summaryrefslogtreecommitdiff
path: root/package/network
Commit message (Collapse)AuthorAgeFilesLines
* openvpn: update to 2.4.3Magnus Kroken2017-06-265-13/+14
| | | | | | | | | | | | | | | | | | | | Fixes for security and other issues. See security announcement for more details: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 * Remotely-triggerable ASSERT() on malformed IPv6 packet (CVE-2017-7508) * Pre-authentication remote crash/information disclosure for clients (CVE-2017-7520) * Potential double-free in --x509-alt-username (CVE-2017-7521) * Remote-triggerable memory leaks (CVE-2017-7512) * Post-authentication remote DoS when using the --x509-track option (CVE-2017-7522) * Null-pointer dereference in establish_http_proxy_passthru() * Restrict --x509-alt-username extension types * Fix potential 1-byte overread in TCP option parsing * Fix mbedtls fingerprint calculation * openssl: fix overflow check for long --tls-cipher option * Ensure option array p[] is always NULL-terminated * Pass correct buffer size to GetModuleFileNameW() (Quarkslabs finding 5.6) Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* treewide: add license tagsFlorian Eckert2017-06-241-0/+1
| | | | | | Add licence tags where missing. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* hostapd: add support for acs_chan_bias optionKevin Darbyshire-Bryant2017-06-242-2/+6
| | | | | | | | | | During auto channel selection we may wish to prefer certain channels over others. e.g. we can just squeeze 4 channels into europe so '1:0.8 5:0.8 9:0.8 13:0.8' does that. Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* dnsmasq: add dhcp-range tags configurationGrégoire Delattre2017-06-202-2/+9
| | | | | | | | | | | | | | | | | | | dnsmasq can match tags in its dhcp-range configuration, this commit adds the option to configure it in the dhcp section uci configuration: config dhcp 'lan' option interface 'lan' list tag 'blue' list tag '!red' option start '10' option limit '150' option leasetime '12h' generated dnsmasq configuration: dhcp-range=tag:blue,tag:!red,set:lan,192.168.1.10,192.168.1.159,255.255.255.0,12h Signed-off-by: Grégoire Delattre <gregoire.delattre@gmail.com>
* netifd: update to the latest versionHans Dedecker2017-06-181-3/+3
| | | | | | | | ef5f7a0 ubus: remove superfluous error check in netifd_add_dynamic 5a68693 iprule: coding style line up 90e2e2c iprule: Add option to suppress unspecific routing lookups Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dropbear: fix service trigger syntax errorKevin Darbyshire-Bryant2017-06-162-2/+2
| | | | | | The classic single '&' when double '&&' conditional was meant. Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* Revert "dnsmasq: manage resolv.conf if when listening on 127.0.0.1#53"Hans Dedecker2017-06-142-36/+26
| | | | | | This reverts commit a53f8ba6771de64c9c82a2e6867791226f3003cb. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: manage resolv.conf if when listening on 127.0.0.1#53Paul Oranje2017-06-122-26/+36
| | | | | | | | | | With this patch the dnsmasq init script manages resolv.conf if and only if when dnsmasq will listen on 127.0.0.1#53 (is main resolver instance). Also, resolvfile is now set irrespective of the value of noresolv. Fixes (partially) FS#785 Signed-off-by: Paul Oranje <por@xs4all.nl>
* dnsmasq: make bind-dynamic 'non-wildcard' interfaces defaultKevin Darbyshire-Bryant2017-06-113-4/+6
| | | | | | | | | | | | | | | 'non-wildcard' interfaces enables dnsmasq's '--bind-dynamic' mode. This binds to interfaces rather than wildcard addresses *and* keeps track of interface comings/goings via a unique Linux api. Quoting dnsmasq's author "bind-dynamic (bind individual addresses, keep up with changes in interface config) ... On linux, there's actually no sane reason not to use --bind-dynamic, and it's only not the default for historical reasons." Let's change history, well on LEDE at least, and change the default! Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* dnsmasq: add dhcp-script hook conditionallyHans Dedecker2017-06-092-2/+14
| | | | | | | | | | | | Commit b32689afd6a661339861086c669e15c936293cf8 added support for dhcp-script hook. Adding dhcp-script config option results into two instances of dnsmasq being run which triggered oom issues on platforms having low memory. The dnsmasq dhcp-script config option will now only be added if at least one of the dhcp, tftp, neigh hotplug dirs has a regular hotplug file or if the dhcpscript uci config option is specified. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* Lantiq: make possible to tweak DSL SRN from UCIAndrea Merello2017-06-031-1/+26
| | | | | | | | | | | | | | | | | | | | | This patch makes possible to tweak the downstream SNR margin on Lantiq DSL devices. The UCI parameter 'network.dsl.ds_snr_offset' is used to set the SNR margin offset. It accepts values in range -50 to +50 in 0.1 dB units. The SNR margin can thus be modified in range -5.0 to +5.0 dB in 0.1 dB steps. Currently this should only affect ADSL (not VDSL). It should be very easy to make this work also on VDSL lines, but since I couldn't test on VDSL lines this patch does not do that yet. I have also a patch for LUCI about this, that I could submit. Tested on FB3370 (Lantiq VR9) and Telecom Italia ADSL2+ line. Signed-off-by: Andrea Merello <andrea.merello@gmail.com>
* umdns: remove superfluous include in init scriptJo-Philipp Wich2017-06-021-2/+0
| | | | | | | | | | | | | The umdns init script includes function/network.sh globally, outside of any service procedure. This causes init script activation to fail in buildroot and IB context if umdns is set to builtin. Additionally, the network.sh helper is not actually used. Drop the entire include in order to repair init script activation in build host context. Fixes FS#658. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* dnsmasq: bump to 2.77Kevin Darbyshire-Bryant2017-06-011-4/+4
| | | | | | Bump to the 2.77 release after quite a few test & release candidates. Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* ppp: propagate master firewall zone to dynamic slave interfaceHans Dedecker2017-05-312-1/+4
| | | | | | | | | | Assign the virtual DHCPv6 interface the firewall zone of the parent interface so fw3 knows the zone to which the virtual DHCPv6 interface belongs. This guarantees the firewall settings are applied correctly for the virtual DHCPv6 interface and allows to query the zone to which the virtual DHCPv6 interface belongs via the fw3 network option. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* openvpn-easy-rsa: update to 3.0.1Luiz Angelo Daros de Luca2017-05-315-169/+26
| | | | | | | | | | | | | | | | | | | | | | easy-rsa v3 is now a single script. It expects a 'vars' configuration file which path can be set using easy-rsa options, environment variables or just looking in the current directory. The default usage would be: # cd /etc/easy-rsa # easy-rsa COMMAND [command-options] Following upstream changes, /etc/easy-rsa/pki replaces /etc/easy-rsa/keys directory. The default /etc/easy-rsa/pki dir is marked to be kept during upgrade (WARN: priv keys are saved in the system backup) /etc/easy-rsa/openssl.1.0.cnf is now marked as config file while index and serial got removed. Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
* iproute2: bump to 4.11Kevin Darbyshire-Bryant2017-05-3016-529/+228
| | | | Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* firewall: fix stray continue statementJo-Philipp Wich2017-05-271-4/+4
| | | | | | | The previous commit introduced a faulty continue statement which might lead to faulty rules not getting freed or reported. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* netifd: fix 6rd regression (FS#812)Hans Dedecker2017-05-271-3/+3
| | | | | | 08f1875 system-linux: fix 6rd regression Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* firewall: extend ubus support, exception handling, parse fixesJo-Philipp Wich2017-05-271-3/+3
| | | | | | | | | | | | | | | | | | | | | | | Update to latest Git HEAD in order to import a number of fixes and other improvements: 3d2c18a options: improve handling of negations when parsing space separated values 0e5dd73 iptables: support -i, -o, -s and -d in option extra 4cb06c7 ubus: increase ubus network interface dump timeout e5dfc82 iptables: add exception handling f625954 firewall3: add check_snat() function 7d3d9dc firewall3: display the section type for UBUS rules 53ef9f1 firewall3: add UBUS support for include scripts 5cd4af4 firewall3: add UBUS support for ipset sections 02d6832 firewall3: add UBUS support for forwarding sections 0a7d36d firewall3: add UBUS support for redirect sections d44f418 firewall3: add fw3_attr_parse_name_type() function e264c8e firewall3: replace warn_rule() by warn_section() 6039c7f firewall3: check the return value of fw3_parse_options() Fixes FS#548, FS#806, FS#811. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* samba: bump PKG_RELEASEJo-Philipp Wich2017-05-271-1/+1
| | | | | | | | | | | The previous CVE bugfix commit did not adjust PKG_RELEASE, therefor the fixed samba package does not appear as opkg update. Bump the PKG_RELEASE to signify upgrades to downstream users. Ref: https://forum.lede-project.org/t/sambacry-are-lede-devices-affected/3972/4 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Move enablemodem from ramips to new package adb-enablemodem and make it used ↵Filip Moc2017-05-272-0/+90
| | | | | | also by TL-MR6400 Signed-off-by: Filip Moc <lede@moc6.cz>
* dnsmasq: add dhcp-script hook for other packagesNick Brassel2017-05-263-5/+59
| | | | | | | | | | | | | Adds a script which acts as a hook for when dnsmasq creates/destroys a lease, or completes a TFTP file transfer. The hook loops through scripts in appropriate directories inside '/etc/hotplug.d', executing each one with the same arguments supplied by dnsmasq. In case dnsmasq is jailed by ujail the dhcp-script hook will not work as expected as ujail does not yet support executing a script within a jail. Signed-off-by: Nick Brassel <nick@tzarc.org> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iptables: fix typos in 600-shared-libext.patch (FS#711)Felix Fietkau2017-05-251-2/+2
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* DWR-512: adding wwan support for the dwr-512 3G modemGiuseppe Lippolis2017-05-253-15/+49
| | | | | | | | | This PR allow the 3G modem embedded in the DWR-512 to be managed by the wwan-ncm scripts. The modem will use the usb-option and usb-cdc-ether drivers. The DWR-512 DT is updated accordingly. Signed-off-by: Giuseppe Lippolis <giu.lippolis@gmail.com>
* firewall: update to the latest version, fixes a gcc7 build errorFelix Fietkau2017-05-251-3/+3
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* lldpd: bump to 0.9.7Stijn Tintel2017-05-241-2/+2
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* samba: fix CVE-2017-7494Stijn Tintel2017-05-242-4/+33
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* dnsmasq: bump to 2.77rc5Hans Dedecker2017-05-221-3/+3
| | | | | | | | | | | | | Some small tweaks and improvements : 9828ab1 Fix compiler warning. f77700a Fix compiler warning. 0fbd980 Fix compiler warning. 43cdf1c Remove automatic IDN support when building i18n. ff19b1a Fix &/&& confusion. 2aaea18 Add .gitattributes to substitute VERSION on export. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* 6rd: add 6rd specific settings as nested json objectHans Dedecker2017-05-222-3/+7
| | | | | | Add 6rd specific settings prefix, relay-prefix as a nested data json object Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: update to git HEAD versionHans Dedecker2017-05-221-3/+3
| | | | | | | | | | | 7573880 system-linux: parse 6rd specific settings as nested json data object a063705 system-linux: remove redundant check for strtoul() return value e6ebe0b build: disable unknown warning option error in clang 08d8f47 interface: add new "ifup-failed" hotplug event 20a1bac bridge: reset primary only after marking the member not present 6b9c267 build: suppress format truncation warnings to avoid errors with gcc7 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* umdns: update to the version 2017-05-22Rafał Miłecki2017-05-221-3/+3
| | | | | | | | | | | | | | | | This includes following changes: 0e8b948 Support specifying instance name in JSON file 49fdb9f Support PTR queries for a specific service 26ce7dc Allow filtering with instance name in service_reply 920c62a Store instance name in the struct service ff09d9a Rename service_name function to the service_instance_name 64f78f1 Rename mdns_hostname variable to the umdns_host_label Previous package update pulled commit 70c66fbbcde86 ("Fix sending replies to PTR questions") which introduced a regression which this update fixes. Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* dropbear: bump to 2017.75Kevin Darbyshire-Bryant2017-05-212-17/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | - Security: Fix double-free in server TCP listener cleanup A double-free in the server could be triggered by an authenticated user if dropbear is running with -a (Allow connections to forwarded ports from any host) This could potentially allow arbitrary code execution as root by an authenticated user. Affects versions 2013.56 to 2016.74. Thanks to Mark Shepard for reporting the crash. CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c - Security: Fix information disclosure with ~/.ssh/authorized_keys symlink. Dropbear parsed authorized_keys as root, even if it were a symlink. The fix is to switch to user permissions when opening authorized_keys A user could symlink their ~/.ssh/authorized_keys to a root-owned file they couldn't normally read. If they managed to get that file to contain valid authorized_keys with command= options it might be possible to read other contents of that file. This information disclosure is to an already authenticated user. Thanks to Jann Horn of Google Project Zero for reporting this. CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123 Refresh patches, rework 100-pubkey_path.patch to work with new authorized_keys validation. Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* lldpd: drop specific respawn params [use system-wide]Alexandru Ardelean2017-05-181-3/+0
| | | | | | | I think I added these respawn params [a while back], when I did the conversion to procd init script format. Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* comgt-3g: enable modem before to setpinGiuseppe Lippolis2017-05-182-1/+2
| | | | | | some modems needs to be enabled with CFUN=1 before to set the pin Signed-off-by: Giuseppe Lippolis <giu.lippolis@gmail.com>
* dnsmasq: add IPv6 nameserver configuration in server modeArjen de Korte2017-05-162-1/+11
| | | | | | | | | | | When in ra server mode, configure nameservers passed in router announcements from the dns value (which is already used by odhcpd). This also fixes FS#677 by using the global IPv6 address of the router instead of the link local address (if no nameservers are configured). Signed-off-by: Arjen de Korte <build+lede@de-korte.org> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* network/utils/curl: Update to 7.54.0Daniel Engberg2017-05-163-16/+16
| | | | | | | Update curl to 7.54.0 Update and fresh patches Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* network/utils/ipset: Update to 6.32Daniel Engberg2017-05-161-2/+2
| | | | | | Update ipset to 6.32 Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* uhttpd: Enable integrated Lua by defaultAnsuel Smith2017-05-162-4/+17
| | | | | | We enabled lua interpreter by default as it doesn't make any problem in the uhttpd config file and we modify the index page to use it. Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
* odhcpd: update to git HEAD versionHans Dedecker2017-05-151-3/+3
| | | | | | | | | | | | | | | | | | 93abe6f config: fix invalid hoplimit in RA message 2ae08d1 config: fix invalid retranstime in RA message 0005cb4 config: fix invalid reachabletime in RA message 5683dd2 config: limit ra_mtu to 65535 f8d40a5 router: fix interface mtu read error f8f4b87 config: limit ra_retranstime to 60000 a2d8bf6 dhcpv4: display two hex digits per octet in syslog a9e9bc4 config: make RA retransTime configurable via uci 2cb6b48 config: make RA reachableTime configurable via uci e4504db config: make RA curHopLimit configurable via uci 9dd5316 config: make RA mtu configurable via UCI 29cb2ff config: fix dhcpv4 server being started 0ef74ec ndp.c: add switch/case fallthrough comments Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* mac80211, hostapd: always explicitly set beacon intervalMatthias Schiffer2017-05-132-4/+3
| | | | | | | | | | | | | | | | One of the latest mac80211 updates added sanity checks, requiring the beacon intervals of all VIFs of the same radio to match. This often broke AP+11s setups, as these modes use different default intervals, at least in some configurations (observed on ath9k). Instead of relying on driver or hostapd defaults, change the scripts to always explicitly set the beacon interval, defaulting to 100. This also applies the beacon interval to 11s interfaces, which had been forgotten before. VIF-specific beacon_int setting is removed from hostapd.sh. Fixes FS#619. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* hostapd: remove unused variable declarations in hostapd.shMatthias Schiffer2017-05-131-1/+0
| | | | | | | None of the variables in this "local" declaration are actually set in wpa_supplicant_add_network(). Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* dnsmasq: bump to 2.77rc3Kevin Darbyshire-Bryant2017-05-122-10/+10
| | | | | | Fix [FS#766] Intermittent SIGSEGV crash of dnsmasq-full Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* openvpn: update to v2.4.2Jo-Philipp Wich2017-05-121-2/+2
| | | | | | | | | | | | | Update to version 2.4.2 in order to address two potential Denial-of-Service vectors in OpenVPN. CVE-2017-7478 - Don't assert out on receiving too-large control packets CVE-2017-7479 - Drop packets instead of assert out if packet id rolls over Ref: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.2 Ref: https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* dnsmasq: don't propagate DUID from one host to anotherArjen de Korte2017-05-111-1/+1
| | | | | | If no DUID is set for a host, it should be empty, not the last one set for a previous host. Signed-off-by: Arjen de Korte <build+lede@de-korte.org>
* dnsmasq: use append_interface_name when using option --interface-nameHans Dedecker2017-05-092-4/+4
| | | | Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: add interface-name uci list.Daniel Danzberger2017-05-092-1/+7
| | | | | | | | | | | | | | | | | | This patch adds the interface-name option for each dhcp config in /etc/config/dhcp. With the interface_name option users can define a DNS name for each dhcp section that will be resolved by dnsmasq with the underlaying interface address. For example: config dhcp 'lan' option interface 'lan' ... list interface_name 'home.lan' ... Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* dnsmasq: make tftp root if not existingAlberto Bursi2017-05-041-1/+1
| | | | | | | | | | If there's a TFTP root directory configured, create it with mkdir -p (which does not throw an error if the folder exists already) before starting dnsmasq. This is useful for TFTP roots in /tmp, for example. Originally submitted by nfw user aka Nathaniel Wesley Filardo Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
* dnsmasq: fix dhcp_option usage warningHans Dedecker2017-05-041-1/+2
| | | | | | | Don't display unnecessary dhcp_option usage warning in case dhcp_option is empty Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: add legacy_rates option to disable 802.11b data rates.Nick Lowe2017-05-031-8/+20
| | | | | | | | | | | | | | | | | | Setting legacy_rates to 0 disables 802.11b data rates. Setting legacy_rates to 1 enables 802.11b data rates. (Default) The basic_rate option and supported_rates option are filtered based on this. The rationale for the change, stronger now than in 2014, can be found in: https://mentor.ieee.org/802.11/dcn/14/11-14-0099-00-000m-renewing-2-4ghz-band.pptx The balance of equities between compatibility with b clients and the detriment to the 2.4 GHz ecosystem as a whole strongly favors disabling b rates by default. Signed-off-by: Nick Lowe <nick.lowe@gmail.com> Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup, defaults change]
* hostapd: fix reload frequency change patchAbhilash Tuse2017-05-032-7/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When sta is configured, hostapd receives 'stop' and 'update' command from wpa_supplicant. In the update command, hostapd gets sta parameters with which it configures ap. Problem is, with the default wireless configuration: mode:11g freq:2.4GHz channel:1 If sta is connected to 5GHz network, then ap does not work. Ideally with 340-reload_freq_change.patch hostapd should reload the frequency changes and start ap in 5GHz, but ap becomes invisible in the network. This issue can be reproduced with following /etc/config/wireless: config wifi-device radio0 option type mac80211 option channel 1 option hwmode 11g option path 'virtual/uccp420/uccwlan' option htmode 'none' config wifi-iface 'ap' option device 'radio0' option encryption 'none' option mode 'ap' option network 'ap' option ssid 'MyTestNet' option encryption none config wifi-iface 'sta' option device radio0 option network sta option mode sta option ssid TestNet-5G option encryption psk2 option key 12345 This change updates current_mode structure based on configured hw_mode received from wpa_supplicant. Also prepare rates table after frequency selection. Signed-off-by: Abhilash Tuse <Abhilash.Tuse@imgtec.com> Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup, patch refresh]