Update to latest Git in order to fix potential memory corruption and invalid
memory access when handling query strings in conjunction with active basic
authentication.
a235636 2017-11-04 file: fix query string handling
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
commit fbde9ac718 set an incorrect sha256sum which doesn't match the
file http://sources.lede-project.org/netifd-2017-10-31-0f96606b.tar.xz
or a locally packaged checkout (which resulted in a file identical with
the one referenced by the URL above).
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
By default, hostapd assumes r1_key_holder equal to bssid. If LEDE
configures the same static r1 key holder ID on two different APs (BSSes) the
RRB exchanges fails behind them.
Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com>
Defining it will let the build tool download the tarball file from
a buildbot server, avoiding a clone of the source repo.
Signed-off-by: Arjun AK <lede@arjunak.com>
Newer devices tend to only support the newer version of the pin
verification command, so also try that one.
Fixes PIN issues with modems like the Sierra Wireless MC7455
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Update wireguard to latest snapshot:
9fc5daf version: bump snapshot
748ca6b compat: unbreak unloading on kernels 4.6 through 4.9
7be9894 timers: switch to kees' new timer_list functions
6be9a66 wg-quick: save all hooks on save
752e7af version: bump snapshot
2cd9642 wg-quick: fsync the temporary file before renaming
b139499 wg-quick: allow for saving existing interface
582c201 contrib: add reresolve-dns
8e04be1 tools: correct type for CTRL_ATTR_FAMILY_ID
c138276 wg-quick: allow for the hatchet, but not by default
d03f2a0 global: use fewer BUG_ONs
6d681ce timers: guard entire setting in block
4bf32ca curve25519: only enable int128 if compiler support is sound
86e06a3 device: expand scope of destruct lock
e3661ab global: get rid of useless forward declarations
bedc77a device: only take reference if netns is different
7c07e22 wg-quick: remember to rewind DNS settings on failure
2352ec0 wg-quick: allow specifiying multiple hooks
573cb19 qemu: test using four cores
e09ec4d global: style nits
4d3deae qemu: work around ccache bugs
7491cd4 global: infuriating kernel iterator style
78e079c peer: store total number of peers instead of iterating
d4e2752 peer: get rid of peer_for_each magic
6cf12d1 compat: be sure to include header before testing
3ea08d8 qemu: allow for cross compilation
d467551 crypto/avx: make sure we can actually use ymm registers
c786c46 blake2: include headers for macros
328e386 global: accept decent check_patch.pl suggestions
a473592 compat: fix up stat calculation for udp tunnel
9d930f5 stats: more robust accounting
311ca62 selftest: initialize mutex in routingtable selftest
8a9a6d3 netns: use time-based test instead of quantity-based
e480068 netns: use read built-in instead of ncat hack for dmesg
Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Unmodified dns and domain variables could be needed in user script (/etc/udhcpc.user).
Signed-off-by: Tero Jänkä <tero.janka@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (cleanup)
Refresh patches
Remove 320-curl-confopts.m4-fix-disable-threaded-resolver.patch as
integrated upstream
See https://curl.haxx.se/changes.html for the bugfixes in 7.56.0 and
7.56.1
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The build system already defines KERNEL_CROSS which defaults to TARGET_CROSS.
Make use of this variable for kernel makefiles.
Signed-off-by: Karl Vogel <karl.vogel@gmail.com>
This reverts commit e7373e489d.
Support of "-s" depends on the CONFIG_DEBUG_SYSLOG compile time flag which
is not enabled for all build variants.
Revert the change for now until we can properly examine the size impact of
CONFIG_DEBUG_SYSLOG.
Fixes FS#1117.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The package kmod-ipt-debug builds the module xt_TRACE, which allows
users to use '-j TRACE' as target in the chain PREROUTING of the table
raw in iptables.
The kernel compilation flag NETFILTER_XT_TARGET_TRACE is also enabled so
that this feature which is implemented deep inside the linux IP stack
(for example in sk_buff) is compiled.
But a strace of iptables -t raw -I PREROUTING -p icmp -j TRACE reveals
that an attempt is made to read /usr/lib/iptables/libxt_TRACE.so, which
fails as this dynamic library is not present on the system.
I created the package iptables-mod-trace which takes care of that, and
target TRACE now works!
https://dev.openwrt.org/ticket/16694https://dev.openwrt.org/ticket/19661
Signed-off-by: Martin Wetterwald <martin.wetterwald@corp.ovh.com>
[Jo-Philipp Wich: also remove trace extension from builtin extension list
and depend on kmod-ipt-raw since its required for rules]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
Backport HANDSHAKE and TRAINING notification from ltq-vdsl-app. It
unifies the dsl led blinking pattern accross all subtargets and allows
to get the current line status from the dsl led.
Signed-off-by: Mathias Kresin <dev@kresin.me>
This change makes it possible to configure the wan/dsl ppp interface
settings independantly from the used TC-Layer (ATM/PTM).
By using dsl0 as interface name as for the xrx200 we can get rid of a
few conditionals which were introduced because of the different default
TC-Layer in xway and xrx200.
Signed-off-by: Mathias Kresin <dev@kresin.me>
The previous commit did not adjust PKG_RELEASE, therefore the
hostapd/wpad/wpa_supplicant packages containing the AP-side workaround
for KRACK do not appear as opkg update.
Bump the PKG_RELEASE to signify upgrades to downstream users.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This is a simple version bump. Changes:
* noise: handshake constants can be read-only after init
* noise: no need to take the RCU lock if we're not dereferencing
* send: improve dead packet control flow
* receive: improve control flow
* socket: eliminate dead code
* device: our use of queues means this check is worthless
* device: no need to take lock for integer comparison
* blake2s: modernize API and have faster _final
* compat: support READ_ONCE
* compat: just make ro_after_init read_mostly
Assorted cleanups to the module, including nice things like marking our
precomputations as const.
* Makefile: even prettier output
* Makefile: do not clean before cloc
* selftest: better test index for rate limiter
* netns: disable accept_dad for all interfaces
Fixes in our testing and build infrastructure. Now works on the 4.14 rc
series.
* qemu: add build-only target
* qemu: work on ubuntu toolchain
* qemu: add more debugging options to main makefile
* qemu: simplify shutdown
* qemu: open /dev/console if we're started early
* qemu: phase out bitbanging
* qemu: always create directory before untarring
* qemu: newer packages
* qemu: put hvc directive into configuration
This is the beginning of working out a cross building test suite, so we do
several tricks to be less platform independent.
* tools: encoding: be more paranoid
* tools: retry resolution except when fatal
* tools: don't insist on having a private key
* tools: add pass example to wg-quick man page
* tools: style
* tools: newline after warning
* tools: account for padding being in zero attribute
Several important tools fixes, one of which suppresses a needless warning.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Commit 2127425434 introduced an AP-side
workaround for key reinstallation attacks. This option can be used to
mitigate KRACK on the station side, in case those stations cannot be
updated. Since many devices are out there will not receive an update
anytime soon (if at all), it makes sense to include this workaround.
Unfortunately this can cause interoperability issues and reduced
robustness of key negotiation, so disable the workaround by default, and
add an option to allow the user to enable it if he deems necessary.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The previous CVE bugfix commit did not adjust PKG_RELEASE, therefore the
fixed hostapd/wpad/wpa_supplicant packages do not appear as opkg update.
Bump the PKG_RELEASE to signify upgrades to downstream users.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This fixes a compile problem recently introduced by me.
Fixes: f40fd43ab2 ("ppp: fix compile warning")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Move wireguard from openwrt/packages to base a package.
This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving
experimental kernel module that many find essential and useful. The
other is a VPN client. Both are inside of core. When you combine the two
characteristics, you get WireGuard. Generally speaking, because of the
extremely lightweight nature and "stateless" configuration of WireGuard,
many view it as a core and essential utility, initiated at boot time
and immediately configured by netifd, much like the use of things like
GRE tunnels.
WireGuard has a backwards and forwards compatible Netlink API, which
means the userspace tools should work with both newer and older kernels
as things change. There should be no versioning requirements, therefore,
between kernel bumps and userspace package bumps.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: Felix Fietkau <nbd@nbd.name>
This change makes it possible to configure the wan/dsl ppp interface
settings independantly from the used TC-Layer (ATM/PTM).
Now you can move a device from an ADSL/ATM port to an VDSL/PTM port
without any configuration changes for example.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
[use the dsl0 interface name for the default netdev trigger in 01_led,
add ip dependency]
Signed-off-by: Mathias Kresin <dev@kresin.me>
This patch adds the help tool wpan-ping to test the 6LoWPAN
network to help the user debug network problem.
Signed-off-by: Yunhui Fu <yhfudev@gmail.com>
This patch adds a parser for the uci representation of
dnsmasq's "-a | --listen-address" option.
In summary, this option forces dnsmasq to listen on the
given IP address(es). Both interface and listen-address
options may be given, in which case the set of both
interfaces and addresses is used.
Note that if no interface option is given, but listen_address is,
dnsmasq will not automatically listen on the loopback interface.
To achieve this, the loopback IP addresses, 127.0.0.1 and/or ::1
must be explicitly added.
This option is useful for ujailed dnsmasq instances, that would
otherwise fail to work properly, because listening to the
"This host on this network" address (aka 0.0.0.0 see rfc1700 page 4)
may not be allowed.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
If you unplug a QMI device, the /dev/cdc-wdmX device
disappears but uqmi will continue to poll it endlessly.
Then, when you plug it back, you have 2 uqmi processes,
and that's bad, because 2 processes talking QMI to the
same device [and the same time] doesn't seem to work well.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
There have been a number of interesting fixes in conntrack-tools since
the current latest release. Most notable is that this fixes IPv6
conntrack table syncing when cross-compiling conntrack-tools.
7e7748d src/main: refresh help message
fe32043 conntrackd.8: refresh file
47a4dda conntrackd.8: add reference to systemd
0cfe7ff doc/manual: include some bits about init systems
74a418b conntrackd: cthelper: ftp: Set match offset/len for PORT mangling
d833bed conntrackd: cthelper: ftp: Fix debug print
dd4b5a1 conntrackd: cthelper: Add new mdns helper
498d698 Link nfct and helper modules with `-z lazy`
9e94e85 sync-mode: print errno message on failure
ab81c35 log: print messages to stdout/sderr if running in console mode
631d92b log: introduce a mechanism to know if log was initialized
ccb1c8b conntrackd: replace error reporting in the config parser with dlog()
bee121e conntrackd: replace fprintf calls with dlog()
5a51b04 conntrack-tools: update Arturo Borrero Gonzalez email address
abb9984 helper: remove copy and paste from uapi kernel header
a91a004 src: add log message when resync is requested by other node
c2d8be1 systemd: fix missing log.h include
f6ca216 config: drop old/obsolete/deprecated conntrackd.conf config options
8b83771 conntrack: send mark filter to kernel iff set
1ba5e76 conntrackd: cthelper: Don't leak nat_tuple
832166d conntrackd: cthelper: Free pktb after use
ff843bc conntrackd: config: Do not strdup() tokens
b61c454 conntrackd: cthelper: ssdp: Track UPnP eventing
8ea394e conntrackd: Remove obsolete rule to catch ambiguous Checksum option
39398cd conntrackd: CommitTimeout breaks DisableExternalCache set On
29b390a conntrack: Support IPv6 NAT
381827a conntrackd: factorice tx_queue functions
131df89 conntrackd: factorize resync operations
d31bacc conntrackd: consolidate more code to use resync_send()
3d98496 conntrackd: request resync at startup
ef410bf conntrackd: remove use of HAVE_INET_PTON_IPV6
9d38445 conntrackd: evaluate configuration earlier
6feded7 conntrackd: cleanup if failed forking
dbfdea7 conntrackd: deprecate unix backlog configuration
210f542 conntrackd: make the daemon run in RT mode by default
37cc7f0 conntrackd: remove warning for -S
d2849d1 conntrack: Show multiple CPUs stats from proc
bc0b49a conntrackd: cthelper: ssdp: fix build with musl
0c77a25 tests: don't fail on modprobe since the driver might be built-in
eefe649 conntrack.8: refresh manpage
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
As git.netfilter.org seems to support HTTPS, use that instead of HTTP
which is insecure, or GIT which is blocked on many corporate networks.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
A recent commit in hostapd added a build option to specify the default
TLS ciphers. This build option is passed via CFLAGS. Due to the way
CFLAGS are handled when building wpad, the compiler tries to recursively
expand TLS_DEFAULT_CIPHERS, resulting in the following error:
../src/crypto/tls_openssl.c: In function 'tls_init':
<command-line>:0:21: error: 'DEFAULT' undeclared (first use in this function)
../src/crypto/tls_openssl.c:1028:13: note: in expansion of macro 'TLS_DEFAULT_CIPHERS'
ciphers = TLS_DEFAULT_CIPHERS;
^
Escape double quotes in the .cflags file to avoid this.
Fixes: 2f78034c3e ("hostapd: update to version 2017-08-24")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
5df3f01 config: suppress error if no wireless config present (FS#1030)
3429bd8 system-linux: add support for hotplug event 'move'
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This updates mac80211 to backprots-4.14-rc2.
This was compile and runtime tested with ath9k, ath10k and b43
with multiple stations and ieee80211w and in different scenarios by many
other people.
To create the backports-4.14-rc2-1.tar.xz use this repository:
https://git.kernel.org/pub/scm/linux/kernel/git/backports/backports.git
from tag v4.14-rc2-1
Then run this:
./gentree.py --git-revision v4.14-rc2 --clean <path to linux repo> ../backports-4.14-rc2-1
This also adapts the ath10k-ct and mt76 driver to the changed cfg80211
APIs and syncs the nl80211.h file in iw with the new version from
backports-4.14-rc2.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The empty version.sh script causes a problem when run by make:
make[3]: /usr/bin/env bash: Shell program not found
Adding a shebang line in version.sh seems to solve it.
Fixes FS#977.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This is useful for tuning some more exotic parameters where it doesn't
make sense to attempt to cover everything in uci directly
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Adds config option to enable compression support which is usefull
when using a terminal sessions over a slow link. Impact on binary
size is negligible but additional 60 kB (uncompressed) is needed for
a shared zlib library.
Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
b84fdac Add debug output for service_timeout
8f7e3bc Remove incorrect comma in http service json config
9f40133 Remove ttl==255 restriction for queries
Signed-off-by: John Crispin <john@phrozen.org>
Fixes CVE-2017-12166: out of bounds write in key-method 1.
Remove the mirror that was temporarily added during the
2.4.3 release.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Update the config file to the latest version.
Added CONFIG_EAP_FAST=y because it was the only
missing flag about EAP compared to full config.
Removed NEED_80211_COMMON flag because it is not part
of config file, it is set by the hostapd upstream Makefile.
Other flags are the same as before.
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[add punctuation to commit msg]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Update the config file to the latest version.
Enabled flags are the same as before.
Removed NEED_80211_COMMON flag because it is not part
of config file, it is set by the hostapd upstream Makefile.
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[add punctuation to commit msg]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Update the config file to the latest version.
Enabled flags are the same as before.
Commented CONFIG_IEEE80211W=y flag because it is
set in the Makefile, only if the driver supports it.
Removed NEED_80211_COMMON flag because it is not part
of config file, it is set by the hostapd upstream Makefile.
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[add punctuation to commit msg]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Update the config file to the latest version.
Enabled flags are the same as before.
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[add punctuation to commit msg]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Update the config file to the latest version.
Enabled flags are the same as before.
Removed flag CONFIG_WPS2 because it is no more
needed due to this changelog (2014-06-04 - v2.2):
"remove WPS 1.0 only support, i.e., WSC 2.0
support is now enabled whenever CONFIG_WPS=y is set".
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[add punctuation to commit msg]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Bump to 7.55.1 broke the disable threaded resolver feature as reported
in https://github.com/curl/curl/issues/1784.
As a result curl is always compiled with the threaded resolver feature
enabled which causes a dependency issue on pthread for uclibc.
Fix this issue by backporting the upstream curl commit which fixes
disable threaded resolver.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
3fd58e9 2017-08-19 uhttpd: add manifest support
88c0b4b 2017-07-09 file: fix basic auth regression
99957f6 2017-07-02 file: remove unused "auth" member from struct
path_info
c0a569d 2017-07-02 proc: expose HTTP_AUTH_USER and HTTP_AUTH_PASS
ad93be7 2017-07-02 auth: store parsed username and password
fa51d7f 2017-07-02 proc: do not declare empty process variables
a8bf9c0 2017-01-26 uhttpd: Add TCP_FASTOPEN support
e6cfc91 2016-10-25 lua: ensure that PATH_INFO starts with a slash
Signed-off-by: Adrian Panella <ianchi74@outlook.com>
This option is used to specify a file containing PEM certs, to complete the
local certificate chain. Which is quite usefull for "split-CA" setups.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Add support for ft_psk_generate_local flag in ieee80211r
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[original author]
Signed-off-by: Sergio <mailbox@sergio.spb.ru>
Init script won't append --no-dhcp-interface option if interface
protocol is one of: ncm, directip, qmi, mbim.
This is caused by IP address assigned to dynamically created netifd
interfaces. As a result there's no netmask assigned to the main
interface and dhcp_add() function returns prematurely.
By moving network subnet check we can ensure that --no-dhcp-interface is
properly generated for wwan interfaces.
Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase; move network checks]
When bumping tcpdump from 4.9.1 to 4.9.2, I did not include the fixed
CVEs in the commit message. As the list of fixed CVEs is quite long,
we should probably mention them in the changelogs of the releases to
come. This commit will make sure this happens.
The following CVEs were fixed in 21014d9708:
CVE-2017-11541
CVE-2017-11541
CVE-2017-11542
CVE-2017-11542
CVE-2017-11543
CVE-2017-11543
CVE-2017-12893
CVE-2017-12894
CVE-2017-12895
CVE-2017-12896
CVE-2017-12897
CVE-2017-12898
CVE-2017-12899
CVE-2017-12900
CVE-2017-12901
CVE-2017-12902
CVE-2017-12985
CVE-2017-12986
CVE-2017-12987
CVE-2017-12988
CVE-2017-12989
CVE-2017-12990
CVE-2017-12991
CVE-2017-12992
CVE-2017-12993
CVE-2017-12994
CVE-2017-12995
CVE-2017-12996
CVE-2017-12997
CVE-2017-12998
CVE-2017-12999
CVE-2017-13000
CVE-2017-13001
CVE-2017-13002
CVE-2017-13003
CVE-2017-13004
CVE-2017-13005
CVE-2017-13006
CVE-2017-13007
CVE-2017-13008
CVE-2017-13009
CVE-2017-13010
CVE-2017-13011
CVE-2017-13012
CVE-2017-13013
CVE-2017-13014
CVE-2017-13015
CVE-2017-13016
CVE-2017-13017
CVE-2017-13018
CVE-2017-13019
CVE-2017-13020
CVE-2017-13021
CVE-2017-13022
CVE-2017-13023
CVE-2017-13024
CVE-2017-13025
CVE-2017-13026
CVE-2017-13027
CVE-2017-13028
CVE-2017-13029
CVE-2017-13030
CVE-2017-13031
CVE-2017-13032
CVE-2017-13033
CVE-2017-13034
CVE-2017-13035
CVE-2017-13036
CVE-2017-13037
CVE-2017-13038
CVE-2017-13039
CVE-2017-13040
CVE-2017-13041
CVE-2017-13042
CVE-2017-13043
CVE-2017-13044
CVE-2017-13045
CVE-2017-13046
CVE-2017-13047
CVE-2017-13048
CVE-2017-13049
CVE-2017-13050
CVE-2017-13051
CVE-2017-13052
CVE-2017-13053
CVE-2017-13054
CVE-2017-13055
CVE-2017-13687
CVE-2017-13688
CVE-2017-13689
CVE-2017-13690
CVE-2017-13725
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
With the introduction of the ubus notifications, we would now fail building
dnsmasq with external toolchains that don't automatically search for headers.
Pass TARGET_CPPFLAGS to the Makefile to resolve that.
Fixes: 34a206bc11 ("dnsmasq: add ubus notifications for new leases")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
This is to eliminate any ambiguity about the cyassl/wolfssl lib.
The rename happened some time ago (~3+ years).
As time goes by, people will start to forget cyassl and
start to get confused about the wolfSSL vs cyassl thing.
It's a good idea to keep up with the times (moving forward).
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Method used:
```
cd package/network/utils/wwan/files/data
sed -e 's/}}/}/g' -i *
sed -e 's/}\t"acm": 1/\t"acm": 1/g' -i *
sed -e 's/}\t"generic": 1/\t"generic": 1/g' -i *
```
Manually adjusted commas.
Validated with
```
for f in `ls` ; do echo $f ; python -m json.tool < $f || break ; done
```
Thanks to @lynxis for pointing out the commas.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Instead of blindly enabling the odhcpd v6 server and RA server on the
lan port, only do that if the lan port protocol is "static"
This prevents the unhelpful case of a device being a dhcpv4 client and
v6 server on the same ethernet port.
Signed-off-by: Karl Palsson <karlp@etactica.com>
[PKG_SOURCE_DATE increase; odhcpd.defaults script cleanup]
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Fix multiple syntax errors in shelscripts (of packages only)
These errors were causing many conditions to not working properly
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[increase PKG_RELEASE, drop command substitution from directip.sh]
Signed-off-by: Mathias Kresin <dev@kresin.em>
ifname variable were not assigned due to syntax error
causing the hostapd config file to have an empty iapp_interface= option
Signed-off-by: Lorenzo Santina <lorenzo.santina.dev@gmail.com>
Don't return arcount=1 if EDNS0 RR won't fit in the packet.
Omitting the EDNS0 RR but setting arcount gives a malformed packet.
Also, don't accept UDP packet size less than 512 in received EDNS0.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Remove LEDE partial fix for CVE-2017-13704.
Backport official fix from upstream.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
Extendprefix is typically used to extend an IPv6 RA prefix from a mobile
wan link to the LAN; such scenario requires correct RA prefix settings
like the on link flag not being set.
However some mobile manufacter set the RA prefix on link flag which breaks
basic IPv6 routing.
Work around this issue by filtering out the route being equal to the
extended prefix.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
51733a6 ra: align RA update interval with RFC4861 (FS#964)
Add ra_holdoff config option which allows to configure the RA minimum
update interval which is by default 3 seconds as stated in RFC4861.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
ssh and scp commands interfere with OpenSSH when installed in /usr/bin .
One use case is when installing dropbear to get root access when only OpenSSH is available (OpenSSH disallows root password logins). Once dropbear installs, it replaces OpenSSH's executables, even when removed with opkg. OpenSSH must be reinstalled to get them back.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
printer support is removed using 200-remove_printer_support.patch. the syslog parameter requires samba to be compiled with --with-syslog. Currently samba does not log to syslog and probably has not for a long time.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
It's redundant and also buggy. IPv6 link local addresses and ::1 are not resolved for example. Doesn't matter since lo and br-lan for example, resolve to them.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Acked-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
guest ok is set per share and as such, don't override it. also, fix an error introduced in the last commit.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset()
is called with header & limit pointing at the same address and thus
tries to clear memory from before the buffer begins.
answer_request() is called with an invalid edns packet size provided by
the client. Ensure the udp_size provided by the client is bounded by
512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512
MUST be treated as equal to 512"
The client that exposed the problem provided a payload udp size of 0.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
Replace the string array containing the fmrs parameters by a nested data
json object holding an array of fmrs parameters
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Currently, dnsmasq support assigning multiple tags to a host record
(--dhcp-host), but we only support only 1 tag for a host. The commit
makes the following config to be valid:
config host
option name 'computer'
option mac '00:11:22:33:44:55'
option ip '192.168.1.100'
list tag 'vendor_class'
list tag 'vendor_id'
config tag 'vendor_class'
list dhcp_option 'option:vendor-class,00:...<omitted>'
config tag 'vendor_id'
option force '1'
list dhcp_option 'option:vendor-id-encap,00:...<omitted>'
Signed-off-by: Kuang Rufan <kuangrufan@pset.suntec.net>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Changes:
89d1b80 xt_condition: namespace support #2
c839e87 xt_geoip: check for allocation overflow
a587f95 compat_xtables: use more accurate printf format for NIPQUAD
1874fcd xt_DNETMAP: fix a buffer overflow
21ea7b7 xt_LOGMARK: resolve new gcc7 warnings
ee8da2b build: support for Linux 4.12
19a4359 xt_condition: add support for namespaces
1b37966 xt_psd: resolve compiler warning
Tested on cns3xxx
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>