Commit Graph

1829 Commits

Author SHA1 Message Date
Simon Wunderlich 1ff9ee61cd
Merge pull request #1057 from ecsv/batadv-for-22.03
openwrt-22.03: batman-adv: Avoid infinite loop trying to resize local TT
2024-04-06 10:39:41 +02:00
Sven Eckelmann 30a3bc22c0 batman-adv: Avoid infinite loop trying to resize local TT
If the MTU of one of the attached interfaces becomes too small to transmit
the local translation table then it must be resized to fit inside all
fragments (when enabled) or a single packet.

But if the MTU becomes too low to transmit even the header + the VLAN
specific part then the resizing of the local TT will never succeed. This
can for example happen when the usable space is 110 bytes and 11 VLANs are
on top of batman-adv. In this case, at least 116 bytes would be needed.
There will just be an endless spam of

   batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)

in the log but the function will never finish. Problem here is that the
timeout will be halved all the time and will then stagnate at 0 and
therefore never be able to reduce the table even more.

There are other scenarios possible with a similar result. The number of
BATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too
high to fit inside a packet. Such a scenario can therefore happen also with
only a single VLAN + 7 non-purgeable addresses - requiring at least 120
bytes.

While this should be handled proactively when:

* interface with too low MTU is added
* VLAN is added
* non-purgeable local mac is added
* MTU of an attached interface is reduced
* fragmentation setting gets disabled (which most likely requires dropping
  attached interfaces)

not all of these scenarios can be prevented because batman-adv is only
consuming events without the possibility to prevent these actions
(non-purgeable MAC address added, MTU of an attached interface is reduced).
It is therefore necessary to also make sure that the code is able to handle
the situations when incompatible system configurations are already
present.

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2024-04-05 22:02:14 +02:00
Simon Wunderlich 2610af4d86
Merge pull request #1047 from ecsv/batadv-for-22.03
openwrt-22.03: batman-adv: Provide teardown hook for batadv_vlan proto
2024-02-05 10:54:16 +01:00
Sven Eckelmann 03b4663bce batman-adv: Provide teardown hook for batadv_vlan proto
The batadv_vlan proto doesn't need to do anything when it gets torn down.
But the scripts are still trying to call the teardown function of this
proto. This results in warnings like:

    daemon.notice netifd: batmesh1 (18940): ./batadv_vlan.sh: eval: line 37: proto_batadv_vlan_teardown: not found

Just providing a stub function avoids this log spam.

Fixes: #1044
Reported-by: Rani Hod <rani.hod@gmail.com>
Fixes: f5205d7d24 ("batman-adv: upgrade package to latest release 2014.2.0")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
2024-02-05 08:59:01 +01:00
Simon Wunderlich 024b1db990
Merge pull request #1042 from ecsv/batadv-for-22.03
openwrt-22.03: batctl: Merge bugfixes from 2024.0
2024-02-04 11:52:39 +01:00
Sven Eckelmann 056013fbd9 batctl: Merge bugfixes from 2024.0
* tcpdump: Fix missing sanity check for batman-adv header
* tcpdump: Add missing throughput header length check
* tcpdump: Fix IPv4 header length check
* tcpdump: Add missing ICMPv6 Neighbor Advert length check
* tcpdump: Add missing ICMPv6 Neighbor Solicit length check
* tcpdump: Fix ICMPv4 inner IPv4 header length check

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2024-02-03 09:00:09 +01:00
Sven Eckelmann 076a2750dd treewide: remove AUTORELEASE
Automatically compute and substitute current values for all
$(AUTORELEASE) instances as this feature is deprecated and shouldn't be
used. Since commit 2584b0cecae ("CI: deprecate $(AUTORELEASE) via
comments"), this is even announced by the CI.

The following temporary change was made to the core:

    diff --git a/rules.mk b/rules.mk
    index 57d7995d4fa8..f16367de87a8 100644
    --- a/rules.mk
    +++ b/rules.mk
    @@ -429,7 +429,7 @@ endef
     abi_version_str = $(subst -,,$(subst _,,$(subst .,,$(1))))

     COMMITCOUNT = $(if $(DUMP),0,$(call commitcount))
    -AUTORELEASE = $(if $(DUMP),0,$(call commitcount,1))
    +AUTORELEASE = $(if $(DUMP),0,$(shell sed -i "s/\$$(AUTORELEASE)/$(call commitcount,1)/" $(CURDIR)/Makefile))

     all:
     FORCE: ;
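
Review bot: on the `+AUTORELEASE` line, `$(shell sed -i ...)` rewrites `$(CURDIR)/Makefile` in place as a side effect of expanding a recursively expanded (`=`) variable, so the rewrite is repeated on every expansion, and since `sed -i` prints nothing the variable itself expands to an empty string for that run. The pattern `\$$(AUTORELEASE)` also matches every occurrence in the file, comments included, not only the `PKG_RELEASE:=` assignment. As this is described as a temporary change, state next to the line that it must not be committed to the core tree, and review the resulting `PKG_RELEASE` values with `git diff` in the feed before committing them.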

And this command used to fix affected packages:

    ./scripts/feeds install -a routing
    for i in $(cd feeds/routing; git grep -l 'PKG_RELEASE:=.*AUTORELEASE' | \
                                  sed 's^.*/\([^/]*\)/Makefile^\1^';);
    do
      make package/${i%/Makefile}/download
    done

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2024-02-03 08:56:13 +01:00
Moritz Warning 777c115b0a nodogsplash: explicit file copy
Signed-off-by: Moritz Warning <moritzwarning@web.de>
(cherry picked from commit 2a725e7cbe)
2023-10-23 17:03:00 +02:00
Moritz Warning 55df09aa77 nodogsplash: update to version 5.0.2
Fix a buffer overflow in case the
query string is too long.

Signed-off-by: Moritz Warning <moritzwarning@web.de>
(cherry picked from commit fe1c67fb3d)
2023-10-23 17:03:00 +02:00
Josef Schlehofer b312934dab bmx6: drop package
This package is no longer maintained by us or by upstream developers.
The last version in the GitHub repository is from 2020 with no activity so far.
We are using version 0.1-alpha.

Because LuCI app is vulnerable to several CVEs and DependencyBot still
sends emails about it, let's drop it.

If anyone wants, they can use bmx7.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 9fb9d9343e)
2023-09-29 12:26:56 +02:00
Josef Schlehofer f737045061 luci-app-bmx6: drop this because of security vulnerabilities
DependencyBot, which we are using, is sending us emails about these CVEs:
CVE-2012-6708
CVE-2020-23064
CVE-2019-11358

This was reported to the maintainer in April 2023, but no one stepped in to fix that,
so let's drop this.

Replacement could be luci-app-bmx7.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit c2124dd2ad)
2023-09-29 12:26:42 +02:00
Rob White 0b19771fb2 opennds: update to version 10.1.3
Maintainer: Rob White rob@blue-wave.net

Compile tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64

Run tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64; on snapshot, 23.05, 22.03

Description:
opennds (10.1.3)

Security Advisory. This version contains fixes for multiple potential security vulnerabilities
Credit - Stanislav Dashevskyi - standash.github.io [standash]
It also contains some minor bug fixes

  * Fix - Buffer overflow causing segfault - CVE-2023-41101 [bluewavenet]
  * Fix - Memory leaks due to passing allocated buffer into safe_asprintf() - CVE-2023-41102 [bluewavenet]
  * Fix - Remove deprecated preauth option [bluewavenet]
  * Fix - missing free in show_preauth_page if MHD does not respond [bluewavenet]
  * Fix - more safe_asprintf memory leaks [bluewavenet]
  * Fix - missing free for mark_auth [bluewavenet]
  * Fix - memory leak after starting authmon daemon [bluewavenet]
  * Fix - memory leak in encode_and_redirect_to_splashpage [bluewavenet]
  * Fix - Community themespec, voucher css and logo image [bluewavenet]
  * Fix - ThemeSpec, path to logo in page footer [bluewavenet]
  * Fix - ensure gatewayurl is urldecoded to fix broken css and images in themespec [bluewavenet]
  * Add - set default fas remote fqdn to disabled [bluewavenet]

Signed-off-by: Rob White <rob@blue-wave.net>
(cherry picked from commit 88c98c910a)
2023-09-03 09:48:17 +02:00
Jeffery To fa833a0d97 CI: Sort build architectures in alphabetical order
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 06b7d9b665)
2023-09-01 21:57:33 +02:00
Christian Marangi 191f6c0423 CI: add concurrency rules to skip redundant build
Add concurrency rules to skip redundant build to skip extra build test
on force push on pull request.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 5aa683be13)
2023-09-01 21:57:23 +02:00
Jeffery To 675248d9b7 CI: Do package run-tests only if target packages were built
Currently, the package run-test phase will fail for PRs that only
add/update host-only packages, as no target packages (*.ipk) are built.

This checks if any target packages are built before attempting the
run-tests.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 299ee2b1cf)
2023-09-01 21:57:15 +02:00
Jeffery To 4f115606ab CI: Run "apt-get update" before installing signify-openbsd
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 89cf0d5619)
2023-09-01 21:56:58 +02:00
Van Waholtz 86f308dcc7 CI: Enable runtime_test for mips_24kc
Signed-off-by: Van Waholtz <brvphoenix@gmail.com>
(cherry picked from commit 28d204148a)
2023-09-01 21:56:47 +02:00
Gerard Ryan ca620495d3 cache-domains: added pre-test.sh CI step
Some package variants have conflicting dependencies with the
base packages and the CI test will fail to install before anything
can be done by the packages to set up the system for install.

This change adds a pre-test.sh that runs before the install so things
like the default libustream variant can be swapped out as shown in the
updated cache-domains.

Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
(cherry picked from commit 61997c86b0)
2023-09-01 21:56:39 +02:00
Jeffery To 9f7ba4a4b5 CI: Add local feed for CI-built packages
To test each package, the CI-built target package (ipk) file is
installed, but currently the target package's dependencies are installed
from the standard opkg feeds.

There are cases when the CI-built target packages should be
installed/tested together:

* If a pull request contains several new packages that depend on each
  other, the test step will fail as the new dependencies cannot be found
  in the current packages feed.

* If a pull request upgrades a source package that builds several target
  packages that depend on each other, the test step may fail due to the
  version/ABI mismatch between a newer target package and the older
  dependencies installed from the packages feed.

This sets up a local feed for the CI-built packages so that dependencies
are also installed from the same set of packages.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit f818fe716e)
2023-09-01 21:56:26 +02:00
Jeffery To ac03feb20f CI: Add --autoremove, ignore removal errors
836b4e1c734f9705bfd8db0da0c04214c2647932 added
--force-removal-of-dependent-packages but it does not do what the commit
message says it does.

When package A depends on package B (package B is a dependency of
package A; package A is a dependent of package B), trying to remove
package B while package A is installed will result in an error. Adding
--force-removal-of-dependent-packages in this case will cause the
removal of package B and package A (package B's dependent).

But in the case of the CI testing step, it is package A that is being
installed and removed. Removing package A with
--force-removal-of-dependent-packages will not cause package B (package
A's dependency) to be removed.

This adds --autoremove to actually remove the package's dependencies.

This also ignores any errors returned by opkg remove as --autoremove can
sometimes falsely return an error[1].

[1]: https://github.com/openwrt/openwrt/issues/12241

Fixes: 836b4e1c734f ("github-ci: add --force-removal-of-dependent-packages")
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 53a53b8ee3)
2023-09-01 21:56:15 +02:00
Tianling Shen 9fb0ed26c4 CI: update build architectures
Removed arc_archs - archs38 was marked as source-only [1].
Renamed powerpc_8540 to powerpc_8548 [2].

1. https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=c01641bcc7236d2e2de3ea65444b0cf2898df351
2. https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=2cad88b99fdae9766de84e6c1cb56f111eb53748

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 7928f7d399)
2023-09-01 21:56:02 +02:00
Paul Spooren dce4a4ca52 ci: only comment AUTORELEASE deprecation if exists
If it doesn't exist, don't confuse the contributors.

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit b3b01af314)
2023-09-01 21:55:50 +02:00
Paul Spooren 42584b0cec CI: deprecate $(AUTORELEASE) via comments
Autorelease causes some issues like heavy bandwidth usage as well as
non-deterministic package releases whenever someone doesn't use the full
git log.

With this comment all modified packages are checked and if they use
the autorelease feature, kindly comment to the user to change that.

Signed-off-by: Paul Spooren <paul.spooren@rhebo.com>
[ move check to separate workflow to handle ci limitation ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit c993ee8a89)
2023-09-01 21:55:43 +02:00
Josef Schlehofer 120bf33284 ci: change default packages
Since this file was taken from packages repository, it tries to compile
packages from that repository as fallback if changes are not detected.

Let's change these packages to some, which are present in this
repository, so they will be compiled as test.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit c9a8f2d032)
2023-09-01 21:55:27 +02:00
Alois Klink 8e68501e2e github-ci: error on any shell errors
Enable `errexit` and `nounset` [POSIX shell options][1]
in `.github/workflows/entrypoint.sh` so that the script fails
if any command within the script fails.

[1]: https://pubs.opengroup.org/onlinepubs/9699919799//utilities/V3_chap02.html#set

Reported-by: Marius Dinu <m95d+git@psihoexpert.ro>
Fixes: https://github.com/openwrt/packages/issues/19953
Signed-off-by: Alois Klink <alois@aloisklink.com>
(cherry picked from commit 03ca0722f7)
2023-09-01 21:55:16 +02:00
Christian Marangi b1ca335bf5 ci: update github actions to v3
Update checkout and upload-artifact action to v3 to mute nodejs
deprecation warning.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 52570d4242822e3db678f5484c2ca3e72f485d52)
(cherry picked from commit 5d87b95697)
2023-09-01 21:55:08 +02:00
Jeffery To fe55760833 ci: Use openwrt/gh-action-sdk@v5
The previous build errors with v5 have been fixed. This version builds
packages as a normal user instead of as root.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit e2d72c5775)
2023-09-01 21:54:45 +02:00
Simon Wunderlich f47368cba4
Merge pull request #1017 from ecsv/batadv-for-22.03
openwrt-22.03: batman-adv: Fix lock assert after fragmentation change
2023-08-23 08:47:03 +02:00
Sven Eckelmann 7b3fd6323d batman-adv: Fix lock assert after fragmentation change
The automatic recalculation of the maximum allowed MTU is usually triggered
by code sections which are already rtnl lock protected by callers outside
of batman-adv. But when the fragmentation setting is changed via
batman-adv's own batadv genl family, then the rtnl lock is not yet taken.

But dev_set_mtu requires that the caller holds the rtnl lock because it
uses netdevice notifiers. And this code will then fail the check for this
lock:

  RTNL: assertion failed at net/core/dev.c (1953)

Fixes: 12577be7ed ("batman-adv: Merge bugfixes from 2023.2")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
2023-08-22 18:54:12 +02:00
Simon Wunderlich 05b717a999
Merge pull request #1014 from ecsv/batadv-for-22.03
openwrt-22.03: batman-adv: Merge bugfixes from 2023.2
2023-08-18 17:40:12 +02:00
Sven Eckelmann 12577be7ed batman-adv: Merge bugfixes from 2023.2
* Broken sync while rescheduling delayed work
* compat: Use native kstrtox.h for 5.10.185
* Do not get eth header before batadv_check_management_packet
* Trigger events for auto adjusted MTU
* Don't increase MTU when set by user
* Fix TT global entry leak when client roamed back
* Fix batadv_v_ogm_aggr_send memory leak

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2023-08-18 15:52:18 +02:00
Rob White 3e10d0728b mesh11sd: update to version 2.0.0
Maintainer: Rob White rob@blue-wave.net
Compile tested: All
Run tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64, on 21.02, 22.03 and snapshot.

Description:
mesh11sd (2.0.0)

This release contains new functionality.

Autonomous portal mode is introduced. This simplifies the rollout of meshnodes allowing a common configuration to be used on all nodes.
Remote administration is introduced, allowing files to be copied and terminal sessions to be opened on established meshnodes, identifying remote nodes by mac address.

 * Add - Update config file [bluewavenet]
 * Add - implementation of remote copy [bluewavenet]
 * Add - implementation of remote connect [bluewavenet]
 * Add - Autonomous portal mode [bluewavenet]

-- Rob White dot@blue-wave.net Mon, 31 Jul 2023 16:59:52 +0000

Signed-off-by: Rob White <rob@blue-wave.net>
(cherry picked from commit 5beb3be9b8)
2023-08-09 12:48:49 +02:00
Moritz Warning 78ca8d3a75 nodogsplash: remove opennds from conflicts
OpenNDS lists nodogsplash as a conflict as well.
This causes a circular reference that is not allowed.

Signed-off-by: Moritz Warning <moritzwarning@web.de>
(cherry picked from commit 967dde509b)
2023-08-05 22:29:45 +02:00
Moritz Warning 1381661da1 nodogsplash: update to 5.0.1
Signed-off-by: Moritz Warning <moritzwarning@web.de>
(cherry picked from commit 91e07907fa)
2023-08-05 22:29:45 +02:00
Rob White 5b34377c66 opennds: Release v10.1.2
Maintainer: Rob White rob@blue-wave.net

Compile tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64

Run tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64; on snapshot, 23.05, 22.03

Description:
opennds (10.1.2)

Security Advisory. This version contains fixes for multiple potential security vulnerabilities
Credit - Stanislav Dashevskyi - standash.github.io [standash]
It also contains some minor bug fixes
  * Fix - Generate unique sha256 faskey if not set in config - CVE-2023-38324 [bluewavenet]
  * Fix - NULL pointer dereference if user_agent is NULL - CVE-2023-38320, CVE-2023-38322 [bluewavenet]
  * Fix - NULL pointer dereference if authdir is called with an incomplete or missing query string - CVE-2023-38313, CVE-2023-38314, CVE-2023-38315 [bluewavenet]
  * Fix - remove deprecated and non-functioning unescape callback - CVE-2023-38316 [bluewavenet]
  * Fix - prevent potential recursive dependency and detect if conflicting package is installed [bluewavenet]

Signed-off-by: Rob White <rob@blue-wave.net>
(cherry picked from commit 3eb9aa3056)
2023-08-04 18:41:18 +02:00
Rob White 6fbf3b0cae opennds: Release v10.1.1
Maintainer: Rob White rob@blue-wave.net

Compile tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64

Run tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64; on snapshot, 23.05, 22.03

opennds (10.1.1)
  * This version contains some minor bug fixes and documentation updates
  * Fix - send only contents of buffer, not entire buffer when serving page511 [bluewavenet]
  * Fix - Set fas_remotefqdn to gw_fqdn when overriding FAS settings [bluewavenet]
  * Fix - use absolute path for css and images in ThemeSpec [bluewavenet]
  * Fix - revert to old option names without underscores [bluewavenet]
  * Fix - FAS URL when fas_remotefqdn is not set [bluewavenet]

Signed-off-by: Rob White <rob@blue-wave.net>
(cherry picked from commit 26f5f0f812)
2023-08-04 18:41:18 +02:00
Rob White 1a40d7c7f3 opennds: Release v10.1.0
Maintainer: Rob White rob@blue-wave.net

Compile tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64

Run tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64; on snapshot, 23.05, 22.03

opennds (10.1.0)

  This version is a major upgrade including full migration to nftables
  and native uci configuration support even for generic Linux distributions.
  It also includes a significant refactoring of inbuilt memory management,
  improving long term reliability, fixing several memory leaks, buffer overflows and several edge case crashes.

  * Add - support for included custom binauth script [bluewavenet]
  * Add - emit a useful stderr message if auth_restore fails [bluewavenet]
  * Add - procd respawn threshold, respawn timeout and respawn retry parameters [bluewavenet]
  * Add - user friendly commandline message if already running [bluewavenet]
  * Fix - Enabling of Data volume quotas [bluewavenet]
  * Fix - use get_list_from_config instead of get_option_from_config [bluewavenet]
  * Fix - compiler warning - unused variable [bluewavenet]
  * Fix - remove redundant function call ipsetconf [bluewavenet]
  * Fix - walledgarden for both nftset and ipset on OpenWrt [bluewavenet]
  * Add - more meaningful output if attempt is made to restart when already running [bluewavenet]
  * Fix - resolve gatewayfqdn after startup [bluewavenet]
  * Fix - Choose foreground or background running according to commandline arguments [bluewavenet]
  * Fix - remove superfluous debug message [bluewavenet]
  * Fix - replace sleep with procd_set_param term_timeout [bluewavenet]
  * Fix - make option enabled default to enabled [bluewavenet]
  * Fix - report authmon pid instead of opennds pid from authmon [bluewavenet]
  * Fix - ensure correct pid obtained for opennds [bluewavenet]
  * Add - StartLimitIntervalSec and StartLimitBurst to systemd service script [bluewavenet]
  * Fix - refactor remote downloads [bluewavenet]
  * Fix - suppress error message on ipset test failure [bluewavenet]
  * Fix - send non-syslog debug information to stdout by default [bluewavenet]
  * Add - C function to check heartbeat watchdog [bluewavenet]
  * Fix - Update generic Linux makefile [bluewavenet]
  * Fix - remove redundant ruleset struct definition [bluewavenet]
  * Fix - potential buffer overflow issue during config stage [bluewavenet]
  * Fix - remove unnecessary calls to free() in page 404 processing [bluewavenet]
  * Fix - remove redundant code from fw_iptables [bluewavenet]
  * Add - updates to binauth_log script [bluewavenet]
  * Add - updates for service startup, systemd and procd [bluewavenet]
  * Add - refactoring of commandline processing [bluewavenet]
  * Fix - remove debugging message [bluewavenet]
  * Fix - typo in client ruleset [bluewavenet]
  * Add - Refactor to use uci config directly even for Generic Linux [bluewavenet]
  * Add - Parsing for multi item lists with spaces in items [bluewavenet]
  * Add - use common library call get_option_fom_config [bluewavenet]
  * Add - support for direct use of uci format config file - string and integer parameters [bluewavenet]
  * Fix - Remove deprecated syslog_facility config setting [bluewavenet]
  * Add - thread busy message to ndsctl [bluewavenet]
  * Add - refactor configure_log_location [bluewavenet]
  * Fix - suppress LOG_NOTICE message when getting mac of interface [bluewavenet]
  * Fix - ndsctl error message [bluewavenet]
  * Fix - get_client_interface for levels 2 and 3 [bluewavenet]
  * Add - use common library write_log function [bluewavenet]
  * Add - Refactor memory management [bluewavenet]
  * Fix - fix and refactor upload rate limiting rules [bluewavenet]
  * Fix - Change a debug message from err to info [bluewavenet]
  * Add - refine common buffer sizes [bluewavenet]
  * Add - use initialised heap memory for redirect_to_splashpage [bluewavenet]
  * Add - user message to themespec [bluewavenet]
  * Add - auth_restore support ie reauth clients after a restart by default. [bluewavenet]
  * Add - Library call to preemptively re-auth clients after a restart or crash [bluewavenet]
  * Add - BinAuth, write an authenticated clients list [bluewavenet]
  * Add - library call "check_heartbeat" [bluewavenet]
  * Fix - Tidy up redundant code [bluewavenet]
  * Fix - change warning message to debug message when iw not installed [bluewavenet]
  * Add - library call to log to syslog [bluewavenet]
  * Fix - use initialised heap memory for client list entries [bluewavenet]
  * Fix - ignore legacy ipset firewall rule [bluewavenet]
  * Fix - refactor memory management for MHD calls - use heap memory for buffers etc [bluewavenet]
  * Fix - missing free causing memory leak [bluewavenet]
  * Fix - predefine and initialise buffer for send_redirect_temp [bluewavenet]
  * Add - support protocol "all" in firewall ruleset [bluewavenet]
  * Add - pre-allocation of initialised buffers [bluewavenet]
  * Fix - prevent buffer overrun on removing client [bluewavenet]
  * Add - update MHD connection timeout and connection limit [bluewavenet]
  * Add - chain ndsDLR for dynamic client download rate limiting rules [bluewavenet]
  * Add - Use Internal Polling Thread / Thread Per Connection in MHD [bluewavenet]
  * Add - some new default values [bluewavenet]
  * Fix - remove some redundant code and fix some compiler warnings [bluewavenet]
  * Fix - remove redundant library command string [bluewavenet]
  * Fix - Tidy up redundant iptables code [bluewavenet]
  * Add - convert trusted client support to nftables [bluewavenet]
  * Add - refer to nftables [bluewavenet]
  * Add - move code for generating authentication mark string to initial setup [bluewavenet]
  * Add - full nftset support with ipset import where required [bluewavenet]
  * Add - nftset support library calls [bluewavenet]
  * Add - ipset_to_nftset library call [bluewavenet]
  * Add - support for nftables version of append_ruleset and nftables_compile [bluewavenet]
  * Fix - buffer overflow in page_511 generation [bluewavenet]
  * Add - more nftables migration including rate quotas [bluewavenet]
  * Fix - change GatewayInterface to lower case [bluewavenet]
  * Add - upload and download limiting client flags for future use [bluewavenet]
  * add - lib calls "pad_string" and "replace_client_rule" [bluewavenet]
  * Add - further nftables migration [bluewavenet]
  * Fix - correctly parse options from legacy conf file [bluewavenet]
  * Fix - some compiler warnings and set min iptables version [bluewavenet]
  * Add - Generic Linux configure walledgarden [bluewavenet]
  * Add - Implementation of nftsets for walledgarden [bluewavenet]
  * Add - migration to nftables, next phase. [bluewavenet]
  * Add - library function delete_client_rule [bluewavenet]
  * Fix - remove duplicate definition [bluewavenet]
  * Add - First stage migration to nftables [bluewavenet]

Signed-off-by: Rob White <rob@blue-wave.net>
(cherry picked from commit 7b1911020b)
2023-06-30 23:38:04 +02:00
Bradford Zhang faf2c321ef bird2: bump to version 2.13.1
Signed-off-by: Bradford Zhang <zyc@zyc.name>
(cherry picked from commit d98b9b5052)
2023-06-30 01:17:39 +02:00
Bradford Zhang f2b9e35365 bird2: bump to version 2.13
Signed-off-by: Bradford Zhang <zyc@zyc.name>
(cherry picked from commit 6410411b12)
2023-05-20 00:10:07 +02:00
Josef Schlehofer 1cc7676b9f
Merge pull request #957 from rogerpueyo/openwrt-22.03-backport-bird1-fixes
Backport bird1-openwrt fixes to 22.03
2023-03-09 09:20:19 +01:00
Roger Pueyo Centelles b8e0831736 bird1: fix "Form token mismatch" errors in luci-app-bird1-ipv{4,6}
The "Filters", "Functions" and "Status" sections of the web interfaces
for both Bird4 and Bird6 threw the following error upon performing any
action:

   Form token mismatch
   The submitted security token is invalid or already expired!

Changing their entry types from "cbi" to "form" fixes them.

Fixes #922.

Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
(cherry picked from commit c37fbab8f5)
2023-03-08 15:08:20 +01:00
Roger Pueyo Centelles 3d7df59413 bird1: rename get_bool() to get_a_bool() in bird{4,6}-lib.sh
This patch renames the get_bool() function, implemented in the
bird4-lib.sh and bird6-lib.sh files (respectively, for the IPv4 and
the IPv6 versions of the package), as well as all the calls to it.
This way, we avoid a function name collision with the one provided by
file /lib/functions.sh, which is slightly different and caused an
out-of-memory error when parsing the bird4/bird6 UCI config files.

Fixes #920.

Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
(cherry picked from commit d32f93e049)
2023-03-08 15:08:20 +01:00
Roger Pueyo Centelles 4e0e702747 bird1-openwrt: fix Makefile issues
This commit replaces the deprecated licensing text with an SPDX license
identifier, and removes tab indentations in the conffiles sections.

Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
(cherry picked from commit 6697ca291f)
2023-03-08 15:08:19 +01:00
Roger Pueyo Centelles 58a4a00043 bird1-openwrt: use a single Makefile for IPv4 and IPv6 packages
Having two Makefile files, respectively in the bird1-openwrt-ipv4 and
bird1-ipv6-openwrt folders, made the CI tests fail at the time of
building the packages, due to a compilation error. This patch merges
both Makefile files into a single one. As a result, package compilation
succeeds during the CI tests.

Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
(cherry picked from commit 914c27aeb6)
2023-03-08 15:08:09 +01:00
Bradford Zhang cc1dd763e0 bird2: bump to version 2.0.12
Signed-off-by: Bradford Zhang <zyc@zyc.name>
(cherry picked from commit 7d6f3c0492)
2023-02-22 11:55:53 +01:00
Nick Hainke 83bc4fc999 babeld: remove AUTORELEASE
AUTOREMOVE is now deprecated.

Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 20e1b16a97)
2023-02-13 09:52:07 +01:00
Nick Hainke 59bc28b83e babeld: update to 1.12.2
Release announcement:
https://alioth-lists.debian.net/pipermail/babel-users/2023-February/004038.html

Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit bb65c3a18d)
2023-02-13 09:52:07 +01:00
Rob White 74948d5cea opennds: Release v9.10.0
Maintainer: Rob White rob@blue-wave.net
Compile tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64
Run tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64; on snapshot, 22.03

opennds (9.10.0)

  * This version adds new functionality, and fixes some issues
  * Fix - unable to read client upload traffic volume on some versions of iptables-nft (generic Linux) [bluewavenet]
  * Fix - compatibility with bash shell on generic Linux [bluewavenet]
  * Fix - compiler warning, unused variable [bluewavenet]
  * Fix - silently continue if fw4 table is not found [bluewavenet]
  * Add - Start daemon earlier on boot [bluewavenet]
  * Fix - compatibility with legacy iptables packages [bluewavenet]
  * Add - call to delete nft chains [bluewavenet]
  * Fix - stop using legacy INPUT and FORWARD chains [bluewavenet]
  * Add - watchdog restart if openNDS nftables ruleset is missing [bluewavenet]
  * Add - automated rule setting/deleting for users_to_router [bluewavenet]
  * Add - Change fwhook to add users to router rule to fw4 on OpenWrt [bluewavenet]
  * Add - Set allow or passthrough mode for users_to_router rules [bluewavenet]
  * Fix - set fwhook default to disabled to prevent restart on hotplug event [bluewavenet]
  * Fix - fas-aes-https description comments [bluewavenet]
  * Fix - icon overspill on splash pages [bluewavenet]
  * Fix - missing config option in community script [bluewavenet]
  * Fix - urlencode handling of "$" character and add htmlentity encode/decode library call [bluewavenet]

Signed-off-by: Rob White <rob@blue-wave.net>
(cherry picked from commit 18168b3468)
2023-01-24 23:53:38 +01:00
Bradford Zhang 1a87333f26 bird2: bump to version 2.0.11
Signed-off-by: Bradford Zhang <zyc@zyc.name>
2022-12-21 10:22:48 +01:00
Rob White 0fb5e3c1a3 opennds: Release v9.9.1
Maintainer: Rob White rob@blue-wave.net
Compile tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64
Run tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, x86-64; on snapshot, 22.03

opennds (9.9.1)

  * This version fixes some issues
  * Fix - minimalise deprecated legacy .conf file
  * Fix - Prevent rate limit refresh if rate limit is set to 0 [bluewavenet]
  * Fix - Mute some unnecessary debug messages [bluewavenet]
  * Fix - do not write unconfigured (null) parameters to client id file (cidfile) [bluewavenet]
  * Fix - Prevent error "Command process exited due to signal 13" when executing an external script [bluewavenet]
  * Fix - use WTERMSIG() return code for _execute_ret when execute fails [bluewavenet]
  * Fix - use correct response type for error 503 [bluewavenet]
  * Update Makefile description [bluewavenet]
  * Add - Community Local FAS install script [bluewavenet]
  * Update - Mention TCP port 80 requires AutonomousWG [afriza]

Signed-off-by: Rob White <rob@blue-wave.net>
(cherry picked from commit 6c31b5bd1c)
2022-11-22 19:21:41 +01:00