aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services
Commit message (Collapse)AuthorAgeFilesLines
* dnsmasq: Set the default dhcp lease file and resolv fileDaniel Dickinson2016-05-241-4/+12
| | | | | | | | Instead of making assumptions about the leasefile and resolv file make sure we use what the user configures, but fall back to defaults if no configuration is specified Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
* dnsmasq: update to dnsmasq v2.76Kevin Darbyshire-Bryant2016-05-244-10/+28
| | | | | | | Update to dnsmasq2.76. Refresh patches. Add new patch to fix musl 'poll.h' location warning. Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* mdns: update to latest git HEADJohn Crispin2016-05-231-2/+2
| | | | | | * fixes loopback handling Signed-off-by: John Crispin <john@phrozen.org>
* uhttpd: use configured distribution name for SSL certificate CNFelix Fietkau2016-05-212-1/+3
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* dnsmasq: sysupgrade hook to conditionally preserve dnsmasq.timeKevin Darbyshire-Bryant2016-05-192-0/+18
| | | | | | | | | | | | conditionally save dnsmasq.time across sysupgrade dnsmasq uses /etc/dnsmasq.time as record of the last known good system time to aid its validation of dnssec timestamps. dnsmasq updates the timestamp on process start/stop once it considers the system time as valid. The timestamp file should be preserved across system upgrade but should not be included as part of normal configuration backups to prevent restores corrupting the current timestamp. Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* Revert "dnsmasq: sysupgrade hook to conditionally preserve dnsmasq.time"Jo-Philipp Wich2016-05-192-18/+0
| | | | | | | | This reverts commit d830cb08826dc593406d9003d061016061b6c3c4. Reverting this commit due to a missing Signed-off-by. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* dnsmasq: sysupgrade hook to conditionally preserve dnsmasq.timeKevin Darbyshire-Bryant2016-05-182-0/+18
| | | | | | | | | | conditionally save dnsmasq.time across sysupgrade dnsmasq uses /etc/dnsmasq.time as record of the last known good system time to aid its validation of dnssec timestamps. dnsmasq updates the timestamp on process start/stop once it considers the system time as valid. The timestamp file should be preserved across system upgrade but should not be included as part of normal configuration backups to prevent restores corrupting the current timestamp.
* dropbear: update to 2016.73Jo-Philipp Wich2016-05-136-28/+18
| | | | | | | | | | | | | Update the dropbear package to version 2016.73, refresh patches. The measured .ipk sizes on an x86_64 build are: 94588 dropbear_2015.71-3_x86_64.ipk 95316 dropbear_2016.73-1_x86_64.ipk This is an increase of roughly 700 bytes after compression. Tested-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* global: change my email addressJohn Crispin2016-05-121-1/+1
| | | | Signed-off-by: John Crispin <john@phrozen.org>
* dropbear: Add --disable-utmpx againHans Dedecker2016-05-121-0/+1
| | | | | | | The option --disable-utmpx was deleted by accident in commit 7545c1d; add it again to the CONFIGURE_ARGS list Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* ppp: Add ppp-mod-passwordfd subpackage to pppHans Dedecker2016-04-281-1/+19
| | | | Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: Add conntrack support in the full variantHans Dedecker2016-04-281-6/+12
| | | | | | | | | | Conntrack support reads the connection track mark associated with incoming DNS queries and sets the same mark value on the upstream forwarded DNS query. This can be usefull to track traffic generated by dnsmasq to associate it with the clients who generate the queries, usefull for bandwidth accouting and firewall. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dropbear: Add procd interface triggers when interface config is specifiedHans Dedecker2016-04-282-2/+22
| | | | | | | | | A dropbear instance having an interface config won't start if the interface is down as no IP address is available. Adding interface triggers for each configured interface executing the dropbear reload script will start the dropbear instance when the interface is up. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dropbear: Make utmp and putuline support configurable via seperate config ↵Hans Dedecker2016-04-282-3/+17
| | | | | | | | | options Utmp support tracks who is currenlty logged in by logging info to the file /var/run/utmp (supported by busybox) Putuline support will use the utmp structure to write to the utmp file Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* branding: add LEDE brandingJohn Crispin2016-03-249-15/+15
| | | | Signed-off-by: John Crispin <blogic@openwrt.org>
* dnsmasq: run as dedicated UID/GIDJohn Crispin2016-04-262-2/+5
| | | | | | | | | | | Running dnsmasq in a dedicated user/group allows matching its outgoing traffic more easily using iptables' owner match. Add UID/GID to the package metadata and append the user/group parameters to the init script. Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 49252
* dnsmasq: Add enable parameter in the UCI DHCP host sectionHauke Mehrtens2016-04-171-0/+3
| | | | | | | | | | Parameter allows to enable/disable static leases; by default the value is 1 to keep backwards compatibility Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 49187
* hostapd.sh: Add support for "anonymous_identity" config fieldHauke Mehrtens2016-04-171-2/+3
| | | | | | | | | | | | | | | | | | The wpa_supplicant supports an "anonymous_identity" field, which some EAP networks require. From the documentation: anonymous_identity: Anonymous identity string for EAP (to be used as the unencrypted identity with EAP types that support different tunnelled identity, e.g., EAP-TTLS). This change modifies the hostapd.sh script to propagate this field from the UCI config to the wpa_supplicant.conf file. Signed-off-by: Kevin O'Connor <kevin@koconnor.net> Reviewed-by: Manuel Munz <freifunk@somakoma.de> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 49181
* samba: fix some security problemsHauke Mehrtens2016-04-1621-46/+20105
| | | | | | | | | | | | | | | This fixes the following security problems: * CVE-2015-7560 * CVE-2015-5370 * CVE-2016-2110 * CVE-2016-2111 * CVE-2016-2112 * CVE-2016-2115 * CVE-2016-2118 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 49175
* openvpn: add support for X.509 name optionsJohn Crispin2016-03-081-0/+1
| | | | | | | | | x509-username-field was added in OpenVPN 2.2, and verify-x509-name was added in 2.3. This fixes ticket #18807. Signed-off-by: Jeffery To <jeffery.to@gmail.com> SVN-Revision: 48969
* dnsmasq: add host-specific lease time option for static hostsJohn Crispin2016-02-262-3/+5
| | | | | | | | | | | | | | | | | | | | | | | Enable setting a host-specific lease time for static hosts. The new option is called "leasetime" and the format is similar as for the default lease time: e.g. 12h, 3d, infinite Default lease time is used for all hosts for which there is no host-specific definition. The option is added to /etc/config/dhcp for the selected hosts: config host option name 'Nexus' option mac 'd8:50:66:55:59:7c' option ip '192.168.1.245' option leasetime '2h' It gets appended to /var/etc/dnsmasq.conf like this: dhcp-host=d8:50:66:55:59:7c,192.168.1.245,Nexus,2h Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi> SVN-Revision: 48801
* dnsmasq: add dhcp relay optionJohn Crispin2016-02-261-0/+19
| | | | | | Signed-off-by: dbugnar <dnbugnar@ocedo.com> SVN-Revision: 48800
* dnsmasq: export tftp root to the procd jailFelix Fietkau2016-02-251-11/+17
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48761
* dnsmasq: only enable tftp if the tftp root existsFelix Fietkau2016-02-251-1/+2
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48760
* lldp: Upgrade to 0.9.0John Crispin2016-02-181-2/+2
| | | | | | Signed-off-by: Ben Kelly <ben@benjii.net> SVN-Revision: 48738
* dropbear: honor CONFIG_TARGET_INIT_PATHJo-Philipp Wich2016-02-082-6/+17
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 48679
* relayd: update to the latest version, fixes some more connectivity issues ↵Felix Fietkau2016-02-081-2/+2
| | | | | | | | (#21817) Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48655
* relayd: update to the latest version, fixes route table issues when ↵Felix Fietkau2016-02-051-2/+2
| | | | | | | | connecting to the router Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48635
* hostapd: remove useless TLS provider selection override for ↵Felix Fietkau2016-01-281-2/+1
| | | | | | | | wpad-mesh/wpa_supplicant-mesh Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48537
* hostapd: fix mesh interface bridge handlingFelix Fietkau2016-01-285-10/+22
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48529
* hostapd: fix wpad-mesh and wpa-supplicant-mesh configuration issuesFelix Fietkau2016-01-282-417/+9
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48528
* hostapd: update to version 2016-01-15Felix Fietkau2016-01-2842-945/+243
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48527
* dnsmasq: Don't add local hostname if ula prefix is not specifiedJo-Philipp Wich2016-01-252-3/+3
| | | | | | | | | | | | Commit 6a7e56b adds support for adding local hostname for own lan ula adress but if ula prefix is not specified results into an invalid config (address=/OpenWrt.lan/1) causing dnsmasq not to start up. Use lanaddr6 when adding local hostname as the lan ula address is constructed based on the UCI parameters ip6hint and ip6ifaceid and thus not always ula prefix suffixed with 1 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> SVN-Revision: 48495
* package/uhttpd: generate 2048 bit RSA keyFelix Fietkau2016-01-252-2/+2
| | | | | | | | | | RSA keys should be generated with sufficient length. Using 1024 bits is considered unsafe. In other packages the used key length is 2048 bits. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> SVN-Revision: 48494
* uhttpd: fix typo in default config for px5gFelix Fietkau2016-01-191-1/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48385
* wpa_supplicant: add support for EAP-TLS phase2Felix Fietkau2016-01-191-2/+12
| | | | | | | | | Introduce config options client_cert2, priv_key2 and priv_key2_pwd used for EAP-TLS phase2 authentication in WPA-EAP client mode. Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 48345
* hostap/wpa_supplicant: enable EAP-FAST in -full buildsFelix Fietkau2016-01-192-0/+6
| | | | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 48344
* uhttpd: add option for mbedtlsFelix Fietkau2016-01-191-0/+4
| | | | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 48343
* wpa_supplicant: improve generating phase2 config line for WPA-EAPFelix Fietkau2016-01-181-2/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | WPA-EAP supports several phase2 (=inner) authentication methods when using EAP-TTLS, EAP-PEAP or EAP-FAST (the latter is added as a first step towards the UCI model supporting EAP-FAST by this commit) The value of the auth config variable was previously expected to be directly parseable as the content of the 'phase2' option of wpa_supplicant. This exposed wpa_supplicant's internals, leaving it to view-level to set the value properly. Unfortunately, this is currently not the case, as LuCI currently allows values like 'PAP', 'CHAP', 'MSCHAPV2'. Users thus probably diverged and set auth to values like 'auth=MSCHAPV2' as a work-around. This behaviour isn't explicitely documented anywhere and is not quite intuitive... The phase2-string is now generated according to $eap_type and $auth, following the scheme also found in hostap's test-cases: http://w1.fi/cgit/hostap/tree/tests/hwsim/test_ap_eap.py The old behaviour is also still supported for the sake of not breaking existing, working configurations. Examples: eap_type auth 'ttls' 'EAP-MSCHAPV2' -> phase2="autheap=MSCHAPV2" 'ttls' 'MSCHAPV2' -> phase2="auth=MSCHAPV2" 'peap' 'EAP-GTC' -> phase2="auth=GTC" Deprecated syntax supported for compatibility: 'ttls' 'autheap=MSCHAPV2' -> phase2="autheap=MSCHAPV2" I will suggest a patch to LuCI adding EAP-MSCHAPV2, EAP-GTC, ... to the list of Authentication methods available. Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 48309
* dnsmasq: Add option --min-portFelix Fietkau2016-01-152-1/+2
| | | | | | | | | | | By default dnsmasq uses random ports for outbound dns queries; when the minport UCI option is specified the ports used will always be larger than the specified value. This is usefull for systems behind firewalls. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> SVN-Revision: 48244
* dropbear: update version to 2015.71Felix Fietkau2016-01-155-10/+10
| | | | | | | | | Update dropbear to version 2015.71, released on 3 Dec 2015. Refresh patches. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi> SVN-Revision: 48243
* dnsmasq: add local hostname record for own lan ula address as wellJo-Philipp Wich2016-01-122-4/+18
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 48214
* hostapd: fix disassociation with FullMAC drivers and multi-BSSRafał Miłecki2016-01-111-0/+67
| | | | | | Signed-off-by: Rafał Miłecki <zajec5@gmail.com> SVN-Revision: 48202
* openvpn: update to version 2.3.10Felix Fietkau2016-01-115-276/+5
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48201
* dropbear: enable curve25519 support by default, increases compressed binary ↵Felix Fietkau2016-01-101-1/+1
| | | | | | | | size by ~5 kb Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48196
* dropbear: split out curve25519 support into a separate config optionFelix Fietkau2016-01-102-4/+19
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48195
* hostapd: fix post v2.4 security issuesFelix Fietkau2016-01-1011-0/+554
| | | | | | | | | | | | | | | | | | | | | | | - WPS: Fix HTTP chunked transfer encoding parser (CVE-2015-4141) - EAP-pwd peer: Fix payload length validation for Commit and Confirm (CVE-2015-4143) - EAP-pwd server: Fix payload length validation for Commit and Confirm (CVE-2015-4143) - EAP-pwd peer: Fix Total-Length parsing for fragment reassembly (CVE-2015-4144, CVE-2015-4145) - EAP-pwd server: Fix Total-Length parsing for fragment reassembly (CVE-2015-4144, CVE-2015-4145) - EAP-pwd peer: Fix asymmetric fragmentation behavior (CVE-2015-4146) - NFC: Fix payload length validation in NDEF record parser (CVE-2015-8041) - WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use (CVE-2015-5310) - EAP-pwd peer: Fix last fragment length validation (CVE-2015-5315) - EAP-pwd server: Fix last fragment length validation (CVE-2015-5314) - EAP-pwd peer: Fix error path for unexpected Confirm message (CVE-2015-5316) Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> SVN-Revision: 48185
* openvpn: added service_triggers() to init scriptFelix Fietkau2016-01-071-0/+4
| | | | | | | | | Follow up of #21469 This patch enables autoreloading openvpn via procd. Signed-off-by: Federico Capoano <nemesis@ninux.org> SVN-Revision: 48150
* samba36: add three CVE patches from 2015-12-16Felix Fietkau2016-01-054-1/+253
| | | | | | | | | This is a patch for CVE-2015-5252, CVE-2015-5296 and CVE-2015-5299. A patchset for these vulnerabilities was published on 16th December 2015. Signed-off-by: Jan Čermák <jan.cermak@nic.cz> SVN-Revision: 48133
* relayd: move to git.openwrt.orgFelix Fietkau2016-01-041-1/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48129