Commit Graph

2666 Commits (2d139450a3be401e11c2a2b6f817bdf6c421d6db)

Author SHA1 Message Date
Rosy Song 456df06071 odhcpd-ipv6only: fix dependency for IPV6
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-09-30 21:05:42 +02:00
Hans Dedecker 8e604dea31 netifd: update to latest git HEAD
94e156f scripts: fix previous commit
3c8ac1c netifd: fix wpa mixed mode matching

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-30 21:05:35 +02:00
Enrique Giraldo 61454a0a8c hostapd: add acs feature indication
Signed-off-by: Enrique Giraldo <enrique.giraldo@galgus.net>
2018-09-29 17:23:11 +02:00
Kevin Darbyshire-Bryant 37961f12ba wireguard: bump to 0.0.20180925
33523a5 version: bump snapshot
0759480 curve25519-hacl64: reduce stack usage under KASAN
b9ab0fc chacha20: add bounds checking to selftests
2e99d19 chacha20-mips32r2: reduce stack and branches in loop, refactor jumptable handling
d6ac367 qemu: bump musl
28d8b7e crypto: make constant naming scheme consistent
56c4ea9 hchacha20: keep in native endian in words
0c3c0bc chacha20-arm: remove unused preambles
3dcd246 chacha20-arm: updated scalar code from Andy
6b9d5ca poly1305-mips64: remove useless preprocessor error
3ff3990 crypto-arm: rework KERNEL_MODE_NEON handling again
dd2f91e crypto: flatten out makefile
67a3cfb curve25519-fiat32: work around m68k compiler stack frame bug
9aa2943 allowedips: work around kasan stack frame bug in selftest
317b318 chacha20-arm: use new scalar implementation
b715e3b crypto-arm: rework KERNEL_MODE_NEON handling
77b07d9 global: reduce stack frame size
ddc2bd6 chacha20: add chunked selftest and test sliding alignments and hchacha20
2eead02 chacha20-mips32r2: reduce jumptable entry size and stack usage
a0ac620 chacha20-mips32r2: use simpler calling convention
09247c0 chacha20-arm: go with Ard's version to optimize for Cortex-A7
a329e0a chacha20-mips32r2: remove reorder directives
3b22533 chacha20-mips32r2: fix typo to allow reorder again
d4ac6bb poly1305-mips32r2: remove all reorder directives
197a30c global: put SPDX identifier on its own line
305806d ratelimiter: disable selftest with KASAN
4e06236 crypto: do not waste space on selftest items
5e0fd08 netlink: reverse my christmas trees
a61ea8b crypto: explicitly dual license
b161aff poly1305: account for simd being toggled off midway
470a0c5 allowedips: change from BUG_ON to WARN_ON
aa9e090 chacha20: prefer crypto_xor_cpy to avoid memmove
1b0adf5 poly1305: no need to trick gcc 8.1
a849803 blake2s: simplify final function
073f3d1 poly1305: better module description

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-27 21:19:38 +01:00
Kevin Darbyshire-Bryant d9a37d8d1e dnsmasq: bump to v2.80test7
Bump to latest test release:

3a610a0 Finesse allocation of memory for "struct crec" cache entries.
48b090c Fix b6f926fbefcd2471699599e44f32b8d25b87b471 to not SEGV on startup (rarely).
4139298 Change behavior when RD bit unset in queries.
51cc10f Add warning about 0.0.0.0 and :: addresses to man page.
ea6cc33 Handle memory allocation failure in make_non_terminals()
ad03967 Add debian/tmpfiles.conf
f4fd07d Debian bugfix.
e3c08a3 Debian packaging fix. (restorecon)
118011f Debian packaging fix. (tmpfiles.d)

Delete our own backports of ea6cc33 & 4139298, so the only real changes
here, since we don't care about the Debian stuff are 48b090c & 3a610a0

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-27 16:13:40 +01:00
Rosy Song 2dc1f54b12 iptables: fix dependency for libip6tc on IPV6
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-09-26 22:40:37 +02:00
Hauke Mehrtens 02e7fa6f8a iw: update nl80211.h
Now this file matches the version in backports.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-09-26 16:39:44 +02:00
Rosy Song a6add47869 netifd: do not validate relevant section when ipv6 is not supported
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-09-25 22:35:38 +02:00
David Yang aaf46a8fe2 dante: disable sched_getscheduler() - not implemented in musl
musl doesn't come with an valid implementation of `sched_getscheduler()`;
it simply returns -ENOSYS for it. Without this option (and compile dante
with `sched_getscheduler()` enabled), you will get

    error: serverinit(): sched_getscheduler(2): failed to retrieve current
    cpuscheduling policy: Function not implemented

and dante won't start at all.

Ref: http://lists.alpinelinux.org/alpine-devel/3932.html
Ref: http://lists.alpinelinux.org/alpine-devel/3936.html
Signed-off-by: David Yang <mmyangfl@gmail.com>
[slightly reword commit message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-09-24 19:04:47 +02:00
Jo-Philipp Wich 4f277eb640 lldpd: inhibit linking of libbsd on !GLIBC
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-09-24 08:36:10 +02:00
Yangbo Lu db30adc931 layerscape: fix get_device_file() function of restool
The restool failed to work with current gcc-7.3.0-musl.
This patch is to add a restool fix-up patch to fix
multiple problems encountered in the get_device_file()
function:
 - The deprecated atoi() function is replaced by strtoul
 - An invalid memory access was being performed by using
 memory from dir->d_name even after closedir(). This is
 fixed by a strdup() on the device filename.
 - Also, error prints now print any relevant error code.

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
2018-09-22 21:20:58 +02:00
Yangbo Lu 5c325c2b63 layerscape: update restool to LSDK-18.06
The restool source code had been migrated to codeaurora
for LSDK-18.06 release and the future release. This patch
is to update restool to LSDK-18.06 release.

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
2018-09-22 21:20:56 +02:00
Kevin Darbyshire-Bryant 6c4cbe94bd dnsmasq: Change behavior when RD bit unset in queries.
Backport upstream commit

Change anti cache-snooping behaviour with queries with the
recursion-desired bit unset. Instead to returning SERVFAIL, we
now always forward, and never answer from the cache. This
allows "dig +trace" command to work.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-21 09:59:03 +01:00
Rosen Penev 7651e254d5 dropbear: Install /etc/config as 600
/etc/config/dropbear is used by the init script which only runs as root.

Small whitespace change.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-09-19 09:41:28 +01:00
Rosen Penev add4871582 lldpd: Install /etc/config file as 600
/etc/config/lldpd is only used by the init script, which only runs as root

Adjusted homepage and download URLs to use HTTPS.

-std=c99 is useful for GCC versions less than 6. Current OpenWrt uses 7.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-09-19 09:41:28 +01:00
Hans Dedecker 6cd41ca673 netifd: update to latest git HEAD
23941d7 system-linux: enable by default ignore encaplimit for ip6 tunnels

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-19 10:09:25 +02:00
Hans Dedecker d9691b66e2 map: drop default encaplimit value
Setting encaplimit to a numerical value results into the value being
included as tunnel encapsulation limit in the destination option header
for tunneled packets.
Several users have reported interop issues as not all ISPs support the
destination option header containing the tunnel encapsulation limit
resulting into broken map connectivity.
Therefore drop the default encaplimit value for map tunnels so
no destination option header is included by default.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-19 09:42:45 +02:00
Hans Dedecker 1241707b40 ds-lite: drop default encaplimit value
Setting encaplimit to a numerical value results into the value being
included as tunnel encapsulation limit in the destination option header
for tunneled packets.
Several users have reported interop issues as not all ISPs support the
destination option header containing the tunnel encapsulation limit
resulting into broken ds-lite connectivity.
Therefore drop the default encaplimit value for ds-lite tunnels so
no destination option header is included by default.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-19 09:42:28 +02:00
Jason A. Donenfeld f07a94da50 wireguard: bump to 0.0.20180918
* blake2s-x86_64: fix whitespace errors
* crypto: do not use compound literals in selftests
* crypto: make sure UML is properly disabled
* kconfig: make NEON depend on CPU_V7
* poly1305: rename finish to final
* chacha20: add constant for words in block
* curve25519-x86_64: remove useless define
* poly1305: precompute 5*r in init instead of blocks
* chacha20-arm: swap scalar and neon functions
* simd: add __must_check annotation
* poly1305: do not require simd context for arch
* chacha20-x86_64: cascade down implementations
* crypto: pass simd by reference
* chacha20-x86_64: don't activate simd for small blocks
* poly1305-x86_64: don't activate simd for small blocks
* crypto: do not use -include trick
* crypto: turn Zinc into individual modules
* chacha20poly1305: relax simd between sg chunks
* chacha20-x86_64: more limited cascade
* crypto: allow for disabling simd in zinc modules
* poly1305-x86_64: show full struct for state
* chacha20-x86_64: use correct cut off for avx512-vl
* curve25519-arm: only compile if symbols will be used
* chacha20poly1305: add __init to selftest helper functions
* chacha20: add independent self test

Tons of improvements all around the board to our cryptography library,
including some performance boosts with how we handle SIMD for small packets.

* send/receive: reduce number of sg entries

This quells a powerpc stack usage warning.

* global: remove non-essential inline annotations

We now allow the compiler to determine whether or not to inline certain
functions, while still manually choosing so for a few performance-critical
sections.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-09-19 08:30:13 +01:00
Kevin Darbyshire-Bryant 687168ccd9 dnsmasq: Handle memory allocation failure in make_non_terminals()
Backport upstream commit:

ea6cc33 Handle memory allocation failure in make_non_terminals()

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-19 07:43:02 +01:00
Daniel Golle e51aa699f7 uqmi: pass-through ipXtable to child interfaces
Allow setting specific routing tables via the ip4table and ip6table
options also when ${ifname}_4 and ${ifname}_6 child interfaces are
being created.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-09-15 19:18:42 +02:00
Kevin Darbyshire-Bryant 033f02b9b5 iproute2: q_cake: Also print nonat, nowash and no-ack-filter keywords
Pull in latest upstream tweaks:
Similar to the previous patch for no-split-gso, the negative keywords for
'nat', 'wash' and 'ack-filter' were not printed either. Add those as well.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-15 08:46:32 +01:00
Rosy Song 918ec4d549 odhcpd: enable ipv6 server mode only when it is supported
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-09-12 21:47:33 +02:00
Kevin Darbyshire-Bryant 8cac857289 iproute2: q_cake: Add printing of no-split-gso option
When the GSO splitting was turned into dual split-gso/no-split-gso options,
the printing of the latter was left out. Add that, so output is consistent
with the options passed

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-09-12 09:13:44 +01:00
Florian Fainelli 4fca0e8896 netifd: update to latest HEAD
0059335c5b60 CMakeList: Check that compiler supports -Wimplicit-fallthrough

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2018-09-11 17:19:51 -07:00
Jason A. Donenfeld a54f492d0c wireguard: bump to 0.0.20180910
* curve25519: arm: do not modify sp directly
* compat: support neon.h on old kernels
* compat: arch-namespace certain includes
* compat: move simd.h from crypto to compat since it's going upstream

This fixes a decent amount of compat breakage and thumb2-mode breakage
introduced by our move to Zinc.

* crypto: use CRYPTOGAMS license

Rather than using code from OpenSSL, use code directly from AndyP.

* poly1305: rewrite self tests from scratch
* poly1305: switch to donna

This makes our C Poly1305 implementation a bit more intensely tested and also
faster, especially on 64-bit systems. It also sets the stage for moving to a
HACL* implementation when that's ready.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-09-11 11:34:23 +02:00
Rosen Penev f78e07ad2a hostapd: Fix compile with OpenSSL 1.1.0 + no deprecated APIs
Patch was accepted upsteam:

https://w1.fi/cgit/hostap/commit/?id=373c796948599a509bad71695b5b72eef003f661

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-09-10 09:01:37 +02:00
Hans Dedecker 43d4b8e89e dnsmasq: bump to dnsmasq 2.80test6
Refresh patches

Changes since latest bump:

af3bd07 Man page typo.
d682099 Picky changes to 47b45b2967c931fed3c89a2e6a8df9f9183a5789
47b45b2 Fix lengths of interface names
2b38e38 Minor improvements in lease-tools
282eab7 Mark die function as never returning
c346f61 Handle ANY queries in context of da8b6517decdac593e7ce24bde2824dd841725c8
03212e5 Manpage typo.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-09 22:02:45 +02:00
Daniel Engberg 9cfa5f2cec curl: Update to 7.61.1
Update curl to 7.61.1

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-09-09 21:38:10 +02:00
pacien ef01c1d308 odhcp6c: add client fqdn and reconfigure options
Allowing DHCPV6_CLIENT_FQDN and DHCPV6_ACCEPT_RECONFIGURE to be turned off.
Defaulting to false, former behavior remains unchanged.

Signed-off-by: pacien <pacien.trangirard@pacien.net>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2018-09-08 21:36:30 +02:00
Henrique de Moraes Holschuh ca1b347691 dnsmasq: allow dnsmasq variants to be included in image
The dnsmasq variants should provide dnsmasq, otherwise it is impossible
to include them in the image.

This change allows one to have CONFIG_PACKAGE_dnsmasq=m and
CONFIG_PACKAGE_dnsmasq-full=y, e.g. because you want DNSSEC support, or
IPSETs suport on your 3000-devices fleet ;-)

Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
2018-09-06 17:57:59 +02:00
Hans Dedecker 3d377f4375 dnsmasq: bump to dnsmasq v2.80test5
Refresh patches
Remove 240-ubus patch as upstream accepted.
Add uci option ubus which allows to enable/disable ubus support (enabled
by default)

Upstream commits since last bump:

da8b651 Implement --address=/example.com/#
c5db8f9 Tidy 7f876b64c22b2b18412e2e3d8506ee33e42db7c
974a6d0 Add --caa-record
b758b67 Improve logging of RRs from --dns-rr.
9bafdc6 Tidy up file parsing code.
97f876b Properly deal with unaligned addresses in DHCPv6 packets.
cbfbd17 Fix broken DNSSEC records in previous.
b6f926f Don't return NXDOMAIN to empty non-terminals.
c822620 Add --dhcp-name-match
397c050 Handle case of --auth-zone but no --auth-server.
1682d15 Add missing EDNS0 section. EDNS0 section missing in replies to EDNS0-containing queries where answer generated from --local=/<domain>/
dd33e98 Fix crash parsing a --synth-domain with no prefix. Problem introduced in 2.79/6b2b564ac34cb3c862f168e6b1457f9f0b9ca69c
c16d966 Add copyright to src/metrics.h
1dfed16 Remove C99 only code.
6f835ed Format fixes - ubus.c
9d6fd17 dnsmasq.c fix OPT_UBUS option usage
8c1b6a5 New metrics and ubus files.
8dcdb33 Add --enable-ubus option.
aba8bbb Add collection of metrics
caf4d57 Add OpenWRT ubus patch

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-06 15:48:13 +02:00
Hans Dedecker ecc3165cbc odhcpd: bump to git HEAD (detect broken hostnames)
881f66b odhcpd: detect broken hostnames
3e17fd9 config: fix odhcpd_attrs array size

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-05 11:04:19 +02:00
Jason A. Donenfeld 4ccbe7de6c wireguard: bump to 0.0.20180904
* Kconfig: use new-style help marker
* global: run through clang-format
* uapi: reformat
* global: satisfy check_patch.pl errors
* global: prefer sizeof(*pointer) when possible
* global: always find OOM unlikely

Tons of style cleanups.

* crypto: use unaligned helpers

We now avoid unaligned accesses for generic users of the crypto API.

* crypto: import zinc

More style cleanups and a rearrangement of the crypto routines to fit how this
is going to work upstream. This required some fairly big changes to our build
system, so there may be some build errors we'll have to address in subsequent
snapshots.

* compat: rng_is_initialized made it into 4.19

We therefore don't need it in the compat layer anymore.

* curve25519-hacl64: use formally verified C for comparisons

The previous code had been proved in Z3, but this new code from upstream
KreMLin is directly generated from the F*, which is preferable. The
assembly generated is identical.

* curve25519-x86_64: let the compiler decide when/how to load constants

Small performance boost.

* curve25519-arm: reformat
* curve25519-arm: cleanups from lkml
* curve25519-arm: add spaces after commas
* curve25519-arm: use ordinary prolog and epilogue
* curve25519-arm: do not waste 32 bytes of stack
* curve25519-arm: prefix immediates with #

This incorporates ASM nits from upstream review.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-09-05 08:52:36 +02:00
Alexander Couzens 967d6460c0
hostapd: fix build of wpa-supplicant-p2p
VARIANT:= got removed by accident.

Fixes: 3838b16943 ("hostapd: fix conflicts hell")
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2018-09-03 21:51:06 +02:00
Kevin Darbyshire-Bryant dc9388ac55 iproute2: update cake man page
CAKE supports overriding of its internal classification of
packets through the tc filter mechanism.

Update the man page in our package, even though we don't
build them.  Someone may find the documentation useful.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 30598a05385b0ac2380dd4f30037a9f9d0318cf2)
2018-08-31 15:30:28 +07:00
Jo-Philipp Wich 555c592304 ppp: remove hardcoded lcp-echo-failure, lcp-echo-interval values
OpenWrt used to ship hardcoded defaults for lcp-echo-failure and
lcp-echo-interval in the non-uci /etc/ppp/options file.

These values break uci support for *disabling* LCP echos through
the use of "option keepalive 0" as either omitting the keepalive
option or setting it to 0 will result in no lcp-echo-* flags
getting passed to the pppd cmdline, causing the pppd process to
revert to the defaults in /etc/ppp/options.

Address this issue by letting the uci "keepalive" option default
to the former hardcoded values "5, 1" and by removing the fixed
lcp-echo-failure and lcp-echo-interval settings from the
/etc/ppp/options files.

Ref: https://github.com/openwrt/luci/issues/2112
Ref: https://dev.archive.openwrt.org/ticket/2373.html
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=854
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=1259
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-30 15:19:45 +02:00
Thomas Equeter acedce1d79 uqmi: wait for the control device too
The control device /dev/cdc-wdm0 is not available immediately on the
D-Link DWR-921 Rev.C3, therefore the wwan interface fails to start at
boot with a "The specified control device does not exist" error.

This patch alters /lib/netifd/proto/qmi.sh to wait for
network.wwan.delay earlier, before checking for the control device,
instead of just before interacting with the modem.

One still has to use network.wwan.proto='qmi', as the "wwan" proto
performs that sort of check before any delay is possible, failing with a
"No valid device was found" error.

Signed-off-by: Thomas Equeter <tequeter@users.noreply.github.com>
2018-08-29 13:10:12 +02:00
Giuseppe Lippolis 774d7fc9f2 comgt: increase timeout on runcommands
Some combination of modem/wireless operator requires more time to
execute the commands.
Tested on DWR-512 embedded wwan modem and italian operator iliad (new
virtual operator).

Signed-off-by: Giuseppe Lippolis <giu.lippolis@gmail.com>
2018-08-29 08:34:10 +02:00
Robert Marko a9d7353192 ethtool: Update to 4.18
Tested on 8devices Jalapeno(ipq40xx)
Introduces following changes:
Feature: Add support for WAKE_FILTER (WoL using filters)
Feature: Add support for action value -2 (wake-up filter)
Fix: document WoL filters option also in help message
Feature: ixgbe dump strings for security registers

Signed-off-by: Robert Marko <robimarko@gmail.com>
2018-08-28 13:46:16 +02:00
Hans Dedecker 8fd8e79143 iproute2: update to 4.18.0
Update to the latest version of iproute2; see https://lwn.net/Articles/762515/
for a full overview of the changes in 4.18.
Remove upstream patch 001-rdma-sync-some-IP-headers-with-glibc

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-25 20:54:00 +02:00
Hans Dedecker 2211ee0037 dropbear: backport upstream fix for CVE-2018-15599
CVE description :
The recv_msg_userauth_request function in svr-auth.c in Dropbear through
2018.76 is prone to a user enumeration vulnerability because username
validity affects how fields in SSH_MSG_USERAUTH messages are handled,
a similar issue to CVE-2018-15473 in an unrelated codebase.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-24 15:25:26 +02:00
Jo-Philipp Wich 214146c6f2 uhttpd: support multiple Lua prefixes
Update to latest git HEAD in order to support configuring multiple
concurrent Lua prefixes in a single uhttpd instance:

  b741dec lua: support multiple Lua prefixes

Additionally rework the init script and update the default configuration
example to treat the lua_prefix option as key=value uci list, similar to
the interpreter extension mapping. Support for the old "option lua_prefix"
plus "option lua_handler" notation is still present.

Finally drop the sed postinstall hack in uhttpd-mod-lua to avoid mangling
files belonging to other packages. Since Lua prefixes have precedence
over CGI prefixes, simply register `/cgi-bin/luci` as Lua handler which
will only become active if both luci-base and uhttpd-mod-lua is installed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-23 09:18:04 +02:00
Rosen Penev 499773f8ef samba36: Enable umdnsd support
Allows discovery without having to use NetBIOS. Useful for mobile devices.

Could eventually throw nbmd away. But that requires Windows 10...

Tested on Fedora 28 with avahi-discover.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-08-22 11:23:02 +02:00
Jo-Philipp Wich e5f56c07d7 iptables: make iptables-mod-conntrack-extra depend on kmod-ipt-raw
Since kernel 4.14 there is no auto assignment of conntrack helpers anymore
so fw3 needs raw table support in order to stage ct helper assignment rules.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-22 07:14:45 +02:00
Hans Dedecker 6c227e45cb dnsmasq: remove creation of /etc/ethers
Remove creation of file /etc/ethers in dnsmasq init script as the
file is now created by default in the base-files package by
commit fa3301a28e

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-21 15:55:10 +02:00
Jo-Philipp Wich 22681cdef2 uhttpd: update to latest Git head
952bf9d build: use _DEFAULT_SOURCE
30a18cb uhttpd: recognize PATCH, PUT and DELETE HTTP methods

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-21 14:48:47 +02:00
Hans Dedecker 40eb9bda44 netifd: update to latest git HEAD
7454d12 interface: let interface_set_down() return void
32f11a8 interface: make __interface_set_down() static
b9d5a8c interface: extend interface error messages in interface_set_up()
de394b3 interface: ensure NO_DEVICE error is always reported

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-20 16:27:38 +02:00
Yury Shvedov cad9519eba hostapd: process all CSA parameters
This adds processing of all CSA arguments from ubus switch_chan request
in the same manner as in the control interface API.

Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com>
2018-08-20 09:24:43 +02:00
Hans Dedecker e2791e80cb netifd: update to latest git HEAD
522456b device: gracefully handle device names exceeding IFNAMESIZ

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-14 22:56:31 +02:00
Stijn Tintel 03e5dcbf10 firewall: bump to git HEAD
12a7cf9 Add support for DSCP matches and target
06fa692 defaults: use a generic check_kmod() function
1c4d5bc defaults: fix check_kmod() function

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2018-08-13 22:05:46 +03:00
Jason A. Donenfeld 42dc0e2594 wireguard: bump to 0.0.20180809
* send: switch handshake stamp to an atomic

Rather than abusing the handshake lock, we're much better off just using
a boring atomic64 for this. It's simpler and performs better. Also, while
we're at it, we set the handshake stamp both before and after the
calculations, in case the calculations block for a really long time waiting
for the RNG to initialize.

* compat: better atomic acquire/release backport

This should fix compilation and correctness on several platforms.

* crypto: move simd context to specific type

This was a suggestion from Andy Lutomirski on LKML.

* chacha20poly1305: selftest: use arrays for test vectors

We no longer have lines so long that they're rejected by SMTP servers.

* qemu: add easy git harness

This makes it a bit easier to use our qemu harness for testing our mainline
integration tree.

* curve25519-x86_64: avoid use of r12

This causes problems with RAP and KERNEXEC for PaX, as r12 is a
reserved register.

* chacha20: use memmove in case buffers overlap

A small correctness fix that we never actually hit in WireGuard but is
important especially for moving this into a general purpose library.

* curve25519-hacl64: simplify u64_eq_mask
* curve25519-hacl64: correct u64_gte_mask

Two bitmath fixes from Samuel, which come complete with a z3 script proving
their correctness.

* timers: include header in right file

This fixes compilation in some environments.

* netlink: don't start over iteration on multipart non-first allowedips

Matt Layher found a bug where a netlink dump of peers would never terminate in
some circumstances, causing wg(8) to keep trying forever. We now have a fix as
well as a unit test to mitigate this, and we'll be looking to create a fuzzer
out of Matt's nice library.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-12 16:12:01 +02:00
John Crispin 1961948585 wpa_supplicant: fix CVE-2018-14526
Unauthenticated EAPOL-Key decryption in wpa_supplicant

Published: August 8, 2018
Identifiers:
- CVE-2018-14526
Latest version available from: https://w1.fi/security/2018-1/

Vulnerability

A vulnerability was found in how wpa_supplicant processes EAPOL-Key
frames. It is possible for an attacker to modify the frame in a way that
makes wpa_supplicant decrypt the Key Data field without requiring a
valid MIC value in the frame, i.e., without the frame being
authenticated. This has a potential issue in the case where WPA2/RSN
style of EAPOL-Key construction is used with TKIP negotiated as the
pairwise cipher. It should be noted that WPA2 is not supposed to be used
with TKIP as the pairwise cipher. Instead, CCMP is expected to be used
and with that pairwise cipher, this vulnerability is not applicable in
practice.

When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data
field is encrypted using RC4. This vulnerability allows unauthenticated
EAPOL-Key frames to be processed and due to the RC4 design, this makes
it possible for an attacker to modify the plaintext version of the Key
Data field with bitwise XOR operations without knowing the contents.
This can be used to cause a denial of service attack by modifying
GTK/IGTK on the station (without the attacker learning any of the keys)
which would prevent the station from accepting received group-addressed
frames. Furthermore, this might be abused by making wpa_supplicant act
as a decryption oracle to try to recover some of the Key Data payload
(GTK/IGTK) to get knowledge of the group encryption keys.

Full recovery of the group encryption keys requires multiple attempts
(128 connection attempts per octet) and each attempt results in
disconnection due to a failure to complete the 4-way handshake. These
failures can result in the AP/network getting disabled temporarily or
even permanently (requiring user action to re-enable) which may make it
impractical to perform the attack to recover the keys before the AP has
already changes the group keys. By default, wpa_supplicant is enforcing
at minimum a ten second wait time between each failed connection
attempt, i.e., over 20 minutes waiting to recover each octet while
hostapd AP implementation uses 10 minute default for GTK rekeying when
using TKIP. With such timing behavior, practical attack would need large
number of impacted stations to be trying to connect to the same AP to be
able to recover sufficient information from the GTK to be able to
determine the key before it gets changed.

Vulnerable versions/configurations

All wpa_supplicant versions.

Acknowledgments

Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
Leuven for discovering and reporting this issue.

Possible mitigation steps

- Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This
can be done also on the AP side.

- Merge the following commits to wpa_supplicant and rebuild:

WPA: Ignore unauthenticated encrypted EAPOL-Key data

This patch is available from https://w1.fi/security/2018-1/

- Update to wpa_supplicant v2.7 or newer, once available

Signed-off-by: John Crispin <john@phrozen.org>
2018-08-10 15:48:21 +02:00
Hans Dedecker 2e02fdb363 odhcp6c: apply IPv6/ND configuration earlier
Apply IPv6/ND configuration before proto_send_update so that all config info
is available when netifd is handling the notify_proto ubus call.
In particular this fixes an issue when netifd is updating the downstream IPv6 mtu
as netifd was still using the not yet updated upstream IPv6 mtu to set the
downstream IPv6 mtu

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-09 18:46:57 +02:00
Hans Dedecker e0fbf62821 iproute2: remove libutil from InstallDev section
Commit 4d961538f6 added libutil to the iproute2 InstallDev section
but lead to compile issues with packages picking up the wrong libutil
since libutil is quite a generic name ...
Further libutil is rather meant for internal usage in iproute2 than a
public API; therefore let's remove it from the InstallDev section together
with ll_map.h

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-09 17:48:03 +02:00
Hans Dedecker 6579af7a77 netifd: update to latest git HEAD
115a694 interface-ip: always override downstream IPv6 mtu

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-09 17:39:24 +02:00
Hans Dedecker 4d961538f6 iproute2: add libutil to InstallDev section
In iproute2 v4.17 ll_map has been moved from the libnetlink to the libutil
library; add libutil as well to the staging dir in order to keep support
for ll_map

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-08 14:29:08 +02:00
Jason A. Donenfeld 68e2ebe64a wireguard: bump to 0.0.20180802
Changelog taken from the version announcement

> == Changes ==
>
>   * chacha20poly1305: selftest: split up test vector constants
>
>   The test vectors are encoded as long strings -- really long strings -- and
>   apparently RFC821 doesn't like lines longer than 998.
>   https://cr.yp.to/smtp/message.html
>
>   * queueing: keep reference to peer after setting atomic state bit
>
>   This fixes a regression introduced when preparing the LKML submission.
>
>   * allowedips: prevent double read in kref
>   * allowedips: avoid window of disappeared peer
>   * hashtables: document immediate zeroing semantics
>   * peer: ensure resources are freed when creation fails
>   * queueing: document double-adding and reference conditions
>   * queueing: ensure strictly ordered loads and stores
>   * cookie: returned keypair might disappear if rcu lock not held
>   * noise: free peer references on failure
>   * peer: ensure destruction doesn't race
>
>   Various fixes, as well as lots of code comment documentation, for a
>   small variety of the less obvious aspects of object lifecycles,
>   focused on correctness.
>
>   * allowedips: free root inside of RCU callback
>   * allowedips: use different macro names so as to avoid confusion
>
>   These incorporate two suggestions from LKML.
>
> This snapshot contains commits from: Jason A. Donenfeld and Jann Horn.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2018-08-04 04:04:34 +00:00
Kevin Darbyshire-Bryant 13c66f8820 iproute2: cake: make gso/gro splitting configurable
This patch makes sch_cake's gso/gro splitting configurable
from userspace.

To disable breaking apart superpackets in sch_cake:

tc qdisc replace dev whatever root cake no-split-gso

to enable:

tc qdisc replace dev whatever root cake split-gso

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Dave Taht <dave.taht@gmail.com>
[pulled from netdev list - no API/ABI change]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-08-02 22:00:19 +01:00
Koen Vandeputte 457e6d5a27 iperf: bump to 2.0.12
Fixes the annoying 'feature' were TTL was set to "1" by default ..
Users had to specify -T manually to test outside the own network.

2.0.12 change set (as of June 25th 2018)

o Change the unicast TTL default value from 1 to the system default (to be compatable with previous versions.) Multicast still defaults to 1.
o adpative formatting bug fix: crash occurs when values exceed 1 Tera. Add support for Tera and Peta and eliminate the potential crash condition
o configure default compile to include isochronous support (use configure --disable-isochronous to remove support)
o replace 2.0.11's --vary-load option with a more general -b option to include <mean>,<stdev>, e.g. -b 100m,40m, which will pull from a log normal distribution every 0.1 seconds
o fixes for windows cross compile (using mingw32)
o compile flags of -fPIE for android
o configure --enable-checkprograms to compile ancillary binaries used to test things such as delay, isoch, pdf generation
o compile tests when trying to use 64b seq numbers on a 32b platform
o Fix GCC ver 8 warnings

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-08-02 15:03:21 +02:00
Rosy Song f30583c41d nftables: allow to build with json support
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-08-01 11:25:04 +02:00
Jo-Philipp Wich fdd6c556ab iwinfo: update to latest Git HEAD
a514139 build: compile with -ffunction-sections, -fdata-sections and LTO
3c30b17 wl: only invoke nvram executable if it exists
65b8333 Revert "build: compile with -ffunction-sections, -fdata-sections and LTO"

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-07-31 20:40:33 +02:00
John Crispin 3c4eeb5d21 netifd: update to latest git HEAD
fix a compile error

Signed-off-by: John Crispin <john@phrozen.org>
2018-07-30 23:56:14 +02:00
Hans Dedecker 929eac5b82 netifd: update to latest git HEAD (FS#1668)
75ee790 interface-ip: fix eui64 ifaceid generation (FS#1668)
ca97097 netifd: make sure the vlan ifname fits into the buffer
b8c1bca iprule: remove bogus assert calls
a2f952d iprule: fix broken in_dev/out_dev checks
263631a vlan: use alloca to get rid of IFNAMSIZE in vlan_dev_set_name()
291ccbb ubus: display correct prefix size for IPv6 prefix address
908a9f4 CMakeLists.txt: add -Wimplicit-fallthrough to the compiler flags
b06b011 proto-shell.c: add a explicit "fall through" comment to make the compiler happy
60293a7 replace fall throughs in switch/cases where possible with simple code changes

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-07-30 23:01:55 +02:00
Stijn Tintel 50c5fdd54d tcpdump: explicitly disable libcap-ng support
When libcap-ng is detected during build, support for it is enabled. This
will cause a build failure due to a missing dependency. Explicitly
disable libcap-ng support to avoid this.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2018-07-30 23:27:55 +03:00
Nick Hainke abefb4fda3 hostapd: add ht and vht support in handle event function Add ht and vht capabilities. If a device sends a probe request, the capabilities are added.
Signed-off-by: Nick Hainke <vincent@systemli.org>
2018-07-30 11:01:04 +02:00
Nick Hainke 74ac742277 hostapd: add ubus call for ap features
The call "get_features" allows to gather hostapd config options
via ubus. As first infos we add the ht and vht support.
Although nl80211 supports to gather informations about
ht and vht capabilities, the hostapd configuration can disable
vht and ht. However, it is possible that the iw output is not
representing the actual hostapd configuration.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2018-07-30 10:59:25 +02:00
Luiz Angelo Daros de Luca f1bef0596f openvpn-easy-rsa: update to 3.0.4
Upstream renamed openssl-1.0.cnf to openssl-easyrsa.cnf.
However, pkg kept using openssl-1.0.cnf.

Upstream easyrsa searchs for vars, openssl-*, x509-types in the
same directory as easyrsa script. This was patched to revert
back to static /etc/easy-rsa/ directory (as does OpenSUSE).
EASYRSA_PKI still depends on $PWD.

Move easyrsa from /usr/sbin to /usr/bin as root is not needed.

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2018-07-30 10:43:38 +02:00
Martin Strobel 7d7323bccd iptables: add ip[6|]tables-compat packages + libxtables-compat depends on IPTABLES_NFTABLES
allows iptables-compat to use nft packet filtering
allows to translate iptables-style to nft-style

Signed-off-by: Martin Strobel <arctus@crza.de>
2018-07-30 10:43:36 +02:00
Dmitry Tunin c128371124 igmpproxy: drop SSDP packets
It is insecure to let this type of packets inside
They can e.g. open ports on some other routers with UPnP, etc

Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
2018-07-30 10:43:36 +02:00
Nick Hainke 296ae7ab89 iwinfo: update to version 2018-07-24
Update to new iwinfo version.
Adds support for channel survey.
Adds ubus support.
Etc.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2018-07-30 10:43:31 +02:00
Daniel Engberg 5647cc7bd4 treewide: Bump PKG_RELEASE due to mbedtls update
Bump PKG_RELEASE on packages that depends on (lib)mbedtls to avoid library
mismatch.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-07-30 10:35:12 +02:00
Rosen Penev fc89831ae8 thc-ipv6: Update URLs
Development has moved to GitHub. Found using UScan.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-07-29 12:11:31 +02:00
Dmitry Tunin 7a6b2badfa igmpproxy: add a silent logging option
[0-3](none, minimal[default], more, maximum)

It is not 100% backward compatible, because now 0 disables logging

Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
2018-07-28 15:20:39 +01:00
Kevin Darbyshire-Bryant 1e93ef8498 dnsmasq: bump to dnsmasq v2.80test3
Refresh patches

Upstream commits since last bump:

3b6eb19 Log DNSSEC trust anchors at startup.
f3e5787 Trivial comment change.
c851c69 Log failure to confirm an address in DHCPv6.
a3bd7e7 Fix missing fatal errors when parsing some command-line/config options.
ab5ceaf Document the --help option in the french manual
1f2f69d Fix recurrent minor spelling mistake in french manual
f361b39 Fix some mistakes in french translation of the manual
eb1fe15 When replacing cache entries, preserve CNAMES which target them.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-28 11:16:41 +01:00
Masashi Honma d05967baec wwan: Fix teardown for sierra_net driver
The sierra_net driver is using proto_directip_setup for setup. So use
proto_directip_teardown for teardown.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2018-07-27 11:17:20 +02:00
Syrone Wong 7dfd72dfff ead: use new protocol setting API since libpcap 1.9.0
Dropped the protocol API specific symbol: HAS_PROTO_EXTENSION and
switch to the official API

Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
2018-07-27 11:17:20 +02:00
Jo-Philipp Wich 88c88823d5 odhcpd: update to latest git HEAD
44cce31 ubus: avoid dumping interface state with NULL message

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-07-26 14:53:05 +02:00
Jo-Philipp Wich 3ee2c76ae0 firewall: update to latest git HEAD
aa8846b ubus: avoid dumping interface state with NULL message

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-07-26 08:44:53 +02:00
Daniel Engberg f486f81c64 utils/curl: Disable libpsl
Disabled libpsl to fix build issue reported by buildbots

Package libcurl is missing dependencies for the following libraries:
libpsl.so.5


Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-07-24 15:35:51 +02:00
Aleksandr V. Piskunov 20c4819c7b wireguard-tools: add wireguard_watchdog script
This watchdog script tries to re-resolve hostnames for inactive WireGuard peers.
Use it for peers with a frequently changing dynamic IP.
persistent_keepalive must be set, recommended value is 25 seconds.
Run this script from cron every minute:
echo '* * * * * /usr/bin/wireguard_watchdog' >> /etc/crontabs/root

Signed-off-by: Aleksandr V. Piskunov <aleksandr.v.piskunov@gmail.com>
[bump the package release]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-22 21:52:20 +01:00
Jason A. Donenfeld 57b808ec88 wireguard: bump to 0.0.20180718
80b41cd version: bump snapshot
fe5f0f6 recieve: disable NAPI busy polling
e863f40 device: destroy workqueue before freeing queue
81a2e7e wg-quick: allow link local default gateway
95951af receive: use gro call instead of plain call
d9501f1 receive: account for zero or negative budget
e80799b tools: only error on wg show if all interfaces failk

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
[Added commit log to commit description]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-22 21:01:34 +01:00
Felix Fietkau f0ac9afe69 hostapd: remove unused struct hostapd_ubus_iface
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-22 17:17:20 +02:00
Kevin Darbyshire-Bryant 03fce62c09 iproute2: tc: backport canonical cake support
iproute2's tc was updated to support the recently upstreamed cake qdisc.
Backport this canonical support from upstream into iproute2 v4.17

There is no kernel kmod/userspace tc ABI change in this release from the
previous package bump, so everyone can breath a sigh of relief.

This is largely a code style change, the exception to prove the rule:
option 'autorate_ingress' has been changed to 'autorate-ingress' to fit
in with upstream option naming expectations.

No openwrt package (e.g. sqm-scripts) has knowledge of
'autorate_ingress' thus only users who made their own scripts or used
it within the 'dangerous configuration' options of sqm-scripts will be
affected.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-21 08:47:40 +01:00
Mathias Kresin 3838b16943 hostapd: fix conflicts hell
Add each variant to the matching PROVIDERS variables after evaluating
the respective hostapd*, wpad* and wpa* variant.

Each package providing the same feature will automatically conflict with
all prior packages providing the same feature.

This way we can handle the conflicts automatically without introducing
recursive dependencies.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2018-07-18 19:17:46 +02:00
Mathias Kresin 8af8ceb1c8 hostapd: cleanup package definition
Move common variables and/or values to the package (variant) default.
Add additional values in variant packages if necessary. Remove further
duplicates by introducing new templates.

Remove the ANY_[HOSTAPD|SUPPLICANT_PROVIDERS]_PROVIDERS. The are the
same as the variables without the any prefix. No need to maintain both
variables.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2018-07-18 19:17:46 +02:00
Kevin Darbyshire-Bryant 9d5a246930 igmpproxy: run in foreground for procd
procd needs processes to stay in foreground to remain under its gaze and
control.  Failure to do so means service stop commands fail to actually
stop the process (procd doesn't think it's running 'cos the process has
exited already as part of its forking routing)

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-18 18:00:42 +01:00
Hans Dedecker 1e83f775a3 firewall3: update to latest git HEAD
d2bbeb7 firewall3: make reject types selectable by user

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-07-17 22:15:03 +02:00
Hans Dedecker 2336b942b3 dnsmasq: don't use network functions at boottime (FS#1542)
As dnsmasq is started earlier than netifd usage of network.sh functions
at boottime will fail; therefore don't call at boottime the functions
which construct the dhcp pool/relay info.
As interface triggers are installed the dhcp pool/relay info will be
constructed when the interface gets reported as up by netifd.
At the same time also register interface triggers based on DHCP relay
config.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-07-17 21:32:20 +02:00
Jo-Philipp Wich 9019323ec1 ppp: fix building pptp plugin
The pptp.so plugin needs to be built with -fPIC as well in order to be
linkable again.

Fixes 888a15ff83 ("ppp: add missing -fPIC to rp-pppoe.so CFLAGS")
Fixes e7397eef69 ("ppp: compile with LTO enabled")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-07-17 21:21:44 +02:00
Jo-Philipp Wich 28d3a1b54b openvpn: increase procd termination timeout to 15s
Increase the termination timeout to 15s to let OpenVPN properly tear down
its connections, especially when weak links or complex down scripts are
involved.

Fixes FS#859.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-07-17 16:03:56 +02:00
Christian Schoenebeck 1e177844bc dropbear: close all active clients on shutdown
Override the default shutdown action (stop) and close all processes
of dropbear

Since commit 498fe85, the stop action only closes the process
that's listening for new connections, maintaining the ones with
existing clients.
This poses a problem when restarting or shutting-down a device,
because the connections with existing SSH clients, like OpenSSH,
are not properly closed, causing them to hang.

This situation can be avoided by closing all dropbear processes when
shutting-down the system, which closes properly the connections with
current clients.

Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
[Luis: Rework commit message]
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
2018-07-16 08:40:51 +02:00
Daniel Engberg 49bdd43da2 curl: Update to 7.61.0
Update curl to 7.61.0

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-07-15 22:35:22 +02:00
Hans Dedecker def5b7f285 odhcp6c: add noserverunicast config option for broken DHCPv6 servers
Fix broken DHCPv6 servers which provide the server unicast option but
do not reply on DHCPv6 renew messages directed to the IPv6 address
contained in the server unicast option whihc results in broken IPv6
connectivity.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-07-15 22:19:10 +02:00
Felix Fietkau 888a15ff83 ppp: add missing -fPIC to rp-pppoe.so CFLAGS
Fixes build error with LTO

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-14 11:00:23 +02:00
Felix Fietkau 47b42137ce dropbear: compile with LTO enabled
Reduces size of the .ipk on MIPS from 87k to 84k

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00
Felix Fietkau ef96d1e34a firewall: compile with LTO enabled
Reduces .ipk size on MIPS from 41.6k to 41.1k

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00
Felix Fietkau ef16a394d2 iw: compile with LTO enabled
Reduces .ipk size on MIPS from 34k to 33k

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00
Felix Fietkau e7397eef69 ppp: compile with LTO enabled
Reduces .ipk size on MIPS from 98.5k to 98k

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00
Felix Fietkau dfbd49bd22 ppp: fix linker flags for the radius plugin
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00
Felix Fietkau 07940acc34 netifd: compile with LTO enabled
Reduces .ipk size from 65k to 63k on MIPS

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00
Hans Dedecker af70d86d62 netifd: update to latest git HEAD
5cf7975 iprule: rework interface based rules to handle dynamic interfaces
57f87ad Introduce new interface event "create" (IFEV_CREATE)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-07-11 21:55:23 +02:00
Felix Fietkau 68f9921ed8 netifd: update to the latest version
c1f6a82 system-linux: add autoneg and link-partner output
e9eff34 system-linux: extend link mode speed definitions
d1251e1 system-linux: adjust bridge isolate mode for upstream attribute naming
03785fb system-linux: fix build error on older kernels

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-11 20:59:05 +02:00
Moritz Warning 954faac7bc qos-scripts: fix indentation
Signed-off-by: Moritz Warning <moritzwarning@web.de>
2018-07-11 09:40:40 +02:00
Jason A. Donenfeld 4630159294 wireguard: bump to 0.0.20180708
* device: print daddr not saddr in missing peer error
* receive: style

Debug messages now make sense again.

* wg-quick: android: support excluding applications

Android now supports excluding certain apps (uids) from the tunnel.

* selftest: ratelimiter: improve chance of success via retry
* qemu: bump default kernel version
* qemu: decide debug kernel based on KERNEL_VERSION

Some improvements to our testing infrastructure.

* receive: use NAPI on the receive path

This is a big change that should both improve preemption latency (by not
disabling it unconditionally) and vastly improve rx performance on most
systems by using NAPI. The main purpose of this snapshot is to test out this
technique.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-11 09:04:03 +02:00
Hans Dedecker 7e82418372 iproute2: update to 4.17.0
Update to the latest version of iproute2; see https://lwn.net/Articles/756991/
for a full overview of the changes in 4.17.
Remove upstream patch 002-json_print-fix-hidden-64-bit-type-promotion.
Backport upstream patch 001-rdma-sync-some-IP-headers-with-glibc fixing
rdma compile issue.
At the same time re-organize patch numbering so the OpenWRT specific
patches start at 100.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-07-10 19:30:12 +02:00
Felix Fietkau 6dac92a42e hostapd: build with LTO enabled (using jobserver for parallel build)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-10 14:26:35 +02:00
Hans Dedecker 98a6bee09a odhcpd: update to latest git HEAD
345bba0 dhcpv4: improve error checking in handle_dhcpv4()
c0f6390 odhcpd: Check if open the ioctl socket failed

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-07-09 09:28:55 +02:00
Daniel Engberg 10554cfcc1 mbedtls: Update to 2.11.0
Update mbed TLS to 2.11.0

Disable OFB block mode and XTS block cipher mode, added in 2.11.0.
The soVersion of mbedtls changed, bump PKG_RELEASE for packages that use mbedTLS
This is to avoid having a mismatch between packages when upgrading.

The size of mbedtls increased a little bit:
ipkg for mips_24kc before:
163.846 Bytes
ipkg for mips_24kc after:
164.382 Bytes

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-07-07 18:29:14 +02:00
Kevin Darbyshire-Bryant fbf475403b dnsmasq: bump to latest patches on 2.80rc2
Refresh patches and backport upstream to current HEAD:

a997ca0 Fix sometimes missing DNSSEC RRs when DNSSEC validation not enabled.
51e4eee Fix address-dependent domains for IPv6.
05ff659 Fix stupid infinite loop introduced by preceding commit.
db0f488 Handle some corner cases in RA contructed interfaces with addresses changing interface.
7dcca6c Warn about the impact of cache-size on performance.
090856c Allow zone transfer in authoritative mode whenever auth-peer is specified.
cc5cc8f Sane error message when pcap file header is wrong.
c488b68 Handle standard and contructed dhcp-ranges on the same interface.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-03 13:58:55 +01:00
Kevin Darbyshire-Bryant a2165f936e iproute2: tc: update support for cake
Bump iproute2/tc support of cake.

Add support for cake's change to u64 attribute passing for certain
attributes (rate & byte counts)

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-03 11:40:18 +01:00
Jo-Philipp Wich b54bef2058 uhttpd: update to latest Git head
db86175 lua: honour size argument in recv() function
d3b9560 utils: add uh_htmlescape() helper
8109b95 file: escape strings in HTML output
393b59e proc: expose HTTP Origin header in process environment
796d42b client: flush buffered SSL output when tearing down client ustream

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-07-03 06:59:13 +02:00
Hans Dedecker afac2a2dd6 ebtables: update to latest git 2018-06-27
48cff25 build: drop install -o/-g root
53d7e7a extensions: ebt_string: take action if snprintf discards data

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-07-02 17:33:55 +02:00
John Crispin 433d71e73e fw3: update to latest git HEAD
72684e5 firewall3: Fix GCC8 warnings by replacing sprintf with snprintf

Signed-off-by: John Crispin <john@phrozen.org>
2018-07-02 07:23:42 +02:00
Rosen Penev 1f2612a4dd samba36: Disable external libtdb and libtevent
This was causing issues recently as samba36 is not API compatible with the
libtdb in the packages repo. It shouldn't be using it anyway. Nor tevent.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-07-02 07:12:41 +02:00
Alexander Couzens b06c447c5f
swconfig: swlib_map_settings(): change return type to void
The return value of the function isn't used anywhere.
Fixes missing return value, CID 1329717.

Found-by: Coverity
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2018-06-29 05:46:25 +02:00
Alexander Couzens e37ad4e5ca
swconfig: fix un-initialized return value
Fix CID 1330844

Found-by: Coverity
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2018-06-29 05:45:20 +02:00
Tony Ambardar b701d78105 qos-scripts: fix uci callback handling
The previous callback code was fragile, dependent on some UCI callback
bugs and side-effects now fixed in master commit 73d8a6ab.

Update scripts to use callbacks where appropriate and necessary, while
using normal UCI config parsing for all else. This results in smaller,
simpler, more robust code. Use callbacks in generate.sh to only process
'interface' defaults and the varying entries for 'reclassify', 'default'
and 'classify' sections. Also switch qos-stat to use non-callback UCI
handling.

The current changes work independently of 73d8a6ab (i.e. both before and
after), and are consistent with UCI config parsing documentation.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2018-06-28 16:41:45 +02:00
Kevin Darbyshire-Bryant 3ce11588f6 wireguard: bump to 0.0.20180625
dfd9827 version: bump snapshot
88729f0 wg-quick: android: prevent outgoing handshake packets from being dropped
1bb9daf compat: more robust ktime backport
68441fb global: use fast boottime instead of normal boottime
d0bd6dc global: use ktime boottime instead of jiffies
18822b8 tools: fix misspelling of strchrnul in comment
0f8718b manpages: eliminate whitespace at the end of the line
590c410 global: fix a few typos
bb76804 simd: add missing header
7e88174 poly1305: give linker the correct constant data section size
fd8dfd3 main: test poly1305 before chacha20poly1305
c754c59 receive: don't toggle bh

Compile-tested-for: ath79 Archer C7 v2
Run-tested-on: ath79 Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-06-26 20:10:54 +01:00
Hans Dedecker b7ef10cbf0 odhcpd: update to latest git HEAD
81a281e dhcpv6-ia: fix border assignment size setting
a2ffc59 dhcpv6-ia: fix status code for not on link IAs
5b087a6 dhcpv6-ia: improve error checking in assign_pd()
c9114a1 config: fix wrong assignment
bb8470f dhcpv4: delay forced renew transaction start
62a1b09 dhcpv4: fix DHCP address space logic
d5726ff dhcpv4: improve logging when sending DHCP messages
9484351 odhcpd: call handle_error when socket error can be retrieved
c45e2eb dhcpv6: fix out of bounds write in handle_nested_message()
c2ff5af dhcpv6-ia: log renew messages as well
676eb38 router: fix possible segfault in send_router_advert()
392701f odhcpd: fix passing possible negative parameter
029123b treewide: switch to C-code style comments
6b79748 router: improve error checking
12e21bc netlink: fix incorrect sizeof argument
d7aa414 dhcpv6: improve error checking in dhcpv6_setup_interface()
373495a ubus: fix invalid ipv6-prefix json
79d5e6f ndp: improve error checking
d834ae3 dhcpv4: fix error checking in dhcpv4_setup_interface()
f2aa383 dhcpv4: fix out of bound access in dhcpv4_put
4591b36 dhcpv4: improve error checking in dhcpv4_setup_interface()
4983ee5 odhcpd: fix strncpy bounds

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-06-26 14:48:25 +02:00
Philip Prindeville d375d5fafe iperf3: update to 3.6
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2018-06-26 08:57:25 +02:00
Alin Nastac ab07ae2f27 netfilter: add bpf match support
Add xt_bpf modules to {kmod-ipt,iptables-mod}-filter.

Match using Linux Socket Filter. Expects a BPF program in decimal
format. This is the format generated by the nfbpf_compile utility.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
2018-06-26 08:57:25 +02:00
Yousong Zhou c4aadbdaf6 dropbear: let opkg manage symlinks of ssh, scp
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2018-06-25 15:21:24 +08:00
John Crispin ebe1216c7c iptables: set nonshared flag
this makes sure that offloading support is properly included for v4.14 targets.

Signed-off-by: John Crispin <john@phrozen.org>
2018-06-22 11:46:21 +02:00
David Thornley cb262b0939 wwan: Add support for Gemalto Cinterion cellular modules
Includes specific support for PH8(1e2d-0053) / ELS61(1e2d-005b) modules.

Note for ELS61, the serial driver changes from serial option(ttyUSB) to usb-cdc (ttyACM).

Two additional fixes in this commit resolve issues with ttyACM devices: -

* wwan.sh - sys-fs has a subdirectory indirection (*/tty/ttyACMx) which was not handled properly
* wwan.usb - dependent scripts were not included, so this never actually called proto_set_available for example (and relied on inadvertent call for ttyUSB case)

Signed-off-by: David Thornley <david.thornley@touchstargroup.com>
2018-06-22 09:31:32 +02:00
Kevin Darbyshire-Bryant 3b11b225b3 wireguard: bump to 0.0.20180620
0bc4230 version: bump snapshot
ed04799 poly1305: add missing string.h header
cbd4e34 compat: use stabler lkml links
caa718c ratelimiter: do not allow concurrent init and uninit
894ddae ratelimiter: mitigate reference underflow
0a8a62c receive: drop handshake packets if rng is not initialized
cad9e52 noise: wait for crng before taking locks
83c0690 netlink: maintain static_identity lock over entire private key update
0913f1c noise: take locks for ss precomputation
073f31a qemu: bump default kernel
bec4c48 wg-quick: android: don't forget to free compiled regexes
7ce2ef3 wg-quick: android: disable roaming to v6 networks when v4 is specified
9132be4 dns-hatchet: apply resolv.conf's selinux context to new resolv.conf
41a5747 simd: no need to restore fpu state when no preemption
6d7f0b0 simd: encapsulate fpu amortization into nice functions
f8b57d5 queueing: re-enable preemption periodically to lower latency
b7b193f queueing: remove useless spinlocks on sc
5bb62fe tools: getentropy requires 10.12
4e9f120 chacha20poly1305: use slow crypto on -rt kernels on arm too

Compiled-for: ar71xx, lantiq
Run-tested-on: ar71xx Archer C7 v2 & lantiq HH5a

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-06-20 22:10:33 +02:00
Hans Dedecker a9222e0328 odhcp6c: update to latest git HEAD
b99c1f6 odhcp6c: remove len check in option parsing handle

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-06-20 15:42:22 +02:00
Robert Marko 4bb2532ec1 ethtool: Update to 4.17
Tested on 8devices Jalapeno(ipq40xx)
Introduces following changes
* Fix: In ethtool.8, remove superfluous and incorrect \
* Fix: fix uninitialized return value
* Fix: fix RING_VF assignment
* Fix: remove unused global variable
* Fix: several fixes in do_gregs()
* Fix: correctly free hkey when get_stringset() fails
* Fix: remove unreachable code
* Fix: fix stack clash in do_get_phy_tunable and do_set_phy_tunable
* Feature: Add register dump support for MICROCHIP LAN78xx

Signed-off-by: Robert Marko <robimarko@gmail.com>
2018-06-20 15:36:02 +02:00
Hans Dedecker 0e84393ee2 dnsmasq: fix dnsmasq startup issue
Commit ecd954d530 installs specific interface triggers which rewrites the dnsmasq config
file and restarts dnsmasq if the network interface becomes active for which a trigger
has been installed.
In case no dhcp sections are specified or ignore is set to 1 dnsmasq will not be started
at startup which breaks DNS resolving.
Fix this by ditching the BOOT check in start_service and always start dnsmasq at startup.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-06-20 14:07:19 +02:00
Rosy Song 1ee98fdef3 nftables: bump to version 0.9.0
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-06-18 18:21:20 +02:00
Mirko Parthey c84ef1f188 iptables: increment PKG_RELEASE to force update
While support for the FLOWOFFLOAD target is available in the firmware
images, it is still missing in some of the binary packages on
downloads.openwrt.org, e.g. for the mipsel_mips32 architecture.

Increment PKG_RELEASE to force an update of these packages.
Also adjust the package description to include the FLOWOFFLOAD target.

Signed-off-by: Mirko Parthey <mirko.parthey@web.de>
2018-06-18 15:27:57 +02:00
Daniel Golle c8ac28237d ltq-vdsl-app: use downloaded vectoring firmware
Use vectoring firmware downloaded via vdsl_fw_install.sh from
ltq-vdsl-fw package for annex B and annex J.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-06-15 13:28:38 +02:00
Hans Dedecker 31f35be016 odhcp6c: user string option support
ca8822b odhcp6c: add support for user string options

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-06-11 15:48:32 +02:00
Hans Dedecker 8d60f6ee40 dnsmasq: fix confdir option processing (FS#1572)
Fix condir option processing allowing to use the format
"<directory>[,<file-extension>......]," as documented on the dnsmasq man
page which previously resulted into bogus dir being created.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-06-11 11:41:26 +02:00
Denton Gentry a84962ea35 hostapd: make cli treat UNKNOWN COMMAND as failing
Avoid infinite loop at 100% CPU when running hostapd_cli
if CONFIG_CTRL_IFACE_MIB is not defined.

  _newselect(4, [3], NULL, NULL, ...)
  recvfrom(3, "UNKNOWN COMMAND\n", 4095, 0, NULL, NULL) = 16
  sendto(3, "STA-NEXT UNKNOWN COMMAND", 24, 0, NULL, 0) = 24

Signed-off-by: Denton Gentry <denny@geekhold.com>
2018-06-07 09:27:50 +02:00
Rosen Penev 2737cea0bb ethtool: Update to 4.16
Tested on Turris Omnia (mvebu).

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-06-07 09:06:04 +02:00
Rosen Penev 802afaaf5e iperf: Update to 2.0.11
Tested on Turris Omnia (mvebu).

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-06-07 09:05:48 +02:00
Hans Dedecker 1bbe813db0 ebtables: update to latest git 2018-06-06
5699354 extensions: fix build failure on fc28
e6359ee build: update ebtables.h from kernel and drop local unused copy

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-06-06 22:34:41 +02:00
Daniel Golle 987900f2de hostapd: properly build hostapd-only SSL variants
Make sure hostapd-openssl is actually build against OpenSSL, same
for wolfSSL.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-06-05 15:33:35 +02:00
Felix Fietkau 7d8681ccb9 hostapd: expose device taxonomy signature via ubus
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-06-05 09:28:04 +02:00
Felix Fietkau 23c1827e34 hostapd: add support for client taxonomy in the full config
This can be used to fingerprint clients to try to identify the exact
model

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-06-05 09:28:00 +02:00
Hans Dedecker e4577d2e68 map: make tunnel encapsulation limit support configurable (FS#1501)
Be compatible with ISPs which don't support the destination option header containing
the tunnel encapsulation limit as reported in FS#1501.
Setting the uci parameter encaplimit to ignore; allows to disable the insertion
of the destination option header in the map-e packets.
Otherwise the tunnel encapsulation limit value can be set to a value from 0 till 255
by setting the encaplimit uci parameter accordingly.
If no encaplimit value is specified the default value is 4 as before.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-06-04 17:07:29 +02:00
Hans Dedecker 082cd951bb netifd: update to latest git HEAD (FS#1501)
a580028 system-linux: make encaplimit configurable for ip6 tunnels (FS#1501)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-06-04 17:07:15 +02:00
Hans Dedecker 327c711da4 odhcp6c: make ds-lite/map tunnel encapsulation limit support configurable (FS#1501)
Be compatible with ISPs which don't support the destination option header containing
the tunnel encapsulation limit as reported in FS#1501 for dynamic created ds-lite/map
interfaces.
Setting the uci parameter encaplimit_dslite/map to ignore; allows to disable the insertion
of the destination option header for the dynamic created ds-lite/map interface.
Otherwise the tunnel encapsulation limit value can be set to a value from 0 till 255
by setting the encaplimit_dslite/map uci parameter accordingly.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-06-04 17:05:28 +02:00
Hans Dedecker a3372953e9 ds-lite: make tunnel encapsulation limit support configurable (FS#1501)
Be compatible with ISPs which don't support the destination option header containing
the tunnel encapsulation limit as reported in FS#1501.
Setting the uci parameter encaplimit to ignore; allows to disable the insertion
of the destination option header in the ds-lite packets.
Otherwise the tunnel encapsulation limit value can be set to a value from 0 till 255
by setting the encaplimit uci parameter accordingly.
If no encaplimit value is specified the default value is 4 as before.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-06-04 17:04:45 +02:00
Ivan Shapovalov 91b5b2e20d netifd: drop conflicting 'device' interface property
Do not set device runtime property on interfaces in the hotplug handler
and in fixup_interfaces(). This property conflicts with device option
in several proto handlers (mainly QMI and other WWAN/3G protos) and does
not seem to be used anywhere.

Signed-off-by: Ivan Shapovalov <intelfx@intelfx.name>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2018-06-01 15:02:41 +02:00
Jason A. Donenfeld 060e1ecefa wireguard: bump to 0.0.20180531 to fix flow offloading
This version bump was made upstream mostly for OpenWRT, and should fix
an issue with a null dst when on the flow offloading path.

While we're at it, Kevin and I are the only people actually taking care
of this package, so trim the maintainer list a bit.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-31 07:40:15 +02:00
Daniel Golle 78f1974bc5 hostapd: update packaging and patches
Clean up conflicts/provides/depends hell and add PROVIDES for
eapol-test variants while at it.
Update mesh-DFS patchset from Peter Oh to v5 (with local fixes) which
allows to drop two revert-patches for upstream commits which previously
were necessary to un-break mesh-DFS support.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-05-31 00:38:16 +02:00
Rosen Penev 7a20c7a05d curl: Add ca-bundle dependency
While building, curl complains that the path specified is missing.
Also, without ca-bundle, something like 'curl https://www.google.com'
does not work due to a certificate verify error.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-05-30 06:38:19 +02:00
Rosen Penev f97946c496 curl: Use ca-bundle for all TLS libraries.
It simplifies the Makefile a bit. In addition, using ca-bundle
saves some space as well.

It also fixes an issue with at least transmission, which has a dependency
on ca-bundle, but currently libcurl with OpenSSL or GnuTLS cause it not
to work.

This has been tested on mt7621 with OpenSSL and GnuTLS just by running
'curl https://www.google.com' and seeing if there's a verify error.
The rest are already using ca-bundle and therefore work fine.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Tested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-05-30 06:38:06 +02:00
Daniel Golle c8fdd0e9c8 hostapd: convert ssl provider build options to variants
Instead of selecting the SSL provider at compile time, build package
variants for each option so users can select the binary package without
having to build it themselves.
Most likely not all variants have actually ever been user by anyone.
We should reduce the selection to the reasonable and most used
combinations at some point in future. For now, build them all.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-05-25 16:01:59 +02:00
Hans Dedecker a3f2451fba firewall: update to latest git HEAD
30463d0 zones: add interface/subnet bound LOG rules
0e77bf2 options: treat time strings as UTC times

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-05-25 14:33:59 +02:00
Daniel Golle 69f544937f hostapd: update to git HEAD of 2018-05-21, allow build against wolfssl
Support for building wpa_supplicant/hostapd against wolfssl has been
added upstream recently, add build option to allow users using it.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-05-24 22:21:10 +02:00
Hans Dedecker bcf20e0583 Revert "dnsmasq: use "hostsdir" instead of "addn-hosts""
This reverts commit a03035dad1
as it has several issues:
-Host file is located in a directory which is not unique per dnsmasq instance
-odhcpd writes host info into the same directory but still sends a SIGHUP to dnsmasq

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-05-24 10:20:45 +02:00
Christian Schoenebeck a03035dad1 dnsmasq: use "hostsdir" instead of "addn-hosts"
1.) "addn-hosts" per default point to a file (but it supports directory)
2.) "hostsdir" only support directory with the additional benefit: New or changed files are read automatically.

Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
2018-05-23 22:13:26 +02:00
Hauke Mehrtens cb11b23d60 mbedtls: update to version 2.9.0
The soversion was changed in this version again and is now aligned with
the 2.7.2 version.
The size of the ipkg file stayed mostly the same.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-05-22 20:47:20 +02:00
Rosy Song 39e87e0ffc nftables: bump to 0.8.5 version
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-05-21 18:07:47 +02:00
Jason A. Donenfeld aa30eb5b07 wireguard: bump to 20180519
* chacha20poly1305: add mips32 implementation

"The OpenWRT Commit" - this significantly speeds up performance on cheap
plastic MIPS routers, and presumably the remaining MIPS32r2 super computers
out there.

* timers: reinitialize state on init
* timers: round up instead of down in slack_time
* timers: remove slack_time
* timers: clear send_keepalive timer on sending handshake response
* timers: no need to clear keepalive in persistent keepalive

Andrew He and I have helped simplify the timers and remove some old warts,
making the whole system a bit easier to analyze.

* tools: fix errno propagation and messages

Error messages are now more coherent.

* device: remove allowedips before individual peers

This avoids an O(n^2) traversal in favor of an O(n) one. Before systems with
many peers would grind when deleting the interface.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-19 09:02:33 +02:00
Gospod Nassa 3cc56a5534 hostapd: fix IEEE 802.11r (fast roaming) defaults
Use ft_psk_generate_local=1 by default, as it makes everything else fairly
trivial. All of the r0kh/r1kh and key management stuff goes away and hostapd
fairly much does it all	for us.

We do need to provide nas_identifier, which can	be derived from	the BSSID,
and we need to generate	a mobility_domain, for which we	default	to the first
four chars of the md5sum of the	SSID.

The complex manual setup should also still work, but the defaults also
now work easily out of the box. Verified by manually running hostapd
(with the autogenerated config) and watching the debug output:

wlan2: STA ac:37:43:a0:a6:ae WPA: FT authentication already completed - do not start 4-way handshake

 This was previous submitted to LEDE in
 https://github.com/lede-project/source/pull/1382

[dwmw2: Rewrote commit message]
Signed-off-by: Gospod Nassa <devianca@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2018-05-18 11:19:00 +02:00
John Crispin 20b76c0a5b iwinfo: bump to latest git HEAD
e59f925 hardware: add device ids for QCA9984, 88W8887 and 88W8964 radios
2a82f87 nl80211: back out early when receiving FAIL-BUSY reply
77c32f0 nl80211: fix code calculating average signal and rate

Signed-off-by: John Crispin <john@phrozen.org>
2018-05-18 11:19:00 +02:00
Kevin Darbyshire-Bryant f06def4221 wireguard: no longer need portability patch
Drop package/network/services/wireguard/patches/100-portability.patch

Instead pass 'PLATFORM=linux' to make since we are always building FOR
linux.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-05-18 11:19:00 +02:00
Kevin Darbyshire-Bryant 4ff23afdcc wireguard: bump to 20180514
52be69b version: bump snapshot
4884b45 ncat-client-server: add wg-quick variant
a333551 wg-quick: add darwin implementation
f5bf84d compat: backport for OpenSUSE 15
fe1ae1b wg-quick: add wg symlink
ecc1c5f wg-quick: add android implementation
3e6bb79 tools: reorganize for multiplatform wg-quick
b289d12 allowedips: Fix graphviz output after endianness patch

Refresh cross compile compatibility patch

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-05-17 09:47:20 +02:00
Mathias Kresin 0678cc850c ltq-xdsl-app: start after led script
During handshake we are highjack and reset a LED to the configured trigger
afterwards. ltq-xdsl-app need to start after the LED init script, to
ensure that the LED init script doesn't re-highjack the LED we are
currently using for handshake indication.

Drop the comment about the atm dependency. The dependency was fixed quite
some time ago by using hotplug scripts for br2684ctl.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2018-05-17 07:40:19 +02:00
Hans Dedecker 0ed9281fda curl: bump to 7.60.0
Refresh patches; remove 320-mbedtls_dont_use_deprecated_sha256_function
patch as upstream fixed

For changes in version 2.60 see https://curl.haxx.se/changes.html#7_60_0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-05-16 14:36:22 +02:00
Hans Dedecker ac70ac3532 ebtables: update to latest git 2018-05-15
66a9701 ebtables: Fix build errors and warnings
9fff3d5 include: Fix musl libc compatibility
b1cdae8 extensions: Add string filter to ebtables

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-05-15 14:31:11 +02:00
Toke Høiland-Jørgensen 50913b77e4 wireguard: Add support for ip6prefix config option
This makes it easier to distribute prefixes over a wireguard tunnel
interface, by simply setting the ip6prefix option in uci (just like with
other protocols).

Obviously, routing etc needs to be setup properly for things to work; this
just adds the config option so the prefix can be assigned to other
interfaces.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
2018-05-15 06:41:38 +02:00
Sven Eckelmann ba5ec6b77c hostapd: fix VHT80 for encrypted mesh channel settings
The max_oper_chwidth settings was parsed incorrectly for big endian system.
This prevented the system to switch to VHT80 (or VHT160). Instead they were
mapped to:

* HT20:   20MHz
* VHT20:  20MHz
* HT40:   40MHz
* VHT40:  40MHz
* VHT80:  40MHz
* VHT160: 40MHz

This happened because each max_oper_chwidth setting in the config file was
parsed as "0" instead of the actual value.

Fixes: a4322eba2b ("hostapd: fix encrypted mesh channel settings")
Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
2018-05-14 19:07:37 +02:00
John Crispin e1a9485b0e firewall3: update to latest git HEAD
b45e162 helpers: fix the set_helper in the rule structure
f742ba7 helpers.conf: support also tcp in the CT sip helper
08b2c61 helpers: make the proto field as a list rather than one option

Signed-off-by: John Crispin <john@phrozen.org>
2018-05-14 16:24:10 +02:00
Daniel Golle 6e0fa4a76d hostapd: fix mesh+AP
Fix encrypted (or DFS) AP+MESH interface combination in a way similar
to how it's done for AP+STA and fix netifd shell script.
Refresh patches while at it.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-05-14 09:48:58 +02:00
Kevin Darbyshire-Bryant 89c5e32c3e wireguard: bump to 0.0.20180513
6b4a340 version: bump snapshot
faa2103 compat: don't clear header bits on RHEL
4014532 compat: handle RHEL 7.5's recent backports
66589bc queueing: preserve pfmemalloc header bit
37f114a chacha20poly1305: make gcc 8.1 happy
926caae socket: use skb_put_data
724d979 wg-quick: preliminary support for go implementation
c454c26 allowedips: simplify arithmetic
71d44be allowedips: produce better assembly with unsigned arithmetic
5e3532e allowedips: use native endian on lookup
856f105 allowedips: add selftest for allowedips_walk_by_peer
41df6d2 embeddable-wg-library: zero attribute padding
9a1bea6 keygen-html: add zip file example
f182b1a qemu: retry on 404 in wget for kernel.org race

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-05-14 10:41:21 +08:00
Kevin Darbyshire-Bryant 066c85321e dnsmasq: bump to 2.80test2
Refresh patches and backport upstream to current HEAD:

1f1873a Log warning on very large cachesize config, instead of truncating it.
0a496f0 Do unsolicited RAs for interfaces which appear after dnsmasq startup.
e27825b Fix logging in previous.
1f60a18 Retry SERVFAIL DNSSEC queries to a different server, if possible.
a0088e8 Handle query retry on REFUSED or SERVFAIL for DNSSEC-generated queries.
34e26e1 Retry query to other servers on receipt of SERVFAIL rcode.
6b17335 Add packet-dump debugging facility.
07ed585 Add logging for DNS error returns from upstream and local configuration.
0669ee7 Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip are set.
f84e674 Be persistent with broken-upstream-DNSSEC warnings.

Compile & run tested: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-05-12 22:05:07 +02:00
hux ecd954d530 dnsmasq: add specific interface procd triggers
Right now interface.update events are sent out by netifd upon interface state,
route, address (lifetime), prefix lifetime changes.
Dnsmasq is only interested in interface state changes and currently adds an
interface trigger for all the "interface.*" events.
In combination with commit 23bba9cb33, which triggers a SIGHUP signal to dnsmasq,
IPv6 address/prefix lifetime changes on the wan will trigger dnsmasq reloads which
can become frequent in case of shorter lifetimes.

To avoid frequent dnsmasq reload, this patch adds specific interface triggers.
During dnsmasq init it loops dhcp uci section; if the value of the ignore option
is set to 0, then the corresponding interface trigger is not installed.
Otherwise, if the ignore option value is 1, then procd_add_interface_trigger is
called which adds the interface trigger.

Signed-off-by: hux <xinxing.huchn@gmail.com>
2018-05-11 13:49:03 +02:00
Kevin Darbyshire-Bryant 247055cbfb igmpproxy: bump to 0.2.1
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Point at github which is new, maintained location for igmpproxy.
Remove all patches as all have been upstreamed.

Closes FS#1456

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-05-07 11:01:39 +02:00
Jaap Buurman 0b04926433 igmpproxy: fix creation of firewall rules
The init sccript for igmpproxy uses the option 'network' both as an interface name for fetching the l3_device name and for creating the firewall rules. This only works if the name of the network and firewall zone are identical.

This commit introduces a new option 'zone' for configuring the upstream and downstream firewall zones in order for the init script to create the required firewall rules automatically. When no such options are given, the init script falls back to not creating the firewall rules and the user can opt to create these manually.

Signed-off-by: Jaap Buurman <jaapbuurman@gmail.com>
2018-05-07 11:01:04 +02:00
Nick Hainke 0a7657c300 hostapd: add channel utilization as config option
Add the channel utilization as hostapd configuration option.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2018-05-07 10:44:09 +02:00
Kevin Darbyshire-Bryant 080fb7a3fb iproute2: import latest cake
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Bearing fruits of the latest upstreaming efforts on cake.

Changes: diffserv-llt dropped.  The paper describing this DSCP
allocation has gone stale and doesn't appear used.

The userspace to kernel netlink messages for cake have been reworked in
a backwards incompatible way, so tc & cake must be bumped together this
once.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-05-07 08:09:12 +02:00
Kevin Darbyshire-Bryant ad5af37ca7 iproute2: backport json_print-fix-hidden-64-bit-type-promotion
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
print_uint() will silently promote its variable type to uint64_t, but there
is nothing that ensures that the format string specifier passed along with
it fits (and the function name suggest to pass "%u").

Fix this by changing print_uint() to use a native 'unsigned int' type, and
introduce a separate print_u64() function for printing 64-bit values. All
call sites that were actually printing 64-bit values using print_uint() are
converted to use print_u64() instead.

Since print_int() was already using native int types, just add a
print_s64() to match, but don't convert any call sites.

Fixes wonkyness in some stats from some qdiscs under tc

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-05-07 08:09:05 +02:00
Felix Fietkau 3a456683e5 hostapd: fix a mesh mode crash with CONFIG_TAXONOMY enabled
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-05-03 12:38:33 +02:00
Rosy Song fd569e5e9d samba36: add hotplug support
Add hotplug handle script for storage devices,
  this will add corresponding option in the
  /etc/config/samba file automatically.

Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-05-02 09:18:27 +02:00
Hans Dedecker 2f1e329d7a iproute2: update to 4.16
Update to latest version of iproute2, refresh patches.
See https://lkml.org/lkml/2018/4/2/349 for a full overview of the
changes in 4.16.
Build and tested on AR7xxx against musl

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-05-02 09:18:26 +02:00
John Crispin 90e65763a4 iptables: fix per object LDFLAGS for aggragate object builds
Without this patch the extra LDFLAGS of objects were selected based on the
name of the extension being built, which breaks for aggregate so builds.

Signed-off-by: John Crispin <john@phrozen.org>
2018-05-01 11:12:15 +02:00
Hans Dedecker 7ff31bed98 odhcp6c: update to latest git HEAD
5316d7f ra: always trigger update in case of RA parameter change
327f73d dhcpv6: fix strncpy bounds

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-29 23:12:31 +02:00
Hans Dedecker afdca53ace netifd: update to latest git HEAD (Coverity fixes)
56ceced interface-ip: remove superfluous iface check in interface_ip_set_enabled()
4f4a8c0 system-linux: fix strncpy bounds

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-27 21:39:57 +02:00
Kevin Darbyshire-Bryant 78f4305933 iftop: bump to latest
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Choose first running interface, rather than first "up" interface (Redhat #1403025)

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-04-27 09:59:28 +02:00
Hans Dedecker 99815690a2 odhcpd: update to latest git HEAD
4136529 dhcpv6-ia: keep tentative assignments alive for a short time
200cc8f dhcpv6-ia: make assignment lookup more strict

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-23 21:47:23 +02:00
Kevin Darbyshire-Bryant 5950ab067b wireguard: bump to 20180420
7cc2668 version: bump snapshot
860c7c7 poly1305: do not place constants in different sections
5f1e4ca compat: remove unused dev_recursion_level backport
7e4b991 blake2s: remove unused helper
13225fc send: simplify skb_padding with nice macro
a1525bf send: account for route-based MTU
bbb2fde wg-quick: account for specified fwmark in auto routing mode
c452105 qemu: bump default version
dbe5223 version: bump snapshot
1d3ef31 chacha20poly1305: put magic constant behind macro
cdc164c chacha20poly1305: add self tests from wycheproof
1060e54 curve25519: add self tests from wycheproof
0e1e127 wg-quick.8: fix typo
2b06b8e curve25519: precomp const correctness
8102664 curve25519: memzero in batches
1f54c43 curve25519: use cmov instead of xor for cswap
fa5326f curve25519: use precomp implementation instead of sandy2x
9b19328 compat: support OpenSUSE 15
3102d28 compat: silence warning on frankenkernels
8f64c61 compat: stable kernels are now receiving b87b619
62127f9 wg-quick: hide errors on save

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-04-20 18:59:46 +02:00
Daniel Golle a4322eba2b hostapd: fix encrypted mesh channel settings
Import two patches from Peter Oh to allow setting channel
bandwidth in the way it already works for managed interfaces.
This fixes mesh interfaces on 802.11ac devices always coming up in
VHT80 mode.

Add a patch to allow HT40 also on 2.4GHz if noscan option is set, which
also skips secondary channel scan just like noscan works in AP mode.

This time also make sure to add all files to the patch before
committing it...

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-20 16:00:01 +02:00
Felix Fietkau 1a89547957 Revert "hostapd: fix encrypted mesh channel settings"
This reverts commit 7f52919a2f, which is
currently breaking the builds and needs to be reworked

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-04-20 10:36:42 +02:00
Daniel Golle 7f52919a2f hostapd: fix encrypted mesh channel settings
Import two patches from Peter Oh to allow setting channel
bandwidth in the way it already works for managed interfaces.
This fixes mesh interfaces on 802.11ac devices always coming up in
VHT80 mode.

Add a patch to allow HT40 also on 2.4GHz if noscan option is set, which
also skips secondary channel scan just like noscan works in AP mode.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-20 07:52:19 +02:00
Daniel Golle 2ec96787c3 netifd: update to latest git HEAD
b3dca7b wireless: include noscan option in common wdev vars

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-20 07:52:19 +02:00
Hans Dedecker fdf2e1fe1e odhcpd: update to latest git HEAD (FS#1457)
dcfc06a router: fix managed address configuration setting

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-19 15:51:13 +02:00
Florian Eckert 4a243f7a09 network/uqmi: pipe the output off qmi_wds_stop to /dev/null
Pipe uqmi output from qmi_wds_stop function into /dev/null.
This will supress the following output in proto teardown.

netifd: wwan (x): "No effect"
netifd: wwan (x): Command failed: Permission denied

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2018-04-19 14:39:38 +02:00
Daniel Golle ff8df2b3f9 hostapd: mesh: make forwarding configurable
For unencrypted mesh networks our scripts take care of setting
the various mesh_param values. wpa_supplicant changes somes of them
when being used for SAE encrypted mesh and previously didn't allow
configuring any of them. Add support for setting mesh_fwding (which
has to be set to 0 when using other routing protocols on top of
802.11s) and update our script to pass the value to wpa_supplicant.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-18 22:12:18 +02:00
Daniel Engberg ed4ac0ed65 curl: Deprecate idn(1) support and switch to xz tarball
libidn(1) is deprecated, add libidn2 support
Switch to xz tarball (smaller size)

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-04-16 22:01:09 +02:00
Hans Dedecker 20d3c118ae netifd: update to latest git HEAD (coverity fixes)
513eb27 system-linux: check ioctl return value in system_vlan()
df1625d system-linux: check ioctl return value in system_if_flags()
209c508 system-linux: fix segfault on alloc failure in system_if_check()
4a8e20e system-linux: fix segfault on error in system_add_ip6_tunnel()
36e4700 handler: fix resource leak on error in netifd_init_script_handlers()
86a0e7c system-linux: remove unnecessary open call in system_if_dump_info()
1e2cf67 system-linux: fix memory leak on error in system_add_vxlan()

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-16 13:12:48 +02:00
Stijn Tintel 03774d28e1 lldpd: bump to 1.0.1
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2018-04-15 21:41:36 +03:00
Daniel Golle c52ef396f9 hostapd: fix compile of -mini variants
Fixes commit d88934aa5a (hostapd: update to git snapshot of 2018-04-09)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-13 06:01:16 +02:00
Daniel Golle d88934aa5a hostapd: update to git snapshot of 2018-04-09
And import patchset to allow 802.11s mesh on DFS channels, see also
http://lists.infradead.org/pipermail/hostap/2018-April/038418.html
Fix sae_password for encryption mesh (sent upstream as well).
Also refreshed existing patches and fixed 463-add-mcast_rate-to-11s.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-13 03:27:01 +02:00
Matthias Schiffer 85a35c644e
ebtables: update to latest git 2018-04-11
2e783b227766 ebt_ip: add support for matching IGMP type
b5fbb8d786c9 ebt_ip: add support for matching ICMP type and code
c5e5b784fd1a Move ICMP type handling functions from ebt_ip6 to useful_functions.c
11da52177196 include: sync linux/netfilter_bridge/ebt_ip.h with kernel

Note: the new features require at least kernel 4.17 or backported patches.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-04-12 07:34:57 +02:00
Matthias Schiffer 177fa14340
iptables: split physdev match out as a separate package
Split physdev match out of ipt-extra to allow installing ipt-extra without
pulling in br-netfilter.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-04-09 19:41:48 +02:00