aboutsummaryrefslogtreecommitdiffstats
path: root/package/network
Commit message (Collapse)AuthorAgeFilesLines
* hostapd: properly build hostapd-only SSL variantsDaniel Golle2018-06-051-11/+11
| | | | | | | Make sure hostapd-openssl is actually build against OpenSSL, same for wolfSSL. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: expose device taxonomy signature via ubusFelix Fietkau2018-06-051-0/+6
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: add support for client taxonomy in the full configFelix Fietkau2018-06-052-5/+29
| | | | | | | This can be used to fingerprint clients to try to identify the exact model Signed-off-by: Felix Fietkau <nbd@nbd.name>
* map: make tunnel encapsulation limit support configurable (FS#1501)Hans Dedecker2018-06-042-8/+10
| | | | | | | | | | | | Be compatible with ISPs which don't support the destination option header containing the tunnel encapsulation limit as reported in FS#1501. Setting the uci parameter encaplimit to ignore; allows to disable the insertion of the destination option header in the map-e packets. Otherwise the tunnel encapsulation limit value can be set to a value from 0 till 255 by setting the encaplimit uci parameter accordingly. If no encaplimit value is specified the default value is 4 as before. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: update to latest git HEAD (FS#1501)Hans Dedecker2018-06-041-4/+4
| | | | | | a580028 system-linux: make encaplimit configurable for ip6 tunnels (FS#1501) Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* odhcp6c: make ds-lite/map tunnel encapsulation limit support configurable ↵Hans Dedecker2018-06-043-3/+9
| | | | | | | | | | | | | | (FS#1501) Be compatible with ISPs which don't support the destination option header containing the tunnel encapsulation limit as reported in FS#1501 for dynamic created ds-lite/map interfaces. Setting the uci parameter encaplimit_dslite/map to ignore; allows to disable the insertion of the destination option header for the dynamic created ds-lite/map interface. Otherwise the tunnel encapsulation limit value can be set to a value from 0 till 255 by setting the encaplimit_dslite/map uci parameter accordingly. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* ds-lite: make tunnel encapsulation limit support configurable (FS#1501)Hans Dedecker2018-06-042-3/+7
| | | | | | | | | | | | Be compatible with ISPs which don't support the destination option header containing the tunnel encapsulation limit as reported in FS#1501. Setting the uci parameter encaplimit to ignore; allows to disable the insertion of the destination option header in the ds-lite packets. Otherwise the tunnel encapsulation limit value can be set to a value from 0 till 255 by setting the encaplimit uci parameter accordingly. If no encaplimit value is specified the default value is 4 as before. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: drop conflicting 'device' interface propertyIvan Shapovalov2018-06-013-5/+1
| | | | | | | | | | Do not set device runtime property on interfaces in the hotplug handler and in fixup_interfaces(). This property conflicts with device option in several proto handlers (mainly QMI and other WWAN/3G protos) and does not seem to be used anywhere. Signed-off-by: Ivan Shapovalov <intelfx@intelfx.name> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* wireguard: bump to 0.0.20180531 to fix flow offloadingJason A. Donenfeld2018-05-311-6/+5
| | | | | | | | | | This version bump was made upstream mostly for OpenWRT, and should fix an issue with a null dst when on the flow offloading path. While we're at it, Kevin and I are the only people actually taking care of this package, so trim the maintainer list a bit. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* hostapd: update packaging and patchesDaniel Golle2018-05-3137-496/+417
| | | | | | | | | | Clean up conflicts/provides/depends hell and add PROVIDES for eapol-test variants while at it. Update mesh-DFS patchset from Peter Oh to v5 (with local fixes) which allows to drop two revert-patches for upstream commits which previously were necessary to un-break mesh-DFS support. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* curl: Add ca-bundle dependencyRosen Penev2018-05-301-2/+2
| | | | | | | | While building, curl complains that the path specified is missing. Also, without ca-bundle, something like 'curl https://www.google.com' does not work due to a certificate verify error. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* curl: Use ca-bundle for all TLS libraries.Rosen Penev2018-05-301-4/+6
| | | | | | | | | | | | | | | | It simplifies the Makefile a bit. In addition, using ca-bundle saves some space as well. It also fixes an issue with at least transmission, which has a dependency on ca-bundle, but currently libcurl with OpenSSL or GnuTLS cause it not to work. This has been tested on mt7621 with OpenSSL and GnuTLS just by running 'curl https://www.google.com' and seeing if there's a verify error. The rest are already using ca-bundle and therefore work fine. Signed-off-by: Rosen Penev <rosenp@gmail.com> Tested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* hostapd: convert ssl provider build options to variantsDaniel Golle2018-05-252-85/+285
| | | | | | | | | | | Instead of selecting the SSL provider at compile time, build package variants for each option so users can select the binary package without having to build it themselves. Most likely not all variants have actually ever been user by anyone. We should reduce the selection to the reasonable and most used combinations at some point in future. For now, build them all. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* firewall: update to latest git HEADHans Dedecker2018-05-251-3/+3
| | | | | | | 30463d0 zones: add interface/subnet bound LOG rules 0e77bf2 options: treat time strings as UTC times Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: update to git HEAD of 2018-05-21, allow build against wolfsslDaniel Golle2018-05-2437-296/+603
| | | | | | | Support for building wpa_supplicant/hostapd against wolfssl has been added upstream recently, add build option to allow users using it. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* Revert "dnsmasq: use "hostsdir" instead of "addn-hosts""Hans Dedecker2018-05-241-1/+1
| | | | | | | | | This reverts commit a03035dad198cd4b51645ceb43c1170f9cf95f16 as it has several issues: -Host file is located in a directory which is not unique per dnsmasq instance -odhcpd writes host info into the same directory but still sends a SIGHUP to dnsmasq Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: use "hostsdir" instead of "addn-hosts"Christian Schoenebeck2018-05-231-1/+1
| | | | | | | 1.) "addn-hosts" per default point to a file (but it supports directory) 2.) "hostsdir" only support directory with the additional benefit: New or changed files are read automatically. Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
* mbedtls: update to version 2.9.0Hauke Mehrtens2018-05-222-2/+2
| | | | | | | | The soversion was changed in this version again and is now aligned with the 2.7.2 version. The size of the ipkg file stayed mostly the same. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* nftables: bump to 0.8.5 versionRosy Song2018-05-218-1594/+8
| | | | Signed-off-by: Rosy Song <rosysong@rosinson.com>
* wireguard: bump to 20180519Jason A. Donenfeld2018-05-191-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | * chacha20poly1305: add mips32 implementation "The OpenWRT Commit" - this significantly speeds up performance on cheap plastic MIPS routers, and presumably the remaining MIPS32r2 super computers out there. * timers: reinitialize state on init * timers: round up instead of down in slack_time * timers: remove slack_time * timers: clear send_keepalive timer on sending handshake response * timers: no need to clear keepalive in persistent keepalive Andrew He and I have helped simplify the timers and remove some old warts, making the whole system a bit easier to analyze. * tools: fix errno propagation and messages Error messages are now more coherent. * device: remove allowedips before individual peers This avoids an O(n^2) traversal in favor of an O(n) one. Before systems with many peers would grind when deleting the interface. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* hostapd: fix IEEE 802.11r (fast roaming) defaultsGospod Nassa2018-05-181-21/+27
| | | | | | | | | | | | | | | | | | | | | | | Use ft_psk_generate_local=1 by default, as it makes everything else fairly trivial. All of the r0kh/r1kh and key management stuff goes away and hostapd fairly much does it all for us. We do need to provide nas_identifier, which can be derived from the BSSID, and we need to generate a mobility_domain, for which we default to the first four chars of the md5sum of the SSID. The complex manual setup should also still work, but the defaults also now work easily out of the box. Verified by manually running hostapd (with the autogenerated config) and watching the debug output: wlan2: STA ac:37:43:a0:a6:ae WPA: FT authentication already completed - do not start 4-way handshake This was previous submitted to LEDE in https://github.com/lede-project/source/pull/1382 [dwmw2: Rewrote commit message] Signed-off-by: Gospod Nassa <devianca@gmail.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
* iwinfo: bump to latest git HEADJohn Crispin2018-05-181-3/+3
| | | | | | | | e59f925 hardware: add device ids for QCA9984, 88W8887 and 88W8964 radios 2a82f87 nl80211: back out early when receiving FAIL-BUSY reply 77c32f0 nl80211: fix code calculating average signal and rate Signed-off-by: John Crispin <john@phrozen.org>
* wireguard: no longer need portability patchKevin Darbyshire-Bryant2018-05-182-19/+1
| | | | | | | | | Drop package/network/services/wireguard/patches/100-portability.patch Instead pass 'PLATFORM=linux' to make since we are always building FOR linux. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* wireguard: bump to 20180514Kevin Darbyshire-Bryant2018-05-172-9/+10
| | | | | | | | | | | | | | | 52be69b version: bump snapshot 4884b45 ncat-client-server: add wg-quick variant a333551 wg-quick: add darwin implementation f5bf84d compat: backport for OpenSUSE 15 fe1ae1b wg-quick: add wg symlink ecc1c5f wg-quick: add android implementation 3e6bb79 tools: reorganize for multiplatform wg-quick b289d12 allowedips: Fix graphviz output after endianness patch Refresh cross compile compatibility patch Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* ltq-xdsl-app: start after led scriptMathias Kresin2018-05-172-3/+2
| | | | | | | | | | | | During handshake we are highjack and reset a LED to the configured trigger afterwards. ltq-xdsl-app need to start after the LED init script, to ensure that the LED init script doesn't re-highjack the LED we are currently using for handshake indication. Drop the comment about the atm dependency. The dependency was fixed quite some time ago by using hotplug scripts for br2684ctl. Signed-off-by: Mathias Kresin <dev@kresin.me>
* curl: bump to 7.60.0Hans Dedecker2018-05-163-15/+4
| | | | | | | | | Refresh patches; remove 320-mbedtls_dont_use_deprecated_sha256_function patch as upstream fixed For changes in version 2.60 see https://curl.haxx.se/changes.html#7_60_0 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* ebtables: update to latest git 2018-05-15Hans Dedecker2018-05-152-3/+14
| | | | | | | | 66a9701 ebtables: Fix build errors and warnings 9fff3d5 include: Fix musl libc compatibility b1cdae8 extensions: Add string filter to ebtables Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wireguard: Add support for ip6prefix config optionToke Høiland-Jørgensen2018-05-151-0/+6
| | | | | | | | | | | | This makes it easier to distribute prefixes over a wireguard tunnel interface, by simply setting the ip6prefix option in uci (just like with other protocols). Obviously, routing etc needs to be setup properly for things to work; this just adds the config option so the prefix can be assigned to other interfaces. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
* hostapd: fix VHT80 for encrypted mesh channel settingsSven Eckelmann2018-05-142-1/+46
| | | | | | | | | | | | | | | | | | | The max_oper_chwidth settings was parsed incorrectly for big endian system. This prevented the system to switch to VHT80 (or VHT160). Instead they were mapped to: * HT20: 20MHz * VHT20: 20MHz * HT40: 40MHz * VHT40: 40MHz * VHT80: 40MHz * VHT160: 40MHz This happened because each max_oper_chwidth setting in the config file was parsed as "0" instead of the actual value. Fixes: a4322eba2b12 ("hostapd: fix encrypted mesh channel settings") Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
* firewall3: update to latest git HEADJohn Crispin2018-05-141-4/+4
| | | | | | | | b45e162 helpers: fix the set_helper in the rule structure f742ba7 helpers.conf: support also tcp in the CT sip helper 08b2c61 helpers: make the proto field as a list rather than one option Signed-off-by: John Crispin <john@phrozen.org>
* hostapd: fix mesh+APDaniel Golle2018-05-1415-220/+171
| | | | | | | | Fix encrypted (or DFS) AP+MESH interface combination in a way similar to how it's done for AP+STA and fix netifd shell script. Refresh patches while at it. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* wireguard: bump to 0.0.20180513Kevin Darbyshire-Bryant2018-05-141-2/+2
| | | | | | | | | | | | | | | | | | | 6b4a340 version: bump snapshot faa2103 compat: don't clear header bits on RHEL 4014532 compat: handle RHEL 7.5's recent backports 66589bc queueing: preserve pfmemalloc header bit 37f114a chacha20poly1305: make gcc 8.1 happy 926caae socket: use skb_put_data 724d979 wg-quick: preliminary support for go implementation c454c26 allowedips: simplify arithmetic 71d44be allowedips: produce better assembly with unsigned arithmetic 5e3532e allowedips: use native endian on lookup 856f105 allowedips: add selftest for allowedips_walk_by_peer 41df6d2 embeddable-wg-library: zero attribute padding 9a1bea6 keygen-html: add zip file example f182b1a qemu: retry on 404 in wget for kernel.org race Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to 2.80test2Kevin Darbyshire-Bryant2018-05-1212-8/+1172
| | | | | | | | | | | | | | | | | | | Refresh patches and backport upstream to current HEAD: 1f1873a Log warning on very large cachesize config, instead of truncating it. 0a496f0 Do unsolicited RAs for interfaces which appear after dnsmasq startup. e27825b Fix logging in previous. 1f60a18 Retry SERVFAIL DNSSEC queries to a different server, if possible. a0088e8 Handle query retry on REFUSED or SERVFAIL for DNSSEC-generated queries. 34e26e1 Retry query to other servers on receipt of SERVFAIL rcode. 6b17335 Add packet-dump debugging facility. 07ed585 Add logging for DNS error returns from upstream and local configuration. 0669ee7 Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip are set. f84e674 Be persistent with broken-upstream-DNSSEC warnings. Compile & run tested: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: add specific interface procd triggershux2018-05-112-2/+14
| | | | | | | | | | | | | | | | | | Right now interface.update events are sent out by netifd upon interface state, route, address (lifetime), prefix lifetime changes. Dnsmasq is only interested in interface state changes and currently adds an interface trigger for all the "interface.*" events. In combination with commit 23bba9cb330, which triggers a SIGHUP signal to dnsmasq, IPv6 address/prefix lifetime changes on the wan will trigger dnsmasq reloads which can become frequent in case of shorter lifetimes. To avoid frequent dnsmasq reload, this patch adds specific interface triggers. During dnsmasq init it loops dhcp uci section; if the value of the ignore option is set to 0, then the corresponding interface trigger is not installed. Otherwise, if the ignore option value is 1, then procd_add_interface_trigger is called which adds the interface trigger. Signed-off-by: hux <xinxing.huchn@gmail.com>
* igmpproxy: bump to 0.2.1Kevin Darbyshire-Bryant2018-05-0710-679/+4
| | | | | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Point at github which is new, maintained location for igmpproxy. Remove all patches as all have been upstreamed. Closes FS#1456 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* igmpproxy: fix creation of firewall rulesJaap Buurman2018-05-073-9/+14
| | | | | | | | The init sccript for igmpproxy uses the option 'network' both as an interface name for fetching the l3_device name and for creating the firewall rules. This only works if the name of the network and firewall zone are identical. This commit introduces a new option 'zone' for configuring the upstream and downstream firewall zones in order for the init script to create the required firewall rules automatically. When no such options are given, the init script falls back to not creating the firewall rules and the user can opt to create these manually. Signed-off-by: Jaap Buurman <jaapbuurman@gmail.com>
* hostapd: add channel utilization as config optionNick Hainke2018-05-071-2/+7
| | | | | | Add the channel utilization as hostapd configuration option. Signed-off-by: Nick Hainke <vincent@systemli.org>
* iproute2: import latest cakeKevin Darbyshire-Bryant2018-05-072-446/+425
| | | | | | | | | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Bearing fruits of the latest upstreaming efforts on cake. Changes: diffserv-llt dropped. The paper describing this DSCP allocation has gone stale and doesn't appear used. The userspace to kernel netlink messages for cake have been reworked in a backwards incompatible way, so tc & cake must be bumped together this once. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* iproute2: backport json_print-fix-hidden-64-bit-type-promotionKevin Darbyshire-Bryant2018-05-072-1/+289
| | | | | | | | | | | | | | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. print_uint() will silently promote its variable type to uint64_t, but there is nothing that ensures that the format string specifier passed along with it fits (and the function name suggest to pass "%u"). Fix this by changing print_uint() to use a native 'unsigned int' type, and introduce a separate print_u64() function for printing 64-bit values. All call sites that were actually printing 64-bit values using print_uint() are converted to use print_u64() instead. Since print_int() was already using native int types, just add a print_s64() to match, but don't convert any call sites. Fixes wonkyness in some stats from some qdiscs under tc Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* hostapd: fix a mesh mode crash with CONFIG_TAXONOMY enabledFelix Fietkau2018-05-031-0/+23
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* samba36: add hotplug supportRosy Song2018-05-023-0/+114
| | | | | | | | Add hotplug handle script for storage devices, this will add corresponding option in the /etc/config/samba file automatically. Signed-off-by: Rosy Song <rosysong@rosinson.com>
* iproute2: update to 4.16Hans Dedecker2018-05-024-17/+7
| | | | | | | | | Update to latest version of iproute2, refresh patches. See https://lkml.org/lkml/2018/4/2/349 for a full overview of the changes in 4.16. Build and tested on AR7xxx against musl Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iptables: fix per object LDFLAGS for aggragate object buildsJohn Crispin2018-05-011-5/+5
| | | | | | | Without this patch the extra LDFLAGS of objects were selected based on the name of the extension being built, which breaks for aggregate so builds. Signed-off-by: John Crispin <john@phrozen.org>
* odhcp6c: update to latest git HEADHans Dedecker2018-04-291-3/+3
| | | | | | | 5316d7f ra: always trigger update in case of RA parameter change 327f73d dhcpv6: fix strncpy bounds Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: update to latest git HEAD (Coverity fixes)Hans Dedecker2018-04-271-3/+3
| | | | | | | 56ceced interface-ip: remove superfluous iface check in interface_ip_set_enabled() 4f4a8c0 system-linux: fix strncpy bounds Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iftop: bump to latestKevin Darbyshire-Bryant2018-04-271-3/+3
| | | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Choose first running interface, rather than first "up" interface (Redhat #1403025) Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* odhcpd: update to latest git HEADHans Dedecker2018-04-231-4/+4
| | | | | | | 4136529 dhcpv6-ia: keep tentative assignments alive for a short time 200cc8f dhcpv6-ia: make assignment lookup more strict Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wireguard: bump to 20180420Kevin Darbyshire-Bryant2018-04-201-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | 7cc2668 version: bump snapshot 860c7c7 poly1305: do not place constants in different sections 5f1e4ca compat: remove unused dev_recursion_level backport 7e4b991 blake2s: remove unused helper 13225fc send: simplify skb_padding with nice macro a1525bf send: account for route-based MTU bbb2fde wg-quick: account for specified fwmark in auto routing mode c452105 qemu: bump default version dbe5223 version: bump snapshot 1d3ef31 chacha20poly1305: put magic constant behind macro cdc164c chacha20poly1305: add self tests from wycheproof 1060e54 curve25519: add self tests from wycheproof 0e1e127 wg-quick.8: fix typo 2b06b8e curve25519: precomp const correctness 8102664 curve25519: memzero in batches 1f54c43 curve25519: use cmov instead of xor for cswap fa5326f curve25519: use precomp implementation instead of sandy2x 9b19328 compat: support OpenSUSE 15 3102d28 compat: silence warning on frankenkernels 8f64c61 compat: stable kernels are now receiving b87b619 62127f9 wg-quick: hide errors on save Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* hostapd: fix encrypted mesh channel settingsDaniel Golle2018-04-205-1/+226
| | | | | | | | | | | | | | | Import two patches from Peter Oh to allow setting channel bandwidth in the way it already works for managed interfaces. This fixes mesh interfaces on 802.11ac devices always coming up in VHT80 mode. Add a patch to allow HT40 also on 2.4GHz if noscan option is set, which also skips secondary channel scan just like noscan works in AP mode. This time also make sure to add all files to the patch before committing it... Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* Revert "hostapd: fix encrypted mesh channel settings"Felix Fietkau2018-04-205-213/+1
| | | | | | | This reverts commit 7f52919a2f2894125b4dca611eb2d30181af7e0b, which is currently breaking the builds and needs to be reworked Signed-off-by: Felix Fietkau <nbd@nbd.name>