According to openconnect --help output:
-m, --mtu=MTU Request MTU from server
--base-mtu=MTU Indicate path MTU to/from server
Fixes #2099 by allowing setting tunnel mtu
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
It was introduced with 41f8d5465 ("openconnect: fix a couple of minor
things and add an interface option") and not needed since 4083de9d7
("openconnect: use proto_add_host_dependency")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
We would not be able to search for pcap.h because CFLAGS are not passed
from src/Makefile down to src/wps/Makefile:
make[4]: Entering directory
'/home/florian/dev/openwrt/trunk/build_dir/target-mipsel-unknown-linux-gnu_glibc/reaver-1.4/src/wps'
mipsel-linux-gnu-gcc -I../utils -I ../ wps_attr_build.c -c
mipsel-linux-gnu-gcc -I../utils -I ../ wps_attr_parse.c -c
mipsel-linux-gnu-gcc -I../utils -I ../ wps_attr_process.c -c
mipsel-linux-gnu-gcc -I../utils -I ../ wps.c -c
mipsel-linux-gnu-gcc -I../utils -I ../ wps_common.c -c
mipsel-linux-gnu-gcc -I../utils -I ../ wps_dev_attr.c -c
mipsel-linux-gnu-gcc -I../utils -I ../ wps_enrollee.c -c
mipsel-linux-gnu-gcc -I../utils -I ../ wps_registrar.c -c
In file included from ../misc.h:41:0,
from wps_registrar.c:27:
../defs.h:43:18: fatal error: pcap.h: No such file or directory
#include <pcap.h>
^
compilation terminated.
Makefile:28: recipe for target 'wps_registrar.o' failed
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
There are no other "echo" debug lines in this file, and it seems
clear that this one was accidentally left as a debugging line,
since it misspelled "dependency". So, we just remove this line.
We don't bump the package version, though, because this is
pretty inconsequential.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
From upstream's changelog:
* timers: queue up killing ephemerals only if not already
We fix up a small detail in the timer logic that changed during the last
snapshot.
* receive: trim incoming packets to IP header length
Packets are now trimmed to their actual length, not their length+padding,
before handing to the rest of the network subsystem, so that packets look
pretty in tcpdump. This doesn't actually affect what userspace sees, since the
kernel trims it at a later stage, but it does make pcaps a bit nicer to use.
* curve25519: use more standard label convention in asm
This ensures that perf(1) shows the function name instead of the label name.
* compat: remove padata hotplug code
Fixes building on kernels that have HOTPLUG enabled but no PADATA support.
* config: add new line for style
* device: do-while assignment style
* peer: explicitly initialize atomic
Style.
* noise: fix race when replacing handshake
Handle a situation in which three peers, all running on the same system, begin
a handshake with all three of each other, at exactly the same time, on a
multi-CPU system.
* random: wait for random bytes when generating nonces and ephemerals
We've been working with upstream to add a new API to the kernel for ensuring
that the RNG actually is seeded. Until they merge it for 4.13, we provide a
poly-fill to the compat code. This means that WireGuard will block during
handshakes until the RNG has enough entropy, so that it's never in a
circumstance in which ephemeral keys are generated from bad randomness.
* go test: properly pad message
* go test: correct tai64n and formatting
* external-tests: add keepalive packet
* go test: use x/crypto for blake2s now that we have 128-bit mac
* external-tests: trim the fat
Improvements for the external tests.
* wg-quick: make sure we have empty table for both v6 and v4
* wg-quick: match ipv6 default route more broadly
Tiny nits with wg-quick, one of which should now allow multiple v6-only
wg-quick instances running at the same time.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
backend:
* cosmetics
frontend:
* "Save & Reply" now distinguishes between normal and manual/backup mode
and triggers an appropriate reload or a start action
Signed-off-by: Dirk Brenken <dev@brenken.org>
Script priority adjusted.
Custom memory management turned off to save some memory on low-end devices.
Signed-off-by: Antonio Paunovic <antonio.paunovic@sartura.hr>
backend:
* add new 'manual mode' to re-use blocklist backups during startup,
get fresh lists only via manual reload or restart action
* additional free memory check during dns restart to prevent OOM errors
* removed palevo tracker from default config,
this tracker has been discontinued
* cosmetics
LuCI frontend (see luci repo):
* add new 'manual mode' under extra options
Signed-off-by: Dirk Brenken <dev@brenken.org>
The smartsnmpd SConstruct file only accepts setting CFLAGS and does not
use CPPFLAGS, so pass both down using CFLAGS.
This fixes build errors with external toolchains that don't
automatically search for headers in $(STAGING_DIR).
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Make sure we pass down TARGET_CPPFLAGS and TARGET_LDFLAGS to fix build
with external toolchains that don't automatically search for headers and
libraries in $(STAGING_DIR).
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
This was removed in LEDE commit 0b7ed65cec8084bb98ae0e2758b7aca6c447cd4b
("kernel: remove out of tree direct-io disable hack")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
After checking in the ipkg-install dir of netatalk,
it seems that the permissions it sets to the conf-files
are 644.
# ls -la lede/build_dir/target-mips_24kc_musl/netatalk-3.1.11/ipkg-install/etc
-rw-r--r-- 1 sandu sandu 226 iun 5 20:53 afp.conf
-rw-r--r-- 1 sandu sandu 1948 iun 5 20:53 dbus-session.conf
-rw-r--r-- 1 sandu sandu 25037 iun 5 20:53 extmap.conf
While the Package/netatalk/install build rule overrides
them to 600.
According to
* https://github.com/openwrt/packages/issues/4318
* https://forum.lede-project.org/t/help-with-apple-filesharing-protocol-for-time-machine/3259/5
this is a problem in some setups.
So, this patch changes them to what the netatalk
package creators intended initially (i.e. 644).
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
The earlier commit ea119211b2 removed 'dsa' as one of the ssh_host_*_key
types that got generated. Problem was that it didn't remove that key
as one of the paths that the server looks for by default. As a
consequence, your log file might fill up with messages like:
2017-06-01T15:43:07-06:00 openwrt sshd[31929]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
The patch is fortunately trivial. Don't set the path for the dsa
key file in the server configuration.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The author (@pprindeville) of the original commit noted that the wrong
commit was picked, see
325b7d2cd2 (commitcomment-22387528)
"Err... looks like the wrong fix got committed. I was hoping that this
commit d902e5d would have gone in instead."
This reverts commit 325b7d2cd2.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fixes the following build error with an external toolchain:
./bld/sqlite3.o: In function `fts5Bm25Function':
sqlite3.c:(.text+0x27234): undefined reference to `log'
./bld/piechart.o: In function `piechart_render':
piechart_.c:(.text+0x430): undefined reference to `sincos'
piechart_.c:(.text+0x47c): undefined reference to `sincos'
piechart_.c:(.text+0x548): undefined reference to `sincos'
collect2: error: ld returned 1 exit status
src/main.mk:526: recipe for target 'fossil' failed
make[3]: *** [fossil] Error 1
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
This backports a patch that has been accepted upstream in linuxptp:
8b61aa2c3f3103db1d4ca1d1e49bb4f8831c1abf ("udp: Avoid including
netdb.h") to fix build errors with external glibc toolchains that
provide rpc/types.h.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Conserver is an application that allows multiple users to use
serial consoles at the same time, with logging. It has a client-
server design which makes it easy to manage a distributed set
of serial consoles. Logging makes post-crash analyses easier.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Standard assignment is immediate expansion without any extraneous spacing, RFC822 compliant email addresses and consistent section assignments
Signed-off-by: Stephen Walker <stephendwalker+github@gmail.com>
types that got generated. Problem was that it didn't remove that key
as one of the paths that the server looks for by default. As a
consequence, your log file might fill up with messages like:
2017-06-01T15:43:07-06:00 openwrt sshd[31929]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
The patch is fortunately trivial. Don't set the path for the dsa
key file in the server configuration.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Peter Wagner <tripolar@gmx.at>
From upstream's changelog:
This rather large snapshot touches quite a few sensitive areas, so I'm
releasing it now rather than later to receive feedback on any possible issues.
It also contains fixes, so everybody should upgrade.
* man: fix psk mention in wg-quick man page
* man: update wg-quick(8) to show Debian resolvconf braindamage
Documentation cleanups.
* wg-quick: use src routing for default routes in v6
ip-rule(8) doesn't do the right thing with source addresses, unless we
explicitly set it inside the route. This fixes wg-quick on IPv6 systems.
* curve25519: actually, do some things on heap sometimes
* curve25519: align the basepoint to 32 bytes
* curve25519: add NEON versions for ARM
* data: enable BH during parallel crypto on ARM/NEON
* chacha20poly1305: move constants to rodata
* chacha20poly1305: add NEON versions for ARM and ARM64
We now have faster primitives on ARM and ARM64 processors, which should
improve performance.
* handshake: process in parallel
Handshakes are now processed in parallel using all cores, which should improve
throughput during a storm.
* noise: no need to store ephemeral public key
* noise: precompute static-static ECDH operation
We can precompute the ECDH(s, s) calculation, which improves handshake
initiation message performance by double.
* style: spaces after for loops
* peer: use iterator macro instead of callback
The most unreadable C ever produced. It might be wise to find a sexier-looking
alternative at some point.
* compat: remove warning for < 4.1
* compat: ship padata if kernel doesn't have it
The usual array of annoying compat things.
* rust test: convert screech test to snow
* rust test: add icmp ping
We now use Jake's snow library for Noise in the test, which we've expanded to
complete a ping.
* config: do not error out when getting if no peers
* tools: allow creating device with no peers
Fixing some small things in the tool/config interaction.
* device: keep going when share_check fails
* routingtable: remove unnecessary check in node_placement()
* config: it's faster to memcpy than strncpy
* timers: fix typo in comment
Nits.
* debug: print interface name in dmesg
For those who compile with `make debug`, you'll be happy to see a bit better
information in dmesg.
* timers: rework handshake reply control flow
* timers: the completion of a handshake also is on key confirmation
* timers: reset retry-attempt counter when not retrying
Tightening up our timer implementation, which is quite important.
Signed-off-by: Dan Luedtke <mail@danrl.com>
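The "precompute static-static ECDH" item above rests on one observation: in an IK-style Noise handshake the initiator mixes DH(e_i, S_r) and DH(s_i, S_r) into the chaining key, and only the first of those depends on the per-handshake ephemeral, so the second can be computed once per configured peer and cached. The block below is an added illustration, not WireGuard's code: it implements X25519 from RFC 7748 in pure Python, uses a simplified HMAC/BLAKE2s chaining-key step (assumed; WireGuard's exact KDF, labels and message layout are not reproduced), and shows that the responder, which computes DH(s_r, E_i) and DH(s_r, S_i) on its side, arrives at the same chaining key while both peers read the static-static term from a cache.

```python
"""Added example (not WireGuard's code): why the static-static ECDH term of a
Noise IK-style handshake can be precomputed per peer.

X25519 follows RFC 7748.  The chaining-key schedule is an illustrative
HMAC/BLAKE2s construction, assumed for this example only.
"""
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """X25519(k, u) via the Montgomery ladder of RFC 7748 section 5."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:  # a real implementation uses a constant-time cswap here
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = k_t
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def pubkey(priv: bytes) -> bytes:
    return x25519(priv, BASEPOINT)


def mix(chaining_key: bytes, ikm: bytes) -> bytes:
    """One KDF step: HMAC extract then a one-block expand (illustrative)."""
    prk = hmac.new(chaining_key, ikm, hashlib.blake2s).digest()
    return hmac.new(prk, b"\x01", hashlib.blake2s).digest()


class Peer:
    def __init__(self, priv=None):
        self.priv = priv if priv is not None else os.urandom(32)
        self.pub = pubkey(self.priv)
        self.ss_cache = {}

    def static_static(self, their_pub: bytes) -> bytes:
        # Depends only on the two static keys, never on the ephemeral, so it
        # is computed once per configured peer and reused for every handshake.
        if their_pub not in self.ss_cache:
            self.ss_cache[their_pub] = x25519(self.priv, their_pub)
        return self.ss_cache[their_pub]


def initiator_chain(init: Peer, resp_pub: bytes, eph_priv: bytes) -> bytes:
    ck = hashlib.blake2s(b"example-protocol").digest()
    ck = mix(ck, pubkey(eph_priv))               # e
    ck = mix(ck, x25519(eph_priv, resp_pub))     # es: fresh per handshake
    ck = mix(ck, init.static_static(resp_pub))   # ss: cached
    return ck


def responder_chain(resp: Peer, init_pub: bytes, eph_pub: bytes) -> bytes:
    ck = hashlib.blake2s(b"example-protocol").digest()
    ck = mix(ck, eph_pub)                        # e
    ck = mix(ck, x25519(resp.priv, eph_pub))     # se (equals initiator's es)
    ck = mix(ck, resp.static_static(init_pub))   # ss: cached
    return ck


def demo() -> bool:
    alice, bob = Peer(), Peer()
    eph = os.urandom(32)
    return initiator_chain(alice, bob.pub, eph) == responder_chain(bob, alice.pub, pubkey(eph))


if __name__ == "__main__":
    print("both sides agree:", demo())
```

The cache is keyed by the remote static public key, which is exactly the granularity at which the saving applies: one scalar multiplication per peer at configuration time instead of one per handshake initiation.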
Since we're using the kernel's module, this is
unnecessary.
Should speed up the build a bit.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Admittedly I never used those Python libs.
And the setup I was trying it on did not have
the Python interpreter packaged, so these build failures
went unnoticed.
That's my fault for not trying it out properly on
a full LEDE repo, with all packages.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Add UCI section general which holds the uci parameter network defining on
which interface(s) the snmp agent is reachable for inbound snmp requests
in case the firewall zone does not allow INPUT traffic by default.
For the different zones to which the different interfaces belong, firewall
procd input rules are created making the snmp agent reachable on udp port
161.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Base LEDE/OpenWrt UCI for dnsmasq provides for DNS override in
/etc/config/dhcp. It is desired to be able to use dnsmasq and
Unbound as transparently as possible. Option 'add_extra_dns'
will pull 'domain', 'mxhost', 'srvhost', and 'cname' from base.
netifd/procd have an interaction with DHCPv6/RA on WAN (FS#713).
Minor IP6 parameter updates can cause Unbound reload events every
few minutes. List option 'trigger' selects which interfaces may
cause reload. For example 'lan', 'wan' but not 'wan6'.
Squash other cosmetics.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Below are changes in the packaging method:
- Use tarball provided by the upstream project maintainer instead of
cloning the whole git-repo
- Drop openssl variant as it was deprecated then removed by the
upstream project
- Add dependency on libev, libsodium, libudns as they are not bundled
with the source code anymore
Addresses issue #4191
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Convert init-script to procd and allow to configure
isc-dhcp-server via UCI. Allow most by-network and by-host options
supported by dnsmasq.
User-defined dhcp-options are not supported yet, neither are tags.
Existing configurations with user-edited /etc/dhcpd.conf are still
respected, hence to enjoy the new features you have to migrate
your configuration to UCI and delete /etc/dhcpd.conf.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* made wget default params compatible with older program versions
* shift dns detection routine to simplify dns override,
just set 'adb_dnslist' to force a particular backend priority
(default: 'dnsmasq unbound')
* reduce ubus polling during dns detection
Signed-off-by: Dirk Brenken <dev@brenken.org>
* always update the connection status, even in case of an error
* merge multiple ubus network calls in central check routine
Signed-off-by: Dirk Brenken <dev@brenken.org>
* Update to 1.9.5
* Use PKG_HASH instead of PKG_MD5SUM
* Add dnscrypt-proxy github link in PKG_SOURCE_URL
Signed-off-by: Damiano Renfer <damiano.renfer@gmail.com>
If mwan3track does not stop immediately after sending the kill signal,
the clean_up handler will delete the pid file later while the new mwan3track is
already running.
This could result in a situation that mwan3track is running
more than once because the old mwan3track service could not be killed,
because the pid file is missing.
Using pgrep to kill all mwan3track for the tracked interface and not using
pid file should fix this issue.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This change includes fixes for several security issues:
* CVE-2017-3138: rndc "" could trigger an assertion failure in named.
* CVE-2017-3137: Some chaining (i.e., type CNAME or DNAME) responses to
upstream queries could trigger assertion failures.
* CVE-2017-3136: dns64 with break-dnssec yes; can result in an assertion
failure.
* CVE-2017-3135: If a server is configured with a response policy zone
(RPZ) that rewrites an answer with local data, and is also configured
for DNS64 address mapping, a NULL pointer can be read triggering a
server crash.
* CVE-2016-9444: named could mishandle authority sections with missing
RRSIGs, triggering an assertion failure.
* CVE-2016-9131: named mishandled some responses where covering RRSIG
records were returned without the requested data, resulting in an
assertion failure.
* CVE-2016-9131: named incorrectly tried to cache TKEY records which could
trigger an assertion failure when there was a class mismatch.
* CVE-2016-8864: It was possible to trigger assertions when processing
responses containing answers of type DNAME.
* CVE-2016-6170: Added the ability to specify the maximum number of
records permitted in a zone (max-records #;). This provides a mechanism
to block overly large zone transfers, which is a potential risk with
slave zones from other parties.
* CVE-2016-2776: It was possible to trigger an assertion when rendering a
message using a specially crafted request.
* CVE-2016-2775: Calling getrrsetbyname() with a non absolute name could
trigger an infinite recursion bug in lwresd or named with lwres
configured if, when combined with a search list entry from resolv.conf,
the resulting name is too long.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
fixes webroot to be defined as
_currentRoot='/www'
instead of being interpreted as
_currentRoot='"/www"'
Signed-off-by: Aleksei Nosachev <nos1609@hotmail.com>
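The commit above does not name the script it patches, but the symptom it describes is a general shell pitfall: a config value that is stored with its own double quotes gets dropped verbatim between single quotes, so the generated assignment carries both layers. The block below is an added illustration, not the package's script: it reproduces the bad assignment from a constructed config value and shows a small POSIX-sh helper that strips one pair of surrounding quotes before the value is embedded. The function names and the `webroot "/www"` config line are assumptions for this example.

```sh
#!/bin/sh
# Added example (not the package's own code): how a quoted config value
# becomes _currentRoot='"/www"', and a helper that normalises it first.

# strip_quotes VALUE: remove one pair of matching surrounding quotes, if any.
strip_quotes() {
    _v=$1
    case "$_v" in
        \"*\") _v=${_v#\"}; _v=${_v%\"} ;;
        \'*\') _v=${_v#\'}; _v=${_v%\'} ;;
    esac
    printf '%s' "$_v"
}

# Before: the raw value is placed between single quotes verbatim, so quotes
# that were part of the stored value survive into the generated script.
webroot_assignment_raw() {
    printf "_currentRoot='%s'" "$1"
}

# After: normalise the value before embedding it.
webroot_assignment() {
    printf "_currentRoot='%s'" "$(strip_quotes "$1")"
}

# Constructed config value, as a config file line `webroot "/www"` would yield
# when the quotes are read as part of the value.
config_value='"/www"'
echo "before: $(webroot_assignment_raw "$config_value")"   # _currentRoot='"/www"'
echo "after:  $(webroot_assignment "$config_value")"       # _currentRoot='/www'
```

Only one layer is stripped on purpose: a value that legitimately begins and ends with a quote character inside its content is rare, and stripping repeatedly would silently alter it.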
* create /etc/vsftpd directory for extra config files
like userlist, certificate and key
* modify config file to use that directory
* include that directory in conffiles for backup
* use PKG_HASH
* update URL
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
backend:
* various small fixes & optimizations
LuCI frontend (see luci repo):
* Limit Blacklist/Whitelist Online editing to max. 512 KB, approx.
20.000 domains per list
* Automatically refresh the overview page after button onclick event,
e.g. 'Suspend/Resume' or 'Save & Apply'
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
Notes:
- drop un-needed patches
- bump kernel support up to 4.9
- switch from git repo to release tarball
- use OVS in-tree kernel module; seems that using the kernel module
from the package has certain issues due to the glue/backport code
that tries to adapt to many kernel versions and has a potential
to mess up; not to mention, the glue code makes the kmod
a few times larger than it should be
- tested on x86_64 VM
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Full changelog available at:
https://mosquitto.org/2017/02/version-1-4-11-released/
Mostly ipv6 and websockets fixes, but requires a patch (submitted
upstream) to work around an accidental glibc dependency upstream.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Adds the "notifications" option which is important when connecting
mosquitto to rabbitmq for instance.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Earlier, PROVIDES handling was clarified for the broker and the library.
Use the same style to properly provide the -client-ssl and -client-nossl
packages.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Added a new config entry udp_port to split UDP port from TCP. This is
useful when a particular port is blocked by the ISP.
udp_port falls back to port if not set to be compatible with current
config file.
Also fixed an ifname typo from the last commit.
Signed-off-by: Qian Sheng <billsq@billsq.me>
If netifd sets an interface up/down which is not tracked by mwan3, the
connected network of that interface should regardless be added to/removed from the
mwan3_connected ipset.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>