dnsmasq: nftset: serve from ipset config

Use existing ipset configs as source for nftsets to be compatible with existing configs.

As the OS can either have iptables XOR nftables support, it's fine to provide both to dnsmasq. dnsmasq will silently fail for the present one. Depending on the dnsmasq compile time options, the ipsets or nftsets option will not be added to the dnsmasq config file.

dnsmasq will try to add the IP addresses to all sets, regardless of the IP version defined for the set. Adding an IPv6 address to an IPv4 set and vice versa will silently fail.

Signed-off-by: Mathias Kresin <dev@kresin.me>
dnsmasq: add uci-defaults script for ipset migration

When running sysupgrade from an existing configuration, move existing ipset definitions to a dedicated config section. Later on, it will allow serving ipsets as well as nftables sets from the same configuration.

Signed-off-by: Mathias Kresin <dev@kresin.me>
packages: nvram: add NVRAM quirks for bcm53xx target

Add NVRAM quirks script for the bcm53xx target. Split NVRAM quirks for the bcm47xx and bcm53xx targets.

Move clear partialboot NVRAM quirk for Linksys EA9500 here.

Add set wireless LED behaviour quirk for Asus RT-AC88U.

Use boot() instead of start() as nvram commands are meant to be executed only once, at boot.

Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
firewall: config: remove restrictions on DHCPv6 allow rule

Remove restrictions on source and destination addresses, which aren't specified in RFC 8415, and for some reason in OpenWrt are configured to allow both link-local and ULA addresses. As cleared up in issue #5066, there are some ISPs that use Global Unicast addresses, so fix this rule to allow them.

Fixes: #5066
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
[rebase onto firewall3, clarify subject, bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
ltq-vdsl-app: disconnect when service is stopped

Stop the connection when the control daemon is terminated. The code is a modified version of the termination routine in version 4.23.1 of the daemon (which doesn't support VR9 modems anymore).

This could also be implemented by calling the acos and acs commands via dsl_cpe_pipe.sh in the init script. However, doing it in the daemon itself has the advantage of also working if it is terminated in another way (for example during sysupgrade).

Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
ltq-vdsl/ltq-adsl: fix elapsed time calculation

The driver maintains elapsed times by repeatedly accumulating the time since the previous update in a loop. For the elapsed showtime time, the time difference is truncated to seconds before adding it, leading to a sizable error over time.

Move the truncation to before calculation of the time difference in order to remove this error. Also maintain the total elapsed time in the same way in full seconds, to prevent the unsigned 32-bit counter from wrapping around after about 50 days.

Testing on a VR9 device shows that the reported line uptime now matches the actual elapsed wall time. The ADSL variant is only compile-tested, but it should also work as the relevant code is identical.

Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
ltq-atm/ltq-ptm: avoid unnecessary build dependencies

Right now, both ltq-adsl-mei and ltq-vdsl-mei are always built, even when they aren't necessary for the selected variant. This can cause the build to fail, for example ltq-vdsl-mei doesn't build successfully here on xway target due to the vectoring callback.

Make these dependencies conditional on the specific package variants, so they are only built when actually needed.

Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
base-files: simplify restorecon logic

Remove forgotten redundant selinuxenabled call and skip the whole thing in case $IPKG_INSTROOT is set as labels are anyway applied only later on in fakeroot when squashfs is created.

Fixes: 6d7272852e ("base-files: add missing $IPKG_INSTROOT to restorecon call")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
selinux-policy: update to version 1.1

try to clean up some labeling inconsistencies
iwinfo loose ends
ucode loose ends
Makefile: adjust mintesttgt (adds blockmount/blockd)
nftables: reads inherited netifd pipe
ucode: reads inherited netifd pipes
mountroot: fowner
sandbox: writes inherited dropbear pipes
unbound related to /tmp/etc/ssl
unbound loose ends
adds a sslconftmpfile for /tmp/etc/ssl
README: maintain a wish list in the README
iwinfo: netifd forgot write
gptfdisk loose ends
iwinfo: netifd
wpad reads/writes inherited netifd fifo files
netifd (mac80211.sh) executes iwinfo
luci: executes wireguard
luci-cgi: audits xtables execute access
rcuhttpd: lists ssl certfile dirs
iwinfo, wifi, nftables usage of ttyd pty if available
urandomseed: seedrng needs cap_sys_admin
iwinfo
iwinfo, nftables and some chronyd rules related to ntp nts server
nftables, wifi and adds iwinfo skel
nftables, rpcd, ucode
nftables, ucode and seedrng
ucode, fw3/nftables, luci
adds ucode skel and some fw3/nftables related
urandomseed: some seedrng rules
fw3 adds some support for fw4
urandomseed: /etc/seedrng is for seed.credit
hotplugcall: runs ucode which is interpreter like
adds a nftables skeleton and makes xtables optional
agent: allow all agents to write inherited dropbear pipes
urandomseed: this seems to be replaced by seedrng
kmodloader: label /etc/modules.conf kmodloader.conffile
Revert "shelexecfile: remove auditallow rule"
Makefile: sort the modules to process by secilc
Moves back to git.defensec.nl
unbound
odhcpd (ip) reads net proc tcp dump
shelexecfile: remove auditallow rule
rrd.cil: fixes indent
Target rrdtool from cgi-io instead of running it without transition
rrd.cil related
rrd, rpcd, cgiio clean ups related to luci-app-statistics
Rules for rrd files and luci-statistics
unboundcontrol ordering
Several missing permissions blockmount, dnsmasq, hotplugcall, rpcd, unbound
adds mctp_socket (linux 5.15)
ip: forgot tc-tiny type transition to go along with the fc spec
ip: adds a fc spec for tc-tiny (called by sqm)
adds ttyACM fc spec and various assorted loose ends
.gitattributes: do not export the GitHub workflows
workflow use selinux 3.3
project moved back to https://git.defensec.nl/selinux-policy.git

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
ipq40xx: fix BDF file for pcie wifi chip on the GL.Inet GL-B2200

After the switch to pre-calibration, ath10k would fail to initialize the PCIE Wi-Fi on the GL-B2200 as follows:

ath10k_pci 0000:01:00.0: enabling device (0140 -> 0142)
ath10k_pci 0000:01:00.0: qca9888 hw2.0 target 0x01000000 chip_id 0x00000000 sub 0000:0000
[...]
ath10k_pci 0000:01:00.0: failed to fetch board data for bus=pci,bmi-chip-id=0,bmi-board-id=16,variant=GL-B2200 from ath10k/QCA9888/hw2.0/board-2.bin
ath10k_pci 0000:01:00.0: failed to fetch board-2.bin or board.bin from ath10k/QCA9888/hw2.0
ath10k_pci 0000:01:00.0: failed to fetch board file: -12
ath10k_pci 0000:01:00.0: could not probe fw (-12)

Repackage the BDF file after renaming relevant fields and files to allow for the Wi-Fi interface to start again.

Fixes: 80d34d9d593 ("ipq40xx: document pcie wifi chip on the GL.Inet GL-B2200")
CC: Christian Lamparter <chunkeey@gmail.com>
CC: Robert Marko <robimarko@gmail.com>
Reviewed-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Enrico Mioso <mrkiko.rs@gmail.com>
base-files: address sed in-place without SELinux awareness

sed(1) in busybox does not support this functionality:
https://git.savannah.gnu.org/cgit/sed.git/tree/sed/execute.c#n598

This causes /etc/group to become mislabeled when a package requests that a uid/gid be added on OpenWrt with SELinux.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[move restorecon inside lock]
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
base-files: fix sysupgrade for kernel-out-of-UBI

Commit ecbcc0b59551 bricks devices on which the raw kernel and UBI mtd partitions overlap. This is the case of the ZyXEL NR7101 for example. Its OEM bootloader has no UBI support. OpenWrt splits the stock kernel mtd partition into a raw kernel part used by the bootloader and a UBI part used to store rootfs and rootfs_data. Running mtd erase on the complete partition during sysupgrade erases the UBI part and results in a soft brick.

Arguably the best solution would be to fix the partition layouts so that kernel and UBI partitions do not overlap, also including a stock_kernel partition to help reverting to stock firmware. This would have the added benefit of protecting UBI from kernel images that are excessively large.

Fixes: ecbcc0b59551 ("base-files: safer sysupgrade.tar for kernel-out-of-UBI")
Reported-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Rodrigo Balerdi <lanchon@gmail.com>