85f01c44a950 bridge: check bridge port vlan membership on link-up events
17e453bd68b4 wireless: add back regular virtual interfaces on hotplug-add events as well
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Programs like the olsr-name-plugin write hostname files to "/tmp/hosts/".
If you don't add this to the jail_mount, dnsmasq can't read it anymore.
Signed-off-by: Nick Hainke <vincent@systemli.org>
This will restart the interface in case the CSA fails and can be used to
force the device on a DFS channel (including full CAC)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
f12b073c0cc3 wireless: add some comments to functions
b0d090688302 bridge: fix setting pvid for updated vlans
ff3764ce28e0 device: move hotplug handling logic from system-linux.c to device.c
16bff892f415 ubus: add a dummy mode ubus call to simulate hotplug events
7f30b02013f2 examples: make dummy wireless vif names shorter
013a1171e9b0 device: do not treat devices with non-digit characters after . as vlan devices
f037b082923a wireless: handle WDS per-sta devices
db0fa24e1c17 bridge: fix enabling hotplug-added VLANs on the bridge port
4e92ea74273f bridge: bring up pre-existing vlans on hotplug as well
1f283c654aeb bridge: fix hotplug vlan overwrite on big-endian systems
Signed-off-by: Felix Fietkau <nbd@nbd.name>
a0a0e02 iwinfo: rename hardware.txt to devices.txt
Also split common devices.txt (former hardware.txt) into a common
libiwinfo-data package to allow different libiwinfo versions to
coexist without file clashes.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Imports a function from iw to convert frequencies to channel numbers.
Co-authored-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de>
[fix potential out of bounds read]
Signed-off-by: David Bauer <mail@david-bauer.net>
'--local' is a synonym for '--server' so let's use '--local' in the
resultant config file for uci's 'local' instead of uci's local
parameter being turned into '--server'. Slightly less confusion all
round.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Drop support for building the obsolete broadcom-wl backend and always
forcibly enable the nl82011 support. This allows us to make the package
shared again since no target specific compilation is happening anymore.
This will solve various repository coherency issues related to unavailable
libiwinfo versions in the long run.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This script was expecting only add/remove events which has not been the
case since Kernel 4.12 (which added bind/unbind). Bind events were getting
treated as remove events which would cause hotplugged 3g modems to not
work.
More info:
https://lkml.org/lkml/2018/12/23/128https://github.com/systemd/systemd/issues/8221
Signed-off-by: Arjun AK <arjunak234@gmail.com>
Currently, when using multiple dnsmasq instances they are all assigned
to the same Ubus instance name. This does not work, as only a single
instance can register with Ubus at a time. In the log, this leads to
`Cannot add object to UBus: Invalid argument` error messages.
Furthermore, upstream 3c93e8eb41952a9c91699386132d6fe83050e9be changes
behaviour so that instead of the log, dnsmasq exits at start instead.
With this patch, all dnsmasq instances are assigned unique names so that
they can register with Ubus concurrently. One of the enabled instances
is always assigned the previous default name "dnsmasq" to avoid breaking
backwards compatibility with other software relying on that default.
Previously, a random instance got assigned that name (while the others
produced error logs). Now, the first unnamed dnsmasq config section is
assigned the default name. If there are no unnamed dnsmasq sections the
first encountered named dnsmasq config section is assigned instead.
A similar issue exists for Dbus and was similarly addressed.
Signed-off-by: Etan Kissling <etan.kissling@gmail.com>
[tweaked commit message] dnsmasq was not crashing it is exiting
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This reverts commit 3628870015.
dnsmasq v2.86test3 has some issues with ubus, so is being reverted.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This reverts commit dea4bae7c2.
dnsmasq v2.86test3 has some issues with ubus and needs reverting, hence
this needs reverting.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Need this version to add config option for connmark DNS filtering.
Summary of upstream CHANGELOG:
* Handle DHCPREBIND requests in the DHCPv6 server code.
* Fix bug which caused dnsmasq to lose track of processes forked.
* Major rewrite of the DNS server and domain handling code.
* Revise resource handling for number of concurrent DNS queries.
* Improve efficiency of DNSSEC.
* Connection track mark based DNS query filtering.
Signed-off-by: Etan Kissling <etan.kissling@gmail.com>
With the default configuration we generate, the supplicant starts
scanning and tries to connect to any open network when the interface
is enabled.
In some cases it can be desirable to prevent the supplicant from
scanning by itself. For example, if on the same radio an AP is
configured and an unconfigured STA is added (to be configured with
WPS), the AP might not be able to beacon until the STA stops
scanning.
In such a case, the STA configuration can still be required to set
specific settings (e.g. multi_ap_backhaul_sta) so it can't be set to
"disabled" in uci (because that would prevent the supplicant from
being run at all). The alternative is to add the "disabled" parameter
to the default network block in the supplicant configuration.
This patch adds a "default_disabled" setting in UCI which, when set,
adds the "disabled" parameter to the supplicant default network block.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
In the aftermath of the KRACK attacks, hostapd gained an AP-side workaround
against WNM-Sleep Mode GTK/IGTK reinstallation attacks. WNM Sleep Mode is not
enabled by default on OpenWrt, but it is configurable through the option
wnm_sleep_mode. Thus, make the AP-side workaround configurable as well by
exposing the option wnm_sleep_mode_no_keys. If you use the option
wpa_disable_eapol_key_retries and have wnm_sleep_mode enabled, you might
consider using this workaround.
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
Commit 0a7657c ("hostapd: add channel utilization as config option") added the
two new uci options bss_load_update_period and chan_util_avg_period. However,
the corresponding "config_add_int" calls for these options weren't added, so
attempting to actually use these options and change their values is bound to
fail - they always stay at their defaults. Add the missing code to actually
make these options work.
Fixes: 0a7657c ("hostapd: add channel utilization as config option")
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
The country3 option in hostapd.conf allows the third octet of the country
string to be set. It can be used e.g. to indicate indoor or outdoor use (see
hostapd.conf for further details). Make this option configurable but optional
in OpenWrt.
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
commit 50413e1ec8 replaced ifconfig
with ip. In order to set a link state to up, the interface needs
to be added first.
Fixes: FS#3754
Signed-off-by: Perry Melange <isprotejesvalkata@gmail.com>
[Add Fixes tag]
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Make it possible to specify the SAE mechanism for PWE derivation. The
following values are possible:
0 = hunting-and-pecking loop only
1 = hash-to-element only
2 = both hunting-and-pecking loop and hash-to-element enabled
hostapd currently defaults to hunting-and-pecking loop only.
Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
This is a follow up of 1a9b896d ("treewide: nuke DRIVER_11W_SUPPORT").
LuCI commit ab010406 ("luci-mod-network: skip check for 802.11w feature")
skips check of the 11w feature [1]. Now advertising it in hostapd is
superfluous so stop doing it.
[1]: https://github.com/openwrt/luci/pull/4689
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
[remove outdated PKG_RELEASE bump and update to SPDX]
Signed-off-by: Paul Spooren <mail@aparcar.org>
Make the organization (O=) of the cert configurable via uci. If not
configured, use a combination of "OpenWrt" and an unique id like it was
done before.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
aa0e3c4bbe12 iwinfo: nl80211: add support for printing the device path for a phy
dd6d6d2dec35 iwinfo: nl80211: use new path lookup function for nl80211_phy_idx_from_uci_path
268bb26d2e2a iwinfo: nl80211: support looking up phy by path=.. and macaddr=...
c0414642fead iwinfo: nl80211: fix typo
Signed-off-by: Felix Fietkau <nbd@nbd.name>
In setups using VLAN bridge filtering, hostapd may need to communicate using
a VLAN interface on top of the bridge, instead of using the bridge directly
Signed-off-by: Felix Fietkau <nbd@nbd.name>
61a71e5e49c3 bridge: dynamically create vlans for hotplug members
cb6ee9608e10 bridge: fix dynamic delete of hotplug vlans
7f199050f395 wireless: pass the real network ifname to the setup script
50381d0a2998 bridge: allow adding/removing VLANs to configured member ports via hotplug
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This makes it possible to avoid using a RADIUS server for WPA enterprise authentication
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This allows WPA enterprise roaming in the same mobility domain without any
manual key configuration (aside from radius credentials)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
It allows enforcing a limit on associated stations to be enforced for the
full device, e.g. in order to deal with hardware/driver limitations
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This update only adds one commit:
b102f19bcc53 tests: Opportunistic Wireless Encryption - SA Query
The main reason for the bump is to have a newer PKG_SOURCE_DATE,
so we can reset PKG_RELEASE to 1 (this has not been done for the
most recent bump), and replace it with AUTORELEASE.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Channel 100 is a valid channel to choose for 80MHz operation. However,
it's assigned to 5500 MHz, not 5550MHz. In fact, there is no channel
assigned to this frequency.
Fix this obbvious typo to allow ACS to select channel 100 for 80 MHz
operation again.
Signed-off-by: David Bauer <mail@david-bauer.net>
This fixes `iw dev wlan0-mesh station dump`.
8fab0c9 iw: fix ftm_request missing arguments segfault
e816fbc iw: fix mgmt dump missing arguments segfault
5d9d1b8 iw: Fix timestamp output on 32-bit architectures
4b25ae3 iw: fix pointer arithmetic in __print_he_capa
c3df363 iw: add option to print human readable event time
cd64525 iw: print ctrl port tx status event
0ba98b9 iw: use correct type in policy check for mesh
9e38dee iw: scan: fixup HE caps whitespace
17e8564 iw: scan: parse HE capabilities
5735e58 iw: util: factor out HE capability parser
6d8d507 iw: scan: add extension tag parsing
b4e1ec4 man: update wikipage URL, reformat SEE ALSO section
c56036a iw: enable 80MHz support for 6GHz band 11s mesh
fa72728 iw: handle positive error codes gracefully
7ba9093 iw: scan: add flag for scanning colocated ap
5ec60ed iw: Add 'coloc' and 'flush' options to sched_scan
f8ade75 iw: update wikipage URL
b6f2dac iw: Add support for specifying the 160MHz bandwidth when setting the channel/frequency
Signed-off-by: Andre Heider <a.heider@gmail.com>
Instead of requiring the user to call it on each BSS individually,
run it on all BSSs internally.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
899c2a4 interface: support "device" attribute and deprecate "ifname"
62e3cb5 scripts/netifd-wireless.sh: add support for specifying the operating band
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This marks all packages which depend on a target with @TARGET nonshared.
If they are not marked nonshared they would be build by the SDK build
and if this happens with a different SDK, then the SDK from the target
the package depends on, the package would not be added to the index.
This should fix the image builder for some of these packages.
This should fix the image builder at least for bcm27xx/bcm2710 and
bcm4908/generic.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Since upstream commit 6467de5a8840 ("Randomize z ordinates in
scalar mult when timing resistant") WolfSSL requires a RNG for
the EC key when built hardened which is the default.
Set the RNG for the EC key to fix connections for OWE clients.
Signed-off-by: David Bauer <mail@david-bauer.net>
02dd2f2df7cb fix unannotated fall-through warnings
3052f2f67686 extdev: remove unused function
2a97fd006c3b device: add support for configuring devices with external auth handler
87e469be0c08 wireless: fix memory corruption bug when using vlans/station entries in the config
7277764bf817 bridge: rename "ifname" attribute to "ports"
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This can be used to handle network configuration of dynamically created vlan
interfaces in a more flexible way
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Before this commit, it was assumed that mkhash is in the PATH. While
this was fine for the normal build workflow, this led to some issues if
make TOPDIR="$(pwd)" -C "$pkgdir" compile
was called manually. In most of the cases, I just saw warnings like this:
make: Entering directory '/home/.../package/gluon-status-page'
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
[...]
While these were only warnings and the package still compiled sucessfully,
I also observed that some package even fail to build because of this.
After applying this commit, the variable $(MKHASH) is introduced. This
variable points to $(STAGING_DIR_HOST)/bin/mkhash, which is always the
correct path.
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
With some debug in qmi.sh using following patch, some errors are visible
in the registration step
@@ -29,6 +29,7 @@ proto_qmi_init_config() {
}
proto_qmi_setup() {
+ set -x
local interface="$1"
local dataformat connstat plmn_mode mcc mnc
local device apn auth username password pincode delay modes pdptype
@@ -224,6 +225,8 @@ proto_qmi_setup() {
fi
done
+ registration=$(uqmi -s -d "$device" --get-serving-system)
+
[ -n "$modes" ] && uqmi -s -d "$device" --set-network-modes "$modes" > /dev/null 2>&1
echo "Starting network $interface"
During the boot of the system, modem could not start automatically its
network registration.
netifd: wan (9235): + echo 'Waiting for network registration'
netifd: wan (9235): Waiting for network registration
netifd: wan (9235): + local 'registration_timeout=0'
netifd: wan (9235): + uqmi -s -d /dev/cdc-wdm1 --get-serving-system
netifd: wan (9235): + grep '"searching"'
netifd: wan (9235): + uqmi -s -d /dev/cdc-wdm1 --get-serving-system
netifd: wan (9235): + registration='{"registration":"not_registered","plmn_mcc":208,"plmn_mnc":20,"plmn_description":"","roaming":true}'
netifd: wan (9235): + '[' -n ]
netifd: wan (9235): + echo 'Starting network wan'
As the while loop checks only "searching" pattern, uqmi.sh script quits
searching loop and continues whereas the modem is not registered
Other issue, after X seconds modem stops searching.
netifd: wan (9213): + uqmi -s -d /dev/cdc-wdm0 --get-serving-system
netifd: wan (9213): + grep '"searching"'
netifd: wan (9213): + '[' -e /dev/cdc-wdm0 ]
netifd: wan (9213): + '[' 3 -lt 0 -o 0 '=' 0 ]
netifd: wan (9213): + let registration_timeout++
netifd: wan (9213): + sleep 1
netifd: wan (9213): + uqmi -s -d /dev/cdc-wdm0 --get-serving-system
netifd: wan (9213): + grep '"searching"'
netifd: wan (9213): + uqmi -s -d /dev/cdc-wdm0 --get-serving-system
netifd: wan (9213): + registration='{"registration":"not_registered"}'
netifd: wan (9213): + '[' -n ]
netifd: wan (9213): + echo 'Starting network wan'
netifd: wan (9213): Starting network wan
If registration_timeout is not expired, registration can be restarted
Signed-off-by: Thomas Richard <thomas.richard@kontron.com>
Tested-by: Florian Eckert <fe@dev.tdt.de>
Fixes issue with merged DNS requests in 2.83/2.84 not being
retried on the firsts failed request causing lookup failures.
Also fixes the following security problem in dnsmasq:
* CVE-2021-3448:
If specifiying the source address or interface to be used
when contacting upstream name servers such as:
server=8.8.8.8@1.2.3.4, server=8.8.8.8@1.2.3.4#66 and
server=8.8.8.8@eth0 then all would use the same socket
bound to the explicitly configured port. Now only
server=8.8.8.8@1.2.3.4#66 will use the explicitly
configured port and the others random source ports.
Remove upstreamed patches and update remaining patch.
Signed-off-by: Alan Swanson <reiver@improbability.net>
[refreshed old runtime support patch]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This package depends on the lantiq target and is only build for that
target. A normal package would be build by the SDK builder probably
under a different target and then this package will not be selected.
Mark it as nonshared to build it when the lantiq target gets build.
Fixes: FS#3773, FS#3774
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
When running multiple instances of dnsmasq, for example one being for the lan
and another for a guest network, it might not be desirable to have the same dns names
configured in both networks
Signed-off-by: João Henriques <joaoh88@gmail.com>
Update to the latest stable upstream version.
Drop unneeded make variables to remove redundant assignments seen during
invocation of package Makefile.
Also remove the following patch now included upstream:
* 200-fix-install-param-order-on-macos.patch
Compile and run-tested on malta/mips32be, using bpftool directly and also
libbpf (linked with tc) to inspect and load simple eBPF programs.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Rename feature variable clang-bpf-global-var following upstream changes.
This restores the HAVE_CLANG feature override and should avoid rare build
errors where a recent host clang and BTF-enabled host kernel are present.
Fixes: 23be333401 ("bpftools: update to 5.10.10")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Skip building Makefile targets that aren't packaged: tipc, dcb, ifstat,
rtacct, lnstat, and man. Also, only compile targets needed for the current
build variant i.e. don't compile 'tc' when building an 'ip' variant and
vice versa.
These changes reduce typical build times by over 30%:
$ make package/iproute2/clean && time make -j8 package/iproute2/compile
(old)
...
real 2m24.985s
user 3m12.537s
sys 0m26.677s
(new)
...
real 1m36.945s
user 2m8.734s
sys 0m20.046s
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
With the old ubus dsl API, the numbers for the individual line_states and
power_states were also returned. These were not ported to the new DSL
C-API. This commit adds the missing information.
For this the internal values are mapped to numbers.
* additional JSON output for state_num:
"state_num": <map_state_number>
Since not all values are meaningful only the following values are
implemented, this can be extended if the future.
* LSTATE_MAP_NOT_INITIALIZED
* LSTATE_MAP_EXCEPTION
* LSTATE_MAP_IDLE
* LSTATE_MAP_SILENT
* LSTATE_MAP_HANDSHAKE
* LSTATE_MAP_FULL_INIT
* LSTATE_MAP_SHOWTIME_NO_SYNC
* LSTATE_MAP_SHOWTIME_TC_SYNC
* LSTATE_MAP_RESYNC
* additinal JSON output for power_level:
"power_state_num": <map_power_satte_number>,
Since there are not so many here, all are mapped.
* PSTATE_MAP_NA,
* PSTATE_MAP_L0,
* PSTATE_MAP_L1,
* PSTATE_MAP_L2,
* PSTATE_MAP_L3,
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
v6:
Add state LSTATE_MAP_NOT_INITILIZED at the beginning of the list
Start the list LSTATE_MAP with -1
Reviewed-by: Andre Heider <a.heider@gmail.com>
Placeholder DHCP user scripts were added recently.
These files make package-based installations of such scripts more difficult.
Pull user callbacks from directories instead to allow packages and users to
install co-existing scripts more easily.
References:
b4f3d93b5 odhcp6c: add a odhcp6c.user placeholder script
Signed-off-by: Leon M. George <leon@georgemail.eu>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
Placeholder DHCP user scripts were added recently.
These files make package-based installations of such scripts more difficult.
Pull user callbacks from directories instead to allow packages and users to
install co-existing scripts more easily.
References:
130118f7a netifd: add a udhcpc.user placeholder script
Signed-off-by: Leon M. George <leon@georgemail.eu>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
Looks like 'openat', 'pipe2' and 'ppoll' are now needed, possibly due
to changes on libraries used by umdns now using slightly different
calls.
Found using
/etc/init.d/umdns trace
now use umdns, ie. cover all ubus call etc., then
/etc/init.d/umdns stop
find list of syscalls traced in /tmp/umdns.*.json
Fixes: FS#3355 ("UMDNS: does not start on master with seccomp")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Now that libcap is in OpenWrt base, we can drop our custom patch to
disable libcap support and have lldpd depend on it instead. This will
allow the monitor process to drop its privileges instead of running as
root, improving security.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
f8899b9 netifd: bridge: set default value for igmp_snoop
327da98 netifd: add possibility to switch off route config
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Airtime policy configuration is extremely useful in multiple BSS scenarios.
Since nowadays most people configure both private and guest networks (at
least), it makes sense to enable it by default, except for the most limited
of the variants.
Size of the hostapd-basic-openssl binary (mipsel 24Kc -O2):
543944 bytes (airtime policy disabled)
548040 bytes (airtime policy enabled)
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Acked-by: Daniel Golle <daniel@makrotopia.org>
Switch to Actual Net Data Rate (ACTNDR) for speed reporting on lantiq VDSL modems
Refer to ITU-T G.997.1 chapter 7.5.2.8
Independent whether retransmission is used or not in a given transmit direction:
- In L0 state, this parameter reports the Net Data Rate (as specified in G.992.3, G.992.5 or G.993.2) at which the bearer channel is operating.
- In L2 state, the parameter contains the Net Data Rate (as specified in G.992.3, G.992.5 or G.993.2) in the previous L0 state.
Signed-off-by: Jeroen Peelaerts <jeroen.peelaerts@gmail.com>
Reviewed-by: Andre Heider <a.heider@gmail.com>
This commit adds monitoring for a couple of DSL line features that are
present in the lantiq firmware blobs.
* G.INP ON/OFF
* Trellis encoding ON/OFF
* Virtaul Noise ON/OFF
* Bitswap ON/OFF
Difference in size for ltq-vdsl-app = 1k
Difference in size for kmod-ltq-vdsl-vr9 < 1k
Reviewed-by: Andre Heider <a.heider@gmail.com>
Signed-off-by: Jeroen Peelaerts <jeroen.peelaerts@gmail.com>
Upstream iproute2 detects libbpf using a one-line $CC test-compile, which
normally ignores LDFLAGS. With NLS enabled however, LDFLAGS includes an
"rpath-link" linker option needed to resolve libintl.so. Its absence
causes both the compile and libbpf detection to fail:
ld: warning: libintl.so.8, needed by libbpf.so, not found (try using
-rpath or -rpath-link)
ld: libelf.so.1: undefined reference to `libintl_dgettext'
collect2: error: ld returned 1 exit status
Fix this by directly including $LDFLAGS in the test-compile command.
Reported-by: Ian Cooper <iancooper@hotmail.com>
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
There is no direct linking of libintl from bpftools, only secondary linking
through libelf, so remove "-lintl" from TARGET_LDFLAGS.
Fixes: 5582fbd613 ("bpftools: support NLS, fix ppc build and update to 5.8.9")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
a4355a6 firewall3: clean up the flow table detection logic
edd0dc5 firewall3: create a common helper to find strings in files
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This includes several improvements and fixes:
61db17e rules: fix device and chain usage for DSCP/MARK targets
7b844f4 zone: avoid duplicates in devices list
c2c72c6 firewall3: remove last remaining sprintf()
12f6f14 iptables: fix serializing multiple weekdays
00f27ab firewall3: fix duplicate defaults section detection
e8f2d8f ipsets: allow blank/commented lines with loadfile
8c2f9fa fw3: zones: limit zone names to 11 bytes
78d52a2 options: fix parsing of boolean attributes
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Moved to packages repo because it was considered
non-essential for most router configurations.
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
[shorten commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Instead of doing uci commit and reload_config for each setting do it
only once when one of these options was changed. This should make it a
little faster when both conditions are taken.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Without this change the config is only committed, but the uhttpd daemon
is not reloaded. This reload is needed to apply the config. Without the
reload of uhttpd, the ubus server is not available over http and returns
a Error 404.
This caused problems when installing luci on the snapshots and
accessing it without reloading uhttpd.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Now that ujail supports seccomp also on Aarch64, add missing syscall
'fstat' to the list of allowed syscalls.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This change was investigated previously [1] but not deemed necessary. With
the recent addition [2] of modern BPF loader support, however, tc gained
dependencies on libelf and libbpf, with a larger installation footprint.
Similar to ip-tiny/ip-full, split tc into tc-full and tc-tiny variants,
where the latter excludes the eBPF loader, uses a smaller executable, and
avoids libelf and libbpf package dependencies. Both variants provide the
'tc' virtual package, with tc-tiny as the default.
The previous tc package included a loadable module for iptables actions.
Separate this out into a common package, tc-mod-iptables, which both
variants depend on. Some package sizes on mips_24kc:
Before:
148343 tc_5.11.0-1_mips_24kc.ipk
After:
144833 tc-full_5.11.0-2_mips_24kc.ipk
138430 tc-tiny_5.11.0-2_mips_24kc.ipk (and no libelf or libbpf)
4115 tc-mod-iptables_5.11.0-2_mips_24kc.ipk
Also fix up some Makefile indentation.
[1] https://github.com/openwrt/openwrt/pull/1627#issuecomment-447619962
[2] b048a305a3 ("iproute2: update to 5.11.0")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
The link equalizer sch_teql.ko of package kmod-sched relies on a hotplug
script historically included in iproute2's tc package. In previous
discussion [1], consensus was the hotplug script is best located together
with the module in kmod-sched, but this change was deferred at the time.
Relocate the hotplug script now. This change also simplifies adding a tc
variant for minimal size with reduced functionality.
[1] https://github.com/openwrt/openwrt/pull/1627#issuecomment-447923636
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
This patch has been submitted upstream to fix an error reported by a few
users. One instance seen using gcc 10.2.0, binutils 2.35.1 and musl 1.1.24:
bpf_glue.c: In function 'get_libbpf_version':
bpf_glue.c:46:11: error: 'PATH_MAX' undeclared (first use in this function);
did you mean 'AF_MAX'?
46 | char buf[PATH_MAX], *s;
| ^~~~~~~~
| AF_MAX
Reported-by: Rui Salvaterra <rsalvaterra@gmail.com>
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
If the environment variable FILTER is set before compilation,
compilation of the ppp-package will fail with the error message
Package ppp is missing dependencies for the following libraries:
libpcap.so.1
The reason is that the OpenWrt-patch for the Makefile only comments
out the line FILTER=y. Hence the pcap-library will be dynamically
linked if the environment variable FILTER is set elsewhere, which
causes compilation to fail. The fix consists on explicitly unsetting
the variable FILTER instead.
Signed-off-by: Eike Ritter <git@rittere.co.uk>
[ -d /sys/module/xfrm_interface ] is enough to check if
CONFIG_XFRM_INTERFACE support was enabled in kernel.
Signed-off-by: Alin Nastac <alin.nastac@technicolor.com>
Document the existence of this feature. This allows the user to execute a script
at each DHCPv4 event. This is useful, for example, as an ad-hoc way to update a
DDNS entry when (and only when) required.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Document the existence of this feature. This allows the user to execute a script
at each DHCPv6 event. This is useful, for example, as an ad-hoc way to update a
DDNS entry when (and only when) required.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Fix: bpftools 5.11.2 does not compile on macOS, because the -m option
was placed between src and dst. Corrected by moving -m 644 before src.
Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
The pkgconfig file hardcodes a host library directory which cannot be
overridden by OpenWrt during builds. Use SED to fix this and potential
include directory problems, as is done with several other packages.
This fixes a strange issue intermittently seen building iproute2 on the
oxnas target:
iptables modules directory: /usr/lib/iptables
libc has setns: yes
SELinux support: no
libbpf support: no
libbpf version 0.3.0 is too low, please update it to at least 0.1.0
LIBBPF_FORCE=on set, but couldn't find a usable libbpf
Fixes: 2f0d672088 ("bpftools: add utility and library packages
supporting eBPF usage")
Reported-by: Russell Senior <russell@personaltelco.net>
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
This will use the new application led trigger backend. For now this is
the only package that uses leds trigger in user space to configure the
kernel led triggers.
The callback script only emmits a message for now, so that this LED is now
managed by the rssileds service. Until now a generic warning was emitted that
this LED trigger is not supported. But that is not true.
-> Skipping trigger 'rssileds' for led '<name>' due to missing kernel module
I think this callback should be changed in the future to restart the
service.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
p2p_add_device() may remove the oldest entry if there is no room in the
peer table for a new peer. This would result in any pointer to that
removed entry becoming stale. A corner case with an invalid PD Request
frame could result in such a case ending up using (read+write) freed
memory. This could only by triggered when the peer table has reached its
maximum size and the PD Request frame is received from the P2P Device
Address of the oldest remaining entry and the frame has incorrect P2P
Device Address in the payload.
Fix this by fetching the dev pointer again after having called
p2p_add_device() so that the stale pointer cannot be used.
This fixes the following security vulnerabilities/bugs:
- CVE-2021-27803 - A vulnerability was discovered in how p2p/p2p_pd.c
in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision
discovery requests. It could result in denial of service or other
impact (potentially execution of arbitrary code), for an attacker
within radio range.
Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Changes:
- Remove custom Build/Compile because it's no longer needed
- Remove std=gnu99 which is added automaticaly by igmpproxy if needed
- Remove -Dlog from CFLAGS because igmpproxy doesn't have log function
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
Compile and run-tested on malta/mip32be, using bpftool directly and also
libbpf (linked with tc) to inspect and load simple eBPF programs.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
The latest iproute2 version brings various improvements and fixes:
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/?qt=range&q=v5.10.0..v5.11.0
In particular, ip and tc now use libbpf as the standard way to load BPF
programs, rather than the old, limited custom loader. This allows more
consistent and featureful BPF program handling e.g. support for global
initialized variables.
Also fix a longstanding problem with iproute2 builds where unneeded DSO
dependencies are added to most utilities, bloating their installation
footprint. From research and testing, explicitly using a "--as-needed"
linker flag avoids the issue. Update accordingly and drop extra package
dependencies from Makefile.
Additional build and packaging updates include:
- install missing development header to iproute2/bpf_elf.h
- propagate OpenWrt verbose flag during build
- update and refresh patches
Compile and run tested: QEMU/malta-mips32be on kernels 5.4 & 5.10.
All iproute2 packages were built and installed to the test image. Some
regression testing using ip-full and tc was successfully performed to
exercise several kmods, tc modules, and simple BPF programs.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
The following warnings are shown during build:
/usr/include/vdsl/cmv_message_format.h:33:6: warning: "MEI_SUPPORT_DEBUG_STREAMS" is not defined, evaluates to 0 [-Wundef]
#if (MEI_SUPPORT_DEBUG_STREAMS == 1)
^~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/vdsl/drv_mei_cpe_interface.h:2256:6: warning: "MEI_SUPPORT_OPTIMIZED_FW_DL" is not defined, evaluates to 0 [-Wundef]
#if (MEI_SUPPORT_OPTIMIZED_FW_DL == 1)
^~~~~~~~~~~~~~~~~~~~~~~~~~~
The headers are provided by the MEI driver, but the defines are never
set by the vdsl app. While the struct with the
MEI_SUPPORT_OPTIMIZED_FW_DL conditional isn't used by the vdsl app,
however CMV_USED_PAYLOAD_8BIT_SIZE which value depends on
MEI_SUPPORT_DEBUG_STREAMS is.
Since the MEI driver doesn't provide an autogenerated header with
compile flags, the flags are hardcoded for the vdsl app.
Set them for the MEI driver as well, to indicate a relation to the
values used for the vdsl app and to be not surprised by a changed
default in case the MEI driver gets updated. Use the current default
values defined in the MEI driver.
Signed-off-by: Mathias Kresin <dev@kresin.me>
To the vast majority of the users, wireguard-tools are not useful
without the underlying kernel module. The cornercase of only generating
keys and not using the secure tunnel is something that won't be done on
an embedded OpenWrt system often. On the other hand, maintaining a
separate meta-package only for this use case introduces extra
complexity. WireGuard changes for Linux 5.10 remove the meta-package.
So let's make wireguard-tools depend on kmod-wireguard
to make WireGuard easier to use without having to install multiple
packages.
Fixes: ea980fb9 ("wireguard: bump to 20191226")
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
On Linux 5.4, build WireGuard from backports. Linux 5.10 contains
wireguard in-tree.
Add in-kernel crypto libraries required by WireGuard along with
arch-specific optimizations.
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
Upstream integrated multiple patches from Distributions and did other
changes:
* rp-pppoe.so was renamed to pppoe.so
* Converted to ANSI C
The following patches were applied upstream:
* 100-debian_ip-ip_option.patch
* 101-debian_close_dev_ppp.patch
* 103-debian_fix_link_pidfile.patch
* 106-debian_stripMSdomain.patch
* 107-debian_pppoatm_wildcard.patch
* 110-debian_defaultroute.patch
* 202-no_strip.patch
Compilation with musl libc was fixed upstream so
140-pppoe_compile_fix.patch is not needed any more
Parts of the 203-opt_flags.patch patch were applied in a different way
upstream.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
There are efforts underway to bring wireguard in-tree for Linux 5.4 and
to have a common build infrastructure for both 5.4 and 5.10 for
kmod-wireguard[0]. Until then, restrict kmod-wireguard to build only on
Linux 5.4, because the wireguard-compat package will not build on Linux
5.10.
[0]: https://github.com/openwrt/openwrt/pull/3885
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
This is a backport of the upstream commit 58bbbb598144 ("nl80211: Ignore
4addr mode enabling error if it was already enabled") which fixes same
issue as in the current fix contained in '130-wpa_supplicant-multi_ap_roam.patch',
but in a different way:
nl80211_set_4addr_mode() could fail when trying to enable 4addr mode on
an interface that is in a bridge and has 4addr mode already enabled.
This operation would not have been necessary in the first place and this
failure results in disconnecting, e.g., when roaming from one backhaul
BSS to another BSS with Multi AP.
Avoid this issue by ignoring the nl80211 command failure in the case
where 4addr mode is being enabled while it has already been enabled.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
[bump PKG_RELEASE, more verbose commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
After the ABI version rework, packages need to be declared in the order of
their dependencies, so that dependent packages will use the right ABI version
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Automatically setup dhcpv4 server just like it's done for dhcpv6.
To select whether odhcpd or dnsmasq are serving DHCPv4 requests there
still is the 'maindhcp' option. To make things less confusing, make
sure things really work out-of-the-box in case dnsmasq is not even
installed at the time the uci-defaults script is being run.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The removed patches were applied upstream.
This adapts ath10k-ct and mt76 to changed APIs.
nl80211.h in iw is updated to match the version from backports.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
5a2dd18 iwinfo: add hardware description for MediaTek MT7622
4a32b33 iwinfo: add PCI ID for MediaTek MT7613BE
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This patch is required to be able to roam from one backhaul AP to
another one in the same ESS.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(daniel@makrotopia.org: PKG_REVISION bump and refreshed patches)
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
This patch allows other applications to get events management
frames (for example: association requests).
This is useful in Multi-AP context to be able to save association
requests from stations.
It has been sent to upstream hostapd in this series:
https://patchwork.ozlabs.org/project/hostap/list/?series=217500
'700-wifi-reload.patch' is updated due to the introduction of
'110-notify-mgmt-frames.patch'.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
luci now uses ubus directly, so remove 'lucistat'.
For manual usage just print the ubus output, use luci for a pretty
version.
Signed-off-by: Andre Heider <a.heider@gmail.com>
luci now uses ubus directly, so remove 'lucistat'.
For manual usage just print the ubus output, use luci for a pretty
version.
Signed-off-by: Andre Heider <a.heider@gmail.com>
Tested-by: Martin Schiller <ms@dev.tdt.de>
procd sends sigterm to stop daemons, hook it up.
This speeds up the shutdown sequence and gets rid of the following message:
daemon.info procd: Instance dsl_control::instance1 pid 15408 not stopped on SIGTERM, sending SIGKILL instead
Signed-off-by: Andre Heider <a.heider@gmail.com>
Tested-by: Martin Schiller <ms@dev.tdt.de>
dnsmasq v2.84rc2 has been promoted to release.
No functional difference between v2.83test3 and v2.84/v2.84rc2
Backport 2 patches to fix the version reporting
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Use new ubus-based hotplug call in dhcp-script.sh
As sysntpd now makes use of the new ubus-based hotplug calls, dnsmasq
no longer needs to ship ACL to cover ntpd-hotplug.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Multiple sources are hosted on OpenWrts source server only. The source
URLs to point to the server vary based on different epochs in OpenWrts
history.
Replace all by @OPENWRT which is an "empty" mirror, therefore using the
fallback servers sources.cdn.openwrt.org and sources.openwrt.org.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Commit 7c8c4f1be6 ("hostapd: fix P2P group information processing
vulnerability") was missing the actual patch for the vulnerability.
Fixes: 7c8c4f1be6 ("hostapd: fix P2P group information processing vulnerability")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Use the latest stable kernel since the previous 5.8.x series is EOL.
Also drop the following patches recently accepted upstream:
* 001-libbpf-ensure-no-local-symbols-counted-in-ABI-check.patch
* 002-libbpf-fix-build-failure-from-uninitialized-variable.patch
* 003-bpftool-allow-passing-BPFTOOL_VERSION-to-make.patch
* 004-v5.9-bpftool-use-only-ftw-for-file-tree-parsing.patch
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
dnsmasq v2.83 has a bug in handling duplicate queries which means it may
try to reply using the incorrect network socket. This is especially
noticeable in dual stack environments where replies may be mis-directed to
IPv4 addresses on an IPv6 socket or IPv6 addresses on an IPv4 socket.
This results in system log spam such as:
dnsmasq[16020]: failed to send packet: Network unreachable
dnsmasq[16020]: failed to send packet: Address family not supported by protocol
dnsmasq v2.84test3 resolves these issues.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This is a helpful utility, but it does not have any dependencies
in this repository. Move it to packages feed.
The package does not seem to have a maintainer.
Cc: Jo-Philipp Wich <jo@mein.io>
Cc: Nick Hainke <vincent@systemli.org>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This is a helpful utility, but it does not have any dependencies
in this repository. Move it to packages feed.
Cc: Jo-Philipp Wich <jo@mein.io>
Cc: Nick Hainke <vincent@systemli.org>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The "cidr_contains6" functions clones the given cidr. The contains4
does not clone the cidr. Both functions do not behave the same.
I see no reason to push the cidr. I think that we get only a negligible
performance gain, but it makes ipv4 and ipv6 equal again.
Signed-off-by: Nick Hainke <vincent@systemli.org>
This fixes the following security problems in dnsmasq:
* CVE-2020-25681:
Dnsmasq versions before 2.83 is susceptible to a heap-based buffer
overflow in sort_rrset() when DNSSEC is used. This can allow a remote
attacker to write arbitrary data into target device's memory that can
lead to memory corruption and other unexpected behaviors on the target
device.
* CVE-2020-25682:
Dnsmasq versions before 2.83 is susceptible to buffer overflow in
extract_name() function due to missing length check, when DNSSEC is
enabled. This can allow a remote attacker to cause memory corruption
on the target device.
* CVE-2020-25683:
Dnsmasq version before 2.83 is susceptible to a heap-based buffer
overflow when DNSSEC is enabled. A remote attacker, who can create
valid DNS replies, could use this flaw to cause an overflow in a heap-
allocated memory. This flaw is caused by the lack of length checks in
rtc1035.c:extract_name(), which could be abused to make the code
execute memcpy() with a negative size in get_rdata() and cause a crash
in Dnsmasq, resulting in a Denial of Service.
* CVE-2020-25684:
A lack of proper address/port check implemented in Dnsmasq version <
2.83 reply_query function makes forging replies easier to an off-path
attacker.
* CVE-2020-25685:
A lack of query resource name (RRNAME) checks implemented in Dnsmasq's
versions before 2.83 reply_query function allows remote attackers to
spoof DNS traffic that can lead to DNS cache poisoning.
* CVE-2020-25686:
Multiple DNS query requests for the same resource name (RRNAME) by
Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS
traffic, using a birthday attack (RFC 5452), that can lead to DNS
cache poisoning.
* CVE-2020-25687:
Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer
overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A
remote attacker, who can create valid DNS replies, could use this flaw
to cause an overflow in a heap-allocated memory. This flaw is caused
by the lack of length checks in rtc1035.c:extract_name(), which could
be abused to make the code execute memcpy() with a negative size in
sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of
Service.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
53f07e9 ra: fix routing loop on point to point links
2b6959d ra: align ifindex resolving
Tested-by: Karl Vogel <karl.vogel@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
With encryption disabled, it was intended to set wpa_state=1 (enabled,
not configured) through the 'wps_not_configured' flag.
The flag is set appropriately but the condition using it is broken.
Instead, 'wps_configured' is checked and wpa_state is always 2 (enabled,
configured). Fix it by using the correct variable name.
Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")
Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit title/message improvements]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The cidr_parse6 function parses a string to an ipv6-address.
The cidr struct contains a union called buf for the ipv4 and ipv6
address. Since it is a char pointer and the struct is initialized with
the maximum size (so ipv6 string) it does not make any difference.
However, we should access the buffer using the v6 name, since it could
be confusing otherwise.
Signed-off-by: Nick Hainke <vincent@systemli.org>
The key_mgmt variable was mistyped when checking against "WPS", so
the if clause was never entered.
Fixes: f5753aae23 ("hostapd: add support for WPS pushbutton station")
Signed-off-by: Leon M. George <leon@georgemail.eu>
[add commit message, bump PKG_RELEASE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
'base' was never used.
Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")
Signed-off-by: Leon M. George <leon@georgemail.eu>
'enc_str' was never used.
Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")
Signed-off-by: Leon M. George <leon@georgemail.eu>
Granting capabilities CAP_NET_ADMIN and CAP_NET_RAW allows running
hostapd and wpa_supplicant without root priviledges.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This allows configuration of multicast_to_unicast and per_sta_vif options.
- multicast_to_unicast requests multicast-to-unicast conversion.
- per_sta_vif assigns each station its own AP_VLAN interface.
Signed-off-by: Etan Kissling <etan_kissling@apple.com>
Currently PHY information obtained from "iw phy" lacks information about
a PHYs HE capabilities when using the by default installed iw-tiny.
As there are already 802.11ax supported devices, enabled printing this
information for the by-default installed iw variant.
Signed-off-by: David Bauer <mail@david-bauer.net>
To simplify the way netifd acquires the PIDs of wpa_supplicant and
hostapd let the config_add method of both of them return the PID of the
called process. Use the returned PID instead of querying procd when
adding wpa_supplicant configuration.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
- Encode ABI version in compiled shared object file
- Only ship versioned shared library
a17f561 iwinfo: detect QCA IPQ4019 WiSoC from FDT
ea28dfb iwinfo: export ht and vht operation in scan results
4e22953 iwinfo: export center_chan info for local wifi
74d13fb cli: account for additional digit for frequencies above 10GHz
8bfd8d8 iwinfo: add support for GCMP cipher
618c1e8 iwinfo: add hardware description for QCA MIPS WiSoCs
0702f32 iwinfo: improve center channel handling
51c1336 iwinfo: set center chan unsupported for not-nl80211 driver
23d2722 build: add ability to specify shared object version
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This reverts commit f1620630e9.
This update introduces potentially remote exploitable buffer overreads
in IE parsing logic.
It also breaks the ABI without introdcing SOVERSION library versioning.
Furthermore, HT information is incorrectly added for non-HT BSSes.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
a17f561 iwinfo: detect QCA IPQ4019 WiSoC from FDT
ea28dfb iwinfo: export ht and vht operation in scan results
4e22953 iwinfo: export center_chan info for local wifi
74d13fb cli: account for additional digit for frequencies above 10GHz
8bfd8d8 iwinfo: add support for GCMP cipher
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This patch enables hostapd.sh to properly configure wpa_supplicant
for when GCMP is used as cipher in station mode.
Without this wpa_supplicant will be unable to connect to AP.
This is needed for wil6210 as it does not support CCMP.
Signed-off-by: Robert Marko <robimarko@gmail.com>
This adds an option "hostapd_bss_options" that does the same as
"hostapd_options" but on a per-BSS level, instead of a per-device level.
This can be used, for example, to configure different per-devce sae_passwords
per BSS or to augment some of the existing per-BSS options.
Signed-off-by: Florian Beverborg <flo@beverb.org>
[remove whitespace errors, bump release]
Signed-off-by: Paul Spooren <mail@aparcar.org>
This patch was already applied upstream and not needed here.
Fixes: 06403981e1 ("ppp: update to version 2.4.7.git-2019-05-06")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
By setting 'auto', the zero address or the empty string as source
address (option ipaddr, option ip6addr), vxlan will choose one
dynamically. This helps in setups where a wan ip or prefix changes.
This corresponse to setting up an vxlan tunnel with:
proto vxlan6:
# ip link add vx0 type vxlan id ID local :: ...
proto vxlan:
# ip link add vx0 type vxlan id ID local 0.0.0.0 ...
While it is possible to not specify a source ip at all, the kernel will
default to setting up a ipv4 tunnel. The kernel will take any hint from
source and peer ips to figure out, what tunnel type to use. To make sure
we setup an ipv6 tunnel for proto vxlan6, this workaround is needed.
This will not change the behaviour of currently working configurations.
However this will allow former broken configurations, namely those not
specifying both a source address and tunnel interface, to setup a
tunnel interface. Previously those configurations weren't reporting an
error and were stueck in a setup loop like in Bug FS#3426.
This change lifts the currently very strict behaviour and should fix the
following bug:
Fixes: FS#3426
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=3426
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
b75bcad dhcpv6-ia: remove assignment equal to 0 checks
d1ae052 dhcpv6-ia: fix logic to include IA_PD prefix with lifetimes set to 0
9d5e379 dhcpv6-ia: fix prefix delegation behavior
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
As of hostapd upstream commit 7d2ed8ba "Remove CONFIG_IEEE80211W build parameter"
https://w1.fi/cgit/hostap/commit?id=7d2ed8bae86a31dd2df45c24b3f7281d55315482
802.11w feature is always enabled in the build time.
It doesn't make sense to opt-in 802.11w per driver as hostapd will always
be compiled with this feature enabled.
As suggested by Hauke Mehrtens, for now keep 11w enabled in build_features.h
for compatibility reasons. This option will be dropped when LuCI is adjusted.
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
When hostapd gets restarted to often/quickly will cause procd to not restart it
anymore. it will think that hapd is in a crash loop.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [adjust respawn time]
Currently, EAPOLv2 (802.1X-2004) is used by default for legacy clients that
are not WPA2 (RSN) capable. These legacy clients are often intolerant to this
EAPOL version and fail to connect.
hostapd.conf upstream documents for eapol_version the following and that this
is a known compatibility issue with version 2:
// IEEE 802.1X/EAPOL version
// hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL
// version 2. However, there are many client implementations that do not handle
// the new version number correctly (they seem to drop the frames completely).
// In order to make hostapd interoperate with these clients, the version number
// can be set to the older version (1) with this configuration value.
// Note: When using MACsec, eapol_version shall be set to 3, which is
// defined in IEEE Std 802.1X-2010.
//eapol_version=2
For the wpa parameter, hostapd.conf upstream documents that this is a bitfield,
configured as follows:
// Enable WPA. Setting this variable configures the AP to require WPA (either
// WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
// wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
// Instead of wpa_psk / wpa_passphrase, wpa_psk_radius might suffice.
// For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
// RADIUS authentication server must be configured, and WPA-EAP must be included
// in wpa_key_mgmt.
// This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
// and/or WPA2 (full IEEE 802.11i/RSN):
// bit0 = WPA
// bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
// Note that WPA3 is also configured with bit1 since it uses RSN just like WPA2.
// In other words, for WPA3, wpa=2 is used the configuration (and
// wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK).
//wpa=2
For client compatibility therefore:
EAPOLv1 (802.1X-2001) should be used by default where WPA is enabled.
EAPOLv2 (802.1X-2004) should be used by default where WPA is disabled.
To fix this, we can therefore change in the script:
set_default eapol_version 0
To the following:
set_default eapol_version $((wpa & 1))
This therefore:
1) Sets eapol_version to 1 where WPA has been enabled via wpa bit0 being set.
2) Sets eapol_version to 0 where WPA has been disabled via wpa bit0 being unset.
For usual configurations that only have WPA2 enabled, EAPOLv2 is then used.
Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
The patch removes a libpcap check to avoid a problem with libpcap. Fix
libpcap instead.
Modernize Makefile:
Use a normal autoconf bool instead of checking for CONFIG_IPV6.
Remove old configure and MAKE_FLAGS hacks. Removing them results in
compilation continuing to work without a problem.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
hostapd.sh does not parse skip_inactivity_poll boolean from
/etc/config/wireless despite being mentioned in the documentation [1].
This change fixes this, and by default sets its value to 0 [1].
[1] https://openwrt.org/docs/guide-user/network/wifi/basic
Signed-off-by: Nadim Atiya <nadim.atiya@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[fix and reformat commit message, make patch apply]
So we can ship px5g-wolfssl by default in the release image, but still
make the HTTPS for LuCI optional. This small change with addition of
`CONFIG_PACKAGE_px5g-wolfssl=y` into the buildbot's seed config for the
next release should provide optional HTTPS in the next release.
Disabling the current default automatic uhttpd's redirect to HTTPS
should make the HTTPS optional. That's it, user would either need to
switch to HTTPS by manually switching to https:// protocol in the URL or
by issuing the following commands to make the HTTPS automatic redirect
permanent:
$ uci set uhttpd.main.redirect_https=1
$ uci commit uhttpd
$ service uhttpd reload
Signed-off-by: Petr Štetiar <ynezz@true.cz>
You shouldn't need the overhead of GRE just to add multicast
capability on a point-to-point interface (for instance, you might
want to run mDNS over IPsec transport connections, and Avahi
requires IFF_MULTICAST be set on interfaces, even point-to-point
ones).
Borrowed heavily from:
b3c9321b9e gre: Support multicast configurable gre interfaces
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Bump package version after previous changes.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
[added missing commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
binary size cost is much less than 1k.
tested on ath79/generic:
bin: 215128 -> 215132 (+4b)
ipk: 111183 -> 111494 (+311b)
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
this commit removes manual recipes for options and introduces mapping lists:
- DB_OPT_COMMON holds option mappings which are common for all builds;
- DB_OPT_CONFIG holds option mappings which are depend on config settings.
DB_OPT_COMMON is space-separated list of 'words', each of them is in format:
'header_option|value'
'header_option' is added with value 'value' to 'localoptions.h'.
if 'header_option' is preceded by two exclamation marks ('!!')
then option is not added to 'localoptions.h' but replaced in 'sysoptions.h'.
in short:
option|value - add option to localoptions.h
!!option|value - replace option in sysoptions.h
DB_OPT_CONFIG is space-separated list of 'words', each of them is in format:
'header_option|config_variable|value_enabled|value_disabled'
'header_option' is handled likewise in DB_OPT_COMMON.
if 'config_variable' is enabled (technically: not disabled)
then 'header_option' is set to 'value_enabled' and 'value_disabled' otherwise.
in short:
option|config|enabled|disabled = add option to localoptions.h
!!option|config|enabled|disabled = replace option in sysoptions.h
option := (config) ? enabled : disabled
If you're not sure that option's value doesn't have '|' within - add your recipe
manually right after '$(Build/Configure/dropbear_headers)' and write some words
about your decision.
PS about two exclamation marks:
early idea was to use one exclamation mark to denote such header options
but then i thought single exclamation mark may be overlooked by mistake.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
- add two helper functions to avoid mistakes with
choice of correct header file to work with
- update rules accordingly
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
put static options at first place, then place configurable options.
also put DROPBEAR_ECC right before DROPBEAR_ECC_FULL to ease maintainance.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
this option was disabled in 2011 and these long nine years showed us that change was definitely wrong.
binary size cost is much less than 1k.
tested on ath79/generic:
bin: 215128 -> 215128 (no change)
ipk: 111108 -> 111183 (+75b)
Fixes: 3c801b3dc0 ("tune some more options by default to decrease size")
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
The package has no reason to be in openwrt.git. Move it to packages.git.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Acked-by: Jo-Philipp Wich <jo@mein.io>
The lldpd sources ship a modified local AX_LIB_READLINE M4 macro which
conflicts with the official macro shipped by autoconf-archive.
Due to the official macro having the same name and a higher serial
number, autoconf will prefer including that one instead of the local
copy, preventing the substitution of @READLINE_LIBS@ in Makefile.in
templates, ultimately leading to the following build failure when
linking lldpcli:
...-gcc: error: READLINE_LIBS@: No such file or directory
Avoid this problem by renaming the locally shipped macro to not clash
with the official implementation anymore.
Ref: https://github.com/lldpd/lldpd/pull/423
Acked-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Set legacy_rates to 0 by default to disable 802.11b data rates by default.
The time has long come where 802.11b DSSS/CCK data rates should be disabled
by default in OpenWRT. Users in need of 802.11b client support can reasonably
enable these where they are needed.
The balance of equities has significantly, and for a long time, tipped
such that dropping backwards compatibility by default with 802.11b
devices is appropriate, proportionate and justified. By doing so,
management and control traffic is moved by default to a 20
MHz wide 6 Mb/s OFDM data rate instead of a 22 MHz wide 1 Mb/s DSSS data
rate. This is significantly more airtime efficient.
Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
faed29a dhcpv6: only refresh timers when reconfigure is valid
9c50975 dhcpv6: fix printing identity association id
a7b2221 dhcpv6: avoid sending continuous renew/rebind messages
d7afa2b dhcpv6: add extra syslog info traces
f5728e4 odhcp6c_find_entry: exclude priority from the list of fields that must match
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
d6bd1047d004 vlandev: dump vlan id in device status
e0c838bd06a6 vlandev: support bridge-vlan aliases in the vid config parameter
574dc4a17105 system-dummy: print configured mac address
14f0e8ff928f system-linux: simplify mask check in system_if_apply_settings
524310276f20 system-linux: move device settings handling to device.c
42c48866f1c1 config: parse default mac address from board.json
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This should fix an issue when user have a router with enabled seccomp
and tries to run umdns package which was build with SDK with disabled
seccomp support.
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
Add a cell_density option to configure data rates for normal, high and
very high cell density wireless deployments.
The purpose of using a minimum basic/mandatory data rate that is higher
than 6 Mb/s, or 5.5 Mb/s (802.11b compatible), in high cell density
environments is to transmit broadcast/multicast data frames using less
airtime or to reduce management overheads where significant co-channel
interference (CCI) exists and cannot be avoided.
Caution: Without careful design and validation, configuration of a too
high minimum basic/mandatory data rate can sacrifice connection stability
or disrupt the ability to reliably connect and authenticate for little to
no capacity benefit. This is because this configuration affects the
ability of clients to hear and demodulate management, control and
broadcast/multicast data frames.
Deployments that have not been specifically designed and validated are
usually best suited to use 6, 12 and 24 Mb/s as basic/mandatory data
rates.
Only usually seek to configure a 12 Mb/s, or 11 Mb/s (802.11b
compatible), minimum basic/mandatory rate in high cell density
deployments that have been designed and validated for this.
For many deployments, the minimum basic/mandatory data rate should not be
configured above 12 Mb/s to 18 Mb/s, 24 Mb/s or higher. Such a
configuration is only appropriate for use in very high cell density
deployment scenarios.
A cell_density of Very High (3) should only be used where a deployment
has a valid use case and has been designed and validated specifically for
this use, nearly always with highly directional antennas - an example
would be stadium deployments. For example, with a 24 Mb/s OFDM minimum
basic/mandatory data rate, approximately a -73 dBm RSSI is required to
decode frames. Many clients will not have roamed elsewhere by the time
that they experience -73 dBm and, where they do, they frequently may not
hear and be able to demodulate beacon, control or broadcast/multicast
data frames causing connectivity issues.
There is a myth that disabling lower basic/mandatory data rates will
improve roaming and avoid sticky clients. For 802.11n, 802.11ac and
802.11ax clients this is not correct as clients will shift to and use
lower MCS rates and not to the 802.11b or 802.11g/802.11a rates that are
able to be used as basic/mandatory data rates.
There is a myth that disabling lower basic/mandatory data rates will
ensure that clients only use higher data rates and that better
performance is assured. For 802.11n, 802.11ac and 802.11ax clients this
is not correct as clients will shift around and use MCS rates and not the
802.11b or 802.11g/802.11a rates that able to be used as basic/mandatory
data rates.
Cell Density
0 - Disabled (Default)
Setting cell_density to 0 does not configure data rates. This is the
default.
1 - Normal Cell Density
Setting cell_density to 1 configures the basic/mandatory rates to 6, 12
and 24 Mb/s OFDM rates where legacy_rates is 0. Supported rates lower
than the minimum basic/mandatory rate are not offered.
Setting cell_density to 1 configures the basic/mandatory rates to the 5.5
and 11 Mb/s DSSS rates where legacy_rates is 1. Supported rates lower
than the minimum basic/mandatory rate are not offered.
2 - High Cell Density
Setting the cell_density to 2 configures the basic/mandatory rates to the
12 and 24 Mb/s OFDM rates where legacy_rates is 0. Supported rates lower
than the minimum basic/mandatory rate are not offered.
Setting the cell_density to 2 configures the basic/mandatory rates to the
11 Mb/s DSSS rate where legacy_rates is 1. Supported rates lower than the
minimum basic/mandatory rate are not offered.
3 - Very High Cell Density
Setting the cell_density to 3 configures the basic/mandatory rates to the
24 Mb/s OFDM rate where legacy_rates is 0. Supported rates lower than the
minimum basic/mandatory rate are not offered.
Setting the cell_density to 3 only has effect where legacy_rates is 0,
else this has the same effect as being configured with a cell_density of 2.
Where specified, the basic_rate and supported_rates options continue to
override both the cell_density and legacy_rates options.
Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
Several variables in hostapd.sh can be used uninitialized in numerical
comparisons, causing errors in logread:
netifd: radio24 (1668): sh: out of range
Set defaults for those variables to silence those errors.
Fixes: b518f07d4b ("hostapd: remove ieee80211v option")
Fixes: cc80cf53c5 ("hostapd: add FTM responder support")
Fixes: e66bd0eb04 ("hostapd: make rrm report independent of ieee80211k setting")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This PR backports upstream fix for CVE-2020-8037. This fix is only
relevant for tcpdump package, tcpdump-mini is not affeted by this issue.
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
[added missing commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Setting the plmn to '0' (auto) will implicitly lead to a (delayed)
network re-registration, which could further lead to some timing
related issues in the qmi proto handler.
On the other hand, if you switch back from manual plmn selection
to auto mode you have to set it to '0', because this setting is
permanently "saved" in the wwan module.
Conclusion:
If plmn is configured, check if it's already set euqally in the module.
If so, do nothing. Otherwise set it.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fixes the offset of the patch added in 93bbd998aa
("hostapd: enter DFS state if no available channel is found").
Signed-off-by: Leon M. George <leon@georgemail.eu>
213748a9bcd9 system-linux: implement full device present state management for force-external devices
3abe1fc87151 system-linux: add retry for adding member devices to a bridge
Signed-off-by: Felix Fietkau <nbd@nbd.name>
There already was an option for autoconfiguring IPv4 from QMI but this
was removed by commit 3b9b963e6e ("uqmi: always use DHCP for IPv4").
DHCP does not work on MR400 LTE module (in TL-MR6400 v4) so let's readd
support for IPv4 autoconf from QMI but this time allow to configure this
for IPv4 and IPv6 independently and keep DHCP default on IPv4.
Signed-off-by: Filip Moc <lede@moc6.cz>
Give possibility to wait forever the registration by setting timeout
option to 0.
No timeout can be useful if the interface starts whereas no network is
available, because at the end of timeout the interface will be stopped
and never restarted.
Signed-off-by: Thomas Richard <thomas.richard@kontron.com>
351d690f1a09 wireless: fix passing bridge name for vlan hotplug pass-through
c1c2728946b5 config: initialize bridge and bridge vlans before other devices
5e18d5b9ccb1 interface: do not force link-ext hotplug interfaces to present by default
4544f026bb09 bridge-vlan: add support for defining aliases for vlan ids
Signed-off-by: Felix Fietkau <nbd@nbd.name>
No special changes, just get in sync with recent code.
See here for the changelog:
http://software.es.net/iperf/news.html#iperf-3-9-released
The ipkg sizes changes as follows for mips 24kc :
3.7 : iperf3_3.7-1_mips_24kc.ipk 39675
3.9 : iperf3_3.9-1_mips_24kc.ipk 41586
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This sets the validity interval for the BSS transition candidate
list to the same value as the disassociation timer.
Currently the value is always 0, which is the specification states is a
reserved value. Also, wpa_supplicant and from the looks of it some
Android implementations will outright ignore the candidate list in this
case.
Signed-off-by: David Bauer <mail@david-bauer.net>
* Add support for passing airtime_sta_weight into hostapd configuration.
* Since that commit it is possible to configure station weights. Set higher
value for larger airtime share, lower for smaller share.
I have tested this functionality by modyfing /etc/config/wireless to:
config wifi-device 'radio0'
...
option airtime_mode '1'
config wifi-iface 'default_radio0'
...
list airtime_sta_weight '01:02:03:04:05:06 1024'
Now, when the station associates with the access point it has been assigned
a higher weight value.
root@OpenWrt:~# cat /sys/kernel/debug/ieee80211/phy0/netdev\:wlan0/stations/01\:02\:03\:04\:05\:06/airtime
RX: 12656 us
TX: 10617 us
Weight: 1024
Deficit: VO: -2075 us VI: 256 us BE: -206 us BK: 256 us
[MAC address has been changed into a dummy one.]
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
airtime_mode is always parsed as an empty string since it hasn't been
added into hostapd_common_add_device_config function.
Fixes: e289f183 ("hostapd: add support for per-BSS airtime configuration")
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
This adds a new get_status method to a hostapd interface, which
provides information about the current interface status.
Signed-off-by: David Bauer <mail@david-bauer.net>
This adds information from mac80211 to hostapd get_client ubus function.
This way, TX as well as RX status information as well as the signal can
be determined.
Signed-off-by: David Bauer <mail@david-bauer.net>
procd-seccomp switched to OCI-compliant seccomp parser instead of our
(legacy, OpenWrt-specific) format. Convert ruleset to new format.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
wireguard-tools is trying to import the menuconfig section
from the wireguard package, but since it's not anymore in
the same makefile this seems to fail and wireguard-tools
ends up in "extra packages" category instead with other
odds and ends.
Same for the description, it's trying to import it from the
wireguard package but it fails so it only shows the line
written in this makefile.
remove the broken imports and add manually the entries
and description they were supposed to load
Fixes: ea980fb9c6 ("wireguard: bump to 20191226")
Signed-off-by: Alberto Bursi <bobafetthotmail@gmail.com>
[fix trailing whitespaces, add Fixes]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
