bump dnsmasq to latest 2.92
updated 200-ubus_dns.patch
no changes to 100-remove-old-runtime-kernel-support.patch
all remaining patches not required
Changelog for version 2.92 https://thekelleys.org.uk/dnsmasq/CHANGELOG
Signed-off-by: gongzi miao <miaogongzi0227@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21598
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
channel.disconnect() already closes the fd via ubus_shutdown(),
so calling socket.close() afterwards is redundant and causes EBADF.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add a 10-second timeout for outgoing auth requests to prevent
connections from getting stuck when the remote peer goes silent
after the hello handshake but before responding to auth.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The network may be deleted before the disconnect callback fires.
Check for null to avoid crash when accessing net.tx_channels.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The for-in loop variable 'name' was shadowing the function parameter,
causing remote subscription cleanup to fail when hosts disconnect.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Some packages with variants did not specify the default among the
alternatives, so were left without any apk 'provider_priority'
for that package. This caused the apk solver to select the wrong
variant, silently changing the requested package list.
Notable among these were busybox, procd and the hostapd/wpad suite.
This behavior presented in the imagebuilders when creating the
image as follows, silently replacing packages even when explicitly
requested:
$ make image PACKAGES=busybox
...
( 14/148) Installing busybox-selinux (1.37.0-r6)
...
We add 'DEFAULT_VARIANT:=1' to the packages that were missing one,
providing apk with sufficient information to choose the correct
package.
See link below for further examples and discussion.
Link: https://github.com/openwrt/openwrt/pull/21288#issuecomment-3704101422
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21358
Signed-off-by: Robert Marko <robimarko@gmail.com>
- Security: Avoid privilege escalation via unix stream forwarding in Dropbear
server. Other programs on a system may authenticate unix sockets via
SO_PEERCRED, which would be root user for Dropbear forwarded connections,
allowing root privilege escalation.
Reported by Turistu, and thanks for advice on the fix.
This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88.
It is fixed by dropping privileges of the dropbear process after
authentication. Unix stream sockets are now disallowed when a
forced command is used, either with authorized_key restrictions or
"dropbear -c command".
In previous affected releases running with "dropbear -j" (will also disable
TCP forwarding) or building with localoptions.h/distrooptions.h
"#define DROPBEAR_SVR_LOCALSTREAMFWD 0" is a mitigation.
- Security: Include scp fix for CVE-2019-6111. This allowed
a malicious server to overwrite arbitrary local files.
The missing fix was reported by Ashish Kunwar.
- Server dropping privileges post-auth is enabled by default. This requires
setresgid() support, so some platforms such as netbsd or macos will have to
disable DROPBEAR_SVR_DROP_PRIVS in localoptions.h. Unix stream forwarding is
not available if DROPBEAR_SVR_DROP_PRIVS is disabled.
Remote server TCP socket forwarding will now use OS privileged port
restrictions rather than having a fixed "allow >=1024 for non-root" rule.
A future release may implement privilege dropping for netbsd/macos.
- Fix a regression in 2025.87 when RSA and DSS are not built. This would lead
to a crash at startup with bad_bufptr().
Reported by Dani Schmitt and Sebastian Priebe.
- Don't limit channel window to 500MB. That could cause stuck connections
if peers advise a large window and don't send an increment within 500MB.
Affects SSH.NET https://github.com/sshnet/SSH.NET/issues/1671
Reported by Rob Hague.
- Ignore -g -s when passwords aren't enabled. Patch from Norbert Lange.
Ignore -m (disable MOTD), -j/-k (tcp forwarding) when not enabled.
- Report SIGBUS and SIGTRAP signals. Patch from Loïc Mangeonjean.
- Fix incorrect server auth delay. Was meant to be 250-350ms, it was actually
150-350ms or possibly negative (zero). Reported by pickaxprograms.
- Fix building without public key options. Thanks to Konstantin Demin
- Fix building with proxycmd but without netcat. Thanks to Konstantin Demin
- Fix incorrect path documentation for distrooptions, thanks to Todd Zullinger
- Fix SO_REUSEADDR for TCP tests, reported by vt-alt.
Dropped:
* 050-dropbear-multihop-fix.patch as it's included in the release 5cc0127000db5f
* 051-fix-pubkey-options.patch as it's included in the release 1d4c4a542cd5df
* 052-fix-missing-depends-for-sntrup761x25519-sha512.patch as it's included
in the release 1a2c1e649a1824
* 053-Don-t-limit-channel-window-to-500MB.patch as it's included in the release a8610f7b98ad
Manually rebased:
* 110-change_user.patch
Fixes: CVE-2025-14282, CVE-2019-6111
Reviewed-by: Hauke Mehrtens <hauke@hauke-m.de>
Reviewed-by: Konstantin Demin <rockdrilla@gmail.com>
Tested-by: Konstantin Demin <rockdrilla@gmail.com> [mediatek/filogic (GL.iNet GL-MT6000)]
Link: https://github.com/openwrt/openwrt/pull/21186
Signed-off-by: Petr Štetiar <ynezz@true.cz>
cf51aeb93220 odhcpd: fix captive_portal_uri reset
e8b7fdea8d5e dhcpv4: fix DNS server option
b84553e496a3 router: Modify relayed RA PIO P flag according to interface policy
da3e2a9829cc router: Modify relayed RA PIO A flags according to interface policy
bad7138b70f0 README.md: update dhcp ubus events
ca00527e5f...cf51aeb932
Also remove duplicated /usr/share/libubox/jshn.sh include.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
ca00527e5fc3 statefiles: don't write empty hosts files
24b70c5c2ff0 Revert "statefiles: fix escape sequence for broken hostname output"
5203ad13954c statefiles: fix stale pio handling for !ubus
a64760b30f67 odhcpd: rename piofolder to piodir
6779344a8c8a statefiles: use tmpfile functions for pio files
9f8abcc662d0 statefiles: rename prefix information functions
cb65b83e524e config: move pio json handling to statefiles.c
5b01849cc42c statefiles: add a dirfd helper function
eadde3d7dd74 statefiles: add tmp helper functions
c29aa7091498 statefiles: fix escape sequence for broken hostname output
00f2d7a4dbe5 dhcpv4: don't send zero IPv6-only preferred option
c86d29bb83d6 Revert "dhcpv6-ia: add some noise to the T1 and T2 periods"
b062769ab85f Revert "do not delegate ULA prefixes"
fd4714bb2dfe do not delegate ULA prefixes
81ea5bfef775 dhcpv6-ia: add some noise to the T1 and T2 periods
79252ed0c0...ca00527e5f
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Currently it's only possible to disable port forwarding for specific
keys, via the OpenSSH-style restriction in `authorized_keys` file.
In some use cases it might be feasible to disable such features globally
on service level, so let's add new LocalPortForward and RemotePortForward
config knobs.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Link: https://github.com/openwrt/openwrt/pull/21071
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This will allow del_client with ban_time on a broadcast address
to also ban all clients temporarily.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/18670
Signed-off-by: Robert Marko <robimarko@gmail.com>
Similar to the hostapd control interface, treat ff:ff:ff:ff:ff:ff
as a stand-in for "all clients".
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/18670
Signed-off-by: Robert Marko <robimarko@gmail.com>
The CLI tools hostapd_cli and wpa_cli are compiled with
`TARGET_LDFLAGS_C` rather than the standard `TARGET_LDFLAGS`.
This variable is empty, leading to global linker options not being
applied.
Set this variable equal to `TARGET_LDFLAGS` right after the package.mk
include to make sure global linker options are applied, but local options
such as linking to crypto libraries are not.
Signed-off-by: Matthias Van Parys <matthias.vanparys@softathome.com>
Link: https://github.com/openwrt/openwrt/pull/20345
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The function was using phydev.name (e.g., "phy0.0") instead of
phydev.phy (e.g., "phy0") when calling wpa_supplicant.phy_set_macaddr_list.
This is inconsistent with all other wpa_supplicant ubus calls in the same
file which correctly use phydev.phy.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Assign the address at wdev create time, similar to legacy interfaces.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Make it a little bit more consistent, and a bit more idiomatic.
Signed-off-by: David Härdeman <david@hardeman.nu>
Link: https://github.com/openwrt/openwrt/pull/20673
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
The support has been removed from odhcpd, so remove the Makefile options
related to homenet.
Signed-off-by: David Härdeman <david@hardeman.nu>
Link: https://github.com/openwrt/openwrt/pull/20673
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
"system" is used to get the current time zone, "network" is used to get
the global DUID.
Signed-off-by: David Härdeman <david@hardeman.nu>
Link: https://github.com/openwrt/openwrt/pull/20673
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Support for this option has been removed from odhcpd, so remove it in
the defaults as well.
Signed-off-by: David Härdeman <david@hardeman.nu>
Link: https://github.com/openwrt/openwrt/pull/20673
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
`list address` entries in /etc/config/dhcp are sometimes (I'm not sure
about the exact conditions) passed to upstream resolver, bypassing local
resolution. Adding them (minus the IP) to --local prevents this. In the
configuration, this means that
# /etc/config/dhcp
list address '/hello.com/world.com/1.2.3.4'
list address '/foo.com/bar.com/4.3.2.1'
which previously translated into
# /var/etc/dnsmasq.conf.*
address=/hello.com/world.com/1.2.3.4
address=/foo.com/bar.com/4.3.2.1
now becomes
# /var/etc/dnsmasq.conf.*
address=/hello.com/world.com/1.2.3.4
local=/hello.com/world.com/
address=/foo.com/bar.com/4.3.2.1
local=/foo.com/bar.com/
This behaviour is controlled by the `address_as_local` boolean option, which
defaults to false (old behaviour). openwrt/luci#7957 adds support for this flag
to LuCI.
A workaround for a small list of domains is to add them to `option local`,
but this is very tedious to do for every `list address` entry and dnsmasq
limits this option to 1024 characters.
Signed-off-by: Marko Zajc <marko@zajc.tel>
Link: https://github.com/openwrt/openwrt/pull/18610
Signed-off-by: Robert Marko <robimarko@gmail.com>
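The `list address` to `address=`/`local=` translation described in the commit above, as an added example (not the OpenWrt dnsmasq init script's own code): it parses each slash-delimited entry, splits off the trailing IP, and emits the extra `local=` line only when `address_as_local` is set. The entry format and output lines are the ones shown in the commit; the function names are assumed.

```python
import ipaddress


def parse_address_entry(entry):
    """Split a dnsmasq 'address' entry such as '/hello.com/world.com/1.2.3.4'
    into (domains, ip). If the last component is not an IP address (dnsmasq
    accepts '/example.com/' with no target), ip is None."""
    parts = [p for p in entry.strip("/").split("/") if p]
    if not parts:
        raise ValueError("empty address entry: %r" % entry)
    try:
        ipaddress.ip_address(parts[-1])
    except ValueError:
        return parts, None
    return parts[:-1], parts[-1]


def render_address_entries(entries, address_as_local=False):
    """Render /etc/config/dhcp 'list address' entries into dnsmasq.conf lines.
    With address_as_local=True, each address= line is followed by a local=
    line carrying the same domains (minus the IP), so those names are always
    answered locally and never forwarded to the upstream resolver."""
    lines = []
    for entry in entries:
        domains, _ip = parse_address_entry(entry)
        lines.append("address=%s" % entry)
        if address_as_local:
            lines.append("local=/%s/" % "/".join(domains))
    return lines


if __name__ == "__main__":
    # Constructed sample matching the entries quoted in the commit message.
    sample = ["/hello.com/world.com/1.2.3.4", "/foo.com/bar.com/4.3.2.1"]
    print("\n".join(render_address_entries(sample, address_as_local=True)))
```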
d44af6dd8f4e dhcpv6: create struct dhcpv6_lease
4df45c8c3722 dhcpv4: create struct dhcpv4_lease
a6dccae41b60 odhcpd: struct lease -> struct lease_cfg
fc0abb66f122 dhcpv4: use leasetime from a->lease
74eeff193848 router: always use link-local src address for RAs
b9a071b8341f router: Rewrite the ingress MTU to one configured for the interface
1ef9e0e610d5 router: utilize interface ra_mtu for RA
1480c09ee0aa config: clamp ra_mtu to interface MTU, and default ra_mtu to interface MTU
ee4f0df6bd68 netlink: Store interface MTU at link change
d174e25e85a1 github: fix CI apt dependencies
8f393d55a76e odhcpd: more fixes for IID calculations
fc27940fe9...d44af6dd8f
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
This allows wpa_supplicant to process pending netlink socket messages
first. Without this change, there is a race condition where the newly
created interface processes netlink events from the removal of the
previous interface.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This makes it possible to have more flexible control over the supplicant
without having to install wpa_cli.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
AUTORELEASE has been deprecated for a long time. Drop it and hardcode
the release following the current one present in the downloads
repository.
Link: https://github.com/openwrt/openwrt/pull/20586
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
0d0fac30075f dhcpv4: bump problem scenario up to warn
bf6137092346 config: properly set log level from uci
7956f4271b4e dhcpv6: RFC4833 timezones
7000557cd8f6 dhcpv6-ia: respect prefix assigned to interface (>= /64)
e1e60601ffeb odhcpd: improve odhcpd_urandom()
c2eb4b59f107 config: fix erroneous clamp message if clamp value == max
54b9e729b00d dhcpv4: bail earlier on release/decline
417f4b11d352 dhcpv4: don't hardcode options array length
d63fa3c3612c dhcpv4: shrink struct dhcpv4_message
9653b43617e3 dhcpv4: use iovec for forcereconf messages, fix hash
bf41f4edfbe3 dhcpv4: fix padding of iovec message in dhcpv4_handle_msg()
be68f423c528 dhcpv4: some minor cleanups post-iovec
e24a371ef714 dhcpv4: use iovec for forcerenew opts
bd353e891ae6 dhcpv4: use iovec for router and DNS server
b81cfaa7859e dhcpv4: use iovec for DNS search and MTU
578a9289440b dhcpv4: use iovec for netmask/hostname/broadcast
5bafc17b79d8 dhcpv4: use iovec for leasetime/renew/rebind
b63448ffe447 dhcpv4: introduce a reply_opts array
0533eaea0a94 dhcpv4: use iovec for DNR
6329e37d595d dhcpv4: use iovec for NTP
87fee619205d dhcpv4: use iovec for message and serverid
2f97bf0b56de dhcpv4: reorder some more variables in dhcpv4_handle_msg()
18c1b02bdc20 dhcpv4: remove one more variable from dhcpv4_handle_msg()
6fd691ff29cd dhcpv4: move dest handling from dhcpv4_handle_msg()
1f803caf9a1f dhcpv4: don't copy reqopts around
b1be3984ebf8 dhcpv4: more refactoring of dhcpv4_handle_msg()
85717bedf8ce dhcpv4: clarify variable names in dhcpv4_handle_msg()
be864ccf9919 dhcpv4: some more cleanups to dhcpv4_handle_msg()
f87464520564 dhcpv4: preparations for iovec usage
f48e1c205af3 odhcdp: use a more suitable clock
7e78caac4eae dhcpv6: change dhcpv6 message type check in relay
288abd9c4046 dhcpv6: move dhcpv6 message type check for early exit
d504458ef515 odhcpd: add a simple build script
4ee309a54011 github: improve CI
ff3a241ccc98 odhcpd: shrink binary size by creating a logging function
e2ecf7ba6d72 odhcpd: support stderr logging
5de3b0d5b509 odhcpd: add log helpers
398d03a1a236 config: cap dhcpv6_pd_min_len to max instead of only logging error
4f54738d3ae7 config: clamp dhcpv6_hostid_len instead of only logging an error
465f19c9c2e3 config: clamp ra_mtu into 1280-65535 range
434b06133997 config: cap ra_retranstime and warn instead of only logging an error
e5f58a90a147 config: cap ra_hoplimit to maximum and warn instead of logging an error
208eb10307c1 config: cap ra_reachabletime to RFC maximum instead of logging error
93449f1513b4 config: drop double size lease times; they are all UINT32_MAX;
439c0ceab131 router: redefine ra_mininterval and ra_maxinterval as uint32_t
84b4dfe81363 config: clamp ra_mininterval, ra_maxinterval, ra_lifetime at load time
aa4f26232e05 router: refactor calc_ra_lifetime; redefine ra_lifetime as uint32_t
6ece28ffd475 config: do MaxRtrAdvInterval init at (ra_maxinterval) init time
dc03e02d973e router: Apply updated values from RFC9096 (updates RFC4861) to RA/ND
cc7766c12abe router: Apply updated values from RFC8319 (updates RFC4861) to RA/ND
964da13e758c config: refactor parse_leasetime() - branch amount remains same
9646c749467b github: fix CMAKE_SYSTEM_PROCESSOR copy&paste
288206c9a2ed github: add CI build
30780debd691 odhcpd: fix a compilation error
e0b2c3cf9476 odhcpd: allow assignments to be reassigned
01e5e311b0db odhcpd: support multiple per-client DUIDs
aebc647a6b7b odhcpd: support assignments on the basis of IAID
cc3ec9c20c61 odhcpd: support IAIDs for static DHCPv6 leases
e42c62725942 odhcpd: break up complex matching logic
e1123906a4bc odhcpd: document the ubus interface
c69200195263 dhcpv4: generate dbus events on lease expiry
dd7a2d474d0d dhcpv4: fix ubus events
22481d848e0d odhcpd: remove mac_len argument to ubus_bcast_dhcp_event()
d31d64efd56c odhcpd: fix ubus support flag in help msg
9bc1b4e26e10 odhcpd: reduce use of WITH_UBUS defines in code
d402cdae4316 ndp: fix macOS IPv6 compatibility by using link-local source addresses
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Whenever the first bss is removed, any pending scan still keeps a reference
to it. Cancel it in order to prevent use-after-free bugs.
Reported-by: Chad Monroe <chad.monroe@adtran.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Also implemented the med fast-start -> lldp fast-start change.
lldpd includes a backwards compat handler for the older med command,
but it's better to make these changes so they align with documentation.
Changes:
https://github.com/lldpd/lldpd/releases/tag/1.0.20
Changes:
Enable fast start unconditionally (and move its configuration in "configure lldp")
Make VLAN advertisements configurable
Fix:
Do not break zero-copy traffic on Linux
Fix crash on rapid addition/removal of interfaces
Fix management address selection when pattern is a negative IP address
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/20438
Signed-off-by: Robert Marko <robimarko@gmail.com>
When lots of events are waiting to be received, the default buffer size
is not enough, and hostapd can run into "No buffer space available" on
recvmsg. This will cause the netdev state tracking to go out of sync.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Current PKG_MIRROR_HASH is wrong, but it went unnoticed, because the
tarball is being fetched from @OPENWRT project mirrors. Can be
reproduced with:
make package/ppp/{download,check} FIXUP=1 DL_DIR=/tmp PKG_MIRROR_HASH=''
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Link: https://github.com/openwrt/openwrt/pull/20322
Signed-off-by: Robert Marko <robimarko@gmail.com>
b14cf98 router: log “Sending a RA on lan” at LOG_DEBUG
c2810fe odhcpd: update cmake file
8c2c065 odhcpd: convert README to markdown
3b96480 odhcpd: allow the use of an alternative cfg file
7328bfe odhcpd: remove confusing #defines
cdb9e5b odhcpd: improve RFC9096 § 3.5 SLAAC compliance
RFC9096 § 3.5 SLAAC compliance introduces a new config option (odhcpd
piofolder), which may wear out the flash under certain conditions (for
example: ISPs with dynamic IPv6 prefixes which disconnect the clients
every X hours).
Therefore, setting "dhcp.odhcpd.piofolder" to persistent storage in the
router flash is not advisable and should be set to other kinds of
persistent storage such as USBs, SDs, NVMEs...
In order to prevent wearing out the router flash it's set to ephemeral
storage by default (tmp):
uci set dhcp.odhcpd.piofolder="/tmp/odhcpd-piofolder"
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>