summaryrefslogtreecommitdiff
path: root/package/network/services
Commit message (Collapse)AuthorAgeFilesLines
* branding: add LEDE brandingJohn Crispin2016-03-249-15/+15
| | | | Signed-off-by: John Crispin <blogic@openwrt.org>
* dnsmasq: run as dedicated UID/GIDJohn Crispin2016-04-262-2/+5
| | | | | | | | | | | Running dnsmasq in a dedicated user/group allows matching its outgoing traffic more easily using iptables' owner match. Add UID/GID to the package metadata and append the user/group parameters to the init script. Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 49252
* dnsmasq: Add enable parameter in the UCI DHCP host sectionHauke Mehrtens2016-04-171-0/+3
| | | | | | | | | | Parameter allows to enable/disable static leases; by default the value is 1 to keep backwards compatibility Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 49187
* hostapd.sh: Add support for "anonymous_identity" config fieldHauke Mehrtens2016-04-171-2/+3
| | | | | | | | | | | | | | | | | | The wpa_supplicant supports an "anonymous_identity" field, which some EAP networks require. From the documentation: anonymous_identity: Anonymous identity string for EAP (to be used as the unencrypted identity with EAP types that support different tunnelled identity, e.g., EAP-TTLS). This change modifies the hostapd.sh script to propagate this field from the UCI config to the wpa_supplicant.conf file. Signed-off-by: Kevin O'Connor <kevin@koconnor.net> Reviewed-by: Manuel Munz <freifunk@somakoma.de> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 49181
* samba: fix some security problemsHauke Mehrtens2016-04-1621-46/+20105
| | | | | | | | | | | | | | | This fixes the following security problems: * CVE-2015-7560 * CVE-2015-5370 * CVE-2016-2110 * CVE-2016-2111 * CVE-2016-2112 * CVE-2016-2115 * CVE-2016-2118 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 49175
* openvpn: add support for X.509 name optionsJohn Crispin2016-03-081-0/+1
| | | | | | | | | x509-username-field was added in OpenVPN 2.2, and verify-x509-name was added in 2.3. This fixes ticket #18807. Signed-off-by: Jeffery To <jeffery.to@gmail.com> SVN-Revision: 48969
* dnsmasq: add host-specific lease time option for static hostsJohn Crispin2016-02-262-3/+5
| | | | | | | | | | | | | | | | | | | | | | | Enable setting a host-specific lease time for static hosts. The new option is called "leasetime" and the format is similar as for the default lease time: e.g. 12h, 3d, infinite Default lease time is used for all hosts for which there is no host-specific definition. The option is added to /etc/config/dhcp for the selected hosts: config host option name 'Nexus' option mac 'd8:50:66:55:59:7c' option ip '192.168.1.245' option leasetime '2h' It gets appended to /var/etc/dnsmasq.conf like this: dhcp-host=d8:50:66:55:59:7c,192.168.1.245,Nexus,2h Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi> SVN-Revision: 48801
* dnsmasq: add dhcp relay optionJohn Crispin2016-02-261-0/+19
| | | | | | Signed-off-by: dbugnar <dnbugnar@ocedo.com> SVN-Revision: 48800
* dnsmasq: export tftp root to the procd jailFelix Fietkau2016-02-251-11/+17
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48761
* dnsmasq: only enable tftp if the tftp root existsFelix Fietkau2016-02-251-1/+2
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48760
* lldp: Upgrade to 0.9.0John Crispin2016-02-181-2/+2
| | | | | | Signed-off-by: Ben Kelly <ben@benjii.net> SVN-Revision: 48738
* dropbear: honor CONFIG_TARGET_INIT_PATHJo-Philipp Wich2016-02-082-6/+17
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 48679
* relayd: update to the latest version, fixes some more connectivity issues ↵Felix Fietkau2016-02-081-2/+2
| | | | | | | | (#21817) Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48655
* relayd: update to the latest version, fixes route table issues when ↵Felix Fietkau2016-02-051-2/+2
| | | | | | | | connecting to the router Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48635
* hostapd: remove useless TLS provider selection override for ↵Felix Fietkau2016-01-281-2/+1
| | | | | | | | wpad-mesh/wpa_supplicant-mesh Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48537
* hostapd: fix mesh interface bridge handlingFelix Fietkau2016-01-285-10/+22
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48529
* hostapd: fix wpad-mesh and wpa-supplicant-mesh configuration issuesFelix Fietkau2016-01-282-417/+9
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48528
* hostapd: update to version 2016-01-15Felix Fietkau2016-01-2842-945/+243
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48527
* dnsmasq: Don't add local hostname if ula prefix is not specifiedJo-Philipp Wich2016-01-252-3/+3
| | | | | | | | | | | | Commit 6a7e56b adds support for adding local hostname for own lan ula adress but if ula prefix is not specified results into an invalid config (address=/OpenWrt.lan/1) causing dnsmasq not to start up. Use lanaddr6 when adding local hostname as the lan ula address is constructed based on the UCI parameters ip6hint and ip6ifaceid and thus not always ula prefix suffixed with 1 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> SVN-Revision: 48495
* package/uhttpd: generate 2048 bit RSA keyFelix Fietkau2016-01-252-2/+2
| | | | | | | | | | RSA keys should be generated with sufficient length. Using 1024 bits is considered unsafe. In other packages the used key length is 2048 bits. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> SVN-Revision: 48494
* uhttpd: fix typo in default config for px5gFelix Fietkau2016-01-191-1/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48385
* wpa_supplicant: add support for EAP-TLS phase2Felix Fietkau2016-01-191-2/+12
| | | | | | | | | Introduce config options client_cert2, priv_key2 and priv_key2_pwd used for EAP-TLS phase2 authentication in WPA-EAP client mode. Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 48345
* hostap/wpa_supplicant: enable EAP-FAST in -full buildsFelix Fietkau2016-01-192-0/+6
| | | | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 48344
* uhttpd: add option for mbedtlsFelix Fietkau2016-01-191-0/+4
| | | | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 48343
* wpa_supplicant: improve generating phase2 config line for WPA-EAPFelix Fietkau2016-01-181-2/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | WPA-EAP supports several phase2 (=inner) authentication methods when using EAP-TTLS, EAP-PEAP or EAP-FAST (the latter is added as a first step towards the UCI model supporting EAP-FAST by this commit) The value of the auth config variable was previously expected to be directly parseable as the content of the 'phase2' option of wpa_supplicant. This exposed wpa_supplicant's internals, leaving it to view-level to set the value properly. Unfortunately, this is currently not the case, as LuCI currently allows values like 'PAP', 'CHAP', 'MSCHAPV2'. Users thus probably diverged and set auth to values like 'auth=MSCHAPV2' as a work-around. This behaviour isn't explicitely documented anywhere and is not quite intuitive... The phase2-string is now generated according to $eap_type and $auth, following the scheme also found in hostap's test-cases: http://w1.fi/cgit/hostap/tree/tests/hwsim/test_ap_eap.py The old behaviour is also still supported for the sake of not breaking existing, working configurations. Examples: eap_type auth 'ttls' 'EAP-MSCHAPV2' -> phase2="autheap=MSCHAPV2" 'ttls' 'MSCHAPV2' -> phase2="auth=MSCHAPV2" 'peap' 'EAP-GTC' -> phase2="auth=GTC" Deprecated syntax supported for compatibility: 'ttls' 'autheap=MSCHAPV2' -> phase2="autheap=MSCHAPV2" I will suggest a patch to LuCI adding EAP-MSCHAPV2, EAP-GTC, ... to the list of Authentication methods available. Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 48309
* dnsmasq: Add option --min-portFelix Fietkau2016-01-152-1/+2
| | | | | | | | | | | By default dnsmasq uses random ports for outbound dns queries; when the minport UCI option is specified the ports used will always be larger than the specified value. This is usefull for systems behind firewalls. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> SVN-Revision: 48244
* dropbear: update version to 2015.71Felix Fietkau2016-01-155-10/+10
| | | | | | | | | Update dropbear to version 2015.71, released on 3 Dec 2015. Refresh patches. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi> SVN-Revision: 48243
* dnsmasq: add local hostname record for own lan ula address as wellJo-Philipp Wich2016-01-122-4/+18
| | | | | | Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 48214
* hostapd: fix disassociation with FullMAC drivers and multi-BSSRafał Miłecki2016-01-111-0/+67
| | | | | | Signed-off-by: Rafał Miłecki <zajec5@gmail.com> SVN-Revision: 48202
* openvpn: update to version 2.3.10Felix Fietkau2016-01-115-276/+5
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48201
* dropbear: enable curve25519 support by default, increases compressed binary ↵Felix Fietkau2016-01-101-1/+1
| | | | | | | | size by ~5 kb Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48196
* dropbear: split out curve25519 support into a separate config optionFelix Fietkau2016-01-102-4/+19
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48195
* hostapd: fix post v2.4 security issuesFelix Fietkau2016-01-1011-0/+554
| | | | | | | | | | | | | | | | | | | | | | | - WPS: Fix HTTP chunked transfer encoding parser (CVE-2015-4141) - EAP-pwd peer: Fix payload length validation for Commit and Confirm (CVE-2015-4143) - EAP-pwd server: Fix payload length validation for Commit and Confirm (CVE-2015-4143) - EAP-pwd peer: Fix Total-Length parsing for fragment reassembly (CVE-2015-4144, CVE-2015-4145) - EAP-pwd server: Fix Total-Length parsing for fragment reassembly (CVE-2015-4144, CVE-2015-4145) - EAP-pwd peer: Fix asymmetric fragmentation behavior (CVE-2015-4146) - NFC: Fix payload length validation in NDEF record parser (CVE-2015-8041) - WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use (CVE-2015-5310) - EAP-pwd peer: Fix last fragment length validation (CVE-2015-5315) - EAP-pwd server: Fix last fragment length validation (CVE-2015-5314) - EAP-pwd peer: Fix error path for unexpected Confirm message (CVE-2015-5316) Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> SVN-Revision: 48185
* openvpn: added service_triggers() to init scriptFelix Fietkau2016-01-071-0/+4
| | | | | | | | | Follow up of #21469 This patch enables autoreloading openvpn via procd. Signed-off-by: Federico Capoano <nemesis@ninux.org> SVN-Revision: 48150
* samba36: add three CVE patches from 2015-12-16Felix Fietkau2016-01-054-1/+253
| | | | | | | | | This is a patch for CVE-2015-5252, CVE-2015-5296 and CVE-2015-5299. A patchset for these vulnerabilities was published on 16th December 2015. Signed-off-by: Jan Čermák <jan.cermak@nic.cz> SVN-Revision: 48133
* relayd: move to git.openwrt.orgFelix Fietkau2016-01-041-1/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48129
* uhttpd: move to git.openwrt.orgFelix Fietkau2016-01-041-1/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48122
* packages: use OPENWRT_GIT to point at the main openwrt git repoFelix Fietkau2016-01-041-1/+1
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48118
* wpa_supplicant: set regulatory domain the same way as hostapdFelix Fietkau2016-01-031-0/+6
| | | | | | | | | | | | | In sta-only configuration, wpa_supplicant needs correct regulatory domain because otherwise it may skip channel of its AP during scan. Another alternative is to fix "iw reg set" in mac80211 netifd script. Currently it fails if some phy has private regulatory domain which matches configured one. Signed-off-by: Dmitry Ivanov <dima@ubnt.com> SVN-Revision: 48099
* openvpn: fix configure optionsJohn Crispin2015-12-231-2/+1
| | | | | | | | | | | | | | | - eurephia: commit: Remove the --disable-eurephia configure option - fix option name: http proxy option is now called http-proxy (see configure.ac) fixes: configure: WARNING: unrecognized options: --disable-nls, --disable-eurephia, --enable-http Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de> SVN-Revision: 47979
* package/lldpd: Remove extraneous selectJohn Crispin2015-12-231-1/+0
| | | | | | | | | | Only the conditional dependency ought to be required; if build fails with JSON there is some other problem at work. Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com> SVN-Revision: 47976
* dnsmasq: Add option --no-pingJohn Crispin2015-12-231-0/+1
| | | | | | | | | | By default dnsmasq sends an ICMP echo request before allocating an IP address to a host; the uci option noping allows to disable this check. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> SVN-Revision: 47974
* dnsmasq: changed option nonwildcard to --bind-dynamicFelix Fietkau2015-12-191-1/+1
| | | | | | | | | | | | | | | | Changed option nonwildcard from --bind-interfaces into --bind-dynamic. With this, Dnsmasq binds the address of individual interfaces, allowing multiple dnsmasq instances, but if new interfaces or addresses appear, it automatically listens on those. This makes dynamically created interfaces work in the same way as the default, but allows also use of other DNS-servers (like Named) at the same time on diffirent interfaces where Dnsmasq is NOT configured, whereas with --bind-interfaces will still reserve every interface even if not used and thus disallowing use of any other DNS-program even on unused interfaces. Tested-by: Vaasa Hacklab <info@vaasa.hacklab.fi> Signed-off-by: Sami Olmari <sami@olmari.fi> SVN-Revision: 47953
* network/services/lldpd: Fix missing dependency when using JSONJohn Crispin2015-12-171-0/+1
| | | | | | | | | Using the JSON output option depends on json library so add select json-c library when JSON output is selected. Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com> SVN-Revision: 47928
* dnsmasq: Add option "--all-servers"John Crispin2015-12-111-0/+1
| | | | | | | | | Add the option "--all-servers" which forces dnsmasq to send all queries to all servers and then take the first answer. Signed-off-by: Andréas Gustafsson <gurgalof@gmail.com> SVN-Revision: 47857
* lldpd: add STOP=01 param in init scriptFelix Fietkau2015-12-051-1/+2
| | | | | | | | | | This should ensure that lldpd is among the first processes to stop, so that it has time to send the shutdown LLDPU to the other side, before the network goes down. Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com> SVN-Revision: 47786
* wpa-supplicant: Get 802.11s ssid information from option mesh_idJohn Crispin2015-11-241-0/+3
| | | | | | | | | | | | The scripts for authsae and iw use the option mesh_id to get set the "meshid" during a mesh join. But the script for wpad-mesh ignores the option mesh_id and instead uses the option ssid. Unify the mesh configuration and let the wpa_supplicant script also use the mesh_id from the configuration. Signed-off-by: Sven Eckelmann <sven@open-mesh.com> SVN-Revision: 47615
* authsae: Use kbit/s as mcast_rate unit like wpadJohn Crispin2015-11-241-2/+10
| | | | | | | | | | | | | | | The OpenWrt wireless configuration for mcast_rate is defined as Kbit/s when using wpa_supplicant for IBSS/802.11s and iw for unencrypted IBSS/802.11s. But when using authsae, the unit for the same option is redefined as Mbit/s. Better use the same unit for this option independent of the backend which is used. Old values for mcast_rate (< 1000) are still interpreted Mbit/s to avoid problems during upgrades from older versions. Signed-off-by: Sven Eckelmann <sven@open-mesh.com> SVN-Revision: 47614
* authsae: Fix meshid in authsae configJohn Crispin2015-11-241-1/+1
| | | | | | | | | The variable $mesh_id was never defined in authsae_start_interface and thus the option meshid in $authsae_conf_file was always set to "". Signed-off-by: Sven Eckelmann <sven@open-mesh.com> SVN-Revision: 47613
* odhcpd: correctly handle netlink congestion caseSteven Barth2015-11-191-3/+3
| | | | | | | | Thanks to @ktgeek and @willmo for diagnosing Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 47514