Re: [LEDE-DEV] [RFC 2/3] ipq: Don't force selection of the IPQ4019 firmware.
On 11/03/2017 05:58 PM, Christian Lamparter wrote: On Friday, November 3, 2017 5:05:39 PM CET gree...@candelatech.com wrote: From: Ben GreearThis will allow us to select the CT IPQ4019 firmware instead if desired. Signed-off-by: Ben Greear --- package/firmware/ipq-wifi/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package/firmware/ipq-wifi/Makefile b/package/firmware/ipq-wifi/Makefile index aec8bf2..31d0fbf 100644 --- a/package/firmware/ipq-wifi/Makefile +++ b/package/firmware/ipq-wifi/Makefile @@ -20,7 +20,7 @@ define Package/ipq-wifi-default SUBMENU:=ath10k IPQ4019 Boarddata SECTION:=firmware CATEGORY:=Firmware - DEPENDS:=@TARGET_ipq806x +ath10k-firmware-qca4019 + DEPENDS:=@TARGET_ipq806x Hm, this would break the WIFI in the default configuration for the FritzBox 4040 image. Currently it only has a dependency on the ipq-wifi-fritz4040. (So it will end up without a firmware-5.bin) Please also note that the ipq-wifi boards need to overwrite the board-2.bin provided by the ath10k-firmware-qca4019(-ct) packages. So switching (or up-/downgrading) these wifi-firmwares will always require the (manual) reinstallation of the ipq-wifi board (if available). Maybe have the custom board.data file named slightly differently and then have an early fixup script to copy it into the proper place on first boot? And, we could hack the driver to look for a custom board-2.bin first and just install both board-x.bin images. And, can we have the IPQ boards select the stock 4019 firmware by default but still allow it to be de-selected so CT firmware can be selected? Or if not, then I can call my firmware something different, and have my driver look for it before the firmware-5.bin. Thanks, Ben -- Ben Greear Candela Technologies Inc http://www.candelatech.com ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] [RFC 2/3] ipq: Don't force selection of the IPQ4019 firmware.
On Friday, November 3, 2017 5:05:39 PM CET gree...@candelatech.com wrote: > From: Ben Greear> > This will allow us to select the CT IPQ4019 firmware instead if > desired. > > Signed-off-by: Ben Greear > --- > package/firmware/ipq-wifi/Makefile | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/package/firmware/ipq-wifi/Makefile > b/package/firmware/ipq-wifi/Makefile > index aec8bf2..31d0fbf 100644 > --- a/package/firmware/ipq-wifi/Makefile > +++ b/package/firmware/ipq-wifi/Makefile > @@ -20,7 +20,7 @@ define Package/ipq-wifi-default >SUBMENU:=ath10k IPQ4019 Boarddata >SECTION:=firmware >CATEGORY:=Firmware > - DEPENDS:=@TARGET_ipq806x +ath10k-firmware-qca4019 > + DEPENDS:=@TARGET_ipq806x Hm, this would break the WIFI in the default configuration for the FritzBox 4040 image. Currently it only has a dependency on the ipq-wifi-fritz4040. (So it will end up without a firmware-5.bin) Please also note that the ipq-wifi boards need to overwrite the board-2.bin provided by the ath10k-firmware-qca4019(-ct) packages. So switching (or up-/downgrading) these wifi-firmwares will always require the (manual) reinstallation of the ipq-wifi board (if available). ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
[LEDE-DEV] [RFC 3/3] ath10k-firmware: Support CT IPQ4019 firmware.
From: Ben GreearInitial beta release of the CT IPQ4019 firmware. Features are somewhat similar to the CT 9984 firmware, but more testing and tweaking is yet to come. Signed-off-by: Ben Greear --- package/firmware/ath10k-firmware/Makefile | 33 +++ 1 file changed, 33 insertions(+) diff --git a/package/firmware/ath10k-firmware/Makefile b/package/firmware/ath10k-firmware/Makefile index 1c6f4df..6255699 100644 --- a/package/firmware/ath10k-firmware/Makefile +++ b/package/firmware/ath10k-firmware/Makefile @@ -85,6 +85,13 @@ define Download/ath10k-firmware-qca9984-ct endef $(eval $(call Download,ath10k-firmware-qca9984-ct)) +QCA4019_FIRMWARE_FILE_CT:=firmware-5-ct-full-community-10.bin-lede.001 +define Download/ath10k-firmware-qca4019-ct + $(call Download/ct-firmware,QCA4019,ath10k-4019-10-4) + HASH:=1a1881eb204d295684773b483046dfd3f33d3fc02500ea203ad6676d670837c4 +endef +$(eval $(call Download,ath10k-firmware-qca4019-ct)) + QCA9888_FIRMWARE_FILE_CT:=firmware-5-ct-full-community-9.bin-lede.004 define Download/ath10k-firmware-qca9888-ct $(call Download/ct-firmware,QCA9888,ath10k-9888-10-4) @@ -146,6 +153,14 @@ This firmware conflicts with the standard 9984 firmware, so select only one. endef +define Package/ath10k-firmware-qca4019-ct/description +Alternative ath10k firmware for IPQ4019 radio from Candela Technologies. +Enables IBSS and other features. See: +http://www.candelatech.com/ath10k-10.4.php +This firmware conflicts with the standard IPQ4019 firmware, so select only +one. +endef + define Package/ath10k-firmware-qca9888-ct/description Alternative ath10k firmware for QCA9886 and QCA9888 from Candela Technologies. Enables IBSS and other features. See: @@ -174,6 +189,13 @@ $(Package/ath10k-firmware-default) CATEGORY:=Firmware endef +define Package/ath10k-firmware-qca4019-ct +$(Package/ath10k-firmware-default) + TITLE:=ath10k CT 10.4.3 firmware for QCA4019 devices + SECTION:=firmware + CATEGORY:=Firmware +endef + define Package/ath10k-firmware-qca9888-ct $(Package/ath10k-firmware-default) TITLE:=ath10k CT 10.4.3 firmware for QCA9886 and QCA9888 devices @@ -328,6 +350,16 @@ define Package/ath10k-firmware-qca9984-ct/install $(1)/lib/firmware/ath10k/QCA9984/hw1.0/firmware-5.bin endef +define Package/ath10k-firmware-qca4019-ct/install + $(INSTALL_DIR) $(1)/lib/firmware/ath10k/QCA4019/hw1.0 + $(INSTALL_DATA) \ + $(PKG_BUILD_DIR)/QCA4019/hw1.0/board-2.bin \ + $(1)/lib/firmware/ath10k/QCA4019/hw1.0/ + $(INSTALL_DATA) \ + $(DL_DIR)/$(call CT_FIRMWARE_FILE,QCA4019) \ + $(1)/lib/firmware/ath10k/QCA4019/hw1.0/firmware-5.bin +endef + define Package/ath10k-firmware-qca9888-ct/install $(INSTALL_DIR) $(1)/lib/firmware/ath10k/QCA9888/hw2.0 ln -s \ @@ -353,4 +385,5 @@ $(eval $(call BuildPackage,ath10k-firmware-qca9887-ct)) $(eval $(call BuildPackage,ath10k-firmware-qca988x-ct)) $(eval $(call BuildPackage,ath10k-firmware-qca99x0-ct)) $(eval $(call BuildPackage,ath10k-firmware-qca9984-ct)) +$(eval $(call BuildPackage,ath10k-firmware-qca4019-ct)) $(eval $(call BuildPackage,ath10k-firmware-qca9888-ct)) -- 2.4.11 ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
[LEDE-DEV] [RFC 2/3] ipq: Don't force selection of the IPQ4019 firmware.
From: Ben GreearThis will allow us to select the CT IPQ4019 firmware instead if desired. Signed-off-by: Ben Greear --- package/firmware/ipq-wifi/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package/firmware/ipq-wifi/Makefile b/package/firmware/ipq-wifi/Makefile index aec8bf2..31d0fbf 100644 --- a/package/firmware/ipq-wifi/Makefile +++ b/package/firmware/ipq-wifi/Makefile @@ -20,7 +20,7 @@ define Package/ipq-wifi-default SUBMENU:=ath10k IPQ4019 Boarddata SECTION:=firmware CATEGORY:=Firmware - DEPENDS:=@TARGET_ipq806x +ath10k-firmware-qca4019 + DEPENDS:=@TARGET_ipq806x TITLE:=Custom Board endef -- 2.4.11 ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
[LEDE-DEV] [RFC 1/3] Update to latest ath10k-ct driver, enable AHB.
From: Ben GreearThe driver updates include: ath10k driver backport to fix WPA 'pn' related security bugs (4.13 based driver only currently), a fix for off-channel TX for CT wave-1 firmware, a likely fix for napi related crashes, and a backport of the firmware fetch patch. AHB is needed for the IPQ4019 platform radios. Signed-off-by: Ben Greear --- package/kernel/ath10k-ct/Makefile | 12 +--- ...ctivate-user-space-firmware-loading-again.patch | 36 -- 2 files changed, 7 insertions(+), 41 deletions(-) delete mode 100644 package/kernel/ath10k-ct/patches/130-ath10k-activate-user-space-firmware-loading-again.patch diff --git a/package/kernel/ath10k-ct/Makefile b/package/kernel/ath10k-ct/Makefile index 82d7664..5669a9f 100644 --- a/package/kernel/ath10k-ct/Makefile +++ b/package/kernel/ath10k-ct/Makefile @@ -9,7 +9,7 @@ PKG_LICENSE_FILES:= PKG_SOURCE_URL:=https://github.com/greearb/ath10k-ct.git PKG_SOURCE_PROTO:=git PKG_SOURCE_DATE:=2017-06-13 -PKG_SOURCE_VERSION:=bded1823912549017d819d1796273b3134c3de20 +PKG_SOURCE_VERSION:=df29a72a16b54ce337b80ccc1ca0389bc1f77a6f PKG_MIRROR_HASH:=616174650e12a82edb6b6bd18ac186e2c6a48fdad0082df9d2011ab20940814b PKG_MAINTAINER:=Ben Greear @@ -29,7 +29,7 @@ include $(INCLUDE_DIR)/package.mk define KernelPackage/ath10k-ct SUBMENU:=Wireless Drivers TITLE:=ath10k-ct driver optimized for CT ath10k firmware - DEPENDS:=+kmod-mac80211 +kmod-ath +@DRIVER_11N_SUPPORT +@DRIVER_11AC_SUPPORT @PCI_SUPPORT +@KERNEL_RELAY +kmod-hwmon-core + DEPENDS:= @PCI_SUPPORT +kmod-ath +@DRIVER_11N_SUPPORT +@DRIVER_11AC_SUPPORT +@DRIVER_11W_SUPPORT +@KERNEL_RELAY +kmod-hwmon-core FILES:=\ $(PKG_BUILD_DIR)/ath10k$(CT_KVER)/ath10k_pci.ko \ $(PKG_BUILD_DIR)/ath10k$(CT_KVER)/ath10k_core.ko @@ -50,9 +50,11 @@ ifdef CONFIG_PACKAGE_MAC80211_MESH endif CT_MAKEDEFS += CONFIG_ATH10K=m CONFIG_ATH10K_PCI=m -# No AHB support enabled yet. Could conditionally enable it later. -#CT_MAKEDEFS += CONFIG_ATH10K_AHB=y -#NOSTDINC_FLAGS += -DCONFIG_ATH10K_AHB + +# This AHB logic is needed for IPQ4019 radios +CT_MAKEDEFS += CONFIG_ATH10K_AHB=m +NOSTDINC_FLAGS += -DCONFIG_ATH10K_AHB + NOSTDINC_FLAGS += -DSTANDALONE_CT ifdef CONFIG_PACKAGE_MAC80211_DEBUGFS diff --git a/package/kernel/ath10k-ct/patches/130-ath10k-activate-user-space-firmware-loading-again.patch b/package/kernel/ath10k-ct/patches/130-ath10k-activate-user-space-firmware-loading-again.patch deleted file mode 100644 index dc02a9d..000 --- a/package/kernel/ath10k-ct/patches/130-ath10k-activate-user-space-firmware-loading-again.patch +++ /dev/null @@ -1,36 +0,0 @@ -From c0cc00f250e19c717fc9cdbdb7f55aaa569c7498 Mon Sep 17 00:00:00 2001 -From: Hauke Mehrtens -Date: Thu, 24 Aug 2017 23:06:41 +0200 -Subject: [PATCH] ath10k: activate user space firmware loading again - -In commit 9f5bcfe93315 ("ath10k: silence firmware file probing -warnings") the firmware loading was changed from request_firmware() to -request_firmware_direct() to silence some warnings in case it fails. -request_firmware_direct() directly searches in the file system only and -does not send a hotplug event to user space in case it could not find -the firmware directly. -In LEDE we use a user space script to extract the calibration data from -the flash memory which gets triggered by the hotplug event. This way the -firmware gets extracted from some vendor specific partition when the -driver requests this firmware. This mechanism does not work any more -after this change. - -Fixes: 9f5bcfe93315 ("ath10k: silence firmware file probing warnings") -Signed-off-by: Hauke Mehrtens -Cc: Michal Kazior -Signed-off-by: Kalle Valo - ath10k-4.13/core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - a/ath10k-4.13/core.c -+++ b/ath10k-4.13/core.c -@@ -556,7 +556,7 @@ static const struct firmware *ath10k_fet - dir = "."; - - snprintf(filename, sizeof(filename), "%s/%s", dir, file); -- ret = request_firmware_direct(, filename, ar->dev); -+ ret = request_firmware(, filename, ar->dev); - ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot fw request '%s': %d\n", - filename, ret); - -- 2.4.11 ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
[LEDE-DEV] [PATCH procd] service: Start services normally when seccomp is disabled
When service init file declares seccomp support (procd_set_param seccomp), but procd is compiled without seccomp support, the service should be started normally, because seccomp-trace and utrace are not available. Older procd versions decided about whether to start a service in seccomp sandbox or not based on existence of seccomp whitelist in the filesystem. This was recently removed (c8faedc "Do not disable seccomp when configuration is not found", 2017-09-12) because it could be easy for attackers to disable seccomp support. This changes is a follow-up to the mentioned commit. With it, procd decides about whether to use seccomp sandbox based only on compile-time configuration. Signed-off-by: Michal Sojka--- CMakeLists.txt | 1 + service/instance.c | 9 ++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 7d05e97..4b3eebd 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -88,6 +88,7 @@ ADD_CUSTOM_COMMAND( ADD_CUSTOM_TARGET(capabilities-names-h DEPENDS capabilities-names.h) IF(SECCOMP_SUPPORT) +ADD_DEFINITIONS(-DSECCOMP_SUPPORT) ADD_LIBRARY(preload-seccomp SHARED jail/preload.c jail/seccomp.c) TARGET_LINK_LIBRARIES(preload-seccomp dl ubox blobmsg_json) INSTALL(TARGETS preload-seccomp diff --git a/service/instance.c b/service/instance.c index 7703686..29d6ea6 100644 --- a/service/instance.c +++ b/service/instance.c @@ -141,8 +141,6 @@ static const struct rlimit_name rlimit_names[] = { { NULL, 0 } }; -static char trace[] = "/sbin/utrace"; - static void closefd(int fd) { if (fd > STDERR_FILENO) @@ -315,10 +313,15 @@ instance_run(struct service_instance *in, int _stdout, int _stderr) argv = alloca(sizeof(char *) * (argc + in->jail.argc)); argc = 0; +#ifdef SECCOMP_SUPPORT if (in->trace) - argv[argc++] = trace; + argv[argc++] = "/sbin/utrace"; else if (seccomp) argv[argc++] = "/sbin/seccomp-trace"; +#else + if (in->trace || seccomp) + ULOG_WARN("Seccomp support for %s::%s not available\n", in->srv->name, in->name); +#endif if (in->has_jail) argc = jail_run(in, argv); -- 2.15.0.rc2 ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
[LEDE-DEV] [PATCH] procd: Always tell cmake whether to include seccomp support or not
Without this change, when a user disables seccomp support in .config, procd does not get recompiled unless the package is cleaned manually. It is because when -D option is missing from cmake command line, cmake uses cached value from the previous run where seccomp was enabled. Signed-off-by: Michal Sojka--- package/system/procd/Makefile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/package/system/procd/Makefile b/package/system/procd/Makefile index f424cea57d..3d413266e4 100644 --- a/package/system/procd/Makefile +++ b/package/system/procd/Makefile @@ -107,9 +107,8 @@ ifdef CONFIG_PACKAGE_procd-ujail CMAKE_OPTIONS += -DJAIL_SUPPORT=1 endif -ifdef CONFIG_PACKAGE_procd-seccomp - CMAKE_OPTIONS += -DSECCOMP_SUPPORT=1 -DUTRACE_SUPPORT=1 -endif +SECCOMP=$(if $(CONFIG_PACKAGE_procd-seccomp),1,0) +CMAKE_OPTIONS += -DSECCOMP_SUPPORT=$(SECCOMP) -DUTRACE_SUPPORT=$(SECCOMP) define Package/procd/install $(INSTALL_DIR) $(1)/sbin $(1)/etc $(1)/lib/functions -- 2.15.0.rc2 ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] umdns fails to launch (seccom related)?
On Fri, Nov 3, 2017 at 4:28 PM, Michal Sojkawrote: > you're right, I'm aware of the problem. I already have a patch with the > fix. I need to do a few cleanups before posting it - I'll look at that > tonight. Fantastic, Michal! I look forward to the fix. In the meantime I will just patch out the seccomp line on my build system so there's no hurry. Thanks for the quick response. ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] umdns fails to launch (seccom related)?
Hi Bryan, On Fri, Nov 03 2017, Bryan Mayland wrote: > I use a custom LEDE build as the basis for an open source project and > noticed recently that the umdns daemon has stopped loading. This also > occurs with the standard development snapshot with the umdns package > installed. > root@LEDE:~# /etc/init.d/umdns restart > Command failed: Request timed out > > umdns never launches so the service_started() handler waits for the 10 > seconds for the ubus response then fails. If I comment out the > `procd_set_param seccomp /etc/seccomp/umdns.json` line it works just > fine. I've also tried replacing the umdns executable with a simple > shell script and it never appears to execute. This occurs if the > daemon is configured to be jailed or not. > > Because my bcm2708 target does not have CONFIG_KERNEL_SECCOMP enabled, > this should not make a difference right? I've also tried adding a > /sbin/seccomp-trace which was just a shell script as well to launch > umdns and it had no effect. > > I believe it is a problem in procd but I'm not sure where else to look > as this seems like it could affect anything with a seccomp procd init, > and umdns is the only one that does this so far. you're right, I'm aware of the problem. I already have a patch with the fix. I need to do a few cleanups before posting it - I'll look at that tonight. -Michal ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
[LEDE-DEV] [PATCH v1] wireguard: version bump to 0.0.20171101
Update wireguard to latest snapshot: 9fc5daf version: bump snapshot 748ca6b compat: unbreak unloading on kernels 4.6 through 4.9 7be9894 timers: switch to kees' new timer_list functions 6be9a66 wg-quick: save all hooks on save 752e7af version: bump snapshot 2cd9642 wg-quick: fsync the temporary file before renaming b139499 wg-quick: allow for saving existing interface 582c201 contrib: add reresolve-dns 8e04be1 tools: correct type for CTRL_ATTR_FAMILY_ID c138276 wg-quick: allow for the hatchet, but not by default d03f2a0 global: use fewer BUG_ONs 6d681ce timers: guard entire setting in block 4bf32ca curve25519: only enable int128 if compiler support is sound 86e06a3 device: expand scope of destruct lock e3661ab global: get rid of useless forward declarations bedc77a device: only take reference if netns is different 7c07e22 wg-quick: remember to rewind DNS settings on failure 2352ec0 wg-quick: allow specifiying multiple hooks 573cb19 qemu: test using four cores e09ec4d global: style nits 4d3deae qemu: work around ccache bugs 7491cd4 global: infuriating kernel iterator style 78e079c peer: store total number of peers instead of iterating d4e2752 peer: get rid of peer_for_each magic 6cf12d1 compat: be sure to include header before testing 3ea08d8 qemu: allow for cross compilation d467551 crypto/avx: make sure we can actually use ymm registers c786c46 blake2: include headers for macros 328e386 global: accept decent check_patch.pl suggestions a473592 compat: fix up stat calculation for udp tunnel 9d930f5 stats: more robust accounting 311ca62 selftest: initialize mutex in routingtable selftest 8a9a6d3 netns: use time-based test instead of quantity-based e480068 netns: use read built-in instead of ncat hack for dmesg Compile-tested-for: ar71xx Run-tested-on: ar71xx Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant--- package/network/services/wireguard/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile index e1b60e2b1a..4a732abc98 100644 --- a/package/network/services/wireguard/Makefile +++ b/package/network/services/wireguard/Makefile @@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=wireguard -PKG_VERSION:=0.0.20171017 +PKG_VERSION:=0.0.20171101 PKG_RELEASE:=1 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/ -PKG_HASH:=57b79a62874d9b99659a744513d4f6f9d88cb772deaa99e485b6fed3004a35cd +PKG_HASH:=096b6482a65e566c7bf8c059f5ee6aadb2de565b04b6d810c685f1c377540325 PKG_LICENSE:=GPL-2.0 Apache-2.0 PKG_LICENSE_FILES:=COPYING -- 2.13.6 (Apple Git-96) ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
[LEDE-DEV] [PATCH v2] firewall3: ubus: parse the firewall data within the service itself
It gives the ability to create firewall rules within the service itself and independently of the instances. Changes since v1: - align coding style - if no instance is given (within the service), do not write it Signed-off-by: Pierre Lebleu--- ubus.c | 99 +- 1 file changed, 56 insertions(+), 43 deletions(-) diff --git a/ubus.c b/ubus.c index bcbe1e8..5bb4f5d 100644 --- a/ubus.c +++ b/ubus.c @@ -240,14 +240,47 @@ fw3_ubus_zone_devices(struct fw3_zone *zone) } } +static void fw3_ubus_rules_add(struct blob_buf *b, const char *service, + const char *instance, const char *device, + const struct blob_attr *rule, unsigned n) +{ + void *k = blobmsg_open_table(b, ""); + struct blob_attr *ropt; + unsigned orem; + char *type = NULL; + char comment[256]; + + blobmsg_for_each_attr(ropt, rule, orem) { + if (!strcmp(blobmsg_name(ropt), "type")) + type = blobmsg_data(ropt); + if (device && !strcmp(blobmsg_name(ropt), "device")) + device = blobmsg_get_string(ropt); + else if (strcmp(blobmsg_name(ropt), "name")) + blobmsg_add_blob(b, ropt); + } + + if (instance) + snprintf(comment, sizeof(comment), "ubus:%s[%s] %s %d", + service, instance, type ? type : "rule", n); + else + snprintf(comment, sizeof(comment), "ubus:%s %s %d", + service, type ? type : "rule", n); + + blobmsg_add_string(b, "name", comment); + + if (device) + blobmsg_add_string(b, "device", device); + + blobmsg_close_table(b, k); +} + void fw3_ubus_rules(struct blob_buf *b) { blob_buf_init(b, 0); - struct blob_attr *c, *cur, *dcur, *rule, *ropt; - unsigned n, r, rem, drem, rrem, orem; - char comment[256]; + struct blob_attr *c, *cur, *dcur, *rule; + unsigned n, r, rem, drem, rrem; blobmsg_for_each_attr(c, interfaces, r) { const char *l3_device = NULL; @@ -275,28 +308,9 @@ fw3_ubus_rules(struct blob_buf *b) n = 0; - blobmsg_for_each_attr(rule, dcur, rrem) { - void *k = blobmsg_open_table(b, ""); - char *type = NULL; - - blobmsg_for_each_attr(ropt, rule, orem) { - if (!strcmp(blobmsg_name(ropt), "type")) - type = blobmsg_data(ropt); - if (!strcmp(blobmsg_name(ropt), "device")) - l3_device = blobmsg_get_string(ropt); - else if (strcmp(blobmsg_name(ropt), "name")) - blobmsg_add_blob(b, ropt); - } - - snprintf(comment, sizeof(comment), "ubus:%s[%s] %s %d", - iface_name, iface_proto, - type ? type : "rule", n++); - - blobmsg_add_string(b, "name", comment); - - blobmsg_add_string(b, "device", l3_device); - blobmsg_close_table(b, k); - } + blobmsg_for_each_attr(rule, dcur, rrem) + fw3_ubus_rules_add(b, iface_name, iface_proto, + l3_device, rule, n++); } } @@ -313,31 +327,30 @@ fw3_ubus_rules(struct blob_buf *b) if (!blobmsg_check_attr(cur, true)) continue; + /* fw rules within the service itself */ + if (!strcmp(blobmsg_name(cur), "firewall")) { + n = 0; + + blobmsg_for_each_attr(rule, cur, rrem) + fw3_ubus_rules_add(b, blobmsg_name(c), + NULL, NULL, rule, n++); + + continue; + } + /* type */ blobmsg_for_each_attr(dcur, cur, drem) { if (!blobmsg_check_attr(dcur, true)) continue; - n = 0; - - blobmsg_for_each_attr(rule, dcur, rrem) { - void *k = blobmsg_open_table(b, ""); - char *type = NULL; - - blobmsg_for_each_attr(ropt, rule, orem) { -
[LEDE-DEV] umdns fails to launch (seccom related)?
I use a custom LEDE build as the basis for an open source project and noticed recently that the umdns daemon has stopped loading. This also occurs with the standard development snapshot with the umdns package installed. root@LEDE:~# /etc/init.d/umdns restart Command failed: Request timed out umdns never launches so the service_started() handler waits for the 10 seconds for the ubus response then fails. If I comment out the `procd_set_param seccomp /etc/seccomp/umdns.json` line it works just fine. I've also tried replacing the umdns executable with a simple shell script and it never appears to execute. This occurs if the daemon is configured to be jailed or not. Because my bcm2708 target does not have CONFIG_KERNEL_SECCOMP enabled, this should not make a difference right? I've also tried adding a /sbin/seccomp-trace which was just a shell script as well to launch umdns and it had no effect. I believe it is a problem in procd but I'm not sure where else to look as this seems like it could affect anything with a seccomp procd init, and umdns is the only one that does this so far. ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] 17.01.4 on Mikrotik RB951Ui-2HnD
On 03/11/2017 11:22, Nishant Sharma wrote: Hi Alberto, On Friday 03 November 2017 01:44 PM, Alberto Bursi wrote: On 03/11/2017 08:04, Nishant Sharma wrote: I am not able to find the documentation to install Lede 17.01.x on RB951Ui-2HnD. The device has since then gone into a boot loop. I searched on the forum as well, but couldn't find a solution. I've seen a thread in the forum too, (with no answer) so if you confirm it works either post there or report back here and I'll post the same instructions there too. https://forum.lede-project.org/t/installing-on-mikrotik-rb951ui-2hnd/3751 Thanks for your reply. I will put them on the forum as well. Here are the steps: 1. Download vmlinux-initramfs.elf (lede-17.01.4-ar71xx-mikrotik-vmlinux-initramfs.elf) and use it as boot file. 2. DHCP didn't give IP Address. Had to ssh using IPv6 address. Or statically assigning an IP of 192.168.1.x to my machine. 3. scp lede-17.01.4-ar71xx-mikrotik-nand-large-squashfs-sysupgrade.bin to the router. 4. sysupgrade -n lede-17.01.4-ar71xx-mikrotik-nand-large-squashfs-sysupgrade.bin 5. Router reboots after upgrade Where did my 20 MB of flash space go? df -h with old firmware: Filesystem Size Used Available Use% Mounted on rootfs 124.0M 35.4M 88.6M 29% / /dev/root 124.0M 35.4M 88.6M 29% / tmpfs 61.8M 61.8M 0 100% /tmp tmpfs 512.0K 0 512.0K 0% /dev df -h with new firmware: Filesystem Size Used Available Use% Mounted on /dev/root 2.5M 2.5M 0 100% /rom tmpfs 61.2M 52.0K 61.1M 0% /tmp /dev/ubi0_2 103.0M 36.0K 98.3M 0% /overlay overlayfs:/overlay 103.0M 36.0K 98.3M 0% / tmpfs 512.0K 0 512.0K 0% /dev Regards, Nishant They adjusted partitions (which is why you couldn't just sysupgrade from OpenWRT). Actually, with the new firmware you have 10 MB more usable space, even if partition is smaller. Look at the "Available" column. Old fw was 88MB, new fw is 98MB. -Alberto ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
[LEDE-DEV] [PATCH] dropbear: make syslog support configurable
By default dropbear logs to syslog which discloses info about account names when doing connection attempts (e.g. "Bad password attempt for 'engineer' from x.x.x.x:y") As this facilitates brute force attempts against account names; make syslog support configurable in order not to leak sensitive info via syslog. Signed-off-by: Hans Dedecker--- package/network/services/dropbear/Config.in | 6 ++ package/network/services/dropbear/Makefile | 7 --- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index ca0af9d..95316b9 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -56,4 +56,10 @@ config DROPBEAR_PUTUTLINE help Dropbear will use pututline() to write the utmp structure into the utmp file. +config DROPBEAR_DISABLE_SYSLOG + bool "Disable syslog logging" + default n + help + Disables syslog log support; log messages will be redirected to stderr. + endmenu diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 2db2f81..32efa7b 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dropbear PKG_VERSION:=2017.75 -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:= \ @@ -26,7 +26,8 @@ PKG_USE_MIPS16:=0 PKG_CONFIG_DEPENDS:= \ CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \ CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ - CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE + CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ + CONFIG_DROPBEAR_DISABLE_SYSLOG include $(INCLUDE_DIR)/package.mk @@ -69,7 +70,7 @@ endef CONFIGURE_ARGS += \ --disable-pam \ --enable-openpty \ - --enable-syslog \ + $(if $(CONFIG_DROPBEAR_DISABLE_SYSLOG),--disable-syslog,--enable-syslog) \ --disable-lastlog \ --disable-utmpx \ $(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \ -- 1.9.1 ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
[LEDE-DEV] WhiteBox Wireless Router Supplier
The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software.--- Begin Message --- Were looking for a (White Box/Lede 100% Compatible) wireless router supplier. If anyone has any recommendation. Must have: Dual Band (2.4/5.8Ac) At least 4 gigabit ports. 2 or more external antennas. Case: ISP providing wireless for customers,bulk order. --- End Message --- ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] 17.01.4 on Mikrotik RB951Ui-2HnD
Hi Alberto, On Friday 03 November 2017 01:44 PM, Alberto Bursi wrote: On 03/11/2017 08:04, Nishant Sharma wrote: I am not able to find the documentation to install Lede 17.01.x on RB951Ui-2HnD. The device has since then gone into a boot loop. I searched on the forum as well, but couldn't find a solution. I've seen a thread in the forum too, (with no answer) so if you confirm it works either post there or report back here and I'll post the same instructions there too. https://forum.lede-project.org/t/installing-on-mikrotik-rb951ui-2hnd/3751 Thanks for your reply. I will put them on the forum as well. Here are the steps: 1. Download vmlinux-initramfs.elf (lede-17.01.4-ar71xx-mikrotik-vmlinux-initramfs.elf) and use it as boot file. 2. DHCP didn't give IP Address. Had to ssh using IPv6 address. Or statically assigning an IP of 192.168.1.x to my machine. 3. scp lede-17.01.4-ar71xx-mikrotik-nand-large-squashfs-sysupgrade.bin to the router. 4. sysupgrade -n lede-17.01.4-ar71xx-mikrotik-nand-large-squashfs-sysupgrade.bin 5. Router reboots after upgrade Where did my 20 MB of flash space go? df -h with old firmware: FilesystemSize Used Available Use% Mounted on rootfs 124.0M 35.4M 88.6M 29% / /dev/root 124.0M 35.4M 88.6M 29% / tmpfs61.8M 61.8M 0 100% /tmp tmpfs 512.0K 0512.0K 0% /dev df -h with new firmware: FilesystemSize Used Available Use% Mounted on /dev/root 2.5M 2.5M 0 100% /rom tmpfs61.2M 52.0K 61.1M 0% /tmp /dev/ubi0_2 103.0M 36.0K 98.3M 0% /overlay overlayfs:/overlay 103.0M 36.0K 98.3M 0% / tmpfs 512.0K 0512.0K 0% /dev Regards, Nishant ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
[LEDE-DEV] Bringing young people in the community: Google Code-In 2017
Hi everyone, I'm Federico Capoano, some of you may know me for my involvement with Ninux, NetJSON, OpenWISP and contribution to several editions of the Google Summer of Code with Freifunk. OpenWISP has been accepted into the Google Code-In: https://codein.withgoogle.com/organizations/openwisp/ By participating in this program we hope to attract many new young contributors in the world of open source networking, free wifi and similar topics. We aim at proposing easy tasks related to documentation, tutorials, fixing small code issues, UX improvements and so on. We are looking for mentors that share similar goals with us and want to get involved, for those of you that are following the NetJSON development or using some OpenWISP tool, this would be a good time to start contributing! We also would like to invite mentors that want to propose tasks that are related to OpenWRT/LEDE (as indicated to some of you at the last OpenWRT Summit in Prague). Important notes: - we want mentors to take care of the tasks they propose - please read the GCI rules, in particular section 2, 4 and 5: https://developers.google.com/open-source/gci/resources/contest-rules - take a look at the tasks proposals we are working on (we will export this collaborative spreadsheet to CSV) and import it using the GCI API: https://docs.google.com/spreadsheets/d/1nNNN6Db8fS3KtijO9BJB2YHmMzU20OUBoFrXdWk055I/edit#gid=820690942 If interested, please get in touch with us via our support channels (IRC, mailing list, gitter) http://openwisp.org/support.html or reply in private to me (in order to avoid cross-post hell). Thank you for your attention! Best regards Nemesis ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
[LEDE-DEV] [PATCH mountd 0/2] mount: improve handling unsupported filesystems
From: Rafał MiłeckiWhile debugging mountd through adding some prints, I noticed that mount_dev_add will be called every second for unsupported filesystems. Even though LEDE's master branch switched to the blockd, mountd may be still used by some (e.g. LEDE 17.01 release users) so I found it worth fixing. Rafał Miłecki (2): mount: drop duplicated filesystem check from mount_add_list mount: add mount with ignore=1 for unsupported filesystems mount.c | 12 1 file changed, 8 insertions(+), 4 deletions(-) -- 2.11.0 ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
[LEDE-DEV] [PATCH mountd 2/2] mount: add mount with ignore=1 for unsupported filesystems
From: Rafał MiłeckiSo far a check for unsupported filesystem was in the mount_add_list which was simply stopping mount from being added to the global list. This resulted in mount_dev_add continuously not being able to find a mount for the given block device and trying to add it over and over. That was non-optimal becuse with unsupported filesystem present the code was checking all its parameters every second. Fix this by: 1) Moving check out of the mount_add_list to keep all logic in the caller function. 2) Adding mount with ignore=1 for unsupported filesystem instead of ignoring it. Signed-off-by: Rafał Miłecki --- mount.c | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/mount.c b/mount.c index 6d95de9..caf9d9d 100644 --- a/mount.c +++ b/mount.c @@ -139,8 +139,7 @@ static void mount_add_list(char *name, char *dev, char *serial, { struct mount *mount; char tmp[64], tmp2[64]; - if(fs <= MBR || fs > LASTFS) - return; + mount = malloc(sizeof(struct mount)); INIT_LIST_HEAD(>list); strncpy(mount->vendor, vendor, 64); @@ -451,6 +450,7 @@ static void mount_dev_add(char *dev) char sector_size[64]; FILE *fp; int offset = 3; + int fs; strcpy(name, dev); if (!strncmp(name, "mmcblk", 6)) @@ -556,7 +556,11 @@ static void mount_dev_add(char *dev) fclose(fp); } snprintf(tmp, 64, "/dev/%s", dev); - mount_add_list(node, dev, s, vendor, model, rev, ignore, size, sector_size, detect_fs(tmp)); + fs = detect_fs(tmp); + if (fs <= MBR || fs > LASTFS) { + ignore = 1; + } + mount_add_list(node, dev, s, vendor, model, rev, ignore, size, sector_size, fs); mount_dump_uci_state(); } } -- 2.11.0 ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
[LEDE-DEV] [PATCH mountd 1/2] mount: drop duplicated filesystem check from mount_add_list
From: Rafał MiłeckiAt the very beginning of this function there is following code: if(fs <= MBR || fs > LASTFS) return; There is no point in checking for the same range again as these checks will always evaluate into true. Signed-off-by: Rafał Miłecki --- mount.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mount.c b/mount.c index 92606da..6d95de9 100644 --- a/mount.c +++ b/mount.c @@ -155,7 +155,7 @@ static void mount_add_list(char *name, char *dev, char *serial, mount->mounted = 0; mount->fs = fs; list_add(>list, ); - if((!mount->ignore) && (mount->fs > MBR) && (mount->fs <= LASTFS)) + if (!mount->ignore) { log_printf("new mount : %s -> %s (%s)\n", name, dev, fs_names[mount->fs]); snprintf(tmp, 64, "%s%s", uci_path, name); -- 2.11.0 ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] 17.01.4 on Mikrotik RB951Ui-2HnD
On 03/11/2017 08:04, Nishant Sharma wrote: Hi, I am not able to find the documentation to install Lede 17.01.x on RB951Ui-2HnD. I used to install OpenWrt 15.05 using TFTP boot, mtd erase and unpacking the tar.gz of the rootfs to mtdblock2 and copying the kernel to mtdblock1. But with Lede 17.01.4, there is no tar.gz. I tried doing: mtd write rootfs.squashfs rootfs and copy the kernel to mtdblock1 The device has since then gone into a boot loop. I searched on the forum as well, but couldn't find a solution. Any pointers for the same would be helpful. Thanks in advance. Regards, Nishant ___ That target has the "ramdisk" feature enabled by default, so one of the files generated by a default compile can be sent over tftp, and then booted from RAM The system may lack Luci but will have SSH and after connecting to it you can do a sysupgrade through the commandline, which will write the firmware on flash. Try the ones with "initramfs" in the name, I suspect the right one is the "vmlinux-initramfs.bin" or the .elf. I've seen a thread in the forum too, (with no answer) so if you confirm it works either post there or report back here and I'll post the same instructions there too. https://forum.lede-project.org/t/installing-on-mikrotik-rb951ui-2hnd/3751 -Alberto ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
Re: [LEDE-DEV] 17.01.4 on Mikrotik RB951Ui-2HnD
Alright, replying to myself. Here are the steps to flash Lede 17.01.4 on Mikrotik RB951Ui-2HnD: 1. TFTP boot with vmlinux-initramfs.elf as bootfile 2. Use Luci GUI to upload and flash nand-large-squashfs-sysupgrade.bin 3. Fun I have tried it using a self compiled 17.01.4 image, so LuCI was built into the initram kernel image. Any further inputs are welcome. Regards, Nishant On Friday 03 November 2017 12:34 PM, Nishant Sharma wrote: Hi, I am not able to find the documentation to install Lede 17.01.x on RB951Ui-2HnD. I used to install OpenWrt 15.05 using TFTP boot, mtd erase and unpacking the tar.gz of the rootfs to mtdblock2 and copying the kernel to mtdblock1. But with Lede 17.01.4, there is no tar.gz. I tried doing: mtd write rootfs.squashfs rootfs and copy the kernel to mtdblock1 The device has since then gone into a boot loop. I searched on the forum as well, but couldn't find a solution. Any pointers for the same would be helpful. Thanks in advance. Regards, Nishant ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
[LEDE-DEV] 17.01.4 on Mikrotik RB951Ui-2HnD
Hi, I am not able to find the documentation to install Lede 17.01.x on RB951Ui-2HnD. I used to install OpenWrt 15.05 using TFTP boot, mtd erase and unpacking the tar.gz of the rootfs to mtdblock2 and copying the kernel to mtdblock1. But with Lede 17.01.4, there is no tar.gz. I tried doing: mtd write rootfs.squashfs rootfs and copy the kernel to mtdblock1 The device has since then gone into a boot loop. I searched on the forum as well, but couldn't find a solution. Any pointers for the same would be helpful. Thanks in advance. Regards, Nishant ___ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev