path: root/package/network
Commit message | Author | Age | Files | Lines
* mac80211: disable ft-over-ds by default | Felix Fietkau | 2022-08-30 | 1 | -1/+1
  Testing has shown it to be very unreliable in a variety of configurations. It is not mandatory, so let's disable it by default until we have a better solution.
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* unetd: update to the latest version, makes VXLAN/eBPF optional | Felix Fietkau | 2022-08-29 | 1 | -8/+22
  b75791a6db25 scripts/update-cmd.pl: reorder add/remove calls to better deal with dynamic changes
  c29e1ad045d0 scripts/update-cmd.pl: set device up before adding routes/addresses
  5ad35ce4beea scripts/update-cmd.pl: run update two times
  5d79b88f00c1 add support for overriding peer-exchange-port for individual hosts
  0041fcacb624 add support for disabling VXLAN/eBPF support
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* unetd: update to the latest version | Felix Fietkau | 2022-08-28 | 1 | -3/+3
  5cbd55f60346 unet-cli: fix formatting of help text
  59b97448b636 build.sh: force use of -fPIC on static libraries to fix build error
  74a14c00abb0 pex-msg: fix siphash key initializer
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* nftables: update to 1.0.5 | Nick Hainke | 2022-08-28 | 2 | -52/+3
  Remove upstreamed patch:
  - 0001-meta-don-t-use-non-POSIX-formats-in-strptime.patch
  Changes:
  13248670 build: Bump version to 1.0.5
  3432eebd tests/py: disable arp family for queue statement
  180ce4d7 meta: don't use non-POSIX formats in strptime()
  c1c223f1 src: allow anon set concatenation with ether and vlan
  87c3041b evaluate: search stacked header list for matching payload dep
  b1e3ed03 netlink_delinearize: also postprocess OP_AND in set element context
  f680055c tests: add a test case for ether and vlan listing
  dbd5f348 debug: dump the l2 protocol stack
  0d9daa04 proto: track full stack of seen l2 protocols, not just cumulative offset
  89688c94 netlink_delinearize: postprocess binary ands in concatenations
  0542a431 netlink_delinearize: allow postprocessing on concatenated elements
  8efab552 parser_json: fix device parsing in netdev family
  76fae8f5 src: proto: support DF, LE PHB, VA for DSCP
  446e76db doc: Document limitations of ipsec expression with xfrm_interface
  a2ddb38f cache: report an error message if cache initialization fails
  649b8ce3 cache: validate handle string length
  64c74ba5 cache: prepare nft_cache_evaluate() to return error
  46980cdd rule: crash when uncollapsing command with unexisting table or set
  8a6cdfaf cache: release pending rules when chain binding lookup fails
  e17337df evaluate: report missing interval flag when using prefix/range in concatenation
  45c097c6 scanner: allow prefix in ip6 scope
  6c23bfa5 segtree: fix map listing with interface wildcard
  8623772a scanner: don't pop active flex scanner scope
  994bf500 parser: add missing synproxy scope closure
  ed2426bc tests/py: Add a test for failing ipsec after counter
  27107b49 evaluate: fix segfault when adding elements to invalid set
  0f82b07f mnl: store netlink error location for set elements
  15b3be2e src: remove NFT_NLATTR_LOC_MAX limit for netlink location error reporting
  f56e901a parser_bison: fix error location for set elements
  6d1ee926 intervals: check for EXPR_F_REMOVE in case of element mismatch
  5357cb7b intervals: fix crash when trying to remove element in empty set
  d54510f8 netlink_delinearize: memleak when parsing concatenation data
  12a223ce libnftables: release top level scope
  b91bbf88 optimize: limit statement is not supported yet
  45a61a75 optimize: assume verdict is same when rules have no verdict
  fa409176 optimize: only merge OP_IMPLICIT and OP_EQ relational
  29e62111 tests: shell: run -c -o on ruleset
  887405df optimize: add unsupported statement
  8f61a69e optimize: add hash expression support
  ca8fd77a optimize: add numgen expression support
  721efd64 optimize: add binop expression support
  f7e901a2 optimize: add fib expression support
  54b1e49f optimize: add xfrm expression support
  0beaea37 optimize: add osf expression support
  d07fe8e8 optimize: fix verdict map merging
  38d48fe5 optimize: fix reject statement
  f9939f89 optimize: remove comment after merging
  8f10f33a optimize: do not print stateful information
  3ac932e9 optimize: do not merge rules with set reference in rhs
  64ebb03a optimize: do not compare relational expression rhs when collecting statements
  59e3a592 intervals: Do not sort cached set elements over and over again
  d434de8b intervals: do not empty cache for maps
  87ba510f intervals: do not report exact overlaps for new elements
  498a5f0c rule: collapse set element commands
  8fafe4e6 tests: shell: runtime set element automerge
  638af0ce Revert "scanner: flags: move to own scope"
  Signed-off-by: Nick Hainke <vincent@systemli.org>
* iproute2: replace musl-compilation-fix with upstream fix | Nick Hainke | 2022-08-28 | 2 | -27/+23
  Instead of defining the MIN version it is enough to include "#include <sys/param.h>".
  Delete patch:
  - 105-ipstats-Define-MIN-function-to-fix-undefined-referen.patch
  Add patch:
  - 010-ipstats-Add-param.h-for-musl.patch
  Signed-off-by: Nick Hainke <vincent@systemli.org>
* wireguard-tools: update to v1.0.20210914 | Nick Hainke | 2022-08-28 | 1 | -2/+2
  Update to latest version.
  Signed-off-by: Nick Hainke <vincent@systemli.org>
* ethtool: update to 5.19 | Nick Hainke | 2022-08-28 | 1 | -2/+2
  Release Notes:
  https://lore.kernel.org/netdev/20220821234539.f7nslwyd53bsftsy@lion.mk-sys.cz/T/
  Signed-off-by: Nick Hainke <vincent@systemli.org>
* iptables: default to ip(6)tables-nft when using buildroot | Etienne Champetier | 2022-08-27 | 1 | -2/+2
  35fec487e30f05c81bd135326a993dad7f861812 fixed opkg usage, but when using buildroot we were still defaulting to ip(6)tables-legacy
  Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* unetd: add WireGuard based VPN connection manager for OpenWrt | Felix Fietkau | 2022-08-27 | 3 | -0/+187
  This package simplifies setting up wireguard networks on OpenWrt by a wireguard network as a JSON file, which can be shared across all participating nodes. It can be signed with an authentication key and automatically kept in sync. unetd also supports deterministically generating ipv6 addresses for each host based on the public key and storing those in a hosts file that can be used with dnsmasq. It also supports automatically creating VXLAN tunnels between multiple endpoints.
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* netifd: update to the latest version | Felix Fietkau | 2022-08-25 | 1 | -3/+3
  76d2d41b7355 interface: fix use-after-free bug when rewriting resolv.conf
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* firewall4: update to latest Git HEAD | Jo-Philipp Wich | 2022-08-24 | 1 | -3/+3
  a4484d4 fw4: support automatic includes
  ca7e3a1 fw4: honour enabled option of include sections
  5a02f74 tests: add missing fs.stat) mock data for `nf_conntrack_dummy`
  111a7f7 fw4: don't inherit zone family from ct helpers
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* uhttpd: update to latest Git HEAD | Jo-Philipp Wich | 2022-08-24 | 1 | -3/+3
  e3395cd ucode: initialize search path before VM init
  8cb3f85 ucode: initialize default library search path
  188dea2 utils: accept '?' as path terminator in uh_path_match()
  c5eac5d file: support using dynamic script handlers as error pages
  290ff88 relay: trigger close if in header read state with pending data
  f9db538 ucode: ignore exit exceptions
  8ba0b64 cmake: use variables and find_library for dependency
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: fix WPA3 enterprise keys and ciphers | Joerg Werner | 2022-08-20 | 1 | -3/+10
  WPA3 enterprise requires group_mgmt_cipher=BIP-GMAC-256 and if 802.11r is active also wpa_key_mgmt FT-EAP-SHA384. This commit also requires corresponding changes in netifd.
  Signed-off-by: Joerg Werner <schreibubi@gmail.com>
* netifd: update to git HEAD | Hauke Mehrtens | 2022-08-20 | 1 | -3/+3
  87fbefd interface: support "zone" config option
  bfa039c netifd: fix WPA3 enterprise ciphers
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* iwinfo: update to latest HEAD | Hauke Mehrtens | 2022-08-20 | 1 | -3/+3
  0dad3e6 Add support for CCMP-256 and GCMP-256 ciphers
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* iproute2: Fix KERNEL_INCLUDE in SDK | Hauke Mehrtens | 2022-08-18 | 1 | -1/+1
  In the SDK the folder $(LINUX_DIR)/user_headers/include does not exist, but it more or less contains the same content as $(LINUX_DIR)/include/uapi which also exists in the SDK.
  Since iproute2 commit 1d819dcc741e ("configure: fix parsing issue on include_dir option") it checks if this folder exists and aborts the build if it does not exist.
  https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=1d819dcc741e25958190e31f8186c940713fa0a8
  With this commit the KERNEL_INCLUDE variable points to a valid folder with the kernel include headers. I am not sure if they are actually needed because the build worked before even with an invalid path.
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: add mbo flag to get_clients ubus method | Stijn Tintel | 2022-08-15 | 1 | -0/+4
  There is no WLAN_STA_MBO flag, but according to the hostapd source code, when an STA does not support MBO, cell_capa will be 0. Use this to indicate MBO support in the get_clients ubus method.
  Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
  Reviewed-by: David Bauer <mail@david-bauer.net>
* umbim: bump to git HEAD | Hauke Mehrtens | 2022-08-13 | 1 | -3/+3
  146bc77 umbim: fix invalid mbim message string encoding
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* iwinfo: update to latest HEAD | Hauke Mehrtens | 2022-08-13 | 1 | -3/+3
  705d3b5 iwinfo: Add missing auth_suites mappings for WPA3
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* iproute2: shrink ip-tiny size by disabling features | Nick Hainke | 2022-08-13 | 1 | -8/+6
  With the 5.18 and 5.19 update ip-tiny grows in size. Remove some features bringing it back to the size before 5.18.
  Remove
  - Identifier-locator addressing (ila)
  - MACsec Device Configuration (macsec)
  - Multicast Routing Cache Management (mroute)
  - mrule
  - Virtual Routing and Forwarding (vrf)
  - Segment Routing (sr)
  Signed-off-by: Nick Hainke <vincent@systemli.org>
* iproute2: update to 5.19.0 | Nick Hainke | 2022-08-13 | 4 | -6/+33
  Add patch:
  - 105-ipstats-Define-MIN-function-to-fix-undefined-referen.patch
  Refreshed:
  - 170-ip_tiny.patch
  - 195-build_variant_ip_tc.patch
  Changes:
  deb48554 v5.19.0
  f8decf82 bpf_glue: include errno.h
  71178ae0 rdma: update uapi/ib_user_verbs.h
  96594fd2 vdpa: update uapi headers from 5.19-rc7
  30c7b77f Revert "uapi: add vdpa.h"
  c5433c4b ip neigh: Fix memory leak when doing 'get'
  2cb76253 mptcp: Fix memory leak when getting limits
  afdbb020 mptcp: Fix memory leak when doing 'endpoint show'
  6db01afd bridge: Fix memory leak when doing 'fdb get'
  1d540336 ip address: Fix memory leak when specifying device
  325f706b uapi: add virtio_ring.h
  291898c5 uapi: add vdpa.h
  6e2fb804 uapi: update bpf.h
  329fda18 ip: Fix size_columns() invocation that passes a 32-bit quantity
  2a00a4b1 man: tc-fq_codel: add drop_batch
  6bf5abef uapi: update mptcp.h
  02410392 ip: Fix size_columns() for very large values
  ed243312 man: tc-ct.8: fix example
  2bb37e90 l2tp: fix typo in AF_INET6 checksum JSON print
  855edb3d man: tc-fq_codel: Fix a typo.
  4044a453 tc: declaration hides parameter
  a44a7918 genl: fix duplicate include guard
  703f2de6 uapi: change name for zerocopy sendfile in tls
  248ad98e uapi: update socket.h
  11e41a63 ip: Convert non-constant initializers to macros
  8d3977ef Update kernel headers
  5a1ad9f8 man: ip-stats.8: Describe groups xstats, xstats_slave and afstats
  d9976d67 ipstats: Expose bond stats in ipstats
  36e10429 ipstats: Expose bridge stats in ipstats
  79f5ad95 iplink_bridge: Split bridge_print_stats_attr()
  1247ed51 ipstats: Add groups "xstats", "xstats_slave"
  c6900b79 ipstats: Add a third level of stats hierarchy, a "suite"
  2ed73b9a iplink: Add JSON support to MPLS stats formatter
  5ed8fd9d ipstats: Add a group "afstats", subgroup "mpls"
  dff392fd iplink: Publish a function to format MPLS stats
  72623b73 iplink: Fix formatting of MPLS stats
  ce41750f ip: ipstats: Do not assume length of response attribute payload
  40b50f15 bridge: vni: add support for stats dumping
  c7f12a15 ip: iplink_vxlan: add support to set vnifiltering flag on vxlan device
  45cd32f9 bridge: vxlan device vnifilter support
  837294e4 libbpf: Remove use of bpf_map_is_offload_neutral
  64e5ed77 libbpf: Remove use of bpf_program__set_priv and bpf_program__priv
  ba6519cb libbpf: Use bpf_object__load instead of bpf_object__load_xattr
  a6eb654d f_flower: add number of vlans man entry
  5788732e f_flower: Check args with num_of_vlans
  5ba31bcf f_flower: Add num of vlans parameter
  b28eb051 man: Add man pages for the "stats" functions
  a05a27c0 ipmonitor: Add monitoring support for stats events
  0f1fd40c ipstats: Add offload subgroup "l3_stats"
  179030fa ipstats: Add offload subgroup "hw_stats_info"
  af5e7955 ipstats: Add a group "offload", subgroup "cpu_hit"
  0517a2fd ipstats: Add a group "link"
  df0b2c6d ipstats: Add a shell of "show" command
  82f6444f ipstats: Add a "set" command
  54d82b06 ip: Add a new family of commands, "stats"
  5520cf16 ip: Publish functions for stats formatting
  a463d6b1 libnetlink: Add filtering to rtnl_statsdump_req_filter()
  38ae12d3 devlink: introduce -[he]x cmdline option to allow dumping numbers in hex format
  bba95837 Update kernel headers
  f6559bea ip-link: put types on man page in alphabetic order
  ee53174b ip/iplink_virt_wifi: add support for virt_wifi
  Signed-off-by: Nick Hainke <vincent@systemli.org>
* iproute2: update to 5.18.0 | Nick Hainke | 2022-08-13 | 7 | -10/+25
  The ip-tiny size grows from 124k (5.17.0) to 128k (5.18.0).
  The update introduces a commit "configure: add check_libtirpc()" that introduces a check for libtirpc. However, if libtirpc is already in the staging directory due to another dependency the check yields that the library is installed and should be used resulting in failures like:
  Package ss is missing dependencies for the following libraries: libtirpc.so.3
  To fix it add a patch making libtirpc optional again and setting it "HAVE_TIRPC=n":
  - 155-keep_tirpc_optional.patch
  Fix patches:
  - 130-no_netem_tipc_dcb_man_vdpa.patch
  Refresh patches:
  - 140-keep_libmnl_optional.patch
  - 150-keep_libcap_optional.patch
  - 180-drop_FAILED_POLICY.patch
  - 200-drop_libbsd_dependency.patch
  Changes:
  6474b7c8 v5.18.0
  4429a6c9 tipc: fix keylen check
  6b6979b9 iplink: remove GSO_MAX_SIZE definition
  19c3e009 doc: fix 'infact' --> 'in fact' typo
  ed706c78 man: fix some typos
  03589beb man: devlink-region: fix typo in example
  b84fc332 tc: em_u32: fix offset parsing
  b6d17086 uapi: update of virtio_ids
  17bf51b7 libbpf: Remove use of bpf_map_is_offload_neutral
  fa305925 libbpf: Remove use of bpf_program__set_priv and bpf_program__priv
  9e0057b4 libbpf: Use bpf_object__load instead of bpf_object__load_xattr
  e81fd551 devlink: fix "devlink health dump" command without arg
  6f3b5843 man: use quote instead of acute accent
  42d351fa man: 'allow to' -> 'allow one to'
  d8a7a0f4 uapi: upstream update to stddef.h
  5b2ff061 uapi: update from 5.18-rc1
  292509f9 ss: remove an implicit dependency on rpcinfo
  1ee309a4 configure: add check_libtirpc()
  41848100 ip/geneve: add support for IFLA_GENEVE_INNER_PROTO_INHERIT
  28add137 f_flower: Implement gtp options support
  b25599c5 ip: GTP support in ip link
  e4880869 man: bridge: document per-port mcast_router settings
  9e82e828 bridge: support for controlling mcast_router per port
  f1d18e2e Update kernel headers
  8130653d vdpa: Update man page with added support to configure max vq pair
  56eb8bf4 vdpa: Support reading device features
  16482fd4 vdpa: Support for configuring max VQ pairs for a device
  bd91c764 vdpa: Allow for printing negotiated features of a device
  2d1954c8 vdpa: Remove unsupported command line option
  93fb6810 Makefile: move HAVE_MNL check to top-level Makefile
  2dee2101 man: ip-link: whitespace fixes to odd line breaks mid sentence
  609b90aa man: ip-link: mention bridge port's default mcast_flood state
  b1c3ad84 man: ip-link: document new bcast_flood flag on bridge ports
  c354a434 ip: iplink_bridge_slave: support for broadcast flooding
  909f0d51 man: bridge: add missing closing " in bridge show mdb
  3b681cf9 man: bridge: document new bcast_flood flag for bridge ports
  a6c848eb bridge: support for controlling flooding of broadcast per port
  8acb5247 ip/batadv: allow to specify RA when creating link
  0431d8e8 Import batman_adv.h header from last kernel sync point
  239bfd45 Revert "configure: Allow command line override of toolchain"
  a93c90c7 tc: separate action print for filter and action dump
  d9977eaf bpf: Remove use of bpf_create_map_xattr
  ac4e0913 bpf: Export bpf syscall wrapper
  873bb975 bpf_glue: Remove use of bpf_load_program from libbpf
  5e17b715 ss: display advertised TCP receive window and out-of-order counter
  712ec66e tc: bash-completion: Add profinet and ethercat to procotol completion list
  75061b35 lib: add profinet and ethercat as link layer protocol names
  0a685b98 man8/ip-link.8: add locked port feature description and cmd syntax
  d4fe3673 man8/bridge.8: add locked port feature description and cmd syntax
  092af16b ip: iplink_bridge_slave: add locked port flag support
  0e51a185 bridge: link: add command to set port in locked mode
  04a0077d Update kernel headers
  386ae64c configure: Allow command line override of toolchain
  bea92cb0 mptcp: add port support for setting flags
  2dbc6c90 mptcp: add fullmesh support for setting flags
  5fb6bda0 mptcp: add fullmesh check for adding address
  9831202f bond: add ns_ip6_target option
  e8fd4d4b devlink: Remove strtouint8_t in favor of get_u8
  2688abf0 devlink: Remove strtouint16_t in favor of get_u16
  95c03f40 devlink: Remove strtouint32_t in favor of get_u32
  7cb0e24d devlink: Remove strtouint64_t in favor of get_u64
  7848f6bb Update kernel headers
  4f015972 f_flower: fix indentation for enc_key_id and u32
  25a9c4fa tunnel: Fix missing space after local/remote print
  ff14875e Update documentation
  8908cb25 Add support for the IOAM insertion frequency
  cd24451e Update kernel headers
  e4ba36f7 iplink: add ip-link documentation
  5d57e130 iplink: add gro_max_size attribute handling
  721435dc tc: u32: add json support in `print_raw`, `print_ipv4`, `print_ipv6`
  c733722b tc: u32: add support for json output
  5f44590d tc/f_flower: fix indentation
  9948b6cb tc_util: fix breakage from clang changes
  f4cd4f12 tc: add skip_hw and skip_sw to control action offload
  ba5ac984 json_print: suppress clang format warning
  bf71c8f2 libbpf: fix clang warning about format non-literal
  5632cf69 tunnel: fix clang warning
  c0248878 tipc: fix clang warning about empty format string
  371c13e8 can: fix clang warning
  8d27eee5 ipl2tp: fix clang warning
  560d2336 tc_util: fix clang warning in print_masked_type
  b2450e46 flower: fix clang warnings
  4e27d538 netem: fix clang warnings
  9d5e29e6 utils: add format attribute
  343c4f52 tc: add format attribute to tc_print_rate
  Signed-off-by: Nick Hainke <vincent@systemli.org>
* iproute2: update to 5.17.0 | Nick Hainke | 2022-08-13 | 2 | -33/+2
  Remove backports:
  - 0001-lib-fix-ax25.h-include-for-musl.patch
  Changes:
  4c424dfd v5.17.0
  7846496b link_xfrm: if_id must be non zero
  eed4bb1a testsuite: link xfrm delete no if_id test
  ac0a54b2 rdma: make RES_PID and RES_KERN_NAME alternative to each other
  885e281e uapi: update vdpa.h
  19c0def1 ipaddress: remove 'label' compatibility with Linux-2.0 net aliases
  1808f002 lib/fs: fix memory leak in get_task_name()
  62c0700c uapi: update magic.h
  c8d9d925 rdma: Fix the logic to print unsigned int.
  a42dfaa4 Revert "rdma: Fix res_print_uint() and add res_print_u64()"
  9d0badec rdma: Fix res_print_uint() and add res_print_u64()
  86a1452b uapi: update to xfrm.h
  09c6a3d2 bridge: Remove vlan listing from `bridge link`
  e4fda259 bridge: Fix error string typo
  cc143bda lnstat: fix strdup leak in -w argument parsing
  90bbf861 iplink_can: print_usage: typo fix, add missing spaces
  1b5c7414 dcb: Fix error reporting when accessing "dcb app"
  a38d305d tc: fix duplicate fall-through
  f8beda6e libnetlink: fix socket leak in rtnl_open_byproto()
  7f70eb2a tc_util: Fix parsing action control with space and slash
  29da83f8 iprule: Allow option dsfield in 'ip rule show'
  07012a1f ss: use freecon() instead of free() when appropriate
  03b4de0b man: Fix a typo in the flag documentation of ip address
  924f6b4a dcb: app: Add missing "dcb app show dev X default-prio"
  5c9571bc uapi: update kernel headers from 5.17-rc1
  d542543b tc/action: print error to stderr
  52370c61 mptcp: add id check for deleting address
  c556f577 dcb: Rewrite array-formatting code to not cause warnings with Clang
  0dc5da8e f_flower: fix checkpatch warnings
  ffbcb246 netem: fix checkpatch warnings
  8bced38a lib: fix ax25.h include for musl
  e27bb8e5 uapi: add missing virtio headers
  26ff0afa uapi: add missing rose and ax25 files
  eb4206ec q_cake: allow changing to diffserv3
  db530529 iplink_can: add ctrlmode_{supported,_static} to the "--details --json" output
  ac2e9148 Update kernel headers
  bb4cc9cc rdma: Don't allocate sparse array
  b8767168 rdma: Limit copy data by the destination size
  167e33f3 vdpa: Enable user to set mtu of the vdpa device
  384938f9 vdpa: Enable user to set mac address of vdpa device
  a311f0c4 vdpa: Enable user to query vdpa device config layout
  9d8882d5 vdpa: Update kernel headers
  5cb7ec0c Update kernel headers and import virtio_net
  26113360 mptcp: add support for changing the backup flag
  4b301b87 tc: Add support for ce_threshold_value/mask in fq_codel
  99d09ee9 bond: add arp_missed_max option
  432cb06b mptcp: add support for fullmesh flag
  2d777dfe Update kernel headers
  a21458fc vdpa: Remove duplicate vdpa UAPI header file
  Signed-off-by: Nick Hainke <vincent@systemli.org>
* iproute2: update to 5.16.0 | Nick Hainke | 2022-08-13 | 12 | -18/+49
  Import patch:
  - 0001-lib-fix-ax25.h-include-for-musl.patch
  Refreshed patches:
  - 100-configure.patch
  - 130-no_netem_tipc_dcb_man_vdpa.patch
  - 140-keep_libmnl_optional.patch
  - 145-keep_libelf_optional.patch
  - 150-keep_libcap_optional.patch
  - 170-ip_tiny.patch
  - 190-fix-nls-rpath-link.patch
  - 195-build_variant_ip_tc.patch
  - 200-drop_libbsd_dependency.patch
  - 300-selinux-configurable.patch
  Size ip-full (mips_24kc):
  - 176K ip-full_5.16.0-1_mips_24kc.ipk
  - 172K ip-full_5.15.0-2_mips_24kc.ipk
  Size ip-tiny (mips_24kc):
  - 124K ip-tiny_5.16.0-1_mips_24kc.ipk
  - 124K ip-tiny_5.15.0-2_mips_24kc.ipk
  Changes:
  ade99e20 v5.16.0
  1225e307 testsuite: Fix tc/vlan.t test
  4734fdb9 uapi: update to mptcp.h
  c04e45d0 lib/bpf: fix verbose flag when using libbpf
  73590d95 tc: flower: Fix buffer overflow on large labels
  3f77bc62 uapi: update to if_ether.h
  5f8bb902 ip/ipnexthop: fix unsigned overflow in parse_nh_group_type_res()
  3184de37 lib/bpf_legacy: remove always-true check
  79026c12 rdma: update uapi headers
  fa58de9b vdpa: align uapi headers
  be31c264 lnstat: fix buffer overflow in header output
  0e949725 tc/m_vlan: fix print_vlan() conditional on TCA_VLAN_ACT_PUSH_ETH
  9bd5ab0f mptcp: fix JSON output when dumping endpoints by id
  a787d9ae man: tc-u32: Fix page to match new firstfrag behavior
  af96c7b5 Fix some typos detected by Lintian in manpages
  35c81b18 uapi: update vdpa.h
  0c263d7c iplink_can: add new CAN FD bittiming parameters: Transmitter Delay Compensation (TDC)
  0f7bb8d8 iplink_can: print brp and dbrp bittiming variables
  67f3c7a5 iplink_can: use PRINT_ANY to factorize code and fix signedness
  fd5e958c iplink_can: code refactoring of print_ctrlmode()
  8316df6e iplink_can: fix configuration ranges in print_usage() and add unit
  6e15d27a ip: add AMT support
  9cae1de5 Import amt.h
  258e350c Update kernel headers
  047e9ae5 devlink: Fix cmd_dev_param_set() to check configuration mode
  9e009e78 ip, neigh: Add NTF_EXT_MANAGED support
  040e5252 ip, neigh: Add missing NTF_USE support
  c76a3849 ip, neigh: Fix up spacing in netlink dump
  76b30805 xfrm: enable to manage default policies
  95cd2a62 iplink: enable to specify index when changing netns
  cee0cf84 configure: add the --libdir option
  0ee1950b configure: add the --prefix option
  4b8bca5f configure: support --param=value style
  99245d17 configure: simplify options parsing
  c330d097 configure: fix parsing issue with more than one value per option
  48c379bc configure: fix parsing issue on libbpf_dir option
  1d819dcc configure: fix parsing issue on include_dir option
  19ba785f rdma: Add optional-counters set/unset support
  7d5cb70e rdma: Add stat "mode" support
  d480cb71 rdma: Update uapi headers
  e4ca6a49 Update kernel headers
  a31e7b79 mptcp: cleanup include section.
  41020eb0 Update documentation
  8fb522cd Add support for IOAM encap modes
  b840c620 ip: nexthop: keep cache netlink socket open
  b9017435 devlink: print maximum number of snapshots if available
  6448ed37 Update kernel headers
  7ca868a7 ip: nexthop: add print_cache_nexthop which prints and manages the nh cache
  5d5dc549 ip: route: print and cache detailed nexthop information when requested
  cb3d18c2 ip: nexthop: add a helper which retrieves and prints cached nh entry
  60a97030 ip: nexthop: add cache helpers
  53d7c43b ip: nexthop: factor out ipnh_get_id rtnl talk into a helper
  a2ca4312 ip: nexthop: factor out print_nexthop's nh entry printing
  945c26db ip: nexthop: parse attributes into nh entry structure before printing
  7ec1cee6 ip: nexthop: add nh entry structure
  60a7515b ip: nexthop: split print_nh_res_group into parse and print parts
  cfb0a872 ip: nexthop: add resilient group structure
  371e889d ip: export print_rta_gateway version which outputs prepared gateway string
  f7278996 ip: print_rta_if takes ifindex as device argument instead of attribute
  e2cc9840 ROSE: Print decoded addresses rather than hex numbers.
  26c5782f ROSE: Add rose_ntop implementation.
  fd4c1c81 NETROM: Print decoded addresses rather than hex numbers.
  c63b769a NETROM: Add netrom_ntop implementation.
  399ae00a AX.25: Print decoded addresses rather than hex numbers.
  3a92669b AX.25: Add ax25_ntop implementation.
  ebbb7017 lib: bpf_legacy: add prog name, load time, uid and btf id in prog info dump
  0431e1e7 ip: Support filter links/neighs with no master
  12b3d6a2 man: ip-macsec: fix gcm-aes-256 formatting issue
  ae895504 bridge: vlan: add support for mcast_router option
  12fbe3e4 bridge: vlan: set vlan option attributes while parsing
  db28c944 Update kernel headers
  6d676ad9 ip: rewrite routel in python
  1eaebad2 ip: remove routef script
  adddf30c ip: remove ifcfg script
  2c811088 ip: remove old rtpr script
  72222cd4 bridge: vlan: add support for dumping router ports
  7ad5505b bridge: vlan: add global mcast_querier option
  061da2e2 bridge: vlan: add global mcast_startup_query_interval option
  60dcd5c3 bridge: vlan: add global mcast_query_response_interval option
  0e4cfa03 bridge: vlan: add global mcast_query_interval option
  ebcee09c bridge: vlan: add global mcast_querier_interval option
  3ae784f5 bridge: vlan: add global mcast_membership_interval option
  2b6cc38d bridge: vlan: add global mcast_last_member_interval option
  7cc7dbf4 bridge: vlan: add global mcast_startup_query_count option
  3399c075 bridge: vlan: add global mcast_last_member_count option
  a8d7212a bridge: vlan: add global mcast_mld_version option
  29fada0f bridge: vlan: add global mcast_igmp_version option
  1f608d59 bridge: vlan: add global mcast_snooping option
  dee5eb05 bridge: vlan: add support to set global vlan options
  ecf6d8b4 bridge: vlan: add support for vlan filtering when dumping options
  720f8613 bridge: vlan: add support to show global vlan options
  d3a961a9 bridge: vlan: skip unknown attributes when printing options
  312e22fe bridge: vlan: factor out vlan option printing
  d2eecb9d ip: bridge: add support for mcast_vlan_snooping
  ebaa603b ip/bond: add lacp active support
  8d6134b2 Update kernel headers
  51d8fc70 ip/tunnel: always print all known attributes
  71ba9c18 ipioam6: use print_nl instead of print_null
  e7841194 tc/skbmod: Introduce SKBMOD_F_ECN option
  78832863 IOAM man8
  32f4969d New IOAM6 encap type for routes
  29098125 Add, show, link, remove IOAM namespaces and schemas
  e53f4cd5 Import ioam6 uapi headers
  236696e5 Update kernel headers
  cf866f0a ipneigh: add support to print brief output of neigh cache in tabular format
  Signed-off-by: Nick Hainke <vincent@systemli.org>
* kernel: kmod-ipt-ulog: Remove package | Hauke Mehrtens | 2022-08-10 | 1 | -14/+0
  The ulog iptables target was removed with kernel 3.17, remove the kernel and also the iptables package in OpenWrt too.
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* kernel: kmod-nft-nat6: Remove package | Hauke Mehrtens | 2022-08-10 | 1 | -1/+1
  The nft NAT packages for IPv4 and IPv6 were merged into the common packages with kernel 5.1. The kmod-nft-nat6 package was empty in our build, remove it.
  Multiple kernel configuration options were also removed, remove them from our generic kernel configuration too.
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* nftables: fix parsing date expressions | Jo-Philipp Wich | 2022-08-09 | 2 | -1/+50
  Musl libc does not support the non-POSIX "%F" format for strptime() so replace all occurrences of it with an equivalent "%Y-%m-%d" format.
  Fixes: #10419
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Revert "nftables: fix parsing date expressions" | Jo-Philipp Wich | 2022-08-09 | 2 | -50/+1
  This reverts commit eada8925776aafa3ec47d66fb89bf7eae730edf7.
  The commit contained unrelated target changes.
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* nftables: fix parsing date expressions | Jo-Philipp Wich | 2022-08-09 | 2 | -1/+50
  Musl libc does not support the non-POSIX "%F" format for strptime() so replace all occurrences of it with an equivalent "%Y-%m-%d" format.
  Fixes: #10419
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* odhcp6c: update to git HEAD | Hans Dedecker | 2022-08-05 | 1 | -3/+3
  7d21e8d dhcpv6: add option to ignore stateless advertise
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* umdns: add missing syscall to seccomp filter | Chen Minqiang | 2022-08-05 | 1 | -0/+4
  There are some syscalls missing:
  'getdents64'
  'getrandom'
  'statx'
  'newfstatat'
  Found with:
  'mkdir /etc/umdns; ln -s /tmp/1.json /etc/umdns/; utrace /usr/sbin/umdns'
  Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
* ltq-vdsl-app: Fix counter overflow resulting in negative values | Roland Barenbrug | 2022-08-05 | 1 | -1/+1
  The re-transmit counters can overflow the 32 bit representation resulting in negative values being displayed. Background being that the numbers are treated at some point as signed INT rather than unsigned INT.
  Change the counters from 32 bit to 64 bit, should provide sufficient room to avoid any overflow. Not the nicest solution but it works
  Fixes: #10077
  Signed-off-by: Roland Barenbrug <roland@treslong.com>
  Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
* hostapd: prevent unused crypto lib dependencies from being compiled | Boris Krasnovskiy | 2022-07-31 | 1 | -16/+16
  Prevented unused crypto lib dependencies from being compiled
  Signed-off-by: Boris Krasnovskiy <borkra@gmail.com>
* odhcp6c: update to latest git HEAD | Dávid Benko | 2022-07-30 | 1 | -3/+3
  9212bfc odhcp6c: fix IA discard when T1 > 0 and T2 = 0
  Signed-off-by: Dávid Benko <davidbenko@davidbenko.dev>
* layerscape: update remaining PKG_HASH / PKG_MIRROR_HASH  Christian Lamparter  2022-07-22  1  -1/+1
|
| The change of the PKG_VERSION caused the hash of the package to change.
| This is because the PKG_VERSION is present in the internal directory
| structure of the archive.
|
| Fixes: e879cccaa215 ("uboot-layerscape: update PKG_HASH")
| Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* hostapd: add ppsk option (private psk)  Manuel Giganto  2022-07-15  1  -3/+12
|
| This PR allows a user to enable a private psk, where each station
| may have its own psk or use a common psk if it is not defined.
| The private psk is defined using the sta's mac and a radius server
| is required.
|
| ppsk option should be enabled in the wireless configuration along with
| radius server details. When using PPSK, the key is ignored, it will be
| retrieved from radius server. SAE is not yet supported (private sae) in
| hostapd.
|
| Wireless example configuration:
|     option encryption 'psk2+ccmp'
|     option ppsk '1'
|     option auth_server '127.0.0.1'
|     option auth_secret 'radiusServerPassword'
|
| If you want to use dynamic VLAN on PPSK also include:
|     option dynamic_vlan '2'
|     option vlan_tagged_interface 'eth0'
|     option vlan_bridge 'br-vlan'
|     option vlan_naming '0'
|
| It works enabling mac address verification on radius server and requiring
| the tunnel-password (the private psk) from radius server.
|
| In the radius server we need to configure the users. In case of
| freeradius: /etc/freeradius3/mods-config/files/authorize
|
| The user and Cleartext-Password should be the mac lower case using the
| format "aabbccddeeff"
|     <sta mac> Cleartext-Password := "<sta mac>"
|         Tunnel-Password = <Private Password>
|
| Example of a user configured in radius and using dynamic VLAN5:
|     8cb84a000000 Cleartext-Password := "8cb84a000000"
|         Tunnel-Type = VLAN,
|         Tunnel-Medium-Type = IEEE-802,
|         Tunnel-Private-Group-ID = 5,
|         Tunnel-Password = MyPrivPw
|
| If we want to have a default or shared psk, used when the mac is not
| found in the list, we need to add the following at the end of the radius
| authorize file:
|     DEFAULT Auth-Type := Accept
|         Tunnel-Password = SharedPw
|
| And if using VLANs, for example VLAN6 for default users:
|     DEFAULT Auth-Type := Accept
|         Tunnel-Type = VLAN,
|         Tunnel-Medium-Type = IEEE-802,
|         Tunnel-Private-Group-ID = 6,
|         Tunnel-Password = SharedPw
|
| Signed-off-by: Manuel Giganto <mgigantoregistros@gmail.com>
* firewall3: update file hash  Michael Pratt  2022-07-14  1  -1/+1
|
| the hash and timestamp of the remote copy of the archive
| have changed since last bump,
| meaning the remote archive copy was recreated
|
| Signed-off-by: Michael Pratt <mcpratt@pm.me>
* hostapd: apply patch to fix building openssl variant  Paul Blazejowski  2022-07-11  1  -0/+32
|
| Add patch from:
| https://patchwork.ozlabs.org/project/hostap/patch/20220622121355.1337612-1-a.heider@gmail.com/
|
| Fixes: dab9103 ("hostapd: update to 2022-06-02")
| Signed-off-by: Paul Blazejowski <paulb@blazebox.homeip.net>
* iptables: update to 1.8.8  Nick Hainke  2022-07-10  13  -192/+362
|
| Remove upstreamed patches:
| - 001-xtables-Call-init_extensions6-for-static-builds.patch
| - 002-xtables-Call-init_extensions_a_b.patch
|
| Fix patches:
| - 102-iptables-disable-modprobe.patch
|
| Fix warnings in the form of:
|   xtables.c:475:14: warning: 'get_modprobe' defined but not used [-Wunused-function]
|     475 | static char *get_modprobe(void)
|         |              ^~~~~~~~~~~~
|
| Backport patches:
| - 020-treewide-use-uint-instead-of-u_int.patch
| - 030-revert-fix-build-for-missing-ETH_ALEN-definition.patch
| - 040-xshared-Fix-build-for-Werror-format-security.patch
| - 050-build-fix-error-during-out-of-tree-build.patch
| - 060-libxtables-unexport-init_extensions-declarations.patch
|
| Refresh patches:
| - 101-remove-check-already.patch
| - 102-iptables-disable-modprobe.patch
| - 200-configurable_builtin.patch
| - 600-shared-libext.patch
| - 700-disable-legacy-revisions.patch
|
| Remove from Makefile:
|   $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
|
| Changelog:
| fa0ccdbd configure: bump version for 1.8.8 release
| 8468fd4f nft: Fix EPERM handling for extensions without rev 0
| ce9195c6 extensions: LOG: Document --log-macdecode in man page
| 404f304d man: *NAT: Review --random* option descriptions
| 0a538259 extensions: DNAT: Merge core printing functions
| a7c2b728 libxtables: Revert change to struct xtables_pprot
| fd64a587 libxtables: Drop xtables_globals 'optstring' field
| 3b8a6a6f xshared: Extend xtables_printhelp() for arptables
| 8ff84eaf xshared: Move arp_opcodes into shared space
| adbfec0b extensions: MARK: Drop extra newline at end of help
| 1dcfb81e nft: split gen_payload() to allocate register and initialize expression
| 7e38890c nft: prepare for dynamic register allocation
| 165cafec nft: pass handle to helper functions to build netlink payload
| 94309632 nft: native mark matching support
| aa92ec96 nft: pass struct nft_xt_ctx to parse_meta()
| 4c70c42f nft-shared: update context register for bitwise expression
| 18c96821 extensions: man: Document service name support in DNAT and REDIRECT
| 72d542b6 extensions: Merge REDIRECT into DNAT
| 14d77c8a extensions: Merge IPv4 and IPv6 DNAT targets
| 9621318b extensions: DNAT: Rename from libipt to libxt
| 2e0c9a40 extensions: ipt_DNAT: Combine xlate functions also
| 7adef314 extensions: ipt_DNAT: Merge v1/v2 print/save code
| 3f4f1cf0 extensions: ipt_DNAT: Merge v1 and v2 parsers
| 070a8626 Revert "libipt_[SD]NAT: avoid false error about multiple destinations specified"
| 08c14fa6 man: DNAT: Describe shifted port range feature
| 24fff5d7 xlate-test: Fix for empty source line on failure
| ac4c84cc libxtables: Boost rule target checks by announcing chain names
| f58b0d74 libxtables: Implement notargets hash table
| b1aee6b2 nft: Reject standard targets as chain names when restoring
| b555bfed tests: shell: Fix 0004-return-codes_0 for static builds
| c293e116 nft: Review static extension loading
| 0836524f xtables: Call init_extensions{,a,b}() for static builds
| 6c689b63 Simplify static build extension loading
| 0c8e2535 libxtables: Fix for warning in xtables_ipmask_to_numeric
| 0c0cd434 nft: Don't pass command state opaque to family ops callbacks
| b6196c75 xshared: Prefer xtables_chain_protos lookup over getprotoent
| 07ee529f nft: Speed up immediate parsing
| b5f2faea nft: Simplify immediate parsing
| 17534cb1 Improve error messages for unsupported extensions
| 2dbb49d1 libxtables: Register only the highest revision extension
| 07e2107e xshared: Implement xtables lock timeout using signals
| a3980769 tests: NFLOG: enable `--nflog-range` tests
| b8e8ac27 tests: support explicit variant test result
| adb03c3f tests: add `NOMATCH` test result
| 7a006c7d tests: iptables-test: rename variable
| b7f15b42 iptables.8: Describe the effect of multiple -v flags
| 1407a9c4 tests: iptables-test: Support variant deviation
| fc8f7289 nft: cache: Dump rules if debugging
| 73b91292 nft: Add debug output to table creation
| 51d9d9e0 ebtables: Support verbose mode
| ad1ed75f nft: Set NFTNL_CHAIN_FAMILY in new chains
| 17ed253f iptables-restore: Support for extra debug output
| a761a026 nft: Use verbose flag to toggle debug output
| 98e69b7e nft: add support for native tcp flag matching
| 92808bd5 nft-shared: add tcp flag dissection
| 6aba94ef nft: prefer native expressions instead of tcp match
| c034cf31 nft: prefer native expressions instead of udp match
| 5489493e nft-shared: support native udp port delinearize
| 5795a1b5 nft-shared: support native tcp port range delinearize
| 250dce87 nft-shared: support native tcp port delinearize
| ea5d45dc extensions: libxt_NFLOG: fix typo
| 26ecdf53 xshared: Fix response to unprivileged users
| b32ae771 build: replace `AM_PROG_LIBTOOL` and `AC_DISABLE_STATIC` with `LT_INIT`
| 05286bab extensions: libxt_NFLOG: remove extra space when saving targets with prefixes
| f0d02998 extensions: libxt_NFLOG: fix `--nflog-prefix` Python test-cases
| f9df828a extensions: libxt_NFLOG: disable `--nflog-range` Python test-cases
| 62ad29e9 extensions: libxt_NFLOG: don't truncate log prefix on print/save
| db99f601 extensions: libxt_NFLOG: use nft built-in logging instead of xt_NFLOG
| 30b178b9 extensions: *NAT: Kill multiple IPv4 range support
| 7ee5b970 tests: iptables-test: correct misspelt variable
| 223f02ca nft: fix indentation error.
| 5c2c2eea ip6tables: Use the shared do_parse, too
| 9baf3bf0 iptables: Use xtables' do_parse() function
| e4f5185d nft: Move proto_parse and post_parse callbacks to xshared
| ded7b579 xshared: Store parsed wait and wait_interval in xtables_args
| 62c3c93d xshared: Move do_parse to shared space
| 3039a52c xtables: Do not pass nft_handle to do_parse()
| ece001c2 xtables: Pass xtables_args to check_inverse()
| 17abaeb1 xtables: Pass xtables_args to check_empty_interface()
| dc8d8fce xtables: Move struct nft_xt_cmd_parse to xshared.h
| 98a4462f xtables: Pull table validity check out of do_parse()
| d83371c7 xtables: Drop xtables' family on demand feature
| 49aa44ba nft-shared: set correct register value
| b129b1cf iptables-*-restore: Drop pointless line reference
| 316d8efb libxtables: Extend basic_exit_err()
| 4bff5aef xtables_globals: Embed variant name in .program_version
| 51e5d293 xshared: Share exit_tryhelp()
| 56ac0452 xshared: Share a common printhelp function
| 4149b5d8 xshared: Share print_match_save() between legacy ip*tables
| 273d88a7 extensions: tcpmss: add iptables-translate support
| 7213561d xshared: Make load_proto() static
| cf14b92b nft-shared: Drop unused function print_proto()
| 24f30842 xshared: Share print_header() with legacy iptables
| a323c283 xshared: Share print_fragment() with legacy
| 1d73cec0 xshared: Share print_rule_details() with legacy
| e5fb9f8e xshared: Share save_ipv{4,6}_addr() with legacy
| 22f2e1fc xshared: Share save_rule_details() with legacy
| 766e4872 xshared: Share print_iface() function
| b5881e7f nft: Change whitespace printing in save_rule callback
| 1189d830 xshared: Merge and share parse_chain()
| 1eab8e83 extensions: hashlimit: Fix tests with HZ=1000
| afa525ee xlate-test: Print full path if testing all files
| b8d5271d Unbreak xtables-translate
| 0af80a91 nft: Merge xtables-arp-standalone.c into xtables-standalone.c
| 142cf724 xtables: arptables accepts empty interface names
| ab0a785a xtables: Derive xtables_globals from family
| 6cf3976e nft-shared: Make nft_check_xt_legacy() family agnostic
| 832a0e2b nft-arp: Introduce post_parse callback
| 0aea399d arptables: Use standard data structures when parsing
| fe83b12f libxtables: Introduce xtables_globals print_help callback
| 0687852d xtables-standalone: Drop version number from init errors
| dded8ff3 nft: Add family ops callbacks wrapping different nft_cmd_* functions
| 38e1fe58 xtables: Simplify addr_mask freeing
| cfdda180 nft-shared: Introduce init_cs family ops callback
| 65b150ae xshared: Store optstring in xtables_globals
| 2e6014c7 nft: Introduce builtin_tables_lookup()
| db90ff64 tests: shell: fix bashism
| 45d8f769 nft: Delete builtin chains compatibly
| e865a853 nft-chain: Introduce base_slot field
| f9b33967 nft: Check base-chain compatibility when adding to cache
| 43189612 nft: cache: Avoid double free of unrecognized base-chains
| 040a15f2 xtables-translate: add missing argument and option to usage
| 2ed6dc75 tests: iptables-test: Fix conditional colors on stderr
| 63ab4fe3 ebtables: Avoid dropping policy when flushing
| b714d45d iptables-test.py: print with color escapes only when stdout isatty
| 481626bb tests: shell: Return non-zero on error
| 7559af83 tests: iptables-test: Exit non-zero on error
| c057939d tests: xlate-test: Exit non-zero on error
| a8da7186 tests: iptables-test: Print errors to stderr
| 5166c445 tests: xlate-test: Print errors to stderr
| fa78ff15 tests: xlate-test: Don't skip any input after the first empty line
| fcbe454b tests: iptables-test: Fix missing chain case
| 61e85e31 iptables-nft: allow removal of empty builtin chains
| 544e7dc1 Fix a few doc typos
| e438b976 nft: Use xtables_{m,c}alloc() everywhere
| ca11c7b7 nft: Use xtables_malloc() in mnl_err_list_node_add()
| cf410aa6 extensions: libxt_mac: Fix for missing space in listing
| 7ae14dc1 iptables-test: Make netns spawning more robust
| bef9dc57 extensions: hashlimit: Fix tests with HZ=100
| 943fbf3e ip6tables: masquerade: use fully-random so that nft can understand the rule
| ef7781eb libxtables: exit if called by setuid executeable
| 8629c53f tests/shell: Assert non-verbose mode is silent
| 57d1422d nft: Fix for non-verbose check command
| 26318637 ebtables: Dump atomic waste
| 765bf04e doc: ebtables-nft.8: Adjust for missing atomic-options
| e727ccad xtables: Call init_extensions6() for static builds
| 9e1fffdf extensions: libxt_multiport: add translation for -m multiport --ports
| c8145139 extensions: libxt_conntrack: simplify translation using negation
| 1c934617 extensions: libxt_tcp: rework translation to use flags match representation
| bb01e33d extensions: libxt_connlimit: add translation
| 62828a6a tests: xlate-test: support multiline expectation
| ba863c4b libxtables: extend xlate infrastructure
| 68ed965b extensions: libxt_string: Avoid buffer size warning for strncpy()
| 9b85e1ab libxtables: Introduce xtables_strdup() and use it everywhere
| ca840c20 extensions: libebt_ip6: Use xtables_ip6parse_any()
| 084671d5 iptables-apply: Drop unused variable
| 0729ab37 nft: Avoid buffer size warnings copying iface names
| eab75ed3 nft: Avoid memleak in error path of nft_cmd_new()
| ffe88f8f libxtables: Fix memleak in xtopt_parse_hostmask()
| 8bb5bcae extensions: libebt_ip6: Drop unused variables
| 97fabae7 libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()
| 5818be17 extensions: sctp: Translate --chunk-types option
| a61282ec extensions: sctp: Fix nftables translation
| 556f7044 Use proto_to_name() from xshared in more places
| eea68ca8 ebtables-translate: Use shared ebt_get_current_chain() function
| 9dc50b5b xshared: Merge invflags handling code
| 3664249f xshared: Eliminate iptables_command_state->invert
| f647f61f xtables: Make invflags 16bit wide
| 616800af extensions: SECMARK: Implement revision 1
| 1e984079 nft-arp: Make use of ipv4_addr_to_string()
| acac2dbe Eliminate inet_aton() and inet_ntoa()
| 9084ef29 extensions: sctp: Explain match types in man page
| a3e81c62 nft: Increase BATCH_PAGE_SIZE to support huge rulesets
| fdf64dcd nft: cache: Sort chains on demand only
| c5d9a723 fix build for missing ETH_ALEN definition
| 18d7535d extensions: libxt_conntrack: use bitops for status negation
| 18e334da extensions: libxt_conntrack: use bitops for state negation
| 831f57c7 libxtables: Simplify xtables_ipmask_to_cidr() a bit
| 46f9d3a9 xtables-translate: Fix translation of odd netmasks
| 330f5df0 nft: Fix bitwise expression avoidance detection
| 5f1fcace iptables-nft: fix -Z option
| c9441657 include: Drop libipulog.h
| 30c1d443 ebtables: Exit gracefully on invalid table names
|
| Signed-off-by: Nick Hainke <vincent@systemli.org>
* lldpd: update to 1.0.14  Nick Hainke  2022-07-10  1  -3/+3
|
| Changes
| - Add configure commands to alter inventory TLVs
|
| Fixes
| - Update seccomp rules for newer kernel/libc
| - Correctly handle an interface whose index has changed
| - Don't send VLANs when there are too many
|
| Signed-off-by: Nick Hainke <vincent@systemli.org>
* lldpd: switch to codeload.github.com  Nick Hainke  2022-07-10  1  -3/+3
|
| The mirror does not seem to work well anymore. Switch to
| codeload.github.com.
|
| Signed-off-by: Nick Hainke <vincent@systemli.org>
* wpan-tools: update to 0.9  Nick Hainke  2022-07-10  1  -2/+2
|
| Changes:
| - wpan-ping: fix ifname setting
| - wpan-hwsim: hardware simulator configuration utility
| - wpan-hwsim: fix long option argument option for dot
| - Don't install examples
| - hwsim: make sure lqi is always initialized
| - iwpan: fix clang compiler warning on absolute-value
| - examples: fix wrongly used unsigned attribute
| - build: hwsim: fix list of files needed for dist build
|
| Signed-off-by: Nick Hainke <vincent@systemli.org>
* wpan-tools: update to 0.8  Nick Hainke  2022-07-10  2  -46/+2
|
| Remove upstreamed patches:
| - 001-src-nl_extras.h-fix-compatibility-with-libnl-3.3.0.patch
|
| Changes:
| - examples: add README with details to the various examples
| - examples: af_ieee802154_tx example
| - examples: af_ieee802154_rx example
| - examples: add af_packet_rx example
| - examples: af_inet6_rx example
| - examples: af_packet_tx example
| - examples: af_inet6_tx example
| - examples: add .gitignore file for examples directory
| - src/nl_extras.h: fix compatibility with libnl 3.3.0
| - wpan-ping: add the support to set wpan-ping interval
| - wpan-ping: Add the filtering function for frame receiving
|
| Signed-off-by: Nick Hainke <vincent@systemli.org>
* wpan-tools: cleanup Makefile  Nick Hainke  2022-07-10  1  -7/+6
|
| - Use SPDX
| - Add PKG_RELEASE
| - Change wpan.cakelab.org to linux-wpan.org/wpan-tools.html
| - Switch to github.com as PKG_SOURCE_URL
|
| Signed-off-by: Nick Hainke <vincent@systemli.org>
* xdp-tools: fix build with NLS enabled  Daniel Golle  2022-07-06  2  -0/+32
|
| Make sure the 'configure' shell script finds the libintl when linking
| the test programs for discovering libpcap and libbpf.
|
| Reported-by: @trippleflux
| Fixes: 6ad1bea2a603 ("xdp-tools: add package")
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* xdp-tools: mark as nonshared  Nick Hainke  2022-07-06  1  -0/+1
|
| The SDK does not have the LLVM toolchain yet.
|
| Hopefully fixes errors in the form:
|   xsk_def_xdp_prog.c:4:10: fatal error: 'bpf/bpf_helpers.h' file not found
|   #include <bpf/bpf_helpers.h>
|
| Fixes: 6ad1bea2a603 ("xdp-tools: add package")
| Signed-off-by: Nick Hainke <vincent@systemli.org>
* xdp-tools: add package  Daniel Golle  2022-07-04  1  -0/+131
|
| xdp-tools - Library and utilities for use with the eXpress Data Path:
| Fast Programmable Packet Processing in the Operating System Kernel
|
| * libxdp: library for attaching XDP programs and using AF_XDP sockets
| * xdp-filter: a simple XDP-powered packet filter
| * xdp-loader: an XDP program loader
| * xdpdump: tool for capturing packets at the XDP layer
|
| Thanks to Nick @PolynomialDivision Hainke for testing and fixing!
|
| Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* tcpdump: update to 4.99.1  Nick Hainke  2022-07-03  5  -506/+361
|
| Adjust
| - 100-tcpdump_mini.patch
|
| Remove upstreamed patches:
| - 101-CVE-2020-8037.patch
| - 102-CVE-2018-16301.patch
|
| Changelog:
|
| Wednesday, June 9, 2021 by gharris
| Summary for 4.99.1 tcpdump release
|
| Source code:
| Squelch some compiler warnings
| ICMP: Update the snapend for some nested IP packets.
| MACsec: Update the snapend thus the ICV field is not payload for the caller.
| EIGRP: Fix packet header fields
| SMB: Disable printer by default in CMake builds
| OLSR: Print the protocol name even if the packet is invalid
| MSDP: Print ": " before the protocol name
| ESP: Remove padding, padding length and next header from the buffer
| DHCPv6: Update the snapend for nested DHCPv6 packets
| OpenFlow 1.0: Get snapend right for nested frames.
| TCP: Update the snapend before decoding a MPTCP option
| Ethernet, IEEE 802.15.4, IP, L2TP, TCP, ZEP: Add bounds checks
| ForCES: Refine SPARSEDATA-TLV length check.
| ASCII/hex: Use nd_trunc_longjmp() in truncation cases
| GeoNet: Add a ND_TCHECK_LEN() call
| Replace ND_TCHECK_/memcpy() pairs with GET_CPY_BYTES().
| BGP: Fix overwrites of global 'astostr' temporary buffer
| ARP: fix overwrites of static buffer in q922_string().
| Frame Relay: have q922_string() handle errors better.
|
| Building and testing:
| Rebuild configure script when building release
| Fix "make clean" for out-of-tree autotools builds
| CMake: add stuff from CMAKE_PREFIX_PATH to PKG_CONFIG_PATH.
|
| Documentation:
| man: Update a reference as www.cifs.org is gone. [skip ci]
| man: Update DNS sections
|
| Solaris:
| Fix a compile error with Sun C
|
| Wednesday, December 30, 2020, by mcr@sandelman.ca, denis and fxl.
| Summary for 4.99.0 tcpdump release
|
| CVE-2018-16301: For the -F option handle large input files safely.
| Improve the contents, wording and formatting of the man page.
| Print unsupported link-layer protocol packets in hex.
| Add support for new network protocols and DLTs: Arista, Autosar SOME/IP,
|   Broadcom LI and Ethernet switches tag, IEEE 802.15.9, IP-over-InfiniBand
|   (IPoIB), Linux SLL2, Linux vsockmon, MACsec, Marvell Distributed Switch
|   Architecture, OpenFlow 1.3, Precision Time Protocol (PTP), SSH, WHOIS,
|   ZigBee Encapsulation Protocol (ZEP).
| Make protocol-specific updates for: AH, DHCP, DNS, ESP, FRF.16, HNCP,
|   ICMP6, IEEE 802.15.4, IPv6, IS-IS, Linux SLL, LLDP, LSP ping, MPTCP, NFS,
|   NSH, NTP, OSPF, OSPF6, PGM, PIM, PPTP, RADIUS, RSVP, Rx, SMB, UDLD,
|   VXLAN-GPE.
|
| User interface:
| Make SLL2 the default for Linux "any" pseudo-device.
| Add --micro and --nano shorthands.
| Add --count to print a counter only instead of decoding.
| Add --print, to cause packet printing even with -w.
| Add support for remote capture if libpcap supports it.
| Display the "wireless" flag and connection status.
| Flush the output packet buffer on a SIGUSR2.
| Add the snapshot length to the "reading from file ..." message.
| Fix local time printing (DST offset in timestamps).
| Allow -C arguments > 2^31-1 GB if they can fit into a long.
| Handle very large -f files by rejecting them.
| Report periodic stats only when safe to do so.
| Print the number of packets captured only as often as necessary.
| With no -s, or with -s 0, don't specify the snapshot length with newer
|   versions of libpcap.
| Improve version and usage message printing.
|
| Building and testing:
| Install into bindir, not sbindir.
| autoconf: replace --with-system-libpcap with --disable-local-libpcap.
| Require the compiler to support C99.
| Better detect and use various C compilers and their features.
| Add CMake as the second build system.
| Make out-of-tree builds more reliable.
| Use pkg-config to detect libpcap if available.
| Improve Windows support.
| Add more tests and improve the scripts that run them.
| Test both with "normal" and "x87" floating-point.
| Eliminate dependency on libdnet.
|
| FreeBSD:
| Print a proper error message about monitor mode VAP.
| Use libcasper if available.
| Fix failure to capture on RDMA device.
| Include the correct capsicum header.
|
| Source code:
| Start the transition to longjmp() for packet truncation handling.
| Introduce new helper functions, including GET_*(), nd_print_protocol(),
|   nd_print_invalid(), nd_print_trunc(), nd_trunc_longjmp() and others.
| Put integer signedness right in many cases.
| Introduce nd_uint*, nd_mac_addr, nd_ipv4 and nd_ipv6 types to fix
|   alignment issues, especially on SPARC.
| Fix many C compiler, Coverity, UBSan and cppcheck warnings.
| Fix issues detected with AddressSanitizer.
| Remove many workarounds for older compilers and OSes.
| Add a sanity check on packet header length.
| Add and remove plenty of bounds checks.
| Clean up pcap_findalldevs() call to find the first interface.
| Use a short timeout, rather than immediate mode, for text output.
| Handle DLT_ENC files *not* written on the same OS and byte-order host.
| Add, and use, macros to do locale-independent case mapping.
| Use a table instead of getprotobynumber().
| Get rid of ND_UNALIGNED and ND_TCHECK().
| Make roundup2() generally available.
| Resync SMI list against Wireshark.
| Fix many typos.
|
| Co-Developed-by: Ivan Pavlov <AuthorReflex@gmail.com>
| Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
| Signed-off-by: Nick Hainke <vincent@systemli.org>
* wpa_supplicant: compile with OCV support  Michael Yartys  2022-07-03  3  -3/+5
|
| Operating Channel Validation (OCV) is a security feature designed to
| prevent person-in-the-middle multi-channel attacks. Compile -basic and
| -full variants with support for OCV.
|
| This feature can be configured in the wireless config by setting ocv equal
| to one of the following values:
|
| 0 = disabled (hostapd/wpa_supplicant default)
| 1 = enabled if wpa_supplicant's SME in use. Otherwise enabled only when the
|     driver indicates support for operating channel validation.
|
| Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
* hostapd: enable compilation of OCV and add build feature discovery  Michael Yartys  2022-07-03  4  -3/+11
|
| Operating Channel Validation (OCV) is a security feature designed to
| prevent person-in-the-middle multi-channel attacks. Compile the -basic
| and -full variants of hostapd with this feature, and enable discovery of
| this feature for future luci integration.
|
| OCV can be configured by setting ocv equal to one of the following values
| in the wireless config:
|
| 0 = disabled (hostapd/wpa_supplicant default)
| 1 = enabled
| 2 = enabled in workaround mode - Allow STA that claims OCV capability to
|     connect even if the STA doesn't send OCI or negotiate PMF.
|
| Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>