path: root/package
Commit message | Author | Age | Files | Lines
* uci: bump to source date 2018-08-11  (Yousong Zhou, 2018-08-11, 1 file, -3/+3)

    Fixes segfault when parsing malformed delta lines

    Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
    (cherry picked from commit 3493c1cf41ecaa2f87394059a26578f723109a15)
* mwlwifi: update to version 10.3.8.0-20180615  (Kabuli Chana, 2018-08-11, 1 file, -4/+13)

    fix mcs rate for HT support
    88W8997 protect rxringdone

    Signed-off-by: Kabuli Chana <newtownBuild@gmail.com>
* wpa_supplicant: fix CVE-2018-14526  (John Crispin, 2018-08-10, 1 file, -0/+48)

    Unauthenticated EAPOL-Key decryption in wpa_supplicant

    Published: August 8, 2018
    Identifiers:
    - CVE-2018-14526
    Latest version available from: https://w1.fi/security/2018-1/

    Vulnerability

    A vulnerability was found in how wpa_supplicant processes EAPOL-Key
    frames. It is possible for an attacker to modify the frame in a way
    that makes wpa_supplicant decrypt the Key Data field without requiring
    a valid MIC value in the frame, i.e., without the frame being
    authenticated. This has a potential issue in the case where WPA2/RSN
    style of EAPOL-Key construction is used with TKIP negotiated as the
    pairwise cipher. It should be noted that WPA2 is not supposed to be
    used with TKIP as the pairwise cipher. Instead, CCMP is expected to be
    used and with that pairwise cipher, this vulnerability is not
    applicable in practice.

    When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data
    field is encrypted using RC4. This vulnerability allows
    unauthenticated EAPOL-Key frames to be processed and due to the RC4
    design, this makes it possible for an attacker to modify the plaintext
    version of the Key Data field with bitwise XOR operations without
    knowing the contents. This can be used to cause a denial of service
    attack by modifying GTK/IGTK on the station (without the attacker
    learning any of the keys) which would prevent the station from
    accepting received group-addressed frames.

    Furthermore, this might be abused by making wpa_supplicant act as a
    decryption oracle to try to recover some of the Key Data payload
    (GTK/IGTK) to get knowledge of the group encryption keys. Full
    recovery of the group encryption keys requires multiple attempts (128
    connection attempts per octet) and each attempt results in
    disconnection due to a failure to complete the 4-way handshake. These
    failures can result in the AP/network getting disabled temporarily or
    even permanently (requiring user action to re-enable) which may make
    it impractical to perform the attack to recover the keys before the AP
    has already changed the group keys. By default, wpa_supplicant is
    enforcing at minimum a ten second wait time between each failed
    connection attempt, i.e., over 20 minutes waiting to recover each
    octet while hostapd AP implementation uses 10 minute default for GTK
    rekeying when using TKIP. With such timing behavior, practical attack
    would need large number of impacted stations to be trying to connect
    to the same AP to be able to recover sufficient information from the
    GTK to be able to determine the key before it gets changed.

    Vulnerable versions/configurations

    All wpa_supplicant versions.

    Acknowledgments

    Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
    Leuven for discovering and reporting this issue.

    Possible mitigation steps

    - Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This
      can be done also on the AP side.

    - Merge the following commits to wpa_supplicant and rebuild:

      WPA: Ignore unauthenticated encrypted EAPOL-Key data

      This patch is available from https://w1.fi/security/2018-1/

    - Update to wpa_supplicant v2.7 or newer, once available

    Signed-off-by: John Crispin <john@phrozen.org>
    (cherry picked from commit 1961948585e008ad0095d7074784893229b00d06)
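Added example (mine, not code from wpa_supplicant, OpenWrt or the w1.fi advisory) of the malleability the advisory above describes: a toy RSN/TKIP EAPOL-Key handler in Python. It keys RC4 with IV||KEK, discards the first 256 keystream bytes and computes an HMAC-MD5 MIC over the frame with the MIC field zeroed, which is how I understand Key Descriptor Version 1; the 16-byte IV, the frame layout `iv || mic || key_data`, the class-free helper names and the constructed GTK are assumptions chosen for illustration and are not wire-compatible with real 802.11. The vulnerable handler is simplified to one that reaches decryption without ever checking the MIC; the fixed one verifies the MIC first, which is the ordering the "WPA: Ignore unauthenticated encrypted EAPOL-Key data" fix enforces. XORing a mask into the ciphertext lands the same mask on the recovered GTK with no key knowledge, which is the group-key DoS the advisory describes.

```python
import hashlib
import hmac
import os

IV_LEN = MIC_LEN = 16          # assumed field sizes for this toy frame
MIC_OFF = IV_LEN
KD_OFF = IV_LEN + MIC_LEN      # frame = iv || mic || encrypted key data


def rc4_keystream(key: bytes, n: int, skip: int = 256) -> bytes:
    """Plain RC4; `skip` keystream bytes are discarded first (256 for EAPOL-Key v1)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(skip + n):                  # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out[skip:])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_frame(kek: bytes, kck: bytes, iv: bytes, key_data: bytes) -> bytes:
    """Authenticator side: RC4(IV||KEK) over Key Data, HMAC-MD5(KCK) with MIC zeroed."""
    enc = xor(key_data, rc4_keystream(iv + kek, len(key_data)))
    mic = hmac.new(kck, iv + bytes(MIC_LEN) + enc, hashlib.md5).digest()
    return iv + mic + enc


def mic_valid(kck: bytes, frame: bytes) -> bool:
    zeroed = frame[:MIC_OFF] + bytes(MIC_LEN) + frame[KD_OFF:]
    expected = hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, frame[MIC_OFF:KD_OFF])


def decrypt_key_data(kek: bytes, frame: bytes) -> bytes:
    iv, enc = frame[:IV_LEN], frame[KD_OFF:]
    return xor(enc, rc4_keystream(iv + kek, len(enc)))


def process_vulnerable(kek: bytes, kck: bytes, frame: bytes):
    """Model of the bug: Key Data is decrypted and installed without the MIC
    being checked, so a forged frame is accepted."""
    return decrypt_key_data(kek, frame)


def process_fixed(kek: bytes, kck: bytes, frame: bytes):
    """Patched ordering: an unauthenticated frame is dropped before any decryption."""
    if not mic_valid(kck, frame):
        return None
    return decrypt_key_data(kek, frame)


def flip_key_data(frame: bytes, mask: bytes) -> bytes:
    """Attacker: XOR a mask into the RC4 ciphertext. The stream cipher carries the
    same mask into the plaintext, so the GTK changes without knowing KEK or GTK."""
    return frame[:KD_OFF] + xor(frame[KD_OFF:], mask)


def demo() -> dict:
    kek, kck, iv = os.urandom(16), os.urandom(16), os.urandom(IV_LEN)
    gtk = bytes(range(1, 17))                  # constructed 16-byte GTK as Key Data
    frame = build_frame(kek, kck, iv, gtk)
    mask = b"\x80" + bytes(len(gtk) - 1)       # flip the top bit of GTK[0]
    tampered = flip_key_data(frame, mask)
    return {
        "fixed_accepts_legit": process_fixed(kek, kck, frame) == gtk,
        "vuln_installs_modified_gtk": process_vulnerable(kek, kck, tampered) == xor(gtk, mask),
        "fixed_rejects_tampered": process_fixed(kek, kck, tampered) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The same property is what makes the oracle attack in the advisory possible: because the station acts on the XOR-shifted plaintext, an attacker can learn, one handshake failure at a time, whether a guessed byte was right, which is why the advisory counts connection attempts per octet.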
* Revert "libevent2: Don't build tests and samples"  (Jo-Philipp Wich, 2018-08-09, 1 file, -13/+0)

    This reverts commit fe90d14880ad80e5cbc0eba036f8f9f83fa77396.

    The cherry pick does not apply cleanly to 18.06.

    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firmware: intel-microcode: bump to 20180703  (Zoltan HERPAI, 2018-08-09, 1 file, -6/+6)

    * New upstream microcode data file 20180703
      + Updated Microcodes:
        sig 0x000206d6, pf_mask 0x6d, 2018-05-08, rev 0x061d, size 18432
        sig 0x000206d7, pf_mask 0x6d, 2018-05-08, rev 0x0714, size 19456
        sig 0x000306e4, pf_mask 0xed, 2018-04-25, rev 0x042d, size 15360
        sig 0x000306e7, pf_mask 0xed, 2018-04-25, rev 0x0714, size 17408
        sig 0x000306f2, pf_mask 0x6f, 2018-04-20, rev 0x003d, size 33792
        sig 0x000306f4, pf_mask 0x80, 2018-04-20, rev 0x0012, size 17408
        sig 0x000406f1, pf_mask 0xef, 2018-04-19, rev 0xb00002e, size 28672
        sig 0x00050654, pf_mask 0xb7, 2018-05-15, rev 0x200004d, size 31744
        sig 0x00050665, pf_mask 0x10, 2018-04-20, rev 0xe00000a, size 18432
        sig 0x000706a1, pf_mask 0x01, 2017-12-26, rev 0x0022, size 73728
      + First batch of fixes for: Intel SA-00115, CVE-2018-3639, CVE-2018-3640
      + Implements IBRS/IBPB/STIPB support, Spectre-v2 mitigation
      + SSBD support (Spectre-v4 mitigation) and fix Spectre-v3a for:
        Sandybridge server, Ivy Bridge server, Haswell server, Skylake
        server, Broadwell server, a few HEDT Core i7/i9 models that are
        actually gimped server dies.

    Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
* curl: Fix CVE-2018-0500  (Hauke Mehrtens, 2018-08-08, 2 files, -1/+33)

    This backports a fix for:
    * CVE-2018-0500 SMTP send heap buffer overflow

    See here for details:
    https://curl.haxx.se/docs/adv_2018-70a2.html

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* ustream-ssl: update to version 2018-05-22  (Hauke Mehrtens, 2018-08-08, 1 file, -4/+4)

    5322f9d mbedtls: Fix setting allowed cipher suites
    e8a1469 mbedtls: Add support for a session cache

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: Update to 2.12.0  (Hauke Mehrtens, 2018-08-08, 7 files, -33/+123)

    Multiple security fixes
    * CVE-2018-0497 Remote plaintext recovery on use of CBC based
      ciphersuites through a timing side-channel
    * CVE-2018-0498 Plaintext recovery on use of CBC based ciphersuites
      through a cache based side-channel

    Disable OFB block mode and XTS block cipher mode, added in 2.11.0.
    Disable Chacha20 and Poly1305 cryptographic primitives, added in 2.12.0

    Patch the so version back to the original one, the API changes are
    looking not so invasive.

    The size of mbedtls increased a little bit:
    ipkg for mips_24kc before: 163.967 Bytes
    ipkg for mips_24kc after:  164.753 Bytes

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: Activate the session cache  (Hauke Mehrtens, 2018-08-08, 1 file, -9/+0)

    This makes it possible to store information about a session and reuse
    it later. When used by a server it increases the time to create a new
    TLS session from about 1 second to less than 0.1 seconds.

    The size of the ipkg file increased by about 800 Bytes.
    ipkg for mips_24kc before: 163.140 Bytes
    ipkg for mips_24kc after:  163.967 Bytes

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: cleanup config patch  (Daniel Engberg, 2018-08-08, 1 file, -40/+32)

    Clean up patch, use "//" consistently.

    Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: Deactivate platform abstraction  (Hauke Mehrtens, 2018-08-08, 1 file, -0/+9)

    This makes mbedtls use the POSIX API directly and not use the own
    abstraction layer.

    The size of the ipkg decreased by about 100 bytes.

    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* base-files: drop fwtool_pre_upgrade  (John Crispin, 2018-08-08, 2 files, -7/+0)

    this feature has never worked, the fw image name was not passed and the
    -t parameter was missing in the tool invocation. drop the feature.

    Signed-off-by: John Crispin <john@phrozen.org>
    (cherry picked from commit 5e1b4c57ded7898be5255aef594fa18ec206f0b2)
* libevent2: Don't build tests and samples  (Eneas U de Queiroz, 2018-08-08, 1 file, -0/+13)

    The sender domain has a DMARC Reject/Quarantine policy which disallows
    sending mailing list messages using the original "From" header.

    To mitigate this problem, the original message has been wrapped
    automatically by the mailing list software.

    This reduces build time significantly.

    Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
    (cherry picked from commit 26dbf79f4905e6b5ba5aafdc2271c3a864dd1924)
* wwan: Fix teardown for sierra_net driver  (Masashi Honma, 2018-08-08, 1 file, -1/+1)

    The sierra_net driver is using proto_directip_setup for setup.
    So use proto_directip_teardown for teardown.

    Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
    (cherry picked from commit d05967baecca33774ab95d4ffabbcb4cc9d0a1bf)
* kernel: leds-apu2 remove boardname check  (Lukas Mrtvy, 2018-08-08, 1 file, -12/+0)

    'In different versions of coreboot are different names of apu boardname.
    No need to check boardname to load module.'

    Signed-off-by: Lukas Mrtvy <lukas.mrtvy@gmail.com>
    (cherry picked from commit f21bcb4db8a12cef62e5698f0f711db8dde99db8)
* dropbear: close all active clients on shutdown  (Christian Schoenebeck, 2018-08-08, 1 file, -0/+5)

    Override the default shutdown action (stop) and close all processes
    of dropbear

    Since commit 498fe85, the stop action only closes the process that's
    listening for new connections, maintaining the ones with existing
    clients.

    This poses a problem when restarting or shutting down a device,
    because the connections with existing SSH clients, like OpenSSH, are
    not properly closed, causing them to hang.

    This situation can be avoided by closing all dropbear processes when
    shutting down the system, which closes properly the connections with
    current clients.

    Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
    [Luis: Rework commit message]
    Signed-off-by: Luis Araneda <luaraneda@gmail.com>
    (cherry picked from commit 1e177844bc814d3846312c91cd0f7a54df4f32b9)
* kernel: gpio-nct5104d remove boardname check  (Lukáš Mrtvý, 2018-08-08, 1 file, -5/+0)

    'In different versions of coreboot are different names of apu boardname.
    No need to check boardname to load module.'

    Signed-off-by: Lukáš Mrtvý <lukas.mrtvy@gmail.com>
    (cherry picked from commit d3b8e6b2a77de8b3d5724534714ecdfd8fa6d50c)
* basefiles: Reword sysupgrade message  (Kevin Darbyshire-Bryant, 2018-08-08, 1 file, -1/+1)

    sysupgrade 'upgrade' message more verbose than needs be.

    Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
    (cherry picked from commit edf338f248a270f5fd85edc04775ec5ed6d46bca)
* linux: update license tag to use correct SPDX tag  (Florian Eckert, 2018-08-08, 1 file, -1/+1)

    Use SPDX tag.

    Signed-off-by: Florian Eckert <fe@dev.tdt.de>
    (cherry picked from commit c79ef6fbe39b0626214542a0de141da092be193c)
* firmware: amd64-microcode: update to 20180524  (Zoltan HERPAI, 2018-08-08, 1 file, -2/+2)

    * New microcode update packages from AMD upstream:
      + New Microcodes:
        sig 0x00800f12, patch id 0x08001227, 2018-02-09
      + Updated Microcodes:
        sig 0x00600f12, patch id 0x0600063e, 2018-02-07
        sig 0x00600f20, patch id 0x06000852, 2018-02-06
    * Adds Spectre v2 (CVE-2017-5715) microcode-based mitigation support,
      plus other unspecified fixes/updates.

    Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
    (cherry picked from commit 10e393262caeba1e9cbdcc937d20fe15ad5f448a)
* libubox: fix mirror hash  (Jo-Philipp Wich, 2018-08-07, 1 file, -1/+1)

    Correct the mirror hash to reflect what's on the download server.

    A locally produced libubox SCM tarball was also verified to yield an
    identical checksum compared to the one currently on the download server.

    Fixes FS#1707.
    Fixes 5dc32620c4 ("libubox: update to latest git HEAD")

    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
    (cherry picked from commit 432eaa940fee0b8023bee122da4cb08f3216209f)
* netifd: update to latest git HEAD  (John Crispin, 2018-08-06, 1 file, -3/+3)

    a0a1e52 fix compile error
    75ee790 interface-ip: fix eui64 ifaceid generation (FS#1668)
    ca97097 netifd: make sure the vlan ifname fits into the buffer
    b8c1bca iprule: remove bogus assert calls
    a2f952d iprule: fix broken in_dev/out_dev checks
    263631a vlan: use alloca to get rid of IFNAMSIZE in vlan_dev_set_name()
    291ccbb ubus: display correct prefix size for IPv6 prefix address
    908a9f4 CMakeLists.txt: add -Wimplicit-fallthrough to the compiler flags
    b06b011 proto-shell.c: add a explicit "fall through" comment to make the compiler happy
    60293a7 replace fall throughs in switch/cases where possible with simple code changes
    5cf7975 iprule: rework interface based rules to handle dynamic interfaces
    57f87ad Introduce new interface event "create" (IFEV_CREATE)
    03785fb system-linux: fix build error on older kernels
    d1251e1 system-linux: adjust bridge isolate mode for upstream attribute naming
    e9eff34 system-linux: extend link mode speed definitions
    c1f6a82 system-linux: add autoneg and link-partner output

    Signed-off-by: John Crispin <john@phrozen.org>
    (cherry picked from commit 3c4eeb5d21073dea5a021012f9e65ce95f81806e)
    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* uclient: update to latest git HEAD  (Jo-Philipp Wich, 2018-08-03, 1 file, -3/+3)

    f2573da uclient-fetch: use package name pattern in message for missing SSL library
    9fd8070 uclient-fetch: Check for nullpointer returned by uclient_get_url_filename
    f41ff60 uclient-http: basic auth: Handle memory allocation failure
    a73b23b uclient-http: auth digest: Handle multiple possible memory allocation failures
    66fb58d uclient-http: Handle memory allocation failure
    2ac991b uclient: Handle memory allocation failure for url
    63beea4 uclient-http: Implement error handling for header-sending
    eb850df uclient-utils: Handle memory allocation failure for url file name
    ae1c656 uclient-http: Close ustream file handle only if allocated

    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
    (cherry picked from commit e44162ffca448d024fe023944df702c9d3f6b586)
* iperf: bump to 2.0.12  (Koen Vandeputte, 2018-08-02, 1 file, -2/+2)

    2.0.12 change set (as of June 25th 2018)

    o Change the unicast TTL default value from 1 to the system default
      (to be compatible with previous versions.) Multicast still defaults to 1.
    o adaptive formatting bug fix: crash occurs when values exceed 1 Tera.
      Add support for Tera and Peta and eliminate the potential crash condition
    o configure default compile to include isochronous support
      (use configure --disable-isochronous to remove support)
    o replace 2.0.11's --vary-load option with a more general -b option to
      include <mean>,<stdev>, e.g. -b 100m,40m, which will pull from a log
      normal distribution every 0.1 seconds
    o fixes for windows cross compile (using mingw32)
    o compile flags of -fPIE for android
    o configure --enable-checkprograms to compile ancillary binaries used
      to test things such as delay, isoch, pdf generation
    o compile tests when trying to use 64b seq numbers on a 32b platform
    o Fix GCC ver 8 warnings

    2.0.11 change set (as of May 24th, 2018)

    o support for -b on server (read rate limiting)
    o honor -T (ttl) for unicast. (Note: the default value is 1 so this
      will impact unicast tests that require routing)
    o support for --isochronous traffic with optional frames per second,
      mean and variance uses a log normal distribution (requires configure
      w/-enable-isochronous and compile)
    o support for --udp triggers (requires configure w/ --enable-udptriggers,
      early code with very limited support)
    o support for --udp-histogram with optional bin width and number of bins
      (default is 1 millisecond bin width and 1000 bins)
    o support for frame (burst) latency histograms when --isochronous is set
    o support for --tx-sync with -P for synchronized writes. Initial use is
      for WiFi OFDMA latency testing.
    o support for --incr-dstip with -P for simultaneous flows to multiple
      destinations (use case is for OFDMA)
    o support for --vary-load with optional weight, uses log normal
      distribution (requires -b to set the mean)
    o support for --l2checks to detect L2 length errors not detected by v4
      or v6 payload length errors (requires linux, berkeley packet filters
      BPFs and AF_PACKET socket support)
    o support for server joining multicast source specific multicast (S,G)
      and (*,G) for both v4 and v6 on platforms that support it
    o improved write counters (requires -e)
    o accounting bug fix on client when write fails, this bug was
      introduced in 2.0.10
    o slight restructure client/server traffic thread code for maintainability
    o python: flow example script updates
    o python: ssh node object using asyncio
    o python: histograms in flows with plotting (assumed gnuplot available)
    o python: hierarchical clustering of latency histograms (early code)
    o man pages updates
    o Note: latency histograms require client and server system clock
      synchronization. A GPS disciplined oscillator using Precision Time
      Protocol works well for this.

    Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* ca-certificates[18.06]: remove myself as PKG_MAINTAINER  (Christian Schoenebeck, 2018-07-31, 1 file, -1/+1)

    remove myself as PKG_MAINTAINER

    Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
* OpenWrt v18.06.0: revert to branch defaults  (Jo-Philipp Wich, 2018-07-30, 1 file, -2/+2)

    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* OpenWrt v18.06.0: adjust config defaults  (tag: v18.06.0; Jo-Philipp Wich, 2018-07-30, 1 file, -2/+2)

    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* base-files: network.sh: gracefully handle missing network.interface ubus ns  (Jo-Philipp Wich, 2018-07-30, 2 files, -5/+11)

    When attempting to use any of the functions in network.sh while netifd
    is not started yet, the ubus interface dump query will fail with "Not
    found", yielding an empty response.

    Subsequently, jsonfilter is invoked with an empty string instead of a
    valid JSON document, causing it to emit a second "unexpected end of
    data" error.

    This caused the dnsmasq init script to log the following errors during
    early boot on some systems:

      procd: /etc/rc.d/S19dnsmasq: Command failed: Not found.
      procd: /etc/rc.d/S19dnsmasq: Failed to parse json data: unexpected end of data.

    Fix the issue by allowing the ubus query to fail with "Not found" but
    still logging other failures, and by passing an empty JSON object to
    jsonfilter if the interface status cache is empty.

    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* iwinfo: update to version 2018-07-24  (Nick Hainke, 2018-07-30, 1 file, -4/+4)

    Update to new iwinfo version.
    Adds support for channel survey.
    Adds ubus support.
    Etc.

    Signed-off-by: Nick Hainke <vincent@systemli.org>
    (cherry picked from commit 296ae7ab89c179ff39feff973000fcb864754df7)
* iwinfo: bump to latest git HEAD  (John Crispin, 2018-07-30, 1 file, -3/+3)

    e59f925 hardware: add device ids for QCA9984, 88W8887 and 88W8964 radios
    2a82f87 nl80211: back out early when receiving FAIL-BUSY reply
    77c32f0 nl80211: fix code calculating average signal and rate

    Signed-off-by: John Crispin <john@phrozen.org>
    (cherry picked from commit 20b76c0a5bb7a13dcc739bd644f0f968e3b3c68a)
* dnsmasq: bump to dnsmasq v2.80test3  (Kevin Darbyshire-Bryant, 2018-07-28, 20 files, -1565/+6)

    Refresh patches

    Upstream commits since last bump:

    3b6eb19 Log DNSSEC trust anchors at startup.
    f3e5787 Trivial comment change.
    c851c69 Log failure to confirm an address in DHCPv6.
    a3bd7e7 Fix missing fatal errors when parsing some command-line/config options.
    ab5ceaf Document the --help option in the french manual
    1f2f69d Fix recurrent minor spelling mistake in french manual
    f361b39 Fix some mistakes in french translation of the manual
    eb1fe15 When replacing cache entries, preserve CNAMES which target them.

    Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
    (cherry picked from commit 1e93ef84981f2722138824413a1b197fdab7fb6c)
* dnsmasq: don't use network functions at boottime (FS#1542)  (Hans Dedecker, 2018-07-28, 2 files, -6/+15)

    As dnsmasq is started earlier than netifd usage of network.sh functions
    at boottime will fail; therefore don't call at boottime the functions
    which construct the dhcp pool/relay info.
    As interface triggers are installed the dhcp pool/relay info will be
    constructed when the interface gets reported as up by netifd.
    At the same time also register interface triggers based on DHCP relay
    config.

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
    (cherry picked from commit 2336b942b37f265c59547d738ca558b61102833d)
* dnsmasq: bump to latest patches on 2.80rc2  (Kevin Darbyshire-Bryant, 2018-07-28, 19 files, -11/+406)

    Refresh patches and backport upstream to current HEAD:

    a997ca0 Fix sometimes missing DNSSEC RRs when DNSSEC validation not enabled.
    51e4eee Fix address-dependent domains for IPv6.
    05ff659 Fix stupid infinite loop introduced by preceding commit.
    db0f488 Handle some corner cases in RA contructed interfaces with addresses changing interface.
    7dcca6c Warn about the impact of cache-size on performance.
    090856c Allow zone transfer in authoritative mode whenever auth-peer is specified.
    cc5cc8f Sane error message when pcap file header is wrong.
    c488b68 Handle standard and contructed dhcp-ranges on the same interface.

    Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
    (cherry picked from commit fbf475403b911f46e91b57fb7a6cf3c65276464c)
* mac80211: backport brcmfmac fixes & debugging helpers from 4.18  (Rafał Miłecki, 2018-07-27, 9 files, -2/+341)

    The most important is probably regression fix in handling platform
    NVRAM. That bug stopped hardware from being properly calibrated
    breaking e.g. 5 GHz for Netgear R8000.

    Other than that it triggers memory dumps when experiencing firmware
    problems which is important for debugging purposes.

    Fixes: 2811c97803e5 ("mac80211: backport brcmfmac firmware & clm_blob loading rework")
    Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
    (cherry picked from commit b26214adb53da2816ff830b6cd6e31e1dafa2635)
* odhcpd: update to latest git HEAD  (Jo-Philipp Wich, 2018-07-26, 1 file, -4/+4)

    Changes:

    81a281e dhcpv6-ia: fix border assignment size setting
    a2ffc59 dhcpv6-ia: fix status code for not on link IAs
    5b087a6 dhcpv6-ia: improve error checking in assign_pd()
    c9114a1 config: fix wrong assignment
    bb8470f dhcpv4: delay forced renew transaction start
    62a1b09 dhcpv4: fix DHCP address space logic
    d5726ff dhcpv4: improve logging when sending DHCP messages
    9484351 odhcpd: call handle_error when socket error can be retrieved
    c45e2eb dhcpv6: fix out of bounds write in handle_nested_message()
    c2ff5af dhcpv6-ia: log renew messages as well
    676eb38 router: fix possible segfault in send_router_advert()
    392701f odhcpd: fix passing possible negative parameter
    029123b treewide: switch to C-code style comments
    6b79748 router: improve error checking
    12e21bc netlink: fix incorrect sizeof argument
    d7aa414 dhcpv6: improve error checking in dhcpv6_setup_interface()
    373495a ubus: fix invalid ipv6-prefix json
    79d5e6f ndp: improve error checking
    d834ae3 dhcpv4: fix error checking in dhcpv4_setup_interface()
    f2aa383 dhcpv4: fix out of bound access in dhcpv4_put
    4591b36 dhcpv4: improve error checking in dhcpv4_setup_interface()
    4983ee5 odhcpd: fix strncpy bounds
    c0f6390 odhcpd: Check if open the ioctl socket failed
    345bba0 dhcpv4: improve error checking in handle_dhcpv4()
    44cce31 ubus: avoid dumping interface state with NULL message

    Cherry picked and squashed from commits:

    b7ef10cbf0 odhcpd: update to latest git HEAD
    98a6bee09a odhcpd: update to latest git HEAD
    88c88823d5 odhcpd: update to latest git HEAD

    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* ubus: update to latest git HEAD  (Jo-Philipp Wich, 2018-07-26, 1 file, -3/+3)

    40e0931 libubus: pass an empty UBUS_ATTR_DATA block if msg is NULL on invoke

    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
    (cherry picked from commit 7316515891532a9d5f0b70db31a95d06f7b00e94)
* firewall: update to latest git HEAD and build with LTO  (Hans Dedecker, 2018-07-26, 1 file, -5/+5)

    Reduces .ipk size on MIPS from 41.6k to 41.1k

    Changes:

    30463d0 zones: add interface/subnet bound LOG rules
    0e77bf2 options: treat time strings as UTC times
    d2bbeb7 firewall3: make reject types selectable by user
    aa8846b ubus: avoid dumping interface state with NULL message

    Cherry picked and squashed from commits:

    a3f2451fba firewall: update to latest git HEAD
    433d71e73e fw3: update to latest git HEAD
    ef96d1e34a firewall: compile with LTO enabled
    1e83f775a3 firewall3: update to latest git HEAD
    3ee2c76ae0 firewall: update to latest git HEAD

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
    Signed-off-by: John Crispin <john@phrozen.org>
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* ubus: update to latest git HEAD  (John Crispin, 2018-07-25, 1 file, -3/+3)

    884be45 libubus: check for non-NULL data before running callbacks

    Signed-off-by: John Crispin <john@phrozen.org>
    (cherry picked from commit a5c3bbaf56d6fb442ea16f26042cec83c7c00454)
* libubox: update to latest git HEAD  (John Crispin, 2018-07-25, 1 file, -3/+3)

    c83a84a fix segfault when passed blobmsg attr is NULL

    Signed-off-by: John Crispin <john@phrozen.org>
    (cherry picked from commit 5dc32620c4aa66d05eb5585784ed954854e8194c)
* wireguard-tools: add wireguard_watchdog script  (Aleksandr V. Piskunov, 2018-07-25, 2 files, -2/+63)

    This watchdog script tries to re-resolve hostnames for inactive
    WireGuard peers. Use it for peers with a frequently changing dynamic IP.
    persistent_keepalive must be set, recommended value is 25 seconds.

    Run this script from cron every minute:
    echo '* * * * * /usr/bin/wireguard_watchdog' >> /etc/crontabs/root

    Signed-off-by: Aleksandr V. Piskunov <aleksandr.v.piskunov@gmail.com>
    [bump the package release]
    Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
    (cherry picked from commit 20c4819c7baf6f9b91420849caf30e5137bd75d6)
* wireguard: bump to 0.0.20180718  (Jason A. Donenfeld, 2018-07-25, 1 file, -2/+2)

    80b41cd version: bump snapshot
    fe5f0f6 recieve: disable NAPI busy polling
    e863f40 device: destroy workqueue before freeing queue
    81a2e7e wg-quick: allow link local default gateway
    95951af receive: use gro call instead of plain call
    d9501f1 receive: account for zero or negative budget
    e80799b tools: only error on wg show if all interfaces failk

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    [Added commit log to commit description]
    Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
    (cherry picked from commit 57b808ec88315db6743b3159a04dbb16097597ea)
* wireguard: bump to 0.0.20180708  (Jason A. Donenfeld, 2018-07-25, 1 file, -2/+2)

    * device: print daddr not saddr in missing peer error
    * receive: style

      Debug messages now make sense again.

    * wg-quick: android: support excluding applications

      Android now supports excluding certain apps (uids) from the tunnel.

    * selftest: ratelimiter: improve chance of success via retry
    * qemu: bump default kernel version
    * qemu: decide debug kernel based on KERNEL_VERSION

      Some improvements to our testing infrastructure.

    * receive: use NAPI on the receive path

      This is a big change that should both improve preemption latency (by
      not disabling it unconditionally) and vastly improve rx performance
      on most systems by using NAPI. The main purpose of this snapshot is
      to test out this technique.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    (cherry picked from commit 4630159294024c0718077e49dbb440919440de87)
* iproute2: tc: backport canonical cake support  (Kevin Darbyshire-Bryant, 2018-07-21, 2 files, -150/+154)

    iproute2's tc was updated to support the recently upstreamed cake qdisc.

    Backport this canonical support from upstream into iproute2 v4.16

    There is no kernel kmod/userspace tc ABI change in this release from
    the previous package bump, so everyone can breathe a sigh of relief.

    This is largely a code style change, the exception to prove the rule:
    option 'autorate_ingress' has been changed to 'autorate-ingress' to
    fit in with upstream option naming expectations.

    No openwrt package (e.g. sqm-scripts) has knowledge of
    'autorate_ingress' thus only users who made their own scripts or used
    it within the 'dangerous configuration' options of sqm-scripts will
    be affected.

    Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* base-files: fix wrong sysctl parameter order  (Luiz Angelo Daros de Luca, 2018-07-18, 1 file, -1/+1)

    Restarting service sysctl echos multiple errors like:

        sysctl: -e: No such file or directory

    After the first filename, all remaining arguments are treated as files.

    Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
* igmpproxy: run in foreground for procd  (Kevin Darbyshire-Bryant, 2018-07-18, 2 files, -2/+2)

    procd needs processes to stay in foreground to remain under its gaze
    and control. Failure to do so means service stop commands fail to
    actually stop the process (procd doesn't think it's running 'cos the
    process has exited already as part of its forking routine)

    Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
    (cherry picked from commit 9d5a2469304eb23b6d09432a6d9b6a57d0019d2a)
* mtd: improve check for TRX header being already fixed  (Rafał Miłecki, 2018-07-16, 2 files, -8/+9)

    First of all lengths should be compared after checking all blocks for
    being good/bad. It's because requested length may differ from a final
    one if there were some bad blocks.

    Secondly it makes sense to also compare crc32 since we already have a
    new one calculated.

    Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
    (cherry picked from commit 82498a7f7aa86ad0e93ef60d50dccaa0a9549e4c)
* mtd: support bad blocks within the mtd_fixtrx()  (Rafał Miłecki, 2018-07-16, 2 files, -7/+29)

    Reading MTD data with (p)read doesn't return any error when accessing
    bad block. As the result, with current code, CRC32 covers "data"
    stored in bad blocks. That behavior doesn't match CFE's one
    (bootloader simply skips bad blocks) and may result in:
    1) Invalid CRC32
    2) CFE refusing to boot firmware with a following error:
       Boot program checksum is invalid

    Fix that problem by checking every block before reading its content.

    Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
    (cherry picked from commit 0f54489f754e7bd34e0430c57a11b6a54740d58e)
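Added example (mine, not the OpenWrt mtd tool's code) modelling the failure mode the two mtd commits above describe: a toy erase-block flash whose reads do not fail on bad blocks, a naive reader that therefore feeds bad-block content into the CRC, and a CFE-style reader that skips bad blocks and reports how many physical blocks the image really spans, which is why the length comparison in the first commit has to wait until after the bad-block scan. The toy block size, the `ToyMtd` class, the constructed four-block image and computing CRC32 over the whole payload are assumptions for illustration; the real TRX header layout and partition geometry are not modelled.

```python
import zlib

BLOCK = 256   # assumed toy erase-block size; real NAND blocks are far larger


class ToyMtd:
    """Erase-block flash. Like pread() on an mtd char device, read() of a bad
    block returns bytes without any error; only is_bad() knows the block is bad."""

    def __init__(self, blocks, bad=()):
        self.blocks = [bytes(b) for b in blocks]
        self.bad = set(bad)

    def is_bad(self, idx: int) -> bool:
        return idx in self.bad

    def read(self, idx: int) -> bytes:
        return self.blocks[idx]


def read_naive(mtd: ToyMtd, length: int) -> bytes:
    """Old behaviour: `length` bytes read contiguously, bad blocks included."""
    return b"".join(mtd.blocks)[:length]


def read_skip_bad(mtd: ToyMtd, length: int):
    """CFE-style: skip bad blocks, collect `length` bytes of good data and return
    (data, physical blocks spanned). With a bad block in the way, spanned is
    larger than length // BLOCK, so the requested and final lengths differ."""
    out = bytearray()
    spanned = 0
    for idx in range(len(mtd.blocks)):
        if len(out) >= length:
            break
        spanned += 1
        if mtd.is_bad(idx):
            continue
        out += mtd.read(idx)
    return bytes(out[:length]), spanned


def payload_crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def already_fixed(mtd: ToyMtd, hdr_len: int, hdr_crc: int) -> bool:
    """Mirror of the improved check: compare the length only after the bad-block
    scan, and also compare the freshly computed crc32 against the header's."""
    data, _spanned = read_skip_bad(mtd, hdr_len)
    return len(data) == hdr_len and payload_crc32(data) == hdr_crc


def demo() -> dict:
    image = [bytes([0x10 + i]) * BLOCK for i in range(4)]   # constructed 4-block firmware
    filler = [b"\x00" * BLOCK] * 2
    image_len = 4 * BLOCK
    clean = ToyMtd(image + filler)
    good_crc = payload_crc32(read_skip_bad(clean, image_len)[0])

    # Same firmware written by a bootloader that skipped bad block 2:
    # the image is laid out around the bad block, which reads back as 0xff.
    worn = ToyMtd(image[:2] + [b"\xff" * BLOCK] + image[2:] + filler, bad={2})
    naive_crc = payload_crc32(read_naive(worn, image_len))
    skipped, spanned = read_skip_bad(worn, image_len)
    return {
        "naive_crc_matches": naive_crc == good_crc,                  # junk in the CRC
        "skip_bad_crc_matches": payload_crc32(skipped) == good_crc,  # what CFE computes
        "blocks_spanned": spanned,                                   # 5 physical, 4 logical
        "already_fixed": already_fixed(worn, image_len, good_crc),
    }


if __name__ == "__main__":
    print(demo())
```

The naive path is the "Invalid CRC32" case from the second commit: the checksum written into the header does not match what CFE computes over the good blocks, so the bootloader refuses the image.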
* kmod-sched-cake: bump to 20180716  (Kevin Darbyshire-Bryant, 2018-07-16, 1 file, -3/+3)

    Bump to the latest cake recipe.

    This backports tc class support to kernel 4.9 and other than
    conditional kernel compilation pre-processor macros represents the
    cake that has gone upstream into kernel 4.19. Loud cheer!

    Fun may be had by changing cake tin classification for packets on
    ingress. e.g.

    tc filter add dev ifb4eth0 parent 800b: protocol ip u32 match \
      ip dport 6981 0xffff action skbedit priority 800b:1

    Where 800b: represents the filter handle for the ifb obtained by
    'tc qdisc' and the 1 from 800b:1 represents the cake tin number. So
    the above example puts all incoming packets destined for port 6981
    into the BULK (lowest priority) tin.

    f39ab9a Obey tin_order for tc filter classifiers
    1e2473f Clean up after latest backport.
    82531d0 Reorder includes to fix out of tree compilation
    52cbc00 Code style cleanup
    6cdb496 Fix argument order for NL_SET_ERR_MSG_ATTR()
    cab17b6 Remove duplicate call to qdisc_watchdog_init()
    71c7991 Merge branch 'backport-classful'
    32aa7fb Fix compilation on Linux 4.9
    9f8fe7a Fix compilation on Linux 4.14
    ceab7a3 Rework filter classification
    aad5436 Fixed version of class stats
    be1c549 Add cake-specific class stats
    483399d Use tin_order for class dumps
    80dc129 Add class dumping
    0c8e6c1 Fix dropping when using filters
    c220493 Add the minimum class ops
    5ed54d2 Start implementing tc filter/class support

    Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
    (cherry picked from commit c729c43b391e759b6700b28c8e02ba93fe15f8c2)
* qos-scripts: fix uci callback handling  (Tony Ambardar, 2018-07-16, 3 files, -29/+29)

    The previous callback code was fragile, dependent on some UCI callback
    bugs and side-effects now fixed in master commit 73d8a6ab. Update
    scripts to use callbacks where appropriate and necessary, while using
    normal UCI config parsing for all else. This results in smaller,
    simpler, more robust code.

    Use callbacks in generate.sh to only process 'interface' defaults and
    the varying entries for 'reclassify', 'default' and 'classify'
    sections. Also switch qos-stat to use non-callback UCI handling.

    The current changes work independently of 73d8a6ab (i.e. both before
    and after), and are consistent with UCI config parsing documentation.

    Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
* base-files: fix UCI config parsing and callback handling  (Tony Ambardar, 2018-07-16, 2 files, -9/+6)

    There are several long-standing issues present in the UCI shell API
    as documented in https://wiki.openwrt.org/doc/devel/config-scripting.
    They relate both to high-level, user-defined callback functions used
    to process UCI config files, and also to low-level functions used
    within scripts generally.

    The related problems have been encountered now and in the past, e.g.
    https://forum.openwrt.org/viewtopic.php?id=54295, and include:

    a) UCI parsing option() function and user-defined option_cb() callbacks
       being erroneously called during processing of "list" config file
       entries;
    b) normal usage of the low-level config_set() unexpectedly calling any
       defined option_cb() if present; and
    c) handling of the list_cb() not respecting the NO_CALLBACK variable.

    Root causes include a function stack "inversion", where the low-level
    config_set() function incorrectly calls the high-level option()
    function, intended only for processing the "option" keyword of UCI
    config files.

    This change addresses the inversion and other issues, making the
    option handling code more consistent and smaller, and simplifying
    developers' usage of UCI callbacks.

    Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]