aboutsummaryrefslogtreecommitdiffstats
path: root/package/network
Commit message (Collapse)AuthorAgeFilesLines
* relayd: bump to version 2020-04-20Kevin Darbyshire-Bryant2020-04-201-3/+3
| | | | | | | | 796da66 dhcp.c: improve input validation & length checks Addresses CVE-2020-11752 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* umdns: update to version 2020-04-20Kevin Darbyshire-Bryant2020-04-201-4/+4
| | | | | | | | e74a3f9 dns.c: improve input validation Addresses CVE-2020-11750 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dante: Fix compile with glibcHauke Mehrtens2020-04-182-1/+54
| | | | | | | | | | | | | | | | | | | When compiled with glibc the config_scan.c wants to use the cpupolicy2numeric() function which is only available when HAVE_SCHED_SETSCHEDULER is set. It looks like the wrong define was used here. This fixes a build problem with glibc in combination with the force ac_cv_func_sched_setscheduler=no in the OpenWrt CONFIGURE_VARS. This fixes the following compile error with glibc: ---------------------------------------------------------------------- /bin/ld: config_scan.o: in function `socks_yylex': dante-1.4.1/sockd/config_scan.l:461: undefined reference to `cpupolicy2numeric' collect2: error: ld returned 1 exit status make[5]: *** [Makefile:522: sockd] Error 1 Fixes: aaf46a8fe23e ("dante: disable sched_getscheduler() - not implemented in musl") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* openvpn: update to 2.4.9Magnus Kroken2020-04-183-4/+4
| | | | | | | | | | | | | | | This is primarily a maintenance release with bugfixes and improvements. This release also fixes a security issue (CVE-2020-11810) which allows disrupting service of a freshly connected client that has not yet negotiated session keys. The vulnerability cannot be used to inject or steal VPN traffic. Release announcement: https://openvpn.net/community-downloads/#heading-13812 Full list of changes: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9 Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* netifd: clean up netns functionalityDaniel Golle2020-04-141-3/+3
| | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* netifd: fix jail ifdown and jails without jail_ifnameDaniel Golle2020-04-141-3/+3
| | | | | | | | The previous commit introduced a regression for netns jails without jail_ifname set. Fix that. Fixes: 4e4f7c6d2d ("netifd: network namespace jail improvements") Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* netifd: network namespace jail improvementsDaniel Golle2020-04-141-3/+3
| | | | | | | aaaca2e interface: allocate and free memory for jail name d93126d interface: allow renaming interface when moving to jail netns Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: reduce to a single instance per serviceDaniel Golle2020-04-148-174/+62
| | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: backport usleep patchRosen Penev2020-04-132-1/+54
| | | | | | Optionally fixes compilation with uClibc-ng. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* wpa_supplicant: disable CONFIG_WRITE functionalityKirill Lukonin2020-04-132-2/+2
| | | | | | | | | CONFIG_WRITE functionality is not used and could be removed. Looks helpful for devices with small flash because wpad is also affected. Little testing shows that about 6 KB could be saved. Signed-off-by: Kirill Lukonin <klukonin@gmail.com>
* dnsmasq: bump to v2.81Kevin Darbyshire-Bryant2020-04-121-3/+3
| | | | Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* iproute2: update to 5.6.0Hans Dedecker2020-04-114-9/+9
| | | | | | Update iproute2 to latest stable 5.6.0; for the changes see https://lwn.net/Articles/816778/ Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* linux-atm: Include linux/sockios.h for SIOCGSTAMPNorbert van Bolhuis2020-04-091-0/+21
| | | | | | | | | | | | Since linux kernel commit 0768e17073dc527ccd18ed5f96ce85f9985e9115 (2019-04-19) the asm-generic/sockios.h header no longer defines SIOCGSTAMP. Instead it provides only SIOCGSTAMP_OLD. The linux/sockios.h header now defines SIOCGSTAMP using either SIOCGSTAMP_OLD or SIOCGSTAMP_NEW as appropriate. This linux only header file is not included so we get a build failure. Signed-off-by: Norbert van Bolhuis <nvbolhuis@aimvalley.nl>
* iproute2: add kmod-netlink-diag for ssRosen Penev2020-04-071-2/+2
| | | | | | | | | | | | | | | | | Allows proper usage of the ss tool. Otherwise, several errors and bad data gets thrown: Cannot open netlink socket: Protocol not supported Cannot open netlink socket: Protocol not supported Cannot open netlink socket: Protocol not supported Cannot open netlink socket: Protocol not supported Cannot open netlink socket: Protocol not supported Cannot open netlink socket: Protocol not supported Cannot open netlink socket: Protocol not supported Originally reported here: https://github.com/openwrt/packages/issues/8232 Signed-off-by: Rosen Penev <rosenp@gmail.com>
* ppp: update to version 2.4.8.git-2020-03-21Hans Dedecker2020-04-069-137/+10
| | | | | | | | | | | | | | | | | | | Use upstream latest git HEAD as it allows to remove the patches 700-radius-Prevent-buffer-overflow-in-rc_mksid, 701-pppd-Fix-bounds-check-in-EAP-code and 702-pppd-Ignore-received-EAP-messages-when-not-doing-EAP and take in other fixes. 41a7323 pppd: Fixed spelling 'unkown' => 'unknown' (#141) 6b014be pppd: Print version information to stdout instead of stderr (#133) cba2736 pppd: Add RFC1990 (Multilink) to the See Also section of the man page f2f9554 pppd: Add mppe.h to the list of headers to install if MPPE is defined ae54fcf pppd: Obfuscate password argument string 8d45443 pppd: Ignore received EAP messages when not doing EAP 8d7970b pppd: Fix bounds check in EAP code 858976b radius: Prevent buffer overflow in rc_mksid() Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: bump to 2.81rc5Kevin Darbyshire-Bryant2020-04-063-67/+181
| | | | | | | | | | | | | | | | | | | | Bump to 2.81rc5 and re-work ipset-remove-old-kernel-support. More runtime kernel version checking is done in 2.81rc5 in various parts of the code, so expand the ipset patch' scope to inlude those new areas and rename to something a bit more generic.:wq Upstream changes from rc4 532246f Tweak to DNSSEC logging. 8caf3d7 Fix rare problem allocating frec for DNSSEC. d162bee Allow overriding of ubus service name. b43585c Fix nameserver list in auth mode. 3f60ecd Fixed resource leak on ubus_init failure. 0506a5e Handle old kernels that don't do NETLINK_NO_ENOBUFS. e7ee1aa Extend stop-dns-rebind to reject IPv6 LL and ULA addresses. We also reject the loopback address if rebind-localhost-ok is NOT set. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* netifd: fix 14_migrate-dhcp-release scriptPeter Stadler2020-04-051-1/+1
| | | | | | prepend 'uci' to 'commit network' Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
* dropbear: backport add ip address to exit without auth messagesKevin Darbyshire-Bryant2020-04-052-1/+120
| | | | | | | 201e359 Handle early exit when addrstring isn't set fa4c464 Improve address logging on early exit messages (#83) Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* hostapd: Move hostapd variants to WirelessAPD menuKevin Darbyshire-Bryant2020-04-051-0/+9
| | | | | | | | | | | It seemed very confusing when trying to select the different variants of hostapd which are somewhat scattered about under the menu 'Network'. Moving all hostapd variants under a common submenu helps avoid confusion. Inspired-by: Kevin Mahoney <kevin.mahoney@zenotec.net> [Fixup badly formatted patch, change menu name] Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* umdns: update to the version 2020-04-05Kevin Darbyshire-Bryant2020-04-051-4/+4
| | | | | | | ab7a39a umdns: fix unused error 45c4953 dns: explicitly endian-convert all fields in header and question Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* umdns: suppress address-of-packed-member warningKevin Darbyshire-Bryant2020-04-041-2/+2
| | | | | | | | | | | | | | | | | gcc 8 & 9 appear to be more picky with regards access alignment to packed structures, leading to this warning in dns.c: dns.c:261:2: error: converting a packed ‘struct dns_question’ pointer (alignment 1) to a ‘uint16_t’ {aka ‘short unsigned int’} pointer (alignment 2) may result in an unaligned pointer value [-Werror=address-of-packed-member] 261 | uint16_t *swap = (uint16_t *) q; Work around what I think is a false positive by turning the warning off. Not ideal, but not quite as not ideal as build failure. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* wireguard: bump to 1.0.20200401Jason A. Donenfeld2020-04-011-2/+2
| | | | | | | Recent backports to 5.5 and 5.4 broke our compat layer. This release is to keep things running with the latest upstream stable kernels. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wireguard: bump to 1.0.20200330Jason A. Donenfeld2020-03-311-2/+2
| | | | | | | | | | | | | | | | | * queueing: backport skb_reset_redirect change from 5.6 * version: bump This release has only one slight change, to put it closer to the 5.6 codebase, but its main purpose is to bump us to a 1.0.y version number. Now that WireGuard 1.0.0 has been released for Linux 5.6 [1], we can put the same number on the backport compat codebase. When OpenWRT bumps to Linux 5.6, we'll be able to drop this package entirely, which I look forward to seeing. [1] https://lists.zx2c4.com/pipermail/wireguard/2020-March/005206.html Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* hostapd: add abridged flag in disassoc_imminentNick Hainke2020-03-301-0/+5
| | | | | | | | | | | | | If the abridged flag is set to 1 the APs that are listed in the BSS Transition Candidate List are prioritized. If the bit is not set, the APs have the same prioritization as the APs that are not in the list. If you want to steer a client, you should set the flag! The flag can be set by adding {...,'abridged': true,...} to the normal ubus call. Signed-off-by: Nick Hainke <vincent@systemli.org>
* hostapd: expose beacon reports through ubusNick Hainke2020-03-303-0/+51
| | | | | | | | | | | | | | | | | | | Subscribe to beacon reports through ubus. Can be used for hearing map and client steering purposes. First enable rrm: ubus call hostapd.wlan0 bss_mgmt_enable '{"beacon_report":True}' Subscribe to the hostapd notifications via ubus. Request beacon report: ubus call hostapd.wlan0 rrm_beacon_req '{"addr":"00:xx:xx:xx:xx:xx", "op_class":0, "channel":1, "duration":1,"mode":2,"bssid":"ff:ff:ff:ff:ff:ff", "ssid":""}' Signed-off-by: Nick Hainke <vincent@systemli.org> [rework identation] Signed-off-by: David Bauer <mail@david-bauer.net>
* hostapd: Add 802.11r support for WPA3-EnterpriseJesus Fernandez Manzano2020-03-301-0/+1
| | | | Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
* odhcp6c: update to latest git HEADHans Dedecker2020-03-291-3/+3
| | | | | | f575351 ra: fix sending router solicitations Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: bump to 2.81rc4Kevin Darbyshire-Bryant2020-03-291-2/+2
| | | | Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* nftables: implement no/json variantsKevin Darbyshire-Bryant2020-03-291-14/+26
| | | | | | | | | | | Replace the build time choice of json support with a package based choice. Users requiring a json aware version of 'nft' may now install nftables-json. The default choice to fulfill the 'nftables' package dependency is 'nftables-nojson' Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* curl: rebuild when libopenssl config changesDENG Qingfang2020-03-291-1/+5
| | | | | | | | | | | | When some libopenssl options change curl will have to be rebuild to adapt to those changes, avoiding undefined reference errors or features disabled in curl. Add CONFIG_OPENSSL_ENGINE, CONFIG_OPENSSL_WITH_COMPRESSION and CONFIG_OPENSSL_WITH_NPN to PKG_CONFIG_DEPENDS so it will trigger rebuild every time the options are changed. Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
* netifd: fix compilation with musl 1.2.0Hans Dedecker2020-03-261-3/+3
| | | | | | 1e8328 system-linux: fix compilation with musl 1.2.0 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* odhcp6c: fix compilation with musl 1.2.0Hans Dedecker2020-03-261-3/+3
| | | | | | 49305e6 odhcp6c: fix compilation with musl 1.2.0 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: fix dnssec+ntp chicken-and-egg workaround (FS#2574)Henrique de Moraes Holschuh2020-03-252-4/+3
| | | | | | | | | | | | | | | | | | | | | | | Fix the test for an enabled sysntp initscript in dnsmasq.init, and get rid of "test -o" while at it. Issue reproduced on openwrt-19.07 with the help of pool.ntp.br and an RTC-less ath79 router. dnssec-no-timecheck would be clearly missing from /var/etc/dnsmasq.conf.* while the router was still a few days in the past due to non-working DNSSEC + DNS-based NTP server config. The fix was tested with the router in the "DNSSEC broken state": it properly started dnsmasq in dnssec-no-timecheck mode, and eventually ntp was able to resolve the server name to an IP address, and set the system time. DNSSEC was then enabled by SIGINT through the ntp hotplug hook, as expected. A missing system.ntp.enabled UCI node is required for the bug to show up. The reasons for why it would be missing in the first place were not investigated. Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* dnsmasq: init: get rid of test -a and test -oHenrique de Moraes Holschuh2020-03-251-17/+17
| | | | | | | Refer to shellcheck SC2166. There are just too many caveats that are shell-dependent on test -a and test -o to use them. Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
* uhttpd: bump to latest Git HEADJo-Philipp Wich2020-03-251-3/+3
| | | | | | | 5e9c23c client: allow keep-alive for POST requests 5fc551d tls: support specifying accepted TLS ciphers Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* nftables: bump to 0.9.3Kevin Darbyshire-Bryant2020-03-241-2/+2
| | | | Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: add 'scriptarp' optionJordan Sokolic2020-03-222-1/+3
| | | | | | | | | | | Add option 'scriptarp' to uci dnsmasq config to enable --script-arp functions. The default setting is false, meaning any scripts in `/etc/hotplug.d/neigh` intended to be triggered by `/usr/lib/dnsmasq/dhcp-script.sh` will fail to execute. Also enable --script-arp if has_handlers returns true. Signed-off-by: Jordan Sokolic <oofnik@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* iwinfo: update to latest Git HEADDavid Bauer2020-03-222-12/+3
| | | | | | | | | | | | 9f5a7c4 iwinfo: add missing HT modename for HT-None 06a03c9 Revert "iwinfo: add BSS load element to scan result" 9a4bae8 iwinfo: add device id for Qualcomm Atheros QCA9990 eba5a20 iwinfo: add device id for BCM43602 a6914dc iwinfo: add BSS load element to scan result bb21698 iwinfo: add device id for Atheros AR9287 7483398 iwinfo: add device id for MediaTek MT7615E Signed-off-by: David Bauer <mail@david-bauer.net>
* samba36: log error if getting device info failedRafał Miłecki2020-03-212-4/+10
| | | | Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* wireguard: bump to 0.0.20200318Jason A. Donenfeld2020-03-211-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | WireGuard had a brief professional security audit. The auditors didn't find any vulnerabilities, but they did suggest one defense-in-depth suggestion to protect against potential API misuse down the road, mentioned below. This compat snapshot corresponds with the patches I just pushed to Dave for 5.6-rc7. * curve25519-x86_64: avoid use of r12 This buys us 100 extra cycles, which isn't much, but it winds up being even faster on PaX kernels, which use r12 as a RAP register. * wireguard: queueing: account for skb->protocol==0 This is the defense-in-depth change. We deal with skb->protocol==0 just fine, but the advice to deal explicitly with it seems like a good idea. * receive: remove dead code from default packet type case A default case of a particular switch statement should never be hit, so instead of printing a pretty debug message there, we full-on WARN(), so that we get bug reports. * noise: error out precomputed DH during handshake rather than config All peer keys will now be addable, even if they're low order. However, no handshake messages will be produced successfully. This is a more consistent behavior with other low order keys, where the handshake just won't complete if they're being used anywhere. * send: use normaler alignment formula from upstream We're trying to keep a minimal delta with upstream for the compat backport. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wireguard-tools: bump to 1.0.20200319Jason A. Donenfeld2020-03-211-2/+2
| | | | | | | | | | | | | | | | * netlink: initialize mostly unused field * curve25519: squelch warnings on clang Code quality improvements. * man: fix grammar in wg(8) and wg-quick(8) * man: backlink wg-quick(8) in wg(8) * man: add a warning to the SaveConfig description Man page improvements. We hope to rewrite our man pages in mdocml at some point soon. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* hostapd: fix segfault in wpa_supplicant ubusDaniel Golle2020-03-182-1/+3
| | | | | | | | | | | | | | When introducing ubus reload support, ubus initialization was moved to the service level instead of being carried out when adding a BSS configuration. While this works when using wpa_supplicant in that way, it breaks the ability to run wpa_supplicant on the command line, eg. for debugging purposes. Fix that by re-introducing ubus context intialization when adding configuration. Reported-by: @PolynomialDivision https://github.com/openwrt/openwrt/pull/2417 Fixes: 60fb4c92b6 ("hostapd: add ubus reload") Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: fix pointer cast warningsLeon M. George2020-03-172-8/+15
| | | | Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: remove trailing whitespaceLeon M. George2020-03-171-2/+2
| | | | Signed-off-by: Leon M. George <leon@georgemail.eu>
* curl: bump to 7.69.1Hans Dedecker2020-03-161-2/+2
| | | | | | For changes in 7.69.1; see https://curl.haxx.se/changes.html#7_69_1 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wwan: fix hotplug event handlingRozhuk Ivan2020-03-162-2/+3
| | | | | | | | | Hotplug manager send: "remove" -> "add" -> "bind" events, script interpret bind as "not add" = "remove" and mark device as unavailable. Signed-off-by: Rozhuk Ivan <rozhuk.im@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* comgt: fix hotplug event handlingRozhuk Ivan2020-03-162-5/+5
| | | | | | | | | Hotplug manager send: "remove" -> "add" -> "bind" events, script interpret bind as "not add" = "remove" and mark device as unavailable. Signed-off-by: Rozhuk Ivan <rozhuk.im@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* netifd: update to latest git HEADHans Dedecker2020-03-161-3/+3
| | | | | | dbdef93 interface-ip: transfer prefix route ownership for deprecated ipv6addr to kernel Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iproute2: revert add libcap support, enabled in ip-fullMathias Kresin2020-03-151-9/+9
| | | | | | | | | | | | | This reverts commit a6da3f9ef746101b84a6f530f5a40de28341b69a. The libcap isn't as optional as the commit messages suggests. A hard dependency to the libcap package is added, which is only available in the external packages feed. Therefore it is impossible to package ip-full without having the external packages feed up and running, which is a regression to the former behaviour. Signed-off-by: Mathias Kresin <dev@kresin.me> Acked-by: Hans Dedecker <dedeckeh@gmail.com>
* odhcpd: update to latest git HEADHans Dedecker2020-03-151-3/+3
| | | | | | | | 6594c6b ubus: use dhcpv6 ia assignment flag a90cc2e dhcpv6-ia: avoid setting lifetime to infinite for static assignments bb07fa4 dhcpv4: avoid setting lifetime to infinite for static assignments Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>