aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services
Commit message (Collapse)AuthorAgeFilesLines
* dnsmasq: Don't add local hostname if ula prefix is not specifiedJo-Philipp Wich2016-01-252-3/+3
| | | | | | | | | | | | Commit 6a7e56b adds support for adding local hostname for own lan ula adress but if ula prefix is not specified results into an invalid config (address=/OpenWrt.lan/1) causing dnsmasq not to start up. Use lanaddr6 when adding local hostname as the lan ula address is constructed based on the UCI parameters ip6hint and ip6ifaceid and thus not always ula prefix suffixed with 1 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> SVN-Revision: 48495
* package/uhttpd: generate 2048 bit RSA keyFelix Fietkau2016-01-252-2/+2
| | | | | | | | | | RSA keys should be generated with sufficient length. Using 1024 bits is considered unsafe. In other packages the used key length is 2048 bits. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> SVN-Revision: 48494
* uhttpd: fix typo in default config for px5gFelix Fietkau2016-01-191-1/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48385
* wpa_supplicant: add support for EAP-TLS phase2Felix Fietkau2016-01-191-2/+12
| | | | | | | | | Introduce config options client_cert2, priv_key2 and priv_key2_pwd used for EAP-TLS phase2 authentication in WPA-EAP client mode. Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 48345
* hostap/wpa_supplicant: enable EAP-FAST in -full buildsFelix Fietkau2016-01-192-0/+6
| | | | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 48344
* uhttpd: add option for mbedtlsFelix Fietkau2016-01-191-0/+4
| | | | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 48343
* wpa_supplicant: improve generating phase2 config line for WPA-EAPFelix Fietkau2016-01-181-2/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | WPA-EAP supports several phase2 (=inner) authentication methods when using EAP-TTLS, EAP-PEAP or EAP-FAST (the latter is added as a first step towards the UCI model supporting EAP-FAST by this commit) The value of the auth config variable was previously expected to be directly parseable as the content of the 'phase2' option of wpa_supplicant. This exposed wpa_supplicant's internals, leaving it to view-level to set the value properly. Unfortunately, this is currently not the case, as LuCI currently allows values like 'PAP', 'CHAP', 'MSCHAPV2'. Users thus probably diverged and set auth to values like 'auth=MSCHAPV2' as a work-around. This behaviour isn't explicitely documented anywhere and is not quite intuitive... The phase2-string is now generated according to $eap_type and $auth, following the scheme also found in hostap's test-cases: http://w1.fi/cgit/hostap/tree/tests/hwsim/test_ap_eap.py The old behaviour is also still supported for the sake of not breaking existing, working configurations. Examples: eap_type auth 'ttls' 'EAP-MSCHAPV2' -> phase2="autheap=MSCHAPV2" 'ttls' 'MSCHAPV2' -> phase2="auth=MSCHAPV2" 'peap' 'EAP-GTC' -> phase2="auth=GTC" Deprecated syntax supported for compatibility: 'ttls' 'autheap=MSCHAPV2' -> phase2="autheap=MSCHAPV2" I will suggest a patch to LuCI adding EAP-MSCHAPV2, EAP-GTC, ... to the list of Authentication methods available. Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 48309
* dnsmasq: Add option --min-portFelix Fietkau2016-01-152-1/+2
| | | | | | | | | | | By default dnsmasq uses random ports for outbound dns queries; when the minport UCI option is specified the ports used will always be larger than the specified value. This is usefull for systems behind firewalls. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> SVN-Revision: 48244
* dropbear: update version to 2015.71Felix Fietkau2016-01-155-10/+10
| | | | | | | | | Update dropbear to version 2015.71, released on 3 Dec 2015. Refresh patches. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi> SVN-Revision: 48243
* dnsmasq: add local hostname record for own lan ula address as wellJo-Philipp Wich2016-01-122-4/+18
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 48214
* hostapd: fix disassociation with FullMAC drivers and multi-BSSRafał Miłecki2016-01-111-0/+67
| | | | | | Signed-off-by: Rafał Miłecki <zajec5@gmail.com> SVN-Revision: 48202
* openvpn: update to version 2.3.10Felix Fietkau2016-01-115-276/+5
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48201
* dropbear: enable curve25519 support by default, increases compressed binary ↵Felix Fietkau2016-01-101-1/+1
| | | | | | | | size by ~5 kb Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48196
* dropbear: split out curve25519 support into a separate config optionFelix Fietkau2016-01-102-4/+19
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48195
* hostapd: fix post v2.4 security issuesFelix Fietkau2016-01-1011-0/+554
| | | | | | | | | | | | | | | | | | | | | | | - WPS: Fix HTTP chunked transfer encoding parser (CVE-2015-4141) - EAP-pwd peer: Fix payload length validation for Commit and Confirm (CVE-2015-4143) - EAP-pwd server: Fix payload length validation for Commit and Confirm (CVE-2015-4143) - EAP-pwd peer: Fix Total-Length parsing for fragment reassembly (CVE-2015-4144, CVE-2015-4145) - EAP-pwd server: Fix Total-Length parsing for fragment reassembly (CVE-2015-4144, CVE-2015-4145) - EAP-pwd peer: Fix asymmetric fragmentation behavior (CVE-2015-4146) - NFC: Fix payload length validation in NDEF record parser (CVE-2015-8041) - WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use (CVE-2015-5310) - EAP-pwd peer: Fix last fragment length validation (CVE-2015-5315) - EAP-pwd server: Fix last fragment length validation (CVE-2015-5314) - EAP-pwd peer: Fix error path for unexpected Confirm message (CVE-2015-5316) Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> SVN-Revision: 48185
* openvpn: added service_triggers() to init scriptFelix Fietkau2016-01-071-0/+4
| | | | | | | | | Follow up of #21469 This patch enables autoreloading openvpn via procd. Signed-off-by: Federico Capoano <nemesis@ninux.org> SVN-Revision: 48150
* samba36: add three CVE patches from 2015-12-16Felix Fietkau2016-01-054-1/+253
| | | | | | | | | This is a patch for CVE-2015-5252, CVE-2015-5296 and CVE-2015-5299. A patchset for these vulnerabilities was published on 16th December 2015. Signed-off-by: Jan Čermák <jan.cermak@nic.cz> SVN-Revision: 48133
* relayd: move to git.openwrt.orgFelix Fietkau2016-01-041-1/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48129
* uhttpd: move to git.openwrt.orgFelix Fietkau2016-01-041-1/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48122
* packages: use OPENWRT_GIT to point at the main openwrt git repoFelix Fietkau2016-01-041-1/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48118
* wpa_supplicant: set regulatory domain the same way as hostapdFelix Fietkau2016-01-031-0/+6
| | | | | | | | | | | | | In sta-only configuration, wpa_supplicant needs correct regulatory domain because otherwise it may skip channel of its AP during scan. Another alternative is to fix "iw reg set" in mac80211 netifd script. Currently it fails if some phy has private regulatory domain which matches configured one. Signed-off-by: Dmitry Ivanov <dima@ubnt.com> SVN-Revision: 48099
* openvpn: fix configure optionsJohn Crispin2015-12-231-2/+1
| | | | | | | | | | | | | | | - eurephia: commit: Remove the --disable-eurephia configure option - fix option name: http proxy option is now called http-proxy (see configure.ac) fixes: configure: WARNING: unrecognized options: --disable-nls, --disable-eurephia, --enable-http Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de> SVN-Revision: 47979
* package/lldpd: Remove extraneous selectJohn Crispin2015-12-231-1/+0
| | | | | | | | | | Only the conditional dependency ought to be required; if build fails with JSON there is some other problem at work. Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com> SVN-Revision: 47976
* dnsmasq: Add option --no-pingJohn Crispin2015-12-231-0/+1
| | | | | | | | | | By default dnsmasq sends an ICMP echo request before allocating an IP address to a host; the uci option noping allows to disable this check. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> SVN-Revision: 47974
* dnsmasq: changed option nonwildcard to --bind-dynamicFelix Fietkau2015-12-191-1/+1
| | | | | | | | | | | | | | | | Changed option nonwildcard from --bind-interfaces into --bind-dynamic. With this, Dnsmasq binds the address of individual interfaces, allowing multiple dnsmasq instances, but if new interfaces or addresses appear, it automatically listens on those. This makes dynamically created interfaces work in the same way as the default, but allows also use of other DNS-servers (like Named) at the same time on diffirent interfaces where Dnsmasq is NOT configured, whereas with --bind-interfaces will still reserve every interface even if not used and thus disallowing use of any other DNS-program even on unused interfaces. Tested-by: Vaasa Hacklab <info@vaasa.hacklab.fi> Signed-off-by: Sami Olmari <sami@olmari.fi> SVN-Revision: 47953
* network/services/lldpd: Fix missing dependency when using JSONJohn Crispin2015-12-171-0/+1
| | | | | | | | | Using the JSON output option depends on json library so add select json-c library when JSON output is selected. Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com> SVN-Revision: 47928
* dnsmasq: Add option "--all-servers"John Crispin2015-12-111-0/+1
| | | | | | | | | Add the option "--all-servers" which forces dnsmasq to send all queries to all servers and then take the first answer. Signed-off-by: Andréas Gustafsson <gurgalof@gmail.com> SVN-Revision: 47857
* lldpd: add STOP=01 param in init scriptFelix Fietkau2015-12-051-1/+2
| | | | | | | | | | This should ensure that lldpd is among the first processes to stop, so that it has time to send the shutdown LLDPU to the other side, before the network goes down. Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com> SVN-Revision: 47786
* wpa-supplicant: Get 802.11s ssid information from option mesh_idJohn Crispin2015-11-241-0/+3
| | | | | | | | | | | | The scripts for authsae and iw use the option mesh_id to get set the "meshid" during a mesh join. But the script for wpad-mesh ignores the option mesh_id and instead uses the option ssid. Unify the mesh configuration and let the wpa_supplicant script also use the mesh_id from the configuration. Signed-off-by: Sven Eckelmann <sven@open-mesh.com> SVN-Revision: 47615
* authsae: Use kbit/s as mcast_rate unit like wpadJohn Crispin2015-11-241-2/+10
| | | | | | | | | | | | | | | The OpenWrt wireless configuration for mcast_rate is defined as Kbit/s when using wpa_supplicant for IBSS/802.11s and iw for unencrypted IBSS/802.11s. But when using authsae, the unit for the same option is redefined as Mbit/s. Better use the same unit for this option independent of the backend which is used. Old values for mcast_rate (< 1000) are still interpreted Mbit/s to avoid problems during upgrades from older versions. Signed-off-by: Sven Eckelmann <sven@open-mesh.com> SVN-Revision: 47614
* authsae: Fix meshid in authsae configJohn Crispin2015-11-241-1/+1
| | | | | | | | | The variable $mesh_id was never defined in authsae_start_interface and thus the option meshid in $authsae_conf_file was always set to "". Signed-off-by: Sven Eckelmann <sven@open-mesh.com> SVN-Revision: 47613
* odhcpd: correctly handle netlink congestion caseSteven Barth2015-11-191-3/+3
| | | | | | | | Thanks to @ktgeek and @willmo for diagnosing Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 47514
* hostapd: Use network_get_device instead of uci_get_stateFelix Fietkau2015-11-113-5/+13
| | | | | | | | This fixes the IAPP functionality. Signed-off-by: Petko Bordjukov <bordjukov@gmail.com> SVN-Revision: 47455
* uhttpd: add support for configuration option ubus_corsLuka Perkov2015-11-101-0/+1
| | | | | | Signed-off-by: Luka Perkov <luka@openwrt.org> SVN-Revision: 47448
* openvpn: enable options consistency check even in the small buildFelix Fietkau2015-11-101-0/+12
| | | | | | | | | Only costs about 3k compressed, but significantly improves handling of configuration mismatch Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 47439
* uhttpd: update to the latest version, adds support for redirect helper scriptsFelix Fietkau2015-11-082-3/+7
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 47419
* lldpd: implement a reload hookFelix Fietkau2015-11-031-1/+18
| | | | | | | | | | | | | | | | | | | Seems the default one is not working as expected. The way that reload should work is that the 'start' service call should return 1 (if lldpd is running) and then a normal restart would be called. However, for lldpd a reload would mean just clearing all custom TLVs (if they're configured) and reloading the configuration. So, this patch adds a reload hook, which would: - 'start' lldpd if it's not running (because we return 1 if not running) - reload configuration if it is running (also previously clearing custom TLVs if present) Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com> SVN-Revision: 47367
* hostapd: add default value to eapol_version (#20641)Felix Fietkau2015-11-021-0/+1
| | | | | | | | | | | | | | r46861 introduced a new option eapol_version to hostapd, but did not provide a default value. When the option value is evaluated, the non-existing value causes errors to the systen log: "netifd: radio0: sh: out of range" Add a no-op default value 0 for eapol_version. Only values 1 or 2 are actually passed on, so 0 will not change the default action in hostapd. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi> SVN-Revision: 47361
* samba: convert init script to procd, add reload supportFelix Fietkau2015-10-301-6/+24
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 47292
* relayd: update to the latest version, fixes some issues found by CoverityFelix Fietkau2015-10-301-2/+2
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 47285
* omcproxy: fix PKG_LICENSE stringJohn Crispin2015-10-261-1/+1
| | | | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 47264
* uhttpd: update to latest git HEADJohn Crispin2015-10-201-2/+2
| | | | | | Signed-off-by: John Crispin <blogic@openwrt.org> SVN-Revision: 47240
* uhttpd: update to latest git revisionJohn Crispin2015-10-192-2/+7
| | | | | | | | adds URL alias support Signed-off-by: John Crispin <blogic@openwrt.org> SVN-Revision: 47206
* cosmetic: remove trailing whitespacesLuka Perkov2015-10-151-1/+1
| | | | | | Signed-off-by: Luka Perkov <luka@openwrt.org> SVN-Revision: 47197
* uhttpd: fix keep-alive bug (#20607, #20661)Jo-Philipp Wich2015-10-072-7/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | The two commits 5162e3b0ee7bd1d0fd6e75e1ca7993a1834b5291 "allow request handlers to disable chunked reponses" and 618493e378e2239f0d30902e47adfa134e649fdc "file: disable chunked encoding for file responses" broke the chunked transfer encoding handling for proc responses in keep-alive connections that followed a file response with http status 204 or 304. The effect of this bug is that cgi responses following a 204 or 304 one where sent neither in chunked encoding nor with a content-length header, causing browsers to stall until the keep alive timeout was reached. Fix the logic flaw by inverting the chunk prevention flag in the client state and by testing the chunked encoding preconditions every time instead of once upon client (re-)initialization. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 47161
* hostapd: wait longer for inactive client probe (empty data frame)Felix Fietkau2015-10-061-0/+11
| | | | | | | | | | | One second is not enough for some devices to ackowledge null data frame which is sent at the end of ap_max_inactivity interval. In particular, this causes severe Wi-Fi instability with Apple iPhone which may take up to 3 seconds to respond. Signed-off-by: Dmitry Ivanov <dima@ubnt.com> SVN-Revision: 47149
* lldpd: wrap procd command args in separate quotesJohn Crispin2015-10-051-3/+3
| | | | | | | | | | | | Seems the match pattern was being adapted from 'eth0' to ' eth0' because of the way I added the procd command args. This did not seem to be a problem when there were multiple interfaces, just on devices with single interfaces for lldpd to listen on. Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com> SVN-Revision: 47136
* openvpn: add handling for route-pre-down optionJohn Crispin2015-10-051-1/+1
| | | | | | | | | OpenVPN 2.3 added a route-pre-down option, to run a command before routes are removed upon disconnection. Signed-off-by: Jeffery To <jeffery.to@gmail.com> SVN-Revision: 47134
* hostapd: check for banned client on association eventRafał Miłecki2015-09-281-0/+26
| | | | | | | | | | | When using FullMAC drivers (e.g. brcmfmac) we don't get mgmt frames so check for banned client in probe request handler won't ever be used. Since cfg80211 provides us info about STA associating let's put a check there. Signed-off-by: Rafał Miłecki <zajec5@gmail.com> SVN-Revision: 47064
* igmpproxy: fix spurious restarts on interface events, pass used netdevs to ↵Felix Fietkau2015-09-261-1/+5
| | | | | | | | procd instead Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 47055