuration
variable.

Fix this issue by registering the "key" option as well, similar to the
existing "server" nad "port" options.

Ref: https://github.com/openwrt/openwrt/pull/3282
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-07 21:19:29 +02:00
Jo-Philipp Wich
321503dbf3 hostapd: make "key" option optional if "wpa_psk_file" is provided
If an existing "wpa_psk_file" is passed to hostapd, the "key" option may
be omitted.

While we're at it, also improve the passphrase length checking to ensure
that it is either exactly 64 bytes or 8 to 63 bytes.

Fixes: FS#2689
Ref: https://github.com/openwrt/openwrt/pull/3283
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-07 21:04:02 +02:00
Petr Štetiar
c487cf8e94 hostapd: add wpad-basic-wolfssl variant
Add package which provides size optimized wpad with support for just
WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
[adapt to recent changes, add dependency for WPA_WOLFSSL config]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-07 12:02:19 +02:00
Yousong Zhou
064dc1e81b dnsmasq: abort when dnssec requested but not available
Before this commit, if uci option "dnssec" was set, we pass "--dnssec"
and friends to dnsmasq, let it start and decide whether to quit and
whether to emit message for diagnosis

  # dnsmasq --dnssec; echo $?
  dnsmasq: DNSSEC not available: set HAVE_DNSSEC in src/config.h
  1

DNSSEC as a feature is different from others like dhcp, tftp in that
it's a security feature.  Better be explicit.  With this change
committed, we make it so by not allowing it in the first in the
initscript, should dnsmasq later decides to not quit (not likely) or
quit without above explicit error (unlikely but less so ;)

So this is just being proactive.  on/off choices with uci option
"dnssec" are still available like before

Link: https://github.com/openwrt/openwrt/pull/3265#issuecomment-667795302
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2020-08-07 15:56:30 +08:00
Jo-Philipp Wich
11ea7ba698 Revert "dsaconfig: introduce package for UCI configuration of VLAN filter rules"
This reverts commit 96b87196b0.

This commit was not meant to go into master.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-06 19:13:43 +02:00
Jo-Philipp Wich
f85bc0d77d Revert "add vfconfig"
This reverts commit 34553e8cc9.

This commit was not meant to go into master.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-06 19:13:21 +02:00
Jo-Philipp Wich
b92f54b919 openvpn: fix arguments passing to wrapped up and down scripts
With the introduction of the generic OpenVPN hotplug mechanism, wrapped
--up and --down scripts got the wrong amount and order of arguments passed,
breaking existing configurations and functionality.

Fix this issue by passing the same amount of arguments in the same expected
order as if the scripts were executed by the OpenVPN daemon directly.

Ref: https://github.com/openwrt/openwrt/pull/1596#issuecomment-668935156
Fixes: 8fe9940db6 ("openvpn: add generic hotplug mechanism")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-06 08:34:31 +02:00
Jo-Philipp Wich
34553e8cc9 add vfconfig
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-06 08:34:19 +02:00
Jo-Philipp Wich
96b87196b0 dsaconfig: introduce package for UCI configuration of VLAN filter rules
This package provides the necessary files to translate `config dsa_vlan`
and `config dsa_port` sections  of `/etc/config/network` into appropriate
bridge vlan filter rules.

The approach of the configuration is to bridge all DSA ports into a logical
bridge device, called "switch0" by default, and to set VLAN port membership,
tagging state and PVID as specified by UCI on each port and on the switch
bridge device itself, allowing logical interfaces to reference port VLAN
groups by using "switch0.N" as ifname, where N denotes the VLAN ID.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-06 08:34:19 +02:00
Rafał Miłecki
3d167ed805 uhttpd: update to the latest master
212f836 ubus: rename JSON-RPC format related functions
628341f ubus: use local "blob_buf" in uh_ubus_handle_request_object()
9d663e7 ubus: use BLOBMSG_TYPE_UNSPEC for "params" JSON attribute
77d345e ubus: drop unused "obj" arguments
8d9e1fc ubus: parse "call" method params only for relevant call

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2020-08-05 15:49:03 +02:00
Jason A. Donenfeld
80a6d3d4a2 wireguard: bump to 1.0.20200729
* compat: rhel 8.3 beta removed nf_nat_core.h
* compat: ipv6_dst_lookup_flow was ported to rhel 7.9 beta

This compat tag adds support for RHEL 8.3 beta and RHEL 7.9 beta, in addition
to RHEL 8.2 and RHEL 7.8. It also marks the first time that
<https://www.wireguard.com/build-status/> is all green for all RHEL kernels.
After quite a bit of trickery, we've finally got the RHEL kernels building
automatically.

* compat: allow override of depmod basedir

When building in an environment with a different modules install path, it's
not possible to override the depmod basedir flag by setting the DEPMODBASEDIR
environment variable.

* compat: add missing headers for ip_tunnel_parse_protocol

This fixes compilation with some unusual configurations.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-08-03 23:14:24 +02:00
Adrian Schmutzler
50413e1ec8 package: replace remaining occurrences of ifconfig with ip
ifconfig is effectively deprecated for quite some time now. Let's
replace the remaining occurrences for packages by the
corresponding ip commands now.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-03 10:42:35 +02:00
Magnus Kroken
48a9d99a21 openvpn: revise sample configuration
Update the openvpn sample configurations to use modern options in favor
of deprecated ones, suggest more sane default settings and add some
warnings.

* Add tls_crypt and ncp_disable to the sample configuration
* Replace nsCertType with remote_cert_tls in client sample configuration
* Comment out "option compress", compression should not be preferred
* Advise 2048-bit Diffie-Hellman parameters by default
* Add warnings about compression and use of Blowfish (BF-CBC)

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2020-08-01 14:54:39 +01:00
Rui Salvaterra
f2af32c20c wireguard-tools: allow compiling with MIPS16 instructions
The wg utility compiles and runs without issues in MIPS16 mode, despite setting
PKG_USE_MIPS16:=0 in the makefile. Let's remove this, allowing for a substantial
size reduction of the wg executable. Since wg is a just a configuration utility,
it shouldn't be performance-critical, as the crypto heavy-lifting is done on the
kernel side.

wg sizes for both modes:

MIPS32: 64309 bytes
MIPS16: 42501 bytes

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-08-01 14:54:39 +01:00
David Bauer
8b3e170526 hostapd: fix incorrect service name
When retrieving the PID for hostapd and wpa_supplicant via ubus the
wrong service name is currently used. This leads to the following error
in the log:

netifd: radio0 (1409): WARNING (wireless_add_process):
executable path /usr/sbin/wpad does not match process  path (/proc/exe)

Fixing the service name retrieves the correct PID and therefore the
warning won't occur.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-07-31 19:51:51 +02:00
Adrian Schmutzler
c4dd7fc23b hostapd: reorganize config selection hierarchy for WPA3
The current selection of DRIVER_MAKEOPTS and TARGET_LDFLAGS is
exceptionally hard to read. This tries to make things a little
easier by inverting the hierarchy of the conditions, so SSL_VARIANT
is checked first and LOCAL_VARIANT is checked second.

This exploits the fact that some of the previous conditions were
unnecessary, e.g. there is no hostapd-mesh*, so we don't need
to exclude this combination.

It also should make it a little easier to see which options are
actually switched by SSL_VARIANT and which by LOCAL_VARIANT.

The patch is supposed to be cosmetic.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-31 11:40:15 +02:00
Adrian Schmutzler
917980fd8a hostapd: improve TITLE for packages
For a few packages, the current TITLE is too long, so it is not
displayed at all when running make menuconfig. Despite, there is
no indication of OpenSSL vs. wolfSSL in the titles.

Thus, this patch adjusts titles to be generally shorter, and adds
the SSL variant to it.

While at it, make things easier by creating a shared definition for
eapol-test like it's done already for all the other flavors.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-30 16:27:44 +01:00
Daniel Golle
34705946e2 hostapd: update mesh DFS patches and add mesh HE support
Drop outdated and by now broken patchset originally supplied by
Peter Oh in August 2018 but never merged upstream.
Instead add the more promissing rework recently submitted by
Markus Theil who picked up Peter's patchset, fixed and completed it
and added support for HE (802.11ax) in mesh mode.

This is only compile tested and needs some real-life testing.

Fixes: FS#3214
Fixes: 167028b750 ("hostapd: Update to version 2.9 (2019-08-08)")
Fixes: 0a3ec87a66 ("hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848ed")
Fixes: 017320ead3 ("hostapd: bring back mesh patches")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-07-30 16:27:44 +01:00
Yousong Zhou
6c57fb7aa9 firewall: bump to version 2020-07-05
Changes since last source version

  e9b90df zones: apply tcp mss clamping also on ingress path
  050816a redirects: fix segmentation fault
  f62a52b treewide: replace unsafe string functions
  23cc543 improve reload logic
  9d7f49d redurects: add support to define multiple zones for dnat reflection rules
  f87d0b0 firewall3: defaults: fix uci flow_offloading option
  fe9602c rules: fix typo
  7cc2a84 defaults: robustify flow table detection.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2020-07-26 18:10:52 +08:00
Hauke Mehrtens
ed2015c386 mac80211: Update to version 5.8-rc2-1
The following patches:
* 972-ath10k_fix-crash-due-to-wrong-handling-of-peer_bw_rxnss_override-parameter.patch
* 973-ath10k_fix-band_center_freq-handling-for-VHT160-in-recent-firmwares.patch
are replaced by this commit in the upstream kernel:
* 3db24065c2c8 ("ath10k: enable VHT160 and VHT80+80 modes")

The following patches were applied upstream:
* 001-rt2800-enable-MFP-support-unconditionally.patch
* 090-wireless-Use-linux-stddef.h-instead-of-stddef.h.patch

The rtw88 driver is now split into multiple kernel modules, just put it
all into one OpenWrt kernel package.

rtl8812au-ct was patched to compile against the mac80211 from kernel
5.8, but not runtime tested.

Add a patch which fixes ath10k on IPQ40XX, this patch was send upstream
and fixes a crash when loading ath10k on this SoC.

Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [ipq40xx/ map-ac2200]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-07-23 23:39:56 +02:00
Michal Hrusecky
cdb25bcef3 openvpn: Allow override of interface name
If using a configuration file for OpenVPN, allow overriding name of the
interface. The reason is that then people could use configuration file
provided by VPN provider directly and override the name of the interface
to include it in correct firewall zone without need to alter the
configuration file.

Signed-off-by: Michal Hrusecky <michal@hrusecky.net>
(cherry picked from commit c93667358515ec078ef4ac96393623ac084e5c9e)
2020-07-23 13:10:09 +02:00
Michal Hrusecky
8483bf3126 openpvn: Split out config parsing code for reuse
Split out code that parses openvpn configuration file into separate file
that can be later included in various scripts and reused.

Signed-off-by: Michal Hrusecky <michal@hrusecky.net>
(cherry picked from commit 86d8467c8ab792c79809a08c223dd9d40da6da2e)
2020-07-23 13:10:09 +02:00
Kevin Darbyshire-Bryant
017cd5bfb0 umdns: fix compiling using gcc 10
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-07-22 15:59:54 +01:00
David Bauer
93bbd998aa hostapd: enter DFS state if no available channel is found
Previously hostapd would not stop transmitting when a DFS event was
detected and no available channel to switch to was available.

Disable and re-enable the interface to enter DFS state. This way, TX
does not happen until the kernel notifies hostapd about the NOP
expiring.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-07-20 15:08:19 +02:00
Johannes Kimmel
65e9de3c33 vxlan: add capability for multiple fdb entries
Similar to wireguard, vxlan can configure multiple peers or add specific
entries to the fdb for a single mac address.

While you can still use peeraddr/peer6addr option within the proto
vxlan/vxlan6 section to not break existing configurations, this patch
allows to add multiple sections that conigure fdb entries via the bridge
command. As such, the bridge command is now a dependency of the vxlan
package. (To be honest without the bridge command available, vxlan isn't
very much fun to use or debug at all)

Field names are taken direclty from the bridge command.

Example with all supported parameters, since this hasn't been documented so
far:

  config interface 'vx0'
      option proto     'vxlan6'      # use vxlan over ipv6

      # main options
      option ip6addr   '2001:db8::1' # listen address
      option tunlink   'wan6'        # optional if listen address given
      option peer6addr '2001:db8::2' # now optional
      option port      '8472'        # this is the standard port under linux
      option vid       '42'          # VXLAN Network Identifier to use
      option mtu       '1430'        # vxlan6 has 70 bytes overhead

      # extra options
      option rxcsum  '0'  # allow receiving packets without checksum
      option txcsum  '0'  # send packets without checksum
      option ttl     '16' # specifies the TTL value for outgoing packets
      option tos     '0'  # specifies the TOS value for outgoing packets
      option macaddr '11:22:33:44:55:66' # optional, manually specify mac
                                         # default is a random address

Single peer with head-end replication. Corresponds to the following call
to bridge:

  $ bridge fdb append 00:00:00:00:00:00 dev vx0 dst 2001:db8::3

  config vxlan_peer
      option vxlan 'vx0'
      option dst '2001:db8::3' # always required

For multiple peers, this section can be repeated for each dst address.

It's possible to specify a multicast address as destination. Useful when
multicast routing is available or within one lan segment:

  config vxlan_peer
      option vxlan 'vx0'
      option dst 'ff02::1337' # multicast group to join.
                              # all bum traffic will be send there
      option via 'eth1'       # for multicast, an outgoing interface needs
                              # to be specified

All available peer options for completeness:

  config vxlan_peer
      option vxlan   'vx0'               # the interface to configure
      option lladdr  'aa:bb:cc:dd:ee:ff' # specific mac,
      option dst     '2001:db8::4'       # connected to this peer
      option via     'eth0.1'            # use this interface only
      option port    '4789'              # use different port for this peer
      option vni     '23'                # override vni for this peer
      option src_vni '123'               # see man 3 bridge

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
2020-07-20 13:43:36 +02:00
Johannes Kimmel
5222aadbf3 vxlan: remove mandatory peeraddr
vxlan can be configured without a peer address. This is used to prepare
an interface and add peers later.

Fixes: FS#2743

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Acked-by: Matthias Schiffer <mschiffer@universe-factory.net>
2020-07-20 13:43:36 +02:00
Kevin Darbyshire-Bryant
a197fa093c dnsmasq: bump to 2.82
This fixes a nasty problem introduced in 2.81 which causes random
crashes on systems where there's significant DNS activity over TCP. It
also fixes DNSSEC validation problems with zero-TTL DNSKEY and DS
records.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-07-20 10:38:35 +01:00
Martin Schiller
6299c1760a ltq-*dsl-app: dsl_control: remove unneeded check for lantiq_dsl.sh
This file is always present because it is part of the ltq-dsl-base
package on which these packages depend.

This check would not have been necessary in the past, because the script
was part of the TARGET_LANTIQ on which these packages also depend.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2020-07-17 12:14:32 +02:00
Martin Schiller
4d8552c265 lantiq: move dsl related base-files into own package
It does not make sense to install this components on lantiq systems
where the dsl subsystem is not needed/used.

This also makes it possible to use the files also on other targets.
(hopefully ipq401x / FritzBox 7530 in the near future)

Signed-off-by: Martin Schiller <ms.3headeddevs@gmail.com>
2020-07-17 12:14:32 +02:00
Adrian Schmutzler
9c170cb92f package: drop PKG_VERSION for purely local packages
In the package guidelines, PKG_VERSION is supposed to be used as
"The upstream version number that we're downloading", while
PKG_RELEASE is referred to as "The version of this package Makefile".
Thus, the variables in a strict interpretation provide a clear
distinction between "their" (upstream) version in PKG_VERSION and
"our" (local OpenWrt trunk) version in PKG_RELEASE.

For local (OpenWrt-only) packages, this implies that those will only
need PKG_RELEASE defined, while PKG_VERSION does not apply following
a strict interpretation. While the majority of "our" packages actually
follow that scheme, there are also some that mix both variables or
have one of them defined but keep them at "1".

This is misleading and confusing, which can be observed by the fact
that there typically either one of the variables is never bumped or
the choice of the variable to increase depends on the person doing the
change.

Consequently, this patch aims at clarifying the situation by
consistently using only PKG_RELEASE for "our" packages. To achieve
that, PKG_VERSION is removed there, bumping PKG_RELEASE where
necessary to ensure the resulting package version string is bigger
than before.

During adjustment, one has to make sure that the new resulting composite
package version will not be considered "older" than the previous one.

A useful tool for evaluating that is 'opkg compare-versions'. In
principle, there are the following cases:

1. Sole PKG_VERSION replaced by sole PKG_RELEASE:
   In this case, the resulting version string does not change, it's
   just the value of the variable put in the file. Consequently, we
   do not bump the number in these cases so nobody is tempted to
   install the same package again.

2. PKG_VERSION and PKG_RELEASE replaced by sole PKG_RELEASE:
   In this case, the resulting version string has been "version-release",
   e.g. 1-3 or 1.0-3. For this case, the new PKG_RELEASE will just
   need to be higher than the previous PKG_VERSION.
   For the cases where PKG_VERSION has always sticked to "1", and
   PKG_RELEASE has been incremented, we take the most recent value of
   PKG_RELEASE.

Apart from that, a few packages appear to have developed their own
complex versioning scheme, e.g. using x.y.z number for PKG_VERSION
_and_ a PKG_RELEASE (qos-scripts) or using dates for PKG_VERSION
(adb-enablemodem, wwan). I didn't touch these few in this patch.

Cc: Hans Dedecker <dedeckeh@gmail.com>
Cc: Felix Fietkau <nbd@nbd.name>
Cc: Andre Valentin <avalentin@marcant.net>
Cc: Matthias Schiffer <mschiffer@universe-factory.net>
Cc: Jo-Philipp Wich <jo@mein.io>
Cc: Steven Barth <steven@midlink.org>
Cc: Daniel Golle <dgolle@allnet.de>
Cc: John Crispin <john@phrozen.org>

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-15 18:33:56 +02:00
Adrian Schmutzler
b29d620ed2 vxlan: bump and change to PKG_RELEASE
Bumping package version has been overlooked in a previous commit.

While at it, use PKG_RELEASE instead of PKG_VERSION, as the latter
is meant for upstream version number only.
(The effective version string for the package would be "3" in both
cases, so there is no harm done for version comparison.)

Fixes: 0453c3866f ("vxlan: fix udp checksum control")

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-15 18:33:56 +02:00
Johannes Kimmel
0453c3866f vxlan: fix udp checksum control
So far, passing "rxcsum" and "txcsum" had no effect.

Fixes: 95ab18e012 ("vxlan: add options to enable and disable UDP
checksums")

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
[add Fixes:]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-15 00:23:38 +02:00
Tony Ambardar
e89a7d72a5 iproute2: tc: fix missing em_ipset module
Feature detection doesn't recognize ipset v7 use on kernel v5.x systems
and thus disables the tc ematch function em_ipset.

- backport patch:
  * 002-configure-support-ipset-v7.patch:
    650591a7a70c configure: support ipset version 7 with kernel version 5

Fixes: 4e0c54bc5b ("kernel: add support for kernel 5.4")

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2020-07-14 22:00:43 +02:00
Tony Ambardar
9852104c71 iproute2: tc: fix dynamic symbol table size optimization
Recent iproute2 5.x versions modified the symbols resolved for plugins,
causing "tc .. action xt .." to fail. Update the list of symbols to fix.

Fixes: b61495409b ("iproute2: tc: reduce size of dynamic symbol table")

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2020-07-14 22:00:43 +02:00
Jason A. Donenfeld
ad81e2da08 wireguard: bump to 1.0.20200712
This release brings parity with the commits Linus released a few hours
ago into 5.8-rc5.

* receive: account for napi_gro_receive never returning GRO_DROP

The napi_gro_receive function no longer returns GRO_DROP ever, making
handling GRO_DROP dead code. This commit removes that dead code.
Further, it's not even clear that device drivers have any business in
taking action after passing off received packets; that's arguably out of
their hands.

* device: implement header_ops->parse_protocol for AF_PACKET

WireGuard uses skb->protocol to determine packet type, and bails out if
it's not set or set to something it's not expecting. For AF_PACKET
injection, we need to support its call chain of:

    packet_sendmsg -> packet_snd -> packet_parse_headers ->
      dev_parse_header_protocol -> parse_protocol

Without a valid parse_protocol, this returns zero, and wireguard then
rejects the skb. So, this wires up the ip_tunnel handler for layer 3
packets for that case.

* queueing: make use of ip_tunnel_parse_protocol

Now that wg_examine_packet_protocol has been added for general
consumption as ip_tunnel_parse_protocol, it's possible to remove
wg_examine_packet_protocol and simply use the new
ip_tunnel_parse_protocol function directly.

* compat: backport ip_tunnel_parse_protocol and ip_tunnel_header_ops

These are required for moving wg_examine_packet_protocol out of
wireguard and into upstream.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-07-13 08:02:02 +02:00
Adrian Schmutzler
b837216345 wireguard-tools: replace backticks by $(...)
This replaces deprecated backticks by more versatile $(...) syntax.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-11 12:52:01 +02:00
Kirill Lukonin
667fbb8151 comgt: add new script to send ussd request and get the answer
New script for comgt. Should help to fetch balance or any additional information with USSD.
This script uses the standard AT command which should be supported by all modems.

Run-tested on: Mikrotik wAP LTE KIT

Signed-off-by: Kirill Lukonin <klukonin@gmail.com>
[fixed from/sob]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-07-08 16:07:05 +02:00
Hans Dedecker
2b479512bc curl: bump to 7.71.1
For changes in 7.71.1; see https://curl.haxx.se/changes.html#7_71_1

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-07-07 22:16:47 +02:00
Petr Štetiar
4e57fd5ada dropbear: make rsa-sha2-256 pubkeys usable again
Upstream in commit 972d723484d8 ("split signkey_type and signature_type
for RSA sha1 vs sha256") has added strict checking of pubkey algorithms
which made keys with SHA-256 hashing algorithm unusable as they still
reuse the `ssh-rsa` public key format. So fix this by disabling the
check for `rsa-sha2-256` pubkeys.

Ref: https://tools.ietf.org/html/rfc8332#section-3
Fixes: d4c80f5b17 ("dropbear: bump to 2020.80")
Tested-by: Russell Senior <russell@personaltelco.net>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-07-07 19:47:24 +02:00
Hans Dedecker
9858a8c582 odhcpd: bump to latest git HEAD
5da5299 odhcpd: fix compilation with GCC10

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-07-02 22:28:06 +02:00
Hans Dedecker
cbb66f9edb curl: bump to 7.71.0
For changes in 7.71.0; see https://curl.haxx.se/changes.html#7_71_0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-07-01 22:19:50 +02:00
Hans Dedecker
d4c80f5b17 dropbear: bump to 2020.80
- drop patches (applied upstream)
 * 001-backport_GNU_SOURCE-for-random.patch
 * 002-backport-move-GNU_SOURCE-earlier.patch
 * 010-backport-disable-toom-and-karatsuba.patch

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-06-30 22:13:46 +02:00
Rui Salvaterra
69ca308673 dropbear: init: replace backticks with $()
This replaces deprecated backticks by more versatile $(...) syntax.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
[add commit description]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-06-30 19:01:18 +02:00
Sukru Senli
c856f7adfb netifd: replace timesvr with timesrv
/lib/netifd/dhcp.script:
         Keep support for 'timesvr' while also supporting 'timesrv'
         Add log message indicating deprecation of 'timesvr'

Signed-off-by: Sukru Senli <sukru.senli@iopsys.eu>
2020-06-27 00:19:13 +02:00
Hans Dedecker
751e6ab8e6 dropbear: fix compilation for uClibc
Backport patches which fix compile issue for uClibc-ng :

dbrandom.c:174:8: warning: implicit declaration of function 'getrandom'; did you mean 'genrandom'? [-Wimplicit-function-declaration]
  ret = getrandom(buf, sizeof(buf), GRND_NONBLOCK);
        ^~~~~~~~~
        genrandom
dbrandom.c:174:36: error: 'GRND_NONBLOCK' undeclared (first use in this function); did you mean 'SOCK_NONBLOCK'?
  ret = getrandom(buf, sizeof(buf), GRND_NONBLOCK);
                                    ^~~~~~~~~~~~~
                                    SOCK_NONBLOCK

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-06-24 22:36:21 +02:00
Jason A. Donenfeld
ea5192e6c5 wireguard: bump to 1.0.20200623
* compat: drop centos 8.1 support as 8.2 is now out

Of note, as well, is that we now have both RHEL7 and RHEL8 in our CI at
<https://www.wireguard.com/build-status/>.

* Kbuild: remove -fvisibility=hidden from cflags

This fixes an issue when compiling wireguard as a module for ARM kernels in
THUMB2 mode without the JUMP11 workaround.

* noise: do not assign initiation time in if condition

Style fix.

* device: avoid circular netns references

Fixes a circular reference issue with network namespaces.

* netns: workaround bad 5.2.y backport

This works around a back backport in the 5.2.y series.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-06-24 08:01:37 +02:00
Sven Roederer
7e67d14486 igmpproxy: remove some bashism
"[[" is a bash extension for test. As the ash-implementation is not
fully compatible we drop its usage.
This follows up 3519bf4976

As a result, we also need to move the and/or out of the test brackets.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
[squash from two patches, adjust commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-06-23 20:00:16 +02:00