While technically required by the RFC, they are usually completely
unused (DSA), or have security issues (3DES, CBC)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 46814
This enables passworldless login for root via SSH whenever no root
password is set (e.g. after reset, flashing without keeping config
or in failsafe) and removes telnet support alltogether.
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46809
* ra: don't announce as default router if we aren't (regression)
* ra: reduce maximum announced dns lifetimes due to buggy clients
* dhcpv6: fix mac-based lease-matching
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46802
Add CONFIG_IEEE80211W variable to DRIVER_MAKEOPTS so that 802.11w
support is properly compiled in full variant.
This fixes#20179
Signed-off-by: Janusz Dziemidowicz <rraptorr@nails.eu.org>
SVN-Revision: 46737
Other VLAN related options are already being processed in netifd.sh
but the vlan_file option is missing. This option allows the mapping
of vlan IDs to network interfaces and will be used in dynamic VLAN
feature for binding stations to interfaces based on VLAN
assignments. The change is done similarly to the wpa_psk_file
option.
Signed-off-by: Gong Cheng <chengg11@yahoo.com>
SVN-Revision: 46652
Add /etc/samba/smbpasswd to list of samba conffiles
thus preserving samba passwords across sysupgrade
by default.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
SVN-Revision: 46606
Fixes a 100% cpu usage issue if using dhcp-script.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 46550
Better synchronize RA & DHCPv6 events
Accumulate some events to avoid flooding
Restart softwires for address and prefix changes
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46518
otherwise it's not picked up by toolchain:
staging_dir/toolchain-mipsel_24kec+dsp_gcc-4.8-linaro_musl-1.1.10/lib/gcc/mipsel-openwrt-linux-musl/4.8.3/../../../../mipsel-openwrt-linux-musl/bin/ld: cannot find -lsw
Signed-off-by: Roman Yeryomin <roman@advem.lv>
SVN-Revision: 46406
Also drop the configure (not .ac) patch part as autoreconf will
overwrite it anyway with a newly generated version.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
Acked-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 46385
Add 802.11r client support to wpa_supplicant. It's only enabled in
wpa_supplicant-full. hostapd gained 802.11r support in commit r45051.
Tested on a TP-Link TL-WR710N sta psk client with two 802.11r enabled
openwrt accesspoints (TP-Link TL-WDR3600).
Signed-off-by: Stefan Hellermann <stefan@the2masters.de>
SVN-Revision: 46377
odhcpd now sends unsolicited RAs also via unicast to known link-local
neighbors. This is an attempt to work-around common smartphone issues
https://code.google.com/p/android/issues/detail?id=32662
Also NDP-relay should now work more reliably now
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46357
The musl build "fix" introduced in r45108 removed all netinet/ether.h
includes, which made the prototypes of ether_aton and ether_ntoa
unavailable. As a result, the compiler assumed they return int instead
of a pointer. This currupted the pointer on 64bit targets, causing ebtables
to segfault in commands containing MAC addresses.
Since r46161 made it possible to include both the kernel and the libc
if_ether.h as long as the libc version is included first, this patch
changes the fix to remove the linux/if_ether.h from the ebtables source
(so the fixed version from the kernel is used) and ensures netinet/ether.h
is included early.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
SVN-Revision: 46292
When enabled the dnsmasq DHCP server allocates the IP addresses sequentially
starting from the lowest available IP address.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 46211
This brings curl to version 7.43.0 and contains fixes for the following
security vulnerabilities:
CVE-2015-3236: lingering HTTP credentials in connection re-use
http://curl.haxx.se/docs/adv_20150617A.html
CVE-2015-3237: SMB send off unrelated memory contents
http://curl.haxx.se/docs/adv_20150617B.html
The 100-check_long_long patch is not needed any more, because the
upstream autoconf script already checks for long long when cyassl is
selected.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 46169
This is for security precautions. As persist_tun and persist_key are
already there, this should not cause compatibility issue.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
SVN-Revision: 45961
- fix iconv detection because it adds host paths
- disable python detection (host python-config is found)
iconv issue is reported by buildbot config.log + replicated locally
see config.log in logs.tar.gz
python issue observed locally on Arch Linux
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
SVN-Revision: 45953
Adds PPP unnumbered support via the parameter unnumbered which points to a logical OpenWRT interface.
The PPP proto shell handler will "borrow" an IP address from the unnumbered interface (if multiple
IP addresses are present the longest prefix different from 32 will be "borrowed") for which a host
interface dependency will be created. Due to the host interface dependency the PPP unnumbered interface
will only "borrow" an IP address from an interface which is up.
The borrowed IP address will be shared as local IP address by the PPP daemon and no other local IP
will be accepted from the peer in the IPCP negotiation.
A typical use case is the usage of a public IP subnet on the Lan interface which will be shared
by the PPP interface as local IP address.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 45948
Commit 31214c38c8dd0f70366b523f9b0335145b9386bd removes IPv6 unneeded source-dest-routing workarounds;
as a result sourcerouting parameter is unused and can be removed.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 45940
Commit 31214c38c8dd0f70366b523f9b0335145b9386bd removes IPv6 unneeded source-dest-routing workarounds;
as a result sourcerouting parameter is unused and can be removed.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 45939
This prevents auto-detection of libxml2 and thus the error:
Package lldpd is missing dependencies for the following libraries:
libxml2.so.2
Preventing a dependency to libxml2 is preferred, since libxml2
would be a out-of-(core-)tree dependency.
Reported-by: Buildbot
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
SVN-Revision: 45859
* Rework hostapd and wpa_supplicant status parsing code
* Add support for querying available HT rates
* Relax definition of restricted channels
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 45766
Use shared libipt{,4,6}ext.so libraries instead of statically linking
the userspace matches into the fw3 executable.
As a side effect the match initialization is extremely simplified
compared to the weak function pointer juggling performed before.
This also fixes the initialization of the multiport match.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 45764
* drop unused lenient restore patch
* instead of statically linking core extensions, build shared libraries
for reuse in fw3
* strip outdated match revisions and aliases to trim down library size
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 45758
If the first resolveip call will fail, peeraddr will be now empty, and
the subsequent resolveip call will try to resolve an empty string.
Fix this by storing the result in a temporary variable.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 45712
Bump dnsmasq to v2.73rc8
Important - fixes remotely exploitable buffer overflow introduced in all v2.73 test/release candidates.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
SVN-Revision: 45693
hand over parameters to user-script e.g. $1=deconfig
Signed-off-by: Leon George <leon@georgemail.de>
Signed-off-by: Christian Mehlis <christian@m3hlis.de>
SVN-Revision: 45626
The WAN port should at least respond to IGMP and MLD queries as
otherwise a snooping bridge/switch might drop traffic.
RFC4890 recommends to leave IGMP and MLD unfiltered as they are always
link-scoped anyways.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
SVN-Revision: 45613
OpenVPN assumes that its control channel messages are sent and received
unfragmented, this assumption is broken when CBC record splitting is
enabled in mbedTLS.
The record splitting is intended as countermeasure against BEAST attacks
which do not apply to OpenVPN, therefore we simply disable it until
upstream OpenVPN gains the ability to process fragmented control
messages.
Disabling the splitting also works around a (not remotely triggerable)
segmentation fault in mbedTLS.
References:
* https://dev.openwrt.org/ticket/19101
* https://community.openvpn.net/openvpn/ticket/524
* https://github.com/ARMmbed/mbedtls/pull/185
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 45602
The most significant change from the previous version is the trimming of
the 300-ip_tiny.patch to lib/utils.c where a section previously patched
had vanished. That section of the patch was removed.
Built and lightly tested on ar71xx against uClibc and musl.
Signed-off-by: Russell Senior <russell@personaltelco.net>
SVN-Revision: 45512
Hostapd's control file location was changed in 2013, and that has apparently
broken the wps button hotplug script in cases where there are multiple radios
and wps is possibly configured also for the second radio. The current wps
button hotplug script always handles only the first radio.
https://dev.openwrt.org/browser/trunk/package/network/services/hostapd/files/wps-hotplug.sh
The reason is that the button hotplug script seeks directories like
/var/run/hostapd*, as the hostapd-phy0.conf files were earlier in
per-interface subdirectories.
Currently the *.conf files are directly in /var/run and the control sockets
are in /var/run/hostapd, but there is no subdirectory for each radio.
root@OpenWrt:/# ls /var/run/hostapd*
/var/run/hostapd-phy0.conf /var/run/hostapd-phy1.conf
/var/run/hostapd:
wlan0 wlan1
The hotplug script was attempted to be fixed after the hostapd change by
r38986 in Dec2013, but that change only unbroke the script for the first
radio, but left it broken for multiple radios.
https://dev.openwrt.org/changeset/38986/
The script fails to find subdirectories with [ -d "$dir" ], and passes just
the only found directory /var/run/hostapd, leading into activating only the
first radio, as hostapd_cli defaults to first socket found inthe passed
directory:
root@OpenWrt:/# hostapd_cli -?
...
usage: hostapd_cli [-p<path>] [-i<ifname>] [-hvB] [-a<path>] \
[-G<ping interval>] [command..]
...
-p<path> path to find control sockets (default: /var/run/hostapd)
...
-i<ifname> Interface to listen on (default: first interface found in the
socket path)
Below is a run with the default script and with my proposed solution.
Default script (with logging added):
==================================
root@OpenWrt:/# cat /etc/rc.button/wps
#!/bin/sh
if [ "$ACTION" = "pressed" -a "$BUTTON" = "wps" ]; then
for dir in /var/run/hostapd*; do
[ -d "$dir" ] || continue
logger "WPS activated for: $dir"
hostapd_cli -p "$dir" wps_pbc
done
fi
>>>> WPS BUTTON PRESSED <<<<<
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan0 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan1 wps_get_status
PBC Status: Timed-out
Last WPS result: None
root@OpenWrt:/# logread | grep WPS
Tue Apr 14 18:38:50 2015 user.notice root: WPS activated for: /var/run/hostapd
wlan0 got WPS activated, while wlan1 remained inactive.
I have modified the script to search for sockets instead of directories and
to use the "-i" option with hostapd_cli, and now the script properly
activates wps for both radios. As "-i" needs the interface name instead of
the full path, the script first changes dir to /var/run/hostapd to get simply
the interface names.
Modified script (with logging):
===============================
root@OpenWrt:/# cat /etc/rc.button/wps
#!/bin/sh
if [ "$ACTION" = "pressed" -a "$BUTTON" = "wps" ]; then
cd /var/run/hostapd
for dir in *; do
[ -S "$socket" ] || continue
logger "WPS activated for: $socket"
hostapd_cli -i "$socket" wps_pbc
done
fi
>>>> WPS BUTTON PRESSED <<<<<
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan0 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan1 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# logread | grep WPS
Tue Apr 14 18:53:06 2015 user.notice root: WPS activated for: wlan0
Tue Apr 14 18:53:06 2015 user.notice root: WPS activated for: wlan1
Both radios got their WPS activated properly.
I am not sure if my solution is optimal, but it seems to work. WPS button is
maybe not that often used functionality, but it might be fixed in any case.
Routers with multiple radios are common now, so the bug is maybe more
prominent than earlier.
The modified script has been in a slightly different format in my community
build since r42420 in September 2014.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 45492