| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove restrictions on source and destination addresses, which aren't
specified on RFC8415, and for some reason in openwrt are configured
to allow both link-local and ULA addresses.
As cleared out in issue #5066 there are some ISPs that use Gloabal
Unicast addresses, so fix this rule to allow them.
Fixes: #5066
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
[rebase onto firewall3, clarify subject, bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 65258f5d6093809c541050256646795bc0a460a9)
|
|
|
|
|
|
|
|
|
| |
If logfacility is a path to a file it needs to be r/w mounted in the
sandbox as well for dnsmasq to work.
Reported-by: @iointerrupt
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 2b5fa44f60165d66d74131778df0b64b706887e2)
|
|
|
|
|
|
|
| |
dc6847e iwinfo: nl80211: omit A-hwmode on non-5GHz hardware
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit f757a8a09885e3c8bb76371e037b8c0731111980)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
fc83d46 ruleset: set auto-merge directive for interval sets
9bce873 fw4: fix skipping invalid ipset entries
425ea8a fw4: fix applying zone flags for source bound rules
a378883 fw4: fix emitting family specific redirect rules without any addrs
11feddf fw4: bracketize IPv6 addresses in dnat addr:port notation
9972f7d fw4: ensure to capitalize weekday names
fde8070 treewide: forward compatibility changes
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commits 1a35ac99905adc35059489d6e19c7de42ef4cc01 and
af02a12d7ccb64a3abbd9683dd22275b538f6d50)
|
|
|
|
|
|
|
| |
a479b9b devices: remove whitespace
562d015 iwinfo: nl80211: fix hwmode parsing for multi-band NICs
Signed-off-by: David Bauer <mail@david-bauer.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The modem is based on Marvell PXA1826 and uses ACM+RNDIS interface to
establish connection with custom commands specific to ZTE modems.
Two variants of modems were discovered, some identifying themselves
as "ZTE", and others as plain "Marvell", the chipset manufacturer.
The modem itself runs a fork of OpenWrt inside, which root shell can be
accessed via ADB interface.
Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit e02fb42c53bad5dd36726c6ef5a46bfe31d2e400)
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some modems expose ttyACM as their control ports, which have the
"device" symlink pointing one level down in sysfs tree. Try to find
network interfaces for them as well, this is commonly used for modems
exposing ACM + RNDIS or ACM + ECM interface combinations.
Co-developed-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit ed7957810c0aee04943559be9b0ed23431ee0654)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some modems expose multiple network interfaces on the same USB device,
causing the connection setup script to fail, because glob matching in
the detection phase causes 'ls' to output more than one interface name
plus their base directories in sysfs. Avoid that by listing the
directories explicitly and then selecting first available interface.
This is the case for some variants of ZTE MF286R built-in modem, which
exposes both RNDIS and CDC-ECM network interfaces, causing the
connection setup to fail.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit b2940bb8b2878ce193f2edaee3e7d4c44f4a2065)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add ifname property to UCI, which can be used to override the
autodetected interface name in case the detection fails due to having
none or more than one interface exposed by the modem, which is not
explicitly linked to TTY port. This is needed on certain variants of ZTE
MF286R built-in modem, which exposes both RNDIS and CDC-ECM interfaces
on the modem, on which the automatic detection may select the wrong
network interface.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit a67629bbe25ef3d0e159db1e0c6ca81affd06898)
|
|
|
|
|
|
|
| |
Notify external ubus subscribers of received link-measurement reports.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit f6445cfa1acb32676723c49da3e3158b64a4b3d2)
|
|
|
|
|
|
|
|
|
|
|
| |
Add a ubus method to request link-measurements from connected STAs.
In addition to the STAs address, the used and maximum transmit power can
be provided by the external process for the link-measurement. If they
are not provided, 0 is used as the default value.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 965aa33a18c76bb2d5a1eeb0cfa01501b08e784a)
|
|
|
|
|
|
|
|
| |
Allow external processes to enable advertisement of link-measurement RRM
capability.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 2ca5c3da04c3f05a7477ae484768e03d4ca30711)
|
|
|
|
|
|
|
|
|
|
| |
Checking whether /sbin/udhcpc is a symbolic link breaks using the
DHCP proto handler inside procd-ujail where bind-mounts are used for
the resolved link. Check whether /sbin/udhcpc is executable instead
to allow using the proto handler for DHCP-provisioned containers.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit c5f113c43f43c20555298c8500bf91bffbe1f58b)
|
|
|
|
|
|
|
| |
Have nftables-json conflict with nftables-nojson.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 1135b75d1fd26049a0644b304b7199e4a73c6a08)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- update dropbear to latest stable 2022.82;
for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- use $(AUTORELEASE) in PKG_RELEASE
- use https for all uris
- refresh all patches
- rewrite patches:
- 100-pubkey_path.patch
- 130-ssh_ignore_x_args.patch
binary/pkg size changes:
- ath79/generic, mips:
- binary: 215112 -> 219228 (+4116)
- pkg: 111914 -> 113404 (+1490)
- ath79/tiny, mips:
- binary: 172501 -> 172485 (-16)
- pkg: 89871 -> 90904 (+1033)
Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
(cherry picked from commit 65256aee23a5104eb0c78411fdc73640c0b757ea)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Problem exist when dnsmasq is exclusively bind to particular interface.
After reconfiguring or restarting this interface, its index changes, but
dnsmasq uses the old one. When this problem occurs, dnsmasq does not
listen on the correct interface so DHCP does not work, and clients do not
get an IP address. Procd netdev param can be added to restart dnsmasq when
the interface index is changed.
Signed-off-by: Valentyn Datsko <valikk.d@gmail.com>
[combined into a single &&-connected statement]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 76f55e3c3f32dea63a385e9b3c8eaed1322089c7)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Evaluating the return value of 'json_load' didn't work in the
intended way resulting in PIN status no longer being read on modems
where --get-pin-status doesn't fail.
Fix this by trying --get-pin-status first and checking if pin1_status
field exists in JSON, and if it doesn't try again with
--uim-get-sim-state.
Fixes: #9501
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit ee7cb5e885118b78fb5f692d8ed6c93bb7e35853)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
391a9fbd5ace dns: fix parsing vlan encapsulated protocol
6aeeddbc91ad interface: extend dns filters to cover vlan tagged traffic as well
1ab53d4ca601 bpf: return TC_ACT_UNSPEC to allow other filters to proceed
ca21e729af23 interface: switch to using clsact for filters
5d158f6b3c15 interface: run ingress bpf filter on main device ingress instead of ifb egress
bdfcb11847ce interface: fix duplicated dns filter line
b97405aa632a Revert "ubus: remove dnsmasq subscriber"
8fbaf39dbc95 interface: rework adding/removing filters, do not delete clsact
d7ba5804eae4 interface: replace open-coded ifb-dns string with QOSIFY_DNS_IFNAME
91cf440db9e2 loader: fix use of deprecated functions
57c7817f91c2 qosify: fix dscp values of ubus-added dns host entries
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit af434e0da2485bd7a82895b5bb63b1182154b98e)
|
|
|
|
|
|
| |
Following {arp,eb}tables-nft addition, bump PKG_RELEASE
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
|
|
|
|
|
|
| |
Add a patch to add some missing init_extensions{a,b}() calls
Package lib{arp,eb}t_*.so
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
|
|
|
|
|
|
| |
This allows to install ip6tables-nft without iptables-nft
This prepare the addition of {arp,eb}tables-nft
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
|
|
|
|
|
| |
This allows to install ip6tables-legacy without iptables-legacy
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
|
|
|
|
|
|
|
| |
This prepare the introduction of ebtables-nft.
Add PROVIDES so dependencies are not broken,
use ALTERNATIVES.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
|
|
|
|
|
|
|
| |
This prepare the introduction of arptables-nft.
Add PROVIDES so dependencies are not broken,
use ALTERNATIVES.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
|
|
|
|
|
|
|
|
| |
Changelog:
90bfbb9 devices: Add Cypress CYW43455
234075b devices: fix AMD RZ608 format
0e2a318 devices: add AMD RZ608 device-id
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
|
|
|
|
|
|
|
| |
drop the use of LIB_SUFFIX
Fixes: 00cbf6f6ab1d ("bpftools: update to standalone bpftools + libbpf, use the latest version")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
| |
This fixes ip6tables-nft no being able to use built-in
extensions like icmp6.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When porting mwan3 from iptables to nftables I tried the new translation
tool for ipset ipset-translate. I noticed that no IPv6 ipset can be
created with the tool. I have reported the problem to the upstream
project and the following patch fixes the problem.
Until this upsream is included in a new release, this patch should be
used in Openwrt.
https://lore.kernel.org/netfilter-devel/20220228190217.2256371-1-pablo@netfilter.org/T/#m09cc3cb738f2e42024c7aecf5b7240d9f6bbc19c
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
|
|
|
|
|
|
| |
44dd095 uqmi: corrected too short received SMS
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modems used in ZTE mobile broadband routers require to query the data
session status using the same CID as one used to establish the session,
otherwise they will report the session as "disconnected" despite
reporting correct PDH in previous step. Without this change, IPv6
connection on these modems doesn't establish properly. In IPv4 this bug
is present as well, but for some reason querying of IPv4 status works
using temporary CID, this however seems noncompliant with QMI
specifications, so fix it as well.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
|
|
|
|
|
|
|
|
|
| |
Previously libxt_socket.so was included in iptables-mod-tproxy. It was
missed out when trying to make kmod-ipt-socket and kmod-ipt-tproxy
separate packages
Fixes: 4f443c88 ("netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxy")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
https://lwn.net/ml/netdev/YhO5Pn+6+dgAgSd9@salvia/
Patches:
removed:
- 001-parser-allow-quoted-string-in-flowtable_expr_member:
it is now part of upstream release [1]
added:
- 001-examples-compile-with-make-check.patch:
backported from [2], it fixes:
nft-json-file.c:3:10: fatal error: nftables/libnftables.h: No such file or directory
3 | #include <nftables/libnftables.h>
| ^~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
[1] https://git.netfilter.org/nftables/commit/?h=v1.0.2&id=07af4429241c9832a613cb8620331ac54257d9df
[2] https://git.netfilter.org/nftables/commit/?id=18a08fb7f0443f8bde83393bd6f69e23a04246b3
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
| |
3276aed81c73 move run_cmd() to main.c
558eabc13c64 map: move dns host based lookup code to a separate function
6ff06d66c36c dns: add code for snooping dns packets
a78bd43c4a54 ubus: remove dnsmasq subscriber
9773ffa70f1f map: process dns patterns in the order in which they were defined
f13b67c9a786 dns: allow limiting dns entry matching to cname name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds the new tc-bpf variant and removes libxtables dependency from
the tc-tiny variant. The tc-full variant stays like before and contains
everything.
This allows to use tc without libxtables.
The variants have the following sizes:
root@OpenWrt:/# ls -al /usr/libexec/tc-*
-rwxr-xr-x 1 root root 282453 Mar 1 21:55 /usr/libexec/tc-bpf
-rwxr-xr-x 1 root root 282533 Mar 1 21:55 /usr/libexec/tc-full
-rwxr-xr-x 1 root root 266037 Mar 1 21:55 /usr/libexec/tc-tiny
They are linking the following shared libraries:
root@OpenWrt:/# ldd /usr/libexec/tc-tiny
/lib/ld-musl-mips-sf.so.1 (0x77d6e000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d4a000)
libc.so => /lib/ld-musl-mips-sf.so.1 (0x77d6e000)
root@OpenWrt:/# ldd /usr/libexec/tc-bpf
/lib/ld-musl-mips-sf.so.1 (0x77da6000)
libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77d60000)
libelf.so.1 => /usr/lib/libelf.so.1 (0x77d3e000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d1a000)
libc.so => /lib/ld-musl-mips-sf.so.1 (0x77da6000)
libz.so.1 => /usr/lib/libz.so.1 (0x77cf6000)
root@OpenWrt:/# ldd /usr/libexec/tc-full
/lib/ld-musl-mips-sf.so.1 (0x77de8000)
libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77da2000)
libelf.so.1 => /usr/lib/libelf.so.1 (0x77d80000)
libxtables.so.12 => /usr/lib/libxtables.so.12 (0x77d66000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d42000)
libc.so => /lib/ld-musl-mips-sf.so.1 (0x77de8000)
libz.so.1 => /usr/lib/libz.so.1 (0x77d1e000)
This is based on a patch from Tiago Gaspar.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|
|
|
|
|
|
|
| |
interface: disable autorate-ingress by default
Also change the example config to reflect this.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
|
|
|
|
|
|
|
|
| |
Without PKG_RELEASE, it's impossible to trigger package updates when
changing files included in the package that are not in the qosify git
repository.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
|
| |
Update to the latest upstream version. In this version there is a new
tool with which you can convert ipsets into nftables sets. Since we are
now using nftables as default firewall, this could be a useful tool for
porting ipsets to nftables sets.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
|
|
|
|
|
|
| |
PKG_VERSION should not contain the package name but the version only.
Signed-off-by: Paul Spooren <mail@aparcar.org>
|
|
|
|
|
|
| |
Following dependencies rework, bump PKG_RELEASE
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
|
|
|
|
|
|
|
| |
iptables-nft doesn't depend on libip{4,6}tc, so move
libiptext* libs in their own packages to clean up dependencies
Rename libxtables-nft to libiptext-nft
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
|
|
|
|
|
|
|
| |
Using PROVIDES allows to have other packages continue to
depend on iptables and users to pick between legacy and nft
version.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
|
|
|
|
|
| |
Those 2 configs are not specific to iptables(-legacy)
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
|
|
|
|
|
|
|
|
| |
'iptables-mod-' can be used directly by firewall3, by
iptables and by iptables-nft. They are not linked to
iptables but to libxtables, so fix the dependencies to allow
to remove iptables(-legacy)
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
|
|
|
|
|
|
|
|
| |
libxtables doesn't depend on libnftnl, iptables-nft does,
so move the dependency to not pull libnftnl with firewall3/iptables-legacy
Also libxtables-nft depends on IPTABLES_NFTABLES
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enable both the hunting-and-pecking loop and hash-to-element mechanisms
by default in OpenWRT with SAE.
Commercial Wi-Fi solutions increasingly frequently now ship with both
hunting-and-pecking and hash-to-element (H2E) enabled by default as this
is more secure and more performant than offering hunting-and-pecking
alone for H2E capable clients.
The hunting and pecking loop mechanism is inherently fragile and prone to
timing-based side channels in its design and is more computationally
intensive to perform. Hash-to-element (H2E) is its long-term
replacement to address these concerns.
For clients that only support the hunting-and-pecking loop mechanism,
this is still available to use by default.
For clients that in addition support, or were to require, the
hash-to-element (H2E) mechanism, this is then available for use.
Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
|
|
|
|
|
|
| |
65b42032063f interface: add missing autorate-ingress options
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
|
|
|
|
|
|
|
| |
Contains following changes:
136006b88826 cmake: fix usage of implicit library and include paths
bc0e84d689e2 netifd: interface-ip: don't set fib6 policies if ipv6 disabled
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The 80211r r0kh and r1kh defaults are generated from the md5sum of
"$mobility_domain/$auth_secret". auth_secret is only set when using EAP
authentication, but the default key is used for SAE/PSK as well. In
this case, auth_secret is empty, and the default value of the key can
be computed from the SSID alone.
Fallback to using $key when auth_secret is empty. While at it, rename
the variable holding the generated key from 'key' to 'ft_key', to avoid
clobbering the PSK.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
[make ft_key local]
Signed-off-by: David Bauer <mail@david-bauer.net>
|
|
|
|
|
|
|
|
|
|
| |
Add the STAs extended capabilities to the ubus STA information. This
way, external daemons can be made aware of a STAs capabilities.
This field is of an array type and contains 0 or more bytes of a STAs
advertised extended capabilities.
Signed-off-by: David Bauer <mail@david-bauer.net>
|