The mobility_domain value generated by ucode differed from the previous
shell script implementation. The legacy shell script used `echo` on the
SSID, which appended a trailing newline.
To maintain roaming compatibility with pre-25.12 releases and OpenWrt
forks in default configuration, update the ucode logic to include this
newline character when generating the default value.
Fixes: #21731
Signed-off-by: Youfu Zhang <zhangyoufu@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21732
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 1d0e2859c5)
KERNEL_DCB was introduced in 40f1db9cb1, however the dcb utility is not
enabled for iproute2. Although DCB is not generally available among
Ethernet cards, not having the dcb utility renders it completely
unchangeable.
On aarch64, it takes ~85.3KiB.
Signed-off-by: David Yang <mmyangfl@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21606
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit f0f5525b75)
The `syn_flood` option name is deprecated, `synflood_protect` should
be used instead. firewall3 and firewall4 both support this option since
a long time. LuCI already replaces the option name.
0abcb39b62
Suggested-by: rparge in OpenWrt forum
Link: https://github.com/openwrt/openwrt/pull/21642
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2ae350b725)
WiFi 6E (802.11ax) clients cannot discover 6GHz APs operating at
320MHz because the HE Operation element contains uninitialized
center frequency values.
For EHT320 mode, the code sets eht_oper_centr_freq_seg0_idx but not
the corresponding HE values. Later, the HE values are copied from
VHT values, but VHT is not used on 6GHz, leaving he_oper_chwidth
and he_oper_centr_freq_seg0_idx at 0. This causes WiFi 6E clients
to see incorrect channel width information, making the AP invisible
to them during scanning.
Fix this by:
1. Setting he_oper_chwidth to 3 (160MHz) for EHT320 mode
2. Computing he_oper_centr_freq_seg0_idx based on the 160MHz segment
that contains the primary channel
3. Preserving these pre-set values instead of overwriting them with
uninitialized VHT values
WiFi 7 clients continue to see 320MHz operation via the EHT Operation
element, while WiFi 6E clients can now discover and connect at 160MHz.
Signed-off-by: Ryan Chen <rchen14b@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21588
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit a8bdb1e6d6)
The code to be replaced is a glorious no-op. A default value for
config.radius_das_client does not need to be assigned. This parameter
already has non-empty value: see the enclosing 'if' block.
As a result, the value of config.radius_das_client never gets modified
to contain both dae_client and dae_secret. This breaks hostapd.add_iface()
that expects config.radius_das_client to contain both dae_client and
dae_secret separated by a whitespace.
Fixes: #21519
Signed-off-by: Val Kulkov <val.kulkov@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21522
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit c7f585bfc3)
Commit 9151c7015e introduced support for the global DHCP DUID to
generate a RFC4361-style client identifier.
However, the IAID introduced in those changes is based on ifindex, which
is subject to changes and causes issues on environments requiring a stable
IAID.
This commit switches the IAID to a stable one based on MD5.
(cherry picked from commit e1c125c167)
Fixes: 9151c7015e ("netifd: use the global DHCP DUID for DHCPv4")
Link: https://github.com/openwrt/openwrt/pull/21489
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
It is a BSS-level option and not radio-level. As such,
move it to wifi-iface and ap.uc.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/21412
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 9b1b5a6aec)
They are being default enabled unconditionally when they should
depend on 802.11k. 802.11k should not be enabled by default
either as it can cause issues with certain older drivers and
is useless without a userspace program like usteer or DAWN.
If users want to enable 802.11k they will enable it when they
set such programs up.
Another inconsistency with rnr was dealt with so that it is not
default enabled. This is also not done with old wifi-scripts
and is generally unexpected and surprising behavior.
Moreoever, this introduces an inconsistency between old shell
wifi-scripts and ucode version. Old wifi-scripts does not do this.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/21425
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit ee60b65643)
When DHCP Option 60 is specified via sendopts (hex, decimal, or named
formats), udhcpc sends its default "udhcp <version>" string alongside
the custom value, which causes authentication failures with some ISPs.
This fix detects Option 60 in sendopts and automatically passes -V ""
to udhcpc to suppress the default version string while allowing
multiple user-defined vendor classes.
Supported formats:
- Hexadecimal: 0x3c
- Decimal: 60
- Named: vendor
(cherry picked from commit 89d982d723)
Fixes: #21242
Signed-off-by: JINLIANG GU <ihipop@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21450
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Mesh mode interface creation fails when the freq parameter is empty or
undefined. Unlike adhoc mode which checks if freq exists before using it,
mesh mode blindly constructs the iw command with freq parameter, resulting
in invalid syntax like:
iw dev mesh0 mesh join ssid freq NOHT
This causes the mesh interface to be created without joining the mesh
network, leaving it in a DOWN state with no channel assigned.
Fix by adding freq validation check similar to adhoc mode.
Tested on two routers in parallel as mesh peers:
- Xiaomi AX3000T (MediaTek MT7981)
- OpenWrt One (MediaTek MT7981)
- OpenWrt 6.6.119, 802.11s mesh on 5GHz (Channel 36, HE80)
Signed-off-by: Valent Turkovic <valent@meshpointone.com>
Link: https://github.com/openwrt/openwrt/pull/21373
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 7214acd759)
The for-in loop variable 'name' was shadowing the function parameter,
causing remote subscription cleanup to fail when hosts disconnect.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit e782341848)
Inadvertently defining 'DEFAULT_VARIANT' on both ethool and
ethtool-full variants resulted in
$ make defconfig
tmp/.config-package.in:121615:error: recursive dependency detected!
tmp/.config-package.in:121615: symbol PACKAGE_ethtool-full is selected by PACKAGE_ethtool
tmp/.config-package.in:121605: symbol PACKAGE_ethtool depends on PACKAGE_ethtool-full
Fix this by simply undefining 'DEFAULT_VARIANT' on the ethtool-full
variant, which is ugly, but expedient.
Fixes: https://github.com/openwrt/openwrt/commit/f4fdb996
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21363
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 7a78dc4a5d)
Some packages with variants did not specify the default among the
alternatives, so were left without any apk 'provider_priority'
for that package. This caused the apk solver to select the wrong
variant, silently changing the requested package list.
Notable among these were busybox, procd and the hostapd/wpad suite.
This behavior presented in the imagebuilders when creating the
image as follows, silently replacing packages even when explicitly
requested:
$ make image PACKAGES=busybox
...
( 14/148) Installing busybox-selinux (1.37.0-r6)
...
We add 'DEFAULT_VARIANT:=1' to the packages that were missing one,
providing apk with sufficient information to choose the correct
package.
See link below for further examples and discussion.
Link: https://github.com/openwrt/openwrt/pull/21288#issuecomment-3704101422
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21358
(cherry picked from commit f4fdb9964a)
Link: https://github.com/openwrt/openwrt/pull/21355
Signed-off-by: Robert Marko <robimarko@gmail.com>
Wifi on the 6GHz band does not support open networks, configure owe by
default. 6GHz wifi also needs a country code, configure a broken country
code '00' by default to hint the user to change it.
Link: https://github.com/openwrt/openwrt/pull/21313
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 01a87f4bd0)
Without this patch, the
if (!config.wpa)
config.wpa_pairwise = null;
is overwritten immediately.
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
Link: https://github.com/openwrt/openwrt/pull/21215
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit bc4e7fd38e)
When wdev interfaces and hostapd interfaces are mixed, race conditions
can occur. Sometimes all interfaces are started correctly, sometimes only
the wdev interface and some of the hostapd interfaces, and sometimes only
the wdev interface.
Fix this by creating the wdev interfaces first, before processing
wpa_supplicant or hostapd interfaces.
Link: https://github.com/openwrt/openwrt/pull/21303
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 2015a40c38)
Add EHT* check so that the hwmode will display 802.11be capability correctly.
Signed-off-by: Elwin Huang <s09289728096@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21267
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 95112a4939)
Mesh interfaces may not define an encryption setting. This results in
a ucode runtime error when parse_encryption() is called:
Reference error: left-hand side expression is null
In parse_encryption(), file /usr/share/ucode/wifi/iface.uc, line 20, byte 32:
called from function setup_sta (/usr/share/ucode/wifi/supplicant.uc:59:31)
called from function generate (/usr/share/ucode/wifi/supplicant.uc:243:41)
called from function setup (./mac80211.sh:254:61)
called from anonymous function (./mac80211.sh:342:14)
` config.auth_type = encryption[0] ?? 'none';`
Near here ------------------------^
Link: https://github.com/openwrt/openwrt/pull/21293
(cherry picked from commit 00e6c18a93)
Link: https://github.com/openwrt/openwrt/pull/21295
Signed-off-by: Nick Hainke <vincent@systemli.org>
The ncm proto handler ignored ip4table, ip6table, and mtu settings.
The fix is based on the existing code in the mbim proto handler.
Fixes: #20216.
Signed-off-by: Alexander Patrakov <patrakov@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/20217
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit b289edd84b)
0779ee287db5 dhcpv6-ia: reconfigure message length bug fix
d69896b0ac7c all: remove dead code
3f6b3b4b9f8a odhcpd: remove fallback DNS search domain
ff3f72fdd01d router: remove some log spam in send_router_advert()
c1cc541e1065 router: improve send_router_advert()
901851b883da router: Modify relayed RA PIO P flag according to interface policy
179429ba477d router: Modify relayed RA PIO A flags according to interface policy
cb1b8770b7...0779ee287d
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
cb1b8770b782 config: add default value for dhcpv6_pd_min_len
20eb94d02dfe config: allow minimum PD len up to 64
7ebd96083971 Revert "router: optimize duplicated PIO comparison"
90ae6fc6e478 statefiles: don't consider no hostname as broken
1ff1328a4f...cb1b8770b7
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
- Security: Avoid privilege escalation via unix stream forwarding in Dropbear
server. Other programs on a system may authenticate unix sockets via
SO_PEERCRED, which would be root user for Dropbear forwarded connections,
allowing root privilege escalation.
Reported by Turistu, and thanks for advice on the fix.
This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88.
It is fixed by dropping privileges of the dropbear process after
authentication. Unix stream sockets are now disallowed when a
forced command is used, either with authorized_key restrictions or
"dropbear -c command".
In previous affected releases running with "dropbear -j" (will also disable
TCP fowarding) or building with localoptions.h/distrooptions.h
"#define DROPBEAR_SVR_LOCALSTREAMFWD 0" is a mitigation.
- Security: Include scp fix for CVE-2019-6111. This allowed
a malicious server to overwrite arbitrary local files.
The missing fix was reported by Ashish Kunwar.
- Server dropping privileges post-auth is enabled by default. This requires
setresgid() support, so some platforms such as netbsd or macos will have to
disable DROPBEAR_SVR_DROP_PRIVS in localoptions.h. Unix stream forwarding is
not available if DROPBEAR_SVR_DROP_PRIVS is disabled.
Remote server TCP socket forwarding will now use OS privileged port
restrictions rather than having a fixed "allow >=1024 for non-root" rule.
A future release may implement privilege dropping for netbsd/macos.
- Fix a regression in 2025.87 when RSA and DSS are not built. This would lead
to a crash at startup with bad_bufptr().
Reported by Dani Schmitt and Sebastian Priebe.
- Don't limit channel window to 500MB. That is could cause stuck connections
if peers advise a large window and don't send an increment within 500MB.
Affects SSH.NET https://github.com/sshnet/SSH.NET/issues/1671
Reported by Rob Hague.
- Ignore -g -s when passwords arent enabled. Patch from Norbert Lange.
Ignore -m (disable MOTD), -j/-k (tcp forwarding) when not enabled.
- Report SIGBUS and SIGTRAP signals. Patch from Loïc Mangeonjean.
- Fix incorrect server auth delay. Was meant to be 250-350ms, it was actually
150-350ms or possibly negative (zero). Reported by pickaxprograms.
- Fix building without public key options. Thanks to Konstantin Demin
- Fix building with proxycmd but without netcat. Thanks to Konstantin Demin
- Fix incorrect path documentation for distrooptions, thanks to Todd Zullinger
- Fix SO_REUSEADDR for TCP tests, reported by vt-alt.
Dropped:
* 050-dropbear-multihop-fix.patch as its included in the release 5cc0127000db5f
* 051-fix-pubkey-options.patch as its included in the release 1d4c4a542cd5df
* 052-fix-missing-depends-for-sntrup761x25519-sha512.patch as its included
in the release 1a2c1e649a1824
* 053-Don-t-limit-channel-window-to-500MB.patch as its included in the release a8610f7b98ad
Manually rebased:
* 110-change_user.patch
Fixes: CVE-2025-14282, CVE-2019-6111
Reviewed-by: Hauke Mehrtens <hauke@hauke-m.de>
Reviewed-by: Konstantin Demin <rockdrilla@gmail.com>
Tested-by: Konstantin Demin <rockdrilla@gmail.com> [mediatek/filogic (GL.iNet GL-MT6000)]
Link: https://github.com/openwrt/openwrt/pull/21186
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 70a4da1ceb)
This fixes a failed bring up of the radio on bootup
if the model defines a rename of phy in its /etc/board.json.
This specifically impacts Redmi AX6S and any router that does so
in its /etc/board.json. The fix fortunately is simple, just update
phy name in phys after rename.
The entry that specifically causes this issue is the following:
{
<omitted>
"wlan": {
"wl0": {
"path": "platform/18000000.wmac",
"info": {
"antenna_rx": 15,
"antenna_tx": 15,
"bands": {
"2G": {
"ht": true,
"max_width": 40,
"modes": [
"NOHT",
"HT20",
"HT40"
],
"default_channel": 1
}
},
"radios": [
]
}
},
...
}
The issue is that after rename, referenced phy in config is going to be
wl0 but in phys array it is still phy0; and so it fails to find phy
and does not bring up radio.
Fixes: https://github.com/openwrt/openwrt/issues/20250
Fixes: https://github.com/openwrt/openwrt/issues/20339
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/21175
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit e4d5e76af0)
Convert to MBit/s like all other fields and specify the unit.
Most users probably aren't aware that this is in kilobits/s.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20567
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 36da03a6c1)
This is a trivial change to allow users to use 'list' on iface.
Old wifi-scripts already implements this, so this just ensures
that shell-based and ucode wifi-scripts are on-par with each other.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20977
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 1ead4e6e16)
When iface is omitted, wifi-vlan will apply to all interfaces.
However, netifd.set_vlan call is not successful as it assumes
that every wifi-vlan section corresponds to one VIF.
For this reason in the wifi-vlan case (cur_type == "vlan")
we create a composite key in the form `${vif.name}/${vlan.name}`
allowing the same vlan section to correspond to multiple VAPs.
`/` was decided as a delimiter as it is an invalid character
for a network interface name and UCI identifier; so it is
impossible for it to cause conflicts.
It was verified that the `ubus call network.wireless status`
works as expected with this change. Moreover, wifi-station
is not susceptible to this problem.
This also means that it is now possible for wifi-vlan
to support `list` iface similar to old shell-based wifi-scripts.
This will be done in a follow-up commit.
Fixes: 98435a37a7 ("wifi-scripts: iface should be optional in wifi-vlan definition")
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20977
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 211b11a56e)
ca00527e5fc3 statefiles: don't write empty hosts files
24b70c5c2ff0 Revert "statefiles: fix escape sequence for broken hostname output"
5203ad13954c statefiles: fix stale pio handling for !ubus
a64760b30f67 odhcpd: rename piofolder to piodir
6779344a8c8a statefiles: use tmpfile functions for pio files
9f8abcc662d0 statefiles: rename prefix information functions
cb65b83e524e config: move pio json handling to statefiles.c
5b01849cc42c statefiles: add a dirfd helper function
eadde3d7dd74 statefiles: add tmp helper functions
c29aa7091498 statefiles: fix escape sequence for broken hostname output
00f2d7a4dbe5 dhcpv4: don't send zero IPv6-only preferred option
c86d29bb83d6 Revert "dhcpv6-ia: add some noise to the T1 and T2 periods"
b062769ab85f Revert "do not delegate ULA prefixes"
fd4714bb2dfe do not delegate ULA prefixes
81ea5bfef775 dhcpv6-ia: add some noise to the T1 and T2 periods
79252ed0c0...ca00527e5f
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Currently its only possible to disable port forwarding only for specific
keys, via the OpenSSH-style restriction in `authorized_keys` file.
In some use cases it might be feasible to disable such features globally
on service level, so lets add new LocalPortForward and RemotePortForward
config knobs.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Link: https://github.com/openwrt/openwrt/pull/21071
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This will allow del_client with ban_time on a broadcast address
to also ban all clients temporarily.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/18670
Signed-off-by: Robert Marko <robimarko@gmail.com>
Similar to the hostapd control interface, treat ff:ff:ff:ff:ff:ff
as a stand in for "all clients".
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/18670
Signed-off-by: Robert Marko <robimarko@gmail.com>
f19dd37fb467 odhcp6c: accept EUI64 and random for interface ID
e955729c781f formal: fix workflow permissions
9557d3e245aa vscode: set tabs to 8 whitespaces by default
98dfd156f399 src: fix shadowed local variables
f98b6ec823...f19dd37fb4
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
