aboutsummaryrefslogtreecommitdiffstats
path: root/package/network
Commit message (Collapse)AuthorAgeFilesLines
* nftables: add CONFLICT between versionsEneas U de Queiroz2022-04-111-1/+2
| | | | | | | Have nftables-json conflict with nftables-nojson. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 1135b75d1fd26049a0644b304b7199e4a73c6a08)
* dropbear: bump to 2022.82Konstantin Demin2022-04-109-66/+90
| | | | | | | | | | | | | | | | | | | | | | | - update dropbear to latest stable 2022.82; for the changes see https://matt.ucc.asn.au/dropbear/CHANGES - use $(AUTORELEASE) in PKG_RELEASE - use https for all uris - refresh all patches - rewrite patches: - 100-pubkey_path.patch - 130-ssh_ignore_x_args.patch binary/pkg size changes: - ath79/generic, mips: - binary: 215112 -> 219228 (+4116) - pkg: 111914 -> 113404 (+1490) - ath79/tiny, mips: - binary: 172501 -> 172485 (-16) - pkg: 89871 -> 90904 (+1033) Tested-by: Stijn Segers <foss@volatilesystems.org> Signed-off-by: Konstantin Demin <rockdrilla@gmail.com> (cherry picked from commit 65256aee23a5104eb0c78411fdc73640c0b757ea)
* dnsmasq: add procd interface index trackingValentyn Datsko2022-04-101-0/+5
| | | | | | | | | | | | | | Problem exist when dnsmasq is exclusively bind to particular interface. After reconfiguring or restarting this interface, its index changes, but dnsmasq uses the old one. When this problem occurs, dnsmasq does not listen on the correct interface so DHCP does not work, and clients do not get an IP address. Procd netdev param can be added to restart dnsmasq when the interface index is changed. Signed-off-by: Valentyn Datsko <valikk.d@gmail.com> [combined into a single &&-connected statement] Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit 76f55e3c3f32dea63a385e9b3c8eaed1322089c7)
* uqmi: fix acquiring PIN statusDaniel Golle2022-03-271-4/+8
| | | | | | | | | | | | | Evaluating the return value of 'json_load' didn't work in the intended way resulting in PIN status no longer being read on modems where --get-pin-status doesn't fail. Fix this by trying --get-pin-status first and checking if pin1_status field exists in JSON, and if it doesn't try again with --uim-get-sim-state. Fixes: #9501 Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit ee7cb5e885118b78fb5f692d8ed6c93bb7e35853)
* qosify: update to the latest versionFelix Fietkau2022-03-221-3/+3
| | | | | | | | | | | | | | | | | 391a9fbd5ace dns: fix parsing vlan encapsulated protocol 6aeeddbc91ad interface: extend dns filters to cover vlan tagged traffic as well 1ab53d4ca601 bpf: return TC_ACT_UNSPEC to allow other filters to proceed ca21e729af23 interface: switch to using clsact for filters 5d158f6b3c15 interface: run ingress bpf filter on main device ingress instead of ifb egress bdfcb11847ce interface: fix duplicated dns filter line b97405aa632a Revert "ubus: remove dnsmasq subscriber" 8fbaf39dbc95 interface: rework adding/removing filters, do not delete clsact d7ba5804eae4 interface: replace open-coded ifb-dns string with QOSIFY_DNS_IFNAME 91cf440db9e2 loader: fix use of deprecated functions 57c7817f91c2 qosify: fix dscp values of ubus-added dns host entries Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit af434e0da2485bd7a82895b5bb63b1182154b98e)
* iptables: bump PKG_RELEASEEtienne Champetier2022-03-191-1/+1
| | | | | | Following {arp,eb}tables-nft addition, bump PKG_RELEASE Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: add {arp,eb}tables-nftEtienne Champetier2022-03-192-0/+145
| | | | | | | Add a patch to add some missing init_extensions{a,b}() calls Package lib{arp,eb}t_*.so Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: add xtables-nft packageEtienne Champetier2022-03-191-3/+14
| | | | | | | This allows to install ip6tables-nft without iptables-nft This prepare the addition of {arp,eb}tables-nft Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: add xtables-legacy packageEtienne Champetier2022-03-191-3/+14
| | | | | | This allows to install ip6tables-legacy without iptables-legacy Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* ebtables: rename to ebtables-legacyEtienne Champetier2022-03-191-14/+21
| | | | | | | | This prepare the introduction of ebtables-nft. Add PROVIDES so dependencies are not broken, use ALTERNATIVES. Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* arptables: rename package to arptables-legacyEtienne Champetier2022-03-191-4/+7
| | | | | | | | This prepare the introduction of arptables-nft. Add PROVIDES so dependencies are not broken, use ALTERNATIVES. Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iwinfo: update to latest Git headJosef Schlehofer2022-03-191-3/+3
| | | | | | | | | Changelog: 90bfbb9 devices: Add Cypress CYW43455 234075b devices: fix AMD RZ608 format 0e2a318 devices: add AMD RZ608 device-id Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
* bpftools: fix library path on 64 bit systemsFelix Fietkau2022-03-191-3/+3
| | | | | | | drop the use of LIB_SUFFIX Fixes: 00cbf6f6ab1d ("bpftools: update to standalone bpftools + libbpf, use the latest version") Signed-off-by: Felix Fietkau <nbd@nbd.name>
* bpftools: update to standalone bpftools + libbpf, use the latest versionFelix Fietkau2022-03-196-117/+64
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* iptables: backport missing init_extensions6() callsEtienne Champetier2022-03-132-1/+69
| | | | | | | This fixes ip6tables-nft no being able to use built-in extensions like icmp6. Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* ipset: add backport patch for IPv6 nftables ipset-translationFlorian Eckert2022-03-132-1/+83
| | | | | | | | | | | | | | When porting mwan3 from iptables to nftables I tried the new translation tool for ipset ipset-translate. I noticed that no IPv6 ipset can be created with the tool. I have reported the problem to the upstream project and the following patch fixes the problem. Until this upsream is included in a new release, this patch should be used in Openwrt. https://lore.kernel.org/netfilter-devel/20220228190217.2256371-1-pablo@netfilter.org/T/#m09cc3cb738f2e42024c7aecf5b7240d9f6bbc19c Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* uqmi: update to git HEADDaniel Golle2022-03-121-3/+3
| | | | | | 44dd095 uqmi: corrected too short received SMS Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* uqmi: set CID during 'query-data-status' operationLech Perczak2022-03-121-2/+2
| | | | | | | | | | | | | Modems used in ZTE mobile broadband routers require to query the data session status using the same CID as one used to establish the session, otherwise they will report the session as "disconnected" despite reporting correct PDH in previous step. Without this change, IPv6 connection on these modems doesn't establish properly. In IPv4 this bug is present as well, but for some reason querying of IPv4 status works using temporary CID, this however seems noncompliant with QMI specifications, so fix it as well. Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
* iptables: add iptables-mod-socketYousong Zhou2022-03-101-4/+15
| | | | | | | | | Previously libxt_socket.so was included in iptables-mod-tproxy. It was missed out when trying to make kmod-ipt-socket and kmod-ipt-tproxy separate packages Fixes: 4f443c88 ("netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxy") Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* nftables: update to version 1.0.2Josef Schlehofer2022-03-073-47/+32
| | | | | | | | | | | | | | | | | | | | | | | | | Changelog: https://lwn.net/ml/netdev/YhO5Pn+6+dgAgSd9@salvia/ Patches: removed: - 001-parser-allow-quoted-string-in-flowtable_expr_member: it is now part of upstream release [1] added: - 001-examples-compile-with-make-check.patch: backported from [2], it fixes: nft-json-file.c:3:10: fatal error: nftables/libnftables.h: No such file or directory 3 | #include <nftables/libnftables.h> | ^~~~~~~~~~~~~~~~~~~~~~~~ compilation terminated. [1] https://git.netfilter.org/nftables/commit/?h=v1.0.2&id=07af4429241c9832a613cb8620331ac54257d9df [2] https://git.netfilter.org/nftables/commit/?id=18a08fb7f0443f8bde83393bd6f69e23a04246b3 Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
* qosify: update to the latest versionFelix Fietkau2022-03-061-3/+3
| | | | | | | | | | | 3276aed81c73 move run_cmd() to main.c 558eabc13c64 map: move dns host based lookup code to a separate function 6ff06d66c36c dns: add code for snooping dns packets a78bd43c4a54 ubus: remove dnsmasq subscriber 9773ffa70f1f map: process dns patterns in the order in which they were defined f13b67c9a786 dns: allow limiting dns entry matching to cname name Signed-off-by: Felix Fietkau <nbd@nbd.name>
* iproute2: Remove libxtables from some tc variantsHauke Mehrtens2022-03-051-3/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds the new tc-bpf variant and removes libxtables dependency from the tc-tiny variant. The tc-full variant stays like before and contains everything. This allows to use tc without libxtables. The variants have the following sizes: root@OpenWrt:/# ls -al /usr/libexec/tc-* -rwxr-xr-x 1 root root 282453 Mar 1 21:55 /usr/libexec/tc-bpf -rwxr-xr-x 1 root root 282533 Mar 1 21:55 /usr/libexec/tc-full -rwxr-xr-x 1 root root 266037 Mar 1 21:55 /usr/libexec/tc-tiny They are linking the following shared libraries: root@OpenWrt:/# ldd /usr/libexec/tc-tiny /lib/ld-musl-mips-sf.so.1 (0x77d6e000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d4a000) libc.so => /lib/ld-musl-mips-sf.so.1 (0x77d6e000) root@OpenWrt:/# ldd /usr/libexec/tc-bpf /lib/ld-musl-mips-sf.so.1 (0x77da6000) libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77d60000) libelf.so.1 => /usr/lib/libelf.so.1 (0x77d3e000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d1a000) libc.so => /lib/ld-musl-mips-sf.so.1 (0x77da6000) libz.so.1 => /usr/lib/libz.so.1 (0x77cf6000) root@OpenWrt:/# ldd /usr/libexec/tc-full /lib/ld-musl-mips-sf.so.1 (0x77de8000) libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77da2000) libelf.so.1 => /usr/lib/libelf.so.1 (0x77d80000) libxtables.so.12 => /usr/lib/libxtables.so.12 (0x77d66000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d42000) libc.so => /lib/ld-musl-mips-sf.so.1 (0x77de8000) libz.so.1 => /usr/lib/libz.so.1 (0x77d1e000) This is based on a patch from Tiago Gaspar. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* qosify: bump to git HEADStijn Tintel2022-03-042-4/+4
| | | | | | | | interface: disable autorate-ingress by default Also change the example config to reflect this. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* qosify: add PKG_RELEASEStijn Tintel2022-03-041-0/+1
| | | | | | | | | Without PKG_RELEASE, it's impossible to trigger package updates when changing files included in the package that are not in the qosify git repository. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Acked-by: Felix Fietkau <nbd@nbd.name>
* ipset: update to 7.15Florian Eckert2022-03-012-2/+14
| | | | | | | | | Update to the latest upstream version. In this version there is a new tool with which you can convert ipsets into nftables sets. Since we are now using nftables as default firewall, this could be a useful tool for porting ipsets to nftables sets. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* layerscape: use semantic versions for LSDKPaul Spooren2022-03-011-1/+1
| | | | | | PKG_VERSION should not contain the package name but the version only. Signed-off-by: Paul Spooren <mail@aparcar.org>
* iptables: bump PKG_RELEASEEtienne Champetier2022-02-281-1/+1
| | | | | | Following dependencies rework, bump PKG_RELEASE Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: move libiptext* to their own packagesEtienne Champetier2022-02-282-20/+46
| | | | | | | | iptables-nft doesn't depend on libip{4,6}tc, so move libiptext* libs in their own packages to clean up dependencies Rename libxtables-nft to libiptext-nft Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: rename to ip(6)tables-legacy, add PROVIDESEtienne Champetier2022-02-281-8/+12
| | | | | | | | Using PROVIDES allows to have other packages continue to depend on iptables and users to pick between legacy and nft version. Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: move IPTABLES_{CONNLABEL,NFTABLES} to libxtablesEtienne Champetier2022-02-281-15/+15
| | | | | | Those 2 configs are not specific to iptables(-legacy) Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: make mod depend on libxtablesEtienne Champetier2022-02-281-4/+3
| | | | | | | | | 'iptables-mod-' can be used directly by firewall3, by iptables and by iptables-nft. They are not linked to iptables but to libxtables, so fix the dependencies to allow to remove iptables(-legacy) Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: fix libnftnl/IPTABLES_NFTABLES dependencyEtienne Champetier2022-02-281-5/+3
| | | | | | | | | libxtables doesn't depend on libnftnl, iptables-nft does, so move the dependency to not pull libnftnl with firewall3/iptables-legacy Also libxtables-nft depends on IPTABLES_NFTABLES Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* hostapd: SAE - Enable hunting-and-pecking and H2ENick Lowe2022-02-241-0/+2
| | | | | | | | | | | | | | | | | | | | | | | Enable both the hunting-and-pecking loop and hash-to-element mechanisms by default in OpenWRT with SAE. Commercial Wi-Fi solutions increasingly frequently now ship with both hunting-and-pecking and hash-to-element (H2E) enabled by default as this is more secure and more performant than offering hunting-and-pecking alone for H2E capable clients. The hunting and pecking loop mechanism is inherently fragile and prone to timing-based side channels in its design and is more computationally intensive to perform. Hash-to-element (H2E) is its long-term replacement to address these concerns. For clients that only support the hunting-and-pecking loop mechanism, this is still available to use by default. For clients that in addition support, or were to require, the hash-to-element (H2E) mechanism, this is then available for use. Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
* qosify: update to the latest versionFelix Fietkau2022-02-201-3/+3
| | | | | | 65b42032063f interface: add missing autorate-ingress options Signed-off-by: Felix Fietkau <nbd@nbd.name>
* netifd: bump to version 2022-02-20Petr Štetiar2022-02-201-3/+3
| | | | | | | | | Contains following changes: 136006b88826 cmake: fix usage of implicit library and include paths bc0e84d689e2 netifd: interface-ip: don't set fib6 policies if ipv6 disabled Signed-off-by: Petr Štetiar <ynezz@true.cz>
* hostapd: fallback to psk when generating r0kh/r1khEneas U de Queiroz2022-02-191-4/+4
| | | | | | | | | | | | | | | | The 80211r r0kh and r1kh defaults are generated from the md5sum of "$mobility_domain/$auth_secret". auth_secret is only set when using EAP authentication, but the default key is used for SAE/PSK as well. In this case, auth_secret is empty, and the default value of the key can be computed from the SSID alone. Fallback to using $key when auth_secret is empty. While at it, rename the variable holding the generated key from 'key' to 'ft_key', to avoid clobbering the PSK. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> [make ft_key local] Signed-off-by: David Bauer <mail@david-bauer.net>
* hostapd: add STA extended capabilities to get_clientsDavid Bauer2022-02-191-0/+10
| | | | | | | | | | Add the STAs extended capabilities to the ubus STA information. This way, external daemons can be made aware of a STAs capabilities. This field is of an array type and contains 0 or more bytes of a STAs advertised extended capabilities. Signed-off-by: David Bauer <mail@david-bauer.net>
* tcpdump: Fix CVE-2018-16301Hauke Mehrtens2022-02-122-1/+102
| | | | | | | | | | | This fixes the following security problem: The command-line argument parser in tcpdump before 4.99.0 has a buffer overflow in tcpdump.c:read_infile(). To trigger this vulnerability the attacker needs to create a 4GB file on the local filesystem and to specify the file name as the value of the -F command-line argument of tcpdump. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* firewall4: update to latest Git HEADJo-Philipp Wich2022-02-121-3/+3
| | | | | | | | | | | | | 53caa1a fw4: resolve zone layer 2 devices for hw flow offloading 9fe58f5 fw4: rework and fix family inheritance logic 8795296 tests: mocklib: fix infinite recursion in wrapped print() 281b1bc tests: change mocked wan interface type to PPPoE 93b710d tests: mocklib: forward compatibility change 1a94915 fw4: only stage reflection rules if all required addrs are known 5c21714 fw4: add device iifname/oifname matches to DSCP and MARK rules 3eacc97 tests: adjust 01_ruleset test case to latest changes Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* qosify: update to the latest versionFelix Fietkau2022-02-101-3/+3
| | | | | | | | e230e71e0a12 map: fix copy-paste error in codepoints map 580d2ccf89f3 bpf: declare tcp_ports/udp_ports without typedef 8d6c19a81f3f ubus: fix a use-after-free bug Signed-off-by: Felix Fietkau <nbd@nbd.name>
* wireguard-tools: allow generating private_keyLeonardo Mörlein2022-02-081-0/+19
| | | | | | | | | | When the uci configuration is created automatically during a very early stage, where no entropy daemon is set up, generating the key directly is not an option. Therefore we allow to set the private_key to "generate" and generate the private key directly before the interface is taken up. Signed-off-by: Leonardo Mörlein <me@irrelefant.net> Tested-by: Jan-Niklas Burfeind <git@aiyionpri.me>
* hostapd: refresh patchesDavid Bauer2022-02-0830-132/+132
| | | | | | Refresh patches after updating to hostapd v2.10. Signed-off-by: David Bauer <mail@david-bauer.net>
* hostapd: update to v2.10David Bauer2022-02-089-447/+57
| | | | | | | | | | | | | | | | | | Upstreamed patches: 020-mesh-make-forwarding-configurable.patch e6db1bc5da3fd7d5f4dba24aa102543b4749912f 550-WNM-allow-specifying-dialog-token.patch 979f19716539362f8ce60a77bf1b88fdcf5ba8e5 720-ACS-fix-channel-100-frequency.patch 2341585c349231af00cdef8d51458df01bc6965f 741-proxyarp-fix-compilation-with-Hotspot-2.0-disabled.patch 08bdf4f90de61a84ed8f4dd918272dd9d36e2e1f Compile-tested: wpad-wolfssl hostapd-openssl Run-tested: ath79-generic Signed-off-by: David Bauer <mail@david-bauer.net> Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
* firewall4: update to latest Git HEADJo-Philipp Wich2022-02-071-3/+3
| | | | | | | a0518b6 fw4: gracefully handle unsupported hardware offloading ac99eba init: fix boot action in init script Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: automatically calculate channel center freq on chan_switchFelix Fietkau2022-02-071-0/+34
| | | | | | Simplifies switching to different channels when on >= VHT80 Signed-off-by: Felix Fietkau <nbd@nbd.name>
* uhttpd: update to latest Git HEADJo-Philipp Wich2022-02-073-9/+56
| | | | | | | | | | | | | 2f8b136 main: fix leaking -p/-s argument values 881fd3b ucode: adjust to latest ucode api 8b2868e file: specify UTF-8 as charset for dirlists, add option to override 3a5bd84 main: add ucode options to help text 16aa142 examples: add ucode handler example 3ceccd0 ucode: add ucode plugin support f0f1406 examples: add example Lua handler script 9e87095 listen: avoid invalid memory access Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall4: update to latest Git HEADJo-Philipp Wich2022-02-071-3/+3
| | | | | | | | | | | | | b54f462 fw4: parse traffic rules before forwarding rules 4d5af8b fw4: consolidate helper code 300c737 fw4: fix applying zone family restrictions to forwardings eb9c25a tests: implement fs.opendir() mock interface d30ff48 tests: fix mocked fs.popen() trace log 52831a0 fw4: improve flowtable handling 7cb10c8 fw4: disable "flow_offloading_hw" option for now b2241a1 fw4: fix enabling NAT reflection rules for DNATs without explicit family Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* netifd: update to latest Git HEADJo-Philipp Wich2022-02-071-3/+3
| | | | | | | | | fd4c9e1 system-linux: expose hw-tc-offload ethtool feature in device status dump 3d76f2e system-linux: add wrapper function for creating link config messages 88af2f1 system-linux: delete bridge devices using netlink 85c3548 system-linux: create bridge devices using netlink Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* mac80211: backport MBSSID/EMA support patchesFelix Fietkau2022-02-031-98/+32
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* iptables: add ip{,6}tables-legacy{,-restore,-save} symlinksEtienne Champetier2022-02-031-0/+2
| | | | | | | Now that we can have both legacy and nft iptables variants installed at the same time, install the legacy symlinks Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>