aboutsummaryrefslogtreecommitdiffstats
path: root/package/network
Commit message (Collapse)AuthorAgeFilesLines
* firewall: config: remove restictions on DHCPv6 allow ruleTiago Gaspar2022-05-042-4/+2
| | | | | | | | | | | | | | | Remove restrictions on source and destination addresses, which aren't specified on RFC8415, and for some reason in openwrt are configured to allow both link-local and ULA addresses. As cleared out in issue #5066 there are some ISPs that use Gloabal Unicast addresses, so fix this rule to allow them. Fixes: #5066 Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com> [rebase onto firewall3, clarify subject, bump PKG_RELEASE] Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 65258f5d6093809c541050256646795bc0a460a9)
* dnsmasq: add logfacility file to jail mountsDaniel Golle2022-05-011-2/+6
| | | | | | | | | If logfacility is a path to a file it needs to be r/w mounted in the sandbox as well for dnsmasq to work. Reported-by: @iointerrupt Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit 2b5fa44f60165d66d74131778df0b64b706887e2)
* iwinfo: update to latest HEADDavid Bauer2022-04-271-3/+3
| | | | | | | dc6847e iwinfo: nl80211: omit A-hwmode on non-5GHz hardware Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit f757a8a09885e3c8bb76371e037b8c0731111980)
* firewall4: update to latest Git HEADJo-Philipp Wich2022-04-251-4/+4
| | | | | | | | | | | | | | fc83d46 ruleset: set auto-merge directive for interval sets 9bce873 fw4: fix skipping invalid ipset entries 425ea8a fw4: fix applying zone flags for source bound rules a378883 fw4: fix emitting family specific redirect rules without any addrs 11feddf fw4: bracketize IPv6 addresses in dnat addr:port notation 9972f7d fw4: ensure to capitalize weekday names fde8070 treewide: forward compatibility changes Signed-off-by: Jo-Philipp Wich <jo@mein.io> (backported from commits 1a35ac99905adc35059489d6e19c7de42ef4cc01 and af02a12d7ccb64a3abbd9683dd22275b538f6d50)
* iwinfo: update to latest HEADDavid Bauer2022-04-241-3/+3
| | | | | | | a479b9b devices: remove whitespace 562d015 iwinfo: nl80211: fix hwmode parsing for multi-band NICs Signed-off-by: David Bauer <mail@david-bauer.net>
* comgt: support ZTE MF286R modemCezary Jackiewicz2022-04-172-1/+23
| | | | | | | | | | | | | The modem is based on Marvell PXA1826 and uses ACM+RNDIS interface to establish connection with custom commands specific to ZTE modems. Two variants of modems were discovered, some identifying themselves as "ZTE", and others as plain "Marvell", the chipset manufacturer. The modem itself runs a fork of OpenWrt inside, which root shell can be accessed via ADB interface. Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl> Signed-off-by: Lech Perczak <lech.perczak@gmail.com> (cherry picked from commit e02fb42c53bad5dd36726c6ef5a46bfe31d2e400)
* comgt: ncm: try to detect interface for ttyACM portsLech Perczak2022-04-171-0/+4
| | | | | | | | | | | | Some modems expose ttyACM as their control ports, which have the "device" symlink pointing one level down in sysfs tree. Try to find network interfaces for them as well, this is commonly used for modems exposing ACM + RNDIS or ACM + ECM interface combinations. Co-developed-by: Cezary Jackiewicz <cezary@eko.one.pl> Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl> Signed-off-by: Lech Perczak <lech.perczak@gmail.com> (cherry picked from commit ed7957810c0aee04943559be9b0ed23431ee0654)
* comgt: ncm: select first available network interface for deviceLech Perczak2022-04-171-3/+4
| | | | | | | | | | | | | | Some modems expose multiple network interfaces on the same USB device, causing the connection setup script to fail, because glob matching in the detection phase causes 'ls' to output more than one interface name plus their base directories in sysfs. Avoid that by listing the directories explicitly and then selecting first available interface. This is the case for some variants of ZTE MF286R built-in modem, which exposes both RNDIS and CDC-ECM network interfaces, causing the connection setup to fail. Signed-off-by: Lech Perczak <lech.perczak@gmail.com> (cherry picked from commit b2940bb8b2878ce193f2edaee3e7d4c44f4a2065)
* comgt: ncm: allow specification of interface nameLech Perczak2022-04-171-14/+18
| | | | | | | | | | | | | Add ifname property to UCI, which can be used to override the autodetected interface name in case the detection fails due to having none or more than one interface exposed by the modem, which is not explicitly linked to TTY port. This is needed on certain variants of ZTE MF286R built-in modem, which exposes both RNDIS and CDC-ECM interfaces on the modem, on which the automatic detection may select the wrong network interface. Signed-off-by: Lech Perczak <lech.perczak@gmail.com> (cherry picked from commit a67629bbe25ef3d0e159db1e0c6ca81affd06898)
* hostapd: add ubus link-measurements notificationsDavid Bauer2022-04-173-0/+43
| | | | | | | Notify external ubus subscribers of received link-measurement reports. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit f6445cfa1acb32676723c49da3e3158b64a4b3d2)
* hostapd: add ubus method for requesting link measurementsDavid Bauer2022-04-171-0/+65
| | | | | | | | | | | Add a ubus method to request link-measurements from connected STAs. In addition to the STAs address, the used and maximum transmit power can be provided by the external process for the link-measurement. If they are not provided, 0 is used as the default value. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 965aa33a18c76bb2d5a1eeb0cfa01501b08e784a)
* hostapd: add support for enabling link measurementsDavid Bauer2022-04-171-0/+10
| | | | | | | | Allow external processes to enable advertisement of link-measurement RRM capability. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 2ca5c3da04c3f05a7477ae484768e03d4ca30711)
* netifd: relax check in dhcp proto handlerDaniel Golle2022-04-151-1/+1
| | | | | | | | | | Checking whether /sbin/udhcpc is a symbolic link breaks using the DHCP proto handler inside procd-ujail where bind-mounts are used for the resolved link. Check whether /sbin/udhcpc is executable instead to allow using the proto handler for DHCP-provisioned containers. Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit c5f113c43f43c20555298c8500bf91bffbe1f58b)
* nftables: add CONFLICT between versionsEneas U de Queiroz2022-04-111-1/+2
| | | | | | | Have nftables-json conflict with nftables-nojson. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 1135b75d1fd26049a0644b304b7199e4a73c6a08)
* dropbear: bump to 2022.82Konstantin Demin2022-04-109-66/+90
| | | | | | | | | | | | | | | | | | | | | | | - update dropbear to latest stable 2022.82; for the changes see https://matt.ucc.asn.au/dropbear/CHANGES - use $(AUTORELEASE) in PKG_RELEASE - use https for all uris - refresh all patches - rewrite patches: - 100-pubkey_path.patch - 130-ssh_ignore_x_args.patch binary/pkg size changes: - ath79/generic, mips: - binary: 215112 -> 219228 (+4116) - pkg: 111914 -> 113404 (+1490) - ath79/tiny, mips: - binary: 172501 -> 172485 (-16) - pkg: 89871 -> 90904 (+1033) Tested-by: Stijn Segers <foss@volatilesystems.org> Signed-off-by: Konstantin Demin <rockdrilla@gmail.com> (cherry picked from commit 65256aee23a5104eb0c78411fdc73640c0b757ea)
* dnsmasq: add procd interface index trackingValentyn Datsko2022-04-101-0/+5
| | | | | | | | | | | | | | Problem exist when dnsmasq is exclusively bind to particular interface. After reconfiguring or restarting this interface, its index changes, but dnsmasq uses the old one. When this problem occurs, dnsmasq does not listen on the correct interface so DHCP does not work, and clients do not get an IP address. Procd netdev param can be added to restart dnsmasq when the interface index is changed. Signed-off-by: Valentyn Datsko <valikk.d@gmail.com> [combined into a single &&-connected statement] Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit 76f55e3c3f32dea63a385e9b3c8eaed1322089c7)
* uqmi: fix acquiring PIN statusDaniel Golle2022-03-271-4/+8
| | | | | | | | | | | | | Evaluating the return value of 'json_load' didn't work in the intended way resulting in PIN status no longer being read on modems where --get-pin-status doesn't fail. Fix this by trying --get-pin-status first and checking if pin1_status field exists in JSON, and if it doesn't try again with --uim-get-sim-state. Fixes: #9501 Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit ee7cb5e885118b78fb5f692d8ed6c93bb7e35853)
* qosify: update to the latest versionFelix Fietkau2022-03-221-3/+3
| | | | | | | | | | | | | | | | | 391a9fbd5ace dns: fix parsing vlan encapsulated protocol 6aeeddbc91ad interface: extend dns filters to cover vlan tagged traffic as well 1ab53d4ca601 bpf: return TC_ACT_UNSPEC to allow other filters to proceed ca21e729af23 interface: switch to using clsact for filters 5d158f6b3c15 interface: run ingress bpf filter on main device ingress instead of ifb egress bdfcb11847ce interface: fix duplicated dns filter line b97405aa632a Revert "ubus: remove dnsmasq subscriber" 8fbaf39dbc95 interface: rework adding/removing filters, do not delete clsact d7ba5804eae4 interface: replace open-coded ifb-dns string with QOSIFY_DNS_IFNAME 91cf440db9e2 loader: fix use of deprecated functions 57c7817f91c2 qosify: fix dscp values of ubus-added dns host entries Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit af434e0da2485bd7a82895b5bb63b1182154b98e)
* iptables: bump PKG_RELEASEEtienne Champetier2022-03-191-1/+1
| | | | | | Following {arp,eb}tables-nft addition, bump PKG_RELEASE Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: add {arp,eb}tables-nftEtienne Champetier2022-03-192-0/+145
| | | | | | | Add a patch to add some missing init_extensions{a,b}() calls Package lib{arp,eb}t_*.so Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: add xtables-nft packageEtienne Champetier2022-03-191-3/+14
| | | | | | | This allows to install ip6tables-nft without iptables-nft This prepare the addition of {arp,eb}tables-nft Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: add xtables-legacy packageEtienne Champetier2022-03-191-3/+14
| | | | | | This allows to install ip6tables-legacy without iptables-legacy Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* ebtables: rename to ebtables-legacyEtienne Champetier2022-03-191-14/+21
| | | | | | | | This prepare the introduction of ebtables-nft. Add PROVIDES so dependencies are not broken, use ALTERNATIVES. Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* arptables: rename package to arptables-legacyEtienne Champetier2022-03-191-4/+7
| | | | | | | | This prepare the introduction of arptables-nft. Add PROVIDES so dependencies are not broken, use ALTERNATIVES. Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iwinfo: update to latest Git headJosef Schlehofer2022-03-191-3/+3
| | | | | | | | | Changelog: 90bfbb9 devices: Add Cypress CYW43455 234075b devices: fix AMD RZ608 format 0e2a318 devices: add AMD RZ608 device-id Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
* bpftools: fix library path on 64 bit systemsFelix Fietkau2022-03-191-3/+3
| | | | | | | drop the use of LIB_SUFFIX Fixes: 00cbf6f6ab1d ("bpftools: update to standalone bpftools + libbpf, use the latest version") Signed-off-by: Felix Fietkau <nbd@nbd.name>
* bpftools: update to standalone bpftools + libbpf, use the latest versionFelix Fietkau2022-03-196-117/+64
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* iptables: backport missing init_extensions6() callsEtienne Champetier2022-03-132-1/+69
| | | | | | | This fixes ip6tables-nft no being able to use built-in extensions like icmp6. Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* ipset: add backport patch for IPv6 nftables ipset-translationFlorian Eckert2022-03-132-1/+83
| | | | | | | | | | | | | | When porting mwan3 from iptables to nftables I tried the new translation tool for ipset ipset-translate. I noticed that no IPv6 ipset can be created with the tool. I have reported the problem to the upstream project and the following patch fixes the problem. Until this upsream is included in a new release, this patch should be used in Openwrt. https://lore.kernel.org/netfilter-devel/20220228190217.2256371-1-pablo@netfilter.org/T/#m09cc3cb738f2e42024c7aecf5b7240d9f6bbc19c Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* uqmi: update to git HEADDaniel Golle2022-03-121-3/+3
| | | | | | 44dd095 uqmi: corrected too short received SMS Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* uqmi: set CID during 'query-data-status' operationLech Perczak2022-03-121-2/+2
| | | | | | | | | | | | | Modems used in ZTE mobile broadband routers require to query the data session status using the same CID as one used to establish the session, otherwise they will report the session as "disconnected" despite reporting correct PDH in previous step. Without this change, IPv6 connection on these modems doesn't establish properly. In IPv4 this bug is present as well, but for some reason querying of IPv4 status works using temporary CID, this however seems noncompliant with QMI specifications, so fix it as well. Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
* iptables: add iptables-mod-socketYousong Zhou2022-03-101-4/+15
| | | | | | | | | Previously libxt_socket.so was included in iptables-mod-tproxy. It was missed out when trying to make kmod-ipt-socket and kmod-ipt-tproxy separate packages Fixes: 4f443c88 ("netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxy") Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* nftables: update to version 1.0.2Josef Schlehofer2022-03-073-47/+32
| | | | | | | | | | | | | | | | | | | | | | | | | Changelog: https://lwn.net/ml/netdev/YhO5Pn+6+dgAgSd9@salvia/ Patches: removed: - 001-parser-allow-quoted-string-in-flowtable_expr_member: it is now part of upstream release [1] added: - 001-examples-compile-with-make-check.patch: backported from [2], it fixes: nft-json-file.c:3:10: fatal error: nftables/libnftables.h: No such file or directory 3 | #include <nftables/libnftables.h> | ^~~~~~~~~~~~~~~~~~~~~~~~ compilation terminated. [1] https://git.netfilter.org/nftables/commit/?h=v1.0.2&id=07af4429241c9832a613cb8620331ac54257d9df [2] https://git.netfilter.org/nftables/commit/?id=18a08fb7f0443f8bde83393bd6f69e23a04246b3 Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
* qosify: update to the latest versionFelix Fietkau2022-03-061-3/+3
| | | | | | | | | | | 3276aed81c73 move run_cmd() to main.c 558eabc13c64 map: move dns host based lookup code to a separate function 6ff06d66c36c dns: add code for snooping dns packets a78bd43c4a54 ubus: remove dnsmasq subscriber 9773ffa70f1f map: process dns patterns in the order in which they were defined f13b67c9a786 dns: allow limiting dns entry matching to cname name Signed-off-by: Felix Fietkau <nbd@nbd.name>
* iproute2: Remove libxtables from some tc variantsHauke Mehrtens2022-03-051-3/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds the new tc-bpf variant and removes libxtables dependency from the tc-tiny variant. The tc-full variant stays like before and contains everything. This allows to use tc without libxtables. The variants have the following sizes: root@OpenWrt:/# ls -al /usr/libexec/tc-* -rwxr-xr-x 1 root root 282453 Mar 1 21:55 /usr/libexec/tc-bpf -rwxr-xr-x 1 root root 282533 Mar 1 21:55 /usr/libexec/tc-full -rwxr-xr-x 1 root root 266037 Mar 1 21:55 /usr/libexec/tc-tiny They are linking the following shared libraries: root@OpenWrt:/# ldd /usr/libexec/tc-tiny /lib/ld-musl-mips-sf.so.1 (0x77d6e000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d4a000) libc.so => /lib/ld-musl-mips-sf.so.1 (0x77d6e000) root@OpenWrt:/# ldd /usr/libexec/tc-bpf /lib/ld-musl-mips-sf.so.1 (0x77da6000) libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77d60000) libelf.so.1 => /usr/lib/libelf.so.1 (0x77d3e000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d1a000) libc.so => /lib/ld-musl-mips-sf.so.1 (0x77da6000) libz.so.1 => /usr/lib/libz.so.1 (0x77cf6000) root@OpenWrt:/# ldd /usr/libexec/tc-full /lib/ld-musl-mips-sf.so.1 (0x77de8000) libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77da2000) libelf.so.1 => /usr/lib/libelf.so.1 (0x77d80000) libxtables.so.12 => /usr/lib/libxtables.so.12 (0x77d66000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d42000) libc.so => /lib/ld-musl-mips-sf.so.1 (0x77de8000) libz.so.1 => /usr/lib/libz.so.1 (0x77d1e000) This is based on a patch from Tiago Gaspar. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* qosify: bump to git HEADStijn Tintel2022-03-042-4/+4
| | | | | | | | interface: disable autorate-ingress by default Also change the example config to reflect this. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* qosify: add PKG_RELEASEStijn Tintel2022-03-041-0/+1
| | | | | | | | | Without PKG_RELEASE, it's impossible to trigger package updates when changing files included in the package that are not in the qosify git repository. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Acked-by: Felix Fietkau <nbd@nbd.name>
* ipset: update to 7.15Florian Eckert2022-03-012-2/+14
| | | | | | | | | Update to the latest upstream version. In this version there is a new tool with which you can convert ipsets into nftables sets. Since we are now using nftables as default firewall, this could be a useful tool for porting ipsets to nftables sets. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* layerscape: use semantic versions for LSDKPaul Spooren2022-03-011-1/+1
| | | | | | PKG_VERSION should not contain the package name but the version only. Signed-off-by: Paul Spooren <mail@aparcar.org>
* iptables: bump PKG_RELEASEEtienne Champetier2022-02-281-1/+1
| | | | | | Following dependencies rework, bump PKG_RELEASE Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: move libiptext* to their own packagesEtienne Champetier2022-02-282-20/+46
| | | | | | | | iptables-nft doesn't depend on libip{4,6}tc, so move libiptext* libs in their own packages to clean up dependencies Rename libxtables-nft to libiptext-nft Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: rename to ip(6)tables-legacy, add PROVIDESEtienne Champetier2022-02-281-8/+12
| | | | | | | | Using PROVIDES allows to have other packages continue to depend on iptables and users to pick between legacy and nft version. Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: move IPTABLES_{CONNLABEL,NFTABLES} to libxtablesEtienne Champetier2022-02-281-15/+15
| | | | | | Those 2 configs are not specific to iptables(-legacy) Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: make mod depend on libxtablesEtienne Champetier2022-02-281-4/+3
| | | | | | | | | 'iptables-mod-' can be used directly by firewall3, by iptables and by iptables-nft. They are not linked to iptables but to libxtables, so fix the dependencies to allow to remove iptables(-legacy) Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: fix libnftnl/IPTABLES_NFTABLES dependencyEtienne Champetier2022-02-281-5/+3
| | | | | | | | | libxtables doesn't depend on libnftnl, iptables-nft does, so move the dependency to not pull libnftnl with firewall3/iptables-legacy Also libxtables-nft depends on IPTABLES_NFTABLES Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* hostapd: SAE - Enable hunting-and-pecking and H2ENick Lowe2022-02-241-0/+2
| | | | | | | | | | | | | | | | | | | | | | | Enable both the hunting-and-pecking loop and hash-to-element mechanisms by default in OpenWRT with SAE. Commercial Wi-Fi solutions increasingly frequently now ship with both hunting-and-pecking and hash-to-element (H2E) enabled by default as this is more secure and more performant than offering hunting-and-pecking alone for H2E capable clients. The hunting and pecking loop mechanism is inherently fragile and prone to timing-based side channels in its design and is more computationally intensive to perform. Hash-to-element (H2E) is its long-term replacement to address these concerns. For clients that only support the hunting-and-pecking loop mechanism, this is still available to use by default. For clients that in addition support, or were to require, the hash-to-element (H2E) mechanism, this is then available for use. Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
* qosify: update to the latest versionFelix Fietkau2022-02-201-3/+3
| | | | | | 65b42032063f interface: add missing autorate-ingress options Signed-off-by: Felix Fietkau <nbd@nbd.name>
* netifd: bump to version 2022-02-20Petr Štetiar2022-02-201-3/+3
| | | | | | | | | Contains following changes: 136006b88826 cmake: fix usage of implicit library and include paths bc0e84d689e2 netifd: interface-ip: don't set fib6 policies if ipv6 disabled Signed-off-by: Petr Štetiar <ynezz@true.cz>
* hostapd: fallback to psk when generating r0kh/r1khEneas U de Queiroz2022-02-191-4/+4
| | | | | | | | | | | | | | | | The 80211r r0kh and r1kh defaults are generated from the md5sum of "$mobility_domain/$auth_secret". auth_secret is only set when using EAP authentication, but the default key is used for SAE/PSK as well. In this case, auth_secret is empty, and the default value of the key can be computed from the SSID alone. Fallback to using $key when auth_secret is empty. While at it, rename the variable holding the generated key from 'key' to 'ft_key', to avoid clobbering the PSK. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> [make ft_key local] Signed-off-by: David Bauer <mail@david-bauer.net>
* hostapd: add STA extended capabilities to get_clientsDavid Bauer2022-02-191-0/+10
| | | | | | | | | | Add the STAs extended capabilities to the ubus STA information. This way, external daemons can be made aware of a STAs capabilities. This field is of an array type and contains 0 or more bytes of a STAs advertised extended capabilities. Signed-off-by: David Bauer <mail@david-bauer.net>