A bunch of kernel modules depends on kmod-usb-net, but does not
select it. Make AddDepends/usb-net selective, so we can drop
some redundant +kmod-usb-net definitions for DEVICE_PACKAGES.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This commit adds a patch to procd to support loading the SELinux
policy early at boot time, and adjusts the procd package to use this
SELinux support when libselinux is enabled.
The procd patch has been submitted separately [1]: obviously the
intent is to have it merged in the procd Git repository rather than
have it in OpenWrt itself.
[1] http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025791.html
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[rebase, add commit message]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
[split commit into openwrt.git and procd.git]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This adds support for ZyXEL NBG6616 uboot-env access
Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[add "ar71xx" to commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
mac80211 reports a packet loss event to user space when 50 consecutive packets
were not acked. On a high throughput link with long aggregates and sudden
link changes, this can trigger way too easily.
Mitigate false positives by only triggering the event on a packet loss if
no ACK was received for at least a second
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Exchange the patch fixing the kernel ringbuffer WARNING flood for the
one accepted upstream.
Fixes commit a956c14d6a ("mac80211: util: don't warn on missing sband
iftype data")
Signed-off-by: David Bauer <mail@david-bauer.net>
The hostapd configuration logic is supposed to accept "option key" as
legacy alias for "option auth_secret". This particular fallback option
failed to work though because "key" was not a registered configuration
variable.
Fix this issue by registering the "key" option as well, similar to the
existing "server" nad "port" options.
Ref: https://github.com/openwrt/openwrt/pull/3282
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
If an existing "wpa_psk_file" is passed to hostapd, the "key" option may
be omitted.
While we're at it, also improve the passphrase length checking to ensure
that it is either exactly 64 bytes or 8 to 63 bytes.
Fixes: FS#2689
Ref: https://github.com/openwrt/openwrt/pull/3283
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Add a dependency on kmod-nls-base for the new exfat driver. Otherwise
the build fails on ramips and ath79 on kernel 5.4:
Package kmod-fs-exfat is missing dependencies for the following libraries:
nls_base.ko
Fixes commit cd41234d2f ("exfat: add out of tree module")
Signed-off-by: David Bauer <mail@david-bauer.net>
The board name is equivalent to the compatible, not the device
definition. Fix it.
Fixes: b4588c8538 ("kernel/om-watchdog: Apply device renames from ramips")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Add package which provides size optimized wpad with support for just
WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
[adapt to recent changes, add dependency for WPA_WOLFSSL config]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
When passing a section or option value to config_get() which contains
characters that happen to be valid variable interpolation expressions,
the function returns a nonsensical expression result instead of the
expected empty string.
When the passed section or option name contains other characters which
are not valid within a shell variable name, a substitution error is
occuring instead.
The issue can be easily reproduced by one of the following examples:
root@OpenWrt:~# . /lib/functions.sh
root@OpenWrt:~# config load system
root@OpenWrt:~# config_get variable invalid-section option
root@OpenWrt:~# echo "$variable"
section_option:-
root@OpenWrt:~# . /lib/functions.sh
root@OpenWrt:~# config load system
root@OpenWrt:~# config_get variable section invalid-option
root@OpenWrt:~# echo "$variable"
option:-
root@OpenWrt:~# . /lib/functions.sh
root@OpenWrt:~# config load system
root@OpenWrt:~# config_get variable section invalid@option
-ash: eval: syntax error: bad substitution
Fix this issue by only performing interpolations when the given section
and option arguments are free of illegal characters.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Before this commit, if uci option "dnssec" was set, we pass "--dnssec"
and friends to dnsmasq, let it start and decide whether to quit and
whether to emit message for diagnosis
# dnsmasq --dnssec; echo $?
dnsmasq: DNSSEC not available: set HAVE_DNSSEC in src/config.h
1
DNSSEC as a feature is different from others like dhcp, tftp in that
it's a security feature. Better be explicit. With this change
committed, we make it so by not allowing it in the first in the
initscript, should dnsmasq later decides to not quit (not likely) or
quit without above explicit error (unlikely but less so ;)
So this is just being proactive. on/off choices with uci option
"dnssec" are still available like before
Link: https://github.com/openwrt/openwrt/pull/3265#issuecomment-667795302
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
47a9f0d service: add method to query available container features
afbaba9 initd: attempt to mount cgroup2
ead60fe jail: use pidns semantics also for timens
759e9f8 jail: make use of BLOBMSG_CAST_INT64 for OCI rlimits
83053b6 instance: add instances into unified cgroup hierarchy
16159bb jail: parse OCI cgroups resources
282ff0c jail: only free cgroups if they were allocated
ab55357 jail: fix freeing cgroups avl
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This patch adds support for the WNDR4300TN, marketed by Belgian ISP
Telenet. The hardware is the same as the WNDR4300 v1, without the
fifth ethernet port (WAN) and the USB port. The circuit board has
the traces, but the components are missing.
Specifications:
* SoC: Atheros AR9344
* RAM: 128 MB
* Flash: 128 MB NAND flash
* WiFi: Atheros AR9580 (5 GHz) and AR9344 (2.4 GHz)
* Ethernet: 4x 1000Base-T
* LED: Power, LAN, WiFi 2.4GHz, WiFi 5GHz, WPS
* UART: on board, to the right of the RF shield at the top of the board
Installation:
* Flashing through the OEM web interface:
+ Connect your computer to the router with an ethernet cable and browse
to http://192.168.0.51/
+ Log in with the default credentials are admin:password
+ Browse to Advanced > Administration > Firmware Upgrade in the Telenet
interface
+ Upload the Openwrt firmware: openwrt-ath79-nand-netgear_wndr4300tn-squashfs-factory.img
+ Proceed with the firmware installation and give the device a few
minutes to finish and reboot.
* Flashing through TFTP:
+ Configure your wired client with a static IP in the 192.168.1.x range,
e.g. 192.168.1.10 and netmask 255.255.255.0.
+ Power off the router.
+ Press and hold the RESET button (the factory reset button on the bottom
of the device, with the gray circle around it, next to the Telenet logo)
and turn the router on while keeping the button pressed.
+ The power LED will start flashing orange. You can release the button
once it switches to flashing green.
+ Transfer the image over TFTP:
$ tftp 192.168.1.1 -m binary -c put openwrt-ath79-nand-netgear_wndr4300tn-squashfs-factory.img
Signed-off-by: Davy Hollevoet <github@natox.be>
[use DT label reference for adding LEDs in DTSI files]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
47a9f0d service: add method to query available container features
afbaba9 initd: attempt to mount cgroup2
ead60fe jail: use pidns semantics also for timens
759e9f8 jail: make use of BLOBMSG_CAST_INT64 for OCI rlimits
83053b6 instance: add instances into unified cgroup hierarchy
16159bb jail: parse OCI cgroups resources
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Testmode commands are typically only used for manufacturing or vendor specific
debugging features, so they should not be in the default image
Signed-off-by: Felix Fietkau <nbd@nbd.name>
With the introduction of the generic OpenVPN hotplug mechanism, wrapped
--up and --down scripts got the wrong amount and order of arguments passed,
breaking existing configurations and functionality.
Fix this issue by passing the same amount of arguments in the same expected
order as if the scripts were executed by the OpenVPN daemon directly.
Ref: https://github.com/openwrt/openwrt/pull/1596#issuecomment-668935156
Fixes: 8fe9940db6 ("openvpn: add generic hotplug mechanism")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This package provides the necessary files to translate `config dsa_vlan`
and `config dsa_port` sections of `/etc/config/network` into appropriate
bridge vlan filter rules.
The approach of the configuration is to bridge all DSA ports into a logical
bridge device, called "switch0" by default, and to set VLAN port membership,
tagging state and PVID as specified by UCI on each port and on the switch
bridge device itself, allowing logical interfaces to reference port VLAN
groups by using "switch0.N" as ifname, where N denotes the VLAN ID.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
212f836 ubus: rename JSON-RPC format related functions
628341f ubus: use local "blob_buf" in uh_ubus_handle_request_object()
9d663e7 ubus: use BLOBMSG_TYPE_UNSPEC for "params" JSON attribute
77d345e ubus: drop unused "obj" arguments
8d9e1fc ubus: parse "call" method params only for relevant call
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* compat: rhel 8.3 beta removed nf_nat_core.h
* compat: ipv6_dst_lookup_flow was ported to rhel 7.9 beta
This compat tag adds support for RHEL 8.3 beta and RHEL 7.9 beta, in addition
to RHEL 8.2 and RHEL 7.8. It also marks the first time that
<https://www.wireguard.com/build-status/> is all green for all RHEL kernels.
After quite a bit of trickery, we've finally got the RHEL kernels building
automatically.
* compat: allow override of depmod basedir
When building in an environment with a different modules install path, it's
not possible to override the depmod basedir flag by setting the DEPMODBASEDIR
environment variable.
* compat: add missing headers for ip_tunnel_parse_protocol
This fixes compilation with some unusual configurations.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
ifconfig is effectively deprecated for quite some time now. Let's
replace the remaining occurrences for packages by the
corresponding ip commands now.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Update the openvpn sample configurations to use modern options in favor
of deprecated ones, suggest more sane default settings and add some
warnings.
* Add tls_crypt and ncp_disable to the sample configuration
* Replace nsCertType with remote_cert_tls in client sample configuration
* Comment out "option compress", compression should not be preferred
* Advise 2048-bit Diffie-Hellman parameters by default
* Add warnings about compression and use of Blowfish (BF-CBC)
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
The wg utility compiles and runs without issues in MIPS16 mode, despite setting
PKG_USE_MIPS16:=0 in the makefile. Let's remove this, allowing for a substantial
size reduction of the wg executable. Since wg is a just a configuration utility,
it shouldn't be performance-critical, as the crypto heavy-lifting is done on the
kernel side.
wg sizes for both modes:
MIPS32: 64309 bytes
MIPS16: 42501 bytes
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
>From an email conversation with the person responsible for upstreaming
the exFAT driver, it seems the staging one in kernel 5.4 is not so
good. Excerpts below.
Namjae Jeon:
Hm... exfat in 5.4 kernel that we did crap shit long time ago is
contributed by someone who we don't know.
This version is unstable and low quality code. We have been improving
it continuously.
and staging version exfat is removed from linux 5.7 kernel.
linux exfat oot version is a backport of exfat in linux 5.7 kernel to
support lower version kernel, and it is a real.
You can see the patch history fro linux-exfat-oot.
this version support timezone and boot sector verification feature newly.
and better filesystem structure and much clean code quality that
reviewed by high profile kernel developers. and add many bug fixes.
And this version is officially maintained by me and kernel guys.
I would not recommend to use staging exfat version.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Don't kill the wireless daemon on teardown. hostapd as well as
wpa_supplicant are managed by procd which would detect the shutdown of
either process as a crash loop.
Signed-off-by: David Bauer <mail@david-bauer.net>
When retrieving the PID for hostapd and wpa_supplicant via ubus the
wrong service name is currently used. This leads to the following error
in the log:
netifd: radio0 (1409): WARNING (wireless_add_process):
executable path /usr/sbin/wpad does not match process path (/proc/exe)
Fixing the service name retrieves the correct PID and therefore the
warning won't occur.
Signed-off-by: David Bauer <mail@david-bauer.net>
This replaces the internal device names "Audi" and "Viper" with the
real model names, which a user would look for. This makes the
Linksys devices on this target consistent with the names recently
changed for mvebu based on the same idea.
As a consequence, the "viper" device definition is split into two
separate definitions with the correct names for both real models.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Explicitly mount the BPF filesystem if available. This is used for pinning
eBPF programs and maps, making them accessible to other eBPF programs or
from userspace with the help of libbpf or bpftool.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
[daniel@makrotopia.org: bumped PKG_RELEASE]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The current selection of DRIVER_MAKEOPTS and TARGET_LDFLAGS is
exceptionally hard to read. This tries to make things a little
easier by inverting the hierarchy of the conditions, so SSL_VARIANT
is checked first and LOCAL_VARIANT is checked second.
This exploits the fact that some of the previous conditions were
unnecessary, e.g. there is no hostapd-mesh*, so we don't need
to exclude this combination.
It also should make it a little easier to see which options are
actually switched by SSL_VARIANT and which by LOCAL_VARIANT.
The patch is supposed to be cosmetic.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
So far, the compatibility mechanism only works if both device and
image are already updated to the new routines. This patch extends
the sysupgrade metadata and fwtool_check_image() to account for
"older" images as well:
The basic mechanism for older devices to check for image compatibility
is the supported_devices entry. This can be exploited by putting
a custom message into this variable of the metadata, so older FW
will produce a mismatch and print the message as it thinks it's the
list of supported devices. So, we have two cases:
device 1.0, image 1.0:
The metadata will just contain supported_devices as before.
device 1.0, image 1.1:
The metadata will contain:
"new_supported_devices":["device_string1", "device_string2", ...],
"supported_devices":["Image version 1.1 incompatible to device: ..."]
If the device is "legacy", i.e. does not have the updated fwtool.sh,
it will just fail with image check and print the content of
supported_devices. If DEVICE_COMPAT_MESSAGE is set, this will be
printed on old devices as well through the same mechanism. Otherwise
a generic "Please check documentation ..." is appended.
Upgrade can still be performed with -F like when
SUPPORTED_DEVICES has been removed to prevent bricking.
If the device has updated fwtool.sh (but is 1.0), it will just use
the new_supported_devices instead, and work as intended (flashing
with -n will work, flashing without will print the appropriate
warning).
This mechanism should provide a fair tradeoff between simplicity
and functionality.
Since we touched a lot of fields in metadata, this also bumps
metadata_version to 1.1.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
We regularly encounter the situation that devices are subject to
changes that will make them incompatible to previous versions.
Removing SUPPORTED_DEVICES will not really be helpful in most of these
cases, as this only helps after a rename.
To solve this situation, this patchset introduces a compatibility
version for devices. In this patch, the actual checks are implemented
into fwtool_check_image():
If an incompatible change is introduced, one can increase either
the minor version (1.0->1.1) or the major version (1.0->2.0).
Minor version increment:
This will still allow sysupgrade, but require to reset config
(-n or SAVE_CONFIG=0). If sysupgrade is called without -n, a
corresponding message will be printed. If sysupgrade is called
with -n, it will just pass, with supported devices being checked
as usual. (Which will allow us to add back SUPPORTED_DEVICES for
many cases.)
Major version increment:
This is meant for potential (rare) cases where sysupgrade is
not possible at all, because it would break the device.
In this case, a warning will be printed, and -n won't help.
If image check fails because of one of the versions parts not
matching, the content of DEVICE_COMPAT_MESSAGE is printed in
addition to the generic message (if set).
For both cases, upgrade can still be forced with -F as usual.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
We regularly encounter the situation that devices are subject to
changes that will make them incompatible to previous versions.
Removing SUPPORTED_DEVICES will not really be helpful in most of these
cases, as this only helps after a rename.
To solve this situation, this patchset introduces a compatibility
version for devices. To complement the DEVICE_COMPAT_VERSION set
for the image to be flashed, this implements a compat_version on
the device, so it will have something to compare with the image.
The only viable way to achieve this seems to be via board.d files,
i.e. this is technically adding a compat version for the device's
config.
Like for the network setup, this will set up a command
ucidef_set_compat_version to set the compat_version in board.d.
This will then add a string to /etc/board.json, which will be
translated into uci system config by bin/config_generate.
By this, the compat_version, being a version of the config, will
also be exposed to the user.
As with DEVICE_COMPAT_VERSION, missing uci entry will be assumed
as compat_version "1.0", so we only need to add this if a device
needs to be bumped, e.g.
ucidef_set_compat_version "1.1"
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
28be011 instance: make sure values are not inherited from previous runs
2ae5cbc uxc: remove debugging left-over
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
For a few packages, the current TITLE is too long, so it is not
displayed at all when running make menuconfig. Despite, there is
no indication of OpenSSL vs. wolfSSL in the titles.
Thus, this patch adjusts titles to be generally shorter, and adds
the SSL variant to it.
While at it, make things easier by creating a shared definition for
eapol-test like it's done already for all the other flavors.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Drop outdated and by now broken patchset originally supplied by
Peter Oh in August 2018 but never merged upstream.
Instead add the more promissing rework recently submitted by
Markus Theil who picked up Peter's patchset, fixed and completed it
and added support for HE (802.11ax) in mesh mode.
This is only compile tested and needs some real-life testing.
Fixes: FS#3214
Fixes: 167028b750 ("hostapd: Update to version 2.9 (2019-08-08)")
Fixes: 0a3ec87a66 ("hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848ed")
Fixes: 017320ead3 ("hostapd: bring back mesh patches")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
c3ca99f jail: serialize hook execution
8ff8970 jail: add some remaining OCI features
9d5fa0a uxc: behave more like a compliant OCI run-time
1274033 uxc: fix create operation
2d811a4 jail: add 'kill' method to container.%s object
08133b8 uxc: use new container.%s kill ubus API
Signed-off-by: Daniel Golle <daniel@makrotopia.org>