Commit Graph

37968 Commits

Author SHA1 Message Date
Mathias Kresin
3214e174a0 ramips: fix Xiaomi MiWiFi Nano firmware partition size
Even the commit message of the patch adding support for the MiWiFi Nano
says that a 16 MB flash chip is used. Extend the firmware partition to
make use of all available flash space.

Fixes: FS#622

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-07-08 08:53:52 +02:00
Felix Fietkau
27da508749 build: fix kmod package build on non-GNU systems
BSD paste requires a filename argument, and it accepts - to use stdin as
intended.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-07-05 12:49:21 +02:00
Sergey Sergeev
d71ffb9639 ar71xx: Fix UBIFS work on Mikrotik RB95x devices
If nand chip has no NAND_NO_SUBPAGE_WRITE flag on its options
ubifs can't use it mtd devices and the kernel crashes with error:
__nand_correct_data: uncorrectable ECC error

Signed-off-by: Sergey Sergeev <adron@yapic.net>
2017-07-05 12:48:58 +02:00
Mathias Kresin
52617669c2 lantiq: use img file extension for DGN3500 factory images
The Netgear UI in basic mode refuses the upgrade file if the the
fileextension is not img. The expert/advanced mode accepts any
fileextension. Use img to make it work in any case.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-07-04 16:28:44 +02:00
Hans Dedecker
91d41b6305 dnsmasq: backport tweak ICMP ping logic for DHCPv4
Don't start ping-check of address in DHCP discover if there already
exists a lease for the address. It has been reported under some
circumstances android and netbooted windows devices can reply to
ICMP pings if they have a lease and thus block the allocation of
the IP address the device already has during boot.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-07-01 13:53:53 +02:00
Hans Dedecker
cca765f64c dhcpv6: add missing dollar sign in dhcpv6 script (FS#874)
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-29 10:02:14 +02:00
Daniel Golle
eff3469510 procd: backport fixes from master branch
The following commits have been cherry-picked into the lede-17.01
branch of procd, listed here in git-log-order ie. with head first:

89918c8 system: introduce new attribute board_name
(79bbe6d and 453116e on master branch)

8297c38 preinit: define _GNU_SOURCE
(e5b963a on master branch)

8fd57dd upgraded: cmake: Find and include uloop.h
(e5ff8ca on master branch)

6b0da20 hotplug: fix a memory leak in handle_button_complete()
(f367ec6 on master branch)

558ffb5 service/service_stopped(): fix a use-after-free
(796ba3b on master branch)

22f89e1 upgraded: define __GNU_SOURCE
(e7bb2c8 on master branch)

6e8ea8b rcS: add missing fcntl.h include
(992b796 on master branch)

cd5225d procd/rcS: Use /dev/null as stdin
(d42b21e on master branch)

5131bec procd: Log initscript output prefixed with script name
(1247db1 on master branch)

225b18d procd: Don't use syslog before its initialization
(8d720b2 on master branch)

889442c procd: Add missing \n in debug message
(2555474 on master branch)

2716228 procd: service gets deleted when its last instance is freed
(8f218f5 on master branch)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-06-28 02:01:07 +02:00
Stijn Tintel
8d3d7f6b52 kernel: update kernel 4.4 to 4.4.74
Refresh patches.
Compile-tested on ar71xx, octeon.
Runtime-tested on ar71xx, octeon.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-06-27 15:00:35 +02:00
Stijn Tintel
53eba6f58f ipq806x: fixup thermal patches
Fix conflict with thermal patches added in
c03d4317a6.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-06-27 10:05:04 +02:00
Rafał Miłecki
761e6087ed base-files: fix PKG_CONFIG_DEPENDS to include version.mk entries
Including version.mk sets PKG_CONFIG_DEPENDS to config entries used for
VERSION_SED command. We should keep these configs to make sure package
gets refreshed when needed.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-06-26 23:47:12 +02:00
Rafał Miłecki
f197a2a4c9 bcm53xx: include wpad-mini only on devices with (supported) wireless
Don't include wpad-mini when it's useless just like we don't include
useless wireless drivers.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-06-26 23:45:07 +02:00
Mathias Kresin
6c03b293bb firmware-utils: fix dgn3500sum compiler warnings
The sum variable need to be initialised, otherwise it will points to
random stack memory and a bogus image checksum might be calculated.

While at it, fix the segfault in case the product region code isn't
specified and enable compiler warnings which had revealed all the code
issues.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-06-26 20:11:16 +02:00
Christian Schoenebeck
73a4568f19 ca-certificates: Update to version 20161130+nmu1
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
2017-06-26 10:09:54 +02:00
Magnus Kroken
57289ae640 openvpn: update to 2.4.3
Fixes for security and other issues. See security announcement for more details:
https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

* Remotely-triggerable ASSERT() on malformed IPv6 packet (CVE-2017-7508)
* Pre-authentication remote crash/information disclosure for clients (CVE-2017-7520)
* Potential double-free in --x509-alt-username (CVE-2017-7521)
* Remote-triggerable memory leaks (CVE-2017-7512)
* Post-authentication remote DoS when using the --x509-track option (CVE-2017-7522)
* Null-pointer dereference in establish_http_proxy_passthru()
* Restrict --x509-alt-username extension types
* Fix potential 1-byte overread in TCP option parsing
* Fix mbedtls fingerprint calculation
* openssl: fix overflow check for long --tls-cipher option
* Ensure option array p[] is always NULL-terminated
* Pass correct buffer size to GetModuleFileNameW() (Quarkslabs finding 5.6)

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-06-26 09:57:11 +02:00
Magnus Kroken
73e81a8318 mbedtls: update to 2.5.1
Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released

* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-06-26 09:57:11 +02:00
Rafał Miłecki
5b0b27eb48 bcm53xx: enable Northstar thermal driver
It allows monitoring CPU temp and will shutdown system on critical
value.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-06-22 11:08:05 +02:00
Rafał Miłecki
c03d4317a6 kernel: backport Broadcom thermal drivers
This includes driver for Northstar and for Raspberry Pi.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-06-22 11:06:46 +02:00
Hans Dedecker
8f254e9c27 Revert "dnsmasq: don't point --resolv-file to default location unconditionally"
This reverts commit 78edfff530.

This breaks local dns resolving in case noresolv=1 as resolv.conf is not
populated anymore with 127.0.0.1 as resolvfile does not equal
/tmp/resolv.conf.auto anymore.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-19 22:07:44 +02:00
Kevin Darbyshire-Bryant
c16326cfed dropbear: fix service trigger syntax error
The classic single '&' when double '&&' conditional was meant.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-06-17 13:50:27 +02:00
小桥
2e206c79cc ramips: fix Phicomm K1S(PSG1208) pinmux
Use gpio function for pins with LEDs.

Signed-off-by: 小桥 <29551030@qq.com>
2017-06-12 21:10:14 +02:00
Alexander Couzens
a6b5ddfd9b LEDE v17.01.2: revert to branch defaults
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-06-10 13:08:07 +02:00
Alexander Couzens
2da512ecf4 LEDE v17.01.2: adjust config defaults
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-06-10 13:08:02 +02:00
Felix Fietkau
65eec8bd5f build: ensure that flock is available for make download
It ensures that make download can parallelize downloads, even when some
packages download the same files (e.g. gcc/initial, gcc/final)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-06-08 23:02:37 +02:00
Alexander Couzens
4053c4f0fe include/toplevel: set env GIT_ASKPASS=/bin/true
When git-https request a service (e.g. github) which ask for credentials
git will pass this request to the user resulting download.pl to wait for
user input. Set GIT_ASKPASS to stop asking.

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-06-08 23:02:37 +02:00
Jo-Philipp Wich
e5db08edf7 base-files: network.sh: fix a number of IPv6 logic flaws
* Change network_get_subnet6() to sensibly guess a suitable prefix

  Attempt to return the first non-linklocal, non-ula range, then attempt
  to return the first non-linklocal range and finally fall back to the
  previous behaviour of simply returning the first found item.

* Fix network_get_ipaddrs_all()

  Instead of replicating the flawed logic appending a fixed ":1" suffix
  to IPv6 addresses, rely on network_get_ipaddrs() and network_get_ipaddrs6()
  to build a single list of all interface addresses.

* Fix network_get_subnets6()

  Instead of replicating the flawed logic appending a fixed ":1" suffix
  to IPv6 addresses, rely on the ipv6-prefix-assignment.local-address
  field to figure out the proper network address.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-08 23:02:16 +02:00
Jo-Philipp Wich
8a42d4d851 mwlwifi: update to version 10.3.4.0 / 2017-06-06
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-08 19:57:31 +02:00
Daniel Golle
f709597e81
automake: import upstream fix for perl 5.26
Build broke as distributions now include Perl 5.26 and automake
triggered an "Unescaped left brace in regex" error.
Import upstream commit 13f00eb449 to fix that.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-06-08 12:18:56 +02:00
Jo-Philipp Wich
df4363b607 base-files: network.sh: properly report local IPv6 addresses
Rework the network_get_ipaddr6() and network_get_ipaddrs6() functions to
fetch the effective local IPv6 address of delegated prefix from the
"local-address" field instead of naively hardcoding ":1" as static suffix.

Fixes FS#829.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-08 12:06:50 +02:00
Jo-Philipp Wich
4fbd072624 kernel: update kernel 4.4 to 4.4.71
Fixes the following security vulnerabilities:

CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the
Linux kernel through 4.10.15 allows attackers to cause a denial of service
(double free) or possibly have unspecified other impact by leveraging use
of the accept system call.

CVE-2017-9074
The IPv6 fragmentation implementation in the Linux kernel through 4.11.1
does not consider that the nexthdr field may be associated with an invalid
option, which allows local users to cause a denial of service (out-of-bounds
read and BUG) or possibly have unspecified other impact via crafted socket
and send system calls.

CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.

CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux
kernel through 4.11.1 mishandles inheritance, which allows local users to
cause a denial of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890.

CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.

CVE-2017-9242
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel
through 4.11.3 is too late in checking whether an overwrite of an skb data
structure may occur, which allows local users to cause a denial of service
(system crash) via crafted system calls.

Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242
Ref: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.71

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-07 21:24:41 +02:00
Kristian Evensen
443d705e38 Add missing APU1 reference to x86 board.d
x86 board.d only contains a case for the APU2, not the APU1. This
causes, for example, network configuration not to be created correctly.
Even though the APU1 seems to reaching EOL, there a still a lot of them
out there.

The APU1 and APU2 is configured in the same way and this patch should
also be considered for stable, as the error also exists there.

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
2017-06-06 23:02:20 +02:00
Mathias Kresin
524ed5088e base-files: always set proto passed to _ucidef_set_interface()
Overwrite an already set proto if a new one is passed to
_ucidef_set_interface() similar to what is done for the interface.

It is required when using ""ucidef_set_interface_wan 'ptm0' 'pppoe'"
after some initial wan interface configuration is already done by
ucidef_add_switch.

The "json_is_a protocol string" guard is meant to not reset an earlier
set interface proto in case something like
"ucidef_set_interface_lan 'eth0'" is used afterwards.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-06-03 20:41:26 +02:00
Mathias Kresin
bf6216e5e3 lantiq: fix broadcasts and vlans in two iface mode
The two phy operation mode where one phy is assigned to an interface
without lantiq,* device tree property and the other phy is assigned to
an interface with the lantiq,wan device property was broken with the
multicast package leaks between vlans fixes.

Move the multicast packages relevant portmap settings to the condition
which handles multicast packages for better readability.

Replace the priv->port_map based port_map only for the interface which
has the lantiq,switch device tree property set, to allow tagged
multicast packages in two phy mode where the lantiq,switch device tree
property isn't used.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-06-03 16:51:42 +02:00
Felix Fietkau
36ccbbdab1 lantiq: select kmod-mt7603 instead of kmod-mt76 for WBMR-300HPD
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-06-03 16:51:41 +02:00
Mathias Kresin
4186d737f6 lantiq: use the P2812HNUF* wan port as wan
The port is labeled as wan and was only used as lan port because of the
"tx ring full" issues fixed with 8f02f7c.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-06-03 16:51:41 +02:00
Mathias Kresin
254bf7961e lantiq: xrx200: use vlan for ethernet wan port
Using the lantiq,wan device tree property for one interface node and
the lantiq,switch device tree property for another interface node at
the same time was never intended/isn't supported at the moment.

The property is meant to be used in two phy operation mode where one
phy is assigned to an interface without lantiq,* device tree property
and the other phy is assigned to an interface with the lantiq,wan
device property to have two netdevs.

If both properties are used at the same time, the lantiq,wan interface
is shown as independent netdev but not able to operate independent. The
port needs to be managed via swconfig. These dependency is not obvious
and fooled already a lot of users.

Add a default WAN vlan for xrx200 devices having an ethernet WAN port
and remove the lantiq,wan device tree property. Leave it up to the user
to set the ethernet WAN port as default WAN interface or to use this
port as additional LAN port.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-06-03 16:09:33 +02:00
Jo-Philipp Wich
b78bcdf619 x86: disable X2APIC support for legacy subtargets
Explicitely disable X2APIC support on legacy targets since the targeted
processor types do not support it anyway there.

Fixes FS#285.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-02 01:52:14 +02:00
Jo-Philipp Wich
e78a641f52 umdns: remove superfluous include in init script
The umdns init script includes function/network.sh globally, outside of any
service procedure. This causes init script activation to fail in buildroot
and IB context if umdns is set to builtin.

Additionally, the network.sh helper is not actually used.

Drop the entire include in order to repair init script activation in build
host context. Fixes FS#658.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-02 01:29:51 +02:00
Jo-Philipp Wich
cdfc6788a9 dnsmasq: bump to 2.77
This is a cumulative backport of multiple dnsmasq update commits in master.

Drops three LEDE specific patches which are included upstream and another
patch which became obsolete. Remaining LEDE specific patches are rebased.

Fixes FS#766 - Intermittent SIGSEGV crash of dnsmasq-full.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-02 00:25:08 +02:00
Alberto Bursi
9e20cc56b9 dnsmasq: make tftp root if not existing
If there's a TFTP root directory configured, create it with mkdir -p
(which does not throw an error if the folder exists already)
before starting dnsmasq. This is useful for TFTP roots in /tmp, for example.

Originally submitted by nfw user aka Nathaniel Wesley Filardo

Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
2017-06-02 00:09:14 +02:00
Karl Vogel
ebf46d2c5b dnsmasq: use logical interface name for dhcp relay config
The relay section should use the logical interface name and
not the linux network device name directly. This to be
consistent with other sections of the dnsmasq config where
'interface' means the logical interface.

Signed-off-by: Karl Vogel <karl.vogel@gmail.com>
2017-06-02 00:07:02 +02:00
Philip Prindeville
78edfff530 dnsmasq: don't point --resolv-file to default location unconditionally
If noresolv is set, we should not generate a --resolv-file parameter.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [minor cleanup]
2017-06-02 00:06:24 +02:00
Piotr Dymacz
b1257d8d73 ar71xx: fix Wallys DR344 GPIO-connected LEDs and button
This fixes wrong GPIO numbers for LEDs and button in Wallys DR344 board
and sets color of all LEDs to green as the mass production boards have
only green one.

Actually, DR344 has 6 GPIO-connected LEDs and one button:

- GPIO11: status
- GPIO12: sig1
- GPIO13: sig2
- GPIO14: sig3
- GPIO15: sig4
- GPIO16: reset button
- GPIO17: lan

WAN LED is connected directly with AR8035 PHY.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-05-30 14:57:09 +02:00
Piotr Dymacz
21a7e40941 ar71xx: set GE interface as wan by default in Wallys DR344
This aligns default network interfaces configuration with vendor
firmware: GE (eth0) -> wan, FE (eth1) -> lan.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-05-30 14:57:00 +02:00
Piotr Dymacz
a412350684 ar71xx: fix GE interface support in Wallys DR344
GMAC0 interface of AR9344 SOC in Wallys DR344 board is connected with
AR8035, not with AR8327. Without this fix, GE interface doesn't work at
all or shows high packet loss ratio.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-05-30 14:56:53 +02:00
Etienne Haarsma
dfecce60e6
toolchain/gdb: update to version 7.12.1
Update gdb to version 7.12.1.

GDB 7.12.1 brings the following fixes and enhancements over GDB 7.12:

   * PR tdep/20682 (aarch64 regression: gdb.cp/nextoverthrow.exp)
   * PR server/20733 (Failed to build aarch64_be-linux-gnu GDBserver)
   * PR tdep/20953 (GDB crashes after "set architecture rl78")
   * PR tdep/20954 (GDB crashes if "set architecture rx")
   * PR tdep/20955 (GDB internal error in cris-tdep.c)
   * PR build/20712 (gdb 7.12+ doesn't build as C++ on Solaris)
   * PR breakpoint/20653 (string_to_explicit_location has some weird code)
   * PR build/20753 (MinGW compilation errors due to strcasecmp)
   * PR gdb/20977 (GDB exception handling is broken on i686-w64-mingw32)
   * PR python/21048 (backtrace is broken on i686)
   * PR sim/20808 (mips sim build fails due to undefined SD/CPU variables)
   * PR sim/20809 (mips sim build fails for r3900 cpus)
   * PR gdb/20939 (GDB aborts

Signed-off-by: Etienne Haarsma <bladeoner112@gmail.com>
2017-05-30 01:32:21 +02:00
Julian Labus
fe5e343933 usbmode: update usb-modeswitch-data to 20170205
add support for new hardware

Signed-off-by: Julian Labus <julian@labus-online.de>
2017-05-29 09:26:27 +02:00
Julian Labus
4baf0ea229 usbmode: update to latest version
453da8e convert-modeswitch.pl: fix message indices

Signed-off-by: Julian Labus <julian@labus-online.de>
2017-05-29 09:26:27 +02:00
Florian Fainelli
7c1e58863c usbmode: Update to latest HEAD
Brings the following changes:

22f041e18df0 Extend StandardEject sequence to include LUN 1
61fdf7e9b1cc cmake: Search for libjson-c
2769852e76b5 cmake: Find libubox/blobmsg_json.h
8a47c4b6649f add TargetClass support

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-05-29 09:26:27 +02:00
Jo-Philipp Wich
22478bf473 samba: bump PKG_RELEASE
The previous CVE bugfix commit did not adjust PKG_RELEASE, therefor the
fixed samba package does not appear as opkg update.

Bump the PKG_RELEASE to signify upgrades to downstream users.

Ref: https://forum.lede-project.org/t/sambacry-are-lede-devices-affected/3972/4

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-27 17:40:21 +02:00
Jo-Philipp Wich
757353c3a0 firewall: resync with master
Update to latest Git HEAD in order to import a number of fixes and other
improvements:

a4d98ae options: remove stray continue statement
3d2c18a options: improve handling of negations when parsing space separated values
0e5dd73 iptables: support -i, -o, -s and -d in option extra
4cb06c7 ubus: increase ubus network interface dump timeout
e5dfc82 iptables: add exception handling
f625954 firewall3: add check_snat() function
7d3d9dc firewall3: display the section type for UBUS rules
53ef9f1 firewall3: add UBUS support for include scripts
5cd4af4 firewall3: add UBUS support for ipset sections
02d6832 firewall3: add UBUS support for forwarding sections
0a7d36d firewall3: add UBUS support for redirect sections
d44f418 firewall3: add fw3_attr_parse_name_type() function
e264c8e firewall3: replace warn_rule() by warn_section()
6039c7f firewall3: check the return value of fw3_parse_options()
c328d1f build: use -Wno-format-truncation instead of -Wno-error=format-truncation
e06e537 utils: replace sprintf use with snprintf to avoid overflows
533f834 build: disable the format-truncation warning error to fix gcc 7 build errors
e751cde zones: drop outgoing invalid traffic in masqueraded zones
d596f72 rules: fix UCI context in error reporting
1d0564c ubus: fix interface name and proto lookup
82ccd9e firewall3: fix handling of UTC times
1949e0c iptables: support xtables API > 11

Fixes FS#548, FS#640, FS#806, FS#811.

Ref: https://forum.lede-project.org/t/nat-leakage-on-tl-wr1043nd-v4/1712

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-27 16:18:31 +02:00