Send openwrt-devel mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Today's Topics:
1. Re: [PATCH] firewall: default firewall rules tweak
(Jo-Philipp Wich)
2. Lost connection to OpenWRT router (Dani Camps)
3. Re: Lost connection to OpenWRT router (Jo-Philipp Wich)
4. [PATCH] Upgrade nginx to 1.0.14 (Mark Mentovai)
5. Re: [PATCH] update kernel-version.mk (Jonas Gorski)
6. Re: [PATCH] zabbix 1.8.11 version bump (Gioacchino Mazzurco)
7. [PATCH] ezxml segfault while removing attribute with
ezxml_set_attr (Rob Hazbun)
----------------------------------------------------------------------
Message: 1
Date: Mon, 09 Apr 2012 13:02:14 +0200
From: Jo-Philipp Wich<[email protected]>
To: OpenWrt Development List<[email protected]>
Subject: Re: [OpenWrt-Devel] [PATCH] firewall: default firewall rules
tweak
Message-ID:<[email protected]>
Content-Type: text/plain; charset=UTF-8
Hi.
> 1. Following "deny by default" principle, change the default section
> policy to DROP. The firewall package already adds rules to allow all
> lo traffic, there should be no impact to user.

NACK. If at all it should be reject, not drop - to at least give users a
chance to see that the firewall is swallowing traffic.

> 2. harden the allow dhcp renew rule, source port should always be 67

ACK.

> 3. Refer to rfc4890 ICMPv6 Filtering Recommendations, Appendix B.
> (http://www.ietf.org/rfc/rfc4890.txt) The sample ICMPv6 filter rules
> indicates ip6tables can keep track of most icmpv6 traffic as "RELATED".
> The icmpv6 filter can be hardened.

I'm not sure about that. In theory DHCP response traffic should be kept
as related as well, in practise the idle times are too high so the
connections fall out of the conntrack table. I prefer to keep explicit
ICMP whitelists, relying on related state tracking with varying timeouts
will lead to unpredictable behaviour.

> 4. Allow most icmpv6 neighbour discovery traffic as kernel will
> enforce "hop-limit=255" rule (packet is not forwarded)

Any reason why you remove ICMP failure notifications like "too-big" from
the whitelist?

> 5. remove limit 1000 to avoid possible denial of service (attacker
> can stop all ICMP traffic by sending more than 1000 ICMP packet/s)

As I already mentioned in the ticket, instead of removing the limit, I'd
rather see hashlimits implemented, that rate-limit the traffic per host
or prefix.
~ Jow
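
Point 5 above, modelled as an added example (not code from this thread or from the OpenWrt firewall package): a single shared token bucket is compared with one bucket per source /64 under the same constructed traffic. The function names, the burst of 5, the per-prefix rate of 10 packets/s and the two addresses are assumptions made for the illustration; only the global limit of 1000 comes from the message.

```python
import ipaddress
from collections import Counter

UNIT = 1_000_000  # one token in micro-tokens; timestamps are in microseconds

class TokenBucket:
    """Refills at `rate` packets/s and holds at most `burst` packets."""
    def __init__(self, rate, burst):
        self.rate, self.cap = rate, burst * UNIT
        self.tokens, self.last = self.cap, 0

    def allow(self, now_us):
        gained = (now_us - self.last) * self.rate  # integer math, no float drift
        self.tokens = min(self.cap, self.tokens + gained)
        self.last = now_us
        if self.tokens < UNIT:
            return False
        self.tokens -= UNIT
        return True

def global_limiter(rate, burst):
    """One bucket shared by every sender: the single 'limit 1000' style rule."""
    bucket = TokenBucket(rate, burst)
    return lambda src, now_us: bucket.allow(now_us)

def per_prefix_limiter(rate, burst, prefix_len=64):
    """One bucket per source prefix: the per-host/per-prefix idea."""
    buckets = {}
    def allow(src, now_us):
        key = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        if key not in buckets:
            buckets[key] = TokenBucket(rate, burst)
        return buckets[key].allow(now_us)
    return allow

# Constructed sample senders (documentation prefix 2001:db8::/32).
FLOODER, NORMAL = "2001:db8:bad::1", "2001:db8:1::10"

def simulate(limiter, seconds=5):
    """Constructed traffic: FLOODER at 5000 pkt/s, NORMAL at 2 pkt/s."""
    events = [(t, FLOODER) for t in range(0, seconds * 1_000_000, 200)]
    events += [(t, NORMAL) for t in range(250_100, seconds * 1_000_000, 500_000)]
    passed = Counter()
    for now_us, src in sorted(events):
        passed[src] += limiter(src, now_us)
    return passed

if __name__ == "__main__":
    print("global  :", dict(simulate(global_limiter(1000, 5))))
    print("per /64 :", dict(simulate(per_prefix_limiter(10, 5))))
```

With the shared bucket the flooding source takes every token as it appears and the normal host gets nothing through; with per-prefix buckets the normal host is unaffected and the flooding source is held to its own budget.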
------------------------------
Message: 2
Date: Mon, 09 Apr 2012 13:38:25 +0200
From: Dani Camps<[email protected]>
To:[email protected],[email protected]
Subject: [OpenWrt-Devel] Lost connection to OpenWRT router
Message-ID:<[email protected]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Dear all,
I have a Netgear WNDR3700v2 with OpenWRT. The problem is that I created
a custom boot script as explained here
(http://wiki.openwrt.org/doc/techref/initscripts) and after rebooting I
was not able to connect to the router.
What the custom script contained was the following:
------------------------------------------------------------------------------------------
# Start fprobe to send NetFlow reports to ntop
fprobe -ibr-lan 192.168.1.22:2055
# Start QoS scripts (the script described here: http://www.campsmur.cat/dani_home_network.html)
# Start the openVPN server, configured according to here: http://wiki.openwrt.org/inbox/vpn.howto.
------------------------------------------------------------------------------------------
I do not recall at which priority in init.d this custom init script was
executed but I did not intentionally set any high priority.
Now after rebooting the connection with the router is lost. However, I
do know the MAC of the router (is in the label: Netgear_9b:7d:a6) and
the interface to which this MAC belongs, and the IP that this router
interface was supposed to have (192.168.1.1). So if I try to ping this
IP from a laptop connected with Ethernet (with IP 192.168.1.230) to the
router this is what happens:
------------------------------------------------------------------------------------------
No.  Time       Source            Destination       Protocol  Length  Info
2    24.567792  192.168.1.230     192.168.1.1       ICMP      155     Echo (ping) request id=0x10eb, seq=1/256, ttl=64
3    24.576590  Netgear_9b:7d:a6  Broadcast         ARP       60      Who has 192.168.1.230? Tell 192.168.1.1
4    24.576625  Sony_63:75:8e     Netgear_9b:7d:a6  ARP       42      192.168.1.230 is at f0:bf:97:63:75:8e
5    25.576600  Netgear_9b:7d:a6  Broadcast         ARP       60      Who has 192.168.1.230? Tell 192.168.1.1
6    25.576608  192.168.1.230     192.168.1.1       ICMP      155     Echo (ping) request id=0x10eb, seq=2/512, ttl=64
...
------------------------------------------------------------------------------------------
The laptop already has the MAC of the router in its ARP table, therefore
it issues the PING. Then the router hears this PING, but its ARP table is
empty and therefore it sends an ARP request to find out to which MAC the
laptop's IP belongs. Then the laptop sends a reply to this ARP
request, but the router ignores it and does not send the ICMP reply!
This is not only an ICMP problem, it also happens if I try to ssh or to
connect via the Web portal. Therefore, I have the feeling that the
problem is with the ARP process in the router.
Does anyone have any idea of how to connect to the router? Would it be
possible to try to access using IPv6 (since there is no ARP)? But I have
no experience with that. Otherwise, is it possible to flash a new
firmware to the router without IP connectivity?
Best Regards
Daniel
------------------------------
Message: 3
Date: Mon, 09 Apr 2012 13:45:37 +0200
From: Jo-Philipp Wich<[email protected]>
To: OpenWrt Development List<[email protected]>
Subject: Re: [OpenWrt-Devel] Lost connection to OpenWRT router
Message-ID:<[email protected]>
Content-Type: text/plain; charset=ISO-8859-1
http://wiki.openwrt.org/doc/howto/generic.failsafe
------------------------------
Message: 4
Date: Mon, 9 Apr 2012 11:17:10 -0400 (EDT)
From: Mark Mentovai<[email protected]>
To:[email protected]
Subject: [OpenWrt-Devel] [PATCH] Upgrade nginx to 1.0.14
Message-ID:<[email protected]>
Content-Type: TEXT/PLAIN; charset=US-ASCII
Upgrade nginx to 1.0.14.
Changelog: http://nginx.org/en/CHANGES-1.0
This upgrade includes a fix for a major security vulnerability,
CVE-2012-1180.
Signed-off-by: Mark Mentovai<[email protected]>
---
Index: packages/net/nginx/Makefile
===================================================================
--- packages/net/nginx/Makefile (revision 31206)
+++ packages/net/nginx/Makefile (working copy)
@@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=nginx
-PKG_VERSION:=1.0.10
+PKG_VERSION:=1.0.14
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://nginx.org/download/
-PKG_MD5SUM:=930b297b00fa1018fb0a1dd3e6b7e17e
+PKG_MD5SUM:=019844e48c34952253ca26dd6e28c35c
PKG_BUILD_PARALLEL:=1
PKG_INSTALL:=1
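Review bot: PKG_MD5SUM is the only integrity check on this tarball, and PKG_SOURCE_URL fetches it over plain http://, so for a bump made because of CVE-2012-1180 the commit message should state how the new sum was obtained, ideally from a tarball checked against upstream's detached signature rather than computed from the same unauthenticated download. Leaving PKG_RELEASE at 1 is correct for a new PKG_VERSION.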
------------------------------
Message: 5
Date: Mon, 9 Apr 2012 17:33:58 +0200
From: Jonas Gorski<[email protected]>
To: OpenWrt Development List<[email protected]>
Subject: Re: [OpenWrt-Devel] [PATCH] update kernel-version.mk
Message-ID:
<CAOiHx=mFgR3obcZ8G9foZpwsz5J-8fiL4w7UOBtSWqQ9_Hn=_...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Hi Jim,
On 4 April 2012 17:30, Jim Cromie<[email protected]> wrote:
> add 3.2.14, 3.3.1, restore entry for 3.2.13.
> ISTM there's not a reason to drop 3.2.13,
> I think some platforms are still using it.
There are no platforms using 3.2.12; I had previously updated all of
them to use 3.2.13 (and just now 3.2.14), so all 3.2 targets use the
same version - therefore no need to keep older versions. For the same
reason there should also be only one version for each release, so
3.3.1 would replace 3.3, simultaneously updating all 3.3 targets to
3.3.1 (this often requires more than just changing the versions in
target/linux/*/Makefile).
Regards
Jonas
Signed-off-by: Jim Cromie<[email protected]>
---
 include/kernel-version.mk |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/include/kernel-version.mk b/include/kernel-version.mk
index da8534f..f1cf4bf 100644
--- a/include/kernel-version.mk
+++ b/include/kernel-version.mk
@@ -2,6 +2,7 @@
?LINUX_RELEASE?=1
+# md5sums are for bz2 files
?ifeq ($(LINUX_VERSION),2.6.30.10)
? LINUX_KERNEL_MD5SUM:=eb6be465f914275967a5602cb33662f5
?endif
@@ -35,12 +36,21 @@ endif
?ifeq ($(LINUX_VERSION),3.1.10)
? LINUX_KERNEL_MD5SUM:=3649bdaa50ffd9114cc16486ec54d83a
?endif
+ifeq ($(LINUX_VERSION),3.2.12)
+ ?LINUX_KERNEL_MD5SUM:=e3dd3772f0cf14d444a3fb474bd624fe
+endif
?ifeq ($(LINUX_VERSION),3.2.13)
? LINUX_KERNEL_MD5SUM:=1966afd4474000e48fb1e22a5991882e
?endif
+ifeq ($(LINUX_VERSION),3.2.14)
+ ?LINUX_KERNEL_MD5SUM:=961da0dc037181a4a5059f763b70eabd
+endif
?ifeq ($(LINUX_VERSION),3.3)
? LINUX_KERNEL_MD5SUM:=98a6cdd7d082b7ea72df9c89842bac74
?endif
+ifeq ($(LINUX_VERSION),3.3.1)
+ ?LINUX_KERNEL_MD5SUM:=ded7229c02a53cd071e541f73b9ef547
+endif
?# disable the md5sum check for unknown kernel versions
?LINUX_KERNEL_MD5SUM?=x
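Review bot: the first added block keys on 3.2.12, while the commit message says the intent is to restore the entry for 3.2.13, and 3.2.13 is already present as an unchanged context line directly below it; either drop the 3.2.12 block or correct the message. Since the last context line (LINUX_KERNEL_MD5SUM?=x) turns the check off for any version that is not listed, each sum added here is the only verification that kernel tarball gets, so the message should also say where the three new values were taken from.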
--
1.7.7.6
------------------------------
Message: 6
Date: Mon, 09 Apr 2012 19:57:15 +0200
From: Gioacchino Mazzurco<[email protected]>
To: OpenWrt Development List<[email protected]>
Subject: Re: [OpenWrt-Devel] [PATCH] zabbix 1.8.11 version bump
Message-ID:<[email protected]>
Content-Type: text/plain; charset=ISO-8859-1
Please ignore this patch, I have discovered a severe memory leak in
zabbix_agentd 1.8.11 that rapidly eats all memory available on the device!
Now I am trying to enable IPv6 on the 1.6 version, and I am checking if 1.6 is
also affected by the memory leak.
I'll come up with a new version bump when they fix the memory leak.

On 04/05/12 16:35, Gioacchino Mazzurco wrote:
> This patch updates the openwrt zabbix package from 1.6 to 1.8.11
> the new version also supports ipv6 in the agent
>
> Signed-off-by: Gioacchino Mazzurco<[email protected]>
------------------------------
Message: 7
Date: Mon, 9 Apr 2012 18:35:01 +0000
From: Rob Hazbun<[email protected]>
To:"[email protected]"
<[email protected]>
Subject: [OpenWrt-Devel] [PATCH] ezxml segfault while removing
attribute with ezxml_set_attr
Message-ID:
<52393084586b4a4581f6cb3087e35ed30f49f...@sn2prd0510mb395.namprd05.prod.outlook.com>
Content-Type: text/plain; charset="us-ascii"
This patch fixes a potential segfault when removing an attribute with
ezxml_set_attr.
Complete description can be found here:
http://sourceforge.net/tracker/?func=detail&aid=1653391&group_id=122291&atid=693016
Signed-off by: Robert [email protected]<mailto:[email protected]>
----
--- ezxml-0.8.6.orig/ezxml.c 2012-04-06 17:28:38.000000000 -0700
+++ ezxml-0.8.6/ezxml.c 2012-04-06 17:34:54.000000000 -0700
@@ -1000,10 +1000,11 @@
if (value) xml->attr[l + 1] = (char *)value; // set attribute value
else { // remove attribute
if (xml->attr[c + 1][l / 2]& EZXML_NAMEM) free(xml->attr[l]);
- memmove(xml->attr + l, xml->attr + l + 2, (c - l + 2) * sizeof(char*));
+ memmove(xml->attr + l, xml->attr + l + 2, (c - l) * sizeof(char*));
xml->attr = realloc(xml->attr, (c + 2) * sizeof(char *));
+ c-=2;
memmove(xml->attr[c + 1] + (l / 2), xml->attr[c + 1] + (l / 2) + 1,
- (c / 2) - (l / 2)); // fix list of which name/vals are malloced
+ ((c + 2) / 2) - (l / 2)); // fix list of which name/vals are
malloced
}
xml->flags&= ~EZXML_DUP; // clear strdup() flag
return xml;
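Review bot: on the unchanged realloc line, the size is still (c + 2) * sizeof(char *) and it runs before the new c-=2, so it asks for the same number of slots the array had before the pair was removed, and its result is assigned straight back to xml->attr without a NULL check; move the decrement above the realloc, size it from the new c, and keep the old pointer if realloc fails. The added memmove length line has also been wrapped by the mail client ("malloced" sits on its own line with no + prefix), so the patch will not apply as sent and should be resent as plain text or as an attachment.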
----
------------------------------
End of openwrt-devel Digest, Vol 76, Issue 24
*********************************************