Commit Graph

2989 Commits (5e82e1ed2f71586ec4a9c4e21449a9a78013c38e)

Author SHA1 Message Date
Jason A. Donenfeld 84025110cc wireguard: bump to 1.0.20200330
* queueing: backport skb_reset_redirect change from 5.6
* version: bump

This release has only one slight change, to put it closer to the 5.6
codebase, but its main purpose is to bump us to a 1.0.y version number.
Now that WireGuard 1.0.0 has been released for Linux 5.6 [1], we can put
the same number on the backport compat codebase.

When OpenWRT bumps to Linux 5.6, we'll be able to drop this package
entirely, which I look forward to seeing.

[1] https://lists.zx2c4.com/pipermail/wireguard/2020-March/005206.html

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-03-31 08:01:34 +02:00
Nick Hainke c9c3fd1320 hostapd: add abridged flag in disassoc_imminent
If the abridged flag is set to 1 the APs that are listed in the BSS
Transition Candidate List are prioritized. If the bit is not set, the
APs have the same prioritization as the APs that are not in the list.

If you want to steer a client, you should set the flag!

The flag can be set by adding {...,'abridged': true,...} to the normal
ubus call.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2020-03-30 01:46:50 +02:00
Nick Hainke c8ef465e10 hostapd: expose beacon reports through ubus
Subscribe to beacon reports through ubus.
Can be used for hearing map and client steering purposes.

First enable rrm:
    ubus call hostapd.wlan0 bss_mgmt_enable '{"beacon_report":True}'

Subscribe to the hostapd notifications via ubus.

Request beacon report:
    ubus call hostapd.wlan0 rrm_beacon_req
	'{"addr":"00:xx:xx:xx:xx:xx", "op_class":0, "channel":1,
	"duration":1,"mode":2,"bssid":"ff:ff:ff:ff:ff:ff", "ssid":""}'

Signed-off-by: Nick Hainke <vincent@systemli.org>
[rework identation]
Signed-off-by: David Bauer <mail@david-bauer.net>
2020-03-30 01:46:50 +02:00
Jesus Fernandez Manzano 86440659b5 hostapd: Add 802.11r support for WPA3-Enterprise
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
2020-03-30 01:46:50 +02:00
Hans Dedecker 089cddc252 odhcp6c: update to latest git HEAD
f575351 ra: fix sending router solicitations

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-03-29 22:24:30 +02:00
Kevin Darbyshire-Bryant 8d25c8e7f6 dnsmasq: bump to 2.81rc4
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-03-29 18:30:08 +01:00
Kevin Darbyshire-Bryant 94dae0f191 nftables: implement no/json variants
Replace the build time choice of json support with a package based
choice.  Users requiring a json aware version of 'nft' may now install
nftables-json.

The default choice to fulfill the 'nftables' package dependency is
'nftables-nojson'

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-03-29 17:27:54 +01:00
DENG Qingfang 972daf7fdc curl: rebuild when libopenssl config changes
When some libopenssl options change curl will have to be rebuild to
adapt to those changes, avoiding undefined reference errors or features
disabled in curl.

Add CONFIG_OPENSSL_ENGINE, CONFIG_OPENSSL_WITH_COMPRESSION and
CONFIG_OPENSSL_WITH_NPN to PKG_CONFIG_DEPENDS so it will trigger
rebuild every time the options are changed.

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2020-03-29 14:31:04 +01:00
Hans Dedecker 001211a5ba netifd: fix compilation with musl 1.2.0
1e8328 system-linux: fix compilation with musl 1.2.0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-03-26 21:58:02 +01:00
Hans Dedecker ea69b13d84 odhcp6c: fix compilation with musl 1.2.0
49305e6 odhcp6c: fix compilation with musl 1.2.0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-03-26 21:58:02 +01:00
Henrique de Moraes Holschuh 556b8581a1 dnsmasq: fix dnssec+ntp chicken-and-egg workaround (FS#2574)
Fix the test for an enabled sysntp initscript in dnsmasq.init, and get
rid of "test -o" while at it.

Issue reproduced on openwrt-19.07 with the help of pool.ntp.br and an
RTC-less ath79 router.  dnssec-no-timecheck would be clearly missing
from /var/etc/dnsmasq.conf.* while the router was still a few days in
the past due to non-working DNSSEC + DNS-based NTP server config.

The fix was tested with the router in the "DNSSEC broken state": it
properly started dnsmasq in dnssec-no-timecheck mode, and eventually ntp
was able to resolve the server name to an IP address, and set the system
time.  DNSSEC was then enabled by SIGINT through the ntp hotplug hook,
as expected.

A missing system.ntp.enabled UCI node is required for the bug to show
up.  The reasons for why it would be missing in the first place were not
investigated.

Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2020-03-25 21:40:51 +01:00
Henrique de Moraes Holschuh f81403c433 dnsmasq: init: get rid of test -a and test -o
Refer to shellcheck SC2166.  There are just too many caveats that are
shell-dependent on test -a and test -o to use them.

Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
2020-03-25 21:39:20 +01:00
Jo-Philipp Wich 052aaa7c96 uhttpd: bump to latest Git HEAD
5e9c23c client: allow keep-alive for POST requests
5fc551d tls: support specifying accepted TLS ciphers

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-03-25 19:22:10 +01:00
Kevin Darbyshire-Bryant 9b0290ffbd nftables: bump to 0.9.3
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-03-24 14:42:48 +00:00
Jordan Sokolic 27ffd5ee30 dnsmasq: add 'scriptarp' option
Add option 'scriptarp' to uci dnsmasq config to enable --script-arp functions.
The default setting is false, meaning any scripts in `/etc/hotplug.d/neigh` intended
to be triggered by `/usr/lib/dnsmasq/dhcp-script.sh` will fail to execute.

Also enable --script-arp if has_handlers returns true.

Signed-off-by: Jordan Sokolic <oofnik@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2020-03-22 22:17:37 +01:00
David Bauer 46d0ce19f1 iwinfo: update to latest Git HEAD
9f5a7c4 iwinfo: add missing HT modename for HT-None
06a03c9 Revert "iwinfo: add BSS load element to scan result"
9a4bae8 iwinfo: add device id for Qualcomm Atheros QCA9990
eba5a20 iwinfo: add device id for BCM43602
a6914dc iwinfo: add BSS load element to scan result
bb21698 iwinfo: add device id for Atheros AR9287
7483398 iwinfo: add device id for MediaTek MT7615E

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-03-22 02:08:02 +01:00
Rafał Miłecki 8c33debb52 samba36: log error if getting device info failed
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2020-03-21 22:35:45 +01:00
Jason A. Donenfeld 2bd56595a6 wireguard: bump to 0.0.20200318
WireGuard had a brief professional security audit. The auditors didn't find
any vulnerabilities, but they did suggest one defense-in-depth suggestion to
protect against potential API misuse down the road, mentioned below. This
compat snapshot corresponds with the patches I just pushed to Dave for
5.6-rc7.

* curve25519-x86_64: avoid use of r12

This buys us 100 extra cycles, which isn't much, but it winds up being even
faster on PaX kernels, which use r12 as a RAP register.

* wireguard: queueing: account for skb->protocol==0

This is the defense-in-depth change. We deal with skb->protocol==0 just fine,
but the advice to deal explicitly with it seems like a good idea.

* receive: remove dead code from default packet type case

A default case of a particular switch statement should never be hit, so
instead of printing a pretty debug message there, we full-on WARN(), so that
we get bug reports.

* noise: error out precomputed DH during handshake rather than config

All peer keys will now be addable, even if they're low order. However, no
handshake messages will be produced successfully. This is a more consistent
behavior with other low order keys, where the handshake just won't complete if
they're being used anywhere.

* send: use normaler alignment formula from upstream

We're trying to keep a minimal delta with upstream for the compat backport.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-03-21 09:42:07 +01:00
Jason A. Donenfeld 858c6b17c8 wireguard-tools: bump to 1.0.20200319
* netlink: initialize mostly unused field
* curve25519: squelch warnings on clang

Code quality improvements.

* man: fix grammar in wg(8) and wg-quick(8)
* man: backlink wg-quick(8) in wg(8)
* man: add a warning to the SaveConfig description

Man page improvements. We hope to rewrite our man pages in mdocml at some
point soon.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-03-21 09:41:52 +01:00
Daniel Golle 50a59b3a39 hostapd: fix segfault in wpa_supplicant ubus
When introducing ubus reload support, ubus initialization was moved
to the service level instead of being carried out when adding a BSS
configuration. While this works when using wpa_supplicant in that way,
it breaks the ability to run wpa_supplicant on the command line, eg.
for debugging purposes.
Fix that by re-introducing ubus context intialization when adding
configuration.

Reported-by: @PolynomialDivision https://github.com/openwrt/openwrt/pull/2417
Fixes: 60fb4c92b6 ("hostapd: add ubus reload")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-03-18 19:05:22 +01:00
Leon M. George b78f61c336 hostapd: fix pointer cast warnings
Signed-off-by: Leon M. George <leon@georgemail.eu>
2020-03-17 10:23:28 +01:00
Leon M. George a8a993e64c hostapd: remove trailing whitespace
Signed-off-by: Leon M. George <leon@georgemail.eu>
2020-03-17 10:23:28 +01:00
Hans Dedecker 3db9b83f16 curl: bump to 7.69.1
For changes in 7.69.1; see https://curl.haxx.se/changes.html#7_69_1

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-03-16 21:31:01 +01:00
Rozhuk Ivan d890f85e59 wwan: fix hotplug event handling
Hotplug manager send: "remove" -> "add" -> "bind" events,
script interpret bind as "not add" = "remove" and mark device
as unavailable.

Signed-off-by: Rozhuk Ivan <rozhuk.im@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2020-03-16 21:03:25 +01:00
Rozhuk Ivan 4821ff064b comgt: fix hotplug event handling
Hotplug manager send: "remove" -> "add" -> "bind" events,
script interpret bind as "not add" = "remove" and mark device
as unavailable.

Signed-off-by: Rozhuk Ivan <rozhuk.im@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2020-03-16 21:02:33 +01:00
Hans Dedecker d21f5aaa99 netifd: update to latest git HEAD
dbdef93 interface-ip: transfer prefix route ownership for deprecated ipv6addr to kernel

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-03-16 20:59:12 +01:00
Mathias Kresin 1a9408281b iproute2: revert add libcap support, enabled in ip-full
This reverts commit a6da3f9ef7.

The libcap isn't as optional as the commit messages suggests. A hard
dependency to the libcap package is added, which is only available in
the external packages feed. Therefore it is impossible to package
ip-full without having the external packages feed up and running, which
is a regression to the former behaviour.

Signed-off-by: Mathias Kresin <dev@kresin.me>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2020-03-15 21:38:05 +01:00
Hans Dedecker a5c30efeb1 odhcpd: update to latest git HEAD
6594c6b ubus: use dhcpv6 ia assignment flag
a90cc2e dhcpv6-ia: avoid setting lifetime to infinite for static assignments
bb07fa4 dhcpv4: avoid setting lifetime to infinite for static assignments

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-03-15 20:09:19 +01:00
Kevin Darbyshire-Bryant d7613bd02f iptables: update to 1.8.4
Bump to iptable 1.8.4 and address packaging issue as mentioned in the
original bump/revert cycle.

"This reverts commit 10cbc896c0.
The updated iptables package does not build due to the following error
encountered on the buildbots:
    cp: cannot stat '.../iptables-1.8.4/ipkg-install/usr/lib/libiptc.so.*': No such file or directory

The changelog mentions "build: remove -Wl,--no-as-needed and libiptc.so" so
it appears as if further packaging changes are needed beyond a simple
version bump."

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-03-15 15:55:56 +00:00
Hans Dedecker 659ae99e9b curl: bump to 7.69.0
For changes in 7.69.0; see https://curl.haxx.se/changes.html#7_69_0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-03-10 22:15:18 +01:00
Kevin Darbyshire-Bryant 04a21c26a0 dnsmasq: bump to v2.81rc3
Bump to latest release candidate and drop 2 local patches that have been
upstreamed.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-03-10 12:49:07 +00:00
Kevin Darbyshire-Bryant 0b84b89251 dnsmasq: bump to 2.81rc2 + 2 local
Bump to dnsmasq 2.81rc2.  In the process discovered several compiler
warnings one with a logical error.

2 relevant patches sent upstream, added as 2 local patches for OpenWrt

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-03-06 15:47:56 +00:00
Kevin Darbyshire-Bryant 3251ac8f2d dnsmasq: bump to v2.81rc1
1st release candidate for v2.81 after 18 months.

Refresh patches & remove all upstreamed leaving:

110-ipset-remove-old-kernel-support.patch

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-03-04 20:44:23 +00:00
Alan Swanson 25cb5685c1 netifd: rename 20-smp-tune to 20-smp-packet-steering
Rename the script to be more obvious that this is for
packet steering only.

Signed-off-by: Alan Swanson <reiver@improbability.net>
2020-03-03 22:43:09 +01:00
Alan Swanson d3868f15f8 netifd: change RPS/XPS handling to all CPUs and disable by default
The current implementation is significantly lowering lantiq
performace [1][2] by using RPS with non-irq CPUs and XPS
with alternating CPUs.

The previous netifd implementation (by default but could be
configured) simply used all CPUs and this patch essentially
reverts to this behaviour.

The only document suggesting using non-interrupt CPUs is Red
Hat [3] where if the network interrupt rate is extremely high
excluding the CPU that handles network interrupts *may* also
improve performance.

The original packet steering patches [4] advise that optimal
settings for the CPU mask seems to depend on architectures
and cache hierarcy so one size does not fit all. It also
advises that the overhead in processing for a lightly loaded
server can cause performance degradation.

Ideally, proper IRQ balancing is a better option with
the irqbalance daemon or manually.

The kernel does not enable packet steering by default, so
also disable in OpenWRT by default. (Though mvebu with its
hardware scheduling issues [5] might want to enable packet
steering by default.)

Change undocumented "default_ps" parameter to clearer
"packet_steering" parameter. The old parameter was only ever
set in target/linux/mediatek/base-files/etc/uci-defaults/99-net-ps
and matched the default.

[1] https://forum.openwrt.org/t/18-06-4-speed-fix-for-bt-homehub-5a
[2] https://openwrt.ebilan.co.uk/viewtopic.php?f=7&t=1105
[3] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/performance_tuning_guide/network-rps
[4] https://marc.info/?l=linux-netdev&m=125792239522685&w=2
[5] https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=2e1f6f1682d3974d8ea52310e460f1bbe470390f

Fixes: #1852
Fixes: #2573

Signed-off-by: Alan Swanson <reiver@improbability.net>
2020-03-03 22:43:08 +01:00
Petr Štetiar 2c3c83e40b ppp: activate PIE ASLR by default
This activates PIE ASLR support by default when the regular option is
selected.

Size increase on imx6:

 112681 ppp_2.4.8-2_arm_cortex-a9_neon.ipk
 121879 ppp_2.4.8-2_arm_cortex-a9_neon.ipk
 = 9198 diff

Acked-by: Alexander Couzens <lynxis@fe80.eu>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-03-01 21:35:59 +01:00
Petr Štetiar 35890514bb ppp: backport security fixes
8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP
8d7970b8f3db pppd: Fix bounds check in EAP code
858976b1fc31 radius: Prevent buffer overflow in rc_mksid()

Signed-off-by: Petr Štetiar <ynezz@true.cz>
Fixes: CVE-2020-8597
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-26 16:38:43 +01:00
Jo-Philipp Wich 817e775319 Revert "ppp: backport security fixes"
This reverts commit 215598fd03 since it
didn't contain a reference to the CVE it addresses. The next commit
will re-add the commit including a CVE reference in its commit message.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-26 16:37:27 +01:00
John Crispin d3b7838ebe hostapd: enhance wifi reload
Add a radio_config_id property. If the radio config changes return an error
upon receiving the reconf call.

Signed-off-by: John Crispin <john@phrozen.org>
2020-02-25 17:01:55 +01:00
Piotr Dymacz 2d113f89d2 hostapd: start hostapd/wpa_supplicant for all wiphy devices
c888e17e06 ("hostapd: manage instances via procd instead of pidfile")
added procd support for managing hostapd and wpa_supplicant daemons
but at the same time limited wiphy names to 'phy*'.

This brings back initial behaviour (introduced in 60fb4c92b6 ("hostapd:
add ubus reload") and makes procd manage daemons for any wiphy device
found in '/sys/class/ieee80211'.

CC: Felix Fietkau <nbd@nbd.name>
CC: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2020-02-24 23:27:50 +01:00
Piotr Dymacz 82679ca0b9 umbim: move package to 'WWAN' submenu
'uqmi' was moved to 'WWAN' submenu in 9abdeee0b7.
Let's be consistent and do the same with 'umbim'.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2020-02-24 23:27:50 +01:00
Hauke Mehrtens 806354ab53 linux-atm: Fix compile warning
The function trace_on_exit() is given to atexit() as a parameter, but
atexit() only takes a function pointer to a function with a void
parameter.

This problem was introduced when the on_exit() function was incompletely
replaced by atexit().

Fixes: ba6c8bd614 ("linux-atm: add portability fixes")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-02-24 23:25:28 +01:00
DENG Qingfang b9d29b78c8 iw: update to 5.4
Update iw to 5.4
This increases the ipk size of iw-tiny/full by about 400 bytes

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2020-02-22 16:38:41 +01:00
Adrian Schmutzler a5b2c6f5ed rssileds: add dependencies based on LDFLAGS
This adds the direct dependencies introduced by TARGET_LDFLAGS
to the package's DEPENDS variable.

This was found by accidentally building rssileds on octeon, which
resulted in:

"Package rssileds is missing dependencies for the following libraries:
libnl-tiny.so"

Though the dependencies are provided when building for the
relevant targets ar71xx, ath79 and ramips, it seems more tidy to
specify them explicitly.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-02-22 14:26:01 +01:00
Stijn Tintel a9b5473c92 lldpd: bump to 1.0.5
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2020-02-22 10:31:28 +02:00
Petr Štetiar 215598fd03 ppp: backport security fixes
8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP
8d7970b8f3db pppd: Fix bounds check in EAP code
858976b1fc31 radius: Prevent buffer overflow in rc_mksid()

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-02-20 09:12:12 +01:00
Russell Senior 731f7ea48a dnsmasq: fix uci-defaults script to exit 0 so it is cleaned up
A file, package/network/services/dnsmasq/files/50-dnsmasq-migrate-resolv-conf-auto.sh,
was added in commit 6a28552120, but it
does not exit in a way that tells the uci-defaults mechanism that it
succeeded, and so it is not cleaned up after running successfully. Add
an exit 0 to the end to correct that.

Signed-off-by: Russell Senior <russell@personaltelco.net>
2020-02-19 22:02:59 +01:00
Jason A. Donenfeld 49caf9f98a wireguard: bump to 0.0.20200215
* send: cleanup skb padding calculation
* socket: remove useless synchronize_net

Sorry for the back-to-back releases. This fixes a regression spotted by Eric
Dumazet.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-02-15 08:57:49 +01:00
DENG Qingfang 5715b21f80 iproute2: update to 5.5.0, enable LTO
Update iproute2 to 5.5.0
Enable LTO to save several KB of size

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2020-02-13 21:35:13 +01:00
Jo-Philipp Wich 04069fde19 uhttpd: update to latest Git HEAD
2ee323c file: poke ustream after starting deferred program

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-12 18:01:13 +01:00