1450e1e2b7ff odhcpd: remove fallback DNS search domain 5b0e5c412f6c router: remove some log spam in send_router_advert() eddd0f8f0d00 router: improve send_router_advert() 35f0e05a16a0 config: add default value for dhcpv6_pd_min_len 62113d007a6a config: allow minimum PD len up to 64 03c1468355c0 Revert "router: optimize duplicated PIO comparison" 6b88c314a59e statefiles: don't consider no hostname as broken
Petr Štetiar [Tue, 16 Dec 2025 16:42:19 +0000 (16:42 +0000)]
dropbear: bump to 2025.89 (CVE-2025-14282, CVE-2019-6111)
- Security: Avoid privilege escalation via unix stream forwarding in Dropbear
server. Other programs on a system may authenticate unix sockets via
SO_PEERCRED, which would be root user for Dropbear forwarded connections,
allowing root privilege escalation.
Reported by Turistu, and thanks for advice on the fix.
This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88.
It is fixed by dropping privileges of the dropbear process after
authentication. Unix stream sockets are now disallowed when a
forced command is used, either with authorized_key restrictions or
"dropbear -c command".
In previous affected releases running with "dropbear -j" (will also disable
TCP fowarding) or building with localoptions.h/distrooptions.h
"#define DROPBEAR_SVR_LOCALSTREAMFWD 0" is a mitigation.
- Security: Include scp fix for CVE-2019-6111. This allowed
a malicious server to overwrite arbitrary local files.
The missing fix was reported by Ashish Kunwar.
- Server dropping privileges post-auth is enabled by default. This requires
setresgid() support, so some platforms such as netbsd or macos will have to
disable DROPBEAR_SVR_DROP_PRIVS in localoptions.h. Unix stream forwarding is
not available if DROPBEAR_SVR_DROP_PRIVS is disabled.
Remote server TCP socket forwarding will now use OS privileged port
restrictions rather than having a fixed "allow >=1024 for non-root" rule.
A future release may implement privilege dropping for netbsd/macos.
- Fix a regression in 2025.87 when RSA and DSS are not built. This would lead
to a crash at startup with bad_bufptr().
Reported by Dani Schmitt and Sebastian Priebe.
- Don't limit channel window to 500MB. That is could cause stuck connections
if peers advise a large window and don't send an increment within 500MB.
Affects SSH.NET https://github.com/sshnet/SSH.NET/issues/1671
Reported by Rob Hague.
- Ignore -g -s when passwords arent enabled. Patch from Norbert Lange.
Ignore -m (disable MOTD), -j/-k (tcp forwarding) when not enabled.
- Report SIGBUS and SIGTRAP signals. Patch from Loïc Mangeonjean.
- Fix incorrect server auth delay. Was meant to be 250-350ms, it was actually
150-350ms or possibly negative (zero). Reported by pickaxprograms.
- Fix building without public key options. Thanks to Konstantin Demin
- Fix building with proxycmd but without netcat. Thanks to Konstantin Demin
- Fix incorrect path documentation for distrooptions, thanks to Todd Zullinger
- Fix SO_REUSEADDR for TCP tests, reported by vt-alt.
Dropped:
* 050-dropbear-multihop-fix.patch as its included in the release 5cc0127000db5f
* 051-fix-pubkey-options.patch as its included in the release 1d4c4a542cd5df
* 052-fix-missing-depends-for-sntrup761x25519-sha512.patch as its included
in the release 1a2c1e649a1824
* 053-Don-t-limit-channel-window-to-500MB.patch as its included in the release a8610f7b98ad
Manually rebased:
* 110-change_user.patch
Fixes: CVE-2025-14282, CVE-2019-6111 Reviewed-by: Hauke Mehrtens <hauke@hauke-m.de> Reviewed-by: Konstantin Demin <rockdrilla@gmail.com> Tested-by: Konstantin Demin <rockdrilla@gmail.com> [mediatek/filogic (GL.iNet GL-MT6000)] Link: https://github.com/openwrt/openwrt/pull/21186 Signed-off-by: Petr Štetiar <ynezz@true.cz>
This fixes a boot hang on realtek rtl838x switches.
This is the last printed message:
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes, linear)
Thread on mips mailing list:
https://lore.kernel.org/linux-mips/b35fe4b3-8f42-49f4-a6bf-9f0e56d4050c@hauke-m.de/T/#u
Rany Hany [Mon, 15 Dec 2025 17:11:24 +0000 (19:11 +0200)]
wifi-scripts: update phys after rename_phy_by_name call
This fixes a failed bring up of the radio on bootup
if the model defines a rename of phy in its /etc/board.json.
This specifically impacts Redmi AX6S and any router that does so
in its /etc/board.json. The fix fortunately is simple, just update
phy name in phys after rename.
The entry that specifically causes this issue is the following:
The issue is that after rename, referenced phy in config is going to be
wl0 but in phys array it is still phy0; and so it fails to find phy
and does not bring up radio.
Fixes: https://github.com/openwrt/openwrt/issues/20250 Fixes: https://github.com/openwrt/openwrt/issues/20339 Signed-off-by: Rany Hany <rany_hany@riseup.net> Link: https://github.com/openwrt/openwrt/pull/21175 Signed-off-by: Robert Marko <robimarko@gmail.com>
Jonas Jelonek [Tue, 16 Dec 2025 12:06:57 +0000 (12:06 +0000)]
realtek: mdio-serdes: use correct device table identifier
Use the correct identifier 'rtsds_of_match' instead of
'rtsds_mdio_of_match' because the latter doesn't exist.
This doesn't cause an error for 6.12. However, with 6.18 the
implementation of MODULE_DEVICE_TABLE has changed to use 'static' and
'used' [1] instead of 'extern' and 'unused' [2].
Jonas Jelonek [Thu, 11 Dec 2025 23:33:59 +0000 (23:33 +0000)]
realtek: pcs: move polarity into SerDes struct
As a first real usage of the new SerDes struct, move the polarity
configuration there. It was previously located in the global rtpcs_ctrl
struct as an array, indexed by SerDes id. Because this is per-SerDes
information, the new SerDes struct is the correct place to live in.
Jonas Jelonek [Sat, 13 Dec 2025 10:48:52 +0000 (10:48 +0000)]
realtek: pcs: drop unneeded SerDes number range checks
By using references to pre-initiated SerDes instances instead of plain
SerDes number, there is no need to check for the range anymore in
various places. During driver/pcs init it is ensured that only valid
SerDes will reach the configuration functions.
Jonas Jelonek [Sat, 13 Dec 2025 20:12:13 +0000 (20:12 +0000)]
realtek: pcs: make use of SerDes struct in set_autoneg
Also switch set_autoneg (and related helper rtpcs_sds_modify) to the
SerDes struct instead of the plain SerDes id by using just the reference
to the SerDes instance instead of (ctrl, sds_id) tuple. This completes
the transition.
Jonas Jelonek [Thu, 11 Dec 2025 21:42:38 +0000 (21:42 +0000)]
realtek: pcs: make use of SerDes struct in SerDes setup
Make use of the previously added SerDes struct in SerDes setup and all
functions in its call path by removing (ctrl, sds_num) being passed to
every function call and instead just pass the reference to the
corresponding SerDes instance.
Various SerDes calculations for even, odd and neighbor are unified by
switching to previously introduced helpers.
Jonas Jelonek [Sat, 13 Dec 2025 20:01:03 +0000 (20:01 +0000)]
realtek: pcs: switch to id from SerDes struct
Drop usage of the to-be-phased-out SerDes id stored in rtpcs_link and
use the reference to the SerDes instance to use the embedded id in
rtpcs_serdes instead.
Jonas Jelonek [Sat, 13 Dec 2025 10:29:56 +0000 (10:29 +0000)]
realtek: pcs: assign SerDes reference upon PCS creation
Upon creation of a phylink_pcs instance by calling rtpcs_create, assign
a reference to the corresponding SerDes to the link structure. In the
next step, this should be used everywhere instead of the plain SerDes
number.
Rename the field used to hold the SerDes number from 'sds' to 'sds_num'
and name the new field 'sds' to make clear what is what.
Jonas Jelonek [Sat, 13 Dec 2025 10:16:21 +0000 (10:16 +0000)]
realtek: pcs: add helpers for even, odd, neighbor SerDes
Add dedicated helpers to get references to even, odd and neigbor SerDes
if needed. This should replace the various calculations scattered
throughout the code, providing a unified way to work with adjacent
SerDes.
Jonas Jelonek [Sat, 13 Dec 2025 10:12:35 +0000 (10:12 +0000)]
realtek: pcs: add separate SerDes struct
Add a separate structure for a SerDes. This is needed to appropriately
store per-SerDes information, which in turn is needed for future work.
Additionally, it's intended to reduce boilerplate and several
inconsistencies.
Jonas Jelonek [Sat, 13 Dec 2025 09:10:55 +0000 (09:10 +0000)]
realtek: pcs: use per-variant SerDes count
Use a separate configuration field for the number of SerDes for each
variant of the Realtek Otto family. Add this field to the config
structure, assign it and use it during driver probe. This narrows
possible error cases and is needed for upcoming extensions.
Jonas Jelonek [Thu, 11 Dec 2025 19:17:26 +0000 (19:17 +0000)]
realtek: pcs: add dedicated enum for SerDes modes
The Realtek SerDes mode capabilities do not map 1:1 to the
PHY_INTERFACE_MODE_* modes used in the kernel and passed to the PCS.
For example, some PHY chips use the proprietary XSGMII mode for which
there isn't an equivalent in the kernel, or HSGMII.
In the past, this led to problems and confusion using kernel's XGMII to
handle the XSGMII mode, and needed a downstream patch for HSGMII. They
have been solved/worked around for now, but XSGMII is currently not
implemented at all. And who knows what might come in the future.
To make our life easier, introduce a dedicated internal representation
of SerDes modes which differs from kernel's PHY_INTERFACE_MODE_*. This
allows us to map "external" modes to different internal modes as needed
instead of carrying the PHY_INTERFACE_MODE_* through the whole SerDes
configuration code. The PCS driver needs to map PHY_INTERFACE_MODE_* to
RTPCS_SDS_MODE_* in pcs_config, and the latter should be used as the
only one.
Jonas Jelonek [Fri, 12 Dec 2025 20:05:52 +0000 (20:05 +0000)]
realtek: pcs: rtl930x: drop unused and broken function
Drop the unused and broken function rtpcs_930x_sds_clock_wait from the
PCS driver. The proper working variant is already some lines above and
called rtpcs_930x_sds_wait_clock_ready.
Jonas Jelonek [Thu, 11 Dec 2025 22:37:33 +0000 (22:37 +0000)]
realtek: pcs: drop PCS creation without SerDes ref
Since the beginning, the PCS driver had the ability to call its
rtpcs_create without a reference to a valid PCS node. A comment in the
code mentions that this is done for RTL838X and its built-in octa-PHY
which is connected directly instead of via a SerDes. Further
explanations are not provided.
Drop this ability and make the rtpcs_create call in the dsa driver
conditional. As the built-in PHY of RTL838X isn't attached to a SerDes,
there is no obvious point of having the PCS driver in that chain. The
ports are marked as internal and have no pcs-handle, thus no phylink_pcs
instance should be created.
Jonas Jelonek [Tue, 16 Dec 2025 10:20:13 +0000 (10:20 +0000)]
realtek: mdio-serdes: improve debugfs creation
Commit 3c073b5cb2 cleaned up the debugfs creation in
mdio-realtek-otto-serdes driver to not explicitly check if the root
directory already exists. This is fine because kernel handles the case
properly so there's no need to check anymore.
However, this pollutes the boot log with:
[..] debugfs: 'realtek_otto_serdes' already exists in '/'
[..] debugfs: 'realtek_otto_serdes' already exists in '/'
[..] debugfs: 'realtek_otto_serdes' already exists in '/'
[..] debugfs: 'realtek_otto_serdes' already exists in '/'
[..] debugfs: 'realtek_otto_serdes' already exists in '/'
[..] debugfs: 'realtek_otto_serdes' already exists in '/'
[..] debugfs: 'realtek_otto_serdes' already exists in '/'
[..] debugfs: 'realtek_otto_serdes' already exists in '/'
[..] debugfs: 'realtek_otto_serdes' already exists in '/'
[..] debugfs: 'realtek_otto_serdes' already exists in '/'
[..] debugfs: 'realtek_otto_serdes' already exists in '/'
Now, the root directory creation is attempted multiple times, causing
the kernel to print an error message because the directory already
exists.
Fix this by moving the SerDes loop into rtsds_debug_init and only try
to create the root debugfs directory once.
Christoph Krapp [Sat, 22 Nov 2025 21:34:04 +0000 (22:34 +0100)]
ipq40xx: convert Orbi led labels to function/color
The eight leds controlled by the LED controller are RGB leds themselves
but are flashing white by default. The color part is controlled by GPIOs
53 (green), 54 (red), 57 (blue) and 60 (white).
Therefore define the led nodes of the controller as white instead of RBG
as well as backlight as their function.
Christoph Krapp [Sat, 22 Nov 2025 19:42:33 +0000 (20:42 +0100)]
ipq40xx: fix second 5ghz radio on Netgear RBx40
When support was added for the RBR40 and RBS40 it was assumed that they
also share the same second 5ghz wifi chip as their bigger siblings.
Turns out that instead of QCA9984 (RBx50, SRx60) these devices use
QCA9886 like the RBx20 devices to.
They also load different boardfiles for the IPQ4019 chip.
This moves the wifi nodes from the orbi.dtsi to each device dts file and
change the RBx40 boardfile variants.
Christoph Krapp [Sat, 22 Nov 2025 19:20:14 +0000 (20:20 +0100)]
ipq40xx: split orbi devices in router and satellite
Netgear Orbi devices are split into router and satellite units. Even
though the hardware is mostly the same, the network configuration is
different. Router units have a designated WAN port while satellite units
have all available ports labeled as "Ethernet".
This splits the device trees into both unit types and adjusts the port
labels.
sunxi: image: sync target profiles names with DT compatible
Following up with errors reported in the ASU repo, these bananapi cases
do not match the DT compatible "bpi", sync with dts sources.
Also some profiles were overwriting SUPPORTED_DEVICES.
Sysupgrade would be failing in SUPPORTED_DEVICES check since
the DT compatible(/tmp/sysinfo/board_name) is not in SUPPORTED_DEVICES.
This should also fix errors when using ASU sysupgrade clients.
- Sync profile makefile target names with DT compatibles.
- Fix overwrites of SUPPORTED_DEVICES instead of appending.
- Adapt the uboot-sunxi profiles accordingly.
*bpi-p2-zero dts is still not upstream.
V2:
- Include fixes for arm926ejs(ARM926EJ-S) subtarget (LicheePi Nano and
PopStick v1.1) (profile rename for correct default SUPPORTED_DEVICES)
Fixes: https://forum.openwrt.org/t/luci-attended-sysupgrade-support-thread/230552/246 Fixes: https://github.com/openwrt/asu/issues/486 Fixes: https://github.com/openwrt/asu/issues/524 Fixes: 9aa66b8ce730aebff76d353392151708a897a3a0 "sunxi: add support for Banana Pi M2 Berry" Fixes: d5f615bf2a0434c15d13943b566d46f25da579bb "sunxi: add support for Sinovoip Banana Pi M2 Plus" Fixes: 3819c1638a9d300840d0f869628891f9696be112 "sunxi: Add support for Banana Pi M2 Ultra" Fixes: 6bf8193b25a147abfe3720104e63af890c1ca2b8 "sunxi: add support for Bananapi P2 Zero" Fixes: 80edfaf675364835e6d2e17d97ebec6afc6b2103 "sunxi: add support for Banana Pi M3" Fixes: 3c24a1d423a6052b101c00cb7d94e70d72702639 "sunxi: add support for NanoPi NEO Plus2 board" Fixes: a689307c970e37c247c6452ba3963be8b109eb4f "sunxi: build image/uboot for the NanoPi NEO2" Fixes: fde68cb80941a60be93ece75e808b5b407d11cc8 "sunxi: add support for FriendlyARM NanoPi R1S H5" Fixes: 3ec468ff4fa3106d459ae58ec4bc4833715118c6 "sunxi: add F1C100 (arm926ej-s) support" Signed-off-by: Mario Andrés Pérez <mapb_@outlook.com> Link: https://github.com/openwrt/openwrt/pull/21095 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Martin Nadvornik [Mon, 15 Dec 2025 15:54:52 +0000 (16:54 +0100)]
mediatek: fix IPv4 address missing on interface in failsafe mode for cudy ap3000-v1
cudy ap3000-v1 did not work correctly in failsafe mode
because the address 192.168.1.1 was missing on the eth0 inteface.
it was reachable via it's IPv6 link-local address however.
this commit fixes the issue.
Rany Hany [Sat, 29 Nov 2025 00:04:09 +0000 (00:04 +0000)]
wifi-scripts: add support for using list for iface in wifi-station/vlan
This is a trivial change to allow users to use 'list' on iface.
Old wifi-scripts already implements this, so this just ensures
that shell-based and ucode wifi-scripts are on-par with each other.
Rany Hany [Sat, 29 Nov 2025 10:37:22 +0000 (12:37 +0200)]
wifi-scripts: fix broken match all case for wifi-vlan
When iface is omitted, wifi-vlan will apply to all interfaces.
However, netifd.set_vlan call is not successful as it assumes
that every wifi-vlan section corresponds to one VIF.
For this reason in the wifi-vlan case (cur_type == "vlan")
we create a composite key in the form `${vif.name}/${vlan.name}`
allowing the same vlan section to correspond to multiple VAPs.
`/` was decided as a delimiter as it is an invalid character
for a network interface name and UCI identifier; so it is
impossible for it to cause conflicts.
It was verified that the `ubus call network.wireless status`
works as expected with this change. Moreover, wifi-station
is not susceptible to this problem.
This also means that it is now possible for wifi-vlan
to support `list` iface similar to old shell-based wifi-scripts.
This will be done in a follow-up commit.
Fixes: 98435a37a7 ("wifi-scripts: iface should be optional in wifi-vlan definition") Signed-off-by: Rany Hany <rany_hany@riseup.net> Link: https://github.com/openwrt/openwrt/pull/20977 Signed-off-by: Robert Marko <robimarko@gmail.com>
cf51aeb93220 odhcpd: fix captive_portal_uri reset e8b7fdea8d5e dhcpv4: fix DNS server option b84553e496a3 router: Modify relayed RA PIO P flag according to interface policy da3e2a9829cc router: Modify relayed RA PIO A flags according to interface policy bad7138b70f0 README.md: update dhcp ubus events
David Woodhouse [Sat, 29 Nov 2025 16:18:26 +0000 (16:18 +0000)]
image: add CONFIG_EXTRA_IMAGE_NAME
This allows an optional tag to be put in the .config file which is
included in the filename of the resulting images, so it's easier to
build images with different functionality for the same target hardware.
David Härdeman [Tue, 9 Dec 2025 22:49:48 +0000 (23:49 +0100)]
base-files: always generate default DUID
The previous logic was copied from 12_network-generate-ula, but fails to
account for upgrades where the "auto" value isn't set (it is set by
base-files/files/bin/config_generate). Fix this to always set the
default duid if it isn't set.
Also, rename the file to better reflect what it does.
Closes: #21029 Fixes: a660a076db5a ("base-files: generate a global DHCP DUID") Link: https://github.com/openwrt/openwrt/pull/21118 Signed-off-by: David Härdeman <david@hardeman.nu> Signed-off-by: Petr Štetiar <ynezz@true.cz> [fixes,closes tag]
Add the DDR4_4BG_MODE option, which supports 4GB DDR4 RAM
for the MT7987 and 8GB DDR4 RAM for the MT7988. If this mode
is not enabled, bl2 can only recognize half the size of RAM.
Based on 35f6d79, which introduced Watchguard Firebox T10 support.
The T10 and T15 are identical hardware, with the exception of the T15
having twice the flash and RAM size.
The T10-W and T15-W models have their Mini-PCIe slot populated with an ath9
(AR9582) based WiFi card. The slot is either unpopulated or empty for
non-WiFi models. All required drivers are present by default on the mpc85xx
target, so T10/T10-W resp. T15/T15-W can use the same OpenWrt image.
This commit also introduces the zImage loader from 7d768a9 to boot the
kernel. This is required, since the U-Boot version used in these devices
appears to have a hard limit of 16MB for the kernel size it can handle. The
current kernel size is around 17MB, though, due to kernel page alignment
required for memory protection.
Installation (replaces previous instructions for T10):
1. If the U-Boot password is known, proceed with step 2.
If the U-Boot password is unknown, dump the NOR flash using a SPI
programmer and patch the unknown password to a known one. You can use
blocktrron's Python script:
https://github.com/blocktrron/t10-uboot-patcher/
This script will patch the password to '1234' (without quotes).
Alternatively, you can search for the hashed password in the NOR dump
yourself and overwrite it with a known one. The SHA1 hash is:
6. The device should now boot OpenWrt from NAND flash. Enjoy.
Back to stock:
Use the vendor recovery procedure.
Stock recovery might also be necessary in case you have accidentally used
the fw_setenv command from within OpenWrt without using saveenv in U-Boot
first.
In order to use the vendor firmware recovery procedure, the NAND partitions
mtd3 to mtd6 must remain intact. Make sure not to overwrite them, or keep
dumps of them for later recovery.
Hauke Mehrtens [Mon, 8 Dec 2025 21:20:46 +0000 (22:20 +0100)]
ucode: update to Git HEAD (2025-12-01)
afe4be60628a lib/fs: fix return value for flush 5f08ecf8e372 lib/uloop: fix return value doc for run() 1affe484f302 lib/uloop: pass eof and error to cb 559860cbd76d lib: introduce io library ef07e2448a56 vm: optimize string+string concat with ucv_string_alloc
Nick Hainke [Sun, 23 Nov 2025 08:58:30 +0000 (09:58 +0100)]
libcap: update to 2.77
Update to latest release.
Add patch `003-Revert-libcap-Add-build-ldflags-to-_makenames-rule.patch`
to fix errors in the form of:
```
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(__stack_chk_fail.o): relocation R_X86_64_32 against symbol `__stack_chk_guard' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(strerror.o): relocation R_X86_64_32 against `.rodata.errmsgstr' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(realloc.o): relocation R_X86_64_32S against hidden symbol `__malloc_size_classes' can not be used when making a PIE object
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(__stdout_write.o): relocation R_X86_64_32S against hidden symbol `__stdio_write' can not be used when making a PIE object
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(ofl.o): relocation R_X86_64_32 against `.bss.ofl_lock' can not be used when making a PIE object; recompile with -fPIE
/usr/bin/ld.bfd: /external-toolchain/openwrt-toolchain-x86-64_gcc-14.3.0_musl.Linux-x86_64/toolchain-x86_64_gcc-14.3.0_musl/lib/libc.a(stderr.o): warning: relocation against `__stderr_FILE' in read-only section `.rodata.stderr'
/usr/bin/ld.bfd: /usr/lib/gcc/x86_64-linux-gnu/10/../../../x86_64-linux-gnu/Scrt1.o: in function `_start':
(.text+0x12): undefined reference to `__libc_csu_fini'
/usr/bin/ld.bfd: (.text+0x19): undefined reference to `__libc_csu_init'
collect2: error: ld returned 1 exit status
```
The apk size did not increase much:
Old size for armsr/armv8:
767 libnl200-3.11.0-r1.apk
13480 libnl-cli200-3.11.0-r1.apk
44511 libnl-core200-3.11.0-r1.apk
9101 libnl-genl200-3.11.0-r1.apk
32485 libnl-nf200-3.11.0-r1.apk
185723 libnl-route200-3.11.0-r1.apk
new size for armsr/armv8:
764 libnl200-3.12.0-r1.apk
13471 libnl-cli200-3.12.0-r1.apk
45031 libnl-core200-3.12.0-r1.apk
9098 libnl-genl200-3.12.0-r1.apk
32479 libnl-nf200-3.12.0-r1.apk
193131 libnl-route200-3.12.0-r1.apk
The apk size did not increase much:
Old size for armsr/armv8:
43778 ip-bridge-6.17.0-r1.apk
164653 ip-tiny-6.17.0-r1.apk
208236 tc-bpf-6.17.0-r1.apk
210209 tc-full-6.17.0-r1.apk
172483 tc-tiny-6.17.0-r1.apk
new size for armsr/armv8:
43781 ip-bridge-6.18.0-r1.apk
164956 ip-tiny-6.18.0-r1.apk
208578 tc-bpf-6.18.0-r1.apk
210482 tc-full-6.18.0-r1.apk
172664 tc-tiny-6.18.0-r1.apk
Linus Walleij [Thu, 19 Jun 2025 12:07:34 +0000 (14:07 +0200)]
scripts/jungo-image: Fix up whitespace
Recent Python versions are strict about whitespace and will
complain about mixtures of tabs and spaces. Convert any tabs
so the script just use spaces for indentation.
The current default prioritizes legacy compatibility over:
1. BPF program functionality across multiple subsystems
2. Performance on widely deployed modern hardware
3. Modern kernel features relying on unaligned accesses
Since BPF programs require unaligned access capabilities and most
LoongArch deployments use modern CPUs with hardware support, disable
CONFIG_ARCH_STRICT_ALIGN. Legacy system users can manually enable
it if needed.
Andreas Gnau [Wed, 10 Dec 2025 17:21:45 +0000 (18:21 +0100)]
build: depend on tools/zstd for download
Downloading packages from git requires zstd to compress their tarballs.
Make sure that zstd from host tools is compiled when running make
download. Otherwise, either the download would fail because zstd is not
present or a random version from the host would be used leading to hash
mismatches.
ca00527e5fc3 statefiles: don't write empty hosts files 24b70c5c2ff0 Revert "statefiles: fix escape sequence for broken hostname output" 5203ad13954c statefiles: fix stale pio handling for !ubus a64760b30f67 odhcpd: rename piofolder to piodir 6779344a8c8a statefiles: use tmpfile functions for pio files 9f8abcc662d0 statefiles: rename prefix information functions cb65b83e524e config: move pio json handling to statefiles.c 5b01849cc42c statefiles: add a dirfd helper function eadde3d7dd74 statefiles: add tmp helper functions c29aa7091498 statefiles: fix escape sequence for broken hostname output 00f2d7a4dbe5 dhcpv4: don't send zero IPv6-only preferred option c86d29bb83d6 Revert "dhcpv6-ia: add some noise to the T1 and T2 periods" b062769ab85f Revert "do not delegate ULA prefixes" fd4714bb2dfe do not delegate ULA prefixes 81ea5bfef775 dhcpv6-ia: add some noise to the T1 and T2 periods
Kyle Hendry [Fri, 17 Jan 2025 20:18:20 +0000 (12:18 -0800)]
bmips: b53: enable bcm63268 internal PHYs
On the smartrg sr505n the bootloader only sets registers to enable the
PHYs if it's interrupted. When Linux boots this results in a -EINVAL
error when trying to read from the EPHYs and the GPHY doesn't work.
This patch disables low power mode in the GPHY/EPHYs and properly resets
the EPHYs.
Hauke Mehrtens [Tue, 9 Dec 2025 01:06:26 +0000 (02:06 +0100)]
apk: Fix host compilation with C89
This fixes the following build error:
```
../src/apk.c: In function 'parse_options':
../src/apk.c:584:4: error: a label can only be part of a statement and a declaration is not a statement
584 | char *arg = opt_parse_arg(&st);
| ^~~~
```
MAC addresses
LAN: Label MAC (stored in Factory partition offset 0x1fef20)
WAN: LAN + 1
WiFi: LAN
Official LED layout, from left to right:
[power] [internet] [wps] [wifi] [lan3/2/1] [wan]
Redefinition for OpenWrt:
[power]: used for led-boot, led-failsafe, and led-running
[internet]: used for WAN RX/TX indication
[wps]: used for led-upgrade
[wifi] and [lan3/2/1]: unchanged
[wan]: used for WAN link indication
Installing OpenWrt:
- Setup a tftp server on your PC. Copy
xxx-preloader.bin, xxx-bl31-uboot.fip and
xxx-initramfs.itb to tftp root directory.
- Connect to the router via ssh or telnet,
username: useradmin, password is the web
login password of the router.
- Backup all critical flash partitions with
the following commands where x.x.x.x is
the IP of your PC.
IP=x.x.x.x
cd /dev
for d in /sys/class/mtd/mtd?; do
if [ "$(cat $d/name)" = "BL2" ]; then
tftp -l $(basename $d) -r bl2.img -p $IP
elif [ "$(cat $d/name)" = "FIP" ]; then
tftp -l $(basename $d) -r fip.bin -p $IP
elif [ "$(cat $d/name)" = "Factory" ]; then
tftp -l $(basename $d) -r factory.bin -p $IP
fi
done
for d in /sys/devices/virtual/ubi/ubi0/ubi0_*; do
[ "$(cat $d/name)" != "customer" ] && continue
tftp -l $(basename $d) -r customer -p $IP
break
done
- Set a static ip(192.168.1.254) for your PC.
And then reboot the router. It will run
initramfs image automatically.
- After openwrt boots up, perform sysupgrade
via web UI.
Reverting to the vendor firmware:
- Setup a tftp server on your PC with ip
address 192.168.1.254. And make sure
bl2.img, fip.bin, factory.bin and customer
are located in tftp root directory.
- Power off the router.
- Press and hold WPS key, then power on
the router.
- Release WPS key, when internet/wifi/wps
leds are blinking.
- Wait until internet/wifi/wps leds light
up, power off the router.
- Press and hold reset key, power up the
router, release reset key 15s later.
- Connect to http://192.168.1.1, now you
can upload vendor .bin firmware.
Uboot netconsole:
Uboot netconsole can be enabled by WPS
or reset key.
- Setup a linux PC with ip 192.168.1.254.
Open a new terminal and execute
'stty -isig -echo cbreak; nc -lup 6666'
- Press and hold WPS(or reset) key, then
power on the router.
- Release key once internet/wifi/wps leds
are all on.
NOTE: don't hold the key more than 5s
after internet/wifi/wps leds on, or it
will try to revert to vendor firmware.
- 5s later, uboot bootmenu will show on
the terminal.
Pawel Dembicki [Thu, 2 Oct 2025 13:49:17 +0000 (15:49 +0200)]
mediatek: filogic: add support for Kebidumei AX3000-U22
Kebidumei AX3000-U22 is one of many clones of the same range extender
that can be found on Aliexpress or other Chinese portals.
The easiest way to identify this model is by searching for "AX3000
Repeater" and picking the device that looks like mine [0].
Specification:
- SoC: MediaTek MT7981B (1.3 GHz)
- RAM: 256 MB
- Flash: 16 MB SPI NOR
- Ports: 1 x 1 GbE
- Antenna: 6 (2 fake)
- WiFi: MediaTek dual-band WiFi 6
- 2.4 GHz: b/g/n/ax, MIMO 2x2
- 5 GHz: a/n/ac/ax, MIMO 2x2
- Buttons: Reset & WPS
- LEDs: Ethernet (green), Status (red, green, blue)
- Power: 110–240 V AC (internal PSU, board uses 12 V DC)
- Serial: unmarked connector on PCB
[1: Vcc, 2: RX, 3: TX, 4: GND]
Install via OEM web UI:
1. Use reset button to perform factory reset.
2. Connect PC to LAN port and obtain DHCP address.
3. Upload the sysupgrade image via OEM firmware upgrade page,
e.g. http://192.168.18.1/upgrade.html
4. After reboot, hold reset button to clear leftover vendor config.
Install via serial:
1. Connect serial console (115200 8N1).
2. Enter the console.
3. Backup mtd4 partition if you want to restore OEM FW later.
4. Download image.
5. Run 'sysupgrade -n'.
Revert to stock:
1. Run sysupgrade without keeping config using mtd4 backup.
WLAN: MT7992AV
WLAN 2g: MediaTek MT7975N, b/g/n/ax/be, MIMO 4x4
WLAN 5g: MediaTek MT7977B, a/n/ac/ax/be, MIMO 4x4
LEDs: 5 LEDs, 1 power green, 1 internet green,
2x fn green, 1 wlan green, gpio-controlled
Button: 4 (Reset, WPS, FN1, FN2)
USB port: Yes, 1xUSB3.2 and 1xUSB2.0 (via GL850G)
Power: 12 VDC, 3 A
Notes:
* The device supports dual boot mode
* Fn2 led reassigned to wlan 2.4
Flash instruction:
The only way to flash OpenWrt image is to use tftp recovery mode in U-Boot:
1. Configure PC with static IP 192.168.1.2/24 and tftp server.
2. a) Keenetic
Rename "openwrt-mediatek-filogic-keenetic_kn-1812-squashfs-factory.bin"
to "KN-1812_recovery.bin" and place it in tftp server directory.
b) Netcraze
Rename "openwrt-mediatek-filogic-netcraze_nc-1812-squashfs-factory.bin"
to "NC-1812_recovery.bin" and place it in tftp server directory.
3. Connect PC with ethernet port, press the reset button, power up
the device and keep button pressed until status led start blinking.
4. Device will download file from server, write it to flash and reboot.
Jonas Jelonek [Fri, 7 Nov 2025 19:00:03 +0000 (19:00 +0000)]
realtek: dsa,phy: rtl838x: remove 'SerDes as PHY' leftovers
RTL838X SerDes is now completely managed by the PCS driver so it's time
to remove all the unused leftovers from DSA and PHY drivers to have that
finally separated.
Jonas Jelonek [Fri, 7 Nov 2025 18:45:27 +0000 (18:45 +0000)]
realtek: rtl838x: drop SFP pseudo-PHYs and phy-handle
Remove all pseudo-PHYs and phy-handle properties from DTS of RTL838X
devices. RTL838X SerDes is now handled by PCS driver and thus not
treated as PHY anymore.
Jonas Jelonek [Fri, 7 Nov 2025 16:15:17 +0000 (16:15 +0000)]
realtek: rtl838x: setup SDS entirely in PCS driver
After having moved the configuration code and sequences from PHY and
DSA drivers to the PCS driver, add the hooks in PCS driver and remove
calls in PHY and DSA drivers to let PCS driver setup the SerDes
entirely on its own.
Also add pcs-handle to device tree definitions for most of the switch
ports because, due to the refactoring of the SerDes configuration, this
is needed now for all SerDes-attached ports.
Jonas Jelonek [Fri, 7 Nov 2025 11:45:30 +0000 (11:45 +0000)]
realtek: pcs: rtl838x: refactor imported code
The previous commit just imported some code as-is and commented it.
It needs heavy adjustments to compile and work within the PCS driver.
Do that now to that extent that it can be used within the driver. More
cosmetics and improvements will be done later.
Split the once-for-all SerDes configuration into the usual flow where
each SerDes is configured separately and on its own, as requested by the
PCS subsystem.
Move mode setting and patching into proper functions which are called
during SerDes configuration. Some configuration sequences are broken up
and moved into the SerDes configuration flow, e.g. reset sequences
because they were usually a single/few values applied to all SerDes at
once before.
Add proper configuration for SerDes 4 QSGMII to be able to setup this
mode properly on our own.
Jonas Jelonek [Fri, 7 Nov 2025 11:47:37 +0000 (11:47 +0000)]
realtek: pcs: rtl838x: import SerDes code from DSA/PHY
Import functions 'rtl8380_sds_rst', 'rtl8380_sds_power',
'rtl8380_configure_serdes' and 'rtl83xx_config_interface' from DSA and
PHY driver respectively but comment the code for now.
The code needs heavy adjustments to make it compile and work. To make
this as transparent as possible, do that in two stages.
Jonas Jelonek [Fri, 7 Nov 2025 10:21:43 +0000 (10:21 +0000)]
realtek: pcs: rtl838x: transplant firmware config
In the PHY driver, firmware files were used to store configuration
values for the SerDes which need to be applied upon initialization.
There are several issues which prevent to just take that over into the
PCS driver:
* SerDes and PHY parts are mixed within a firmware file
* SerDes access in PHY driver is based on writing into the switch's
global register space; PCS driver uses access via MDIO interface
--> destination values do not match
* firmware file format is not SerDes-agnostic
* no documentation or script for the "old" firmware files
Unfortunately, there is no proper firmware format yet where to take over
the required sequences. Thus, extract the sequences needed for RTL838X
SerDes, transform them to work with the MDIO based access and put them
as functions in the PCS driver.
Note that this should just be a temporary solution. In a next step, a
proper firmware format should be established and all configuration
sequences currently in the code should be moved into firmware files.
Jonas Jelonek [Fri, 7 Nov 2025 12:16:45 +0000 (12:16 +0000)]
realtek: pcs: add init_serdes_common hook
Add a new hook called 'init_serdes_common' to be able to perform
initialisations or anything else subject to all SerDes. This hook is
called in the end of 'rtpcs_probe' after everything else is done.
This is meant primarily to support the transition of RTL83XX from PHY
driver to PCS driver. Thus, it may be removed later again or kept if
there is sufficient need for this.
George Sapkin [Mon, 1 Dec 2025 14:57:00 +0000 (16:57 +0200)]
scripts/kernel_bump: adjust commit messages
Due to the recent changes with the formality checks kernel_bump commit
messages no-longer pass them.
Adjust these messages to follow the updated checks:
- start the first word after prefix with lower-case
- reduce the overall subject length by removing the redundant 'kernel'
Jonas Jelonek [Fri, 7 Nov 2025 18:34:58 +0000 (18:34 +0000)]
realtek: fix SFP support on Engenius EWS2910P
EWS2910P has two SFP slots of which only one was fully supported so far.
The issue so far was that both SFP slots share the same I2C SCL line but
neither the kernel nor any downstream driver was able to deal with this.
Thus, only one SFP slot was completely working (with detection etc.) but
the other one had to be enabled manually. Networking was functional in
both though.
Since acd7ecc9ed we have a driver which is able to deal with that. Thus,
we can fix the SFP support for this device.
Further discussion with Upstream for the topic revealed an even subtle
problem that require specific driver to be fixed. Revert the wrong
generic fix in favor of specific ath11k fix.
Petr Štetiar [Sat, 6 Dec 2025 18:34:37 +0000 (18:34 +0000)]
dropbear: enable configurable port forwarding options
Currently its only possible to disable port forwarding only for specific
keys, via the OpenSSH-style restriction in `authorized_keys` file.
In some use cases it might be feasible to disable such features globally
on service level, so lets add new LocalPortForward and RemotePortForward
config knobs.
Vincent Li [Sun, 7 Dec 2025 15:53:07 +0000 (07:53 -0800)]
loongarch64: backport kernel BPF trampoline
Enable xdp-loader to attach multiple XDP programs to a single interface by
backporting the BPF trampoline implementation from Linux kernel 6.17 to
6.12 for LoongArch64.
The xdp-loader utility relies on libxdp, which in turn requires kernel
support for BPF trampoline. While x86_64 and other architectures have
this feature, LoongArch64 only gained it in kernel 6.17. Without this
backport, xdp-loader fails on LoongArch64 systems running kernel 6.12.
Changes backported include:
- BPF trampoline infrastructure for LoongArch64
- Necessary JIT compiler updates
- Related BPF subsystem changes
This allows full compatibility with the xdp-tools ecosystem on LoongArch64
systems running older kernel versions.
projects / thirdparty / openwrt.git / log
