Commit graph

1758 commits

Author SHA1 Message Date
Daniel Engberg
87002c0646 package/network/utils/ipset: Update to 6.29
Updates to 6.29

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-10-15 11:36:50 +02:00
Hans Dedecker
1341b88732 odhcpd: Upstep to git HEAD version
Adds per-host leasetime support
Various bugfixes :
	-Prioritize ifname resolving via ubus
	-Free interface if ifindex cannot be resolved
	-...

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [update mirror sha256]
2016-10-13 17:05:21 +02:00
Felix Fietkau
db47363ff7 uqmi: re-enable autoconnect which was dropped without explanation
Fixes a regression in commit 8f24ee6382:
"uqmi: Add proper IPv6 support"

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-10-12 11:58:59 +02:00
Felix Fietkau
3b9b963e6e uqmi: always use DHCP for IPv4
Commit 8f24ee6382 ("uqmi: Add proper IPv6 support") changed the code
to fetch the IPv4 address via QMI by default instead of using DHCP to
make it consistent with the IPv6 codepath.
This breaks on at least some Sierra Wireless cards, where data exchanges
fail to work until the host has fetched a DHCP lease.
Leave v6 as it is, but always use DHCP for v4.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-10-12 11:58:57 +02:00
Felix Fietkau
175b59c59b uhttpd: update to the latest version, adds a small json handler fix
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-10-08 13:50:54 +02:00
Daniel Engberg
9edfe7dd13 source: Switch to xz for packages and tools where possible
* Change git packages to xz
* Update mirror checksums in packages where they are used
* Change a few source tarballs to xz if available upstream
* Remove unused lines in packages we're touching, requested by jow- and blogic
* We're relying more on xz-utils so add official mirror as primary source, master site as secondary.
* Add SHA256 checksums to multiple git tarball packages

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-10-06 12:16:56 +02:00
Hans Dedecker
34528c4807 dslite: Quote resolveip hostname argument
Quote resolveip hostname argument to avoid bad shell injections.
While at it fix pattern match logic in case multiple IPv6 addresses
are returned for a hostname as they're seperated by newline by
resolveip and not a white space

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-10-06 12:16:12 +02:00
Jo-Philipp Wich
eb75b6ac1f uhttpd: rename certificate defaults section
Now that the uhttpd init script can generate certificates using openssl as
well, update the section name and related comment to be more generic.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-10-06 11:29:24 +02:00
Felix Fietkau
73c87a3cad hostapd: make -mesh and -p2p variants depend on the cfg80211 symbol
Avoids build failures when the nl80211 driver is disabled

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-10-05 23:02:13 +02:00
Hannu Nyman
3c4858eeb2 uhttpd: support using OpenSSL for certificate generation
Support the usage of the OpenSSL command-line tool for generating
the SSL certificate for uhttpd. Traditionally 'px5g' based on
PolarSSL (or mbedTLS in LEDE), has been used for the creation.

uhttpd init script is enhanced by adding detection of an installed
openssl command-line binary (provided by 'openssl-util' package),
and if found, the tool is used for certificate generation.

Note: After this patch the script prefers to use the OpenSSL tool
if both it and px5g are installed.

This enables creating a truly OpenSSL-only version of LuCI
without dependency to PolarSSL/mbedTLS based px5g.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-10-05 00:48:19 +02:00
Hans Dedecker
a79f3d11b3 gre: Support fqdn as remote tunnel endpoint
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-10-04 11:50:51 +02:00
Kevin Darbyshire-Bryant
4ef1144958 iproute2: tc cake qdisc add nat, docsis & ptm modes
Add cake nat de-masquerading mode: nat, nonat.
Also docsis & ptm overhead related keywords: nat, nonat,
ptm, docsis-downstream-ip, docsis-downstream, docsis-upstream-ip
& docsis-upstream.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-10-04 11:50:48 +02:00
Kevin Darbyshire-Bryant
34c2726ca7 iproute2: fix no fortify build failure
Fix rt_names build failure when FORTIFY_SOURCE disabled.
Include limits.h which otherwise gets automatically included
by fortify headers.

Solves FS #194

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-30 10:15:28 +02:00
Felix Fietkau
76af0eff3f netifd: update to the latest version, adds various fixes
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-09-28 09:56:32 +02:00
Jo-Philipp Wich
875cddd94c iwinfo: fix WPA cipher reporting
Within the Lua binding, use the same logic as the command line interface for
reporting the used WPA ciphers. Instead of printing the intersection of
pairwise and group ciphers, report both group and pairwise ciphers.

This fixes a case where a connection which uses CCMP for pairwise and TKIP
as groupwise cipher is getting reported as using the NONE cipher.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-09-27 16:23:48 +02:00
Jo-Philipp Wich
864b2d113a 6in4: fix invalid local variable declaration (FS#188)
Remove an invalid local variable declaration in the tunnel update subshell
invocation. Local declarations outside of function scopes are illegal since
the Busybox update to version 1.25.0 .

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-09-27 16:23:06 +02:00
Matthias Schiffer
77f54eae45
config: enable shadow passwords unconditionally
Configurations without shadow passwords have been broken since the removal
of telnet: as the default entry in /etc/passwd is not empty (but rather
unset), there will be no way to log onto such a system by default. As
disabling shadow passwords is not useful anyways, remove this configuration
option.

The config symbol is kept (for a while), as packages from feeds depend on
it.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-26 17:57:56 +02:00
Hauke Mehrtens
df9efc9497 curl: update to version 7.50.3
This fixes the following security problems:
7.50.1:
 CVE-2016-5419 TLS session resumption client cert bypass
 CVE-2016-5420 Re-using connections with wrong client cert
 CVE-2016-5421 use of connection struct after free
7.50.2:
 CVE-2016-7141 Incorrect reuse of client certificates
7.50.3:
 CVE-2016-7167 curl escape and unescape integer overflows

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-09-24 13:48:05 +02:00
Hauke Mehrtens
e59bbb6fe2 ltq-vdsl-app: update to version 4.17.18.6
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
2016-09-20 22:43:43 +02:00
Hans Dedecker
32f4777530 dnsmasq: Add match section support
Match sections allow to set a tag specified by the option networkid if the client
sends an option and optionally the option value specified by the match option.
The force option will convert the dhcp-option to force-dhcp-option if set to 1 in
the dnsmasq config if options are specified in the dhcp_option option.

config match
    option networkid tag
    option match 12,myhost
    option force 1
    list dhcp_option '3,192.168.1.1'

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-09-19 15:30:32 +02:00
Florian Fainelli
559f55dffc iwinfo: Bump to 2016-07-29
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2016-09-19 15:30:32 +02:00
Rafał Miłecki
e70e3c544a hostapd: fix regression breaking brcmfmac
The latest update of hostapd broke brcmfmac due to upstream regression.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2016-09-13 12:06:42 +02:00
Kevin Darbyshire-Bryant
591755ad1a dnsmasq: make NO_ID optional in full variant
Permit users of the full variant to disable the NO_ID *.bind pseudo
domain masking.

Defaulted 'on' in all variants.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-10 12:17:39 +02:00
Kevin Darbyshire-Bryant
96f0bbe91d dropbear: hide dropbear version
As security precaution and to limit the attack surface based on
the version reported by tools like nmap mask out the dropbear
version so the version is not visible anymore by snooping on the
wire. Version is still visible by 'dropbear -V'

Based on a patch by Hans Dedecker <dedeckeh@gmail.com>

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [remove trailing _]
2016-09-10 12:17:39 +02:00
Kevin Darbyshire-Bryant
03cd416795 dnsmasq: Don't expose *.bind data incl version
Don't expose dnsmasq version & other data to clients via the *.bind
pseudo domain.  This uses a new 'NO_ID' compile time option which has been
discussed and submitted upstream.

This is an alternate to replacing version with 'unknown' which affects
the version reported to syslog and 'dnsmasq --version'

Run time tested with & without NO_ID on Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-08 15:28:38 +02:00
Felix Fietkau
859d940c79 hostapd: update to version 2016-09-05
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-09-08 15:28:38 +02:00
Kevin Darbyshire-Bryant
9209f4304b dnsmasq: fix remove pidfile on shutdown regression
Regression introduced by 3481d0d dnsmasq: run as dedicated UID/GID

dnsmasq is unable to remove its own pidfile as /var/run/dnsmasq is owned
by root and now dnsmasq runs as dnsmasq:dnsmasq.  Change directory
ownership to match.

dnsmasq initially starts as root, creates the pidfile, then drops to
requested non-root user.  Until this fix dnsmasq had insufficient
privilege to remove its own pidfile.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-06 11:26:05 +02:00
Johannes Römer
e8cb7d30e9 hostapd: fix typo and indentation in ap_sta_support.patch
Signed-off-by: Johannes Römer <jroemer@posteo.net>
2016-09-05 18:03:24 +02:00
Karl Palsson
a4dc9ff934 dropbear: mdns flag is a bool, not integer
Effectively the same for most purposes, but more accurate.

Signed-off-by: Karl Palsson <karlp@etactica.com>
2016-09-05 07:27:16 +02:00
Felix Fietkau
8e0cb8f582 ebtables: fix build with glibc
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-30 12:12:34 +02:00
Felix Fietkau
18c7d1c626 dante: remove -D_GNU_SOURCE to fix build errors with current glibc
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-30 12:12:34 +02:00
Felix Fietkau
98206cb9c6 iperf: add -lm to fix build with newer glibc
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-30 10:51:21 +02:00
Felix Fietkau
b0dcb6bfed iperf: drop PKG_BUILD_DIR override
No longer necessary since the removal of build variants

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-30 10:51:21 +02:00
Jo-Philipp Wich
885910225d iwinfo: mark as nonshared
The iwinfo library might get compiled with different backends, depending on
the driver selection of the current target, so mark it as nonshared to avoid
broken libiwinfo support on other targets with same cpu architecture but
different wireless driver types.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-08-25 16:51:57 +02:00
Felix Fietkau
2b0a1292f8 uqmi: update to the latest version, adds QMI-in-MBIM support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-24 15:16:01 +02:00
Magnus Kroken
2653a12c4d openvpn: update to 2.3.12
300-upstream-fix-polarssl-mbedtls-builds.patch has been applied upstream.
Replaced 101-remove_polarssl_debug_call.patch with upstream backport.

Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.12

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-08-24 00:33:08 +02:00
Ash Benz
798cd261ab hostapd: use printf to improve portability.
Signed-off-by: Ash Benz <ash.benz@bk.ru>
2016-08-23 12:15:41 +02:00
Felix Fietkau
c487bde9e4 netifd: update to the latest version
Adds fixes for wireless device error handling
Adds link state fixes for shell proto handlers

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-23 11:08:35 +02:00
Hans Dedecker
d7c249fa1c ppp: Extend uci datamodel with persistency sypport
PPP daemon can be put into persist mode meaning the
daemon will not exit after a connection gets terminated
but will instead try to reopen the connection.
The re-initiation after the link has been terminated
can be controlled via holdoff; this is helpfull in
scenarios where a BRAS is in denial of service mode
due to link setup requests after a BRAS has gone down

Following uci parameters have been added :
persist (boolean) : Puts the ppp daemon in persist mode
maxfail (integer) : Number of consecutive fail attempts which
puts the PPP daemon in exit mode
holdoff (interget) : Specifies how many seconds to wait
before re-initiating link setup after it has been terminated

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-08-18 09:49:18 +02:00
John Crispin
99a1888287 swconfig: revert the portmapping patches, they seem to cause a segfault
Revert "kernel/swconfig: remove obsolete portmapping feature from swconfig"

This reverts commit 675407baa4.

Revert "swconfig: remove obsolete portmapping feature"

This reverts commit fca1eb349e.

Signed-off-by: John Crispin <john@phrozen.org>
2016-08-16 10:20:01 +02:00
John Crispin
fca1eb349e swconfig: remove obsolete portmapping feature
Signed-off-by: John Crispin <john@phrozen.org>
2016-08-15 15:32:36 +02:00
Conn O'Griofa
63f6fc5c16 samba: add file/interface reload triggers & filter interfaces
* Only parse interfaces that are up during init_config (as the
  script depends on this to determine the proper IP/subnet range)
* Add reload interface triggers for samba-designated interfaces
* Force full service restart upon config change to ensure Samba
  binds to new interfaces (sending HUP signal doesn't work)
* Rename "interface" variable to "samba_iface" and move into
  global scope

Needed to fix Samba connectivity for clients connecting from a
different LAN subnet (e.g. pseudobridge configurations) due to the
'bind interfaces only' setting.

Signed-off-by: Conn O'Griofa <connogriofa@gmail.com>
2016-08-15 15:18:35 +02:00
Jo-Philipp Wich
4e8c6f3407 dropbear: security update to 2016.74
- Security: Message printout was vulnerable to format string injection.

  If specific usernames including "%" symbols can be created on a system
  (validated by getpwnam()) then an attacker could run arbitrary code as root
  when connecting to Dropbear server.

  A dbclient user who can control username or host arguments could potentially
  run arbitrary code as the dbclient user. This could be a problem if scripts
  or webpages pass untrusted input to the dbclient program.

- Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
  the local dropbearconvert user when parsing malicious key files

- Security: dbclient could run arbitrary code as the local dbclient user if
  particular -m or -c arguments are provided. This could be an issue where
  dbclient is used in scripts.

- Security: dbclient or dropbear server could expose process memory to the
  running user if compiled with DEBUG_TRACE and running with -v

  The security issues were reported by an anonymous researcher working with
  Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-08-12 11:45:47 +02:00
Petko Bordjukov
dff6df9625 hostapd: Allow RADIUS accounting without 802.1x
RADIUS accounting can be used even when RADIUS authentication is not
used. Move the accounting configuration outside of the EAP-exclusive
sections.

Signed-off-by: Petko Bordjukov <bordjukov@gmail.com>
2016-08-11 10:45:33 +02:00
Felix Fietkau
51e70267bd hostapd: remove unused hostapd-common-old package
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-05 11:02:57 +02:00
Felix Fietkau
56cf1adc50 kernel: remove esfq qdisc
It has been obsolete for years now

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-04 18:27:54 +02:00
Florian Eckert
109c55aea1 uqmi: add metric option to interface config
It is now possible to add an metric option for the qmi proto in dhcp mode.

Signed-off-by: Florian Eckert <Eckert.Florian@googlemail.com>
2016-07-26 08:39:36 +02:00
Florian Eckert
15867deac8 uqmi: fix option ipv6
If option ist not set then ipv6 is still enabled on this Interface.
Check if variable is zero will fix this issue.

Signed-off-by: Florian Eckert <Eckert.Florian@googlemail.com>
2016-07-26 08:39:36 +02:00
Felix Fietkau
9201e88f51 kernel: remove hostap driver
It has been marked as broken for well over a month now and nobody has
complained.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-31 12:25:24 +02:00
Felix Fietkau
b2ddfbc1c7 dnsmasq: drop --interface and --except-interface options when the interface cannot be found
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 20:58:14 +02:00
Felix Fietkau
009d6d6024 netifd: update to the latest version, adds an event handling fix
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 19:51:31 +02:00
Felix Fietkau
5cd88f4812 dnsmasq: remove use of uci state for getting network ifname
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 19:48:22 +02:00
Felix Fietkau
a1681ce39b dnsmasq: replace the iface hotplug script with a procd trigger
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 16:41:09 +02:00
Felix Fietkau
6916ca8d33 dnsmasq: make the check for existing DHCP servers more reliable
If there is no carrier yet, wait for 2 seconds (STP forwarding delay)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 16:41:09 +02:00
Ulrich Weber
712b6fdc5c dnsmasq: write atomic config file
multiple invocation of dnsmasq script (e.g. by procd and hotplugd)
might cause procd to restart dnsmasq with an incomplete config file.
Config file generation might take quite a long time on larger configs
due ubus calls for each listening interface...

Signed-off-by: Ulrich Weber <ulrich.weber@riverbed.com>
2016-07-29 16:41:09 +02:00
Felix Fietkau
d9ff187003 netifd: update to the latest version
Emits an initial event after the first link-up of a force_link
interface. This is needed for making the dnsmasq dhcp check more
reliable

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 16:41:09 +02:00
Felix Fietkau
c02f41c1d2 igmpproxy: remove procd_open_trigger/procd_close_trigger calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 16:41:09 +02:00
Felix Fietkau
8299737428 dropbear: remove procd_open_trigger/procd_close_trigger calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 16:41:08 +02:00
Merlijn Wajer
4a0c4d8151 netifd: Use -x hostname:$hostname instead of -H
Passing the hostname is currently broken in since the shipped busybox includes this commit:
https://git.busybox.net/busybox/commit/networking/udhcp/dhcpc.c?id=2017d48c0d70bef8768efb42909e605ea8eb5a21

Before:

    Sun Jan 31 18:11:32 2016 daemon.notice netifd: Interface 'wan' is now down
    Sun Jan 31 18:11:32 2016 daemon.notice netifd: Interface 'wan' is setting up now
    Sun Jan 31 18:11:32 2016 daemon.notice netifd: wan (18158): udhcpc: option -h NAME is deprecated, use -x hostname:NAME
    Sun Jan 31 18:11:32 2016 daemon.notice netifd: wan (18158): udhcpc: malformed hex string 'WR150'

After:

    Sun Jan 31 18:11:33 2016 daemon.notice netifd: wan (18169): udhcpc (v1.23.2) started
    Sun Jan 31 18:11:33 2016 daemon.notice netifd: wan (18169): Sending discover...
    Sun Jan 31 18:11:33 2016 daemon.notice netifd: wan (18169): Sending select for xxx.yyy.zzz.xyz...
    Sun Jan 31 18:11:33 2016 daemon.notice netifd: wan (18169): Lease of xxx.yyy.zzz.xyz obtained, lease time 600

Signed-off-by: Merlijn Wajer <merlijn@wizzup.org>
2016-07-24 06:59:55 +02:00
John Crispin
74766f4c4f firewall3: update to latest git HEAD
Signed-off-by: John Crispin <john@phrozen.org>
2016-07-24 06:38:30 +02:00
Felix Fietkau
da328f2865 hostapd: backport mesh/ibss HT20/HT40 related fix
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-27 17:22:39 +02:00
Hauke Mehrtens
bafeb90745 iperf3: update to version 3.1.3
old size:
iperf3_3.0.11-1_mips_34kc_dsp.ipk       30147

new size:
iperf3_3.1.3-1_mips_34kc_dsp.ipk        33640

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-07-24 15:05:50 +02:00
Hauke Mehrtens
9cbb51ff8c iperf: update to version 2.0.9
old size:
iperf_2.0.8-1_mips_34kc_dsp.ipk 27911

new size:
iperf_2.0.9-1_mips_34kc_dsp.ipk 28681

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-07-24 15:05:33 +02:00
Hauke Mehrtens
7d38128f6a curl: update to version 7.50.0
Changelog: https://curl.haxx.se/changes.html

old sizes:
libcurl_7.49.0-1_mips_34kc_dsp.ipk      97569
curl_7.49.0-1_mips_34kc_dsp.ipk         37925

new sizes:
libcurl_7.50.0-1_mips_34kc_dsp.ipk      97578
curl_7.50.0-1_mips_34kc_dsp.ipk         38017

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-07-24 15:04:13 +02:00
Felix Fietkau
c7a5bb5a7e samba36: avoid picking up a dependency on libunwind (fixes GH #212)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-21 17:33:17 +02:00
Felix Fietkau
ca6375ac51 hostapd: fix an error on parsing radius_das_client
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-21 16:58:50 +02:00
Felix Fietkau
56f686b710 samba36: disable local browse master by default
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-18 13:37:12 +02:00
Felix Fietkau
75329fc161 hostapd: fix VLAN support in full wpad builds
Suppress -DCONFIG_NO_VLAN if CONFIG_IBSS_RSN is enabled

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-18 13:37:10 +02:00
Hans Dedecker
99e5bec2c6 netifd: quote vendorid and hostname variables in dhcp script
Quote hostname and vendorid variables in dhcp script so they can
hold strings having white spaces

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-07-12 14:33:49 +02:00
Kevin Darbyshire-Bryant
17f4d3967e samba: update smb template socket options defaults
Removed socket options = TCP_NODELAY IPTOS_LOWDELAY

TCP_NODELAY (disables Nagle algorithm) is default since samba2.
IPTOS_LOWDELAY sets DSCP 0x10 coding (CS2)
The alternate IPTOS_THROUGHPUT sets DSCP 0x08 coding (CS1)

CS1 is a scavenger class, whilst CS2 is more OAM/interactive
(SNMP,SSH,syslog)

Using CS2 is definitely an abuse of DSCP classification, CS1 less so
however even if the ISP takes note of DSCP codings having a default that
sets traffic to CS2 is wrong.  Better to use the default Best Effort
class.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-07-11 14:19:47 +02:00
Kevin Darbyshire-Bryant
3dded42f05 iftop: fix mac address display
iftop would display portions of mac address with large ffffff prefixes.
Make if_hw_addr type consistent.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-07-11 14:19:47 +02:00
Kevin Darbyshire-Bryant
527696674a igmpproxy: logging options - make work & improve
Move logging command line option to uci:
option verbose [0]/1/2 - mono-syllabic/verbose/noisy

Previously handled as 'OPTIONS' in .init script however variable
was ignored so never worked.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-07-11 14:19:47 +02:00
Felix Fietkau
ad430c1080 hostapd: add a WDS AP fix for reconnecting clients
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-06 10:12:37 +02:00
neheb
a3e7d5e7ae samba: Update smb.conf.template
Removed some options which are default anyway and added bind interfaces
only which causes the interfaces line to actually have an effect. Can be
verified with netstat.

Signed-off by: Rosen Penev <rosenp@gmail.com>
2016-07-05 22:59:14 +02:00
John Crispin
d643ee0260 umbim: update to latest git HEAD
Signed-off-by: John Crispin <john@phrozen.org>
2016-07-05 22:59:13 +02:00
Jo-Philipp Wich
dd9afb8207 iwinfo: fix nl80211 phy lookup without platform prefix
Commit d9b20a6f35 (SVN r48426) changed the
mac80211 phy lookup logic to strip the platform/ directory component from
the phy path specification.

Fix iwinfo to follow that logic by trying to lookup phys both with and
without "platform/" prefix.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-07-04 16:26:38 +02:00
Hans Dedecker
ecbc138343 odhcp6c: Upstep to latest version
Following fixes are included in the latest version:
    -Script is launched with incorrect action
    -Possible buffer overflows
    -Lots of minor bugfixes

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-06-30 14:53:21 +02:00
Kevin Darbyshire-Bryant
6d7f54ccdb iproute2: cake AQM prepare tc for COBALT algorithm
Cake AQM is experimenting with a codel/blue hybrid AQM COBALT instead
of just using codel alone. This patch updates tc to cope with some new
stats produced by COBALT.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-06-30 00:43:03 +02:00
Hans Dedecker
c2bd469521 dnsmasq: Add broken realtime clock build switch in full variant
By default dnsmasq uses the time function; which returns the time since
Epoch; to retrieve the current time. On boards which have no realtime
clock this can lead to side effects when the time is synced via ntp
as the "time wrap" forces dhcp leases to be considered as expired.
By enabling the broken realtime clock build switch dnsmasq uses the
times utility which returns the number of clock tick.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
[Jo-Philipp Wich: change symbol name, add sym to PKG_CONFIG_DEPENDS]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-30 00:42:46 +02:00
Jo-Philipp Wich
f98f4601de openvpn: fix missing cipher list for polarssl in v2.3.11
Upstream OpenSSL hardening work introduced a change in shared code that
causes polarssl / mbedtls builds to break when no --tls-cipher is specified.

Import the upstream fix commit as patch until the next OpenVPN release gets
released and packaged.

Reported-by: Sebastian Koch <seb@metafly.info>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-28 10:47:22 +02:00
Daniel Dickinson
4a3b8e0596 lldpd: Use /etc/os-release instead of /etc/openwrt_*
With the addition of /etc/os-release patching lldpd to use
/etc/openwrt_release and to have the initscript use
/etc/openwrt_release and/or /etc/openwrt_version becomes
unnecessary.

Signed-off-by: Daniel Dickinson <lede@daniel.thecshore.com>
2016-06-27 15:16:01 +02:00
Jo-Philipp Wich
cb7aa4b1fe ebtables: fix segmentation fault due to uninitialized extension data
The ebtables code relies on the `-nostartfiles` linker argument to execute the
extension modules' `_init()` functions automatically which is not working
reliably across all supported targets and gcc versions.

Running an ebtables executable linked this way just crashes with a segmentation
fault at runtime on program startup, e.g. on ARM architectures.

In order to fix the issue ...
 - remove the use of the -nostartfiles linker flag
 - rename the init procedures to a generic name without implicit semantics
 - explicitely annotate those init procedures as constructors

The patch has been taken from the Alpine Linux distribution at
http://git.alpinelinux.org/cgit/aports/tree/main/ebtables/fix-extension-init.patch

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-24 15:59:36 +02:00
Kevin Darbyshire-Bryant
5acfe55d71 dnsmasq: dnssec time handling uses ntpd hotplug
Change dnsmasq's dnssec time check handling to use time validity
indicated by ntpd rather than maintaining a cross boot/upgrade
/etc/dnsmasq.time timestamp file.  This saves flash device wear.

If ntpd client is configured in uci and you're using dnssec, then
dnsmasq will not check dnssec timestamp validity until ntpd hotplug
indicates sync via a stratum change. The ntpd hotplug leaves a status
flag file to indicate to dnsmasq.init that time is valid and that it
should now start in 'check dnssec timestamp valid' mode.

If ntpd client is not configured and you're using dnssec, then it is
presumed you're using an alternate time sync mechanism and that time is
correct, thus dnsmasq checks dnssec timestamps are valid from 1st start.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

V2 - stratum & step ntp changes indicate time is valid
V3 - on initial flag file step signal dnsmasq with SIGHUP if running
V4 - only accept step ntp changes. Accepting both stratum & step could
result in unpleasant script race conditions
V5 - Actually only accepting stratum is the correct thing to do after
further testing
V6 - improve handling of non busybox ntpd
if sysntpd not executable
  dnsmasq checks dnssec timestamps
else
  sysntp script disabled - look for timestamp file - allows external mechanism to use hotplug flag file
  sysntp script enabled & uci ntp enabled  - look for timestamp file
  sysntp script enabled & uci ntp disabled - dnsmasq checks dnssec
timestamps
fi
2016-06-24 13:53:39 +02:00
Hauke Mehrtens
3f38356893 packages: prefer http over git for git protocol
In company networks everything except the http and https protocol is
often causes problems, because the network administrators try to block
everything else. To make it easier to use LEDE in company networks use
the https/http protocol for git access when possible.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-06-22 19:32:06 +02:00
Daniel Gimpelevich
7385f754b1 lantiq: Correct ADSL race condition
puts br2684ctl init after ADSL init instead of before, so that the ESI
is set at the right time, and for consistency with the PTM driver.

Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
2016-06-22 19:32:06 +02:00
Felix Fietkau
475e94b1d2 uhttpd: update to the latest version, adds some extensions to handler script support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-16 19:00:16 +02:00
Felix Fietkau
4e0a533f60 hostapd: fix breakage with non-nl80211 drivers
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-15 19:28:55 +02:00
Jo-Philipp Wich
e2a9c638e7 hostapd: fix compilation error in wext backend
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-15 19:10:32 +02:00
Felix Fietkau
ef74d5cbf8 hostapd: implement fallback for incomplete survey data
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-15 17:31:48 +02:00
Felix Fietkau
13b44abcff hostapd: update to version 2016-06-15
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-15 17:11:43 +02:00
Michal Hrusecky
b67af71181 hostapd: Update to version 2016-05-05
Fixes CVE-2016-4476 and few possible memory leaks.

Signed-off-by: Michal Hrusecky <Michal.Hrusecky@nic.cz>
2016-06-15 17:11:18 +02:00
John Crispin
abc346db0e package/lantiq: make lantiq kernel modules work with xway_legacy
Signed-off-by: John Crispin <john@phrozen.org>
2016-06-13 22:51:43 +02:00
Magnus Kroken
4260d11e8b openvpn: update to 2.3.11
Security fixes:
* Fixed port-share bug with DoS potential
* Fix buffer overflow by user supplied data

Full changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-06-13 22:51:43 +02:00
John Crispin
62dc9831d3 package/*: update git urls for project repos
Signed-off-by: John Crispin <john@phrozen.org>
2016-06-13 22:51:41 +02:00
Jo-Philipp Wich
dd182011e1 swconfig: improve failure reporting
Report the translated error to the user if a get/set netlink operation failed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-11 00:51:22 +02:00
Kevin Darbyshire-Bryant
e815036460 dnsmasq: support hostid ipv6 address suffix option
Add support for hostid dhcp config entry to dnsmasq. This allows
specification of dhcpv6 hostid suffix and works in the same way as
odhcpd.

Entries in auto generated dnsmasq.conf should conform to:

dhcp-host=mm:mm:mm:mm:mm:mm,IPv4addr,[::V6su:ffix],hostname

example based on sample config/dhcp entry:

config host
        option name 'Kermit'
        option mac 'E0:3F:49:A1:D4:AA'
        option ip '192.168.235.4'
        option hostid '4'

dhcp-host=E0:3F:49:A1:D4:AA,192.168.235.4,[::0:4],Kermit

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-06-10 18:16:47 +02:00
Hans Dedecker
7eaacd4d23 dnsmasq: Add option --max-port
By default dnsmasq uses random ports for outbound dns queries;
when the maxport UCI option is specified the ports used will
always be smaller than the specified value.
This is usefull for systems behind firewalls.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-06-10 18:05:07 +02:00
Felix Fietkau
a88fc0db9d xtables-addons: add missing dependency
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-09 15:53:43 +02:00
Dirk Neukirchen
652ac2c6fd xtables-addons: update to 2.11
- fix compilation w. Kernel 4.6 due to
hash->shash crypto API
- remove a patch integrated upstream

- remove unrecognized configure option
removed upstream in 2010
commit 40d0345f1ed02de183b13a6ce38847bc1f4ac48e

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
2016-06-07 23:03:11 +02:00
Matteo Panella
20c608db0a openvpn: add support for tls-version-min
Currently, the uci data model does not provide support for specifying
the minimum TLS version supported in an OpenVPN instance (be it server
or client).

This patch adds support for writing the relevant option to the openvpn
configuration file at service startup.

Signed-off-by: Matteo Panella <morpheus@level28.org>
[Jo-Philipp Wich: shorten commit title, bump pkg release]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-07 23:02:58 +02:00