| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| |
|
|
|
|
| |
this takes an effect only if getusershell(3) is missing
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
|
| |
|
|
|
|
| |
fixes 65256aee
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms.
A future deprecation notice of ssh-rsa (2048-bit) has been issued. [1]
It has no place in a potentially internet-facing daemon like dropbear.
Upstream has acknowledged this and offered this solution to disable
these two until this is made to be the default in the next release
of dropbear next year. [2]
1. https://www.openssh.com/txt/release-8.2
2. https://github.com/mkj/dropbear/issues/138
Signed-off-by: John Audia <therealgraysky@proton.me>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
- "default n" is not needed: options are not selected by default
- wrap config on 80 characters width (assuming tab is 8 characters long)
- add feature cost size and security notes for DROPBEAR_AGENTFORWARD
and DROPBEAR_DBCLIENT_AGENTFORWARD:
describe why and where it should be disabled
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
|
| |
|
|
|
|
| |
improves b78aae79
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
- switch DB_OPT_COMMON and DB_OPT_CONFIG to comma-separated lists:
this allows to have values with "|" in DB_OPT_COMMON and DB_OPT_CONFIG
which is more likely to be than values with commas;
use $(comma) variable for values with commas.
- sort DB_OPT_COMMON and DB_OPT_CONFIG to have "overrides" on top of list.
- allow DB_OPT_COMMON to have values with commas.
- allow to replace multiline definitions in sysoptions.h.
improves e1bd9645
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
critical fixes:
- libtommath: possible integer overflow (CVE-2023-36328)
- implement Strict KEX mode (CVE-2023-48795)
various fixes:
- fix DROPBEAR_DSS and DROPBEAR_RSA config options
- y2038 issues
- remove SO_LINGER socket option
- make banner reading failure non-fatal
- fix "noremotetcp" behavior
- don't try to shutdown a pty
- fix test for multiuser kernels
adds new features:
- option to bind to interface
- allow inetd with non-syslog
- ignore unsupported command line options with dropbearkey
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
- update dropbear to latest stable 2022.83;
for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- drop patches:
- 001-fix-MAX_UNAUTH_CLIENTS-regression.patch
- rework patches:
- 901-bundled-libs-cflags.patch
- refresh remaining patches
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
|
| |
|
|
|
|
| |
allow EDP support if compiled and add force EDP option
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
|
| |
|
|
|
|
| |
prevent SNMP options being passed unless lldpd supports them
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
|
| |
|
|
|
|
| |
increment Makefile package release to reflect changes to init script
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
|
| |
|
|
|
|
| |
add option to set LLDP transmit delay, hold timers to set update frequency
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
|
| |
|
|
|
|
| |
add option to override system platform instead of using kernel name
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
|
| |
|
|
|
|
| |
add option to force SONMP to be enabled even when no peer detected
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
|
| |
|
|
|
|
| |
add option to force FDP when no peers detected
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
|
| |
|
|
|
|
| |
add option to specify CDPv1 or CDPv2 and separately enable or force each
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
|
| |
|
|
|
|
| |
add option to allow LLDP disabling while using other supported protocols
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
|
| |
|
|
|
|
| |
add option portidsubtype to correct port identifiers and descriptions
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
|
| |
|
|
|
|
| |
add option to set agent-type to control propogation
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
|
| |
|
|
|
|
| |
add option to enable LLDP MED fast-start and set fast-start timer
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
|
| |
|
|
|
|
| |
add option to disable LLDP-MED inventory TLV transmission
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
|
| |
|
|
|
|
| |
add option to disable advertising kernel version
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
|
| |
|
|
|
|
| |
add filter option to init script.
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
|
| |
|
|
|
|
|
| |
Bind to the configured system interfaces only. Switchport interfaces
are no longer ignored and uci interface values for LLDPD are honored.
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
|
| |
|
|
|
|
|
|
|
| |
Init script reload with trigger to detect config file update.
Reload command added to attempt non-impactful lldpd reload where
lldpcli can be used to update config without process restart.
Config hash function used to track whether process restart is needed.
Signed-off-by: Stephen Howell <howels@allthatwemight.be>
|
| |
|
|
| |
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
| |
Useful for UI and config generators. Will be used as intermediate
step for generating the default wifi configuration
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
| |
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
| |
Bump PKG_RELEASE which should have been done by commit 7b1c3068b7
("uhttpd: restart when interface to listen becomes available").
Fixes: 7b1c3068b7 ("uhttpd: restart when interface to listen becomes available")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
| |
Currently uhttpd won't start with a listening interface configured if
the interface isn't already up at the time uhttpd starts. Make sure we
attempt to start uhttpd when it comes up.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Adds MediaTek MT7916AN and Cypress CYW43455 (Raspberry Pi 5) devices.
a34977c devices: add device id for Cypress CYW43455
3eb34df devices: add device id for MediaTek MT7916AN
There are no ABI changes.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
When wpa_psk_file is used, there is a chance that no PSK is set. This means
that the FT key will be generated using only the mobility domain which
could be considered a security vulnerability but only for a very specific
and niche config.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
|
| |
|
|
|
|
|
|
| |
When using WPA3-SAE or WPA2/WPA3 Personal Mixed, we can not use
ft_psk_generate_local because it will break FT for SAE. Instead
use the r0kh and r1kh configuration approach.
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
802.11r can not be used when selecting WPA. It needs at least WPA2.
This is because 802.11r advertises FT support in-part through the
Authentication and Key Management (AKM) suites in the Robust
Security Network (RSN) Information Element, which was included in
the 802.11i amendment and WPA2 certification program.
Pre-standard WPA did not include the RSN IE, but the WPA IE.
This IE can not advertise the AKM suite for FT.
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
|
| |
|
|
|
|
| |
Leftover from authsae, which was removed a long time ago
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Release Notes:
https://lwn.net/Articles/957171/
Remove patch "100-configure.patch" because support for ATM was dropped [0].
Manually refresh:
- 200-drop_libbsd_dependency.patch
Automatic refresh:
- 130-no_netem_tipc_dcb_man_vdpa.patch
- 140-keep_libmnl_optional.patch
- 145-keep_libelf_optional.patch
- 150-keep_libcap_optional.patch
- 155-keep_tirpc_optional.patch
- 190-fix-nls-rpath-link.patch
- 300-selinux-configurable.patch
[0] - https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=a66a73af6db74fdb64439316c69aa0e35dd02c47
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
|
|
| |
Use a single jsonfilter expression to yield the list of logical wireguard
interface names in shell compatible notation.
Supersedes: #12344
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
|
|
| |
[Upstream Backport]
The range for the 5 GHz channel 118 was encoded with an incorrect
channel number.
Fixes: ed8e13decc71 (ACS: Extract bw40/80/160 freqs out of acs_usable_bwXXX_chan())
Signed-off-by: Michael Lee <michael-cy.lee@mediatek.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
|
| |
|
|
|
|
|
| |
c3488b8 uqmi: cancel all requests on SYNC indication reception
dfa612e uqmi: improve response detection
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
| |
Make the call deferred instead of blocking to avoid deadlock issues
Fixes: 3df9322771cc ("hostapd: make ubus calls to wpa_supplicant asynchronous")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
| |
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
| |
This reverts commit b7f9742da82fa9b122e8d63e48a9a5c0dec298f2.
There are several reports of regressions with this commit. Will be added
back once I've figured out and fixed the cause
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
| |
Only tell netifd about vifs when the setup is complete and hostapd +
wpa_supplicant have been notified
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
| |
This fixes a deadlock issue where depending on the setup order, hostapd and
wpa_supplicant could end up waiting for each other
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
|
|
| |
Modems which are using qmi do not reply on the 1st sync but they do
on subsequent. Sometimes uqmi is hanging - even when using an early
dummy access to unlock the modem. To always guarantee a proper
initialisation, running or hanging uqmi processes must be stopped
before. All uqmi calls have now a timeout option -t to avoid hanging.
Signed-off-by: Uwe Niethammer <uwe@dr-niethammer.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use postinst script to reload service instead of uci-defaults hack. It's
possible thanks to recent base-files change that executes postinst after
uci-defaults.
This fixes support for uhttpd customizations. It's possible (again) to
adjust uhttpd config with custom uci-defaults before it gets started.
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Fixes: d25d281fd668 ("uhttpd: Reload config after uhttpd-mod-ubus was added")
Ref: b799dd3c705d ("base-files: execute package's "postinst" after executing uci-defaults")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
|
| |
|
|
|
|
| |
Fixes a race condition that can lead to a hostapd crash
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
| |
4219e99eeec7 system-linux: fix race condition in netlink socket error handing
f01345ec13b9 device: restore cleared flags on device down
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
|
|
|
| |
Increasing the receive window size improves throughout on higher-latency
links such as WAN connections. The current default of 24KB caps out at
around 500 KB/s.
Increasing the receive buffer to 256KB increases the throughput to at
least 11 MB/s.
Signed-off-by: David Bauer <mail@david-bauer.net>
|
| |
|
|
|
|
| |
a2d32f0dcf16 Revert "system-linux: set pending to 0 on ifindex found or error for if_get_master"
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|