Commit Graph

2338 Commits

Author SHA1 Message Date
Rosy Song
fd569e5e9d samba36: add hotplug support
Add hotplug handle script for storage devices,
  this will add corresponding option in the
  /etc/config/samba file automatically.

Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-05-02 09:18:27 +02:00
Hans Dedecker
2f1e329d7a iproute2: update to 4.16
Update to latest version of iproute2, refresh patches.
See https://lkml.org/lkml/2018/4/2/349 for a full overview of the
changes in 4.16.
Build and tested on AR7xxx against musl

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-05-02 09:18:26 +02:00
John Crispin
90e65763a4 iptables: fix per object LDFLAGS for aggragate object builds
Without this patch the extra LDFLAGS of objects were selected based on the
name of the extension being built, which breaks for aggregate so builds.

Signed-off-by: John Crispin <john@phrozen.org>
2018-05-01 11:12:15 +02:00
Hans Dedecker
7ff31bed98 odhcp6c: update to latest git HEAD
5316d7f ra: always trigger update in case of RA parameter change
327f73d dhcpv6: fix strncpy bounds

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-29 23:12:31 +02:00
Hans Dedecker
afdca53ace netifd: update to latest git HEAD (Coverity fixes)
56ceced interface-ip: remove superfluous iface check in interface_ip_set_enabled()
4f4a8c0 system-linux: fix strncpy bounds

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-27 21:39:57 +02:00
Kevin Darbyshire-Bryant
78f4305933 iftop: bump to latest
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Choose first running interface, rather than first "up" interface (Redhat #1403025)

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-04-27 09:59:28 +02:00
Hans Dedecker
99815690a2 odhcpd: update to latest git HEAD
4136529 dhcpv6-ia: keep tentative assignments alive for a short time
200cc8f dhcpv6-ia: make assignment lookup more strict

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-23 21:47:23 +02:00
Kevin Darbyshire-Bryant
5950ab067b wireguard: bump to 20180420
7cc2668 version: bump snapshot
860c7c7 poly1305: do not place constants in different sections
5f1e4ca compat: remove unused dev_recursion_level backport
7e4b991 blake2s: remove unused helper
13225fc send: simplify skb_padding with nice macro
a1525bf send: account for route-based MTU
bbb2fde wg-quick: account for specified fwmark in auto routing mode
c452105 qemu: bump default version
dbe5223 version: bump snapshot
1d3ef31 chacha20poly1305: put magic constant behind macro
cdc164c chacha20poly1305: add self tests from wycheproof
1060e54 curve25519: add self tests from wycheproof
0e1e127 wg-quick.8: fix typo
2b06b8e curve25519: precomp const correctness
8102664 curve25519: memzero in batches
1f54c43 curve25519: use cmov instead of xor for cswap
fa5326f curve25519: use precomp implementation instead of sandy2x
9b19328 compat: support OpenSUSE 15
3102d28 compat: silence warning on frankenkernels
8f64c61 compat: stable kernels are now receiving b87b619
62127f9 wg-quick: hide errors on save

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-04-20 18:59:46 +02:00
Daniel Golle
a4322eba2b hostapd: fix encrypted mesh channel settings
Import two patches from Peter Oh to allow setting channel
bandwidth in the way it already works for managed interfaces.
This fixes mesh interfaces on 802.11ac devices always coming up in
VHT80 mode.

Add a patch to allow HT40 also on 2.4GHz if noscan option is set, which
also skips secondary channel scan just like noscan works in AP mode.

This time also make sure to add all files to the patch before
committing it...

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-20 16:00:01 +02:00
Felix Fietkau
1a89547957 Revert "hostapd: fix encrypted mesh channel settings"
This reverts commit 7f52919a2f, which is
currently breaking the builds and needs to be reworked

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-04-20 10:36:42 +02:00
Daniel Golle
7f52919a2f hostapd: fix encrypted mesh channel settings
Import two patches from Peter Oh to allow setting channel
bandwidth in the way it already works for managed interfaces.
This fixes mesh interfaces on 802.11ac devices always coming up in
VHT80 mode.

Add a patch to allow HT40 also on 2.4GHz if noscan option is set, which
also skips secondary channel scan just like noscan works in AP mode.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-20 07:52:19 +02:00
Daniel Golle
2ec96787c3 netifd: update to latest git HEAD
b3dca7b wireless: include noscan option in common wdev vars

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-20 07:52:19 +02:00
Hans Dedecker
fdf2e1fe1e odhcpd: update to latest git HEAD (FS#1457)
dcfc06a router: fix managed address configuration setting

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-19 15:51:13 +02:00
Florian Eckert
4a243f7a09 network/uqmi: pipe the output off qmi_wds_stop to /dev/null
Pipe uqmi output from qmi_wds_stop function into /dev/null.
This will supress the following output in proto teardown.

netifd: wwan (x): "No effect"
netifd: wwan (x): Command failed: Permission denied

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-04-19 14:39:38 +02:00
Daniel Golle
ff8df2b3f9 hostapd: mesh: make forwarding configurable
For unencrypted mesh networks our scripts take care of setting
the various mesh_param values. wpa_supplicant changes somes of them
when being used for SAE encrypted mesh and previously didn't allow
configuring any of them. Add support for setting mesh_fwding (which
has to be set to 0 when using other routing protocols on top of
802.11s) and update our script to pass the value to wpa_supplicant.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-18 22:12:18 +02:00
Daniel Engberg
ed4ac0ed65 curl: Deprecate idn(1) support and switch to xz tarball
libidn(1) is deprecated, add libidn2 support
Switch to xz tarball (smaller size)

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-04-16 22:01:09 +02:00
Hans Dedecker
20d3c118ae netifd: update to latest git HEAD (coverity fixes)
513eb27 system-linux: check ioctl return value in system_vlan()
df1625d system-linux: check ioctl return value in system_if_flags()
209c508 system-linux: fix segfault on alloc failure in system_if_check()
4a8e20e system-linux: fix segfault on error in system_add_ip6_tunnel()
36e4700 handler: fix resource leak on error in netifd_init_script_handlers()
86a0e7c system-linux: remove unnecessary open call in system_if_dump_info()
1e2cf67 system-linux: fix memory leak on error in system_add_vxlan()

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-16 13:12:48 +02:00
Stijn Tintel
03774d28e1 lldpd: bump to 1.0.1
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2018-04-15 21:41:36 +03:00
Daniel Golle
c52ef396f9 hostapd: fix compile of -mini variants
Fixes commit d88934aa5a (hostapd: update to git snapshot of 2018-04-09)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-13 06:01:16 +02:00
Daniel Golle
d88934aa5a hostapd: update to git snapshot of 2018-04-09
And import patchset to allow 802.11s mesh on DFS channels, see also
http://lists.infradead.org/pipermail/hostap/2018-April/038418.html
Fix sae_password for encryption mesh (sent upstream as well).
Also refreshed existing patches and fixed 463-add-mcast_rate-to-11s.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-13 03:27:01 +02:00
Matthias Schiffer
85a35c644e
ebtables: update to latest git 2018-04-11
2e783b227766 ebt_ip: add support for matching IGMP type
b5fbb8d786c9 ebt_ip: add support for matching ICMP type and code
c5e5b784fd1a Move ICMP type handling functions from ebt_ip6 to useful_functions.c
11da52177196 include: sync linux/netfilter_bridge/ebt_ip.h with kernel

Note: the new features require at least kernel 4.17 or backported patches.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-04-12 07:34:57 +02:00
Matthias Schiffer
177fa14340
iptables: split physdev match out as a separate package
Split physdev match out of ipt-extra to allow installing ipt-extra without
pulling in br-netfilter.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-04-09 19:41:48 +02:00
Hans Dedecker
3612d90351 dnsmasq: remove example domains from rfc6761.conf (FS#1447)
RFC6771 does not exclude the forwarding of the example domain as it
states : "Caching DNS servers SHOULD NOT recognize example names as
special and SHOULD resolve them normally."
Example domains cannot be assigned to any user or person by DNS
registrars as they're registered in perpetuity to IANA meaning
they can be resolved; therefore let's remove the example domains
from the rfc6761.conf file.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-09 17:35:17 +02:00
Hans Dedecker
9356a6bfc7 odhcpd: update to latest git HEAD
31f217f router: improve RFC7084 compliancy

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-09 17:17:24 +02:00
Hans Dedecker
f890821fe7 odhcp6c: update to latest git HEAD
74b5a3 script: fix possible negative delay
473f248 dhcpv6: always trigger script update in case of IA updates
ea18935 ra: rework route information option handling

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-05 21:52:15 +02:00
Felix Fietkau
adc3f31b2c firewall: update to the latest version, adds hw flow offload support
35b3e74 defaults: add support for setting --hw on the xt_FLOWOFFLOAD rule

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-04-05 18:12:30 +02:00
Felix Fietkau
d073f650cd kernel: add support for enabling hardware flow offload via iptables
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-04-05 18:12:30 +02:00
Hauke Mehrtens
9aaa23ec8b samba36: fix some security problems
This Adds fixes for the following security problems based on debians patches:
CVE-2016-2125: Unconditional privilege delegation to Kerberos servers in trusted realms
CVE-2017-12163: Server memory information leak over SMB1
CVE-2017-12150: SMB1/2/3 connections may not require signing where they should
CVE-2018-1050: Denial of Service Attack on external print server.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-04-03 23:26:45 +02:00
Hans Dedecker
986f80595b netifd: update to latest git HEAD
3dc8c91 interface-ip: fix memory leak in interface_ip_add_target_route()

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-03 21:28:53 +02:00
Hans Dedecker
ac593d895a odhcp6c: update to latest git HEAD
5cbd305 odhcp6c: improve code readibility
eb83b7e treewide: improve error handling
b7b11cb dhcpv6: initialize ifreq struct
f0469e2 ra: handle socket fail creation
d573461 odhcp6c: fix file pointer leakage

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-31 19:31:42 +02:00
Kevin Darbyshire-Bryant
a64fae8354 Revert "iproute2: fix hidden uint to uin64_t promotion in json_print"
This reverts commit 745d0e7f4b.

It looks like upstream don't want the patch so let's revert it here too.

I hope a fix from upstream is forthcoming.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-03-31 09:18:31 +02:00
Hans Dedecker
479aaf6375 map: fix psidlen becoming negative (FS#1430)
Fix psidlen becomes negative in case embedded address bit lenght is smaller than
IPv4 suffix length.
While at it improve parameter checking making the code more logical and
easier to read.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-29 22:19:18 +02:00
Felix Fietkau
4bcf6acb14 Revert "ppp: make ppp-multilink provide ppp"
opkg currently has some issues with Provides and this change makes the
image builder fail because of that. Revert the change for now until opkg
is fixed

This reverts commit 092d75aa3e.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-03-29 11:57:40 +02:00
Daniel Golle
eba3b028e4 hostapd: update to git snapshot of 2018-03-26
The following patches were merged upstream:
000-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
 replaced by commit 0e3bd7ac6
001-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
 replaced by commit cb5132bb3
002-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
 replaced by commit 87e2db16b
003-Prevent-installation-of-an-all-zero-TK.patch
 replaced by commit 53bb18cc8
004-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
 replaced by commit 0adc9b28b
005-TDLS-Reject-TPK-TK-reconfiguration.patch
 replaced by commit ff89af96e
006-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
 replaced by commit adae51f8b
007-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
 replaced by commit 2a9c5217b
008-WPA-Extra-defense-against-PTK-reinstalls-in-4-way-ha.patch
 replaced by commit a00e946c1
009-Clear-PMK-length-and-check-for-this-when-deriving-PT.patch
 replaced by commit b488a1294
010-Optional-AP-side-workaround-for-key-reinstallation-a.patch
 replaced by commit 6f234c1e2
011-Additional-consistentcy-checks-for-PTK-component-len.patch
 replaced by commit a6ea66530
012-Clear-BSSID-information-in-supplicant-state-machine-.patch
 replaced by commit c0fe5f125
013-WNM-Ignore-WNM-Sleep-Mode-Request-in-wnm_sleep_mode-.patch
 replaced by commit 114f2830d

Some patches had to be modified to work with changed upstream source:
380-disable_ctrl_iface_mib.patch (adding more ifdef'ery)
plus some minor knits needed for other patches to apply which are not
worth being explicitely listed here.

For SAE key management in mesh mode, use the newly introduce
sae_password parameter instead of the psk parameter to also support
SAE keys which would fail the checks applied on the psk field (ie.
length and such). This fixes compatibility issues for users migrating
from authsae.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-03-27 19:25:32 +02:00
Felix Fietkau
d290024c42 netifd: update to the latest version (fixes FS#1452)
9c8d781 netifd: return the interface for locally addressable host dependencies

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-03-27 11:33:51 +02:00
Hans Dedecker
287f5ebd2f dnsmasq: improve init script portability (FS#1446)
Improve portability of init script by declaring resolvfile as local
in dnsmasq_stop function.
Fixes resolvfile being set for older busybox versions in dnsmasq_start
in a multi dnsmasq instance config when doing restart; this happens when
the last instance has a resolvfile configured while the first instance
being started has noresolv set to 1.

Base on a patch by "Phil"

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-24 18:50:45 +01:00
Rosen Penev
43788a91fb ethtool: Update to 4.15.
Contains kernel 4.14 updates. Compile tested on mvebu.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-03-23 23:49:55 +01:00
Kevin Darbyshire-Bryant
4a788fcf63 iproute2: cake: support new overhead reporting & stats structures
Cake in kernel space now splits stats structure handling across netlink
messages to reduce stack usage issue flagged by upstream kernel checks.
Update user space (tc) qdisc handling to understand this new regime.

Cake also reports packet overheads & compensation in a different way so
add display code for this. e.g.

'tc -s qdisc show dev eth0' reports this extra detail:

 min/max transport layer size:         28 /    1500
 min/max overhead-adjusted size:       65 /    1550
 average transport hdr offset:         14

Cake also supports output in JSON format.

Patch is bulkier than before because a (slightly out of date - see above
stats) man page is included for reference. Better than nothing!

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-03-23 22:08:22 +01:00
Hans Dedecker
0f30f56e38 firewall: update to latest git HEAD
5cdf15e helpers.conf: add CT rtsp helper
d5923f1 Reword rule comments
c1a295a defaults: add support for xt_FLOWOFFLOAD rule
41c2ab5 ipsets: add support for specifying entries

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-22 13:29:22 +01:00
Hans Dedecker
89b8ba96b4 openvpn: remove deprecated config options
Remove deprecated config options in 2.5 as described in [0]

[0] https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-20 21:15:27 +01:00
Kevin Darbyshire-Bryant
745d0e7f4b iproute2: fix hidden uint to uin64_t promotion in json_print
print_int used 'int' type internally, whereas print_uint used 'uint64_t'

These helper functions eventually call vfprintf(fp, fmt, args) which is
a variable argument list function and is dependent upon 'fmt' containing
correct information about the length of the passed arguments.

Unfortunately print_int v print_uint offered no clue to the programmer
that internally passed ints to print_uint were being promoted to 64bits,
thus the format passed in 'fmt' string vs the actual passed integer
could be different lengths.  This is even more interesting on big endian
architectures where 'vfprintf' would be looking in the middle of an
int64 type.  Symptoms of this included tc qdisc showing bizarre values
for a variety of fields across a variety of qdiscs (e.g. refcnt, flows,
quantum)

print_u/int now stick with native int size.

A similar patch has been sent upstream.

Fixes FS#1425

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-03-19 11:40:01 +01:00
Kevin Darbyshire-Bryant
b0b5d0aebb dnsmasq: bump to 2.79 release
94b6878 Tidy crypto.c of old library compat. Now need libnettle 3.
8b96552 Fix compiler warning.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-03-19 11:39:13 +01:00
Rosen Penev
f4ea74abb6 curl: Update to 7.59
Compile tested on ar71xx.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-03-19 11:39:13 +01:00
Christian Bayer
49f3286bde openvpn: add config param verify_client_cert
Option --client-cert-not-required DEPRECATED is deprecated in v2.4 and removed in OpenVPN 2.5.
Replaced by param --verify-client-cert none|optional|require in v2.4 see
https://community.openvpn.net/openvpn/wiki/ DeprecatedOptions#a--client-cert-not-required

Signed-off-by: Christian Bayer <cave@cavebeat.org>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_	RELEASE increase]
2018-03-17 14:56:39 +01:00
Hans Dedecker
d88e928a44 dnsmasq: bump to 2.79rc2
ae29065 Fix debian/changelog syntax.
6b2b564 Enhance --synth-domain to allow names with sequential integers.
4f7bb57 Fix deletion of dhcp-options from inotify dynamic files.
56f0623 Allow trailing dot in CNAME.
f3223fb Fix nettle_hash() function to avoid ABI incompatibilities.
4c4f4c2 Debian dependency tweaking for new dnsmasq-base-lua package.
773af30 Man page typo fix.
4cc944b Merge branch 'master' of ssh://thekelleys.org.uk/var/local/git/dnsmasq
87e00fe Compiler warning fixes.
e7a4af8 Compiler warning fixes.
2d69d61 Add liblua-dev to Debian build-depends.
30e4a94 Debian package: add dnsmasq-base-lua binary package.
232a8f3 Merge messages for release.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-13 22:39:24 +01:00
Jo-Philipp Wich
e83bc5e3c7 6in4: support multiple additional user prefixes
Support configuration in the form...

    list ip6prefix 2001:db8:1234::/64
    list ip6prefix 2001:db8:5678::/64

... to allow specifying multiple routed IPv6 prefixes.

Implements feature request FS#1361.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-13 18:27:41 +01:00
Felix Fietkau
1cd76e2d85 netifd: update to the latest version (fixes FS#1358)
1f5a29c ip: do not add local routes for host dependencies
c06f842 device: add support for setting the isolate options for bridge ports
69aeaab interface-ip: fix route selection for host dependencies

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-03-13 13:35:05 +01:00
Felix Fietkau
092d75aa3e ppp: make ppp-multilink provide ppp
Fixes dependencies on ppp from other packages

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-03-12 20:02:29 +01:00
Philip Prindeville
61e0af06d9 iperf3: update to 3.5
Get rid of patches which are already upstream.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2018-03-09 22:13:22 +01:00
Magnus Kroken
ffbe51b294 openvpn: update to 2.4.5
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-03-09 22:13:21 +01:00