aboutsummaryrefslogtreecommitdiffstats
path: root/package/network
Commit message (Collapse)AuthorAgeFilesLines
* wireguard: bump to 20180118Kevin Darbyshire-Bryant2018-01-251-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | Bump to latest wireguard release snapshot: 9a93a3d version: bump snapshot 7bc0579 contrib: keygen-html: update curve25519 implementation ffc13a3 tools: import new curve25519 implementations 0ae7356 curve25519: wire up new impls and remove donna f90e36b curve25519: resolve symbol clash between fe types 505bc05 curve25519: import 64-bit hacl-star implementation 8c02050 curve25519: import 32-bit fiat-crypto implementation 96157fd curve25519: modularize implementation 4830fc7 poly1305: remove indirect calls bfd1a5e tools: plug memleak in config error path 09bf49b external-tests: add python implementation b4d5801 wg-quick: ifnames have max len of 15 6fcd86c socket: check for null socket before fishing out sport ddb8270 global: year bump 399d766 receive: treat packet checking as irrelevant for timers No patch refresh required. Compile-tested-for: ar71xx Run-tested-on: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* vxlan: add options to enable and disable UDP checksumsMatthias Schiffer2018-01-242-3/+5
| | | | Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* netifd: update to latest git HEADMatthias Schiffer2018-01-241-3/+3
| | | | | | af3cadb system-linux: VXLAN: add options to enable and disable UDP checksums Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* uqmi: silence error on pin verificationKoen Vandeputte2018-01-221-1/+1
| | | | | | | | | | | | If a device only supports the 2nd verification method (uim), the first method will fail as expected reporting an error: "Command not supported" Silence both separate methods and only report an error regarding pin verification if both fail. Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* kernel: use upstream patches for muslHauke Mehrtens2018-01-203-136/+164
| | | | | | | | | | This replaces the current patches used to make the kernel headers compatible with musl with the version which was accepted upstream. This is included in upstream kernel 4.15. This was compile tested with iproute2 build on all supported kernel versions with musl and one one with glibc. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* nftables: update to 0.8.1Philip Prindeville2018-01-202-81/+6
| | | | | | | Note this requires libnftnl-1.0.8 or higher, so that update needs to be merged first. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* dnsmasq: backport validation fix in dnssec security fixKevin Darbyshire-Bryant2018-01-202-2/+2
| | | | | | | | A DNSSEC validation error was introduced in the fix for CVE-2017-15107 Backport the upstream fix to the fix (a simple typo) Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: backport dnssec security fixKevin Darbyshire-Bryant2018-01-192-1/+203
| | | | | | | | | | | | | | | | | | | | | | | | | CVE-2017-15107 An interesting problem has turned up in DNSSEC validation. It turns out that NSEC records expanded from wildcards are allowed, so a domain can include an NSEC record for *.example.org and an actual query reply could expand that to anything in example.org and still have it signed by the signature for the wildcard. So, for example !.example.org NSEC zz.example.org is fine. The problem is that most implementers (your author included, but also the Google public DNS people, powerdns and Unbound) then took that record to prove the nothing exists between !.example.org and zz.example.org, whereas in fact it only provides that proof between *.example.org and zz.example.org. This gives an attacker a way to prove that anything between !.example.org and *.example.org doesn't exists, when it may well do so. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* odhcp6c: add sendopts config support and update to latest git HEADHans Dedecker2018-01-182-5/+11
| | | | | | | | | | | | | | | | | | | | | Add sendopts config support allowing to add options in sent DHCPv6 packets. Options can be configured as follows : uci set network.wan6.sendopts="sntpservers:3001:3001::1,3001:3001::2 11:00000000000000000000006674692F 0x3e8:ABCDEF" Based on a patch by Frank Andrieu <fandrieu@gmail.com> See https://git.openwrt.org/?p=project/odhcp6c.git;a=commit;h=510aaf6d528210c5e8a6159f9b80b32615e88c5f for a more detailed description. Latest git changes : 1f93bd4 dhcpv6: rework option passthrough logic a477e95 odhcp6c: rework userclass and vendorclass command handling 510aaf6 odhcp6c: add -x opt:val support ab75be1 treewide: update copyrights to 2018 f3a4609 odhcp6c: let odhcp6c_add_state return a success/failure indication Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* authsae: remove packageFelix Fietkau2018-01-173-131/+0
| | | | | | | It is no longer actively maintained and does not work well in many configurations. Fully replaced by wpad-mesh Signed-off-by: Felix Fietkau <nbd@nbd.name>
* xtables-addons: remove from baseJo-Philipp Wich2018-01-166-19989/+0
| | | | | | | The package has been moved to the package feed repository to allow for non-base dependencies such as Perl. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* iwinfo: update to latest git HEADJo-Philipp Wich2018-01-161-3/+3
| | | | | | 5a5e21b nl80211: skip event notifications in wpa_supplicant scan result reply Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* dnsmasq: use SIGINT for dnssec time validKevin Darbyshire-Bryant2018-01-153-2/+122
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Dnsmasq used SIGHUP to do too many things: 1) set dnssec time validation enabled, 2) bump SOA zone serial, 3) clear dns cache, 4) reload hosts files, 5) reload resolvers/servers files. Many subsystems within LEDE can send SIGHUP to dnsmasq: 1) ntpd hotplug (to indicate time is valid for dnssec) 2) odhcpd (to indicate a new/removed host - typically DHCPv6 leases) 3) procd on interface state changes 4) procd on system config state changes, 5) service reload. If dnssec time validation is enabled before the system clock has been set to a sensible time, name resolution will fail. Because name resolution fails, ntpd is unable to resolve time server names to addresses, so is unable to set time. Classic chicken/egg. Since commits 23bba9cb330cd298739a16e350b0029ed9429eef (service reload) & 4f02285d8b4a66359a8fa46f22a3efde391b5419 (system config) make it more likely a SIGHUP will be sent for events other than 'ntpd has set time' it is more likely that an errant 'name resolution is failing for everything' situation will be encountered. Fortunately the upstream dnsmasq people agree and have moved 'check dnssec timestamp enable' from SIGHUP handler to SIGINT. Backport the upstream patch to use SIGINT. ntpd hotplug script updated to use SIGINT. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* uqmi: fix raw-ip mode for newer lte modemsKoen Vandeputte2018-01-152-2/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some newer LTE modems, like the MC7455 or EC25-E do not support "802.3" mode, and will stay in "raw-ip" regardless of the mode being set. In this case, the driver must be informed that it should handle all packets in raw mode. [1] This commit fixes connectivity issues for these devices. Before: [ Node 5 ] udhcpc -i wwan0 udhcpc: started, v1.27.2 udhcpc: sending discover udhcpc: sending discover udhcpc: sending discover After: [ Node 5 ] udhcpc -i wwan0 udhcpc: started, v1.27.2 udhcpc: sending discover udhcpc: sending select for 100.66.245.226 udhcpc: lease of 100.66.245.226 obtained, lease time 7200 udhcpc: ifconfig wwan0 100.66.245.226 netmask 255.255.255.252 broadcast + udhcpc: setting default routers: 100.66.245.225 [1] https://lists.freedesktop.org/archives/libqmi- devel/2017-January/002064.html Tested on cns3xxx using a Sierra Wireless MC7455 LTE-A Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com> [bumped PKG_RELEASE] Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* 6rd: pass ipcalc as argument to evalHans Dedecker2018-01-152-3/+3
| | | | | | | | Instead of grepping for NETWORK after calling ipcalc.sh; pass ipcalc.sh as argument to eval allowing to use $NETWORK to retrieve the IPv4 prefix (ip4prefix). Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* treewide: fix build depends to refer to source package namesMatthias Schiffer2018-01-132-2/+2
| | | | | | | Build depends must refer to source packages rather than binary package names. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* ebtables: update to latest git 2017-10-24Matthias Schiffer2018-01-111-3/+3
| | | | | | | 6a82659 Use flock() for --concurrent option 73c2371 ebtables: extensions: Constify option struct Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* omcproxy: silence fw3 warningsHans Dedecker2018-01-102-3/+3
| | | | | | Silence fw3 warnings in omcproxy init script in case fw3 is not enabled Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* treewide: replace LEDE_GIT with PROJECT_GITJo-Philipp Wich2018-01-1010-10/+10
| | | | | | | Remove LEDE_GIT references in favor to the new name-agnostic PROJECT_GIT variable. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* netifd: update dhcp.script to handle dynamic routingMogula Pranay2018-01-102-2/+8
| | | | | | | | | | | | Certain DHCP servers push a gateway outside of the assigned interface subnet, to support those situations, install a host route towards the gateway. If Gateway and IP are served in same network, openwrt quagga cannot learn routes (rip routes are not getting added, showing inactive) whereas working fine when Gateway and IP are in different network. Signed-off-by: Mogula Pranay <mogula.pranay@nxp.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* ltq-xdsl-app: drop script for renaming the netdevMathias Kresin2018-01-104-22/+6
| | | | | | | Our netdevs are named dsl by default now, the rename via scripts isn't required anymore. Signed-off-by: Mathias Kresin <dev@kresin.me>
* ltq-xdsl-app: drop manual br2684ctl reloadMathias Kresin2018-01-102-4/+0
| | | | | | | | | | br2684ctl starts automatically, set up reload triggers, which fire as soon as a atm driver is loaded. No need to do the reload via the script. The reload is only required as soon as we can reliable switch between atm and ptm driver and need to be implemented in a race free way. Signed-off-by: Mathias Kresin <dev@kresin.me>
* linux-atm: add br2684ctl option to specify the netdev nameMartin Schiller2018-01-102-2/+79
| | | | | | | | | | | Add the uci option nameprefix to specifc a target netdev name. Patch the br2684ctl code to accept and set a netdev name via commandline parameters. It allows to use the same netdev name for ATM and PTM lines on lantiq xdsl hardware. Signed-off-by: Martin Schiller <ms@dev.tdt.de> Signed-off-by: Mathis Kresin <dev@kresin.me>
* lantiq: activate noise margin delta for VDSL tooHauke Mehrtens2018-01-071-2/+2
| | | | | | | | | | | Previously this was only activated for ADSL, this patch activates the same setting also for VDSL, this feature is also support for VDSL in the same way it works for ADSL. I tested it with DSL FW 5.7.9.5.1.7 against a Broadcom 177.140 DSLCO (Deutsche Telekom) and saw different data rates and Max. Attainable Data Rates depending on the ds_snr_offset settings I choose. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: bump PKG_RELEASE after 802.11w changesJo-Philipp Wich2018-01-071-1/+1
| | | | | Fixes: 8a57531855 "hostapd: set group_mgmt_cipher when ieee80211w is enabled" Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: set group_mgmt_cipher when ieee80211w is enabledJo-Philipp Wich2018-01-071-1/+3
| | | | | | | | | | | | In order to properly support 802.11w, hostapd needs to advertise a group management cipher when negotiating associations. Introduce a new per-wifi-iface option "ieee80211w_mgmt_cipher" which defaults to the standard AES-128-CMAC cipher and always emit a "group_mgmt_cipher" setting in native hostapd config when 802.11w is enabled. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* netifd: update to latest git HEADHans Dedecker2018-01-041-3/+3
| | | | | | fd5c399 proto: allow dumping protocol handlers without config_params Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* umdns: update to latest git HEADJohn Crispin2018-01-021-3/+3
| | | | | | 7897441 umdnsd: Replace strerror(errno) with %m. Signed-off-by: John Crispin <john@phrozen.org>
* nftables: fix sha256sumHauke Mehrtens2017-12-311-1/+1
| | | | | | The mirror was delivering a file with a different hash. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* iptables: fix nftables compile issue (FS#711)rektide de la faye2017-12-291-0/+20
| | | | | | | | | | | | | | | | Enabling IPTABLES_NFTABLES resulted in an error during build:# *** No rule to make target '../extensions/libext.a', needed by 'xtables-compat-multi'." Comments from Alexander Lochmann and Fedor Konstantinov in FS#711 provided fixes for this build error, allowing iptables to compile. https://bugs.lede-project.org/index.php?do=details&task_id=711. This commit updates the Makefile.am xtables_compat_multi_LDFLAGS and _LDADD, moving linking of extensions to LDFLAGS. Signed-off-by: rektide de la faye <rektide@voodoowarez.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: send procd signal on service reloadFlorian Eckert2017-12-262-2/+2
| | | | | | | Send a SIGHUP signal via procd to the dnsmasq service so the instance(s) re-read(s) the /tmp/hosts/dhcp config. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* dnsmasq: rewrite config on host name modificationFlorian Eckert2017-12-261-1/+1
| | | | | | | If the hostname in /etc/config/system is modified the dnsmasq should also get triggered to rewrite/reload the config. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* wireguard: bump to 20171221Kevin Darbyshire-Bryant2017-12-231-2/+2
| | | | | | | | | | | | | | | | 7e945a8 version: bump snapshot f2168aa compat: kernels < 3.13 modified genl_ops 52004fd crypto: compile on UML 6b69b65 wg-quick: dumber matching for default routes aa35d9d wg-quick: add the "Table" config option 037c389 keygen-html: remove prebuilt file No patch refresh required. Compile-test-for: ar71xx Run-tested-on: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* odhcpd: update to latest git HEADHans Dedecker2017-12-221-4/+4
| | | | | | | 7aa2594 odhcpd: Replace strerror(errno) with %m format 750e457 Support muliple RAs on single interface Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* layerscape: fix package downloadHauke Mehrtens2017-12-211-2/+2
| | | | | | | | | | | | | | | | The git hash was changed for multiple layerscape packages without changing the version number. The LEDE build system will not download the packages again if the old version is already there and so some people and the build bots are using wrong version of some packages. Use PKG_SOURCE_DATE instead of PKG_VERSION to generate packages with the date and the first charterers of the git hash. This will change the file name and make the build system download them again, also if in future the git hash is changed the file name will change and trigger a new download. This should fix a problem spotted by build bot. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* xtables-addons: fix compile with kernel 4.14Hauke Mehrtens2017-12-161-0/+9
| | | | | | This fixes a compile problems seen with kernel 4.14. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* xtables-addons: update to version 2.14Hauke Mehrtens2017-12-161-2/+2
| | | | | | This includes a compile fix needed for kernel 4.14. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* iproute2: cake: support new operating modesKevin Darbyshire-Bryant2017-12-152-50/+129
| | | | | | | | | | | | | | | | | | | | There has been recent significant activity with the cake qdisc of late Some of that effort is related to upstreaming to kernel & iproute2 mainline but we're not quite there yet. This commit teaches tc how to activate and interprete the latest cake operating modes, namely: ingress mode: Instead of only counting packets that make it past the shaper, include packets we've decided to drop as well, since they did arrive with us on the link and took link capacity. This mode is more suitable for shaping the ingress of a link (e.g. from ISP) rather than the more normal egress. ack-filter/ack-filter-aggressive: Filter excessive TCP ACKS. Useful in highly assymetric links (downstream v upstream capacity) where the majority of upstream link capacity is occupied with ACKS for downstream traffic. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* netifd: update to latest git HEADHans Dedecker2017-12-151-3/+3
| | | | | | | | 4268193 interface-ip: harden eui64 IPv6 prefix address generation 81ff6d1 interface-ip: fix race condition in IPv6 prefix address generation d3a5df0 handler: replace is_error() helper with NULL check Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* uhttpd: fix PKG_CONFIG_DEPENDS (FS#1189)Hans Dedecker2017-12-151-3/+1
| | | | | | | Remove PACKAGE_uhttpd_debug config as this is an unused leftover Add CONFIG_uhttpd_lua to PKG_CONFIG_DEPENDS Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wireguard: bump to 20171211Kevin Darbyshire-Bryant2017-12-122-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bump to latest WireGuard snapshot release: 44f8e4d version: bump snapshot bbe2f94 chacha20poly1305: wire up avx512vl for skylake-x 679e53a chacha20: avx512vl implementation 10b1232 poly1305: fix avx512f alignment bug 5fce163 chacha20poly1305: cleaner generic code 63a0031 blake2s-x86_64: fix spacing d2e13a8 global: add SPDX tags to all files d94f3dc chacha20-arm: fix with clang -fno-integrated-as. 3004f6b poly1305: update x86-64 kernel to AVX512F only d452d86 tools: no need to put this on the stack 0ff098f tools: remove undocumented unused syntax b1aa43c contrib: keygen-html for generating keys in the browser e35e45a kernel-tree: jury rig is the more common spelling 210845c netlink: rename symbol to avoid clashes fcf568e device: clear last handshake timer on ifdown d698467 compat: fix 3.10 backport 5342867 device: do not clear keys during sleep on Android 88624d4 curve25519: explictly depend on AS_AVX c45ed55 compat: support RAP in assembly 7f29cf9 curve25519: modularize dispatch Refresh patches. Compile-test-for: ar71xx Run-tested-on: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dropbear: disable MD5 HMAC and switch to sha1 fingerprintsMartin Schiller2017-12-122-3/+5
| | | | | | | | | | | | As MD5 is known weak for many years and more and more penetration test tools complain about enabled MD5 HMAC I think it's time to drop it. By disabling the MD5 HMAC support dropbear will also automatically use SHA1 for fingerprints. This shouldn't be a problem too. Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* dnsmasq: add DHCP build switch support in full variantHans Dedecker2017-12-101-5/+10
| | | | | | | | Add config option which allows to enable/disable DHCP support at compile time. Make DHCPv6 support dependant on DHCP support as DHCPv6 support implies having DHCP support. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: always send DHCPv4 hostnameMathias Kresin2017-12-081-0/+1
| | | | | | | | | | | udhcpc doesn't send a hostname by default. Use the system hostname if nothing else is specified, to always send a hostname. It syncs the behaviour to odhcpc, which always sends a hostname. Signed-off-by: Mathias Kresin <dev@kresin.me> Acked-by: Stijn Tintel <stijn@linux-ipv6.be> Acked-by: Hans Dedecker <dedeckeh@gmail.com>
* merge: uhttpd: update cert generation to match system defaultsZoltan HERPAI2017-12-081-1/+1
| | | | Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
* merge: packages: update branding in core packagesZoltan HERPAI2017-12-086-9/+9
| | | | Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
* merge: ssid: update default ssidZoltan HERPAI2017-12-081-2/+2
| | | | Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
* odhcpd: fix faulty PKG_SOURCE_DATE in 711a816Hans Dedecker2017-12-071-1/+1
| | | | Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: write atomic host fileHans Dedecker2017-12-072-4/+6
| | | | | | | | | | | Different invocations of the dnsmasq init script (e.g. at startup by procd) will rewrite the dhcp host file which might result into dnsmasq reading an empty dhcp host file as it is being rewritten by the dnsmasq init script. Let the dnsmasq init script first write to a temp dhcp host file so it does not overwrite the contents of the existing dhcp host file. Reported-by: Hartmut Birr <e9hack@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: backport fix for wnm_sleep_mode=0Timo Sigurdsson2017-12-072-1/+36
| | | | | | | | | | | | | wpa_disable_eapol_key_retries can't prevent attacks against the Wireless Network Management (WNM) Sleep Mode handshake. Currently, hostapd processes WNM Sleep Mode requests from clients regardless of the setting wnm_sleep_mode. Backport Jouni Malinen's upstream patch 114f2830 in order to ignore such requests by clients when wnm_sleep_mode is disabled (which is the default). Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de> [rewrite commit subject (<= 50 characters), bump PKG_RELEASE] Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>