Bind to the configured system interfaces only. Switchport interfaces
are no longer ignored and uci interface values for LLDPD are honored.
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit 064b4999ad)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
Init script reload with trigger to detect config file update.
Reload command added to attempt non-impactful lldpd reload where
lldpcli can be used to update config without process restart.
Config hash function used to track whether process restart is needed.
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
(cherry picked from commit e483c247dc)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
allow to overwrite the detected system capabilities e.g. if devices
does not operate as bridge.
Signed-off-by: Sebastian Pflieger <sebastian@pflieger.email>
(cherry picked from commit 3ce909914a)
Link: https://github.com/openwrt/openwrt/pull/15299
Signed-off-by: Robert Marko <robimarko@gmail.com>
This patch fixes the list delimiter between 3GPP networks
passed to hostapd.
> list iw_anqp_3gpp_cell_net '262,001'
> list iw_anqp_3gpp_cell_net '262,002'
When passing a list of "iw_anqp_3gpp_cell_net" parameters via UCI,
hostapd would crash at startup:
> daemon.err hostapd: Line 73: Invalid anqp_3gpp_cell_net: 262,001:262,002
Using a semicolon as a delimiter, hostapd will start as expected.
Signed-off-by: Sarah Maedel <git@tbspace.de>
(cherry picked from commit 8de185a176)
This patch backports fixes for a security vulnerability impacting the
hostapd implementation of SAE H2E.
As upgrading hostapd would require more testing, the second mitigation
step which involves backporting several patches was adopted as outlined
in the official advisory[1].
An explanation of the impact of the vulnerability is provided from the
advisory[1]:
This vulnerability allows the attacker to downgrade the negotiated group
to another enabled group if both the AP and STA have enabled SAE H2E and
multiple groups. It should be noted that the H2E option is not enabled
by default and the attack is not applicable to the default option, i.e.,
hunting-and-pecking, since it does not have any downgrade protection for
group negotiation. In addition, the default configuration for enabled
SAE groups in hostapd is to enable only a single group, so the
vulnerability is not applicable unless hostapd has been explicitly
configured to enable more groups for SAE.
[1]: https://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/16043
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit db7f70fe61)
On some setup failures, iface->bss can be NULL
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 1ee5b7e506)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The data is modified within hostapd_add_iface
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 032d3fcf7a)
Link: https://github.com/openwrt/openwrt/pull/15898
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Don't ignore probe requests which contain an invalid DS parameter for the
current operating channel.
As the comment outlines, the drop shall only apply if
dot11RadioMeasurementActivated is set to 1.
However, it was observed Linux clients (Debian 12 / NixOS 23.11)
with an Intel 8265 NIC may generate a probe request frame with
dot11RadioMeasurementActivated set to false and an invalid DSSS
parameter.
These were also dropped even though they should not have been. They
however should not have contained this parameter in the first place.
Don't drop Probe Requests which contain such an invalid field. This may
lead to more probe responses being sent, however it does fix very
frequent connection issues for these clients on 2.4 GHz.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 68e4cc9be5)
When an IBBS interface is configured for IBSS legacy mode, wdev.htmode
is empty. This is empty string results in an empty positional argument
to the "ibbs join" command, for example:
iw dev phy0-ibss0 ibss join crymesh 2412 '' fixed-freq beacon-interval 100
This empty argument is interpreted as an invalid HT mode by 'iw',
causing the entire command to fail and print a "usage" message:
daemon.notice netifd: radio0 (4527): Usage: iw [options] \
dev <devname> ibss join <SSID> <freq in MHz> ...
Although nobody will ever need more than 640K of IBSS, explicitly use
"NOHT" if an HT mode is not given. This fixes the problem.
Fixes: e56c5f7b27 ("hostapd: add ucode support, use ucode for the main ubus object")
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [extend to cover more cases]
(cherry picked from commit cee9fcdb73)
52144f723bec pex: after receiving data update req, notify peer of local address/port
29aacb9386e0 pex: track indirect hosts (reachable via gateway) as peers without adding them to wg
48049524d4fc pex: do not send peer notifications for hosts with a gateway
12ac684ee22a pex: do not query for hosts with a gateway
203c88857354 pex: fix endian issues on config transfer
a29d45c71bca network: fix endian issue in converting port to network id
cbbe9d337a17 unet-cli: emit id by default
806457664ab6 unet-cli: strip initial newline in usage message
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit a112ed4126)
These two patches are fixing minor problems with DNSSEC found shortly
after the dnsmasq 2.90 release.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 28c87d7ecd)
dnsmasq was recently updated to 2.90, but PKG_RELEASE was not reset to 1.
Fixes: 838a27f64f ("dnsmasq: version 2.90")
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 694e647784)
Bump to 2.90 to get upstream's fix for DNSSEC KeyTrap (CVE-2023-50387,
CVE-2023-50868) among many other goodies and fixes (notably, upstream
568fb024... fixes a UAF in cache_remove_uid that was routinely crashing
dnsmasq in my deployment).
Catch up our 200-ubus_dns.patch, too.
Signed-off-by: Nathaniel Wesley Filardo <nwfilardo@gmail.com>
(cherry picked from commit 838a27f64f)
If the dnsmasq process forks to handle TCP connections, it closes the ubus
context. But instead of changing the daemon wide pointer to NULL, only the
local variable was adjusted - and this portion of the code was even dropped
(dead store) by some optimizing compilers.
It makes more sense to change the daemon->ubus pointer because various
functions are already checking it for NULL. It is also the behavior which
ubus_destroy() implements.
Fixes: d8b33dad0b ("dnsmasq: add support for monitoring and modifying dns lookup results via ubus")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
(cherry picked from commit 711dcb7763)
802.11r can not be used when selecting WPA. It needs at least WPA2.
This is because 802.11r advertises FT support in-part through the
Authentication and Key Management (AKM) suites in the Robust
Security Network (RSN) Information Element, which was included in
the 802.11i amendment and WPA2 certification program.
Pre-standard WPA did not include the RSN IE, but the WPA IE.
This IE can not advertise the AKM suite for FT.
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
(cherry picked from commit cdc4c55175)
When using WPA3-SAE or WPA2/WPA3 Personal Mixed, we can not use
ft_psk_generate_local because it will break FT for SAE. Instead
use the r0kh and r1kh configuration approach.
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
(cherry picked from commit e2f6bfb833)
Fixes: https://github.com/openwrt/luci/issues/6930
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Fix netifd hostapd.sh selection of FILS-SHA384 algorithm with eap-192.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 472312f83f)
Checking for AP_VLAN misdetects ath10k-ath12k as fullmac, because of software
crypto limitations. Check for monitor mode support instead, which is more
reliable.
Fixes: https://github.com/openwrt/openwrt/issues/14575
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 2b4941a6f1)
Use postinst script to reload service instead of uci-defaults hack. It's
possible thanks to recent base-files change that executes postinst after
uci-defaults.
This fixes support for uhttpd customizations. It's possible (again) to
adjust uhttpd config with custom uci-defaults before it gets started.
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Fixes: d25d281fd6 ("uhttpd: Reload config after uhttpd-mod-ubus was added")
Ref: b799dd3c70 ("base-files: execute package's "postinst" after executing uci-defaults")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 1f11a4e283)
[Upstream Backport]
The range for the 5 GHz channel 118 was encoded with an incorrect
channel number.
Fixes: ed8e13decc71 (ACS: Extract bw40/80/160 freqs out of acs_usable_bwXXX_chan())
Signed-off-by: Michael Lee <michael-cy.lee@mediatek.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 56d7887917)
Increasing the receive window size improves throughout on higher-latency
links such as WAN connections. The current default of 24KB caps out at
around 500 KB/s.
Increasing the receive buffer to 256KB increases the throughput to at
least 11 MB/s.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit f95eecfb21)
Refresh patches for hostapd using make package/hostapd/refresh.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 05e516b12d)
Currently for 802.1s only, for wifi 2.4GHz in g/n mode, 40MHz is never
permitted.
This is probably due to the complexity of setting periodic check for the
intolerant bit. When noscan option is set, we ignore the presence of the
intoleran bit in near AP, so we can enable 40MHz and ignore any complex
logic for checking.
Fixes: #13112
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 6c9ac57d58)
Also channel 7 for 2.4GHz can be set to HT40PLUS. Permit this and add it
to the list of the channels.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit b1c7b1bd67)
noscan option for mesh was broken and actually never applied.
This is caused by a typo where ssid->noscan value is check instead of
conf->noscan resulting in the logic swapped and broken.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 1b5ea2e199)
Apply them directly using nl80211 after setting up the interface.
Use the same method in wdev.uc as well
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 531314260d)
d8118f6 config: make sure timer is not on the timeouts list before freeing
4bbc6e7 add hostsfile output in addition to statefile
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 0221b86032)
Upgrading wpa_supplicant from 2.9 to 2.10 breaks broadcom-wl/ath11k
based adapters. The reason for it is hostapd tries to install additional
IEs for scanning while the driver does not support this.
The kernel indicates the maximum number of bytes for additional scan IEs
using the NL80211_ATTR_MAX_SCAN_IE_LEN attribute. Save this value and
only add additional scan IEs in case the driver can accommodate these
additional IEs.
Bug: http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
Bug-Debian: https://bugs.debian.org/1004524
Bug-ArchLinux: https://bugs.archlinux.org/task/73495
Upstream-Status: Changes Requested [https://patchwork.ozlabs.org/project/hostap/patch/20220130192200.10883-1-mail@david-bauer.net]
Reported-by: Étienne Morice <neon.emorice@mail.com>
Tested-by: Étienne Morice <neon.emorice@mail.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 6dca88aa4a)
The code for hostapd-mbedtls did not work when used for OWE association.
When handling association requests, the buffer offsets and length
assumptions were incorrect, leading to never calculating the y point,
thus denying association.
Also when crafting the association response, the buffer contained the
trailing key-type.
Fix up both issues to adhere to the specification and make
hostapd-mbedtls work with the OWE security type.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 39341f422f)
479c7f8676d9 cache: make record/hostname lookup case-insensitive
26c97a5a50bf ubus: add a browse flag for suppressing cached ip addresses
c286c51a9bd9 Fix AVL tree traversal in cache_record_find and cache_host_is_known
4035fe42df58 interface: use a global socket instead of per-interface ones
c63d465698c7 cache: dump hostname target from srv records
b42b22152d73 use hostname from SRV record to look up IP addresses
d45c443aa1e6 ubus: add array flag support for the hosts method
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 3e1ac00ccb)
Recent hostapd changes just edited the ucode files. It is required to
bump the PKG_RELEASE to include the newest changes in the latest builds.
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 91d2ead3c3)
If the full interface is restarted while bringing up an AP, it can trigger a
wpa_supplicant interface start before wpa_supplicant is notified of the
allocated mac addresses.
Fix this by moving the iface_update_supplicant_macaddr call to just after
the point where mac addresses are allocated.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit abceef120d)
Ensure that the iface disable in uc_hostapd_iface_start also clears the ACS
state.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit f1bb528ae7)
The patch refresh accidentally moved the hostapd_ucode_free_iface call to
the wrong function
Fixes: e9722aef9e ("hostapd: fix a crash when disabling an interface during channel list update")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 3a5ad6e3d7)
Without it, a lot of authentication modes fail without obvious error messages
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 560965d582)
WPA3 Enterprise-transitional requires optional MFP support and SHA1+SHA256
WPA3 Enterprise-only requires SHA1 support disabled and mandatory MFP.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit b63df6ce5d)
