aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services
Commit message (Collapse)AuthorAgeFilesLines
* uhttpd: make organization (O=) of the cert configurable via uciMartin Schiller2021-10-062-3/+4
| | | | | | | | | Make the organization (O=) of the cert configurable via uci. If not configured, use a combination of "OpenWrt" and an unique id like it was done before. Signed-off-by: Martin Schiller <ms@dev.tdt.de> (cherry picked from commit 2c6c1501af664490ec9b701b46a201e21c670b96)
* hostapd: fix segfault when deinit mesh ifacesJesus Fernandez Manzano2021-09-241-0/+5
| | | | | | | | | | | | In hostapd_ubus_add_bss(), ubus objects are not registered for mesh interfaces. This provokes a segfault when accessing the ubus object in mesh deinit. This commit adds the same condition to hostapd_ubus_free_bss() for discarding those mesh interfaces. Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net> (cherry picked from commit 5269c47e8db549695ceaf6a19afdd0cb90074622)
* dnsmasq: reset EXTRA_MOUNT in the right placeDaniel Golle2021-08-021-2/+2
| | | | | | | | | | EXTRA_MOUNT variable should be reset in dnsmasq_start() rather than just once at the beginning of the script. Fixes: ac4e8aa2f8 ("dnsmasq: fix more dnsmasq jail issues") Reported-by: Hartmut Birr <e9hack@gmail.com> Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit ddc8d085f39dea998f59680fb556ca72d779a3b1)
* dnsmasq: fix more dnsmasq jail issuesDaniel Golle2021-08-021-10/+26
| | | | | | | | | | | | | * remove superflus mounts of /dev/null and /dev/urandom * reset EXTRA_MOUNTS at the beginning of the script * add mount according to ignore_hosts_dir * don't add mount for file which is inside a directory already in the EXTRA_MOUNTS list Fixes: 59c63224e1 ("dnsmasq: rework jail mounts") Reported-by: Hartmut Birr <e9hack@gmail.com> Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit ac4e8aa2f8d98158ea7b749f877269f1f5fa9c5a)
* dnsmasq: rework jail mountsDaniel Golle2021-08-021-1/+7
| | | | | | | | | | | | | * split into multiple lines to improve readability * use EXTRA_MOUNT for addnhosts instead of blindly adding /tmp/hosts * remove no longer needed mount for /sbin/hotplug-call * add dhcp-script.sh dependencies (jshn, ubus) Fixes: 3a94c2ca5c ("dnsmasq: add /tmp/hosts/ to jail_mount") Fixes: aed95c4cb8 ("dnsmasq: switch to ubus-based hotplug call") Reported-by: Stijn Tintel <stijn@linux-ipv6.be> Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit 59c63224e11d6c4eca27131a73bf16218e47a271)
* dnsmasq: use local option for local domain parameterKevin Darbyshire-Bryant2021-08-021-1/+1
| | | | | | | | | | | '--local' is a synonym for '--server' so let's use '--local' in the resultant config file for uci's 'local' instead of uci's local parameter being turned into '--server'. Slightly less confusion all round. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> (cherry picked from commit e4cfefa9fc3d22da5705b554785ba9c533c373d0) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* dnsmasq: add ignore hosts dir to dnsmasq init scriptJoão Henriques2021-08-021-1/+6
| | | | | | | | | | When running multiple instances of dnsmasq, for example one being for the lan and another for a guest network, it might not be desirable to have the same dns names configured in both networks Signed-off-by: João Henriques <joaoh88@gmail.com> (cherry picked from commit e8a5670122e04574fdb5855ecd63d18f317c5bfd) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* dnsmasq: distinct Ubus names for multiple instancesEtan Kissling2021-07-191-3/+29
| | | | | | | | | | | | | | | | | | | | | | | | | Currently, when using multiple dnsmasq instances they are all assigned to the same Ubus instance name. This does not work, as only a single instance can register with Ubus at a time. In the log, this leads to `Cannot add object to UBus: Invalid argument` error messages. Furthermore, upstream 3c93e8eb41952a9c91699386132d6fe83050e9be changes behaviour so that instead of the log, dnsmasq exits at start instead. With this patch, all dnsmasq instances are assigned unique names so that they can register with Ubus concurrently. One of the enabled instances is always assigned the previous default name "dnsmasq" to avoid breaking backwards compatibility with other software relying on that default. Previously, a random instance got assigned that name (while the others produced error logs). Now, the first unnamed dnsmasq config section is assigned the default name. If there are no unnamed dnsmasq sections the first encountered named dnsmasq config section is assigned instead. A similar issue exists for Dbus and was similarly addressed. Signed-off-by: Etan Kissling <etan.kissling@gmail.com> [tweaked commit message] dnsmasq was not crashing it is exiting Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> (cherry picked from commit ba5bd8e556b2e7573d27b16e005ba287e066f795)
* dnsmasq: add /tmp/hosts/ to jail_mountNick Hainke2021-07-191-1/+1
| | | | | | | | Programs like the olsr-name-plugin write hostname files to "/tmp/hosts/". If you don't add this to the jail_mount, dnsmasq can't read it anymore. Signed-off-by: Nick Hainke <vincent@systemli.org> (cherry picked from commit 3a94c2ca5cf7c11ca150fa3ae884e7be8d07a281)
* odhcpd: fix invalid DHCPv6 ADVERTSIE with small configured leasetime (FS#3935)Hans Dedecker2021-07-191-3/+3
| | | | | | | bc9d317 dhcpv6-ia: fix invalid preferred lifetime Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (cherry picked from commit 033d5ff25eaf4facbaab09153982e7321fe282e6)
* hostapd: make wnm_sleep_mode_no_keys configurableTimo Sigurdsson2021-07-052-4/+8
| | | | | | | | | | | | | | | In the aftermath of the KRACK attacks, hostapd gained an AP-side workaround against WNM-Sleep Mode GTK/IGTK reinstallation attacks. WNM Sleep Mode is not enabled by default on OpenWrt, but it is configurable through the option wnm_sleep_mode. Thus, make the AP-side workaround configurable as well by exposing the option wnm_sleep_mode_no_keys. If you use the option wpa_disable_eapol_key_retries and have wnm_sleep_mode enabled, you might consider using this workaround. Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de> [bump PKG_RELEASE] Signed-off-by: Paul Spooren <mail@aparcar.org> (cherry picked from commit bf98faaac8ed24cf7d3d93dd4fcd7304d109363b)
* hostapd: make country3 option configurableTimo Sigurdsson2021-07-052-3/+4
| | | | | | | | | | | | | The country3 option in hostapd.conf allows the third octet of the country string to be set. It can be used e.g. to indicate indoor or outdoor use (see hostapd.conf for further details). Make this option configurable but optional in OpenWrt. Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de> [bump PKG_RELEASE, rebase] Signed-off-by: Paul Spooren <mail@aparcar.org> (cherry picked from commit 9f09c1936a4a13b67fcba632f7ca02331f685359) Signed-off-by: Paul Spooren <mail@aparcar.org>
* hostapd: fix handling of the channel utilization optionsTimo Sigurdsson2021-06-221-0/+2
| | | | | | | | | | | | | Commit 0a7657c ("hostapd: add channel utilization as config option") added the two new uci options bss_load_update_period and chan_util_avg_period. However, the corresponding "config_add_int" calls for these options weren't added, so attempting to actually use these options and change their values is bound to fail - they always stay at their defaults. Add the missing code to actually make these options work. Fixes: 0a7657c ("hostapd: add channel utilization as config option") Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de> (cherry picked from commit 85ce590705072be78c3ef7dc6b64e3b1facc892b)
* hostapd: wolfssl: add RNG to EC keyDavid Bauer2021-06-212-1/+49
| | | | | | | | | | | Since upstream commit 6467de5a8840 ("Randomize z ordinates in scalar mult when timing resistant") WolfSSL requires a RNG for the EC key when built hardened which is the default. Set the RNG for the EC key to fix connections for OWE clients. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit ddcb970274c011d3db611ec39350ee4704ff0e02)
* dnsmasq: Update to version 2.85Alan Swanson2021-05-054-92/+6
| | | | | | | | | | | | | | | | | | | | | | Fixes issue with merged DNS requests in 2.83/2.84 not being retried on the firsts failed request causing lookup failures. Also fixes the following security problem in dnsmasq: * CVE-2021-3448: If specifiying the source address or interface to be used when contacting upstream name servers such as: server=8.8.8.8@1.2.3.4, server=8.8.8.8@1.2.3.4#66 and server=8.8.8.8@eth0 then all would use the same socket bound to the explicitly configured port. Now only server=8.8.8.8@1.2.3.4#66 will use the explicitly configured port and the others random source ports. Remove upstreamed patches and update remaining patch. Signed-off-by: Alan Swanson <reiver@improbability.net> [refreshed old runtime support patch] Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> (cherry picked from commit 3980daffa4e284377cd1ae803fba78331c1fc40b)
* umdns: add missing syscalls to seccomp filterDaniel Golle2021-04-181-27/+30
| | | | | | | | | | | | | | | | Looks like 'openat', 'pipe2' and 'ppoll' are now needed, possibly due to changes on libraries used by umdns now using slightly different calls. Found using /etc/init.d/umdns trace now use umdns, ie. cover all ubus call etc., then /etc/init.d/umdns stop find list of syscalls traced in /tmp/umdns.*.json Fixes: FS#3355 ("UMDNS: does not start on master with seccomp") Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit 00a85a163405fdf9bee4d8c3f0ee87ca9ed259d6)
* umdns: add syscalls needed on Aarch64Daniel Golle2021-04-181-0/+1
| | | | | | | | Now that ujail supports seccomp also on Aarch64, add missing syscall 'fstat' to the list of allowed syscalls. Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit d28880cdd86e10142fd86936f5da188eaeeaf9eb)
* kernel: migrate wireguard into the kernel treeIlya Lipnitskiy2021-04-101-88/+0
| | | | | | | | | | | | On Linux 5.4, build WireGuard from backports. Linux 5.10 contains wireguard in-tree. Add in-kernel crypto libraries required by WireGuard along with arch-specific optimizations. Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com> (cherry picked from commit 06351f1bd0455abacb700db5098bb798f66948fc) (cherry picked from commit 464451d9ab824c2ed62f7da33f0a965f562714c8)
* ppp: compile fix: unset FILTER variable in MakefileEike Ritter2021-03-291-0/+12
| | | | | | | | | | | | | | | | | If the environment variable FILTER is set before compilation, compilation of the ppp-package will fail with the error message Package ppp is missing dependencies for the following libraries: libpcap.so.1 The reason is that the OpenWrt-patch for the Makefile only comments out the line FILTER=y. Hence the pcap-library will be dynamically linked if the environment variable FILTER is set elsewhere, which causes compilation to fail. The fix consists on explicitly unsetting the variable FILTER instead. Signed-off-by: Eike Ritter <git@rittere.co.uk> (cherry picked from commit 46cd0765d0c585dc0b48c8c0a3f116ef83cd580f)
* uhttpd: update to git HEADHauke Mehrtens2021-03-211-4/+4
| | | | | | | 15346de client: Always close connection with request body in case of error Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 1170655f8b792b34f899350cb0272ad94bb2d3e2)
* uhttpd: Execute uci commit and reload_config onceHauke Mehrtens2021-03-211-4/+6
| | | | | | | | | Instead of doing uci commit and reload_config for each setting do it only once when one of these options was changed. This should make it a little faster when both conditions are taken. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 501221af542b5154fbf8788f8426bc7f5443764a)
* uhttpd: Reload config after uhttpd-mod-ubus was addedHauke Mehrtens2021-03-212-1/+3
| | | | | | | | | | | | | Without this change the config is only committed, but the uhttpd daemon is not reloaded. This reload is needed to apply the config. Without the reload of uhttpd, the ubus server is not available over http and returns a Error 404. This caused problems when installing luci on the snapshots and accessing it without reloading uhttpd. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit d25d281fd6686bda67636f6c1df918145b6cb738)
* hostapd: P2P: Fix a corner case in peer addition based on PD RequestStefan Lippers-Hollmann2021-03-011-0/+45
| | | | | | | | | | | | | | | | | | | | | | | | | | | p2p_add_device() may remove the oldest entry if there is no room in the peer table for a new peer. This would result in any pointer to that removed entry becoming stale. A corner case with an invalid PD Request frame could result in such a case ending up using (read+write) freed memory. This could only by triggered when the peer table has reached its maximum size and the PD Request frame is received from the P2P Device Address of the oldest remaining entry and the frame has incorrect P2P Device Address in the payload. Fix this by fetching the dev pointer again after having called p2p_add_device() so that the stale pointer cannot be used. This fixes the following security vulnerabilities/bugs: - CVE-2021-27803 - A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> (cherry picked from commit 1ca5de13a153061feae260864d73d96f7c463785)
* hostapd: backport ignoring 4addr mode enabling errorRaphaël Mélotte2021-02-203-38/+79
| | | | | | | | | | | | | | | | | | | | | This is a backport of the upstream commit 58bbbb598144 ("nl80211: Ignore 4addr mode enabling error if it was already enabled") which fixes same issue as in the current fix contained in '130-wpa_supplicant-multi_ap_roam.patch', but in a different way: nl80211_set_4addr_mode() could fail when trying to enable 4addr mode on an interface that is in a bridge and has 4addr mode already enabled. This operation would not have been necessary in the first place and this failure results in disconnecting, e.g., when roaming from one backhaul BSS to another BSS with Multi AP. Avoid this issue by ignoring the nl80211 command failure in the case where 4addr mode is being enabled while it has already been enabled. Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be> [bump PKG_RELEASE, more verbose commit description] Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit fb860b4e418c28a0f388f215e5acce103dcee1bf)
* odhcpd: setup dhcpv4 server automagicallyDaniel Golle2021-02-152-6/+26
| | | | | | | | | | Automatically setup dhcpv4 server just like it's done for dhcpv6. To select whether odhcpd or dnsmasq are serving DHCPv4 requests there still is the 'maindhcp' option. To make things less confusing, make sure things really work out-of-the-box in case dnsmasq is not even installed at the time the uci-defaults script is being run. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: add patch for setting 4addr mode in multi_apRaphaël Mélotte2021-02-137-47/+57
| | | | | | | | | This patch is required to be able to roam from one backhaul AP to another one in the same ESS. Signed-off-by: Daniel Golle <daniel@makrotopia.org> (daniel@makrotopia.org: PKG_REVISION bump and refreshed patches) Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
* hostapd: reconfigure wps credentials on reloadRaphaël Mélotte2021-02-121-0/+187
| | | | | | | | | | This patch fixes a bug that prevents updating Multi-AP credentials after hostapd has started. It was sent to upstream hostapd here: https://patchwork.ozlabs.org/bundle/rmelotte/hostapd:%20update%20WPS%20credentials%20on%20SIGHUP/ Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
* hostapd: add notifications for management framesRaphaël Mélotte2021-02-122-2/+131
| | | | | | | | | | | | | | | | This patch allows other applications to get events management frames (for example: association requests). This is useful in Multi-AP context to be able to save association requests from stations. It has been sent to upstream hostapd in this series: https://patchwork.ozlabs.org/project/hostap/list/?series=217500 '700-wifi-reload.patch' is updated due to the introduction of '110-notify-mgmt-frames.patch'. Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
* dnsmasq: Bump to v2.84Kevin Darbyshire-Bryant2021-02-083-3/+76
| | | | | | | | | | dnsmasq v2.84rc2 has been promoted to release. No functional difference between v2.83test3 and v2.84/v2.84rc2 Backport 2 patches to fix the version reporting Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: switch to ubus-based hotplug callDaniel Golle2021-02-085-39/+46
| | | | | | | | Use new ubus-based hotplug call in dhcp-script.sh As sysntpd now makes use of the new ubus-based hotplug calls, dnsmasq no longer needs to ship ACL to cover ntpd-hotplug. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: add forgotten patch for P2P vulnerability fixPetr Štetiar2021-02-042-1/+39
| | | | | | | | Commit 7c8c4f1be648 ("hostapd: fix P2P group information processing vulnerability") was missing the actual patch for the vulnerability. Fixes: 7c8c4f1be648 ("hostapd: fix P2P group information processing vulnerability") Signed-off-by: Petr Štetiar <ynezz@true.cz>
* hostapd: fix P2P group information processing vulnerabilityDaniel Golle2021-02-041-1/+1
| | | | | | | | | | | A vulnerability was discovered in how wpa_supplicant processing P2P (Wi-Fi Direct) group information from active group owners. This issue was discovered by fuzz testing of wpa_supplicant by Google's OSS-Fuzz. https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* odhcpd: update to latest git HEADHans Dedecker2021-01-301-3/+3
| | | | | | 8d8a8cd dhcpv6-ia: apply prefix_filter on dhcpv6 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* umdns: bump to 2021-01-26Paul Spooren2021-01-261-5/+5
| | | | | | | | * i78aa36b umdns: fix 64-bit time format string * start using $(AUTORELEASE) * Update Copyright Signed-off-by: Paul Spooren <mail@aparcar.org>
* dnsmasq: Update to 2.84test3Kevin Darbyshire-Bryant2021-01-241-3/+3
| | | | | | | | | | | | | | | dnsmasq v2.83 has a bug in handling duplicate queries which means it may try to reply using the incorrect network socket. This is especially noticeable in dual stack environments where replies may be mis-directed to IPv4 addresses on an IPv6 socket or IPv6 addresses on an IPv4 socket. This results in system log spam such as: dnsmasq[16020]: failed to send packet: Network unreachable dnsmasq[16020]: failed to send packet: Address family not supported by protocol dnsmasq v2.84test3 resolves these issues. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: Update to version 2.83Hauke Mehrtens2021-01-192-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following security problems in dnsmasq: * CVE-2020-25681: Dnsmasq versions before 2.83 is susceptible to a heap-based buffer overflow in sort_rrset() when DNSSEC is used. This can allow a remote attacker to write arbitrary data into target device's memory that can lead to memory corruption and other unexpected behaviors on the target device. * CVE-2020-25682: Dnsmasq versions before 2.83 is susceptible to buffer overflow in extract_name() function due to missing length check, when DNSSEC is enabled. This can allow a remote attacker to cause memory corruption on the target device. * CVE-2020-25683: Dnsmasq version before 2.83 is susceptible to a heap-based buffer overflow when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap- allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in get_rdata() and cause a crash in Dnsmasq, resulting in a Denial of Service. * CVE-2020-25684: A lack of proper address/port check implemented in Dnsmasq version < 2.83 reply_query function makes forging replies easier to an off-path attacker. * CVE-2020-25685: A lack of query resource name (RRNAME) checks implemented in Dnsmasq's versions before 2.83 reply_query function allows remote attackers to spoof DNS traffic that can lead to DNS cache poisoning. * CVE-2020-25686: Multiple DNS query requests for the same resource name (RRNAME) by Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS traffic, using a birthday attack (RFC 5452), that can lead to DNS cache poisoning. * CVE-2020-25687: Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. This flaw is caused by the lack of length checks in rtc1035.c:extract_name(), which could be abused to make the code execute memcpy() with a negative size in sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of Service. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: fix setting wps_state to "not configured"Leon M. George2021-01-152-2/+2
| | | | | | | | | | | | | | | With encryption disabled, it was intended to set wpa_state=1 (enabled, not configured) through the 'wps_not_configured' flag. The flag is set appropriately but the condition using it is broken. Instead, 'wps_configured' is checked and wpa_state is always 2 (enabled, configured). Fix it by using the correct variable name. Fixes: 498d84fc4e00 ("netifd: add wireless configuration support and port mac80211 to the new framework") Signed-off-by: Leon M. George <leon@georgemail.eu> [commit title/message improvements] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* hostapd: fix key_mgmt typoLeon M. George2021-01-142-2/+2
| | | | | | | | | | | The key_mgmt variable was mistyped when checking against "WPS", so the if clause was never entered. Fixes: f5753aae233f ("hostapd: add support for WPS pushbutton station") Signed-off-by: Leon M. George <leon@georgemail.eu> [add commit message, bump PKG_RELEASE] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* hostapd: remove trailing whitespacesLeon M. George2021-01-141-2/+2
| | | | Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: remove unused variableLeon M. George2021-01-141-1/+0
| | | | | | | | | 'base' was never used. Fixes: 498d84fc4e00 ("netifd: add wireless configuration support and port mac80211 to the new framework") Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: remove unused variableLeon M. George2021-01-141-1/+0
| | | | | | | | | 'enc_str' was never used. Fixes: 498d84fc4e00 ("netifd: add wireless configuration support and port mac80211 to the new framework") Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: run as user 'network' if procd-ujail is installedDaniel Golle2021-01-144-2/+55
| | | | | | | Granting capabilities CAP_NET_ADMIN and CAP_NET_RAW allows running hostapd and wpa_supplicant without root priviledges. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: improve error handling when adding supplicant configDaniel Golle2021-01-142-5/+5
| | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: add multicast_to_unicast and per_sta_vifEtan Kissling2021-01-142-2/+15
| | | | | | | | This allows configuration of multicast_to_unicast and per_sta_vif options. - multicast_to_unicast requests multicast-to-unicast conversion. - per_sta_vif assigns each station its own AP_VLAN interface. Signed-off-by: Etan Kissling <etan_kissling@apple.com>
* hostapd: return PID on config_add callDaniel Golle2021-01-104-4/+11
| | | | | | | | | To simplify the way netifd acquires the PIDs of wpa_supplicant and hostapd let the config_add method of both of them return the PID of the called process. Use the returned PID instead of querying procd when adding wpa_supplicant configuration. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: wpa_supplicant: Enable proper GCMP cipher supportRobert Marko2021-01-052-1/+6
| | | | | | | | | This patch enables hostapd.sh to properly configure wpa_supplicant for when GCMP is used as cipher in station mode. Without this wpa_supplicant will be unable to connect to AP. This is needed for wil6210 as it does not support CCMP. Signed-off-by: Robert Marko <robimarko@gmail.com>
* odhcpd: bump to latest versionNick Hainke2021-01-041-3/+3
| | | | | | 3bda900 odhcpd: add option for setting preferred lifetime Signed-off-by: Nick Hainke <vincent@systemli.org>
* hostapd: add support for custom per-BSS optionsFlorian Beverborg2021-01-032-1/+8
| | | | | | | | | | | | This adds an option "hostapd_bss_options" that does the same as "hostapd_options" but on a per-BSS level, instead of a per-device level. This can be used, for example, to configure different per-devce sae_passwords per BSS or to augment some of the existing per-BSS options. Signed-off-by: Florian Beverborg <flo@beverb.org> [remove whitespace errors, bump release] Signed-off-by: Paul Spooren <mail@aparcar.org>
* ppp: Remove already applied patchHauke Mehrtens2021-01-012-14/+1
| | | | | | | This patch was already applied upstream and not needed here. Fixes: 06403981e1f2 ("ppp: update to version 2.4.7.git-2019-05-06") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: do not restart hostapd instance on wireless restartsFelix Fietkau2020-12-311-1/+1
| | | | | | Add the flag that prevents netifd from killing hostapd/wpa_supplicant Signed-off-by: Felix Fietkau <nbd@nbd.name>