This reverts commit 26681fa6a6 as it breaks the
installation of the iproute2 utilities ip-bridge, ss, nstat, devlink and rdma
for the ip-full variant
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This reverts commit fc80ef3613 as it breaks the
installation of the iproute2 utilities ip-bridge, ss, nstat, devlink and
rdma for the ip-full variant
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This reverts commit 248797834b as it breaks the
installation of the iproute2 utilities ip-bridge, ss, nstat, devlink and rdma
for the ip-full variant
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Currently it seems impossible to configure /etc/config/dhcp to achieve
the following use case
- run dnsmasq with no-resolv
- re-generate /etc/resolv.conf with "nameserver 127.0.0.1"
Before this change, we have to set resolvfile to /tmp/resolv.conf.auto
to achive the 2nd effect above, but setting resolvfile requires noresolv
being false.
A new boolean option "localuse" is added to indicate that we intend to
use dnsmasq as the local dns resolver. It's false by default and to
align with old behaviour it will be true automatically if resolvfile is
set to /tmp/resolv.conf.auto
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
Opkg treats text after a version number as higher than without:
~# opkg compare-versions "2.80rc1" "<<" "2.80"; echo $?
1
~# opkg compare-versions "2.80rc1" ">>" "2.80"; echo $?
0
This causes opkg not offering final release as upgradable version, and
even refusing to update, since it thinks the installed version is
higher.
This can be mitigated by adding ~ between the version and the text, as ~
will order as less than everything except itself. Since 'r' < 't', to
make sure that test will be treated as lower than rc we add a second ~
before the test tag. That way, the ordering becomes
2.80~~test < 2.80~rc < 2.80
which then makes opkg properly treat prerelease versions as lower.
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
It was already enabled for wpad builds and since commit 6a15077e2d
the script relies on it. Size impact is minimal (2 kb on MIPS .ipk).
Signed-off-by: Felix Fietkau <nbd@nbd.name>
In the case of SHARED_LIBS=y, don't use -export-dynamic to place *all*
symbols into the dynamic symbol table. Instead, use --dynamic-list to
export a smaller set of symbols similar to that defined in static-syms.h
in the case of SHARED_LIBS=n, avoiding an 11 KB tc package size increase.
Also increment PKG_RELEASE.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
This enables using the tc module m_xt.so, which uses the act_ipt kernel
module to allow tc actions based on iptables targets. e.g.
tc filter add dev eth0 parent 1: prio 10 protocol ip \
u32 match u32 0 0 action xt -j DSCP --set-dscp-class BE
Make the SHARED_LIBS parameter configurable and based on tc package
selection.
Fix a problem using the tc m_xt.so plugin as also described in
https://bugs.debian.org/868059:
Sync include/xtables.h from iptables to make sure the right offset is
used when accessing structure members defined in libxtables. One could
get “Extension does not know id …” otherwise. (See also: #868059)
Patch to sync the included xtables.h with system iptables 1.6.x. This
continues to work with iptables 1.8.2.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Simplify build and runtime dependencies on libelf, which allows tc and ip
to load BPF and XDP object files respectively.
Preserve optionality of libelf by having configuration script follow the
HAVE_ELF environment variable, used similarly to the HAVE_MNL variable.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Replace the old 'tc' with a singleton package variant which will be used
to enable additional functionality and limit it only to tc. Non-variant
packages will only be installed during 'tiny' variant builds, hence will
be configured without extra features, thus preserving previously limited
functionality and reduced package sizes.
Also set ip-tiny as the default variant, and install 'tiny' versions of
development libraries.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Compile-based feature detection (e.g. xtables, ipset support) was broken
due to silent compilation errors in the configure script, caused by a
Makefile variable KERNEL_INCLUDE referring to kernel build headers. Use
userspace headers by setting the same "user_headers" kernel include path
as used for the iptables build.
Remove redundant or unused Build/Configure definitions from package
Makefile, including KERNEL_INCLUDE, LIBC_INCLUDE and DBM includes.
Don't pass LDFLAGS within MAKE_FLAGS as this interferes with LDFLAGS in
tc/Makefile and masks a link parameter ("-Wl,-export-dynamic"). Instead,
use standard TARGET_LDFLAGS.
Replace EXTRA_CCOPTS in MAKE_FLAGS with cleaner TARGET_CPPFLAGS, and also
drop now unneeded patch 150-extra-ccopts.patch.
Enable defining XT_LIB_DIR from Makefile, needed to set the iptables
modules directory to something other than /lib/xtables, and also add
libxtables dependency. Both are needed with working xtables detection.
Note that libxtables is also pulled in by iptables, firewall or luci, so
this change has no size impact in most cases.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Since v4.13, iproute2 switched to a config.mk file with greater use of
pkg-config for library/feature detection. Replace the old Config patch
with one modifying the configure script but enabling the same changes:
- explicitly disable TC_CONFIG_ATM
- rely on feature detection for IP_CONFIG_SETNS and TC_CONFIG_XT
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Same reasoning as in bdedb798150a58ad7ce3c4741f2f31df97e84c3f; don't set
default firewall zone to wan as the firewall zone for the vti interface
can be configured in the firewall config or it makes it impossible not to
specify a firewall zone for the vti interface.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Same reasoning as in bdedb798150a58ad7ce3c4741f2f31df97e84c3f; don't set
default firewall zone to wan as the firewall zone for the ipip interface
can be configured in the firewall config or it makes it impossible not to
specify a firewall zone for the ipip interface.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Fixed CVEs:
CVE-2018-16890
CVE-2019-3822
CVE-2019-3823
For other changes in version 7.64.0 see https://curl.haxx.se/changes.html#7_64_0
Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
There are two problems with this behaviour that the zone is set to wan
if no zone config option is defined in the interface section.
* The zone for the interface is "normally" specified in the firewall
config file. So if we have defined "no" zone for this interface zone
option is set now to "wan" additonaly if we add the interface in the firewall
config section to the "lan" zone, the interface is added to lan and wan at once.
iptables-save | grep <iface>
This is not what I expect.
* If I do not want to set a zone to this interface it is not possible.
Remove the default assigment to wan if no zone option is defined.
If some one need the option it stil possible to define this option.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
As the usage of libbsd is no longer limited to glibc, prevent libbsd
being picked up by removing the dependency on libbsd.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This bumps ppp to latest git version.
There is one upstream commit, which changes DES encryption calls from
libcrypt / glibc to openssl.
As long as we don't use glibc-2.28, revert this commit.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* tools: curve25519: handle unaligned loads/stores safely
This should fix sporadic crashes with `wg pubkey` on certain architectures.
* netlink: auth socket changes against namespace of socket
In WireGuard, the underlying UDP socket lives in the namespace where the
interface was created and doesn't move if the interface is moved. This
allows one to create the interface in some privileged place that has
Internet access, and then move it into a container namespace that only
has the WireGuard interface for egress. Consider the following
situation:
1. Interface created in namespace A. Socket therefore lives in namespace A.
2. Interface moved to namespace B. Socket remains in namespace A.
3. Namespace B now has access to the interface and changes the listen
port and/or fwmark of socket. Change is reflected in namespace A.
This behavior is arguably _fine_ and perhaps even expected or
acceptable. But there's also an argument to be made that B should have
A's cred to do so. So, this patch adds a simple ns_capable check.
* ratelimiter: build tests with !IPV6
Should reenable building in debug mode for systems without IPv6.
* noise: replace getnstimeofday64 with ktime_get_real_ts64
* ratelimiter: totalram_pages is now a function
* qemu: enable FP on MIPS
Linux 5.0 support.
* keygen-html: bring back pure javascript implementation
Benoît Viguier has proofs that values will stay well within 2^53. We
also have an improved carry function that's much simpler. Probably more
constant time than emscripten's 64-bit integers.
* contrib: introduce simple highlighter library
This is the highlighter library being used in:
- https://twitter.com/EdgeSecurity/status/1085294681003454465
- https://twitter.com/EdgeSecurity/status/1081953278248796165
It's included here as a contrib example, so that others can paste it into
their own GUI clients for having the same strictly validating highlighting.
* netlink: use __kernel_timespec for handshake time
This readies us for Y2038. See https://lwn.net/Articles/776435/ for more info.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Update to the latest version of iproute2; see https://lwn.net/Articles/776174/
for a full overview of the changes in 4.20.
Remove upstream patch 001-fix-print_0xhex-on-32-bit.patch and 002-tc-fix-xtables-incorrect-usage-of-LDFLAGS.patch
Introduce a patch to include <linux/limits.h> for XATTR_SIZE_MAX in tc
Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
This adds a wrapper (uci_load_validate) for uci_validate_section() that
allows callers (through a callback function) to access the values set by
uci_validate_section(), without having to manually declare a
(potentially long) list of local variables.
The callback function receives two arguments when called, the config
section name and the return value of uci_validate_section().
If no callback function is given, then the wrapper exits with the value
returned by uci_validate_section().
This also updates several init scripts to use the new wrapper function.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
these utilities need to run with uid 0 to be useful. Thus,
install them setuid root like other distros do, too.
Signed-off-by: Carsten Wolff <carsten@wolffcarsten.de>
[use INSTALL_SUID macro]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
In order to prepare the switch from librpc to libtirpc, we need to relocate
conntrack-tools to the packages feed.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
In the case of upstream libraries, set the ABI_VERSION variable to the
soname value of the first version version after the last backwards
incompatible change.
For custom OpenWrt libraries, set the ABI_VERSION to the date of the
last Git commit doing backwards incompatible changes to the source,
such as changing function singatures or dropping exported symbols.
The soname values have been determined by either checking
https://abi-laboratory.pro/index.php?view=tracker or - in the case
of OpenWrt libraries - by carefully reviewing the changes made to
header files thorough the corresponding Git history.
In the future, the ABI_VERSION values must be bumped whenever the
library is updated to an incpompatible version but not with every
package update, in order to reduce the dependency churn in the
binary package repository.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
f52bb5b fix previous commit
18eac67 Fix entries in /etc/hosts disabling static leases.
f8c77ed Fix removal of DHCP_CLIENT_MAC options from DHCPv6 relay replies.
4bf62f6 Tidy cache_blockdata_free()
9c0d445 Fix e7bfd556c079c8b5e7425aed44abc35925b24043 to actually work.
2896e24 Check for not(DS or DNSKEY) in is_outdated_cname_pointer()
a90f09d Fix crash freeing negative SRV cache entries.
5b99eae Cache SRV records.
2daca52 Fix typo in ra-param man page section.
2c59473 File logic bug in cache-marshalling code. Introduced a couple of commits back.
cc921df Remove nested struct/union in cache records and all_addr.
ab194ed Futher address union tidying.
65a01b7 Tidy address-union handling: move class into explicit argument.
bde4647 Tidy all_addr union, merge log and rcode fields.
e7bfd55 Alter DHCP address selection after DECLINE in consec-addr mode. Avoid offering the same address after a recieving a DECLINE message to stop an infinite protocol loop. This has long been done in default address allocation mode: this adds similar behaviour when allocaing addresses consecutively.
The most relevant fix for openwrt is 18eac67 (& my own local f52bb5b
which fixes a missing bracket silly) To quote the patch:
It is possible for a config entry to have one address family specified by a
dhcp-host directive and the other added from /etc/hosts. This is especially
common on OpenWrt because it uses odhcpd for DHCPv6 and IPv6 leases are
imported into dnsmasq via a hosts file.
To handle this case there need to be separate *_HOSTS flags for IPv4 and IPv6.
Otherwise when the hosts file is reloaded it will clear the CONFIG_ADDR(6) flag
which was set by the dhcp-host directive.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
7abbed4 dhcpv6: add setting to choose IA_NA, IA_PD or both
dd1aefd router: add syslog tracing for skipped routes
0314d58 router: filter route information option
5e99738 router: make announcing DNS info configurable (FS#2020)
1fe77f3 router: check return code of odhcpd_get_interface_dns_addr()
8f49804 config: check for invalid DNS addresses
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
d2e247d odhcp6c: align further with RFC8415
ce83a23 dhcpv6: avoid parsing unncessary IAs
b079733 dhcpv6: set cnt to correct IOV enum
41494da dhcpv6: get rid of request_prefix
f7437e4 dhcpv6: sanitize option request list
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The new samba36-hotplug package provides a hotplug.d script for the
"mount" subsystem. It automatically shares every mounted block device.
It works by updating /var/run/config/samba file which:
1) Is read by procd init script
2) Gets wiped on reboot providing a consistent state
3) Can be safely updated without flash wearing or conflicting with user
changes being made in /etc/config/samba
Cc: Rosy Song <rosysong@rosinson.com>
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This will allow automation/hotplug.d scripts to store runtime shares in
the /var/run/config/samba. It's useful e.g. for USB drives that user
wants to be automatically shared.
Using /var/run/config/ provides:
1) Automated cleaning on reboots
It's important for consistency (to avoid sharing non-existing drives)
2) Safety for user non-commited changes
Automated scripts should never call "uci [foo] commit" as that could
flush incomplete config.
Another minor gain is avoiding flash wearing for runtime setup.
Cc: Rosy Song <rosysong@rosinson.com>
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
70f8785 zones: add zone identifying local traffic in raw OUTPUT chain
6920de7 utils: Free args in __fw3_command_pipe()
6ba9105 options: redirects: Fix possible buffer overflows
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This updates hostapd to version the git version from 2018-12-02 which
matches the 2.7 release.
The removed patches were are already available in the upstream code, one
additional backport is needed to fix a compile problem.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>