Commit Graph

1808 Commits (41b63b50d1c70bb00319580a3de4eb90691cfd28)

Author SHA1 Message Date
John Crispin 41164ba2dc odhcpd: update to latest git HEAD
Signed-off-by: John Crispin <john@phrozen.org>
2016-11-21 12:04:23 +01:00
Magnus Kroken a74394be00 openvpn: update to 2.3.13
Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-11-21 10:11:53 +01:00
Matthias Schiffer c18bf14dab
hostapd: fix PKG_CONFIG_DEPENDS for CONFIG_WPA_SUPPLICANT_*
These symbols don't affect wpa-supplicant only, but also wpad.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-11-16 20:59:17 +01:00
Hans Dedecker e58f3f515f odhcpd: Add reload support
odhcpd daemon has hitless config reload support by means of the
sighup signal; add reload_service function which uses sighup
signal to reload the config

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-11-14 20:35:13 +01:00
Ralph Sennhauser 32cfd3bd50 arptables: bump to 2015-05-20
This fixes building with musl and drops the dependency on the OpenWrt
kernel-header patches:

  270-uapi-kernel.h-glibc-specific-inclusion-of-sysinfo.h.patch
  271-uapi-libc-compat.h-do-not-rely-on-__GLIBC__.patch
  272-uapi-if_ether.h-prevent-redefinition-of-struct-ethhd.patch

Use the new upstream location at netfilter.org and use a define instead
of a patch to "optimize".

See also: https://git.netfilter.org/arptables/log/

Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
[Jo-Philipp Wich: add mirror SHA256 sum]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-11-14 13:14:30 +01:00
Jo-Philipp Wich dc7c9f590a conntrack-tools: update to v1.4.4
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-11-14 13:03:53 +01:00
Rafał Miłecki fc93494066 iw: fix build error caused by redeclaration of NL80211_ATTR_PAD
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Fixes: 7aff00ab19 ("iw: update to version 4.9")
2016-11-12 16:30:06 +01:00
Rafał Miłecki 7aff00ab19 iw: update to version 4.9
This adds support for "channels" command which displays more details
about channels. It includes e.g. info about available widths.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2016-11-12 16:09:19 +01:00
Rafał Miłecki 7305b55588 iw: update to version 4.7
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2016-11-12 16:04:16 +01:00
Jo-Philipp Wich 113544dccf firewall: update to fix FS#31, FS#73, FS#154, FS#248
Update to latest Git head in order to import several fixes and enhancements.

- Disable drop invalid by default (FS#73, FS#154)

  Instead of dropping packets with conntrack state INVALID, only allow streams
  with explicit NEW or UNTRACKED conntrack state.

  This change gives user defined rules the chance to accept traffic like ICMPv6
  multicast which would be filtered away by the very early ctstate INVALID drop
  rule otherwise.

  The old behaviour can be restored by explicitely setting "drop_invalid" to 1
  in the global firewall config section.

- Fix re-initialization of loadable iptables extensions on musl (FS#31)

  Since musl does not implement actual dlclose() semantics, it is impossible to
  re-run initializers on subsequent dlopen() calls.

  The firewall3 executable now intercepts the extension registration calls
  instead in order to be able to re-call them when needed.

  This also allowed us to switch to libxtables' builtin extension loader as a
  positive side-effect.

- Fix masquerade rules for multiple negated IP addresses (FS#248)

  When building MASQUERADE rules for zones which specify multiple negated
  addresses in masq_src or masq_dest, emit -j RETURN rules which jump out of
  the masquerading chain instead of creating multiple rules with inverted "-s"
  arguments.

- Tag own rules using comments

  Instead of relying on the nonstandard xt_id match, use the xt_comment match
  to mark own rules. Existing comments are prefixed with "!fw3: " while
  uncommented rules are marked with a sole "!fw3" string.

  This allows removing the xt_id match entirely in a later commit.

- Make missing ubus connection nonfatal

  Technically, firewall3 is able to operate without ubus just fine as long as
  the zones are declared using "option device" or "option subnet" instead of
  "option network" so do not abort execution if ubus could not be connected or
  of no network namespace is exported in ubus.

  This allows running firewall3 on ordinary Linux systems.

- Fix conntrack requirement detection for indirectly connected zones

  The current code fails to apply the conntrack requirement flag recursively to
  zones, leading to stray NOTRACK rules which break conntrack based traffic
  policing.

  Change the implementation to iteratively reapply the conntrack fixup logic
  until no more zones had been changed in order to ensure that all directly and
  indirectly connected zones receive the conntrack requirement flag.

- Add support for iptables 1.6.x

  Adds support for the xtables version 11 api in order to allow building
  against iptables 1.6.x

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-11-08 11:35:50 +01:00
Christian Lamparter 9c91335dc7 iperf3: update to version 3.1.4
"This release fixes a few minor bugs, including a
(non-security-impacting) buffer overflow fix ported
from upstream cjson."
<http://software.es.net/iperf/news.html#iperf-3-1-4-released>

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2016-11-08 11:17:11 +01:00
Hans Dedecker a50243ea1f dnsmasq: Support add-mac option
Adds the mac address of the DNS requestor to DNS queries which
are forwarded upstream and can be used to do filtering by the
upstream servers. This only works if the requestor is on the
same subnet as the dnsmasq server

The addmac parameter can hold the following values:
	0 : mac address is not added
	1 : mac address is added in binary format
	base64 : mac address is added base64 encoded
	text: : mac address is added in human readable format
		as hex and colons

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-11-08 11:17:10 +01:00
Alberto Bursi e4fef72244 comgt: move to WWAN submenu, fixed link
moving comgt and its modules to WWAN submenu to join uqmi as both are tools for WWAN modems.

I replaced the link with comgt's ubuntu manpage because the old link isn't working anymore.

Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
2016-11-08 11:17:10 +01:00
Alberto Bursi 9abdeee0b7 uqmi: moved to WWAN submenu
Moving uqmi to WWAN submenu

Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
2016-11-08 11:17:10 +01:00
Cezary Jackiewicz 862e7fb7b3 gcom: Fix 'mode' option for ncm
For Huawei devices like E3372 proper command for set lte mode is:

AT^SYSCFGEX="03",3fffffff,2,4,7fffffffffffffff,,

Eval is required for proper quotation.

Without this fix:

Fri Nov  4 19:07:49 2016 daemon.notice netifd: Interface 'wan' is setting up now
Fri Nov  4 19:07:52 2016 daemon.notice netifd: wan (2060): sending -> AT
Fri Nov  4 19:07:52 2016 daemon.notice netifd: wan (2060): sending -> ATZ
Fri Nov  4 19:07:53 2016 daemon.notice netifd: wan (2060): sending -> ATQ0
Fri Nov  4 19:07:53 2016 daemon.notice netifd: wan (2060): sending -> ATV1
Fri Nov  4 19:07:54 2016 daemon.notice netifd: wan (2060): sending -> ATE1
Fri Nov  4 19:07:55 2016 daemon.notice netifd: wan (2060): sending -> ATS0=0
Fri Nov  4 19:07:55 2016 daemon.notice netifd: wan (2060): sending -> AT+CGDCONT=1,"IP","internet"
Fri Nov  4 19:07:57 2016 daemon.notice netifd: wan (2060): sending -> AT^SYSCFGEX=\"03\",3fffffff,2,4,7fffffffffffffff,,
Fri Nov  4 19:07:58 2016 daemon.notice netifd: wan (2060): Error running AT-command
Fri Nov  4 19:07:58 2016 daemon.notice netifd: wan (2060): Failed to set operating mode
Fri Nov  4 19:07:58 2016 daemon.notice netifd: wan (2092): Stopping network
...

With this fix:

Fri Nov  4 19:10:59 2016 daemon.notice netifd: Interface 'wan' is setting up now
Fri Nov  4 19:11:01 2016 daemon.notice netifd: wan (2539): sending -> AT
Fri Nov  4 19:11:01 2016 daemon.notice netifd: wan (2539): sending -> ATZ
Fri Nov  4 19:11:02 2016 daemon.notice netifd: wan (2539): sending -> ATQ0
Fri Nov  4 19:11:03 2016 daemon.notice netifd: wan (2539): sending -> ATV1
Fri Nov  4 19:11:03 2016 daemon.notice netifd: wan (2539): sending -> ATE1
Fri Nov  4 19:11:04 2016 daemon.notice netifd: wan (2539): sending -> ATS0=0
Fri Nov  4 19:11:05 2016 daemon.notice netifd: wan (2539): sending -> AT+CGDCONT=1,"IP","internet"
Fri Nov  4 19:11:06 2016 daemon.notice netifd: wan (2539): sending -> AT^SYSCFGEX="03",3fffffff,2,4,7fffffffffffffff,,
Fri Nov  4 19:11:07 2016 daemon.notice netifd: wan (2539): sending -> AT^NDISDUP=1,1,"internet"
Fri Nov  4 19:11:08 2016 daemon.notice netifd: wan (2539): Connected, starting DHCP on wwan0
Fri Nov  4 19:11:08 2016 daemon.notice netifd: Interface 'wan' is now up
Fri Nov  4 19:11:08 2016 daemon.notice netifd: Network device 'wwan0' link is up
Fri Nov  4 19:11:08 2016 daemon.notice netifd: Network alias 'wwan0' link is up
Fri Nov  4 19:11:08 2016 daemon.notice netifd: Interface 'wan_4' is enabled
Fri Nov  4 19:11:08 2016 daemon.notice netifd: Interface 'wan_4' has link connectivity
Fri Nov  4 19:11:08 2016 daemon.notice netifd: Interface 'wan_4' is setting up now
...

Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
2016-11-08 05:49:58 +01:00
Karl Palsson df1804b75c dnsmasq: support log-dhcp option
Helpful when trying to resolve issues with quirky dhcp client devices.

Signed-off-by: Karl Palsson <karlp@etactica.com>
2016-11-02 10:25:44 +01:00
Jo-Philipp Wich eb10b13f16 iproute2: rename ip to ip-tiny and let both ip-tiny and ip-full provide "ip"
Rename the "ip" package declaration to "ip-tiny" and let both "ip-tiny" and
"ip-full" provide the virtual "ip" package. This allows users to freely choose
the "ip" command variant while other packages can continue to depend on "ip"
without needing to enforce a specific variant.

Note that this commit does not add busybox as "ip" provider due to
the following reasons:

 - The builtin Busybox ip applet cannot be added or removed at runtime
 - Both "ip-tiny" and "ip-full" are able to install without file clashes even
   if the busybox applet is enabled
 - The system is preferring full "ip-tiny" and "ip-full" at runtime, even
   if Busybox ip is still present.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-11-02 02:33:30 +01:00
Alexis Green 12f0d5402c hostapd: properly package wpa-supplicant-mesh
Ensure that selecting the wpa-supplicant-mesh package actually packages the
wpa_supplicant binary with SAE support and add missing dependency on OpenSSL.

Signed-off-by: Alexis Green <alexis@cessp.it>
[Jo-Philipp Wich: slightly reword commit message for clarity]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-10-31 13:46:01 +01:00
Petr Konecny 6797a10fa1 hostapd support for VLANs through a file in addition to Radius.
Signed-off-by: Petr Konecny <pekon@google.com>
2016-10-31 13:24:58 +01:00
Daniel Dickinson 98c86e2970 uhttpd: Add Basic Auth config
We add an 'httpauth' section type that contains the options:

prefix: What virtual or real URL is being protected
username: The username for the Basic Auth dialogue
password: Hashed (crypt()) or plaintext password for the Basic Auth dialogue

httpauth section names are given included as list
items to the instances to which they are to be applied.

Further any existing httpd.conf file (really whatever
is configured in the instance, but default of
/etc/httpd.conf) is appended to the per-instance httpd.conf

Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
2016-10-31 13:22:51 +01:00
Alexandru Ardelean b7fadb12b7 lldpd: freeze execution of lldpd during reload
During reload, we could send invalid information to the other
side and confuse it.

That's why, during reload we'll pause execution, do the reconfig
and resume + update when reload is done.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-31 12:51:15 +01:00
Alexandru Ardelean 909f063066 lldpd: fix reload function for when interfaces change
The problem is that interfaces are specified at start as
command line arguments, making them unchange-able via reload.

That means, we have to move (since lldpd allows this) the
interfaces-match-pattern option to be in a config file and reload
the configuration.
It's either that, or do a 'restart'.

Since we're generating the lldpd.conf file, we'll have to
move the 'sysconfdir' of lldpd to /tmp, where the files will
get written ; this will prevent any unncessary flash writes.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-31 12:51:15 +01:00
John Crispin 1e3c4f763c openvpn: cacert does not exist
cacert is really called ca and already in the script

Signed-off-by: John Crispin <john@phrozen.org>
2016-10-27 19:53:01 +02:00
John Crispin 0ec48b883c openvpn: add handling for capath and cafile
Signed-off-by: John Crispin <john@phrozen.org>
2016-10-27 15:19:59 +02:00
Daniel Engberg dc8605b7f7 package/network/utils/ipset: Update to 6.30
Updates to 6.30

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-10-27 13:16:50 +02:00
John Crispin 83ece71d63 netifd: update to latest git HEAD
Signed-off-by: John Crispin <john@phrozen.org>
2016-10-27 12:45:05 +02:00
Hans Dedecker a35f9bbc43 dnsmasq: Multiple dnsmasq instances support
Adds support in uci for configuring multiple dnsmasq instances via
multiple dnsmasq sections.
The uci sections host, boot, mac, tag, vendorclass, userclass,
circuitid, ... will refer to a dnsmasq instance via the instance
parameter defined in the section; if the instance parameter is
not specified backwards compatibility is preserved.

Start/Stopping a dnsmasq instance can be achieved by passing the
dnsmasq instance name as argument to start/stop via the init script.

Multiple dnsmasq instances is usefull in scenarios where you want to
bind a dnsmasq instance to an interface in order to isolate networks.

This patch is a rework of a multiple dnsmasq instance patch by Daniel Dickinson

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-10-26 17:53:53 +02:00
Hans Dedecker 311682905e ipip: Support fqdn as remote tunnel endpoint
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-10-26 17:53:53 +02:00
Hannu Nyman 9097dc5ad8 uhttpd: create self-signed certificates with unique subjects
Add a partially random O= item to the certificate subject in order
to make the automatically generated certificates' subjects unique.

Firefox has problems when several self-signed certificates
with CA:true attribute and identical subjects have been
seen (and stored) by the browser. Reference to upstream bugs:
https://bugzilla.mozilla.org/show_bug.cgi?id=1147544
https://bugzilla.mozilla.org/show_bug.cgi?id=1056341
https://bugzilla.redhat.com/show_bug.cgi?id=1204670#c34

Certificates created by the OpenSSL one-liner fall into that category.

Avoid identical certificate subjects by including a new 'O=' item
with CommonName + a random part (8 chars). Example:
/CN=LEDE/O=LEDEb986be0b/L=Unknown/ST=Somewhere/C=ZZ

That ensures that the browser properly sees the accumulating
certificates as separate items and does not spend time
trying to form a trust chain from them.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-10-26 15:16:52 +02:00
Hannu Nyman 82132540a3 uhttpd: prefer px5g for certificate creation
Prefer the old default 'px5g' for certificate creation
as Firefox seems to dislike OpenSSL-created certs.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-10-26 15:16:51 +02:00
Baptiste Jonglez 89817614bb netifd: Request DHCP option 121 (classless route) by default
This option, defined by RFC3442, allows a DHCP server to send static
routes to a client.  But the client has to request this option
explicitely.

Static routes are useful when the gateway configured by DHCP cannot be
in the same subnet as the client.  This happens, for instance, when
using DHCP to hand out addresses in /32 subnets.

A new configuration option "classlessroute" is available, allowing
users to disable this feature (the option defaults to true).

Other DHCP clients already request this option by default (dhcpcd, for
instance, and possibly Windows).  If a DHCP server does not support
this option, it will simply ignore it.

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2016-10-26 15:16:51 +02:00
Simon Hailes 86c6b07e15 wwan: rename data files
This is to ensure that git can be cloned onto a windows drive without failing.

Signed-off-by: Simon Hailes <btsimonh@googlemail.com>
2016-10-26 15:16:51 +02:00
Marcin Jurkowski 85fbffd74b qmi: add metric, defaultroute and peerdns options for qmi protocol
Adds generic network options for qmi protocol dynamic interfaces
as suggested by Felix in
https://lists.openwrt.org/pipermail/openwrt-devel/2016-February/039794.html.

IPv6-related code taken from Bruno's patch https://patchwork.ozlabs.org/patch/584816.

This depends on netifd patch https://patchwork.ozlabs.org/patch/686820/.

Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
Signed-off-by: Bruno Randolf <br1@einfach.org>
2016-10-26 12:37:46 +02:00
Marcin Jurkowski 35129469ca mbim: add metric, defaultroute and peerdns options for mbim protocol
Adds generic network options for mbim protocol dynamic interfaces
as suggested by Felix in
https://lists.openwrt.org/pipermail/openwrt-devel/2016-February/039794.html.

This depends on netifd patch https://patchwork.ozlabs.org/patch/686820/.

Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
2016-10-26 12:37:46 +02:00
Marcin Jurkowski 72eb2b8e22 comgt: add metric, defaultroute and peerdns options for directip protocol
Adds generic network options for directip protocol dynamic interfaces
as suggested by Felix in
https://lists.openwrt.org/pipermail/openwrt-devel/2016-February/039794.html.

This depends on netifd patch https://patchwork.ozlabs.org/patch/686820/.

Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
2016-10-26 12:37:46 +02:00
Marcin Jurkowski c560d25d19 comgt: add metric, defaultroute and peerdns options for ncm protocol
Adds generic network options for ncm protocol dynamic interfaces
as suggested by Felix in
http://lists.openwrt.org/pipermail/openwrt-devel/2016-February/039794.html.

This depends on netifd patch https://patchwork.ozlabs.org/patch/686820/.

Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
2016-10-26 12:37:46 +02:00
Jo-Philipp Wich 81b256ee00 uhttpd: fix handling of special "/" prefix when matching handlers
The special prefix of "/" should match any url by definition but the final
assertion which ensures that the matched prefix ends in '\0' or '/' is causing
matches against the "/" prefix to fail.

Update to current HEAD in order to fix this particular case.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-10-25 16:38:50 +02:00
Felix Fietkau be7f2abb60 iperf: used an updated renamed tarball instead of main upstream URL
iperf upstream added some bugfixes to the already released 2.0.9 version
without changing the filename. This conflicts with old mirrored files
and the hash that we previously used.
To avoid conflict, use a renamed tarball from mirror2.openwrt.org
containing the new upstream changes

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-10-17 11:16:31 +02:00
Alexandru Ardelean a24442c4f3 network/utils/maccalc: drop Build/Prepare rule in favor of default one
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-15 11:36:52 +02:00
Alexandru Ardelean 0af93f8f30 network/utils/rssileds: drop Build/Prepare rule in favor of default one
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-15 11:36:52 +02:00
Alexandru Ardelean 808a618bc4 network/utils/resolveip: drop Build/Prepare rule in favor of default one
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-15 11:36:52 +02:00
Alexandru Ardelean 964f8bc4e5 network/utils/owipcalc: drop Build/Prepare rule in favor of default one
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-15 11:36:52 +02:00
Alexandru Ardelean d0345c6bb6 network/ipv6/map: drop Build/Prepare rule in favor of default one
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-15 11:36:52 +02:00
Alexandru Ardelean 3f8598feaf network/utils/iwcap: drop Build/Prepare rule in favor of default one
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-15 11:36:52 +02:00
Alexandru Ardelean 598722956b network/services/ead: drop Build/Prepare rule in favor of default one
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-15 11:36:52 +02:00
Alexandru Ardelean 8cf08b6783 network/ipv6/6rd: drop Build/Prepare rule in favor of default one
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-15 11:36:52 +02:00
Alexandru Ardelean b8135a5b96 network/config/swconfig: drop Build/Prepare rule in favor of default one
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-15 11:36:52 +02:00
Alexandru Ardelean 58cf9a2476 network/services/hostapd: move whole files outside of patches and drop Build/Prepare rule in favor of default one
This more of a demo for the previous commit that comes with
this one, where I added support for copying source from 'src' to
the build dir(s).

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-15 11:36:51 +02:00
Daniel Engberg 49ee771e6b package/network/services/lldpd: Update to 0.9.5
Updates lldpd to 0.9.5

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-10-15 11:36:51 +02:00
Daniel Engberg 3a136f5c56 packages/network/utils/wpan-tools: Update to 0.7
* Updates to 0.7
* Switches tarball to xz

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-10-15 11:36:50 +02:00
Daniel Engberg 87002c0646 package/network/utils/ipset: Update to 6.29
Updates to 6.29

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-10-15 11:36:50 +02:00
Hans Dedecker 1341b88732 odhcpd: Upstep to git HEAD version
Adds per-host leasetime support
Various bugfixes :
	-Prioritize ifname resolving via ubus
	-Free interface if ifindex cannot be resolved
	-...

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [update mirror sha256]
2016-10-13 17:05:21 +02:00
Felix Fietkau db47363ff7 uqmi: re-enable autoconnect which was dropped without explanation
Fixes a regression in commit 8f24ee638275:
"uqmi: Add proper IPv6 support"

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-10-12 11:58:59 +02:00
Felix Fietkau 3b9b963e6e uqmi: always use DHCP for IPv4
Commit 8f24ee6382 ("uqmi: Add proper IPv6 support") changed the code
to fetch the IPv4 address via QMI by default instead of using DHCP to
make it consistent with the IPv6 codepath.
This breaks on at least some Sierra Wireless cards, where data exchanges
fail to work until the host has fetched a DHCP lease.
Leave v6 as it is, but always use DHCP for v4.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-10-12 11:58:57 +02:00
Felix Fietkau 175b59c59b uhttpd: update to the latest version, adds a small json handler fix
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-10-08 13:50:54 +02:00
Daniel Engberg 9edfe7dd13 source: Switch to xz for packages and tools where possible
* Change git packages to xz
* Update mirror checksums in packages where they are used
* Change a few source tarballs to xz if available upstream
* Remove unused lines in packages we're touching, requested by jow- and blogic
* We're relying more on xz-utils so add official mirror as primary source, master site as secondary.
* Add SHA256 checksums to multiple git tarball packages

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-10-06 12:16:56 +02:00
Hans Dedecker 34528c4807 dslite: Quote resolveip hostname argument
Quote resolveip hostname argument to avoid bad shell injections.
While at it fix pattern match logic in case multiple IPv6 addresses
are returned for a hostname as they're seperated by newline by
resolveip and not a white space

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-10-06 12:16:12 +02:00
Jo-Philipp Wich eb75b6ac1f uhttpd: rename certificate defaults section
Now that the uhttpd init script can generate certificates using openssl as
well, update the section name and related comment to be more generic.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-10-06 11:29:24 +02:00
Felix Fietkau 73c87a3cad hostapd: make -mesh and -p2p variants depend on the cfg80211 symbol
Avoids build failures when the nl80211 driver is disabled

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-10-05 23:02:13 +02:00
Hannu Nyman 3c4858eeb2 uhttpd: support using OpenSSL for certificate generation
Support the usage of the OpenSSL command-line tool for generating
the SSL certificate for uhttpd. Traditionally 'px5g' based on
PolarSSL (or mbedTLS in LEDE), has been used for the creation.

uhttpd init script is enhanced by adding detection of an installed
openssl command-line binary (provided by 'openssl-util' package),
and if found, the tool is used for certificate generation.

Note: After this patch the script prefers to use the OpenSSL tool
if both it and px5g are installed.

This enables creating a truly OpenSSL-only version of LuCI
without dependency to PolarSSL/mbedTLS based px5g.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-10-05 00:48:19 +02:00
Hans Dedecker a79f3d11b3 gre: Support fqdn as remote tunnel endpoint
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-10-04 11:50:51 +02:00
Kevin Darbyshire-Bryant 4ef1144958 iproute2: tc cake qdisc add nat, docsis & ptm modes
Add cake nat de-masquerading mode: nat, nonat.
Also docsis & ptm overhead related keywords: nat, nonat,
ptm, docsis-downstream-ip, docsis-downstream, docsis-upstream-ip
& docsis-upstream.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-10-04 11:50:48 +02:00
Kevin Darbyshire-Bryant 34c2726ca7 iproute2: fix no fortify build failure
Fix rt_names build failure when FORTIFY_SOURCE disabled.
Include limits.h which otherwise gets automatically included
by fortify headers.

Solves FS #194

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-30 10:15:28 +02:00
Felix Fietkau 76af0eff3f netifd: update to the latest version, adds various fixes
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-09-28 09:56:32 +02:00
Jo-Philipp Wich 875cddd94c iwinfo: fix WPA cipher reporting
Within the Lua binding, use the same logic as the command line interface for
reporting the used WPA ciphers. Instead of printing the intersection of
pairwise and group ciphers, report both group and pairwise ciphers.

This fixes a case where a connection which uses CCMP for pairwise and TKIP
as groupwise cipher is getting reported as using the NONE cipher.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-09-27 16:23:48 +02:00
Jo-Philipp Wich 864b2d113a 6in4: fix invalid local variable declaration (FS#188)
Remove an invalid local variable declaration in the tunnel update subshell
invocation. Local declarations outside of function scopes are illegal since
the Busybox update to version 1.25.0 .

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-09-27 16:23:06 +02:00
Matthias Schiffer 77f54eae45
config: enable shadow passwords unconditionally
Configurations without shadow passwords have been broken since the removal
of telnet: as the default entry in /etc/passwd is not empty (but rather
unset), there will be no way to log onto such a system by default. As
disabling shadow passwords is not useful anyways, remove this configuration
option.

The config symbol is kept (for a while), as packages from feeds depend on
it.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-26 17:57:56 +02:00
Hauke Mehrtens df9efc9497 curl: update to version 7.50.3
This fixes the following security problems:
7.50.1:
 CVE-2016-5419 TLS session resumption client cert bypass
 CVE-2016-5420 Re-using connections with wrong client cert
 CVE-2016-5421 use of connection struct after free
7.50.2:
 CVE-2016-7141 Incorrect reuse of client certificates
7.50.3:
 CVE-2016-7167 curl escape and unescape integer overflows

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-09-24 13:48:05 +02:00
Hauke Mehrtens e59bbb6fe2 ltq-vdsl-app: update to version 4.17.18.6
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
2016-09-20 22:43:43 +02:00
Hans Dedecker 32f4777530 dnsmasq: Add match section support
Match sections allow to set a tag specified by the option networkid if the client
sends an option and optionally the option value specified by the match option.
The force option will convert the dhcp-option to force-dhcp-option if set to 1 in
the dnsmasq config if options are specified in the dhcp_option option.

config match
    option networkid tag
    option match 12,myhost
    option force 1
    list dhcp_option '3,192.168.1.1'

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-09-19 15:30:32 +02:00
Florian Fainelli 559f55dffc iwinfo: Bump to 2016-07-29
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2016-09-19 15:30:32 +02:00
Rafał Miłecki e70e3c544a hostapd: fix regression breaking brcmfmac
The latest update of hostapd broke brcmfmac due to upstream regression.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2016-09-13 12:06:42 +02:00
Kevin Darbyshire-Bryant 591755ad1a dnsmasq: make NO_ID optional in full variant
Permit users of the full variant to disable the NO_ID *.bind pseudo
domain masking.

Defaulted 'on' in all variants.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-10 12:17:39 +02:00
Kevin Darbyshire-Bryant 96f0bbe91d dropbear: hide dropbear version
As security precaution and to limit the attack surface based on
the version reported by tools like nmap mask out the dropbear
version so the version is not visible anymore by snooping on the
wire. Version is still visible by 'dropbear -V'

Based on a patch by Hans Dedecker <dedeckeh@gmail.com>

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [remove trailing _]
2016-09-10 12:17:39 +02:00
Kevin Darbyshire-Bryant 03cd416795 dnsmasq: Don't expose *.bind data incl version
Don't expose dnsmasq version & other data to clients via the *.bind
pseudo domain.  This uses a new 'NO_ID' compile time option which has been
discussed and submitted upstream.

This is an alternate to replacing version with 'unknown' which affects
the version reported to syslog and 'dnsmasq --version'

Run time tested with & without NO_ID on Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-08 15:28:38 +02:00
Felix Fietkau 859d940c79 hostapd: update to version 2016-09-05
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-09-08 15:28:38 +02:00
Kevin Darbyshire-Bryant 9209f4304b dnsmasq: fix remove pidfile on shutdown regression
Regression introduced by 3481d0d dnsmasq: run as dedicated UID/GID

dnsmasq is unable to remove its own pidfile as /var/run/dnsmasq is owned
by root and now dnsmasq runs as dnsmasq:dnsmasq.  Change directory
ownership to match.

dnsmasq initially starts as root, creates the pidfile, then drops to
requested non-root user.  Until this fix dnsmasq had insufficient
privilege to remove its own pidfile.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-06 11:26:05 +02:00
Johannes Römer e8cb7d30e9 hostapd: fix typo and indentation in ap_sta_support.patch
Signed-off-by: Johannes Römer <jroemer@posteo.net>
2016-09-05 18:03:24 +02:00
Karl Palsson a4dc9ff934 dropbear: mdns flag is a bool, not integer
Effectively the same for most purposes, but more accurate.

Signed-off-by: Karl Palsson <karlp@etactica.com>
2016-09-05 07:27:16 +02:00
Felix Fietkau 8e0cb8f582 ebtables: fix build with glibc
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-30 12:12:34 +02:00
Felix Fietkau 18c7d1c626 dante: remove -D_GNU_SOURCE to fix build errors with current glibc
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-30 12:12:34 +02:00
Felix Fietkau 98206cb9c6 iperf: add -lm to fix build with newer glibc
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-30 10:51:21 +02:00
Felix Fietkau b0dcb6bfed iperf: drop PKG_BUILD_DIR override
No longer necessary since the removal of build variants

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-30 10:51:21 +02:00
Jo-Philipp Wich 885910225d iwinfo: mark as nonshared
The iwinfo library might get compiled with different backends, depending on
the driver selection of the current target, so mark it as nonshared to avoid
broken libiwinfo support on other targets with same cpu architecture but
different wireless driver types.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-08-25 16:51:57 +02:00
Felix Fietkau 2b0a1292f8 uqmi: update to the latest version, adds QMI-in-MBIM support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-24 15:16:01 +02:00
Magnus Kroken 2653a12c4d openvpn: update to 2.3.12
300-upstream-fix-polarssl-mbedtls-builds.patch has been applied upstream.
Replaced 101-remove_polarssl_debug_call.patch with upstream backport.

Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.12

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-08-24 00:33:08 +02:00
Ash Benz 798cd261ab hostapd: use printf to improve portability.
Signed-off-by: Ash Benz <ash.benz@bk.ru>
2016-08-23 12:15:41 +02:00
Felix Fietkau c487bde9e4 netifd: update to the latest version
Adds fixes for wireless device error handling
Adds link state fixes for shell proto handlers

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-23 11:08:35 +02:00
Hans Dedecker d7c249fa1c ppp: Extend uci datamodel with persistency sypport
PPP daemon can be put into persist mode meaning the
daemon will not exit after a connection gets terminated
but will instead try to reopen the connection.
The re-initiation after the link has been terminated
can be controlled via holdoff; this is helpfull in
scenarios where a BRAS is in denial of service mode
due to link setup requests after a BRAS has gone down

Following uci parameters have been added :
persist (boolean) : Puts the ppp daemon in persist mode
maxfail (integer) : Number of consecutive fail attempts which
puts the PPP daemon in exit mode
holdoff (interget) : Specifies how many seconds to wait
before re-initiating link setup after it has been terminated

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-08-18 09:49:18 +02:00
John Crispin 99a1888287 swconfig: revert the portmapping patches, they seem to cause a segfault
Revert "kernel/swconfig: remove obsolete portmapping feature from swconfig"

This reverts commit 675407baa4.

Revert "swconfig: remove obsolete portmapping feature"

This reverts commit fca1eb349e.

Signed-off-by: John Crispin <john@phrozen.org>
2016-08-16 10:20:01 +02:00
John Crispin fca1eb349e swconfig: remove obsolete portmapping feature
Signed-off-by: John Crispin <john@phrozen.org>
2016-08-15 15:32:36 +02:00
Conn O'Griofa 63f6fc5c16 samba: add file/interface reload triggers & filter interfaces
* Only parse interfaces that are up during init_config (as the
  script depends on this to determine the proper IP/subnet range)
* Add reload interface triggers for samba-designated interfaces
* Force full service restart upon config change to ensure Samba
  binds to new interfaces (sending HUP signal doesn't work)
* Rename "interface" variable to "samba_iface" and move into
  global scope

Needed to fix Samba connectivity for clients connecting from a
different LAN subnet (e.g. pseudobridge configurations) due to the
'bind interfaces only' setting.

Signed-off-by: Conn O'Griofa <connogriofa@gmail.com>
2016-08-15 15:18:35 +02:00
Jo-Philipp Wich 4e8c6f3407 dropbear: security update to 2016.74
- Security: Message printout was vulnerable to format string injection.

  If specific usernames including "%" symbols can be created on a system
  (validated by getpwnam()) then an attacker could run arbitrary code as root
  when connecting to Dropbear server.

  A dbclient user who can control username or host arguments could potentially
  run arbitrary code as the dbclient user. This could be a problem if scripts
  or webpages pass untrusted input to the dbclient program.

- Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
  the local dropbearconvert user when parsing malicious key files

- Security: dbclient could run arbitrary code as the local dbclient user if
  particular -m or -c arguments are provided. This could be an issue where
  dbclient is used in scripts.

- Security: dbclient or dropbear server could expose process memory to the
  running user if compiled with DEBUG_TRACE and running with -v

  The security issues were reported by an anonymous researcher working with
  Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-08-12 11:45:47 +02:00
Petko Bordjukov dff6df9625 hostapd: Allow RADIUS accounting without 802.1x
RADIUS accounting can be used even when RADIUS authentication is not
used. Move the accounting configuration outside of the EAP-exclusive
sections.

Signed-off-by: Petko Bordjukov <bordjukov@gmail.com>
2016-08-11 10:45:33 +02:00
Felix Fietkau 51e70267bd hostapd: remove unused hostapd-common-old package
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-05 11:02:57 +02:00
Felix Fietkau 56cf1adc50 kernel: remove esfq qdisc
It has been obsolete for years now

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-04 18:27:54 +02:00
Florian Eckert 109c55aea1 uqmi: add metric option to interface config
It is now possible to add an metric option for the qmi proto in dhcp mode.

Signed-off-by: Florian Eckert <Eckert.Florian@googlemail.com>
2016-07-26 08:39:36 +02:00
Florian Eckert 15867deac8 uqmi: fix option ipv6
If option ist not set then ipv6 is still enabled on this Interface.
Check if variable is zero will fix this issue.

Signed-off-by: Florian Eckert <Eckert.Florian@googlemail.com>
2016-07-26 08:39:36 +02:00
Felix Fietkau 9201e88f51 kernel: remove hostap driver
It has been marked as broken for well over a month now and nobody has
complained.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-31 12:25:24 +02:00
Felix Fietkau b2ddfbc1c7 dnsmasq: drop --interface and --except-interface options when the interface cannot be found
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 20:58:14 +02:00