When relying on x.509 certs for auth and / or encryption of traffic you can't
use package openvpn-nossl.
Just have your package depend on openvpn-crypto to have SSL-encryption and
X.509-support enabled in OpenVPN. If encryption / X.509 is not a must, use
virtual packge openvpn, which is provided by all OpenVPN-variants.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
ap_setup_locked is named wps_ap_setup_locked in uci for consistency with other
wps related uci options.
Signed-off-by: Steven Honson <steven@honson.id.au>
The hostapd_append_wpa_key_mgmt() procedure uses the possibly uninitialized
$ieee80211r and $ieee80211w variables in a numerical comparisation, leading
to stray "netifd: radio0 (0000): sh: out of range" errors in logread when
WPA-PSK security is enabled.
Ensure that those variables are substituted with a default value in order to
avoid emitting this (harmless) shell error.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Add PROVIDES:=openvpn to the default recipe in order to let all build variants
provide a virtual openvpn package.
The advantage of this approach is that downstream packages can depend on just
"openvpn" without having to require a specific flavor.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Packets which are merely forwarded by the router and which are neither
involved in any DNAT/SNAT nor originate locally, are considered INVALID
from a conntrack point of view, causing them to get dropped in the
zone_*_dest_ACCEPT chains, since those only allow stream with state NEW
or UNTRACKED.
Remove the ctstate restriction on dest accept chains to properly pass-
through unrelated 3rd party traffic.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Use ubus process signalling instead of 'kill pidof dnsmasq' for
SIGHUP signalling to dnsmasq when ntp says time is valid.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
This causes problem when a FQDN is configured in /etc/config/system. The
domain name will appear twice in reverse DNS.
Next to that, there seems to be a bug in dnsmasq. From the manual page:
--interface-name=<name>,<interface>[/4|/6]
Return a DNS record associating the name with the primary address
on the given interface. This flag specifies an A or AAAA record for the
given name in the same way as an /etc/hosts line, except that the address
is not constant, but taken from the given interface. The interface may be
followed by "/4" or "/6" to specify that only IPv4 or IPv6 addresses
of the interface should be used. If the interface is down, not configured
or non-existent, an empty record is returned. The matching PTR record is
also created, mapping the interface address to the name. More than one name
may be associated with an interface address by repeating the flag; in that
case the first instance is used for the reverse address-to-name mapping.
It does not just create an A/AAAA record for the primary address, it creates
one for all addresses. And what is worse, it seems to actually resolve to the
non-primary address first. This is quite annoying when you use floating IP
addresses (e.g. VRRP), because when the floating IP is on the other device,
SSH failes due to incorrect entry in the known hosts file.
I know that this is not a common setup, but it would be nice if there was an
option to restore the previous behaviour, rather than just forcing this new
feature on everybody.
Reported-by: Stijn Tintel <stijn@linux-ipv6.be>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Delete the map-t device when tearing down the map-t interface; as such
there's no conflict when the map-t interface comes up again when trying
to add the map-t device as the map-t device was still present
(Can not add: device 'map-wan6_4' already exists!).
Only call ifdown in teardown for map-e and lw6o4 map interfaces types
in order to suppress the trace "wan6_4 (6652): Interface wan6_4_ not found"
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This reverts the following commits:
fbe522d120278ad007ee863888e44f96daf6352fcfd83555fc
This seems to trigger some mconf bugs when built with all feeds
packages, so I will try to find a less intrusive solution before the
release.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
wpa_supplicant allows only SAE as the key management
type for mesh mode. The recent key_mgmt rework unconditionally
added WPA-PSK - this breaks interface bringup and wpa_s
throws this error message:
Line 10: key_mgmt for mesh network should be open or SAE
Line 10: failed to parse network block.
Failed to read or parse configuration '/var/run/wpa_supplicant-wlan0.conf
Fix this by making sure that only SAE is used for mesh.
Signed-off-by: Sujith Manoharan <m.sujith@gmail.com>
Enabling this makes it possible to query LLDP neighbors via SNMP.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Add option keep_ra_dnslifetime which will preserve the received
lifetime for RDNSS and DNSSL RA records and not overwrite it
by the RA router lifetime as specified in RFC6106.
This allows to accept RDNNS records from RAs that don't announce
a default route by setting router lifetime to 0 in the RAs.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
ef3c563 dhcpv6-ia: filter out prefixes having invalid length
16cd87e dhcpv6-ia: fix dereference after freeing assignment
d6b0c99 dhcpv6-ia: log only IPv6 addresses which are effectively
assigned to a DHCPv6 client
08a9367 config: respect ignore uci option
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
'add_local_hostname' previous implementation may drop some addresses.
Soft addition of IP6 addresses may not cause a reload or restart event.
dnsmasq '--interface-name' robustly applies DNS to all addresses per
interface (except fe80::/10).
Change UCI 'add_local_hostname' to expand during each interface assignement
during add_dhcp().
Assign '<iface>.<host>.<domain>' as true name (reflexive A, AAAA, and PTR).
Assign '<host>.<domain>' and '<host>' as convinience aliases (no PTR, not
technically CNAME).
This is accomplished with the '--interface-name' order, first is PTR.
We could also assign each <ip4/6>.<iface>.<host>.<domain> to the respective
dual stack on the interface.
That seemed excessive so it was skipped (/4 or /6 suffix to the interface).
Add UCI 'add_wan_hostname' similar to 'add_local_hostname' function for
external WAN.
WAN IP4 are less often named by the ISP and rarely WAN IP6 due to complexity.
For logs, LuCI connection graph, and other uses assigning a WAN name is desired.
'add_local_hostname' only applies with DHCP and 'add_wam_hostname' only applies
without DHCP. Common residential users will want to set both options TRUE.
Businesses will probably have global DNS, static IP, and 'add_wan_hostname' FALSE.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Add DHCPv6 matching by DHCP Unique Identifier (RFC-3315) in addition to
existing MAC-address (RFC-6939). The latter is not widely supported yet.
Signed-off-by: Arjen de Korte <build+lede@de-korte.org>
Enable support for stronger SHA256-based algorithms in hostapd and
wpa_supplicant when using WPA-EAP or WPA-PSK with 802.11w enabled.
We cannot unconditionally enable it, as it requires hostapd to be
compiled with 802.11w support, which is disabled in the -mini variants.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Sebastian Kemper <sebastian_ml@gmx.net>
Now that wpa_key_mgmt handling for hostapd and wpa_supplicant are
consistent, we can move parts of it to a dedicated function.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Sebastian Kemper <sebastian_ml@gmx.net>
Rework wpa_key_mgmt handling for wpa_supplicant to be consistent with
how it is done for hostapd.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Sebastian Kemper <sebastian_ml@gmx.net>
This commit modifies the /lib/netifd/proto/gre.sh script so that, when
GRE-TAP tunnels are created, either IPv4 or IPv6, the prefix before the chosen
interface name contains the "tap" substring, to differentiate them from non-TAP
GRE tunnels.
Right now, both GRE and GRE-TAP tunnel (either IPv4 or IPv6) interfaces defined
in /etc/config/network are named equally ("gre-"+$ifname or "grev6"+$ifname)
upon creation. For instance, the following tunnels:
config interface 'tuna'
option peeraddr '172.30.22.1'
option proto 'gre'
config interface 'tunb'
option peeraddr '192.168.233.4'
option proto 'gretap'
config interface 'tunc'
option peer6addr 'fdc5:7c9e:e93d:45af::1'
option proto 'grev6'
config interface 'tund'
option peer6addr 'fdc0:6071:1348:31ff::2'
option proto 'grev6tap'
are named, respectively, "gre-tuna", "gre-tunb", "grev6-tunc" and "grev6-tund".
The current change makes that each GRE tunnel interface of the four different
types available (gre, gretap, grev6 and grev6tap) gets a different prefix.
Therefore, the abovementioned tunnels will be named, respectively:
"gre4-tuna", "gre4t-tunb", "gre6-tunc" and "gre6t-tund".
This is coherent with other types of virtual interfaces (i.e. PPP, PPPoE, PPPoA)
where the whole protocol name is used. For instance, a PPPoA interface named
"p1" and a PPPoE interface named "p2" will respectively appear as "pppoa-p1"
and "pppoe-p2", not as "ppp-p1" and "ppp-p2").
Since Linux interfaces names are limited to 15 characters, these prefixes leave,
for the worst case (TAP tunnels), 9 characters for the actual name.
Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
This fixes the folowing security problems:
CVE-2016-9586: printf floating point buffer overflow
CVE-2016-9952: Win CE schannel cert wildcard matches too much
CVE-2016-9953: Win CE schannel cert name out of buffer read
CVE-2016-9594: unititialized random
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
64a655d proto: allow configuring deprecated static IPv6 addresses
c99182e remove obsolete /opt/local prefix on Mac OS X
0249d5f system-linux: Don't set gre tunnel ttl by default to 64 (#FS312)
edc15ca ubus: Display the IPv6 prefix assigned address
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
add possibility to set the facility to which dnsmasq will send syslog entries, i.e. set it to '/dev/null' to mute dnsmasq output at all.
Signed-off-by: Dirk Brenken dev@brenken.org
Before the rewrite, uhttpd-mod-tls used to contain a tls plugin.
Afterwards it was left in for compatibility reasons, but given how much
has changed, and that we're about to change the default SSL
implementation again, it's better to just drop this now
Signed-off-by: Felix Fietkau <nbd@nbd.name>
OpenVPN 2.4 builds with mbedTLS 2.x, rename openvpn-polarssl
variant to openvpn-mbedtls.
Some feature highlights:
* Data channel cipher negotiation
* AEAD cipher support for data channel encryption (currently only
* AES-GCM)
* ECDH key exchange for control channel
* LZ4 compression support
See https://github.com/OpenVPN/openvpn/blob/master/Changes.rst
for additional change notes.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Build seems to fail with:
```
Collected errors:
* satisfy_dependencies_for: Cannot satisfy the following dependencies for X:
* grev4 *
* opkg_install_cmd: Cannot install package X
```
After adding an empty install rule, the failure goes away.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
uqmi has the possibility to allow the modem to start a regsitration
process only to this specified plmn
Signed-off-by: Florian Eckert <Eckert.Florian@googlemail.com>
Let dnsmasq reread the leasefile by using procd_send_signal
which triggers procd to send SIGHUP kill signal by default
if signal is not specified
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Update to latest upstream HEAD:
- Refreshed all
- Delete patches and parts which made it upstream
Compile tested Full & Mini configs
Run-tested Mini config
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [another update, remove broken patch]
Update tc to track upstream cake changes:
diffserv3 - a simple 3 tin classifier
Also make diffserv3 and triple-isolate default
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Add uqmi 'sync' command call to release stalled cid when preparing to
setup new connection. As a result it prevents 'POLICY MISMATCH' errors.
Signed-off-by: Nickolay Ledovskikh <nledovskikh@gmail.com>
8ceeab6 uqmi: Change returned value to QMI_CMD_REQUEST for 'sync' command.
1dc7be1 uqmi: Add sync command to release all cids.
Signed-off-by: John Crispin <john@phrozen.org>
It's useful when using multiple usb devices that should be bound to
certain usb ports. Symlinks are created by hotplug handlers.
Signed-off-by: Nickolay Ledovskikh <nledovskikh@gmail.com>
It's useful when using multiple usb devices that should be bound to
certain usb ports. Symlinks are created by hotplug handlers.
Signed-off-by: Nickolay Ledovskikh <nledovskikh@gmail.com>
The build system only accepts Package/<name>/description and since the
typoed version virtually has the same content as the TITLE field, remove
them altogether
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
The SIGHUP also got sent to the reload script making it bail out
with an error
Revert "dnsmasq: reload config if host name is modified"
This reverts commit 854459a2f9.
Reported-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: John Crispin <john@phrozen.org>
The sha256sum was not updated in the last commit.
Fixes: a7c231027 [odhcpd: Fix dnsmasq re-reading hostfile]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Add support for specifying a call profile index instead of APN. A
specific index different from 1 must be used for some service
provider and modem combinations.
In addition, change the manufacturer detection to use the standard
AT+CGMI command, which produces more predictable output than ATI,
remove the redundant ipv6 option, since it is less ambiguous to
directly specify the PDP context type with mobile connections, and
fix missing device during teardown when using ncm through the wwan
proto.
Signed-off-by: Matti Laakso <malaakso@elisanet.fi>
Update uqmi to latest version, which brings about support for
specifying a call profile index instead of APN. A specific index
different from 1 must be used for some service provider and modem
combinations.
Also change option dhcp to dhcpv6, since IPv4 now always uses DHCP,
replace option ipv6 with pdptype, which is less ambiguous, and
make autoconnect optional and default it to off for IPv6 due to it
not working with statically configured IPv6.
Signed-off-by: Matti Laakso <malaakso@elisanet.fi>
Harmonise handling of DEFAULT_PATH by removing the patch introducing #ifndef
guards around the path, and only using one means to set the path in the
makefile.
Signed-off-by: Dario Ernst <Dario.Ernst@riverbed.com>
The xt_id match was used by the firewall3 package to track its own rules but
the approach has been changed to use xt_comment instead now, so we can drop
this nonstandard extension.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Update to current HEAD in order to drop automatic generation of per-zone
NOTRACK rules.
The NOTRACK rules used to provide a little performance improvement but the
later introduction of the netfilter conntrack cache made those rules largely
unnecessary. Additionally, those rules caused various issues which broke
stateful firewalling in some scenarios.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Depending on the dhcp uci config pidof dnsmasq can return
multiple pids. Fix re-reading of the hostfile by dnsmasq in
such case by sending SIGHUP signal to each of the returned
pids.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Let dnsmasq read all hosts files in /tmp/hosts directory by specifying
/tmp/hosts as argument of --addn-host
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Support new packet overhead passing paradigm in cake qdisc, also restore
DSCP wash/nowash keywords.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
OpenVPN requires arguments to --push to be enclosed in double quotes.
One set of quotes is stripped when the UCI config is parsed.
Change append_params() of openvpn.init to enclose push parameters in
double quotes.
Unquoted push parameters do not cause errors in OpenVPN 2.3,
but OpenVPN 2.4 fails to start with unquoted push parameters.
Fixes: FS#290.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Correct splitting the 32-bit 'hostid' value to two 16-bit hexadecimal
values. Previously, the lower 16-bit value was truncated to an 8-bit
value, which would result in hostid values 100 and 200 both to be set
to [::0:0] instead of [::0:100] and [::0:200] respectively.
Signed-off-by: Arjen de Korte <build+lede@de-korte.org>
If the hostname in /etc/config/system is modified the dnsmasq will not
reread the update host file under /tmp/hosts/dhcp.$cfg.
Signed-off-by: Florian Eckert <Eckert.Florian@googlemail.com>
This fixes the following security problems:
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>