aboutsummaryrefslogtreecommitdiffstats
path: root/package
Commit message (Collapse)AuthorAgeFilesLines
* odhcpd: fix managed address configuration settingHans Dedecker2018-05-271-4/+4
| | | | | | 59339a7 router: fix managed address configuration setting Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wireguard: bump to 20180519Jason A. Donenfeld2018-05-251-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | * chacha20poly1305: add mips32 implementation "The OpenWRT Commit" - this significantly speeds up performance on cheap plastic MIPS routers, and presumably the remaining MIPS32r2 super computers out there. * timers: reinitialize state on init * timers: round up instead of down in slack_time * timers: remove slack_time * timers: clear send_keepalive timer on sending handshake response * timers: no need to clear keepalive in persistent keepalive Andrew He and I have helped simplify the timers and remove some old warts, making the whole system a bit easier to analyze. * tools: fix errno propagation and messages Error messages are now more coherent. * device: remove allowedips before individual peers This avoids an O(n^2) traversal in favor of an O(n) one. Before systems with many peers would grind when deleting the interface. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wireguard: no longer need portability patchKevin Darbyshire-Bryant2018-05-252-19/+1
| | | | | | | | | Drop package/network/services/wireguard/patches/100-portability.patch Instead pass 'PLATFORM=linux' to make since we are always building FOR linux. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* wireguard: bump to 20180514Kevin Darbyshire-Bryant2018-05-252-9/+10
| | | | | | | | | | | | | | | 52be69b version: bump snapshot 4884b45 ncat-client-server: add wg-quick variant a333551 wg-quick: add darwin implementation f5bf84d compat: backport for OpenSUSE 15 fe1ae1b wg-quick: add wg symlink ecc1c5f wg-quick: add android implementation 3e6bb79 tools: reorganize for multiplatform wg-quick b289d12 allowedips: Fix graphviz output after endianness patch Refresh cross compile compatibility patch Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* wireguard: Add support for ip6prefix config optionToke Høiland-Jørgensen2018-05-251-0/+6
| | | | | | | | | | | | This makes it easier to distribute prefixes over a wireguard tunnel interface, by simply setting the ip6prefix option in uci (just like with other protocols). Obviously, routing etc needs to be setup properly for things to work; this just adds the config option so the prefix can be assigned to other interfaces. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
* wireguard: bump to 0.0.20180513Kevin Darbyshire-Bryant2018-05-251-2/+2
| | | | | | | | | | | | | | | | | | | 6b4a340 version: bump snapshot faa2103 compat: don't clear header bits on RHEL 4014532 compat: handle RHEL 7.5's recent backports 66589bc queueing: preserve pfmemalloc header bit 37f114a chacha20poly1305: make gcc 8.1 happy 926caae socket: use skb_put_data 724d979 wg-quick: preliminary support for go implementation c454c26 allowedips: simplify arithmetic 71d44be allowedips: produce better assembly with unsigned arithmetic 5e3532e allowedips: use native endian on lookup 856f105 allowedips: add selftest for allowedips_walk_by_peer 41df6d2 embeddable-wg-library: zero attribute padding 9a1bea6 keygen-html: add zip file example f182b1a qemu: retry on 404 in wget for kernel.org race Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* wireguard: bump to 20180420Kevin Darbyshire-Bryant2018-05-251-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | 7cc2668 version: bump snapshot 860c7c7 poly1305: do not place constants in different sections 5f1e4ca compat: remove unused dev_recursion_level backport 7e4b991 blake2s: remove unused helper 13225fc send: simplify skb_padding with nice macro a1525bf send: account for route-based MTU bbb2fde wg-quick: account for specified fwmark in auto routing mode c452105 qemu: bump default version dbe5223 version: bump snapshot 1d3ef31 chacha20poly1305: put magic constant behind macro cdc164c chacha20poly1305: add self tests from wycheproof 1060e54 curve25519: add self tests from wycheproof 0e1e127 wg-quick.8: fix typo 2b06b8e curve25519: precomp const correctness 8102664 curve25519: memzero in batches 1f54c43 curve25519: use cmov instead of xor for cswap fa5326f curve25519: use precomp implementation instead of sandy2x 9b19328 compat: support OpenSUSE 15 3102d28 compat: silence warning on frankenkernels 8f64c61 compat: stable kernels are now receiving b87b619 62127f9 wg-quick: hide errors on save Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* wireguard: bump to 20180304Jason A. Donenfeld2018-05-251-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 7c0d711 version: bump snapshot b6a5cc0 contrib: add extract-handshakes kprobe example 37dc953 wg-quick: if resolvconf/run/iface exists, use it 1f9be19 wg-quick: if resolvconf/interface-order exists, use it 4d2d395 noise: align static_identity keys 14395d2 compat: use correct -include path 38c6d8f noise: fix function prototype 302d0c0 global: in gnu code, use un-underscored asm ff4e06b messages: MESSAGE_TOTAL is unused ea81962 crypto: read only after init e35f409 Kconfig: require DST_CACHE explicitly 9d5baf7 Revert "contrib: keygen-html: rewrite in pure javascript" 6e09a46 contrib: keygen-html: rewrite in pure javascript e0af0f4 compat: workaround netlink refcount bug ec65415 contrib: embedded-wg-library: add key generation functions 06099b8 allowedips: fix comment style ce04251 contrib: embedded-wg-library: add ability to add and del interfaces 7403191 queueing: skb_reset: mark as xnet Changes: * queueing: skb_reset: mark as xnet This allows cgroups to classify packets. * contrib: embedded-wg-library: add ability to add and del interfaces * contrib: embedded-wg-library: add key generation functions The embeddable library gains a few extra tricks, for people implementing plugins for various network managers. * crypto: read only after init * allowedips: fix comment style * messages: MESSAGE_TOTAL is unused * global: in gnu code, use un-underscored asm * noise: fix function prototype Small cleanups. * compat: workaround netlink refcount bug An upstream refcounting bug meant that in certain situations it became impossible to unload the module. So, we work around it in the compat code. The problem has been fixed in 4.16. * contrib: keygen-html: rewrite in pure javascript * Revert "contrib: keygen-html: rewrite in pure javascript" We nearly moved away from emscripten'ing the fiat32 code, but the resultant floating point javascript was just too terrifying. * Kconfig: require DST_CACHE explicitly Required for certain frankenkernels. * compat: use correct -include path Fixes certain out-of-tree build systems. * noise: align static_identity keys Gives us better alignment of private keys. * wg-quick: if resolvconf/interface-order exists, use it * wg-quick: if resolvconf/run/iface exists, use it Better compatibility with Debian's resolvconf. * contrib: add extract-handshakes kprobe example Small utility for extracting ephemeral key data from the kernel's memory. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (git log --oneline description)
* wireguard: bump to 20180202Kevin Darbyshire-Bryant2018-05-251-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bump to latest wireguard release snapshot: 2675814 version: bump snapshot 381d703 qemu: update base versions c3fbd9d curve25519: break more things with more test cases 93fa0d9 curve25519: replace fiat64 with faster hacl64 6177bdd curve25519: replace hacl64 with fiat64 b9bf37d curve25519: verify that specialized basepoint implementations are correct bd3f0d8 tools: dedup secret normalization 1f87434 chacha20poly1305: better buffer alignment 78959ed chacha20poly1305: use existing rol32 function 494cdea tools: fread doesn't change errno ab89bdc device: let udev know what kind of device we are 62e8720 qemu: disable AVX-512 in userland 6342bf7 qemu: disable PIE for compilation e23e451 contrib: keygen-html: share curve25519 implementation with kernel 6b28fa6 tools: share curve25519 implementations with kernel c80cbfa poly1305: add poly-specific self-tests 10a2edf curve25519-fiat32: uninline certain functions No patch refresh required. Compile-tested-for: ar71xx Run-tested-on: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* wireguard: bump to 20180118Kevin Darbyshire-Bryant2018-05-251-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | Bump to latest wireguard release snapshot: 9a93a3d version: bump snapshot 7bc0579 contrib: keygen-html: update curve25519 implementation ffc13a3 tools: import new curve25519 implementations 0ae7356 curve25519: wire up new impls and remove donna f90e36b curve25519: resolve symbol clash between fe types 505bc05 curve25519: import 64-bit hacl-star implementation 8c02050 curve25519: import 32-bit fiat-crypto implementation 96157fd curve25519: modularize implementation 4830fc7 poly1305: remove indirect calls bfd1a5e tools: plug memleak in config error path 09bf49b external-tests: add python implementation b4d5801 wg-quick: ifnames have max len of 15 6fcd86c socket: check for null socket before fishing out sport ddb8270 global: year bump 399d766 receive: treat packet checking as irrelevant for timers No patch refresh required. Compile-tested-for: ar71xx Run-tested-on: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* rpcd: update to lastest HEADRafał Miłecki2018-05-141-3/+3
| | | | | | | | | | | | | | | | | All these changes are important enough to have them in the 17.01. 8206219 uci: fix memory leak in rpc_uci_replace_savedir() 10f7878 exec: close stdout and stderr streams on child signal 92d0d75 uci: use correct sort index when reordering sections 66a9bad uci: fix memory leak in rpc_uci_apply_timeout() 2423162 uci: switch to proper save directory on apply/rollback edd37f8 uci: add rpc_uci_replace_savedir() helper eb09f3a session: ignore non-string username attribute upon restore 3d400c7 session: support reclaiming pending apply session f0f6f81 session: remove redundant key attribute to rpc_session_set() 6994c87 uci: fix session delta isolation Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* base-files: /lib/functions.sh: ignore errors in insert_modulesMatthias Schiffer2018-04-172-2/+2
| | | | | | | | | | Package postinst will pass even names of builtin modules to insert_modules, leading to postinst failing with error 255. This has been fixed in master in r5279, but for lede-17.01 this minimal change is preferable. Fixes FS#645, FS#893. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* fstools: update to latest lede-17.01 branchRafał Miłecki2018-04-161-3/+3
| | | | | | | 6609e98 libfstools: add "const" to char pointer arguments in mount_move() 95c07d5 libfstools: fix foreachdir() to pass dir with a trailing slash Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* mbedtls: change libmbedcrypto.so soversion back to 0Hauke Mehrtens2018-04-146-5/+31
| | | | | | | | | | | | | | | | | | mbedtls changed in version 2.7.0 and 2.7.2 the soversion of the libmbedcrypto.so library, use the old version again to be able to use the new library with binaries compiled against the old mbedtls library. Some binaries got rebuild to for the 2.7.0 release and are now using libmbedcrypto.so.1, the older ones are still using libmbedcrypto.so.0. Go back to libmbedcrypto.so.0 and make the system rebuild the binaries which were rebuild for 2.7.0 again. This should make the libmbedcrypto.so library be compatible with the old version shipped with 17.01. Fixes: 3ca1438ae0 ("mbedtls: update to version 2.7.2") Fixes: f609913b5c ("mbedtls: update to version 2.7.0") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* intel-microcode: update to 20180312Zoltan HERPAI2018-04-041-3/+3
| | | | | | | | | | | | | | | | | - Update microcode for 24 CPU types - Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation for: Sandybridge, Ivy Bridge, Haswell, Broadwell, Skylake, Kaby Lake, Coffee Lake - Missing production updates: - Broadwell-E/EX Xeons (sig 0x406f1) - Anniedale/Morefield, Apollo Lake, Avoton, Cherry Trail, Braswell, Gemini Lake, Denverton - New Microcodes: - sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140 - sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009 Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu> (cherry picked from commit 3db9d6e57def2912314c7ce0bc0c282f313ed654)
* mac80211: brcmfmac: add support for BCM4366E chipsetRafał Miłecki2018-04-032-1/+47
| | | | Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* mbedtls: update to version 2.7.2Hauke Mehrtens2018-04-012-23/+23
| | | | | | This fixes some minor security problems. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* openssl: update to 1.0.2oPaul Wassi2018-04-014-11/+11
| | | | | | Fixes CVE-2018-0739 Signed-off-by: Paul Wassi <p.wassi@gmx.at>
* mac80211: brcmfmac: backport commit dropping IAPP packets by defaultRafał Miłecki2018-03-212-1/+158
| | | | Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* mbedtls: update to version 2.7.0Hauke Mehrtens2018-03-106-53/+42
| | | | | | | | | | | | | | | | | | | This fixes the following security problems: * CVE-2018-0488: Risk of remote code execution when truncated HMAC is enabled * CVE-2018-0487: Risk of remote code execution when verifying RSASSA-PSS signatures This release is also ABI incompatible with the previous one, but it is API compatible. Some functions used by a lot of other software was renamed and the old function names are provided as a static inline now, but they are only active when deprecated functions are allowed, deactivate the removal of deprecated functions for now. Also increase the PKG_RELEASE version to force a rebuild and update of packages depending on mbedtls to handle the changed ABI. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* base-files: tune fragment queue thresholds for available system memoryMatthias Schiffer2018-03-072-10/+21
| | | | | | | | | The default fragment low/high thresholds are 3 and 4 MB. On devices with only 32MB RAM, these settings may lead to OOM when many fragments that cannot be reassembled are received. Decrease fragment low/high thresholds to 384 and 512 kB on devices with less than 64 MB RAM. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* base-files: sysupgrade: do not rely on opkg to list changed conffilesMatthias Schiffer2018-03-072-2/+21
| | | | | | | Many packages use the opkg conffiles field to list configuration files that are to be retained on upgrades. Make this work on systems without opkg. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* firmware: add microcode package for IntelZoltan HERPAI2018-03-041-0/+49
| | | | | | | | | | | | | | | | Compiling the Intel microcode package results in a microcode.bin and a microcode-64.bin. As we can decide based on the subtarget which should be used, we'll only split the required .bin file with iucode-tool. x64 will get the intel-microcode-64.bin All other variants will get intel-microcode.bin The microcodes will be updated from preinit via a common script - that's the earliest place where we can do it. Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
* firmware: add microcode package for AMDZoltan HERPAI2018-03-041-0/+45
| | | | | | | | | | | Use the Debian repository for sourcing the ucode files. Current (20171205) includes support for fam17h CPUs already. The microcodes will be updated from preinit via a common script - that's the earliest place where we can do it. Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
* tools: add iucode-toolZoltan HERPAI2018-03-041-0/+47
| | | | | | | | | | | | Add tool to "compile" Intel microcode files. The tool will be compiled for host (to split the microcode.dat) and for target (to forcibly reload the microcode if required). Instead of using the large microcode.bin/microcode-64.bin, the splitted ucode files (separate for CPU families) will be installed. Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
* odhcpd: fix interop with wide DHCPv6 client (FS#1377)Hans Dedecker2018-03-021-4/+4
| | | | | | aedc154 dhcpv6-ia: don't always send reconf accept option (FS#1377) Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* base-files: fix off-by-one in counting seconds for factory resetRafał Miłecki2018-03-011-1/+1
| | | | | | | | | There was a mismatch between indicating factory reset and code actually starting it. After 5 seconds status LED started blinking rapidly letting user know it's ready to release reset button. In practice button had to stay pressed for another second in order to relly start the process. Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* mountd: update to the latest version from 2018-02-26Rafał Miłecki2018-02-261-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | This significantly improves mountd stability & reliability by: 1) Sending hotplug.d event when appropriate 2) Properly unmounting 3) Handling corner cases when unmounting fails 4) Improving log messages 5f2c419 mount: drop duplicated includes aaf2743 mount: call hotplug-call with ACTION=remove before trying to unmount 97da4ed mount: try lazy unmount if normal one fails 1b62489 mount: create not working symlink when unmounting fails e77dc6d mount: reorder deleting code in the mount_enum_drives() 76766ae mount: rename tmp variables in the mount_add_list() 04b897f mount: drop duplicated rmdir() call from the mount_enum_drives() a27ea3f mount: drop duplicated unlink() call from the mount_dev_del() bf7cc33 mount: fix/improve unmounting log messages 36f9197 mount: fix removing mount point if it's expired ed4270f mount: struct mount: replace "mounted" and "ignore" fileds with a "status" 1af9ca2 mount: change mount_dev_del() argument to struct mount * 7c8fea8 mount: rename /proc/mount parser to mount_update_mount_list() 7aadd1c mount: improve handling mounts table size Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* perf: restrict libunwind dependency to archs that actually support libunwindMatthias Schiffer2018-02-251-1/+1
| | | | | | | | | | Allow building perf on uncommon targets again. Depending on the kernel version, not all of these archs will actually use libunwind in perf. Still, it seems simpler and less error-prone to use the same list that is defined in the libunwind package. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* libunwind: fix build with musl on PPCMatthias Schiffer2018-02-251-0/+383
| | | | | | | | | | | Works around two incompatiblities between glibc and (POSIX-compliant) musl: - missing register definitions from asm/ptrace.h - non-POSIX-compliant ucontext_t on PPC32 with glibc Compile tested on mpc85xx. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* uqmi: ensure CID is a numeric value before proceedingKoen Vandeputte2018-02-201-4/+4
| | | | | | | | | | | The current implementation only checked if uqmi itself executed correctly which is also the case when the returned value is actually an error. Rework this, checking that CID is a numeric value, which can only be true if uqmi itself also executed correctly. Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* uqmi: use built-in command for data-link verificationKoen Vandeputte2018-02-182-2/+20
| | | | | | | | | | | uqmi contains a command for directly querying the modem if there is a valid data connection, so let's use it. This avoids the cases were all previous tests are succesful, but the actual data link is not up for some reasons, leading to states were we thought the link was up when it actually wasn't .. Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* uqmi: use correct value for connection checkingKoen Vandeputte2018-02-181-4/+8
| | | | | | | | | | | | | | Originally, the implementation only checked if uqmi command execution succeeded properly without actually checking it's returned data. This lead to a pass, even when the returned data was indicating an error. Rework the verification to actually check the returned data, which can only be correct if the uqmi command itself also executed correctly. On command execution success, value "pdh_" is a pure numeric value. Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* uqmi: use general method for state cleaningKoen Vandeputte2018-02-181-10/+4
| | | | | | | | | | Debugging shows that using the general method properly cleans on each run, while the method specifying the client-ID shows "No effect" even while in connected state. Fixes several connectivity issues seen on specific modems. Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* uqmi: silence error on pin verificationKoen Vandeputte2018-02-181-1/+1
| | | | | | | | | | | | If a device only supports the 2nd verification method (uim), the first method will fail as expected reporting an error: "Command not supported" Silence both separate methods and only report an error regarding pin verification if both fail. Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* uqmi: fix raw-ip mode for newer lte modemsKoen Vandeputte2018-02-182-2/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some newer LTE modems, like the MC7455 or EC25-E do not support "802.3" mode, and will stay in "raw-ip" regardless of the mode being set. In this case, the driver must be informed that it should handle all packets in raw mode. [1] This commit fixes connectivity issues for these devices. Before: [ Node 5 ] udhcpc -i wwan0 udhcpc: started, v1.27.2 udhcpc: sending discover udhcpc: sending discover udhcpc: sending discover After: [ Node 5 ] udhcpc -i wwan0 udhcpc: started, v1.27.2 udhcpc: sending discover udhcpc: sending select for 100.66.245.226 udhcpc: lease of 100.66.245.226 obtained, lease time 7200 udhcpc: ifconfig wwan0 100.66.245.226 netmask 255.255.255.252 broadcast + udhcpc: setting default routers: 100.66.245.225 [1] https://lists.freedesktop.org/archives/libqmi- devel/2017-January/002064.html Tested on cns3xxx using a Sierra Wireless MC7455 LTE-A Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com> [bumped PKG_RELEASE] Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* net: uqmi: fix blocking in endless loops when unplugging deviceAlexandru Ardelean2018-02-181-0/+2
| | | | | | | | | | | If you unplug a QMI device, the /dev/cdc-wdmX device disappears but uqmi will continue to poll it endlessly. Then, when you plug it back, you have 2 uqmi processes, and that's bad, because 2 processes talking QMI to the same device [and the same time] doesn't seem to work well. Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* base-files: don't evaluate block-device ueventDaniel Golle2018-02-151-5/+8
| | | | | | | | | | Backport commits fixing the detection of GPT partition names during preinit and sysupgrade, closing a shell-injection vulnerability. da52dd0c83 ("base-files: quote values when evaluating uevent") 267873ac9b ("base-files: don't evaluate block-device uevent") Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* perf: use libunwindMaxim Gorbachyov2018-02-131-1/+1
| | | | | | | Without libunwind perf does not show userspace stack frames. Tested on mvebu. Signed-off-by: Maxim Gorbachyov <maxim.gorbachyov@gmail.com>
* libunwind: enable build for armMaxim Gorbachyov2018-02-131-1/+1
| | | | | | Tested with perf on mvebu. Signed-off-by: Maxim Gorbachyov <maxim.gorbachyov@gmail.com>
* procd: update to latest git HEADHans Dedecker2018-02-091-3/+3
| | | | | | 9a4036f trace: add missing limits.h include Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iptables: make kmod-ipt-debug part of default ALL buildYousong Zhou2018-01-262-4/+3
| | | | | | | | | The iptables TRACE target is only available in raw table that's why the dependency was moved from iptables-mod-trace into kmod-ipt-debug Fixes FS#1219 Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* iptables: Fix target TRACE issueMartin Wetterwald2018-01-261-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | The package kmod-ipt-debug builds the module xt_TRACE, which allows users to use '-j TRACE' as target in the chain PREROUTING of the table raw in iptables. The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so that this feature which is implemented deep inside the linux IP stack (for example in sk_buff) is compiled. But a strace of iptables -t raw -I PREROUTING -p icmp -j TRACE reveals that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so, which fails as this dynamic library is not present on the system. I created the package iptables-mod-trace which takes care of that, and target TRACE now works! https://dev.openwrt.org/ticket/16694 https://dev.openwrt.org/ticket/19661 Signed-off-by: Martin Wetterwald <martin.wetterwald@corp.ovh.com> [Jo-Philipp Wich: also remove trace extension from builtin extension list and depend on kmod-ipt-raw since its required for rules] Signed-off-by: Jo-Philipp Wich <jo@mein.io> Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
* curl: fix libcurl/mbedtls async interfaceDarren Tucker2018-01-242-1/+28
| | | | | | | | | | | | When using mbedtls, curl's nonblocking interface will report a request as done immediately after the socket is written to and never read from the connection. This will result in a HTTP status code of 0 and zero length replies. Cherry-pick the patch from curl 7.53.0 to fix this (https://github.com/curl/curl/commit/b993d2cc). Fixes https://bugs.openwrt.org/index.php?do=details&task_id=1285. Signed-off-by: Darren Tucker <dtucker@dtucker.net>
* dnsmasq: backport validation fix in dnssec security fixKevin Darbyshire-Bryant2018-01-202-2/+2
| | | | | | | | | A DNSSEC validation error was introduced in the fix for CVE-2017-15107 Backport the upstream fix to the fix (a simple typo) Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> (backported from commit adaf1cbcc8b253ea807dbe0416b4b04c33dceadf)
* dnsmasq: backport dnssec security fix for 17.01Kevin Darbyshire-Bryant2018-01-192-1/+203
| | | | | | | | | | | | | | | | | | | | | | | | | CVE-2017-15107 An interesting problem has turned up in DNSSEC validation. It turns out that NSEC records expanded from wildcards are allowed, so a domain can include an NSEC record for *.example.org and an actual query reply could expand that to anything in example.org and still have it signed by the signature for the wildcard. So, for example !.example.org NSEC zz.example.org is fine. The problem is that most implementers (your author included, but also the Google public DNS people, powerdns and Unbound) then took that record to prove the nothing exists between !.example.org and zz.example.org, whereas in fact it only provides that proof between *.example.org and zz.example.org. This gives an attacker a way to prove that anything between !.example.org and *.example.org doesn't exists, when it may well do so. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* mountd: bump to git HEAD versionHans Dedecker2018-01-171-4/+4
| | | | | | | | c54e5c6 mount: check if block was mounted before cleaning it up e31565a mount: remove directory if mounting fails 0f4f20b mount: call hotplug mount scripts only on success Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* kmod-sched-cake: bump to latest cake bake for 17.01Kevin Darbyshire-Bryant2018-01-161-3/+3
| | | | | | | | | | | | | | | | | More important bug fix: 402f05c Use full-rate mtu_time in all tins. Fixes an issue where some cake tins experienced excessive latency since 49776da (dynamically adjust target) Minor bug fixes: 31277c2 Avoid unsigned comparison against zero. Fix compiler warning, no known impact. 8cf5278 ack_filter: fix TCP flag check. A very contrived case may have lead to dropping a SYN packet that should not be dropped. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* lantiq: activate noise margin delta for VDSL tooHauke Mehrtens2018-01-071-2/+2
| | | | | | | | | | | Previously this was only activated for ADSL, this patch activates the same setting also for VDSL, this feature is also support for VDSL in the same way it works for ADSL. I tested it with DSL FW 5.7.9.5.1.7 against a Broadcom 177.140 DSLCO (Deutsche Telekom) and saw different data rates and Max. Attainable Data Rates depending on the ds_snr_offset settings I choose. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* Lantiq: make possible to tweak DSL SRN from UCIAndrea Merello2018-01-071-1/+26
| | | | | | | | | | | | | | | | | | | | | This patch makes possible to tweak the downstream SNR margin on Lantiq DSL devices. The UCI parameter 'network.dsl.ds_snr_offset' is used to set the SNR margin offset. It accepts values in range -50 to +50 in 0.1 dB units. The SNR margin can thus be modified in range -5.0 to +5.0 dB in 0.1 dB steps. Currently this should only affect ADSL (not VDSL). It should be very easy to make this work also on VDSL lines, but since I couldn't test on VDSL lines this patch does not do that yet. I have also a patch for LUCI about this, that I could submit. Tested on FB3370 (Lantiq VR9) and Telecom Italia ADSL2+ line. Signed-off-by: Andrea Merello <andrea.merello@gmail.com>