Re: [LEDE-DEV] [RFC 2/3] ipq: Don't force selection of the IPQ4019 firmware.

[Ben Greear]

On 11/03/2017 05:58 PM, Christian Lamparter wrote:

On Friday, November 3, 2017 5:05:39 PM CET gree...@candelatech.com wrote:

From: Ben Greear 

This will allow us to select the CT IPQ4019 firmware instead if
desired.

Signed-off-by: Ben Greear 
---
 package/firmware/ipq-wifi/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/firmware/ipq-wifi/Makefile 
b/package/firmware/ipq-wifi/Makefile
index aec8bf2..31d0fbf 100644
--- a/package/firmware/ipq-wifi/Makefile
+++ b/package/firmware/ipq-wifi/Makefile
@@ -20,7 +20,7 @@ define Package/ipq-wifi-default
   SUBMENU:=ath10k IPQ4019 Boarddata
   SECTION:=firmware
   CATEGORY:=Firmware
-  DEPENDS:=@TARGET_ipq806x +ath10k-firmware-qca4019
+  DEPENDS:=@TARGET_ipq806x

Hm, this would break the WIFI in the default configuration for the
FritzBox 4040 image. Currently it only has a dependency on the
ipq-wifi-fritz4040. (So it will end up without a firmware-5.bin)

Please also note that the ipq-wifi boards need to overwrite the
board-2.bin provided by the ath10k-firmware-qca4019(-ct) packages.
So switching (or up-/downgrading) these wifi-firmwares will always
require the (manual) reinstallation of the ipq-wifi board
(if available).


Maybe have the custom board.data file named slightly differently
and then have an early fixup script to copy it into the proper place
on first boot?  And, we could hack the driver to look for a custom
board-2.bin first and just install both board-x.bin images.

And, can we have the IPQ boards select the stock 4019 firmware by default
but still allow it to be de-selected so CT firmware can be selected?

Or if not, then I can call my firmware something different, and have my
driver look for it before the firmware-5.bin.

Thanks,
Ben

--
Ben Greear 
Candela Technologies Inc  http://www.candelatech.com

___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

Re: [LEDE-DEV] [RFC 2/3] ipq: Don't force selection of the IPQ4019 firmware.

[Christian Lamparter]

On Friday, November 3, 2017 5:05:39 PM CET gree...@candelatech.com wrote:
> From: Ben Greear 
> 
> This will allow us to select the CT IPQ4019 firmware instead if
> desired.
> 
> Signed-off-by: Ben Greear 
> ---
>  package/firmware/ipq-wifi/Makefile | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/package/firmware/ipq-wifi/Makefile 
> b/package/firmware/ipq-wifi/Makefile
> index aec8bf2..31d0fbf 100644
> --- a/package/firmware/ipq-wifi/Makefile
> +++ b/package/firmware/ipq-wifi/Makefile
> @@ -20,7 +20,7 @@ define Package/ipq-wifi-default
>SUBMENU:=ath10k IPQ4019 Boarddata
>SECTION:=firmware
>CATEGORY:=Firmware
> -  DEPENDS:=@TARGET_ipq806x +ath10k-firmware-qca4019
> +  DEPENDS:=@TARGET_ipq806x
Hm, this would break the WIFI in the default configuration for the 
FritzBox 4040 image. Currently it only has a dependency on the 
ipq-wifi-fritz4040. (So it will end up without a firmware-5.bin)

Please also note that the ipq-wifi boards need to overwrite the 
board-2.bin provided by the ath10k-firmware-qca4019(-ct) packages.
So switching (or up-/downgrading) these wifi-firmwares will always
require the (manual) reinstallation of the ipq-wifi board
(if available).

___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

[LEDE-DEV] [RFC 3/3] ath10k-firmware: Support CT IPQ4019 firmware.

[greearb]

From: Ben Greear 

Initial beta release of the CT IPQ4019 firmware.  Features are somewhat
similar to the CT 9984 firmware, but more testing and tweaking is yet
to come.

Signed-off-by: Ben Greear 
---
 package/firmware/ath10k-firmware/Makefile | 33 +++
 1 file changed, 33 insertions(+)

diff --git a/package/firmware/ath10k-firmware/Makefile 
b/package/firmware/ath10k-firmware/Makefile
index 1c6f4df..6255699 100644
--- a/package/firmware/ath10k-firmware/Makefile
+++ b/package/firmware/ath10k-firmware/Makefile
@@ -85,6 +85,13 @@ define Download/ath10k-firmware-qca9984-ct
 endef
 $(eval $(call Download,ath10k-firmware-qca9984-ct))
 
+QCA4019_FIRMWARE_FILE_CT:=firmware-5-ct-full-community-10.bin-lede.001
+define Download/ath10k-firmware-qca4019-ct
+  $(call Download/ct-firmware,QCA4019,ath10k-4019-10-4)
+  HASH:=1a1881eb204d295684773b483046dfd3f33d3fc02500ea203ad6676d670837c4
+endef
+$(eval $(call Download,ath10k-firmware-qca4019-ct))
+
 QCA9888_FIRMWARE_FILE_CT:=firmware-5-ct-full-community-9.bin-lede.004
 define Download/ath10k-firmware-qca9888-ct
   $(call Download/ct-firmware,QCA9888,ath10k-9888-10-4)
@@ -146,6 +153,14 @@ This firmware conflicts with the standard 9984 firmware, 
so select only
 one.
 endef
 
+define Package/ath10k-firmware-qca4019-ct/description
+Alternative ath10k firmware for IPQ4019 radio from Candela Technologies.
+Enables IBSS and other features.  See:
+http://www.candelatech.com/ath10k-10.4.php
+This firmware conflicts with the standard IPQ4019 firmware, so select only
+one.
+endef
+
 define Package/ath10k-firmware-qca9888-ct/description
 Alternative ath10k firmware for QCA9886 and QCA9888 from Candela Technologies.
 Enables IBSS and other features.  See:
@@ -174,6 +189,13 @@ $(Package/ath10k-firmware-default)
   CATEGORY:=Firmware
 endef
 
+define Package/ath10k-firmware-qca4019-ct
+$(Package/ath10k-firmware-default)
+  TITLE:=ath10k CT 10.4.3 firmware for QCA4019 devices
+  SECTION:=firmware
+  CATEGORY:=Firmware
+endef
+
 define Package/ath10k-firmware-qca9888-ct
 $(Package/ath10k-firmware-default)
   TITLE:=ath10k CT 10.4.3 firmware for QCA9886 and QCA9888 devices
@@ -328,6 +350,16 @@ define Package/ath10k-firmware-qca9984-ct/install
$(1)/lib/firmware/ath10k/QCA9984/hw1.0/firmware-5.bin
 endef
 
+define Package/ath10k-firmware-qca4019-ct/install
+   $(INSTALL_DIR) $(1)/lib/firmware/ath10k/QCA4019/hw1.0
+   $(INSTALL_DATA) \
+   $(PKG_BUILD_DIR)/QCA4019/hw1.0/board-2.bin \
+   $(1)/lib/firmware/ath10k/QCA4019/hw1.0/
+   $(INSTALL_DATA) \
+   $(DL_DIR)/$(call CT_FIRMWARE_FILE,QCA4019) \
+   $(1)/lib/firmware/ath10k/QCA4019/hw1.0/firmware-5.bin
+endef
+
 define Package/ath10k-firmware-qca9888-ct/install
$(INSTALL_DIR) $(1)/lib/firmware/ath10k/QCA9888/hw2.0
ln -s \
@@ -353,4 +385,5 @@ $(eval $(call BuildPackage,ath10k-firmware-qca9887-ct))
 $(eval $(call BuildPackage,ath10k-firmware-qca988x-ct))
 $(eval $(call BuildPackage,ath10k-firmware-qca99x0-ct))
 $(eval $(call BuildPackage,ath10k-firmware-qca9984-ct))
+$(eval $(call BuildPackage,ath10k-firmware-qca4019-ct))
 $(eval $(call BuildPackage,ath10k-firmware-qca9888-ct))
-- 
2.4.11


___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

[LEDE-DEV] [RFC 2/3] ipq: Don't force selection of the IPQ4019 firmware.

[greearb]

From: Ben Greear 

This will allow us to select the CT IPQ4019 firmware instead if
desired.

Signed-off-by: Ben Greear 
---
 package/firmware/ipq-wifi/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/firmware/ipq-wifi/Makefile 
b/package/firmware/ipq-wifi/Makefile
index aec8bf2..31d0fbf 100644
--- a/package/firmware/ipq-wifi/Makefile
+++ b/package/firmware/ipq-wifi/Makefile
@@ -20,7 +20,7 @@ define Package/ipq-wifi-default
   SUBMENU:=ath10k IPQ4019 Boarddata
   SECTION:=firmware
   CATEGORY:=Firmware
-  DEPENDS:=@TARGET_ipq806x +ath10k-firmware-qca4019
+  DEPENDS:=@TARGET_ipq806x
   TITLE:=Custom Board
 endef
 
-- 
2.4.11


___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

[LEDE-DEV] [RFC 1/3] Update to latest ath10k-ct driver, enable AHB.

[greearb]

From: Ben Greear 

The driver updates include:

ath10k driver backport to fix WPA 'pn' related security bugs
(4.13 based driver only currently),
a fix for off-channel TX for CT wave-1 firmware, a likely
fix for napi related crashes, and a backport of the firmware fetch
patch.

AHB is needed for the IPQ4019 platform radios.

Signed-off-by: Ben Greear 
---
 package/kernel/ath10k-ct/Makefile  | 12 +---
 ...ctivate-user-space-firmware-loading-again.patch | 36 --
 2 files changed, 7 insertions(+), 41 deletions(-)
 delete mode 100644 
package/kernel/ath10k-ct/patches/130-ath10k-activate-user-space-firmware-loading-again.patch

diff --git a/package/kernel/ath10k-ct/Makefile 
b/package/kernel/ath10k-ct/Makefile
index 82d7664..5669a9f 100644
--- a/package/kernel/ath10k-ct/Makefile
+++ b/package/kernel/ath10k-ct/Makefile
@@ -9,7 +9,7 @@ PKG_LICENSE_FILES:=
 PKG_SOURCE_URL:=https://github.com/greearb/ath10k-ct.git
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_DATE:=2017-06-13
-PKG_SOURCE_VERSION:=bded1823912549017d819d1796273b3134c3de20
+PKG_SOURCE_VERSION:=df29a72a16b54ce337b80ccc1ca0389bc1f77a6f
 
PKG_MIRROR_HASH:=616174650e12a82edb6b6bd18ac186e2c6a48fdad0082df9d2011ab20940814b
 
 PKG_MAINTAINER:=Ben Greear 
@@ -29,7 +29,7 @@ include $(INCLUDE_DIR)/package.mk
 define KernelPackage/ath10k-ct
   SUBMENU:=Wireless Drivers
   TITLE:=ath10k-ct driver optimized for CT ath10k firmware
-  DEPENDS:=+kmod-mac80211 +kmod-ath +@DRIVER_11N_SUPPORT +@DRIVER_11AC_SUPPORT 
@PCI_SUPPORT +@KERNEL_RELAY +kmod-hwmon-core
+  DEPENDS:= @PCI_SUPPORT +kmod-ath +@DRIVER_11N_SUPPORT +@DRIVER_11AC_SUPPORT 
+@DRIVER_11W_SUPPORT +@KERNEL_RELAY +kmod-hwmon-core
   FILES:=\
$(PKG_BUILD_DIR)/ath10k$(CT_KVER)/ath10k_pci.ko \
$(PKG_BUILD_DIR)/ath10k$(CT_KVER)/ath10k_core.ko
@@ -50,9 +50,11 @@ ifdef CONFIG_PACKAGE_MAC80211_MESH
 endif
 
 CT_MAKEDEFS += CONFIG_ATH10K=m CONFIG_ATH10K_PCI=m
-# No AHB support enabled yet.  Could conditionally enable it later.
-#CT_MAKEDEFS += CONFIG_ATH10K_AHB=y
-#NOSTDINC_FLAGS += -DCONFIG_ATH10K_AHB
+
+# This AHB logic is needed for IPQ4019 radios
+CT_MAKEDEFS += CONFIG_ATH10K_AHB=m
+NOSTDINC_FLAGS += -DCONFIG_ATH10K_AHB
+
 NOSTDINC_FLAGS += -DSTANDALONE_CT
 
 ifdef CONFIG_PACKAGE_MAC80211_DEBUGFS
diff --git 
a/package/kernel/ath10k-ct/patches/130-ath10k-activate-user-space-firmware-loading-again.patch
 
b/package/kernel/ath10k-ct/patches/130-ath10k-activate-user-space-firmware-loading-again.patch
deleted file mode 100644
index dc02a9d..000
--- 
a/package/kernel/ath10k-ct/patches/130-ath10k-activate-user-space-firmware-loading-again.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From c0cc00f250e19c717fc9cdbdb7f55aaa569c7498 Mon Sep 17 00:00:00 2001
-From: Hauke Mehrtens 
-Date: Thu, 24 Aug 2017 23:06:41 +0200
-Subject: [PATCH] ath10k: activate user space firmware loading again
-
-In commit 9f5bcfe93315 ("ath10k: silence firmware file probing
-warnings") the firmware loading was changed from request_firmware() to
-request_firmware_direct() to silence some warnings in case it fails.
-request_firmware_direct() directly searches in the file system only and
-does not send a hotplug event to user space in case it could not find
-the firmware directly.
-In LEDE we use a user space script to extract the calibration data from
-the flash memory which gets triggered by the hotplug event. This way the
-firmware gets extracted from some vendor specific partition when the
-driver requests this firmware. This mechanism does not work any more
-after this change.
-
-Fixes: 9f5bcfe93315 ("ath10k: silence firmware file probing warnings")
-Signed-off-by: Hauke Mehrtens 
-Cc: Michal Kazior 
-Signed-off-by: Kalle Valo 

- ath10k-4.13/core.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
 a/ath10k-4.13/core.c
-+++ b/ath10k-4.13/core.c
-@@ -556,7 +556,7 @@ static const struct firmware *ath10k_fet
-   dir = ".";
- 
-   snprintf(filename, sizeof(filename), "%s/%s", dir, file);
--  ret = request_firmware_direct(, filename, ar->dev);
-+  ret = request_firmware(, filename, ar->dev);
-   ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot fw request '%s': %d\n",
-  filename, ret);
- 
-- 
2.4.11


___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

[LEDE-DEV] [PATCH procd] service: Start services normally when seccomp is disabled

[Michal Sojka]

When service init file declares seccomp support (procd_set_param seccomp),
but procd is compiled without seccomp support, the service should be
started normally, because seccomp-trace and utrace are not available.

Older procd versions decided about whether to start a service in
seccomp sandbox or not based on existence of seccomp whitelist in the
filesystem. This was recently removed (c8faedc "Do not disable seccomp
when configuration is not found", 2017-09-12) because it could be easy
for attackers to disable seccomp support. This changes is a follow-up
to the mentioned commit. With it, procd decides about whether to use
seccomp sandbox based only on compile-time configuration.

Signed-off-by: Michal Sojka 
---
 CMakeLists.txt | 1 +
 service/instance.c | 9 ++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 7d05e97..4b3eebd 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -88,6 +88,7 @@ ADD_CUSTOM_COMMAND(
 ADD_CUSTOM_TARGET(capabilities-names-h DEPENDS capabilities-names.h)
 
 IF(SECCOMP_SUPPORT)
+ADD_DEFINITIONS(-DSECCOMP_SUPPORT)
 ADD_LIBRARY(preload-seccomp SHARED jail/preload.c jail/seccomp.c)
 TARGET_LINK_LIBRARIES(preload-seccomp dl ubox blobmsg_json)
 INSTALL(TARGETS preload-seccomp
diff --git a/service/instance.c b/service/instance.c
index 7703686..29d6ea6 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -141,8 +141,6 @@ static const struct rlimit_name rlimit_names[] = {
{ NULL, 0 }
 };
 
-static char trace[] = "/sbin/utrace";
-
 static void closefd(int fd)
 {
if (fd > STDERR_FILENO)
@@ -315,10 +313,15 @@ instance_run(struct service_instance *in, int _stdout, 
int _stderr)
argv = alloca(sizeof(char *) * (argc + in->jail.argc));
argc = 0;
 
+#ifdef SECCOMP_SUPPORT
if (in->trace)
-   argv[argc++] = trace;
+   argv[argc++] = "/sbin/utrace";
else if (seccomp)
argv[argc++] = "/sbin/seccomp-trace";
+#else
+   if (in->trace || seccomp)
+   ULOG_WARN("Seccomp support for %s::%s not available\n", 
in->srv->name, in->name);
+#endif
 
if (in->has_jail)
argc = jail_run(in, argv);
-- 
2.15.0.rc2


___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

[LEDE-DEV] [PATCH] procd: Always tell cmake whether to include seccomp support or not

[Michal Sojka]

Without this change, when a user disables seccomp support in .config,
procd does not get recompiled unless the package is cleaned manually.
It is because when -D option is missing from cmake command line, cmake
uses cached value from the previous run where seccomp was enabled.

Signed-off-by: Michal Sojka 
---
 package/system/procd/Makefile | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/package/system/procd/Makefile b/package/system/procd/Makefile
index f424cea57d..3d413266e4 100644
--- a/package/system/procd/Makefile
+++ b/package/system/procd/Makefile
@@ -107,9 +107,8 @@ ifdef CONFIG_PACKAGE_procd-ujail
   CMAKE_OPTIONS += -DJAIL_SUPPORT=1
 endif
 
-ifdef CONFIG_PACKAGE_procd-seccomp
-  CMAKE_OPTIONS += -DSECCOMP_SUPPORT=1 -DUTRACE_SUPPORT=1
-endif
+SECCOMP=$(if $(CONFIG_PACKAGE_procd-seccomp),1,0)
+CMAKE_OPTIONS += -DSECCOMP_SUPPORT=$(SECCOMP) -DUTRACE_SUPPORT=$(SECCOMP)
 
 define Package/procd/install
$(INSTALL_DIR) $(1)/sbin $(1)/etc $(1)/lib/functions
-- 
2.15.0.rc2


___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

Re: [LEDE-DEV] umdns fails to launch (seccom related)?

[Bryan Mayland]

On Fri, Nov 3, 2017 at 4:28 PM, Michal Sojka  wrote:
> you're right, I'm aware of the problem. I already have a patch with the
> fix. I need to do a few cleanups before posting it - I'll look at that
> tonight.

Fantastic, Michal! I look forward to the fix. In the meantime I will
just patch out the seccomp line on my build system so there's no
hurry. Thanks for the quick response.

___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

Re: [LEDE-DEV] umdns fails to launch (seccom related)?

[Michal Sojka]

Hi Bryan,

On Fri, Nov 03 2017, Bryan Mayland wrote:
> I use a custom LEDE build as the basis for an open source project and
> noticed recently that the umdns daemon has stopped loading. This also
> occurs with the standard development snapshot with the umdns package
> installed.
> root@LEDE:~# /etc/init.d/umdns restart
> Command failed: Request timed out
>
> umdns never launches so the service_started() handler waits for the 10
> seconds for the ubus response then fails. If I comment out the
> `procd_set_param seccomp /etc/seccomp/umdns.json` line it works just
> fine. I've also tried replacing the umdns executable with a simple
> shell script and it never appears to execute. This occurs if the
> daemon is configured to be jailed or not.
>
> Because my bcm2708 target does not have CONFIG_KERNEL_SECCOMP enabled,
> this should not make a difference right? I've also tried adding a
> /sbin/seccomp-trace which was just a shell script as well to launch
> umdns and it had no effect.
>
> I believe it is a problem in procd but I'm not sure where else to look
> as this seems like it could affect anything with a seccomp procd init,
> and umdns is the only one that does this so far.

you're right, I'm aware of the problem. I already have a patch with the
fix. I need to do a few cleanups before posting it - I'll look at that
tonight.

-Michal

___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

[LEDE-DEV] [PATCH v1] wireguard: version bump to 0.0.20171101

[Kevin Darbyshire-Bryant]

Update wireguard to latest snapshot:

9fc5daf version: bump snapshot
748ca6b compat: unbreak unloading on kernels 4.6 through 4.9
7be9894 timers: switch to kees' new timer_list functions
6be9a66 wg-quick: save all hooks on save
752e7af version: bump snapshot
2cd9642 wg-quick: fsync the temporary file before renaming
b139499 wg-quick: allow for saving existing interface
582c201 contrib: add reresolve-dns
8e04be1 tools: correct type for CTRL_ATTR_FAMILY_ID
c138276 wg-quick: allow for the hatchet, but not by default
d03f2a0 global: use fewer BUG_ONs
6d681ce timers: guard entire setting in block
4bf32ca curve25519: only enable int128 if compiler support is sound
86e06a3 device: expand scope of destruct lock
e3661ab global: get rid of useless forward declarations
bedc77a device: only take reference if netns is different
7c07e22 wg-quick: remember to rewind DNS settings on failure
2352ec0 wg-quick: allow specifiying multiple hooks
573cb19 qemu: test using four cores
e09ec4d global: style nits
4d3deae qemu: work around ccache bugs
7491cd4 global: infuriating kernel iterator style
78e079c peer: store total number of peers instead of iterating
d4e2752 peer: get rid of peer_for_each magic
6cf12d1 compat: be sure to include header before testing
3ea08d8 qemu: allow for cross compilation
d467551 crypto/avx: make sure we can actually use ymm registers
c786c46 blake2: include headers for macros
328e386 global: accept decent check_patch.pl suggestions
a473592 compat: fix up stat calculation for udp tunnel
9d930f5 stats: more robust accounting
311ca62 selftest: initialize mutex in routingtable selftest
8a9a6d3 netns: use time-based test instead of quantity-based
e480068 netns: use read built-in instead of ncat hack for dmesg

Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant 
---
 package/network/services/wireguard/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/network/services/wireguard/Makefile 
b/package/network/services/wireguard/Makefile
index e1b60e2b1a..4a732abc98 100644
--- a/package/network/services/wireguard/Makefile
+++ b/package/network/services/wireguard/Makefile
@@ -11,12 +11,12 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=wireguard
 
-PKG_VERSION:=0.0.20171017
+PKG_VERSION:=0.0.20171101
 PKG_RELEASE:=1
 
 PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
-PKG_HASH:=57b79a62874d9b99659a744513d4f6f9d88cb772deaa99e485b6fed3004a35cd
+PKG_HASH:=096b6482a65e566c7bf8c059f5ee6aadb2de565b04b6d810c685f1c377540325
 
 PKG_LICENSE:=GPL-2.0 Apache-2.0
 PKG_LICENSE_FILES:=COPYING
-- 
2.13.6 (Apple Git-96)


___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

[LEDE-DEV] [PATCH v2] firewall3: ubus: parse the firewall data within the service itself

[Pierre Lebleu]

It gives the ability to create firewall rules within the service
itself and independently of the instances.

Changes since v1:
- align coding style
- if no instance is given (within the service), do not write it

Signed-off-by: Pierre Lebleu 
---
 ubus.c | 99 +-
 1 file changed, 56 insertions(+), 43 deletions(-)

diff --git a/ubus.c b/ubus.c
index bcbe1e8..5bb4f5d 100644
--- a/ubus.c
+++ b/ubus.c
@@ -240,14 +240,47 @@ fw3_ubus_zone_devices(struct fw3_zone *zone)
}
 }
 
+static void fw3_ubus_rules_add(struct blob_buf *b, const char *service,
+   const char *instance, const char *device,
+   const struct blob_attr *rule, unsigned n)
+{
+   void *k = blobmsg_open_table(b, "");
+   struct blob_attr *ropt;
+   unsigned orem;
+   char *type = NULL;
+   char comment[256];
+
+   blobmsg_for_each_attr(ropt, rule, orem) {
+   if (!strcmp(blobmsg_name(ropt), "type"))
+   type = blobmsg_data(ropt);
+   if (device && !strcmp(blobmsg_name(ropt), "device"))
+   device = blobmsg_get_string(ropt);
+   else if (strcmp(blobmsg_name(ropt), "name"))
+   blobmsg_add_blob(b, ropt);
+   }
+
+   if (instance)
+   snprintf(comment, sizeof(comment), "ubus:%s[%s] %s %d",
+   service, instance, type ? type : "rule", n);
+   else
+   snprintf(comment, sizeof(comment), "ubus:%s %s %d",
+   service, type ? type : "rule", n);
+
+   blobmsg_add_string(b, "name", comment);
+
+   if (device)
+   blobmsg_add_string(b, "device", device);
+
+   blobmsg_close_table(b, k);
+}
+
 void
 fw3_ubus_rules(struct blob_buf *b)
 {
blob_buf_init(b, 0);
 
-   struct blob_attr *c, *cur, *dcur, *rule, *ropt;
-   unsigned n, r, rem, drem, rrem, orem;
-   char comment[256];
+   struct blob_attr *c, *cur, *dcur, *rule;
+   unsigned n, r, rem, drem, rrem;
 
blobmsg_for_each_attr(c, interfaces, r) {
const char *l3_device = NULL;
@@ -275,28 +308,9 @@ fw3_ubus_rules(struct blob_buf *b)
 
n = 0;
 
-   blobmsg_for_each_attr(rule, dcur, rrem) {
-   void *k = blobmsg_open_table(b, "");
-   char *type = NULL;
-
-   blobmsg_for_each_attr(ropt, rule, orem) {
-   if (!strcmp(blobmsg_name(ropt), "type"))
-   type = blobmsg_data(ropt);
-   if (!strcmp(blobmsg_name(ropt), 
"device"))
-   l3_device = 
blobmsg_get_string(ropt);
-   else if (strcmp(blobmsg_name(ropt), 
"name"))
-   blobmsg_add_blob(b, ropt);
-   }
-
-   snprintf(comment, sizeof(comment), "ubus:%s[%s] 
%s %d",
-   iface_name, iface_proto,
-   type ? type : "rule", n++);
-
-   blobmsg_add_string(b, "name", comment);
-
-   blobmsg_add_string(b, "device", l3_device);
-   blobmsg_close_table(b, k);
-   }
+   blobmsg_for_each_attr(rule, dcur, rrem)
+   fw3_ubus_rules_add(b, iface_name, iface_proto,
+   l3_device, rule, n++);
}
}
 
@@ -313,31 +327,30 @@ fw3_ubus_rules(struct blob_buf *b)
if (!blobmsg_check_attr(cur, true))
continue;
 
+   /* fw rules within the service itself */
+   if (!strcmp(blobmsg_name(cur), "firewall")) {
+   n = 0;
+
+   blobmsg_for_each_attr(rule, cur, rrem)
+   fw3_ubus_rules_add(b, blobmsg_name(c),
+   NULL, NULL, rule, n++);
+
+   continue;
+   }
+
/* type */
blobmsg_for_each_attr(dcur, cur, drem) {
if (!blobmsg_check_attr(dcur, true))
continue;
 
-   n = 0;
-
-   blobmsg_for_each_attr(rule, dcur, rrem) {
-   void *k = blobmsg_open_table(b, "");
-   char *type = NULL;
-
-   blobmsg_for_each_attr(ropt, rule, orem) 
{
-  

[LEDE-DEV] umdns fails to launch (seccom related)?

[Bryan Mayland]

I use a custom LEDE build as the basis for an open source project and
noticed recently that the umdns daemon has stopped loading. This also
occurs with the standard development snapshot with the umdns package
installed.
root@LEDE:~# /etc/init.d/umdns restart
Command failed: Request timed out

umdns never launches so the service_started() handler waits for the 10
seconds for the ubus response then fails. If I comment out the
`procd_set_param seccomp /etc/seccomp/umdns.json` line it works just
fine. I've also tried replacing the umdns executable with a simple
shell script and it never appears to execute. This occurs if the
daemon is configured to be jailed or not.

Because my bcm2708 target does not have CONFIG_KERNEL_SECCOMP enabled,
this should not make a difference right? I've also tried adding a
/sbin/seccomp-trace which was just a shell script as well to launch
umdns and it had no effect.

I believe it is a problem in procd but I'm not sure where else to look
as this seems like it could affect anything with a seccomp procd init,
and umdns is the only one that does this so far.

___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

Re: [LEDE-DEV] 17.01.4 on Mikrotik RB951Ui-2HnD

[Alberto Bursi]

On 03/11/2017 11:22, Nishant Sharma wrote:

Hi Alberto,

On Friday 03 November 2017 01:44 PM, Alberto Bursi wrote:



On 03/11/2017 08:04, Nishant Sharma wrote:


I am not able to find the documentation to install Lede 17.01.x on 
RB951Ui-2HnD.




The device has since then gone into a boot loop. I searched on the 
forum as well, but couldn't find a solution.


I've seen a thread in the forum too, (with no answer) so if you 
confirm it works either post there or report back here and I'll post 
the same instructions there too.
https://forum.lede-project.org/t/installing-on-mikrotik-rb951ui-2hnd/3751 



Thanks for your reply. I will put them on the forum as well.

Here are the steps:

1. Download vmlinux-initramfs.elf 
(lede-17.01.4-ar71xx-mikrotik-vmlinux-initramfs.elf) and use it as 
boot file.
2. DHCP didn't give IP Address. Had to ssh using IPv6 address. Or 
statically assigning an IP of 192.168.1.x to my machine.
3. scp lede-17.01.4-ar71xx-mikrotik-nand-large-squashfs-sysupgrade.bin 
to the router.
4. sysupgrade -n 
lede-17.01.4-ar71xx-mikrotik-nand-large-squashfs-sysupgrade.bin

5. Router reboots after upgrade

Where did my 20 MB of flash space go?

df -h with old firmware:
Filesystem    Size  Used Available Use% Mounted on
rootfs  124.0M 35.4M 88.6M  29% /
/dev/root   124.0M 35.4M 88.6M  29% /
tmpfs    61.8M 61.8M 0 100% /tmp
tmpfs   512.0K 0    512.0K   0% /dev

df -h with new firmware:
Filesystem    Size  Used Available Use% Mounted on
/dev/root 2.5M  2.5M 0 100% /rom
tmpfs    61.2M 52.0K 61.1M   0% /tmp
/dev/ubi0_2 103.0M 36.0K 98.3M   0% /overlay
overlayfs:/overlay  103.0M 36.0K 98.3M   0% /
tmpfs   512.0K 0    512.0K   0% /dev

Regards,
Nishant



They adjusted partitions (which is why you couldn't just sysupgrade from 
OpenWRT).
Actually, with the new firmware you have 10 MB more usable space, even 
if partition is smaller.

Look at the "Available" column. Old fw was 88MB, new fw is 98MB.

-Alberto

___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

[LEDE-DEV] [PATCH] dropbear: make syslog support configurable

[Hans Dedecker]

By default dropbear logs to syslog which discloses info about account names
when doing connection attempts (e.g. "Bad password attempt for 'engineer' from
x.x.x.x:y")
As this facilitates brute force attempts against account names; make syslog
support configurable in order not to leak sensitive info via syslog.

Signed-off-by: Hans Dedecker 
---
 package/network/services/dropbear/Config.in | 6 ++
 package/network/services/dropbear/Makefile  | 7 ---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/package/network/services/dropbear/Config.in 
b/package/network/services/dropbear/Config.in
index ca0af9d..95316b9 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -56,4 +56,10 @@ config DROPBEAR_PUTUTLINE
help
Dropbear will use pututline() to write the utmp structure into 
the utmp file.
 
+config DROPBEAR_DISABLE_SYSLOG
+   bool "Disable syslog logging"
+   default n
+   help
+   Disables syslog log support; log messages will be redirected to 
stderr.
+
 endmenu
diff --git a/package/network/services/dropbear/Makefile 
b/package/network/services/dropbear/Makefile
index 2db2f81..32efa7b 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
 PKG_VERSION:=2017.75
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
@@ -26,7 +26,8 @@ PKG_USE_MIPS16:=0
 PKG_CONFIG_DEPENDS:= \
CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \
CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
-   CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE
+   CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
+   CONFIG_DROPBEAR_DISABLE_SYSLOG
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -69,7 +70,7 @@ endef
 CONFIGURE_ARGS += \
--disable-pam \
--enable-openpty \
-   --enable-syslog \
+   $(if 
$(CONFIG_DROPBEAR_DISABLE_SYSLOG),--disable-syslog,--enable-syslog) \
--disable-lastlog \
--disable-utmpx \
$(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \
-- 
1.9.1


___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

[LEDE-DEV] WhiteBox Wireless Router Supplier

[Alan Gregory via Lede-dev]

The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.--- Begin Message ---
Were looking for a (White Box/Lede 100% Compatible) wireless router supplier. 
If anyone has any recommendation. 

Must have: 
Dual Band (2.4/5.8Ac) 
At least 4 gigabit ports. 
2 or more external antennas. 

Case: ISP providing wireless for customers,bulk order. 


--- End Message ---
___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

Re: [LEDE-DEV] 17.01.4 on Mikrotik RB951Ui-2HnD

[Nishant Sharma]

Hi Alberto,

On Friday 03 November 2017 01:44 PM, Alberto Bursi wrote:



On 03/11/2017 08:04, Nishant Sharma wrote:


I am not able to find the documentation to install Lede 17.01.x on 
RB951Ui-2HnD.




The device has since then gone into a boot loop. I searched on the 
forum as well, but couldn't find a solution.


I've seen a thread in the forum too, (with no answer) so if you confirm 
it works either post there or report back here and I'll post the same 
instructions there too.

https://forum.lede-project.org/t/installing-on-mikrotik-rb951ui-2hnd/3751


Thanks for your reply. I will put them on the forum as well.

Here are the steps:

1. Download vmlinux-initramfs.elf 
(lede-17.01.4-ar71xx-mikrotik-vmlinux-initramfs.elf) and use it as boot 
file.
2. DHCP didn't give IP Address. Had to ssh using IPv6 address. Or 
statically assigning an IP of 192.168.1.x to my machine.
3. scp lede-17.01.4-ar71xx-mikrotik-nand-large-squashfs-sysupgrade.bin 
to the router.
4. sysupgrade -n 
lede-17.01.4-ar71xx-mikrotik-nand-large-squashfs-sysupgrade.bin

5. Router reboots after upgrade

Where did my 20 MB of flash space go?

df -h with old firmware:
FilesystemSize  Used Available Use% Mounted on
rootfs  124.0M 35.4M 88.6M  29% /
/dev/root   124.0M 35.4M 88.6M  29% /
tmpfs61.8M 61.8M 0 100% /tmp
tmpfs   512.0K 0512.0K   0% /dev

df -h with new firmware:
FilesystemSize  Used Available Use% Mounted on
/dev/root 2.5M  2.5M 0 100% /rom
tmpfs61.2M 52.0K 61.1M   0% /tmp
/dev/ubi0_2 103.0M 36.0K 98.3M   0% /overlay
overlayfs:/overlay  103.0M 36.0K 98.3M   0% /
tmpfs   512.0K 0512.0K   0% /dev

Regards,
Nishant

___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

[LEDE-DEV] Bringing young people in the community: Google Code-In 2017

[nemesis]

Hi everyone,

I'm Federico Capoano, some of you may know me for my involvement with 
Ninux, NetJSON, OpenWISP and contribution to several editions of the 
Google Summer of Code with Freifunk.


OpenWISP has been accepted into the Google Code-In:
https://codein.withgoogle.com/organizations/openwisp/

By participating in this program we hope to attract many new young 
contributors in the world of open source networking, free wifi and 
similar topics.
We aim at proposing easy tasks related to documentation, tutorials, 
fixing small code issues, UX improvements and so on.


We are looking for mentors that share similar goals with us and want to 
get involved, for those of you that are following the NetJSON 
development or using some OpenWISP tool, this would be a good time to 
start contributing!


We also would like to invite mentors that want to propose tasks that 
are related to OpenWRT/LEDE (as indicated to some of you at the last 
OpenWRT Summit in Prague).


Important notes:

- we want mentors to take care of the tasks they propose
- please read the GCI rules, in particular section 2, 4 and 5: 
https://developers.google.com/open-source/gci/resources/contest-rules
- take a look at the tasks proposals we are working on (we will export 
this collaborative spreadsheet to CSV) and import it using the GCI API: 
https://docs.google.com/spreadsheets/d/1nNNN6Db8fS3KtijO9BJB2YHmMzU20OUBoFrXdWk055I/edit#gid=820690942


If interested, please get in touch with us via our support channels 
(IRC, mailing list, gitter) http://openwisp.org/support.html or reply in 
private to me (in order to avoid cross-post hell).


Thank you for your attention!

Best regards
Nemesis

___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

[LEDE-DEV] [PATCH mountd 0/2] mount: improve handling unsupported filesystems

[Rafał Miłecki]

From: Rafał Miłecki 

While debugging mountd through adding some prints, I noticed that
mount_dev_add will be called every second for unsupported filesystems.

Even though LEDE's master branch switched to the blockd, mountd may be
still used by some (e.g. LEDE 17.01 release users) so I found it worth
fixing.

Rafał Miłecki (2):
  mount: drop duplicated filesystem check from mount_add_list
  mount: add mount with ignore=1 for unsupported filesystems

 mount.c | 12 
 1 file changed, 8 insertions(+), 4 deletions(-)

-- 
2.11.0


___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

[LEDE-DEV] [PATCH mountd 2/2] mount: add mount with ignore=1 for unsupported filesystems

[Rafał Miłecki]

From: Rafał Miłecki 

So far a check for unsupported filesystem was in the mount_add_list
which was simply stopping mount from being added to the global list.

This resulted in mount_dev_add continuously not being able to find a
mount for the given block device and trying to add it over and over.
That was non-optimal becuse with unsupported filesystem present the
code was checking all its parameters every second.

Fix this by:
1) Moving check out of the mount_add_list to keep all logic in the
   caller function.
2) Adding mount with ignore=1 for unsupported filesystem instead of
   ignoring it.

Signed-off-by: Rafał Miłecki 
---
 mount.c | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/mount.c b/mount.c
index 6d95de9..caf9d9d 100644
--- a/mount.c
+++ b/mount.c
@@ -139,8 +139,7 @@ static void mount_add_list(char *name, char *dev, char 
*serial,
 {
struct mount *mount;
char tmp[64], tmp2[64];
-   if(fs <= MBR || fs > LASTFS)
-   return;
+
mount  = malloc(sizeof(struct mount));
INIT_LIST_HEAD(>list);
strncpy(mount->vendor, vendor, 64);
@@ -451,6 +450,7 @@ static void mount_dev_add(char *dev)
char sector_size[64];
FILE *fp;
int offset = 3;
+   int fs;
 
strcpy(name, dev);
if (!strncmp(name, "mmcblk", 6))
@@ -556,7 +556,11 @@ static void mount_dev_add(char *dev)
fclose(fp);
}
snprintf(tmp, 64, "/dev/%s", dev);
-   mount_add_list(node, dev, s, vendor, model, rev, ignore, size, 
sector_size, detect_fs(tmp));
+   fs = detect_fs(tmp);
+   if (fs <= MBR || fs > LASTFS) {
+   ignore = 1;
+   }
+   mount_add_list(node, dev, s, vendor, model, rev, ignore, size, 
sector_size, fs);
mount_dump_uci_state();
}
 }
-- 
2.11.0


___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

[LEDE-DEV] [PATCH mountd 1/2] mount: drop duplicated filesystem check from mount_add_list

[Rafał Miłecki]

From: Rafał Miłecki 

At the very beginning of this function there is following code:
if(fs <= MBR || fs > LASTFS)
return;

There is no point in checking for the same range again as these checks
will always evaluate into true.

Signed-off-by: Rafał Miłecki 
---
 mount.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mount.c b/mount.c
index 92606da..6d95de9 100644
--- a/mount.c
+++ b/mount.c
@@ -155,7 +155,7 @@ static void mount_add_list(char *name, char *dev, char 
*serial,
mount->mounted = 0;
mount->fs = fs;
list_add(>list, );
-   if((!mount->ignore) && (mount->fs > MBR) && (mount->fs <= LASTFS))
+   if (!mount->ignore)
{
log_printf("new mount : %s -> %s (%s)\n", name, dev, 
fs_names[mount->fs]);
snprintf(tmp, 64, "%s%s", uci_path, name);
-- 
2.11.0


___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

Re: [LEDE-DEV] 17.01.4 on Mikrotik RB951Ui-2HnD

[Alberto Bursi]

On 03/11/2017 08:04, Nishant Sharma wrote:

Hi,

I am not able to find the documentation to install Lede 17.01.x on 
RB951Ui-2HnD.


I used to install OpenWrt 15.05 using TFTP boot, mtd erase and 
unpacking the tar.gz of the rootfs to mtdblock2 and copying the kernel 
to mtdblock1.


But with Lede 17.01.4, there is no tar.gz. I tried doing:

mtd write rootfs.squashfs rootfs

and copy the kernel to mtdblock1

The device has since then gone into a boot loop. I searched on the 
forum as well, but couldn't find a solution.


Any pointers for the same would be helpful.

Thanks in advance.

Regards,
Nishant

___



That target has the "ramdisk" feature enabled by default, so one of the 
files generated by a default compile can be sent over tftp, and then 
booted from RAM
The system may lack Luci but will have SSH and after connecting to it 
you can do a sysupgrade through the commandline, which will write the 
firmware on flash.


Try the ones with "initramfs" in the name, I suspect the right one is 
the "vmlinux-initramfs.bin" or the .elf.


I've seen a thread in the forum too, (with no answer) so if you confirm 
it works either post there or report back here and I'll post the same 
instructions there too.

https://forum.lede-project.org/t/installing-on-mikrotik-rb951ui-2hnd/3751

-Alberto


___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

Re: [LEDE-DEV] 17.01.4 on Mikrotik RB951Ui-2HnD

[Nishant Sharma]

Alright,

replying to myself.

Here are the steps to flash Lede 17.01.4 on Mikrotik RB951Ui-2HnD:

1. TFTP boot with vmlinux-initramfs.elf as bootfile
2. Use Luci GUI to upload and flash nand-large-squashfs-sysupgrade.bin
3. Fun

I have tried it using a self compiled 17.01.4 image, so LuCI was built 
into the initram kernel image.


Any further inputs are welcome.

Regards,
Nishant

On Friday 03 November 2017 12:34 PM, Nishant Sharma wrote:

Hi,

I am not able to find the documentation to install Lede 17.01.x on 
RB951Ui-2HnD.


I used to install OpenWrt 15.05 using TFTP boot, mtd erase and unpacking 
the tar.gz of the rootfs to mtdblock2 and copying the kernel to mtdblock1.


But with Lede 17.01.4, there is no tar.gz. I tried doing:

mtd write rootfs.squashfs rootfs

and copy the kernel to mtdblock1

The device has since then gone into a boot loop. I searched on the forum 
as well, but couldn't find a solution.


Any pointers for the same would be helpful.

Thanks in advance.

Regards,
Nishant



___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

[LEDE-DEV] 17.01.4 on Mikrotik RB951Ui-2HnD

[Nishant Sharma]

Hi,

I am not able to find the documentation to install Lede 17.01.x on 
RB951Ui-2HnD.


I used to install OpenWrt 15.05 using TFTP boot, mtd erase and unpacking 
the tar.gz of the rootfs to mtdblock2 and copying the kernel to mtdblock1.


But with Lede 17.01.4, there is no tar.gz. I tried doing:

mtd write rootfs.squashfs rootfs

and copy the kernel to mtdblock1

The device has since then gone into a boot loop. I searched on the forum 
as well, but couldn't find a solution.


Any pointers for the same would be helpful.

Thanks in advance.

Regards,
Nishant

___
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev