path: root/package/network/services
Commit message | Author | Age | Files | Lines
* dnsmasq: Specify directory /tmp/hosts as argument for --addn-hosts | Hans Dedecker | 2016-12-13 | 2 | -2/+2

  Let dnsmasq read all hosts files in /tmp/hosts directory by specifying /tmp/hosts as argument of --addn-host

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* openvpn: quote parameters to --push in openvpn config file | Magnus Kroken | 2016-12-12 | 1 | -1/+2

  OpenVPN requires arguments to --push to be enclosed in double quotes. One set of quotes is stripped when the UCI config is parsed. Change append_params() of openvpn.init to enclose push parameters in double quotes.

  Unquoted push parameters do not cause errors in OpenVPN 2.3, but OpenVPN 2.4 fails to start with unquoted push parameters.

  Fixes: FS#290.

  Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* dnsmasq: Fix splitting hostid for DHCPv6 static leases | Arjen de Korte | 2016-12-06 | 1 | -1/+1

  Correct splitting the 32-bit 'hostid' value to two 16-bit hexadecimal values. Previously, the lower 16-bit value was truncated to an 8-bit value, which would result in hostid values 100 and 200 both being set to [::0:0] instead of [::0:100] and [::0:200] respectively.

  Signed-off-by: Arjen de Korte <build+lede@de-korte.org>
* dnsmasq: reload config if host name is modified | Florian Eckert | 2016-12-04 | 1 | -1/+2

  If the hostname in /etc/config/system is modified, dnsmasq will not reread the updated host file under /tmp/hosts/dhcp.$cfg.

  Signed-off-by: Florian Eckert <Eckert.Florian@googlemail.com>
* ppp: Split the ppp-up for the IPv6 part | Pierre Lebleu | 2016-12-04 | 4 | -12/+29

  Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
* odhcpd: update to latest git HEAD | John Crispin | 2016-11-21 | 1 | -2/+2

  Signed-off-by: John Crispin <john@phrozen.org>
* odhcpd: update to latest git HEAD | John Crispin | 2016-11-21 | 1 | -4/+4

  Signed-off-by: John Crispin <john@phrozen.org>
* openvpn: update to 2.3.13 | Magnus Kroken | 2016-11-21 | 1 | -2/+2

  Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13

  Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* hostapd: fix PKG_CONFIG_DEPENDS for CONFIG_WPA_SUPPLICANT_* | Matthias Schiffer | 2016-11-16 | 1 | -1/+1

  These symbols don't affect wpa-supplicant only, but also wpad.

  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* odhcpd: Add reload support | Hans Dedecker | 2016-11-14 | 2 | -1/+5

  odhcpd daemon has hitless config reload support by means of the sighup signal; add reload_service function which uses sighup signal to reload the config.

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: Support add-mac option | Hans Dedecker | 2016-11-08 | 2 | -1/+7

  Adds the mac address of the DNS requestor to DNS queries which are forwarded upstream and can be used to do filtering by the upstream servers. This only works if the requestor is on the same subnet as the dnsmasq server.

  The addmac parameter can hold the following values:

    0      : mac address is not added
    1      : mac address is added in binary format
    base64 : mac address is added base64 encoded
    text   : mac address is added in human readable format as hex and colons

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: support log-dhcp option | Karl Palsson | 2016-11-02 | 1 | -0/+1

  Helpful when trying to resolve issues with quirky dhcp client devices.

  Signed-off-by: Karl Palsson <karlp@etactica.com>
* hostapd: properly package wpa-supplicant-mesh | Alexis Green | 2016-10-31 | 1 | -1/+2

  Ensure that selecting the wpa-supplicant-mesh package actually packages the wpa_supplicant binary with SAE support and add missing dependency on OpenSSL.

  Signed-off-by: Alexis Green <alexis@cessp.it>
  [Jo-Philipp Wich: slightly reword commit message for clarity]
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd support for VLANs through a file in addition to Radius. | Petr Konecny | 2016-10-31 | 1 | -18/+25

  Signed-off-by: Petr Konecny <pekon@google.com>
* uhttpd: Add Basic Auth config | Daniel Dickinson | 2016-10-31 | 2 | -1/+38

  We add an 'httpauth' section type that contains the options:

    prefix:   What virtual or real URL is being protected
    username: The username for the Basic Auth dialogue
    password: Hashed (crypt()) or plaintext password for the Basic Auth dialogue

  httpauth section names are included as list items in the instances to which they are to be applied.

  Further, any existing httpd.conf file (really whatever is configured in the instance, but default of /etc/httpd.conf) is appended to the per-instance httpd.conf.

  Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
* lldpd: freeze execution of lldpd during reload | Alexandru Ardelean | 2016-10-31 | 1 | -1/+5

  During reload, we could send invalid information to the other side and confuse it. That's why, during reload we'll pause execution, do the reconfig and resume + update when reload is done.

  Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* lldpd: fix reload function for when interfaces change | Alexandru Ardelean | 2016-10-31 | 2 | -20/+44

  The problem is that interfaces are specified at start as command line arguments, making them unchangeable via reload. That means, we have to move (since lldpd allows this) the interfaces-match-pattern option to be in a config file and reload the configuration. It's either that, or do a 'restart'.

  Since we're generating the lldpd.conf file, we'll have to move the 'sysconfdir' of lldpd to /tmp, where the files will get written; this will prevent any unnecessary flash writes.

  Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* openvpn: cacert does not exist | John Crispin | 2016-10-27 | 1 | -2/+2

  cacert is really called ca and already in the script.

  Signed-off-by: John Crispin <john@phrozen.org>
* openvpn: add handling for capath and cafile | John Crispin | 2016-10-27 | 1 | -1/+1

  Signed-off-by: John Crispin <john@phrozen.org>
* dnsmasq: Multiple dnsmasq instances support | Hans Dedecker | 2016-10-26 | 1 | -185/+270

  Adds support in uci for configuring multiple dnsmasq instances via multiple dnsmasq sections. The uci sections host, boot, mac, tag, vendorclass, userclass, circuitid, ... will refer to a dnsmasq instance via the instance parameter defined in the section; if the instance parameter is not specified backwards compatibility is preserved.

  Start/Stopping a dnsmasq instance can be achieved by passing the dnsmasq instance name as argument to start/stop via the init script.

  Multiple dnsmasq instances are useful in scenarios where you want to bind a dnsmasq instance to an interface in order to isolate networks.

  This patch is a rework of a multiple dnsmasq instance patch by Daniel Dickinson.

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* uhttpd: create self-signed certificates with unique subjects | Hannu Nyman | 2016-10-26 | 1 | -1/+2

  Add a partially random O= item to the certificate subject in order to make the automatically generated certificates' subjects unique.

  Firefox has problems when several self-signed certificates with CA:true attribute and identical subjects have been seen (and stored) by the browser.

  Reference to upstream bugs:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1147544
    https://bugzilla.mozilla.org/show_bug.cgi?id=1056341
    https://bugzilla.redhat.com/show_bug.cgi?id=1204670#c34

  Certificates created by the OpenSSL one-liner fall into that category.

  Avoid identical certificate subjects by including a new 'O=' item with CommonName + a random part (8 chars).

  Example: /CN=LEDE/O=LEDEb986be0b/L=Unknown/ST=Somewhere/C=ZZ

  That ensures that the browser properly sees the accumulating certificates as separate items and does not spend time trying to form a trust chain from them.

  Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
* uhttpd: prefer px5g for certificate creation | Hannu Nyman | 2016-10-26 | 1 | -2/+2

  Prefer the old default 'px5g' for certificate creation as Firefox seems to dislike OpenSSL-created certs.

  Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
* uhttpd: fix handling of special "/" prefix when matching handlers | Jo-Philipp Wich | 2016-10-25 | 1 | -3/+3

  The special prefix of "/" should match any url by definition but the final assertion which ensures that the matched prefix ends in '\0' or '/' is causing matches against the "/" prefix to fail.

  Update to current HEAD in order to fix this particular case.

  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* network/services/ead: drop Build/Prepare rule in favor of default one | Alexandru Ardelean | 2016-10-15 | 1 | -5/+0

  Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* network/services/hostapd: move whole files outside of patches and drop Build/Prepare rule in favor of default one | Alexandru Ardelean | 2016-10-15 | 5 | -640/+631

  This is more of a demo for the previous commit that comes with this one, where I added support for copying source from 'src' to the build dir(s).

  Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* package/network/services/lldpd: Update to 0.9.5 | Daniel Engberg | 2016-10-15 | 1 | -2/+2

  Updates lldpd to 0.9.5

  Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* odhcpd: Upstep to git HEAD version | Hans Dedecker | 2016-10-13 | 1 | -3/+3

  Adds per-host leasetime support

  Various bugfixes:
    - Prioritize ifname resolving via ubus
    - Free interface if ifindex cannot be resolved
    - ...

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
  Signed-off-by: Felix Fietkau <nbd@nbd.name> [update mirror sha256]
* uhttpd: update to the latest version, adds a small json handler fix | Felix Fietkau | 2016-10-08 | 1 | -3/+3

  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* source: Switch to xz for packages and tools where possible | Daniel Engberg | 2016-10-06 | 9 | -10/+18

  * Change git packages to xz
  * Update mirror checksums in packages where they are used
  * Change a few source tarballs to xz if available upstream
  * Remove unused lines in packages we're touching, requested by jow- and blogic
  * We're relying more on xz-utils so add official mirror as primary source, master site as secondary.
  * Add SHA256 checksums to multiple git tarball packages

  Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* uhttpd: rename certificate defaults section | Jo-Philipp Wich | 2016-10-06 | 1 | -2/+2

  Now that the uhttpd init script can generate certificates using openssl as well, update the section name and related comment to be more generic.

  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: make -mesh and -p2p variants depend on the cfg80211 symbol | Felix Fietkau | 2016-10-05 | 1 | -3/+3

  Avoids build failures when the nl80211 driver is disabled

  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* uhttpd: support using OpenSSL for certificate generation | Hannu Nyman | 2016-10-05 | 2 | -3/+8

  Support the usage of the OpenSSL command-line tool for generating the SSL certificate for uhttpd. Traditionally 'px5g' based on PolarSSL (or mbedTLS in LEDE), has been used for the creation.

  uhttpd init script is enhanced by adding detection of an installed openssl command-line binary (provided by 'openssl-util' package), and if found, the tool is used for certificate generation.

  Note: After this patch the script prefers to use the OpenSSL tool if both it and px5g are installed.

  This enables creating a truly OpenSSL-only version of LuCI without a dependency on PolarSSL/mbedTLS based px5g.

  Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
* config: enable shadow passwords unconditionally | Matthias Schiffer | 2016-09-26 | 1 | -1/+0

  Configurations without shadow passwords have been broken since the removal of telnet: as the default entry in /etc/passwd is not empty (but rather unset), there will be no way to log onto such a system by default.

  As disabling shadow passwords is not useful anyways, remove this configuration option. The config symbol is kept (for a while), as packages from feeds depend on it.

  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* dnsmasq: Add match section support | Hans Dedecker | 2016-09-19 | 1 | -0/+17

  Match sections allow setting a tag specified by the option networkid if the client sends an option and optionally the option value specified by the match option. The force option will convert the dhcp-option to force-dhcp-option if set to 1 in the dnsmasq config if options are specified in the dhcp_option option.

    config match
        option networkid tag
        option match 12,myhost
        option force 1
        list dhcp_option '3,192.168.1.1'

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: fix regression breaking brcmfmac | Rafał Miłecki | 2016-09-13 | 4 | -7/+46

  The latest update of hostapd broke brcmfmac due to upstream regression.

  Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* dnsmasq: make NO_ID optional in full variant | Kevin Darbyshire-Bryant | 2016-09-10 | 1 | -5/+10

  Permit users of the full variant to disable the NO_ID *.bind pseudo domain masking. Defaulted 'on' in all variants.

  Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* dropbear: hide dropbear version | Kevin Darbyshire-Bryant | 2016-09-10 | 1 | -0/+4

  As a security precaution and to limit the attack surface based on the version reported by tools like nmap, mask out the dropbear version so the version is not visible anymore by snooping on the wire. Version is still visible by 'dropbear -V'.

  Based on a patch by Hans Dedecker <dedeckeh@gmail.com>

  Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
  Signed-off-by: Felix Fietkau <nbd@nbd.name> [remove trailing _]
* dnsmasq: Don't expose *.bind data incl version | Kevin Darbyshire-Bryant | 2016-09-08 | 2 | -1/+150

  Don't expose dnsmasq version & other data to clients via the *.bind pseudo domain. This uses a new 'NO_ID' compile time option which has been discussed and submitted upstream.

  This is an alternate to replacing version with 'unknown' which affects the version reported to syslog and 'dnsmasq --version'.

  Run time tested with & without NO_ID on Archer C7 v2.

  Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* hostapd: update to version 2016-09-05 | Felix Fietkau | 2016-09-08 | 23 | -198/+98

  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* dnsmasq: fix remove pidfile on shutdown regression | Kevin Darbyshire-Bryant | 2016-09-06 | 1 | -0/+1

  Regression introduced by 3481d0d dnsmasq: run as dedicated UID/GID

  dnsmasq is unable to remove its own pidfile as /var/run/dnsmasq is owned by root and now dnsmasq runs as dnsmasq:dnsmasq. Change directory ownership to match.

  dnsmasq initially starts as root, creates the pidfile, then drops to requested non-root user. Until this fix dnsmasq had insufficient privilege to remove its own pidfile.

  Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* hostapd: fix typo and indentation in ap_sta_support.patch | Johannes Römer | 2016-09-05 | 1 | -2/+2

  Signed-off-by: Johannes Römer <jroemer@posteo.net>
* dropbear: mdns flag is a bool, not integer | Karl Palsson | 2016-09-05 | 1 | -1/+1

  Effectively the same for most purposes, but more accurate.

  Signed-off-by: Karl Palsson <karlp@etactica.com>
* openvpn: update to 2.3.12 | Magnus Kroken | 2016-08-24 | 5 | -67/+37

  300-upstream-fix-polarssl-mbedtls-builds.patch has been applied upstream. Replaced 101-remove_polarssl_debug_call.patch with upstream backport.

  Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.12

  Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* hostapd: use printf to improve portability. | Ash Benz | 2016-08-23 | 1 | -4/+4

  Signed-off-by: Ash Benz <ash.benz@bk.ru>
* ppp: Extend uci datamodel with persistency support | Hans Dedecker | 2016-08-18 | 2 | -3/+13

  PPP daemon can be put into persist mode meaning the daemon will not exit after a connection gets terminated but will instead try to reopen the connection. The re-initiation after the link has been terminated can be controlled via holdoff; this is helpful in scenarios where a BRAS is in denial of service mode due to link setup requests after a BRAS has gone down.

  Following uci parameters have been added:

    persist (boolean) : Puts the ppp daemon in persist mode
    maxfail (integer) : Number of consecutive fail attempts which puts the PPP daemon in exit mode
    holdoff (integer) : Specifies how many seconds to wait before re-initiating link setup after it has been terminated

  Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* samba: add file/interface reload triggers & filter interfaces | Conn O'Griofa | 2016-08-15 | 1 | -9/+10

  * Only parse interfaces that are up during init_config (as the script depends on this to determine the proper IP/subnet range)
  * Add reload interface triggers for samba-designated interfaces
  * Force full service restart upon config change to ensure Samba binds to new interfaces (sending HUP signal doesn't work)
  * Rename "interface" variable to "samba_iface" and move into global scope

  Needed to fix Samba connectivity for clients connecting from a different LAN subnet (e.g. pseudobridge configurations) due to the 'bind interfaces only' setting.

  Signed-off-by: Conn O'Griofa <connogriofa@gmail.com>
* dropbear: security update to 2016.74 | Jo-Philipp Wich | 2016-08-12 | 1 | -2/+2

  - Security: Message printout was vulnerable to format string injection. If specific usernames including "%" symbols can be created on a system (validated by getpwnam()) then an attacker could run arbitrary code as root when connecting to Dropbear server. A dbclient user who can control username or host arguments could potentially run arbitrary code as the dbclient user. This could be a problem if scripts or webpages pass untrusted input to the dbclient program.
  - Security: dropbearconvert import of OpenSSH keys could run arbitrary code as the local dropbearconvert user when parsing malicious key files
  - Security: dbclient could run arbitrary code as the local dbclient user if particular -m or -c arguments are provided. This could be an issue where dbclient is used in scripts.
  - Security: dbclient or dropbear server could expose process memory to the running user if compiled with DEBUG_TRACE and running with -v

  The security issues were reported by an anonymous researcher working with Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html

  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: Allow RADIUS accounting without 802.1x | Petko Bordjukov | 2016-08-11 | 1 | -10/+9

  RADIUS accounting can be used even when RADIUS authentication is not used. Move the accounting configuration outside of the EAP-exclusive sections.

  Signed-off-by: Petko Bordjukov <bordjukov@gmail.com>
* hostapd: remove unused hostapd-common-old package | Felix Fietkau | 2016-08-05 | 3 | -606/+0

  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* kernel: remove hostap driver | Felix Fietkau | 2016-07-31 | 6 | -7/+5

  It has been marked as broken for well over a month now and nobody has complained.

  Signed-off-by: Felix Fietkau <nbd@nbd.name>