Re: [OpenWrt-Devel] hostapd 2.7 released
On 2018-12-12 14:37, Hauke Mehrtens wrote:
> On 12/12/18 10:39 AM, Daniel Golle wrote:
>> Hi!
>>
>> hostapd 2.7 has been released on December 2nd:
>> http://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
>>
>> I've updated the hostapd package to use the hostapd_2_7 tag with our
>> patches on top, find it in my staging tree:
>> https://git.openwrt.org/?p=openwrt/staging/dangole.git;a=commit;h=c494eadb6555c02eb5d00b4274c4fc955291516c
>>
>> I've compile-tested all build variants and run-time tested wpad(-full).
>> Please test and report back, so we shall have this merged in master asap.
>>
>> Cheers
>> Daniel
>
> Hi Daniel,
>
> I also prepared this yesterday, see here:
> https://git.openwrt.org/?p=openwrt/staging/hauke.git;a=commit;h=95215ae8eb738fd47a991cfcae0fe20ab44f4116
>
> When I activate psk3-mixed mode + ieee80211r mode my Debian stable client
> cannot connect any more, I do not know if this is a regression, an
> already existing problem or a problem on the client side.
>
> Hauke
>
> ___
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel

I have a problem similar to that, except only on certain Android devices. Both of my Ubuntu laptops can connect fine. (Disabling FT-SAE allows the Androids to connect again.) There also isn't any useful logging output on the Androids. Does the Debian system log anything when it fails?

Michael
Re: [OpenWrt-Devel] [PATCH] CC: toolchain: use latest glibc 2.21 revision
OK, I was planning on making a patch for 2.23 in trunk later today. Michael On 03/16/16 06:23, John Crispin wrote: > > On 16/03/2016 11:21, Michael Marley wrote: >> When I originally posted this patch, GLIBC 2.23 had not yet been >> released. Additionally, this was a patch to fix the issue for the >> stable release (CC), so I didn't figure bumping the GLIBC version would >> be a good idea. The issue is fixed because the patch was backported to >> the 2.21 branch, which is why this patch switched from the 2.21 release >> to the head of the 2.21 branch. >> >> Michael >> >> > i was just about to post the same. happy to include a patch for the > latest version though > > John > >> On 03/16/16 05:14, Naresh Kumar Mehta wrote: >>> From http://www.gnu.org/software/libc/, it seems CVE-2015-7547 was fixed in >>> v2.23. How come using v2.21 will fix this issue? >>> >>> -----Original Message- >>> From: openwrt-devel [mailto:openwrt-devel-boun...@lists.openwrt.org] On >>> Behalf Of Michael Marley >>> Sent: Wednesday, February 17, 2016 7:46 PM >>> To: openwrt-devel@lists.openwrt.org >>> Subject: [OpenWrt-Devel] [PATCH] CC: toolchain: use latest glibc 2.21 >>> revision >>> >>> Fixes "CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow" >>> >>> Signed-off-by: Michael Marley <mich...@michaelmarley.com> >>> --- >>> toolchain/glibc/Config.version | 6 -- >>> toolchain/glibc/common.mk | 12 >>> +++- >>> toolchain/glibc/patches/2.21/200-add-dl-search-paths.patch | 2 +- >>> 3 files changed, 12 insertions(+), 8 deletions(-) >>> >>> diff --git a/toolchain/glibc/Config.version b/toolchain/glibc/Config.version >>> index 2ac01d7..4ceed09 100644 >>> --- a/toolchain/glibc/Config.version >>> +++ b/toolchain/glibc/Config.version 
>>> @@ -12,12 +12,6 @@ config EGLIBC_VERSION_2_19 config GLIBC_VERSION_2_21 >>> bool >>> >>> -config GLIBC_REVISION >>> - string >>> - default "25243" if EGLIBC_VERSION_2_19 >>> - default "4e42b5b8f8" if GLIBC_VERSION_2_21 >>> - default "" >>> - >>> endif >>> >>> menu "eglibc configuration" >>> diff --git a/toolchain/glibc/common.mk b/toolchain/glibc/common.mk index >>> 7487ca2..3d680bb 100644 >>> --- a/toolchain/glibc/common.mk >>> +++ b/toolchain/glibc/common.mk >>> @@ -6,9 +6,19 @@ >>> # >>> include $(TOPDIR)/rules.mk >>> >>> + >>> +MD5SUM_2.19 = 42dad4edd3bcb38006d13b5640b00b38 >>> +REVISION_2.19 = 25243 >>> + >>> +MD5SUM_2.21 = 76050a65c444d58b5c4aa0d6034736ed >>> +REVISION_2.21 = 16d0a0c >>> + >>> + >>> PKG_NAME:=glibc >>> PKG_VERSION:=$(call qstrip,$(CONFIG_GLIBC_VERSION)) -PKG_REVISION:=$(call >>> qstrip,$(CONFIG_GLIBC_REVISION)) >>> + >>> +PKG_REVISION:=$(REVISION_$(PKG_VERSION)) >>> +PKG_MIRROR_MD5SUM:=$(MD5SUM_$(PKG_VERSION)) >>> >>> PKG_SOURCE_PROTO:=git >>> PKG_SOURCE_URL:=git://sourceware.org/git/glibc.git >>> diff --git a/toolchain/glibc/patches/2.21/200-add-dl-search-paths.patch >>> b/toolchain/glibc/patches/2.21/200-add-dl-search-paths.patch >>> index a6200f7..070f938 100644 >>> --- a/toolchain/glibc/patches/2.21/200-add-dl-search-paths.patch >>> +++ b/toolchain/glibc/patches/2.21/200-add-dl-search-paths.patch >>> @@ -2,7 +2,7 @@ add /usr/lib to default search path for the dynamic linker >>> >>> --- a/Makeconfig 
>>> +++ b/Makeconfig >>> -@@ -501,6 +501,9 @@ else >>> +@@ -499,6 +499,9 @@ else >>> default-rpath = $(libdir) >>> endif >>> >>> -- >>> 2.7.1 >>> ___ >>> openwrt-devel mailing list >>> openwrt-devel@lists.openwrt.org >>> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel >>> >> ___ >> openwrt-devel mailing list >> openwrt-devel@lists.openwrt.org >> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel >> ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH] CC: toolchain: use latest glibc 2.21 revision
When I originally posted this patch, GLIBC 2.23 had not yet been released. Additionally, this was a patch to fix the issue for the stable release (CC), so I didn't figure bumping the GLIBC version would be a good idea. The issue is fixed because the patch was backported to the 2.21 branch, which is why this patch switched from the 2.21 release to the head of the 2.21 branch. Michael On 03/16/16 05:14, Naresh Kumar Mehta wrote: > From http://www.gnu.org/software/libc/, it seems CVE-2015-7547 was fixed in > v2.23. How come using v2.21 will fix this issue? > > -Original Message- > From: openwrt-devel [mailto:openwrt-devel-boun...@lists.openwrt.org] On > Behalf Of Michael Marley > Sent: Wednesday, February 17, 2016 7:46 PM > To: openwrt-devel@lists.openwrt.org > Subject: [OpenWrt-Devel] [PATCH] CC: toolchain: use latest glibc 2.21 > revision > > Fixes "CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow" > > Signed-off-by: Michael Marley <mich...@michaelmarley.com> > --- > toolchain/glibc/Config.version | 6 -- > toolchain/glibc/common.mk | 12 > +++- > toolchain/glibc/patches/2.21/200-add-dl-search-paths.patch | 2 +- > 3 files changed, 12 insertions(+), 8 deletions(-) > > diff --git a/toolchain/glibc/Config.version b/toolchain/glibc/Config.version > index 2ac01d7..4ceed09 100644 > --- a/toolchain/glibc/Config.version > +++ b/toolchain/glibc/Config.version > @@ -12,12 +12,6 @@ config EGLIBC_VERSION_2_19 config GLIBC_VERSION_2_21 > bool > > -config GLIBC_REVISION > - string > - default "25243" if EGLIBC_VERSION_2_19 > - default "4e42b5b8f8" if GLIBC_VERSION_2_21 > - default "" > - > endif > > menu "eglibc configuration" > diff --git a/toolchain/glibc/common.mk b/toolchain/glibc/common.mk index > 7487ca2..3d680bb 100644 > --- a/toolchain/glibc/common.mk > +++ b/toolchain/glibc/common.mk 
> @@ -6,9 +6,19 @@ > # > include $(TOPDIR)/rules.mk > > + > +MD5SUM_2.19 = 42dad4edd3bcb38006d13b5640b00b38 > +REVISION_2.19 = 25243 > + > +MD5SUM_2.21 = 76050a65c444d58b5c4aa0d6034736ed > +REVISION_2.21 = 16d0a0c > + > + > PKG_NAME:=glibc > PKG_VERSION:=$(call qstrip,$(CONFIG_GLIBC_VERSION)) -PKG_REVISION:=$(call > qstrip,$(CONFIG_GLIBC_REVISION)) > + > +PKG_REVISION:=$(REVISION_$(PKG_VERSION)) > +PKG_MIRROR_MD5SUM:=$(MD5SUM_$(PKG_VERSION)) > > PKG_SOURCE_PROTO:=git > PKG_SOURCE_URL:=git://sourceware.org/git/glibc.git > diff --git a/toolchain/glibc/patches/2.21/200-add-dl-search-paths.patch > b/toolchain/glibc/patches/2.21/200-add-dl-search-paths.patch > index a6200f7..070f938 100644 > --- a/toolchain/glibc/patches/2.21/200-add-dl-search-paths.patch > +++ b/toolchain/glibc/patches/2.21/200-add-dl-search-paths.patch > @@ -2,7 +2,7 @@ add /usr/lib to default search path for the dynamic linker > > --- a/Makeconfig > +++ b/Makeconfig > -@@ -501,6 +501,9 @@ else > +@@ -499,6 +499,9 @@ else > default-rpath = $(libdir) > endif > > -- > 2.7.1 > ___ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel > ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] CC: toolchain: use latest glibc 2.21 revision
Fixes "CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow" Signed-off-by: Michael Marley <mich...@michaelmarley.com> --- toolchain/glibc/Config.version | 6 -- toolchain/glibc/common.mk | 12 +++- toolchain/glibc/patches/2.21/200-add-dl-search-paths.patch | 2 +- 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/toolchain/glibc/Config.version b/toolchain/glibc/Config.version index 2ac01d7..4ceed09 100644 --- a/toolchain/glibc/Config.version +++ b/toolchain/glibc/Config.version @@ -12,12 +12,6 @@ config EGLIBC_VERSION_2_19 config GLIBC_VERSION_2_21 bool -config GLIBC_REVISION - string - default "25243" if EGLIBC_VERSION_2_19 - default "4e42b5b8f8" if GLIBC_VERSION_2_21 - default "" - endif menu "eglibc configuration" diff --git a/toolchain/glibc/common.mk b/toolchain/glibc/common.mk index 7487ca2..3d680bb 100644 --- a/toolchain/glibc/common.mk +++ b/toolchain/glibc/common.mk @@ -6,9 +6,19 @@ # include $(TOPDIR)/rules.mk + +MD5SUM_2.19 = 42dad4edd3bcb38006d13b5640b00b38 +REVISION_2.19 = 25243 + +MD5SUM_2.21 = 76050a65c444d58b5c4aa0d6034736ed +REVISION_2.21 = 16d0a0c + + PKG_NAME:=glibc PKG_VERSION:=$(call qstrip,$(CONFIG_GLIBC_VERSION)) -PKG_REVISION:=$(call qstrip,$(CONFIG_GLIBC_REVISION)) + +PKG_REVISION:=$(REVISION_$(PKG_VERSION)) +PKG_MIRROR_MD5SUM:=$(MD5SUM_$(PKG_VERSION)) PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=git://sourceware.org/git/glibc.git diff --git a/toolchain/glibc/patches/2.21/200-add-dl-search-paths.patch b/toolchain/glibc/patches/2.21/200-add-dl-search-paths.patch index a6200f7..070f938 100644 --- a/toolchain/glibc/patches/2.21/200-add-dl-search-paths.patch +++ b/toolchain/glibc/patches/2.21/200-add-dl-search-paths.patch @@ -2,7 +2,7 @@ add /usr/lib to default search path for the dynamic linker --- a/Makeconfig 
+++ b/Makeconfig -@@ -501,6 +501,9 @@ else +@@ -499,6 +499,9 @@ else default-rpath = $(libdir) endif -- 2.7.1 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
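Review bot: `REVISION_2.21 = 16d0a0c` in the toolchain/glibc/common.mk hunk pins the CVE-2015-7547 fix to a seven-character abbreviated commit id, shorter than the ten-character `4e42b5b8f8` it replaces in Config.version, while the source is still fetched over unauthenticated `git://sourceware.org/git/glibc.git`. For a fresh clone the revision is the only thing tying the build to the intended tree, and `PKG_MIRROR_MD5SUM` only covers the mirrored tarball, with MD5, so I would put the full 40-character hash here. A comment beside `REVISION_2.21` saying that it is the head of the 2.21 branch carrying the getaddrinfo() backport would also answer up front why a 2.21 revision fixes the CVE. Note too that `$(REVISION_$(PKG_VERSION))` expands to an empty string for any version that has no matching `REVISION_` line.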
Re: [OpenWrt-Devel] [PATCH] qos-scripts: Add IPv6 support
The problem still happens for me even without the txqueuelen change.

Michael

On 01/22/16 07:15, Felix Fietkau wrote:
> On 2016-01-22 13:12, Weedy wrote:
>> ~Off topic~
>>
>> So I'm going to guess this means both of you have qos-scripts running
>> on current trunk builds?
>>
>> Have you seen anyone complaining about kernel panic in hfsc? Should I
>> make a trac ticket?
>>
>> ar71xx/TLWDR4300
>> WARNING: CPU: 0 PID: 0 at net/sched/sch_hfsc.c:1429 0x831f5b2c()
> Can you please test if my recent removal of the txqueuelen override
> makes a difference here?
>
> - Felix
Re: [OpenWrt-Devel] [PATCH] qos-scripts: Add IPv6 support
Here is an updated version with three improvements. The problem with the rules not being removed (which was not new and actually caused by a grep command incompatible with musl) was fixed by using an updated grep command (thanks nbd!). The problems pertaining to the xtables lock (including "too many links" and "directory not empty") were fixed by always executing ip[6]tables with the "-w" command-line argument to make it wait for the xtables lock. Lastly, I fixed a place where I hardcoded "iptables" and "ip6tables" instead of looping over the array like everywhere else. --trim here-- This adds IPv6 support to qos-scripts for both tc/qdisc and the iptables classification rules. The tc/qdisc part is accomplished by removing "protocol ip" from the tc command line, causing the rule to be applied to all protocols. The iptables part is accomplished by adding each rule using both iptables and ip6tables. This patch is based on previous work by Ilkka Ollakka and Dominique Martinet. Signed-off-by: Michael Marley <mich...@michaelmarley.com> --- .../qos-scripts/files/usr/lib/qos/generate.sh | 90 +++--- .../qos-scripts/files/usr/lib/qos/tcrules.awk | 2 +- 2 files changed, 64 insertions(+), 28 deletions(-) diff --git a/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh b/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh index caa1125..4a39411 100755 --- a/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh +++ b/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh 
@@ -336,11 +336,11 @@ tc class add dev $dev parent 1: classid 1:1 hfsc sc rate ${rate}kbit ul rate ${r if [ -n "$halfduplex" ]; then export dev_up="tc qdisc del dev $device root >&- 2>&- tc qdisc add dev $device root handle 1: hfsc -tc filter add dev $device parent 1: protocol ip prio 10 u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev ifb$ifbdev" +tc filter add dev $device parent 1: prio 10 u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev ifb$ifbdev" elif [ -n "$download" ]; then append dev_${dir} "tc qdisc del dev $device ingress >&- 2>&- tc qdisc add dev $device ingress -tc filter add dev $device parent : protocol ip prio 1 u32 match u32 0 0 flowid 1:1 action connmark action mirred egress redirect dev ifb$ifbdev" "$N" +tc filter add dev $device parent : prio 1 u32 match u32 0 0 flowid 1:1 action connmark action mirred egress redirect dev ifb$ifbdev" "$N" fi add_insmod cls_fw add_insmod sch_hfsc @@ -397,17 +397,23 @@ start_cg() { local pktrules local sizerules enum_classes "$cg" -add_rules iptrules "$ctrules" "iptables -t mangle -A qos_${cg}_ct" +for command in $iptables; do +add_rules iptrules "$ctrules" "$command -w -t mangle -A qos_${cg}_ct" +done config_get classes "$cg" classes for class in $classes; do config_get mark "$class" classnr config_get maxsize "$class" maxsize [ -z "$maxsize" -o -z "$mark" ] || { add_insmod xt_length -append pktrules "iptables -t mangle -A qos_${cg} -m mark --mark $mark/0x0f -m length --length $maxsize: -j MARK --set-mark 0/0xff" "$N" +for command in $iptables; do +append pktrules "$command -w -t mangle -A qos_${cg} -m mark --mark $mark/0x0f -m length --length $maxsize: -j MARK --set-mark 0/0xff" "$N" +done } done -add_rules pktrules "$rules" "iptables -t mangle -A qos_${cg}" +for command in $iptables; do +add_rules pktrules "$rules" "$command -w -t mangle -A qos_${cg}" +done for iface in $INTERFACES; do config_get classgroup "$iface" classgroup config_get device "$iface" device 
@@ -416,18 +422,40 @@ start_cg() { config_get download "$iface" download config_get halfduplex "$iface" halfduplex download="${download:-${halfduplex:+$upload}}" -append up "iptables -t mangle -A OUTPUT -o $device -j qos_${cg}" "$N" -append up "iptables -t mangle -A FORWARD -o $device -j qos_${cg}" "$N" +for command in $iptables; do +append up "$command -w -t mangle -A OUTPUT -o $device -j qos_${cg}" "$N" +append up "$command -w -t mangle -A FORWARD -o $device -j qos_${cg}" "$N" +done done cat <&- 2>&- -iptables -t mangle -N qos_${cg}_ct >&- 2>&- -${iptrules:+${iptrules}${N}iptables -t mangle -A qos_${cg}_ct -j CONNMARK --save-mark --mask 0xff} -iptables -t mangle -A qos_${cg} -j CONNMARK --restore-mark --mask 0x0f -iptables -t mangle -A qos_${cg} -m mark --mark 0/0x0f -j qos_${cg}_ct +EOF + +for command in $iptables; do +cat <https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH] qos-scripts: Add IPv6 support
I apologize, my client mangled my previous attempt at resubmission. Here is an updated version with three improvements. The problem with the rules not being removed (which was not new and actually caused by a grep command incompatible with musl) was fixed by using an updated grep command (thanks nbd!). The problems pertaining to the xtables lock (including "too many links" and "directory not empty") were fixed by always executing ip[6]tables with the "-w" command-line argument to make it wait for the xtables lock. Lastly, I fixed a place where I hardcoded "iptables" and "ip6tables" instead of looping over the array like everywhere else. --trim here-- This adds IPv6 support to qos-scripts for both tc/qdisc and the iptables classification rules. The tc/qdisc part is accomplished by removing "protocol ip" from the tc command line, causing the rule to be applied to all protocols. The iptables part is accomplished by adding each rule using both iptables and ip6tables. This patch is based on previous work by Ilkka Ollakka and Dominique Martinet. Signed-off-by: Michael Marley <mich...@michaelmarley.com> --- .../qos-scripts/files/usr/lib/qos/generate.sh | 90 +++--- .../qos-scripts/files/usr/lib/qos/tcrules.awk | 2 +- 2 files changed, 64 insertions(+), 28 deletions(-) diff --git a/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh b/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh index caa1125..4a39411 100755 --- a/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh +++ b/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh 
@@ -336,11 +336,11 @@ tc class add dev $dev parent 1: classid 1:1 hfsc sc rate ${rate}kbit ul rate ${r if [ -n "$halfduplex" ]; then export dev_up="tc qdisc del dev $device root >&- 2>&- tc qdisc add dev $device root handle 1: hfsc -tc filter add dev $device parent 1: protocol ip prio 10 u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev ifb$ifbdev" +tc filter add dev $device parent 1: prio 10 u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev ifb$ifbdev" elif [ -n "$download" ]; then append dev_${dir} "tc qdisc del dev $device ingress >&- 2>&- tc qdisc add dev $device ingress -tc filter add dev $device parent : protocol ip prio 1 u32 match u32 0 0 flowid 1:1 action connmark action mirred egress redirect dev ifb$ifbdev" "$N" +tc filter add dev $device parent : prio 1 u32 match u32 0 0 flowid 1:1 action connmark action mirred egress redirect dev ifb$ifbdev" "$N" fi add_insmod cls_fw add_insmod sch_hfsc @@ -397,17 +397,23 @@ start_cg() { local pktrules local sizerules enum_classes "$cg" - add_rules iptrules "$ctrules" "iptables -t mangle -A qos_${cg}_ct" + for command in $iptables; do + add_rules iptrules "$ctrules" "$command -w -t mangle -A qos_${cg}_ct" + done config_get classes "$cg" classes for class in $classes; do config_get mark "$class" classnr config_get maxsize "$class" maxsize [ -z "$maxsize" -o -z "$mark" ] || { add_insmod xt_length - append pktrules "iptables -t mangle -A qos_${cg} -m mark --mark $mark/0x0f -m length --length $maxsize: -j MARK --set-mark 0/0xff" "$N" + for command in $iptables; do + append pktrules "$command -w -t mangle -A qos_${cg} -m mark --mark $mark/0x0f -m length --length $maxsize: -j MARK --set-mark 0/0xff" "$N" + done } done - add_rules pktrules "$rules" "iptables -t mangle -A qos_${cg}" + for command in $iptables; do + add_rules pktrules "$rules" "$command -w -t mangle -A qos_${cg}" + done for iface in $INTERFACES; do config_get classgroup "$iface" classgroup config_get device "$iface" device 
@@ -416,18 +422,40 @@ start_cg() { config_get download "$iface" download config_get halfduplex "$iface" halfduplex download="${download:-${halfduplex:+$upload}}" - append up "iptables -t mangle -A OUTPUT -o $device -j qos_${cg}" "$N" - append up "iptables -t mangle -A FORWARD -o $device -j qos_${cg}" "$N" + for command in $iptables; do + append up "$command -w -t mangle -A OUTPUT -o $
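Review bot: In the @@ -336 hunk, dropping `protocol ip` from both `tc filter add` lines makes the catch-all `u32 match u32 0 0` filter apply to every protocol, not only IPv4 and IPv6, so ARP and other non-IP frames are now redirected to `ifb$ifbdev` and shaped as well. If the goal is only to add IPv6, install one filter with `protocol ip` and one with `protocol ipv6` (they need distinct prio values); otherwise say in the commit message that shaping non-IP traffic is intended.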
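Review bot: In the @@ -397 hunk, `for command in $iptables` feeds the same `$ctrules` and `$rules` text to every command in the list, so a classification rule carrying an IPv4-only match (an IPv4 source address, for example) will be rejected when it is emitted for ip6tables, and the reverse for IPv6-only matches. Please confirm that the rule generator skips family-specific matches for the other family, or emit such rules only for the matching command. The definition of `$iptables` is also not in the visible hunks; a short comment where it is set, listing its expected contents, would make these loops easier to follow.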
[OpenWrt-Devel] [PATCH] qos-scripts: Fix classification of ingress traffic
Set the save-mark mask for the qos_${cg} chain to 0xff instead of 0xf0. With the old value, the nibble that was saved would be masked during the restore, preventing ingress traffic from being classified. Thanks to nbd for recommending the fix. Signed-off-by: Michael Marley <mich...@michaelmarley.com> --- package/network/config/qos-scripts/files/usr/lib/qos/generate.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh b/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh index 8d22b67..caa1125 100755 --- a/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh +++ b/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh @@ -427,7 +427,7 @@ ${iptrules:+${iptrules}${N}iptables -t mangle -A qos_${cg}_ct -j CONNMARK --save iptables -t mangle -A qos_${cg} -j CONNMARK --restore-mark --mask 0x0f iptables -t mangle -A qos_${cg} -m mark --mark 0/0x0f -j qos_${cg}_ct $pktrules -${iptrules:+${iptrules}${N}iptables -t mangle -A qos_${cg} -j CONNMARK --save-mark --mask 0xf0} +${iptrules:+${iptrules}${N}iptables -t mangle -A qos_${cg} -j CONNMARK --save-mark --mask 0xff} $up$N${down:+${down}$N} EOF unset INSMOD -- 2.7.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
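Review bot: On the changed `-A qos_${cg} -j CONNMARK --save-mark` line, the new mask `0xff` is wider than the `--restore-mark --mask 0x0f` two lines above it, so bits 4-7 of the packet mark are now written to the connmark on every pass but never read back by this chain. If only the low nibble carries the class, `--mask 0x0f` would mirror the restore exactly; if the upper nibble is used elsewhere, a comment above these rules describing the mark layout would make the masks (`0x0f` on restore, `0xff` on save, and the `0/0x0f` test) reviewable. The changed line also expands `${iptrules}` again, after the `qos_${cg}_ct` line shown in the hunk header already did, which is worth confirming as intended.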
[OpenWrt-Devel] [PATCH] qos-scripts: Allow classification by the traffic's source interface
This adds a "srciface" option that can be used on classification rules in /etc/config/qos. This is useful to allow prioritization based on the local network from which the traffic originates, for example to deprioritize traffic from a guest network. Signed-off-by: Michael Marley <mich...@michaelmarley.com> --- package/network/config/qos-scripts/files/usr/lib/qos/generate.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh b/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh index 8d22b67..67988fa 100755 --- a/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh +++ b/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh @@ -141,6 +141,9 @@ parse_matching_rule() { append "$var" "-i $device" fi ;; + *:srciface) + append "$var" "-i $value" + ;; 1:pktsize) value="$(echo "$value" | sed -e 's,-,:,g')" add_insmod xt_length -- 2.7.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
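Review bot: The new `*:srciface)` case appends `-i $value` unconditionally, while the case directly above it already appends `-i $device`, so a rule that triggers both ends up with two `-i` options, which iptables rejects. Either make the two mutually exclusive or let `srciface` replace the earlier `-i`. `$value` is also taken from /etc/config/qos and placed into the rule string as is; checking it against a conservative interface-name pattern before the `append` would keep a malformed entry from adding extra arguments to the generated command. The option should also be documented next to the other classification options.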
[OpenWrt-Devel] [PATCH] qos-scripts: Add IPv6 support
This adds IPv6 support to qos-scripts for both tc/qdisc and the iptables classification rules. The tc/qdisc part is accomplished by removing "protocol ip" from the tc command line, causing the rule to be applied to all protocols. The iptables part is accomplished by adding each rule using both iptables and ip6tables. This patch is based on previous work by Ilkka Ollakka and Dominique Martinet. Signed-off-by: Michael Marley <mich...@michaelmarley.com> --- .../qos-scripts/files/usr/lib/qos/generate.sh | 86 +++--- .../qos-scripts/files/usr/lib/qos/tcrules.awk | 2 +- 2 files changed, 62 insertions(+), 26 deletions(-) diff --git a/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh b/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh index caa1125..765926b 100755 --- a/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh +++ b/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh @@ -336,11 +336,11 @@ tc class add dev $dev parent 1: classid 1:1 hfsc sc rate ${rate}kbit ul rate ${r if [ -n "$halfduplex" ]; then export dev_up="tc qdisc del dev $device root >&- 2>&- tc qdisc add dev $device root handle 1: hfsc -tc filter add dev $device parent 1: protocol ip prio 10 u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev ifb$ifbdev" +tc filter add dev $device parent 1: prio 10 u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev ifb$ifbdev" elif [ -n "$download" ]; then append dev_${dir} "tc qdisc del dev $device ingress >&- 2>&- tc qdisc add dev $device ingress -tc filter add dev $device parent : protocol ip prio 1 u32 match u32 0 0 flowid 1:1 action connmark action mirred egress redirect dev ifb$ifbdev" "$N" +tc filter add dev $device parent : prio 1 u32 match u32 0 0 flowid 1:1 action connmark action mirred egress redirect dev ifb$ifbdev" "$N" fi add_insmod cls_fw add_insmod sch_hfsc 
@@ -397,17 +397,23 @@ start_cg() { local pktrules local sizerules enum_classes "$cg" - add_rules iptrules "$ctrules" "iptables -t mangle -A qos_${cg}_ct" + for command in $iptables; do + add_rules iptrules "$ctrules" "$command -t mangle -A qos_${cg}_ct" + done config_get classes "$cg" classes for class in $classes; do config_get mark "$class" classnr config_get maxsize "$class" maxsize [ -z "$maxsize" -o -z "$mark" ] || { add_insmod xt_length - append pktrules "iptables -t mangle -A qos_${cg} -m mark --mark $mark/0x0f -m length --length $maxsize: -j MARK --set-mark 0/0xff" "$N" + for command in $iptables; do + append pktrules "$command -t mangle -A qos_${cg} -m mark --mark $mark/0x0f -m length --length $maxsize: -j MARK --set-mark 0/0xff" "$N" + done } done - add_rules pktrules "$rules" "iptables -t mangle -A qos_${cg}" + for command in $iptables; do + add_rules pktrules "$rules" "$command -t mangle -A qos_${cg}" + done for iface in $INTERFACES; do config_get classgroup "$iface" classgroup config_get device "$iface" device @@ -416,18 +422,40 @@ start_cg() { config_get download "$iface" download config_get halfduplex "$iface" halfduplex download="${download:-${halfduplex:+$upload}}" + append up "ip6tables -t mangle -A OUTPUT -o $device -j qos_${cg}" "$N" + append up "ip6tables -t mangle -A FORWARD -o $device -j qos_${cg}" "$N" append up "iptables -t mangle -A OUTPUT -o $device -j qos_${cg}" "$N" append up "iptables -t mangle -A FORWARD -o $device -j qos_${cg}" "$N" done cat <&- 2>&- -iptables -t mangle -N qos_${cg}_ct >&- 2>&- -${iptrules:+${iptrules}${N}iptables -t mangle -A qos_${cg}_ct -j CONNMARK --save-mark --mask 0xff} -iptables -t mangle -A qos_${cg} -j CONNMARK --restore-mark --mask 0x0f -iptables -t mangle -A qos_${cg} -m mark --mark 0/0x0f -j qos_${cg}_ct +EOF + +for command in $iptables; do + cat <https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
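Review bot: In the @@ -416 hunk, the four `append up` lines spell out `ip6tables` and `iptables` by hand while the @@ -397 hunk loops with `for command in $iptables`, so the list of commands is maintained in two places; use the same loop here. None of the generated commands waits for the xtables lock either, so rules emitted for the two families back to back can fail when another process holds it; passing `-w` on each invocation avoids that.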