aboutsummaryrefslogtreecommitdiffstats
path: root/package/network
Commit message (Collapse)AuthorAgeFilesLines
* ppp: backport security fixesPetr Štetiar2020-02-264-1/+129
| | | | | | | | | | 8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP 8d7970b8f3db pppd: Fix bounds check in EAP code 858976b1fc31 radius: Prevent buffer overflow in rc_mksid() Signed-off-by: Petr Štetiar <ynezz@true.cz> Fixes: CVE-2020-8597 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Revert "ppp: backport security fixes"Jo-Philipp Wich2020-02-264-129/+1
| | | | | | | | This reverts commit 215598fd03899c19a9cd26266221269dd5ec8cee since it didn't contain a reference to the CVE it addresses. The next commit will re-add the commit including a CVE reference in its commit message. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: enhance wifi reloadJohn Crispin2020-02-252-18/+134
| | | | | | | Add a radio_config_id property. If the radio config changes return an error upon receiving the reconf call. Signed-off-by: John Crispin <john@phrozen.org>
* hostapd: start hostapd/wpa_supplicant for all wiphy devicesPiotr Dymacz2020-02-242-2/+2
| | | | | | | | | | | | | | c888e17e06 ("hostapd: manage instances via procd instead of pidfile") added procd support for managing hostapd and wpa_supplicant daemons but at the same time limited wiphy names to 'phy*'. This brings back initial behaviour (introduced in 60fb4c92b6 ("hostapd: add ubus reload") and makes procd manage daemons for any wiphy device found in '/sys/class/ieee80211'. CC: Felix Fietkau <nbd@nbd.name> CC: Daniel Golle <daniel@makrotopia.org> Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
* umbim: move package to 'WWAN' submenuPiotr Dymacz2020-02-241-0/+1
| | | | | | | 'uqmi' was moved to 'WWAN' submenu in 9abdeee0b7. Let's be consistent and do the same with 'umbim'. Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
* linux-atm: Fix compile warningHauke Mehrtens2020-02-241-1/+15
| | | | | | | | | | | | The function trace_on_exit() is given to atexit() as a parameter, but atexit() only takes a function pointer to a function with a void parameter. This problem was introduced when the on_exit() function was incompletely replaced by atexit(). Fixes: ba6c8bd6142f ("linux-atm: add portability fixes") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* iw: update to 5.4DENG Qingfang2020-02-223-118/+43
| | | | | | | Update iw to 5.4 This increases the ipk size of iw-tiny/full by about 400 bytes Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
* rssileds: add dependencies based on LDFLAGSAdrian Schmutzler2020-02-221-1/+1
| | | | | | | | | | | | | | | | | This adds the direct dependencies introduced by TARGET_LDFLAGS to the package's DEPENDS variable. This was found by accidentally building rssileds on octeon, which resulted in: "Package rssileds is missing dependencies for the following libraries: libnl-tiny.so" Though the dependencies are provided when building for the relevant targets ar71xx, ath79 and ramips, it seems more tidy to specify them explicitly. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* lldpd: bump to 1.0.5Stijn Tintel2020-02-223-23/+4
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* ppp: backport security fixesPetr Štetiar2020-02-204-1/+129
| | | | | | | | 8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP 8d7970b8f3db pppd: Fix bounds check in EAP code 858976b1fc31 radius: Prevent buffer overflow in rc_mksid() Signed-off-by: Petr Štetiar <ynezz@true.cz>
* dnsmasq: fix uci-defaults script to exit 0 so it is cleaned upRussell Senior2020-02-191-0/+2
| | | | | | | | | | A file, package/network/services/dnsmasq/files/50-dnsmasq-migrate-resolv-conf-auto.sh, was added in commit 6a2855212096d2c486961a0841b037bae4b75de7, but it does not exit in a way that tells the uci-defaults mechanism that it succeeded, and so it is not cleaned up after running successfully. Add an exit 0 to the end to correct that. Signed-off-by: Russell Senior <russell@personaltelco.net>
* wireguard: bump to 0.0.20200215Jason A. Donenfeld2020-02-151-2/+2
| | | | | | | | | | * send: cleanup skb padding calculation * socket: remove useless synchronize_net Sorry for the back-to-back releases. This fixes a regression spotted by Eric Dumazet. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* iproute2: update to 5.5.0, enable LTODENG Qingfang2020-02-139-16/+16
| | | | | | | Update iproute2 to 5.5.0 Enable LTO to save several KB of size Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
* uhttpd: update to latest Git HEADJo-Philipp Wich2020-02-121-4/+4
| | | | | | 2ee323c file: poke ustream after starting deferred program Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* wireguard-tools: bump to 1.0.20200206Jason A. Donenfeld2020-02-091-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * wg-quick: android: split uids into multiple commands Newer android's ndc implementations have limits on uid size, so we have to break these into several lists. * man: document dynamic debug trick for Linux This comes up occasionally, so it may be useful to mention its possibility in the man page. At least the Arch Linux and Ubuntu kernels support dynamic debugging, so this advice will at least help somebody. So that you don't have to go digging into the commit, this adds this helpful tidbit to the man page for getting debug logs on Linux: # modprobe wireguard && echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control * extract-{handshakes,keys}: rework for upstream kernel These tools will now use the source code from the running kernel instead of from the old monolithic repo. Essential for the functioning of Wireshark. * netlink: remove libmnl requirement We no longer require libmnl. It turns out that inlining the small subset of libmnl that we actually use results in a smaller binary than the overhead of linking to the external library. And we intend to gradually morph this code into something domain specific as a libwg emerges. Performance has also increased, thanks to the inliner. On all platforms, wg(8) only needs a normal libc. Compile time on my system is still less than one second. So all in all we have: smaller binary, zero dependencies, faster performance. Packagers should no longer have their wireguard-tools package depend on libmnl. * embeddable-wg-library: use newer string_list * netlink: don't pretend that sysconf isn't a function Small cleanups. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* hostapd: remove erroneous $(space) redefinitionJo-Philipp Wich2020-02-081-3/+0
| | | | | | | | | | | | | | | | The $(space) definition in the hostapd Makefile ceased to work with GNU Make 4.3 and later, leading to syntax errors in the generated Kconfig files. Drop the superfluous redefinition and reuse the working $(space) declaration from rules.mk to fix this issue. Fixes: GH#2713 Ref: https://github.com/openwrt/openwrt/pull/2713#issuecomment-583722469 Reported-by: Karel Kočí <cynerd@email.cz> Suggested-by: Jonas Gorski <jonas.gorski@gmail.com> Tested-by: Shaleen Jain <shaleen@jain.sh> Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* wireguard: bump to 0.0.20200205Jason A. Donenfeld2020-02-051-2/+2
| | | | | | | | | | | | | | | | | | | | | | | * compat: support building for RHEL-8.2 * compat: remove RHEL-7.6 workaround Bleeding edge RHEL users should be content now (which includes the actual RedHat employees I've been talking to about getting this into the RHEL kernel itself). Also, we remove old hacks for versions we no longer support anyway. * allowedips: remove previously added list item when OOM fail * noise: reject peers with low order public keys With this now being upstream, we benefit from increased fuzzing coverage of the code, uncovering these two bugs. * netns: ensure non-addition of peers with failed precomputation * netns: tie socket waiting to target pid An added test to our test suite for the above and a small fix for high-load CI scenarios. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* Revert "iwinfo: update to latest Git HEAD"Jo-Philipp Wich2020-02-052-3/+12
| | | | | | | | | This reverts commit 96424c143dd818b391d9b8da18249eca1d2e6c83. The commit changed libiwinfo's internal ABI which breaks a number of downstream projects, including LuCI and rpcd-mod-iwinfo. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* iwinfo: update to latest Git HEADDavid Bauer2020-02-042-12/+3
| | | | | | | | | eba5a20 iwinfo: add device id for BCM43602 a6914dc iwinfo: add BSS load element to scan result bb21698 iwinfo: add device id for Atheros AR9287 7483398 iwinfo: add device id for MediaTek MT7615E Signed-off-by: David Bauer <mail@david-bauer.net>
* bcm4xxx: fix iwinfo behaviourJohn Crispin2020-02-041-0/+9
| | | | Signed-off-by: John Crispin <john@phrozen.org>
* iptables: set-dscpmark follow upstreamimg attemptKevin Darbyshire-Bryant2020-01-313-215/+460
| | | | | | | | | | | I'm having another attempt at trying to getting the 'store dscp into conntrack connmark' functionality into upstream kernel, since the restore function (act_ctinfo) has been accepted. The syntax has changed from 'savedscp' to 'set-dscpmark' since that conforms more closely with existing functionality. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* hostapd: add back support for passing CSA events from sta/mesh to AP interfacesFelix Fietkau2020-01-291-0/+129
| | | | | | | | Fixes handling CSA when using AP+STA or AP+Mesh This change was accidentally dropped in commit 167028b75 ("hostapd: Update to version 2.9 (2019-08-08)") Signed-off-by: Felix Fietkau <nbd@nbd.name>
* wireguard: bump to 0.0.20200128Jason A. Donenfeld2020-01-281-2/+2
| | | | | | This fixes a few small oversights for the 5.5 compat layer. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* hostapd: unconditionally enable ap/mesh for wpa-cliFelix Fietkau2020-01-281-1/+7
| | | | | | | Without this change, wpa-cli features depend on which wpad build variant was used to build the wpa-cli package Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: remove some bashismsSven Roederer2020-01-261-3/+3
| | | | | | | | | "[[" is a bash extension for test. As the ash-implementation is not fully compatible we drop its usage. Signed-off-by: Sven Roederer <devel-sven@geroedel.de> [remove shebang, slightly facelift commit title/message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* 6in4/6in4.sh: remove some bashism (usage of [[)Sven Roederer2020-01-261-1/+1
| | | | | | | "[[" is a bash extension for test. As the ash-implementation is not fully compatible we drop its usage. Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
* netifd/config.sh: remove some bashism (usage of [[)Sven Roederer2020-01-261-1/+1
| | | | | | | "[[" is a bash extension for test. As the ash-implementation is not fully compatible we drop its usage. Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
* wireguard-tools: bump to 1.0.20200121Jason A. Donenfeld2020-01-241-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Makefile: remove pwd from compile output * Makefile: add standard 'all' target * Makefile: evaluate git version lazily Quality of life improvements for packagers. * ipc: simplify inflatable buffer and add fuzzer * fuzz: add generic command argument fuzzer * fuzz: add set and setconf fuzzers More fuzzers and a slicker string list implementation. These fuzzers now find themselves configuring wireguard interfaces from scratch after several million mutations, which is fun to watch. * netlink: make sure to clear return value when trying again Prior, if a dump was interrupted by a concurrent set operation, we'd try again, but forget to reset an error flag, so we'd keep trying again forever. Now we do the right thing and succeed when we succeed. * Makefile: sort inputs to linker so that build is reproducible Earlier versions of make(1) passed GLOB_NOSORT to glob(3), resulting in the linker receiving its inputs in a filesystem-dependent order. This screwed up reproducible builds. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wireguard: bump to 0.0.20200121Jason A. Donenfeld2020-01-241-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Makefile: strip prefixed v from version.h This fixes a mistake in dmesg output and when parsing the sysfs entry in the filesystem. * device: skb_list_walk_safe moved upstream This is a 5.6 change, which we won't support here, but it does make the code cleaner, so we make this change to keep things in sync. * curve25519: x86_64: replace with formally verified implementation This comes from INRIA's HACL*/Vale. It implements the same algorithm and implementation strategy as the code it replaces, only this code has been formally verified, sans the base point multiplication, which uses code similar to prior, only it uses the formally verified field arithmetic alongside reproducable ladder generation steps. This doesn't have a pure-bmi2 version, which means haswell no longer benefits, but the increased (doubled) code complexity is not worth it for a single generation of chips that's already old. Performance-wise, this is around 1% slower on older microarchitectures, and slightly faster on newer microarchitectures, mainly 10nm ones or backports of 10nm to 14nm. This implementation is "everest" below: Xeon E5-2680 v4 (Broadwell) armfazh: 133340 cycles per call everest: 133436 cycles per call Xeon Gold 5120 (Sky Lake Server) armfazh: 112636 cycles per call everest: 113906 cycles per call Core i5-6300U (Sky Lake Client) armfazh: 116810 cycles per call everest: 117916 cycles per call Core i7-7600U (Kaby Lake) armfazh: 119523 cycles per call everest: 119040 cycles per call Core i7-8750H (Coffee Lake) armfazh: 113914 cycles per call everest: 113650 cycles per call Core i9-9880H (Coffee Lake Refresh) armfazh: 112616 cycles per call everest: 114082 cycles per call Core i3-8121U (Cannon Lake) armfazh: 113202 cycles per call everest: 111382 cycles per call Core i7-8265U (Whiskey Lake) armfazh: 127307 cycles per call everest: 127697 cycles per call Core i7-8550U (Kaby Lake Refresh) armfazh: 127522 cycles per call everest: 127083 cycles per call Xeon Platinum 8275CL (Cascade Lake) armfazh: 114380 cycles per call everest: 114656 cycles per call Achieving these kind of results with formally verified code is quite remarkable, especialy considering that performance is favorable for newer chips. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* hostapd: fix faulty WMM IE parameters with ETSI regulatory domainsFelix Fietkau2020-01-232-0/+88
| | | | | | | | hostapd sets minimum values for CWmin/CWmax/AIFS and maximum for TXOP. The code for applying those values had a few bugs leading to bogus values, which caused significant latency and packet loss. Signed-off-by: Felix Fietkau <nbd@nbd.name>
* curl: update to version 7.68.0 (security fix)Jan Pavlinec2020-01-211-3/+3
| | | | | | | Fixes CVE-2019-15601 Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
* netifd: add basic support for jail network namespacesDaniel Golle2020-01-211-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Prepare netifd for handling procd service jails having their own network namespace. Intefaces having the jail attribute will only be brought up inside the jail's network namespace by procd calling the newly introduced ubus method 'netns_updown'. Currently proto 'static' is supported and configuration changes are not yet being handled (ie. you'll have to restart the jailed service for changes to take effect). Example /etc/config/network snippet: config device 'veth0' option type 'veth' option name 'vhost0' option peer_name 'virt0' config interface 'virt' option type 'bridge' list ifname 'vhost0' option proto 'static' option ipaddr '10.0.0.1' option netmask '255.255.255.0' config interface 'virt0' option ifname 'virt0' option proto 'static' option ipaddr '10.0.0.2' option netmask '255.255.255.0' option gateway '10.0.0.1' option dns '10.0.0.1' option jail 'transmission' Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* odhcpd: update to version 2020-01-14Hans Dedecker2020-01-161-3/+3
| | | | | | | | | 6db312a dhcpv6-ia: use dhcp leasetime to set preferred/valid statefull lifetimes 2520c48 dhcpv6-ia: introduce DHCPv6 pd and ia assignments flags b413d8a dhcpv6-ia: cleanup prefix delegation routes b0902af dhcpv6-ia: remove passing interface as parameter to apply_lease Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: add support for system cert bundle validationDavid Lam2020-01-162-6/+15
| | | | | | | | | | | | | | Currently, it is very cumbersome for a user to connect to a WPA-Enterprise based network securely because the RADIUS server's CA certificate must first be extracted from the EAPOL handshake using tcpdump or other methods before it can be pinned using the ca_cert(2) fields. To make this process easier and more secure (combined with changes in openwrt/openwrt#2654), this commit adds support for validating against the built-in CA bundle when the ca-bundle package is installed. Related LuCI changes in openwrt/luci#3513. Signed-off-by: David Lam <david@thedavid.net> [bump PKG_RELEASE] Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: cleanup IBSS-RSNDaniel Golle2020-01-162-6/+2
| | | | | | set noscan also for IBSS and remove redundant/obsolete variable. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* dropbear: fix compile errorJohn Crispin2020-01-151-1/+2
| | | | | Fixes: 0da193ee6943 ("dropbear: move failsafe code out of base-files") Signed-off-by: John Crispin <john@phrozen.org>
* wireguard: skip peer config if public key of the peer is not definedFlorian Eckert2020-01-151-0/+5
| | | | | | | | | | | | | | | If a config section of a peer does not have a public key defined, the whole interface does not start. The following log is shown daemon.notice netifd: test (21071): Line unrecognized: `PublicKey=' daemon.notice netifd: test (21071): Configuration parsing erro The command 'wg show' does only show the interface name. With this change we skip the peer for this interface and emit a log message. So the other peers get configured. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* uhttpd: add enable instance optionFlorian Eckert2020-01-152-1/+5
| | | | | | | | With this change it is now possible to switch off single instances of the uhttpd config. Until now it was only possible to switch all instances of uhttpd on or off. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* hostapd: add wpa_strict_rekey supportKyle Copperfield2020-01-151-1/+3
| | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Rekey GTK on STA disassociate Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
* hostapd: add dtim_period, local_pwr_constraint, spectrum_mgmt_requiredKyle Copperfield2020-01-152-3/+12
| | | | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Allows dtim_period to be configurable, the default is from hostapd. Adds additional regulatory tunables for power constraint and spectrum managment. Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
* dropbear: move failsafe code out of base-filesKyle Copperfield2020-01-152-1/+10
| | | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Failsafe code of dropbear should be in the dropbear package not the base-files package. Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
* hostapd: add support for subject validationDavid Lam2020-01-142-1/+93
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The wpa_supplicant supports certificate subject validation via the subject match(2) and altsubject_match(2) fields. domain_match(2) and domain_suffix_match(2) fields are also supported for advanced matches. This validation is especially important when connecting to access points that use PAP as the Phase 2 authentication type. Without proper validation, the user's password can be transmitted to a rogue access point in plaintext without the user's knowledge. Most organizations already require these attributes to be included to ensure that the connection from the STA and the AP is secure. Includes LuCI changes via openwrt/luci#3444. From the documentation: subject_match - Constraint for server certificate subject. This substring is matched against the subject of the authentication server certificate. If this string is set, the server sertificate is only accepted if it contains this string in the subject. The subject string is in following format: /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as .example.com subject_match2 - Constraint for server certificate subject. This field is like subject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication. altsubject_match - Constraint for server certificate alt. subject. Semicolon separated string of entries to be matched against the alternative subject name of the authentication server certificate. If this string is set, the server sertificate is only accepted if it contains one of the entries in an alternative subject name extension. altSubjectName string is in following format: TYPE:VALUE Example: EMAIL:server@example.com Example: DNS:server.example.com;DNS:server2.example.com Following types are supported: EMAIL, DNS, URI altsubject_match2 - Constraint for server certificate alt. subject. This field is like altsubject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication. domain_match - Constraint for server domain name. If set, this FQDN is used as a full match requirement for the server certificate in SubjectAltName dNSName element(s). If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using same full match comparison. This behavior is similar to domain_suffix_match, but has the requirement of a full match, i.e., no subdomains or wildcard matches are allowed. Case-insensitive comparison is used, so "Example.com" matches "example.com", but would not match "test.Example.com". More than one match string can be provided by using semicolons to separate the strings (e.g., example.org;example.com). When multiple strings are specified, a match with any one of the values is considered a sufficient match for the certificate, i.e., the conditions are ORed together. domain_match2 - Constraint for server domain name. This field is like domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication. domain_suffix_match - Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for the AAA server certificate in SubjectAltName dNSName element(s). If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using same suffix match comparison. Suffix match here means that the host/domain name is compared one label at a time starting from the top-level domain and all the labels in domain_suffix_match shall be included in the certificate. The certificate may include additional sub-level labels in addition to the required labels. More than one match string can be provided by using semicolons to separate the strings (e.g., example.org;example.com). When multiple strings are specified, a match with any one of the values is considered a sufficient match for the certificate, i.e., the conditions are ORed together. For example, domain_suffix_match=example.com would match test.example.com but would not match test-example.com. This field is like domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication. domain_suffix_match2 - Constraint for server domain name. This field is like domain_suffix_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication. Signed-off-by: David Lam <david@thedavid.net>
* odhcpd: activate PIE ASLR by defaultPetr Štetiar2020-01-141-0/+1
| | | | | | | | | | | This activates PIE ASLR support by default when the regular option is selected. Size increase on x86/64: odhcpd-ipv6only Installed-Size: 36821 -> 38216 Signed-off-by: Petr Štetiar <ynezz@true.cz>
* uhttpd: Activate PIE by defaultHauke Mehrtens2020-01-131-0/+1
| | | | | | | | | | | | | | | | | | | This activates PIE ASLR support by default when the regular option is selected. This increases the binary size by 39% uncompressed and 21% compressed on MIPS BE. old: 33,189 /usr/sbin/uhttpd 23,016 uhttpd_2019-08-17-6b03f960-4_mips_24kc.ipk new: 46,212 /usr/sbin/uhttpd 27,979 uhttpd_2019-08-17-6b03f960-4_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Acked-by: Petr Štetiar <ynezz@true.cz>
* hostapd: Activate PIE by defaultHauke Mehrtens2020-01-131-0/+1
| | | | | | | | | | | | | | | | | | | This activates PIE ASLR support by default when the regular option is selected. This increases the binary size by 26% uncompressed and 16% compressed on MIPS BE. old: 460,933 /usr/sbin/wpad 283,891 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk new: 584,508 /usr/sbin/wpad 330,281 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Acked-by: Petr Štetiar <ynezz@true.cz>
* dropbear: Activate PIE by defaultHauke Mehrtens2020-01-131-0/+1
| | | | | | | | | | | | | | | | | | | This activates PIE ASLR support by default when the regular option is selected. This increases the binary size by 18% uncompressed and 17% compressed on MIPS BE. old: 164,261 /usr/sbin/dropbear 85,648 dropbear_2019.78-2_mips_24kc.ipk new: 194,492 /usr/sbin/dropbear 100,309 dropbear_2019.78-2_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Acked-by: Petr Štetiar <ynezz@true.cz>
* dnsmasq: Activate PIE by defaultHauke Mehrtens2020-01-131-0/+1
| | | | | | | | | | | | | | | | | | | This activates PIE ASLR support by default when the regular option is selected. This increases the binary size by 37% uncompressed and 18% compressed on MIPS BE. old: 146,933 /usr/sbin/dnsmasq 101,837 dnsmasq_2.80-14_mips_24kc.ipk new: 202,020 /usr/sbin/dnsmasq 120,577 dnsmasq_2.80-14_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Acked-by: Petr Štetiar <ynezz@true.cz>
* ethtool: bump to 5.4Hans Dedecker2020-01-121-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 7dc0af7 Release version 5.4. 914912e ethtool: add 0x16 and 0x1c extended compliance codes 600b779 ethtool: mark 10G Base-ER as SFF-8472 revision 10.4 onwards 696565d ethtool: correctly interpret bitrate of 255 2941970 fix unused parameter warning in e1000_get_mac_type() 5e814f2 fix unused parameter warning in fjes_dump_regs() b1a5279 fix unused parameter warning in ixgb_dump_regs() 6608751 fix unused parameter warning in ibm_emac_dump_regs() 1c30119 fix unused parameter warning in et131x_dump_regs() a56aba4 fix unused parameter warning in amd8111e_dump_regs() f40d32d fix unused parameter warning in fec_dump_regs() 8b84f1a fix unused parameter warning in at76c50x_usb_dump_regs() f725f5a fix unused parameter warning in smsc911x_dump_regs() a12cd66 fix unused parameter warning in e1000_dump_regs() e058656 fix unused parameter warning in igb_dump_regs() debac02 fix unused parameter warning in de2104[01]_dump_regs() d434eea fix unused parameter warning in e100_dump_regs() 8df12f3 fix unused parameter warning in vioc_dump_regs() 92d716b fix unused parameter warning in tg3_dump_{eeprom, regs}() 211c99e fix unused parameter warning in fec_8xx_dump_regs() 362fb8b fix unused parameter warning in ixgbevf_dump_regs() 87903c2 fix unused parameter warning in st_{mac100, gmac}_dump_regs() c1eaddf fix unused parameter warning in vmxnet3_dump_regs() 313c9f8 fix unused parameter warning in dsa_dump_regs() 183e8a2 fix unused parameter warning in {skge, sky2}_dump_regs() 7f84c13 fix unused parameter warning in lan78xx_dump_regs() 02d0aaa fix unused parameter warning in realtek_dump_regs() 726d607 fix unused parameter warning in ixgbe_dump_regs() 967177c fix unused parameter warning in netsemi_dump_eeprom() 710a414 fix unused parameter warning in natsemi_dump_regs() 283398a fix unused parameter warning in print_simple_table() 0404267 fix unused parameter warning in sfc_dump_regs() 57c7298 fix unused parameter warning in altera_tse_dump_regs() 302e91a fix unused parameter warning in dump_eeprom() 2054a8c fix unused parameter warning in find_option() d5432a9 fix unused parameter warnings in do_version() and show_usage() c430e75 fix arithmetic on pointer to void is a GNU extension warning e568431 ethtool: implement support for Energy Detect Power Down e391f4c ethtool: sync ethtool-copy.h: adds support for EDPD Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wireguard-tools: bump to 1.0.20200102Jason A. Donenfeld2020-01-091-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * systemd: update documentation URL * global: bump copyright Usual house keeping. * Makefile: DEBUG_TOOLS -> DEBUG and document * Makefile: port static analysis check * dns-hatchet: adjust path for new repo layout * Makefile: rework automatic version.h mangling These are some important-ish cleanups for downstream package maintainers that should make packaging this a lot smoother. * man: add documentation about removing explicit listen-port Documentation improvement. * wg-quick: linux: quote ifname for nft This should fix issues with weirdly named ifnames and odd versions of nft(8). * fuzz: find bugs in the config syntax parser * fuzz: find bugs when parsing uapi input These are two fuzzers that have been laying around without a repo for a while. Perhaps somebody with enough compute power will find bugs with them. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wireguard: bump to 0.0.20200105Jason A. Donenfeld2020-01-091-2/+2
| | | | | | | | | | | | | | | | | | | * socket: mark skbs as not on list when receiving via gro Certain drivers will pass gro skbs to udp, at which point the udp driver simply iterates through them and passes them off to encap_rcv, which is where we pick up. At the moment, we're not attempting to coalesce these into bundles, but we also don't want to wind up having cascaded lists of skbs treated separately. The right behavior here, then, is to just mark each incoming one as not on a list. This can be seen in practice, for example, with Qualcomm's rmnet_perf driver. This lead to crashes on OnePlus devices and possibly other Qualcomm 4.14 devices. But I fear that it could lead to issues on other drivers on weird OpenWRT routers. This commit is upstream in net-next as: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=736775d06bac60d7a353e405398b48b2bd8b1e54 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>