aboutsummaryrefslogtreecommitdiffstats
path: root/package/network
Commit message (Collapse)AuthorAgeFilesLines
* omcproxy: use PROJECT_GIT in PKG_SOURCE_URLHans Dedecker2018-12-161-1/+1
| | | | | | Switch PKG_SOURCE_URL to git.openwrt.org Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* omcproxy: switch to OpenWrt github repoHans Dedecker2018-12-162-40/+5
| | | | | | | Switch to OpenWrt github repo in PKG_SOURCE_URL so we can remove the out of tree patch Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: Make eapol-test depend on libubusHauke Mehrtens2018-12-161-3/+3
| | | | | | | | The eapol-test application also uses the code with the newly activated ubus support, add the missing dependency. Fixes: f5753aae233 ("hostapd: add support for WPS pushbutton station") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* swconfig: Add missing includeRosen Penev2018-12-162-1/+2
| | | | | | | | | Fixes these warnings: swlib.c:455:18: warning: implicit declaration of function 'isspace' swlib.c:461:9: warning: implicit declaration of function 'isdigit' Signed-off-by: Rosen Penev <rosenp@gmail.com>
* omcproxy: fix compilation on little-endian CPUsEneas U de Queiroz2018-12-162-1/+36
| | | | | | Don't use cpu_to_be32 outside of a function. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
* dnsmasq: Fix dhcp-boot, dhcp-reply-delay and pxe-prompt regressionsKevin Darbyshire-Bryant2018-12-142-1/+41
| | | | | | | The above options were incorrectly changed to required tags. Make them optional again. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* iproute2: backport patch fixing incorrect usage of LDFLAGSHans Dedecker2018-12-142-1/+36
| | | | | | | Backport upstream patch fixing incorrect passing of -lxtables to LDFLAGS instead of LDLIBS in the tc/Makefile Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: update to latest git HEADHans Dedecker2018-12-131-3/+3
| | | | | | 1ac1c78 system-linux: get rid of SIOCSDEVPRIVATE Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* openvpn: re-add option comp_lzoMartin Schiller2018-12-122-1/+2
| | | | | | | | This option is deprecated but needs to be kept for backward compatibility. [0] [0] https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#a--comp-lzo Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* dnsmasq: fix ipv6 ipset bugKevin Darbyshire-Bryant2018-12-122-1/+22
| | | | | | | | | During upstream removal of conditional ipv6 support an order swap error was made in a ternary operator usage. This patch sent upstream. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* iproute2: backport upstream patch to fix print_0xhex on 32 bitHans Dedecker2018-12-121-0/+343
| | | | | | | | | The argument to print_0xhex is converted to unsigned long long so the format string give for normal printout has to be some variant of %llx. Backport the patch as otherwise, bogus values will be printed on 32 bit platforms. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: add support for WPS pushbutton stationDaniel Golle2018-12-1210-14/+467
| | | | | | | | | | | | | | | | | | | | | | similar to hostapd, also add a ubus interface for wpa_supplicant which will allow handling WPS push-button just as it works for hostapd. In order to have wpa_supplicant running without any network configuration (so you can use it to retrieve credentials via WPS), configure wifi-iface in /etc/config/wireless: config wifi-iface 'default_radio0' option device 'radio0' option network 'wwan' option mode 'sta' option encryption 'wps' This section will automatically be edited if credentials have successfully been acquired via WPS. Size difference (mips_24kc): roughly +4kb for the 'full' variants of wpa_supplicant and wpad which do support WPS. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* dnsmasq: follow upstream dnsmasq pre-v2.81 v2Kevin Darbyshire-Bryant2018-12-1014-3/+4550
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Backport upstream commits. Most interesting 122392e which changes how SERVFAIL is handled especially in event of genuine server down/failure scenarios with multiple servers. a799ca0 also interesting in that answered received via TCP are now cached, DNSSEC typically using TCP meant until now answers weren't cached, hence reducing performance. 59e4703 Free config file values on parsing errors. 48d12f1 Remove the NO_FORK compile-time option, and support for uclinux. 122392e Revert 68f6312d4bae30b78daafcd6f51dc441b8685b1e 3a5a84c Fix Makefile lines generating UBUS linker config. 24b8760 Do not rely on dead code elimination, use array instead. Make options bits derived from size and count. Use size of option bits and last supported bit in computation. No new change would be required when new options are added. Just change OPT_LAST constant. 6f7812d Fix spurious AD flags in some DNS replies from local config. cbb5b17 Fix logging in cf5984367bc6a949e3803a576512c5a7bc48ebab cf59843 Don't forward *.bind/*.server queries upstream ee87504 Remove ability to compile without IPv6 support. a220545 Ensure that AD bit is reset on answers from --address=/<domain>/<address>. a799ca0 Impove cache behaviour for TCP connections. Along with an additional patch to fix compilation without DHCPv6, sent upstream. I've been running this for aaaages without obvious issue hence brave step of opening to wider openwrt community. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* Revert "dnsmasq: follow upstream dnsmasq pre-v2.81"Kevin Darbyshire-Bryant2018-12-1013-4523/+3
| | | | | | | | | | | | | This reverts commit a6a8fe0be5cd2edb1560bfc3f3094c3d34f2d2b0. buildbot found an error option.c: In function 'dhcp_context_free': option.c:1042:15: error: 'struct dhcp_context' has no member named 'template_interface' free(ctx->template_interface); revert for the moment Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: follow upstream dnsmasq pre-v2.81Kevin Darbyshire-Bryant2018-12-1013-3/+4523
| | | | | | | | | | | | | | | | | | | | | | | | | Backport upstream commits. Most interesting 122392e which changes how SERVFAIL is handled especially in event of genuine server down/failure scenarios with multiple servers. a799ca0 also interesting in that answered received via TCP are now cached, DNSSEC typically using TCP meant until now answers weren't cached, hence reducing performance. 59e4703 Free config file values on parsing errors. 48d12f1 Remove the NO_FORK compile-time option, and support for uclinux. 122392e Revert 68f6312d4bae30b78daafcd6f51dc441b8685b1e 3a5a84c Fix Makefile lines generating UBUS linker config. 24b8760 Do not rely on dead code elimination, use array instead. Make options bits derived from size and count. Use size of option bits and last supported bit in computation. No new change would be required when new options are added. Just change OPT_LAST constant. 6f7812d Fix spurious AD flags in some DNS replies from local config. cbb5b17 Fix logging in cf5984367bc6a949e3803a576512c5a7bc48ebab cf59843 Don't forward *.bind/*.server queries upstream ee87504 Remove ability to compile without IPv6 support. a220545 Ensure that AD bit is reset on answers from --address=/<domain>/<address>. a799ca0 Impove cache behaviour for TCP connections. I've been running this for aaaages without obvious issue hence brave step of opening to wider openwrt community. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: drop dnssec timestamp file patchKevin Darbyshire-Bryant2018-12-102-48/+1
| | | | | | | | | | | | Openwrt no longer uses and has not used since 5acfe55d71 Jun 2016 the timestamp file (/etc/dnsmasq.time) method of resolving the dnssec/ntp dnslookup chicken/egg problem, having used signals from ntp since that change. Drop the 'dnssec-improve-timestamp-heuristic' patch since it is neither used nor sent upstream. One less thing to refresh & maintain. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* firewall: update to latest git HEADHans Dedecker2018-12-091-3/+3
| | | | | | 14589c8 redirects: properly handle src_dport in SNAT rules Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iptables: fix ebtables vlan compile issue (FS#1990)Ansuel Smith2018-12-082-1/+42
| | | | | | | Backport an upstream patch which fixes an userspace/kernel headers collison Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
* iptables: bump to 1.8.2Ansuel Smith2018-12-089-116/+204
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Drop 030-extensions-libxt_bpf-Fix-build-with-old-kernel-versi.patch as pushed upstream Added patches : 001-extensions_format-security_fixes_in_libip.patch 002-include_fix_build_with_kernel_headers_before_4_2.patch 101-remove-register-check.patch The first and the second patch are upsteam fixes for compilation errors. The third patch remove check if one target lib is already registred; this is caused by shared libs that are loaded before the iptables execution. Iptables changelog: bba6bc6 (tag: v1.8.2) configure: bump versions for 1.8.2 release 61d6c38 xtables: add 'printf' attribute to xlate_add 5edb249 libxtables: xlate: init buffer to zero 9afd2a6 tests: shell: fix expected arptables-save output 6387941 arptables: fix --version info d703c1f arptables: ignore --table argument. d5754e3 arptables: make uni/multicast mac masks static 1b63e66 arptables: add test cases 5aecb2d arptables: pre-init hlen and ethertype 9677ed1 arptables: fix src/dst mac handling ab0b6d5 arptables: fix target ip offset c0c75ce arptables: fix -s/-d handling for negation and mask 3ac65af arptables: add basic test infra for arptables-nft e31564f arptables: fix rule deletion/compare 2345ff6 arptables: remove code that is also commented-out in original arptables 50c2397 arptables-save: add -c option, like xtables-save d9a518e arptables: use ->save for arptables-save, like xtables 5a52e6a extensions: test protocol and interface negation 85d7df9 xtables: Fix error return code in nft_chain_user_rename() 3ccb443 xtables: Clarify error message when deleting by index 95db364 xtables: Fix typo in do_command() error message 5f508b7 ebtables: use extrapositioned negation consistently 583b27e ebtables-save: add -c option, using xtables-style counters e6723ab nft: add NFT_TABLE_* enumeration 21ec111 nft: replace nft_chain_dump() by nft_chain_list_get() 05947c8 iptables-nft: fix -f fragment option 7bd9feb libxtables: add and use mac print helpers a10eb88 extensions: libebt_ip: fix tos negation 9b127b7 extensions: libebt_ip6: fix ip6-dport negation c59ba1b xtables-nft: make -Z option work 1bf4a13 nft: add missing error string a9f9377 iptables-tests: add % to run iptables commands b81c8da iptables-tests: do not append xtables-multi to external commands edf2b7c ebtables-nft: add arpreply target 2d1372e ebtables: add redirect test case c3e8dbd ebtables: add test cases cd90cef ebtables: relax -t table restriction, add snat/dnat test cases fd95f1f ebtables: fix -j CONTINUE handling for add/delete fb747f8 tests: add basic ebtables test support d4bc5a3 iptables-nft: fix bogus handling of zero saddr/daddr 9ff9915 iptables-test: fix netns test 8c918db xtables: Fix for matching rules with wildcard interfaces b2fc2a3 extensions: limit: unbreak build without libnftnl 682f39a xtables: Fix for spurious errors from iptables-translate 90f7dc3 (tag: v1.8.1) configure: bump versions for 1.8.1 release 0123183 iptables-test: add -N option to exercise netns removal path abae556 libxtables: expose new etherdb lookup function through libxtables API c2d9ed9 libxtables: prefix exported new functions for etherdb lookups 5a44360 Revert "extensions: libxt_quota: Allow setting the remaining quota" 2673faf xtables: Remove target_maxnamelen field 8ca3436 extensions: cgroup: fix option parsing for v2 0a8f2bc extensions: libxt_quota: Allow setting the remaining quota b373a91 nft-shared: Use xtables_calloc() 5a40961 arptables: Use the shared nft_ipv46_parse_target() 9f07503 Combine parse_target() and command_jump() implementations 7373297 Combine command_match() implementations a76ba54 libiptc: NULL-terminate errorname a3716cc libxtables: Check extension real_name length 0195b64 iptables: Gitignore xtables-{legacy, nft}-multi scripts 671e40a xtables: Drop pointless check 7c9a152 arptables: Fix incorrect strcmp() in nft_arp_rule_find() 11e91a4 xtables: Don't read garbage in nft_ipv4_parse_payload() d95c1e8 libxtables: Use posix_spawn() instead of vfork() 7e50eba Fix a few cases of pointless assignments f40ce2d extensions: libebt_ip{, 6}: Drop pointless error checking 47fb86c nft-arp: Drop ineffective conditional 80aae9b iptables: Use print_ifaces() from xtables 8da04ff Share print_ipv{4,6}_addr() from xtables b686594 iptables-apply: Replace signal numbers by names f175dee iptables-apply: Quote strings passed to echo 52aa150 nfnl_osf: Replace deprecated nfnl_talk() by nfnl_query() 61ebf3f libxtables: Don't read garbage in xtables_strtoui() ab639f2 libxtables: Avoid calling memcpy() with NULL source 22ef371 libiptc: Simplify alloc_handle() function signature 6b7145f libxt_time: Drop initialization of variable 'year' 749d3c2 libxt_ipvs: Avoid potential buffer overrun 8e798e0 libxt_conntrack: Avoid potential buffer overrun 74eb239 libxt_conntrack: Version 0 does not support XT_CONNTRACK_DIRECTION d0c1f1b libxt_LED: Avoid string overrun while parsing led-trigger-id 23ef6f0 xtables: Remove unused variable in nft_is_table_compatible() 4e499d5 ip{, 6}tables-restore: Fix for uninitialized array 'curtable' 1788f54 Mark fall through cases in switch() statements 31f1434 libxtables: Integrate getethertype.c from xtables core 7ae4fb1 xtables: Fix for wrong assert() in __nft_table_flush() 8c786a3 nfnl_osf: Drop pointless check in xt_osf_strchr() 6fc7762 libxt_string: Fix array out of bounds check 2a68be1 xtables-save: Ignore uninteresting tables f9efc8c extensions: add cgroup revision 2 9b8cb16 extensions: REJECT: Merge reject tables 56d7ab4 libxt_string: Avoid potential array out of bounds access bfd41c8 ebtables: Fix for potential array boundary overstep e6f9867 libiptc: Avoid side-effect in memset() calls 4144571 libxtables: Fix potential array overrun in xtables_option_parse() 9242b5d xtables: Accept --wait in iptables-nft-restore c9f4f04 xtables: Don't check all rules for being compatible 15606f2 doc: Improve layout of u32 instructions 7345037 xtables-restore: Fix flushing referenced custom chains 7df11d1 xtables: Drop use of IP6T_F_PROTO b6a06c1 xtables: Align return codes with legacy iptables 3bb497c xtables: Fix for deleting rules with comment 0800d9b ip6tables-translate: Fix libip6t_mh.txlate test 4cf650c ebtables-translate: Fix for libebt_limit.txlate 783e9c2 xtables: Add missing deinitialization 9771d06 ebtables: Review match/target lookup once more 85ed1ab extensions: libebt_mark: Drop mark_supplied check 6a46ca0 xtables: Add a few missing exit calls acde6be ebtables-translate: Fix segfault while parsing extension options 2c4e4d2 ebtables: trivial: Leverage C99-style initializers a bit more 9f5b28a xlate-test: Fix for calling wrong command name 1a878a7 extensions: AUDIT: Provide translation 5ee03e6 xtables: Use meta l4proto for -p match 37b68b2 xtables: Fix for segfault when registering hashlimit extension 92f7b04 xtables: Fix for segfault in iptables-nft 294f9ef ebtables: Fix entries count in chain listing 6f29aa8 xtables: Make 'iptables -S nonexisting' return non-zero 7bccf30 ebtables: Fix for listing of non-existent chains 3d9a13d xtables: Fix for no output in iptables-nft -S a33c6fd arptables: Drop extensions/libxt_mangle.c 02b8097 ebtables: Merge libebt_limit.c into libxt_limit.c 5de8dcf xtables: Use native nftables limit expression 514de48 ebtables: Remove flags misinterpretations 528cbf9 xtables: Fix for wrong counter format in -S output 9ca32c4 xtables: Don't pass full invflags to add_compat() e055aeb xtables: Improve xtables-monitor first impression b925733 tests: Fix skipping for recent nft-only tests 277f374 xtables: Spelling fixes in xtables-monitor a9d9f64 xtables: Fix potential segfault in nft_rule_append() fbf0bf7 tests: Add ebtables-{save,restore} testcases f1d8508 tests: Add arptables-{save,restore} testcases 63c3dae xtables: Implement arptables-{save,restore} aa7fb04 ebtables: Review match/target lookup 3f123dc ebtables-restore: Use xtables_restore_parse() 295d5a8 xtables-restore: Make COMMIT support configurable 1679b2c xtables-restore: Improve user-defined chain detection 2ce9f65 xtables: Match verbose ip{,6}tables output with legacy cd79556 xtables: Reserve space for 'opt' column in ip6tables output 0357254 xtables: Print error when listing non-existent chains 206033e xtables: Fix for no output on first iptables-nft invocation a0698de xtables: Do not count rules as chain references d11b6b8 arptables: Fix jumps into user-defined chains 3f27955 arptables: Fix opcode printing in numeric output f988fe4 xtables: Fix symlinks/names for ebtables-{save, restore} 3319c61 ebtables: Support --init-table command 3ec8aac arptables: Print policy only for base chains 83bc189 arptables: Fix for trailing spaces in output aaed1b6 arptables: Fix memleaks in do_commandarp() d67d85d ebtables: Print non-standard target parameters 2e478e9 ebtables: Fix match_list insertion a192f03 ebtables: Fix for wrong program name in error messages a2ed880 xshared: Consolidate argv construction routines 1cc0918 xshared: Consolidate parse_counters() 78b9d43 Consolidate DEBUGP macros 14ad525 xtables: Fix program name in xtables_error() f7bbdb0 xtables: Use correct built-in chain count ae574b2 xtables: Fix compilation with NLDEBUG defined 82d278c xtables: Free chains in NFT_COMPAT_CHAIN_ADD jobs c2895ea xtables: Free chains in NFT_COMPAT_CHAIN_USER_DEL jobs 89d3443 xtables: Fix for nft_rule_flush() returning garbage c259447 xtables: Allocate rule cache just once ed30b93 nft: don't print rule counters unless verbose 31e4b59 iptables-restore: free the table lock when skipping a table f8e29a1 xtables: avoid bogus 'is incompatible' warning 6ea7579 nft: decode meta l4proto 922508e xtables: implement ebtables-{save,restore} 25ef908 xtables: introduce nft_init_eb() de8574a xtables: parameter to add_argv() may be const 6f60f22 xtables: pass format to nft_rule_save() f3b772c xtables: introduce save_chain callback fa1681f xtables: rename {print,save}_rule functions 444d581 xtables: get rid of nft_ipv{4,6}_save_counters() 34e1e23 xtables: eliminate nft_ipv{4,6}_rule_find() de782e8 xtables: merge nft_ipv{4,6}_parse_target() ae8eece xtables: get rid of nft_ipv{4,6}_print_header() 2687794 xtables: arp: make rule_to_cs callback private 1bf73c4 xtables: Use new callbacks in nft_rule_print_save() 1866625 xtables: introduce rule_to_cs/clear_cs callbacks 0589457 xtables: simplify struct nft_xt_ctx d9c6a5d xtables: merge {ip,arp}tables_command_state structs 87b5b9e iptables: replace memset by c99-style initializers 907da5c xtables: fix crash if nft_rule_list_get() fails 565a223 xtables: Support nft suffix for arptables and ebtables c468f01 tests: check iptables retval, not echo 47d1484 iptables: tests: add test for iptables-save and iptables-restore e4e0704 extensions: don't bother to build libebt/libarp extensions if nft backend was disabled 17c66a5 iptables: tests: shell: Add README 6c2118c (tag: v1.8.0) configure: bump version and libnftnl dependency 7b66fc2 man: clarify translate tools do not modify any state f7fec51 xtables-monitor: add --version option b470b8e xtables-legacy: fix argv0 name for ip6tables-legacy 2028e54 xtables: display legacy/nf_tables flavor in error messages, too fd8d7d7 ebtables-nft: add stp match f15639b tests: add script that mimics firewalld startup 27f7db2 tests: fix variable name to multi-binary 2a89ec5 tests: add a few simple tests for list/new/delete 37d9d5b ebtables-nft: make -L, -X CHAINNAME work 816bd1f ebtables-nft: remove exec_style b81708f ebtables-nft: don't crash on ebtables -X de02a75 doc: fix some spellos and the dash escape dcf4529 tests: add firewalld default ruleset from fedora 27 f23abd5 tests: add another ipv4 only ruleset ed9cfe1 tests: add initial save/restore test cases 9933dc5 tests: adapt test suite to run with legacy+nftables based binaries be70918 xtables: rename xt-multi binaries to -nft, -legacy d49ba50 xtables-restore: init table before processing policies 344c6eb doc: Fix spelling error in hashlimit section e063873 tests: make duplicate test work d26c538 xtables: add xtables-monitor db84371 xtables: translate nft meta trace set 1 to -j TRACE 20eac2a xtables: warn in case old-style (set/getsockopt) tables exist c9f5e18 xtables: add nf_tables vs. legacy postfix to version strings e5fed16 iptables8.in: Update coreteam names 672accf include: update kernel netfilter header files 856a875 xtables: silence two compiler warnings ae6e159 xtables: remove dead code inherited from ebtables 107b7eb configure: add -Wlogical-op warning to cflags bc7f49d ebtables-translate: remove --change-counters code 38b4166 iptables: tests: shell: add shell test-suite 1e6427a xtables-compat: skip invalid tables cb368b6 xtables: more error printing fixes b1b828f xtables: homogenize error message 4caa559 xtables: initialize basechains for rule flush command too 9b89622 xtables: rework rule cache logic 01e25e2 xtables: add chain cache 8d190e9 xtables: initialize basechains only once on ruleset restore 0a86351 xtables-compat: ignore '+' interface name 125d1ce xtables-compat: append all errors into single line 437746c xtables: extended error reporting d1c79cd xtables: allocate struct xt_comment_info for comments 4e20209 xtables: use libnftnl batch API 49709e2 xtables-compat: remove nft_is_ruleset_compatible 03e1377 xtables: allow dumping of chains in specific table 94fd83d xtables: inconsistent error reporting for -X and no empty chain c4f1622 ebtables-compat: add arp match extension 24ce746 ebtables-compat: add redirect match extension 84c04e3 ebtables-compat: add nat match extensions 14ec998 xtables-compat: ebtables: prefer snprintf to strncpy 5e2b473 xtables-compat: extend generic tests for masks and wildcards 1a696c9 libxtables: store all requested match types bb436ce xtables-compat: ip6table-save: fix save of ip6 address masks 6454d7d ebtables-translate: suppress redundant protocols 07f4ca9 xtables-compat: ebtables: allow checking for zero-mac 0ca2d2a xtables-compat: ebtables: add helpers to print interface and mac addresses 3d9f300 xtables-compat: ebtables: remove interface masks from ebt_entry struct 20e2758 xtables-compat: ebtables: fix logical interface negation 2682bb0 xtables-compat: ebtables: add and use helper to parse all interface names 564862d xtables-compat: ebtables: split match/target print from nft_bridge_print_firewall 0ae81d0 xtables-compat: ebtables: kill ebtables_command_state 651cfee xtables-compat: pass correct table skeleton 652b98e xtables-compat: fix wildcard detection 49f4993 extensions: libip6t_srh.t: Add test cases for psid, nsid, and lsid 429143b extensions: libxt_CONNMARK: incorrect translation after v2 db7b4e0 extensions: libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark 155e1c0 extensions: libip6t_srh: support matching previous, next and last SID f4ffda1 extensions: libipt_DNAT: tests added for shifted portmap range 6a9ffb1 xtables-compat-restore: flush table and its content with no -n 07ae37c xtables-compat: fix bogus error with -X and no user-defined chains df3d92b xtables-compat-restore: flush user-defined chains with -n ca16584 xtables-compat-restore: flush rules and delete user-defined chains ac1e85a extensions: libipt_DNAT: use size of nf_nat_range2 for rev2 e25d99a xtables-compat: pass larger socket buffer 838746e xtables-compat: xtables-save: don't return 1 2211679 xtables-compat: ebtables: support concurrent option a77a7d8 iptables-test: fix bug with rateest de87405 xtables-compat: fix ipv4 frag (-f) c7b2fd6 xtables-compat: also check tg2->userspacesize 5685938 xtables-compat: avoid unneeded bitwise ops b9d7b49 xtables-compat: restore: sync options with iptables-restore c0ef861 extensions: add xlate test for ipables -f d79a7f1 xtables-compat: output -s,d first during save, just like iptables d1eb4d5 iptables-compat: chains are purge out already from table flush 09f0d47 iptables-compat: do not fail on restore if user chain exists 8798eb8 iptables-compat: remove non-batching routines b633ef9 xtables.conf: fix hook skeletons 7af2178 xtables-compat: fall back to comment match in case name is too long e9aeecf xlate-test: use locally installed xlate tools 0ab58e3 xtables-compat: ebtables: handle mac masks properly 734ad40 xtables-compat: nft-arp: fix warning wrt. sprintf-out-of-bounds fb7ae9f xtables-compat: truncate comments to 254 bytes 36976c4 extensions: libipt_DNAT: support shifted portmap ranges d7ac61b iptables-test: add nft switch and test binaries from git 992e17d xtables-compat: only fetch revisions for ip/ip6 12a52ff xtables: Fix rules print/save after iptables update 1197c5e xtables: Register all match/target revisions supported by us and kernel e3bb24c xtables: Check match/target size vs XT_ALIGN(size) at register time 3b2530c xtables: Do not register matches/targets with incompatible revision d3f1437 xtables: Introduce and use common function to print val[/mask] arguments 29b1d97 xtables: Introduce and use common function to parse val[/mask] arguments 56aadc0 extensions: Initialize linear mapping of symbols in _init() of extension 79c2da9 extensions: ULOG: remove test a0956ce ebtables-translate: turn off useless compat queries 9840869 nft: arptables: remove obsolete forward hook definition 7a37d14 iptables-compat: statify nft_restart() a3aac1d iptables-compat: handle netlink dump EINTR errors a567dc3 ebtables-compat: add 'vlan' match extension 7564bba ebtables-compat: add 'pkttype' match extension 4d40904 ebtables-translate: update table name on -t 5c8ce9c ebtables-compat: add 'ip6' match extension 8a85a14 libebt_ip: fix translations for tos and icmp b6f0bec libebt_ip: add icmp support f38ed1e xt-translate: quote interface names in translated output 71a6e37 icmp: split icmp type printing to header file e67c088 ebtables-translate: add initial test cases 207dd5e xt-compat: add ebtables-translate d988274 xlate-translate: split common parts into helper 1650806 xtables-eb: export 3 functions 6b2041c nft-bridge: add eb-translate backend functions 3063c37 nft-bridge: fix mac address printing 394a400 nft: fix crash when getprotobynumber() returns 0 6a1dbdf ebtables-compat: support intra-positioned negations 3e94f0a nft-bridge: add forward declaration for struct nftnl_rule 5024efe libebt_limit: print 'minute' and 'seconds', not 'min' and 'secs' ce3c780 nft: make nft_init self-contained cb151d5 xtables-translate: rm duplicate includes 69c089b xt-compat: constify a few struct members 03ecffe ebtables-compat: add initial translations 57af67d iptables: constify option struct 88231c4 ebtables-compat: load mark target 6b4e167 ebtables-compat: don't make failing extension load fatal 24110b5 libxt_comment: silence truncation warning 98fc8ce xtables-compat: only validate the xtables builtin tables 9d9b724 xtables-compat: skip unsupported tables 59d15cf xtables-compat: also validate priorities and hook points match expected values eb35854 xtables-compat: fix snprintf truncation warnings fc04c8a extensions: CLUSTERIP: do not allow --local-node 0 eb2c052 extensions: CLUSTERIP: add tests ca3c397 iptables: add xtables-translate.8 manpage 5beb158 extensions: libxt_bpf: Fix build with old kernel versions 147a891 extenstions: ecn: add tcp ecn/cwr translation ed928a8 extensions: add tests for comp match options 632ace7 xtables-compat-multi.c: Allow symlink of ebtables d7ccc68 iptables: add xtables-compat.8 manpage 043da5b extensions: connmark: remove non-working translation a93b502 extensions: prefer plain 'set' over 'set mark and' 577b7e2 xtables-compat-restore: use correct hook priorities Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
* comgt: Fix 3g.sh permissionsRosen Penev2018-12-061-2/+2
| | | | | | 3g.sh needs to be executable. 600 is not correct for that. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* openvpn: add list element parsingFlorian Eckert2018-12-033-3/+20
| | | | | | | | | | | | | For the parameters tls-cipher and ncp-ciphers more than one option can be used in the OpenVPN configuration, separated by a colon, which should be implemented as a list in order to configure it more clearly. By adding the new OPENVPN_LIST option to the openvpn.options file with the tls-cipher and ncp-cipher parameters, uci can now add this option as a "list" and the init script will generate the appropriate OpenVPN configuration from it. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* odhcpd: update to latest git HEADHans Dedecker2018-11-291-4/+4
| | | | | | | d404c7e netlink: fix triggering of NETEV_ADDR6LIST_CHANGE event ae6cf80 config: correctly break string for prefix filter Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* openvpn: update to 2.4.6Jo-Philipp Wich2018-11-285-37/+8
| | | | | | | | | | | | Update the OpenVPN package to version 2.4.6, refresh patches and drop menuconfig options which are not supported upstream anymore. Also fix the x509-alt-username configure flag - it is not supported by mbedtls and was syntactically wrong in the Makefile - and the port-share option which has been present in menuconfig but not been used in the Makefile. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* uhttpd: update to latest Git headJo-Philipp Wich2018-11-281-3/+3
| | | | | | | | | | cdfc902 cgi: escape url in 403 error output 0bba1ce uhttpd: fix building without TLS and Lua support 2ed3341 help: document -A option fa5fd45 file: fix CPP syntax error 77b774b build: avoid redefining _DEFAULT_SOURCE Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* netifd: update to latest git HEADHans Dedecker2018-11-261-4/+4
| | | | | | | | | dfa4ede interface: fix return code of __interface_add() a82a8f6 netifd: fix resource leak on error in netifd_add_dynamic() fa2403d config: fix resource leaks on error in config_parse_interface() 85de9de interface: fix memory leak on error in __interface_add() Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wireguard: bump to 0.0.20181119Jason A. Donenfeld2018-11-191-2/+2
| | | | | | | | | | | | | | | | | | | * chacha20,poly1305: fix up for win64 * poly1305: only export neon symbols when in use * poly1305: cleanup leftover debugging changes * crypto: resolve target prefix on buggy kernels * chacha20,poly1305: don't do compiler testing in generator and remove xor helper * crypto: better path resolution and more specific generated .S * poly1305: make frame pointers for auxiliary calls * chacha20,poly1305: do not use xlate This should fix up the various build errors, warnings, and insertion errors introduced by the previous snapshot, where we added some significant refactoring. In short, we're trying to port to using Andy Polyakov's original perlasm files, and this means quite a lot of work to re-do that had stableized in our old .S. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* netifd: update to latest git HEADHans Dedecker2018-11-191-3/+3
| | | | | | | | | 4b83102 treewide: switch to C-code style comments 70506bf treewide: make some functions static d9872db interface: fix removal of dynamic interfaces 2f7ef7d interface: rework code to get rid of interface_set_dynamic Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wireguard: bump to 0.0.20181115Jason A. Donenfeld2018-11-161-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Zinc no longer ships generated assembly code. Rather, we now bundle in the original perlasm generator for it. The primary purpose of this snapshot is to get testing of this. * Clarify the peer removal logic and make lifetimes more precise. * Use READ_ONCE for is_valid and is_dead. * No need to use atomic when the recounter is mutex protected. * Fix up macros and annotations in allowedips. * Increment drop counter when staged packets are dropped. * Use static constants instead of enums for 64-bit values in selftest. * Mark large constants as ULL in poly1305-donna64. * Fix sparse warnings in allowedips debugging code. * Do not use wg_peer_get_maybe_zero in timer callbacks, since we now can carefully control the lifetime of these functions and ensure they never execute after dropping the last reference. * Cleanup hashing in ratelimiter. * Do not guard timer removals, since del_timer is always okay. * We now check for PM_AUTOSLEEP, which makes the clear*on-suspend decision a bit more general. * Set csum_level to ~0, since the poly1305 authenticator certainly means that no data was modified in transit. * Use CHECKSUM_PARTIAL check for skb_checksum_help instead of skb_checksum_setup check. * wg.8: specify that wg(8) shows runtime info too * wg.8: AllowedIPs isn't actually required * keygen-html: add missing glue macro * wg-quick: android: do not choke on empty allowed-ips Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* hostapd: add utf8_ssid flag & enable as defaultKevin Darbyshire-Bryant2018-11-142-3/+5
| | | | | | | | | | | | | SSIDs may contain UTF8 characters but ideally hostapd should be told this is the case so it can advertise the fact. Default enable this option. add uci option utf8_ssid '0'/'1' for disable/enable e.g. config wifi-iface option utf8_ssid '0' Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* Revert "iptables: fix dependency for libip6tc on IPV6"Petr Štetiar2018-11-101-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch reverts commit 2dc1f54b1205094e7c6036cae6275d2c326bad3e as it breaks the build for me on x86-64 if I've IPV6 support disabled. Same config builds fine on `openwrt-18.06` branch at 55d078b2. $ grep IPV6 .config # CONFIG_KERNEL_IPV6 is not set # CONFIG_IPV6 is not set Build errors out on: Package libiptc is missing dependencies for the following libraries: libip6tc.so.0 Looking at iptables-1.6.2/libiptc/Makefile.am: libiptc_la_LIBADD = libip4tc.la libip6tc.la and to iptables-1.6.2/libiptc/libiptc.pc.in: Requires: libip4tc libip6tc It seems that libiptc needs v4/v6 libs, so v6 isn't optional. Cc: Rosy Song <rosysong@rosinson.com> Signed-off-by: Petr Štetiar <ynezz@true.cz>
* ethtool: update to 4.19Hans Dedecker2018-11-101-2/+2
| | | | | | | | | 8a1ad80 Release version 4.19. ecdf295 ethtool: Fix uninitialized variable use at qsfp dump 98c148e ethtool: better syntax for combinations of FEC modes d4b9f3f ethtool: support combinations of FEC modes Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iproute2: update to 4.19.0Hans Dedecker2018-11-085-1671/+9
| | | | | | | | Update to the latest version of iproute2; see https://lwn.net/Articles/769354/ for a full overview of the changes in 4.19. Remove 190-add-cake-to-tc patch as CAKE qdisc is now supported in 4.19.0 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iperf: allow non-ipv6 buildsAlexander Couzens2018-11-032-1/+27
| | | | | | | | Add configure argument --disable-ipv6 when ipv6 is deselected. Add fix-non-ipv6-builds.patch as long there is no new upstream release. Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* curl: noop commit to refer CVEs fixed in 7.62.0Hans Dedecker2018-11-021-1/+0
| | | | | | | | | | | | | When bumping Curl to 7.62.0 in commit 278e4eba09 I did not include the fixed CVEs in the commit message; this commit fixes this. The following CVEs were fixed in 7.62.0 : CVE-2018-16839 CVE-2018-16840 CVE-2018-16842 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* curl: bump to 7.62.0Hans Dedecker2018-10-312-3/+3
| | | | | | Refresh patches, for changes in version 7.62.0 see https://curl.haxx.se/changes.html#7_62_0 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: tighten config file permissionsKevin Darbyshire-Bryant2018-10-301-6/+6
| | | | | | | | | | | | | | | | | | Install following as config files (600) perms instead of as data (644) /usr/share/dnsmasq/dhcpbogushostname.conf /usr/share/dnsmasq/trust-anchors.conf /usr/share/dnsmasq/rfc6761.conf /etc/hotplug.d/ntp/25-dnsmasqsec /etc/config/dhcp /etc/dnsmasq.conf dnsmasq reads relevant config files before dropping root privilege and running as dnsmasq:dnsmasq ntpd runs as root so the hotplug script is still accessible Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to v2.80Kevin Darbyshire-Bryant2018-10-191-4/+4
| | | | | | | | | | dnsmasq v2.80 release Change from rc1: 91421cb Fix compiler warning. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* iproute2: install ip-tiny and ip-full in /usr/libexecHans Dedecker2018-10-181-7/+7
| | | | | | | Install the ip-tiny and ip-full variants in /usr/libexec as the suffixed ip variants are not meant to be called directly Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wireguard: bump to 0.0.20181018Jason A. Donenfeld2018-10-181-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | ba2ab5d version: bump snapshot 5f59c76 tools: wg-quick: wait for interface to disappear on freebsd ac7e7a3 tools: don't fail if a netlink interface dump is inconsistent 8432585 main: get rid of unloaded debug message 139e57c tools: compile on gnu99 d65817c tools: use libc's endianness macro if no compiler macro f985de2 global: give if statements brackets and other cleanups b3a5d8a main: change module description 296d505 device: use textual error labels always 8bde328 allowedips: swap endianness early on a650d49 timers: avoid using control statements in macro db4dd93 allowedips: remove control statement from macro by rewriting 780a597 global: more nits 06b1236 global: rename struct wireguard_ to struct wg_ 205dd46 netlink: do not stuff index into nla type 2c6b57b qemu: kill after 20 minutes 6f2953d compat: look in Kbuild and Makefile since they differ based on arch a93d7e4 create-patch: blacklist instead of whitelist 8d53657 global: prefix functions used in callbacks with wg_ 123f85c compat: don't output for grep errors Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* netifd: update to latest git HEADHans Dedecker2018-10-171-3/+3
| | | | | | | 841b5d1 system-linux: enable by default ignore encaplimit for grev6 tunnels 125cbee system-linux: fix a typo in gre tunnel data parsing logic Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* gre: make encaplimit support configurableHans Dedecker2018-10-172-2/+4
| | | | | | | | | | | Make inclusion of the destination option header containing the tunnel encapsulation limit configurable for IPv6 GRE packets. Setting the uci parameter encaplimit to ignore; allows to disable the insertion of the destination option header in the IPv6 GRE packets. Otherwise the tunnel encapsulation limit value can be set to a value from 0 till 255 by setting the encaplimit uci parameter accordingly. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: add basic variantKevin Darbyshire-Bryant2018-10-164-0/+1016
| | | | | | | | Add a basic variant which provides WPA-PSK only, 802.11r and 802.11w and is intended to support 11r & 11w (subject to driver support) out of the box. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* ppp: don't start ppp with IPv6 support if ipv6 is not supportedRosy Song2018-10-162-5/+8
| | | | | Signed-off-by: Rosy Song <rosysong@rosinson.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: fix MAC filter related log spamJo-Philipp Wich2018-10-164-11/+78
| | | | | | | | Backport two upstream fixes to address overly verbose logging of MAC ACL rejection messages. Fixes: FS#1468 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* dnsmasq: fix dnsmasq failure to start when ujail'dChristian Lamparter2018-10-162-2/+2
| | | | | | | | | | | | | | This patch fixes jailed dnsmasq running into the following issue: |dnsmasq[1]: cannot read /usr/share/dnsmasq/dhcpbogushostname.conf: No such file or directory |dnsmasq[1]: FAILED to start up |procd: Instance dnsmasq::cfg01411c s in a crash loop 6 crashes, 0 seconds since last crash Fixes: a45f4f50e16 ("dnsmasq: add dhcp-ignore-names support - CERT VU#598349") Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [bump package release] Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to v2.80rc1Kevin Darbyshire-Bryant2018-10-162-32/+4
| | | | | | | | | | | | 53792c9 fix typo df07182 Update German translation. Remove local patch 001-fix-typo which is a backport of the above 53792c9 There is no practical difference between our test8 release and this rc release, but this does at least say 'release candidate' Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: fix compile issueHans Dedecker2018-10-151-0/+28
| | | | | | Fix compile issue in case HAVE_BROKEN_RTC is enabled Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: Add WPA-EAP-SUITE-B-192 (WPA3-Enterprise)Hauke Mehrtens2018-10-143-5/+18
| | | | | | | | | | | | This adds support for the WPA3-Enterprise mode authentication. The settings for the WPA3-Enterpriese mode are defined in WPA3_Specification_v1.0.pdf. This mode also requires ieee80211w and guarantees at least 192 bit of security. This does not increase the ipkg size by a significant size. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: Activate Opportunistic Wireless Encryption (OWE)Hauke Mehrtens2018-10-143-4/+21
| | | | | | | | | | | | | | | | | | OWE is defined in RFC 8110 and provides encryption and forward security for open networks. This is based on the requirements in the Wifi alliance document Opportunistic_Wireless_Encryption_Specification_v1.0_0.pdf The wifi alliance requires ieee80211w for the OWE mode. This also makes it possible to configure the OWE transission mode which allows it operate an open and an OWE BSSID in parallel and the client should only show one network. This increases the ipkg size by 5.800 Bytes. Old: 402.541 Bytes New: 408.341 Bytes Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: Activate Simultaneous Authentication of Equals (SAE)Hauke Mehrtens2018-10-143-9/+42
| | | | | | | | | | | | | | | | | | | | This build the full openssl and wolfssl versions with SAE support which is the main part of WPA3 PSK. This needs elliptic curve cryptography which is only provided by these two external cryptographic libraries and not by the internal implementation. The WPA3_Specification_v1.0.pdf file says that in SAE only mode Protected Management Frames (PMF) is required, in mixed mode with WPA2-PSK PMF should be required for clients using SAE, and optional for clients using WPA2-PSK. The defaults are set now accordingly. This increases the ipkg size by 8.515 Bytes. Old: 394.026 Bytes New: 402.541 Bytes Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>