Different invocations of the dnsmasq init script (e.g. at startup by procd)
will rewrite the dhcp host file which might result into dnsmasq reading an
empty dhcp host file as it is being rewritten by the dnsmasq init script.
Let the dnsmasq init script first write to a temp dhcp host file so it does
not overwrite the contents of the existing dhcp host file.
Reported-by: Hartmut Birr <e9hack@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
wpa_disable_eapol_key_retries can't prevent attacks against the Wireless
Network Management (WNM) Sleep Mode handshake. Currently, hostapd
processes WNM Sleep Mode requests from clients regardless of the setting
wnm_sleep_mode. Backport Jouni Malinen's upstream patch 114f2830 in
order to ignore such requests by clients when wnm_sleep_mode is disabled
(which is the default).
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
[rewrite commit subject (<= 50 characters), bump PKG_RELEASE]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
wpa_disable_eapol_key_retries can't prevent attacks against the
Tunneled Direct-Link Setup (TDLS) handshake. Jouni Malinen suggested
that the existing hostapd option tdls_prohibit can be used to further
complicate this possibility at the AP side. tdls_prohibit=1 makes
hostapd advertise that use of TDLS is not allowed in the BSS.
Note: If an attacker manages to lure both TDLS peers into a fake
AP, hiding the tdls_prohibit advertisement from them, it might be
possible to bypass this protection.
Make this option configurable via UCI, but disabled by default.
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
Tiny variant supports a subset of the ip commands; align the ip help
text so it actually reflects which commands are supported in the
tiny variant.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Preserves optionality of libmnl by letting configuration
script follow the HAVE_MNL environment variable.
Signed-off-by: Russell Senior <russell@personaltelco.net>
If all configured dns servers return refused in response to a query in
strict mode; dnsmasq will end up in an infinite loop retransmitting the
dns query resulting into high CPU load.
Problem is fixed by checking for the end of a dns server list iteration
in strict mode.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
11f42a8 mt76x2: add channel argument to eeprom tx power functions
3bd7e76 mt76x2: initialize channel power limits
19fff41 mt76x2: convert between per-chain tx power and combined output
737cf2b mt7603: rename mt7603_mac_reset to mt7603_pse_reset
8026638 mt7603: rename MT_PSE_RESET register
c4dd32a mt7603: remove watchdog reset on interface stop
d99092b mt7603: remove WARN_ON_ONCE for workaround checks
c8807b4 mt7603: simplify PSE reset
d8a5990 mt7603: warn if PSE reset fails
c079960 mt7603: clean up dma debug reads
96817d6 mt7603: make mt7603_mac_watchdog_reset() static
e953c78 mt7603: clear wtbl PS bit for powersave responses
57a2e33 mt7603: set tx-skip flag for powersave clients
c8e5ab1 mt7603: initialize wtbl ps flag on station add
b4034cf mt76x2: remove some harmless WARN_ONs in tx status and rx path
8e17d36 mt7603: remove some harmless WARN_ONs in rx path
Signed-off-by: Felix Fietkau <nbd@nbd.name>
layerscape firmware package names collide with existing package contributions.
Ex: layerscape mc and midnight-commander(mc) are in conflict.
Firmware packages: mc, ppa, rcw and dpl are renamed to ls-mc, ls-ppa, ls-rcw
and ls-dpl respectively.
Signed-off-by: Ted Hess <thess@kitschensync.net>
CVE-2017-8816: NTLM buffer overflow via integer overflow
CVE-2017-8817: FTP wildcard out of bounds read
CVE-2017-8818: SSL out of buffer access
For other bugfixes and changes in 7.57.0 see https://curl.haxx.se/changes.html
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Latencies can be much higher on wifi devices, especially with
aggregation. Tune the network stack setting introduced in the previous
commit to account for that.
This commit reintroduces the previously reverted one with a fix for the
crash issues
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Due to improper localization of helper variables, "config host" entries
without a given mac address may inherit the mac address of a preceeding,
leading to invalid generated netive configuration.
Fix the issue by marking the "macs" and "tags" helper variables in
dhcp_host_add() local, avoiding the need for explicitely resetting them
with each invocation.
Reported-by: Russell Senior <russell@personaltelco.net>
Tested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This reverts commit 2dc485250d.
This patch needs some additional checks in order to avoid overwriting
unrelated fields for request sockets.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
== Changes ==
* compat: support timespec64 on old kernels
* compat: support AVX512BW+VL by lying
* compat: fix typo and ranges
* compat: support 4.15's netlink and barrier changes
* poly1305-avx512: requires AVX512F+VL+BW
Numerous compat fixes which should keep us supporting 3.10-4.15-rc1.
* blake2s: AVX512F+VL implementation
* blake2s: tweak avx512 code
* blake2s: hmac space optimization
Another terrific submission from Samuel Neves: we now have an implementation
of Blake2s using AVX512, which is extremely fast.
* allowedips: optimize
* allowedips: simplify
* chacha20: directly assign constant and initial state
Small performance tweaks.
* tools: fix removing preshared keys
* qemu: use netfilter.org https site
* qemu: take shared lock for untarring
Small bug fixes.
Remove myself from the maintainers list: we have enough and I'm happy to
carry on doing package bumps on ad-hoc basis without the 'official'
title.
Run-tested: ar71xx Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
939ad5dd Update manual pages
24d92b97 Add deprecation warning when spdylay support is enabled
4c92ff18 Bump up version number to 1.28.0, LT revision to 29:0:15
280db5c6 Update neverbleed
7fbcb2d0 Merge pull request #1074 from nghttp2/fix-doc
53aeb2c3 Fix doc
ff200bfc clang-format-5.0
fee3151f Switch to clang-format-5.0
99a85159 Update manual pages
2a981a3f Merge pull request #1066 from nghttp2/nghttpx-add-affinity-cookie-secure
0028275d nghttpx: Add affinity-cookie-secure parameter to backend option
ee8bfddf Merge pull request #1063 from nghttp2/error_callback2
194acb1f src: Use nghttp2_error_callback2
43a2a70a Add nghttp2_error_callback2
73344ae9 nghttpx: Use plain hex string format for client serial
c479f612 Merge pull request #1060 from nghttp2/nghttpx-add-client-serial
eca0a302 nghttpx: Add $tls_client_serial log variable
4720c5cb nghttpx: Make client serial available in mruby script
cd55ab28 nghttpx: Add function to get serial number from certificate
d402cfdf Merge pull request #1057 from nghttp2/nghttpx-add-tls-client-issuer-name
22502182 Add tls_client_issuer_name log variable and expose it to mruby
05e1fd5e Update manual pages
943d7923 Add Session Affinity section to nghttpx howto
568ecbfb doc: Add missing port
f5ddd7f4 nghttpx: Make initial_addr_idx_ unsigned
88abbce7 nghttpx: Fix compile error with gcc
16e90365 nghttpx: Fix affinity retry
fa7945c6 nghttpx: Refactor
daca43f0 nghttpx: Fix stalled backend connection on retry
16bc11e6 nghttpx: Remove duplicated util::make_socket_nodelay
6f7e94cd Merge pull request #1047 from PiotrSikora/go_vet
61efa15a integration: Fix issues reported by the `go vet` tool.
8c0ea56b Merge pull request #1036 from nghttp2/nghttpx-affinity-cookie
54905371 nghttpx: Refactor
6010d393 integration: Add tests
be5c39a1 src: Add tests
b8fda680 nghttpx: Cookie based session affinity
e29b9c12 Merge pull request #1045 from nghttp2/nghttpx-sha1-fingerprint
539e2781 nghttpx: Add tls_client_fingerprint_sha1 to mruby and accesslog
7008afd4 nghttpx: Refactor get_x509_fingerprint to accept hash function
77a41756 Merge pull request #1041 from nghttp2/fix-examples-client-server
b15045d6 Merge pull request #1040 from nghttp2/nghttpx-mruby-add-more-tls-vars
03084f75 examples: Make client and server work with libevent-2.1.8
60baca27 nghttpx: Add more TLS related attributes to mruby Env object
86990db2 Merge pull request #1038 from nghttp2/nghttpx-add-more-logging-vars
cb376bcd nghttpx: Add client fingerprint and subject name to accesslog
f2b8edd1 nghttpx: Fix memory leak
c4f8afcf nghttpx: Get TLS info only when it is necessary when writing accesslog
1a1a216d Merge pull request #1037 from nghttp2/nghttpx-mruby-tls-client-vars
9f80a82c nghttpx: Add client fingerprint and subject name to mruby env
c573c80b nghttpx: Pass a pointer to SSL instead of TLSSessionInfo to LogSpec
3cd6817e Fix typos
d4a69658 Add another warning about mruby
8e06fe49 Fix typo
aaeeec8f Fix typos
66d5e246 Bump up version number to 1.28.0-DEV
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
dfb2f6c pkt_sched: make compile again
5ab7026 sch_cake: make compile again
6f28803 codel5: make more checkpatch compliant
bd426aa Fix build error on 4.12
e4a3628 Whitespace tidy up
Signed-off-by: Fushan Wen <qydwhotmail@gmail.com>
Add an ipv6only variant providing server services for RA, stateful and stateless
DHCPv6, prefix delegation and relay support for DHCPv6, NDP and RA.
The full variant called odhcpd supports DHCPv4 server as before.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Bump to latest WireGuard snapshot release:
ed479fa (tag: 0.0.20171122) version: bump snapshot
efd9db0 chacha20poly1305: poly cleans up its own state
5700b61 poly1305-x86_64: unclobber %rbp
314c172 global: switch from timeval to timespec
9e4aa7a poly1305: import MIPS64 primitive from OpenSSL
7a5ce4e chacha20poly1305: import ARM primitives from OpenSSL
abad6ee chacha20poly1305: import x86_64 primitives from OpenSSL
6507a03 chacha20poly1305: add more test vectors, some of which are weird
6f136a3 compat: new kernels have netlink fixes
e4b3875 compat: stable finally backported fix
cc07250 qemu: use unprefixed strip when not cross-compiling
64f1a6d tools: tighten up strtoul parsing
c3a04fe device: uninitialize socket first in destruction
82e6e3b socket: only free socket after successful creation of new
df318d1 compat: fix compilation with PaX
d911cd9 curve25519-neon: compile in thumb mode
d355e57 compat: 3.16.50 got proper rt6_get_cookie
666ee61 qemu: update kernel
2420e18 allowedips: do not write out of bounds
185c324 selftest: allowedips: randomized test mutex update
3f6ed7e wg-quick: document localhost exception and v6 rule
Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
The uboot target is named MarsBoard_A10 and it was not build at all.
This fixes a build problem seen by the build bot.
Fixes: 6a3565985f ("sunxi: Added profile for HAOYU Electronics Marsboard A10")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fix the target dependency to make it possible to select this module also
on x86 target and its subtargets.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The firmware directory in the Linux kernel was removed in kernel 4.14,
take the e100 firmware files now from the linux-firmware repository
instead. To do so create the new package e100-firmware. This will also
work with older kernel versions.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Adds NFS4 client support:
1. Package kmod-fs-nfs is split into kmod-fs-nfs (nfs.ko) and
kmod-fs-nfs-v3 (nfsv3.ko).
2. A new package kmod-fs-nfs-v4 (nfsv4.ko) is created.
3. Package kmod-fs-nfs-common-v4 is renamed to kmod-fs-nfs-rpcsec
and includes additional module rpcsec_gss_krb5.ko.
CONFIG_NFS_V4 goes into kmod-fs-nfs-v4, CONFIG_NFSD_V4 (NFS4
server) is removed. Missing kernel module oid_registry.ko
needed by auth_rpcgss.ko is added to the package.
A new package kmod-crypto-cts needed by rpcsec_gss_krb5.ko is
also created.
Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
[add dependency to kmod-crypto-ecb in fs-nfs-common-rpcsec]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The module parameters "nogameport=1" and "nocir=1" are needed,
because this is not supported on recent chips and doesn't
really tell if the system is stable.
As this features will already be removed in linux-4.13 or newer,
this module parameters can be removed in the future.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
make check complains about PKG_MIRROR_HASH of the wireless-regdb package:
WARNING: PKG_MIRROR_HASH does not match wireless-regdb-2017-10-20-4343d359.tar.xz
hash 5f5b669f32ae36cb65b1d99efbbbfd42c2983cda32f6448346e3e54ffaba3889
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
The DEFINE_PCI_DEVICE_TABLE macro was removed with upstream commit
7e9321599011 ("treewide: remove references to the now unnecessary
DEFINE_PCI_DEVICE_TABLE").
Use the pci_device_id struct to fix the acx-mac80211 build failure on
ramips.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Without this change, the instance-specific conf-file is being added to procd_add_jail_mount,
but not used by dnsmasq.
Signed-off-by: Emerson Pinter <dev@pinter.com.br>
Usually this function is called for appending some small files only
(like fs marks) but let's just make it more generic and capable of
handling bigger files easily. Increasing buffer to 1 KiB shouldn't hurt.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
It was there in case of adding some "create" command options that should
be parsed before actually creating the output image. It seems we don't
need any at this point so let's drop this function for now.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
CPE ids helps to tracks CVE in packages.
https://cpe.mitre.org/specification/
Thanks to swalker for CPE to package mapping and
keep tracking CVEs.
Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
My compilation failed because of missing uint.* definitions:
In file included from mtd.h:33:0,
from bootstream.c:35:
BootControlBlocks.h:58:2: error: unknown type name 'uint8_t'
uint8_t m_u8DataSetup;
^
BootControlBlocks.h:59:2: error: unknown type name 'uint8_t'
uint8_t m_u8DataHold;
^
BootControlBlocks.h:60:2: error: unknown type name 'uint8_t'
uint8_t m_u8AddressSetup;
^
BootControlBlocks.h:61:2: error: unknown type name 'uint8_t'
uint8_t m_u8DSAMPLE_TIME;
Adding the header file fixes the problem.
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[fold changes into 001-compile.patch]
Signed-off-by: Mathias Kresin <dev@kresin.me>
The kernel firmware/ is going away, so pull this firmware
from the linux-firmware git repo instead. No actual changes
to the installed files.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Significantly improves throughput on MT76x2, fixes some stability
issues, adds LED support.
Changes:
266ef38 mt76x2: mcu: remove unused parameter in mt76x2_mcu_msg_alloc signature
758376d mt7603: mcu: remove unused parameter in mt7603_mcu_msg_alloc() signature
e764787 Fix errors found by cppcheck
a6fce8a mt7603: add LED definition registers
f658dd2 mt76x2: add LED register definitions
f6a021d mt76x2: Support using PCI ID as chip ID
c9bdcd8 mt76: add led support using mac80211 led framework
58e9138 mt76x2: init: add ma80211 led callbacks
8ea8da3 mt7603: init: add ma80211 led callbacks
ded88cd mt76x2: Add PCI identifier for MT7602
51a6764 mt7603: remove unnecessary mcu register read function
fbdbf65 debugfs: add support for changing the LED pin
cc02e49 mac80211: move DT led configuration to the "led" child node
e4e7734 mt76x2: limit client WCID entries to 0-127
60172cc mt76x2: clear drop flag for all WCIDs on init
d8140b6 mt76x2: clear per-WCID tx rate lookup register
0ce7923 mt76x2: add helper function for setting drop mask
ccc4baf mt76x2: clear drop mask when sending a PS response
ff60d14 mt76: increase rx ring size for mt76x2
b57ada5 mt76x2: add rx statistics registers
af425de mt76x2: fix LNA gain register annotation
efd7724 mt76x2: sync channel gain value with latest reference driver
4af37bd mt76x2: implement dynamic AGC tuning based on false packet detection count
70f2002 mt76x2: add more gain tuning based on the latest reference driver
8f1c8ab mt76x2: sync tx power related values with reference driver
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Latencies can be much higher on wifi devices, especially with
aggregation. Tune the network stack setting introduced in the previous
commit to account for that
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The wireless regdb is now loaded via firmware loading, CRDA support and
built-in regdb support have been removed.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
9c13096 ubus: Remove unnecessary memset calls.
6d1ea6c libubus: Fix deletion from context's object AVL tree when removing object
e02813b ubusd: don't free messages in ubus_send_msg() anymore
be146ad ubusd: rename goto label from `error` to `out`
27d712d ubusd_monitor: alloc & free the buffer outside of the loop
5f87f54 ubusd: move global retmsg per client
Signed-off-by: Felix Fietkau <nbd@nbd.name>
These adapters support SR-IOV. Thus the host can assign Virtual Functions
(VFs) to different VMs by the PCI-E Passthrough (e.g. VFIO for KVM), to
gain different advantages (performance, VF to VF communications, host
kernel offload, etc.).
Signed-off-by: Chris Blakely <cpblakely@gmail.com>
Add the parent of the sysupgrade script to the list of pids not getting
killed
Signed-off-by: Mat Trudel <mat@geeky.net>
Signed-off-by: John Crispin <john@phrozen.org>
- Remove obsolete patch chunks regarding fixed_freq
- Instead of patching in custom HT40+/- parameters, use the standard
config syntax as much as possible.
- Use fixed_freq for mesh
- Fix issues with disabling obss scan when using fixed_freq on mesh
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Passing the ctrl iface to wpa_supplicant will automatically cause wpa_supplicant
to send "STOP_AP" messages to the hostapd. This breaks the AP interfaces.
Signed-off-by: Antonio Quartulli <ordex@autistici.org>
The beacon_int is currently set explicitly for hostapd and when LEDE uses
iw to join and IBSS/mesh. But it was not done when wpa_supplicant was used
to join an encrypted IBSS or mesh.
This configuration is required when an AP interface is configured together
with an mesh interface. The beacon_int= line must therefore be re-added to
the wpa_supplicant config. The value is retrieved from the the global
variable.
Fixes: 1a16cb9c67 ("mac80211, hostapd: always explicitly set beacon interval")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [rebase]
The wpa_supplicant code for IBSS allows to set the mcast rate. It is
recommended to increase this value from 1 or 6 Mbit/s to something higher
when using a mesh protocol on top which uses the multicast packet loss as
indicator for the link quality.
This setting was unfortunately not applied for mesh mode. But it would be
beneficial when wpa_supplicant would behave similar to IBSS mode and set
this argument during mesh join like authsae already does. At least it is
helpful for companies/projects which are currently switching to 802.11s
(without mesh_fwding and with mesh_ttl set to 1) as replacement for IBSS
because newer drivers seem to support 802.11s but not IBSS anymore.
Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
Tested-by: Simon Wunderlich <simon.wunderlich@openmesh.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [refresh]
There is no need to allocate buffer as big as the whole image in order
to calculate CRC32. It's enough to use small buffer and just read file
content block by block.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This requires changing this helper to accept initial/current CRC32
value as argument but it allows dropping duplicated (complex?) code
calculating the CRC32.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Remove multicast routing firewall rules when the igmpproxy is stopped by
triggering a firewall config change.
Keeping the firewall open from the wan for igmp and udp multicast is not
desired when the igmpproxy service is inactive.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
When a library is using fortify-packages GCC will complain about
"error: format not a string literal, argument types not checked".
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
don't set no-ssl3-method when CONFIG_OPENSSL_WITH_SSL3 di disabled otherwise the compile breaks with this error:
../libssl.so: undefined reference to `SSLv3_client_method'
Fixes CVE: CVE-2017-3735, CVE-2017-3736
Signed-off-by: Peter Wagner <tripolar@gmx.at>
Check if the compiler defines __linux__, instead of assuming that the
host OS is the same as the target OS.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The QorIQ FRDM-LS1012A Board is an ultra-low-cost
development platform for QorIQ LS1012A Series Network
Processors built on ARM Cortex-A53 processor.
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
This patch is to add PPA (The Primary Protected Application)
package and also enable it for all layerscape devices.
LSDK github provides ppa source code git tree, but it
only could be compiled with 64-bit toolchain. For 32-bit
devices, there was no method to use it.
https://github.com/qoriq-open-source/ppa-generic
This patch is to directly use a private ppa binary tree for
both 32-bit and 64-bit devices.
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
This patch is to use ppfe git tree on LSDK github
instead of private git tree, and support the latest
ppfe on ls1012ardb.
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>