Upstream renamed openssl-1.0.cnf to openssl-easyrsa.cnf.
However, pkg kept using openssl-1.0.cnf.
Upstream easyrsa searchs for vars, openssl-*, x509-types in the
same directory as easyrsa script. This was patched to revert
back to static /etc/easy-rsa/ directory (as does OpenSUSE).
EASYRSA_PKI still depends on $PWD.
Move easyrsa from /usr/sbin to /usr/bin as root is not needed.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
It is insecure to let this type of packets inside
They can e.g. open ports on some other routers with UPnP, etc
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
[0-3](none, minimal[default], more, maximum)
It is not 100% backward compatible, because now 0 disables logging
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Refresh patches
Upstream commits since last bump:
3b6eb19 Log DNSSEC trust anchors at startup.
f3e5787 Trivial comment change.
c851c69 Log failure to confirm an address in DHCPv6.
a3bd7e7 Fix missing fatal errors when parsing some command-line/config options.
ab5ceaf Document the --help option in the french manual
1f2f69d Fix recurrent minor spelling mistake in french manual
f361b39 Fix some mistakes in french translation of the manual
eb1fe15 When replacing cache entries, preserve CNAMES which target them.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
The sierra_net driver is using proto_directip_setup for setup. So use
proto_directip_teardown for teardown.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Disabled libpsl to fix build issue reported by buildbots
Package libcurl is missing dependencies for the following libraries:
libpsl.so.5
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
This watchdog script tries to re-resolve hostnames for inactive WireGuard peers.
Use it for peers with a frequently changing dynamic IP.
persistent_keepalive must be set, recommended value is 25 seconds.
Run this script from cron every minute:
echo '* * * * * /usr/bin/wireguard_watchdog' >> /etc/crontabs/root
Signed-off-by: Aleksandr V. Piskunov <aleksandr.v.piskunov@gmail.com>
[bump the package release]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
80b41cd version: bump snapshot
fe5f0f6 recieve: disable NAPI busy polling
e863f40 device: destroy workqueue before freeing queue
81a2e7e wg-quick: allow link local default gateway
95951af receive: use gro call instead of plain call
d9501f1 receive: account for zero or negative budget
e80799b tools: only error on wg show if all interfaces failk
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
[Added commit log to commit description]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
iproute2's tc was updated to support the recently upstreamed cake qdisc.
Backport this canonical support from upstream into iproute2 v4.17
There is no kernel kmod/userspace tc ABI change in this release from the
previous package bump, so everyone can breath a sigh of relief.
This is largely a code style change, the exception to prove the rule:
option 'autorate_ingress' has been changed to 'autorate-ingress' to fit
in with upstream option naming expectations.
No openwrt package (e.g. sqm-scripts) has knowledge of
'autorate_ingress' thus only users who made their own scripts or used
it within the 'dangerous configuration' options of sqm-scripts will be
affected.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Add each variant to the matching PROVIDERS variables after evaluating
the respective hostapd*, wpad* and wpa* variant.
Each package providing the same feature will automatically conflict with
all prior packages providing the same feature.
This way we can handle the conflicts automatically without introducing
recursive dependencies.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Move common variables and/or values to the package (variant) default.
Add additional values in variant packages if necessary. Remove further
duplicates by introducing new templates.
Remove the ANY_[HOSTAPD|SUPPLICANT_PROVIDERS]_PROVIDERS. The are the
same as the variables without the any prefix. No need to maintain both
variables.
Signed-off-by: Mathias Kresin <dev@kresin.me>
procd needs processes to stay in foreground to remain under its gaze and
control. Failure to do so means service stop commands fail to actually
stop the process (procd doesn't think it's running 'cos the process has
exited already as part of its forking routing)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
As dnsmasq is started earlier than netifd usage of network.sh functions
at boottime will fail; therefore don't call at boottime the functions
which construct the dhcp pool/relay info.
As interface triggers are installed the dhcp pool/relay info will be
constructed when the interface gets reported as up by netifd.
At the same time also register interface triggers based on DHCP relay
config.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The pptp.so plugin needs to be built with -fPIC as well in order to be
linkable again.
Fixes 888a15ff83 ("ppp: add missing -fPIC to rp-pppoe.so CFLAGS")
Fixes e7397eef69 ("ppp: compile with LTO enabled")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Increase the termination timeout to 15s to let OpenVPN properly tear down
its connections, especially when weak links or complex down scripts are
involved.
Fixes FS#859.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Override the default shutdown action (stop) and close all processes
of dropbear
Since commit 498fe85, the stop action only closes the process
that's listening for new connections, maintaining the ones with
existing clients.
This poses a problem when restarting or shutting-down a device,
because the connections with existing SSH clients, like OpenSSH,
are not properly closed, causing them to hang.
This situation can be avoided by closing all dropbear processes when
shutting-down the system, which closes properly the connections with
current clients.
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
[Luis: Rework commit message]
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
Fix broken DHCPv6 servers which provide the server unicast option but
do not reply on DHCPv6 renew messages directed to the IPv6 address
contained in the server unicast option whihc results in broken IPv6
connectivity.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* device: print daddr not saddr in missing peer error
* receive: style
Debug messages now make sense again.
* wg-quick: android: support excluding applications
Android now supports excluding certain apps (uids) from the tunnel.
* selftest: ratelimiter: improve chance of success via retry
* qemu: bump default kernel version
* qemu: decide debug kernel based on KERNEL_VERSION
Some improvements to our testing infrastructure.
* receive: use NAPI on the receive path
This is a big change that should both improve preemption latency (by not
disabling it unconditionally) and vastly improve rx performance on most
systems by using NAPI. The main purpose of this snapshot is to test out this
technique.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Update to the latest version of iproute2; see https://lwn.net/Articles/756991/
for a full overview of the changes in 4.17.
Remove upstream patch 002-json_print-fix-hidden-64-bit-type-promotion.
Backport upstream patch 001-rdma-sync-some-IP-headers-with-glibc fixing
rdma compile issue.
At the same time re-organize patch numbering so the OpenWRT specific
patches start at 100.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
345bba0 dhcpv4: improve error checking in handle_dhcpv4()
c0f6390 odhcpd: Check if open the ioctl socket failed
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Update mbed TLS to 2.11.0
Disable OFB block mode and XTS block cipher mode, added in 2.11.0.
The soVersion of mbedtls changed, bump PKG_RELEASE for packages that use mbedTLS
This is to avoid having a mismatch between packages when upgrading.
The size of mbedtls increased a little bit:
ipkg for mips_24kc before:
163.846 Bytes
ipkg for mips_24kc after:
164.382 Bytes
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Refresh patches and backport upstream to current HEAD:
a997ca0 Fix sometimes missing DNSSEC RRs when DNSSEC validation not enabled.
51e4eee Fix address-dependent domains for IPv6.
05ff659 Fix stupid infinite loop introduced by preceding commit.
db0f488 Handle some corner cases in RA contructed interfaces with addresses changing interface.
7dcca6c Warn about the impact of cache-size on performance.
090856c Allow zone transfer in authoritative mode whenever auth-peer is specified.
cc5cc8f Sane error message when pcap file header is wrong.
c488b68 Handle standard and contructed dhcp-ranges on the same interface.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Bump iproute2/tc support of cake.
Add support for cake's change to u64 attribute passing for certain
attributes (rate & byte counts)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
48cff25 build: drop install -o/-g root
53d7e7a extensions: ebt_string: take action if snprintf discards data
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This was causing issues recently as samba36 is not API compatible with the
libtdb in the packages repo. It shouldn't be using it anyway. Nor tevent.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The return value of the function isn't used anywhere.
Fixes missing return value, CID 1329717.
Found-by: Coverity
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>