aboutsummaryrefslogtreecommitdiffstats
path: root/package/network
Commit message (Collapse)AuthorAgeFilesLines
...
* odhcpd: update to latest git HEADHans Dedecker2021-01-301-3/+3
| | | | | | 8d8a8cd dhcpv6-ia: apply prefix_filter on dhcpv6 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* umdns: bump to 2021-01-26Paul Spooren2021-01-261-5/+5
| | | | | | | | * i78aa36b umdns: fix 64-bit time format string * start using $(AUTORELEASE) * Update Copyright Signed-off-by: Paul Spooren <mail@aparcar.org>
* bpftools: update to 5.10.10Tony Ambardar2021-01-255-326/+2
| | | | | | | | | | | | | Use the latest stable kernel since the previous 5.8.x series is EOL. Also drop the following patches recently accepted upstream: * 001-libbpf-ensure-no-local-symbols-counted-in-ABI-check.patch * 002-libbpf-fix-build-failure-from-uninitialized-variable.patch * 003-bpftool-allow-passing-BPFTOOL_VERSION-to-make.patch * 004-v5.9-bpftool-use-only-ftw-for-file-tree-parsing.patch Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
* dnsmasq: Update to 2.84test3Kevin Darbyshire-Bryant2021-01-241-3/+3
| | | | | | | | | | | | | | | dnsmasq v2.83 has a bug in handling duplicate queries which means it may try to reply using the incorrect network socket. This is especially noticeable in dual stack environments where replies may be mis-directed to IPv4 addresses on an IPv6 socket or IPv6 addresses on an IPv4 socket. This results in system log spam such as: dnsmasq[16020]: failed to send packet: Network unreachable dnsmasq[16020]: failed to send packet: Address family not supported by protocol dnsmasq v2.84test3 resolves these issues. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* maccalc: remove packageAdrian Schmutzler2021-01-233-313/+0
| | | | | | | | | | | This is a helpful utility, but it does not have any dependencies in this repository. Move it to packages feed. The package does not seem to have a maintainer. Cc: Jo-Philipp Wich <jo@mein.io> Cc: Nick Hainke <vincent@systemli.org> Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* owipcalc: remove packageAdrian Schmutzler2021-01-232-994/+0
| | | | | | | | | This is a helpful utility, but it does not have any dependencies in this repository. Move it to packages feed. Cc: Jo-Philipp Wich <jo@mein.io> Cc: Nick Hainke <vincent@systemli.org> Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* iperf3: removeFlorian Eckert2021-01-221-83/+0
| | | | | | | This package is not needed in base. It will be imported in the packages feed. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* iperf: removeFlorian Eckert2021-01-223-100/+0
| | | | | | | This package is not needed in base. It will be imported in the packages feed. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* owipcalc: remove clone in cidr_contains6Nick Hainke2021-01-192-6/+5
| | | | | | | | | | The "cidr_contains6" functions clones the given cidr. The contains4 does not clone the cidr. Both functions do not behave the same. I see no reason to push the cidr. I think that we get only a negligible performance gain, but it makes ipv4 and ipv6 equal again. Signed-off-by: Nick Hainke <vincent@systemli.org>
* dnsmasq: Update to version 2.83Hauke Mehrtens2021-01-192-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following security problems in dnsmasq: * CVE-2020-25681: Dnsmasq versions before 2.83 is susceptible to a heap-based buffer overflow in sort_rrset() when DNSSEC is used. This can allow a remote attacker to write arbitrary data into target device's memory that can lead to memory corruption and other unexpected behaviors on the target device. * CVE-2020-25682: Dnsmasq versions before 2.83 is susceptible to buffer overflow in extract_name() function due to missing length check, when DNSSEC is enabled. This can allow a remote attacker to cause memory corruption on the target device. * CVE-2020-25683: Dnsmasq version before 2.83 is susceptible to a heap-based buffer overflow when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap- allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in Dnsmasq, resulting in a Denial of Service. * CVE-2020-25684: A lack of proper address/port check implemented in Dnsmasq version < 2.83 reply_query function makes forging replies easier to an off-path attacker. * CVE-2020-25685: A lack of query resource name (RRNAME) checks implemented in Dnsmasq's versions before 2.83 reply_query function allows remote attackers to spoof DNS traffic that can lead to DNS cache poisoning. * CVE-2020-25686: Multiple DNS query requests for the same resource name (RRNAME) by Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS traffic, using a birthday attack (RFC 5452), that can lead to DNS cache poisoning. * CVE-2020-25687: Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of Service. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* netifd: fix IPv6 routing loop on point-to-point linksHans Dedecker2021-01-171-3/+3
| | | | | | | | c00c833 interface-ip: add unreachable route if address is offlink e71909c interface-ip: coding style fixes Tested-by: Karl Vogel <karl.vogel@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* odhcp6c: fix routing loop on point-to-point linksHans Dedecker2021-01-171-3/+3
| | | | | | | | 53f07e9 ra: fix routing loop on point to point links 2b6959d ra: align ifindex resolving Tested-by: Karl Vogel <karl.vogel@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: fix setting wps_state to "not configured"Leon M. George2021-01-152-2/+2
| | | | | | | | | | | | | | | With encryption disabled, it was intended to set wpa_state=1 (enabled, not configured) through the 'wps_not_configured' flag. The flag is set appropriately but the condition using it is broken. Instead, 'wps_configured' is checked and wpa_state is always 2 (enabled, configured). Fix it by using the correct variable name. Fixes: 498d84fc4e00 ("netifd: add wireless configuration support and port mac80211 to the new framework") Signed-off-by: Leon M. George <leon@georgemail.eu> [commit title/message improvements] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* owipcalc: use v6 in cidr_parse6 functionNick Hainke2021-01-152-5/+5
| | | | | | | | | | | The cidr_parse6 function parses a string to an ipv6-address. The cidr struct contains a union called buf for the ipv4 and ipv6 address. Since it is a char pointer and the struct is initialized with the maximum size (so ipv6 string) it does not make any difference. However, we should access the buffer using the v6 name, since it could be confusing otherwise. Signed-off-by: Nick Hainke <vincent@systemli.org>
* hostapd: fix key_mgmt typoLeon M. George2021-01-142-2/+2
| | | | | | | | | | | The key_mgmt variable was mistyped when checking against "WPS", so the if clause was never entered. Fixes: f5753aae233f ("hostapd: add support for WPS pushbutton station") Signed-off-by: Leon M. George <leon@georgemail.eu> [add commit message, bump PKG_RELEASE] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* hostapd: remove trailing whitespacesLeon M. George2021-01-141-2/+2
| | | | Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: remove unused variableLeon M. George2021-01-141-1/+0
| | | | | | | | | 'base' was never used. Fixes: 498d84fc4e00 ("netifd: add wireless configuration support and port mac80211 to the new framework") Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: remove unused variableLeon M. George2021-01-141-1/+0
| | | | | | | | | 'enc_str' was never used. Fixes: 498d84fc4e00 ("netifd: add wireless configuration support and port mac80211 to the new framework") Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: run as user 'network' if procd-ujail is installedDaniel Golle2021-01-144-2/+55
| | | | | | | Granting capabilities CAP_NET_ADMIN and CAP_NET_RAW allows running hostapd and wpa_supplicant without root priviledges. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: improve error handling when adding supplicant configDaniel Golle2021-01-142-5/+5
| | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: add multicast_to_unicast and per_sta_vifEtan Kissling2021-01-142-2/+15
| | | | | | | | This allows configuration of multicast_to_unicast and per_sta_vif options. - multicast_to_unicast requests multicast-to-unicast conversion. - per_sta_vif assigns each station its own AP_VLAN interface. Signed-off-by: Etan Kissling <etan_kissling@apple.com>
* iw: enable HE PHY information for iw-tinyDavid Bauer2021-01-142-28/+12
| | | | | | | | | | Currently PHY information obtained from "iw phy" lacks information about a PHYs HE capabilities when using the by default installed iw-tiny. As there are already 802.11ax supported devices, enabled printing this information for the by-default installed iw variant. Signed-off-by: David Bauer <mail@david-bauer.net>
* hostapd: return PID on config_add callDaniel Golle2021-01-104-4/+11
| | | | | | | | | To simplify the way netifd acquires the PIDs of wpa_supplicant and hostapd let the config_add method of both of them return the PID of the called process. Use the returned PID instead of querying procd when adding wpa_supplicant configuration. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* iptables: update to 1.8.6Curtis Deptuck2021-01-097-39/+32
| | | | | | | | | | | | | Update iptables to 1.8.6 ChangeLog: https://netfilter.org/projects/iptables/files/changes-iptables-1.8.6.txt Refresh patch: 101-remove-check-already.patch Signed-off-by: Curtis Deptuck <curtdept@me.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [refresh patches]
* iwinfo: improve ABI version handling and bump to git HEADJo-Philipp Wich2021-01-071-7/+10
| | | | | | | | | | | | | | | | | | - Encode ABI version in compiled shared object file - Only ship versioned shared library a17f561 iwinfo: detect QCA IPQ4019 WiSoC from FDT ea28dfb iwinfo: export ht and vht operation in scan results 4e22953 iwinfo: export center_chan info for local wifi 74d13fb cli: account for additional digit for frequencies above 10GHz 8bfd8d8 iwinfo: add support for GCMP cipher 618c1e8 iwinfo: add hardware description for QCA MIPS WiSoCs 0702f32 iwinfo: improve center channel handling 51c1336 iwinfo: set center chan unsupported for not-nl80211 driver 23d2722 build: add ability to specify shared object version Signed-off-by: Jo-Philipp Wich <jo@mein.io> Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* Revert "iwinfo: update to git HEAD"Jo-Philipp Wich2021-01-061-4/+4
| | | | | | | | | | | | | This reverts commit f1620630e9f3407780ddc554361841f05c996c49. This update introduces potentially remote exploitable buffer overreads in IE parsing logic. It also breaks the ABI without introdcing SOVERSION library versioning. Furthermore, HT information is incorrectly added for non-HT BSSes. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* iwinfo: update to git HEADDaniel Golle2021-01-051-4/+4
| | | | | | | | | | a17f561 iwinfo: detect QCA IPQ4019 WiSoC from FDT ea28dfb iwinfo: export ht and vht operation in scan results 4e22953 iwinfo: export center_chan info for local wifi 74d13fb cli: account for additional digit for frequencies above 10GHz 8bfd8d8 iwinfo: add support for GCMP cipher Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: wpa_supplicant: Enable proper GCMP cipher supportRobert Marko2021-01-052-1/+6
| | | | | | | | | This patch enables hostapd.sh to properly configure wpa_supplicant for when GCMP is used as cipher in station mode. Without this wpa_supplicant will be unable to connect to AP. This is needed for wil6210 as it does not support CCMP. Signed-off-by: Robert Marko <robimarko@gmail.com>
* netifd: update to git HEADDaniel Golle2021-01-051-3/+3
| | | | | | 0c83439 netifd: wireless: default to GCMP WPA cipher on 802.11ad Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* odhcpd: bump to latest versionNick Hainke2021-01-041-3/+3
| | | | | | 3bda900 odhcpd: add option for setting preferred lifetime Signed-off-by: Nick Hainke <vincent@systemli.org>
* hostapd: add support for custom per-BSS optionsFlorian Beverborg2021-01-032-1/+8
| | | | | | | | | | | | This adds an option "hostapd_bss_options" that does the same as "hostapd_options" but on a per-BSS level, instead of a per-device level. This can be used, for example, to configure different per-devce sae_passwords per BSS or to augment some of the existing per-BSS options. Signed-off-by: Florian Beverborg <flo@beverb.org> [remove whitespace errors, bump release] Signed-off-by: Paul Spooren <mail@aparcar.org>
* ppp: Remove already applied patchHauke Mehrtens2021-01-012-14/+1
| | | | | | | This patch was already applied upstream and not needed here. Fixes: 06403981e1f2 ("ppp: update to version 2.4.7.git-2019-05-06") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* iproute2: update to 5.10.0Russell Senior2021-01-011-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | c8faeca5 (ss: mptcp: fix add_addr_accepted stat print, 2020-11-18) 0d78e8ea (tc: pedit: fix memory leak in print_pedit, 2020-12-11) ec1346ac (devlink: fix memory leak in cmd_dev_flash(), 2020-12-11) 309e6027 (man: tc-flower: fix manpage, 2020-12-11) 376367d9 (uapi: merge in change to bpf.h, 2020-12-14) 2e80ae89 (Merge branch 'gcc-10' into main, 2020-12-03) 755b1c58 (tc/mqprio: json-ify output, 2020-12-02) 975c4944 (ip/netns: use flock when setting up /run/netns, 2020-11-27) fb054cb3 (uapi: update devlink.h, 2020-11-29) c95d63e4 (uapi: update devlink.h, 2020-11-29) cae2e929 (f_u32: fix compiler gcc-10 compiler warning, 2020-11-29) c0149839 (misc: fix compiler warning in ifstat and nstat, 2020-11-29) 2319db90 (tc: fix compiler warnings in ip6 pedit, 2020-11-29) 5bdc4e91 (bridge: fix string length warning, 2020-11-29) f8176999 (devlink: fix uninitialized warning, 2020-11-29) 7a49ff9d (bridge: report correct version, 2020-11-15) 8682f588 (tc-mpls: fix manpage example and help message string, 2020-11-02) 7c7a0fe0 (tc-vlan: fix help and error message strings, 2020-11-02) 72f88bd4 (uapi: update kernel headers from 5.10-rc2, 2020-11-08) b90c39be (rdma: fix spelling error in comment, 2020-11-08) c8424b73 (man: fix spelling errors, 2020-11-08) cbf64817 (tc/m_gate: fix spelling errors, 2020-11-08) 14b189f0 (uapi: updates from 5.10-rc1, 2020-11-03) 9fc5bf73 (libnetlink: define __aligned conditionally, 2020-10-26) eb12cc9a (Merge branch 'main' into next, 2020-10-25) f1298d76 (m_mpls: test the 'mac_push' action after 'modify', 2020-10-22) 2b7a7684 (Merge branch 'tipc-encryption' into next, 2020-10-20) 2bf1ba5a (tipc: add option to set rekeying for encryption, 2020-10-16) 5fb36818 (tipc: add option to set master key for encryption, 2020-10-16) b4edd6a8 (Merge branch 'tc-mpls-l2-vpn' into next Guillaume Nault says:, 2020-10-20) 02a261b5 (m_mpls: add mac_push action, 2020-10-19) d61167dd (m_vlan: add pop_eth and push_eth actions, 2020-10-19) 3342688a (devlink: display elapsed time during flash update, 2020-10-14) cb7ce51c (v5.9.0, 2020-10-15) b5a583fb (Merge branch 'main' into next Signed-off-by: David Ahern <dsahern@gmail.com>, 2020-10-11) 78120128 (genl: ctrl: print op -> policy idx mapping, 2020-10-03) 91c54917 (Merge branch 'bridge-igmpv3-mldv2' into next Nikolay Aleksandrov says:, 2020-10-11) 86588450 (bridge: mdb: print protocol when available, 2020-10-08) 2de81d1e (bridge: mdb: print source list when available, 2020-10-08) 1d28c480 (bridge: mdb: print filter mode when available, 2020-10-08) e331677e (bridge: mdb: show igmpv3/mldv2 flags, 2020-10-08) f94e8b07 (bridge: mdb: print fast_leave flag, 2020-10-08) 547b3197 (bridge: mdb: add support for source address, 2020-10-08) f905191a (Update kernel headers, 2020-10-11) 4322b13c (ip xfrm: support setting XFRMA_SET_MARK_MASK attribute in states, 2020-10-02) 8dc1db80 (devlink: Add health reporter test command support, 2020-10-01) 01216471 (devlink: support setting the overwrite mask attribute, 2020-09-30) 34be2d26 (Update kernel headers, 2020-10-07) d2be31d9 (ss: add support for xdp statistics, 2020-09-24) f481515c (Update kernel headers, 2020-09-29) b8663da0 (ip: promote missed packets to the -s row, 2020-09-16) cec67df9 (Merge branch 'devlink-controller-external-info' into next Parav Pandit says:, 2020-09-22) 748cbad3 (devlink: Show controller number of a devlink port, 2020-09-18) 8fadd011 (devlink: Show external port attribute, 2020-09-18) 454429e8 (Update kernel headers, 2020-09-22) ad34d5fa (iproute2: ss: add support to expose various inet sockopts, 2020-08-19) c8eb4b52 (Update kernel headers, 2020-09-08) abee772f (tipc: support 128bit node identity for peer removing, 2020-08-27) 6fd53b2a (iplink: add support for protodown reason, 2020-08-28) af27494d (ip xfrm: support printing XFRMA_SET_MARK_MASK attribute in states, 2020-08-28) 275eed9b (Merge branch 'main' into next, 2020-09-01) cc889b82 (genl: ctrl: support dumping netlink policy, 2020-08-24) d5acae24 (libnetlink: add nl_print_policy() helper, 2020-08-24) 784fa9f6 (libnetlink: add rtattr_for_each_nested() iteration macro, 2020-08-24) OpenWrt patches unchanged. Successfully built for ramips/mt7621 and x86/geode with: CONFIG_PACKAGE_devlink=m CONFIG_PACKAGE_genl=m CONFIG_PACKAGE_ip-bridge=m CONFIG_PACKAGE_ip-full=m CONFIG_PACKAGE_ip-tiny=m CONFIG_PACKAGE_nstat=m CONFIG_PACKAGE_rdma=m CONFIG_PACKAGE_ss=m CONFIG_PACKAGE_tc=m Minimally run-tested ip-tiny on ramips/mt7621 (ubnt-erx). Signed-off-by: Russell Senior <russell@personaltelco.net>
* hostapd: do not restart hostapd instance on wireless restartsFelix Fietkau2020-12-311-1/+1
| | | | | | Add the flag that prevents netifd from killing hostapd/wpa_supplicant Signed-off-by: Felix Fietkau <nbd@nbd.name>
* netifd: update to the latest versionFelix Fietkau2020-12-311-3/+3
| | | | | | 39fb8c3edc74 wireless: add support for not killing processes on teardown Signed-off-by: Felix Fietkau <nbd@nbd.name>
* vxlan: allow for dynamic source ip selection (FS#3426)Johannes Kimmel2020-12-312-25/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | By setting 'auto', the zero address or the empty string as source address (option ipaddr, option ip6addr), vxlan will choose one dynamically. This helps in setups where a wan ip or prefix changes. This corresponse to setting up an vxlan tunnel with: proto vxlan6: # ip link add vx0 type vxlan id ID local :: ... proto vxlan: # ip link add vx0 type vxlan id ID local 0.0.0.0 ... While it is possible to not specify a source ip at all, the kernel will default to setting up a ipv4 tunnel. The kernel will take any hint from source and peer ips to figure out, what tunnel type to use. To make sure we setup an ipv6 tunnel for proto vxlan6, this workaround is needed. This will not change the behaviour of currently working configurations. However this will allow former broken configurations, namely those not specifying both a source address and tunnel interface, to setup a tunnel interface. Previously those configurations weren't reporting an error and were stueck in a setup loop like in Bug FS#3426. This change lifts the currently very strict behaviour and should fix the following bug: Fixes: FS#3426 Ref: https://bugs.openwrt.org/index.php?do=details&task_id=3426 Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
* odhcp6c: update to git HEADHans Dedecker2020-12-301-3/+3
| | | | | | | eac1961 dhcpv6: fix displaying IA info 0475e18 dhcpv6: display status code as a string Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* ethtool: update to version 5.10Hans Dedecker2020-12-261-2/+2
| | | | | | | | The ipkg sizes changes as follows for mips 24kc : 5.9 : ethtool_5.9-1_mips_24kc.ipk 35246 5.10 : ethtool_5.10-1_mips_24kc.ipk 35385 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* odhcpd: update to latest git HEADHans Dedecker2020-12-241-3/+3
| | | | | | | | b75bcad dhcpv6-ia: remove assignment equal to 0 checks d1ae052 dhcpv6-ia: fix logic to include IA_PD prefix with lifetimes set to 0 9d5e379 dhcpv6-ia: fix prefix delegation behavior Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* treewide: nuke DRIVER_11W_SUPPORTDobroslaw Kijowski2020-12-233-11/+1
| | | | | | | | | | | | | | As of hostapd upstream commit 7d2ed8ba "Remove CONFIG_IEEE80211W build parameter" https://w1.fi/cgit/hostap/commit?id=7d2ed8bae86a31dd2df45c24b3f7281d55315482 802.11w feature is always enabled in the build time. It doesn't make sense to opt-in 802.11w per driver as hostapd will always be compiled with this feature enabled. As suggested by Hauke Mehrtens, for now keep 11w enabled in build_features.h for compatibility reasons. This option will be dropped when LuCI is adjusted. Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
* netifd: update to the latest versionFelix Fietkau2020-12-231-3/+3
| | | | | | 88c6003e2b4f netifd: fix a typo in vlandev hotplug support Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: pass respawn settings when registering the serviceJohn Crispin2020-12-221-2/+2
| | | | | | | | When hostapd gets restarted to often/quickly will cause procd to not restart it anymore. it will think that hapd is in a crash loop. Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Felix Fietkau <nbd@nbd.name> [adjust respawn time]
* hostapd: Use EAPOLv1 (802.1X-2001) if WPA enabledNick Lowe2020-12-221-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, EAPOLv2 (802.1X-2004) is used by default for legacy clients that are not WPA2 (RSN) capable. These legacy clients are often intolerant to this EAPOL version and fail to connect. hostapd.conf upstream documents for eapol_version the following and that this is a known compatibility issue with version 2: // IEEE 802.1X/EAPOL version // hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL // version 2. However, there are many client implementations that do not handle // the new version number correctly (they seem to drop the frames completely). // In order to make hostapd interoperate with these clients, the version number // can be set to the older version (1) with this configuration value. // Note: When using MACsec, eapol_version shall be set to 3, which is // defined in IEEE Std 802.1X-2010. //eapol_version=2 For the wpa parameter, hostapd.conf upstream documents that this is a bitfield, configured as follows: // Enable WPA. Setting this variable configures the AP to require WPA (either // WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either // wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK. // Instead of wpa_psk / wpa_passphrase, wpa_psk_radius might suffice. // For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys), // RADIUS authentication server must be configured, and WPA-EAP must be included // in wpa_key_mgmt. // This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0) // and/or WPA2 (full IEEE 802.11i/RSN): // bit0 = WPA // bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled) // Note that WPA3 is also configured with bit1 since it uses RSN just like WPA2. // In other words, for WPA3, wpa=2 is used the configuration (and // wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK). //wpa=2 For client compatibility therefore: EAPOLv1 (802.1X-2001) should be used by default where WPA is enabled. EAPOLv2 (802.1X-2004) should be used by default where WPA is disabled. To fix this, we can therefore change in the script: set_default eapol_version 0 To the following: set_default eapol_version $((wpa & 1)) This therefore: 1) Sets eapol_version to 1 where WPA has been enabled via wpa bit0 being set. 2) Sets eapol_version to 0 where WPA has been disabled via wpa bit0 being unset. For usual configurations that only have WPA2 enabled, EAPOLv2 is then used. Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
* tcpdump: fix pcap-config issuesRosen Penev2020-12-222-115/+4
| | | | | | | | | | | | | | The patch removes a libpcap check to avoid a problem with libpcap. Fix libpcap instead. Modernize Makefile: Use a normal autoconf bool instead of checking for CONFIG_IPV6. Remove old configure and MAKE_FLAGS hacks. Removing them results in compilation continuing to work without a problem. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* hostapd: parse skip_inactivity_poll optionNadim Atiya2020-12-222-3/+5
| | | | | | | | | | | | hostapd.sh does not parse skip_inactivity_poll boolean from /etc/config/wireless despite being mentioned in the documentation [1]. This change fixes this, and by default sets its value to 0 [1]. [1] https://openwrt.org/docs/guide-user/network/wifi/basic Signed-off-by: Nadim Atiya <nadim.atiya@gmail.com> Signed-off-by: Daniel Golle <daniel@makrotopia.org> [fix and reformat commit message, make patch apply]
* uhttpd: don't redirect to HTTPS by defaultPetr Štetiar2020-12-201-1/+1
| | | | | | | | | | | | | | | | | | | So we can ship px5g-wolfssl by default in the release image, but still make the HTTPS for LuCI optional. This small change with addition of `CONFIG_PACKAGE_px5g-wolfssl=y` into the buildbot's seed config for the next release should provide optional HTTPS in the next release. Disabling the current default automatic uhttpd's redirect to HTTPS should make the HTTPS optional. That's it, user would either need to switch to HTTPS by manually switching to https:// protocol in the URL or by issuing the following commands to make the HTTPS automatic redirect permanent: $ uci set uhttpd.main.redirect_https=1 $ uci commit uhttpd $ service uhttpd reload Signed-off-by: Petr Štetiar <ynezz@true.cz>
* netifd: update to latest versionNick Hainke2020-12-141-3/+3
| | | | | | 458b1a7e9473 netifd: add segment routing support Signed-off-by: Nick Hainke <vincent@systemli.org>
* odhcpd: remove local mkdir_p implementationDaniel Golle2020-12-131-3/+3
| | | | | | | Replace local mkdir_p implementation in favour of using mkdir_p now added to libubox. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* xfrm: support 'multicast' attribute on interfacesPhilip Prindeville2020-12-112-3/+6
| | | | | | | | | | | | | | You shouldn't need the overhead of GRE just to add multicast capability on a point-to-point interface (for instance, you might want to run mDNS over IPsec transport connections, and Avahi requires IFF_MULTICAST be set on interfaces, even point-to-point ones). Borrowed heavily from: b3c9321b9e gre: Support multicast configurable gre interfaces Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* dropbear: bump package versionKonstantin Demin2020-12-111-1/+1
| | | | | | | | Bump package version after previous changes. Signed-off-by: Konstantin Demin <rockdrilla@gmail.com> [added missing commit description] Signed-off-by: Petr Štetiar <ynezz@true.cz>