Forward the OpenWrt CPPFLAGS to the compile process. This fixes fortify
sources support.
Link: https://github.com/openwrt/openwrt/pull/22056
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit bfd57eab3d)
Forward the OpenWrt CPPFLAGS to the compile process. This fixes fortify
sources support.
Link: https://github.com/openwrt/openwrt/pull/22056
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit b497c3f68f)
Forward the OpenWrt CPPFLAGS to the compile process. This fixes fortify
sources support.
Link: https://github.com/openwrt/openwrt/pull/22056
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2ca7c2b846)
This fixes a simple logic error in the macaddr existence check in mac80211.uc.
Signed-off-by: Harin Lee <me@harin.net>
Link: https://github.com/openwrt/openwrt/pull/21277
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2ebcda1ea6)
This allows services to dynamically configure MLO interfaces without
using UCI.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 0a8bccf85d)
This helps for setups where the wifi interfaces are added dynamically
via procd data by avoiding automatically bringing up interfaces with
the default config. Internally, they are treated pretty much the same
by netifd.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 79a0aebd81)
Add optional chaining when accessing device config in the wifi-iface
loop to handle cases where a referenced device doesn't exist.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 8b994ed397)
When storing device-level data, wdev_set_data() spread the entire wdev
object into handler_data. Since handler_config.data is set from the
previous handler_data[wdev.name] before each setup, this created
exponentially growing nesting with each reload, eventually causing
"nesting too deep" JSON parse errors.
Fix by initializing cur to a simple object containing only the device
name instead of the entire wdev object.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 68c2ab8f5f)
Extract survey fetching into get_survey() and store results in iface.survey,
allowing access to full survey info (not just noise) for later use.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit e855f32bdd)
Moved interface discovery and data population into an exported update()
function that can be called on-demand to refresh wireless interface
information. This allows using iwinfo.uc as a library inside daemons.
Signed-off-by: John Crispin <john@phrozen.org>
(cherry picked from commit 26eab84f81)
When a remote peer's connection drops (device powered off, unetmsgd
crash, network failure), network_rx_cleanup_state silently removed
the remote publish/subscribe handles without notifying local
subscribers. This meant local clients had no way to detect that a
remote peer had disappeared.
Call handle_publish for each channel where a remote publish handle
is removed during connection cleanup, so local subscribers receive
the publisher change notification and can react accordingly.
Signed-off-by: John Crispin <john@phrozen.org>
(cherry picked from commit 7fd71f2c74)
handle_publish() notifies local subscribers about publisher state
changes. The publish/subscribe handler in network_socket_handle_request()
was calling it for both remote publish and subscribe changes, but
subscriber changes are not relevant to local subscribers.
Guard the handle_publish() calls with a msgtype == "publish" check,
matching the local client paths in unetmsgd-client.uc which already
have this guard.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit e0722d0ac4)
When both peers connect simultaneously, the RX side can authenticate
before the TX handshake completes. network_check_auth() was sending a
ping on the unauthenticated TX channel, which gets rejected by the
remote's pre-auth handler as "Auth failed", killing the connection and
triggering an endless reconnect cycle.
Check chan.auth before interacting with the TX channel. If TX auth
hasn't completed yet, just schedule a reconnect timer - auth_data_cb
already handles state sync when TX auth completes.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 212040b5ca)
network_close() only closed the listening socket without shutting down
established RX/TX connections. This left remote state in
core.remote_publish/core.remote_subscribe for hosts on the removed
network, causing stale entries in channel listings and failed routing
attempts.
Close all RX and TX channels before removing the network, which also
triggers remote state cleanup via network_rx_socket_close().
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 389a79d972)
The cleanup condition checked != instead of ==, inverting the logic.
This caused two problems:
When an authenticated RX connection disconnected, remote state for that
host was never cleaned up since the stored entry matched the one being
closed.
When a stale unauthenticated connection from a peer closed, any existing
authenticated connection from the same peer was incorrectly deleted and
its remote state wiped.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit f09596f84f)
When a remote peer's publish registrations arrive via RX before the
local TX connection is authenticated, handle_publish fires but the
subscriber can't reach the remote publisher yet since the TX channel
isn't ready.
Suppress publish notifications on the RX side when no authenticated TX
channel exists for the remote host. After TX authentication completes,
re-trigger handle_publish only for topics that the specific peer
publishes and that have local subscribers.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 3efcf444a1)
The condition checked !data.networks instead of !data.networks[name],
making it always false since data.networks was already validated earlier
in the function. Networks removed from unetd were never closed.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit a2368e0f69)
channel.disconnect() already closes the fd via ubus_shutdown(),
so calling socket.close() afterwards is redundant and causes EBADF.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit bdc3c1a820)
Add a 10-second timeout for outgoing auth requests to prevent
connections from getting stuck when the remote peer goes silent
after the hello handshake but before responding to auth.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 8a304d051f)
The network may be deleted before the disconnect callback fires.
Check for null to avoid crash when accessing net.tx_channels.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit f631d1576d)
This should not be defaulted to anything in the schema.
What seemed like a minor cleanup actually broke this
as the schema defines a default value already. I did
not notice as I had this explictly set in my config.
Fixes: 70ba7512 ("wifi-scripts: ucode: allow sae_pwe to be modified for AP mode")
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/22043
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit f012e8d50a)
Some Android devices have issues with H2E causing downgrades to PSK
when using WPA2/3. With WPA3 it doesn't work reliably whatsoever.
My Samsung A55/6 for example has the following behavior:
daemon.info hostapd: lan5g: STA <redacted> IEEE 802.11: authenticated
daemon.notice hostapd: SAE: <redacted> indicates support for SAE H2E, but did not use it
daemon.info hostapd: lan2g: STA <redacted> IEEE 802.11: authenticated
daemon.info hostapd: lan2g: STA <redacted> IEEE 802.11: associated (aid 1)
daemon.notice hostapd: lan5g: Prune association for <redacted>
daemon.notice hostapd: lan2g: AP-STA-CONNECTED <redacted> auth_alg=open
daemon.info hostapd: lan2g: STA <redacted> RADIUS: starting accounting session 8234C696AAC1AE7D
daemon.info hostapd: lan2g: STA <redacted> WPA: pairwise key handshake completed (RSN)
daemon.notice hostapd: lan2g: EAPOL-4WAY-HS-COMPLETED <redacted>
This is also brought up in the issue: https://github.com/openwrt/openwrt/issues/9963
Ultimately this allows users to have the option to at the very least
disable H2E.
Unrelated: a minor cleanup was done so that ieee80211w uses set_default instead.
There is no functional change on that front.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/22021
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 70ba7512e7)
- uclient-fetch timeout bumped from 5s to 15s. If we do not do this
we get flagged by HE as the update request is expensive and takes
more than 5s to execute. Currently 5s timeout causes uclient-fetch
to be killed prematurely as can be seen by the following log:
10:34:57 user.notice 6in4-henet: update 1/3: timeout
10:35:07 user.notice 6in4-henet: update 2/3: timeout
10:35:17 user.notice 6in4-henet: update 3/3: timeout
10:35:22 user.notice 6in4-henet: update failed
The above is the worst case, what usually happens is:
10:53:59 user.notice 6in4-henet: update 1/3: timeout
10:54:06 user.notice 6in4-henet: update 2/3: abuse
10:54:06 user.notice 6in4-henet: updated
- We now use an exponential backoff starting from 5 seconds.
- Detect ca-bundle so we don't use --no-check-certificates
unnecessarily.
- The while loop was changed so we don't retry unnecessarily
after the final failure.
- Worst-case total time the update operation might take before
bailing out is:
(sum(15 + (5 × (2^(x − 1))), 1, 2) + 15) seconds = 1 min
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/22016
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 862b46dd8f)
When config_change is set during an active setup (e.g. by a concurrent
reconf call), wdev_mark_up() attempted to call setup() while still in
"setup" state. Since setup() requires state "up" or "down", it silently
returned, leaving the state as "setup". The subsequent wdev_setup_cb()
then treated this as a setup failure, triggering an unnecessary
teardown+restart cycle.
Fix this by removing the config_change handling from wdev_mark_up() and
moving it to wdev_setup_cb() instead. wdev_mark_up() now always
transitions to "up" state. When wdev_setup_cb() runs afterwards and
finds the device already "up" with config_change set, it initiates a
clean re-setup from the "up" state where setup() can run.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 3553eda283)
- no longer write any temporary file for peer gen
- use wg syncconf to update active interfaces (not setconf)
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21784
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 148207730a)
Link: https://github.com/openwrt/openwrt/pull/21840
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Commit 01a87f4bd0 changed the encryption
setting of the default SSID "OpenWrt" from "none" to "open". The correct
setting as per the documentation [1] is "none", though.
While this invalid setting won't cause a wrong hostapd setup, it will
at least cause malfunction in LuCI.
Change the default encryption setting back to "none".
[1] https://openwrt.org/docs/guide-user/network/wifi/basic#encryption_modes
Fixes: 01a87f4bd0
Signed-off-by: Shine <4c.fce2@proton.me>
Link: https://github.com/openwrt/openwrt/pull/21925
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 4ab5fcc04f)
The ucode wifi-scripts unconditionally set ieee80211w=1 for psk-sae
and eap-eap2 auth types, ignoring any user-configured value. This
caused ieee80211w=2 (MFP required) to be silently downgraded to 1
(MFP optional) when using sae-mixed encryption.
Change the logic to only set the default of 1 when ieee80211w is not
already configured by the user.
Fixes: https://github.com/openwrt/openwrt/issues/21751
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 1bbb60184d)
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The mobility_domain value generated by ucode differed from the previous
shell script implementation. The legacy shell script used `echo` on the
SSID, which appended a trailing newline.
To maintain roaming compatibility with pre-25.12 releases and OpenWrt
forks in default configuration, update the ucode logic to include this
newline character when generating the default value.
Fixes: #21731
Signed-off-by: Youfu Zhang <zhangyoufu@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21732
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 1d0e2859c5)
KERNEL_DCB was introduced in 40f1db9cb1, however the dcb utility is not
enabled for iproute2. Although DCB is not generally available among
Ethernet cards, not having the dcb utility renders it completely
unchangeable.
On aarch64, it takes ~85.3KiB.
Signed-off-by: David Yang <mmyangfl@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21606
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit f0f5525b75)
The `syn_flood` option name is deprecated, `synflood_protect` should
be used instead. firewall3 and firewall4 both support this option since
a long time. LuCI already replaces the option name.
0abcb39b62
Suggested-by: rparge in OpenWrt forum
Link: https://github.com/openwrt/openwrt/pull/21642
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2ae350b725)
WiFi 6E (802.11ax) clients cannot discover 6GHz APs operating at
320MHz because the HE Operation element contains uninitialized
center frequency values.
For EHT320 mode, the code sets eht_oper_centr_freq_seg0_idx but not
the corresponding HE values. Later, the HE values are copied from
VHT values, but VHT is not used on 6GHz, leaving he_oper_chwidth
and he_oper_centr_freq_seg0_idx at 0. This causes WiFi 6E clients
to see incorrect channel width information, making the AP invisible
to them during scanning.
Fix this by:
1. Setting he_oper_chwidth to 3 (160MHz) for EHT320 mode
2. Computing he_oper_centr_freq_seg0_idx based on the 160MHz segment
that contains the primary channel
3. Preserving these pre-set values instead of overwriting them with
uninitialized VHT values
WiFi 7 clients continue to see 320MHz operation via the EHT Operation
element, while WiFi 6E clients can now discover and connect at 160MHz.
Signed-off-by: Ryan Chen <rchen14b@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21588
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit a8bdb1e6d6)
The code to be replaced is a glorious no-op. A default value for
config.radius_das_client does not need to be assigned. This parameter
already has non-empty value: see the enclosing 'if' block.
As a result, the value of config.radius_das_client never gets modified
to contain both dae_client and dae_secret. This breaks hostapd.add_iface()
that expects config.radius_das_client to contain both dae_client and
dae_secret separated by a whitespace.
Fixes: #21519
Signed-off-by: Val Kulkov <val.kulkov@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21522
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit c7f585bfc3)
Commit 9151c7015e introduced support for the global DHCP DUID to
generate a RFC4361-style client identifier.
However, the IAID introduced in those changes is based on ifindex, which
is subject to changes and causes issues on environments requiring a stable
IAID.
This commit switches the IAID to a stable one based on MD5.
(cherry picked from commit e1c125c167)
Fixes: 9151c7015e ("netifd: use the global DHCP DUID for DHCPv4")
Link: https://github.com/openwrt/openwrt/pull/21489
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
It is a BSS-level option and not radio-level. As such,
move it to wifi-iface and ap.uc.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/21412
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 9b1b5a6aec)
They are being default enabled unconditionally when they should
depend on 802.11k. 802.11k should not be enabled by default
either as it can cause issues with certain older drivers and
is useless without a userspace program like usteer or DAWN.
If users want to enable 802.11k they will enable it when they
set such programs up.
Another inconsistency with rnr was dealt with so that it is not
default enabled. This is also not done with old wifi-scripts
and is generally unexpected and surprising behavior.
Moreoever, this introduces an inconsistency between old shell
wifi-scripts and ucode version. Old wifi-scripts does not do this.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/21425
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit ee60b65643)
When DHCP Option 60 is specified via sendopts (hex, decimal, or named
formats), udhcpc sends its default "udhcp <version>" string alongside
the custom value, which causes authentication failures with some ISPs.
This fix detects Option 60 in sendopts and automatically passes -V ""
to udhcpc to suppress the default version string while allowing
multiple user-defined vendor classes.
Supported formats:
- Hexadecimal: 0x3c
- Decimal: 60
- Named: vendor
(cherry picked from commit 89d982d723)
Fixes: #21242
Signed-off-by: JINLIANG GU <ihipop@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21450
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
