Commit Graph

43798 Commits (78277ec162b06e859923936ee00d02920b4ccc6f)

Author SHA1 Message Date
Paul Wassi 78277ec162 ar71xx: fix TL-MR3220-v2 switch port order
Fix the switch port order for proper display on high
level interfaces.

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
2019-02-14 16:56:14 +01:00
Paul Wassi 341311f319 ar71xx: fix TL-WR741ND-v4 switch port order
Fix the switch port order for proper display on high
level interfaces.

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
2019-02-14 16:56:14 +01:00
Paul Wassi ff541c5ca2 ath79: rename TL-WR740ND-v4 to TL-WR740N-v4
Give the device the same name it had in ar71xx.

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
2019-02-14 16:56:14 +01:00
Paul Wassi da1107f8a5 ath79: fix TL-WR741ND-v4 switch port order
Fix the switch port order for proper display on high
level interfaces.

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
2019-02-14 16:56:13 +01:00
Koen Vandeputte 6b6f238b82 kernel: bump 4.19 to 4.19.21
Refreshed all patches.

Remove upstreamed:
- 0007-ARM-dts-Fix-up-the-D-Link-DIR-685-MTD-partition-info.patch

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-02-14 16:45:01 +01:00
Koen Vandeputte 9a1d7ff187 kernel: bump 4.14 to 4.14.99
Refreshed all patches.

Remove upstreamed:
- 950-0434-mmc-bcm2835-Recover-from-MMC_SEND_EXT_CSD.patch

Compile-tested on: ar71xx, cns3xxx, imx6, x86_64
Runtime-tested on: ar71xx, cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-02-14 16:45:01 +01:00
Koen Vandeputte a23a13dec2 kernel: bump 4.9 to 4.9.156
Refreshed all patches.

Compile-tested on: ar7
Runtime-tested on: none

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-02-14 16:45:01 +01:00
Hans Dedecker 880f8e6d32 dnsmasq: add rapid commit config option
Add config option rapidcommit to enable support for DHCPv4 rapid
commit (RFC4039)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-13 10:37:36 +01:00
Eneas U de Queiroz 29b69e840a openssl: add package for openssl.cnf, misc changes
- Add the /etc/ssl/openssl.cnf as a separate package, to avoid breaking
  the transitional mechanism, allowing libopenssl_1.0* and
  libopenssl_1.1* to coexist.

- Remove the (selecting) dependency on @KERNEL_AIO

- Use global SOURCE_DATE_EPOCH

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-12 22:24:09 +01:00
Eneas U de Queiroz 2eeb2853ed openssl: optimizations based on ARCH/small flash
Add a patch to enable the option to change the default ciphersuite list
ordering to prefer ChaCha20 over AES-GCM.  This is used by default for
all platforms, except for x86_64 and aarch64. The assumption is that
only the latter have AES-specific CPU instructions and asm code that
uses them in openssl.  Chacha20Poly1305 is 3x faster than AES-256 in
systems without AES instructions, with an equivalent strength.

Disable error messages by default except for devices with small flash or
RAM, to aid debugging.

Disable ASM by default on arm platform with small flash.  Size
difference on mips and powerpc, the other platforms with small flash
devices, are not really relevant (using 100K as a threshold).  All of
the affected platforms are source-only anyway.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-12 22:24:09 +01:00
Eneas U de Queiroz d872d00b2f openssl: update to version 1.1.1a
This version adds the following functionality:
  * TLS 1.3
  * AFALG engine support for hardware acceleration
  * x25519 ECC curve support
  * CRIME protection: disable use of compression by default
  * Support for ChaCha20 and Poly1305

Patches fixing bugs in the /dev/crypto engine were applied, from
https://github.com/openssl/openssl/pull/7585

This increases the size of the ipk binary on MIPS32 by about 32%:
old:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

new:
912.493 bin/packages/mips_24kc/base/libopenssl1.1_1.1.1a-2_mips_24kc.ipk
239.316 bin/packages/mips_24kc/base/openssl-util_1.1.1a-2_mips_24kc.ipk

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-12 22:23:26 +01:00
Eneas U de Queiroz be3892284c openssl: add configuration options, disable ssl3
Adds the following configuration options:
* using optimized assembler code (was always on before)
* use of x86 SSE2 instructions
* dynamic engine support
* include error messages
* Camellia, Gost, Idea, MDC2, Seed & Whirlpool algorithms
* RFC3779, CMS protocols
* VIA padlock hardware acceleration engine

Installs openssl.cnf with the library as it is used by engines
independent of the openssl util.

Fixes DTLS option that was ineffective before.

Disables insecure SSL3 protocol and SHA0.

Adds openwrt-specific targets to Configure script, including asm support
for i386, ppc and mips64.

Strips building dirs from CFLAGS shown in binary.

Skips the fuzz directory during build.

Removed include/crypto/devcrypto.h that was included here, to use the
cryptodev-linux package, now that it has been moved from the packages
feed to the main openwrt repository.

This decreases the size of the ipk binary on MIPS32 by about 3.3%:
old:
706.957 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
199.294 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

new:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-12 21:14:46 +01:00
Felix Fietkau b044b52ab9 base-files: fix ucert verification
ucert needs to check the firmware part with metadata, but without the signature.
Use the new fwtool mode to extract that without altering the firmware image inside
the check

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-12 16:42:03 +01:00
Felix Fietkau 8f4e31ea6e fwtool: add support for extracting the truncated data part to stdout
This allows extracting the firmware + metadata from a signed firmware without
altering the original image file

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-12 16:41:38 +01:00
Felix Fietkau d5681e45f0 fwtool: do not strip metadata if extracting signature
This allows the signature to cover the metadata area

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-12 16:41:38 +01:00
Felix Fietkau db93949aa3 hostapd: fix race condition in mesh new peer handling
Avoid trying to add the same station to the driver multiple times

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-12 15:12:35 +01:00
Felix Fietkau 6a15077e2d hostapd: send wpa_supplicant logging output to syslog
Helpful for debugging network connectivity issues

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-12 15:12:35 +01:00
Rafał Miłecki 9485ea721e mac80211: brcmfmac: backport early changes queued for the Linux 5.1
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2019-02-12 14:18:18 +01:00
Rafał Miłecki 0994e65c6a mac80211: brcmfmac: backport remaining patches from the Linux 5.0
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2019-02-12 13:50:40 +01:00
Tony Ambardar 248797834b iproute2: tc: reduce size of dynamic symbol table
In the case of SHARED_LIBS=y, don't use -export-dynamic to place *all*
symbols into the dynamic symbol table. Instead, use --dynamic-list to
export a smaller set of symbols similar to that defined in static-syms.h
in the case of SHARED_LIBS=n, avoiding an 11 KB tc package size increase.

Also increment PKG_RELEASE.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar fc80ef3613 iproute2: tc: enable and fix support for using .so plugins
This enables using the tc module m_xt.so, which uses the act_ipt kernel
module to allow tc actions based on iptables targets. e.g.

   tc filter add dev eth0 parent 1: prio 10 protocol ip \
   u32 match u32 0 0 action xt -j DSCP --set-dscp-class BE

Make the SHARED_LIBS parameter configurable and based on tc package
selection.

Fix a problem using the tc m_xt.so plugin as also described in
https://bugs.debian.org/868059:

  Sync include/xtables.h from iptables to make sure the right offset is
  used when accessing structure members defined in libxtables. One could
  get “Extension does not know id …” otherwise. (See also: #868059)

Patch to sync the included xtables.h with system iptables 1.6.x. This
continues to work with iptables 1.8.2.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar 26681fa6a6 iproute2: simplify linking libelf for eBPF/XDP object file support
Simplify build and runtime dependencies on libelf, which allows tc and ip
to load BPF and XDP object files respectively.

Preserve optionality of libelf by having configuration script follow the
HAVE_ELF environment variable, used similarly to the HAVE_MNL variable.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar e6d84fa886 iproute2: use tc package variant to limit other package sizes
Replace the old 'tc' with a singleton package variant which will be used
to enable additional functionality and limit it only to tc. Non-variant
packages will only be installed during 'tiny' variant builds, hence will
be configured without extra features, thus preserving previously limited
functionality and reduced package sizes.

Also set ip-tiny as the default variant, and install 'tiny' versions of
development libraries.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar bc86da377c iproute2: simplify Makefile, patches and fix feature detection
Compile-based feature detection (e.g. xtables, ipset support) was broken
due to silent compilation errors in the configure script, caused by a
Makefile variable KERNEL_INCLUDE referring to kernel build headers. Use
userspace headers by setting the same "user_headers" kernel include path
as used for the iptables build.

Remove redundant or unused Build/Configure definitions from package
Makefile, including KERNEL_INCLUDE, LIBC_INCLUDE and DBM includes.

Don't pass LDFLAGS within MAKE_FLAGS as this interferes with LDFLAGS in
tc/Makefile and masks a link parameter ("-Wl,-export-dynamic"). Instead,
use standard TARGET_LDFLAGS.

Replace EXTRA_CCOPTS in MAKE_FLAGS with cleaner TARGET_CPPFLAGS, and also
drop now unneeded patch 150-extra-ccopts.patch.

Enable defining XT_LIB_DIR from Makefile, needed to set the iptables
modules directory to something other than /lib/xtables, and also add
libxtables dependency. Both are needed with working xtables detection.
Note that libxtables is also pulled in by iptables, firewall or luci, so
this change has no size impact in most cases.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar 43e14a2f9e iproute2: fix broken configuration patch
Since v4.13, iproute2 switched to a config.mk file with greater use of
pkg-config for library/feature detection. Replace the old Config patch
with one modifying the configure script but enabling the same changes:
 - explicitly disable TC_CONFIG_ATM
 - rely on feature detection for IP_CONFIG_SETNS and TC_CONFIG_XT

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar d741b31eb8 base-files: enable BPF JIT sysctl by default
Set net.core.bpf_jit_enable=1 in /etc/sysctl.d/10-default.conf.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar a7370b5179 kernel: enable CONFIG_BPF_JIT by default
Enable the built-in BPF JIT compiler for all 4.9, 4.14 and 4.19 kernels,
which should speed up cBPF and eBPF-based packet filtering (tc, iptables)
and packet sniffing (libpcap, tcpdump, fwknopd, etc).

This has minimal kernel size impact, increasing the size of uImage-lzma
(normally ~2 MB on mips_24kc or mips64el_mips64) by 5 KB for the MIPS32
arch cBPF JIT and by 9 KB for the MIPS64 arch eBPF JIT, on kernel 4.14.

With JIT enabled (cBPF only), the standard BPF test module (test_bpf.ko)
running on a DIR-835 (mips_24kc) used 33 CPU seconds, but 68 without JIT.

This change aligns with the notion of OpenWRT as the network go-to swiss
army knife for packet handling, especially on CPU-constrained platforms.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar ebcd5226cc kernel/modules: add kmod-bpf-test package
Add the test_bpf module that runs various test vectors against the BPF
interpreter or BPF JIT compiler. The module must be manually loaded, as
with the kmod-crypto-test module which serves a similar purpose.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar 6be23e91b6 kernel/modules: add kmod-sched-bpf package
Add cls_bpf and act_bpf modules for additional tc classifier and action
support of cBPF and eBPF.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar cd465e3414 kernel/modules: add kmod-sched-ipset package
Add em_ipset module to support tc filter classification by IP set. Build
as a standalone package to help avoid pulling in rest of kmod-sched and
isolate new dependency on kmod-ipt-ipset.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar 59b58ad4c8 kernel/modules: kmod-sched: add some common, useful actions
Add act_pedit, act_csum, act_gact and act_simple modules for additional
tc action support. Module act_simple helps with debug and logging, similar
to iptables LOG target, while act_gact provides common generic actions.
Modules act_pedit and act_csum support general packet mangling, and have
been the subject of feature requests and forum discussions (e.g. DSCP),
as well as being added to the Turris OS fork of OpenWrt ~2 years ago.

Also select dependency kmod-lib-crc32c to support act_csum.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
Tony Ambardar f54e9f183e kernel/modules: kmod-sched-core: add missing dependency, useful module
All tc ematch modules, including those in kmod-sched-core and kmod-sched,
use cls_basic as a core dependency. Relocate cls_basic from kmod-sched to
kmod-sched-core to avoid requiring kmod-sched unnecessarily.

This change is also backwards compatible since any past tc ematch users
will have had to install both kmod-sched-core and kmod-sched anyway.

Add the matchall kernel module cls_matchall introduced in kernel 4.8. The
matchall classifier matches every packet and allows the user to apply
actions on it. It is a simpler, more efficient replacement for the common
but cryptic tc classifier idiom "u32 match u32 0 0".

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2019-02-11 20:18:48 +00:00
David Bauer 0c24b363a6 ath79: add support for Xiaomi Mi Router 4Q
Hardware
--------
CPU:   Qualcomm Atheros QCA9561
RAM:   64M DDR2
FLASH: 16M SPI-NOR
ETH:   1x WAN - 2x LAN
WiFi:  QCA9561 3T3R
BTN:   1x Reset - 1x WPS
LED:   1x Blue - 1x Red - 1x Yellow
UART:  TX - GND - RX - VCC (From ethernet port)
       115200n8 - 3.3V

Installation
------------
1. Connect to the device via UART.

2. Interrupt the U-Boot on power-on by pressing enter when prompted.

3. Connect your computer to one of the router's LAN ports.
   Assign yourself the IP 192.168.31.10/24.
   Copy the OpenWRT initramfs image to a tftp server root directory.
   Rename the image to 'x4q.bin'.

4. Load the initramfs image to the router by executing the following command
   in U-Boot. The image will boot afterwards.

   > tftpboot 0x81000000 x4q.bin; bootm

5. SCP the sysupgrade-image into '/tmp'.
   Remember to assign yourself an IP in 192.168.1.0/24 for this step!

6. Install OpenWRT permanently by executing

   > sysupgrade -n /tmp/<OpenWRT-sysupgrade-image>

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-02-11 19:04:06 +01:00
Linus Walleij 4130e24326 gemini: Fix kmod-led-trig-heartbeat typo
It's kmod-ledtrig-* not kmod-led-trig-*.

Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
[extended subject]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-02-11 19:02:42 +01:00
Sven Eckelmann 2b51d8591f mac80211: ath10k: support for management rate control
Issues a wmi command to firmware when multicast rate change is received with the
new BSS_CHANGED_MCAST_RATE flag.  Also fixes the incorrect fixed_rate setting
for CCK rates which got introduced with addition of ath10k_rates_rev2 enum.

By default the firmware uses 1Mbps and 6Mbps rate for management packets
in 2G and 5G bands respectively. But when the user selects different
basic rates from the userspace, we need to send the management
packets at the lowest basic rate selected by the user.

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2019-02-11 19:02:42 +01:00
Sven Eckelmann 835fc08ae3 ath10k-ct: support for management rate control
By default the firmware uses 1Mbps and 6Mbps rate for management packets
in 2G and 5G bands respectively. But when the user selects different
basic rates from the userspace, we need to send the management
packets at the lowest basic rate selected by the user.

This change makes use of WMI_VDEV_PARAM_MGMT_RATE param for configuring the
management packets rate to the firmware.

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2019-02-11 19:02:41 +01:00
Christian Lamparter 465044d0fd ath10k-firmware: update Candela Tech firmware images
Release notes since last time:

2019-02-08:
  Fix rate-ctrl assert related to bad logic that tried to guess
  that lower bandwidth probes were automatically successful if
  higher was. The NSS mismatch that can happen here caused the
  assert. Just comment out the offending code
  (per comment from original QCA code). This is bug 69.

2019-02-10:
  Fix bssid mis-alignment that broke 4-addr vlan mode (bug 67).
  Original buggy commit was
  commit 2bf89e70ecd1 ("dev-ds: Better packing of wal_vdev struct.")

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-02-11 19:02:41 +01:00
Christian Lamparter 0dc48905cb build: add KERNEL_ENTRY and sort DEFAULT_DEVICE_VARS
The KERNEL_ENTRY was missing from the DEFAULT_DEVICE_VARS.

This bug was discovered while preparing alternative images
for the mpc85xx's TP-Link WDR4900-V1, which all failed to
boot due to this:
|## Booting kernel from Legacy Image at 02000000 ...
|   Image Name:   POWERPC OpenWrt Linux-4.14.96
|   Image Type:   PowerPC Linux Kernel Image (uncompressed)
|   Data Size:    2056568 Bytes = 2 MiB
|   Load Address: 01000000
|   Entry Point:  00000000
|   Verifying Checksum ... OK

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-02-11 19:01:50 +01:00
Rafał Miłecki 83bcacb521 mac80211: brcmfmac: fix a possible NULL pointer dereference
This fixes a possible crash in the brcmf_fw_request_nvram_done():
[   31.687293] Backtrace:
[   31.689760] [<c004fb4c>] (__wake_up_common) from [<c004fc38>] (__wake_up_locked+0x1c/0x24)
[   31.698043]  r10:c6794000 r9:00000009 r8:00000001 r7:bf54dda0 r6:a0000013 r5:c78e7d38
[   31.705928]  r4:c78e7d3c r3:00000000
[   31.709528] [<c004fc1c>] (__wake_up_locked) from [<c00502a8>] (complete+0x3c/0x4c)
[   31.717148] [<c005026c>] (complete) from [<bf54590c>] (brcmf_fw_request_nvram_done+0x5c8/0x6a4 [brcmfmac])
[   31.726818]  r7:bf54dda0 r6:c6794000 r5:00001990 r4:c6782380
[   31.732544] [<bf545344>] (brcmf_fw_request_nvram_done [brcmfmac]) from [<c0204e40>] (request_firmware_work_func+0x38/0x60)
[   31.743607]  r10:00000008 r9:c6bdd700 r8:00000000 r7:c72c3cd8 r6:c67f4300 r5:c6bda300
[   31.751493]  r4:c67f4300
[   31.754046] [<c0204e08>] (request_firmware_work_func) from [<c0034458>] (process_one_work+0x1e0/0x318)
[   31.763365]  r4:c72c3cc0
[   31.765913] [<c0034278>] (process_one_work) from [<c0035234>] (worker_thread+0x2f4/0x448)
[   31.774107]  r10:00000008 r9:00000000 r8:c6bda314 r7:c72c3cd8 r6:c6bda300 r5:c6bda300
[   31.781993]  r4:c72c3cc0
[   31.784545] [<c0034f40>] (worker_thread) from [<c003984c>] (kthread+0x100/0x114)
[   31.791949]  r10:00000000 r9:00000000 r8:00000000 r7:c0034f40 r6:c72c3cc0 r5:00000000
[   31.799836]  r4:c735dc00 r3:c79ed540
[   31.803438] [<c003974c>] (kthread) from [<c00097d0>] (ret_from_fork+0x14/0x24)
[   31.810672]  r7:00000000 r6:00000000 r5:c003974c r4:c735dc00
[   31.816378] Code: e5b53004 e1a07001 e1a06002 e243000c (e5934000)
[   31.822487] ---[ end trace a0ffbb07a810d503 ]---

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2019-02-11 11:28:03 +01:00
Koen Vandeputte 8c9f255ce5 ar71xx: add rssileds for xw devices
Commit 7ebbbda293 ("ar71xx: ubnt-(xm,xw): fix LED RSSI indication")
adds support for using the RSSI strength via LEDS.

The rssileds package addition got lost during altering the patch.
Add it again to fix this.

Fixes: 7ebbbda293 ("ar71xx: ubnt-(xm,xw): fix LED RSSI indication")
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-02-11 09:24:11 +01:00
Daniel Engberg 93034bf7f0 tools/mpfr: Update to 4.0.2
Update mpfr to 4.0.2
Use official site as last resort
Force thread-safety functionality
Refresh patches

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2019-02-10 20:51:09 +01:00
Daniel Engberg a3383e4b01 tools/bison: Update to 3.3.2
Update bison to 3.3.2
Enable pthreads support
Refresh patches

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2019-02-10 20:49:56 +01:00
Daniel Engberg a3df068b31 tools/sed: Update to 4.7
Update sed to 4.7
Enable pthreads support

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2019-02-10 20:48:25 +01:00
Daniel Engberg 1d1dabdf0a tools/tar: Update to 1.31
Update tar to 1.31
Fixes CVE-2018-20482
Switch to tar.xz tarball
Refresh patches

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2019-02-10 20:47:58 +01:00
Hans Dedecker e3311cb138 glibc: update to latest 2.27 commit [BZ #24180]
9f44fa22cb Add compiler barriers around modifications of the robust mutex list for pthread_mutex_trylock. [BZ #24180]

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-09 21:07:16 +01:00
Hans Dedecker 630a363936 vti: remove setting default firewall zone to wan
Same reasoning as in bdedb798150a58ad7ce3c4741f2f31df97e84c3f; don't set
default firewall zone to wan as the firewall zone for the vti interface
can be configured in the firewall config or it makes it impossible not to
specify a firewall zone for the vti interface.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-09 21:04:36 +01:00
Hans Dedecker 7f33f3d712 ipip: remove setting default firewall zone to wan
Same reasoning as in bdedb798150a58ad7ce3c4741f2f31df97e84c3f; don't set
default firewall zone to wan as the firewall zone for the ipip interface
can be configured in the firewall config or it makes it impossible not to
specify a firewall zone for the ipip interface.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-09 21:04:08 +01:00
Felix Fietkau 945bcaf6ec kernel: fold xt_FLOWOFFLOAD fixes into the main patch
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-09 14:37:30 +01:00
HsiuWen Yen 33b690216e netfilter: fix checking method of conntrack helper
This patch uses nfct_help() to detect whether an established connection
needs conntrack helper instead of using test_bit(IPS_HELPER_BIT,
&ct->status).

The reason for this modification is that IPS_HELPER_BIT is only set when
the conntrack helper is attached by explicit CT target.

However, in the case that a device enables conntrack helper via other
ways (e.g., command "echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper"),
the status of IPS_HELPER_BIT will not present any change. That means the
IPS_HELPER_BIT might lose the checking ability in the context.

Signed-off-by: HsiuWen Yen <y.hsiuwen@gmail.com>
2019-02-09 14:37:26 +01:00
Felix Fietkau 61e01f248e base-files: do not strip fwtool signature data during check
Same reason as in commit 9808bd2799 -
sysupgrade --test must not alter the image in any way

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-09 14:34:24 +01:00