Without this patch, the
if (!config.wpa)
config.wpa_pairwise = null;
is overwritten immediately.
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
Link: https://github.com/openwrt/openwrt/pull/21215
Signed-off-by: Robert Marko <robimarko@gmail.com>
When wdev interfaces and hostapd interfaces are mixed, race conditions
can occur. Sometimes all interfaces are started correctly, sometimes only
the wdev interface and some of the hostapd interfaces, and sometimes only
the wdev interface.
Fix this by creating the wdev interfaces first, before processing
wpa_supplicant or hostapd interfaces.
Link: https://github.com/openwrt/openwrt/pull/21303
Signed-off-by: Nick Hainke <vincent@systemli.org>
The multicast rate (mcast_rate) is defined as a single numeric value,
not an array. The ucode scripts already expect a single number, and
the OpenWrt documentation specifies this option as an integer [0].
Adjust the wireless schema accordingly. This also fixes the wdev.uc
call path for the iw fallback mesh setup.
[0] - https://openwrt.org/docs/guide-user/network/wifi/basic
Link: https://github.com/openwrt/openwrt/pull/21291
Signed-off-by: Nick Hainke <vincent@systemli.org>
The previous wdev.uc invocation failed for mesh interfaces.
Rewrite it as a loop so the mesh interface is created correctly
when no wpa_supplicant mesh support is installed.
Link: https://github.com/openwrt/openwrt/pull/21291
Signed-off-by: Nick Hainke <vincent@systemli.org>
Mesh interfaces may not define an encryption setting. This results in
a ucode runtime error when parse_encryption() is called:
Reference error: left-hand side expression is null
In parse_encryption(), file /usr/share/ucode/wifi/iface.uc, line 20, byte 32:
called from function setup_sta (/usr/share/ucode/wifi/supplicant.uc:59:31)
called from function generate (/usr/share/ucode/wifi/supplicant.uc:243:41)
called from function setup (./mac80211.sh:254:61)
called from anonymous function (./mac80211.sh:342:14)
` config.auth_type = encryption[0] ?? 'none';`
Near here ------------------------^
Link: https://github.com/openwrt/openwrt/pull/21293
Signed-off-by: Nick Hainke <vincent@systemli.org>
Add EHT* check so that the hwmode will display 802.11be capability correctly.
Signed-off-by: Elwin Huang <s09289728096@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21267
Signed-off-by: Nick Hainke <vincent@systemli.org>
This fixes a simple logic error in the macaddr existence check in mac80211.uc.
Signed-off-by: Harin Lee <me@harin.net>
Link: https://github.com/openwrt/openwrt/pull/21277
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The ncm proto handler ignored ip4table, ip6table, and mtu settings.
The fix is based on the existing code in the mbim proto handler.
Fixes: #20216.
Signed-off-by: Alexander Patrakov <patrakov@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/20217
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
- Security: Avoid privilege escalation via unix stream forwarding in Dropbear
server. Other programs on a system may authenticate unix sockets via
SO_PEERCRED, which would be root user for Dropbear forwarded connections,
allowing root privilege escalation.
Reported by Turistu, and thanks for advice on the fix.
This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88.
It is fixed by dropping privileges of the dropbear process after
authentication. Unix stream sockets are now disallowed when a
forced command is used, either with authorized_key restrictions or
"dropbear -c command".
In previous affected releases running with "dropbear -j" (will also disable
TCP fowarding) or building with localoptions.h/distrooptions.h
"#define DROPBEAR_SVR_LOCALSTREAMFWD 0" is a mitigation.
- Security: Include scp fix for CVE-2019-6111. This allowed
a malicious server to overwrite arbitrary local files.
The missing fix was reported by Ashish Kunwar.
- Server dropping privileges post-auth is enabled by default. This requires
setresgid() support, so some platforms such as netbsd or macos will have to
disable DROPBEAR_SVR_DROP_PRIVS in localoptions.h. Unix stream forwarding is
not available if DROPBEAR_SVR_DROP_PRIVS is disabled.
Remote server TCP socket forwarding will now use OS privileged port
restrictions rather than having a fixed "allow >=1024 for non-root" rule.
A future release may implement privilege dropping for netbsd/macos.
- Fix a regression in 2025.87 when RSA and DSS are not built. This would lead
to a crash at startup with bad_bufptr().
Reported by Dani Schmitt and Sebastian Priebe.
- Don't limit channel window to 500MB. That is could cause stuck connections
if peers advise a large window and don't send an increment within 500MB.
Affects SSH.NET https://github.com/sshnet/SSH.NET/issues/1671
Reported by Rob Hague.
- Ignore -g -s when passwords arent enabled. Patch from Norbert Lange.
Ignore -m (disable MOTD), -j/-k (tcp forwarding) when not enabled.
- Report SIGBUS and SIGTRAP signals. Patch from Loïc Mangeonjean.
- Fix incorrect server auth delay. Was meant to be 250-350ms, it was actually
150-350ms or possibly negative (zero). Reported by pickaxprograms.
- Fix building without public key options. Thanks to Konstantin Demin
- Fix building with proxycmd but without netcat. Thanks to Konstantin Demin
- Fix incorrect path documentation for distrooptions, thanks to Todd Zullinger
- Fix SO_REUSEADDR for TCP tests, reported by vt-alt.
Dropped:
* 050-dropbear-multihop-fix.patch as its included in the release 5cc0127000db5f
* 051-fix-pubkey-options.patch as its included in the release 1d4c4a542cd5df
* 052-fix-missing-depends-for-sntrup761x25519-sha512.patch as its included
in the release 1a2c1e649a1824
* 053-Don-t-limit-channel-window-to-500MB.patch as its included in the release a8610f7b98ad
Manually rebased:
* 110-change_user.patch
Fixes: CVE-2025-14282, CVE-2019-6111
Reviewed-by: Hauke Mehrtens <hauke@hauke-m.de>
Reviewed-by: Konstantin Demin <rockdrilla@gmail.com>
Tested-by: Konstantin Demin <rockdrilla@gmail.com> [mediatek/filogic (GL.iNet GL-MT6000)]
Link: https://github.com/openwrt/openwrt/pull/21186
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This fixes a failed bring up of the radio on bootup
if the model defines a rename of phy in its /etc/board.json.
This specifically impacts Redmi AX6S and any router that does so
in its /etc/board.json. The fix fortunately is simple, just update
phy name in phys after rename.
The entry that specifically causes this issue is the following:
{
<omitted>
"wlan": {
"wl0": {
"path": "platform/18000000.wmac",
"info": {
"antenna_rx": 15,
"antenna_tx": 15,
"bands": {
"2G": {
"ht": true,
"max_width": 40,
"modes": [
"NOHT",
"HT20",
"HT40"
],
"default_channel": 1
}
},
"radios": [
]
}
},
...
}
The issue is that after rename, referenced phy in config is going to be
wl0 but in phys array it is still phy0; and so it fails to find phy
and does not bring up radio.
Fixes: https://github.com/openwrt/openwrt/issues/20250
Fixes: https://github.com/openwrt/openwrt/issues/20339
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/21175
Signed-off-by: Robert Marko <robimarko@gmail.com>
Convert to MBit/s like all other fields and specify the unit.
Most users probably aren't aware that this is in kilobits/s.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20567
Signed-off-by: Robert Marko <robimarko@gmail.com>
This is a trivial change to allow users to use 'list' on iface.
Old wifi-scripts already implements this, so this just ensures
that shell-based and ucode wifi-scripts are on-par with each other.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20977
Signed-off-by: Robert Marko <robimarko@gmail.com>
When iface is omitted, wifi-vlan will apply to all interfaces.
However, netifd.set_vlan call is not successful as it assumes
that every wifi-vlan section corresponds to one VIF.
For this reason in the wifi-vlan case (cur_type == "vlan")
we create a composite key in the form `${vif.name}/${vlan.name}`
allowing the same vlan section to correspond to multiple VAPs.
`/` was decided as a delimiter as it is an invalid character
for a network interface name and UCI identifier; so it is
impossible for it to cause conflicts.
It was verified that the `ubus call network.wireless status`
works as expected with this change. Moreover, wifi-station
is not susceptible to this problem.
This also means that it is now possible for wifi-vlan
to support `list` iface similar to old shell-based wifi-scripts.
This will be done in a follow-up commit.
Fixes: 98435a37a7 ("wifi-scripts: iface should be optional in wifi-vlan definition")
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20977
Signed-off-by: Robert Marko <robimarko@gmail.com>
cf51aeb93220 odhcpd: fix captive_portal_uri reset
e8b7fdea8d5e dhcpv4: fix DNS server option
b84553e496a3 router: Modify relayed RA PIO P flag according to interface policy
da3e2a9829cc router: Modify relayed RA PIO A flags according to interface policy
bad7138b70f0 README.md: update dhcp ubus events
ca00527e5f...cf51aeb932
Also remove duplicated /usr/share/libubox/jshn.sh include.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
ca00527e5fc3 statefiles: don't write empty hosts files
24b70c5c2ff0 Revert "statefiles: fix escape sequence for broken hostname output"
5203ad13954c statefiles: fix stale pio handling for !ubus
a64760b30f67 odhcpd: rename piofolder to piodir
6779344a8c8a statefiles: use tmpfile functions for pio files
9f8abcc662d0 statefiles: rename prefix information functions
cb65b83e524e config: move pio json handling to statefiles.c
5b01849cc42c statefiles: add a dirfd helper function
eadde3d7dd74 statefiles: add tmp helper functions
c29aa7091498 statefiles: fix escape sequence for broken hostname output
00f2d7a4dbe5 dhcpv4: don't send zero IPv6-only preferred option
c86d29bb83d6 Revert "dhcpv6-ia: add some noise to the T1 and T2 periods"
b062769ab85f Revert "do not delegate ULA prefixes"
fd4714bb2dfe do not delegate ULA prefixes
81ea5bfef775 dhcpv6-ia: add some noise to the T1 and T2 periods
79252ed0c0...ca00527e5f
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Currently its only possible to disable port forwarding only for specific
keys, via the OpenSSH-style restriction in `authorized_keys` file.
In some use cases it might be feasible to disable such features globally
on service level, so lets add new LocalPortForward and RemotePortForward
config knobs.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Link: https://github.com/openwrt/openwrt/pull/21071
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This will allow del_client with ban_time on a broadcast address
to also ban all clients temporarily.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/18670
Signed-off-by: Robert Marko <robimarko@gmail.com>
Similar to the hostapd control interface, treat ff:ff:ff:ff:ff:ff
as a stand in for "all clients".
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/18670
Signed-off-by: Robert Marko <robimarko@gmail.com>
f19dd37fb467 odhcp6c: accept EUI64 and random for interface ID
e955729c781f formal: fix workflow permissions
9557d3e245aa vscode: set tabs to 8 whitespaces by default
98dfd156f399 src: fix shadowed local variables
f98b6ec823...f19dd37fb4
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
This adds support for beacon_prot and spp_amsdu in hostapd and
beacon_prot in wpa_supplicant (spp_amsdu is not relevant there).
Both options are disabled by default unless set in the config.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20793
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
In the past PR[1] to add SAE wifi-station support, a commenter[2] requested
that the mac option be changed into a list. After trying to migrate my old
RADIUS setup I found myself wanting this change as well as it would simplify
my config. This patch does precisely that. Old configs that specify
`option mac ....` still work without any issues.
This change was done for both PSK and SAE. The schema was updated as well.
[1]: https://github.com/openwrt/openwrt/pull/17145
[2]: https://github.com/openwrt/openwrt/pull/17145#issuecomment-2523507953
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/17650
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This is useful as there are cases where no network is configured
or the configured network is isolated (APs are blocked from
communicating with each other over it). In both cases, it would make
sense to set ft_iface to another interface dedicated to FT over DS
traffic.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20797
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The Quectel RG255C modem used in the Teltonika RUT976 does not support
the 'Get Serving System' QMI command, returning "Invalid QMI command".
Without this change, the script would fail even though the connection
could be established successfully.
This patch skips the registration state check if the command is not
supported and relies on subsequent checks instead.
Signed-off-by: Til Kaiser <mail@tk154.de>
Link: https://github.com/openwrt/openwrt/pull/20933
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Since now we default to 6.12 and we dropped any support for kernel 6.6,
drop any dependency on it.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Adds missing default value for na_mcast_to_ucast when proxy_arp is not enabled
in order to silence the following msg:
daemon.notice: netifd: radio1 (xxxx): sh: out of range
Fixes: bcdb29f78f ("wifi-scripts: add na_mcast_to_ucast option")
Reported-by: Antony Kolitsos <zeusomighty@hotmail.com>
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20806
Signed-off-by: Robert Marko <robimarko@gmail.com>
When transitioning from a config with one or more wifi-stations, to a configuration
that has no wifi-station; the file would not be empty/reset and the old wifi-station
entries would remain.
This is because iface_wpa_stations and iface_sae_stations return early if there
are no wifi-stations present, which is an incorrect behavior as it causes the
file to actually have old entries.
'sae_password_file' and 'wpa_psk_file' are also set by default inside
of iface_auth_type to same path as the one used by wifi-station, so it
is indeed going to be set in the config and would contain the old
entries.
This happens with reload and wifi restart. So the only solution
would be to manually remove the file.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20700
Signed-off-by: Robert Marko <robimarko@gmail.com>
Similar to "wifi-scripts: iface should be optional in wifi-vlan definition"
(98435a3), wifi-station iface should also be optional. By default, it is
supposed to match all interfaces if omitted.
Fixes: https://github.com/openwrt/openwrt/issues/20705
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20694
Signed-off-by: Robert Marko <robimarko@gmail.com>
Most users on forums face a broken 802.11r setup when having
a very simple 802.11r config (i.e., just ieee80211r enabled).
In most cases, simply bumping reassociation_deadline to
20000 fixes their problems and allows 802.11r to just work.
Reassociation Deadline is already set to 20 seconds on Cisco
equipment by default[1] which is why this value has been
chosen.
It is also mentioned on the OpenWRT Wiki as a value that should
be changed in order for 802.11r to work on Apple devices. I think
it would be better to change the defaults instead so users don't
have to do much work for a working setup.
[1]: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/80211r-ft/b-80211r-dg.html
Fixes: https://github.com/openwrt/openwrt/issues/7907
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20799
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This is useful to alter the default ban time after an STA
association is rejected for being below RSSI threshold.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/20811
Signed-off-by: Robert Marko <robimarko@gmail.com>
