Commit Graph

2775 Commits

Author SHA1 Message Date
Jo-Philipp Wich
64bb88841f uqmi: inherit firewall zone membership to virtual sub interfaces
Fix an issue where subinterfaces were not added to the same
firewall zone as their parent.

Fixes: FS#2122
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-03-05 13:19:43 +01:00
Daniel Golle
e882d5bf31 iwinfo: update to latest git
b514490 iwinfo: add device id for MediaTek MT7603E
e9e1400 iwinfo: more Ralink and MediaTek WiSoC and PCIe chips
cb108c5 iwinfo: fix capitalization of vendor name

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-03-01 23:25:59 +01:00
Jason A. Donenfeld
2e9b92da1f wireguard: bump to 0.0.20190227
* wg-quick: freebsd: allow loopback to work

FreeBSD adds a route for point-to-point destination addresses. We don't
really want to specify any destination address, but unfortunately we
have to. Before we tried to cheat by giving our own address as the
destination, but this had the unfortunate effect of preventing
loopback from working on our local ip address. We work around this with
yet another kludge: we set the destination address to 127.0.0.1. Since
127.0.0.1 is already assigned to an interface, this has the same effect
of not specifying a destination address, and therefore we accomplish the
intended behavior. Note that the bad behavior is still present in Darwin,
where such workaround does not exist.

* tools: remove unused check phony declaration
* highlighter: when subtracting char, cast to unsigned
* chacha20: name enums
* tools: fight compiler slightly harder
* tools: c_acc doesn't need to be initialized
* queueing: more reasonable allocator function convention

Usual nits.

* systemd: wg-quick should depend on nss-lookup.target

Since wg-quick(8) calls wg(8) which does hostname lookups, we should
probably only run this after we're allowed to look up hostnames.

* compat: backport ALIGN_DOWN
* noise: whiten the nanoseconds portion of the timestamp

This mitigates unrelated sidechannel attacks that think they can turn
WireGuard into a useful time oracle.

* hashtables: decouple hashtable allocations from the main device allocation

The hashtable allocations are quite large, and cause the device allocation in
the net framework to stall sometimes while it tries to find a contiguous
region that can fit the device struct. To fix the allocation stalls, decouple
the hashtable allocations from the device allocation and allocate the
hashtables with kvmalloc's implicit __GFP_NORETRY so that the allocations fall
back to vmalloc with little resistance.

* chacha20poly1305: permit unaligned strides on certain platforms

The map allocations required to fix this are mostly slower than unaligned
paths.

* noise: store clamped key instead of raw key

This causes `wg show` to now show the right thing. Useful for doing
comparisons.

* compat: ipv6_stub is sometimes null

On ancient kernels, ipv6_stub is sometimes null in cases where IPv6 has
been disabled with a command line flag or other failures.

* Makefile: don't duplicate code in install and modules-install
* Makefile: make the depmod path configurable

* queueing: net-next has changed signature of skb_probe_transport_header

A 5.1 change. This could change again, but for now it allows us to keep this
snapshot aligned with our upstream submissions.

* netlink: don't remove allowed ips for new peers
* peer: only synchronize_rcu_bh and traverse trie once when removing all peers
* allowedips: maintain per-peer list of allowedips

This is a rather big and important change that makes it much much faster to do
operations involving thousands of peers. Batch peer/allowedip addition and
clearing is several orders of magnitude faster now.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-28 08:50:19 +01:00
Hans Dedecker
c8153722a2 odhcpd: update to latest git HEAD
16c5b6c ubus: always trigger an update if interface is not found

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-27 12:12:48 +01:00
David Santamaría Rogado
e9b2a1e382 omcproxy: define configuration file
omcproxy's configuration is lost on every update or installation.
Avoid it by defining the configuration file.

Signed-off-by: David Santamaría Rogado <howl.nsp@gmail.com>
2019-02-27 10:26:14 +01:00
Mantas Pucka
abf445f189 Revert "iw: compile with LTO enabled"
After update to 5.0.1 iw-full package failed to display command list on
ipq40xx arch. Root cause was found to be LTO reordering causing
incorrect detection of command struct size in:

iw.c:552
	cmd_size = labs((long)&__section_set - (long)&__section_get);

This reverts commit ef16a394d2.

Signed-off-by: Mantas Pucka <mantas@8devices.com>
2019-02-26 23:20:04 +01:00
Hans Dedecker
0b4b1027c6 odhcpd: update to latest git HEAD (FS#2142)
9e9389c dhcpv4: fix adding assignment in list (FS#2142)
e69265b dhcpv4: fix static lease lookup
afbd7dd dhcp: rework assignment free logic

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-25 12:07:52 +01:00
Alexander Couzens
b7f2adbdd3
package/dnsmasq: add max_ttl/min_cache_ttl/max_cache_ttl
max_ttl - limit the ttl in the dns answer if greater as $max_ttl
min_cache_ttl - force caching of dns answers even the ttl in the answer
		is lower than the $min_cache_ttl
max_cache_ttl - cache only dns answer for $max_cache_ttl.

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2019-02-24 01:48:25 +01:00
Yousong Zhou
c17a68cc61 dnsmasq: prefer localuse over resolvfile guesswork
This makes it clear that localuse when explicitly specified in the
config will have its final say on whether or not the initscript should
touch /etc/resolv.conf, no matter whatever the result of previous
guesswork would be

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-02-23 01:58:20 +00:00
Daniel Golle
0b373bf4d6 uqmi: fix PIN_STATUS_FAILED error with MC7455 WCDMA/LTE modem
Apparently this modem replies differently to attempted --get-pin-status
which makes the script fail if a pincode is set. Fix this.

Manufacturer: Sierra Wireless, Incorporated
Model: MC7455
Revision: SWI9X30C_02.24.05.06 r7040 CARMD-EV-FRMWR2 2017/05/19 06:23:09

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-02-20 15:16:24 +01:00
Arnout Vandecappelle (Essensium/Mind)
2e0f41e73a hostapd: add Multi-AP patches and config options
Cherry-pick Multi-AP commits from uptream:
 9c06f0f6a hostapd: Add Multi-AP protocol support
 5abc7823b wpa_supplicant: Add Multi-AP backhaul STA support
 a1debd338 tests: Refactor test_multi_ap
 bfcdac1c8 Multi-AP: Don't reject backhaul STA on fronthaul BSS
 cb3c156e7 tests: Update multi_ap_fronthaul_on_ap to match implementation
 56a2d788f WPS: Add multi_ap_subelem to wps_build_wfa_ext()
 83ebf5586 wpa_supplicant: Support Multi-AP backhaul STA onboarding with WPS
 66819b07b hostapd: Support Multi-AP backhaul STA onboarding with WPS
 8682f384c hostapd: Add README-MULTI-AP
 b1daf498a tests: Multi-AP WPS provisioning

Add support for Multi-AP to the UCI configuration. Every wifi-iface gets
an option 'multi_ap'. For APs, its value can be 0 (multi-AP support
disabled), 1 (backhaul AP), 2 (fronthaul AP), or 3 (fronthaul + backhaul
AP). For STAs, it can be 0 (not a backhaul STA) or 1 (backhaul STA, can
only associate with backhaul AP).

Also add new optional parameter to wps_start ubus call of
wpa_supplicant to indicate that a Multi-AP backhaul link is required.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-02-20 13:17:11 +01:00
Hans Dedecker
1bdd3b5f7d Revert "iproute2: use tc package variant to limit other package sizes"
This reverts commit e6d84fa886 as it breaks the
installation of the iproute2 utilities ip-bridge, ss, nstat, devlink and rdma
for the ip-full variant

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-19 15:22:28 +01:00
Hans Dedecker
de14f4301e Revert "iproute2: simplify linking libelf for eBFP/XDP object file support"
This reverts commit 26681fa6a6 as it breaks the
installation of the iproute2 utilities ip-bridge, ss, nstat, devlink and rdma
for the ip-full variant

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-19 15:22:28 +01:00
Hans Dedecker
566bfa417e Revert "iproute2: tc: enable and fix support for using .so plugins"
This reverts commit fc80ef3613 as it breaks the
installation of the iproute2 utilities ip-bridge, ss, nstat, devlink and
rdma for the ip-full variant

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-19 15:22:28 +01:00
Hans Dedecker
96060b3018 Revert "iproute2: tc: reduce size of dynamic symbol table"
This reverts commit 248797834b as it breaks the
installation of the iproute2 utilities ip-bridge, ss, nstat, devlink and rdma
for the ip-full variant

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-19 15:22:28 +01:00
Yousong Zhou
ec2a2a2aea dnsmasq: allow using dnsmasq as the sole resolver
Currently it seems impossible to configure /etc/config/dhcp to achieve
the following use case

 - run dnsmasq with no-resolv
 - re-generate /etc/resolv.conf with "nameserver 127.0.0.1"

Before this change, we have to set resolvfile to /tmp/resolv.conf.auto
to achive the 2nd effect above, but setting resolvfile requires noresolv
being false.

A new boolean option "localuse" is added to indicate that we intend to
use dnsmasq as the local dns resolver.  It's false by default and to
align with old behaviour it will be true automatically if resolvfile is
set to /tmp/resolv.conf.auto

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-19 13:06:06 +00:00
Hans Dedecker
331963717b odhcpd: update to latest git HEAD
1f01299 config: fix build failure in case DHCPv4 support is disabled
67b3a14 dhcpv4: fix assignment of requested IP address
ca8ba91 dhcp: rework static lease logic
36833ea dhcpv6: rapid commit support
1ae316e dhcpv6: fix parsing of DHCPv6 relay messages
80157e1 dhcpv4: fix compile issue
671ccaa dhcpv6-ia: move function definitions to odhcpd.h
0db69b0 dhcpv6: improve code readibility
7847b27 treewide: unify dhcpv6 and dhcpv4 assignments
a54cee0 netlink: rework handling of netlink messages
9f25dd8 treewide: use avl tree to store interfaces
f21a0a7 treewide: align syslog tracing
edc5fb0 dhcpv6-ia: add full CONFIRM support
9d6eadf dhcpv6-ia: rework append_reply()

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-18 16:11:32 +01:00
Rosy Song
93b984b78a samba36: allow build with no ipv6 support
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2019-02-17 19:22:39 +01:00
Deng Qingfang
f5db5742e4 iw: update to 5.0.1
Refresh patches

MIPS IPK size increases:
iw-tiny: +3k
iw-full: +10k

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
[Remove sha256, nan, bloom, measurements and ftm from tiny version]
[sync nl80211 between backports and iw]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-02-17 17:33:18 +01:00
Jonas Gorski
c8a30172f8 dnsmasq: ensure test and rc order as older than final releases
Opkg treats text after a version number as higher than without:

 ~# opkg compare-versions "2.80rc1" "<<" "2.80"; echo $?
 1
 ~# opkg compare-versions "2.80rc1" ">>" "2.80"; echo $?
 0

This causes opkg not offering final release as upgradable version, and
even refusing to update, since it thinks the installed version is
higher.

This can be mitigated by adding ~ between the version and the text, as ~
will order as less than everything except itself. Since 'r' < 't', to
make sure that test will be treated as lower than rc we add a second ~
before the test tag. That way, the ordering becomes

  2.80~~test < 2.80~rc < 2.80

which then makes opkg properly treat prerelease versions as lower.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
2019-02-17 16:55:24 +01:00
Felix Fietkau
5b6997dcb3 hostapd: update the fix for a race condition in mesh new peer handling
Prevent the mesh authentication state machine from getting reset on bogus
new peer discovery

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-17 16:06:44 +01:00
Felix Fietkau
f948aa4d4f hostapd: enable CONFIG_DEBUG_SYSLOG for wpa_supplicant
It was already enabled for wpad builds and since commit 6a15077e2d
the script relies on it. Size impact is minimal (2 kb on MIPS .ipk).

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-17 13:05:14 +01:00
Hans Dedecker
880f8e6d32 dnsmasq: add rapid commit config option
Add config option rapidcommit to enable support for DHCPv4 rapid
commit (RFC4039)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-13 10:37:36 +01:00
Felix Fietkau
db93949aa3 hostapd: fix race condition in mesh new peer handling
Avoid trying to add the same station to the driver multiple times

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-12 15:12:35 +01:00
Felix Fietkau
6a15077e2d hostapd: send wpa_supplicant logging output to syslog
Helpful for debugging network connectivity issues

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-12 15:12:35 +01:00
Tony Ambardar
248797834b iproute2: tc: reduce size of dynamic symbol table
In the case of SHARED_LIBS=y, don't use -export-dynamic to place *all*
symbols into the dynamic symbol table. Instead, use --dynamic-list to
export a smaller set of symbols similar to that defined in static-syms.h
in the case of SHARED_LIBS=n, avoiding an 11 KB tc package size increase.

Also increment PKG_RELEASE.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar
fc80ef3613 iproute2: tc: enable and fix support for using .so plugins
This enables using the tc module m_xt.so, which uses the act_ipt kernel
module to allow tc actions based on iptables targets. e.g.

   tc filter add dev eth0 parent 1: prio 10 protocol ip \
   u32 match u32 0 0 action xt -j DSCP --set-dscp-class BE

Make the SHARED_LIBS parameter configurable and based on tc package
selection.

Fix a problem using the tc m_xt.so plugin as also described in
https://bugs.debian.org/868059:

  Sync include/xtables.h from iptables to make sure the right offset is
  used when accessing structure members defined in libxtables. One could
  get “Extension does not know id …” otherwise. (See also: #868059)

Patch to sync the included xtables.h with system iptables 1.6.x. This
continues to work with iptables 1.8.2.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar
26681fa6a6 iproute2: simplify linking libelf for eBFP/XDP object file support
Simplify build and runtime dependencies on libelf, which allows tc and ip
to load BPF and XDP object files respectively.

Preserve optionality of libelf by having configuration script follow the
HAVE_ELF environment variable, used similarly to the HAVE_MNL variable.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar
e6d84fa886 iproute2: use tc package variant to limit other package sizes
Replace the old 'tc' with a singleton package variant which will be used
to enable additional functionality and limit it only to tc. Non-variant
packages will only be installed during 'tiny' variant builds, hence will
be configured without extra features, thus preserving previously limited
functionality and reduced package sizes.

Also set ip-tiny as the default variant, and install 'tiny' versions of
development libraries.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar
bc86da377c iproute2: simplify Makefile, patches and fix feature detection
Compile-based feature detection (e.g. xtables, ipset support) was broken
due to silent compilation errors in the configure script, caused by a
Makefile variable KERNEL_INCLUDE referring to kernel build headers. Use
userspace headers by setting the same "user_headers" kernel include path
as used for the iptables build.

Remove redundant or unused Build/Configure definitions from package
Makefile, including KERNEL_INCLUDE, LIBC_INCLUDE and DBM includes.

Don't pass LDFLAGS within MAKE_FLAGS as this interferes with LDFLAGS in
tc/Makefile and masks a link parameter ("-Wl,-export-dynamic"). Instead,
use standard TARGET_LDFLAGS.

Replace EXTRA_CCOPTS in MAKE_FLAGS with cleaner TARGET_CPPFLAGS, and also
drop now unneeded patch 150-extra-ccopts.patch.

Enable defining XT_LIB_DIR from Makefile, needed to set the iptables
modules directory to something other than /lib/xtables, and also add
libxtables dependency. Both are needed with working xtables detection.
Note that libxtables is also pulled in by iptables, firewall or luci, so
this change has no size impact in most cases.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar
43e14a2f9e iproute2: fix broken configuration patch
Since v4.13, iproute2 switched to a config.mk file with greater use of
pkg-config for library/feature detection. Replace the old Config patch
with one modifying the configure script but enabling the same changes:
 - explicitly disable TC_CONFIG_ATM
 - rely on feature detection for IP_CONFIG_SETNS and TC_CONFIG_XT

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Hans Dedecker
630a363936 vti: remove setting default firewall zone to wan
Same reasoning as in bdedb798150a58ad7ce3c4741f2f31df97e84c3f; don't set
default firewall zone to wan as the firewall zone for the vti interface
can be configured in the firewall config or it makes it impossible not to
specify a firewall zone for the vti interface.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-09 21:04:36 +01:00
Hans Dedecker
7f33f3d712 ipip: remove setting default firewall zone to wan
Same reasoning as in bdedb798150a58ad7ce3c4741f2f31df97e84c3f; don't set
default firewall zone to wan as the firewall zone for the ipip interface
can be configured in the firewall config or it makes it impossible not to
specify a firewall zone for the ipip interface.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-09 21:04:08 +01:00
Deng Qingfang
39273b849f curl: bump to 7.64.0
Fixed CVEs:

CVE-2018-16890
CVE-2019-3822
CVE-2019-3823

For other changes in version 7.64.0 see https://curl.haxx.se/changes.html#7_64_0

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-02-08 08:37:24 +01:00
Florian Eckert
bdedb79815 gre: remove setting default firewall zone to wan
There are two problems with this behaviour that the zone is set to wan
if no zone config option is defined in the interface section.

* The zone for the interface is "normally" specified in the firewall
config file. So if we have defined "no" zone for this interface zone
option is set now to "wan" additonaly if we add the interface in the firewall
config section to the "lan" zone, the interface is added to lan and wan at once.

iptables-save | grep <iface>

This is not what I expect.

* If I do not want to set a zone to this interface it is not possible.

Remove the default assigment to wan if no zone option is defined.
If some one need the option it stil possible to define this option.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2019-02-07 21:58:07 +01:00
Hans Dedecker
8399ee4543 netifd: handle hotplug event socket errors
5cd7215 system-linux: handle hotplug event socket ENOBUFS errors

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-31 22:14:55 +01:00
Kevin Darbyshire-Bryant
352db3e62a dnsmasq: latest pre-2.81 patches
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-01-31 10:13:05 +00:00
Jo-Philipp Wich
c6aa9ff388 uhttpd: disable concurrent requests by default
In order to avoid straining CPU and memory resources on lower end devices,
avoid running multiple CGI requests in parallel.

Ref: https://forum.openwrt.org/t/high-load-fix-on-openwrt-luci/29006
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-30 10:12:00 +01:00
Hans Dedecker
a3ccac6b1d iproute2: drop libbsd dependency
As the usage of libbsd is no longer limited to glibc, prevent libbsd
being picked up by removing the dependency on libbsd.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-29 14:00:13 +01:00
Felix Fietkau
4443804b54 wpa_supplicant: fix calling channel switch via wpa_cli on mesh interfaces
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-29 11:27:13 +01:00
Felix Fietkau
ae6b5815cd hostapd: add support for passing CSA events from sta/mesh to AP interfaces
Fixes handling CSA when using AP+STA or AP+Mesh

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-29 11:27:06 +01:00
Hans Dedecker
617e414643 map: depend on nat46, provide map-t
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-27 18:39:55 +01:00
Hans Dedecker
633cac0cb4 464xlat: import from routing, add myself as maintainer
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-27 18:39:18 +01:00
Martin Schiller
eaaee181d1 ppp: update to version 2.4.7.git-2018-06-23
This bumps ppp to latest git version.

There is one upstream commit, which changes DES encryption calls from
libcrypt / glibc to openssl.

As long as we don't use glibc-2.28, revert this commit.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2019-01-25 14:55:46 +01:00
Jo-Philipp Wich
b1781d5841 iproute2: replace libelf1 dependency with libelf
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-24 12:56:31 +01:00
Jo-Philipp Wich
0e70f69a35 treewide: revise library packaging
- Annotate versionless libraries (such as libubox, libuci etc.) with a fixed
  ABI_VERSION resembling the source date of the last incompatible change
- Annotate packages shipping versioned library objects with ABI_VERSION
- Stop shipping unversioned library symlinks for packages with ABI_VERSION

Ref: https://openwrt.org/docs/guide-developer/package-policies#shared_libraries
Ref: https://github.com/KanjiMonster/maintainer-tools/blob/master/check-abi-versions.pl
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-24 10:39:30 +01:00
Jason A. Donenfeld
bbcd0634f8 wireguard: bump to 0.0.20190123
* tools: curve25519: handle unaligned loads/stores safely

This should fix sporadic crashes with `wg pubkey` on certain architectures.

* netlink: auth socket changes against namespace of socket

In WireGuard, the underlying UDP socket lives in the namespace where the
interface was created and doesn't move if the interface is moved. This
allows one to create the interface in some privileged place that has
Internet access, and then move it into a container namespace that only
has the WireGuard interface for egress. Consider the following
situation:

1. Interface created in namespace A. Socket therefore lives in namespace A.
2. Interface moved to namespace B. Socket remains in namespace A.
3. Namespace B now has access to the interface and changes the listen
port and/or fwmark of socket. Change is reflected in namespace A.

This behavior is arguably _fine_ and perhaps even expected or
acceptable. But there's also an argument to be made that B should have
A's cred to do so. So, this patch adds a simple ns_capable check.

* ratelimiter: build tests with !IPV6

Should reenable building in debug mode for systems without IPv6.

* noise: replace getnstimeofday64 with ktime_get_real_ts64
* ratelimiter: totalram_pages is now a function
* qemu: enable FP on MIPS

Linux 5.0 support.

* keygen-html: bring back pure javascript implementation

Benoît Viguier has proofs that values will stay well within 2^53. We
also have an improved carry function that's much simpler. Probably more
constant time than emscripten's 64-bit integers.

* contrib: introduce simple highlighter library

This is the highlighter library being used in:
- https://twitter.com/EdgeSecurity/status/1085294681003454465
- https://twitter.com/EdgeSecurity/status/1081953278248796165

It's included here as a contrib example, so that others can paste it into
their own GUI clients for having the same strictly validating highlighting.

* netlink: use __kernel_timespec for handshake time

This readies us for Y2038. See https://lwn.net/Articles/776435/ for more info.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-23 18:06:49 +01:00
Deng Qingfang
752bd72668 iproute2: update to 4.20.0
Update to the latest version of iproute2; see https://lwn.net/Articles/776174/
for a full overview of the changes in 4.20.
Remove upstream patch 001-fix-print_0xhex-on-32-bit.patch and 002-tc-fix-xtables-incorrect-usage-of-LDFLAGS.patch
Introduce a patch to include <linux/limits.h> for XATTR_SIZE_MAX in tc

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-01-23 17:55:21 +01:00
Jeffery To
d13e86d4c2 procd: Add wrapper for uci_validate_section()
This adds a wrapper (uci_load_validate) for uci_validate_section() that
allows callers (through a callback function) to access the values set by
uci_validate_section(), without having to manually declare a
(potentially long) list of local variables.

The callback function receives two arguments when called, the config
section name and the return value of uci_validate_section().

If no callback function is given, then the wrapper exits with the value
returned by uci_validate_section().

This also updates several init scripts to use the new wrapper function.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-01-22 09:05:59 +01:00
Carsten Wolff
2bf22b1fb7 iputils: install ping, ping6, traceroute6 with setuid root
these utilities need to run with uid 0 to be useful. Thus,
install them setuid root like other distros do, too.

Signed-off-by: Carsten Wolff <carsten@wolffcarsten.de>
[use INSTALL_SUID macro]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-22 09:05:59 +01:00
Jo-Philipp Wich
62fbdcaf06 conntrack-tools: relocated to packages feed
In order to prepare the switch from librpc to libtirpc, we need to relocate
conntrack-tools to the packages feed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-22 08:14:00 +01:00
Jo-Philipp Wich
797e5c1c48 packages: set more explicit ABI_VERSION values
In the case of upstream libraries, set the ABI_VERSION variable to the
soname value of the first version version after the last backwards
incompatible change.

For custom OpenWrt libraries, set the ABI_VERSION to the date of the
last Git commit doing backwards incompatible changes to the source,
such as changing function singatures or dropping exported symbols.

The soname values have been determined by either checking
https://abi-laboratory.pro/index.php?view=tracker or - in the case
of OpenWrt libraries - by carefully reviewing the changes made to
header files thorough the corresponding Git history.

In the future, the ABI_VERSION values must be bumped whenever the
library is updated to an incpompatible version but not with every
package update, in order to reduce the dependency churn in the
binary package repository.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-19 14:31:51 +01:00
Rosy Song
27be78ef46 dnsmasq: allow building without tftp server support
It saves 2871 bytes on package size while 4 bytes on memory size.

Signed-off-by: Rosy Song <rosysong@rosinson.com>
2019-01-17 22:07:06 +01:00
Hans Dedecker
76cc766521 odhcpd: fix onlink IA check (FS#2060)
0a36768 dhcpv6-ia: fix compiler warning
1893905 dhcpv6-ia: fix onlink IA check (FS#2060)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-16 23:01:05 +01:00
Kevin Darbyshire-Bryant
7541d30c9c dnsmasq: backport latest pre2.81 patches
f52bb5b fix previous commit
18eac67 Fix entries in /etc/hosts disabling static leases.
f8c77ed Fix removal of DHCP_CLIENT_MAC options from DHCPv6 relay replies.
4bf62f6 Tidy cache_blockdata_free()
9c0d445 Fix e7bfd556c079c8b5e7425aed44abc35925b24043 to actually work.
2896e24 Check for not(DS or DNSKEY) in is_outdated_cname_pointer()
a90f09d Fix crash freeing negative SRV cache entries.
5b99eae Cache SRV records.
2daca52 Fix typo in ra-param man page section.
2c59473 File logic bug in cache-marshalling code. Introduced a couple of commits back.
cc921df Remove nested struct/union in cache records and all_addr.
ab194ed Futher address union tidying.
65a01b7 Tidy address-union handling: move class into explicit argument.
bde4647 Tidy all_addr union, merge log and rcode fields.
e7bfd55 Alter DHCP address selection after DECLINE in consec-addr mode. Avoid offering the same address after a recieving a DECLINE message to stop an infinite protocol loop. This has long been done in default address allocation mode: this adds similar behaviour when allocaing addresses consecutively.

The most relevant fix for openwrt is 18eac67 (& my own local f52bb5b
which fixes a missing bracket silly) To quote the patch:

It is possible for a config entry to have one address family specified by a
dhcp-host directive and the other added from /etc/hosts. This is especially
common on OpenWrt because it uses odhcpd for DHCPv6 and IPv6 leases are
imported into dnsmasq via a hosts file.

To handle this case there need to be separate *_HOSTS flags for IPv4 and IPv6.
Otherwise when the hosts file is reloaded it will clear the CONFIG_ADDR(6) flag
which was set by the dhcp-host directive.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-01-16 15:39:54 +00:00
Hans Dedecker
4029788ff3 odhcpd: update to latest git HEAD (FS#2020)
7abbed4 dhcpv6: add setting to choose IA_NA, IA_PD or both
dd1aefd router: add syslog tracing for skipped routes
0314d58 router: filter route information option
5e99738 router: make announcing DNS info configurable (FS#2020)
1fe77f3 router: check return code of odhcpd_get_interface_dns_addr()
8f49804 config: check for invalid DNS addresses

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-15 14:02:21 +01:00
Hans Dedecker
70ffcb947c odhcp6c: update to latest git HEAD
d2e247d odhcp6c: align further with RFC8415
ce83a23 dhcpv6: avoid parsing unncessary IAs
b079733 dhcpv6: set cnt to correct IOV enum
41494da dhcpv6: get rid of request_prefix
f7437e4 dhcpv6: sanitize option request list

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-11 15:26:06 +01:00
Rafał Miłecki
ef1efa756e samba36: add package with hotplug.d script for auto sharing
The new samba36-hotplug package provides a hotplug.d script for the
"mount" subsystem. It automatically shares every mounted block device.

It works by updating /var/run/config/samba file which:
1) Is read by procd init script
2) Gets wiped on reboot providing a consistent state
3) Can be safely updated without flash wearing or conflicting with user
   changes being made in /etc/config/samba

Cc: Rosy Song <rosysong@rosinson.com>
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2019-01-10 10:33:40 +01:00
Rafał Miłecki
5a59e2c059 samba36: append config from /var/run/config/ for runtime shares
This will allow automation/hotplug.d scripts to store runtime shares in
the /var/run/config/samba. It's useful e.g. for USB drives that user
wants to be automatically shared.

Using /var/run/config/ provides:
1) Automated cleaning on reboots
   It's important for consistency (to avoid sharing non-existing drives)
2) Safety for user non-commited changes
   Automated scripts should never call "uci [foo] commit" as that could
   flush incomplete config.

Another minor gain is avoiding flash wearing for runtime setup.

Cc: Rosy Song <rosysong@rosinson.com>
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2019-01-10 10:33:40 +01:00
Hans Dedecker
fd5f0606fd firewall: update to latest git HEAD
70f8785 zones: add zone identifying local traffic in raw OUTPUT chain
6920de7 utils: Free args in __fw3_command_pipe()
6ba9105 options: redirects: Fix possible buffer overflows

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-03 17:09:51 +01:00
Hauke Mehrtens
99956528df hostapd: update to version 2018-12-02 (2.7)
This updates hostapd to version the git version from 2018-12-02 which
matches the 2.7 release.

The removed patches were are already available in the upstream code, one
additional backport is needed to fix a compile problem.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-01-02 15:47:13 +01:00
Mathias Kresin
213c0e78fa iwinfo: fix PKG_MIRROR_HASH
The PKG_MIRROR_HASH was for some reason wrong.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2018-12-30 20:33:49 +01:00
Hans Dedecker
d405edb481 omcproxy: optimize interface triggers
Before installing an interface triggger check if an interface
trigger for the interface is already in place.
This avoids installing identical interface triggers for a given
interface

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-29 16:08:31 +01:00
David Santamaría Rogado
df8f8bad08 omcproxy: fix installation of interface triggers (FS#1972)
omcproxy will not start up if either the downlink or uplink interface is
not up at boottime as the interface triggers are not correctly
installed.

Further rework omcproxy init to make use of network functions defined
in network.sh; set proper family and proto options in procd firewall
rules.

Signed-off-by: David Santamaría Rogado <howl.nsp@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-29 16:07:51 +01:00
Mathias Kresin
a5030f8b10 iwinfo: update to latest git
dd508af iwinfo: fix QCA9984 vendor id
0eaabf1 iwinfo: add device id for Atheros AR9287
6e998ec iwinfo: add device id for MediaTek MT7612E
5aa8c54 libiwinfo: nl80211: add mesh stats on assoclist.
77a9e98 iwinfo: Add Mikrotik R11e-2HPnD and R11e-5HacT to hardware list

Signed-off-by: Mathias Kresin <dev@kresin.me>
2018-12-29 12:35:47 +01:00
Rafał Miłecki
ae622c93b3 Revert "samba36: add hotplug support"
This reverts commit fd569e5e9d.

After an extra review & discussion few concerns were raised regarding
that feature:
1) It reacts to hotplug.d "block" events instead of more accurate (but
   currently unavailable) "mount" events.
2) It requires *something* to mount block device before samba hotplug.d
   gets fired. Otherwise samba_add_section() will just return.
3) It doesn't reload Samba which some users may expect
4) It operates on /etc/ which is not a right place for autogenerated
   ephemeral config.
5) It doesn't include any cleanup for non-existing shares.

Cc: Rosy Song <rosysong@rosinson.com>
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2018-12-28 23:09:38 +01:00
Stijn Tintel
c5b89abe2a lldpd: consolidate CONFIGURE_VARS
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2018-12-28 12:19:32 +02:00
Daniel Engberg
9a37c95431 wireguard: Update to snapshot 0.0.20181218
Update WireGuard to 0.0.20181218

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-12-24 12:58:22 +01:00
Deng Qingfang
0babdf2d2b curl: bump to 7.63.0
Refresh patches, for changes in version 7.63.0 see https://curl.haxx.se/changes.html#7_63_0

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2018-12-24 09:46:06 +01:00
Hans Dedecker
f36bc3f9b1 odhcpd: use PKG_VERSION default value
Instrad of defining PKG_VERSION in the Makefile use the PKG_VERSION
default value

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-21 18:30:01 +01:00
Hans Dedecker
9b8ea3623b odhcpd: add PKG_VERSION again
Fixes commit 63d0752ca8

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-20 16:50:08 +01:00
Hans Dedecker
63d0752ca8 odhcpd: update to latest git HEAD
2d2a3b8 odhcpd: switch to libubox container_of implementation
2a71c1e treewide: switch to libubox ARRAY_SIZE immplementation

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-20 15:43:31 +01:00
Jo-Philipp Wich
de7ae9a0ef iproute2: require nls infrastructure due to libelf linking
Depending on the global nls support configuration in the buildroot, the
linked libelf.so library might depend on libintl.so.

Import the nls.mk helper to set library prefixes and flags accordingly
in this case.

Ref: https://github.com/openwrt/packages/issues/7728#issuecomment-448760140
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-12-20 08:13:24 +01:00
Jo-Philipp Wich
386803a006 iproute2: only link libelf where needed
The iproute2 build system links libelf support to every utility while only
the tc program actually requires libelf specific functionality.

Unfortunately the BPF ELF functionality is not confined into an own
compilation unit but added to the existing bpf.c sources of the shared
static libutil.a, causing every iproute2 applet to pick up an implicit
libelf.so dependency.

In order to avoid this requirement, patch the iproute2 build system to
create both a libutil.a and a libutil-elf.a, with the former being built
without libelf functionality and to only link the tc applet with the libelf
enabled libutil.

Finally, make the tc package depend on libelf to solve compilation errors.

Ref: https://github.com/openwrt/packages/issues/7728
Fixes: FS#2011
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-12-19 10:50:02 +01:00
Hans Dedecker
83109450ce dropbear: fix dropbear startup issue
Interface triggers are installed by the dropbear init script in case an
interface is configured for a given dropbear uci section.
As dropbear is started after network the interface trigger event can be
missed during a small window; this is especially the case if lan is
specified as interface.
Fix this by starting dropbear before network so no interface trigger
is missed. As dropbear is started earlier than netifd add a boot function
to avoid the usage of network.sh functions as call to such functions will
fail at boottime.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2018-12-18 19:43:22 +01:00
Syrone Wong
6263a9baa3 ipset: update to 7.1
Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
2018-12-17 21:57:22 +01:00
Kevin Darbyshire-Bryant
3f7de917be netifd: fix ipv6 multicast check in previous commit
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-17 19:05:07 +00:00
Kevin Darbyshire-Bryant
d112d095a9 netifd: support configuring class e 240.0.0.0/4 addresses
cd089c5 proto: Support class-e addressing in netifd

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-17 09:27:53 +00:00
Hans Dedecker
3262fce1cd omcproxy: use PROJECT_GIT in PKG_SOURCE_URL
Switch PKG_SOURCE_URL to git.openwrt.org

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-16 19:23:36 +01:00
Hans Dedecker
0074a5e67e omcproxy: switch to OpenWrt github repo
Switch to OpenWrt github repo in PKG_SOURCE_URL so we can
remove the out of tree patch

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-16 18:09:23 +01:00
Hauke Mehrtens
835947ce64 hostapd: Make eapol-test depend on libubus
The eapol-test application also uses the code with the newly activated
ubus support, add the missing dependency.

Fixes: f5753aae23 ("hostapd: add support for WPS pushbutton station")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-12-16 14:25:41 +01:00
Rosen Penev
1e98d985bb swconfig: Add missing include
Fixes these warnings:

swlib.c:455:18: warning: implicit declaration of function 'isspace'
swlib.c:461:9: warning: implicit declaration of function 'isdigit'

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-16 00:57:19 +01:00
Eneas U de Queiroz
cb4d00d184 omcproxy: fix compilation on little-endian CPUs
Don't use cpu_to_be32 outside of a function.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2018-12-16 00:57:19 +01:00
Kevin Darbyshire-Bryant
9048b22e67 dnsmasq: Fix dhcp-boot, dhcp-reply-delay and pxe-prompt regressions
The above options were incorrectly changed to required tags.  Make them
optional again.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-14 17:51:42 +00:00
Hans Dedecker
6ff27cf0f5 iproute2: backport patch fixing incorrect usage of LDFLAGS
Backport upstream patch fixing incorrect passing of -lxtables to
LDFLAGS instead of LDLIBS in the tc/Makefile

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-14 09:57:15 +01:00
Hans Dedecker
81bb9189e4 netifd: update to latest git HEAD
1ac1c78 system-linux: get rid of SIOCSDEVPRIVATE

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-13 22:05:40 +01:00
Martin Schiller
3850b41f01 openvpn: re-add option comp_lzo
This option is deprecated but needs to be kept for backward compatibility. [0]

[0] https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#a--comp-lzo

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2018-12-12 17:15:01 +01:00
Kevin Darbyshire-Bryant
ad8a5aa06a dnsmasq: fix ipv6 ipset bug
During upstream removal of conditional ipv6 support an order swap error
was made in a ternary operator usage.

This patch sent upstream.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-12 11:54:49 +00:00
Hans Dedecker
1ff98ddff7 iproute2: backport upstream patch to fix print_0xhex on 32 bit
The argument to print_0xhex is converted to unsigned long long
so the format string give for normal printout has to be some
variant of %llx. Backport the patch as otherwise, bogus values
will be printed on 32 bit platforms.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-12 12:38:54 +01:00
Daniel Golle
f5753aae23 hostapd: add support for WPS pushbutton station
similar to hostapd, also add a ubus interface for wpa_supplicant
which will allow handling WPS push-button just as it works for hostapd.
In order to have wpa_supplicant running without any network
configuration (so you can use it to retrieve credentials via WPS),
configure wifi-iface in /etc/config/wireless:

  config wifi-iface 'default_radio0'
      option device 'radio0'
      option network 'wwan'
      option mode 'sta'
      option encryption 'wps'

This section will automatically be edited if credentials have
successfully been acquired via WPS.

Size difference (mips_24kc): roughly +4kb for the 'full' variants of
wpa_supplicant and wpad which do support WPS.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-12-12 09:37:23 +01:00
Kevin Darbyshire-Bryant
8c0f6a010a dnsmasq: follow upstream dnsmasq pre-v2.81 v2
Backport upstream commits.  Most interesting 122392e which changes how
SERVFAIL is handled especially in event of genuine server down/failure
scenarios with multiple servers.  a799ca0 also interesting in that
answered received via TCP are now cached, DNSSEC typically using TCP
meant until now answers weren't cached, hence reducing performance.

59e4703 Free config file values on parsing errors.
48d12f1 Remove the NO_FORK compile-time option, and support for uclinux.
122392e Revert 68f6312d4bae30b78daafcd6f51dc441b8685b1e
3a5a84c Fix Makefile lines generating UBUS linker config.
24b8760 Do not rely on dead code elimination, use array instead. Make options bits derived from size and count. Use size of option bits and last supported bit in computation. No new change would be required when new options are added. Just change OPT_LAST constant.
6f7812d Fix spurious AD flags in some DNS replies from local config.
cbb5b17 Fix logging in cf5984367bc6a949e3803a576512c5a7bc48ebab
cf59843 Don't forward *.bind/*.server queries upstream
ee87504 Remove ability to compile without IPv6 support.
a220545 Ensure that AD bit is reset on answers from --address=/<domain>/<address>.
a799ca0 Impove cache behaviour for TCP connections.

Along with an additional patch to fix compilation without DHCPv6, sent
upstream.

I've been running this for aaaages without obvious issue hence brave
step of opening to wider openwrt community.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-10 10:38:49 +00:00
Kevin Darbyshire-Bryant
18e02fa20c Revert "dnsmasq: follow upstream dnsmasq pre-v2.81"
This reverts commit a6a8fe0be5.

buildbot found an error
option.c: In function 'dhcp_context_free':
option.c:1042:15: error: 'struct dhcp_context' has no member named 'template_interface'
       free(ctx->template_interface);

revert for the moment

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-10 09:57:19 +00:00
Kevin Darbyshire-Bryant
a6a8fe0be5 dnsmasq: follow upstream dnsmasq pre-v2.81
Backport upstream commits.  Most interesting 122392e which changes how
SERVFAIL is handled especially in event of genuine server down/failure
scenarios with multiple servers.  a799ca0 also interesting in that
answered received via TCP are now cached, DNSSEC typically using TCP
meant until now answers weren't cached, hence reducing performance.

59e4703 Free config file values on parsing errors.
48d12f1 Remove the NO_FORK compile-time option, and support for uclinux.
122392e Revert 68f6312d4bae30b78daafcd6f51dc441b8685b1e
3a5a84c Fix Makefile lines generating UBUS linker config.
24b8760 Do not rely on dead code elimination, use array instead. Make options bits derived from size and count. Use size of option bits and last supported bit in computation. No new change would be required when new options are added. Just change OPT_LAST constant.
6f7812d Fix spurious AD flags in some DNS replies from local config.
cbb5b17 Fix logging in cf5984367bc6a949e3803a576512c5a7bc48ebab
cf59843 Don't forward *.bind/*.server queries upstream
ee87504 Remove ability to compile without IPv6 support.
a220545 Ensure that AD bit is reset on answers from --address=/<domain>/<address>.
a799ca0 Impove cache behaviour for TCP connections.

I've been running this for aaaages without obvious issue hence brave
step of opening to wider openwrt community.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-10 09:14:07 +00:00
Kevin Darbyshire-Bryant
7b083bbb82 dnsmasq: drop dnssec timestamp file patch
Openwrt no longer uses and has not used since 5acfe55d71 Jun 2016 the
timestamp file (/etc/dnsmasq.time) method of resolving the dnssec/ntp
dnslookup chicken/egg problem, having used signals from ntp since that
change.

Drop the 'dnssec-improve-timestamp-heuristic' patch since it is neither
used nor sent upstream.  One less thing to refresh & maintain.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-10 09:14:06 +00:00
Hans Dedecker
929c448a6d firewall: update to latest git HEAD
14589c8 redirects: properly handle src_dport in SNAT rules

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-09 17:36:12 +01:00
Ansuel Smith
f939598b7a iptables: fix ebtables vlan compile issue (FS#1990)
Backport an upstream patch which fixes an userspace/kernel headers
collison

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2018-12-08 21:50:14 +01:00
Ansuel Smith
1286c55302 iptables: bump to 1.8.2
Drop 030-extensions-libxt_bpf-Fix-build-with-old-kernel-versi.patch as pushed upstream
Added patches :
001-extensions_format-security_fixes_in_libip.patch
002-include_fix_build_with_kernel_headers_before_4_2.patch
101-remove-register-check.patch

The first and the second patch are upsteam fixes for compilation errors.
The third patch remove check if one target lib is already registred; this is caused by
shared libs that are loaded before the iptables execution.

Iptables changelog:

bba6bc6 (tag: v1.8.2) configure: bump versions for 1.8.2 release
61d6c38 xtables: add 'printf' attribute to xlate_add
5edb249 libxtables: xlate: init buffer to zero
9afd2a6 tests: shell: fix expected arptables-save output
6387941 arptables: fix --version info
d703c1f arptables: ignore --table argument.
d5754e3 arptables: make uni/multicast mac masks static
1b63e66 arptables: add test cases
5aecb2d arptables: pre-init hlen and ethertype
9677ed1 arptables: fix src/dst mac handling
ab0b6d5 arptables: fix target ip offset
c0c75ce arptables: fix -s/-d handling for negation and mask
3ac65af arptables: add basic test infra for arptables-nft
e31564f arptables: fix rule deletion/compare
2345ff6 arptables: remove code that is also commented-out in original arptables
50c2397 arptables-save: add -c option, like xtables-save
d9a518e arptables: use ->save for arptables-save, like xtables
5a52e6a extensions: test protocol and interface negation
85d7df9 xtables: Fix error return code in nft_chain_user_rename()
3ccb443 xtables: Clarify error message when deleting by index
95db364 xtables: Fix typo in do_command() error message
5f508b7 ebtables: use extrapositioned negation consistently
583b27e ebtables-save: add -c option, using xtables-style counters
e6723ab nft: add NFT_TABLE_* enumeration
21ec111 nft: replace nft_chain_dump() by nft_chain_list_get()
05947c8 iptables-nft: fix -f fragment option
7bd9feb libxtables: add and use mac print helpers
a10eb88 extensions: libebt_ip: fix tos negation
9b127b7 extensions: libebt_ip6: fix ip6-dport negation
c59ba1b xtables-nft: make -Z option work
1bf4a13 nft: add missing error string
a9f9377 iptables-tests: add % to run iptables commands
b81c8da iptables-tests: do not append xtables-multi to external commands
edf2b7c ebtables-nft: add arpreply target
2d1372e ebtables: add redirect test case
c3e8dbd ebtables: add test cases
cd90cef ebtables: relax -t table restriction, add snat/dnat test cases
fd95f1f ebtables: fix -j CONTINUE handling for add/delete
fb747f8 tests: add basic ebtables test support
d4bc5a3 iptables-nft: fix bogus handling of zero saddr/daddr
9ff9915 iptables-test: fix netns test
8c918db xtables: Fix for matching rules with wildcard interfaces
b2fc2a3 extensions: limit: unbreak build without libnftnl
682f39a xtables: Fix for spurious errors from iptables-translate
90f7dc3 (tag: v1.8.1) configure: bump versions for 1.8.1 release
0123183 iptables-test: add -N option to exercise netns removal path
abae556 libxtables: expose new etherdb lookup function through libxtables API
c2d9ed9 libxtables: prefix exported new functions for etherdb lookups
5a44360 Revert "extensions: libxt_quota: Allow setting the remaining quota"
2673faf xtables: Remove target_maxnamelen field
8ca3436 extensions: cgroup: fix option parsing for v2
0a8f2bc extensions: libxt_quota: Allow setting the remaining quota
b373a91 nft-shared: Use xtables_calloc()
5a40961 arptables: Use the shared nft_ipv46_parse_target()
9f07503 Combine parse_target() and command_jump() implementations
7373297 Combine command_match() implementations
a76ba54 libiptc: NULL-terminate errorname
a3716cc libxtables: Check extension real_name length
0195b64 iptables: Gitignore xtables-{legacy, nft}-multi scripts
671e40a xtables: Drop pointless check
7c9a152 arptables: Fix incorrect strcmp() in nft_arp_rule_find()
11e91a4 xtables: Don't read garbage in nft_ipv4_parse_payload()
d95c1e8 libxtables: Use posix_spawn() instead of vfork()
7e50eba Fix a few cases of pointless assignments
f40ce2d extensions: libebt_ip{, 6}: Drop pointless error checking
47fb86c nft-arp: Drop ineffective conditional
80aae9b iptables: Use print_ifaces() from xtables
8da04ff Share print_ipv{4,6}_addr() from xtables
b686594 iptables-apply: Replace signal numbers by names
f175dee iptables-apply: Quote strings passed to echo
52aa150 nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query()
61ebf3f libxtables: Don't read garbage in xtables_strtoui()
ab639f2 libxtables: Avoid calling memcpy() with NULL source
22ef371 libiptc: Simplify alloc_handle() function signature
6b7145f libxt_time: Drop initialization of variable 'year'
749d3c2 libxt_ipvs: Avoid potential buffer overrun
8e798e0 libxt_conntrack: Avoid potential buffer overrun
74eb239 libxt_conntrack: Version 0 does not support XT_CONNTRACK_DIRECTION
d0c1f1b libxt_LED: Avoid string overrun while parsing led-trigger-id
23ef6f0 xtables: Remove unused variable in nft_is_table_compatible()
4e499d5 ip{, 6}tables-restore: Fix for uninitialized array 'curtable'
1788f54 Mark fall through cases in switch() statements
31f1434 libxtables: Integrate getethertype.c from xtables core
7ae4fb1 xtables: Fix for wrong assert() in __nft_table_flush()
8c786a3 nfnl_osf: Drop pointless check in xt_osf_strchr()
6fc7762 libxt_string: Fix array out of bounds check
2a68be1 xtables-save: Ignore uninteresting tables
f9efc8c extensions: add cgroup revision 2
9b8cb16 extensions: REJECT: Merge reject tables
56d7ab4 libxt_string: Avoid potential array out of bounds access
bfd41c8 ebtables: Fix for potential array boundary overstep
e6f9867 libiptc: Avoid side-effect in memset() calls
4144571 libxtables: Fix potential array overrun in xtables_option_parse()
9242b5d xtables: Accept --wait in iptables-nft-restore
c9f4f04 xtables: Don't check all rules for being compatible
15606f2 doc: Improve layout of u32 instructions
7345037 xtables-restore: Fix flushing referenced custom chains
7df11d1 xtables: Drop use of IP6T_F_PROTO
b6a06c1 xtables: Align return codes with legacy iptables
3bb497c xtables: Fix for deleting rules with comment
0800d9b ip6tables-translate: Fix libip6t_mh.txlate test
4cf650c ebtables-translate: Fix for libebt_limit.txlate
783e9c2 xtables: Add missing deinitialization
9771d06 ebtables: Review match/target lookup once more
85ed1ab extensions: libebt_mark: Drop mark_supplied check
6a46ca0 xtables: Add a few missing exit calls
acde6be ebtables-translate: Fix segfault while parsing extension options
2c4e4d2 ebtables: trivial: Leverage C99-style initializers a bit more
9f5b28a xlate-test: Fix for calling wrong command name
1a878a7 extensions: AUDIT: Provide translation
5ee03e6 xtables: Use meta l4proto for -p match
37b68b2 xtables: Fix for segfault when registering hashlimit extension
92f7b04 xtables: Fix for segfault in iptables-nft
294f9ef ebtables: Fix entries count in chain listing
6f29aa8 xtables: Make 'iptables -S nonexisting' return non-zero
7bccf30 ebtables: Fix for listing of non-existent chains
3d9a13d xtables: Fix for no output in iptables-nft -S
a33c6fd arptables: Drop extensions/libxt_mangle.c
02b8097 ebtables: Merge libebt_limit.c into libxt_limit.c
5de8dcf xtables: Use native nftables limit expression
514de48 ebtables: Remove flags misinterpretations
528cbf9 xtables: Fix for wrong counter format in -S output
9ca32c4 xtables: Don't pass full invflags to add_compat()
e055aeb xtables: Improve xtables-monitor first impression
b925733 tests: Fix skipping for recent nft-only tests
277f374 xtables: Spelling fixes in xtables-monitor
a9d9f64 xtables: Fix potential segfault in nft_rule_append()
fbf0bf7 tests: Add ebtables-{save,restore} testcases
f1d8508 tests: Add arptables-{save,restore} testcases
63c3dae xtables: Implement arptables-{save,restore}
aa7fb04 ebtables: Review match/target lookup
3f123dc ebtables-restore: Use xtables_restore_parse()
295d5a8 xtables-restore: Make COMMIT support configurable
1679b2c xtables-restore: Improve user-defined chain detection
2ce9f65 xtables: Match verbose ip{,6}tables output with legacy
cd79556 xtables: Reserve space for 'opt' column in ip6tables output
0357254 xtables: Print error when listing non-existent chains
206033e xtables: Fix for no output on first iptables-nft invocation
a0698de xtables: Do not count rules as chain references
d11b6b8 arptables: Fix jumps into user-defined chains
3f27955 arptables: Fix opcode printing in numeric output
f988fe4 xtables: Fix symlinks/names for ebtables-{save, restore}
3319c61 ebtables: Support --init-table command
3ec8aac arptables: Print policy only for base chains
83bc189 arptables: Fix for trailing spaces in output
aaed1b6 arptables: Fix memleaks in do_commandarp()
d67d85d ebtables: Print non-standard target parameters
2e478e9 ebtables: Fix match_list insertion
a192f03 ebtables: Fix for wrong program name in error messages
a2ed880 xshared: Consolidate argv construction routines
1cc0918 xshared: Consolidate parse_counters()
78b9d43 Consolidate DEBUGP macros
14ad525 xtables: Fix program name in xtables_error()
f7bbdb0 xtables: Use correct built-in chain count
ae574b2 xtables: Fix compilation with NLDEBUG defined
82d278c xtables: Free chains in NFT_COMPAT_CHAIN_ADD jobs
c2895ea xtables: Free chains in NFT_COMPAT_CHAIN_USER_DEL jobs
89d3443 xtables: Fix for nft_rule_flush() returning garbage
c259447 xtables: Allocate rule cache just once
ed30b93 nft: don't print rule counters unless verbose
31e4b59 iptables-restore: free the table lock when skipping a table
f8e29a1 xtables: avoid bogus 'is incompatible' warning
6ea7579 nft: decode meta l4proto
922508e xtables: implement ebtables-{save,restore}
25ef908 xtables: introduce nft_init_eb()
de8574a xtables: parameter to add_argv() may be const
6f60f22 xtables: pass format to nft_rule_save()
f3b772c xtables: introduce save_chain callback
fa1681f xtables: rename {print,save}_rule functions
444d581 xtables: get rid of nft_ipv{4,6}_save_counters()
34e1e23 xtables: eliminate nft_ipv{4,6}_rule_find()
de782e8 xtables: merge nft_ipv{4,6}_parse_target()
ae8eece xtables: get rid of nft_ipv{4,6}_print_header()
2687794 xtables: arp: make rule_to_cs callback private
1bf73c4 xtables: Use new callbacks in nft_rule_print_save()
1866625 xtables: introduce rule_to_cs/clear_cs callbacks
0589457 xtables: simplify struct nft_xt_ctx
d9c6a5d xtables: merge {ip,arp}tables_command_state structs
87b5b9e iptables: replace memset by c99-style initializers
907da5c xtables: fix crash if nft_rule_list_get() fails
565a223 xtables: Support nft suffix for arptables and ebtables
c468f01 tests: check iptables retval, not echo
47d1484 iptables: tests: add test for iptables-save and iptables-restore
e4e0704 extensions: don't bother to build libebt/libarp extensions if nft backend was disabled
17c66a5 iptables: tests: shell: Add README
6c2118c (tag: v1.8.0) configure: bump version and libnftnl dependency
7b66fc2 man: clarify translate tools do not modify any state
f7fec51 xtables-monitor: add --version option
b470b8e xtables-legacy: fix argv0 name for ip6tables-legacy
2028e54 xtables: display legacy/nf_tables flavor in error messages, too
fd8d7d7 ebtables-nft: add stp match
f15639b tests: add script that mimics firewalld startup
27f7db2 tests: fix variable name to multi-binary
2a89ec5 tests: add a few simple tests for list/new/delete
37d9d5b ebtables-nft: make -L, -X CHAINNAME work
816bd1f ebtables-nft: remove exec_style
b81708f ebtables-nft: don't crash on ebtables -X
de02a75 doc: fix some spellos and the dash escape
dcf4529 tests: add firewalld default ruleset from fedora 27
f23abd5 tests: add another ipv4 only ruleset
ed9cfe1 tests: add initial save/restore test cases
9933dc5 tests: adapt test suite to run with legacy+nftables based binaries
be70918 xtables: rename xt-multi binaries to -nft, -legacy
d49ba50 xtables-restore: init table before processing policies
344c6eb doc: Fix spelling error in hashlimit section
e063873 tests: make duplicate test work
d26c538 xtables: add xtables-monitor
db84371 xtables: translate nft meta trace set 1 to -j TRACE
20eac2a xtables: warn in case old-style (set/getsockopt) tables exist
c9f5e18 xtables: add nf_tables vs. legacy postfix to version strings
e5fed16 iptables8.in: Update coreteam names
672accf include: update kernel netfilter header files
856a875 xtables: silence two compiler warnings
ae6e159 xtables: remove dead code inherited from ebtables
107b7eb configure: add -Wlogical-op warning to cflags
bc7f49d ebtables-translate: remove --change-counters code
38b4166 iptables: tests: shell: add shell test-suite
1e6427a xtables-compat: skip invalid tables
cb368b6 xtables: more error printing fixes
b1b828f xtables: homogenize error message
4caa559 xtables: initialize basechains for rule flush command too
9b89622 xtables: rework rule cache logic
01e25e2 xtables: add chain cache
8d190e9 xtables: initialize basechains only once on ruleset restore
0a86351 xtables-compat: ignore '+' interface name
125d1ce xtables-compat: append all errors into single line
437746c xtables: extended error reporting
d1c79cd xtables: allocate struct xt_comment_info for comments
4e20209 xtables: use libnftnl batch API
49709e2 xtables-compat: remove nft_is_ruleset_compatible
03e1377 xtables: allow dumping of chains in specific table
94fd83d xtables: inconsistent error reporting for -X and no empty chain
c4f1622 ebtables-compat: add arp match extension
24ce746 ebtables-compat: add redirect match extension
84c04e3 ebtables-compat: add nat match extensions
14ec998 xtables-compat: ebtables: prefer snprintf to strncpy
5e2b473 xtables-compat: extend generic tests for masks and wildcards
1a696c9 libxtables: store all requested match types
bb436ce xtables-compat: ip6table-save: fix save of ip6 address masks
6454d7d ebtables-translate: suppress redundant protocols
07f4ca9 xtables-compat: ebtables: allow checking for zero-mac
0ca2d2a xtables-compat: ebtables: add helpers to print interface and mac addresses
3d9f300 xtables-compat: ebtables: remove interface masks from ebt_entry struct
20e2758 xtables-compat: ebtables: fix logical interface negation
2682bb0 xtables-compat: ebtables: add and use helper to parse all interface names
564862d xtables-compat: ebtables: split match/target print from nft_bridge_print_firewall
0ae81d0 xtables-compat: ebtables: kill ebtables_command_state
651cfee xtables-compat: pass correct table skeleton
652b98e xtables-compat: fix wildcard detection
49f4993 extensions: libip6t_srh.t: Add test cases for psid, nsid, and lsid
429143b extensions: libxt_CONNMARK: incorrect translation after v2
db7b4e0 extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark
155e1c0 extensions: libip6t_srh: support matching previous, next and last SID
f4ffda1 extensions: libipt_DNAT: tests added for shifted portmap range
6a9ffb1 xtables-compat-restore: flush table and its content with no -n
07ae37c xtables-compat: fix bogus error with -X and no user-defined chains
df3d92b xtables-compat-restore: flush user-defined chains with -n
ca16584 xtables-compat-restore: flush rules and delete user-defined chains
ac1e85a extensions: libipt_DNAT: use size of nf_nat_range2 for rev2
e25d99a xtables-compat: pass larger socket buffer
838746e xtables-compat: xtables-save: don't return 1
2211679 xtables-compat: ebtables: support concurrent option
a77a7d8 iptables-test: fix bug with rateest
de87405 xtables-compat: fix ipv4 frag (-f)
c7b2fd6 xtables-compat: also check tg2->userspacesize
5685938 xtables-compat: avoid unneeded bitwise ops
b9d7b49 xtables-compat: restore: sync options with iptables-restore
c0ef861 extensions: add xlate test for ipables -f
d79a7f1 xtables-compat: output -s,d first during save, just like iptables
d1eb4d5 iptables-compat: chains are purge out already from table flush
09f0d47 iptables-compat: do not fail on restore if user chain exists
8798eb8 iptables-compat: remove non-batching routines
b633ef9 xtables.conf: fix hook skeletons
7af2178 xtables-compat: fall back to comment match in case name is too long
e9aeecf xlate-test: use locally installed xlate tools
0ab58e3 xtables-compat: ebtables: handle mac masks properly
734ad40 xtables-compat: nft-arp: fix warning wrt. sprintf-out-of-bounds
fb7ae9f xtables-compat: truncate comments to 254 bytes
36976c4 extensions: libipt_DNAT: support shifted portmap ranges
d7ac61b iptables-test: add nft switch and test binaries from git
992e17d xtables-compat: only fetch revisions for ip/ip6
12a52ff xtables: Fix rules print/save after iptables update
1197c5e xtables: Register all match/target revisions supported by us and kernel
e3bb24c xtables: Check match/target size vs XT_ALIGN(size) at register time
3b2530c xtables: Do not register matches/targets with incompatible revision
d3f1437 xtables: Introduce and use common function to print val[/mask] arguments
29b1d97 xtables: Introduce and use common function to parse val[/mask] arguments
56aadc0 extensions: Initialize linear mapping of symbols in _init() of extension
79c2da9 extensions: ULOG: remove test
a0956ce ebtables-translate: turn off useless compat queries
9840869 nft: arptables: remove obsolete forward hook definition
7a37d14 iptables-compat: statify nft_restart()
a3aac1d iptables-compat: handle netlink dump EINTR errors
a567dc3 ebtables-compat: add 'vlan' match extension
7564bba ebtables-compat: add 'pkttype' match extension
4d40904 ebtables-translate: update table name on -t
5c8ce9c ebtables-compat: add 'ip6' match extension
8a85a14 libebt_ip: fix translations for tos and icmp
b6f0bec libebt_ip: add icmp support
f38ed1e xt-translate: quote interface names in translated output
71a6e37 icmp: split icmp type printing to header file
e67c088 ebtables-translate: add initial test cases
207dd5e xt-compat: add ebtables-translate
d988274 xlate-translate: split common parts into helper
1650806 xtables-eb: export 3 functions
6b2041c nft-bridge: add eb-translate backend functions
3063c37 nft-bridge: fix mac address printing
394a400 nft: fix crash when getprotobynumber() returns 0
6a1dbdf ebtables-compat: support intra-positioned negations
3e94f0a nft-bridge: add forward declaration for struct nftnl_rule
5024efe libebt_limit: print 'minute' and 'seconds', not 'min' and 'secs'
ce3c780 nft: make nft_init self-contained
cb151d5 xtables-translate: rm duplicate includes
69c089b xt-compat: constify a few struct members
03ecffe ebtables-compat: add initial translations
57af67d iptables: constify option struct
88231c4 ebtables-compat: load mark target
6b4e167 ebtables-compat: don't make failing extension load fatal
24110b5 libxt_comment: silence truncation warning
98fc8ce xtables-compat: only validate the xtables builtin tables
9d9b724 xtables-compat: skip unsupported tables
59d15cf xtables-compat: also validate priorities and hook points match expected values
eb35854 xtables-compat: fix snprintf truncation warnings
fc04c8a extensions: CLUSTERIP: do not allow --local-node 0
eb2c052 extensions: CLUSTERIP: add tests
ca3c397 iptables: add xtables-translate.8 manpage
5beb158 extensions: libxt_bpf: Fix build with old kernel versions
147a891 extenstions: ecn: add tcp ecn/cwr translation
ed928a8 extensions: add tests for comp match options
632ace7 xtables-compat-multi.c: Allow symlink of ebtables
d7ccc68 iptables: add xtables-compat.8 manpage
043da5b extensions: connmark: remove non-working translation
a93b502 extensions: prefer plain 'set' over 'set mark and'
577b7e2 xtables-compat-restore: use correct hook priorities

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2018-12-08 10:54:09 +01:00
Rosen Penev
26dcaf58ee comgt: Fix 3g.sh permissions
3g.sh needs to be executable. 600 is not correct for that.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-12-06 08:42:39 +01:00
Florian Eckert
675eb747aa openvpn: add list element parsing
For the parameters tls-cipher and ncp-ciphers more than one option can
be used in the OpenVPN configuration, separated by a colon, which should
be implemented as a list in order to configure it more clearly. By
adding the new OPENVPN_LIST option to the openvpn.options file with the
tls-cipher and ncp-cipher parameters, uci can now add this option as a
"list" and the init script will generate the appropriate OpenVPN
configuration from it.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-12-03 09:54:03 +01:00
Hans Dedecker
493c1d1766 odhcpd: update to latest git HEAD
d404c7e netlink: fix triggering of NETEV_ADDR6LIST_CHANGE event
ae6cf80 config: correctly break string for prefix filter

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-29 21:46:12 +01:00
Jo-Philipp Wich
3082370551 openvpn: update to 2.4.6
Update the OpenVPN package to version 2.4.6, refresh patches and drop
menuconfig options which are not supported upstream anymore.

Also fix the x509-alt-username configure flag - it is not supported
by mbedtls and was syntactically wrong in the Makefile - and the
port-share option which has been present in menuconfig but not been
used in the Makefile.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-11-28 22:10:19 +01:00
Jo-Philipp Wich
56378bc12d uhttpd: update to latest Git head
cdfc902 cgi: escape url in 403 error output
0bba1ce uhttpd: fix building without TLS and Lua support
2ed3341 help: document -A option
fa5fd45 file: fix CPP syntax error
77b774b build: avoid redefining _DEFAULT_SOURCE

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-11-28 12:55:50 +01:00
Hans Dedecker
533f7673ae netifd: update to latest git HEAD
dfa4ede interface: fix return code of __interface_add()
a82a8f6 netifd: fix resource leak on error in netifd_add_dynamic()
fa2403d config: fix resource leaks on error in config_parse_interface()
85de9de interface: fix memory leak on error in __interface_add()

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-26 15:33:45 +01:00
Jason A. Donenfeld
48d8d46d33 wireguard: bump to 0.0.20181119
* chacha20,poly1305: fix up for win64
* poly1305: only export neon symbols when in use
* poly1305: cleanup leftover debugging changes
* crypto: resolve target prefix on buggy kernels
* chacha20,poly1305: don't do compiler testing in generator and remove xor helper
* crypto: better path resolution and more specific generated .S
* poly1305: make frame pointers for auxiliary calls
* chacha20,poly1305: do not use xlate

This should fix up the various build errors, warnings, and insertion errors
introduced by the previous snapshot, where we added some significant
refactoring. In short, we're trying to port to using Andy Polyakov's original
perlasm files, and this means quite a lot of work to re-do that had stableized
in our old .S.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-11-19 22:15:02 +01:00
Hans Dedecker
8e409f476b netifd: update to latest git HEAD
4b83102 treewide: switch to C-code style comments
70506bf treewide: make some functions static
d9872db interface: fix removal of dynamic interfaces
2f7ef7d interface: rework code to get rid of interface_set_dynamic

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-19 10:15:26 +01:00
Jason A. Donenfeld
bf52c968e8 wireguard: bump to 0.0.20181115
* Zinc no longer ships generated assembly code. Rather, we now
  bundle in the original perlasm generator for it. The primary purpose
  of this snapshot is to get testing of this.
* Clarify the peer removal logic and make lifetimes more precise.
* Use READ_ONCE for is_valid and is_dead.
* No need to use atomic when the recounter is mutex protected.
* Fix up macros and annotations in allowedips.
* Increment drop counter when staged packets are dropped.
* Use static constants instead of enums for 64-bit values in selftest.
* Mark large constants as ULL in poly1305-donna64.
* Fix sparse warnings in allowedips debugging code.
* Do not use wg_peer_get_maybe_zero in timer callbacks, since we now can
  carefully control the lifetime of these functions and ensure they never
  execute after dropping the last reference.
* Cleanup hashing in ratelimiter.
* Do not guard timer removals, since del_timer is always okay.
* We now check for PM_AUTOSLEEP, which makes the clear*on-suspend decision a
  bit more general.
* Set csum_level to ~0, since the poly1305 authenticator certainly means
  that no data was modified in transit.
* Use CHECKSUM_PARTIAL check for skb_checksum_help instead of
  skb_checksum_setup check.
* wg.8: specify that wg(8) shows runtime info too
* wg.8: AllowedIPs isn't actually required
* keygen-html: add missing glue macro
* wg-quick: android: do not choke on empty allowed-ips

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-11-16 09:23:02 +01:00
Kevin Darbyshire-Bryant
3a6bddd7f7 hostapd: add utf8_ssid flag & enable as default
SSIDs may contain UTF8 characters but ideally hostapd should be told
this is the case so it can advertise the fact. Default enable this
option.

add uci option utf8_ssid '0'/'1' for disable/enable e.g.

config wifi-iface
	option utf8_ssid '0'

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-11-14 17:41:18 +00:00
Petr Štetiar
1b4b942bce Revert "iptables: fix dependency for libip6tc on IPV6"
This patch reverts commit 2dc1f54b12 as it
breaks the build for me on x86-64 if I've IPV6 support disabled. Same config
builds fine on `openwrt-18.06` branch at 55d078b2.

  $ grep IPV6 .config

  # CONFIG_KERNEL_IPV6 is not set
  # CONFIG_IPV6 is not set

Build errors out on:

  Package libiptc is missing dependencies for the following libraries:
  libip6tc.so.0

Looking at iptables-1.6.2/libiptc/Makefile.am:

  libiptc_la_LIBADD   = libip4tc.la libip6tc.la

and to iptables-1.6.2/libiptc/libiptc.pc.in:

  Requires:	libip4tc libip6tc

It seems that libiptc needs v4/v6 libs, so v6 isn't optional.

Cc: Rosy Song <rosysong@rosinson.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2018-11-10 18:50:29 +01:00
Hans Dedecker
5617e138bd ethtool: update to 4.19
8a1ad80 Release version 4.19.
ecdf295 ethtool: Fix uninitialized variable use at qsfp dump
98c148e ethtool: better syntax for combinations of FEC modes
d4b9f3f ethtool: support combinations of FEC modes

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-10 13:44:09 +01:00
Hans Dedecker
559635dbb6 iproute2: update to 4.19.0
Update to the latest version of iproute2; see https://lwn.net/Articles/769354/
for a full overview of the changes in 4.19.
Remove 190-add-cake-to-tc patch as CAKE qdisc is now supported in 4.19.0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-08 11:09:13 +01:00
Alexander Couzens
900005ee75
iperf: allow non-ipv6 builds
Add configure argument --disable-ipv6 when ipv6 is deselected.
Add fix-non-ipv6-builds.patch as long there is no new upstream
release.

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2018-11-03 02:36:24 +01:00
Hans Dedecker
c9f5934c71 curl: noop commit to refer CVEs fixed in 7.62.0
When bumping Curl to 7.62.0 in commit 278e4eba09 I did not include the fixed
CVEs in the commit message; this commit fixes this.

The following CVEs were fixed in 7.62.0 :

CVE-2018-16839
CVE-2018-16840
CVE-2018-16842

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-02 13:16:13 +01:00
Hans Dedecker
278e4eba09 curl: bump to 7.62.0
Refresh patches, for changes in version 7.62.0 see https://curl.haxx.se/changes.html#7_62_0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-31 23:06:42 +01:00
Kevin Darbyshire-Bryant
3dba852547 dnsmasq: tighten config file permissions
Install following as config files (600) perms instead of as data (644)

/usr/share/dnsmasq/dhcpbogushostname.conf
/usr/share/dnsmasq/trust-anchors.conf
/usr/share/dnsmasq/rfc6761.conf
/etc/hotplug.d/ntp/25-dnsmasqsec
/etc/config/dhcp
/etc/dnsmasq.conf

dnsmasq reads relevant config files before dropping root privilege and
running as dnsmasq:dnsmasq

ntpd runs as root so the hotplug script is still accessible

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-30 09:25:32 +00:00
Kevin Darbyshire-Bryant
6c4d3d705a dnsmasq: bump to v2.80
dnsmasq v2.80 release

Change from rc1:

91421cb Fix compiler warning.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-19 17:36:02 +01:00
Hans Dedecker
15a59e3e08 iproute2: install ip-tiny and ip-full in /usr/libexec
Install the ip-tiny and ip-full variants in /usr/libexec as the suffixed
ip variants are not meant to be called directly

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-18 17:15:51 +02:00
Jason A. Donenfeld
4653818dab wireguard: bump to 0.0.20181018
ba2ab5d version: bump snapshot
5f59c76 tools: wg-quick: wait for interface to disappear on freebsd
ac7e7a3 tools: don't fail if a netlink interface dump is inconsistent
8432585 main: get rid of unloaded debug message
139e57c tools: compile on gnu99
d65817c tools: use libc's endianness macro if no compiler macro
f985de2 global: give if statements brackets and other cleanups
b3a5d8a main: change module description
296d505 device: use textual error labels always
8bde328 allowedips: swap endianness early on
a650d49 timers: avoid using control statements in macro
db4dd93 allowedips: remove control statement from macro by rewriting
780a597 global: more nits
06b1236 global: rename struct wireguard_ to struct wg_
205dd46 netlink: do not stuff index into nla type
2c6b57b qemu: kill after 20 minutes
6f2953d compat: look in Kbuild and Makefile since they differ based on arch
a93d7e4 create-patch: blacklist instead of whitelist
8d53657 global: prefix functions used in callbacks with wg_
123f85c compat: don't output for grep errors

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-10-18 08:55:01 +02:00
Hans Dedecker
db6f9d5598 netifd: update to latest git HEAD
841b5d1 system-linux: enable by default ignore encaplimit for grev6 tunnels
125cbee system-linux: fix a typo in gre tunnel data parsing logic

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-17 11:18:30 +02:00
Hans Dedecker
3d015e971f gre: make encaplimit support configurable
Make inclusion of the destination option header containing the tunnel
encapsulation limit configurable for IPv6 GRE packets.
Setting the uci parameter encaplimit to ignore; allows to disable the
insertion of the destination option header in the IPv6 GRE packets.
Otherwise the tunnel encapsulation limit value can be set to a value
from 0 till 255 by setting the encaplimit uci parameter accordingly.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-17 11:18:20 +02:00
Kevin Darbyshire-Bryant
1063d904b7 hostapd: add basic variant
Add a basic variant which provides WPA-PSK only, 802.11r and 802.11w and
is intended to support 11r & 11w (subject to driver support) out of the
box.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-16 15:07:41 +01:00
Rosy Song
fd09e251e9 ppp: don't start ppp with IPv6 support if ipv6 is not supported
Signed-off-by: Rosy Song <rosysong@rosinson.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-16 14:31:45 +02:00
Jo-Philipp Wich
3e633bb370 hostapd: fix MAC filter related log spam
Backport two upstream fixes to address overly verbose logging of MAC ACL
rejection messages.

Fixes: FS#1468
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-10-16 12:11:20 +02:00
Christian Lamparter
583466bb5b dnsmasq: fix dnsmasq failure to start when ujail'd
This patch fixes jailed dnsmasq running into the following issue:

|dnsmasq[1]: cannot read /usr/share/dnsmasq/dhcpbogushostname.conf: No such file or directory
|dnsmasq[1]: FAILED to start up
|procd: Instance dnsmasq::cfg01411c s in a crash loop 6 crashes, 0 seconds since last crash

Fixes: a45f4f50e1 ("dnsmasq: add dhcp-ignore-names support - CERT VU#598349")

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[bump package release]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-16 10:39:59 +01:00
Kevin Darbyshire-Bryant
b8bc672f24 dnsmasq: bump to v2.80rc1
53792c9 fix typo
df07182 Update German translation.

Remove local patch 001-fix-typo which is a backport of the above 53792c9

There is no practical difference between our test8 release and this rc
release, but this does at least say 'release candidate'

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-16 08:39:21 +01:00
Hans Dedecker
39e5e17045 dnsmasq: fix compile issue
Fix compile issue in case HAVE_BROKEN_RTC is enabled

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-15 13:42:55 +02:00
Hauke Mehrtens
4c3fae4adc hostapd: Add WPA-EAP-SUITE-B-192 (WPA3-Enterprise)
This adds support for the WPA3-Enterprise mode authentication.

The settings for the WPA3-Enterpriese mode are defined in
WPA3_Specification_v1.0.pdf. This mode also requires ieee80211w and
guarantees at least 192 bit of security.

This does not increase the ipkg size by a significant size.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:15 +02:00
Hauke Mehrtens
18c6c93a3b hostapd: Activate Opportunistic Wireless Encryption (OWE)
OWE is defined in RFC 8110 and provides encryption and forward security
for open networks.

This is based on the requirements in the Wifi alliance document
Opportunistic_Wireless_Encryption_Specification_v1.0_0.pdf
The wifi alliance requires ieee80211w for the OWE mode.
This also makes it possible to configure the OWE transission mode which
allows it operate an open and an OWE BSSID in parallel and the client
should only show one network.

This increases the ipkg size by 5.800 Bytes.
Old: 402.541 Bytes
New: 408.341 Bytes

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:15 +02:00
Hauke Mehrtens
4a009a16d2 hostapd: Activate Simultaneous Authentication of Equals (SAE)
This build the full openssl and wolfssl versions with SAE support which
is the main part of WPA3 PSK.

This needs elliptic curve cryptography which is only provided by these
two external cryptographic libraries and not by the internal
implementation.

The WPA3_Specification_v1.0.pdf file says that in SAE only mode
Protected Management Frames (PMF) is required, in mixed mode with
WPA2-PSK PMF should be required for clients using SAE, and optional for
clients using WPA2-PSK. The defaults are set now accordingly.

This increases the ipkg size by 8.515 Bytes.
Old: 394.026 Bytes
New: 402.541 Bytes

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:15 +02:00
Hauke Mehrtens
a1ad1144b6 hostapd: SAE: Do not ignore option sae_require_mfp
This patch was send for integration into the hostapd project.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:14 +02:00
Hauke Mehrtens
779773a0de hostapd: backport build fix when OWE is activated
This backports a compile fix form the hostapd project.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:14 +02:00
Hauke Mehrtens
4b93b03577 hostapd: sync config with default configuration
This replaces the configuration files with the versions from the hostapd
project and the adaptions done by OpenWrt.

The resulting binaries should be the same.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:14 +02:00
Hauke Mehrtens
8f7a2bd084 netifd: update to latest git HEAD
22476ff wireless: Add Simultaneous Authentication of Equals (SAE)
c6c3a0d wireless: Add Opportunistic Wireless Encryption (OWE)
a117e41 wireless: Add WPA-EAP-SUITE-B-192 (WPA3-Enterprise)

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:08 +02:00
Florian Eckert
71865200c9 uqmi: fix variable initilization for timeout handling
Also add logging output for SIM initilization.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-12 09:36:05 +02:00
Florian Eckert
4cabda8b7d uqmi: update PKG_RELEASE version
update PKG_RELEASE

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
0c9d06b5b2 uqmi: stop proto handler if verify pin count is not 3
Check pin count value from pin status and stop verification the pin if
the value is less then 3. This should prevent the proto-handler to
lock the SIM. If SIM is locked then the PUK is needed.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
4b80bd878d uqmi: evaluate pin-status output in qmi_setup function
Load the json output from uqmi --get-pin-status command and evaluate the
"pin1_status" value.

The following uqmi "pin1_status" values are evaluated:

- disabled
  Do not verify PIN because SIM verification is disabled on this SIM

- blocked
  Stop qmi_setup because SIM is locked and a PUK is required

- not_verified
  SIM is not yet verified. Do a uqmi --verify-pin1 command if a SIM is
  specified

- verified:
  Do not verify the PIN because this was already done before

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
f171a86d06 uqmi: do not block proto handler if SIM is uninitialized
QMI proto setup-handler will wait forever if SIM does not get initialized.
To fix this stop polling pin status and notify netifd. Netifd will generate
then a "ifup-failed" ACTION.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
dec1bfa0f4 uqmi: do not block proto handler if modem is unable to registrate
QMI proto setup-handler will wait forever if it is unable to registrate to
the mobile network. To fix this stop polling network registration status
and notify netifd. Netifd will generate then a "ifup-failed" ACTION.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
dee93def39 uqmi: add timeout option value
This value will be used for now during following situations:
* Ask the sim with the uqmi --get-pin-status command.
* Wait for network registration with the uqmi --get-serving-system command.

This two commands wait forever in a while loop. Add a timeout to stop
waiting and so inform netifd.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
2d57aa9c4c uqmi: redirect uqmi commands output to /dev/null
Move uqmi std and error output on commands without using them to /dev/null.
This will remove useless outputs in the syslog.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
Florian Eckert
692c6d9a5d uqmi: fix indenting
fix indenting

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-10-11 12:18:16 +02:00
John Crispin
3e8ef61c01 package/: fix $(PROJECT_GIT) usage
Signed-off-by: John Crispin <john@phrozen.org>
2018-10-11 08:42:52 +02:00
Rosen Penev
4572d996a4 linux-atm: Install hotplug file as 600
The hotplug files is only used by procd, which runs as root.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-10-11 08:06:35 +02:00
Rosen Penev
c7144ec688 comgt: Install hotplug and netifd files as 600
procd and netifd both run as root. These files are not used elsewhere.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-10-11 08:06:28 +02:00
Rosen Penev
f5ddbd695b samba36: Install several config files as 600
Hotplug is managed by procd, which runs as root. The other files are used
by root as well.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-10-11 08:06:18 +02:00
Rosen Penev
745c3acd64 soloscli: Install hotplug file as 600
Hotplug is managed by procd, which runs as root.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-10-11 08:06:09 +02:00
Rosen Penev
49065d227a firewall: Install config files as 600
None of the files in firewall are used by non-root.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-10-11 08:05:41 +02:00
Kevin Darbyshire-Bryant
a45f4f50e1 dnsmasq: add dhcp-ignore-names support - CERT VU#598349
dnsmasq v2.80test8 adds the ability to ignore dhcp client's requests for
specific hostnames.  Clients claiming certain hostnames and thus
claiming DNS namespace represent a potential security risk. e.g. a
malicious host could claim 'wpad' for itself and redirect other web
client requests to it for nefarious purpose. See CERT VU#598349 for more
details.

Some Samsung TVs are claiming the hostname 'localhost', it is believed
not (yet) for nefarious purposes.

/usr/share/dnsmasq/dhcpbogushostname.conf contains a list of hostnames
in correct syntax to be excluded. e.g.

dhcp-name-match=set:dhcp_bogus_hostname,localhost

Inclusion of this file is controlled by uci option dhcpbogushostname
which is enabled by default.

To be absolutely clear, DHCP leases to these requesting hosts are still
permitted, but they do NOT get to claim ownership of the hostname
itself and hence put into DNS for other hosts to be confused/manipulate by.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-09 09:45:16 +01:00
Kevin Darbyshire-Bryant
3925298f3c wireguard: bump to 0.0.20181007
64750c1 version: bump snapshot
f11a2b8 global: style nits
4b34b6a crypto: clean up remaining .h->.c
06d9fc8 allowedips: document additional nobs
c32b5f9 makefile: do more generic wildcard so as to avoid rename issues
20f48d8 crypto: use BIT(i) & bitmap instead of (bitmap >> i) & 1
b6e09f6 crypto: disable broken implementations in selftests
fd50f77 compat: clang cannot handle __builtin_constant_p
bddaca7 compat: make asm/simd.h conditional on its existence
b4ba33e compat: account for ancient ARM assembler

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-09 09:11:58 +01:00
Kevin Darbyshire-Bryant
30cc5b0bf4 dnsmasq: bump to v2.80test8
e1791f3 Fix logging of DNSSEC queries in TCP mode. Destination server address was misleading.
0fdf3c1 Fix dhcp-match-name to match hostname, not complete FQDN.
ee1df06 Tweak strategy for confirming SLAAC addresses.
1e87eba Clarify manpage for --auth-sec-servers
0893347 Make interface spec optional in --auth-server.
7cbf497 Example config file fix for CERT Vulnerability VU#598349.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-10-07 16:42:12 +01:00