40ab806 config: use dedicated link local function to check interface
a84bff2 netlink: add support for getting interface linklocal
2ea065f Revert "config: recheck have_link_local on interface reload if already init"
4b38e6b config: fix feature for enabling service only when interface RUNNING
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Given ipv6 has SLAAC it is quite plausible to wish to use dynamic
dhcp4 but static dhcp6. This patch keeps dynamicdhcp as the default
option for both, but is overridden by dynamicdhcpv6 or dynamicdhcpv4
Signed-off-by: Ian Dall <ian@beware.dropbear.id.au>
The dhcphostsfile must be mounted into the (ujail) sandbox.
The file can not be accessed without this mount.
Signed-off-by: Ruben Jenster <rjenster@gmail.com>
7c0f603 router: skip RA and wait for LINK-LOCAL to be assigned
ba30afc config: skip interface setup if interface not IFF_RUNNING
06b111e Revert "odhcpd: Reduce error messages"
90d6cc9 odhcpd: Reduce error messages
Also drop AUTORELEASE since it got deprecated.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This reduces open coding and allows to easily add a knob to enable
it treewide, where chosen packages can still opt-out via "no-lto".
Some packages used LTO, but not the linker plugin. This unifies 'em
all to attempt to produce better code.
Quoting man gcc(1):
"This improves the quality of optimization by exposing more code to the
link-time optimizer."
Also use -flto=auto instead of -flto=jobserver, as it's not guaranteed
that every buildsystem uses +$(MAKE) correctly.
Signed-off-by: Andre Heider <a.heider@gmail.com>
This reduces open coding and allows to easily add a knob to
enable it treewide, where chosen packages can still opt-out via
"no-gc-sections".
Note: libnl, mbedtls and opkg only used the CFLAGS part without the
LDFLAGS counterpart. That doesn't help at all if the goal is to produce
smaller binaries. I consider that an accident, and this fixes it.
Note: there are also packages using only the LDFLAGS part. I didn't
touch those, as gc might have been disabled via CFLAGS intentionally.
Signed-off-by: Andre Heider <a.heider@gmail.com>
This allows adding backup servers, in case the primary ones fail.
Assume that port and shared secret are going to be the same.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This patch fixes a corner case when using passwords that are exactly 64
characters in length with mesh mode or passwords longer than 63 characters
with SAE because 'psk' is used instead of 'sae_password'.
SAE is obligatory for 802.11s (mesh point).
The 'psk' option for hostapd is suited for WPA2 and enforces length
restrictions on passwords. Values of 64 characters are treated as PMKs.
With SAE, PMKs are always generated during the handshake and there are no
length restrictions.
The 'sae_password' option is more suited for SAE and should be used
instead.
Before this patch, the 'sae_password' option is only used with mesh mode
passwords that are not 64 characters long.
As a consequence:
- mesh passwords can't be 64 characters in length
- SAE only works with passwords with lengths >8 and <=63 (due to psk
limitation).
Fix this by always using 'sae_password' with SAE/mesh and applying the PMK
differentiation only when PSK is used.
Fixes: #11324
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
[ improve commit description ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Use ipcalc's return value to react to invalid range specifications.
By simply ignoring the range instead of aborting with an error code,
dnsmasq should still start when there's an error (best effort).
Aborting the config generation or working with invalid range specs leaves
dnsmasq crash-looping which is the right thing to do concerning that
particular interface but it also hinders DHCP service on other interfaces
and DNS on the router itself.
Signed-off-by: Leon M. George <leon@georgemail.eu>
uhttpd's cmake options all default to ON. Either we set all of them or
none if the defaults need to be changed. Let's go with the latter.
Because support for all modules is always compiled in, remove two unused
and useless config toggles.
uhttpd detects and uses libcrypt itself, no need to add it here again.
Signed-off-by: Andre Heider <a.heider@gmail.com>
47561aa mimetypes: add audio/video support for apple airplay
6341357 ucode: respect all arguments passed to send()
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Dnsmasq DNS cache size is only 150 by default.
Set the uci default value to 1000, so that cache gets used more
and unnecessary DNS queries to upstream can be avoided.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
There is currently a problem with making reproducible version of lldpd.
The tool version is generated based on 3 source:
1. .dist-version file in release tar
2. git hash with presence of .git directory
3. current date
Using the codeload tar from github results in getting the repo without
the .git directory and since they are not release tar, we don't have
.dist-version. This results in having lldpd bin with a version set to
the current build time.
Switch to release tar so that we correctly have a .dist-version file and
the version is not based on the build time.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Reviewed-by: Robert Marko <robimarko@gmail.com>
def7755c459d add missing copyright headers
f68307fd96d7 add hairpin mode support
9ee8f433ba4e nl: do not pass NDA_VLAN with vid=0
978c1f9eed07 add support for the bridge port isolated flag
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The ABI of the wolfssl library changed a bit between version 5.5.3 and
5.5.4. This release update will trigger a rebuild of all packages which
are using wolfssl to make sure they are adapted to the new ABI.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The libraries libpthread, libdl, libutil, libanl have been integrated
into the libc library in version 2.34. it is not needed to explicitly
link them any more.
Most of the functions have been moved from the librt.so into libc.so
some time ago already.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Most relevant feature for openwrt in this release, supports dynamically
removing hosts from 'hostsdir' supplied host files.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
hostapd's compile time option CONFIG_IEEE80211N was removed almost 3 years
ago, 80.211n/HT is always included since then.
Noticed because `hostapd -v11n` confusingly returned an error.
See hostapd's commit:
f3bcd69603 "Remove CONFIG_IEEE80211N build option"
Signed-off-by: Andre Heider <a.heider@gmail.com>
eee80211_frequency_to_channel() isn't used anymore, which is a leftover from:
2a31e9ca97 "hostapd: add op-class to get_status output"
Signed-off-by: Andre Heider <a.heider@gmail.com>
Add new UCI list 'addn_mount' allowing the expose additional filesystem
paths to the jailed dnsmasq process. This is useful e.g. in case of
manually configured includes to the configuration file or symlinks
pointing outside of the exposed paths as used by e.g. the safe-search
package in the packages feed.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This add --filter-A and --filter-AAAA options, to remove IPv4 or IPv6
addresses from DNS answers. these options is supported since version 2.87.
Co-authored-by: NueXini <nuexini@alumni.tongji.edu.cn>
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
dtim_period is a bss property, not a device one.
It is already handled properly in mac80211.sh
Fixes: 30c64825c7 ("hostapd: add dtim_period, local_pwr_constraint, spectrum_mgmt_required")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add build option for nftables sets. By default disable iptables ipset
support. By default enable nftable nftset support since this is what
fw4 uses.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
dnsmasq: nftset: serve from ipset config
Use existing ipset configs as source for nftsets to be compatible with
existing configs. As the OS can either have iptables XOR nftables
support, it's fine to provide both to dnsmasq. dnsmasq will silently
fail for the present one. Depending on the dnsmasq compile time options,
the ipsets or nftsets option will not be added to the dnsmasq config
file.
dnsmasq will try to add the IP addresses to all sets, regardless of the
IP version defined for the set. Adding an IPv6 to an IPv4 set and vice
versa will silently fail.
Signed-off-by: Mathias Kresin <dev@kresin.me>
dnsmasq: support populating nftsets in addition to ipsets
Tell dnsmasq to populate nftsets instead of ipsets, if firewall4 is present in
the system. Keep the same configuration syntax in /etc/config/dhcp, for
compatibility purposes.
Huge thanks to Jo-Philipp Wich for basically writing the function.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
dnsmasq: obtain nftset ip family from nft
Unfortunately dnsmasq nft is noisy if an attempt to add a mismatched ip address
family to an nft set is made.
Heuristic to guess which ip family a nft set might belong by inferring
from the set name.
In order of preference:
If setname ends with standalone '4' or '6' use that, else
if setname has '4' or '6' delimited by '-' or '_' use that (eg
foo-4-bar) else
If setname begins with '4' or '6' standalone use that.
By standalone I mean not as part of a larger number eg. 24
If the above fails then use the existing nft set query mechanism and if
that fails, well you're stuffed!
With-thanks-to: Jo-Philipp Wich <jo@mein.io> who improved my regexp
knowledge.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
dnsmasq: specify firewall table for nftset
Permit ipsets to specify an nftables table for the set. New config
parameter is 'table'. If not specified the default of 'fw4' is used.
config ipset
list name 'BK_4,BK_6'
option table 'dscpclassify'
option table_family 'ip'
option family '4'
list domain 'ms-acdc.office.com'
list domain 'windowsupdate.com'
list domain 'update.microsoft.com'
list domain 'graph.microsoft.com'
list domain '1drv.ms'
list domain '1drv.com'
The table family can also be specified, usually 'ip' or 'ip6' else the
default 'inet' capable of both ipv4 & ipv6 is used.
If the table family is not specified then finally a family option is
available to specify either '4' or '6' for ipv4 or ipv6 respectively.
This is all in addition to the existing heuristic that will look in the
nftset name for an ip family clue, or in total desperation, query the
value from the nftset itself.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
When running sysupgrade from an existing configuration, move existing
ipset definitions to a dedicated config section. Later on, it will allow
to serve ipset as well as nftable sets from the same configuration.
Signed-off-by: Mathias Kresin <dev@kresin.me>
This backports a commit from upstream dnsmasq to fix CVE-2022-0934.
CVE-2022-0934 description:
A single-byte, non-arbitrary write/use-after-free flaw was found in
dnsmasq. This flaw allows an attacker who sends a crafted packet
processed by dnsmasq, potentially causing a denial of service.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Calling /etc/init.d/uhttpd reload directly in the acme hotplug script
can inadvertently start a stopped instance.
Signed-off-by: Glen Huang <i@glenhuang.com>
a92c0a7 dhcpv6-ia: make tmp lease file hidden
4a673e1 fix null pointer dereference for INFORM messages
860ca90 odhcpd: Support for Option NTP and SNTP
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Add the measurement report value to the beacon reports send via ubus. It
is possible to derive from the measurement report if a station refused to
do a beacon report and why. It is important to know why a station refuses
to do a beacon-report. In particular, we should not request a beacon
report from a station again that refused a beacon-report before.
The rejection reasons can be found by looking at the bits defined by:
- MEASUREMENT_REPORT_MODE_ACCEPT
- MEASUREMENT_REPORT_MODE_REJECT_LATE
- MEASUREMENT_REPORT_MODE_REJECT_INCAPABLE
- MEASUREMENT_REPORT_MODE_REJECT_REFUSED
Suggested-by: Ian Clowes <clowes_ian@hotmail.com>
Signed-off-by: Nick Hainke <vincent@systemli.org>