path: root/package/network/services

Commit log (commit message, author, date, files changed, lines removed/added)
* dnsmasq: add logfacility file to jail mounts
  Daniel Golle, 2022-05-01, 1 file, -2/+6
  If logfacility is a path to a file, it needs to be r/w mounted in the sandbox as well for dnsmasq to work.
  Reported-by: @iointerrupt
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
  (cherry picked from commit 2b5fa44f60165d66d74131778df0b64b706887e2)

* hostapd: add ubus link-measurements notifications
  David Bauer, 2022-04-17, 3 files, -0/+43
  Notify external ubus subscribers of received link-measurement reports.
  Signed-off-by: David Bauer <mail@david-bauer.net>
  (cherry picked from commit f6445cfa1acb32676723c49da3e3158b64a4b3d2)

* hostapd: add ubus method for requesting link measurements
  David Bauer, 2022-04-17, 1 file, -0/+65
  Add a ubus method to request link-measurements from connected STAs. In addition to the STA's address, the used and maximum transmit power can be provided by the external process for the link-measurement. If they are not provided, 0 is used as the default value.
  Signed-off-by: David Bauer <mail@david-bauer.net>
  (cherry picked from commit 965aa33a18c76bb2d5a1eeb0cfa01501b08e784a)

* hostapd: add support for enabling link measurements
  David Bauer, 2022-04-17, 1 file, -0/+10
  Allow external processes to enable advertisement of link-measurement RRM capability.
  Signed-off-by: David Bauer <mail@david-bauer.net>
  (cherry picked from commit 2ca5c3da04c3f05a7477ae484768e03d4ca30711)

* dropbear: bump to 2022.82
  Konstantin Demin, 2022-04-10, 9 files, -66/+90
  - update dropbear to latest stable 2022.82; for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
  - use $(AUTORELEASE) in PKG_RELEASE
  - use https for all uris
  - refresh all patches
  - rewrite patches:
    - 100-pubkey_path.patch
    - 130-ssh_ignore_x_args.patch

  binary/pkg size changes:
  - ath79/generic, mips:
    - binary: 215112 -> 219228 (+4116)
    - pkg: 111914 -> 113404 (+1490)
  - ath79/tiny, mips:
    - binary: 172501 -> 172485 (-16)
    - pkg: 89871 -> 90904 (+1033)

  Tested-by: Stijn Segers <foss@volatilesystems.org>
  Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
  (cherry picked from commit 65256aee23a5104eb0c78411fdc73640c0b757ea)

* dnsmasq: add procd interface index tracking
  Valentyn Datsko, 2022-04-10, 1 file, -0/+5
  The problem exists when dnsmasq is exclusively bound to a particular interface. After reconfiguring or restarting this interface, its index changes, but dnsmasq uses the old one. When this problem occurs, dnsmasq does not listen on the correct interface, so DHCP does not work and clients do not get an IP address.

  A procd netdev param can be added to restart dnsmasq when the interface index is changed.

  Signed-off-by: Valentyn Datsko <valikk.d@gmail.com>
  [combined into a single &&-connected statement]
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
  (cherry picked from commit 76f55e3c3f32dea63a385e9b3c8eaed1322089c7)

* hostapd: SAE - Enable hunting-and-pecking and H2E
  Nick Lowe, 2022-02-24, 1 file, -0/+2
  Enable both the hunting-and-pecking loop and hash-to-element mechanisms by default in OpenWRT with SAE.

  Commercial Wi-Fi solutions increasingly frequently now ship with both hunting-and-pecking and hash-to-element (H2E) enabled by default as this is more secure and more performant than offering hunting-and-pecking alone for H2E capable clients.

  The hunting and pecking loop mechanism is inherently fragile and prone to timing-based side channels in its design and is more computationally intensive to perform. Hash-to-element (H2E) is its long-term replacement to address these concerns.

  For clients that only support the hunting-and-pecking loop mechanism, this is still available to use by default. For clients that in addition support, or were to require, the hash-to-element (H2E) mechanism, this is then available for use.

  Signed-off-by: Nick Lowe <nick.lowe@gmail.com>

* hostapd: fallback to psk when generating r0kh/r1kh
  Eneas U de Queiroz, 2022-02-19, 1 file, -4/+4
  The 80211r r0kh and r1kh defaults are generated from the md5sum of "$mobility_domain/$auth_secret". auth_secret is only set when using EAP authentication, but the default key is used for SAE/PSK as well. In this case, auth_secret is empty, and the default value of the key can be computed from the SSID alone.

  Fall back to using $key when auth_secret is empty.

  While at it, rename the variable holding the generated key from 'key' to 'ft_key', to avoid clobbering the PSK.

  Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
  [make ft_key local]
  Signed-off-by: David Bauer <mail@david-bauer.net>

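The derivation described in the commit above, as an added example that is not OpenWrt's hostapd.sh: the pre-fix form hashes only "$mobility_domain/$auth_secret", so on a PSK network (empty auth_secret) every network with that mobility domain, whatever its passphrase, gets the same r0kh/r1kh key; the post-fix form substitutes the PSK when auth_secret is empty. The function names derive_ft_key_old/derive_ft_key_new, the md5_hex helper and the constructed values (mobility domain 4f57, the passphrases) are this example's own; it assumes the script hashes the string without a trailing newline, as `echo -n` would.

```shell
#!/bin/sh
# Added example: 802.11r r0kh/r1kh default-key derivation, before and after
# the auth_secret -> PSK fallback. Not OpenWrt's own hostapd.sh code.

# md5 of stdin as a bare hex string (prefers coreutils, falls back to openssl)
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d ' ' -f 1
    else
        openssl dgst -md5 | sed 's/.*= //'
    fi
}

# Before the fix: the PSK is never part of the input. With auth_secret
# empty (SAE/PSK networks) the result depends on the mobility domain alone.
derive_ft_key_old() {
    mobility_domain="$1"
    auth_secret="$2"
    printf '%s/%s' "$mobility_domain" "$auth_secret" | md5_hex
}

# After the fix: when auth_secret is empty, fall back to the PSK ($key),
# so networks with different passphrases get different FT keys.
derive_ft_key_new() {
    mobility_domain="$1"
    auth_secret="$2"
    key="$3"
    [ -n "$auth_secret" ] || auth_secret="$key"
    printf '%s/%s' "$mobility_domain" "$auth_secret" | md5_hex
}

# Demonstration on constructed values: two PSK networks sharing mobility
# domain 4f57. The old derivation yields the same key for both, the new
# one does not, and EAP networks (auth_secret set) are unaffected.
echo "old, PSK A: $(derive_ft_key_old 4f57 '')"
echo "old, PSK B: $(derive_ft_key_old 4f57 '')"
echo "new, PSK A: $(derive_ft_key_new 4f57 '' 'correct horse battery')"
echo "new, PSK B: $(derive_ft_key_new 4f57 '' 'staple bulb trombone')"
echo "new, EAP:   $(derive_ft_key_new 4f57 'radius-shared-secret' 'ignored')"
```

A quick way to confirm an existing deployment is affected is to compare the r0kh/r1kh lines hostapd was started with across two PSK networks that share a mobility domain: identical values mean the key came from the domain alone.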
* hostapd: add STA extended capabilities to get_clients
  David Bauer, 2022-02-19, 1 file, -0/+10
  Add the STA's extended capabilities to the ubus STA information. This way, external daemons can be made aware of a STA's capabilities.

  This field is of an array type and contains 0 or more bytes of a STA's advertised extended capabilities.

  Signed-off-by: David Bauer <mail@david-bauer.net>

* hostapd: refresh patches
  David Bauer, 2022-02-08, 30 files, -132/+132
  Refresh patches after updating to hostapd v2.10.
  Signed-off-by: David Bauer <mail@david-bauer.net>

* hostapd: update to v2.10
  David Bauer, 2022-02-08, 9 files, -447/+57
  Upstreamed patches:
  - 020-mesh-make-forwarding-configurable.patch
    e6db1bc5da3fd7d5f4dba24aa102543b4749912f
  - 550-WNM-allow-specifying-dialog-token.patch
    979f19716539362f8ce60a77bf1b88fdcf5ba8e5
  - 720-ACS-fix-channel-100-frequency.patch
    2341585c349231af00cdef8d51458df01bc6965f
  - 741-proxyarp-fix-compilation-with-Hotspot-2.0-disabled.patch
    08bdf4f90de61a84ed8f4dd918272dd9d36e2e1f

  Compile-tested: wpad-wolfssl hostapd-openssl
  Run-tested: ath79-generic

  Signed-off-by: David Bauer <mail@david-bauer.net>
  Tested-by: Stijn Tintel <stijn@linux-ipv6.be>

* hostapd: automatically calculate channel center freq on chan_switch
  Felix Fietkau, 2022-02-07, 1 file, -0/+34
  Simplifies switching to different channels when on >= VHT80
  Signed-off-by: Felix Fietkau <nbd@nbd.name>

* uhttpd: update to latest Git HEAD
  Jo-Philipp Wich, 2022-02-07, 3 files, -9/+56
  2f8b136 main: fix leaking -p/-s argument values
  881fd3b ucode: adjust to latest ucode api
  8b2868e file: specify UTF-8 as charset for dirlists, add option to override
  3a5bd84 main: add ucode options to help text
  16aa142 examples: add ucode handler example
  3ceccd0 ucode: add ucode plugin support
  f0f1406 examples: add example Lua handler script
  9e87095 listen: avoid invalid memory access

  Signed-off-by: Jo-Philipp Wich <jo@mein.io>

* hostapd: add op-class to get_status output
  David Bauer, 2022-01-14, 1 file, -2/+9
  Include the current operation class in the hostapd get_status interface.
  Signed-off-by: David Bauer <mail@david-bauer.net>

* hostapd: refresh patchset
  Nick Hainke, 2021-12-31, 4 files, -11/+11
  Recently hostapd has undergone many changes. The patches were not refreshed.

  Refreshed with make package/hostapd/{clean,refresh}

  Refreshed:
  - 380-disable_ctrl_iface_mib.patch
  - 600-ubus_support.patch
  - 700-wifi-reload.patch
  - 720-iface_max_num_sta.patch

  Signed-off-by: Nick Hainke <vincent@systemli.org>

* hostapd: add fallback for WPS on stations
  Raphaël Mélotte, 2021-12-27, 1 file, -7/+14
  Up to now the WPS script triggered WPS on the stations only if it could not trigger it successfully on any hostapd instance.

  In a Multi-AP context, there can be a need (to establish a new wireless backhaul link) to trigger WPS on the stations, regardless of whether there is already a hostapd instance configured or not. The current script makes it impossible, as if hostapd is running and configured, WPS would always be triggered on hostapd only.

  To allow both possibilities, the following changes are made:
  - Change the "pressed" action to "release", so that we can make use of the "$SEEN" variables (to know for how long the button was pressed).
  - If the button is pressed for less than 3 seconds, keep the original behavior.
  - If the button is pressed for 3 seconds or more, trigger WPS on the stations, regardless of the status of any running hostapd instance.
  - Add comments explaining both behaviors.
  - While at it, replace the usage of '-a' with a '[] && []' construct (see [1]).

  This gives users a "fallback" mechanism to onboard a device to a Multi-AP network, even if the device already has a configured hostapd instance running.

  [1]: https://github.com/koalaman/shellcheck/wiki/SC2166

  Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>

* hostapd: add missing function declaration
  David Bauer, 2021-12-27, 1 file, -0/+10
  Signed-off-by: David Bauer <mail@david-bauer.net>

* hostapd: only attempt to set qos map if supported by the driver
  Felix Fietkau, 2021-12-23, 1 file, -0/+12
  Fixes issues with brcmfmac
  Signed-off-by: Felix Fietkau <nbd@nbd.name>

* hostapd: keep HE capability after channel switch in AP+STA/Mesh
  Arnout Vandecappelle (Essensium/Mind), 2021-12-21, 1 file, -1/+2
  The auto-ht option already kept HT and VHT support, but wasn't updated to support HE (11ax).
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

* hostapd: make OpenWrt statistics per-BSS
  David Bauer, 2021-12-20, 2 files, -20/+20
  WNM and RRM statistics were incorrectly per-PHY, leading to shared statistic counters per BSS.
  Signed-off-by: David Bauer <mail@david-bauer.net>

* hostapd: provide BSS-transition-queries to ubus subscribers
  David Bauer, 2021-12-20, 2 files, -10/+69
  Provide incoming BSS transition queries to ubus subscribers. This allows external steering daemons to provide clients with an optimal list of transition candidates.

  This commit has no functional state in case no ubus subscriber is present or it does not handle this ubus message.

  To prevent hostapd from sending out a generic response by itself, a subscribing daemon has to return a non-zero response code to hostapd.

  Signed-off-by: David Bauer <mail@david-bauer.net>

* hostapd: WNM: allow specifying dialog-token
  David Bauer, 2021-12-20, 2 files, -4/+110
  Backport a patch to allow extending the ubus BSS-transition method for specifying individual dialog tokens for BSS transition management requests.

  This is required for handling BSS transition queries in the future.

  Signed-off-by: David Bauer <mail@david-bauer.net>

* hostapd: close correct blobmsg table
  David Bauer, 2021-12-16, 1 file, -1/+1
  Signed-off-by: David Bauer <mail@david-bauer.net>

* hostapd: add OpenWrt specific statistic counters
  David Bauer, 2021-12-15, 2 files, -1/+105
  This adds a new struct for storing statistics not (yet) tracked by hostapd regarding RRM and WNM activity.

  These statistics can be read using the get_status hostapd interface ubus method.

  Signed-off-by: David Bauer <mail@david-bauer.net>

* hostapd: add support for specifying the FILS DHCP server
  Felix Fietkau, 2021-12-10, 3 files, -1/+18
  The 'fils_dhcp' option can be set to '*' in order to autodetect the DHCP server.
  For proto=dhcp networks, the discovered dhcp server will be used.
  For all other networks, udhcpc is called to discover the address.
  Signed-off-by: Felix Fietkau <nbd@nbd.name>

* hostapd: add support for enabling FILS on AP and client interfaces
  Felix Fietkau, 2021-12-10, 1 file, -4/+37
  This is only supported with WPA-enterprise
  Signed-off-by: Felix Fietkau <nbd@nbd.name>

* hostapd: enable FILS support in the full config and add build feature discovery
  Felix Fietkau, 2021-12-10, 9 files, -18/+42
  Signed-off-by: Felix Fietkau <nbd@nbd.name>

* hostapd: make hostapd/supplicant/wpad packages depend on a specific version of hostapd-common
  Felix Fietkau, 2021-12-01, 1 file, -0/+3
  This avoids potential version mismatch between packages when upgraded individually
  Signed-off-by: Felix Fietkau <nbd@nbd.name>

* hostapd: add beacon_interval to get_status ubus output
  David Bauer, 2021-11-25, 1 file, -0/+1
  Add the beacon interval to hostapd status output. This allows external services to discover the beacon interval for a specific VAP.

  This way, external wireless management daemons can correctly calculate fields containing TBTT value from absolute time-values.

  Signed-off-by: David Bauer <mail@david-bauer.net>

* hostapd: add a patch that allows processing auth requests for peers in blocked state
  Felix Fietkau, 2021-11-24, 3 files, -6/+40
  If authentication fails repeatedly e.g. because of a weak signal, the link can end up in blocked state. If one of the nodes tries to establish a link again before it is unblocked on the other side, it will block the link to that other side. The same happens on the other side when it unblocks the link. In that scenario, the link never recovers on its own.

  To fix this, allow restarting authentication even if the link is in blocked state, but don't initiate the attempt until the blocked period is over.

  Signed-off-by: Felix Fietkau <nbd@nbd.name>

* hostapd: allow hostapd under ujail to communicate with hostapd_cli
  Mark Mentovai, 2021-11-23, 1 file, -0/+33
  When procd-ujail is available, 1f785383875a runs hostapd as user "network", with only limited additional capabilities (CAP_NET_ADMIN and CAP_NET_RAW).

  hostapd_cli (CONFIG_PACKAGE_hostapd-utils) communicates with hostapd over a named UNIX-domain socket. hostapd_cli is responsible for creating this socket at /tmp/wpa_ctrl_$pid_$counter. Since it typically runs as root, this endpoint is normally created with uid root, gid root, mode 0755. As a result, hostapd running as uid network is able to receive control messages sent through this interface, but is not able to respond to them. If debug-level logging is enabled (CONFIG_WPA_MSG_MIN_PRIORITY <= 2 at build, and log_level <= 2 in /etc/config/wireless wifi-device), this message will appear from hostapd:

    CTRL: sendto failed: Permission denied

  As a fix, hostapd_cli should create the socket node in the filesystem with uid network, gid network, mode 0770. This borrows the presently Android-only strategy already in hostapd intended to solve the same problem on Android.

  If procd-ujail is not available and hostapd falls back to running as root, it will still be able to read from and write to the socket even if the node in the filesystem has been restricted to the network user and group.

  This matches the logic in package/network/services/hostapd/files/wpad.init, which sets the uid and gid of /var/run/hostapd to network regardless of whether procd-ujail is available.

  As it appears that the "network" user and group are statically allocated uid 101 and gid 101, respectively, per package/base-files/files/etc/passwd and USERID in package/network/services/hostapd/Makefile, this patch also uses a constant 101 for the uid and gid.

  Signed-off-by: Mark Mentovai <mark@moxienet.com>
  [refreshed patch]
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>

* dnsmasq: fix ismounted check
  Oldřich Jedlička, 2021-11-23, 1 file, -2/+2
  Fix the return value, shell return codes should be 0 to indicate success (i.e. mount point found), 1 should be failure (i.e. mount point not-found).

  Fixes: ac4e8aa ("dnsmasq: fix more dnsmasq jail issues")
  Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>

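An ismounted helper with the return-code convention the commit above describes (0 when the mount point is found, 1 when it is not), as an added example rather than the dnsmasq init script's own code. The function name, its optional second argument (a mount table file, defaulting to /proc/mounts, so the check can be exercised against a constructed table) and the sample mount table are this example's; the table's lines are made up and not from a real device.

```shell
#!/bin/sh
# Added example: mount-point check with shell-style return codes.
# Not the dnsmasq init script's own implementation.

# ismounted <mountpoint> [mount-table-file]
# Returns 0 if <mountpoint> appears as the second field of a line in the
# mount table (the /proc/mounts layout: device mountpoint fstype options
# dump pass), 1 otherwise. Reading the table file avoids forking mount(8).
ismounted() {
    mp="$1"
    table="${2:-/proc/mounts}"
    while read -r _dev mountpoint _rest; do
        [ "$mountpoint" = "$mp" ] && return 0
    done < "$table"
    return 1
}

# Constructed sample mount table (not a real device's /proc/mounts).
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/root / squashfs ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noatime 0 0
/dev/mtdblock6 /overlay jffs2 rw,noatime 0 0
EOF

# Typical init-script shape: only mount when the check fails, and let the
# check's exit status drive the if, which is why 0 must mean "found".
mount_if_needed() {
    if ismounted "$1" "$SAMPLE_MOUNTS"; then
        echo "already mounted: $1"
    else
        echo "would mount: $1"
    fi
}

mount_if_needed /overlay
mount_if_needed /var/run
```

Paths containing spaces appear in /proc/mounts with octal escapes (\040), so a caller comparing such a path would need to escape it the same way; the example compares the field verbatim, which is what the plain-ASCII paths an init script mounts need.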
* hostapd: fix use after free bugs
  David Bauer, 2021-11-19, 1 file, -6/+6
  Using a pointer one lifter after it is freed is not the best idea. Let's not do that.
  Signed-off-by: David Bauer <mail@david-bauer.net>

* hostapd: set VARIANT=* for wpa-cli, hostapd-utils
  Eneas U de Queiroz, 2021-11-15, 1 file, -0/+2
  19aae94 [build: avoid rebuilds of unset VARIANT packages] builds packages defined without a VARIANT only once, using the first VARIANT defined in the Makefile.

  This caused problems with wpa-cli, as it is only built for variants that include supplicant support, and the first VARIANT defined may not build it. The same happens to hostapd-utils, which is not built for supplicant-only variants.

  To circumvent this, set VARIANT=* for both packages so that they get built for every defined variant. This should not cause spurious rebuilds, since they are not a dependency of any other package defined in this Makefile.

  Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>

* lldpd: add reload trigger
  Stijn Tintel, 2021-11-14, 2 files, -1/+5
  This is needed to reload the service when calling reload_config, if the UCI config has changed.
  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

* lldpd: consolidate procd command lines
  Stijn Tintel, 2021-11-14, 2 files, -3/+2
  There is no need to have multiple lines for this.
  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

* lldpd: bump to 1.0.13
  Stijn Tintel, 2021-11-14, 1 file, -2/+2
  Fixes CVE-2021-43612.
  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

* dnsmasq: fix the dynamic dns object names patch
  Rui Salvaterra, 2021-11-12, 1 file, -7/+7
  We can't use booleans, since we're not including stdbool.h. Use integers instead.

  Fixes: 0b79e7c01e ("dnsmasq: generate the dns object name dynamically")
  Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>

* dnsmasq: add ubus acl to allow calls to hotplug.tftp object
  Daniel Golle, 2021-11-12, 1 file, -0/+3
  dnsmasq may call hotplug.dhcp, hotplug.neigh and hotplug.tftp. Only the first two callees were listed in the ACL, so add missing hotplug.tftp.
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>

* dnsmasq: generate the dns object name dynamically
  Felix Fietkau, 2021-11-10, 1 file, -5/+17
  Fixes an issue with running multiple dnsmasq instances
  Signed-off-by: Felix Fietkau <nbd@nbd.name>

* dnsmasq: add match_tag for --dhcp-host
  Paul Fertser, 2021-11-09, 1 file, -3/+8
  A set of tags can be specified for --dhcp-host option to restrict the assignment to the requests which match all the tags.

  Example usage:

    config vendorclass
        option networkid 'udhcp'
        option vendorclass 'udhcp'

    config host
        option mac '*:*:*:*:*:*'
        list match_tag 'switch.10'
        list match_tag 'udhcp'
        option ip '192.168.25.10'

  Signed-off-by: Paul Fertser <fercerpav@gmail.com>

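What the UCI sections above turn into on the dnsmasq side, as an added example that is not the dnsmasq init script's own code: a vendorclass section becomes a dhcp-vendorclass line that sets a tag on matching requests, and each match_tag on a host section becomes a tag: restriction on its dhcp-host line, so the static lease is only handed out when every tag is present. The helper names dhcp_vendorclass_line and dhcp_host_line are this example's; the option syntax they emit follows dnsmasq's documented forms dhcp-vendorclass=set:<tag>,<vendor-class> and dhcp-host=<hwaddr>[,tag:<tag>]...[,<ipaddr>].

```shell
#!/bin/sh
# Added example: render dnsmasq config lines for the set:/tag: pairing
# shown in the commit above. Not OpenWrt's dnsmasq.init code.

# dhcp_vendorclass_line <networkid> <vendorclass>
# A request whose vendor-class option matches <vendorclass> gets the tag
# <networkid> set on it.
dhcp_vendorclass_line() {
    echo "dhcp-vendorclass=set:$1,$2"
}

# dhcp_host_line <mac> <ip> [tag ...]
# Every tag becomes a tag:<tag> restriction; dnsmasq applies the host
# entry only to requests carrying all of them. An empty <ip> is allowed
# (the entry can still be used purely for tagging).
dhcp_host_line() {
    mac="$1"
    ip="$2"
    shift 2
    line="dhcp-host=$mac"
    for tag in "$@"; do
        line="$line,tag:$tag"
    done
    [ -n "$ip" ] && line="$line,$ip"
    echo "$line"
}

# render_example: the two UCI sections from the commit message rendered
# as dnsmasq options, one per line.
render_example() {
    dhcp_vendorclass_line udhcp udhcp
    dhcp_host_line '*:*:*:*:*:*' 192.168.25.10 switch.10 udhcp
}

render_example
```

The wildcard MAC '*:*:*:*:*:*' means the entry is selected by the tags alone: here any client that both announced vendor class udhcp and already carries the switch.10 tag (set elsewhere, e.g. by a per-interface or relay rule) is offered 192.168.25.10, while a client matching only one of the two tags falls through to the normal pool.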
* dnsmasq: add support for monitoring and modifying dns lookup results via ubus
  Felix Fietkau, 2021-11-08, 1 file, -0/+270
  The monitoring functionality will be used for dns rule support in qosify
  Signed-off-by: Felix Fietkau <nbd@nbd.name>

* omcproxy: bump to git HEAD
  Stijn Tintel, 2021-11-04, 1 file, -3/+3
  bfba2aa groups: use uloop_timeout_remaining64
  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

* hostapd: support qos_map_set without CONFIG_INTERWORKING
  Felix Fietkau, 2021-11-04, 1 file, -0/+112
  This feature is useful on its own even without full interworking support
  Signed-off-by: Felix Fietkau <nbd@nbd.name>

* hostapd: add wmm qos map set by default
  Felix Fietkau, 2021-11-03, 1 file, -1/+6
  This implements the mapping recommendations from RFC8325, with an update from RFC8622. This ensures that DSCP marked packets are properly sorted into WMM classes.

  The map can be disabled by setting iw_qos_map_set to something invalid like 'none'

  Signed-off-by: Felix Fietkau <nbd@nbd.name>

* hostapd: avoid unnecessary package rebuilds
  Eneas U de Queiroz, 2021-11-01, 1 file, -1/+3
  Package hostapd-common is a dependency of every other package defined in the hostapd Makefile. It is currently built next to the bottom of that Makefile's package list.

  If you run make back to back, then check-compile will compare the hostapd-common timestamp to the variant being compiled, to decide if the variant needs to be rebuilt or not. Since the hostapd-conf package is built towards the end of the list, it will be newer than most of the variants, causing unnecessary package rebuilds.

  Move it to the top, so that its timestamp will be older than dependent packages, avoiding unnecessary rebuild of every selected variant.

  Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>

* dnsmasq: fix jail mount in case of ignore_hosts_dir being set
  Daniel Golle, 2021-11-01, 1 file, -3/+2
  Commit a2fcd3900c ("dnsmasq: improve init script") broke the existing handling for hosts_dir. Remove the redundant mount again to fix it.

  Reported-by: Hartmut Birr <e9hack@gmail.com>
  Fixes: a2fcd3900c ("dnsmasq: improve init script")
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>

* dnsmasq: improve init script
  Daniel Golle, 2021-10-31, 1 file, -1/+4
  * fix restart in LuCI (inherited umask was too restrictive)
  * make directory of hosts-file (!= /tmp) accessible in ujail

  Reported-by: Hannu Nyman <hannu.nyman@iki.fi>
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>

* dropbear: add config options for agent-forwarding support
  Sven Roederer, 2021-10-30, 2 files, -1/+13
  * SSH agent forwarding might cause security issues, locally and on the jump machine (https://defn.io/2019/04/12/ssh-forwarding/). So allow completely disabling it.
  * separate options for client and server
  * keep it enabled by default

  Signed-off-by: Sven Roederer <devel-sven@geroedel.de>

* umdns: add missing syscall to seccomp filter
  Michael Peleshenko, 2021-10-27, 1 file, -0/+1
  The 'madvise' syscall is missing. Found with 'utrace /usr/sbin/umdns' on an R7800 and RT3200.
  Signed-off-by: Michael Peleshenko <mpeleshenko@gmail.com>