aboutsummaryrefslogtreecommitdiffstats
path: root/package/network
Commit message (Collapse)AuthorAgeFilesLines
* hostapd: bump PKG_RELEASE after 802.11w changesJo-Philipp Wich2018-01-071-1/+1
| | | | | Fixes: 8a57531855 "hostapd: set group_mgmt_cipher when ieee80211w is enabled" Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: set group_mgmt_cipher when ieee80211w is enabledJo-Philipp Wich2018-01-071-1/+3
| | | | | | | | | | | | In order to properly support 802.11w, hostapd needs to advertise a group management cipher when negotiating associations. Introduce a new per-wifi-iface option "ieee80211w_mgmt_cipher" which defaults to the standard AES-128-CMAC cipher and always emit a "group_mgmt_cipher" setting in native hostapd config when 802.11w is enabled. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* netifd: update to latest git HEADHans Dedecker2018-01-041-3/+3
| | | | | | fd5c399 proto: allow dumping protocol handlers without config_params Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* umdns: update to latest git HEADJohn Crispin2018-01-021-3/+3
| | | | | | 7897441 umdnsd: Replace strerror(errno) with %m. Signed-off-by: John Crispin <john@phrozen.org>
* nftables: fix sha256sumHauke Mehrtens2017-12-311-1/+1
| | | | | | The mirror was delivering a file with a different hash. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* iptables: fix nftables compile issue (FS#711)rektide de la faye2017-12-291-0/+20
| | | | | | | | | | | | | | | | Enabling IPTABLES_NFTABLES resulted in an error during build:# *** No rule to make target '../extensions/libext.a', needed by 'xtables-compat-multi'." Comments from Alexander Lochmann and Fedor Konstantinov in FS#711 provided fixes for this build error, allowing iptables to compile. https://bugs.lede-project.org/index.php?do=details&task_id=711. This commit updates the Makefile.am xtables_compat_multi_LDFLAGS and _LDADD, moving linking of extensions to LDFLAGS. Signed-off-by: rektide de la faye <rektide@voodoowarez.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: send procd signal on service reloadFlorian Eckert2017-12-262-2/+2
| | | | | | | Send a SIGHUP signal via procd to the dnsmasq service so the instance(s) re-read(s) the /tmp/hosts/dhcp config. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* dnsmasq: rewrite config on host name modificationFlorian Eckert2017-12-261-1/+1
| | | | | | | If the hostname in /etc/config/system is modified the dnsmasq should also get triggered to rewrite/reload the config. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* wireguard: bump to 20171221Kevin Darbyshire-Bryant2017-12-231-2/+2
| | | | | | | | | | | | | | | | 7e945a8 version: bump snapshot f2168aa compat: kernels < 3.13 modified genl_ops 52004fd crypto: compile on UML 6b69b65 wg-quick: dumber matching for default routes aa35d9d wg-quick: add the "Table" config option 037c389 keygen-html: remove prebuilt file No patch refresh required. Compile-test-for: ar71xx Run-tested-on: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* odhcpd: update to latest git HEADHans Dedecker2017-12-221-4/+4
| | | | | | | 7aa2594 odhcpd: Replace strerror(errno) with %m format 750e457 Support muliple RAs on single interface Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* layerscape: fix package downloadHauke Mehrtens2017-12-211-2/+2
| | | | | | | | | | | | | | | | The git hash was changed for multiple layerscape packages without changing the version number. The LEDE build system will not download the packages again if the old version is already there and so some people and the build bots are using wrong version of some packages. Use PKG_SOURCE_DATE instead of PKG_VERSION to generate packages with the date and the first charterers of the git hash. This will change the file name and make the build system download them again, also if in future the git hash is changed the file name will change and trigger a new download. This should fix a problem spotted by build bot. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* xtables-addons: fix compile with kernel 4.14Hauke Mehrtens2017-12-161-0/+9
| | | | | | This fixes a compile problems seen with kernel 4.14. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* xtables-addons: update to version 2.14Hauke Mehrtens2017-12-161-2/+2
| | | | | | This includes a compile fix needed for kernel 4.14. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* iproute2: cake: support new operating modesKevin Darbyshire-Bryant2017-12-152-50/+129
| | | | | | | | | | | | | | | | | | | | There has been recent significant activity with the cake qdisc of late Some of that effort is related to upstreaming to kernel & iproute2 mainline but we're not quite there yet. This commit teaches tc how to activate and interprete the latest cake operating modes, namely: ingress mode: Instead of only counting packets that make it past the shaper, include packets we've decided to drop as well, since they did arrive with us on the link and took link capacity. This mode is more suitable for shaping the ingress of a link (e.g. from ISP) rather than the more normal egress. ack-filter/ack-filter-aggressive: Filter excessive TCP ACKS. Useful in highly assymetric links (downstream v upstream capacity) where the majority of upstream link capacity is occupied with ACKS for downstream traffic. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* netifd: update to latest git HEADHans Dedecker2017-12-151-3/+3
| | | | | | | | 4268193 interface-ip: harden eui64 IPv6 prefix address generation 81ff6d1 interface-ip: fix race condition in IPv6 prefix address generation d3a5df0 handler: replace is_error() helper with NULL check Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* uhttpd: fix PKG_CONFIG_DEPENDS (FS#1189)Hans Dedecker2017-12-151-3/+1
| | | | | | | Remove PACKAGE_uhttpd_debug config as this is an unused leftover Add CONFIG_uhttpd_lua to PKG_CONFIG_DEPENDS Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wireguard: bump to 20171211Kevin Darbyshire-Bryant2017-12-122-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bump to latest WireGuard snapshot release: 44f8e4d version: bump snapshot bbe2f94 chacha20poly1305: wire up avx512vl for skylake-x 679e53a chacha20: avx512vl implementation 10b1232 poly1305: fix avx512f alignment bug 5fce163 chacha20poly1305: cleaner generic code 63a0031 blake2s-x86_64: fix spacing d2e13a8 global: add SPDX tags to all files d94f3dc chacha20-arm: fix with clang -fno-integrated-as. 3004f6b poly1305: update x86-64 kernel to AVX512F only d452d86 tools: no need to put this on the stack 0ff098f tools: remove undocumented unused syntax b1aa43c contrib: keygen-html for generating keys in the browser e35e45a kernel-tree: jury rig is the more common spelling 210845c netlink: rename symbol to avoid clashes fcf568e device: clear last handshake timer on ifdown d698467 compat: fix 3.10 backport 5342867 device: do not clear keys during sleep on Android 88624d4 curve25519: explictly depend on AS_AVX c45ed55 compat: support RAP in assembly 7f29cf9 curve25519: modularize dispatch Refresh patches. Compile-test-for: ar71xx Run-tested-on: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dropbear: disable MD5 HMAC and switch to sha1 fingerprintsMartin Schiller2017-12-122-3/+5
| | | | | | | | | | | | As MD5 is known weak for many years and more and more penetration test tools complain about enabled MD5 HMAC I think it's time to drop it. By disabling the MD5 HMAC support dropbear will also automatically use SHA1 for fingerprints. This shouldn't be a problem too. Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* dnsmasq: add DHCP build switch support in full variantHans Dedecker2017-12-101-5/+10
| | | | | | | | Add config option which allows to enable/disable DHCP support at compile time. Make DHCPv6 support dependant on DHCP support as DHCPv6 support implies having DHCP support. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: always send DHCPv4 hostnameMathias Kresin2017-12-081-0/+1
| | | | | | | | | | | udhcpc doesn't send a hostname by default. Use the system hostname if nothing else is specified, to always send a hostname. It syncs the behaviour to odhcpc, which always sends a hostname. Signed-off-by: Mathias Kresin <dev@kresin.me> Acked-by: Stijn Tintel <stijn@linux-ipv6.be> Acked-by: Hans Dedecker <dedeckeh@gmail.com>
* merge: uhttpd: update cert generation to match system defaultsZoltan HERPAI2017-12-081-1/+1
| | | | Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
* merge: packages: update branding in core packagesZoltan HERPAI2017-12-086-9/+9
| | | | Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
* merge: ssid: update default ssidZoltan HERPAI2017-12-081-2/+2
| | | | Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
* odhcpd: fix faulty PKG_SOURCE_DATE in 711a816Hans Dedecker2017-12-071-1/+1
| | | | Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: write atomic host fileHans Dedecker2017-12-072-4/+6
| | | | | | | | | | | Different invocations of the dnsmasq init script (e.g. at startup by procd) will rewrite the dhcp host file which might result into dnsmasq reading an empty dhcp host file as it is being rewritten by the dnsmasq init script. Let the dnsmasq init script first write to a temp dhcp host file so it does not overwrite the contents of the existing dhcp host file. Reported-by: Hartmut Birr <e9hack@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: backport fix for wnm_sleep_mode=0Timo Sigurdsson2017-12-072-1/+36
| | | | | | | | | | | | | wpa_disable_eapol_key_retries can't prevent attacks against the Wireless Network Management (WNM) Sleep Mode handshake. Currently, hostapd processes WNM Sleep Mode requests from clients regardless of the setting wnm_sleep_mode. Backport Jouni Malinen's upstream patch 114f2830 in order to ignore such requests by clients when wnm_sleep_mode is disabled (which is the default). Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de> [rewrite commit subject (<= 50 characters), bump PKG_RELEASE] Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* hostapd: Expose the tdls_prohibit option to UCITimo Sigurdsson2017-12-071-1/+6
| | | | | | | | | | | | | | | | wpa_disable_eapol_key_retries can't prevent attacks against the Tunneled Direct-Link Setup (TDLS) handshake. Jouni Malinen suggested that the existing hostapd option tdls_prohibit can be used to further complicate this possibility at the AP side. tdls_prohibit=1 makes hostapd advertise that use of TDLS is not allowed in the BSS. Note: If an attacker manages to lure both TDLS peers into a fake AP, hiding the tdls_prohibit advertisement from them, it might be possible to bypass this protection. Make this option configurable via UCI, but disabled by default. Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
* iproute2: align ip help text for tiny variantHans Dedecker2017-12-061-1/+18
| | | | | | | | Tiny variant supports a subset of the ip commands; align the ip help text so it actually reflects which commands are supported in the tiny variant. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iproute2: update to v4.14.1Russell Senior2017-12-0610-66/+64
| | | | | | | Preserves optionality of libmnl by letting configuration script follow the HAVE_MNL environment variable. Signed-off-by: Russell Senior <russell@personaltelco.net>
* odhcpd: update to latest git HEADHans Dedecker2017-12-061-4/+4
| | | | | | c516801 dhcpv4: notify DHCP ACK and RELEASE via ubus Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: backport infinite dns retries fixHans Dedecker2017-12-063-3/+48
| | | | | | | | | | If all configured dns servers return refused in response to a query in strict mode; dnsmasq will end up in an infinite loop retransmitting the dns query resulting into high CPU load. Problem is fixed by checking for the end of a dns server list iteration in strict mode. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* samba36: backport an upstream fix for an information leak (CVE-2017-15275)Felix Fietkau2017-12-042-1/+41
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* packages: dnsmasq: remove unused stamp fileRoman Yeryomin2017-12-022-5/+1
| | | | | Signed-off-by: Roman Yeryomin <roman@advem.lv> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* curl: bump to 7.57.0 (3 CVEs)Hans Dedecker2017-11-302-4/+4
| | | | | | | | | | CVE-2017-8816: NTLM buffer overflow via integer overflow CVE-2017-8817: FTP wildcard out of bounds read CVE-2017-8818: SSL out of buffer access For other bugfixes and changes in 7.57.0 see https://curl.haxx.se/changes.html Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: add interface to ubus notificationBorja Salazar2017-11-291-5/+7
| | | | Signed-off-by: Borja Salazar <borja.salazar@fon.com>
* dnsmasq: fix dhcp-host entries with empty macsJo-Philipp Wich2017-11-281-3/+1
| | | | | | | | | | | | | | Due to improper localization of helper variables, "config host" entries without a given mac address may inherit the mac address of a preceeding, leading to invalid generated netive configuration. Fix the issue by marking the "macs" and "tags" helper variables in dhcp_host_add() local, avoiding the need for explicitely resetting them with each invocation. Reported-by: Russell Senior <russell@personaltelco.net> Tested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* wireguard: bump to snapshot 20171127Kevin Darbyshire-Bryant2017-11-271-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | == Changes == * compat: support timespec64 on old kernels * compat: support AVX512BW+VL by lying * compat: fix typo and ranges * compat: support 4.15's netlink and barrier changes * poly1305-avx512: requires AVX512F+VL+BW Numerous compat fixes which should keep us supporting 3.10-4.15-rc1. * blake2s: AVX512F+VL implementation * blake2s: tweak avx512 code * blake2s: hmac space optimization Another terrific submission from Samuel Neves: we now have an implementation of Blake2s using AVX512, which is extremely fast. * allowedips: optimize * allowedips: simplify * chacha20: directly assign constant and initial state Small performance tweaks. * tools: fix removing preshared keys * qemu: use netfilter.org https site * qemu: take shared lock for untarring Small bug fixes. Remove myself from the maintainers list: we have enough and I'm happy to carry on doing package bumps on ad-hoc basis without the 'official' title. Run-tested: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* lldpd: bump to 0.9.9Stijn Tintel2017-11-271-2/+2
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* kmod-sched-cake: update to latest git HEADFushan Wen2017-11-251-18/+21
| | | | | | | | | | dfb2f6c pkt_sched: make compile again 5ab7026 sch_cake: make compile again 6f28803 codel5: make more checkpatch compliant bd426aa Fix build error on 4.12 e4a3628 Whitespace tidy up Signed-off-by: Fushan Wen <qydwhotmail@gmail.com>
* odhcpd: update to latest git HEADHans Dedecker2017-11-251-3/+3
| | | | | | 92e205d dhcpv6: fix compile issues when CER-ID extension is enabled Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* odhcpd: add a full and ipv6only variant (FS#1188)Hans Dedecker2017-11-251-27/+58
| | | | | | | | | Add an ipv6only variant providing server services for RA, stateful and stateless DHCPv6, prefix delegation and relay support for DHCPv6, NDP and RA. The full variant called odhcpd supports DHCPv4 server as before. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wireguard: bump to 20171122Kevin Darbyshire-Bryant2017-11-241-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bump to latest WireGuard snapshot release: ed479fa (tag: 0.0.20171122) version: bump snapshot efd9db0 chacha20poly1305: poly cleans up its own state 5700b61 poly1305-x86_64: unclobber %rbp 314c172 global: switch from timeval to timespec 9e4aa7a poly1305: import MIPS64 primitive from OpenSSL 7a5ce4e chacha20poly1305: import ARM primitives from OpenSSL abad6ee chacha20poly1305: import x86_64 primitives from OpenSSL 6507a03 chacha20poly1305: add more test vectors, some of which are weird 6f136a3 compat: new kernels have netlink fixes e4b3875 compat: stable finally backported fix cc07250 qemu: use unprefixed strip when not cross-compiling 64f1a6d tools: tighten up strtoul parsing c3a04fe device: uninitialize socket first in destruction 82e6e3b socket: only free socket after successful creation of new df318d1 compat: fix compilation with PaX d911cd9 curve25519-neon: compile in thumb mode d355e57 compat: 3.16.50 got proper rt6_get_cookie 666ee61 qemu: update kernel 2420e18 allowedips: do not write out of bounds 185c324 selftest: allowedips: randomized test mutex update 3f6ed7e wg-quick: document localhost exception and v6 rule Compile-tested-for: ar71xx Run-tested-on: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* odhcpd: fix gcc7 build errorHans Dedecker2017-11-211-3/+3
| | | | | | 0573422 ndp: add switch/case fallthrough comments Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: remove unused local var declarationLeon M. George2017-11-211-2/+0
| | | | Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: don't set htmode for wpa_supplicantLeon M. George2017-11-211-2/+0
| | | | | | no longer supported Signed-off-by: Leon M. George <leon@georgemail.eu>
* odhcpd: update to latest git HEAD (make dhcpv4 support optional)Hans Dedecker2017-11-201-12/+25
| | | | | | | | | fd80621 dhcpv4: make DHCPv4 support compiletime configurable cf29925 treewide: rework handling of netlink events 24cdc1b treewide: add netlink file 5dfb716 treewide: align function naming Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: load instance-specific conf-file if existsEmerson Pinter2017-11-192-8/+8
| | | | | | | Without this change, the instance-specific conf-file is being added to procd_add_jail_mount, but not used by dnsmasq. Signed-off-by: Emerson Pinter <dev@pinter.com.br>
* netifd: update to latest git HEADHans Dedecker2017-11-171-3/+3
| | | | | | c92106e interface-ip: add missing IPv6 policy rule Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* add PKG_CPE_ID ids to package and toolsAlexander Couzens2017-11-1713-0/+13
| | | | | | | | | | | CPE ids helps to tracks CVE in packages. https://cpe.mitre.org/specification/ Thanks to swalker for CPE to package mapping and keep tracking CVEs. Acked-by: Jo-Philipp Wich <jo@mein.io> Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* wireguard: bump to 0.0.20171111Kevin Darbyshire-Bryant2017-11-161-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | edaad55 (tag: 0.0.20171111) version: bump snapshot 7a989b3 tools: allow for NULL keys everywhere 46f8cbc curve25519: reject deriving from NULL private keys 9b43542 tools: remove ioctl cruft f6cea8e allowedips: rename from routingtable 23f553e wg-quick: allow for tabs in keys ab9befb netlink: make sure we reserve space for NLMSG_DONE 73405c0 compat: 4.4.0 has strange ECN function 868be0c wg-quick: stat the correct enclosing folder of config file ceb11ba qemu: bump kernel version 0a8e173 receive: hoist fpu outside of receive loop bee188a qemu: more debugging f1fdd8d device: wait for all peers to be freed before destroying 2188248 qemu: check for memory leaks c77a34e netlink: plug memory leak 0ac8efd device: please lockdep a51e196 global: revert checkpatch.pl changes 65c49d7 Kconfig: remove trailing whitespace Compile-tested-for: ar71xx Run-tested-on: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>