In sta-only configuration, wpa_supplicant needs correct regulatory
domain because otherwise it may skip channel of its AP during scan.
Another alternative is to fix "iw reg set" in mac80211 netifd script.
Currently it fails if some phy has private regulatory domain which
matches configured one.
Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
SVN-Revision: 48099
Only the conditional dependency ought to be required;
if build fails with JSON there is some other problem
at work.
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
SVN-Revision: 47976
By default dnsmasq sends an ICMP echo request before allocating
an IP address to a host; the uci option noping allows to disable
this check.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 47974
Changed option nonwildcard from --bind-interfaces into --bind-dynamic.
With this, Dnsmasq binds the address of individual interfaces, allowing multiple
dnsmasq instances, but if new interfaces or addresses appear, it automatically
listens on those. This makes dynamically created interfaces work in the same way as
the default, but allows also use of other DNS-servers (like Named) at the same time
on diffirent interfaces where Dnsmasq is NOT configured, whereas with
--bind-interfaces will still reserve every interface even if not used and thus
disallowing use of any other DNS-program even on unused interfaces.
Tested-by: Vaasa Hacklab <info@vaasa.hacklab.fi>
Signed-off-by: Sami Olmari <sami@olmari.fi>
SVN-Revision: 47953
Using the JSON output option depends on json library so
add select json-c library when JSON output is selected.
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
SVN-Revision: 47928
Add the option "--all-servers" which forces dnsmasq to send all
queries to all servers and then take the first answer.
Signed-off-by: Andréas Gustafsson <gurgalof@gmail.com>
SVN-Revision: 47857
This should ensure that lldpd is among the first processes to stop,
so that it has time to send the shutdown LLDPU to the other side,
before the network goes down.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
SVN-Revision: 47786
The scripts for authsae and iw use the option mesh_id to get set the
"meshid" during a mesh join. But the script for wpad-mesh ignores the
option mesh_id and instead uses the option ssid. Unify the mesh
configuration and let the wpa_supplicant script also use the mesh_id from
the configuration.
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47615
The OpenWrt wireless configuration for mcast_rate is defined as Kbit/s when
using wpa_supplicant for IBSS/802.11s and iw for unencrypted IBSS/802.11s.
But when using authsae, the unit for the same option is redefined as
Mbit/s. Better use the same unit for this option independent of the backend
which is used.
Old values for mcast_rate (< 1000) are still interpreted Mbit/s to avoid
problems during upgrades from older versions.
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47614
The variable $mesh_id was never defined in authsae_start_interface and thus
the option meshid in $authsae_conf_file was always set to "".
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47613
Only costs about 3k compressed, but significantly improves handling of
configuration mismatch
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 47439
Seems the default one is not working as expected.
The way that reload should work is that the 'start' service
call should return 1 (if lldpd is running) and then a normal
restart would be called.
However, for lldpd a reload would mean just clearing all custom TLVs
(if they're configured) and reloading the configuration.
So, this patch adds a reload hook, which would:
- 'start' lldpd if it's not running (because we return 1 if not running)
- reload configuration if it is running (also previously
clearing custom TLVs if present)
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
SVN-Revision: 47367
r46861 introduced a new option eapol_version to hostapd, but did not
provide a default value. When the option value is evaluated,
the non-existing value causes errors to the systen log:
"netifd: radio0: sh: out of range"
Add a no-op default value 0 for eapol_version. Only values 1 or 2 are
actually passed on, so 0 will not change the default action in hostapd.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 47361
The two commits
5162e3b0ee7bd1d0fd6e75e1ca7993a1834b5291
"allow request handlers to disable chunked reponses"
and
618493e378e2239f0d30902e47adfa134e649fdc
"file: disable chunked encoding for file responses"
broke the chunked transfer encoding handling for proc responses in keep-alive
connections that followed a file response with http status 204 or 304.
The effect of this bug is that cgi responses following a 204 or 304 one where
sent neither in chunked encoding nor with a content-length header, causing
browsers to stall until the keep alive timeout was reached.
Fix the logic flaw by inverting the chunk prevention flag in the client state
and by testing the chunked encoding preconditions every time instead of
once upon client (re-)initialization.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 47161
One second is not enough for some devices to ackowledge null data frame
which is sent at the end of ap_max_inactivity interval. In particular,
this causes severe Wi-Fi instability with Apple iPhone which may take
up to 3 seconds to respond.
Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
SVN-Revision: 47149
Seems the match pattern was being adapted from 'eth0' to ' eth0'
because of the way I added the procd command args.
This did not seem to be a problem when there were multiple interfaces,
just on devices with single interfaces for lldpd to listen on.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
SVN-Revision: 47136
OpenVPN 2.3 added a route-pre-down option, to run a command before
routes are removed upon disconnection.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
SVN-Revision: 47134
When using FullMAC drivers (e.g. brcmfmac) we don't get mgmt frames so
check for banned client in probe request handler won't ever be used.
Since cfg80211 provides us info about STA associating let's put a check
there.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
SVN-Revision: 47064
Since r46834, IPv6 support is builtin if selected. Therefor, dependencies
on kmod-ipv6 can no longer be fulfilled, since it is not a module anymore.
Signed-off-by: Arjen de Korte <arjen+openwrt@de-korte.org>
SVN-Revision: 47022
This call is no longer supported.
Maybe a come-back for it would be to use a config /etc/lldpd.conf
or /etc/lldpd.d/<some-file>.conf
Signed-off-by: Alexandru Ardelean <aa@ocedo.com>
SVN-Revision: 46966
Add eapol_version to the openwrt wireless config ssid section.
Only eapol_version=1 and 2 will get passed to hostapd, the default
in hostapd is 2.
This is only useful for really old client devices that don't
accept eapol_version=2.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
SVN-Revision: 46861
As the OpenWrt build system only resolves build dependencies per directory,
all hostapd variants were causing libopenssl to be downloaded and built,
not only wpad-mesh. Fix this by applying the same workaround as in
ustream-ssl.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
SVN-Revision: 46851
While technically required by the RFC, they are usually completely
unused (DSA), or have security issues (3DES, CBC)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 46814
This enables passworldless login for root via SSH whenever no root
password is set (e.g. after reset, flashing without keeping config
or in failsafe) and removes telnet support alltogether.
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46809
* ra: don't announce as default router if we aren't (regression)
* ra: reduce maximum announced dns lifetimes due to buggy clients
* dhcpv6: fix mac-based lease-matching
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46802
Add CONFIG_IEEE80211W variable to DRIVER_MAKEOPTS so that 802.11w
support is properly compiled in full variant.
This fixes#20179
Signed-off-by: Janusz Dziemidowicz <rraptorr@nails.eu.org>
SVN-Revision: 46737
Other VLAN related options are already being processed in netifd.sh
but the vlan_file option is missing. This option allows the mapping
of vlan IDs to network interfaces and will be used in dynamic VLAN
feature for binding stations to interfaces based on VLAN
assignments. The change is done similarly to the wpa_psk_file
option.
Signed-off-by: Gong Cheng <chengg11@yahoo.com>
SVN-Revision: 46652
Add /etc/samba/smbpasswd to list of samba conffiles
thus preserving samba passwords across sysupgrade
by default.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
SVN-Revision: 46606
Fixes a 100% cpu usage issue if using dhcp-script.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 46550
Add 802.11r client support to wpa_supplicant. It's only enabled in
wpa_supplicant-full. hostapd gained 802.11r support in commit r45051.
Tested on a TP-Link TL-WR710N sta psk client with two 802.11r enabled
openwrt accesspoints (TP-Link TL-WDR3600).
Signed-off-by: Stefan Hellermann <stefan@the2masters.de>
SVN-Revision: 46377
odhcpd now sends unsolicited RAs also via unicast to known link-local
neighbors. This is an attempt to work-around common smartphone issues
https://code.google.com/p/android/issues/detail?id=32662
Also NDP-relay should now work more reliably now
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46357
When enabled the dnsmasq DHCP server allocates the IP addresses sequentially
starting from the lowest available IP address.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 46211
This is for security precautions. As persist_tun and persist_key are
already there, this should not cause compatibility issue.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
SVN-Revision: 45961
- fix iconv detection because it adds host paths
- disable python detection (host python-config is found)
iconv issue is reported by buildbot config.log + replicated locally
see config.log in logs.tar.gz
python issue observed locally on Arch Linux
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
SVN-Revision: 45953
Adds PPP unnumbered support via the parameter unnumbered which points to a logical OpenWRT interface.
The PPP proto shell handler will "borrow" an IP address from the unnumbered interface (if multiple
IP addresses are present the longest prefix different from 32 will be "borrowed") for which a host
interface dependency will be created. Due to the host interface dependency the PPP unnumbered interface
will only "borrow" an IP address from an interface which is up.
The borrowed IP address will be shared as local IP address by the PPP daemon and no other local IP
will be accepted from the peer in the IPCP negotiation.
A typical use case is the usage of a public IP subnet on the Lan interface which will be shared
by the PPP interface as local IP address.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 45948
This prevents auto-detection of libxml2 and thus the error:
Package lldpd is missing dependencies for the following libraries:
libxml2.so.2
Preventing a dependency to libxml2 is preferred, since libxml2
would be a out-of-(core-)tree dependency.
Reported-by: Buildbot
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
SVN-Revision: 45859
Bump dnsmasq to v2.73rc8
Important - fixes remotely exploitable buffer overflow introduced in all v2.73 test/release candidates.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
SVN-Revision: 45693
OpenVPN assumes that its control channel messages are sent and received
unfragmented, this assumption is broken when CBC record splitting is
enabled in mbedTLS.
The record splitting is intended as countermeasure against BEAST attacks
which do not apply to OpenVPN, therefore we simply disable it until
upstream OpenVPN gains the ability to process fragmented control
messages.
Disabling the splitting also works around a (not remotely triggerable)
segmentation fault in mbedTLS.
References:
* https://dev.openwrt.org/ticket/19101
* https://community.openvpn.net/openvpn/ticket/524
* https://github.com/ARMmbed/mbedtls/pull/185
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 45602
Hostapd's control file location was changed in 2013, and that has apparently
broken the wps button hotplug script in cases where there are multiple radios
and wps is possibly configured also for the second radio. The current wps
button hotplug script always handles only the first radio.
https://dev.openwrt.org/browser/trunk/package/network/services/hostapd/files/wps-hotplug.sh
The reason is that the button hotplug script seeks directories like
/var/run/hostapd*, as the hostapd-phy0.conf files were earlier in
per-interface subdirectories.
Currently the *.conf files are directly in /var/run and the control sockets
are in /var/run/hostapd, but there is no subdirectory for each radio.
root@OpenWrt:/# ls /var/run/hostapd*
/var/run/hostapd-phy0.conf /var/run/hostapd-phy1.conf
/var/run/hostapd:
wlan0 wlan1
The hotplug script was attempted to be fixed after the hostapd change by
r38986 in Dec2013, but that change only unbroke the script for the first
radio, but left it broken for multiple radios.
https://dev.openwrt.org/changeset/38986/
The script fails to find subdirectories with [ -d "$dir" ], and passes just
the only found directory /var/run/hostapd, leading into activating only the
first radio, as hostapd_cli defaults to first socket found inthe passed
directory:
root@OpenWrt:/# hostapd_cli -?
...
usage: hostapd_cli [-p<path>] [-i<ifname>] [-hvB] [-a<path>] \
[-G<ping interval>] [command..]
...
-p<path> path to find control sockets (default: /var/run/hostapd)
...
-i<ifname> Interface to listen on (default: first interface found in the
socket path)
Below is a run with the default script and with my proposed solution.
Default script (with logging added):
==================================
root@OpenWrt:/# cat /etc/rc.button/wps
#!/bin/sh
if [ "$ACTION" = "pressed" -a "$BUTTON" = "wps" ]; then
for dir in /var/run/hostapd*; do
[ -d "$dir" ] || continue
logger "WPS activated for: $dir"
hostapd_cli -p "$dir" wps_pbc
done
fi
>>>> WPS BUTTON PRESSED <<<<<
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan0 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan1 wps_get_status
PBC Status: Timed-out
Last WPS result: None
root@OpenWrt:/# logread | grep WPS
Tue Apr 14 18:38:50 2015 user.notice root: WPS activated for: /var/run/hostapd
wlan0 got WPS activated, while wlan1 remained inactive.
I have modified the script to search for sockets instead of directories and
to use the "-i" option with hostapd_cli, and now the script properly
activates wps for both radios. As "-i" needs the interface name instead of
the full path, the script first changes dir to /var/run/hostapd to get simply
the interface names.
Modified script (with logging):
===============================
root@OpenWrt:/# cat /etc/rc.button/wps
#!/bin/sh
if [ "$ACTION" = "pressed" -a "$BUTTON" = "wps" ]; then
cd /var/run/hostapd
for dir in *; do
[ -S "$socket" ] || continue
logger "WPS activated for: $socket"
hostapd_cli -i "$socket" wps_pbc
done
fi
>>>> WPS BUTTON PRESSED <<<<<
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan0 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan1 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# logread | grep WPS
Tue Apr 14 18:53:06 2015 user.notice root: WPS activated for: wlan0
Tue Apr 14 18:53:06 2015 user.notice root: WPS activated for: wlan1
Both radios got their WPS activated properly.
I am not sure if my solution is optimal, but it seems to work. WPS button is
maybe not that often used functionality, but it might be fixed in any case.
Routers with multiple radios are common now, so the bug is maybe more
prominent than earlier.
The modified script has been in a slightly different format in my community
build since r42420 in September 2014.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 45492
Two errors "netifd: radio0: sh: bad number" have recently surfaced in system
log in trunk when wifi interfaces come up. I tracked the errors to checking
numerical values of some config options without ensuring that the option has
any value.
The errors I see have apparently been introduced by r45051 (ieee80211r in
hostapd) and r45326 (start_disabled in mac80211). My patches fix two
instances of "bad number", but there may be a third one, as the original
report in bug 19345 pre-dates r45326 and already has two "bad number" errors
for radio0.
https://dev.openwrt.org/ticket/19345
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 45380
r45270 removed ieee80211n=%d from the format string but didn't remove
the parameter itself. Though this probably doesn't cause any harm, it's
quite confusing and unneeded.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 45351
Enables last error support for the PPP protocol handlers.
In generic teardown the PPP daemon exit code is translated into
a self explaining error string which is set as interface error
by proto_notify_error in case of failure.
Signed-off-by: Johan Peeters <johan.peeters111@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 45333
The arg argument is missing to the printer call in the print_option
utility when the option flag OPT_A2STRVAL is set.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 45264
PPPD crashes (SEGV) when the dump or dryrun options are specified and an option
is internally defined as "o_special" with an option flag of "OPT_A2STRVAL".
As the option value is not saved when the parameter is processed, a reference
to the option will result into a crash (e.g. when printing).
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 45263
User might have modified/extended template direct or by LuCI application.
So do not overwrite on update/upgrade.
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
SVN-Revision: 45258
This patch backports the option --tftp-no-fail to dnsmasq and prevents the
service from aborting if the specified TFTP root directory is not available;
this might be the case if TFTP files are located on external media that might
occasionally not be present at startup.
Signed-off-by: Stefan Tomanek <stefan.tomanek+openwrt@wertarbyte.de>
SVN-Revision: 45213
To enable 802.11r, wpa_key_mgmt should contain FT-EAP or FT-PSK. Allow
multiple key management algorithms to make this possible.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
SVN-Revision: 45050
The 802.11r implementation in hostapd uses nas_identifier as PMK-R0 Key
Holder identifier. As 802.11r can also be used with WPA Personal, nasid
should be appended to the hostapd config for all WPA types.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
SVN-Revision: 45049
'hostapd-common' is needed by all of the variants for wifi to function
correctly (a number of the target profiles simply select 'wpad-mini').
Signed-off-by: Nathan Hintz <nlhintz@hotmail.com>
SVN-Revision: 45048
These new variants include support for mesh mode and SAE crypto.
They always depend on openssl as EC operations are not provided by
the internal crypto implementation.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 45047
madwifi was dropped upstream, can't find it anywhere in OpenWrt
either, thus finally burrying madwifi.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 45045
Helpful to disable when debugging lldpd crashes (when working on it).
When privilege separation is on, some crashes are stack-traced to
some privilege separation code.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
SVN-Revision: 44967
from Erik Tews <erik@datenzone.de>
This patch has two effects. First, the quickleave feature/behaviour is
disabled for all groups that are used on more than one interface. The
idea of quickleave is to leave a group fast and later figure out whether
there is still somebody interested in that group. For groups used on
more than one interface, it is already known that there is still
somebody interested in that group.
Second, when a leave is received for a group that is used on more than
one interface, igmpproxy sends queries on all interface to discover
remeining listeners for that group. Previously these queries were only
send on the interface the leave was received on, so that listeners on
the other interfaces were not discovered and the group might be left on
the upstream router incorrectly.
This patch can be improved by sending the queries only on the interface
the leave was received on and adapting the algorithm in
internAgeRoute(...) in rttable.c in a way that only one interface is
actually processed and all other interfaces of the route are silently
assumed to be still active.
Signed-off-by: Erik Tews <erik@datenzone.de>
SVN-Revision: 44859
DNSMASQ has the ability to provide a menu to a pxeboot system, using
the --pxe-prompt and --pxe-service configuration options. The current
init.d script converting the "dhcp" file to "dnsmasq.conf" does not
find these options, but they are supported. This patch thus enables
the options.
Signed-off-by: Derek LaHousse <dlahouss@mtu.edu>
SVN-Revision: 44747
The --dhcp-boot option of dnsmasq does not require servername and serveraddress
arguments if the builtin tftp server is used.
Signed-off-by: Stefan Tomanek <stefan.tomanek+openwrt@wertarbyte.de>
SVN-Revision: 44744
The names for the config options were taken from lldpd's
configure.ac file.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
SVN-Revision: 44743
In a dual-WAN setup, it's useful to specify an interface over which to
have PPTP.
Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
SVN-Revision: 44507
This change adds the configuration options "bssid_whitelist" and
"bssid_blacklist" used to limit the AP selection of a network to a
specified (finite) set or discard certain APs.
This can be useful for environments where multiple networks operate
using the same SSID and roaming between those is not desired. It is also
useful to ignore a faulty or otherwise unwanted AP.
In many applications it is useful not just to enumerate a group of well
known access points, but to use a address/mask notation to match an
entire set of addresses (ca:ff:ee:00:00:00/ff:ff:ff:00:00:00).
This is especially useful if an OpenWrt device with two radios is used to
retransmit the same network (one in AP mode for other clients, one as STA for
the uplink); the following configuration prevents the device from associating
with itself, given that the own AP to be avoided is using the bssid
'C0:FF:EE:D0:0D:42':
config wifi-iface
option device 'radio2'
option network 'uplink'
option mode 'sta'
option ssid 'MyNetwork'
option encryption 'none'
list bssid_blacklist 'C0:FF:EE:D0:0D:42/00:FF:FF:FF:FF:FF'
This change consists of the following cherry-picked upstream commits:
b3d6a0a8259002448a29f14855d58fe0a624ab76
b83e455451a875ba233b3b8ac29aff8b62f064f2
79cd993a623e101952b81fa6a29c674cd858504f
(squashed to implement bssid_{white,black}lists)
0047306bc9ab7d46e8cc22ff9a3e876c47626473
(Add os_snprintf_error() helper)
Signed-off-by: Stefan Tomanek <stefan.tomanek+openwrt@wertarbyte.de>
SVN-Revision: 44438
Align init behaviour with other distros by starting an OpenVPN instance
for each config file found in /etc/openvpn/. This removes the additional
requirement to "register" the configs with uci and thus simplifies the
setup.
Make sure to respect the disabled state in uci to not suddenly autostart
instances which have been previously set to disabled, also skip configs
which are already started due to uci configuration.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 44310
The previous update introducing LFS support unconditionally changed the
sprintf() pattern used to print the file modification time to use PRIx64.
Explicitely convert the st_mtime member of the stat struct to uint64_t in
order to avoid type mismatch errors when building for non-64bit targets.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 44138
* Fix the ubus plugin to not make its uhttpd_plugin entry symbol
constant as uhttpd needs to modify its list_head member
* Make sure that uhttpd supports large files by using 64bit ints
where appropriate and by passing _FILE_OFFSET_BITS=64 to the build
* Plug a possible memleak in the directory listing code
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 44135
The previous implementation of the "host-uniq" option used plain strings for
passing the value to pppd which made it impossible to specify binary data.
Switch the format to a hex encoded string to support binary data.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 44094
This patch adds a simple check to silence logging of messages about
unrecognized igmp packets which originate from devices in local network.
Without this patch igmpproxy floods openwrt syslog with messages such as:
user.warn igmpproxy[19818]: The source address 192.168.1.175 for group
239.255.250.250, is not in any valid net for upstream VIF.
Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
SVN-Revision: 44020
The --quiet-dhcp setting increases privacy by omitting DHCP lease logs including MAC addresses.
Signed-off-by: Lars Kruse <devel@sumpfralle.de>
SVN-Revision: 44006
Introduce configuration options to build an "hardened" OpenWRT.
Options to enable Stack-Smashing Protection, FORTIFY_SOURCE and RELRO
have been introduced.
uClibc makefile now automatically detects if SSP support is necessary.
hostapd makefile has been fixed to use "^" as sed separator since
using a comma was problematic when using "-Wl,-z,now" and the like in
TARGET_CFLAGS.
Currently enabling SSP on user space depends on enabling SSP kernel
side, this is due to the fact that TARGET_CFLAGS are used to build
kernel modules (at least). Suggestions on how to avoid this are welcome.
Using "select" instead of "depends on" doesn't seem to work with choice
entries.
Tested with a lantiq (WBMR) router, GCC 4.8, uClibc and a subset of
the available packages.
Needs to be tested with GCC 4.9 and the remaining packages.
PIE not currently included.
Signed-off-by: Alessandro Di Federico <ale+owrt@clearmind.me>
SVN-Revision: 44005
This patch fixes adding new stations for some specific drivers when
using more than 1 BSS.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
SVN-Revision: 43951
Makes sure that the openvpn instance gets restarted in case of a crash.
Intentional stops using /etc/init.d/openvpn stop will not result in
respawning. Anything else will, e.g. killall openvpn.
Signed-off-by: Lars Gierth <larsg@systemli.org>
SVN-Revision: 43886
This patch tries to
- Let the DHCPv6 feature depend on CONFIG_IPV6.
- Conditionally select libnettle, kmod-ipv6, kmod-ipt-ipset only if the
corresponding features are enabled.
- Install `trust-anchors.conf` only if DNSSEC is selected.
- Add PKG_CONFIG_DEPENDS for the configurable options.
- Add a patch to let the Makefile of dnsmasq be aware of changes in
COPTS variable.
Big thanks goes to Frank Schäfer <fschaefer.oss@googlemail.com> for
providing necessary information on connections and dependency relations
between these CONFIGs and packages.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
SVN-Revision: 43851
The uapsd option sets the uapsd_advertisement_enabled flag in hostapd.
The check for phy support is already implemented here in hostapd since 2011:
http://w1.fi/cgit/hostap/commit/?id=70619a5d8a3d32faa43d66bcb1b670cacf0c243e
So this can be safely set to 1 as default.
Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
SVN-Revision: 43846
In r41872 and r42787 Dynamic VLAN support was reintroduced, but the vlan_bridge
parameter is not read while setting up the config, so the default is used which
is undesirable for some uses.
Signed-off-by: Ben Franske <ben.mm@franske.com>
SVN-Revision: 43473
Note, that licensing stuff is a nightmare: many packages does not clearly
state their licenses, and often multiple source files are simply copied
together - each with different licensing information in the file headers.
I tried hard to ensure, that the license information extracted into the OpenWRT's
makefiles fit the "spirit" of the packages, e.g. such small packages which
come without a dedicated source archive "inherites" the OpenWRT's own license
in my opinion.
However, I can not garantee that I always picked the correct information
and/or did not miss license information.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
SVN-Revision: 43155
Port Debians adaptive LCP echo patch to pppd, make it configurable with UCI
and enable it by default.
When adaptive LCP echo is enabled, LCP echo requests are only sent if the
link is idle, this avoids the common situation where a congested PPP link
(e.g. during torrenting) is falsely detected as disconnected because the
LCP replies are not received in time.
Also bump the copyright year in the Makefile, remove a redundant maintainer
entry and fix the shell processing of the keepalive option when the two-
value syntax is used.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 43143
* Fixes sending an extraneous message body for 204 and 304 resoponses which
breaks Chrome in keep-alive mode.
* Adds mimetypes for JSON and JSONP.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 43078
The wpa_psk_file option offers the possibility to use a different WPA-PSK key for each client. The directive points to a file with the following syntax:
mac_address wpa_passphrase_or_hex_key
Example:
00:11:22:33:44:55 passphrase_for_client_1
00:11:22:33:44:67 passphrase_for_client_2
00:11:22:33:44:89 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
So it is possible to specify both ASCII passphrases and raw 64-chars hex keys.
Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
SVN-Revision: 43001
* Rewrite ndp proxy using kernel proxying
* Aid flash-renumbering in hybrid DHCPv6-mode
* Unicast RAs to RS senders
* Add support for router address
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 42944
[base-files] shell-scripting: fix wrong usage of '==' operator
normally the '==' is used for invoking a regex parser and is a bashism.
all of the fixes just want to compare a string. the used busybox-ash
will silently "ignore" this mistake, but make it portable/clean at least.
this patch does not change the behavior/logic of the scripts.
Signed-off-by: Bastian Bittorf <bittorf@bluebottle.com>
SVN-Revision: 42911
This is not needed after all:
Omitting option ipv6 or setting it to 'auto' will
fire up a dhcpv6 subprotocol (this was added).
Setting ipv6 to 1 will only cause the IPv6 link to
be brought up and an accompanying dhcpv6 or static
interface with ifname @wan can be used to configure addresses.
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 42859
Use network_get_ipaddrs_all to get all ip-addresses of an interface. If the
function fails, the interface does not exists or has not any suiteable ip
addresses assigned.
Use the returned ip-address(es) to construct the dropbear listen address.
Signed-off-by: Mathias Kresin <openwrt@kresin.me>
SVN-Revision: 42857
In r41872 Dynamic VLAN support was reintroduced, but the vlan_naming
parameter is not read while setting up the config, so it always
defaults to 1.
Signed-off-by: Reiner Herrmann <reiner@reiner-h.de>
SVN-Revision: 42787
Send a netlink call to leave the mesh when meshd exits
Make hunting-and-pecking loop (more) resistant to side channel attack
Signed-off-by: Michel Stam <m.stam@fugro.nl>
SVN-Revision: 42750
With this patch WPS discovery can be started or canceled over ubus if
WPS is enabled in wireless configuration. This is equivalent of
'hostapd_cli wps_pbc' and 'hostapd_cli wps_cancel' commands.
Signed-off-by: Petar Koretic <petar.koretic@sartura.hr>
SVN-Revision: 42459
* ipv6
* 4 bugs in the dns parser
* service announcement
* tx goodbye support
* proper handling of rx goodbye
Signed-off-by: John Crispin <blogic@openwrt.org>
SVN-Revision: 42325
Use an if/else statement to cover the two different syntaxes. Add
comments explaining what the end results should look like.
This patch should not change the script's output.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
SVN-Revision: 42320
An entry like this in /etc/config/dhcp:
config 'host'
option 'name' 'pc2'
option 'ip' '192.168.100.56'
option 'dns' '1'
results in a /tmp/hosts/dhcp entry that looks like this:
192.168.100.56 .lan
Obviously it should say "pc2.lan".
This happens because $name is set to "" in order to support the MAC-less
syntax: "--dhcp-host=lap,192.168.0.199". Fix this by reordering the
operations. Also, refuse to add a DNS entry if the hostname or IP is
missing.
Fixes#17683
Reported-by: Kostas Papadopoulos <kpapad75@travelguide.gr>
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
SVN-Revision: 42319
LuCI creates "domain" UCI config sections, which the dnsmasq init file
then, currently, translates into "address" config lines. This is not
the correct usage of "address" (see r36943), and also causes rDNS
records to not be created. This patches dnsmasq.init to utilize the
additional hosts file introduced in r40799 for such domain names,
resolving both issues.
Signed-off-by: Tyler Fenby <tylerf@securecominc.com>
SVN-Revision: 42318
A quite frequent problem after sysupgrading from an older, SSL enabled build
is that ustream-ssl is not installed so uhttpd fails to come up again due to
https listening directives in the preserved configuration.
Skip key/cert and ssl listen options when libustream-ssl.so is not present.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 42284
somebody started to set a function returncode in the validation
stuff and everybody copies it, e.g.
myfunction()
{
fire_command
return $?
}
a function automatically returns with the last returncode,
so we can safely remove the command 'return $?'. reference:
http://tldp.org/LDP/abs/html/exit-status.html
"The last command executed in the function or script determines the exit status."
Signed-off-by: Bastian Bittorf <bittorf@bluebottle.com>
SVN-Revision: 42278
Disable MIPS16 to prevent it negatively affecting performance.
Observed was a increase of connection delay from ~6 to ~11 seconds
and a reduction of scp speed from 1.1MB/s to 710kB/s on brcm63xx.
Fixes#15209.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 42250
Add a further upstream commit to more closely match the keepalive
to OpenSSH.
Should now really fix#17523.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 42249
Don't send SSH_MSG_UNIMPLEMENTED for keepalive responses, which broke
at least putty.
Fixes#17522 / #17523.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 42162
This patch brings full dynamic vlan support to netifd that existed in hostapd.sh in Attitude Adjustment.
Signed-off-by: Joseph CG Walker <Joe@ChubbyPenguin.net>
[jow@openwrt.org: changed commit message, rebased on top of current hostapd.sh]
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 41872
currently the keepalive option needs to be removed to fully disable it. this patch allows us to set it to 0.
Signed-off-by: John Crispin <blogic@openwrt.org>
SVN-Revision: 41438
this is still wip, you can use the following ubus calls.
ubus call mdns scan # triggers a scan
ubus call mdns browse # look at the currenlty cached records
ubus call mdns hosts # look at the currenlty cached hosts
TODO
- ipv6, currenlty AAAA records are handled but only on v4 sockets
- finish the service announce code
Signed-off-by: John Crispin <blogic@openwrt.org>
SVN-Revision: 41345
* Add Authoritative DNS and IPSET to full variant
* Remove some bloat from IPSET support
* Reintroduce "DHCP no address warning"-patch
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 41246
Ship keys for the root zone and add two uci options to enable
DNSSEC checks:
Option 'dnssec': Activate DNSSEC validation
Option 'dnsseccheckunsigned': Ensure answers without DNSSEC are in
unsigned zones.
Signed-off-by: Andre Heider <a.heider@gmail.com>
SVN-Revision: 41245
This variant includes support for DHCPv6 and DNSSEC.
DNSSEC adds a dependency on libnettle.
Signed-off-by: Andre Heider <a.heider@gmail.com>
SVN-Revision: 41244
As documented in config.h.
Doing otherwise will break dnsmasq's pkg-wrapper script to find its
libs to link to.
Signed-off-by: Andre Heider <a.heider@gmail.com>
SVN-Revision: 41241
Fixed wpa_supplicant when the radio is in 40MHz mode so that it no
longer restarts hostapd with the second channel disabled.
Signed-off-by: Lance Chaney <furryfur1@gmail.com>
SVN-Revision: 41019
rsn_preauth is used outside of "case $auth_type", so if it is set
for an EAP-enabled SSID, it would also be set for the following
non-EAP-enabled SSIDs, because it would not be read again.
Signed-off-by: Reiner Herrmann <reiner@reiner-h.de>
SVN-Revision: 41012
`own_ip_addr` is used by hostapd as NAS-IP-Address.
This is used to identify the AP that is requesting the authentication of the
user and could be used to define which AP's can authenticate users.
Some vendors implement only NAS-Identifier or NAS-IP-Address and not both.
This patch adds ownip as an optional parameter in /etc/config/wireless.
Signed-off-by: Thomas Wouters <thomaswouters@gmail.com>
SVN-Revision: 40934
allows to set PPP interface name manually via new
network interface option pppname.
If not set, default naming will be used (e.g. pppoe-eth0)
Signed-off-by: Ulrich Weber <uw@ocedo.com>
SVN-Revision: 40933
DHCP entries in /etc/config/dhcp will not automatically create A or PTR
records. Add an "option dns" directive which appends an entry to
/tmp/hosts/dhcp to facilitate forward and reverse DNS lookups. For
instance, this item:
config host
option ip '192.168.0.10'
option mac '00:13:57:9b:df:02'
option name 'winpc'
option dns '1'
will add a corresponding entry to /tmp/hosts/dhcp:
192.168.0.10 winpc.lan
This keeps the hostname/IP/MAC in a single place, for easy maintenance.
Related: ticket #13854 reports an regression involving missing PTR
records when using "config domain" to define static DNS entries for
individual hosts. However, per Simon Kelley[1], the --address feature
used by "config domain" was never intended to generate DNS A records for
hosts. It would probably be better for the reporter to apply this patch,
and then use "config host" sections instead of "config domain" sections.
[1] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q4/002498.html
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: Florian Fainelli <florian@openwrt.org>
SVN-Revision: 40799
This updates samba to the most recent minor version.
This patch is based on a patch by Anton van Bohemen <avbohemen@ziggo.nl>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 40618
This patch fixes compilation failure for hostapd when using eglibc 2.15.
Signed-off-by: Zachery Stoddard <zacherystoddard@gmail.com>
SVN-Revision: 40575
This patch implements support for 802.11s protected mesh wireless networks (using authsae) in the netifd framework.
Until meshd-nl80211 implements a proper -P option for the PID file, this uses shell backgrounding in order to be able to get the PID for the process.
Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
SVN-Revision: 40497
r39995 introduced a new parameter wps_pbc_in_m1 to wifi wps config, but
apparently did not provide a default value 0.
When that option's non-existing value is later evaluated in
/lib/netifd/hostapd.sh, it causes the "bad number" error to be logged in
syslog if user has not set the wps_pbc_in_m1 option. The error materialises
only if user has enabled wps.
Sat Apr 12 13:25:01 2014 daemon.notice netifd: radio1 (1254): sh: bad number
Sat Apr 12 13:25:01 2014 daemon.notice netifd: radio0 (1253): sh: bad number
Discussion in bug 15508: https://dev.openwrt.org/ticket/15508#comment:3
Error is caused by line 282:
https://dev.openwrt.org/browser/trunk/package/network/services/hostapd/files/netifd.sh#L282
My patch sets the parameter's default value to 0, which does nothing. The
default might also be set a bit later in the function, but this felt like the
most clear place to do that.
Signed-off-by hnyman <hannu.nyman@iki.fi>
SVN-Revision: 40469
fixes incremental build with change to CONFIG_DROPBEAR_ECC
drop --with-shared which is unknown to configure
Patch by Catalin Patulea <cat@vv.carleton.ca>
SVN-Revision: 40300
Without timeout mechanism, if ssh client disconnected without sending
FIN or RST, forked dropbear servers would hang there for
KEX_RETRY_TIMEOUT seconds (8 hours).
TCP keepalive is not implemented in dropbear yet, thus the name
SSHKeepAlive.
300 seconds in this patch is selected from the default value of
ServerAliveInterval for Debian ssh client (See man ssh_config).
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
SVN-Revision: 40299
Option pbc_in_m1 is being used as a WPS capability discovery
workaround for PBC with Windows 7.
Add possibility to enable this workaround from UCI.
To enable it, turn on wps and set wps_pbc_in_m1 parameter to 1.
Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
SVN-Revision: 39995
This patch removes dependancy of PPP from chat application as chat application can be used for other serial communication as well that is not dependant on PPP and therefore one should be able to install chat without PPP. There also are no dependencies within chat application for PPP.
Signed-off-by: Oskari Rauta <oskari.rauta at gmail.com>
SVN-Revision: 39992
Similarly to the previously broken address pools, DNS-servers and some
MSRs could be advertised incorrectly as well. This is now fixed.
SVN-Revision: 39739
This patch introduces 802.11ac support to mac80211 and hostapd. The split of
VHT160 in two 80 MHz bands is not yet supported, since it requires an
additional user supplied parameter for the channel of the second band.
Signed-off-by: Matti Laakso <malaakso@elisanet.fi>
Signed-off-by: Simon Wunderlich <simon@open-mesh.com>
[sven@open-mesh.com: Rebased patch, merged htmode and vhtmode,
removed special hwmode, replaced uci vht_capab list with overwritable
autoconfig, fixed hostapd integration, fixed commit description, add HT40+/-
for VHT modes, add VHT40 center_freq autoconfig, refactored major parts]
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 39456
Introduced by ("netifd: add wireless configuration support and port mac80211 to
the new framework")
Reported-by: René van Weert <r.vanweert@sowifi.com>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
SVN-Revision: 39288
Introduced by ("netifd: add wireless configuration support and port mac80211 to
the new framework")
Reported-by: René van Weert <rene@sowifi.com>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
SVN-Revision: 39231
- cache udhcp check results to speed up subsequent reloads
- enable procd file tracking for /var/etc/dnsmasq.conf to only reload service if needed
- implement reload action to only restart dnsmasq if /var/etc/dnsmasq.conf actually changed
- launch dnsmasq from interface hotplug to avoid race conditions with network bringup
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 39152
This commit changes the dnsmasq init script to use the interface
status exposed by netifd. The old references to scan_interfaces()
and (indirect) accesses to uci state variables are removed and
replaced with corresponding network_*() calls.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 39101
Before this patch, if we specify a plugin specific option through
`pppd_options` in /etc/config/network, e.g. `rp_pppoe_verbose 1`, pppd
would quit with the following error in log.
Wed Oct 9 09:42:58 2013 daemon.notice netifd: GORG (1689): /usr/sbin/pppd: unrecognized option 'rp_pppoe_verbose'
Wed Oct 9 09:42:58 2013 daemon.err pppd[1689]: unrecognized option 'rp_pppoe_verbose'
Wed Oct 9 09:42:58 2013 daemon.notice netifd: GORG (1689): pppd version 2.4.5
Wed Oct 9 09:42:58 2013 daemon.notice netifd: GORG (1689): Usage: /usr/sbin/pppd [ options ], where options are:
This is due to the requirement that function add_option() should be
called by the plugin_init() function first before pppd can parse those
options.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
SVN-Revision: 38911
Changeset r36943 ("dnsmasq: use host-record instead of address") removed
the automatic domain expansion for config domain sections, this breaks
existing setups and alters the old behaviour in unexpected ways, therfore
restore behaviour of the current stable release.
Additionally handle fully qualified hostnames properly when setting up the
own hostrecord by stripping the local domain part form the given name
instead of unconditionally appending it, so that "example.lan" results
in "example example.lan" and not "example.lan example.lan.lan".
SVN-Revision: 38648
- clean up duplication of procd instance handling code
- using --cd *after* --config is rather pointless
- to be able to log errors properly, --syslog needs to be passed before --config
- tell procd about the generated or referenced config file instead of
the uci file. this avoids having to restart all instances if only one
of them changes.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 38632
Possible parameters are yes, no and adaptive. See manpage for more information.
Signed-off-by: Philipp Borgers <borgers@mi.fu-berlin.de>
SVN-Revision: 38412
There are certain consumer devices which are outliers in protocol conformance.
An example is Samsung bluray players, which require broadcast DHCP responses
(on Ethernet only, strangely not on Wifi).
By specifying:
config host
...
option broadcast 1
this will enable the response to be sent as an Ethernet broadcast and not as
a unicast.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
SVN-Revision: 38365
proto_pptp_setup is responsible for loading the required modules to establish
a pptp connection to a foreign peer. The function checks whether all required
modules are already loaded, before actually loading them.
It seems that the filter being used to accomplish this, is not restrictive
enough in some cases. For instance when pptp nat helper modules are present on
a system, and already loaded before a pptp connection is enabled. Then the
search filter (possibly) returns the following for module=pptp, where actually
no matches are expected, resulting in the pptp.ko module not being loaded,
thereby failing to establish the pptp connection.
# module="pptp" ; grep "$module" /proc/modules
nf_nat_pptp 1312 0 - Live 0x86ce7000
nf_conntrack_pptp 3072 1 nf_nat_pptp, Live 0x86cb9000
nf_nat_proto_gre 784 1 nf_nat_pptp, Live 0x86cba000
nf_conntrack_proto_gre 2368 1 nf_conntrack_pptp, Live 0x86cbf000
nf_nat 9792 13 nf_nat_rtsp,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_h323,nf_nat_proto_gre,nf_nat_amanda,nf_nat_irc,nf_nat_ftp,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,iptable_nat, Live 0x86ca8000
nf_conntrack 37264 31 nf_nat_rtsp,nf_conntrack_rtsp,nf_nat_tftp,nf_conntrack_tftp,nf_nat_snmp_basic,nf_conntrack_snmp,nf_nat_sip,nf_conntrack_sip,nf_nat_pptp,nf_conntrack_pptp,nf_nat_h323,nf_conntrack_h323,nf_conntrack_proto_gre,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_broadcast,nf_nat_irc,nf_conntrack_irc,nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,xt_helper,xt_connmark,xt_connbytes,xt_conntrack,xt_CT,xt_NOTRACK,xt_state,nf_conntrack_ipv4, Live 0x86c90000
The search filter can be made more accurate/restrictive, by requiring the
occurance of the exact name of the module at the beginning of a line in
/proc/modules.
# module="pptp" ; grep "^$module " /proc/modules
pptp 13296 2 - Live 0x86e80000
Signed-off-by: Tijs Van Buggenhout <tvb@able.be>
SVN-Revision: 38358
Currently, in order to configure the authentication daemon in
8021x mode, we need to set wireless.@wifi-iface[0].encryption="wpa"
Though it works it confuses folks as 8021x is using WEP
encryption and not WPA. Therefore the terminology itself is
confusing. This change adds 8021x as a recognized string for 8021x
authentication.
Signed-off-by: Mathieu Olivari <mathieu@qca.qualcomm.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>
SVN-Revision: 38339
Setting wireless.@wifi-iface[N].ext_registrar=1 will enable UPNP
advertising and add an external registrar to the interface this vif
belongs to (br-lan if the vif is included in the LAN bridge). By
enabling this we append upnp_iface=xxx to the hostapd config file.
Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
Signed-off-by: Mathieu Olivari <mathieu@qca.qualcomm.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>
SVN-Revision: 38338
Enable CONFIG_WPS2 for hostapd. This is required to support
options like Virtual Push Button in WPS.
Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>
SVN-Revision: 38337
In 2009 OpenWrt's hostapd config added an "auth_cache" boolean
to be used to address a reported issue #12129 [0] on a forum [1].
The reported issue on the ticket is different that the one
described on the forum. The commit was r33359. This change broke
proper RSN preauthentication [2] [3] [4] expectations on hostapd's
configuration for WPA2 and this in turn disabled PMKSA caching and
Opportunistic Key Caching. This change:
* Leaves the "auth_cache" to be used only for WPA networks for those
looking to use this as a workaround to a reported issue but annotates
a warning over its usage.
* Separate "auth_cache" from WPA2 RSN preauthentication, leaving
WPA2 RSN preauthentication to enabled only with "rsn_preauth" with
the expected and recommended settings.
* Adds a new WPA2 RSN preauthentication "rsn_preauth_testing" to
be used when evaluating funcionality for WPA2 RSN preauthentication
with the expected and recommended settings with the only difference
so far with what should be enabled by default to disable Opportunistic
Key Caching.
Disabling the PMKSA cache should mean the STA could not roam off and back
onto the AP that had PMKSA caching disabled and would require a full
authentication cycle. This fixes this for WPA2 networks with
RSN preauthentication enabled.
This change should be applied to AA as well as trunk.
TL DR;
The issue described on the forum has to do with failure of a STA
being able to try to authenticate again with the AP if it failed
its first try. This may have been an issue with hostapd in 2009
but as per some tests I cannot reproduce this today on a WPA2
network.
The issue described on the ticket alludes to a security issue with the
design of using a Radius server to authenticate to an AP. The issue
vaguely alludes to the circumstances of zapping a user, deleting their
authentication credentials to log in to the network, and that if
RSN preauthentication is enabled with PMKSA caching that the user
that was zapped would still be able to authenticate.
Lets treat these as separate issues.
I cannot reproduce the first issue reported on the forums of not
being able to authenticate anymore on a WPA2 network.
The issue reported on the ticket modified WPA2 RSN preauthentication
by adding two fields to the hostapd configuration if auth_cache
was enabled:
* disable_pmksa_caching=1
* okc=0
The first one disables PMKSA authentication cache.
The second one disables Opportunistic Key Caching.
The issue reported on the ticket was fixed by implementing a workaround
in hostapd's configuration. Disabling PMKSA caching breaks proper use
of WPA2 RSN pre authentication. The usage of disable_pmksa_caching=1
prevents hostapd from adding PMKSA entries into its cache when a successful
802.1x authentication occurs. In practice RSN preauthentication would
trigger a STA to perform authentication with other APs on the same SSID,
it would then have its own supplicant PMKSA cache held. If a STA roams
between one AP to another no new authenitcation would need to be performed
as the new AP would already have authenticated the STA. The purpose of the
PMKSA cache on the AP side would be for the AP to use the same PMKID for
a STA when the STA roams off onto another BSSID and later comes back to it.
Disabling Opportunistic Key Caching could help the reported issue
as well but its not the correct place to address this. Opportunistic
Key Caching enables an AP with different interfaces to share the
PMKSA cache. Its a technical enhancement and disabling it would
be useful to let a testing suite properly test for RSN preauthentication
given that otherwise Opportunistic Key Caching would enable an
interface being tested to derive its own derive the PMKSA entry.
In production though okc=1 should be enabled to help with RSN
preauthentication.
The real fix for this particular issue outside of the scope of hostapd's
configuration and it should not be dealt with as a workaround to
its configuration and breaking expected RSN preauthentication and
technical optimizations. Revert this change and enable users to pick
and choose to enable or disable disable_pmksa_caching and okc expecting them
to instead have read clearly more what these do.
As for the core issure ported, the correct place to fix this is to
enable a sort of messaging between the RADIUS server and its peers
so that if caching for authentication is enabled that cache can be
cleared upon user credential updates. Updating a user password
(not just zapping a user) is another possible issue that would need
to be resolved here. Another part of the solution might be to reduce
the cache timing to account for any systematic limitations (RADIUS
server not able to ask peers to clear cache might be
one).
[0] https://dev.openwrt.org/changeset/33359
[1] https://forum.openwrt.org/viewtopic.php?id=19596
[2] http://wireless.kernel.org/en/users/Documentation/hostapd#IEEE_802.11i.2FRSN.2FWPA2_pre-authentication
[3] http://wireless.kernel.org/en/users/Documentation/wpa_supplicant#RSN_preauthentication
[4] http://wiki.openwrt.org/doc/recipes/rsn_preauthentication
Signed-off-by: Luis R. Rodriguez <mcgrof@do-not-panic.com>
SVN-Revision: 38336
This adds the eap_reauth_period to be used for modifying
the RADIUS server reauthentication authentication period,
a parameter that gets passed directly to the hostapd
configuration file.
Signed-off-by: Mathieu Olivari <mathieu@qca.qualcomm.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>
SVN-Revision: 38334
Changes include:
* removing unused variables
* replacing spaces with tabs where appropriate
* more consistency with variable declarations
Signed-off-by: Luka Perkov <luka@openwrt.org>
SVN-Revision: 38142
- fixes buffer corruption with JSON-RPC list calls
- change JSON-RPC protocol to include the session ID into the call
attributes instead of passing it via the URL
- forcibly pass effective session ID as "ubus_rpc_session" attribute
to called procedures
- change ubus acl checking to conform with new ubus session namespace
SVN-Revision: 37962
hostapd supports "Dynamic Authorization Extensions", making it possible
to forcibly disconnect a user by sending it a RADIUS "Disconnect-Request"
packet.
I've added three new variables to enable setting of the
"radius_das_client" and "radius_das_port" variables in the hostapd
configuration, which enable these extensions.
* dae_client - IP of the client that can send disconnect requests
* dae_secret - shared secret for DAE packets
These are combined into the "radius_das_client" option in hostapd.conf
To enable the server, both dae_client and dae_secret must be set.
* dae_port - optional, default value is 3799 as specified in RFC 5176
Signed-off-by: Martijn van de Streek <martijn@vandestreek.net>
SVN-Revision: 37734
WEP in WDS is currently broken in hostapd. Add a patch
to fix the issue.
Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
SVN-Revision: 37733
Add a patch for hostapd that introduces a config option
"start_disabled" which can be used to bring up an AP
interface with beaconing disabled. This is useful in
a Repeater-AP setup where the Repeater AP has to start
beaconing only after the WDS link has been established.
Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
SVN-Revision: 37730
this patches updates openvpn to v2.3.2
and adds a PKG_MD5SUM to the Makefile
This release fixes a memory access violation when cipher none is used
on ar71xx - at least with my config
Signed-off-by: Peter Wagner <tripolar@gmx.at>
SVN-Revision: 37560
This patch modifies the uci scripts to be able to
start meshd-nl80211 for encrypted mesh networks,
therefor a new script (authsae.sh) is inserted.
Signed-off-by: Emanuel Taube <emanuel.taube@gmail.com>
[etienne.champetier@free.fr: just update mac80211.sh path]
Signed-off-by: Etienne CHAMPETIER <etienne.champetier@free.fr>
SVN-Revision: 37554
This patch adds authsae open80211s authentication daemon (http://open80211s.org)
It's a rework of Peter Naulls patch (http://patchwork.openwrt.org/patch/1350/)
I've excluded the sample conf file as it's useless when used with mac80211.sh (Emanuel Taube patch)
It now link against libnl-tiny instead of libnl (patch merged in authsae git)
Authsae is 58 Ko (OPENSSL_WITH_EC option adds 35Ko to libopenssl)
Signed-off-by: Peter Naulls <peter@chocky.org>
Signed-off-by: Etienne CHAMPETIER <etienne.champetier@free.fr>
SVN-Revision: 37553
lldpd 0.7.1 has several alignment issues that trip a system configured
to fault on misaligned accesses. Version 0.7.5 fixes that along with a
few other minor issues.
Signed-off-by: John Szakmeister <john@szakmeister.net>
SVN-Revision: 37168
this cause the wps trigegr to be copied to the wrong place
https://dev.openwrt.org/ticket/13753
Signed-off-by: John Crispin <blogic@openwrt.org>
SVN-Revision: 37031
Make hostapd.sh correctly handle the macfile uci option.
Such option specifies the macfile name to pass into the
hostapd configuration file. Moreover, if a maclist option
has been specified, copy the macfile before appending new
entries.
Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
SVN-Revision: 36944
Using "--address" for individual host A records is broken, use "--host-record" instead.
The following patch changes dnsmasq.init to build individual host records using "--host-record" instead of "--address".
Signed-off-by: Adam Gensler <openwrt at gnslr.us>
[jow: shorter description, simplified shell script code]
SVN-Revision: 36943
This patch simply adds support for the "--proxy-dnssec" command in dnsmasq into the init file so it can be used with /etc/config/dhcp.
Signed-off-by: Adam Gensler <openwrt@kristenandadam.net>
SVN-Revision: 36570
- introduce "list interface" options to specify the ifaces to listen on, takes uci- or network device name
- set the default system description to distrib @ hostname, e.g. "OpenWrt Barrier Breaker r34744 @ vbox"
- introduce "option lldp_description" to override the automatically generated description
SVN-Revision: 34970
Using variables from the outer scope unnecessarily complicates the code and
leads to issues.
This patch fixes the bug when having an "adhoc" wifi-iface section before a
"sta" section prevents wpa_supplicant from using the key specified in the
corresponding section as it tries to use the "adhoc" key instead (1 by
default).
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
SVN-Revision: 34716
Since the switch to netifd, proto handlers may always set the defaultroute
and provide dns server addresses, netifd will decide in the generic code
path whether the announced values are masked or not.
Additionally protocol handlers should not modify the routing tables themselves
and prevent any launched services from doing so.
Remove the additional defaultroute and peerdns option handling from the ppp.sh
protocol handler and rely on netifd to mask or not mask the values.
SVN-Revision: 34536
Upstream has a few code cleanups, more eagerly burns sensitive memory and
includes the fix for CVE-2012-0920. Full changelog:
https://matt.ucc.asn.au/dropbear/CHANGES
Local changes:
- Removed PKG_MULTI which is no longer in options.h (even before 2011.54)
- Merged DO_HOST_LOOKUP into 120-openwrt_options.patch
- Removed LD from make opts (now included in TARGET_CONFIGURE_OPTS)
- Removed 400-CVE-2012-0920.patch which is included in 2012.55
Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>
Signed-off-by: Florian Fainelli <florian@openwrt.org>
SVN-Revision: 34496
Previously only the first macfilter configuration would have been used
on all interfaces. However, the configuration was always done per vif
already. Hence, move the macfilter setup into hostapd.sh where and
create one mac list file per vif.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
SVN-Revision: 34470