Similar to wireguard, vxlan can configure multiple peers or add specific
entries to the fdb for a single mac address.
While you can still use peeraddr/peer6addr option within the proto
vxlan/vxlan6 section to not break existing configurations, this patch
allows to add multiple sections that conigure fdb entries via the bridge
command. As such, the bridge command is now a dependency of the vxlan
package. (To be honest without the bridge command available, vxlan isn't
very much fun to use or debug at all)
Field names are taken direclty from the bridge command.
Example with all supported parameters, since this hasn't been documented so
far:
config interface 'vx0'
option proto 'vxlan6' # use vxlan over ipv6
# main options
option ip6addr '2001:db8::1' # listen address
option tunlink 'wan6' # optional if listen address given
option peer6addr '2001:db8::2' # now optional
option port '8472' # this is the standard port under linux
option vid '42' # VXLAN Network Identifier to use
option mtu '1430' # vxlan6 has 70 bytes overhead
# extra options
option rxcsum '0' # allow receiving packets without checksum
option txcsum '0' # send packets without checksum
option ttl '16' # specifies the TTL value for outgoing packets
option tos '0' # specifies the TOS value for outgoing packets
option macaddr '11:22:33:44:55:66' # optional, manually specify mac
# default is a random address
Single peer with head-end replication. Corresponds to the following call
to bridge:
$ bridge fdb append 00:00:00:00:00:00 dev vx0 dst 2001:db8::3
config vxlan_peer
option vxlan 'vx0'
option dst '2001:db8::3' # always required
For multiple peers, this section can be repeated for each dst address.
It's possible to specify a multicast address as destination. Useful when
multicast routing is available or within one lan segment:
config vxlan_peer
option vxlan 'vx0'
option dst 'ff02::1337' # multicast group to join.
# all bum traffic will be send there
option via 'eth1' # for multicast, an outgoing interface needs
# to be specified
All available peer options for completeness:
config vxlan_peer
option vxlan 'vx0' # the interface to configure
option lladdr 'aa:bb:cc:dd:ee:ff' # specific mac,
option dst '2001:db8::4' # connected to this peer
option via 'eth0.1' # use this interface only
option port '4789' # use different port for this peer
option vni '23' # override vni for this peer
option src_vni '123' # see man 3 bridge
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
vxlan can be configured without a peer address. This is used to prepare
an interface and add peers later.
Fixes: FS#2743
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
Acked-by: Matthias Schiffer <mschiffer@universe-factory.net>
This fixes a nasty problem introduced in 2.81 which causes random
crashes on systems where there's significant DNS activity over TCP. It
also fixes DNSSEC validation problems with zero-TTL DNSKEY and DS
records.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This file is always present because it is part of the ltq-dsl-base
package on which these packages depend.
This check would not have been necessary in the past, because the script
was part of the TARGET_LANTIQ on which these packages also depend.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
It does not make sense to install this components on lantiq systems
where the dsl subsystem is not needed/used.
This also makes it possible to use the files also on other targets.
(hopefully ipq401x / FritzBox 7530 in the near future)
Signed-off-by: Martin Schiller <ms.3headeddevs@gmail.com>
In the package guidelines, PKG_VERSION is supposed to be used as
"The upstream version number that we're downloading", while
PKG_RELEASE is referred to as "The version of this package Makefile".
Thus, the variables in a strict interpretation provide a clear
distinction between "their" (upstream) version in PKG_VERSION and
"our" (local OpenWrt trunk) version in PKG_RELEASE.
For local (OpenWrt-only) packages, this implies that those will only
need PKG_RELEASE defined, while PKG_VERSION does not apply following
a strict interpretation. While the majority of "our" packages actually
follow that scheme, there are also some that mix both variables or
have one of them defined but keep them at "1".
This is misleading and confusing, which can be observed by the fact
that there typically either one of the variables is never bumped or
the choice of the variable to increase depends on the person doing the
change.
Consequently, this patch aims at clarifying the situation by
consistently using only PKG_RELEASE for "our" packages. To achieve
that, PKG_VERSION is removed there, bumping PKG_RELEASE where
necessary to ensure the resulting package version string is bigger
than before.
During adjustment, one has to make sure that the new resulting composite
package version will not be considered "older" than the previous one.
A useful tool for evaluating that is 'opkg compare-versions'. In
principle, there are the following cases:
1. Sole PKG_VERSION replaced by sole PKG_RELEASE:
In this case, the resulting version string does not change, it's
just the value of the variable put in the file. Consequently, we
do not bump the number in these cases so nobody is tempted to
install the same package again.
2. PKG_VERSION and PKG_RELEASE replaced by sole PKG_RELEASE:
In this case, the resulting version string has been "version-release",
e.g. 1-3 or 1.0-3. For this case, the new PKG_RELEASE will just
need to be higher than the previous PKG_VERSION.
For the cases where PKG_VERSION has always sticked to "1", and
PKG_RELEASE has been incremented, we take the most recent value of
PKG_RELEASE.
Apart from that, a few packages appear to have developed their own
complex versioning scheme, e.g. using x.y.z number for PKG_VERSION
_and_ a PKG_RELEASE (qos-scripts) or using dates for PKG_VERSION
(adb-enablemodem, wwan). I didn't touch these few in this patch.
Cc: Hans Dedecker <dedeckeh@gmail.com>
Cc: Felix Fietkau <nbd@nbd.name>
Cc: Andre Valentin <avalentin@marcant.net>
Cc: Matthias Schiffer <mschiffer@universe-factory.net>
Cc: Jo-Philipp Wich <jo@mein.io>
Cc: Steven Barth <steven@midlink.org>
Cc: Daniel Golle <dgolle@allnet.de>
Cc: John Crispin <john@phrozen.org>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Bumping package version has been overlooked in a previous commit.
While at it, use PKG_RELEASE instead of PKG_VERSION, as the latter
is meant for upstream version number only.
(The effective version string for the package would be "3" in both
cases, so there is no harm done for version comparison.)
Fixes: 0453c3866f ("vxlan: fix udp checksum control")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
So far, passing "rxcsum" and "txcsum" had no effect.
Fixes: 95ab18e012 ("vxlan: add options to enable and disable UDP
checksums")
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
[add Fixes:]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Feature detection doesn't recognize ipset v7 use on kernel v5.x systems
and thus disables the tc ematch function em_ipset.
- backport patch:
* 002-configure-support-ipset-v7.patch:
650591a7a70c configure: support ipset version 7 with kernel version 5
Fixes: 4e0c54bc5b ("kernel: add support for kernel 5.4")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Recent iproute2 5.x versions modified the symbols resolved for plugins,
causing "tc .. action xt .." to fail. Update the list of symbols to fix.
Fixes: b61495409b ("iproute2: tc: reduce size of dynamic symbol table")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
This release brings parity with the commits Linus released a few hours
ago into 5.8-rc5.
* receive: account for napi_gro_receive never returning GRO_DROP
The napi_gro_receive function no longer returns GRO_DROP ever, making
handling GRO_DROP dead code. This commit removes that dead code.
Further, it's not even clear that device drivers have any business in
taking action after passing off received packets; that's arguably out of
their hands.
* device: implement header_ops->parse_protocol for AF_PACKET
WireGuard uses skb->protocol to determine packet type, and bails out if
it's not set or set to something it's not expecting. For AF_PACKET
injection, we need to support its call chain of:
packet_sendmsg -> packet_snd -> packet_parse_headers ->
dev_parse_header_protocol -> parse_protocol
Without a valid parse_protocol, this returns zero, and wireguard then
rejects the skb. So, this wires up the ip_tunnel handler for layer 3
packets for that case.
* queueing: make use of ip_tunnel_parse_protocol
Now that wg_examine_packet_protocol has been added for general
consumption as ip_tunnel_parse_protocol, it's possible to remove
wg_examine_packet_protocol and simply use the new
ip_tunnel_parse_protocol function directly.
* compat: backport ip_tunnel_parse_protocol and ip_tunnel_header_ops
These are required for moving wg_examine_packet_protocol out of
wireguard and into upstream.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
ddd57c2 pppd: Add lcp-echo-adaptive option
c319558 pppd: Handle SIGINT and SIGTERM during interrupted syscalls (#148)
0bc11fb Added missing options to manual pages. (#149)
b1fcf16 Merge branch 'monotonic-time' of https://github.com/themiron/ppp
c78e312 pppd: linux: use monotonic time if possible
Remove patch 121-debian_adaptive_lcp_echo as patch is upstream accepted
Remove patch 206-compensate_time_change.patch as timewrap issues are
solved by a patch making use of monotonic time
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Upstream in commit 972d723484d8 ("split signkey_type and signature_type
for RSA sha1 vs sha256") has added strict checking of pubkey algorithms
which made keys with SHA-256 hashing algorithm unusable as they still
reuse the `ssh-rsa` public key format. So fix this by disabling the
check for `rsa-sha2-256` pubkeys.
Ref: https://tools.ietf.org/html/rfc8332#section-3
Fixes: d4c80f5b17 ("dropbear: bump to 2020.80")
Tested-by: Russell Senior <russell@personaltelco.net>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This replaces deprecated backticks by more versatile $(...) syntax.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
[add commit description]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Backport patches which fix compile issue for uClibc-ng :
dbrandom.c:174:8: warning: implicit declaration of function 'getrandom'; did you mean 'genrandom'? [-Wimplicit-function-declaration]
ret = getrandom(buf, sizeof(buf), GRND_NONBLOCK);
^~~~~~~~~
genrandom
dbrandom.c:174:36: error: 'GRND_NONBLOCK' undeclared (first use in this function); did you mean 'SOCK_NONBLOCK'?
ret = getrandom(buf, sizeof(buf), GRND_NONBLOCK);
^~~~~~~~~~~~~
SOCK_NONBLOCK
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
- drop patches (applied upstream):
* 010-backport-change-address-logging.patch
* 020-backport-ed25519-support.patch
* 021-backport-chacha20-poly1305-support.patch
- backport patches:
* 010-backport-disable-toom-and-karatsuba.patch:
reduce dropbear binary size (about ~8Kb).
- refresh patches.
- don't bother anymore with following config options
because they are disabled in upstream too:
* DROPBEAR_3DES
* DROPBEAR_ENABLE_CBC_MODE
* DROPBEAR_SHA1_96_HMAC
- explicitly disable DO_MOTD as it was before commit a1099ed:
upstream has (accidentally) switched it to 0 in release 2019.77,
but reverted back in release 2020.79.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Pass a default --up and --down executable to each started OpenVPN instance
which triggers /etc/hotplug.d/openvpn/ scripts whenever an instance
goes up or down.
User-configured up and down scripts are invoked by the default shipped
01-user hotplug handler to ensure that existing setups continue to work
as before.
As a consequence of this change, the up, down and script_security OpenVPN
options are removed from the option file, since we're always passing them
via the command line, they do not need to get included into the generated
configuration.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[reword commit message, move hotplug executable to /usr/libexec]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
IPKG_INSTROOT is only set under image builder and we won't be running
this script at build time either, so remove the reference before it gets
cargo-culted into other scripts.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
The folder for the uci-defaults file of this package is wrong, so
the file most probably has not been executed at all for several
years at least.
Fix the folder and remove the useless shebang for the file.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
d13290b Fix advertised IPv6 addresses
Don't just serve link-local addresses via mdns, offer all.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Also ensure that the error message is actually printed to stderr and that
the rule generation is aborted if an interface cannot be resolved.
Ref: https://github.com/openwrt/luci/issues/3975
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
crypto_bignum_rand() use needless time-consuming filtering
which resulted in SAE no longer connecting within time limits.
Import fixes from hostap upstream to fix that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Running your firewall's "wan" zone in REJECT zone (1) exposes the
presence of the router, (2) depending on the sophistication of
fingerprinting tools might identify the OS and release running on
the firewall which then identifies known vulnerabilities with it
and (3) perhaps most importantly of all, your firewall can be
used in a DDoS reflection attack with spoofed traffic generating
ICMP Unreachables or TCP RST's to overwhelm a victim or saturate
his link.
This rule, when enabled, allows traceroute to work even when the
default input policy of the firewall for the wan zone has been
set to DROP.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
