aboutsummaryrefslogtreecommitdiffstats
path: root/package/network
Commit message (Collapse)AuthorAgeFilesLines
* xtables-addons: update to version 2.14Hauke Mehrtens2017-12-161-2/+2
| | | | | | This includes a compile fix needed for kernel 4.14. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* iproute2: cake: support new operating modesKevin Darbyshire-Bryant2017-12-152-50/+129
| | | | | | | | | | | | | | | | | | | | There has been recent significant activity with the cake qdisc of late Some of that effort is related to upstreaming to kernel & iproute2 mainline but we're not quite there yet. This commit teaches tc how to activate and interprete the latest cake operating modes, namely: ingress mode: Instead of only counting packets that make it past the shaper, include packets we've decided to drop as well, since they did arrive with us on the link and took link capacity. This mode is more suitable for shaping the ingress of a link (e.g. from ISP) rather than the more normal egress. ack-filter/ack-filter-aggressive: Filter excessive TCP ACKS. Useful in highly assymetric links (downstream v upstream capacity) where the majority of upstream link capacity is occupied with ACKS for downstream traffic. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* netifd: update to latest git HEADHans Dedecker2017-12-151-3/+3
| | | | | | | | 4268193 interface-ip: harden eui64 IPv6 prefix address generation 81ff6d1 interface-ip: fix race condition in IPv6 prefix address generation d3a5df0 handler: replace is_error() helper with NULL check Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* uhttpd: fix PKG_CONFIG_DEPENDS (FS#1189)Hans Dedecker2017-12-151-3/+1
| | | | | | | Remove PACKAGE_uhttpd_debug config as this is an unused leftover Add CONFIG_uhttpd_lua to PKG_CONFIG_DEPENDS Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wireguard: bump to 20171211Kevin Darbyshire-Bryant2017-12-122-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bump to latest WireGuard snapshot release: 44f8e4d version: bump snapshot bbe2f94 chacha20poly1305: wire up avx512vl for skylake-x 679e53a chacha20: avx512vl implementation 10b1232 poly1305: fix avx512f alignment bug 5fce163 chacha20poly1305: cleaner generic code 63a0031 blake2s-x86_64: fix spacing d2e13a8 global: add SPDX tags to all files d94f3dc chacha20-arm: fix with clang -fno-integrated-as. 3004f6b poly1305: update x86-64 kernel to AVX512F only d452d86 tools: no need to put this on the stack 0ff098f tools: remove undocumented unused syntax b1aa43c contrib: keygen-html for generating keys in the browser e35e45a kernel-tree: jury rig is the more common spelling 210845c netlink: rename symbol to avoid clashes fcf568e device: clear last handshake timer on ifdown d698467 compat: fix 3.10 backport 5342867 device: do not clear keys during sleep on Android 88624d4 curve25519: explictly depend on AS_AVX c45ed55 compat: support RAP in assembly 7f29cf9 curve25519: modularize dispatch Refresh patches. Compile-test-for: ar71xx Run-tested-on: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dropbear: disable MD5 HMAC and switch to sha1 fingerprintsMartin Schiller2017-12-122-3/+5
| | | | | | | | | | | | As MD5 is known weak for many years and more and more penetration test tools complain about enabled MD5 HMAC I think it's time to drop it. By disabling the MD5 HMAC support dropbear will also automatically use SHA1 for fingerprints. This shouldn't be a problem too. Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* dnsmasq: add DHCP build switch support in full variantHans Dedecker2017-12-101-5/+10
| | | | | | | | Add config option which allows to enable/disable DHCP support at compile time. Make DHCPv6 support dependant on DHCP support as DHCPv6 support implies having DHCP support. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: always send DHCPv4 hostnameMathias Kresin2017-12-081-0/+1
| | | | | | | | | | | udhcpc doesn't send a hostname by default. Use the system hostname if nothing else is specified, to always send a hostname. It syncs the behaviour to odhcpc, which always sends a hostname. Signed-off-by: Mathias Kresin <dev@kresin.me> Acked-by: Stijn Tintel <stijn@linux-ipv6.be> Acked-by: Hans Dedecker <dedeckeh@gmail.com>
* merge: uhttpd: update cert generation to match system defaultsZoltan HERPAI2017-12-081-1/+1
| | | | Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
* merge: packages: update branding in core packagesZoltan HERPAI2017-12-086-9/+9
| | | | Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
* merge: ssid: update default ssidZoltan HERPAI2017-12-081-2/+2
| | | | Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
* odhcpd: fix faulty PKG_SOURCE_DATE in 711a816Hans Dedecker2017-12-071-1/+1
| | | | Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: write atomic host fileHans Dedecker2017-12-072-4/+6
| | | | | | | | | | | Different invocations of the dnsmasq init script (e.g. at startup by procd) will rewrite the dhcp host file which might result into dnsmasq reading an empty dhcp host file as it is being rewritten by the dnsmasq init script. Let the dnsmasq init script first write to a temp dhcp host file so it does not overwrite the contents of the existing dhcp host file. Reported-by: Hartmut Birr <e9hack@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: backport fix for wnm_sleep_mode=0Timo Sigurdsson2017-12-072-1/+36
| | | | | | | | | | | | | wpa_disable_eapol_key_retries can't prevent attacks against the Wireless Network Management (WNM) Sleep Mode handshake. Currently, hostapd processes WNM Sleep Mode requests from clients regardless of the setting wnm_sleep_mode. Backport Jouni Malinen's upstream patch 114f2830 in order to ignore such requests by clients when wnm_sleep_mode is disabled (which is the default). Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de> [rewrite commit subject (<= 50 characters), bump PKG_RELEASE] Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* hostapd: Expose the tdls_prohibit option to UCITimo Sigurdsson2017-12-071-1/+6
| | | | | | | | | | | | | | | | wpa_disable_eapol_key_retries can't prevent attacks against the Tunneled Direct-Link Setup (TDLS) handshake. Jouni Malinen suggested that the existing hostapd option tdls_prohibit can be used to further complicate this possibility at the AP side. tdls_prohibit=1 makes hostapd advertise that use of TDLS is not allowed in the BSS. Note: If an attacker manages to lure both TDLS peers into a fake AP, hiding the tdls_prohibit advertisement from them, it might be possible to bypass this protection. Make this option configurable via UCI, but disabled by default. Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
* iproute2: align ip help text for tiny variantHans Dedecker2017-12-061-1/+18
| | | | | | | | Tiny variant supports a subset of the ip commands; align the ip help text so it actually reflects which commands are supported in the tiny variant. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iproute2: update to v4.14.1Russell Senior2017-12-0610-66/+64
| | | | | | | Preserves optionality of libmnl by letting configuration script follow the HAVE_MNL environment variable. Signed-off-by: Russell Senior <russell@personaltelco.net>
* odhcpd: update to latest git HEADHans Dedecker2017-12-061-4/+4
| | | | | | c516801 dhcpv4: notify DHCP ACK and RELEASE via ubus Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: backport infinite dns retries fixHans Dedecker2017-12-063-3/+48
| | | | | | | | | | If all configured dns servers return refused in response to a query in strict mode; dnsmasq will end up in an infinite loop retransmitting the dns query resulting into high CPU load. Problem is fixed by checking for the end of a dns server list iteration in strict mode. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* samba36: backport an upstream fix for an information leak (CVE-2017-15275)Felix Fietkau2017-12-042-1/+41
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* packages: dnsmasq: remove unused stamp fileRoman Yeryomin2017-12-022-5/+1
| | | | | Signed-off-by: Roman Yeryomin <roman@advem.lv> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* curl: bump to 7.57.0 (3 CVEs)Hans Dedecker2017-11-302-4/+4
| | | | | | | | | | CVE-2017-8816: NTLM buffer overflow via integer overflow CVE-2017-8817: FTP wildcard out of bounds read CVE-2017-8818: SSL out of buffer access For other bugfixes and changes in 7.57.0 see https://curl.haxx.se/changes.html Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: add interface to ubus notificationBorja Salazar2017-11-291-5/+7
| | | | Signed-off-by: Borja Salazar <borja.salazar@fon.com>
* dnsmasq: fix dhcp-host entries with empty macsJo-Philipp Wich2017-11-281-3/+1
| | | | | | | | | | | | | | Due to improper localization of helper variables, "config host" entries without a given mac address may inherit the mac address of a preceeding, leading to invalid generated netive configuration. Fix the issue by marking the "macs" and "tags" helper variables in dhcp_host_add() local, avoiding the need for explicitely resetting them with each invocation. Reported-by: Russell Senior <russell@personaltelco.net> Tested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* wireguard: bump to snapshot 20171127Kevin Darbyshire-Bryant2017-11-271-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | == Changes == * compat: support timespec64 on old kernels * compat: support AVX512BW+VL by lying * compat: fix typo and ranges * compat: support 4.15's netlink and barrier changes * poly1305-avx512: requires AVX512F+VL+BW Numerous compat fixes which should keep us supporting 3.10-4.15-rc1. * blake2s: AVX512F+VL implementation * blake2s: tweak avx512 code * blake2s: hmac space optimization Another terrific submission from Samuel Neves: we now have an implementation of Blake2s using AVX512, which is extremely fast. * allowedips: optimize * allowedips: simplify * chacha20: directly assign constant and initial state Small performance tweaks. * tools: fix removing preshared keys * qemu: use netfilter.org https site * qemu: take shared lock for untarring Small bug fixes. Remove myself from the maintainers list: we have enough and I'm happy to carry on doing package bumps on ad-hoc basis without the 'official' title. Run-tested: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* lldpd: bump to 0.9.9Stijn Tintel2017-11-271-2/+2
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* kmod-sched-cake: update to latest git HEADFushan Wen2017-11-251-18/+21
| | | | | | | | | | dfb2f6c pkt_sched: make compile again 5ab7026 sch_cake: make compile again 6f28803 codel5: make more checkpatch compliant bd426aa Fix build error on 4.12 e4a3628 Whitespace tidy up Signed-off-by: Fushan Wen <qydwhotmail@gmail.com>
* odhcpd: update to latest git HEADHans Dedecker2017-11-251-3/+3
| | | | | | 92e205d dhcpv6: fix compile issues when CER-ID extension is enabled Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* odhcpd: add a full and ipv6only variant (FS#1188)Hans Dedecker2017-11-251-27/+58
| | | | | | | | | Add an ipv6only variant providing server services for RA, stateful and stateless DHCPv6, prefix delegation and relay support for DHCPv6, NDP and RA. The full variant called odhcpd supports DHCPv4 server as before. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wireguard: bump to 20171122Kevin Darbyshire-Bryant2017-11-241-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bump to latest WireGuard snapshot release: ed479fa (tag: 0.0.20171122) version: bump snapshot efd9db0 chacha20poly1305: poly cleans up its own state 5700b61 poly1305-x86_64: unclobber %rbp 314c172 global: switch from timeval to timespec 9e4aa7a poly1305: import MIPS64 primitive from OpenSSL 7a5ce4e chacha20poly1305: import ARM primitives from OpenSSL abad6ee chacha20poly1305: import x86_64 primitives from OpenSSL 6507a03 chacha20poly1305: add more test vectors, some of which are weird 6f136a3 compat: new kernels have netlink fixes e4b3875 compat: stable finally backported fix cc07250 qemu: use unprefixed strip when not cross-compiling 64f1a6d tools: tighten up strtoul parsing c3a04fe device: uninitialize socket first in destruction 82e6e3b socket: only free socket after successful creation of new df318d1 compat: fix compilation with PaX d911cd9 curve25519-neon: compile in thumb mode d355e57 compat: 3.16.50 got proper rt6_get_cookie 666ee61 qemu: update kernel 2420e18 allowedips: do not write out of bounds 185c324 selftest: allowedips: randomized test mutex update 3f6ed7e wg-quick: document localhost exception and v6 rule Compile-tested-for: ar71xx Run-tested-on: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* odhcpd: fix gcc7 build errorHans Dedecker2017-11-211-3/+3
| | | | | | 0573422 ndp: add switch/case fallthrough comments Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: remove unused local var declarationLeon M. George2017-11-211-2/+0
| | | | Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: don't set htmode for wpa_supplicantLeon M. George2017-11-211-2/+0
| | | | | | no longer supported Signed-off-by: Leon M. George <leon@georgemail.eu>
* odhcpd: update to latest git HEAD (make dhcpv4 support optional)Hans Dedecker2017-11-201-12/+25
| | | | | | | | | fd80621 dhcpv4: make DHCPv4 support compiletime configurable cf29925 treewide: rework handling of netlink events 24cdc1b treewide: add netlink file 5dfb716 treewide: align function naming Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: load instance-specific conf-file if existsEmerson Pinter2017-11-192-8/+8
| | | | | | | Without this change, the instance-specific conf-file is being added to procd_add_jail_mount, but not used by dnsmasq. Signed-off-by: Emerson Pinter <dev@pinter.com.br>
* netifd: update to latest git HEADHans Dedecker2017-11-171-3/+3
| | | | | | c92106e interface-ip: add missing IPv6 policy rule Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* add PKG_CPE_ID ids to package and toolsAlexander Couzens2017-11-1713-0/+13
| | | | | | | | | | | CPE ids helps to tracks CVE in packages. https://cpe.mitre.org/specification/ Thanks to swalker for CPE to package mapping and keep tracking CVEs. Acked-by: Jo-Philipp Wich <jo@mein.io> Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* wireguard: bump to 0.0.20171111Kevin Darbyshire-Bryant2017-11-161-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | edaad55 (tag: 0.0.20171111) version: bump snapshot 7a989b3 tools: allow for NULL keys everywhere 46f8cbc curve25519: reject deriving from NULL private keys 9b43542 tools: remove ioctl cruft f6cea8e allowedips: rename from routingtable 23f553e wg-quick: allow for tabs in keys ab9befb netlink: make sure we reserve space for NLMSG_DONE 73405c0 compat: 4.4.0 has strange ECN function 868be0c wg-quick: stat the correct enclosing folder of config file ceb11ba qemu: bump kernel version 0a8e173 receive: hoist fpu outside of receive loop bee188a qemu: more debugging f1fdd8d device: wait for all peers to be freed before destroying 2188248 qemu: check for memory leaks c77a34e netlink: plug memory leak 0ac8efd device: please lockdep a51e196 global: revert checkpatch.pl changes 65c49d7 Kconfig: remove trailing whitespace Compile-tested-for: ar71xx Run-tested-on: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* hostapd: rework frequency/ht/vht selection for ibss/meshFelix Fietkau2017-11-158-178/+55
| | | | | | | | | | - Remove obsolete patch chunks regarding fixed_freq - Instead of patching in custom HT40+/- parameters, use the standard config syntax as much as possible. - Use fixed_freq for mesh - Fix issues with disabling obss scan when using fixed_freq on mesh Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: explicitly set beacon interval for wpa_supplicantSven Eckelmann2017-11-151-0/+1
| | | | | | | | | | | | | | | The beacon_int is currently set explicitly for hostapd and when LEDE uses iw to join and IBSS/mesh. But it was not done when wpa_supplicant was used to join an encrypted IBSS or mesh. This configuration is required when an AP interface is configured together with an mesh interface. The beacon_int= line must therefore be re-added to the wpa_supplicant config. The value is retrieved from the the global variable. Fixes: 1a16cb9c67f0 ("mac80211, hostapd: always explicitly set beacon interval") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Felix Fietkau <nbd@nbd.name> [rebase]
* hostapd: set mcast_rate in mesh modeSven Eckelmann2017-11-151-0/+68
| | | | | | | | | | | | | | | | | | The wpa_supplicant code for IBSS allows to set the mcast rate. It is recommended to increase this value from 1 or 6 Mbit/s to something higher when using a mesh protocol on top which uses the multicast packet loss as indicator for the link quality. This setting was unfortunately not applied for mesh mode. But it would be beneficial when wpa_supplicant would behave similar to IBSS mode and set this argument during mesh join like authsae already does. At least it is helpful for companies/projects which are currently switching to 802.11s (without mesh_fwding and with mesh_ttl set to 1) as replacement for IBSS because newer drivers seem to support 802.11s but not IBSS anymore. Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com> Tested-by: Simon Wunderlich <simon.wunderlich@openmesh.com> Signed-off-by: Felix Fietkau <nbd@nbd.name> [refresh]
* hostapd: refresh ubus patchFelix Fietkau2017-11-151-36/+18
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* igmpproxy: remove firewall rules when service is stoppedHans Dedecker2017-11-142-1/+5
| | | | | | | | | Remove multicast routing firewall rules when the igmpproxy is stopped by triggering a firewall config change. Keeping the firewall open from the wan for igmp and udp multicast is not desired when the igmpproxy service is inactive. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: fix swapped ubus args mac and ipJaroslav Safka2017-11-131-2/+2
| | | | | | | Fix swapped arguments "mac" and "ip" when calling function "ubus_event_bcast". Signed-off-by: Jaroslav Safka <devel@safka.org>
* openvpn: add support to start/stop single instancesMartin Schiller2017-11-132-18/+37
| | | | | Signed-off-by: Martin Schiller <ms@dev.tdt.de> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
* wireguard: fix portability issueFelix Fietkau2017-11-111-0/+18
| | | | | | | Check if the compiler defines __linux__, instead of assuming that the host OS is the same as the target OS. Signed-off-by: Felix Fietkau <nbd@nbd.name>
* wireguard: move to kernel build directoryFelix Fietkau2017-11-111-1/+1
| | | | | | It builds a kernel module, so its build dir should be target specific Signed-off-by: Felix Fietkau <nbd@nbd.name>
* layerscape: add restool packageYangbo Lu2017-11-1013-0/+794
| | | | | | | | restool is a user space application providing the ability to dynamically create and manage Layerscape DPAA2 containers and objects from Linux. Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
* firewall: update to latest git HEADHans Dedecker2017-11-071-3/+3
| | | | | | c430937 ubus: parse the firewall data within the service itself Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* uhttpd: fix query string handlingJo-Philipp Wich2017-11-071-3/+3
| | | | | | | | | | Update to latest Git in order to fix potential memory corruption and invalid memory access when handling query strings in conjunction with active basic authentication. a235636 2017-11-04 file: fix query string handling Signed-off-by: Jo-Philipp Wich <jo@mein.io>