Clean up conflicts/provides/depends hell and add PROVIDES for
eapol-test variants while at it.
Update mesh-DFS patchset from Peter Oh to v5 (with local fixes) which
allows to drop two revert-patches for upstream commits which previously
were necessary to un-break mesh-DFS support.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(backported from 78f1974bc5)
(rebased patches)
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Instead of selecting the SSL provider at compile time, build package
variants for each option so users can select the binary package without
having to build it themselves.
Most likely not all variants have actually ever been user by anyone.
We should reduce the selection to the reasonable and most used
combinations at some point in future. For now, build them all.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(backported from c8fdd0e9c8)
Support for building wpa_supplicant/hostapd against wolfssl has been
added upstream recently, add build option to allow users using it.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(backported from 69f544937f)
(rebased patches)
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Update to latest git HEAD in order to support configuring multiple
concurrent Lua prefixes in a single uhttpd instance:
b741dec lua: support multiple Lua prefixes
Additionally rework the init script and update the default configuration
example to treat the lua_prefix option as key=value uci list, similar to
the interpreter extension mapping. Support for the old "option lua_prefix"
plus "option lua_handler" notation is still present.
Finally drop the sed postinstall hack in uhttpd-mod-lua to avoid mangling
files belonging to other packages. Since Lua prefixes have precedence
over CGI prefixes, simply register `/cgi-bin/luci` as Lua handler which
will only become active if both luci-base and uhttpd-mod-lua is installed.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 214146c6f2)
If libcap-ng is detected during tcpdump build, support for it is
enabled and the binary is linked against it. Explicitly disable
libcap-ng support to avoid build failing due to a missing depndency.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Cherry-picked & squashed from relevant commits from master:
dnsmasq v2.80 release
Change from rc1:
91421cb Fix compiler warning.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 6c4d3d705a)
dnsmasq: remove creation of /etc/ethers
Remove creation of file /etc/ethers in dnsmasq init script as the
file is now created by default in the base-files package by
commit fa3301a28e
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 6c227e45cb)
dnsmasq: bump to dnsmasq v2.80test5
Refresh patches
Remove 240-ubus patch as upstream accepted.
Add uci option ubus which allows to enable/disable ubus support (enabled
by default)
Upstream commits since last bump:
da8b651 Implement --address=/example.com/#
c5db8f9 Tidy 7f876b64c22b2b18412e2e3d8506ee33e42db7c
974a6d0 Add --caa-record
b758b67 Improve logging of RRs from --dns-rr.
9bafdc6 Tidy up file parsing code.
97f876b Properly deal with unaligned addresses in DHCPv6 packets.
cbfbd17 Fix broken DNSSEC records in previous.
b6f926f Don't return NXDOMAIN to empty non-terminals.
c822620 Add --dhcp-name-match
397c050 Handle case of --auth-zone but no --auth-server.
1682d15 Add missing EDNS0 section. EDNS0 section missing in replies to EDNS0-containing queries where answer generated from --local=/<domain>/
dd33e98 Fix crash parsing a --synth-domain with no prefix. Problem introduced in 2.79/6b2b564ac34cb3c862f168e6b1457f9f0b9ca69c
c16d966 Add copyright to src/metrics.h
1dfed16 Remove C99 only code.
6f835ed Format fixes - ubus.c
9d6fd17 dnsmasq.c fix OPT_UBUS option usage
8c1b6a5 New metrics and ubus files.
8dcdb33 Add --enable-ubus option.
aba8bbb Add collection of metrics
caf4d57 Add OpenWRT ubus patch
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 3d377f4375)
dnsmasq: bump to dnsmasq 2.80test6
Refresh patches
Changes since latest bump:
af3bd07 Man page typo.
d682099 Picky changes to 47b45b2967c931fed3c89a2e6a8df9f9183a5789
47b45b2 Fix lengths of interface names
2b38e38 Minor improvements in lease-tools
282eab7 Mark die function as never returning
c346f61 Handle ANY queries in context of da8b6517decdac593e7ce24bde2824dd841725c8
03212e5 Manpage typo.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 43d4b8e89e)
dnsmasq: Handle memory allocation failure in make_non_terminals()
Backport upstream commit:
ea6cc33 Handle memory allocation failure in make_non_terminals()
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 687168ccd9)
dnsmasq: Change behavior when RD bit unset in queries.
Backport upstream commit
Change anti cache-snooping behaviour with queries with the
recursion-desired bit unset. Instead to returning SERVFAIL, we
now always forward, and never answer from the cache. This
allows "dig +trace" command to work.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 6c4cbe94bd)
dnsmasq: bump to v2.80test7
Bump to latest test release:
3a610a0 Finesse allocation of memory for "struct crec" cache entries.
48b090c Fix b6f926fbefcd2471699599e44f32b8d25b87b471 to not SEGV on startup (rarely).
4139298 Change behavior when RD bit unset in queries.
51cc10f Add warning about 0.0.0.0 and :: addresses to man page.
ea6cc33 Handle memory allocation failure in make_non_terminals()
ad03967 Add debian/tmpfiles.conf
f4fd07d Debian bugfix.
e3c08a3 Debian packaging fix. (restorecon)
118011f Debian packaging fix. (tmpfiles.d)
Delete our own backports of ea6cc33 & 4139298, so the only real changes
here, since we don't care about the Debian stuff are 48b090c & 3a610a0
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit d9a37d8d1e)
dnsmasq: bump to v2.80test8
e1791f3 Fix logging of DNSSEC queries in TCP mode. Destination server address was misleading.
0fdf3c1 Fix dhcp-match-name to match hostname, not complete FQDN.
ee1df06 Tweak strategy for confirming SLAAC addresses.
1e87eba Clarify manpage for --auth-sec-servers
0893347 Make interface spec optional in --auth-server.
7cbf497 Example config file fix for CERT Vulnerability VU#598349.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 30cc5b0bf4)
dnsmasq: add dhcp-ignore-names support - CERT VU#598349
dnsmasq v2.80test8 adds the ability to ignore dhcp client's requests for
specific hostnames. Clients claiming certain hostnames and thus
claiming DNS namespace represent a potential security risk. e.g. a
malicious host could claim 'wpad' for itself and redirect other web
client requests to it for nefarious purpose. See CERT VU#598349 for more
details.
Some Samsung TVs are claiming the hostname 'localhost', it is believed
not (yet) for nefarious purposes.
/usr/share/dnsmasq/dhcpbogushostname.conf contains a list of hostnames
in correct syntax to be excluded. e.g.
dhcp-name-match=set:dhcp_bogus_hostname,localhost
Inclusion of this file is controlled by uci option dhcpbogushostname
which is enabled by default.
To be absolutely clear, DHCP leases to these requesting hosts are still
permitted, but they do NOT get to claim ownership of the hostname
itself and hence put into DNS for other hosts to be confused/manipulate by.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit a45f4f50e1)
dnsmasq: fix compile issue
Fix compile issue in case HAVE_BROKEN_RTC is enabled
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 39e5e17045)
dnsmasq: bump to v2.80rc1
53792c9 fix typo
df07182 Update German translation.
Remove local patch 001-fix-typo which is a backport of the above 53792c9
There is no practical difference between our test8 release and this rc
release, but this does at least say 'release candidate'
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit b8bc672f24)
dnsmasq: fix dnsmasq failure to start when ujail'd
This patch fixes jailed dnsmasq running into the following issue:
|dnsmasq[1]: cannot read /usr/share/dnsmasq/dhcpbogushostname.conf: No such file or directory
|dnsmasq[1]: FAILED to start up
|procd: Instance dnsmasq::cfg01411c s in a crash loop 6 crashes, 0 seconds since last crash
Fixes: a45f4f50e1 ("dnsmasq: add dhcp-ignore-names support - CERT VU#598349")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[bump package release]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 583466bb5b)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Support for -D got broken in the 2.0.11 release by the upstream commit
218d8c667944 ("first pass L2 mode w/UDP checks, v4 only"). After that
commit clients were still able to connect but no traffic was passed.
It was reported and is fixed now in the upstream git repository.
Backport two patches to fix this. The first one is just a requirement
for the later to apply. The second one is the real fix and it needed
only a small adjustment to apply without backporing the commit
10887b59c7e7 ("fix --txstart-time report messages").
Fixes: 7d15f96eaf ("iperf: bump to 2.0.12")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 87cd118794)
Allow setting specific routing tables via the ip4table and ip6table
options also when ${ifname}_4 and ${ifname}_6 child interfaces are
being created.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit e51aa699f7)
Pull in latest upstream tweaks:
Similar to the previous patch for no-split-gso, the negative keywords for
'nat', 'wash' and 'ack-filter' were not printed either. Add those as well.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 033f02b9b5)
When the GSO splitting was turned into dual split-gso/no-split-gso options,
the printing of the latter was left out. Add that, so output is consistent
with the options passed
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 8cac857289)
CAKE supports overriding of its internal classification of
packets through the tc filter mechanism.
Update the man page in our package, even though we don't
build them. Someone may find the documentation useful.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 30598a05385b0ac2380dd4f30037a9f9d0318cf2)
(cherry picked from commit dc9388ac55)
This patch makes sch_cake's gso/gro splitting configurable
from userspace.
To disable breaking apart superpackets in sch_cake:
tc qdisc replace dev whatever root cake no-split-gso
to enable:
tc qdisc replace dev whatever root cake split-gso
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Dave Taht <dave.taht@gmail.com>
[pulled from netdev list - no API/ABI change]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 3e8a9389961cd866b867740a2f71c2a0af97ab56)
Allowing DHCPV6_CLIENT_FQDN and DHCPV6_ACCEPT_RECONFIGURE to be turned off.
Defaulting to false, former behavior remains unchanged.
Signed-off-by: pacien <pacien.trangirard@pacien.net>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
(cherry picked from commit ef01c1d308)
The dnsmasq variants should provide dnsmasq, otherwise it is impossible
to include them in the image.
This change allows one to have CONFIG_PACKAGE_dnsmasq=m and
CONFIG_PACKAGE_dnsmasq-full=y, e.g. because you want DNSSEC support, or
IPSETs suport on your 3000-devices fleet ;-)
Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
The control device /dev/cdc-wdm0 is not available immediately on the
D-Link DWR-921 Rev.C3, therefore the wwan interface fails to start at
boot with a "The specified control device does not exist" error.
This patch alters /lib/netifd/proto/qmi.sh to wait for
network.wwan.delay earlier, before checking for the control device,
instead of just before interacting with the modem.
One still has to use network.wwan.proto='qmi', as the "wwan" proto
performs that sort of check before any delay is possible, failing with a
"No valid device was found" error.
Signed-off-by: Thomas Equeter <tequeter@users.noreply.github.com>
Some combination of modem/wireless operator requires more time to
execute the commands.
Tested on DWR-512 embedded wwan modem and italian operator iliad (new
virtual operator).
Signed-off-by: Giuseppe Lippolis <giu.lippolis@gmail.com>
(cherry picked from commit 774d7fc9f2)
CVE description :
The recv_msg_userauth_request function in svr-auth.c in Dropbear through
2018.76 is prone to a user enumeration vulnerability because username
validity affects how fields in SSH_MSG_USERAUTH messages are handled,
a similar issue to CVE-2018-15473 in an unrelated codebase.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Unauthenticated EAPOL-Key decryption in wpa_supplicant
Published: August 8, 2018
Identifiers:
- CVE-2018-14526
Latest version available from: https://w1.fi/security/2018-1/
Vulnerability
A vulnerability was found in how wpa_supplicant processes EAPOL-Key
frames. It is possible for an attacker to modify the frame in a way that
makes wpa_supplicant decrypt the Key Data field without requiring a
valid MIC value in the frame, i.e., without the frame being
authenticated. This has a potential issue in the case where WPA2/RSN
style of EAPOL-Key construction is used with TKIP negotiated as the
pairwise cipher. It should be noted that WPA2 is not supposed to be used
with TKIP as the pairwise cipher. Instead, CCMP is expected to be used
and with that pairwise cipher, this vulnerability is not applicable in
practice.
When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data
field is encrypted using RC4. This vulnerability allows unauthenticated
EAPOL-Key frames to be processed and due to the RC4 design, this makes
it possible for an attacker to modify the plaintext version of the Key
Data field with bitwise XOR operations without knowing the contents.
This can be used to cause a denial of service attack by modifying
GTK/IGTK on the station (without the attacker learning any of the keys)
which would prevent the station from accepting received group-addressed
frames. Furthermore, this might be abused by making wpa_supplicant act
as a decryption oracle to try to recover some of the Key Data payload
(GTK/IGTK) to get knowledge of the group encryption keys.
Full recovery of the group encryption keys requires multiple attempts
(128 connection attempts per octet) and each attempt results in
disconnection due to a failure to complete the 4-way handshake. These
failures can result in the AP/network getting disabled temporarily or
even permanently (requiring user action to re-enable) which may make it
impractical to perform the attack to recover the keys before the AP has
already changes the group keys. By default, wpa_supplicant is enforcing
at minimum a ten second wait time between each failed connection
attempt, i.e., over 20 minutes waiting to recover each octet while
hostapd AP implementation uses 10 minute default for GTK rekeying when
using TKIP. With such timing behavior, practical attack would need large
number of impacted stations to be trying to connect to the same AP to be
able to recover sufficient information from the GTK to be able to
determine the key before it gets changed.
Vulnerable versions/configurations
All wpa_supplicant versions.
Acknowledgments
Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
Leuven for discovering and reporting this issue.
Possible mitigation steps
- Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This
can be done also on the AP side.
- Merge the following commits to wpa_supplicant and rebuild:
WPA: Ignore unauthenticated encrypted EAPOL-Key data
This patch is available from https://w1.fi/security/2018-1/
- Update to wpa_supplicant v2.7 or newer, once available
Signed-off-by: John Crispin <john@phrozen.org>
(cherry picked from commit 1961948585)
This backports a fix for:
* CVE-2018-0500 SMTP send heap buffer overflow
See here for details: https://curl.haxx.se/docs/adv_2018-70a2.html
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Multiple security fixes
* CVE-2018-0497 Remote plaintext recovery on use of CBC based ciphersuites through a timing side-channel
* CVE-2018-0498 Plaintext recovery on use of CBC based ciphersuites through a cache based side-channel
Disable OFB block mode and XTS block cipher mode, added in 2.11.0.
Disable Chacha20 and Poly1305 cryptographic primitives, added in 2.12.0
Patch the so version back to the original one, the API changes are
looking no so invasive.
The size of mbedtls increased a little bit:
ipkg for mips_24kc before:
163.967 Bytes
ipkg for mips_24kc after:
164.753 Bytes
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The sierra_net driver is using proto_directip_setup for setup. So use
proto_directip_teardown for teardown.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
(cherry picked from commit d05967baec)
Override the default shutdown action (stop) and close all processes
of dropbear
Since commit 498fe85, the stop action only closes the process
that's listening for new connections, maintaining the ones with
existing clients.
This poses a problem when restarting or shutting-down a device,
because the connections with existing SSH clients, like OpenSSH,
are not properly closed, causing them to hang.
This situation can be avoided by closing all dropbear processes when
shutting-down the system, which closes properly the connections with
current clients.
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
[Luis: Rework commit message]
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
(cherry picked from commit 1e177844bc)
a0a1e52 fix compile error
75ee790 interface-ip: fix eui64 ifaceid generation (FS#1668)
ca97097 netifd: make sure the vlan ifname fits into the buffer
b8c1bca iprule: remove bogus assert calls
a2f952d iprule: fix broken in_dev/out_dev checks
263631a vlan: use alloca to get rid of IFNAMSIZE in vlan_dev_set_name()
291ccbb ubus: display correct prefix size for IPv6 prefix address
908a9f4 CMakeLists.txt: add -Wimplicit-fallthrough to the compiler flags
b06b011 proto-shell.c: add a explicit "fall through" comment to make the compiler happy
60293a7 replace fall throughs in switch/cases where possible with simple code changes
5cf7975 iprule: rework interface based rules to handle dynamic interfaces
57f87ad Introduce new interface event "create" (IFEV_CREATE)
03785fb system-linux: fix build error on older kernels
d1251e1 system-linux: adjust bridge isolate mode for upstream attribute naming
e9eff34 system-linux: extend link mode speed definitions
c1f6a82 system-linux: add autoneg and link-partner output
Signed-off-by: John Crispin <john@phrozen.org>
(cherry picked from commit 3c4eeb5d21)
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2.0.12 change set (as of June 25th 2018)
o Change the unicast TTL default value from 1 to the system default (to be compatable with previous versions.) Mulitcast still defaults to 1.
o adpative formatting bug fix: crash occurs when values exceed 1 Tera. Add support for Tera and Peta and eliminate the potential crash condition
o configure default compile to include isochronous support (use configure --disable-isochronous to remove support)
o replace 2.0.11's --vary-load option with a more general -b option to include <mean>,<stdev>, e.g. -b 100m,40m, which will pull from a log normal distribution every 0.1 seconds
o fixes for windows cross compile (using mingw32)
o compile flags of -fPIE for android
o configure --enable-checkprograms to compile ancillary binaries used to test things such as delay, isoch, pdf generation
o compile tests when trying to use 64b seq numbers on a 32b platform
o Fix GCC ver 8 warnings
2.0.11 change set (as of May 24th, 2018)
o support for -b on server (read rate limiting)
o honor -T (ttl) for unicast. (Note: the default value is 1 so this will impact unicast tests that require routing)
o support for --isochronous traffic with optional frames per second, mean and variance uses a log normal distribution (requires configure w/-enable-isochronous and compile)
o support for --udp triggers (requires configure w/ --enable-udptriggers, early code with very limited support)
o support for --udp-histogram with optional bin width and number of bins (default is 1 millisecond bin width and 1000 bins)
o support for frame (burst) latency histograms when --isochronous is set
o support for --tx-sync with -P for synchonrized writes. Initial use is for WiFi OFDMA latency testing.
o support for --incr-dstip with -P for simultaneous flows to multiple destinations (use case is for OFDMA)
o support for --vary-load with optional weight, uses log normal distribution (requires -b to set the mean)
o support for --l2checks to detect L2 length errors not detected by v4 or v6 payload length errors (requires linux, berkeley packet filters BPFs and AF_PACKET socket support)
o support for server joining mulitcast source specific multicast (S,G) and (*,G) for both v4 and v6 on platforms that support it
o improved write counters (requires -e)
o accounting bug fix on client when write fails, this bug was introduced in 2.0.10
o slight restructure client/server traffic thread code for maintainability
o python: flow example script updates
o python: ssh node object using asyncio
o python: histograms in flows with plotting (assumed gnuplot available)
o python: hierarchical clustering of latency histograms (early code)
o man pages updates
o Note: latency histograms require client and server system clock synchronization. A GPS disciplined oscillator using Precision Time Protocol works well for this.
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Update to new iwinfo version.
Adds support for channel survey.
Adds ubus support.
Etc.
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 296ae7ab89)
e59f925 hardware: add device ids for QCA9984, 88W8887 and 88W8964 radios
2a82f87 nl80211: back out early when receiving FAIL-BUSY reply
77c32f0 nl80211: fix code calculating average signal and rate
Signed-off-by: John Crispin <john@phrozen.org>
(cherry picked from commit 20b76c0a5b)
Refresh patches
Upstream commits since last bump:
3b6eb19 Log DNSSEC trust anchors at startup.
f3e5787 Trivial comment change.
c851c69 Log failure to confirm an address in DHCPv6.
a3bd7e7 Fix missing fatal errors when parsing some command-line/config options.
ab5ceaf Document the --help option in the french manual
1f2f69d Fix recurrent minor spelling mistake in french manual
f361b39 Fix some mistakes in french translation of the manual
eb1fe15 When replacing cache entries, preserve CNAMES which target them.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 1e93ef8498)
As dnsmasq is started earlier than netifd usage of network.sh functions
at boottime will fail; therefore don't call at boottime the functions
which construct the dhcp pool/relay info.
As interface triggers are installed the dhcp pool/relay info will be
constructed when the interface gets reported as up by netifd.
At the same time also register interface triggers based on DHCP relay
config.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 2336b942b3)
Refresh patches and backport upstream to current HEAD:
a997ca0 Fix sometimes missing DNSSEC RRs when DNSSEC validation not enabled.
51e4eee Fix address-dependent domains for IPv6.
05ff659 Fix stupid infinite loop introduced by preceding commit.
db0f488 Handle some corner cases in RA contructed interfaces with addresses changing interface.
7dcca6c Warn about the impact of cache-size on performance.
090856c Allow zone transfer in authoritative mode whenever auth-peer is specified.
cc5cc8f Sane error message when pcap file header is wrong.
c488b68 Handle standard and contructed dhcp-ranges on the same interface.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit fbf475403b)
Reduces .ipk size on MIPS from 41.6k to 41.1k
Changes:
30463d0 zones: add interface/subnet bound LOG rules
0e77bf2 options: treat time strings as UTC times
d2bbeb7 firewall3: make reject types selectable by user
aa8846b ubus: avoid dumping interface state with NULL message
Cherry picked and squashed from commits:
a3f2451fba firewall: update to latest git HEAD
433d71e73e fw3: update to latest git HEAD
ef96d1e34a firewall: compile with LTO enabled
1e83f775a3 firewall3: update to latest git HEAD
3ee2c76ae0 firewall: update to latest git HEAD
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This watchdog script tries to re-resolve hostnames for inactive WireGuard peers.
Use it for peers with a frequently changing dynamic IP.
persistent_keepalive must be set, recommended value is 25 seconds.
Run this script from cron every minute:
echo '* * * * * /usr/bin/wireguard_watchdog' >> /etc/crontabs/root
Signed-off-by: Aleksandr V. Piskunov <aleksandr.v.piskunov@gmail.com>
[bump the package release]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 20c4819c7b)
80b41cd version: bump snapshot
fe5f0f6 recieve: disable NAPI busy polling
e863f40 device: destroy workqueue before freeing queue
81a2e7e wg-quick: allow link local default gateway
95951af receive: use gro call instead of plain call
d9501f1 receive: account for zero or negative budget
e80799b tools: only error on wg show if all interfaces failk
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
[Added commit log to commit description]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 57b808ec88)
* device: print daddr not saddr in missing peer error
* receive: style
Debug messages now make sense again.
* wg-quick: android: support excluding applications
Android now supports excluding certain apps (uids) from the tunnel.
* selftest: ratelimiter: improve chance of success via retry
* qemu: bump default kernel version
* qemu: decide debug kernel based on KERNEL_VERSION
Some improvements to our testing infrastructure.
* receive: use NAPI on the receive path
This is a big change that should both improve preemption latency (by not
disabling it unconditionally) and vastly improve rx performance on most
systems by using NAPI. The main purpose of this snapshot is to test out this
technique.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit 4630159294)
iproute2's tc was updated to support the recently upstreamed cake qdisc.
Backport this canonical support from upstream into iproute2 v4.16
There is no kernel kmod/userspace tc ABI change in this release from the
previous package bump, so everyone can breath a sigh of relief.
This is largely a code style change, the exception to prove the rule:
option 'autorate_ingress' has been changed to 'autorate-ingress' to fit
in with upstream option naming expectations.
No openwrt package (e.g. sqm-scripts) has knowledge of
'autorate_ingress' thus only users who made their own scripts or used
it within the 'dangerous configuration' options of sqm-scripts will be
affected.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
procd needs processes to stay in foreground to remain under its gaze and
control. Failure to do so means service stop commands fail to actually
stop the process (procd doesn't think it's running 'cos the process has
exited already as part of its forking routing)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 9d5a246930)
The previous callback code was fragile, dependent on some UCI callback
bugs and side-effects now fixed in master commit 73d8a6ab.
Update scripts to use callbacks where appropriate and necessary, while
using normal UCI config parsing for all else. This results in smaller,
simpler, more robust code. Use callbacks in generate.sh to only process
'interface' defaults and the varying entries for 'reclassify', 'default'
and 'classify' sections. Also switch qos-stat to use non-callback UCI
handling.
The current changes work independently of 73d8a6ab (i.e. both before and
after), and are consistent with UCI config parsing documentation.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Fix broken DHCPv6 servers which provide the server unicast option but
do not reply on DHCPv6 renew messages directed to the IPv6 address
contained in the server unicast option which results in broken IPv6
connectivity.
67ae6a7 odhcp6c: add option to ignore Server Unicast option
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
dfd9827 version: bump snapshot
88729f0 wg-quick: android: prevent outgoing handshake packets from being dropped
1bb9daf compat: more robust ktime backport
68441fb global: use fast boottime instead of normal boottime
d0bd6dc global: use ktime boottime instead of jiffies
18822b8 tools: fix misspelling of strchrnul in comment
0f8718b manpages: eliminate whitespace at the end of the line
590c410 global: fix a few typos
bb76804 simd: add missing header
7e88174 poly1305: give linker the correct constant data section size
fd8dfd3 main: test poly1305 before chacha20poly1305
c754c59 receive: don't toggle bh
Compile-tested-for: ath79 Archer C7 v2
Run-tested-on: ath79 Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 3ce11588f6)
Bump iproute2/tc support of cake.
Add support for cake's change to u64 attribute passing for certain
attributes (rate & byte counts)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit a2165f936e)
this makes sure that offloading support is properly included for v4.14 targets.
Signed-off-by: John Crispin <john@phrozen.org>
(cherry picked from commit ebe1216c7c)
Includes specific support for PH8(1e2d-0053) / ELS61(1e2d-005b) modules.
Note for ELS61, the serial driver changes from serial option(ttyUSB) to usb-cdc (ttyACM).
Two additional fixes in this commit resolve issues with ttyACM devices: -
* wwan.sh - sys-fs has a subdirectory indirection (*/tty/ttyACMx) which was not handled properly
* wwan.usb - dependent scripts were not included, so this never actually called proto_set_available for example (and relied on inadvertent call for ttyUSB case)
Signed-off-by: David Thornley <david.thornley@touchstargroup.com>
(cherry picked from commit cb262b0939)
0bc4230 version: bump snapshot
ed04799 poly1305: add missing string.h header
cbd4e34 compat: use stabler lkml links
caa718c ratelimiter: do not allow concurrent init and uninit
894ddae ratelimiter: mitigate reference underflow
0a8a62c receive: drop handshake packets if rng is not initialized
cad9e52 noise: wait for crng before taking locks
83c0690 netlink: maintain static_identity lock over entire private key update
0913f1c noise: take locks for ss precomputation
073f31a qemu: bump default kernel
bec4c48 wg-quick: android: don't forget to free compiled regexes
7ce2ef3 wg-quick: android: disable roaming to v6 networks when v4 is specified
9132be4 dns-hatchet: apply resolv.conf's selinux context to new resolv.conf
41a5747 simd: no need to restore fpu state when no preemption
6d7f0b0 simd: encapsulate fpu amortization into nice functions
f8b57d5 queueing: re-enable preemption periodically to lower latency
b7b193f queueing: remove useless spinlocks on sc
5bb62fe tools: getentropy requires 10.12
4e9f120 chacha20poly1305: use slow crypto on -rt kernels on arm too
Compiled-for: ar71xx, lantiq
Run-tested-on: ar71xx Archer C7 v2 & lantiq HH5a
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Commit ecd954d530 installs specific interface triggers which rewrites the dnsmasq config
file and restarts dnsmasq if the network interface becomes active for which a trigger
has been installed.
In case no dhcp sections are specified or ignore is set to 1 dnsmasq will not be started
at startup which breaks DNS resolving.
Fix this by ditching the BOOT check in start_service and always start dnsmasq at startup.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Be compatible with ISPs which don't support the destination option header containing
the tunnel encapsulation limit as reported in FS#1501.
Setting the uci parameter encaplimit to ignore; allows to disable the insertion
of the destination option header in the ds-lite packets.
Otherwise the tunnel encapsulation limit value can be set to a value from 0 till 255
by setting the encaplimit uci parameter accordingly.
If no encaplimit value is specified the default value is 4 as before.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Be compatible with ISPs which don't support the destination option header containing
the tunnel encapsulation limit as reported in FS#1501 for dynamic created ds-lite/map
interfaces.
Setting the uci parameter encaplimit_dslite/map to ignore; allows to disable the insertion
of the destination option header for the dynamic created ds-lite/map interface.
Otherwise the tunnel encapsulation limit value can be set to a value from 0 till 255
by setting the encaplimit_dslite/map uci parameter accordingly.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Be compatible with ISPs which don't support the destination option header containing
the tunnel encapsulation limit as reported in FS#1501.
Setting the uci parameter encaplimit to ignore; allows to disable the insertion
of the destination option header in the map-e packets.
Otherwise the tunnel encapsulation limit value can be set to a value from 0 till 255
by setting the encaplimit uci parameter accordingly.
If no encaplimit value is specified the default value is 4 as before.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Fix condir option processing allowing to use the format
"<directory>[,<file-extension>......]," as documented on the dnsmasq man
page which previously resulted into bogus dir being created.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This version bump was made upstream mostly for OpenWRT, and should fix
an issue with a null dst when on the flow offloading path.
While we're at it, Kevin and I are the only people actually taking care
of this package, so trim the maintainer list a bit.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Use ft_psk_generate_local=1 by default, as it makes everything else fairly
trivial. All of the r0kh/r1kh and key management stuff goes away and hostapd
fairly much does it all for us.
We do need to provide nas_identifier, which can be derived from the BSSID,
and we need to generate a mobility_domain, for which we default to the first
four chars of the md5sum of the SSID.
The complex manual setup should also still work, but the defaults also
now work easily out of the box. Verified by manually running hostapd
(with the autogenerated config) and watching the debug output:
wlan2: STA ac:37:43:a0:a6:ae WPA: FT authentication already completed - do not start 4-way handshake
This was previous submitted to LEDE in
https://github.com/lede-project/source/pull/1382
[dwmw2: Rewrote commit message]
Signed-off-by: Gospod Nassa <devianca@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
(cherry picked from commit 3cc56a5534)
Drop package/network/services/wireguard/patches/100-portability.patch
Instead pass 'PLATFORM=linux' to make since we are always building FOR
linux.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit f06def4221)
During handshake we are highjack and reset a LED to the configured trigger
afterwards. ltq-xdsl-app need to start after the LED init script, to
ensure that the LED init script doesn't re-highjack the LED we are
currently using for handshake indication.
Drop the comment about the atm dependency. The dependency was fixed quite
some time ago by using hotplug scripts for br2684ctl.
Signed-off-by: Mathias Kresin <dev@kresin.me>
(cherry picked from commit 0678cc850c)
This reverts commit c97189e26d
as it has different issues:
-Host file is not written in a directory unique per dnsmasq instance
-odhcpd writes host info into the same directory but still sends a SIGHUP to dnsmasq
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
1.) "addn-hosts" per default point to a file (but it supports directory)
2.) "hostsdir" only support directory with the additional benefit: New or changed files are read automatically.
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
* chacha20poly1305: add mips32 implementation
"The OpenWRT Commit" - this significantly speeds up performance on cheap
plastic MIPS routers, and presumably the remaining MIPS32r2 super computers
out there.
* timers: reinitialize state on init
* timers: round up instead of down in slack_time
* timers: remove slack_time
* timers: clear send_keepalive timer on sending handshake response
* timers: no need to clear keepalive in persistent keepalive
Andrew He and I have helped simplify the timers and remove some old warts,
making the whole system a bit easier to analyze.
* tools: fix errno propagation and messages
Error messages are now more coherent.
* device: remove allowedips before individual peers
This avoids an O(n^2) traversal in favor of an O(n) one. Before systems with
many peers would grind when deleting the interface.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Refresh patches; remove 320-mbedtls_dont_use_deprecated_sha256_function
patch as upstream fixed
For changes in version 2.60 see https://curl.haxx.se/changes.html#7_60_0
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This makes it easier to distribute prefixes over a wireguard tunnel
interface, by simply setting the ip6prefix option in uci (just like with
other protocols).
Obviously, routing etc needs to be setup properly for things to work; this
just adds the config option so the prefix can be assigned to other
interfaces.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
The max_oper_chwidth settings was parsed incorrectly for big endian system.
This prevented the system to switch to VHT80 (or VHT160). Instead they were
mapped to:
* HT20: 20MHz
* VHT20: 20MHz
* HT40: 40MHz
* VHT40: 40MHz
* VHT80: 40MHz
* VHT160: 40MHz
This happened because each max_oper_chwidth setting in the config file was
parsed as "0" instead of the actual value.
Fixes: a4322eba2b ("hostapd: fix encrypted mesh channel settings")
Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
b45e162 helpers: fix the set_helper in the rule structure
f742ba7 helpers.conf: support also tcp in the CT sip helper
08b2c61 helpers: make the proto field as a list rather than one option
Signed-off-by: John Crispin <john@phrozen.org>
Fix encrypted (or DFS) AP+MESH interface combination in a way similar
to how it's done for AP+STA and fix netifd shell script.
Refresh patches while at it.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
6b4a340 version: bump snapshot
faa2103 compat: don't clear header bits on RHEL
4014532 compat: handle RHEL 7.5's recent backports
66589bc queueing: preserve pfmemalloc header bit
37f114a chacha20poly1305: make gcc 8.1 happy
926caae socket: use skb_put_data
724d979 wg-quick: preliminary support for go implementation
c454c26 allowedips: simplify arithmetic
71d44be allowedips: produce better assembly with unsigned arithmetic
5e3532e allowedips: use native endian on lookup
856f105 allowedips: add selftest for allowedips_walk_by_peer
41df6d2 embeddable-wg-library: zero attribute padding
9a1bea6 keygen-html: add zip file example
f182b1a qemu: retry on 404 in wget for kernel.org race
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Refresh patches and backport upstream to current HEAD:
1f1873a Log warning on very large cachesize config, instead of truncating it.
0a496f0 Do unsolicited RAs for interfaces which appear after dnsmasq startup.
e27825b Fix logging in previous.
1f60a18 Retry SERVFAIL DNSSEC queries to a different server, if possible.
a0088e8 Handle query retry on REFUSED or SERVFAIL for DNSSEC-generated queries.
34e26e1 Retry query to other servers on receipt of SERVFAIL rcode.
6b17335 Add packet-dump debugging facility.
07ed585 Add logging for DNS error returns from upstream and local configuration.
0669ee7 Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip are set.
f84e674 Be persistent with broken-upstream-DNSSEC warnings.
Compile & run tested: ar71xx Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Right now interface.update events are sent out by netifd upon interface state,
route, address (lifetime), prefix lifetime changes.
Dnsmasq is only interested in interface state changes and currently adds an
interface trigger for all the "interface.*" events.
In combination with commit 23bba9cb33, which triggers a SIGHUP signal to dnsmasq,
IPv6 address/prefix lifetime changes on the wan will trigger dnsmasq reloads which
can become frequent in case of shorter lifetimes.
To avoid frequent dnsmasq reload, this patch adds specific interface triggers.
During dnsmasq init it loops dhcp uci section; if the value of the ignore option
is set to 0, then the corresponding interface trigger is not installed.
Otherwise, if the ignore option value is 1, then procd_add_interface_trigger is
called which adds the interface trigger.
Signed-off-by: hux <xinxing.huchn@gmail.com>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Point at github which is new, maintained location for igmpproxy.
Remove all patches as all have been upstreamed.
Closes FS#1456
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
The init sccript for igmpproxy uses the option 'network' both as an interface name for fetching the l3_device name and for creating the firewall rules. This only works if the name of the network and firewall zone are identical.
This commit introduces a new option 'zone' for configuring the upstream and downstream firewall zones in order for the init script to create the required firewall rules automatically. When no such options are given, the init script falls back to not creating the firewall rules and the user can opt to create these manually.
Signed-off-by: Jaap Buurman <jaapbuurman@gmail.com>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Bearing fruits of the latest upstreaming efforts on cake.
Changes: diffserv-llt dropped. The paper describing this DSCP
allocation has gone stale and doesn't appear used.
The userspace to kernel netlink messages for cake have been reworked in
a backwards incompatible way, so tc & cake must be bumped together this
once.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
print_uint() will silently promote its variable type to uint64_t, but there
is nothing that ensures that the format string specifier passed along with
it fits (and the function name suggest to pass "%u").
Fix this by changing print_uint() to use a native 'unsigned int' type, and
introduce a separate print_u64() function for printing 64-bit values. All
call sites that were actually printing 64-bit values using print_uint() are
converted to use print_u64() instead.
Since print_int() was already using native int types, just add a
print_s64() to match, but don't convert any call sites.
Fixes wonkyness in some stats from some qdiscs under tc
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Add hotplug handle script for storage devices,
this will add corresponding option in the
/etc/config/samba file automatically.
Signed-off-by: Rosy Song <rosysong@rosinson.com>
Update to latest version of iproute2, refresh patches.
See https://lkml.org/lkml/2018/4/2/349 for a full overview of the
changes in 4.16.
Build and tested on AR7xxx against musl
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Without this patch the extra LDFLAGS of objects were selected based on the
name of the extension being built, which breaks for aggregate so builds.
Signed-off-by: John Crispin <john@phrozen.org>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Choose first running interface, rather than first "up" interface (Redhat #1403025)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
4136529 dhcpv6-ia: keep tentative assignments alive for a short time
200cc8f dhcpv6-ia: make assignment lookup more strict
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
7cc2668 version: bump snapshot
860c7c7 poly1305: do not place constants in different sections
5f1e4ca compat: remove unused dev_recursion_level backport
7e4b991 blake2s: remove unused helper
13225fc send: simplify skb_padding with nice macro
a1525bf send: account for route-based MTU
bbb2fde wg-quick: account for specified fwmark in auto routing mode
c452105 qemu: bump default version
dbe5223 version: bump snapshot
1d3ef31 chacha20poly1305: put magic constant behind macro
cdc164c chacha20poly1305: add self tests from wycheproof
1060e54 curve25519: add self tests from wycheproof
0e1e127 wg-quick.8: fix typo
2b06b8e curve25519: precomp const correctness
8102664 curve25519: memzero in batches
1f54c43 curve25519: use cmov instead of xor for cswap
fa5326f curve25519: use precomp implementation instead of sandy2x
9b19328 compat: support OpenSUSE 15
3102d28 compat: silence warning on frankenkernels
8f64c61 compat: stable kernels are now receiving b87b619
62127f9 wg-quick: hide errors on save
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Import two patches from Peter Oh to allow setting channel
bandwidth in the way it already works for managed interfaces.
This fixes mesh interfaces on 802.11ac devices always coming up in
VHT80 mode.
Add a patch to allow HT40 also on 2.4GHz if noscan option is set, which
also skips secondary channel scan just like noscan works in AP mode.
This time also make sure to add all files to the patch before
committing it...
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Import two patches from Peter Oh to allow setting channel
bandwidth in the way it already works for managed interfaces.
This fixes mesh interfaces on 802.11ac devices always coming up in
VHT80 mode.
Add a patch to allow HT40 also on 2.4GHz if noscan option is set, which
also skips secondary channel scan just like noscan works in AP mode.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Pipe uqmi output from qmi_wds_stop function into /dev/null.
This will supress the following output in proto teardown.
netifd: wwan (x): "No effect"
netifd: wwan (x): Command failed: Permission denied
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
For unencrypted mesh networks our scripts take care of setting
the various mesh_param values. wpa_supplicant changes somes of them
when being used for SAE encrypted mesh and previously didn't allow
configuring any of them. Add support for setting mesh_fwding (which
has to be set to 0 when using other routing protocols on top of
802.11s) and update our script to pass the value to wpa_supplicant.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
513eb27 system-linux: check ioctl return value in system_vlan()
df1625d system-linux: check ioctl return value in system_if_flags()
209c508 system-linux: fix segfault on alloc failure in system_if_check()
4a8e20e system-linux: fix segfault on error in system_add_ip6_tunnel()
36e4700 handler: fix resource leak on error in netifd_init_script_handlers()
86a0e7c system-linux: remove unnecessary open call in system_if_dump_info()
1e2cf67 system-linux: fix memory leak on error in system_add_vxlan()
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
And import patchset to allow 802.11s mesh on DFS channels, see also
http://lists.infradead.org/pipermail/hostap/2018-April/038418.html
Fix sae_password for encryption mesh (sent upstream as well).
Also refreshed existing patches and fixed 463-add-mcast_rate-to-11s.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2e783b227766 ebt_ip: add support for matching IGMP type
b5fbb8d786c9 ebt_ip: add support for matching ICMP type and code
c5e5b784fd1a Move ICMP type handling functions from ebt_ip6 to useful_functions.c
11da52177196 include: sync linux/netfilter_bridge/ebt_ip.h with kernel
Note: the new features require at least kernel 4.17 or backported patches.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Split physdev match out of ipt-extra to allow installing ipt-extra without
pulling in br-netfilter.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
RFC6771 does not exclude the forwarding of the example domain as it
states : "Caching DNS servers SHOULD NOT recognize example names as
special and SHOULD resolve them normally."
Example domains cannot be assigned to any user or person by DNS
registrars as they're registered in perpetuity to IANA meaning
they can be resolved; therefore let's remove the example domains
from the rfc6761.conf file.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
74b5a3 script: fix possible negative delay
473f248 dhcpv6: always trigger script update in case of IA updates
ea18935 ra: rework route information option handling
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This Adds fixes for the following security problems based on debians patches:
CVE-2016-2125: Unconditional privilege delegation to Kerberos servers in trusted realms
CVE-2017-12163: Server memory information leak over SMB1
CVE-2017-12150: SMB1/2/3 connections may not require signing where they should
CVE-2018-1050: Denial of Service Attack on external print server.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This reverts commit 745d0e7f4b.
It looks like upstream don't want the patch so let's revert it here too.
I hope a fix from upstream is forthcoming.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Fix psidlen becomes negative in case embedded address bit lenght is smaller than
IPv4 suffix length.
While at it improve parameter checking making the code more logical and
easier to read.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
opkg currently has some issues with Provides and this change makes the
image builder fail because of that. Revert the change for now until opkg
is fixed
This reverts commit 092d75aa3e.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The following patches were merged upstream:
000-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
replaced by commit 0e3bd7ac6
001-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
replaced by commit cb5132bb3
002-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
replaced by commit 87e2db16b
003-Prevent-installation-of-an-all-zero-TK.patch
replaced by commit 53bb18cc8
004-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
replaced by commit 0adc9b28b
005-TDLS-Reject-TPK-TK-reconfiguration.patch
replaced by commit ff89af96e
006-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
replaced by commit adae51f8b
007-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
replaced by commit 2a9c5217b
008-WPA-Extra-defense-against-PTK-reinstalls-in-4-way-ha.patch
replaced by commit a00e946c1
009-Clear-PMK-length-and-check-for-this-when-deriving-PT.patch
replaced by commit b488a1294
010-Optional-AP-side-workaround-for-key-reinstallation-a.patch
replaced by commit 6f234c1e2
011-Additional-consistentcy-checks-for-PTK-component-len.patch
replaced by commit a6ea66530
012-Clear-BSSID-information-in-supplicant-state-machine-.patch
replaced by commit c0fe5f125
013-WNM-Ignore-WNM-Sleep-Mode-Request-in-wnm_sleep_mode-.patch
replaced by commit 114f2830d
Some patches had to be modified to work with changed upstream source:
380-disable_ctrl_iface_mib.patch (adding more ifdef'ery)
plus some minor knits needed for other patches to apply which are not
worth being explicitely listed here.
For SAE key management in mesh mode, use the newly introduce
sae_password parameter instead of the psk parameter to also support
SAE keys which would fail the checks applied on the psk field (ie.
length and such). This fixes compatibility issues for users migrating
from authsae.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Improve portability of init script by declaring resolvfile as local
in dnsmasq_stop function.
Fixes resolvfile being set for older busybox versions in dnsmasq_start
in a multi dnsmasq instance config when doing restart; this happens when
the last instance has a resolvfile configured while the first instance
being started has noresolv set to 1.
Base on a patch by "Phil"
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Cake in kernel space now splits stats structure handling across netlink
messages to reduce stack usage issue flagged by upstream kernel checks.
Update user space (tc) qdisc handling to understand this new regime.
Cake also reports packet overheads & compensation in a different way so
add display code for this. e.g.
'tc -s qdisc show dev eth0' reports this extra detail:
min/max transport layer size: 28 / 1500
min/max overhead-adjusted size: 65 / 1550
average transport hdr offset: 14
Cake also supports output in JSON format.
Patch is bulkier than before because a (slightly out of date - see above
stats) man page is included for reference. Better than nothing!
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
print_int used 'int' type internally, whereas print_uint used 'uint64_t'
These helper functions eventually call vfprintf(fp, fmt, args) which is
a variable argument list function and is dependent upon 'fmt' containing
correct information about the length of the passed arguments.
Unfortunately print_int v print_uint offered no clue to the programmer
that internally passed ints to print_uint were being promoted to 64bits,
thus the format passed in 'fmt' string vs the actual passed integer
could be different lengths. This is even more interesting on big endian
architectures where 'vfprintf' would be looking in the middle of an
int64 type. Symptoms of this included tc qdisc showing bizarre values
for a variety of fields across a variety of qdiscs (e.g. refcnt, flows,
quantum)
print_u/int now stick with native int size.
A similar patch has been sent upstream.
Fixes FS#1425
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
94b6878 Tidy crypto.c of old library compat. Now need libnettle 3.
8b96552 Fix compiler warning.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Option --client-cert-not-required DEPRECATED is deprecated in v2.4 and removed in OpenVPN 2.5.
Replaced by param --verify-client-cert none|optional|require in v2.4 see
https://community.openvpn.net/openvpn/wiki/ DeprecatedOptions#a--client-cert-not-required
Signed-off-by: Christian Bayer <cave@cavebeat.org>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_ RELEASE increase]
Support configuration in the form...
list ip6prefix 2001:db8:1234::/64
list ip6prefix 2001:db8:5678::/64
... to allow specifying multiple routed IPv6 prefixes.
Implements feature request FS#1361.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
1f5a29c ip: do not add local routes for host dependencies
c06f842 device: add support for setting the isolate options for bridge ports
69aeaab interface-ip: fix route selection for host dependencies
Signed-off-by: Felix Fietkau <nbd@nbd.name>
392811a ubus: let fw3_ubus_address() return the number of resolved addresses
359adcf options: emit an empty address item when resolving networks fails
503db4a zones: disable masq when resolving of all masq_src or masq_dest items failed
f50a524 helpers: implement explicit CT helper assignment support
a3ef503 zones: allow per-table log control
8ef12cb iptables: fix possible NULL pointer access on constructing rule masks
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
7c0d711 version: bump snapshot
b6a5cc0 contrib: add extract-handshakes kprobe example
37dc953 wg-quick: if resolvconf/run/iface exists, use it
1f9be19 wg-quick: if resolvconf/interface-order exists, use it
4d2d395 noise: align static_identity keys
14395d2 compat: use correct -include path
38c6d8f noise: fix function prototype
302d0c0 global: in gnu code, use un-underscored asm
ff4e06b messages: MESSAGE_TOTAL is unused
ea81962 crypto: read only after init
e35f409 Kconfig: require DST_CACHE explicitly
9d5baf7 Revert "contrib: keygen-html: rewrite in pure javascript"
6e09a46 contrib: keygen-html: rewrite in pure javascript
e0af0f4 compat: workaround netlink refcount bug
ec65415 contrib: embedded-wg-library: add key generation functions
06099b8 allowedips: fix comment style
ce04251 contrib: embedded-wg-library: add ability to add and del interfaces
7403191 queueing: skb_reset: mark as xnet
Changes:
* queueing: skb_reset: mark as xnet
This allows cgroups to classify packets.
* contrib: embedded-wg-library: add ability to add and del interfaces
* contrib: embedded-wg-library: add key generation functions
The embeddable library gains a few extra tricks, for people implementing
plugins for various network managers.
* crypto: read only after init
* allowedips: fix comment style
* messages: MESSAGE_TOTAL is unused
* global: in gnu code, use un-underscored asm
* noise: fix function prototype
Small cleanups.
* compat: workaround netlink refcount bug
An upstream refcounting bug meant that in certain situations it became
impossible to unload the module. So, we work around it in the compat code. The
problem has been fixed in 4.16.
* contrib: keygen-html: rewrite in pure javascript
* Revert "contrib: keygen-html: rewrite in pure javascript"
We nearly moved away from emscripten'ing the fiat32 code, but the resultant
floating point javascript was just too terrifying.
* Kconfig: require DST_CACHE explicitly
Required for certain frankenkernels.
* compat: use correct -include path
Fixes certain out-of-tree build systems.
* noise: align static_identity keys
Gives us better alignment of private keys.
* wg-quick: if resolvconf/interface-order exists, use it
* wg-quick: if resolvconf/run/iface exists, use it
Better compatibility with Debian's resolvconf.
* contrib: add extract-handshakes kprobe example
Small utility for extracting ephemeral key data from the kernel's memory.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (git log --oneline description)
The lantiq components still leak some user space linker options into the
kernel space. This breaks with build when ASLR is activated, deactivate
it for now on these packages.
Fixes: FS#1391
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The split-up into packages gre, grev4 and grev6 causes confusion for the
users as reported in FS#1399.
As IPv4 and IPv6 are considered now as bundled; squash the grev4 and grev6
packages into the gre package and let gre provide both grev4 and grev6.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Fixes the assumption the busybox udhcpc applet is always enabled; in case
the symbolic link check fails the DHCP shell handler script will exit and
as result the DHCP protocol handler will not be registered in netifd.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Remove RPS/XPS support from netifd core, move the logic to a hotplug
script that uses a different policy which provides better performance
and more fairness across flows
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Support config in the form of ....
add_list sendopts=router:10.10.10.2
add_list sendopts=nissrv:20.20.20.2
add_list sendopts=0x7D:abba
This allows to configure sendopts having white spaces as option value
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Support configuration in the form...
list ip6prefix 2001:db8:1234::/64
list ip6prefix 2001:db8:5678::/64
... to allow specifying multiple additional IPv6 prefixes.
Implements feature request FS#1361.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
As indicated in #5574 samba fails to build with linker error due to lack
of talloc_* functions when the packet libtalloc also gets build.
According to Makefile it is compiled with "--without-libtalloc" option.
Running ./configure --help shows that there is another option connected
to libtalloc: --enable/disable-external-libtalloc.
Adding this option fixes build.
Signed-off-by: Jakub Tymejczyk <jakub@tymejczyk.pl>
Remove this old patch which prevents showing the xfrm ports for SCTP
This was added in commit 60c1f0f64d ("finally move buildroot-ng to trunk")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
459b6932 policy: add nft translation for simple policy none/strict use case
255e55b7 tests: xlate-test: no need to require superuser privileges
6990bbc5 extensions: hashlimit: remove space before burst in translation to nft
13ecaeb0 extensions: hashlimit: Rename 'flow table' keyword to meter
c252a2b0 extensions: Add test for cluster nft translation
bda1daa4 extensions: ip6t_{S,D}NAT: add more tests
88fa4543 extensions: ip6t_{S,D}NAT: multiple to-dst/to-src arguments not reported
64a0e098 extensions: libxt_cluster: Add translation to nft
6067208f extensions: add support for 'srh' match
0f387b07 extensions: hashlimit: fix incorrect burst in translations
1ffe6a74 extensions: libxt_hashlimit: Do not print default timeout and burst
27de281d extensions: Add macro _DEFAULT_SOURCE.
75364151 iptables: Remove const qualifier from struct option.
8b0da213 iptables: masquerade: add randomize-full support
e64db006 iptables: patch to correct linker flag sequence
033eac81 extensions: libxt_tcpmss: Add test case for invalid ranges.
505bfa11 iptables: xtables-eb: Remove const qualifier from struct option
a6d6821a iptables: extensions: Fix MARK target help
71de414c libxt_sctp: fix array out of range in print_chunk
1a32381a extensions: add tests for ipcomp protocol
4bd51770 tests: xlate: print output in same way as nft-test.py
d0e3d95f libxt_recent: Remove ineffective checks for info->name
23e6ed71 libxt_TOS: add tests for translation infrastructure
9564595e Update .gitignore
bebce197 iptables: iptables-compat translation for TCPMSS
dbbab0aa extensions: libxt_tcpmss: Detect invalid ranges
0e958281 iptables-translate: add test file for TCPMSS extension
de3c68b6 iptables-compat: do not allow to delete populated user define chains
f4b80ce7 iptables: change large file support handling
f5b46c2f iptables: Constify option struct
21ba5b38 ip{,6}tables-restore: Don't accept wait-interval without wait
60e0ffd3 ip{,6}tables-restore: Don't ignore missing wait-interval value
af468b6e utils: Add a man page for nfnl_osf
1773dcaa utils: nfnl_osf: Fix synopsis in help text
895ce096 extensions: libxt_bpf: fix missing __NR_bpf declaration
3c633296 xtables-compat-restore: fix translation of mangle's OUTPUT
1c32e560 netfilter: xt_hashlimit: add rate match mode
b5331f88 xtables-compat: fix memory leak when listing
91ae12e3 xtables-compat-restore: fix several memory leaks
79e1edd1 iptables-xml: Fix segfault on jump without a target
c49a93f1 xtables-translate: fix double space before comment
79fa7cc2 libip6t_icmp6: xlate: remove leftover space
8e62f572 tests: xlate: generalize owner
8d994bcf iptables: Add file output option to iptables-save
f8e5ebc5 iptables: Fix crash on malformed iptables-restore
80d8bfaa iptables: insist that the lock is held.
c29d99c8 libxtables: Display weird character warning for wildcards
1fe96cfb tests: xlate: check if it is being run as root
3f92b259 tests: xlate: remove python 3.5 dependency
d89dc47a iptables-restore/save: exit when given an unknown option
65801d02 iptables-restore.8: document -w/-W options
9cd3adbe iptables-restore/ip6tables-restore: add --version/-V argument
1ec1fb7a extensions: libxt_hashlimit: fix 64-bit printf formats
27f69f4a iptables: extensions: Remove typedef in struct.
340105fa tests: add regression tests for xtables-translate
b669e184 extensions: libxt_TOS: Add translation to nft
b2a84476 iptables: Remove unnecessary braces.
2963a8df iptables: Remove explicit static variables initalization.
1cf4ba6f iptables: Constify option struct
999eaa24 iptables-restore: support acquiring the lock.
6e2e169e iptables: remove duplicated argument parsing code
836846f0 iptables: move XT_LOCK_NAME from CFLAGS to config.h.
b91af533 iptables: set the path of the lock file via a configure option.
0e94eb2e iptables-translate: print nft iff there are more expanded rules to print
48ad179b libxtables: abolish AI_CANONNAME
9f50bbdf libxtables: remove unnecessary nesting from host_to_ip(6)addr
c6df55d6 iptables-translate: print nft command for each expand rules via dns names
82dacbb8 xtables-translate: Avoid querying the kernel
9f972f45 extensions: libxt_addrtype: Add translation to nft
2c8e251e utils: nfsynproxy: fix build with musl libc
9b8cb756 libiptc: don't set_changed() when checking rules with module jumps
eb66632d extensions: libxt_hashlimit: Add translation to nft
72bb3dbf xshared: using the blocking file lock request when we wait indefinitely
24f81746 xshared: do not lock again and again if "-w" option is not specified
fc3c3b4e libxt_hashlimit: add new unit test to catch kernel bug
516d9191 iptables: update pf.os
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
This makes it possible to add an iptables rule that offloads routing/NAT
packet processing to a software fast path. This fast path is much
quicker than running packets through the regular tables/chains.
Requires Linux 4.14
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Daniel Golle
Rosy Song
Hans Dedecker
Martin Schiller
Jo-Philipp Wich
Stijn Tintel
Kevin Darbyshire-Bryant
Rafał Miłecki
pacien
Henrique de Moraes Holschuh
Thomas Equeter
Giuseppe Lippolis
John Crispin
Hauke Mehrtens
Masashi Honma
Christian Schoenebeck
Koen Vandeputte
Nick Hainke
Aleksandr V. Piskunov
Jason A. Donenfeld
Tony Ambardar
David Thornley
Gospod Nassa
Mathias Kresin
Toke Høiland-Jørgensen
Sven Eckelmann
hux
Jaap Buurman
Felix Fietkau
Florian Eckert
Daniel Engberg
Matthias Schiffer
Rosen Penev
Christian Bayer
Philip Prindeville
Magnus Kroken
Jakub Tymejczyk
Ansuel Smith