Felix Fietkau [Tue, 20 Feb 2018 14:58:42 +0000 (15:58 +0100)]
netfilter: add a xt_FLOWOFFLOAD target for NAT/routing offload support
This makes it possible to add an iptables rule that offloads routing/NAT
packet processing to a software fast path. This fast path is much
quicker than running packets through the regular tables/chains.
Felix Fietkau [Mon, 5 Feb 2018 12:35:24 +0000 (13:35 +0100)]
kernel: backport netfilter NAT offload support to 4.14
This only works with nftables for now, iptables support will be added
later. Includes a number of related upstream nftables improvements to
simplify backporting follow-up changes
Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Felix Fietkau <nbd@nbd.name>
Nick Hainke [Sun, 14 Jan 2018 00:26:13 +0000 (01:26 +0100)]
hostapd: return with 80211 codes in handle event function
If the auth or assoc request was denied the reason
was always WLAN_STATUS_UNSPECIFIED_FAILURE.
That's why for example the wpa supplicant was always
trying to reconnect to the AP.
Now it's possible to give reasoncodes why the auth
or assoc was denied.
Felix Fietkau [Wed, 21 Feb 2018 13:45:48 +0000 (14:45 +0100)]
ramips: fix MT7621 switch driver IRQ storm on init with linux 4.14
The hardware emits some interrupts while initializing and handling them
can mess up the state or cause infinite loops.
Fix this by disabling IRQs during init and re-enabling them afterwards
Flash instruction using sysupgrade image:
1. Connect micro-USB cable for power supply into W06 and turn on the
router
2. Connect to wifi with SSID "tama-*" with password. Complete SSID and
password are listed on the back of the router
3. Access to 192.168.1.1 and login with user name "admin" and password
empty
4. In firmware update(ファームウェア更新) page, click "参照" button
and click "ブラウザー" button to open file browser, select the
sysupgrade image and press OK button
5. Wait ~150 seconds to complete flashing
Mathias Kresin [Sat, 17 Feb 2018 08:54:57 +0000 (09:54 +0100)]
ramips: improve GnuBee Personal Cloud Two support
Use the generic board detection for the GnuBee Personal Cloud Two
instead of the target specific one as all recent additions are doing.
Fixup the pinmux to set all pins used as GPIO to the function GPIO.
Request pins where used.
Drop the i2c from the dts. There is nothing connected. While at it fix an
indentation issue and use references instead of duplicating the whole
node path.
Use the same switch config as for the GB-PC1 and drop the led trigger for
the not supported IP1001 phy connected to second rgmii.
Fixes: c60a21532bc9 ("ramips: Add support for the GnuBee Personal Cloud Two") Signed-off-by: Mathias Kresin <dev@kresin.me>
Use our custom xrx200 ethernet phy compatible to support boards, which
have switched the vr9 revision during lifetime, with a single devicetree
source file.
By switching to the dwc2 driver + usb phy framework, we don't need to used
our custom gpio power patch and can use a fixed regulator instead.
Add a custom xrx200 ethernet phy compatible to load the firmware matching
the vr9 revision without specifing an expected revision.
We have quite a few boards in the tree were later produced ones are using
a more recent vr9. It is impossible to distinguish which revision of the
vr9 is used without opening the case and removing a heatsink for some of
them.
Mathias Kresin [Mon, 8 Jan 2018 22:04:57 +0000 (23:04 +0100)]
lantiq: kernel 4.14: don't use CPU interrupt controller IPI IRQ domain support
This reverts kernel commit 1eed40043579 ("MIPS: smp-mt: Use CPU interrupt
controller IPI IRQ domain support"). With the patch applied, the kernel
hangs during boot if SMP is active.
The Lantiq IRQ controller gets registered first and it directly handles
the MIPS native SW1/2 and HW0 - HW5 IRQs. It looks like this controller
already registers IRQ 0 - 7 and the generic driver only gets the following
IRQs starting later.
The upstream discussion can be found at
https://www.linux-mips.org/archives/linux-mips/2017-05/msg00059.html.
Mathias Kresin [Tue, 2 Jan 2018 00:01:33 +0000 (01:01 +0100)]
ppp: fix build with kernel 4.14.9+
With a9772285a724 ("linux/compiler.h: Split into compiler.h and
compiler_types.h") compiler.h was refactored and most its content was
moved to compiler_types.h. Both files are required to build ppp-mod-pppoa.
Stijn Tintel [Mon, 19 Feb 2018 22:03:00 +0000 (23:03 +0100)]
build: add --force option to gzip in Build/gzip
When using pigz, a parallel gzip implementation, the gzip step in the
image build for some targets fails, because the image filename already
has the .gz extension. This results in an emtpy image file. Fix this by
adding the --force option to gzip in the Build/gzip macro.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Tested-by: Martin Schleier <drahemmaps@gmx.net>
GNU gzip does not fail when the image filename already contains the .gz
extension, this is a problem specific to pigz. Revert the commit, as we
now gzip the image twice.
Reported-by: Martin Schleier <drahemmaps@gmx.net> Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
1721453 Remove special handling of A-for-A queries. 499d8dd Fix boundary for test introduced in 3e3f1029c9ec6c63e430ff51063a6301d4b2262 6f1cbfd Fix debian/readme typo. 55ecde7 Inotify: Ignore backup files created by editors 6b54d69 Make failure to chown() pidfile a warning. 246a31c Change ownership of pid file, to keep systemd happy. 83e4b73 Remove confusion between --user and --script-user. 6340ca7 Tweak heuristic for initial DNSSEC memory allocation. baf553d Default min-port to 1024 to avoid reserved ports. 486bcd5 Simplify and correct bindtodevice(). be9a74d Close Debian bug for CVE-2017-15107. ffcbc0f Example config typo fixes. a969ba6 Special case NSEC processing for root DS record, to avoid spurious BOGUS. f178172 Add homepage to Debian control file. cd7df61 Fix DNSSEC validation errors introduced in 4fe6744a220eddd3f1749b40cac3dfc510787de6 c1a4e25 Try to be a little more clever at falling back to smaller DNS packet sizes. 4fe6744 DNSSEC fix for wildcard NSEC records. CVE-2017-15107 applies. 3bd4c47 Remove limit on length of command-line options. 98196c4 Typo fix. 22cd860 Allow more than one --bridge-interface option to refer to an interface. 3c973ad Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC time validation. faaf306 Spelling fixes. c7e6aea Change references to gPXE to iPXE. Development of EtherBoot gPXE was always development of iPXE core developer Michael Brown. e541245 Handle duplicate RRs in DNSSEC validation. 84a01be Bump year in Debian copyright notice. d1ced3a Update copyrights to 2018. a6cee69 Fix exit code from dhcp_release6. 0039920 Severely fix code formating of contrib/lease-tools/dhcp_release6.c 39d8550 Run Debian startup regex in "C" locale. ef3d137 Fix infinite retries in strict-order mode. 8c707e1 Make 373e91738929a3d416e6292e65824184ba8428a6 compile without DNSSEC. 373e917 Fix a6004d7f17687ac2455f724d0b57098c413f128d to cope with >256 RRs in answer section. 74f0f9a Commment language tweaks. ed6bdb0 Man page typos. c88af04 Modify doc.html to mention git-over-http is now available. ae0187d Fix trust-anchor regexp in Debian init script. 0c50e3d Bump version in Debian package. 075366a Open inotify socket only when used. 8e8b2d6 Release notes update. 087eb76 Always return a SERVFAIL response to DNS queries with RD=0. ebedcba Typo in printf format string added in 22dee512f3738f87539a79aeb52b9e670b3bd104 0954a97 Remove RSA/MD5 DNSSEC algorithm. b77efc1 Tidy DNSSEC algorithm table use. 3b0cb34 Fix manpage which said ZSK but meant KSK. aa6f832 Add a few DNS RRs to the table. ad9c6f0 Add support for Ed25519 DNSSEC signature algorithm. a6004d7 Fix caching logic for validated answers. c366717 Tidy up add_resource_record() buffer size checks. 22dee51 Log DNS server max packet size reduction. 6fd5d79 Fix logic on EDNS0 headers. 9d6918d Use IP[V6]_UNICAST_IF socket option instead of SO_BINDTODEVICE for DNS. a49c5c2 Fix search_servers() segfault with DNSSEC. 30858e3 Spaces in CNAME options break parsing.
Stijn Tintel [Sun, 18 Feb 2018 00:43:25 +0000 (01:43 +0100)]
kernel: bump 4.9 to 4.9.82
Refresh patches.
Remove upstreamed patches:
- ar7/002-MIPS-AR7-ensure-the-port-type-s-FCR-value-is-used.patch
- backport/040-crypto-fix-typo-in-KPP-dependency-of-CRYPTO_ECDH.patch
Remove layerscape/819-Revert-dmaengine-dmatest-move-callback-wait-queue-to.patch,
it is superseded by upstream commit 297c7cc4b5651b174a62925b6c961085f04979fd.
Remove pending/650-pppoe_header_pad.patch, it is superseded by
upstream commit 1bd21b158e07e0b8c5a2ce832305a0ebfe42c480.
Update patches that no longer apply:
- ar71xx/004-register_gpio_driver_earlier.patch
- hack/204-module_strip.patch
- pending/493-ubi-set-ROOT_DEV-to-ubiblock-rootfs-if-unset.patch
Stijn Tintel [Sun, 18 Feb 2018 00:15:58 +0000 (01:15 +0100)]
dropbear: add option to set receive window size
The default receive window size in dropbear is hardcoded to 24576 byte
to limit memory usage. This value was chosen for 100Mbps networks, and
limits the throughput of scp on faster networks. It also severely limits
scp throughput on high-latency links.
Add an option to set the receive window size so that people can improve
performance without having to recompile dropbear.
Setting the window size to the highest value supported by dropbear
improves throughput from my build machine to an APU2 on the same LAN
from 7MB/s to 7.9MB/s, and to an APU2 over a link with ~65ms latency
from 320KB/s to 7.5MB/s.
Stijn Tintel [Sat, 17 Feb 2018 20:00:34 +0000 (21:00 +0100)]
brcm2708: fix sdcard image
The gzip step in the sdcard image build fails because the image filename
already has the gzip extension. This results in an empty image file, to
which the metadata is finally appended.
Remove the .gz extension from the image filename to fix this.
Fixes: e79b096ee175 ("brcm2708: convert to metadata") Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Evgeniy Didin [Thu, 15 Feb 2018 17:26:04 +0000 (20:26 +0300)]
archs38: add HSDK board to network configure scripts
In the initial patch which adds HSDK board there were no update
of network configuration scripts. Without it by default static IP
is set for br-lan and there is no access to internet.
This patch fixes the issue.
Signed-off-by: Evgeniy Didin <Evgeniy.Didin@synopsys.com> CC: Alexey Brodkin <abrodkin@synopsys.com> CC: Hauke Mehrtens <hauke@hauke-m.de> CC: John Crispin <john@phrozen.org>
Russell Senior [Fri, 16 Feb 2018 12:39:00 +0000 (04:39 -0800)]
openvpn: fix interface with mbedtls_sha256
Between mbedtls 2.6.0 and 2.7.0, the void returning mbedtls_MODULE* functions
were deprecated in favor of functions returning an int error code. Use
the new function mbedtls_sha256_ret().
Signed-off-by: Russell Senior <russell@personaltelco.net> Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Russell Senior [Fri, 16 Feb 2018 12:15:21 +0000 (04:15 -0800)]
curl: fix interface with mbedtls_sha256
Between mbedtls 2.6.0 and 2.7.0, the void returning mbedtls_MODULE* functions
were deprecated in favor of functions returning an int error code. Use
the new function mbedtls_sha256_ret().
Signed-off-by: Russell Senior <russell@personaltelco.net> Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Hauke Mehrtens [Fri, 16 Feb 2018 18:48:49 +0000 (19:48 +0100)]
mbedtls: activate deprecated functions
Some functions used by a lot of other software was renamed and is only
active when deprecated functions are allowed, deactivate the removal of
deprecated functions for now.
Fixes: 75c5ab4caf9 ("mbedtls: update to version 2.7.0") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The watchdog kill command was meant for busybox watchdog. Busybox watchdog
was replaced by the procd watchdog mid 2013 with commit df7ce9301a25
("busybox: disable the watchdog utility by default"), which makes the kill
command obsolete since quite some time.
Hauke Mehrtens [Thu, 15 Feb 2018 20:58:47 +0000 (21:58 +0100)]
mbedtls: update to version 2.7.0
This fixes the following security problems:
* CVE-2018-0488: Risk of remote code execution when truncated HMAC is enabled
* CVE-2018-0487: Risk of remote code execution when verifying RSASSA-PSS signatures
Jo-Philipp Wich [Tue, 13 Feb 2018 14:58:48 +0000 (15:58 +0100)]
ramips: fix reporting effective VLAN ID on MT7621 switches
On MT7621, the REG_ESW_VLAN_VTIM reads are undefined, causing swconfig
to always report `vid: 0` in swconfig show output.
Since a 4K VLAN table is used on this platform, the VLAN ID always
correponds to the actual VLAN table index so provide a specific MT7621
implementation of the get_vid callback which returns the table index
as VLAN ID.
projects / thirdparty / openwrt.git / log
