procd-seccomp switched to OCI-compliant seccomp parser instead of our
(legacy, OpenWrt-specific) format. Convert ruleset to new format.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
wireguard-tools is trying to import the menuconfig section
from the wireguard package, but since it's not anymore in
the same makefile this seems to fail and wireguard-tools
ends up in "extra packages" category instead with other
odds and ends.
Same for the description, it's trying to import it from the
wireguard package but it fails so it only shows the line
written in this makefile.
remove the broken imports and add manually the entries
and description they were supposed to load
Fixes: ea980fb9c6 ("wireguard: bump to 20191226")
Signed-off-by: Alberto Bursi <bobafetthotmail@gmail.com>
[fix trailing whitespaces, add Fixes]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Update dropbear to latest stable 2.81; for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
Refresh patches
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
BusyBox ip already provides the required functionality and is enabled by default
in OpenWrt. This patch drops the ip dependency and makes the BusyBox ip required
dependencies explicit, allowing for a significant image size reduction.
openwrt-ath79-generic-ubnt_nanostation-loco-m-squashfs-sysupgrade.bin size:
4588354 bytes (with ip-tiny)
4457282 bytes (with BusyBox ip)
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Update iproute2 to latest stable 5.9; for the changes see https://lwn.net/Articles/834755/
Refresh patches
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: Hauke Mehrtens <hauke@huake-m.de>
* noise: take lock when removing handshake entry from table
This is a defense in depth patch backported from upstream to account for any
future issues with list node lifecycles.
* netns: check that route_me_harder packets use the right sk
A test for an issue that goes back to before Linux's git history began. I've
fixed this upstream, but it doesn't look possible to put it into the compat
layer, as it's a core networking problem. But we still test for it in the
netns test and warn on broken kernels.
* qemu: drop build support for rhel 8.2
We now test 8.3+.
* compat: SYM_FUNC_{START,END} were backported to 5.4
* qemu: bump default testing version
The real motivation for this version bump: 5.4.76 made a change that broke our
compat layer.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
3023b0cc7352 bridge: add support for defining port member vlans via hotplug ops
a3016c451248 vlan: add pass-through hotplug ops that pass the VLAN info to the bridge
d59f3ddcbaf0 vlandev: add pass-through hotplug ops that pass the VLAN info to the bridge
dd5e61153636 bridge: show vlans in device status
a56e14afa612 bridge: preserve hotplug ports on vlan update if config is unchanged
d1e8884f8911 bridge: fix use-after-free bug on bridge member free
3a2b21001c3c system-dummy: set present state only for simple devices
ed11f0c0ffe4 bridge: only overwrite implicit vlan assignment if vlans are configured
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Allow configuring ipsets with dedicated config sections:
config ipset
list name 'ss_rules_dst_forward'
list name 'ss_rules6_dst_forward'
list domain 't.me'
list domain 'telegram.org'
instead of current, rather inconvenient syntax:
config dnsmasq
...
list ipset '/t.me/telegram.org/ss_rules_dst_forward,ss_rules6_dst_forward'
Current syntax will still continue to work though.
With this change, a LuCI GUI for DNS ipsets should be easy to implement.
Signed-off-by: Aleksandr Mezin <mezin.alexander@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
The uhttpd package takes care of creating self-signed certificates if
px5g is installed. This improves the security of router management as it
encrypts the LuCI connection.
The EC P-256 curve is faster than RSA which which improves the user
experience on embedded devices. EC P-256 is support for as old devices
as Android 4.4.
Signed-off-by: Paul Spooren <mail@aparcar.org>
If only AP mode is needed, this is currently the most space-efficient way to
provide support for WPA{2,3}-PSK, 802.11w and 802.11r.
openwrt-ath79-generic-ubnt_nanostation-loco-m-squashfs-sysupgrade.bin sizes:
4719426 bytes (with wpad-basic-wolfssl)
4457282 bytes (with hostapd-basic-wolfssl)
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Hotspot 2.0 AP features have been made available in the -full variants
of hostapd and wpad. Hence we no longer need a seperate package for
that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Add OpenSSL-linked basic variants (which provides WPA-PSK only, 802.11r and
802.11w) of both hostapd and wpad. For people who don't need the full hostapd
but are stuck with libopenssl for other reasons, this saves space by avoiding
the need of an additional library (or a larger hostapd with built-in crypto).
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
This adds missing config symbols for interworking as well as Hotspot 2.0
to the wpa_supplicant-full configuration.
These symbols were added to the hostapd-full configuration prior to this
commit. Without adding them to the wpa_supplicant configuration,
building of wpad-full fails.
Thanks to Rene for reaching out on IRC.
Fixes: commit be9694aaa2 ("hostapd: add UCI support for Hotspot 2.0")
Fixes: commit 838b412cb5 ("hostapd: add interworking support")
Signed-off-by: David Bauer <mail@david-bauer.net>
/etc/hotplug.d/ntp/25-dnsmasqsec is being sourced by /sbin/hotplug-call
running as ntpd user. For that to work the file needs to be readable by
that user.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This adds configuration options to enable interworking for hostapd.
All options require iw_enabled to be set to 1 for a given VAP.
All IEEE802.11u related settings are supported with exception of the
venue information which will be added as separate UCI sections at a
later point.
The options use the same name as the ones from the hostapd.conf file
with a "iw_" prefix added.
All UCI configuration options are passed without further modifications
to hostapd with exceptions of the following options, whose elements can
be provided using UCI lis elements:
- iw_roaming_consortium
- iw_anqp_elem
- iw_nai_realm
- iw_domain_name
- iw_anqp_3gpp_cell_net
Signed-off-by: David Bauer <mail@david-bauer.net>
This adds support for enabling the FTM responder flag for the APs
extended capabilities. On supported hardware, enabling the ftm_responder
config key for a given AP will enable the FTM responder bit.
FTM support itself is unconditionally implemented in the devices
firmware (ath10k 2nd generation with 3.2.1.1 firmware). There's
currently no softmac implementation.
Also allow to configure LCI and civic location information which can be
transmitted to a FTM initiator.
Signed-off-by: David Bauer <mail@david-bauer.net>
Remove the ieee80211v option. It previously was required to be enabled
in order to use time_advertisement, time_zone, wnm_sleep_mode and
bss_transition, however it didn't enable any of these options by default.
Remove it, as configuring these options independently is enough.
This change does not influence the behavior of any already configured
setting.
Signed-off-by: David Bauer <mail@david-bauer.net>
Allow to configure both RRM beacon as well as neighbor reports
independently and only enable them by default in case the ieee80211k
config option is set.
Signed-off-by: David Bauer <mail@david-bauer.net>
59e4fc98162d cache: cache_answer: fix off by one
4cece9cc7db4 cache: cache_record_find: fix buffer overflow
be687257ee0b cmake: tests: provide umdns-san binary
bf01f2dd0089 tests: add dns_handle_packet_file tool
134afc728846 tests: add libFuzzer based fuzzing
de08a2c71ca8 cmake: create static library
cdc18fbb3ea8 interface: fix possible null pointer dereference
1fa034c65cb6 interface: fix value stored to 'fd' is never read
3a67ebe3fc66 Add initial GitLab CI support
50caea125517 cmake: fix include dirs and libs lookup
Signed-off-by: Petr Štetiar <ynezz@true.cz>
For IPv6 native connections when using IPv6 DNS lookups, there is no
valid default resolver if ignoring WAN DHCP provided nameservers.
This uses a runtime check to determine if IPv6 is supported on the host.
Signed-off-by: Joel Johnson <mrjoel@lixil.net>
ntpd in packages feed had already a user 'ntp' with UID 123 declared.
Rename the username of busybox-ntpd to be 'ntp' instead of 'ntpd' so
it doesn't clash.
Reported-by: Etienne Champetier <champetier.etienne@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Changelog follows
ced0d535 build: find and use libnl header dirs
5722218e proto: rework parse_addr to return struct device_addr
3d7bf604 device_addr: record address index as in the blob
24ce1eab interface: proto_ip: order by address index first
This bump mainly affects order of interface addresses in ubus output. At the
moment dnsmasq uses first address of an interface for setting dhcp-range option
in its config
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Expose WPS ubus API only if compiled with WPS support and add new
handler for wps_status call.
Also add '-v wps' option to check whether WPS support is present in
hostapd.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This is useful to bring up multiple client mode interfaces on a single
channel much faster without having to scan through a lot of channels
Signed-off-by: Felix Fietkau <nbd@nbd.name>
It should return false to indicate that the option should not be ignored
Fixes 064dc1e8 ("dnsmasq: abort when dnssec requested but not
available")
Reported-by: Sami Olmari <sami@olmari.fi>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
The TFTP server provided by dnsmasq supports serving a select boot image
based on the client's MAC or IP address. This allows an administrator
to activate this feature in /etc/config/dhcp. Here is an example
/etc/config/dhcp that configures dnsmasq with --tftp-unique-root=mac:
...
config dnsmasq
option enable_tftp 1
option tftp_root /usr/libexec/tftpboot
option tftp_unique_root mac
config boot router
option serveraddress 192.168.1.1
option servername tftp.example.com
option filename openwrt-initramfs-kernel.bin
...
With this configuration, dnsmasq will serve
/usr/libexec/tftpboot/00-11-22-33-44-55/openwrt-initramfs-kernel.bin to
the client with MAC address 00:11:22:33:44:55.
Signed-off-by: W. Michael Petullo <mike@flyn.org>
Add config options:
srcportmin/srcportmax : range of port numbers to use as UDP source ports
to communicate to the remote VXLAN tunnel endpoint
ageing : lifetime in seconds of FDB entries learnt by the kernel
maxaddress : maximum number of FDB entries
learning : enable/disable entering unknown source link layer addresses
and IP addresses into the VXLAN device FDB.
rsc : enable/disable route short circuit
proxy : enable/disable ARP proxy
l2miss : enable/disable netlink LLADDR miss notifications
l3miss : enable/disable netlink IP ADDR miss notifications
gbp : enable/disable the Group Policy extension
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Make the BSSID and SSID fields optional when configuring a neighbor
report into hostapd.
Both options can now be an empty string. For the BSSID, the first 6 byte
are copied from the neighbor report. For the SSID, the SSID for the
affected hostapd BSS is used.
Signed-off-by: David Bauer <mail@david-bauer.net>
Rafal Milecki pointed out that ubus events are meant for low-level ubus
events only (e.g. addition or removal of an object). Higher level
events should happen as notifications on the ubus object itself.
Dispatch BSS events on the main hostapd ubus object instead of
publishing them as ubus events.
Signed-off-by: David Bauer <mail@david-bauer.net>
hostapd will emit a ubus event with the eventname hostapd.<ifname>.<event>
when adding, removing or reloading a BSS.
This way, services which install state (for example the RMM neighbor
list) can on-demand reinstall this information for the BSS without
polling this state.
Signed-off-by: David Bauer <mail@david-bauer.net>
UCI defaults scripts are supposed to be numbered, but odhcpd's lacked numbering, which
turned out to mess up my custom scripts numbered 9[0-9]_*. The idea is to have high number
(custom) scripts executed last. Jow confirmed numbering is the default case, not the
exception (thanks).
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
With global NLS support enabled (CONFIG_BUILD_NLS), the linked libelf.so
and libbfd.so libraries will depend on libintl.so. Import the nls.mk helper
to set library prefixes and flags accordingly, and also conditionally add
"-lintl" as link-time library.
Fix a build error on ppc due to a EDEADLOCK redefinition in errno.h.
Use upstream stable kernel 5.8.9, and fix overriding of feature detection
to only allow/hide detected features. Also refresh existing patches.
Fixes: 2f0d672088 ("bpftools: add utility and library packages supporting
eBPF usage")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Add support for per-BSS airtime weight configuration. This allows to set
a airtime weight per BSS as well as a ratio limit based on the weight.
Support for this feature is only enabled in the full flavors of hostapd.
Consult the hostapd.conf documentation (Airtime policy configuration)
for more information on the inner workings of the exposed settings.
Signed-off-by: David Bauer <mail@david-bauer.net>
* ipc: split into separate files per-platform
This is in preparation for FreeBSD support, which I had hoped to have this
release, but we're still waiting on some tooling fixes, so hopefully next
wg(8) will support that. Either way, the code base is now a lot more amenable
to adding more kernel platform support.
* man: wg-quick: use syncconf instead of addconf for strip example
Simple documentation fix.
* pubkey: isblank is a subset of isspace
* ctype: use non-locale-specific ctype.h
In addition to ensuring that isalpha() and such isn't locale-specific, we also
make these constant time, even though we're never distinguishing between bits
of a secret using them. From that perspective, though, this is markedly better
than the locale-specific table lookups in glibc, even though base64 characters
span two cache lines and valid private keys must hit both. This may be useful
for other projects too: https://git.zx2c4.com/wireguard-tools/tree/src/ctype.h
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Don't use bash syntax, because /bin/sh is used here.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
[bump PKG_RELEASE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* compat: backport kfree_sensitive and switch to it
* netlink: consistently use NLA_POLICY_EXACT_LEN()
* netlink: consistently use NLA_POLICY_MIN_LEN()
* compat: backport NLA policy macros
Backports from upstream changes.
* peerlookup: take lock before checking hash in replace operation
A fix for a race condition caught by syzkaller.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
3d9bd73 utils: fix check_pid_path to work with deleted file as well
330f403 vlan: initialize device ifname earlier at creation time
c057e71 device: do not check state from within device_init
cb0c07b system-dummy: fix resolving ifindex
ccd9ddc bridge: add support for turning on vlan_filtering
82bcb64 bridge: add support for adding vlans to a bridge
0e8cea0 bridge: add support for VLAN filtering
6086b63 config: enable bridge vlan filtering by default for bridges that define VLANs
ac0710b device: look up full device name before traversing vlan chain
e32e21e bridge: flush vlan list on bridge free
645ceed interface-ip: clear host bits of the device prefix
d7b614a netifd-wireless: parse 'osen' encryption
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The Ed25519 key pairs are much shorter than RSA pairs and are supported
by default in OpenSSH. Looking at websites explaining how to create new
SSH keys, many suggest using Ed25519 rather than RSA, however consider
the former as not yet widely established. OpenWrt likely has a positive
influence on that development.
As enabling Ed25519 is a compile time option, it is currently not
possible to install the feature via `opkg` nor select that option in an
ImageBuilder.
Due to the size impact of **12kB** the option should only be enabled for
devices with `!SMALL_FLASH`.
This approach seems cleaner than splitting `dropbear` into two packages
like `dropbear` and `dropbear-ed25519`.
Signed-off-by: Paul Spooren <mail@aparcar.org>
af30be0 Fix setting prefix for IPv6 link-local addresss
0314df4 Disable asking password again when prompt program returns 128
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Add support for building bpftool and libbpf from the latest 5.8.3 kernel
sources, ensuring up-to-date functionality and fixes. Both are written to
be backwards compatible, which simplfies build and usage across different
OpenWRT image kernels.
'bpftool' is the primary userspace tool widely used for introspection and
manipulation of eBPF programs and maps. Two variants are built: a 'full'
version which supports object disassembly and depends on libbfd/libopcodes
(total ~500KB); and a 'minimal' version without disassembly functions and
dependencies. The default 'minimal' variant is otherwise fully functional,
and both are compiled using LTO for further (~30KB) size reductions.
'libbpf' provides shared/static libraries and dev files needed for building
userspace programs that perform eBPF interaction.
Several cross-compilation and build-failure problems are addressed by new
patches and ones backported from farther upstream:
* 001-libbpf-ensure-no-local-symbols-counted-in-ABI-check.patch
* 002-libbpf-fix-build-failure-from-uninitialized-variable.patch
* 003-bpftool-allow-passing-BPFTOOL_VERSION-to-make.patch
* 004-v5.9-bpftool-use-only-ftw-for-file-tree-parsing.patch
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
In a multi-wan setup, netifd may need guidance on which wan device to
use to create the route to the remote peer.
This commit adds a 'tunlink' option similar to other tunneling interfaces
such as 6in4, 6rd, gre, etc.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
curl is replaced by uclient-fetch within the OpenWrt build system and we
can therefore move curl to packages.git. This is based on the Hamburg
2019 decision that non essential packages should move outside base.
Signed-off-by: Paul Spooren <mail@aparcar.org>
This fixes the following compile errors after the wolfssl 4.5.0 update:
LD wpa_cli
../src/crypto/tls_wolfssl.c: In function 'tls_match_alt_subject':
../src/crypto/tls_wolfssl.c:610:11: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'?
type = GEN_EMAIL;
^~~~~~~~~
ENAVAIL
../src/crypto/tls_wolfssl.c:610:11: note: each undeclared identifier is reported only once for each function it appears in
../src/crypto/tls_wolfssl.c:613:11: error: 'GEN_DNS' undeclared (first use in this function)
type = GEN_DNS;
^~~~~~~
../src/crypto/tls_wolfssl.c:616:11: error: 'GEN_URI' undeclared (first use in this function)
type = GEN_URI;
^~~~~~~
../src/crypto/tls_wolfssl.c: In function 'wolfssl_tls_cert_event':
../src/crypto/tls_wolfssl.c:902:20: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'?
if (gen->type != GEN_EMAIL &&
^~~~~~~~~
ENAVAIL
../src/crypto/tls_wolfssl.c:903:20: error: 'GEN_DNS' undeclared (first use in this function)
gen->type != GEN_DNS &&
^~~~~~~
../src/crypto/tls_wolfssl.c:904:20: error: 'GEN_URI' undeclared (first use in this function)
gen->type != GEN_URI)
^~~~~~~
Makefile:2029: recipe for target '../src/crypto/tls_wolfssl.o' failed
Fixes: 00722a720c ("wolfssl: Update to version 4.5.0")
Reported-by: Andre Heider <a.heider@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Instead of using mbedtls by default use wolfssl. We now integrate
wolfssl in the default build so use it also as default ssl library for
curl.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Backport a commit from upstream curl to fix a problem in configure with
wolfssl.
checking size of time_t... configure: error: cannot determine a size for time_t
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fixes package libcurl build issue :
Package libcurl is missing dependencies for the following libraries:
libzstd.so.1
Suggested-by: Syrone Wong <wong.syrone@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Abort the dhcp-check based on the interface instead of the carrier
state. In cases where the interface is up but the carrier is down,
netifd won't cause a dnsmasq reload, thus dhcp won't become active
on this interface.
Signed-off-by: David Bauer <mail@david-bauer.net>
"type" is already used as a common option for all protocols types, so
using the same option name for the map type makes the configuration
ambiguous. Luci in particular adds controls for both options and sees
errors when reading the resulting configuration.
Use "maptype" instead, but still fallback to "type" if "maptype" is not
set. This allows configurations to migrate without breaking old
configurations.
This addresses FS#3287.
Signed-off-by: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
The is no reason to catch the output by $() and then echo it again.
Remove the useless echos.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The legacy map version based on the IPv6 Interface Identifier in
draft-ietf-softwire-map-03 was typically used by uncommenting the LEGACY
variable in the map.sh file, which is not ideal. A proper configuration
option is needed instead.
The IPv6 Interface Identifier format described in the draft was
eventually changed in RFC7597, but is still used by some major ISPs,
including in Japan.
Signed-off-by: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
If not needed, disabling scp allows for a nice size reduction.
Dropbear executable size comparison:
153621 bytes (baseline)
133077 bytes (without scp)
In other words, we trim a total of 20544 bytes.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
The ssh symlink was still being created even when dbclient was disabled in the
build configuration. Fix this annoyance.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
677aa53 Fix -W option for pppoe-discovery utility (#157)
115c419 Accept Malformed Windows Success Message (#156)
5bdb148 pppd: Add documentation of stop-bits option to pppd man page (#154)
2a7981f Add ipv6cp-accept-remote option
0678d3b pppd: Fix the default value for ipv6cp-accept-local to false
Refresh patches
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The hostapd configuration logic is supposed to accept "option key" as
legacy alias for "option auth_secret". This particular fallback option
failed to work though because "key" was not a registered configuration
variable.
Fix this issue by registering the "key" option as well, similar to the
existing "server" nad "port" options.
Ref: https://github.com/openwrt/openwrt/pull/3282
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
If an existing "wpa_psk_file" is passed to hostapd, the "key" option may
be omitted.
While we're at it, also improve the passphrase length checking to ensure
that it is either exactly 64 bytes or 8 to 63 bytes.
Fixes: FS#2689
Ref: https://github.com/openwrt/openwrt/pull/3283
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Add package which provides size optimized wpad with support for just
WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
[adapt to recent changes, add dependency for WPA_WOLFSSL config]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Before this commit, if uci option "dnssec" was set, we pass "--dnssec"
and friends to dnsmasq, let it start and decide whether to quit and
whether to emit message for diagnosis
# dnsmasq --dnssec; echo $?
dnsmasq: DNSSEC not available: set HAVE_DNSSEC in src/config.h
1
DNSSEC as a feature is different from others like dhcp, tftp in that
it's a security feature. Better be explicit. With this change
committed, we make it so by not allowing it in the first in the
initscript, should dnsmasq later decides to not quit (not likely) or
quit without above explicit error (unlikely but less so ;)
So this is just being proactive. on/off choices with uci option
"dnssec" are still available like before
Link: https://github.com/openwrt/openwrt/pull/3265#issuecomment-667795302
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
With the introduction of the generic OpenVPN hotplug mechanism, wrapped
--up and --down scripts got the wrong amount and order of arguments passed,
breaking existing configurations and functionality.
Fix this issue by passing the same amount of arguments in the same expected
order as if the scripts were executed by the OpenVPN daemon directly.
Ref: https://github.com/openwrt/openwrt/pull/1596#issuecomment-668935156
Fixes: 8fe9940db6 ("openvpn: add generic hotplug mechanism")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This package provides the necessary files to translate `config dsa_vlan`
and `config dsa_port` sections of `/etc/config/network` into appropriate
bridge vlan filter rules.
The approach of the configuration is to bridge all DSA ports into a logical
bridge device, called "switch0" by default, and to set VLAN port membership,
tagging state and PVID as specified by UCI on each port and on the switch
bridge device itself, allowing logical interfaces to reference port VLAN
groups by using "switch0.N" as ifname, where N denotes the VLAN ID.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
212f836 ubus: rename JSON-RPC format related functions
628341f ubus: use local "blob_buf" in uh_ubus_handle_request_object()
9d663e7 ubus: use BLOBMSG_TYPE_UNSPEC for "params" JSON attribute
77d345e ubus: drop unused "obj" arguments
8d9e1fc ubus: parse "call" method params only for relevant call
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* compat: rhel 8.3 beta removed nf_nat_core.h
* compat: ipv6_dst_lookup_flow was ported to rhel 7.9 beta
This compat tag adds support for RHEL 8.3 beta and RHEL 7.9 beta, in addition
to RHEL 8.2 and RHEL 7.8. It also marks the first time that
<https://www.wireguard.com/build-status/> is all green for all RHEL kernels.
After quite a bit of trickery, we've finally got the RHEL kernels building
automatically.
* compat: allow override of depmod basedir
When building in an environment with a different modules install path, it's
not possible to override the depmod basedir flag by setting the DEPMODBASEDIR
environment variable.
* compat: add missing headers for ip_tunnel_parse_protocol
This fixes compilation with some unusual configurations.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
ifconfig is effectively deprecated for quite some time now. Let's
replace the remaining occurrences for packages by the
corresponding ip commands now.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Update the openvpn sample configurations to use modern options in favor
of deprecated ones, suggest more sane default settings and add some
warnings.
* Add tls_crypt and ncp_disable to the sample configuration
* Replace nsCertType with remote_cert_tls in client sample configuration
* Comment out "option compress", compression should not be preferred
* Advise 2048-bit Diffie-Hellman parameters by default
* Add warnings about compression and use of Blowfish (BF-CBC)
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
The wg utility compiles and runs without issues in MIPS16 mode, despite setting
PKG_USE_MIPS16:=0 in the makefile. Let's remove this, allowing for a substantial
size reduction of the wg executable. Since wg is a just a configuration utility,
it shouldn't be performance-critical, as the crypto heavy-lifting is done on the
kernel side.
wg sizes for both modes:
MIPS32: 64309 bytes
MIPS16: 42501 bytes
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
When retrieving the PID for hostapd and wpa_supplicant via ubus the
wrong service name is currently used. This leads to the following error
in the log:
netifd: radio0 (1409): WARNING (wireless_add_process):
executable path /usr/sbin/wpad does not match process path (/proc/exe)
Fixing the service name retrieves the correct PID and therefore the
warning won't occur.
Signed-off-by: David Bauer <mail@david-bauer.net>
The current selection of DRIVER_MAKEOPTS and TARGET_LDFLAGS is
exceptionally hard to read. This tries to make things a little
easier by inverting the hierarchy of the conditions, so SSL_VARIANT
is checked first and LOCAL_VARIANT is checked second.
This exploits the fact that some of the previous conditions were
unnecessary, e.g. there is no hostapd-mesh*, so we don't need
to exclude this combination.
It also should make it a little easier to see which options are
actually switched by SSL_VARIANT and which by LOCAL_VARIANT.
The patch is supposed to be cosmetic.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
For a few packages, the current TITLE is too long, so it is not
displayed at all when running make menuconfig. Despite, there is
no indication of OpenSSL vs. wolfSSL in the titles.
Thus, this patch adjusts titles to be generally shorter, and adds
the SSL variant to it.
While at it, make things easier by creating a shared definition for
eapol-test like it's done already for all the other flavors.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Drop outdated and by now broken patchset originally supplied by
Peter Oh in August 2018 but never merged upstream.
Instead add the more promissing rework recently submitted by
Markus Theil who picked up Peter's patchset, fixed and completed it
and added support for HE (802.11ax) in mesh mode.
This is only compile tested and needs some real-life testing.
Fixes: FS#3214
Fixes: 167028b750 ("hostapd: Update to version 2.9 (2019-08-08)")
Fixes: 0a3ec87a66 ("hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848ed")
Fixes: 017320ead3 ("hostapd: bring back mesh patches")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The following patches:
* 972-ath10k_fix-crash-due-to-wrong-handling-of-peer_bw_rxnss_override-parameter.patch
* 973-ath10k_fix-band_center_freq-handling-for-VHT160-in-recent-firmwares.patch
are replaced by this commit in the upstream kernel:
* 3db24065c2c8 ("ath10k: enable VHT160 and VHT80+80 modes")
The following patches were applied upstream:
* 001-rt2800-enable-MFP-support-unconditionally.patch
* 090-wireless-Use-linux-stddef.h-instead-of-stddef.h.patch
The rtw88 driver is now split into multiple kernel modules, just put it
all into one OpenWrt kernel package.
rtl8812au-ct was patched to compile against the mac80211 from kernel
5.8, but not runtime tested.
Add a patch which fixes ath10k on IPQ40XX, this patch was send upstream
and fixes a crash when loading ath10k on this SoC.
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [ipq40xx/ map-ac2200]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
If using a configuration file for OpenVPN, allow overriding name of the
interface. The reason is that then people could use configuration file
provided by VPN provider directly and override the name of the interface
to include it in correct firewall zone without need to alter the
configuration file.
Signed-off-by: Michal Hrusecky <michal@hrusecky.net>
(cherry picked from commit c93667358515ec078ef4ac96393623ac084e5c9e)
Split out code that parses openvpn configuration file into separate file
that can be later included in various scripts and reused.
Signed-off-by: Michal Hrusecky <michal@hrusecky.net>
(cherry picked from commit 86d8467c8ab792c79809a08c223dd9d40da6da2e)
Previously hostapd would not stop transmitting when a DFS event was
detected and no available channel to switch to was available.
Disable and re-enable the interface to enter DFS state. This way, TX
does not happen until the kernel notifies hostapd about the NOP
expiring.
Signed-off-by: David Bauer <mail@david-bauer.net>
Similar to wireguard, vxlan can configure multiple peers or add specific
entries to the fdb for a single mac address.
While you can still use peeraddr/peer6addr option within the proto
vxlan/vxlan6 section to not break existing configurations, this patch
allows to add multiple sections that conigure fdb entries via the bridge
command. As such, the bridge command is now a dependency of the vxlan
package. (To be honest without the bridge command available, vxlan isn't
very much fun to use or debug at all)
Field names are taken direclty from the bridge command.
Example with all supported parameters, since this hasn't been documented so
far:
config interface 'vx0'
option proto 'vxlan6' # use vxlan over ipv6
# main options
option ip6addr '2001:db8::1' # listen address
option tunlink 'wan6' # optional if listen address given
option peer6addr '2001:db8::2' # now optional
option port '8472' # this is the standard port under linux
option vid '42' # VXLAN Network Identifier to use
option mtu '1430' # vxlan6 has 70 bytes overhead
# extra options
option rxcsum '0' # allow receiving packets without checksum
option txcsum '0' # send packets without checksum
option ttl '16' # specifies the TTL value for outgoing packets
option tos '0' # specifies the TOS value for outgoing packets
option macaddr '11:22:33:44:55:66' # optional, manually specify mac
# default is a random address
Single peer with head-end replication. Corresponds to the following call
to bridge:
$ bridge fdb append 00:00:00:00:00:00 dev vx0 dst 2001:db8::3
config vxlan_peer
option vxlan 'vx0'
option dst '2001:db8::3' # always required
For multiple peers, this section can be repeated for each dst address.
It's possible to specify a multicast address as destination. Useful when
multicast routing is available or within one lan segment:
config vxlan_peer
option vxlan 'vx0'
option dst 'ff02::1337' # multicast group to join.
# all bum traffic will be send there
option via 'eth1' # for multicast, an outgoing interface needs
# to be specified
All available peer options for completeness:
config vxlan_peer
option vxlan 'vx0' # the interface to configure
option lladdr 'aa:bb:cc:dd:ee:ff' # specific mac,
option dst '2001:db8::4' # connected to this peer
option via 'eth0.1' # use this interface only
option port '4789' # use different port for this peer
option vni '23' # override vni for this peer
option src_vni '123' # see man 3 bridge
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
vxlan can be configured without a peer address. This is used to prepare
an interface and add peers later.
Fixes: FS#2743
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Acked-by: Matthias Schiffer <mschiffer@universe-factory.net>
This fixes a nasty problem introduced in 2.81 which causes random
crashes on systems where there's significant DNS activity over TCP. It
also fixes DNSSEC validation problems with zero-TTL DNSKEY and DS
records.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This file is always present because it is part of the ltq-dsl-base
package on which these packages depend.
This check would not have been necessary in the past, because the script
was part of the TARGET_LANTIQ on which these packages also depend.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
It does not make sense to install this components on lantiq systems
where the dsl subsystem is not needed/used.
This also makes it possible to use the files also on other targets.
(hopefully ipq401x / FritzBox 7530 in the near future)
Signed-off-by: Martin Schiller <ms.3headeddevs@gmail.com>
In the package guidelines, PKG_VERSION is supposed to be used as
"The upstream version number that we're downloading", while
PKG_RELEASE is referred to as "The version of this package Makefile".
Thus, the variables in a strict interpretation provide a clear
distinction between "their" (upstream) version in PKG_VERSION and
"our" (local OpenWrt trunk) version in PKG_RELEASE.
For local (OpenWrt-only) packages, this implies that those will only
need PKG_RELEASE defined, while PKG_VERSION does not apply following
a strict interpretation. While the majority of "our" packages actually
follow that scheme, there are also some that mix both variables or
have one of them defined but keep them at "1".
This is misleading and confusing, which can be observed by the fact
that there typically either one of the variables is never bumped or
the choice of the variable to increase depends on the person doing the
change.
Consequently, this patch aims at clarifying the situation by
consistently using only PKG_RELEASE for "our" packages. To achieve
that, PKG_VERSION is removed there, bumping PKG_RELEASE where
necessary to ensure the resulting package version string is bigger
than before.
During adjustment, one has to make sure that the new resulting composite
package version will not be considered "older" than the previous one.
A useful tool for evaluating that is 'opkg compare-versions'. In
principle, there are the following cases:
1. Sole PKG_VERSION replaced by sole PKG_RELEASE:
In this case, the resulting version string does not change, it's
just the value of the variable put in the file. Consequently, we
do not bump the number in these cases so nobody is tempted to
install the same package again.
2. PKG_VERSION and PKG_RELEASE replaced by sole PKG_RELEASE:
In this case, the resulting version string has been "version-release",
e.g. 1-3 or 1.0-3. For this case, the new PKG_RELEASE will just
need to be higher than the previous PKG_VERSION.
For the cases where PKG_VERSION has always sticked to "1", and
PKG_RELEASE has been incremented, we take the most recent value of
PKG_RELEASE.
Apart from that, a few packages appear to have developed their own
complex versioning scheme, e.g. using x.y.z number for PKG_VERSION
_and_ a PKG_RELEASE (qos-scripts) or using dates for PKG_VERSION
(adb-enablemodem, wwan). I didn't touch these few in this patch.
Cc: Hans Dedecker <dedeckeh@gmail.com>
Cc: Felix Fietkau <nbd@nbd.name>
Cc: Andre Valentin <avalentin@marcant.net>
Cc: Matthias Schiffer <mschiffer@universe-factory.net>
Cc: Jo-Philipp Wich <jo@mein.io>
Cc: Steven Barth <steven@midlink.org>
Cc: Daniel Golle <dgolle@allnet.de>
Cc: John Crispin <john@phrozen.org>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Bumping package version has been overlooked in a previous commit.
While at it, use PKG_RELEASE instead of PKG_VERSION, as the latter
is meant for upstream version number only.
(The effective version string for the package would be "3" in both
cases, so there is no harm done for version comparison.)
Fixes: 0453c3866f ("vxlan: fix udp checksum control")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
So far, passing "rxcsum" and "txcsum" had no effect.
Fixes: 95ab18e012 ("vxlan: add options to enable and disable UDP
checksums")
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
[add Fixes:]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Feature detection doesn't recognize ipset v7 use on kernel v5.x systems
and thus disables the tc ematch function em_ipset.
- backport patch:
* 002-configure-support-ipset-v7.patch:
650591a7a70c configure: support ipset version 7 with kernel version 5
Fixes: 4e0c54bc5b ("kernel: add support for kernel 5.4")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Recent iproute2 5.x versions modified the symbols resolved for plugins,
causing "tc .. action xt .." to fail. Update the list of symbols to fix.
Fixes: b61495409b ("iproute2: tc: reduce size of dynamic symbol table")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
This release brings parity with the commits Linus released a few hours
ago into 5.8-rc5.
* receive: account for napi_gro_receive never returning GRO_DROP
The napi_gro_receive function no longer returns GRO_DROP ever, making
handling GRO_DROP dead code. This commit removes that dead code.
Further, it's not even clear that device drivers have any business in
taking action after passing off received packets; that's arguably out of
their hands.
* device: implement header_ops->parse_protocol for AF_PACKET
WireGuard uses skb->protocol to determine packet type, and bails out if
it's not set or set to something it's not expecting. For AF_PACKET
injection, we need to support its call chain of:
packet_sendmsg -> packet_snd -> packet_parse_headers ->
dev_parse_header_protocol -> parse_protocol
Without a valid parse_protocol, this returns zero, and wireguard then
rejects the skb. So, this wires up the ip_tunnel handler for layer 3
packets for that case.
* queueing: make use of ip_tunnel_parse_protocol
Now that wg_examine_packet_protocol has been added for general
consumption as ip_tunnel_parse_protocol, it's possible to remove
wg_examine_packet_protocol and simply use the new
ip_tunnel_parse_protocol function directly.
* compat: backport ip_tunnel_parse_protocol and ip_tunnel_header_ops
These are required for moving wg_examine_packet_protocol out of
wireguard and into upstream.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
New script for comgt. Should help to fetch balance or any additional information with USSD.
This script uses the standard AT command which should be supported by all modems.
Run-tested on: Mikrotik wAP LTE KIT
Signed-off-by: Kirill Lukonin <klukonin@gmail.com>
[fixed from/sob]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Upstream in commit 972d723484d8 ("split signkey_type and signature_type
for RSA sha1 vs sha256") has added strict checking of pubkey algorithms
which made keys with SHA-256 hashing algorithm unusable as they still
reuse the `ssh-rsa` public key format. So fix this by disabling the
check for `rsa-sha2-256` pubkeys.
Ref: https://tools.ietf.org/html/rfc8332#section-3
Fixes: d4c80f5b17 ("dropbear: bump to 2020.80")
Tested-by: Russell Senior <russell@personaltelco.net>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This replaces deprecated backticks by more versatile $(...) syntax.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
[add commit description]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
/lib/netifd/dhcp.script:
Keep support for 'timesvr' while also supporting 'timesrv'
Add log message indicating deprecation of 'timesvr'
Signed-off-by: Sukru Senli <sukru.senli@iopsys.eu>
Backport patches which fix compile issue for uClibc-ng :
dbrandom.c:174:8: warning: implicit declaration of function 'getrandom'; did you mean 'genrandom'? [-Wimplicit-function-declaration]
ret = getrandom(buf, sizeof(buf), GRND_NONBLOCK);
^~~~~~~~~
genrandom
dbrandom.c:174:36: error: 'GRND_NONBLOCK' undeclared (first use in this function); did you mean 'SOCK_NONBLOCK'?
ret = getrandom(buf, sizeof(buf), GRND_NONBLOCK);
^~~~~~~~~~~~~
SOCK_NONBLOCK
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* compat: drop centos 8.1 support as 8.2 is now out
Of note, as well, is that we now have both RHEL7 and RHEL8 in our CI at
<https://www.wireguard.com/build-status/>.
* Kbuild: remove -fvisibility=hidden from cflags
This fixes an issue when compiling wireguard as a module for ARM kernels in
THUMB2 mode without the JUMP11 workaround.
* noise: do not assign initiation time in if condition
Style fix.
* device: avoid circular netns references
Fixes a circular reference issue with network namespaces.
* netns: workaround bad 5.2.y backport
This works around a back backport in the 5.2.y series.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
"[[" is a bash extension for test. As the ash-implementation is not
fully compatible we drop its usage.
This follows up 3519bf4976
As a result, we also need to move the and/or out of the test brackets.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
[squash from two patches, adjust commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
- drop patches (applied upstream):
* 010-backport-change-address-logging.patch
* 020-backport-ed25519-support.patch
* 021-backport-chacha20-poly1305-support.patch
- backport patches:
* 010-backport-disable-toom-and-karatsuba.patch:
reduce dropbear binary size (about ~8Kb).
- refresh patches.
- don't bother anymore with following config options
because they are disabled in upstream too:
* DROPBEAR_3DES
* DROPBEAR_ENABLE_CBC_MODE
* DROPBEAR_SHA1_96_HMAC
- explicitly disable DO_MOTD as it was before commit a1099ed:
upstream has (accidentally) switched it to 0 in release 2019.77,
but reverted back in release 2020.79.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Ubus patch as it seems have been broken by some rebase in the past as
the location of line that adds ubus object file was in condition for
CONFIG_MACSEC. That condition was adding object files that are not
touched by ubus patch. This means ubus.o does not have to be included in
that case. When it has to be and when build fails is when CONFIG_AP is
set. All files included in wpa_supplicant that are touched by this patch
are in this condition. This means that this is for sure the original
place for it.
Signed-off-by: Karel Kočí <karel.koci@nic.cz>
After a hardware reconnect, the control device might be unavailable and
attempting to interact with it will lead to hanging gcom calls, leaving
the protocol setup in an unrecoverable state.
Change the protocol handler to bail out early and notify netifd if the
control device is not defined or if the underlying device node does not
exist.
Also ensure that the "disconnect", "connect" and "setmode" commands are
actually defined before trying to invoke them.
Finally attempt to re-query the device manufacturer if it is unset in
the interface state in order to prevent UNUPPORTED_MODEM errors after
a modem hardware reconnect.
Signed-off-by: Rozhuk Ivan <rozhuk.im@gmail.com>
[reword subject and commit message]
Ref: https://github.com/openwrt/openwrt/pull/2352
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Pass a default --up and --down executable to each started OpenVPN instance
which triggers /etc/hotplug.d/openvpn/ scripts whenever an instance
goes up or down.
User-configured up and down scripts are invoked by the default shipped
01-user hotplug handler to ensure that existing setups continue to work
as before.
As a consequence of this change, the up, down and script_security OpenVPN
options are removed from the option file, since we're always passing them
via the command line, they do not need to get included into the generated
configuration.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[reword commit message, move hotplug executable to /usr/libexec]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Bringing up of station vlan fails if the optional mac entry isn't set.
The default mac "00:00:00:00:00:00", which should match all stations,
is mistakenly set to the non used variable "isolate". This results in
a wrong formatted .psk file which has to be "vlan_id mac key".
fixes: 5aa2ddd0: hostapd: add support for wifi-station and wifi-vlan sections
Signed-off-by: Johann Neuhauser <johann@it-neuhauser.de>
IPKG_INSTROOT is only set under image builder and we won't be running
this script at build time either, so remove the reference before it gets
cargo-culted into other scripts.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
The folder for the uci-defaults file of this package is wrong, so
the file most probably has not been executed at all for several
years at least.
Fix the folder and remove the useless shebang for the file.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Bump to latest Git and refresh all patches in order to get fix for "UPnP
SUBSCRIBE misbehavior in hostapd WPS AP" (CVE-2020-12695).
General security vulnerability in the way the callback URLs in the UPnP
SUBSCRIBE command are used were reported (VU#339275, CVE-2020-12695).
Some of the described issues may be applicable to the use of UPnP in WPS
AP mode functionality for supporting external registrars.
Ref: https://w1.fi/security/2020-1/
Signed-off-by: Petr Štetiar <ynezz@true.cz>
d13290b Fix advertised IPv6 addresses
Don't just serve link-local addresses via mdns, offer all.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
When bringing up wifi the first time after boot, these warnings appear:
netifd: radio0 (1370): rm: can't remove '/var/run/hostapd-wlan0.psk': No such file or directory
netifd: radio0 (1370): rm: can't remove '/var/run/hostapd-wlan0.vlan': No such file or directory
Silence them by adding the "-f" option to rm.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: John Crispin <john@phrozen.org>
This patch adds support for 2 new uci sections.
config wifi-vlan
# iface is optional. if it is not defined the vlan will apply
# to all interfaces
option iface default_radio0
option name guest
option vid 100
option network guest
config wifi-station
# iface is optional. if it is not defined the station will apply
# to all interfaces
option iface default_radio0
# mac is optional. if it is not defined it will be a catch all
# for any sta using this key
option mac '00:11:22:33:44:55'
# vid is optional. if it is not defined, the sta will be part of
# the primary iface.
option vid 100
option key testtest
With this patch applied it is possible to use multiple PSKs on a single BSS.
Signed-off-by: John Crispin <john@phrozen.org>
db275e1 interface-ip: fix build on non-linux systems
3392046 system-dummy: fix missing return
a56b457 netifd: wireless: add support for tracking wifi-station sections
4ce33ce netifd: wireless: add support for tracking wifi-vlan sections
Signed-off-by: John Crispin <john@phrozen.org>
ddd57c2 pppd: Add lcp-echo-adaptive option
c319558 pppd: Handle SIGINT and SIGTERM during interrupted syscalls (#148)
0bc11fb Added missing options to manual pages. (#149)
b1fcf16 Merge branch 'monotonic-time' of https://github.com/themiron/ppp
c78e312 pppd: linux: use monotonic time if possible
Remove patch 121-debian_adaptive_lcp_echo as patch is upstream accepted
Remove patch 206-compensate_time_change.patch as timewrap issues are
solved by a patch making use of monotonic time
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Also ensure that the error message is actually printed to stderr and that
the rule generation is aborted if an interface cannot be resolved.
Ref: https://github.com/openwrt/luci/issues/3975
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
disable_vht parameter needs to be set when using wpa_supplicant NOHT/HT* modes.
Signed-off-by: Enrique Rodríguez Valencia <enrique.rodriguez@galgus.net>
Commit 472fd98c5b ("hostapd: disable support for Wired Equivalent
Privacy by default") made support for WEP optional.
Expose the WEP support to LuCi or other userspace tools using the
existing interface. This way they are able to remove WEP from the
available ciphers if hostapd is built without WEP support.
Signed-off-by: David Bauer <mail@david-bauer.net>
Running your firewall's "wan" zone in REJECT zone (1) exposes the
presence of the router, (2) depending on the sophistication of
fingerprinting tools might identify the OS and release running on
the firewall which then identifies known vulnerabilities with it
and (3) perhaps most importantly of all, your firewall can be
used in a DDoS reflection attack with spoofed traffic generating
ICMP Unreachables or TCP RST's to overwhelm a victim or saturate
his link.
This rule, when enabled, allows traceroute to work even when the
default input policy of the firewall for the wan zone has been
set to DROP.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This updates the mac80211 backport.
The removed patches are already integrated in the upstream version.
The 131-Revert-mac80211-aes-cmac-switch-to-shash-CMAC-driver.patch patch
was manually adapted to the changes in kernel 5.7.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This updates the mac80211 backport.
The removed patches are already integrated in the upstream version.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Bring back 802.11s mesh features to the level previously available
before the recent hostapd version bump. This is mostly to support use
of 802.11s on DFS channels, but also making mesh forwarding
configurable which is crucial for use of 802.11s MAC with other routing
protocols, such as batman-adv, on top.
While at it, fix new compiler warning by adapting 700-wifi-reload.patch
to upstream changes, now building without any warnings again.
Fixes: 0a3ec87a66 ("hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848ed")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This version has the various slew of bug fixes and compat fixes and
such, but the most interesting thing from an OpenWRT perspective is that
WireGuard now plays nicely with cake and fq_codel. I'll be very
interested to hear from OpenWRT users whether this makes a measurable
difference. Usual set of full changes follows.
This release aligns with the changes I sent to DaveM for 5.7-rc7 and were
pushed to net.git about 45 minutes ago.
* qemu: use newer iproute2 for gcc-10
* qemu: add -fcommon for compiling ping with gcc-10
These enable the test suite to compile with gcc-10.
* noise: read preshared key while taking lock
Matt noticed a benign data race when porting the Linux code to OpenBSD.
* queueing: preserve flow hash across packet scrubbing
* noise: separate receive counter from send counter
WireGuard now works with fq_codel, cake, and other qdiscs that make use of
skb->hash. This should significantly improve latency spikes related to
buffer bloat. Here's a before and after graph from some data Toke measured:
https://data.zx2c4.com/removal-of-buffer-bloat-in-wireguard.png
* compat: support RHEL 8 as 8.2, drop 8.1 support
* compat: support CentOS 8 explicitly
* compat: RHEL7 backported the skb hash renamings
The usual RHEL churn.
* compat: backport renamed/missing skb hash members
The new support for fq_codel and friends meant more backporting work.
* compat: ip6_dst_lookup_flow was backported to 4.14, 4.9, and 4.4
The main motivation for releasing this now: three stable kernels were released
at the same time, with a patch that necessitated updating in our compat layer.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Upstream in commit 200c7693c9a1 ("Make WEP functionality an optional
build parameter") has made WEP functionality an optional build parameter
disabled as default, because WEP should not be used for anything
anymore. As a step towards removing it completely, they moved all WEP
related functionality behind CONFIG_WEP blocks and disabled it by
default.
This functionality is subject to be completely removed in a future
release.
So follow this good security advice, deprecation notice and disable WEP
by default, but still allow custom builds with WEP support via
CONFIG_WPA_ENABLE_WEP config option till upstream removes support for
WEP completely.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Bump package to latest upstream Git HEAD which is commit dd2daf0848ed
("HE: Process HE 6 GHz band capab from associating HE STA"). Since last
update there was 1238 commits done in the upstream tree with 618 files
changed, 53399 insertions, 24928 deletions.
I didn't bothered to rebase mesh patches as the changes seems not
trivial and I don't have enough knowledge of those parts to do/test that
properly, so someone else has to forward port them, ideally upstream
them so we don't need to bother anymore. I've just deleted them for now:
004-mesh-use-setup-completion-callback-to-complete-mesh-.patch
005-mesh-update-ssid-frequency-as-pri-sec-channel-switch.patch
006-mesh-inform-kernel-driver-DFS-handler-in-userspace.patch
007-mesh-apply-channel-attributes-before-running-Mesh.patch
011-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch
013-mesh-do-not-allow-pri-sec-channel-switch.patch
015-mesh-do-not-use-offchan-mgmt-tx-on-DFS.patch
016-mesh-fix-channel-switch-error-during-CAC.patch
018-mesh-make-forwarding-configurable.patch
Refreshed all other patches, removed upstreamed patches:
051-wpa_supplicant-fix-race-condition-in-mesh-mpm-new-pe.patch
067-0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
070-driver_nl80211-fix-WMM-queue-mapping-for-regulatory-.patch
071-driver_nl80211-fix-regulatory-limits-for-wmm-cwmin-c.patch
090-wolfssl-fix-crypto_bignum_sum.patch
091-0001-wolfssl-Fix-compiler-warnings-on-size_t-printf-forma.patch
091-0002-wolfssl-Fix-crypto_bignum_rand-implementation.patch
091-0003-wolfssl-Do-not-hardcode-include-directory-in-wpa_sup.patch
800-usleep.patch
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [ipq8065/NBG6817; ipq40xx/MAP-AC2200]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
* ipc: add support for openbsd kernel implementation
* ipc: cleanup openbsd support
* wg-quick: add support for openbsd kernel implementation
* wg-quick: cleanup openbsd support
Very exciting! wg(8) and wg-quick(8) now support the kernel implementation for
OpenBSD. OpenBSD is the second kernel, after Linux, to receive full fledged
and supported WireGuard kernel support. We'll probably send our patch set up
to the list during this next week. `ifconfig wg0 create` to make an interface,
and `wg ...` like usual to configure WireGuard aspects of it, like usual.
* wg-quick: support dns search domains
If DNS= has a non-IP in it, it is now treated as a search domain in
resolv.conf. This new feature will be rolling out across our various GUI
clients in the next week or so.
* Makefile: simplify silent cleaning
* ipc: remove extra space
* git: add gitattributes so tarball doesn't have gitignore files
* terminal: specialize color_mode to stdout only
Small cleanups.
* highlighter: insist on 256-bit keys, not 257-bit or 258-bit
The highlighter's key checker is now stricter with base64 validation.
* wg-quick: android: support application whitelist
Android users can now have an application whitelist instead of application
blacklist.
* systemd: add wg-quick.target
This enables all wg-quick at .services to be restarted or managed as a unit via
wg-quick.target.
* Makefile: remember to install all systemd units
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
crypto_bignum_rand() use needless time-consuming filtering
which resulted in SAE no longer connecting within time limits.
Import fixes from hostap upstream to fix that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Hotplug scripts are sourced so the #!/bin/sh is superfluous/deceptive.
Re-arrange script to only source 'procd' if we get to the stage of
needing to signal the process, reduce hotplug processing load a little.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
add option to set management IP pattern
also add missing 'unconfigure system hostname'
for example pattern '!192.168.1.1' makes it possible that
WAN IP is selected instead of LAN IP
Signed-off-by: Daniel A. Maierhofer <git@damadmai.at>
[grammar and spelling fixes in commit message]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Samba 3.6 is completely unsupported, in addition to having tons of patches
It also causes kernel panics on some platforms when sendfile is enabled.
Example:
https://github.com/gnubee-git/GnuBee_Docs/issues/45
I have reproduced on ramips as well as mvebu in the past.
Samba 4 is an alternative available in the packages repo.
cifsd is a lightweight alternative available in the packages repo. It is
also a faster alternative to both Samba versions (lower CPU usage). It
was renamed to ksmbd.
To summarize, here are the alternatives:
- ksmbd + luci-app-cifsd
- samba4 + luci-app-samba4
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[drop samba36-server from GEMINI_NAS_PACKAGES, ksmbd rename + summary]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* compat: timeconst.h is a generated artifact
Before we were trying to check for timeconst.h by looking in the kernel
source directory. This isn't quite correct on configurations in which
the object directory is separate from the kernel source directory, for
example when using O="elsewhere" as a make option when building the
kernel. The correct fix is to use $(CURDIR), which should point to
where we want.
* compat: use bash instead of bc for HZ-->USEC calculation
This should make packaging somewhat easier, as bash is generally already
available (at least for dkms), whereas bc isn't provided by distros by
default in their build meta packages.
* socket: remove errant restriction on looping to self
It's already possible to create two different interfaces and loop
packets between them. This has always been possible with tunnels in the
kernel, and isn't specific to wireguard. Therefore, the networking stack
already needs to deal with that. At the very least, the packet winds up
exceeding the MTU and is discarded at that point. So, since this is
already something that happens, there's no need to forbid the not very
exceptional case of routing a packet back to the same interface; this
loop is no different than others, and we shouldn't special case it, but
rather rely on generic handling of loops in general. This also makes it
easier to do interesting things with wireguard such as onion routing.
At the same time, we add a selftest for this, ensuring that both onion
routing works and infinite routing loops do not crash the kernel. We
also add a test case for wireguard interfaces nesting packets and
sending traffic between each other, as well as the loop in this case
too. We make sure to send some throughput-heavy traffic for this use
case, to stress out any possible recursion issues with the locks around
workqueues.
* send: cond_resched() when processing tx ringbuffers
Users with pathological hardware reported CPU stalls on CONFIG_
PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning
these workers would never terminate. That turned out not to be okay on
systems without forced preemption. This commit adds a cond_resched() to
the bottom of each loop iteration, so that these workers don't hog the
core. We don't do this on encryption/decryption because the compat
module here uses simd_relax, which already includes a call to schedule
in preempt_enable.
* selftests: initalize ipv6 members to NULL to squelch clang warning
This fixes a worthless warning from clang.
* send/receive: use explicit unlikely branch instead of implicit coalescing
Some code readibility cleanups.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* compat: support latest suse 15.1 and 15.2
* compat: support RHEL 7.8's faulty siphash backport
* compat: error out if bc is missing
* compat: backport hsiphash_1u32 for tests
We now have improved support for RHEL 7.8, SUSE 15.[12], and Ubuntu 16.04.
* compat: include sch_generic.h header for skb_reset_tc
A fix for a compiler error on kernels with weird configs.
* compat: import latest fixes for ptr_ring
* compat: don't assume READ_ONCE barriers on old kernels
* compat: kvmalloc_array is not required anyway
ptr_ring.h from upstream was imported, with compat modifications, to our
compat layer, to receive the latest fixes.
* compat: prefix icmp[v6]_ndo_send with __compat
Some distros that backported icmp[v6]_ndo_send still try to build the compat
module in some corner case circumstances, resulting in errors. Work around
this with the usual __compat games.
* compat: ip6_dst_lookup_flow was backported to 3.16.83
* compat: ip6_dst_lookup_flow was backported to 4.19.119
Greg and Ben backported the ip6_dst_lookup_flow patches to stable kernels,
causing breaking in our compat module, which these changes fix.
* git: add gitattributes so tarball doesn't have gitignore files
Distros won't need to clean this up manually now.
* crypto: do not export symbols
These don't do anything and only increased file size.
* queueing: cleanup ptr_ring in error path of packet_queue_init
Sultan Alsawaf reported a memory leak on an error path.
* main: mark as in-tree
Now that we're upstream, there's no need to set the taint flag.
* receive: use tunnel helpers for decapsulating ECN markings
ECN markings are now decapsulated using RFC6040 instead of the old RFC3168.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Init script checks for an already active DHCP server on the interface
and if such DHCP server is found, then it logs "refusing to start DHCP"
message, starts dnsmasq without DHCP service unless `option force 1` is
set and caches the DHCP server check result.
Each consecutive service start then uses this cached DHCP server check
result, but doesn't provide log feedback about disabled DHCP service
anymore.
So this patch ensures, that the log message about disabled DHCP service
on particular interface is always provided.
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Backport patch from hostapd.git master that fixes copy/paste error in
crypto_bignum_sub() in crypto_wolfssl.c.
This missing fix was discovered while testing SAE over a mesh interface.
With this fix applied and wolfssl >3.14.4 mesh+SAE works fine with
wpad-mesh-wolfssl.
Cc: Sean Parkinson <sean@wolfssl.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
f4d759b dhcp.c: further improve validation
Further improve input validation for CVE-2020-11752
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
cdac046 dns.c: fix input validation fix
Due to a slight foobar typo, failing to de-reference a pointer, previous
fix not quite as complete as it should have been.
Improve CVE-2020-11750 fix
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
When compiled with glibc the config_scan.c wants to use the
cpupolicy2numeric() function which is only available when
HAVE_SCHED_SETSCHEDULER is set. It looks like the wrong define was used here.
This fixes a build problem with glibc in combination with the force
ac_cv_func_sched_setscheduler=no in the OpenWrt CONFIGURE_VARS.
This fixes the following compile error with glibc:
----------------------------------------------------------------------
/bin/ld: config_scan.o: in function `socks_yylex':
dante-1.4.1/sockd/config_scan.l:461: undefined reference to `cpupolicy2numeric'
collect2: error: ld returned 1 exit status
make[5]: *** [Makefile:522: sockd] Error 1
Fixes: aaf46a8fe2 ("dante: disable sched_getscheduler() - not implemented in musl")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This is primarily a maintenance release with bugfixes and improvements.
This release also fixes a security issue (CVE-2020-11810) which allows
disrupting service of a freshly connected client that has not yet
negotiated session keys. The vulnerability cannot be used to
inject or steal VPN traffic.
Release announcement:
https://openvpn.net/community-downloads/#heading-13812
Full list of changes:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
The previous commit introduced a regression for netns jails without
jail_ifname set. Fix that.
Fixes: 4e4f7c6d2d ("netifd: network namespace jail improvements")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
aaaca2e interface: allocate and free memory for jail name
d93126d interface: allow renaming interface when moving to jail netns
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
CONFIG_WRITE functionality is not used and could be removed.
Looks helpful for devices with small flash because wpad is also affected.
Little testing shows that about 6 KB could be saved.
Signed-off-by: Kirill Lukonin <klukonin@gmail.com>