aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services
Commit message (Collapse)AuthorAgeFilesLines
* wireguard: bump to 20180514Kevin Darbyshire-Bryant2018-05-172-9/+10
| | | | | | | | | | | | | | | 52be69b version: bump snapshot 4884b45 ncat-client-server: add wg-quick variant a333551 wg-quick: add darwin implementation f5bf84d compat: backport for OpenSUSE 15 fe1ae1b wg-quick: add wg symlink ecc1c5f wg-quick: add android implementation 3e6bb79 tools: reorganize for multiplatform wg-quick b289d12 allowedips: Fix graphviz output after endianness patch Refresh cross compile compatibility patch Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* wireguard: Add support for ip6prefix config optionToke Høiland-Jørgensen2018-05-151-0/+6
| | | | | | | | | | | | This makes it easier to distribute prefixes over a wireguard tunnel interface, by simply setting the ip6prefix option in uci (just like with other protocols). Obviously, routing etc needs to be setup properly for things to work; this just adds the config option so the prefix can be assigned to other interfaces. Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
* hostapd: fix VHT80 for encrypted mesh channel settingsSven Eckelmann2018-05-142-1/+46
| | | | | | | | | | | | | | | | | | | The max_oper_chwidth settings was parsed incorrectly for big endian system. This prevented the system to switch to VHT80 (or VHT160). Instead they were mapped to: * HT20: 20MHz * VHT20: 20MHz * HT40: 40MHz * VHT40: 40MHz * VHT80: 40MHz * VHT160: 40MHz This happened because each max_oper_chwidth setting in the config file was parsed as "0" instead of the actual value. Fixes: a4322eba2b12 ("hostapd: fix encrypted mesh channel settings") Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
* hostapd: fix mesh+APDaniel Golle2018-05-1415-220/+171
| | | | | | | | Fix encrypted (or DFS) AP+MESH interface combination in a way similar to how it's done for AP+STA and fix netifd shell script. Refresh patches while at it. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* wireguard: bump to 0.0.20180513Kevin Darbyshire-Bryant2018-05-141-2/+2
| | | | | | | | | | | | | | | | | | | 6b4a340 version: bump snapshot faa2103 compat: don't clear header bits on RHEL 4014532 compat: handle RHEL 7.5's recent backports 66589bc queueing: preserve pfmemalloc header bit 37f114a chacha20poly1305: make gcc 8.1 happy 926caae socket: use skb_put_data 724d979 wg-quick: preliminary support for go implementation c454c26 allowedips: simplify arithmetic 71d44be allowedips: produce better assembly with unsigned arithmetic 5e3532e allowedips: use native endian on lookup 856f105 allowedips: add selftest for allowedips_walk_by_peer 41df6d2 embeddable-wg-library: zero attribute padding 9a1bea6 keygen-html: add zip file example f182b1a qemu: retry on 404 in wget for kernel.org race Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to 2.80test2Kevin Darbyshire-Bryant2018-05-1212-8/+1172
| | | | | | | | | | | | | | | | | | | Refresh patches and backport upstream to current HEAD: 1f1873a Log warning on very large cachesize config, instead of truncating it. 0a496f0 Do unsolicited RAs for interfaces which appear after dnsmasq startup. e27825b Fix logging in previous. 1f60a18 Retry SERVFAIL DNSSEC queries to a different server, if possible. a0088e8 Handle query retry on REFUSED or SERVFAIL for DNSSEC-generated queries. 34e26e1 Retry query to other servers on receipt of SERVFAIL rcode. 6b17335 Add packet-dump debugging facility. 07ed585 Add logging for DNS error returns from upstream and local configuration. 0669ee7 Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip are set. f84e674 Be persistent with broken-upstream-DNSSEC warnings. Compile & run tested: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: add specific interface procd triggershux2018-05-112-2/+14
| | | | | | | | | | | | | | | | | | Right now interface.update events are sent out by netifd upon interface state, route, address (lifetime), prefix lifetime changes. Dnsmasq is only interested in interface state changes and currently adds an interface trigger for all the "interface.*" events. In combination with commit 23bba9cb330, which triggers a SIGHUP signal to dnsmasq, IPv6 address/prefix lifetime changes on the wan will trigger dnsmasq reloads which can become frequent in case of shorter lifetimes. To avoid frequent dnsmasq reload, this patch adds specific interface triggers. During dnsmasq init it loops dhcp uci section; if the value of the ignore option is set to 0, then the corresponding interface trigger is not installed. Otherwise, if the ignore option value is 1, then procd_add_interface_trigger is called which adds the interface trigger. Signed-off-by: hux <xinxing.huchn@gmail.com>
* igmpproxy: bump to 0.2.1Kevin Darbyshire-Bryant2018-05-0710-679/+4
| | | | | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Point at github which is new, maintained location for igmpproxy. Remove all patches as all have been upstreamed. Closes FS#1456 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* igmpproxy: fix creation of firewall rulesJaap Buurman2018-05-073-9/+14
| | | | | | | | The init sccript for igmpproxy uses the option 'network' both as an interface name for fetching the l3_device name and for creating the firewall rules. This only works if the name of the network and firewall zone are identical. This commit introduces a new option 'zone' for configuring the upstream and downstream firewall zones in order for the init script to create the required firewall rules automatically. When no such options are given, the init script falls back to not creating the firewall rules and the user can opt to create these manually. Signed-off-by: Jaap Buurman <jaapbuurman@gmail.com>
* hostapd: add channel utilization as config optionNick Hainke2018-05-071-2/+7
| | | | | | Add the channel utilization as hostapd configuration option. Signed-off-by: Nick Hainke <vincent@systemli.org>
* hostapd: fix a mesh mode crash with CONFIG_TAXONOMY enabledFelix Fietkau2018-05-031-0/+23
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* samba36: add hotplug supportRosy Song2018-05-023-0/+114
| | | | | | | | Add hotplug handle script for storage devices, this will add corresponding option in the /etc/config/samba file automatically. Signed-off-by: Rosy Song <rosysong@rosinson.com>
* odhcpd: update to latest git HEADHans Dedecker2018-04-231-4/+4
| | | | | | | 4136529 dhcpv6-ia: keep tentative assignments alive for a short time 200cc8f dhcpv6-ia: make assignment lookup more strict Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wireguard: bump to 20180420Kevin Darbyshire-Bryant2018-04-201-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | 7cc2668 version: bump snapshot 860c7c7 poly1305: do not place constants in different sections 5f1e4ca compat: remove unused dev_recursion_level backport 7e4b991 blake2s: remove unused helper 13225fc send: simplify skb_padding with nice macro a1525bf send: account for route-based MTU bbb2fde wg-quick: account for specified fwmark in auto routing mode c452105 qemu: bump default version dbe5223 version: bump snapshot 1d3ef31 chacha20poly1305: put magic constant behind macro cdc164c chacha20poly1305: add self tests from wycheproof 1060e54 curve25519: add self tests from wycheproof 0e1e127 wg-quick.8: fix typo 2b06b8e curve25519: precomp const correctness 8102664 curve25519: memzero in batches 1f54c43 curve25519: use cmov instead of xor for cswap fa5326f curve25519: use precomp implementation instead of sandy2x 9b19328 compat: support OpenSUSE 15 3102d28 compat: silence warning on frankenkernels 8f64c61 compat: stable kernels are now receiving b87b619 62127f9 wg-quick: hide errors on save Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* hostapd: fix encrypted mesh channel settingsDaniel Golle2018-04-205-1/+226
| | | | | | | | | | | | | | | Import two patches from Peter Oh to allow setting channel bandwidth in the way it already works for managed interfaces. This fixes mesh interfaces on 802.11ac devices always coming up in VHT80 mode. Add a patch to allow HT40 also on 2.4GHz if noscan option is set, which also skips secondary channel scan just like noscan works in AP mode. This time also make sure to add all files to the patch before committing it... Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* Revert "hostapd: fix encrypted mesh channel settings"Felix Fietkau2018-04-205-213/+1
| | | | | | | This reverts commit 7f52919a2f2894125b4dca611eb2d30181af7e0b, which is currently breaking the builds and needs to be reworked Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: fix encrypted mesh channel settingsDaniel Golle2018-04-205-1/+213
| | | | | | | | | | | | Import two patches from Peter Oh to allow setting channel bandwidth in the way it already works for managed interfaces. This fixes mesh interfaces on 802.11ac devices always coming up in VHT80 mode. Add a patch to allow HT40 also on 2.4GHz if noscan option is set, which also skips secondary channel scan just like noscan works in AP mode. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* odhcpd: update to latest git HEAD (FS#1457)Hans Dedecker2018-04-191-4/+4
| | | | | | dcfc06a router: fix managed address configuration setting Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: mesh: make forwarding configurableDaniel Golle2018-04-183-2/+245
| | | | | | | | | | | For unencrypted mesh networks our scripts take care of setting the various mesh_param values. wpa_supplicant changes somes of them when being used for SAE encrypted mesh and previously didn't allow configuring any of them. Add support for setting mesh_fwding (which has to be set to 0 when using other routing protocols on top of 802.11s) and update our script to pass the value to wpa_supplicant. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* lldpd: bump to 1.0.1Stijn Tintel2018-04-151-2/+2
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* hostapd: fix compile of -mini variantsDaniel Golle2018-04-131-0/+23
| | | | | | Fixes commit d88934aa5a (hostapd: update to git snapshot of 2018-04-09) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: update to git snapshot of 2018-04-09Daniel Golle2018-04-1332-76/+1085
| | | | | | | | | And import patchset to allow 802.11s mesh on DFS channels, see also http://lists.infradead.org/pipermail/hostap/2018-April/038418.html Fix sae_password for encryption mesh (sent upstream as well). Also refreshed existing patches and fixed 463-add-mcast_rate-to-11s. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* dnsmasq: remove example domains from rfc6761.conf (FS#1447)Hans Dedecker2018-04-092-5/+1
| | | | | | | | | | | | RFC6771 does not exclude the forwarding of the example domain as it states : "Caching DNS servers SHOULD NOT recognize example names as special and SHOULD resolve them normally." Example domains cannot be assigned to any user or person by DNS registrars as they're registered in perpetuity to IANA meaning they can be resolved; therefore let's remove the example domains from the rfc6761.conf file. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* odhcpd: update to latest git HEADHans Dedecker2018-04-091-4/+4
| | | | | | 31f217f router: improve RFC7084 compliancy Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* samba36: fix some security problemsHauke Mehrtens2018-04-038-3/+322
| | | | | | | | | | This Adds fixes for the following security problems based on debians patches: CVE-2016-2125: Unconditional privilege delegation to Kerberos servers in trusted realms CVE-2017-12163: Server memory information leak over SMB1 CVE-2017-12150: SMB1/2/3 connections may not require signing where they should CVE-2018-1050: Denial of Service Attack on external print server. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* Revert "ppp: make ppp-multilink provide ppp"Felix Fietkau2018-03-291-10/+9
| | | | | | | | | | opkg currently has some issues with Provides and this change makes the image builder fail because of that. Revert the change for now until opkg is fixed This reverts commit 092d75aa3e86db8331fffdbd0a99987df9dc438b. Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: update to git snapshot of 2018-03-26Daniel Golle2018-03-2735-1530/+153
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The following patches were merged upstream: 000-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch replaced by commit 0e3bd7ac6 001-Prevent-reinstallation-of-an-already-in-use-group-ke.patch replaced by commit cb5132bb3 002-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch replaced by commit 87e2db16b 003-Prevent-installation-of-an-all-zero-TK.patch replaced by commit 53bb18cc8 004-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch replaced by commit 0adc9b28b 005-TDLS-Reject-TPK-TK-reconfiguration.patch replaced by commit ff89af96e 006-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch replaced by commit adae51f8b 007-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch replaced by commit 2a9c5217b 008-WPA-Extra-defense-against-PTK-reinstalls-in-4-way-ha.patch replaced by commit a00e946c1 009-Clear-PMK-length-and-check-for-this-when-deriving-PT.patch replaced by commit b488a1294 010-Optional-AP-side-workaround-for-key-reinstallation-a.patch replaced by commit 6f234c1e2 011-Additional-consistentcy-checks-for-PTK-component-len.patch replaced by commit a6ea66530 012-Clear-BSSID-information-in-supplicant-state-machine-.patch replaced by commit c0fe5f125 013-WNM-Ignore-WNM-Sleep-Mode-Request-in-wnm_sleep_mode-.patch replaced by commit 114f2830d Some patches had to be modified to work with changed upstream source: 380-disable_ctrl_iface_mib.patch (adding more ifdef'ery) plus some minor knits needed for other patches to apply which are not worth being explicitely listed here. For SAE key management in mesh mode, use the newly introduce sae_password parameter instead of the psk parameter to also support SAE keys which would fail the checks applied on the psk field (ie. length and such). This fixes compatibility issues for users migrating from authsae. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* dnsmasq: improve init script portability (FS#1446)Hans Dedecker2018-03-242-2/+2
| | | | | | | | | | | | | Improve portability of init script by declaring resolvfile as local in dnsmasq_stop function. Fixes resolvfile being set for older busybox versions in dnsmasq_start in a multi dnsmasq instance config when doing restart; this happens when the last instance has a resolvfile configured while the first instance being started has noresolv set to 1. Base on a patch by "Phil" Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* openvpn: remove deprecated config optionsHans Dedecker2018-03-202-8/+1
| | | | | | | | Remove deprecated config options in 2.5 as described in [0] [0] https://community.openvpn.net/openvpn/wiki/DeprecatedOptions Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: bump to 2.79 releaseKevin Darbyshire-Bryant2018-03-191-3/+3
| | | | | | | 94b6878 Tidy crypto.c of old library compat. Now need libnettle 3. 8b96552 Fix compiler warning. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* openvpn: add config param verify_client_certChristian Bayer2018-03-172-1/+2
| | | | | | | | | Option --client-cert-not-required DEPRECATED is deprecated in v2.4 and removed in OpenVPN 2.5. Replaced by param --verify-client-cert none|optional|require in v2.4 see https://community.openvpn.net/openvpn/wiki/ DeprecatedOptions#a--client-cert-not-required Signed-off-by: Christian Bayer <cave@cavebeat.org> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_ RELEASE increase]
* dnsmasq: bump to 2.79rc2Hans Dedecker2018-03-131-2/+2
| | | | | | | | | | | | | | | | | | ae29065 Fix debian/changelog syntax. 6b2b564 Enhance --synth-domain to allow names with sequential integers. 4f7bb57 Fix deletion of dhcp-options from inotify dynamic files. 56f0623 Allow trailing dot in CNAME. f3223fb Fix nettle_hash() function to avoid ABI incompatibilities. 4c4f4c2 Debian dependency tweaking for new dnsmasq-base-lua package. 773af30 Man page typo fix. 4cc944b Merge branch 'master' of ssh://thekelleys.org.uk/var/local/git/dnsmasq 87e00fe Compiler warning fixes. e7a4af8 Compiler warning fixes. 2d69d61 Add liblua-dev to Debian build-depends. 30e4a94 Debian package: add dnsmasq-base-lua binary package. 232a8f3 Merge messages for release. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* ppp: make ppp-multilink provide pppFelix Fietkau2018-03-121-9/+10
| | | | | | Fixes dependencies on ppp from other packages Signed-off-by: Felix Fietkau <nbd@nbd.name>
* openvpn: update to 2.4.5Magnus Kroken2018-03-094-24/+19
| | | | | Signed-off-by: Magnus Kroken <mkroken@gmail.com> Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* wireguard: bump to 20180304Jason A. Donenfeld2018-03-061-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 7c0d711 version: bump snapshot b6a5cc0 contrib: add extract-handshakes kprobe example 37dc953 wg-quick: if resolvconf/run/iface exists, use it 1f9be19 wg-quick: if resolvconf/interface-order exists, use it 4d2d395 noise: align static_identity keys 14395d2 compat: use correct -include path 38c6d8f noise: fix function prototype 302d0c0 global: in gnu code, use un-underscored asm ff4e06b messages: MESSAGE_TOTAL is unused ea81962 crypto: read only after init e35f409 Kconfig: require DST_CACHE explicitly 9d5baf7 Revert "contrib: keygen-html: rewrite in pure javascript" 6e09a46 contrib: keygen-html: rewrite in pure javascript e0af0f4 compat: workaround netlink refcount bug ec65415 contrib: embedded-wg-library: add key generation functions 06099b8 allowedips: fix comment style ce04251 contrib: embedded-wg-library: add ability to add and del interfaces 7403191 queueing: skb_reset: mark as xnet Changes: * queueing: skb_reset: mark as xnet This allows cgroups to classify packets. * contrib: embedded-wg-library: add ability to add and del interfaces * contrib: embedded-wg-library: add key generation functions The embeddable library gains a few extra tricks, for people implementing plugins for various network managers. * crypto: read only after init * allowedips: fix comment style * messages: MESSAGE_TOTAL is unused * global: in gnu code, use un-underscored asm * noise: fix function prototype Small cleanups. * compat: workaround netlink refcount bug An upstream refcounting bug meant that in certain situations it became impossible to unload the module. So, we work around it in the compat code. The problem has been fixed in 4.16. * contrib: keygen-html: rewrite in pure javascript * Revert "contrib: keygen-html: rewrite in pure javascript" We nearly moved away from emscripten'ing the fiat32 code, but the resultant floating point javascript was just too terrifying. * Kconfig: require DST_CACHE explicitly Required for certain frankenkernels. * compat: use correct -include path Fixes certain out-of-tree build systems. * noise: align static_identity keys Gives us better alignment of private keys. * wg-quick: if resolvconf/interface-order exists, use it * wg-quick: if resolvconf/run/iface exists, use it Better compatibility with Debian's resolvconf. * contrib: add extract-handshakes kprobe example Small utility for extracting ephemeral key data from the kernel's memory. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (git log --oneline description)
* hostapd: do not register ubus objects for mesh interfacesFelix Fietkau2018-02-241-0/+5
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* samba36: fix build (issue #5574)Jakub Tymejczyk2018-02-241-0/+1
| | | | | | | | | | | | As indicated in #5574 samba fails to build with linker error due to lack of talloc_* functions when the packet libtalloc also gets build. According to Makefile it is compiled with "--without-libtalloc" option. Running ./configure --help shows that there is another option connected to libtalloc: --enable/disable-external-libtalloc. Adding this option fixes build. Signed-off-by: Jakub Tymejczyk <jakub@tymejczyk.pl>
* hostapd: add support for sending 802.11v disassoc imminent notifications to ↵Felix Fietkau2018-02-211-0/+97
| | | | | | clients via ubus Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: add support for issuing 802.11k beacon measurement requests via ubusFelix Fietkau2018-02-211-0/+90
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: expose client 802.11k capabilities via ubusFelix Fietkau2018-02-211-0/+6
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: return with 80211 codes in handle event functionNick Hainke2018-02-212-23/+36
| | | | | | | | | | | If the auth or assoc request was denied the reason was always WLAN_STATUS_UNSPECIFIED_FAILURE. That's why for example the wpa supplicant was always trying to reconnect to the AP. Now it's possible to give reasoncodes why the auth or assoc was denied. Signed-off-by: Nick Hainke <vincent@systemli.org>
* hostapd: add IEEE 802.11v supportLorenzo Santina2018-02-213-2/+21
| | | | | | | | | | | | | | | | | | Add Wireless Network Management (IEEE 802.11v) support to: - hostapd-full - wpa_supplicant-full It must be enabled at runtime via UCI with: - option ieee80211v '1' Add UCI support for: - time_advertisement - time_zone - wnm_sleep_mode - bss_transition Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
* hostapd: add support for turning on 802.11k/v features via ubusFelix Fietkau2018-02-212-7/+125
| | | | | | | Neighbor reports are enabled implicitly on use, beacon reports and BSS transition management need to be enabled explicitly Signed-off-by: Felix Fietkau <nbd@nbd.name>
* ppp: fix build with kernel 4.14.9+Mathias Kresin2018-02-201-1/+6
| | | | | | | | With a9772285a724 ("linux/compiler.h: Split into compiler.h and compiler_types.h") compiler.h was refactored and most its content was moved to compiler_types.h. Both files are required to build ppp-mod-pppoa. Signed-off-by: Mathias Kresin <dev@kresin.me>
* odhcpd: fix interop with wide DHCPv6 client (FS#1377)Hans Dedecker2018-02-201-4/+4
| | | | | | 96033e9 dhcpv6-ia: don't always send reconf accept option (FS#1377) Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: bump to 2.79rc1Kevin Darbyshire-Bryant2018-02-186-376/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1721453 Remove special handling of A-for-A queries. 499d8dd Fix boundary for test introduced in 3e3f1029c9ec6c63e430ff51063a6301d4b2262 6f1cbfd Fix debian/readme typo. 55ecde7 Inotify: Ignore backup files created by editors 6b54d69 Make failure to chown() pidfile a warning. 246a31c Change ownership of pid file, to keep systemd happy. 83e4b73 Remove confusion between --user and --script-user. 6340ca7 Tweak heuristic for initial DNSSEC memory allocation. baf553d Default min-port to 1024 to avoid reserved ports. 486bcd5 Simplify and correct bindtodevice(). be9a74d Close Debian bug for CVE-2017-15107. ffcbc0f Example config typo fixes. a969ba6 Special case NSEC processing for root DS record, to avoid spurious BOGUS. f178172 Add homepage to Debian control file. cd7df61 Fix DNSSEC validation errors introduced in 4fe6744a220eddd3f1749b40cac3dfc510787de6 c1a4e25 Try to be a little more clever at falling back to smaller DNS packet sizes. 4fe6744 DNSSEC fix for wildcard NSEC records. CVE-2017-15107 applies. 3bd4c47 Remove limit on length of command-line options. 98196c4 Typo fix. 22cd860 Allow more than one --bridge-interface option to refer to an interface. 3c973ad Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC time validation. faaf306 Spelling fixes. c7e6aea Change references to gPXE to iPXE. Development of EtherBoot gPXE was always development of iPXE core developer Michael Brown. e541245 Handle duplicate RRs in DNSSEC validation. 84a01be Bump year in Debian copyright notice. d1ced3a Update copyrights to 2018. a6cee69 Fix exit code from dhcp_release6. 0039920 Severely fix code formating of contrib/lease-tools/dhcp_release6.c 39d8550 Run Debian startup regex in "C" locale. ef3d137 Fix infinite retries in strict-order mode. 8c707e1 Make 373e91738929a3d416e6292e65824184ba8428a6 compile without DNSSEC. 373e917 Fix a6004d7f17687ac2455f724d0b57098c413f128d to cope with >256 RRs in answer section. 74f0f9a Commment language tweaks. ed6bdb0 Man page typos. c88af04 Modify doc.html to mention git-over-http is now available. ae0187d Fix trust-anchor regexp in Debian init script. 0c50e3d Bump version in Debian package. 075366a Open inotify socket only when used. 8e8b2d6 Release notes update. 087eb76 Always return a SERVFAIL response to DNS queries with RD=0. ebedcba Typo in printf format string added in 22dee512f3738f87539a79aeb52b9e670b3bd104 0954a97 Remove RSA/MD5 DNSSEC algorithm. b77efc1 Tidy DNSSEC algorithm table use. 3b0cb34 Fix manpage which said ZSK but meant KSK. aa6f832 Add a few DNS RRs to the table. ad9c6f0 Add support for Ed25519 DNSSEC signature algorithm. a6004d7 Fix caching logic for validated answers. c366717 Tidy up add_resource_record() buffer size checks. 22dee51 Log DNS server max packet size reduction. 6fd5d79 Fix logic on EDNS0 headers. 9d6918d Use IP[V6]_UNICAST_IF socket option instead of SO_BINDTODEVICE for DNS. a49c5c2 Fix search_servers() segfault with DNSSEC. 30858e3 Spaces in CNAME options break parsing. Refresh patches. Remove upstreamed patches: 250-Fix-infinite-retries-in-strict-order-mode.patch 260-dnssec-SIGINT.patch 270-dnssec-wildcards.patch Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dropbear: add option to set receive window sizeStijn Tintel2018-02-181-1/+4
| | | | | | | | | | | | | | | | | The default receive window size in dropbear is hardcoded to 24576 byte to limit memory usage. This value was chosen for 100Mbps networks, and limits the throughput of scp on faster networks. It also severely limits scp throughput on high-latency links. Add an option to set the receive window size so that people can improve performance without having to recompile dropbear. Setting the window size to the highest value supported by dropbear improves throughput from my build machine to an APU2 on the same LAN from 7MB/s to 7.9MB/s, and to an APU2 over a link with ~65ms latency from 320KB/s to 7.5MB/s. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* openvpn: fix interface with mbedtls_sha256Russell Senior2018-02-171-0/+11
| | | | | | | | | Between mbedtls 2.6.0 and 2.7.0, the void returning mbedtls_MODULE* functions were deprecated in favor of functions returning an int error code. Use the new function mbedtls_sha256_ret(). Signed-off-by: Russell Senior <russell@personaltelco.net> Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* wireguard: bump to 20180202Kevin Darbyshire-Bryant2018-02-031-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bump to latest wireguard release snapshot: 2675814 version: bump snapshot 381d703 qemu: update base versions c3fbd9d curve25519: break more things with more test cases 93fa0d9 curve25519: replace fiat64 with faster hacl64 6177bdd curve25519: replace hacl64 with fiat64 b9bf37d curve25519: verify that specialized basepoint implementations are correct bd3f0d8 tools: dedup secret normalization 1f87434 chacha20poly1305: better buffer alignment 78959ed chacha20poly1305: use existing rol32 function 494cdea tools: fread doesn't change errno ab89bdc device: let udev know what kind of device we are 62e8720 qemu: disable AVX-512 in userland 6342bf7 qemu: disable PIE for compilation e23e451 contrib: keygen-html: share curve25519 implementation with kernel 6b28fa6 tools: share curve25519 implementations with kernel c80cbfa poly1305: add poly-specific self-tests 10a2edf curve25519-fiat32: uninline certain functions No patch refresh required. Compile-tested-for: ar71xx Run-tested-on: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* hostapd: add support for hostapd's radius_client_addrStephan Brunner2018-01-271-1/+3
| | | | | | | | Add support for hostapd's radius_client_addr in order to force hostapd to send RADIUS packets from the correct source interface rather than letting linux select the most appropriate. Signed-off-by: Stephan Brunner <s.brunner@stephan-brunner.net>