Jo-Philipp Wich [Tue, 13 Dec 2016 23:44:22 +0000 (00:44 +0100)]
firewall3: drop support for automatic NOTRACK rules
Update to current HEAD in order to drop automatic generation of per-zone
NOTRACK rules.
The NOTRACK rules used to provide a little performance improvement but the
later introduction of the netfilter conntrack cache made those rules largely
unnecessary. Additionally, those rules caused various issues which broke
stateful firewalling in some scenarios.
Hans Dedecker [Thu, 17 Nov 2016 12:34:34 +0000 (13:34 +0100)]
odhcpd: Fix dnsmasq re-reading hostfile
Depending on the dhcp uci config pidof dnsmasq can return
multiple pids. Fix re-reading of the hostfile by dnsmasq in
such case by sending SIGHUP signal to each of the returned
pids.
Track upstream changes, incl changes in packet overhead accounting
(automatically taking care of linux' packet sizing knowledge),
improvements to triple isolated DRR handling (new flow dominance),
statistics tweak & allow more packet drops in stressed conditions.
Under tests this has significantly improved latency control under
'many flows to one' scenarious as is typical of bittorrent and MS
Windows update.
I also restored 'DSCP washing' functionality in my repo which follows
upstream closely (like a hawk!) with tc keywords 'wash/nowash'. This
allows cake to limit/control packets in bands determined by a packet's
DSCP but to clear those DSCP bits on qdisc egress. This functionality
was originally removed as part of an attempt to push cake into the
kernel, which hasn't actually happened as yet.
A matching commit is required to iproute2/tc to support the new overhead
handling, keyword changes as well as the 'wash/nowash' tweak.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Magnus Kroken [Sat, 10 Dec 2016 11:02:03 +0000 (12:02 +0100)]
openvpn: quote parameters to --push in openvpn config file
OpenVPN requires arguments to --push to be enclosed in double quotes.
One set of quotes is stripped when the UCI config is parsed.
Change append_params() of openvpn.init to enclose push parameters in
double quotes.
Unquoted push parameters do not cause errors in OpenVPN 2.3,
but OpenVPN 2.4 fails to start with unquoted push parameters.
Fixes: FS#290. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Felix Fietkau [Thu, 8 Dec 2016 20:46:15 +0000 (21:46 +0100)]
ar71xx: remove AP83 reference design board support
This board is very old and unlikely to still be relevant today. Support
for it contains a significant amount of device specific baggage which is
worth getting rid of.
There are many targets using user space scripts to generate firmware but
bcm53xx doesn't need this, so let's disable that kernel option.
This lets us avoid some scary-looking kernel warnings like:
brcmfmac 0001:04:00.0: Falling back to user helper
firmware brcm!brcmfmac43602-pcie.txt: firmware_loading_store: map pages failed
lantiq: remove "init" kernel command line parameter from bootargs
/etc/preinit has been the default init-script for a very long time (at
least since Linux 2.6.30 in OpenWrt). Remove the kernel command line
"init" parameter to get rid of duplicate and inconsistent definitions
of this parameter (some boards, like FRITZ3370 for example did not use
it at all, while it's just copy and paste on others).
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
lantiq: specify console using stdout-path instead of cmdline argument
Use devicetree's /chosen/stdout-path instead of the kernel command line
(embedded in the .dts-files) to specify the serial console. Using the
chosen node is recommended on devicetree based platforms.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Piotr Dymacz [Fri, 2 Dec 2016 21:42:41 +0000 (22:42 +0100)]
ar71xx: add support for YunCore SR3200 and XD3200
YunCore SR3200 is a dual-band AC1200 router, based on Qualcomm/Atheros
QCA9563+QCA9882+QCA8337N.
YunCore XD3200 (FCC ID: 2ADUG-XD3200) is a dual-band AC1200 ceiling mount
AP with PoE support, based on Qualcomm/Atheros QCA9563+QCA9882+QCA8334.
Common specification:
- 775/650/258 MHz (CPU/DDR/AHB)
- 128 MB or RAM (DDR2)
- 16 MB of FLASH (SPI NOR)
- 2T2R 2.4 GHz, with ext. PA (SKY65174-21), up to 30 dBm
- 2T2R 5 GHz, with ext. PA (SKY85405-11) and LNA (SKY85601-11), up to 30 dBm
SR3200 specification:
- 5x 10/100/1000 Mbps Ethernet
- 6x ext. RP-SMA antennas (actually, only 4 are connected with radio chips)
- 3x LED (+ 5x LED in RJ45 sockets), 1x button
- UART header on PCB
XD3200 specification:
- 2x 10/100/1000 Mbps Ethernet, with 802.3at PoE support (WAN port)
- 4x internal antennas
- 3 sets of LEDs on external PCB (+ 2x LED near RJ45 sockets), 1x button
- UART and JTAG (custom 6-pin, 2 mm pitch) headers on PCB
LED for 5 GHz WLAN is currently not supported on both devices as it is
connected directly to the QCA9882 radio chip.
Flash instruction under vendor firmware, using telnet/SSH:
1. If your firmware does not have root password, go to point 5
2. Connect PC with 192.168.1.x address to LAN or WAN port
3. Power up device, enter failsafe mode with button (no LED indicator!)
4. Change root password and reboot (mount_root, passwd ..., reboot -f)
5. Upload lede-ar71xx-...-sysupgrade.bin to /tmp using SCP
6. Connect PC with 192.168.188.x address to LAN port, SSH to 192.168.188.253
7. Invoke:
- cd /tmp
- fw_setenv bootcmd "bootm 0x9fe80000 || bootm 0x9f050000"
- mtd -e firmware -r write lede-ar71xx-...-sysupgrade.bin firmware
Julian Labus [Thu, 8 Dec 2016 16:13:09 +0000 (17:13 +0100)]
base-files: Changed UCI variable name for GPIO value from 'default' to 'value'
This changes the UCI variable for the GPIO value from system.$cfg.default back
to system.$cfg.value as it was before the change from uci-defaults [1] to board.d.
/etc/init.d/gpio_switch [2] still expects the value to be in system.$cfg.value.
Jo-Philipp Wich [Mon, 5 Dec 2016 15:44:13 +0000 (16:44 +0100)]
build: support adding version code to file names (FS#323)
Now that the VERSION_NUMBER variable holds the human friendly name and not
the commit ID anymore, we need to support adding the revision ID as well.
Introduce a new config variable CONFIG_VERSION_CODE_FILENAMES which, if set,
causes the resulting file names to contain a commit ID designation as printed
by scripts/getver.sh.
Also sanitize the input variables to ensure that the resulting strings are
lowercased and no not contain spaces.
Mathias Kresin [Mon, 5 Dec 2016 08:21:29 +0000 (09:21 +0100)]
lantiq: simplify ath9k eeprom extraction script
Add an extra function to patch the mac and fixup the checksum
afterwards. Calculate the checksum position automatically. The offset
to the mac address is the same for all checksum protected EEPROMs.
No EEPROM requires a byte swapped mac address. The mac byte swap code
was required due to an bug in the script that is now fixed.
lantiq: fix ath9k EEPROM data swapping for some devices
The EEPROM data in the flash of the ARV7518PW, ARV8539PW22,
BTHOMEHUBV2B and BTHOMEHUBV3A is stored byte-swapped (swab16), meaning
that for example the ath9k base_eep_header fields "version" (high and
low byte), "opCapFlags" and "eepMisc" are swapped (the latter ones are
just 1 byte wide, thus their position is swapped).
The old "ath,eep-endian" property enabled the corresponding swapping
logic in the ath9k driver (swab16 in ath9k_hw_nvram_swap_data, which is
based on the magic bytes in the EEPROM data which have nothing to do
with the calibration data - thus this logic should not be used
anymore).
Since we have switched to the upstream ath9k devicetree bindings there
is no binding anymore which enables swab16 in ath9k (as this logic is
not recommended anymore as explained above), leading to ath9k
initialization errors:
ath: phy0: Bad EEPROM VER 0x0001 or REV 0x00e0
(this shows that the version field is swapped, expected values are VER
0x000E and REV 0x0001)
Swapping the ath9k calibration data when extracting it from the flash
fixes the devices listed above (all other devices do not require
additional swapping, since the position of the fields is already as
expected by ath9k). This allows ath9k to read the version correctly
again, as well as the more important "eepmisc" field (which is used for
determining whether the data inside the EEPROM is Big or Little Endian
which is required to parse the EEPROM contents correctly).
Fixes: a20616863d3 ("lantiq: use ath9k device tree bindings
binding/owl-loader")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Arjen de Korte [Mon, 5 Dec 2016 11:53:16 +0000 (12:53 +0100)]
dnsmasq: Fix splitting hostid for DHCPv6 static leases
Correct splitting the 32-bit 'hostid' value to two 16-bit hexadecimal
values. Previously, the lower 16-bit value was truncated to an 8-bit
value, which would result in hostid values 100 and 200 both to be set
to [::0:0] instead of [::0:100] and [::0:200] respectively.
Signed-off-by: Arjen de Korte <build+lede@de-korte.org>
Utilize the existing git download logic from include/download.mk and migrate
the kernel download over to it. This avoids repeatedly cloning kernel sources
after a make target/linux/clean for instance.
include/download.mk: Allow specify DownloadMethod specific options
This is going to be used to migrate the hand rolled git clone for the kernel
into using the git download method. The kernel uses custom options that we may
have to pass down.
Felix Fietkau [Tue, 29 Nov 2016 10:59:48 +0000 (11:59 +0100)]
ramips: prevent packet forwarding on mt7620 between switch ports during init (FS#103)
By default, forwarding between all ports is allowed on init. This is
problematic in cases where some ports are supposed to be isolated from
each other, most commonly LAN/WAN separation.
REG_ESW_PORT_PCR(port) has a destination mask for a particular port,
controlling what other ports it is allowed to send packets to.
Instead of initializing all to 0xff (all ports), allow each physical
port to send to the CPU port, and the CPU port to send to all other
ports.
This fixes the partition name for the firmware splitter, the cfi
address and adds the mtd-eeprom address for wmac. It adds additional
LEDs and make use of them in diag.sh and 01_leds.
Please note that the ":blue:wired" LED is used because the
":blue:router" behaviour is unpredictable for failsafe indication. The
issue with the router LED is that you have two states only.
"off" is steady on and "on" blinks. Therefore the wired LED is more
suitable.
Furthermore it reuses the correct switch configuration definition to
reflect the device ports and numbering. Additionally fixes the issue
that the default configuration is not applied as no port 6 exists on
this device.
Signed-off-by: Tobias Wolf <github-NTEO@vplace.de>
sysupgrade command fails due to missing U-Boot environment-processing
binaries on sysupgrade ramdisk. The missing binaries result in the
following output:
Switching to ramdisk...
Performing system upgrade...
ash: /usr/sbin/fw_printenv: not found
ash: fw_setenv: not found
ash: touch: not found
cannot find target partition
Mathias Kresin [Thu, 1 Dec 2016 07:57:25 +0000 (08:57 +0100)]
mvebu: fix image validation error
The name from the Device define will be used in the metadata. Due to
typo/different spelling, this name might not match the one exported in
/lib/mvebu.sh.
Hauke Mehrtens [Sat, 3 Dec 2016 20:33:48 +0000 (21:33 +0100)]
cyassl: update to wolfssl version 3.9.10
This fixes the following security problems:
CVE-2016-7440: Software AES table lookups do not properly consider cache-bank access times
CVE-2016-7439: Software RSA does not properly consider cache-bank monitoring
CVE-2016-7438: Software ECC does not properly consider cache-bank monitoring
SWEET32 Attack
Hauke Mehrtens [Sat, 3 Dec 2016 15:07:47 +0000 (16:07 +0100)]
curl: update to version 7.51.0
This fixes the following security problems:
CVE-2016-8615: cookie injection for other servers
CVE-2016-8616: case insensitive password comparison
CVE-2016-8617: OOB write via unchecked multiplication
CVE-2016-8618: double-free in curl_maprintf
CVE-2016-8619: double-free in krb5 code
CVE-2016-8620: glob parser write/read out of bounds
CVE-2016-8621: curl_getdate read out of bounds
CVE-2016-8622: URL unescape heap overflow via integer truncation
CVE-2016-8623: Use-after-free via shared cookies
CVE-2016-8624: invalid URL parsing with '#'
CVE-2016-8625: IDNA 2003 makes curl use wrong host
Jo-Philipp Wich [Fri, 2 Dec 2016 11:07:19 +0000 (12:07 +0100)]
scripts: getver.sh: append Git short hash to revision
Change getver.sh to append a short Git commit hash to the end of the artifical
revision number. This way we still have order- and comparable commit numbers
but also a direct relation to the Git commit.
The new output format will look like "r2400+2-882472e" for dirty trees or like
"r2402-882472e" for clean ones.
Jo-Philipp Wich [Thu, 1 Dec 2016 16:40:43 +0000 (17:40 +0100)]
build: adjust version number handling
Move the revision info to the VERSION_CODE variable and default VERSION_NUMBER
to CURRENT for master branch builds.
Also introduce a new menuconfig option CONFIG_VERSION_CODE which allows users
to override the revision value put into VERSION_CODE and adjust the template
files used by the base-files package to accomodate for the changed semantics.
While we're at it, also adjust the various URLs to match the current web site.
After this commit, the relevent files will look like the examples given below:
projects / thirdparty / openwrt.git / log
