aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services
Commit message (Collapse)AuthorAgeFilesLines
* hostapd: add WEP as queryable build featureDavid Bauer2020-05-221-0/+4
| | | | | | | | | | | Commit 472fd98c5b12 ("hostapd: disable support for Wired Equivalent Privacy by default") made support for WEP optional. Expose the WEP support to LuCi or other userspace tools using the existing interface. This way they are able to remove WEP from the available ciphers if hostapd is built without WEP support. Signed-off-by: David Bauer <mail@david-bauer.net>
* hostapd: bring back mesh patchesDaniel Golle2020-05-2128-108/+792
| | | | | | | | | | | | | Bring back 802.11s mesh features to the level previously available before the recent hostapd version bump. This is mostly to support use of 802.11s on DFS channels, but also making mesh forwarding configurable which is crucial for use of 802.11s MAC with other routing protocols, such as batman-adv, on top. While at it, fix new compiler warning by adapting 700-wifi-reload.patch to upstream changes, now building without any warnings again. Fixes: 0a3ec87a66 ("hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848ed") Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* wireguard: bump to 1.0.20200520Jason A. Donenfeld2020-05-211-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This version has the various slew of bug fixes and compat fixes and such, but the most interesting thing from an OpenWRT perspective is that WireGuard now plays nicely with cake and fq_codel. I'll be very interested to hear from OpenWRT users whether this makes a measurable difference. Usual set of full changes follows. This release aligns with the changes I sent to DaveM for 5.7-rc7 and were pushed to net.git about 45 minutes ago. * qemu: use newer iproute2 for gcc-10 * qemu: add -fcommon for compiling ping with gcc-10 These enable the test suite to compile with gcc-10. * noise: read preshared key while taking lock Matt noticed a benign data race when porting the Linux code to OpenBSD. * queueing: preserve flow hash across packet scrubbing * noise: separate receive counter from send counter WireGuard now works with fq_codel, cake, and other qdiscs that make use of skb->hash. This should significantly improve latency spikes related to buffer bloat. Here's a before and after graph from some data Toke measured: https://data.zx2c4.com/removal-of-buffer-bloat-in-wireguard.png * compat: support RHEL 8 as 8.2, drop 8.1 support * compat: support CentOS 8 explicitly * compat: RHEL7 backported the skb hash renamings The usual RHEL churn. * compat: backport renamed/missing skb hash members The new support for fq_codel and friends meant more backporting work. * compat: ip6_dst_lookup_flow was backported to 4.14, 4.9, and 4.4 The main motivation for releasing this now: three stable kernels were released at the same time, with a patch that necessitated updating in our compat layer. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* hostapd: disable support for Wired Equivalent Privacy by defaultPetr Štetiar2020-05-212-0/+14
| | | | | | | | | | | | | | | | | | | Upstream in commit 200c7693c9a1 ("Make WEP functionality an optional build parameter") has made WEP functionality an optional build parameter disabled as default, because WEP should not be used for anything anymore. As a step towards removing it completely, they moved all WEP related functionality behind CONFIG_WEP blocks and disabled it by default. This functionality is subject to be completely removed in a future release. So follow this good security advice, deprecation notice and disable WEP by default, but still allow custom builds with WEP support via CONFIG_WPA_ENABLE_WEP config option till upstream removes support for WEP completely. Signed-off-by: Petr Štetiar <ynezz@true.cz>
* hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848edPetr Štetiar2020-05-2147-1327/+262
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bump package to latest upstream Git HEAD which is commit dd2daf0848ed ("HE: Process HE 6 GHz band capab from associating HE STA"). Since last update there was 1238 commits done in the upstream tree with 618 files changed, 53399 insertions, 24928 deletions. I didn't bothered to rebase mesh patches as the changes seems not trivial and I don't have enough knowledge of those parts to do/test that properly, so someone else has to forward port them, ideally upstream them so we don't need to bother anymore. I've just deleted them for now: 004-mesh-use-setup-completion-callback-to-complete-mesh-.patch 005-mesh-update-ssid-frequency-as-pri-sec-channel-switch.patch 006-mesh-inform-kernel-driver-DFS-handler-in-userspace.patch 007-mesh-apply-channel-attributes-before-running-Mesh.patch 011-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch 013-mesh-do-not-allow-pri-sec-channel-switch.patch 015-mesh-do-not-use-offchan-mgmt-tx-on-DFS.patch 016-mesh-fix-channel-switch-error-during-CAC.patch 018-mesh-make-forwarding-configurable.patch Refreshed all other patches, removed upstreamed patches: 051-wpa_supplicant-fix-race-condition-in-mesh-mpm-new-pe.patch 067-0001-AP-Silently-ignore-management-frame-from-unexpected-.patch 070-driver_nl80211-fix-WMM-queue-mapping-for-regulatory-.patch 071-driver_nl80211-fix-regulatory-limits-for-wmm-cwmin-c.patch 090-wolfssl-fix-crypto_bignum_sum.patch 091-0001-wolfssl-Fix-compiler-warnings-on-size_t-printf-forma.patch 091-0002-wolfssl-Fix-crypto_bignum_rand-implementation.patch 091-0003-wolfssl-Do-not-hardcode-include-directory-in-wpa_sup.patch 800-usleep.patch Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [ipq8065/NBG6817; ipq40xx/MAP-AC2200] Signed-off-by: Petr Štetiar <ynezz@true.cz>
* hostapd: backport wolfssl bignum fixesDaniel Golle2020-05-164-1/+107
| | | | | | | | crypto_bignum_rand() use needless time-consuming filtering which resulted in SAE no longer connecting within time limits. Import fixes from hostap upstream to fix that. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* umdns: re-enable address-of-packed-member warningKevin Darbyshire-Bryant2020-05-101-1/+1
| | | | Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: hotplug script tidyupKevin Darbyshire-Bryant2020-05-102-6/+3
| | | | | | | | Hotplug scripts are sourced so the #!/bin/sh is superfluous/deceptive. Re-arrange script to only source 'procd' if we get to the stage of needing to signal the process, reduce hotplug processing load a little. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* lldpd: add management IP settingDaniel A. Maierhofer2020-05-083-2/+10
| | | | | | | | | | | | | add option to set management IP pattern also add missing 'unconfigure system hostname' for example pattern '!192.168.1.1' makes it possible that WAN IP is selected instead of LAN IP Signed-off-by: Daniel A. Maierhofer <git@damadmai.at> [grammar and spelling fixes in commit message] Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* samba36: RemoveRosen Penev2020-05-0841-32012/+0
| | | | | | | | | | | | | | | | | | | | | | | | | Samba 3.6 is completely unsupported, in addition to having tons of patches It also causes kernel panics on some platforms when sendfile is enabled. Example: https://github.com/gnubee-git/GnuBee_Docs/issues/45 I have reproduced on ramips as well as mvebu in the past. Samba 4 is an alternative available in the packages repo. cifsd is a lightweight alternative available in the packages repo. It is also a faster alternative to both Samba versions (lower CPU usage). It was renamed to ksmbd. To summarize, here are the alternatives: - ksmbd + luci-app-cifsd - samba4 + luci-app-samba4 Signed-off-by: Rosen Penev <rosenp@gmail.com> [drop samba36-server from GEMINI_NAS_PACKAGES, ksmbd rename + summary] Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* wireguard: bump to 1.0.20200506Jason A. Donenfeld2020-05-071-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * compat: timeconst.h is a generated artifact Before we were trying to check for timeconst.h by looking in the kernel source directory. This isn't quite correct on configurations in which the object directory is separate from the kernel source directory, for example when using O="elsewhere" as a make option when building the kernel. The correct fix is to use $(CURDIR), which should point to where we want. * compat: use bash instead of bc for HZ-->USEC calculation This should make packaging somewhat easier, as bash is generally already available (at least for dkms), whereas bc isn't provided by distros by default in their build meta packages. * socket: remove errant restriction on looping to self It's already possible to create two different interfaces and loop packets between them. This has always been possible with tunnels in the kernel, and isn't specific to wireguard. Therefore, the networking stack already needs to deal with that. At the very least, the packet winds up exceeding the MTU and is discarded at that point. So, since this is already something that happens, there's no need to forbid the not very exceptional case of routing a packet back to the same interface; this loop is no different than others, and we shouldn't special case it, but rather rely on generic handling of loops in general. This also makes it easier to do interesting things with wireguard such as onion routing. At the same time, we add a selftest for this, ensuring that both onion routing works and infinite routing loops do not crash the kernel. We also add a test case for wireguard interfaces nesting packets and sending traffic between each other, as well as the loop in this case too. We make sure to send some throughput-heavy traffic for this use case, to stress out any possible recursion issues with the locks around workqueues. * send: cond_resched() when processing tx ringbuffers Users with pathological hardware reported CPU stalls on CONFIG_ PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning these workers would never terminate. That turned out not to be okay on systems without forced preemption. This commit adds a cond_resched() to the bottom of each loop iteration, so that these workers don't hog the core. We don't do this on encryption/decryption because the compat module here uses simd_relax, which already includes a call to schedule in preempt_enable. * selftests: initalize ipv6 members to NULL to squelch clang warning This fixes a worthless warning from clang. * send/receive: use explicit unlikely branch instead of implicit coalescing Some code readibility cleanups. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* ppp: Fix mirror hashHauke Mehrtens2020-05-061-1/+1
| | | | | Fixes: ae06a650d680 ("ppp: update to version 2.4.8.git-2020-03-21") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* odhcpd: update to latest git HEAD (FS#3056)Hans Dedecker2020-05-041-3/+3
| | | | | | 5ce0770 router: fix Lan host reachibility due to identical RIO and PIO prefixes (FS#3056) Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wireguard: bump to 1.0.20200429Jason A. Donenfeld2020-04-301-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * compat: support latest suse 15.1 and 15.2 * compat: support RHEL 7.8's faulty siphash backport * compat: error out if bc is missing * compat: backport hsiphash_1u32 for tests We now have improved support for RHEL 7.8, SUSE 15.[12], and Ubuntu 16.04. * compat: include sch_generic.h header for skb_reset_tc A fix for a compiler error on kernels with weird configs. * compat: import latest fixes for ptr_ring * compat: don't assume READ_ONCE barriers on old kernels * compat: kvmalloc_array is not required anyway ptr_ring.h from upstream was imported, with compat modifications, to our compat layer, to receive the latest fixes. * compat: prefix icmp[v6]_ndo_send with __compat Some distros that backported icmp[v6]_ndo_send still try to build the compat module in some corner case circumstances, resulting in errors. Work around this with the usual __compat games. * compat: ip6_dst_lookup_flow was backported to 3.16.83 * compat: ip6_dst_lookup_flow was backported to 4.19.119 Greg and Ben backported the ip6_dst_lookup_flow patches to stable kernels, causing breaking in our compat module, which these changes fix. * git: add gitattributes so tarball doesn't have gitignore files Distros won't need to clean this up manually now. * crypto: do not export symbols These don't do anything and only increased file size. * queueing: cleanup ptr_ring in error path of packet_queue_init Sultan Alsawaf reported a memory leak on an error path. * main: mark as in-tree Now that we're upstream, there's no need to set the taint flag. * receive: use tunnel helpers for decapsulating ECN markings ECN markings are now decapsulated using RFC6040 instead of the old RFC3168. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* dnsmasq: always inform about disabled dhcp servicePetr Štetiar2020-04-301-6/+6
| | | | | | | | | | | | | | | | | Init script checks for an already active DHCP server on the interface and if such DHCP server is found, then it logs "refusing to start DHCP" message, starts dnsmasq without DHCP service unless `option force 1` is set and caches the DHCP server check result. Each consecutive service start then uses this cached DHCP server check result, but doesn't provide log feedback about disabled DHCP service anymore. So this patch ensures, that the log message about disabled DHCP service on particular interface is always provided. Acked-by: Hans Dedecker <dedeckeh@gmail.com> Signed-off-by: Petr Štetiar <ynezz@true.cz>
* wpad-wolfssl: fix crypto_bignum_sub()Antonio Quartulli2020-04-281-0/+26
| | | | | | | | | | | | | | Backport patch from hostapd.git master that fixes copy/paste error in crypto_bignum_sub() in crypto_wolfssl.c. This missing fix was discovered while testing SAE over a mesh interface. With this fix applied and wolfssl >3.14.4 mesh+SAE works fine with wpad-mesh-wolfssl. Cc: Sean Parkinson <sean@wolfssl.com> Signed-off-by: Antonio Quartulli <a@unstable.cc> Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* relayd: bump to version 2020-04-25Kevin Darbyshire-Bryant2020-04-261-3/+3
| | | | | | | | f4d759b dhcp.c: further improve validation Further improve input validation for CVE-2020-11752 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* umdns: update to version 2020-04-25Kevin Darbyshire-Bryant2020-04-261-3/+3
| | | | | | | | | | | cdac046 dns.c: fix input validation fix Due to a slight foobar typo, failing to de-reference a pointer, previous fix not quite as complete as it should have been. Improve CVE-2020-11750 fix Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* relayd: bump to version 2020-04-20Kevin Darbyshire-Bryant2020-04-201-3/+3
| | | | | | | | 796da66 dhcp.c: improve input validation & length checks Addresses CVE-2020-11752 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* umdns: update to version 2020-04-20Kevin Darbyshire-Bryant2020-04-201-4/+4
| | | | | | | | e74a3f9 dns.c: improve input validation Addresses CVE-2020-11750 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* openvpn: update to 2.4.9Magnus Kroken2020-04-183-4/+4
| | | | | | | | | | | | | | | This is primarily a maintenance release with bugfixes and improvements. This release also fixes a security issue (CVE-2020-11810) which allows disrupting service of a freshly connected client that has not yet negotiated session keys. The vulnerability cannot be used to inject or steal VPN traffic. Release announcement: https://openvpn.net/community-downloads/#heading-13812 Full list of changes: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9 Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* hostapd: reduce to a single instance per serviceDaniel Golle2020-04-148-174/+62
| | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: backport usleep patchRosen Penev2020-04-132-1/+54
| | | | | | Optionally fixes compilation with uClibc-ng. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* wpa_supplicant: disable CONFIG_WRITE functionalityKirill Lukonin2020-04-132-2/+2
| | | | | | | | | CONFIG_WRITE functionality is not used and could be removed. Looks helpful for devices with small flash because wpad is also affected. Little testing shows that about 6 KB could be saved. Signed-off-by: Kirill Lukonin <klukonin@gmail.com>
* dnsmasq: bump to v2.81Kevin Darbyshire-Bryant2020-04-121-3/+3
| | | | Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* ppp: update to version 2.4.8.git-2020-03-21Hans Dedecker2020-04-069-137/+10
| | | | | | | | | | | | | | | | | | | Use upstream latest git HEAD as it allows to remove the patches 700-radius-Prevent-buffer-overflow-in-rc_mksid, 701-pppd-Fix-bounds-check-in-EAP-code and 702-pppd-Ignore-received-EAP-messages-when-not-doing-EAP and take in other fixes. 41a7323 pppd: Fixed spelling 'unkown' => 'unknown' (#141) 6b014be pppd: Print version information to stdout instead of stderr (#133) cba2736 pppd: Add RFC1990 (Multilink) to the See Also section of the man page f2f9554 pppd: Add mppe.h to the list of headers to install if MPPE is defined ae54fcf pppd: Obfuscate password argument string 8d45443 pppd: Ignore received EAP messages when not doing EAP 8d7970b pppd: Fix bounds check in EAP code 858976b radius: Prevent buffer overflow in rc_mksid() Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: bump to 2.81rc5Kevin Darbyshire-Bryant2020-04-063-67/+181
| | | | | | | | | | | | | | | | | | | | Bump to 2.81rc5 and re-work ipset-remove-old-kernel-support. More runtime kernel version checking is done in 2.81rc5 in various parts of the code, so expand the ipset patch' scope to inlude those new areas and rename to something a bit more generic.:wq Upstream changes from rc4 532246f Tweak to DNSSEC logging. 8caf3d7 Fix rare problem allocating frec for DNSSEC. d162bee Allow overriding of ubus service name. b43585c Fix nameserver list in auth mode. 3f60ecd Fixed resource leak on ubus_init failure. 0506a5e Handle old kernels that don't do NETLINK_NO_ENOBUFS. e7ee1aa Extend stop-dns-rebind to reject IPv6 LL and ULA addresses. We also reject the loopback address if rebind-localhost-ok is NOT set. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dropbear: backport add ip address to exit without auth messagesKevin Darbyshire-Bryant2020-04-052-1/+120
| | | | | | | 201e359 Handle early exit when addrstring isn't set fa4c464 Improve address logging on early exit messages (#83) Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* hostapd: Move hostapd variants to WirelessAPD menuKevin Darbyshire-Bryant2020-04-051-0/+9
| | | | | | | | | | | It seemed very confusing when trying to select the different variants of hostapd which are somewhat scattered about under the menu 'Network'. Moving all hostapd variants under a common submenu helps avoid confusion. Inspired-by: Kevin Mahoney <kevin.mahoney@zenotec.net> [Fixup badly formatted patch, change menu name] Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* umdns: update to the version 2020-04-05Kevin Darbyshire-Bryant2020-04-051-4/+4
| | | | | | | ab7a39a umdns: fix unused error 45c4953 dns: explicitly endian-convert all fields in header and question Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* umdns: suppress address-of-packed-member warningKevin Darbyshire-Bryant2020-04-041-2/+2
| | | | | | | | | | | | | | | | | gcc 8 & 9 appear to be more picky with regards access alignment to packed structures, leading to this warning in dns.c: dns.c:261:2: error: converting a packed ‘struct dns_question’ pointer (alignment 1) to a ‘uint16_t’ {aka ‘short unsigned int’} pointer (alignment 2) may result in an unaligned pointer value [-Werror=address-of-packed-member] 261 | uint16_t *swap = (uint16_t *) q; Work around what I think is a false positive by turning the warning off. Not ideal, but not quite as not ideal as build failure. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* wireguard: bump to 1.0.20200401Jason A. Donenfeld2020-04-011-2/+2
| | | | | | | Recent backports to 5.5 and 5.4 broke our compat layer. This release is to keep things running with the latest upstream stable kernels. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wireguard: bump to 1.0.20200330Jason A. Donenfeld2020-03-311-2/+2
| | | | | | | | | | | | | | | | | * queueing: backport skb_reset_redirect change from 5.6 * version: bump This release has only one slight change, to put it closer to the 5.6 codebase, but its main purpose is to bump us to a 1.0.y version number. Now that WireGuard 1.0.0 has been released for Linux 5.6 [1], we can put the same number on the backport compat codebase. When OpenWRT bumps to Linux 5.6, we'll be able to drop this package entirely, which I look forward to seeing. [1] https://lists.zx2c4.com/pipermail/wireguard/2020-March/005206.html Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* hostapd: add abridged flag in disassoc_imminentNick Hainke2020-03-301-0/+5
| | | | | | | | | | | | | If the abridged flag is set to 1 the APs that are listed in the BSS Transition Candidate List are prioritized. If the bit is not set, the APs have the same prioritization as the APs that are not in the list. If you want to steer a client, you should set the flag! The flag can be set by adding {...,'abridged': true,...} to the normal ubus call. Signed-off-by: Nick Hainke <vincent@systemli.org>
* hostapd: expose beacon reports through ubusNick Hainke2020-03-303-0/+51
| | | | | | | | | | | | | | | | | | | Subscribe to beacon reports through ubus. Can be used for hearing map and client steering purposes. First enable rrm: ubus call hostapd.wlan0 bss_mgmt_enable '{"beacon_report":True}' Subscribe to the hostapd notifications via ubus. Request beacon report: ubus call hostapd.wlan0 rrm_beacon_req '{"addr":"00:xx:xx:xx:xx:xx", "op_class":0, "channel":1, "duration":1,"mode":2,"bssid":"ff:ff:ff:ff:ff:ff", "ssid":""}' Signed-off-by: Nick Hainke <vincent@systemli.org> [rework identation] Signed-off-by: David Bauer <mail@david-bauer.net>
* hostapd: Add 802.11r support for WPA3-EnterpriseJesus Fernandez Manzano2020-03-301-0/+1
| | | | Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
* dnsmasq: bump to 2.81rc4Kevin Darbyshire-Bryant2020-03-291-2/+2
| | | | Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: fix dnssec+ntp chicken-and-egg workaround (FS#2574)Henrique de Moraes Holschuh2020-03-252-4/+3
| | | | | | | | | | | | | | | | | | | | | | | Fix the test for an enabled sysntp initscript in dnsmasq.init, and get rid of "test -o" while at it. Issue reproduced on openwrt-19.07 with the help of pool.ntp.br and an RTC-less ath79 router. dnssec-no-timecheck would be clearly missing from /var/etc/dnsmasq.conf.* while the router was still a few days in the past due to non-working DNSSEC + DNS-based NTP server config. The fix was tested with the router in the "DNSSEC broken state": it properly started dnsmasq in dnssec-no-timecheck mode, and eventually ntp was able to resolve the server name to an IP address, and set the system time. DNSSEC was then enabled by SIGINT through the ntp hotplug hook, as expected. A missing system.ntp.enabled UCI node is required for the bug to show up. The reasons for why it would be missing in the first place were not investigated. Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* dnsmasq: init: get rid of test -a and test -oHenrique de Moraes Holschuh2020-03-251-17/+17
| | | | | | | Refer to shellcheck SC2166. There are just too many caveats that are shell-dependent on test -a and test -o to use them. Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
* uhttpd: bump to latest Git HEADJo-Philipp Wich2020-03-251-3/+3
| | | | | | | 5e9c23c client: allow keep-alive for POST requests 5fc551d tls: support specifying accepted TLS ciphers Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* dnsmasq: add 'scriptarp' optionJordan Sokolic2020-03-222-1/+3
| | | | | | | | | | | Add option 'scriptarp' to uci dnsmasq config to enable --script-arp functions. The default setting is false, meaning any scripts in `/etc/hotplug.d/neigh` intended to be triggered by `/usr/lib/dnsmasq/dhcp-script.sh` will fail to execute. Also enable --script-arp if has_handlers returns true. Signed-off-by: Jordan Sokolic <oofnik@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* samba36: log error if getting device info failedRafał Miłecki2020-03-212-4/+10
| | | | Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* wireguard: bump to 0.0.20200318Jason A. Donenfeld2020-03-211-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | WireGuard had a brief professional security audit. The auditors didn't find any vulnerabilities, but they did suggest one defense-in-depth suggestion to protect against potential API misuse down the road, mentioned below. This compat snapshot corresponds with the patches I just pushed to Dave for 5.6-rc7. * curve25519-x86_64: avoid use of r12 This buys us 100 extra cycles, which isn't much, but it winds up being even faster on PaX kernels, which use r12 as a RAP register. * wireguard: queueing: account for skb->protocol==0 This is the defense-in-depth change. We deal with skb->protocol==0 just fine, but the advice to deal explicitly with it seems like a good idea. * receive: remove dead code from default packet type case A default case of a particular switch statement should never be hit, so instead of printing a pretty debug message there, we full-on WARN(), so that we get bug reports. * noise: error out precomputed DH during handshake rather than config All peer keys will now be addable, even if they're low order. However, no handshake messages will be produced successfully. This is a more consistent behavior with other low order keys, where the handshake just won't complete if they're being used anywhere. * send: use normaler alignment formula from upstream We're trying to keep a minimal delta with upstream for the compat backport. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* hostapd: fix segfault in wpa_supplicant ubusDaniel Golle2020-03-182-1/+3
| | | | | | | | | | | | | | When introducing ubus reload support, ubus initialization was moved to the service level instead of being carried out when adding a BSS configuration. While this works when using wpa_supplicant in that way, it breaks the ability to run wpa_supplicant on the command line, eg. for debugging purposes. Fix that by re-introducing ubus context intialization when adding configuration. Reported-by: @PolynomialDivision https://github.com/openwrt/openwrt/pull/2417 Fixes: 60fb4c92b6 ("hostapd: add ubus reload") Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: fix pointer cast warningsLeon M. George2020-03-172-8/+15
| | | | Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: remove trailing whitespaceLeon M. George2020-03-171-2/+2
| | | | Signed-off-by: Leon M. George <leon@georgemail.eu>
* odhcpd: update to latest git HEADHans Dedecker2020-03-151-3/+3
| | | | | | | | 6594c6b ubus: use dhcpv6 ia assignment flag a90cc2e dhcpv6-ia: avoid setting lifetime to infinite for static assignments bb07fa4 dhcpv4: avoid setting lifetime to infinite for static assignments Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: bump to v2.81rc3Kevin Darbyshire-Bryant2020-03-103-79/+2
| | | | | | | Bump to latest release candidate and drop 2 local patches that have been upstreamed. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to 2.81rc2 + 2 localKevin Darbyshire-Bryant2020-03-063-2/+79
| | | | | | | | | Bump to dnsmasq 2.81rc2. In the process discovered several compiler warnings one with a logical error. 2 relevant patches sent upstream, added as 2 local patches for OpenWrt Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to v2.81rc1Kevin Darbyshire-Bryant2020-03-0435-8841/+5
| | | | | | | | | | 1st release candidate for v2.81 after 18 months. Refresh patches & remove all upstreamed leaving: 110-ipset-remove-old-kernel-support.patch Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>