path: root/package/network
Commit message | Author | Age | Files | Lines
* curl: update to version 7.51.0 | Hauke Mehrtens | 2016-12-03 | 3 | -6/+6
  This fixes the following security problems:
  CVE-2016-8615: cookie injection for other servers
  CVE-2016-8616: case insensitive password comparison
  CVE-2016-8617: OOB write via unchecked multiplication
  CVE-2016-8618: double-free in curl_maprintf
  CVE-2016-8619: double-free in krb5 code
  CVE-2016-8620: glob parser write/read out of bounds
  CVE-2016-8621: curl_getdate read out of bounds
  CVE-2016-8622: URL unescape heap overflow via integer truncation
  CVE-2016-8623: Use-after-free via shared cookies
  CVE-2016-8624: invalid URL parsing with '#'
  CVE-2016-8625: IDNA 2003 makes curl use wrong host

  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* xtables-addons: add CONFIG_NF_CONNTRACK_MARK=y to all kmod-* packages | Felix Fietkau | 2016-12-01 | 1 | -2/+2
  Not all kmod packages depend on kmod-ipt-compat-xtables, but this kernel
  config option is required for building the whole package

  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* iw: drop TX power patch that is part of upstream version now | Rafał Miłecki | 2016-11-29 | 1 | -30/+0
  Applying it again was resulting in duplicated TX info like:
  Interface wlan0
          ifindex 6
          wdev 0x1
          addr 00:23:6a:a3:7d:00
          ssid LEDE2
          type AP
          wiphy 0
          channel 11 (2462 MHz), width: 20 MHz, center1: 2462 MHz
          txpower 31.00 dBm
          txpower 31.00 dBm

  Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* ipset: Add InstallDev to provide libipset as library | Julian Kornberger | 2016-11-26 | 1 | -1/+8
* netifd: update to the latest version | Felix Fietkau | 2016-11-22 | 1 | -3/+3
  Fixes config reload on bridge MAC address changes

  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* odhcpd: update to latest git HEAD | John Crispin | 2016-11-21 | 1 | -2/+2
  Signed-off-by: John Crispin <john@phrozen.org>
* odhcpd: update to latest git HEAD | John Crispin | 2016-11-21 | 1 | -4/+4
  Signed-off-by: John Crispin <john@phrozen.org>
* openvpn: update to 2.3.13 | Magnus Kroken | 2016-11-21 | 1 | -2/+2
  Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13

  Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* hostapd: fix PKG_CONFIG_DEPENDS for CONFIG_WPA_SUPPLICANT_* | Matthias Schiffer | 2016-11-16 | 1 | -1/+1
  These symbols don't affect wpa-supplicant only, but also wpad.

  Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* odhcpd: Add reload support | Hans Dedecker | 2016-11-14 | 2 | -1/+5
  odhcpd daemon has hitless config reload support by means of the sighup
  signal; add reload_service function which uses sighup signal to reload
  the config

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* arptables: bump to 2015-05-20 | Ralph Sennhauser | 2016-11-14 | 3 | -64/+13
  This fixes building with musl and drops the dependency on the OpenWrt
  kernel-header patches:
  270-uapi-kernel.h-glibc-specific-inclusion-of-sysinfo.h.patch
  271-uapi-libc-compat.h-do-not-rely-on-__GLIBC__.patch
  272-uapi-if_ether.h-prevent-redefinition-of-struct-ethhd.patch

  Use the new upstream location at netfilter.org and use a define instead
  of a patch to "optimize".

  See also: https://git.netfilter.org/arptables/log/

  Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
  [Jo-Philipp Wich: add mirror SHA256 sum]
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* conntrack-tools: update to v1.4.4 | Jo-Philipp Wich | 2016-11-14 | 1 | -6/+2
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* iw: fix build error caused by redeclaration of NL80211_ATTR_PAD | Rafał Miłecki | 2016-11-12 | 1 | -6/+2
  Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
  Fixes: 7aff00ab199 ("iw: update to version 4.9")
* iw: update to version 4.9 | Rafał Miłecki | 2016-11-12 | 5 | -88/+24
  This adds support for "channels" command which displays more details
  about channels. It includes e.g. info about available widths.

  Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* iw: update to version 4.7 | Rafał Miłecki | 2016-11-12 | 8 | -634/+48
  Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* firewall: update to fix FS#31, FS#73, FS#154, FS#248 | Jo-Philipp Wich | 2016-11-08 | 1 | -3/+3
  Update to latest Git head in order to import several fixes and
  enhancements.

  - Disable drop invalid by default (FS#73, FS#154)

    Instead of dropping packets with conntrack state INVALID, only allow
    streams with explicit NEW or UNTRACKED conntrack state.

    This change gives user defined rules the chance to accept traffic like
    ICMPv6 multicast which would be filtered away by the very early ctstate
    INVALID drop rule otherwise.

    The old behaviour can be restored by explicitly setting "drop_invalid"
    to 1 in the global firewall config section.

  - Fix re-initialization of loadable iptables extensions on musl (FS#31)

    Since musl does not implement actual dlclose() semantics, it is
    impossible to re-run initializers on subsequent dlopen() calls.

    The firewall3 executable now intercepts the extension registration
    calls instead in order to be able to re-call them when needed.

    This also allowed us to switch to libxtables' builtin extension loader
    as a positive side-effect.

  - Fix masquerade rules for multiple negated IP addresses (FS#248)

    When building MASQUERADE rules for zones which specify multiple negated
    addresses in masq_src or masq_dest, emit -j RETURN rules which jump out
    of the masquerading chain instead of creating multiple rules with
    inverted "-s" arguments.

  - Tag own rules using comments

    Instead of relying on the nonstandard xt_id match, use the xt_comment
    match to mark own rules. Existing comments are prefixed with "!fw3: "
    while uncommented rules are marked with a sole "!fw3" string.

    This allows removing the xt_id match entirely in a later commit.

  - Make missing ubus connection nonfatal

    Technically, firewall3 is able to operate without ubus just fine as
    long as the zones are declared using "option device" or "option subnet"
    instead of "option network" so do not abort execution if ubus could not
    be connected or if no network namespace is exported in ubus.

    This allows running firewall3 on ordinary Linux systems.

  - Fix conntrack requirement detection for indirectly connected zones

    The current code fails to apply the conntrack requirement flag
    recursively to zones, leading to stray NOTRACK rules which break
    conntrack based traffic policing.

    Change the implementation to iteratively reapply the conntrack fixup
    logic until no more zones had been changed in order to ensure that all
    directly and indirectly connected zones receive the conntrack
    requirement flag.

  - Add support for iptables 1.6.x

    Adds support for the xtables version 11 api in order to allow building
    against iptables 1.6.x

  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* iperf3: update to version 3.1.4 | Christian Lamparter | 2016-11-08 | 1 | -2/+2
  "This release fixes a few minor bugs, including a
  (non-security-impacting) buffer overflow fix ported from upstream cjson."
  <http://software.es.net/iperf/news.html#iperf-3-1-4-released>

  Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* dnsmasq: Support add-mac option | Hans Dedecker | 2016-11-08 | 2 | -1/+7
  Adds the mac address of the DNS requestor to DNS queries which are
  forwarded upstream and can be used to do filtering by the upstream
  servers. This only works if the requestor is on the same subnet as the
  dnsmasq server

  The addmac parameter can hold the following values:
  0 : mac address is not added
  1 : mac address is added in binary format
  base64 : mac address is added base64 encoded
  text: : mac address is added in human readable format as hex and colons

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* comgt: move to WWAN submenu, fixed link | Alberto Bursi | 2016-11-08 | 1 | -3/+4
  moving comgt and its modules to WWAN submenu to join uqmi as both are
  tools for WWAN modems. I replaced the link with comgt's ubuntu manpage
  because the old link isn't working anymore.

  Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
* uqmi: moved to WWAN submenu | Alberto Bursi | 2016-11-08 | 1 | -0/+1
  Moving uqmi to WWAN submenu

  Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
* gcom: Fix 'mode' option for ncm | Cezary Jackiewicz | 2016-11-08 | 1 | -1/+1
  For Huawei devices like E3372 proper command for set lte mode is:

  AT^SYSCFGEX="03",3fffffff,2,4,7fffffffffffffff,,

  Eval is required for proper quotation.

  Without this fix:

  Fri Nov 4 19:07:49 2016 daemon.notice netifd: Interface 'wan' is setting up now
  Fri Nov 4 19:07:52 2016 daemon.notice netifd: wan (2060): sending -> AT
  Fri Nov 4 19:07:52 2016 daemon.notice netifd: wan (2060): sending -> ATZ
  Fri Nov 4 19:07:53 2016 daemon.notice netifd: wan (2060): sending -> ATQ0
  Fri Nov 4 19:07:53 2016 daemon.notice netifd: wan (2060): sending -> ATV1
  Fri Nov 4 19:07:54 2016 daemon.notice netifd: wan (2060): sending -> ATE1
  Fri Nov 4 19:07:55 2016 daemon.notice netifd: wan (2060): sending -> ATS0=0
  Fri Nov 4 19:07:55 2016 daemon.notice netifd: wan (2060): sending -> AT+CGDCONT=1,"IP","internet"
  Fri Nov 4 19:07:57 2016 daemon.notice netifd: wan (2060): sending -> AT^SYSCFGEX=\"03\",3fffffff,2,4,7fffffffffffffff,,
  Fri Nov 4 19:07:58 2016 daemon.notice netifd: wan (2060): Error running AT-command
  Fri Nov 4 19:07:58 2016 daemon.notice netifd: wan (2060): Failed to set operating mode
  Fri Nov 4 19:07:58 2016 daemon.notice netifd: wan (2092): Stopping network
  ...

  With this fix:

  Fri Nov 4 19:10:59 2016 daemon.notice netifd: Interface 'wan' is setting up now
  Fri Nov 4 19:11:01 2016 daemon.notice netifd: wan (2539): sending -> AT
  Fri Nov 4 19:11:01 2016 daemon.notice netifd: wan (2539): sending -> ATZ
  Fri Nov 4 19:11:02 2016 daemon.notice netifd: wan (2539): sending -> ATQ0
  Fri Nov 4 19:11:03 2016 daemon.notice netifd: wan (2539): sending -> ATV1
  Fri Nov 4 19:11:03 2016 daemon.notice netifd: wan (2539): sending -> ATE1
  Fri Nov 4 19:11:04 2016 daemon.notice netifd: wan (2539): sending -> ATS0=0
  Fri Nov 4 19:11:05 2016 daemon.notice netifd: wan (2539): sending -> AT+CGDCONT=1,"IP","internet"
  Fri Nov 4 19:11:06 2016 daemon.notice netifd: wan (2539): sending -> AT^SYSCFGEX="03",3fffffff,2,4,7fffffffffffffff,,
  Fri Nov 4 19:11:07 2016 daemon.notice netifd: wan (2539): sending -> AT^NDISDUP=1,1,"internet"
  Fri Nov 4 19:11:08 2016 daemon.notice netifd: wan (2539): Connected, starting DHCP on wwan0
  Fri Nov 4 19:11:08 2016 daemon.notice netifd: Interface 'wan' is now up
  Fri Nov 4 19:11:08 2016 daemon.notice netifd: Network device 'wwan0' link is up
  Fri Nov 4 19:11:08 2016 daemon.notice netifd: Network alias 'wwan0' link is up
  Fri Nov 4 19:11:08 2016 daemon.notice netifd: Interface 'wan_4' is enabled
  Fri Nov 4 19:11:08 2016 daemon.notice netifd: Interface 'wan_4' has link connectivity
  Fri Nov 4 19:11:08 2016 daemon.notice netifd: Interface 'wan_4' is setting up now
  ...

  Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
* dnsmasq: support log-dhcp option | Karl Palsson | 2016-11-02 | 1 | -0/+1
  Helpful when trying to resolve issues with quirky dhcp client devices.

  Signed-off-by: Karl Palsson <karlp@etactica.com>
* iproute2: rename ip to ip-tiny and let both ip-tiny and ip-full provide "ip" | Jo-Philipp Wich | 2016-11-02 | 1 | -6/+7
  Rename the "ip" package declaration to "ip-tiny" and let both "ip-tiny"
  and "ip-full" provide the virtual "ip" package.

  This allows users to freely choose the "ip" command variant while other
  packages can continue to depend on "ip" without needing to enforce a
  specific variant.

  Note that this commit does not add busybox as "ip" provider due to the
  following reasons:

  - The builtin Busybox ip applet cannot be added or removed at runtime
  - Both "ip-tiny" and "ip-full" are able to install without file clashes
    even if the busybox applet is enabled
  - The system is preferring full "ip-tiny" and "ip-full" at runtime, even
    if Busybox ip is still present.

  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: properly package wpa-supplicant-mesh | Alexis Green | 2016-10-31 | 1 | -1/+2
  Ensure that selecting the wpa-supplicant-mesh package actually packages
  the wpa_supplicant binary with SAE support and add missing dependency on
  OpenSSL.

  Signed-off-by: Alexis Green <alexis@cessp.it>
  [Jo-Philipp Wich: slightly reword commit message for clarity]
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd support for VLANs through a file in addition to Radius. | Petr Konecny | 2016-10-31 | 1 | -18/+25
  Signed-off-by: Petr Konecny <pekon@google.com>
* uhttpd: Add Basic Auth config | Daniel Dickinson | 2016-10-31 | 2 | -1/+38
  We add an 'httpauth' section type that contains the options:

  prefix: What virtual or real URL is being protected
  username: The username for the Basic Auth dialogue
  password: Hashed (crypt()) or plaintext password for the Basic Auth dialogue

  httpauth section names are given included as list items to the instances
  to which they are to be applied.

  Further any existing httpd.conf file (really whatever is configured in
  the instance, but default of /etc/httpd.conf) is appended to the
  per-instance httpd.conf

  Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
* lldpd: freeze execution of lldpd during reload | Alexandru Ardelean | 2016-10-31 | 1 | -1/+5
  During reload, we could send invalid information to the other side and
  confuse it. That's why, during reload we'll pause execution, do the
  reconfig and resume + update when reload is done.

  Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* lldpd: fix reload function for when interfaces change | Alexandru Ardelean | 2016-10-31 | 2 | -20/+44
  The problem is that interfaces are specified at start as command line
  arguments, making them unchange-able via reload.

  That means, we have to move (since lldpd allows this) the
  interfaces-match-pattern option to be in a config file and reload the
  configuration. It's either that, or do a 'restart'.

  Since we're generating the lldpd.conf file, we'll have to move the
  'sysconfdir' of lldpd to /tmp, where the files will get written; this
  will prevent any unnecessary flash writes.

  Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* openvpn: cacert does not exist | John Crispin | 2016-10-27 | 1 | -2/+2
  cacert is really called ca and already in the script

  Signed-off-by: John Crispin <john@phrozen.org>
* openvpn: add handling for capath and cafile | John Crispin | 2016-10-27 | 1 | -1/+1
  Signed-off-by: John Crispin <john@phrozen.org>
* package/network/utils/ipset: Update to 6.30 | Daniel Engberg | 2016-10-27 | 1 | -2/+2
  Updates to 6.30

  Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* netifd: update to latest git HEAD | John Crispin | 2016-10-27 | 1 | -3/+3
  Signed-off-by: John Crispin <john@phrozen.org>
* dnsmasq: Multiple dnsmasq instances support | Hans Dedecker | 2016-10-26 | 1 | -185/+270
  Adds support in uci for configuring multiple dnsmasq instances via
  multiple dnsmasq sections.
  The uci sections host, boot, mac, tag, vendorclass, userclass,
  circuitid, ... will refer to a dnsmasq instance via the instance
  parameter defined in the section; if the instance parameter is not
  specified backwards compatibility is preserved.

  Start/Stopping a dnsmasq instance can be achieved by passing the dnsmasq
  instance name as argument to start/stop via the init script.

  Multiple dnsmasq instances is useful in scenarios where you want to bind
  a dnsmasq instance to an interface in order to isolate networks.

  This patch is a rework of a multiple dnsmasq instance patch by Daniel
  Dickinson

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* ipip: Support fqdn as remote tunnel endpoint | Hans Dedecker | 2016-10-26 | 2 | -3/+16
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* uhttpd: create self-signed certificates with unique subjects | Hannu Nyman | 2016-10-26 | 1 | -1/+2
  Add a partially random O= item to the certificate subject in order to
  make the automatically generated certificates' subjects unique.

  Firefox has problems when several self-signed certificates with CA:true
  attribute and identical subjects have been seen (and stored) by the
  browser. Reference to upstream bugs:
  https://bugzilla.mozilla.org/show_bug.cgi?id=1147544
  https://bugzilla.mozilla.org/show_bug.cgi?id=1056341
  https://bugzilla.redhat.com/show_bug.cgi?id=1204670#c34

  Certificates created by the OpenSSL one-liner fall into that category.

  Avoid identical certificate subjects by including a new 'O=' item with
  CommonName + a random part (8 chars). Example:
  /CN=LEDE/O=LEDEb986be0b/L=Unknown/ST=Somewhere/C=ZZ

  That ensures that the browser properly sees the accumulating
  certificates as separate items and does not spend time trying to form a
  trust chain from them.

  Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
* uhttpd: prefer px5g for certificate creation | Hannu Nyman | 2016-10-26 | 1 | -2/+2
  Prefer the old default 'px5g' for certificate creation as Firefox seems
  to dislike OpenSSL-created certs.

  Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
* netifd: Request DHCP option 121 (classless route) by default | Baptiste Jonglez | 2016-10-26 | 1 | -2/+5
  This option, defined by RFC3442, allows a DHCP server to send static
  routes to a client. But the client has to request this option
  explicitly.

  Static routes are useful when the gateway configured by DHCP cannot be
  in the same subnet as the client. This happens, for instance, when using
  DHCP to hand out addresses in /32 subnets.

  A new configuration option "classlessroute" is available, allowing users
  to disable this feature (the option defaults to true).

  Other DHCP clients already request this option by default (dhcpcd, for
  instance, and possibly Windows). If a DHCP server does not support this
  option, it will simply ignore it.

  Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
* wwan: rename data files | Simon Hailes | 2016-10-26 | 348 | -0/+10
  This is to ensure that git can be cloned onto a windows drive without
  failing.

  Signed-off-by: Simon Hailes <btsimonh@googlemail.com>
* qmi: add metric, defaultroute and peerdns options for qmi protocol | Marcin Jurkowski | 2016-10-26 | 1 | -8/+10
  Adds generic network options for qmi protocol dynamic interfaces as
  suggested by Felix in
  https://lists.openwrt.org/pipermail/openwrt-devel/2016-February/039794.html.
  IPv6-related code taken from Bruno's patch
  https://patchwork.ozlabs.org/patch/584816.

  This depends on netifd patch https://patchwork.ozlabs.org/patch/686820/.

  Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
  Signed-off-by: Bruno Randolf <br1@einfach.org>
* mbim: add metric, defaultroute and peerdns options for mbim protocol | Marcin Jurkowski | 2016-10-26 | 1 | -2/+5
  Adds generic network options for mbim protocol dynamic interfaces as
  suggested by Felix in
  https://lists.openwrt.org/pipermail/openwrt-devel/2016-February/039794.html.

  This depends on netifd patch https://patchwork.ozlabs.org/patch/686820/.

  Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
* comgt: add metric, defaultroute and peerdns options for directip protocol | Marcin Jurkowski | 2016-10-26 | 1 | -2/+5
  Adds generic network options for directip protocol dynamic interfaces as
  suggested by Felix in
  https://lists.openwrt.org/pipermail/openwrt-devel/2016-February/039794.html.

  This depends on netifd patch https://patchwork.ozlabs.org/patch/686820/.

  Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
* comgt: add metric, defaultroute and peerdns options for ncm protocol | Marcin Jurkowski | 2016-10-26 | 1 | -2/+5
  Adds generic network options for ncm protocol dynamic interfaces as
  suggested by Felix in
  http://lists.openwrt.org/pipermail/openwrt-devel/2016-February/039794.html.

  This depends on netifd patch https://patchwork.ozlabs.org/patch/686820/.

  Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
* uhttpd: fix handling of special "/" prefix when matching handlers | Jo-Philipp Wich | 2016-10-25 | 1 | -3/+3
  The special prefix of "/" should match any url by definition but the
  final assertion which ensures that the matched prefix ends in '\0' or
  '/' is causing matches against the "/" prefix to fail.

  Update to current HEAD in order to fix this particular case.

  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* iperf: used an updated renamed tarball instead of main upstream URL | Felix Fietkau | 2016-10-17 | 1 | -3/+8
  iperf upstream added some bugfixes to the already released 2.0.9 version
  without changing the filename. This conflicts with old mirrored files
  and the hash that we previously used. To avoid conflict, use a renamed
  tarball from mirror2.openwrt.org containing the new upstream changes

  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* network/utils/maccalc: drop Build/Prepare rule in favor of default one | Alexandru Ardelean | 2016-10-15 | 1 | -5/+0
  Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* network/utils/rssileds: drop Build/Prepare rule in favor of default one | Alexandru Ardelean | 2016-10-15 | 1 | -5/+0
  Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* network/utils/resolveip: drop Build/Prepare rule in favor of default one | Alexandru Ardelean | 2016-10-15 | 1 | -5/+0
  Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* network/utils/owipcalc: drop Build/Prepare rule in favor of default one | Alexandru Ardelean | 2016-10-15 | 1 | -6/+0
  Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* network/ipv6/map: drop Build/Prepare rule in favor of default one | Alexandru Ardelean | 2016-10-15 | 1 | -5/+0
  Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* network/utils/iwcap: drop Build/Prepare rule in favor of default one | Alexandru Ardelean | 2016-10-15 | 1 | -5/+0
  Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>