a4355a6 firewall3: clean up the flow table detection logic
edd0dc5 firewall3: create a common helper to find strings in files
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This includes several improvements and fixes:
61db17e rules: fix device and chain usage for DSCP/MARK targets
7b844f4 zone: avoid duplicates in devices list
c2c72c6 firewall3: remove last remaining sprintf()
12f6f14 iptables: fix serializing multiple weekdays
00f27ab firewall3: fix duplicate defaults section detection
e8f2d8f ipsets: allow blank/commented lines with loadfile
8c2f9fa fw3: zones: limit zone names to 11 bytes
78d52a2 options: fix parsing of boolean attributes
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Moved to packages repo because it was considered
non-essential for most router configurations.
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
[shorten commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Now that ujail supports seccomp also on Aarch64, add missing syscall
'fstat' to the list of allowed syscalls.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This change was investigated previously [1] but not deemed necessary. With
the recent addition [2] of modern BPF loader support, however, tc gained
dependencies on libelf and libbpf, with a larger installation footprint.
Similar to ip-tiny/ip-full, split tc into tc-full and tc-tiny variants,
where the latter excludes the eBPF loader, uses a smaller executable, and
avoids libelf and libbpf package dependencies. Both variants provide the
'tc' virtual package, with tc-tiny as the default.
The previous tc package included a loadable module for iptables actions.
Separate this out into a common package, tc-mod-iptables, which both
variants depend on. Some package sizes on mips_24kc:
Before:
148343 tc_5.11.0-1_mips_24kc.ipk
After:
144833 tc-full_5.11.0-2_mips_24kc.ipk
138430 tc-tiny_5.11.0-2_mips_24kc.ipk (and no libelf or libbpf)
4115 tc-mod-iptables_5.11.0-2_mips_24kc.ipk
Also fix up some Makefile indentation.
[1] https://github.com/openwrt/openwrt/pull/1627#issuecomment-447619962
[2] b048a305a3 ("iproute2: update to 5.11.0")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
The link equalizer sch_teql.ko of package kmod-sched relies on a hotplug
script historically included in iproute2's tc package. In previous
discussion [1], consensus was the hotplug script is best located together
with the module in kmod-sched, but this change was deferred at the time.
Relocate the hotplug script now. This change also simplifies adding a tc
variant for minimal size with reduced functionality.
[1] https://github.com/openwrt/openwrt/pull/1627#issuecomment-447923636
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
This patch has been submitted upstream to fix an error reported by a few
users. One instance seen using gcc 10.2.0, binutils 2.35.1 and musl 1.1.24:
bpf_glue.c: In function 'get_libbpf_version':
bpf_glue.c:46:11: error: 'PATH_MAX' undeclared (first use in this function);
did you mean 'AF_MAX'?
46 | char buf[PATH_MAX], *s;
| ^~~~~~~~
| AF_MAX
Reported-by: Rui Salvaterra <rsalvaterra@gmail.com>
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
If the environment variable FILTER is set before compilation,
compilation of the ppp-package will fail with the error message
Package ppp is missing dependencies for the following libraries:
libpcap.so.1
The reason is that the OpenWrt-patch for the Makefile only comments
out the line FILTER=y. Hence the pcap-library will be dynamically
linked if the environment variable FILTER is set elsewhere, which
causes compilation to fail. The fix consists on explicitly unsetting
the variable FILTER instead.
Signed-off-by: Eike Ritter <git@rittere.co.uk>
[ -d /sys/module/xfrm_interface ] is enough to check if
CONFIG_XFRM_INTERFACE support was enabled in kernel.
Signed-off-by: Alin Nastac <alin.nastac@technicolor.com>
Fix: bpftools 5.11.2 does not compile on macOS, because the -m option
was placed between src and dst. Corrected by moving -m 644 before src.
Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
The pkgconfig file hardcodes a host library directory which cannot be
overridden by OpenWrt during builds. Use SED to fix this and potential
include directory problems, as is done with several other packages.
This fixes a strange issue intermittently seen building iproute2 on the
oxnas target:
iptables modules directory: /usr/lib/iptables
libc has setns: yes
SELinux support: no
libbpf support: no
libbpf version 0.3.0 is too low, please update it to at least 0.1.0
LIBBPF_FORCE=on set, but couldn't find a usable libbpf
Fixes: 2f0d672088 ("bpftools: add utility and library packages
supporting eBPF usage")
Reported-by: Russell Senior <russell@personaltelco.net>
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
This will use the new application led trigger backend. For now this is
the only package that uses leds trigger in user space to configure the
kernel led triggers.
The callback script only emmits a message for now, so that this LED is now
managed by the rssileds service. Until now a generic warning was emitted that
this LED trigger is not supported. But that is not true.
-> Skipping trigger 'rssileds' for led '<name>' due to missing kernel module
I think this callback should be changed in the future to restart the
service.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Compile and run-tested on malta/mip32be, using bpftool directly and also
libbpf (linked with tc) to inspect and load simple eBPF programs.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
The latest iproute2 version brings various improvements and fixes:
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/?qt=range&q=v5.10.0..v5.11.0
In particular, ip and tc now use libbpf as the standard way to load BPF
programs, rather than the old, limited custom loader. This allows more
consistent and featureful BPF program handling e.g. support for global
initialized variables.
Also fix a longstanding problem with iproute2 builds where unneeded DSO
dependencies are added to most utilities, bloating their installation
footprint. From research and testing, explicitly using a "--as-needed"
linker flag avoids the issue. Update accordingly and drop extra package
dependencies from Makefile.
Additional build and packaging updates include:
- install missing development header to iproute2/bpf_elf.h
- propagate OpenWrt verbose flag during build
- update and refresh patches
Compile and run tested: QEMU/malta-mips32be on kernels 5.4 & 5.10.
All iproute2 packages were built and installed to the test image. Some
regression testing using ip-full and tc was successfully performed to
exercise several kmods, tc modules, and simple BPF programs.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Changes:
- Remove custom Build/Compile because it's no longer needed
- Remove std=gnu99 which is added automaticaly by igmpproxy if needed
- Remove -Dlog from CFLAGS because igmpproxy doesn't have log function
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
To the vast majority of the users, wireguard-tools are not useful
without the underlying kernel module. The cornercase of only generating
keys and not using the secure tunnel is something that won't be done on
an embedded OpenWrt system often. On the other hand, maintaining a
separate meta-package only for this use case introduces extra
complexity. WireGuard changes for Linux 5.10 remove the meta-package.
So let's make wireguard-tools depend on kmod-wireguard
to make WireGuard easier to use without having to install multiple
packages.
Fixes: ea980fb9 ("wireguard: bump to 20191226")
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
After the ABI version rework, packages need to be declared in the order of
their dependencies, so that dependent packages will use the right ABI version
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Tianling Shen <cnsztl@project-openwrt.eu.org>
Multiple sources are hosted on OpenWrts source server only. The source
URLs to point to the server vary based on different epochs in OpenWrts
history.
Replace all by @OPENWRT which is an "empty" mirror, therefore using the
fallback servers sources.cdn.openwrt.org and sources.openwrt.org.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Abort the dhcp-check based on the interface instead of the carrier
state. In cases where the interface is up but the carrier is down,
netifd won't cause a dnsmasq reload, thus dhcp won't become active
on this interface.
Signed-off-by: David Bauer <mail@david-bauer.net>
Use the latest stable kernel since the previous 5.8.x series is EOL.
Also drop the following patches recently accepted upstream:
* 001-libbpf-ensure-no-local-symbols-counted-in-ABI-check.patch
* 002-libbpf-fix-build-failure-from-uninitialized-variable.patch
* 003-bpftool-allow-passing-BPFTOOL_VERSION-to-make.patch
* 004-v5.9-bpftool-use-only-ftw-for-file-tree-parsing.patch
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
dnsmasq v2.83 has a bug in handling duplicate queries which means it may
try to reply using the incorrect network socket. This is especially
noticeable in dual stack environments where replies may be mis-directed to
IPv4 addresses on an IPv6 socket or IPv6 addresses on an IPv4 socket.
This results in system log spam such as:
dnsmasq[16020]: failed to send packet: Network unreachable
dnsmasq[16020]: failed to send packet: Address family not supported by protocol
dnsmasq v2.84test3 resolves these issues.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This is a helpful utility, but it does not have any dependencies
in this repository. Move it to packages feed.
The package does not seem to have a maintainer.
Cc: Jo-Philipp Wich <jo@mein.io>
Cc: Nick Hainke <vincent@systemli.org>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This is a helpful utility, but it does not have any dependencies
in this repository. Move it to packages feed.
Cc: Jo-Philipp Wich <jo@mein.io>
Cc: Nick Hainke <vincent@systemli.org>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This package is not needed in base. It will be imported in the packages
feed.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: CN_SZTL <cnsztl@project-openwrt.eu.org>
This package is not needed in base. It will be imported in the packages
feed.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: CN_SZTL <cnsztl@project-openwrt.eu.org>
This fixes the following security problems in dnsmasq:
* CVE-2020-25681:
Dnsmasq versions before 2.83 is susceptible to a heap-based buffer
overflow in sort_rrset() when DNSSEC is used. This can allow a remote
attacker to write arbitrary data into target device's memory that can
lead to memory corruption and other unexpected behaviors on the target
device.
* CVE-2020-25682:
Dnsmasq versions before 2.83 is susceptible to buffer overflow in
extract_name() function due to missing length check, when DNSSEC is
enabled. This can allow a remote attacker to cause memory corruption
on the target device.
* CVE-2020-25683:
Dnsmasq version before 2.83 is susceptible to a heap-based buffer
overflow when DNSSEC is enabled. A remote attacker, who can create
valid DNS replies, could use this flaw to cause an overflow in a heap-
allocated memory. This flaw is caused by the lack of length checks in
rtc1035.c:extract_name(), which could be abused to make the code
execute memcpy() with a negative size in get_rdata() and cause a crash
in Dnsmasq, resulting in a Denial of Service.
* CVE-2020-25684:
A lack of proper address/port check implemented in Dnsmasq version <
2.83 reply_query function makes forging replies easier to an off-path
attacker.
* CVE-2020-25685:
A lack of query resource name (RRNAME) checks implemented in Dnsmasq's
versions before 2.83 reply_query function allows remote attackers to
spoof DNS traffic that can lead to DNS cache poisoning.
* CVE-2020-25686:
Multiple DNS query requests for the same resource name (RRNAME) by
Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS
traffic, using a birthday attack (RFC 5452), that can lead to DNS
cache poisoning.
* CVE-2020-25687:
Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer
overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A
remote attacker, who can create valid DNS replies, could use this flaw
to cause an overflow in a heap-allocated memory. This flaw is caused
by the lack of length checks in rtc1035.c:extract_name(), which could
be abused to make the code execute memcpy() with a negative size in
sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of
Service.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: CN_SZTL <cnsztl@project-openwrt.eu.org>
The "cidr_contains6" functions clones the given cidr. The contains4
does not clone the cidr. Both functions do not behave the same.
I see no reason to push the cidr. I think that we get only a negligible
performance gain, but it makes ipv4 and ipv6 equal again.
Signed-off-by: Nick Hainke <vincent@systemli.org>
The cidr_parse6 function parses a string to an ipv6-address.
The cidr struct contains a union called buf for the ipv4 and ipv6
address. Since it is a char pointer and the struct is initialized with
the maximum size (so ipv6 string) it does not make any difference.
However, we should access the buffer using the v6 name, since it could
be confusing otherwise.
Signed-off-by: Nick Hainke <vincent@systemli.org>
This patch was already applied upstream and not needed here.
Fixes: 06403981e1 ("ppp: update to version 2.4.7.git-2019-05-06")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
By setting 'auto', the zero address or the empty string as source
address (option ipaddr, option ip6addr), vxlan will choose one
dynamically. This helps in setups where a wan ip or prefix changes.
This corresponse to setting up an vxlan tunnel with:
proto vxlan6:
# ip link add vx0 type vxlan id ID local :: ...
proto vxlan:
# ip link add vx0 type vxlan id ID local 0.0.0.0 ...
While it is possible to not specify a source ip at all, the kernel will
default to setting up a ipv4 tunnel. The kernel will take any hint from
source and peer ips to figure out, what tunnel type to use. To make sure
we setup an ipv6 tunnel for proto vxlan6, this workaround is needed.
This will not change the behaviour of currently working configurations.
However this will allow former broken configurations, namely those not
specifying both a source address and tunnel interface, to setup a
tunnel interface. Previously those configurations weren't reporting an
error and were stueck in a setup loop like in Bug FS#3426.
This change lifts the currently very strict behaviour and should fix the
following bug:
Fixes: FS#3426
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=3426
Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
