path: root/net
Commit message (Author, Age)
* bonding: accept list of slaves in uci list notation (Jo-Philipp Wich, 2021-04-09)
|   Rework the bonding.sh protocol handler to accept slave interface names encoded in uci list notation. Also replace ifconfig up/down with ip link calls while we're at it.
|   Fixes: #11455
|   Fixes: https://github.com/openwrt/luci/issues/4473
|   Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Merge pull request #6924 from derekyerger/strongswan-lattice-sha3 (Philip Prindeville, 2021-04-08)
|\
| |   strongswan: add more crypto plugins
| * strongswan: add more crypto plugins (Derek Yerger, 2021-04-05)
| |   Adds modules for BLISS signature scheme, NTRU and New Hope key exchange algorithms, and dependencies ChaCha20-Poly1305 AEAD, ChaCha20 XOF, MGF1 mask generation function, SHA3 hasher SHAKE XOF, and the Number Theoretic Transform library.
| |   Signed-off-by: Derek Yerger <derek@altdevs.net>
* | Merge pull request #15353 from ja-pa/knot-resolver-5.3.1 (Josef Schlehofer, 2021-04-07)
|\ \
| | |   knot-resolver: update to version 5.3.1
| * | knot-resolver: update to version 5.3.1 (Jan Pavlinec, 2021-04-06)
| | |   Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
* | | ksmbd-tools: update to 3.3.8 (Rosen Penev, 2021-04-07)
| | |   Major changes are: disable symlink by default. remove smack inherit leftovers. Enable guest access on IPC$ share by default.
| | |   Signed-off-by: Rosen Penev <rosenp@gmail.com>
* | | ksmbd-tools: Add a mDNS TXT record for the ksmbd service (Kirill Nikolaev, 2021-04-07)
| | |   MacOS ignores Bonjour services for which TXT records are not returned. This change forces umdns service to return a TXT record (`daemon=ksmbd`) for the ksmbd service. The exact content is unimportant and to the best of my knowledge nothing reads the `daemon` tag.
| | |   Symptoms of the problem (which are also debugging steps):
| | |   * Finder refuses to open the OpenWRT "computer" in the Network list.
| | |   * Discovery.app (Bonjour Browser) lists the _ssh._tcp service, but the submenu for it doesn't unfold and no address is shown.
| | |   * `dns-sd -L OpenWrt _smb._tcp` doesn't return any address.
| | |   Signed-off-by: Kirill Nikolaev <cyril7@gmail.com>
* | | ooniprobe: update to version 3.9.0 (Jan Pavlinec, 2021-04-07)
| | |   Remove getrescources call because it is no longer required.
| | |   Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
* | | mosquitto: bump to 2.0.10 (Karl Palsson, 2021-04-06)
| | |   This is a security fix, affecting 2.0.0 through to 2.0.9. Mosquitto instances could be remotely DoS'd by authenticated clients.
| | |   Release notes at: https://github.com/eclipse/mosquitto/blob/v2.0.10/ChangeLog.txt
| | |   CVE number has not yet been assigned.
| | |   Signed-off-by: Karl Palsson <karlp@etactica.com>
* | | haproxy: Update HAProxy to v2.2.13 (Christian Lachner, 2021-04-06)
|/ /
| |   - Update haproxy download URL and hash
| |   Signed-off-by: Christian Lachner <gladiac@gmail.com>
* | Merge pull request #15337 from SvenRoederer/xinetd-include (Florian Eckert, 2021-04-06)
|\ \
| | |   xinetd: honor ${IPKG_INSTROOT} when sourcing /lib/functions.sh
| * | xinetd: honor ${IPKG_INSTROOT} when sourcing /lib/functions.sh (Sven Roederer, 2021-04-04)
| | |   Avoid "file not found"-error when embedding via Imagebuilder.
| | |   Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
* | | strongswan: bump to 5.9.2 (Philip Prindeville, 2021-04-05)
| | |   Retire weak algorithms like MD5 and 3DES.
| | |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | | strongswan: force PIC on all builds (Philip Prindeville, 2021-04-05)
| | |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | | uacme: add retries (Leonardo Mörlein, 2021-04-04)
| | |   Prior to this commit, the acme service attempted to obtain certificates once and then terminated, regardless of whether the certificate could be obtained or not. This commit introduces a new uci option "retries" to the "certificate" section. If this option is set to N, the acme service will attempt to obtain the certificate up to N times before terminating. There is a waiting pause between the retries to comply with the rate limits of Let's Encrypt.
| | |   The waiting pause is:
| | |   - 2 minutes for staging certificates
| | |   - 24 minutes for production certificates
| | |   The current "Failed Validation" rate limits of Let's Encrypt are:
| | |   - staging: 60 per hour -> 1 failure every 1 minute in avg.
| | |   - production: 5 per hour -> 1 failure every 12 minutes in avg.
| | |   This means that we are within rate limits by a factor of two. By default the option "retries" is set to "1", which means that acme behaves as before by default. If the variable is set to "0", infinite retries are performed. This feature is helpful when you already want to initiate the certificate request, but you are still waiting for your dns server to be configured, your network to appear or other conditions.
| | |   Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
* | | uacme: propagate rc of uacme in issue_cert() (Leonardo Mörlein, 2021-04-04)
| | |   Before this commit, issue_cert always returned 1 no matter if uacme returned 1, 2, 3, ... With this commit, the return code of the uacme binary is propagated. Therefore the caller of issue_cert can differentiate between "no renew necessary" and "an error occurred".
| | |   Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
* | | uacme: allow including run-uacme (Leonardo Mörlein, 2021-04-04)
| | |   With this commit, the run-acme script can be included into other scripts by setting INLCUDE_ONLY=1.
| | |   Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
* | | jool: Update to 4.1.5 (Ondřej Caletka, 2021-04-04)
| | |   Compile and run tested on: mvebu (Turris Omnia)
| | |   Signed-off-by: Ondřej Caletka <ondrej@caletka.cz>
* | | strongswan: migrate to swanctl configs (Philip Prindeville, 2021-04-04)
| | |   Derived from the ipsec initd script, with the following changes: (1) various code improvements, corrections (get rid of left/right updown scripts, since there's only one), etc; (2) add reauth and fragmentation parameters; (3) add x.509 certificate-based authentication; and other minor changes.
| | |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | | Merge pull request #15339 from pprindeville/strongswan-reset-ipsec.conf (Philip Prindeville, 2021-04-03)
|\ \ \
| | | |   strongswan: remove synthesized ipsec conf files
| * | | strongswan: remove synthesized ipsec conf files (Philip Prindeville, 2021-04-01)
| | | |   If you shut down ipsec service, and it doesn't clean up /var/ipsec/ipsec.conf, then when you start swanctl service it might see an incompatible file on startup. Remedy is to remove unneeded files when shutting down the service. They can always be regenerated when the service starts again.
| | | |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | | | Merge pull request #15330 from 1715173329/xray (Rosen Penev, 2021-04-03)
|\ \ \ \
| | | | |   xray-core: Update to 1.4.2
| * | | | xray-core: Update to 1.4.2 (Tianling Shen, 2021-04-02)
| | | | |   Updated geodata to latest version.
| | | | |   Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
| * | | | xray-core: init: add browser dialer support (Tianling Shen, 2021-04-02)
| | |/ /
| |/| |
| | | |   Since v1.4.1, Xray has introduced a new feature to transfer data via browsers, which can disguise itself as a normal browser to cheat network censorship. For more details, see https://github.com/XTLS/Xray-core/pull/421.
| | | |   Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* | | | overture: update to 1.7 (Huangbin Zhan, 2021-04-03)
| | | |   Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
* | | | netifyd: support filter parameter (Kevin Darbyshire-Bryant, 2021-04-03)
| | | |   netifyd supports a '-F' filter option in 'bpf' notation to filter packets from its consideration. Add support for a uci 'filter' option.
| | | |   eg. filter to exclude SSDP multicasts from a particularly noisy device:
| | | |   option filter 'not (udp and dst 239.255.255.250 and dst port 1900 and src 192.168.1.5)'
| | | |   Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* | | | restic-rest-server: fix configuration option names (Anton Ryzhov, 2021-04-03)
| | | |   Signed-off-by: Anton Ryzhov <anton@ryzhov.me>
* | | | yggdrasil: bump to 0.3.16 (George Iv, 2021-04-03)
| | | |   Signed-off-by: George Iv <zhoreeq@users.noreply.github.com>
* | | | rp-pppoe: use pppoe.so instead of rp-pppoe.so (Jianhui Zhao, 2021-04-03)
| | | |   Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
* | | | nut: fix typo in nutshutdown script (Sven Roederer, 2021-04-03)
| | | |   Even if it's only cosmetic and should not affect the function of regular system, fix the name of the IPKG_INSTROOT variable. Typo was added long ago with 8400c9a6ec799.
| | | |   Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
* | | | banip: bugfix 0.7.6-2 (Dirk Brenken, 2021-04-03)
|/ / /
| | |   * fix housekeeping of external list sources
| | |   Signed-off-by: Dirk Brenken <dev@brenken.org>
* | | Merge pull request #15301 from ja-pa/git-lfs-2.13.3 (Josef Schlehofer, 2021-04-02)
|\ \ \
| |/ /
|/| |
| | |   git-lfs: update to version 2.13.3
| * | git-lfs: update to version 2.13.3 (Jan Pavlinec, 2021-03-29)
| | |   Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
* | | Merge pull request #15286 from pprindeville/strongswan-move-ipsec.secrets (Philip Prindeville, 2021-04-01)
|\ \ \
| | | |   strongswan: move ipsec conf files to subpackage
| * | | strongswan: move ipsec conf files to subpackage (Philip Prindeville, 2021-03-31)
| | | |   These config files are only used by the ipsec interface to charon, and shouldn't be part of the base package.
| | | |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | | | openvpn: fix invoking user up & down commands from hotplug wrapper (Jo-Philipp Wich, 2021-04-01)
| | | |   This commit adds a number of fixes to the OpenVPN up/down hotplug command wrapper which currently fails to actually invoke user defined up and down commands for uci configurations not using external native configurations.
| | | |   - Use the `--setenv` to pass the user configured `up` and `down` commands as `user_up` and `user_down` environment variables respectively
| | | |   - Instead of attempting to scrape the `up` and `down` settings from the (possibly generated) native OpenVPN configuration in `/etc/hotplug.d/openvpn/01-user`, read them from the respective environment variables instead
| | | |   - Fix parsing of native configuration values in `get_openvpn_option()`; first try to parse a given setting as single quoted value, then as double quoted and finally as non-quoted, potentially white-space escaped one. This ensures that `up '/bin/foo'` is interpreted as `/bin/foo` and not `'/bin/foo'`
| | | |   Ref: https://forum.openwrt.org/t/openvpn-up-down-configuration-ignored/91126
| | | |   Supersedes: #15121, #15284
| | | |   Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* | | | Merge pull request #15327 from ja-pa/curl-7.76.0 (Rosen Penev, 2021-04-01)
|\ \ \ \
| | | | |   curl: update to version 7.76.0 (security fix)
| * | | | curl: update to version 7.76.0 (Jan Pavlinec, 2021-04-01)
| | | | |   Fixes CVE-2021-22876 and CVE-2021-22890
| | | | |   Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
* | | | | tmate-ssh-server: add package (Paul Spooren, 2021-03-31)
|/ / / /
| | | |   The `tmate` tool is a fork of `tmux` which allows remote access to a device without setting up any port forwarding. This commit adds the backend server which handles connections.
| | | |   Signed-off-by: Paul Spooren <mail@aparcar.org>
* | | | xray-core: Update to 1.4.1 (Tianling Shen, 2021-03-31)
| | | |   Updated geodata to latest version.
| | | |   Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* | | | ovsd: add package (Daniel Golle, 2021-04-01)
| | | |   Add Open vSwitch configuration daemon for netifd.
| | | |   Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* | | | knot: update to version 3.0.5 (Jan Hak, 2021-03-29)
| |/ /
|/| |
| | |   Signed-off-by: Jan Hak <jan.hak@nic.cz>
* | | Merge pull request #15289 from dibdot/banip (Dirk Brenken, 2021-03-28)
|\ \ \
| | | |   banip: update to 0.7.6
| * | | banip: update to 0.7.6 (Dirk Brenken, 2021-03-28)
| | |/
| |/|
| | |   * rework the central iptables function to significantly reduce the code complexity and the overall number of iptables calls
| | |   * check early and only once in the chain for ctstate NEW and return otherwise (thanks @ldir-EDB0)
| | |   * made the whitelist ordering within the chain more flexible
| | |   Signed-off-by: Dirk Brenken <dev@brenken.org>
* / | frr: update to 7.5.1 and backports (Lucian Cristian, 2021-03-28)
|/ /
| |   Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
* / treewide: build CMake projects with Ninja (Rosen Penev, 2021-03-27)
|/
|   faster to compile. A small selection of packages was tested going from:
|   Executed in  696.30 secs    fish           external
|      usr time   82.98 mins  395.00 micros   82.98 mins
|      sys time    9.02 mins    0.00 micros    9.02 mins
|   to:
|   Executed in  592.20 secs    fish           external
|      usr time   84.84 mins  361.00 micros   84.84 mins
|      sys time    8.85 mins   57.00 micros    8.85 mins
|   Tested by running make -j 12 and wiping staging/build_dir/target_x
|   Signed-off-by: Rosen Penev <rosenp@gmail.com>
* Merge pull request #14711 from pprindeville/strongswan-make-includes-persistent (Philip Prindeville, 2021-03-26)
|\
| |   strongswan: make the include's in the .conf files persistent
| * strongswan: make the include's in the .conf files persistent (Philip Prindeville, 2021-03-26)
| |   Having scripts diddle user written config files seems potentially dangerous. Plus there's really no downside to including some empty files. Best to just make the includes be permanent. Additional feature suggested by Luiz: if a -opkg version of the config file was created unnecessarily, remove it as part of the upgrade process since changes won't be happening to that file as an artifact of the service starting. The include lines are now permanent, which means that (1) additional configuration synthesized by UCI won't be anywhere that opkg (or sysupgrade, for that matter) cares about since it won't be persistent, and (2) if changes are being made, then they're being done by a person with an editor and they really should be distinguished.
| |   Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* | Merge pull request #15276 from dibdot/banip (Dirk Brenken, 2021-03-26)
|\ \
| | |   banip: update to 0.7.5-4
| * | banip: update to 0.7.5-4 (Dirk Brenken, 2021-03-26)
| | |   * fix another IPv4/IPv6 related iptables chain creation problem
| | |   * fix counter during ipset creation
| | |   * fix regex for debug counters
| | |   * fix ipset housekeeping for local sources
| | |   Signed-off-by: Dirk Brenken <dev@brenken.org>