Brings the following change:
1fe6f48f8a50 Cmake: Find libubox/list.h

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>

thc-ipv6 did not allow an external environment to override CFLAGS, which
would lead to our CFLAGS not being passed properly (relro,
optimizations, etc...)

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>

Signed-off-by: Hsing-Wang Liao <kuoruan@gmail.com>

Drops a LEDE carried patch now upstream.
Convert to autotools.
A number of nits fixed upstream (dns & short packet handling most
notable)

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

Defer procd_open_instance only after validity check passed.

Fixes FS#541

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

Signed-off-by: Felix Fietkau <nbd@nbd.name>

1b630f8 router: don't announce prefixes with valid lifetime equal to 0
ba0cac0 router: fix arithmetic exception fault
3495f17 router: allow RA prefix lifetime being set to leasetime value (FS#397)
e437ce9 treewide: simplify dhcp leasetime checking
942fb33 router: support ra_mininterval and ra_lifetime uci parameters (FS#397)
f913337 router.h: fix alignment style
4dc7edb Revert "odhcpd.h: fix alignment style"
62ea54f odhcpd.h: fix alignment style
a898ee5 config: make loglevel configurable via uci (FS#481)
51c756c odhcpd: display correct default log level in usage text
68ee0b5 treewide: define and use macro IN6_IS_ADDR_ULA
fa57225 ndp: deregister netlink event socket for non recoverable errors
ac70d28 odhcpd: fix white space errors

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

When not defining 'device' or 'vlan' in relevant switch_port uci
sections, behaviour is inconsistent due to *devn, *port and *vlan
pointers not being zero initialized.

Signed-off-by: Ben Kelly <ben@benjii.net>

stop() is overwritten by rc.common, so implement stop_service instead.
While at it, remove the now unnecessary restart() override

Signed-off-by: Felix Fietkau <nbd@nbd.name>

--bogus-priv now applies to IPv6 prefixes as specified in RFC6303 - this
is significantly friendlier to upstream servers.

CNAME fix in auth mode - A domain can only have a CNAME if it has no
other records

Drop 2 patches now included upstream.

Compile & run tested Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

 - Fix eap test to work with standalone hostapd builds
 - Fix 11n test to check the correct define
 - Add 11ac, 11r and 11w tests

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

New test release (since test1) includes 2 LEDE patches that are
upstream and may be dropped, along with many spelling fixes.

Add forthcoming 2017 root zone trust anchor to trust-anchors.conf.

Backport 2 patches that just missed test3:

Reduce logspam of those domains handled locally 'local addresses only'
Implement RFC-6842 (Client-ids in DHCP replies)

Compile & run tested Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

Patch from attachment to FS#512

Signed-off-by: Felix Fietkau <nbd@nbd.name>

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

fq_codel is built-in, and xt_CONNMARK is provided by the xt_connmark
module

Signed-off-by: Felix Fietkau <nbd@nbd.name>

This update includes numerous small fixes for:
1) Interfaces setup
2) Packets parsing
3) Sending replies
Without this there were multiple problems with exchanging information
between (u)mdns and other implementations (including (u)mdns as well).

This also follows project rename to umdns which was required to avoid
confusion with Apple's mdnsd from mDNSResponder project.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>

Refreshed patches

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>

same name for the file on the host and target

Signed-off-by: Daniel Albers <daniel.albers@public-files.de>

as we do for IPv4 PPP interfaces. When we create the
dynamic IPv6 interface we should inherit ip6table from
main interface.

Signed-off-by: Ulrich Weber <ulrich.weber@riverbed.com>

pppoe-discovery performs the same discovery process as pppoe, but does
not initiate a session

Signed-off-by: Florian Eckert <Eckert.Florian@googlemail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

f107656 netifd: Add option to configure locktime for each device
cdc0e80 interface: add prefix assignment priority support
6397f5e device: add veth support
6228d0f wireless: fix _wireless_add_process
7cc2f10 treewide: fix white space errors

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

Signed-off-by: Felix Fietkau <nbd@nbd.name>

Signed-off-by: Felix Fietkau <nbd@nbd.name>

The only HMACs currently available use MD5 and SHA1, both of which have known
weaknesses. We already compile in the SHA256 code since we use Curve25519
by default, so there's no significant size penalty to enabling this.

Signed-off-by: Joseph C. Sible <josephcsible@users.noreply.github.com>

8df4253 ndp: harden netlink event socket error handling
b02f3e6 ndp: close proc file descriptor also during error handling
8a615ad npd: rework IPv6 relay logic (FS#396)
0129f79 config: restore interface defaults when cleaning interface

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

Update to 3.1.6

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>

cfd986c odhcp6c: fix possible stack corruption when parsing proc if_inet6

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

This fixes the following 41 security problems:
 + CVE-2016-7922: buffer overflow in print-ah.c:ah_print().
 + CVE-2016-7923: buffer overflow in print-arp.c:arp_print().
 + CVE-2016-7924: buffer overflow in print-atm.c:oam_print().
 + CVE-2016-7925: buffer overflow in print-sl.c:sl_if_print().
 + CVE-2016-7926: buffer overflow in print-ether.c:ethertype_print().
 + CVE-2016-7927: buffer overflow in print-802_11.c:ieee802_11_radio_print().
 + CVE-2016-7928: buffer overflow in print-ipcomp.c:ipcomp_print().
 + CVE-2016-7929: buffer overflow in print-juniper.c:juniper_parse_header().
 + CVE-2016-7930: buffer overflow in print-llc.c:llc_print().
 + CVE-2016-7931: buffer overflow in print-mpls.c:mpls_print().
 + CVE-2016-7932: buffer overflow in print-pim.c:pimv2_check_checksum().
 + CVE-2016-7933: buffer overflow in print-ppp.c:ppp_hdlc_if_print().
 + CVE-2016-7934: buffer overflow in print-udp.c:rtcp_print().
 + CVE-2016-7935: buffer overflow in print-udp.c:rtp_print().
 + CVE-2016-7936: buffer overflow in print-udp.c:udp_print().
 + CVE-2016-7937: buffer overflow in print-udp.c:vat_print().
 + CVE-2016-7938: integer overflow in print-zeromq.c:zmtp1_print_frame().
 + CVE-2016-7939: buffer overflow in print-gre.c, multiple functions.
 + CVE-2016-7940: buffer overflow in print-stp.c, multiple functions.
 + CVE-2016-7973: buffer overflow in print-atalk.c, multiple functions.
 + CVE-2016-7974: buffer overflow in print-ip.c, multiple functions.
 + CVE-2016-7975: buffer overflow in print-tcp.c:tcp_print().
 + CVE-2016-7983: buffer overflow in print-bootp.c:bootp_print().
 + CVE-2016-7984: buffer overflow in print-tftp.c:tftp_print().
 + CVE-2016-7985: buffer overflow in print-calm-fast.c:calm_fast_print().
 + CVE-2016-7986: buffer overflow in print-geonet.c, multiple functions.
 + CVE-2016-7992: buffer overflow in print-cip.c:cip_if_print().
 + CVE-2016-7993: a bug in util-print.c:relts_print() could cause a
      buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP,
      lightweight resolver protocol, PIM).
 + CVE-2016-8574: buffer overflow in print-fr.c:frf15_print().
 + CVE-2016-8575: buffer overflow in print-fr.c:q933_print().
 + CVE-2017-5202: buffer overflow in print-isoclns.c:clnp_print().
 + CVE-2017-5203: buffer overflow in print-bootp.c:bootp_print().
 + CVE-2017-5204: buffer overflow in print-ip6.c:ip6_print().
 + CVE-2017-5205: buffer overflow in print-isakmp.c:ikev2_e_print().
 + CVE-2017-5341: buffer overflow in print-otv.c:otv_print().
 + CVE-2017-5342: a bug in multiple protocol parsers (Geneve, GRE, NSH,
      OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in
      print-ether.c:ether_print().
 + CVE-2017-5482: buffer overflow in print-fr.c:q933_print().
 + CVE-2017-5483: buffer overflow in print-snmp.c:asn1_parse().
 + CVE-2017-5484: buffer overflow in print-atm.c:sig_print().
 + CVE-2017-5485: buffer overflow in addrtoname.c:lookup_nsap().
 + CVE-2017-5486: buffer overflow in print-isoclns.c:clnp_print().

The size of the package is only incread very little:
new size:
306430 tcpdump_4.9.0-1_mips_24kc.ipk
130324 tcpdump-mini_4.9.0-1_mips_24kc.ipk

old size:
302782 tcpdump_4.8.1-1_mips_24kc.ipk
129033 tcpdump-mini_4.8.1-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

Bump to dnsmasq 2.77test1 - this includes a number of fixes since 2.76
and allows dropping of 2 LEDE carried patches.

Notable fix in rrfilter code when talking to Nominum's DNS servers
especially with DNSSEC.

A patch to switch dnsmasq back to 'soft fail' for SERVFAIL responses
from dns servers is also included.  This mean dnsmasq tries all
configured servers before giving up.

A 'localise queries' enhancement has also been backported (it will
appear in test2/rc'n') this is especially important if using the
recently imported to LEDE 'use dnsmasq standalone' feature 9525743c

I have been following dnsmasq HEAD ever since 2.76 release.
Compile & Run tested: ar71xx, Archer C7 v2

Tested-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

ref commit 9525743c
dnsmasq: make DHCPv6 viable for standalone dnsmasq install
Above commit broke instancing by missing filter_dnsmasq()
as part of the dhcp_add() execution.

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>

Do not spam the syslog with DHCPv6 lease info if quietdhcp option
is selected. This already works for DHCPv4, make it work in the same
way for DHCPv6.

Signed-off-by: Arjen de Korte <build+lede@de-korte.org>
[Originally written by Arjen de Korte on GitHub but had issues providing
a SoB in correct format.]
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

key_direction shows up as an openvpn option in the user-interface but does not end up in the /var/etc/openvpn*.conf file. Adding it to the list here fixed the issue for me.

Signed-off-by: Brandon Koepke <bdkoepke@fastmail.com>

samba.org has started to enforce https and
currently plain http downloads with curl/wget fail,
so convert samba.org download links to use https.

Modernise links at the same time.

Also convert samba.org URL fields to have https.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

dnsmasq has sufficient services to meet the needs of DHCP
and RA with IP6 for single router router users. This is
the most common use for consumer routers. Its reenforced
as most ISP tend to only DHCP-PD /64. dnsmasq has year
over year demonstrated great flexibility in its option
set, and support for off-standard DHCP clients.

odhcpd has enhanced capabilities focused on IP6 such
as DHCP/RA relay and NDP proxy. However, it is not as
flexible in its option set. odhcpd is not as forgiving
with off-standard DHCP clients. Some points may represent
a long term TODO list, but it is the state currently.

These changes make any such combination possible. Already
odhcpd can be set as the main dhcp server. Now odhcpd
can be removed or disabled and dnsmasq will take over
if DHCPv6 compiled in. The existing DHCPv6 and RA UCI
are translated into dnsmasq.conf. The changes focus on
'--dhcp-range', '--dhcp-host', and '--dhcp-options'.

DHCP host ID is least 16 bits [::1000-::FFFF], but
leaves low range for typical infrastructure assignments.
dnsmasq accepts DHCPv6 options in the tranditional
'--dhcp-option' put they must be prefixed 'option6:'.
dnsmasq will also discover SLAAC DNS entries from DHCPv4
clients MAC, and confirm with a ping at least renew.

Long term TODO include improving use of dnsmasq relay
options for DHCPv4 and DHCPv6 in parallel. It would also
be possible to preconfigure DHCP-PD in host-with-options
records for fixed infrastructure.

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
[Jo-Philipp Wich: emit proper IPv6 hostid format in dhcp-host directive]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

ref commit 612e2276
ref commit ec63e3bf

'option add_local_hostname' scripted implementation statically assigns
this host in auto generated host file at init. If IFUP or other signals
do not occur, then address changes are not tracked. The script doesn't
apply all the addresses at an interface. This may make logs obscure.
The script only puts the bare host name (maybe not FQDN) in host file,
but if '--exapandhosts' is enabled, then /etc/hosts entries will be
suffixed, and "127.0.0.1 localhost" becomes "localhost.lan".

dnsmasq provides an option to perform this function, but it is rather
greedy. '--interface-name=<name>,<iface>' will assign the name to all
IP on the specified interface (except link local). This is a useful
feature, but some setups depend on the original restrictive behavior.

'option add_local_fqdn' is added to enhance the feature set, but
if not entered or empty string, then it will default to original
option and behavior. This new option has a few settings. At each
increased setting the most detailed name becomes the PTR record:
0 - same as add_local_hostname 0 or disabled
1 - same as add_local_hostname 1
2 - assigns the bare host name to all IP w/ --dnsmasq-interface
3 - assigns the FQDN and host to all IP w/ --dnsmasq-interface
4 - assigns <iface>.<host>.<domain> and above w/ --dnsmasq-nterface

'option add_wan_fqdn' is added to run the same procedure on
inferred WAN intefaces. If an interface has 'config dhcp' and
'option ignore 1' set, then it is considered WAN. The original
option would only run on DHCP serving interfaces.

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>