82 Commits a5d0de214f ... 9414697f92

Author SHA1 Message Date
  Rosen Penev 9414697f92 ag71xx: Remove ___cacheline_aligned from ring structs. 6 years ago
  Rosen Penev f74ce430f2 ag71xx: Reorder ring struct for lower cache thrashing. 6 years ago
  Rosen Penev c8eb9545a0 ag71xx: Move timestamp struct member outside of struct. 6 years ago
  Felix Fietkau ea2e88f605 ar71xx: use global timestamp for hang check 6 years ago
  Rosen Penev b9dc815e4c ag71xx: Reorder ag71xx struct members for better cache performance 6 years ago
  Rosen Penev 202b2bc507 ag71xx: Reduce NAPI weight to 32. 6 years ago
  Rosen Penev a5d0de214f ag71xx: Remove ___cacheline_aligned from ring structs. 6 years ago
  Rosen Penev 60fcf54838 ag71xx: Reorder ring struct for lower cache thrashing. 6 years ago
  Rosen Penev bbecb936c5 ag71xx: Move timestamp struct member outside of struct. 6 years ago
  Felix Fietkau 9805d6cd83 ar71xx: use global timestamp for hang check 6 years ago
  Rosen Penev dd630fe38a ag71xx: Reorder ag71xx struct members for better cache performance 6 years ago
  Rosen Penev 0bb9c7b054 ag71xx: Reduce NAPI weight to 32. 6 years ago
  Christopher Howard 828be3537e Adds Soft Brick Recovery doc 6 years ago
  RISCi_ATOM 1e1a7bf9fa Add Shell-in-a-box support to libreCMC 6 years ago
  RISCi_ATOM 774f46eeb4 Bump OpenVPN to 4.4.5 (fix) 6 years ago
  RISCi_ATOM f8cc0a4ff0 Revert "Bump OpenVPN to 4.4.5" 6 years ago
  RISCi_ATOM 3a07a7db1c Bump OpenVPN to 4.4.5 6 years ago
  RISCi_ATOM b2c562bd9c mbedtls: update to version 2.7.0 6 years ago
  RISCi_ATOM b090ef38d8 Bump x86 config 6 years ago
  RISCi_ATOM ad1e55f27a Remove 4.4.115 ref. and bump libreCMC version to v1.4.3 6 years ago
  RISCi_ATOM f569eb5ecc Bump kernel to 4.4.120 and update e2fsprogs 6 years ago
  RISCI_ATOM da8ab71dac Change the ref to libreCMC wiki since all docs have been moved to /docs folder. 6 years ago
  RISCi_ATOM 555a65c966 Revert OpenVPN version bump (broken wait patch)... 6 years ago
  RISCi_ATOM 536c73f533 Bump OpenVPN to 2.4.5 (testing) 6 years ago
  RISCI_ATOM 5f18c3169b Fix TL-WR1043ND link 6 years ago
  Christopher Howard 462baef495 Adds server interface setup details 6 years ago
  RISCI_ATOM 1652ef79ee Merge branch 'v1.4' of pi31415/libreCMC-cmh into v1.4 6 years ago
  Christopher Howard bc68e870fc Tweaks to server config of L2 VPN guide 6 years ago
  RISCi_ATOM b6e24f02ac Pull in updated system / network components from upstream (stage 1) 6 years ago
  RISCi_ATOM 96e3c54eb6 Pull nfs-server support into core 6 years ago
  RISCi_ATOM d61e016059 Fix grammar issue 6 years ago
  RISCi_ATOM 7ce8666852 Add libreCMC banner / shell prompt with a few corrections 6 years ago
  RISCi_ATOM ea14ba0d41 Fix typo : dialup vs dialout group 6 years ago
  RISCi_ATOM 79bb389622 Add basic serial console documentation (still needs work). 6 years ago
  RISCi_ATOM 50b5be44e7 Add experimental Tor support to base libreCMC 6 years ago
  Christopher Howard 03714ac7cd Minor edits to System Log doc for consistency 6 years ago
  Christopher Howard cf5919e236 System Log doc: Changes prompt for MD readability 6 years ago
  Christopher Howard bd903941d6 Tests markup keywords 6 years ago
  Christopher Howard 51e7f6eb0f Fixes type in System Log documentation 6 years ago
  Christopher Howard 5f793b1927 Fixes broken image links in System Log documentation 6 years ago
  Christopher Howard 80435e94e3 Adds System Log documentation 6 years ago
  RISCi_ATOM 25db12370b Add / fix carl9170 firmware 6 years ago
  RISCi_ATOM 6e172c1c9b Bump kernel to 4.4.115 6 years ago
  RISCi_ATOM fcad225674 Fix CVE 2018-5332 6 years ago
  RISCI_ATOM 9a6a4b1305 Merge branch 'fix_ar300m_flashing' of somenut/libreCMC into v1.4 6 years ago
  hungrymonkey a7069c5570 Fix flash as RISC_ATOM's sugguestions 6 years ago
  RISCI_ATOM 415698e432 Merge branch 'v1.4' of somenut/libreCMC into v1.4 6 years ago
  hungrymonkey 0b887021cd Added GL-AR300M documentation. 6 years ago
  RISCi_ATOM 176db68b40 Merge branch 'v1.4' of https://gogs.librecmc.org/libreCMC/libreCMC into v1.4 6 years ago
  RISCI_ATOM c939b37cb1 Fix broken link 6 years ago
  Kevin Darbyshire-Bryant d0266fd309 dnsmasq: backport validation fix in dnssec security fix 6 years ago
  Kevin Darbyshire-Bryant b6a05ed3d4 dnsmasq: backport dnssec security fix for 17.01 6 years ago
  RISCI_ATOM 6d0e9c77cf Merge branch 'port-forwarding-doc' of pi31415/libreCMC-cmh into v1.4 6 years ago
  Christopher Howard 2904fc091e Minor edits to Port Forwards doc 6 years ago
  Christopher Howard 2a7d1a6ea6 Adds images and corrections to Port Forwards doc 6 years ago
  Christopher Howard 3909c86f26 Adds initial Port Forwarding doc 6 years ago
  RISCI_ATOM 3a886c4057 Update 'docs/unbrick_with_uboot_mod.md' 6 years ago
  RISCI_ATOM 5cf9925687 Fix table 6 years ago
  RISCi_ATOM 6f93212cc3 Testing Image_support.md page... 6 years ago
  RISCI_ATOM 0447d06a23 Merge branch 'basic-wifi-settings' of pi31415/libreCMC-cmh into v1.4 6 years ago
  Christopher Howard 7f6d705353 Adds images plus several edits to Basic Wireless Settings doc 6 years ago
  Christopher Howard c41336e30a Fixes typo in Basic Wireless Settings doc 6 years ago
  Christopher Howard 221e414c39 Adds core content for Basic Wireless Settings doc 6 years ago
  RISCi_ATOM f529696ddd Bump 4.4 kernel to 4.4.110 ( based upon upstream OpenWRT commit : 7f5a040359cf227bc54d2ef553d469f85ed413e2 6 years ago
  RISCI_ATOM 6c50ec1473 Merge branch 'bridge-mode-doc' of pi31415/libreCMC-cmh into v1.4 6 years ago
  Christopher Howard ceda523e53 Fixes a small typo in Bridge Mode doc 6 years ago
  Christopher Howard 5f5536b990 A correction to the last edit in Bridge Mode doc 6 years ago
  Christopher Howard b8aefca293 Moves a misplaced image in Bridge Mode doc 6 years ago
  Christopher Howard afb3dc438d Adds edits and more material for Bridge Mod doc 6 years ago
  Christopher Howard 7ad8ad9706 Adds Bridge_Mode doc 6 years ago
  Christopher Howard b9b274c10e Adds images for planned bridging mode doc 6 years ago
  RISCI_ATOM 3b92df263f Merge branch 'v1.4' of pi31415/libreCMC-cmh into v1.4 6 years ago
  Christopher Howard d9b5048eab OpenVPN docs: converted to utf-8-unix encoding to remove DOS line endings 6 years ago
  Christopher Howard a7e986926f OpenVPN docs: tweaks and additional material 6 years ago
  Christopher Howard 7d81905242 Link fix in TPE-R1100 documentation 6 years ago
  Christopher Howard 11c2a6ad6b Adds more material to OpenVPN Layer 2 Server doc 6 years ago
  Jo-Philipp Wich 6ba4014e6d uci: update to HEAD of lede-17.01 branch 6 years ago
  RISCi_ATOM 98ed2a77ec Merge branch 'v1.4' 6 years ago
  RISCi_ATOM da6eac1c74 Pull in e2fsprogs from master upstream 6 years ago
  RISCi_ATOM af209174f9 iw: fix build on musl host 6 years ago
  RISCi_ATOM e06eb5674e Update tools/cmake from upstream 6 years ago
  RISCi_ATOM 1f52f1ebba tools/mkimage: fix musl build 6 years ago
100 changed files with 3423 additions and 322 deletions
  1. 96 0
      docs/Basic_Wireless_Settings.md
  2. 71 0
      docs/Bridge_Mode.md
  3. 44 0
      docs/GL-AR300M.md
  4. 9 3
      docs/How To Submit A Change To This Wiki.md
  5. 15 0
      docs/Image_Support.md
  6. 103 61
      docs/OpenVPN_Layer_2_Server.md
  7. 84 0
      docs/Port_Forwards.md
  8. 104 0
      docs/Serial.md
  9. 32 0
      docs/Soft_Brick_Recovery_With_IPv6.md
  10. 37 37
      docs/Supported_Hardware.md
  11. 67 0
      docs/System_Log.md
  12. 1 1
      docs/TPE_R1100.md
  13. BIN
      docs/images/librecmc-changing-admin-password.png
  14. BIN
      docs/images/librecmc-changing-essid.png
  15. BIN
      docs/images/librecmc-changing-wifi-password.png
  16. BIN
      docs/images/librecmc-default-interfaces.png
  17. BIN
      docs/images/librecmc-default-login.png
  18. BIN
      docs/images/librecmc-dhcp-server-ignore-lan.png
  19. BIN
      docs/images/librecmc-eth0-added-to-lan.png
  20. BIN
      docs/images/librecmc-luci-selecting-system-log.png
  21. BIN
      docs/images/librecmc-luci-system-log.png
  22. BIN
      docs/images/librecmc-port-forwards-after-save-apply.png
  23. BIN
      docs/images/librecmc-port-forwards-entering-parameters.png
  24. BIN
      docs/images/librecmc-selecting-firewall-menu.png
  25. BIN
      docs/images/librecmc-selecting-port-forwards-tab.png
  26. BIN
      docs/images/librecmc-switch-lan-to-dhcp.png
  27. BIN
      docs/images/serial.png
  28. 1 1
      docs/unbrick_with_uboot_mod.md
  29. 2 2
      include/kernel-version.mk
  30. 1 1
      include/version.mk
  31. 3 3
      package/firmware/linux-libre-firmware/Makefile
  32. 58 0
      package/libs/libcap/Makefile
  33. 19 0
      package/libs/libcap/patches/100-portability.patch
  34. 2 2
      package/libs/mbedtls/Makefile
  35. 36 47
      package/libs/mbedtls/patches/200-config.patch
  36. 69 0
      package/libs/tcp_wrappers/Makefile
  37. 936 0
      package/libs/tcp_wrappers/patches/001-debian_subset.patch
  38. 12 0
      package/libs/tcp_wrappers/patches/002-opt_cflags.patch
  39. 17 0
      package/libs/tcp_wrappers/patches/003-scaffold_malloc.patch
  40. 72 0
      package/libs/tcp_wrappers/patches/004-ipv4_prefix.patch
  41. 22 0
      package/libs/tcp_wrappers/patches/005-no--lnsl-on-musl.patch
  42. 1 1
      package/libs/ustream-ssl/Makefile
  43. 54 0
      package/luci/applications/luci-app-shellinabox/Makefile
  44. BIN
      package/luci/applications/luci-app-shellinabox/files/terminal.png
  45. 4 0
      package/luci/applications/luci-app-shellinabox/luasrc/controller/shellinabox.lua
  46. 4 0
      package/luci/applications/luci-app-shellinabox/luasrc/model/cbi/shellinabox/cbi_tab.lua
  47. 3 0
      package/luci/applications/luci-app-shellinabox/luasrc/view/shellinabox/view_tab.htm
  48. 6 6
      package/network/config/firewall/Makefile
  49. 5 5
      package/network/config/netifd/Makefile
  50. 4 1
      package/network/config/netifd/files/etc/init.d/network
  51. 14 6
      package/network/config/netifd/files/lib/netifd/dhcp.script
  52. 6 3
      package/network/config/netifd/files/lib/netifd/proto/dhcp.sh
  53. 1 1
      package/network/services/dnsmasq/Makefile
  54. 202 0
      package/network/services/dnsmasq/patches/270-dnssec-wildcards.patch
  55. 159 0
      package/network/services/nfs-kernel-server/Makefile
  56. 1 0
      package/network/services/nfs-kernel-server/files/nfsd.exports
  57. 38 0
      package/network/services/nfs-kernel-server/files/nfsd.init
  58. 10 0
      package/network/services/nfs-kernel-server/patches/100-no_malloc_h.patch
  59. 16 0
      package/network/services/nfs-kernel-server/patches/101-musl-getservbyport.patch
  60. 10 0
      package/network/services/nfs-kernel-server/patches/102-limits.patch
  61. 3 3
      package/network/services/openvpn/Makefile
  62. 1 1
      package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
  63. 15 9
      package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
  64. 53 0
      package/network/services/portmap/Makefile
  65. 13 0
      package/network/services/portmap/files/portmap.init
  66. 12 0
      package/network/services/portmap/patches/101-no_pie.patch
  67. 64 0
      package/network/services/shellinabox/Makefile
  68. 17 0
      package/network/services/shellinabox/files/shellinabox.init
  69. 24 0
      package/network/services/shellinabox/files/style.css
  70. 22 0
      package/network/services/shellinabox/old/000-makefile-arch.patch
  71. 105 0
      package/network/services/shellinabox/old/001-makefile-objcopy.patch
  72. 20 0
      package/network/services/shellinabox/old/002-httpconn-isnan.patch
  73. 5 0
      package/network/services/shellinabox/old/readme
  74. 145 0
      package/network/services/tor/Makefile
  75. 26 0
      package/network/services/tor/files/tor.init
  76. 25 0
      package/network/services/tor/patches/001-torrc.patch
  77. 1 1
      package/network/utils/curl/Makefile
  78. 27 0
      package/network/utils/curl/patches/320-mbedtls-nonblocking-handshake.patch
  79. 2 1
      package/network/utils/iw/Makefile
  80. 4 4
      package/system/ca-certificates/Makefile
  81. 18 5
      package/system/fstools/Makefile
  82. 21 0
      package/system/fstools/files/blockd.init
  83. 9 7
      package/system/fstools/files/snapshot
  84. 2 1
      package/system/mtd/src/Makefile
  85. 23 3
      package/system/mtd/src/mtd.c
  86. 1 0
      package/system/mtd/src/mtd.h
  87. 208 0
      package/system/mtd/src/wrg.c
  88. 11 13
      package/system/opkg/Makefile
  89. 11 46
      package/system/procd/Makefile
  90. 4 4
      package/system/procd/files/hotplug-preinit.json
  91. 11 11
      package/system/procd/files/hotplug.json
  92. 41 5
      package/system/procd/files/procd.sh
  93. 4 4
      package/system/rpcd/Makefile
  94. 9 9
      package/system/ubox/Makefile
  95. 1 1
      package/system/ubox/files/log.init
  96. 4 4
      package/system/ubus/Makefile
  97. 3 3
      package/system/uci/Makefile
  98. 3 2
      package/system/uci/files/lib/config/uci.sh
  99. 1 1
      package/system/usign/Makefile
  100. 3 3
      package/utils/px5g/Makefile

+ 96 - 0
docs/Basic_Wireless_Settings.md

@@ -0,0 +1,96 @@
+# Basic Wireless Settings
+
+This document is only intended to cover the most basic details of
+Wi-Fi settings on LibreCMC, for people who do not know much about
+computer networking. Geeks are encouraged to simply log in
+to `192.168.10.1` and experiment with the settings.
+
+## Log in to the LuCi configuration interface
+
+First, you need a physical connection to the LibreCMC Wi-Fi
+router. The simplest way is to connect an Ethernet cable between the
+Ethernet port on your computer, and the LAN port on your router. An
+Ethernet cable is like a fat telephone cable; usually you get one
+included with your router. Tablets and smart phones usually don't have
+an Ethernet port, so you might need to borrow a laptop.
+
+* In the address bar of your Web browser, enter the address
+  `192.168.10.1` and press `Enter` or `Return`. You should see a page
+  appear called `Authorization Required`.
+
+* If you see instead a page complaining that the connection is not
+  secure, you will need to add a security exception. On Mozilla
+  Firefox, you press the `Advanced` button and then the `Add
+  Exception` button, and then the `Confirm Security Exception`
+  button.
+  
+* Enter the adminstrative Username and Password for your router. The
+  default is `root` for the Username and a blank password.
+
+![alt text](images/librecmc-default-login.png "Default login page for
+ LibreCMC")
+
+If a blank password does not work, and you cannot figure out what it
+is supposed to be, you may need to
+[reset the router](Router_Reset_Instructions.md).
+
+If you are unable to view the `Authorization Required` page, it may be
+that you do not have your Ethernet cable connected to the correct
+ports, or your computer is not set to allow use of the Ethernet
+cable. Find a tech savvy relative to help you out.
+
+## Change the name of your Wi-Fi network
+
+* Select the `Network` >> `Wireless` menu.
+
+* Select the `Edit` button to the right side of "libreCMC".
+
+* Scroll down to the `ESSID` text field under the `Interface
+  Configuration` section. and enter the name you would like for your
+  Wi-Fi network. This is the name people will see when they are
+  looking to connect to your Wi-Fi network.
+
+![alt text](images/librecmc-changing-essid.png "Changing ESSID on LibreCMC")
+
+* If that is all you wanted to do, press the `Save & Apply` button at
+  the bottom of the page, or go on to the next section.
+
+## Change your Wi-Fi password
+
+* If you haven't already, Select the `Network` >> `Wireless` menu, and
+  select the `Edit` button to the right side of "libreCMC".
+
+* Select the `Wireless Security` tab under the `Interface
+  Configuration` section.
+
+* In the `Encryption` drop down menu select `WPA2-PSK`. (If you have
+  some really old devices on your network, it may be necessary to
+  select `WPA-PSK` instead, to get them to connect, but don't do this
+  unless you really need to.)
+
+* In the `Key` text field, put in the password you want people to use
+  to connect to your Wi-Fi network. If you press the green arrows
+  button, it will make it easier to type in the password.
+
+![alt text](images/librecmc-changing-wifi-password.png "Changing Wi-Fi
+ password on LibreCMC")
+
+* Press the `Save & Apply` button at the bottom of the page.
+
+## Change your Administrator password
+
+* There is a password used for logging into the LuCi configuration
+  interface. You typically want this to be different than the Wi-Fi password you share with other people.
+
+* Select the `System` >> `Administration` menu.
+
+* Under `Router Password` section, type a new password into the
+  `Password` text field. Pressing the green arrows button makes it
+  easier to type in your password.
+
+* Type the exact same password into the `Confirmation` text field.
+
+![alt text](images/librecmc-changing-admin-password.png "Changing
+ admin password on LibreCMC")
+
+* Press the `Save & Apply` button at the bottom of the page.

+ 71 - 0
docs/Bridge_Mode.md

@@ -0,0 +1,71 @@
+# Bridge Mode
+
+A common feature of COTS Wi-Fi routers is to be able to set the router
+to bridge mode, where the devices stops acting like an IP router
+(layer 3) and starts acting like an ethernet switch (layer
+2). LibreCMC does not actually have a bridge mode, but the same effect
+is achievable with two easy steps.
+
+1. Add the WAN ethernet port to the LAN bridge interface
+2. Set the DHCP server to ignore the LAN interface
+
+## Adjust the LAN bridge interface
+
+Go to the Network >> Interfaces page and press the EDIT button next to
+the LAN Network. Select the Physical Settings tab.
+
+![alt text](images/librecmc-default-interfaces.png "LibreCMC default
+ interfaces view")
+
+Place a checkmark in the box for the "eth0" interface for wan and
+wan6. (I suppose the interface name might vary amongst different
+routers.)
+
+![alt text](images/librecmc-eth0-added-to-lan.png "Adjustments to
+ LibreCMC interface physical settings")
+
+You can also check the box for Enable STP if desired. There doesn't
+seem to be any downside from this, though I suppose it would use a
+little more CPU cycles and memory. STP is a protocol intended to
+prevent infinite communication loops from forming in a network of
+layer 2 switches.
+
+## Adjust DHCP server settings
+
+On the same page, scroll down a little to the DHCP Server section. In
+the General Setup tab, check the "Ignore interface" box.
+
+![alt text](images/librecmc-dhcp-server-ignore-lan.png "Setting
+ LibreCMC DHCP server to ignore LAN interface")
+
+Save and apply your changes.
+
+## Communicating with LibreCMC in "bridge mode"
+
+Now that the DHCP server is turned off, the next time you connect to
+the libreCMC device, you will not be able to communicate with it. You
+must set your connecting device manually to be on the same
+subnet. Since the default libreCMC LAN IP address is 192.168.10.1/24,
+it should work to set your connecting device to IP address
+192.168.10.2/24.On Gnu/Linux systems, the command is usually `ip addr
+add 192.168.10.2/24 dev eth0` or `dev wlan0` if connecting wirelessly.
+
+Alternatively, you may set the libreCMC device to receive an IP
+address from another DHCP server on your network: go to back to the
+Network >> Interfaces page, press the EDIT button again next to the
+LAN Network, select the General Setup tab, and switch the Protocol
+from "Static address" to "DHCP client". (It seems that in LibreCMC,
+bridging the LAN interface to the WAN port disables the operation of
+the DHCP client on the WAN interface.) Of course, if you do this, be
+sure that your DHCP server has reserved a memorable IP address for the
+LibreCMC device's MAC address, so you don't have trouble finding it.
+
+![alt text](images/librecmc-switch-lan-to-dhcp.png)
+
+## Adjusting the firewall...?
+
+To make a more consistent look in the your LibreCMC interface, you
+could go into Network >> Firewall and do things like deleting WAN
+zones or disabling NAT masquerading. But since the ports are bridged,
+it isn't necessary, and it will only make it more work to switch back
+out of "bridge mode" if you want to later.

+ 44 - 0
docs/GL-AR300M.md

@@ -0,0 +1,44 @@
+# GL-INet AR300M
+
+## Hardware Specs
+
+* SoC : Qualcomm Atheros QCA9531
+* Flash ROM : 16 MB Nor + 128 MB Nand
+* RAM : 128 MB
+
+## Flashing from factory
+
+### Using GL-Inet's U-boot-mod and web UI
+
+1) Set computer IP address to 192.168.1.2
+
+2) Connect the enternet from the computer to "lan" port on the router
+
+3) Press and hold the reset button, and power on the router by plugging in the power
+
+4) Wait until the LED flashes once and red LED flashes 5 times before releasing the reset button.
+
+5) Open IP address in the browser 192.168.1.1
+
+6) Select the .img for NAND and .bin for NOR
+
+
+## Tested
+
+* v1.4.2 librecmc-ar71xx-nand-gl-ar300m-ubi-factory.img
+
+## Reset Instructions
+
+????
+
+## Notes:
+
+* This router is currently not officially supported by Librecmc
+
+* This router is dual flash and stock uboot attempts to boot nand flash first.
+
+* NOR flash uses .bin image and Nand flash uses .img image.
+
+* Default router ip is 192.168.10.1
+
+* On KDE, Disable change ipv4 method from automatic to manual to set the computer ip to 192.168.1.2.

+ 9 - 3
docs/How To Submit A Change To This Wiki.md

@@ -1,10 +1,16 @@
 How To Submit A Change To This Wiki
 ===================================
+This wiki is written in Markdown and all wiki documenation is located in /docs.
+
 
 Clone this repo and:
 --------------------
 
-    git clone https://gogs.librecmc.org/libreCMC/libreCMC-wiki.git
+    git clone https://gogs.librecmc.org/libreCMC/libreCMC.git
+    
+    
+Make desired documenation changes in /docs
+
 
 then
 
@@ -22,7 +28,7 @@ Clone the upstream repo in Gogs, then clone to your computer:
 
 Add upstream repo to be able to rebase to upstream point commit:
 
-    git remote add upstream https://gogs.librecmc.org/libreCMC/libreCMC-wiki.git
+    git remote add upstream https://gogs.librecmc.org/libreCMC/libreCMC.git
     (git checkout -b optionalBranchName)
     git push (--all)
 
@@ -43,7 +49,7 @@ Clone the upstream repo to your computer.
 
 Example for piping output to haste:
 
-    git request-pull -p b3b8926484feb37c33e5150facf315ef12b4612e https://gogs.librecmc.org/jonasbits2/libreCMC-wiki.git master | haste
+    git request-pull -p b3b8926484feb37c33e5150facf315ef12b4612e https://gogs.librecmc.org/jonasbits2/libreCMC.git master | haste
 
 * Send to hastebin.com or any site you like
 * Paste link in IRC channel

+ 15 - 0
docs/Image_Support.md

@@ -0,0 +1,15 @@
+# libreCMC image support
+
+libreCMC is distributed in 3 different flavors: main, core and legacy. 
+Each image type is for a specific use case or to extend support for a 
+specific class of devices.
+
+
+| image type | Web-ui support    |Package Management | Min. Flash Size | Target Examples     | Use Case |
+|-----------:|-------------:|------------------:|-----------:|--------------------:|---------:|
+| Main     | Yes          | Yes	        | 8M      |                  | Easy to use |
+| Core       | No           | Yes               | 4M      |            | Minimal, more control | 
+| Legacy    | No	    | No	        | 4M	     | TL-WR741ND, TL-WR841ND,TPE-NWIFIROUTER* | Easy to use for legacy targets... |
+
+
+# NOT READY YET!

+ 103 - 61
docs/OpenVPN_Layer_2_Server.md

@@ -1,61 +1,103 @@
-# OpenVPN Layer 2 Server
-
-## Installing OpenVPN packages
-
-TODO
-
-## Interface Setup
-
-TODO
-
-## Certificate and Key Setup Instructions
-
-TODO
-
-## Server configuration
-
-For server bridge option: First two parameters are the ip/netmask of
-the gateway on the bridged subnet. Next two paraters indicate the
-pool-start-IP and pool-end-IP, which is the part of your IP address
-pool that you have reserved just for VPN clients. You have to make
-sure the DHCP server on the company network is not handing those out
-to on-site systems.
-
-/etc/config/openvpn
-```
-config openvpn 'myvpn'
-	option enabled '1'
-	option dev 'tap0'
-	option port '1194'
-	option proto 'udp'
-	option status '/var/log/openvpn_status.log'
-	option log '/tmp/openvpn.log'
-	option verb '3'
-	option mute '5'
-	option keepalive '10 120'
-	option persist_key '1'
-	option persist_tun '1'
-	option user 'nobody'
-	option group 'nogroup'
-	option ca '/etc/easy-rsa/keys/ca.crt'
-	option cert '/etc/easy-rsa/keys/myvpn.crt'
-	option key '/etc/easy-rsa/keys/myvpn.key'
-	option dh '/etc/easy-rsa/keys/dh2048.pem'
-	option tls_server '1'
-	option tls_auth '/etc/easy-rsa/keys/ta.key 0'
-	option server_bridge '10.0.0.1 255.255.255.0 10.0.0.201 10.0.0.220'
-	option topology 'subnet'
-	option client_to_client '1'
-	list push 'persist-key'
-	list push 'persist-tun'
-	list push 'redirect-gateway def1'
-	# allow your clients to access to your network
-	list push 'route 10.0.0.0 255.255.255.0'
-	# push DNS to your clients
-	list push 'dhcp-option DNS 10.0.0.1'
-        # option comp_lzo 'no'
-```
-
-## Client setup information
-
-TODO
+# OpenVPN Layer 2 Server
+
+## Introduction
+
+Librecmc can operate as an OpenVPN server. OpenVPN technology connects
+two networks via an encrypted tunnel. With proper server, network, and
+client configuration, OpenVPN allows a client outside of your LAN to
+see the LAN as though it were physically connected to the LAN.
+
+OpenVPN can run in layer 2 or layer 3 mode. In layer 3 mode, the
+remote client sees your LAN as though it is on the other side of an IP
+router. In layer 2 mode, the remote client sees your LAN as though
+they are both on the same Data Link segment (e.g., the same Ethernet
+link). Layer 3 mode is easier to set up, but layer 2 mode is sometimes
+desired to give clients a more direct exposure to services on the LAN.
+
+## Warnings
+
+This information is provided for educational purposes only and is not
+meant to be a guide to best network security practices. Readers are
+advised to study all relevant OpenVPN and network security
+documentation.
+
+## Required LibreCMC packages
+
+* openvpn-openssl
+* openvpn-easy-rsa
+* luci-app-openvpn
+
+## Interface Setup
+
+In LuCi, select `Network` >> `Interfaces` and then `Add New Interface`.
+
+- Set `Name of the new interface` to `myvpn` or anything else you would like.
+- Set `Protocol of the new interface` to unmanaged.
+- Set `Cover the following interface` to `Custom Interface: vpn0`.
+- In my current working system, the `firewall-zone` for the interface
+  is set to `lan`, but I don't think that really matters in this case.
+
+In my working configuration, I added tap0 into the LAN bridge
+interface, and deleted the WAN interface. However, my vpn server is a
+separate unit on my network, intended to operate in "bridge mode",
+where if you server is your gateway router, a different configuration
+might be necessary.
+
+## Certificate and Key Setup Instructions
+
+```
+cd /etc/easy-rsa
+source vars
+clean-all
+build-ca
+build-dh
+build-key-server myvpn
+openvpn --genkey --secret /etc/easy-rsa/keys/ta.key
+mkdir -m 700 /etc/openvpn/keys
+mv ca.crt myvpn.crt myvpn.key dh2018.pem /etc/openvpn/keys
+```
+
+N.B.: Using easy-rsa is a straightforward approach, but it may be
+possible to produce more secure certificates using openssl directly.
+
+## Server configuration
+
+For the `server bridge` option: The first two parameters are the ip
+and netmask of the gateway on the bridged subnet. The next two
+parameters indicate the pool-start-IP and pool-end-IP, which is the
+part of your IP address pool that you have reserved just for VPN
+clients. You must to make sure that the DHCP server for your LAN is
+not leasing out those IP addresses to local (non-vpn) clients.
+
+/etc/config/openvpn
+```
+config openvpn 'myvpn'
+	option enabled '1'
+	option dev 'tap0'
+	option port '1194'
+	option proto 'udp'
+	option keepalive '10 120'
+	option persist_key '1'
+	option persist_tun '1'
+	option user 'nobody'
+	option group 'nogroup'
+	option ca '/etc/openvpn/keys/ca.crt'
+	option cert '/etc/openvpn/keys/myvpn.crt'
+	option key '/etc/openvpn/keys/myvpn.key'
+	option dh '/etc/openvpn/keys/dh2048.pem'
+	option tls_server '1'
+	option tls_auth '/etc/openvpn/keys/ta.key 0'
+	option server_bridge '10.0.0.1 255.255.255.0 10.0.0.201 10.0.0.220'
+	option client_to_client '1'
+	list push 'persist-key'
+	list push 'persist-tun'
+	list push 'redirect-gateway def1'
+	list push 'route 10.0.0.0 255.255.255.0'
+	list push 'dhcp-option DNS 10.0.0.1'
+	option mute '15'
+	option verb '3'
+```
+
+## Client setup information
+
+TODO
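Review bot: In the "Certificate and Key Setup Instructions" block, the final `mv` does not produce the files that the server configuration below it reads. It names `dh2018.pem` while the config uses `/etc/openvpn/keys/dh2048.pem`, and it leaves `ta.key` behind although `tls_auth` points at `/etc/openvpn/keys/ta.key`. It also runs from `/etc/easy-rsa`, whereas the `--genkey` line and the removed config paths suggest the generated files sit in `/etc/easy-rsa/keys`; something like `cd /etc/easy-rsa/keys && mv ca.crt myvpn.crt myvpn.key dh2048.pem ta.key /etc/openvpn/keys` would line the two up. The Interface Setup section says `Custom Interface: vpn0` while the config has `option dev 'tap0'`, so one of the two names presumably needs to change. Because this section decides where private key material ends up, it is worth adding one sentence that `myvpn.key` and `ta.key` must stay readable by root only, and that the CA private key (`ca.key`, presumably left in the easy-rsa keys directory) is best kept off the VPN server.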

+ 84 - 0
docs/Port_Forwards.md

@@ -0,0 +1,84 @@
+# Port Forwarding
+
+## What is port forwarding?
+
+Technically, port forwarding is the use of Network Address Translation
+(NAT) to map an IP address and port number to another IP address and
+port number. Typically you need this function to be able to expose a
+service running our your local network (LAN) to the Internet (WAN)
+which otherwise would be impossible because your LAN uses private,
+non-routable IP addresses; for example, if you are trying to run a
+gaming server or a Web page server from your home network.
+
+## Security Warnings
+
+Be aware that the use of port forwarding may create additional
+security holes into your local network. The local system(s) and
+service(s) you are exposing to the Internet must be free from security
+vulnerabilities, or this may allow a remote attacker to infiltrate
+your network.
+
+## LuCi Interface
+
+* Log into the LuCi Web interface, which by default is at address https://192.168.10.1
+
+* Select the `Network` >> `Firewall` menu.
+
+![alt text](images/librecmc-selecting-firewall-menu.png "Selecting the
+ Firewall menu entry")
+
+* Select the `Port Forwards` tab.
+
+![alt text](images/librecmc-selecting-port-forwards-tab.png "Selecting the
+ Port Forwards tab")
+
+* Under the `New Port forward` section, enter in the `Name` field a
+  brief description of the port forward, e.g., "HTTP server" for an
+  unencrypted Web page server.
+
+* Select a protocol from the `Protocol` field. Most services you can
+  run will be using the TCP protocol, but you can select `TCP+UDP` if
+  you aren't sure.
+
+* Usually, you will leave the `External zone` set to `wan`.
+
+* Enter a port number in the `External port` field. Typically this
+  will be the usual port number expected for a particular
+  service. E.g., HTTP servers use port 80. You are free to use
+  non-standard ports, but your remote clients may need to use special
+  techniques to connect to the correct port.
+
+* Usually, you will leave the `Internal zone` set to `lan`.
+
+* Select an IP address in the `Internal IP address` drop down menu. If
+  your server is using DHCP, you should see its hostname appear in the
+  list. If your server is has it's private IP address set statically,
+  select the `Custom` option at the bottom of the list, and enter in
+  the correct IP address in the text field that appears. Note that if
+  your server is using DHCP, you should be sure LibreCMC has a static
+  lease created for it (TODO: link to Static Leases documentation).
+
+* Enter a port number in the `Internal port` field. Typically this
+  will be the same as the external port, unless you have set your
+  server to work through a non-standard port, or you selected a
+  non-standard external port earlier.
+
+![alt text](images/librecmc-port-forwards-entering-parameters.png
+ "Entering parameters for port forwarding")
+
+* Press the `Add` button to the right.
+
+* Press the `Save & Apply` button at the bottom of the page.
+
+![alt text](images/librecmc-port-forwards-after-save-apply.png
+ "Port Forwards view after Save & Apply")
+
+## Port Numbers
+
+The official IANA port number list is available at
+
+[https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml]
+
+## Port Range
+
+(TODO: option for configuring a range of ports simultaneously)

+ 104 - 0
docs/Serial.md

@@ -0,0 +1,104 @@
+# Using a serial interface with U-boot and libreCMC
+
+A serial interface (console) provides a means of debugging or 
+unlocking features hidden from the user. Most computing devices 
+have a serial interface whether it is broken out by the manufacture or not.
+
+In the case of devices that run libreCMC, a serial console is used
+to configure U-boot and debug libreCMC if the network interface can't
+be brought up. These instructions outline the basics of using
+a serial console with a USB to serial cable.
+
+
+
+## The basics
+
+There are a few different standards for serial interfaces, but here we are
+providing just the basics. There are 3 different connections that we care 
+about : Transmit (TX), Receive (RX) and Ground (GND). Depending on the
+serial cable, the color coding could be different. The common coloration
+is RX is Green, TX is white and GND is black*.
+
+These three wires will be connected to a pin header on the board or might need
+to be soldered to pads. Many device manufactures are kind enough to provide a 
+header and indicate where the serial interface is. Look for silkscreen labeling
+with : GND, TX, RX. Sometimes additional work is needed to break out a stable
+serial interface.
+
+* Many serial cables ship with the color corresponding to the connection on the board, 
+so TX and RX are effectively reversed.
+
+Some routers use the following standard:
+```
+         __________________
+        |            |     |
+        | .   .   .  |  .  |              <- Inside of the router (you may need to do some soldering)
+        |____________|_____|
+                 
+          |   |    \     \
+          *  GND   RX    TX
+```
+
+In this case, transmit is in the marked off box.
+
+
+
+```
+         _________________
+        |                 |
+        | .   .   .    .  |             
+      * |_________________|
+
+          |   |    \     \
+        GND   RX    TX   Vcc
+
+```
+
+Some might use a dot to indicate GND, etc...
+
+TPE-R1100 example:
+
+![alt text](images/serial.png "TPE-R1100 Serial")
+
+Warning: NEVER connect the red wire to the device / router! You will most likely fry it because
+many routers use 3.3V for Vcc instead of the 5V provided by USB.
+
+## Getting a console
+
+In order to communicate with the device, we need a terminal application to interact with
+the serial port provided by the USB to serial cable. In this case, we are going to use GNU Screen.
+Make sure that the GNU Screen package is installed and make sure that your user is part of the 
+`dialout` group.
+
+Before we can use the terminal application, we need to know the baud rate at which the serial
+console will be provided. With most devices running libreCMC and u-boot, this most likely will
+be 115200
+
+## Putting it all together
+
+
+1) Plug in / wire up the serial cable to the board.
+
+2) Plug the USB part of the serial cable into an available USB port.
+
+3) run `screen /dev/ttyUSB0 115200` or (if you are NOT part of the `dialout` group) `sudo screen /dev/ttyUSB0 115200`
+Please note that the serial device might have a different name (ttyUSB(n), ttyS0, etc...).
+
+4) Power on the device you are connecting to.
+
+5) You should see ledgible ASCII text scroll by.
+
+If the device gets all the way through the boot process, the libreCMC banner will appear with
+a shell prompt:
+
+```
+                    ____  _____  ____
+  _ _ _            |  __||     ||  __|
+ | (_) |__ _ _ ___ | |   | | | || |
+ | | | '_ \ '_/ -_)| |__ | | | || |__
+ |_|_|_.__/_| \___||____||_|_|_||____|
+ -----------------------------------------
+
+root@libreCMC:~#
+
+```

+ 32 - 0
docs/Soft_Brick_Recovery_With_IPv6.md

@@ -0,0 +1,32 @@
+# Soft Brick Recovery With IPv6
+
+## Use Case
+
+If you recklessly experiment with your libreCMC networking settings, it is likely you will eventually cause a "soft brick". Typically, this means you have messed up your IPv4 network configuration in such as way that you cannot connect to the LuCi control panel, nor connect to the busybox shell via SSH. One option is to figure out how to reload the firmware and start over from scratch. Something that might be easier, though, is to instead use IPv6 to connect to the router. This is usually possible for two reasons: (1) libreCMC has IPv6 enabled by default; (2) IPv6 has link-level autoconfiguration.
+
+## Determine the router's link local IPv6 Address and interface name.
+
+Connect a Gnu/Linux computer to the LAN port of the libreCMC router. Then run the `ip neigh` command. You are looking for a `REACHABLE lladdr` address that starts with `fe80`. For example:
+
+```
+christopher@evenstar:~$ ip neigh
+fe80::280:aeff:fece:5a21 dev eth0 lladdr 00:80:ae:ce:5a:21 router REACHABLE
+```
+
+Here, `fe80::280:aeff:fece:5a21` is the IPv6 address, and `eth0` is the name of the interface.
+
+## Log in to the router
+
+Unforunately, a link local IPv6 address usually cannot be used to directly connect to the LuCi control panel. This is because Web browsers are usually programmed not to process such addresses. However, you can use SSH to connect to the busybox shell, with a command like so:
+
+```
+ssh root@fe80::280:aeff:fece:5a21%eth0
+```
+
+Replace `fe80::280:aeff:fece:5a21` with the IPv6 address of your router, and `eth0` with the correct interface name.
+
+## What next?
+
+Once you are logged into the busybox shell, you can use the `ip addr` command to see what is the actual state of your IPv4 network configuration. If you understand IPv4, it may be sufficient to use `ip addr add` to add an IPv4 address, which you can then use to connect to the LuCi control panel. If the IPv4 configuration is okay, you may be having a problem with the dnsmasq dhcp server, or the LuCi Web service itself may be down, for some reason. Use the `logread` command to look for errors or warnings.
+
+If you are still not sure what to do, you can ask for help on the libreCMC IRC channel or libreCMC email list.

+ 37 - 37
docs/Supported_Hardware.md

@@ -1,37 +1,37 @@
-# libreCMC supported Hardware
-
-### Buffalo
-* [WZR-HP-G300NH](/WZR_HP_G300NH.md)
-* WHR-HP-G300NH
-
-### Netgear 
-
-* [WNDR3800](/WNDR3800.md)
-
-### TP-link 
-
-* [TL-MR3020 v1](/TL_MR3020.md) 
-* [TL-WR741ND](/TL_WR741ND.md)
-* [TL-WR841ND](/TP_WR841ND.md)
-* [TL-WR842ND](/TL_WR842ND.md)
-* [TL-WR1043ND](/TL_WR1043ND)
-
-### ThinkPenguin
-* [TPE-NWIFIROUTER2](/TPE_NWIFIROUTER2.md)
-* [TPE-R1100](/TPE_R1100.md)
-
-### Qi-Hardware
-
-* [Ben Nanonote](/Ben_Nanonote.md)
-
-## Tested Hardware
-
-[List of tested hardware](/List_of_Tested_Hardware.md)
-
-# libreCMC unofficially supported Hardware
-
-### D-Link
-
-* DGL-5500 a1 : Ships with non-free wifi card, but can be replaced with a free one. Has a mini-pci-e card slot.
-
-#####Please note that other targets may work; we are **NOT** responsible for **ANY** _bricked_ devices.
+# libreCMC supported Hardware
+
+### Buffalo
+* [WZR-HP-G300NH](/WZR_HP_G300NH.md)
+* WHR-HP-G300NH
+
+### Netgear 
+
+* [WNDR3800](/WNDR3800.md)
+
+### TP-link 
+
+* [TL-MR3020 v1](/TL_MR3020.md) 
+* [TL-WR741ND](/TL_WR741ND.md)
+* [TL-WR841ND](/TL_WR841ND.md)
+* [TL-WR842ND](/TL_WR842ND.md)
+* [TL-WR1043ND](/TL_WR1043ND.md)
+
+### ThinkPenguin
+* [TPE-NWIFIROUTER2](/TPE_NWIFIROUTER2.md)
+* [TPE-R1100](/TPE_R1100.md)
+
+### Qi-Hardware
+
+* [Ben Nanonote](/Ben_Nanonote.md)
+
+## Tested Hardware
+
+[List of tested hardware](/List_of_Tested_Hardware.md)
+
+# libreCMC unofficially supported Hardware
+
+### D-Link
+
+* DGL-5500 a1 : Ships with non-free wifi card, but can be replaced with a free one. Has a mini-pci-e card slot.
+
+#####Please note that other targets may work; we are **NOT** responsible for **ANY** _bricked_ devices.

+ 67 - 0
docs/System_Log.md

@@ -0,0 +1,67 @@
+# System Log
+
+## Viewing the system log from LuCi
+
+Select the `Status >> System Log` menu entry.
+
+![alt text](images/librecmc-luci-selecting-system-log.png "Selecting
+ the System Log page in LuCi")
+
+![alt text](images/librecmc-luci-system-log.png "The System Log page
+ in LuCi")
+
+The `System Log` page in LuCi does not have an interface for filtering
+output. Therefore, you will likely want to use the shell interface.
+
+## Viewing the system log from the shell
+
+Once logged in via SSH, use the `logread` command
+
+```bash
+Usage: logread [options]
+Options:
+    -s <path>		Path to ubus socket
+    -l	<count>		Got only the last 'count' messages
+    -e	<pattern>	Filter messages with a regexp
+    -r	<server> <port>	Stream message to a server
+    -F	<file>		Log file
+    -S	<bytes>		Log size
+    -p	<file>		PID file
+    -h	<hostname>	Add hostname to the message
+    -P	<prefix>	Prefix custom text to streamed messages
+    -f			Follow log messages
+    -u			Use UDP as the protocol
+    -t			Add an extra timestamp
+    -0			Use \0 instead of \n as trailer when using TCP
+```
+
+For example:
+
+```bash
+root@libreCMC:~$ logread | grep 'kern\.warn'
+Mon Jan 15 20:22:01 2018 kern.warn kernel: [    0.000000] No valid device tree found, continuing without
+Mon Jan 15 20:22:01 2018 kern.warn kernel: [    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
+Mon Jan 15 20:22:01 2018 kern.warn kernel: [    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
+Mon Jan 15 20:22:01 2018 kern.warn kernel: [    0.669305] Crashlog allocated RAM at address 0x3f00000
+Mon Jan 15 20:22:01 2018 kern.warn kernel: [    0.752178] m25p80 spi0.0: found mx25l12805d, expected m25p80
+```
+
+One should be able to use `logread -e` instead of `grep`, but it seems
+that not all the same regular expressions work for both:
+
+```bash
+root@libreCMC:~$ logread -e 'kern\.warn' # and other similar variations
+(no output)
+```
+
+The system log is contained in a limited size, circular buffer in
+memory. So, if you have some process writing messages periodically,
+this will eventually erase messages that were only written once.
+
+## Configuring the system log
+
+TODO
+
+## Monitoring the system log
+
+TODO

+ 1 - 1
docs/TPE_R1100.md

@@ -1,4 +1,4 @@
-# Think Penguin [TPE-R1100 mini WiFi Router](https://www.thinkpenguin.com/TPE-R1100)
+# Think Penguin [TPE-R1100 mini WiFi Router](https://www.thinkpenguin.com/gnu-linux/free-software-wireless-n-mini-vpn-router-tpe-r1100)
 
 ## Specs
 

BIN
docs/images/librecmc-changing-admin-password.png


BIN
docs/images/librecmc-changing-essid.png


BIN
docs/images/librecmc-changing-wifi-password.png


BIN
docs/images/librecmc-default-interfaces.png


BIN
docs/images/librecmc-default-login.png


BIN
docs/images/librecmc-dhcp-server-ignore-lan.png


BIN
docs/images/librecmc-eth0-added-to-lan.png


BIN
docs/images/librecmc-luci-selecting-system-log.png


BIN
docs/images/librecmc-luci-system-log.png


BIN
docs/images/librecmc-port-forwards-after-save-apply.png


BIN
docs/images/librecmc-port-forwards-entering-parameters.png


BIN
docs/images/librecmc-selecting-firewall-menu.png


BIN
docs/images/librecmc-selecting-port-forwards-tab.png


BIN
docs/images/librecmc-switch-lan-to-dhcp.png


BIN
docs/images/serial.png


+ 1 - 1
docs/unbrick_with_uboot_mod.md

@@ -16,7 +16,7 @@ After the 3rd flash, release the reset button (it may
 take some coordination. From power on to the release of
 the button is exactly 3 sec.
 
-7. Open a web browser and go to 192.168.1/index.html
+7. Open a web browser and go to 192.168.1.1/index.html
 
 8. Click the "browse" button and select the firmware image for your router
 

+ 2 - 2
include/kernel-version.mk

@@ -2,9 +2,9 @@
 
 LINUX_RELEASE?=1
 
-LINUX_VERSION-4.4 = .110
+LINUX_VERSION-4.4 = .120
 
-LINUX_KERNEL_HASH-4.4.110 = b3d8c524f7b1b9f8022e1d3ab9349af21d3fd93f5fe73c6b395dbd8994efd692
+LINUX_KERNEL_HASH-4.4.120 = 667fcda44441106b649afe0952a3f4243ee9a214d9445491a3710e75572bf39f
 
 ifdef KERNEL_PATCHVER
   LINUX_VERSION:=$(KERNEL_PATCHVER)$(strip $(LINUX_VERSION-$(KERNEL_PATCHVER)))

+ 1 - 1
include/version.mk

@@ -31,7 +31,7 @@ qstrip_escape=$(subst ','\'',$(call qstrip,$(1)))
 sanitize = $(call tolower,$(subst _,-,$(subst $(space),-,$(1))))
 
 VERSION_NUMBER:=$(call qstrip_escape,$(CONFIG_VERSION_NUMBER))
-VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),v1.4.2)
+VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),v1.4.3)
 
 VERSION_CODE:=$(call qstrip_escape,$(CONFIG_VERSION_CODE))
 VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),$(REVISION))

+ 3 - 3
package/firmware/linux-libre-firmware/Makefile

@@ -12,9 +12,9 @@ PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://gogs.librecmc.org/libreCMC/libre_firmware.git
-PKG_SOURCE_DATE:=2017-12-14
-PKG_SOURCE_VERSION:=1afb874fa73dc1f4b7a4ffae49ed8dd32e2e772c
-PKG_MIRROR_HASH:=
+PKG_SOURCE_DATE:=2018-02-12
+PKG_SOURCE_VERSION:=413eefe5a96584139ffc0b95b3e220d85abe36b2
+PKG_MIRROR_HASH:=ea781ab5a73f946c0f8c9d2417a18228983000ae390133830399d1f545ad1c6c
 
 PKG_MAINTAINER:=
 

+ 58 - 0
package/libs/libcap/Makefile

@@ -0,0 +1,58 @@
+#
+# Copyright (C) 2011 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libcap
+PKG_VERSION:=2.25
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=@KERNEL/linux/libs/security/linux-privs/libcap2
+PKG_HASH:=693c8ac51e983ee678205571ef272439d83afe62dd8e424ea14ad9790bc35162
+PKG_LICENSE:=GPL-2.0
+PKG_LICENSE_FILES:=License
+PKG_MAINTAINER:=Paul Wassi <p.wassi@gmx.at>
+
+PKG_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+define Package/libcap
+  TITLE:=Linux capabilities library
+  SECTION:=libs
+  CATEGORY:=Libraries
+  URL:=http://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2/
+endef
+
+MAKE_FLAGS += \
+    CFLAGS="$(TARGET_CFLAGS)" \
+    BUILD_CC="$(CC)" \
+    BUILD_CFLAGS="$(FPIC) -I$(PKG_BUILD_DIR)/libcap/include" \
+    CFLAGS="$(TARGET_CFLAGS)" \
+    LD="$(TARGET_CC)" \
+    LDFLAGS="$(TARGET_LDFLAGS) -shared" \
+    INDENT="| true" \
+    PAM_CAP="no" \
+    RAISE_SETFCAP="no" \
+    DYNAMIC="yes" \
+    lib="lib"
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include/sys
+	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+	$(INSTALL_DIR) $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/lib/* $(1)/usr/lib/
+endef
+
+define Package/libcap/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/lib/libcap.so* $(1)/usr/lib/
+endef
+
+$(eval $(call BuildPackage,libcap))
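Review bot: `CFLAGS="$(TARGET_CFLAGS)"` is passed twice in the `MAKE_FLAGS +=` block (first and fourth entries). The duplicate is harmless today, but with repeated command-line assignments the later one wins, so an edit to the first copy would be silently overridden; drop one of them. `BUILD_CC="$(CC)"` and `INDENT="| true"` are not self-explanatory and should each get a short comment, for example `# BUILD_CC: compiler for helper programs run during the build` (inferred from the variable name, please confirm) and `# INDENT: skip the optional indent(1) pass`.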

+ 19 - 0
package/libs/libcap/patches/100-portability.patch

@@ -0,0 +1,19 @@
+--- a/libcap/_makenames.c
++++ b/libcap/_makenames.c
+@@ -7,7 +7,6 @@
+ 
+ #include <stdio.h>
+ #include <stdlib.h>
+-#include <sys/capability.h>
+ 
+ /*
+  * #include 'sed' generated array
+@@ -22,7 +21,7 @@ struct {
+ };
+ 
+ /* this should be more than big enough (factor of three at least) */
+-const char *pointers[8*sizeof(struct __user_cap_data_struct)];
++const char *pointers[8*12];
+ 
+ int main(void)
+ {
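Review bot: The new declaration `const char *pointers[8*12];` sizes the array with a bare constant and nothing records where 12 comes from. The removed line derived the length from `sizeof(struct __user_cap_data_struct)`, so 12 is presumably that struct's size, but after this change nothing ties the array length to the capability list generated for the target kernel headers. Add a comment such as `/* 96 slots; was 8*sizeof(struct __user_cap_data_struct), hard-coded so the host build does not need <sys/capability.h> */`, and consider having `main()` compare each index with `sizeof(pointers)/sizeof(pointers[0])` before storing. `main()`'s body lies outside the hunk, so whether such a bound check already exists cannot be seen here.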

+ 2 - 2
package/libs/mbedtls/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.6.0
+PKG_VERSION:=2.7.0
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
 PKG_SOURCE_URL:=https://tls.mbed.org/download/
-PKG_HASH:=a99959d7360def22f9108d2d487c9de384fe76c349697176b1f22370080d5810
+PKG_HASH:=2c6fe289b4b50bf67b4839e81b07fcf52a19f5129d0241d2aa4d49cb1ef11e4f
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0+

+ 36 - 47
package/libs/mbedtls/patches/200-config.patch

@@ -1,15 +1,6 @@
 --- a/include/mbedtls/config.h
 +++ b/include/mbedtls/config.h
-@@ -220,7 +220,7 @@
-  *
-  * Uncomment to get errors on using deprecated functions.
-  */
--//#define MBEDTLS_DEPRECATED_REMOVED
-+#define MBEDTLS_DEPRECATED_REMOVED
- 
- /* \} name SECTION: System support */
- 
-@@ -539,17 +539,17 @@
+@@ -566,17 +566,17 @@
   *
   * Comment macros to disable the curve and functions for it
   */
@@ -35,7 +26,7 @@
  #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
  
  /**
-@@ -574,8 +574,8 @@
+@@ -601,8 +601,8 @@
   * Requires: MBEDTLS_HMAC_DRBG_C
   *
   * Comment this macro to disable deterministic ECDSA.
@@ -45,16 +36,16 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
-@@ -621,7 +621,7 @@
-  *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
-  *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
+@@ -655,7 +655,7 @@
+  *             See dhm.h for more details.
+  *
   */
 -#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
 +//#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-@@ -640,8 +640,8 @@
+@@ -674,8 +674,8 @@
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
@@ -64,7 +55,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-@@ -666,7 +666,7 @@
+@@ -700,7 +700,7 @@
   *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
   */
@@ -73,7 +64,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-@@ -793,7 +793,7 @@
+@@ -834,7 +834,7 @@
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -82,7 +73,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-@@ -817,7 +817,7 @@
+@@ -858,7 +858,7 @@
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -91,7 +82,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-@@ -921,7 +921,7 @@
+@@ -962,7 +962,7 @@
   * This option is only useful if both MBEDTLS_SHA256_C and
   * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
   */
@@ -100,7 +91,7 @@
  
  /**
   * \def MBEDTLS_ENTROPY_NV_SEED
-@@ -1015,14 +1015,14 @@
+@@ -1056,14 +1056,14 @@
   * Uncomment this macro to disable the use of CRT in RSA.
   *
   */
@@ -117,7 +108,7 @@
  
  /**
   * \def MBEDTLS_SHA256_SMALLER
-@@ -1038,7 +1038,7 @@
+@@ -1079,7 +1079,7 @@
   *
   * Uncomment to enable the smaller implementation of SHA256.
   */
@@ -126,17 +117,16 @@
  
  /**
   * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
-@@ -1157,8 +1157,8 @@
-  * misuse/misunderstand.
+@@ -1206,7 +1206,7 @@
+  *          configuration of this extension).
   *
-  * Comment this to disable support for renegotiation.
-- */
- #define MBEDTLS_SSL_RENEGOTIATION
-+ */
+  */
+-#define MBEDTLS_SSL_RENEGOTIATION
++//#define MBEDTLS_SSL_RENEGOTIATION
  
  /**
   * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
-@@ -1332,8 +1332,8 @@
+@@ -1380,8 +1380,8 @@
   * callbacks are provided by MBEDTLS_SSL_TICKET_C.
   *
   * Comment this macro to disable support for SSL session tickets
@@ -146,7 +136,7 @@
  
  /**
   * \def MBEDTLS_SSL_EXPORT_KEYS
-@@ -1363,7 +1363,7 @@
+@@ -1411,7 +1411,7 @@
   *
   * Comment this macro to disable support for truncated HMAC in SSL
   */
@@ -155,7 +145,7 @@
  
  /**
   * \def MBEDTLS_THREADING_ALT
-@@ -1397,8 +1397,8 @@
+@@ -1445,8 +1445,8 @@
   * Requires: MBEDTLS_VERSION_C
   *
   * Comment this to disable run-time checking and save ROM space
@@ -165,7 +155,7 @@
  
  /**
   * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-@@ -1719,7 +1719,7 @@
+@@ -1773,7 +1773,7 @@
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
   */
@@ -174,7 +164,7 @@
  
  /**
   * \def MBEDTLS_CCM_C
-@@ -1733,7 +1733,7 @@
+@@ -1787,7 +1787,7 @@
   * This module enables the AES-CCM ciphersuites, if other requisites are
   * enabled as well.
   */
@@ -183,7 +173,7 @@
  
  /**
   * \def MBEDTLS_CERTS_C
-@@ -1745,7 +1745,7 @@
+@@ -1799,7 +1799,7 @@
   *
   * This module is used for testing (ssl_client/server).
   */
@@ -192,7 +182,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_C
-@@ -1798,7 +1798,7 @@
+@@ -1852,7 +1852,7 @@
   *
   * This module provides debugging functions.
   */
@@ -201,17 +191,16 @@
  
  /**
   * \def MBEDTLS_DES_C
-@@ -1823,8 +1823,8 @@
-  *      MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
-  *
-  * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
-- */
- #define MBEDTLS_DES_C
-+ */
+@@ -1881,7 +1881,7 @@
+  * \warning   DES is considered a weak cipher and its use constitutes a
+  *            security risk. We recommend considering stronger ciphers instead.
+  */
+-#define MBEDTLS_DES_C
++//#define MBEDTLS_DES_C
  
  /**
   * \def MBEDTLS_DHM_C
-@@ -1978,8 +1978,8 @@
+@@ -2042,8 +2042,8 @@
   * Requires: MBEDTLS_MD_C
   *
   * Uncomment to enable the HMAC_DRBG random number geerator.
@@ -221,7 +210,7 @@
  
  /**
   * \def MBEDTLS_MD_C
-@@ -2256,7 +2256,7 @@
+@@ -2337,7 +2337,7 @@
   * Caller:  library/md.c
   *
   */
@@ -230,7 +219,7 @@
  
  /**
   * \def MBEDTLS_RSA_C
-@@ -2334,8 +2334,8 @@
+@@ -2421,8 +2421,8 @@
   * Caller:
   *
   * Requires: MBEDTLS_SSL_CACHE_C
@@ -240,7 +229,7 @@
  
  /**
   * \def MBEDTLS_SSL_COOKIE_C
-@@ -2356,8 +2356,8 @@
+@@ -2443,8 +2443,8 @@
   * Caller:
   *
   * Requires: MBEDTLS_CIPHER_C
@@ -250,7 +239,7 @@
  
  /**
   * \def MBEDTLS_SSL_CLI_C
-@@ -2456,8 +2456,8 @@
+@@ -2543,8 +2543,8 @@
   * Module:  library/version.c
   *
   * This module provides run-time version information.
@@ -260,7 +249,7 @@
  
  /**
   * \def MBEDTLS_X509_USE_C
-@@ -2567,7 +2567,7 @@
+@@ -2654,7 +2654,7 @@
   * Module:  library/xtea.c
   * Caller:
   */
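Review bot: The refreshed patch drops the hunk that enabled `MBEDTLS_DEPRECATED_REMOVED` (old `@@ -220,7 +220,7 @@`), so deprecated mbedtls functions are built into the library again. Neither the patch nor the commit title gives a reason. If this is deliberate (for instance a consumer still calls an API that 2.7.0 deprecates, which is an assumption), state it in the commit message; otherwise restore `#define MBEDTLS_DEPRECATED_REMOVED` at its new offset. The `MBEDTLS_SSL_RENEGOTIATION` and `MBEDTLS_DES_C` hunks now disable the options with `//#define …` instead of moving the comment terminator, which has the same effect and is easier to audit.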

+ 69 - 0
package/libs/tcp_wrappers/Makefile

@@ -0,0 +1,69 @@
+#
+# Copyright (C) 2006 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=tcp_wrappers
+PKG_VERSION:=7.6
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=ftp://ftp.porcupine.org/pub/security
+PKG_MD5SUM:=e6fa25f71226d090f34de3f6b122fb5a
+
+PKG_LICENSE:=BSD
+PKG_LICENE_FILES:=DISCLAIMER
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)_$(PKG_VERSION)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/libwrap
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=Security wrapper library for TCP services
+  URL:=ftp://ftp.porcupine.org/pub/security/index.html
+  MAINTAINER:=Peter Wagner <tripolar@gmx.at>
+endef
+
+TARGET_CFLAGS += $(FPIC)
+
+ifeq ($(CONFIG_USE_MUSL),)
+TARGET_EXTRA_LIBS:=LIBS=-lnsl
+endif
+
+define Build/Compile	
+	$(MAKE) -C $(PKG_BUILD_DIR) \
+		$(TARGET_CONFIGURE_OPTS) \
+		OPT_CFLAGS="$(TARGET_CFLAGS)" \
+		$(TARGET_EXTRA_LIBS) \
+		NETGROUP= \
+		VSYSLOG= \
+		BUGS= \
+		EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT -DINET6=1 \
+			-Dss_family=__ss_family -Dss_len=__ss_len" \
+		FACILITY=LOG_DAEMON \
+		SEVERITY=LOG_INFO \
+		REAL_DAEMON_DIR=/usr/sbin \
+		STYLE="-DPROCESS_OPTIONS" \
+		tidy all
+endef
+
+define Build/InstallDev	
+	$(INSTALL_DIR) $(1)/usr/include
+	$(CP) $(PKG_BUILD_DIR)/tcpd.h $(1)/usr/include/
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_BUILD_DIR)/libwrap.a $(1)/usr/lib/
+	$(CP) $(PKG_BUILD_DIR)/shared/libwrap.so* $(1)/usr/lib/
+endef
+
+define Package/libwrap/install	
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_BUILD_DIR)/shared/libwrap.so.* $(1)/usr/lib/
+endef
+	
+$(eval $(call BuildPackage,libwrap))
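Review bot: The source tarball is fetched over unauthenticated `ftp://` and checked only against `PKG_MD5SUM`. MD5 is not collision-resistant, so this is a weak integrity check for a download that can be altered in transit. The other packages on this page pin a SHA-256 through `PKG_HASH` (libcap, mbedtls); do the same here with `PKG_HASH:=<sha256 of tcp_wrappers_7.6.tar.gz>`, computed from a copy whose origin you trust. `PKG_LICENE_FILES` is misspelled, so the build system will presumably not pick it up; it should read `PKG_LICENSE_FILES:=DISCLAIMER`. The `define Build/Compile`, `define Build/InstallDev` and `define Package/libwrap/install` lines also appear to end in a stray tab, which should be removed.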

+ 936 - 0
package/libs/tcp_wrappers/patches/001-debian_subset.patch

@@ -0,0 +1,936 @@
+--- a/hosts_access.c
++++ b/hosts_access.c
+@@ -240,6 +240,26 @@ struct request_info *request;
+     }
+ }
+ 
++/* hostfile_match - look up host patterns from file */
++
++static int hostfile_match(path, host)
++char   *path;
++struct hosts_info *host;
++{
++    char    tok[BUFSIZ];
++    int     match = NO;
++    FILE   *fp;
++
++    if ((fp = fopen(path, "r")) != 0) {
++        while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
++            /* void */ ;
++        fclose(fp);
++    } else if (errno != ENOENT) {
++        tcpd_warn("open %s: %m", path);
++    }
++    return (match);
++}
++
+ /* host_match - match host name and/or address against pattern */
+ 
+ static int host_match(tok, host)
+@@ -267,6 +287,8 @@ struct host_info *host;
+ 	tcpd_warn("netgroup support is disabled");	/* not tcpd_jump() */
+ 	return (NO);
+ #endif
++    } else if (tok[0] == '/') {                         /* /file hack */
++        return (hostfile_match(tok, host));
+     } else if (STR_EQ(tok, "KNOWN")) {		/* check address and name */
+ 	char   *name = eval_hostname(host);
+ 	return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
+--- a/tcpd.h
++++ b/tcpd.h
+@@ -4,6 +4,25 @@
+   * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+   */
+ 
++#ifndef _TCPWRAPPERS_TCPD_H
++#define _TCPWRAPPERS_TCPD_H
++
++/* someone else may have defined this */
++#undef  __P
++
++/* use prototypes if we have an ANSI C compiler or are using C++ */
++#if defined(__STDC__) || defined(__cplusplus)
++#define __P(args)       args
++#else
++#define __P(args)       ()
++#endif
++
++/* Need definitions of struct sockaddr_in and FILE. */
++#include <netinet/in.h>
++#include <stdio.h>
++
++__BEGIN_DECLS
++
+ /* Structure to describe one communications endpoint. */
+ 
+ #define STRING_LENGTH	128		/* hosts, users, processes */
+@@ -25,10 +44,10 @@ struct request_info {
+     char    pid[10];			/* access via eval_pid(request) */
+     struct host_info client[1];		/* client endpoint info */
+     struct host_info server[1];		/* server endpoint info */
+-    void  (*sink) ();			/* datagram sink function or 0 */
+-    void  (*hostname) ();		/* address to printable hostname */
+-    void  (*hostaddr) ();		/* address to printable address */
+-    void  (*cleanup) ();		/* cleanup function or 0 */
++    void  (*sink) __P((int));		/* datagram sink function or 0 */
++    void  (*hostname) __P((struct host_info *)); /* address to printable hostname */
++    void  (*hostaddr) __P((struct host_info *)); /* address to printable address */
++    void  (*cleanup) __P((struct request_info *)); /* cleanup function or 0 */
+     struct netconfig *config;		/* netdir handle */
+ };
+ 
+@@ -61,25 +80,30 @@ extern char paranoid[];
+ /* Global functions. */
+ 
+ #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
+-extern void fromhost();			/* get/validate client host info */
++extern void fromhost __P((struct request_info *));	/* get/validate client host info */
+ #else
+ #define fromhost sock_host		/* no TLI support needed */
+ #endif
+ 
+-extern int hosts_access();		/* access control */
+-extern void shell_cmd();		/* execute shell command */
+-extern char *percent_x();		/* do %<char> expansion */
+-extern void rfc931();			/* client name from RFC 931 daemon */
+-extern void clean_exit();		/* clean up and exit */
+-extern void refuse();			/* clean up and exit */
+-extern char *xgets();			/* fgets() on steroids */
+-extern char *split_at();		/* strchr() and split */
+-extern unsigned long dot_quad_addr();	/* restricted inet_addr() */
++extern void shell_cmd __P((char *));	/* execute shell command */
++extern char *percent_x __P((char *, int, char *, struct request_info *)); /* do %<char> expansion */
++extern void rfc931 __P((struct sockaddr_in *, struct sockaddr_in *, char *)); /* client name from RFC 931 daemon */
++extern void clean_exit __P((struct request_info *)); /* clean up and exit */
++extern void refuse __P((struct request_info *));	/* clean up and exit */
++extern char *xgets __P((char *, int, FILE *));	/* fgets() on steroids */
++extern char *split_at __P((char *, int));	/* strchr() and split */
++extern unsigned long dot_quad_addr __P((char *)); /* restricted inet_addr() */
+ 
+ /* Global variables. */
+ 
++#ifdef HAVE_WEAKSYMS
++extern int allow_severity __attribute__ ((weak)); /* for connection logging */
++extern int deny_severity __attribute__ ((weak)); /* for connection logging */
++#else
+ extern int allow_severity;		/* for connection logging */
+ extern int deny_severity;		/* for connection logging */
++#endif
++
+ extern char *hosts_allow_table;		/* for verification mode redirection */
+ extern char *hosts_deny_table;		/* for verification mode redirection */
+ extern int hosts_access_verbose;	/* for verbose matching mode */
+@@ -92,9 +116,14 @@ extern int resident;			/* > 0 if residen
+   */
+ 
+ #ifdef __STDC__
++extern int hosts_access(struct request_info *request);
++extern int hosts_ctl(char *daemon, char *client_name, char *client_addr, 
++                     char *client_user);
+ extern struct request_info *request_init(struct request_info *,...);
+ extern struct request_info *request_set(struct request_info *,...);
+ #else
++extern int hosts_access();
++extern int hosts_ctl();
+ extern struct request_info *request_init();	/* initialize request */
+ extern struct request_info *request_set();	/* update request structure */
+ #endif
+@@ -117,27 +146,31 @@ extern struct request_info *request_set(
+   * host_info structures serve as caches for the lookup results.
+   */
+ 
+-extern char *eval_user();		/* client user */
+-extern char *eval_hostname();		/* printable hostname */
+-extern char *eval_hostaddr();		/* printable host address */
+-extern char *eval_hostinfo();		/* host name or address */
+-extern char *eval_client();		/* whatever is available */
+-extern char *eval_server();		/* whatever is available */
++extern char *eval_user __P((struct request_info *));	/* client user */
++extern char *eval_hostname __P((struct host_info *));	/* printable hostname */
++extern char *eval_hostaddr __P((struct host_info *));	/* printable host address */
++extern char *eval_hostinfo __P((struct host_info *));	/* host name or address */
++extern char *eval_client __P((struct request_info *));	/* whatever is available */
++extern char *eval_server __P((struct request_info *));	/* whatever is available */
+ #define eval_daemon(r)	((r)->daemon)	/* daemon process name */
+ #define eval_pid(r)	((r)->pid)	/* process id */
+ 
+ /* Socket-specific methods, including DNS hostname lookups. */
+ 
+-extern void sock_host();		/* look up endpoint addresses */
+-extern void sock_hostname();		/* translate address to hostname */
+-extern void sock_hostaddr();		/* address to printable address */
++/* look up endpoint addresses */
++extern void sock_host __P((struct request_info *));
++/* translate address to hostname */
++extern void sock_hostname __P((struct host_info *));
++/* address to printable address */
++extern void sock_hostaddr __P((struct host_info *));
++
+ #define sock_methods(r) \
+ 	{ (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; }
+ 
+ /* The System V Transport-Level Interface (TLI) interface. */
+ 
+ #if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
+-extern void tli_host();			/* look up endpoint addresses etc. */
++extern void tli_host __P((struct request_info *));	/* look up endpoint addresses etc. */
+ #endif
+ 
+  /*
+@@ -178,7 +211,7 @@ extern struct tcpd_context tcpd_context;
+   * behavior.
+   */
+ 
+-extern void process_options();		/* execute options */
++extern void process_options __P((char *, struct request_info *)); /* execute options */
+ extern int dry_run;			/* verification flag */
+ 
+ /* Bug workarounds. */
+@@ -217,3 +250,7 @@ extern char *fix_strtok();
+ #define strtok	my_strtok
+ extern char *my_strtok();
+ #endif
++
++__END_DECLS
++
++#endif /* tcpd.h */
+--- a/Makefile
++++ b/Makefile
+@@ -1,5 +1,10 @@
++GLIBC=$(shell grep -s -c __GLIBC__ /usr/include/features.h)
++
+ # @(#) Makefile 1.23 97/03/21 19:27:20
+ 
++# unset the HOSTNAME environment variable
++HOSTNAME =
++
+ what:
+ 	@echo
+ 	@echo "Usage: edit the REAL_DAEMON_DIR definition in the Makefile then:"
+@@ -19,7 +24,7 @@ what:
+ 	@echo "	generic (most bsd-ish systems with sys5 compatibility)"
+ 	@echo "	386bsd aix alpha apollo bsdos convex-ultranet dell-gcc dgux dgux543"
+ 	@echo "	dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix"
+-	@echo "	linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"
++	@echo "	linux gnu machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"
+ 	@echo "	ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4"
+ 	@echo "	sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2"
+ 	@echo "	uts215 uxp"
+@@ -43,8 +48,8 @@ what:
+ # Ultrix 4.x SunOS 4.x ConvexOS 10.x Dynix/ptx
+ #REAL_DAEMON_DIR=/usr/etc
+ #
+-# SysV.4 Solaris 2.x OSF AIX
+-#REAL_DAEMON_DIR=/usr/sbin
++# SysV.4 Solaris 2.x OSF AIX Linux
++REAL_DAEMON_DIR=/usr/sbin
+ #
+ # BSD 4.4
+ #REAL_DAEMON_DIR=/usr/libexec
+@@ -141,10 +146,21 @@ freebsd:
+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
+ 	EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all
+ 
++ifneq ($(GLIBC),0)
++MYLIB=-lnsl
++endif
++
+ linux:
+ 	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+-	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
+-	NETGROUP= TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER" all
++	LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
++	NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \
++	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_WEAKSYMS -D_REENTRANT"
++
++gnu:
++	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	LIBS=$(MYLIB) RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
++	NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= all \
++	EXTRA_CFLAGS="-DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT"
+ 
+ # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x.
+ hpux hpux8 hpux9 hpux10:
+@@ -391,7 +407,7 @@ AR	= ar
+ # the ones provided with this source distribution. The environ.c module
+ # implements setenv(), getenv(), and putenv().
+ 
+-AUX_OBJ= setenv.o
++#AUX_OBJ= setenv.o
+ #AUX_OBJ= environ.o
+ #AUX_OBJ= environ.o strcasecmp.o
+ 
+@@ -454,7 +470,8 @@ AUX_OBJ= setenv.o
+ # host name aliases. Compile with -DSOLARIS_24_GETHOSTBYNAME_BUG to work
+ # around this. The workaround does no harm on other Solaris versions.
+ 
+-BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK
++BUGS =
++#BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK
+ #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DINET_ADDR_BUG
+ #BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DSOLARIS_24_GETHOSTBYNAME_BUG
+ 
+@@ -464,7 +481,7 @@ BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS
+ # If your system supports NIS or YP-style netgroups, enable the following
+ # macro definition. Netgroups are used only for host access control.
+ #
+-#NETGROUP= -DNETGROUP
++NETGROUP= -DNETGROUP
+ 
+ ###############################################################
+ # System dependencies: whether or not your system has vsyslog()
+@@ -491,7 +508,7 @@ VSYSLOG	= -Dvsyslog=myvsyslog
+ # Uncomment the next definition to turn on the language extensions
+ # (examples: allow, deny, banners, twist and spawn).
+ # 
+-#STYLE	= -DPROCESS_OPTIONS	# Enable language extensions.
++STYLE	= -DPROCESS_OPTIONS	# Enable language extensions.
+ 
+ ################################################################
+ # Optional: Changing the default disposition of logfile records
+@@ -514,7 +531,7 @@ VSYSLOG	= -Dvsyslog=myvsyslog
+ #
+ # The LOG_XXX names below are taken from the /usr/include/syslog.h file.
+ 
+-FACILITY= LOG_MAIL	# LOG_MAIL is what most sendmail daemons use
++FACILITY= LOG_DAEMON	# LOG_MAIL is what most sendmail daemons use
+ 
+ # The syslog priority at which successful connections are logged.
+ 
+@@ -610,7 +627,7 @@ TABLES	= -DHOSTS_DENY=\"/etc/hosts.deny\
+ # Paranoid mode implies hostname lookup. In order to disable hostname
+ # lookups altogether, see the next section.
+ 
+-PARANOID= -DPARANOID
++#PARANOID= -DPARANOID
+ 
+ ########################################
+ # Optional: turning off hostname lookups
+@@ -623,7 +640,7 @@ PARANOID= -DPARANOID
+ # In order to perform selective hostname lookups, disable paranoid
+ # mode (see previous section) and comment out the following definition.
+ 
+-HOSTNAME= -DALWAYS_HOSTNAME
++#HOSTNAME= -DALWAYS_HOSTNAME
+ 
+ #############################################
+ # Optional: Turning on host ADDRESS checking
+@@ -649,28 +666,46 @@ HOSTNAME= -DALWAYS_HOSTNAME
+ # source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
+ # Solaris 2.x, and Linux. See your system documentation for details.
+ #
+-# KILL_OPT= -DKILL_IP_OPTIONS
++KILL_OPT= -DKILL_IP_OPTIONS
+ 
+ ## End configuration options
+ ############################
+ 
+ # Protection against weird shells or weird make programs.
+ 
++CC	= gcc
+ SHELL	= /bin/sh
+-.c.o:;	$(CC) $(CFLAGS) -c $*.c
++.c.o:;	$(CC) $(CFLAGS) -o $*.o -c $*.c
++
++SOMAJOR = 0
++SOMINOR = 7.6
++
++LIB	= libwrap.a
++SHLIB	= shared/libwrap.so.$(SOMAJOR).$(SOMINOR)
++SHLIBSOMAJ= shared/libwrap.so.$(SOMAJOR)
++SHLIBSO	= shared/libwrap.so
++SHLIBFLAGS = -Lshared -lwrap
+ 
+-CFLAGS	= -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
++shared/%.o: %.c
++	$(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@
++
++CFLAGS	= -O2 -g -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
+ 	$(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \
+ 	-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \
+ 	-DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
+ 	$(UCHAR) $(TABLES) $(STRINGS) $(TLI) $(EXTRA_CFLAGS) $(DOT) \
+ 	$(VSYSLOG) $(HOSTNAME)
+ 
++SHLINKFLAGS = -shared -Xlinker -soname -Xlinker libwrap.so.$(SOMAJOR) -lc $(LIBS)
++SHCFLAGS = -fPIC -shared -D_REENTRANT
++
+ LIB_OBJ= hosts_access.o options.o shell_cmd.o rfc931.o eval.o \
+ 	hosts_ctl.o refuse.o percent_x.o clean_exit.o $(AUX_OBJ) \
+ 	$(FROM_OBJ) fix_options.o socket.o tli.o workarounds.o \
+ 	update.o misc.o diag.o percent_m.o myvsyslog.o
+ 
++SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ));
++
+ FROM_OBJ= fromhost.o
+ 
+ KIT	= README miscd.c tcpd.c fromhost.c hosts_access.c shell_cmd.c \
+@@ -684,46 +719,78 @@ KIT	= README miscd.c tcpd.c fromhost.c h
+ 	refuse.c tcpdchk.8 setenv.c inetcf.c inetcf.h scaffold.c \
+ 	scaffold.h tcpdmatch.8 README.NIS
+ 
+-LIB	= libwrap.a
+-
+-all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk
++all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB)
+ 
+ # Invalidate all object files when the compiler options (CFLAGS) have changed.
+ 
+ config-check:
+ 	@set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; }
+-	@set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \
+-	if cmp cflags /tmp/cflags.$$$$ ; \
+-	then rm /tmp/cflags.$$$$ ; \
+-	else mv /tmp/cflags.$$$$ cflags ; \
++	@set +e; echo $(CFLAGS) >cflags.new ; \
++	if cmp cflags cflags.new ; \
++	then rm cflags.new ; \
++	else mv cflags.new cflags ; \
+ 	fi >/dev/null 2>/dev/null
++	@if [ ! -d shared ]; then mkdir shared; fi
+ 
+ $(LIB):	$(LIB_OBJ)
+ 	rm -f $(LIB)
+ 	$(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ)
+ 	-$(RANLIB) $(LIB)
+ 
+-tcpd:	tcpd.o $(LIB)
+-	$(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS)
++$(SHLIB): $(SHLIB_OBJ)
++	rm -f $(SHLIB)
++	$(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ)
++	ln -s $(notdir $(SHLIB)) $(SHLIBSOMAJ)
++	ln -s $(notdir $(SHLIBSOMAJ)) $(SHLIBSO)
++
++tcpd:	tcpd.o $(SHLIB)
++	$(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS)
+ 
+-miscd:	miscd.o $(LIB)
+-	$(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS)
++miscd:	miscd.o $(SHLIB)
++	$(CC) $(CFLAGS) -o $@ miscd.o $(SHLIBFLAGS)
+ 
+-safe_finger: safe_finger.o $(LIB)
+-	$(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS)
++safe_finger: safe_finger.o $(SHLIB)
++	$(CC) $(CFLAGS) -o $@ safe_finger.o $(SHLIBFLAGS)
+ 
+ TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o
+ 
+-tcpdmatch: $(TCPDMATCH_OBJ) $(LIB)
+-	$(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS)
++tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB)
++	$(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS)
+ 
+-try-from: try-from.o fakelog.o $(LIB)
+-	$(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS)
++try-from: try-from.o fakelog.o $(SHLIB)
++	$(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS)
+ 
+ TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o
+ 
+-tcpdchk: $(TCPDCHK_OBJ) $(LIB)
+-	$(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS)
++tcpdchk: $(TCPDCHK_OBJ) $(SHLIB)
++	$(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS)
++
++install: install-lib install-bin install-dev
++
++install-lib:
++	install -o root -g root -m 0644 $(SHLIB) ${DESTDIR}/lib/
++	ln -s $(notdir $(SHLIB)) ${DESTDIR}/lib/$(notdir $(SHLIBSOMAJ))
++
++install-bin:
++	install -o root -g root -m 0755 tcpd ${DESTDIR}/usr/sbin/
++	install -o root -g root -m 0755 tcpdchk ${DESTDIR}/usr/sbin/
++	install -o root -g root -m 0755 tcpdmatch ${DESTDIR}/usr/sbin/
++	install -o root -g root -m 0755 try-from ${DESTDIR}/usr/sbin/
++	install -o root -g root -m 0755 safe_finger ${DESTDIR}/usr/sbin/
++	install -o root -g root -m 0644 tcpd.8 ${DESTDIR}/usr/share/man/man8/
++	install -o root -g root -m 0644 tcpdchk.8 ${DESTDIR}/usr/share/man/man8/
++	install -o root -g root -m 0644 tcpdmatch.8 ${DESTDIR}/usr/share/man/man8/
++	install -o root -g root -m 0644 hosts_access.5 ${DESTDIR}/usr/share/man/man5/
++	install -o root -g root -m 0644 hosts_options.5 ${DESTDIR}/usr/share/man/man5/
++
++install-dev:
++	ln -s /lib/$(notdir $(SHLIBSOMAJ)) ${DESTDIR}/usr/lib/$(notdir $(SHLIBSO))
++	install -o root -g root -m 0644 hosts_access.3 ${DESTDIR}/usr/share/man/man3/
++	install -o root -g root -m 0644 tcpd.h ${DESTDIR}/usr/include/
++	install -o root -g root -m 0644 $(LIB) ${DESTDIR}/usr/lib/
++	ln -s hosts_access.3 ${DESTDIR}/usr/share/man/man3/hosts_ctl.3
++	ln -s hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_init.3
++	ln -s hosts_access.3 ${DESTDIR}/usr/share/man/man3/request_set.3
+ 
+ shar:	$(KIT)
+ 	@shar $(KIT)
+@@ -739,7 +806,8 @@ archive:
+ 
+ clean:
+ 	rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \
+-	cflags
++	cflags libwrap*.so*
++	rm -rf shared
+ 
+ tidy:	clean
+ 	chmod -R a+r .
+@@ -885,5 +953,6 @@ update.o: cflags
+ update.o: mystdarg.h
+ update.o: tcpd.h
+ vfprintf.o: cflags
++weak_symbols.o: tcpd.h
+ workarounds.o: cflags
+ workarounds.o: tcpd.h
+--- a/hosts_access.5
++++ b/hosts_access.5
+@@ -8,9 +8,9 @@ name, host name/address) patterns.  Exam
+ impatient reader is encouraged to skip to the EXAMPLES section for a
+ quick introduction.
+ .PP
+-An extended version of the access control language is described in the
+-\fIhosts_options\fR(5) document. The extensions are turned on at
+-program build time by building with -DPROCESS_OPTIONS.
++The extended version of the access control language is described in the
++\fIhosts_options\fR(5) document. \fBNote that this language supersedes
++the meaning of \fIshell_command\fB as documented below.\fR
+ .PP
+ In the following text, \fIdaemon\fR is the the process name of a
+ network daemon process, and \fIclient\fR is the name and/or address of
+@@ -40,7 +40,7 @@ A newline character is ignored when it i
+ character. This permits you to break up long lines so that they are
+ easier to edit.
+ .IP \(bu
+-Blank lines or lines that begin with a `#\' character are ignored.
++Blank lines or lines that begin with a `#' character are ignored.
+ This permits you to insert comments and whitespace so that the tables
+ are easier to read.
+ .IP \(bu
+@@ -69,26 +69,33 @@ checks are case insensitive.
+ .SH PATTERNS
+ The access control language implements the following patterns:
+ .IP \(bu
+-A string that begins with a `.\' character. A host name is matched if
++A string that begins with a `.' character. A host name is matched if
+ the last components of its name match the specified pattern.  For
+-example, the pattern `.tue.nl\' matches the host name
+-`wzv.win.tue.nl\'.
++example, the pattern `.tue.nl' matches the host name
++`wzv.win.tue.nl'.
+ .IP \(bu
+-A string that ends with a `.\' character. A host address is matched if
++A string that ends with a `.' character. A host address is matched if
+ its first numeric fields match the given string.  For example, the
+-pattern `131.155.\' matches the address of (almost) every host on the
++pattern `131.155.' matches the address of (almost) every host on the
+ Eind\%hoven University network (131.155.x.x).
+ .IP \(bu
+-A string that begins with an `@\' character is treated as an NIS
++A string that begins with an `@' character is treated as an NIS
+ (formerly YP) netgroup name. A host name is matched if it is a host
+ member of the specified netgroup. Netgroup matches are not supported
+ for daemon process names or for client user names.
+ .IP \(bu
+-An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a
+-`net/mask\' pair. A host address is matched if `net\' is equal to the
+-bitwise AND of the address and the `mask\'. For example, the net/mask
+-pattern `131.155.72.0/255.255.254.0\' matches every address in the
+-range `131.155.72.0\' through `131.155.73.255\'.
++An expression of the form `n.n.n.n/m.m.m.m' is interpreted as a
++`net/mask' pair. A host address is matched if `net' is equal to the
++bitwise AND of the address and the `mask'. For example, the net/mask
++pattern `131.155.72.0/255.255.254.0' matches every address in the
++range `131.155.72.0' through `131.155.73.255'.
++.IP \(bu
++A string that begins with a `/' character is treated as a file
++name. A host name or address is matched if it matches any host name
++or address pattern listed in the named file. The file format is
++zero or more lines with zero or more host name or address patterns
++separated by whitespace.  A file name pattern can be used anywhere
++a host name or address pattern can be used.
+ .SH WILDCARDS
+ The access control language supports explicit wildcards:
+ .IP ALL
+@@ -115,19 +122,19 @@ without -DPARANOID when you want more co
+ .ne 6
+ .SH OPERATORS
+ .IP EXCEPT
+-Intended use is of the form: `list_1 EXCEPT list_2\'; this construct
++Intended use is of the form: `list_1 EXCEPT list_2'; this construct
+ matches anything that matches \fIlist_1\fR unless it matches
+ \fIlist_2\fR.  The EXCEPT operator can be used in daemon_lists and in
+ client_lists. The EXCEPT operator can be nested: if the control
+-language would permit the use of parentheses, `a EXCEPT b EXCEPT c\'
+-would parse as `(a EXCEPT (b EXCEPT c))\'.
++language would permit the use of parentheses, `a EXCEPT b EXCEPT c'
++would parse as `(a EXCEPT (b EXCEPT c))'.
+ .br
+ .ne 6
+ .SH SHELL COMMANDS
+ If the first-matched access control rule contains a shell command, that
+ command is subjected to %<letter> substitutions (see next section).
+ The result is executed by a \fI/bin/sh\fR child process with standard
+-input, output and error connected to \fI/dev/null\fR.  Specify an `&\'
++input, output and error connected to \fI/dev/null\fR.  Specify an `&'
+ at the end of the command if you do not want to wait until it has
+ completed.
+ .PP
+@@ -159,7 +166,7 @@ depending on how much information is ava
+ .IP %u
+ The client user name (or "unknown").
+ .IP %%
+-Expands to a single `%\' character.
++Expands to a single `%' character.
+ .PP
+ Characters in % expansions that may confuse the shell are replaced by
+ underscores.
+@@ -243,9 +250,9 @@ A positive IDENT lookup result (the clie
+ less trustworthy. It is possible for an intruder to spoof both the
+ client connection and the IDENT lookup, although doing so is much
+ harder than spoofing just a client connection. It may also be that
+-the client\'s IDENT server is lying.
++the client's IDENT server is lying.
+ .PP
+-Note: IDENT lookups don\'t work with UDP services. 
++Note: IDENT lookups don't work with UDP services. 
+ .SH EXAMPLES
+ The language is flexible enough that different types of access control
+ policy can be expressed with a minimum of fuss. Although the language
+@@ -285,7 +292,7 @@ ALL: LOCAL @some_netgroup
+ .br
+ ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
+ .PP
+-The first rule permits access from hosts in the local domain (no `.\'
++The first rule permits access from hosts in the local domain (no `.'
+ in the host name) and from members of the \fIsome_netgroup\fP
+ netgroup.  The second rule permits access from all hosts in the
+ \fIfoobar.edu\fP domain (notice the leading dot), with the exception of
+@@ -322,8 +329,8 @@ in.tftpd: LOCAL, .my.domain
+ /etc/hosts.deny:
+ .in +3
+ .nf
+-in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\
+-	/usr/ucb/mail -s %d-%h root) &
++in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\
++	/usr/bin/mail -s %d-%h root) &
+ .fi
+ .PP
+ The safe_finger command comes with the tcpd wrapper and should be
+@@ -349,7 +356,7 @@ control rule; when the length of an acce
+ capacity of an internal buffer; when an access control rule is not
+ terminated by a newline character; when the result of %<letter>
+ expansion would overflow an internal buffer; when a system call fails
+-that shouldn\'t.  All problems are reported via the syslog daemon.
++that shouldn't.  All problems are reported via the syslog daemon.
+ .SH FILES
+ .na
+ .nf
+--- a/rfc931.c
++++ b/rfc931.c
+@@ -33,7 +33,7 @@ static char sccsid[] = "@(#) rfc931.c 1.
+ 
+ int     rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */
+ 
+-static jmp_buf timebuf;
++static sigjmp_buf timebuf;
+ 
+ /* fsocket - open stdio stream on top of socket */
+ 
+@@ -62,7 +62,7 @@ int     protocol;
+ static void timeout(sig)
+ int     sig;
+ {
+-    longjmp(timebuf, sig);
++    siglongjmp(timebuf, sig);
+ }
+ 
+ /* rfc931 - return remote user name, given socket structures */
+@@ -99,7 +99,7 @@ char   *dest;
+ 	 * Set up a timer so we won't get stuck while waiting for the server.
+ 	 */
+ 
+-	if (setjmp(timebuf) == 0) {
++	if (sigsetjmp(timebuf,1) == 0) {
+ 	    signal(SIGALRM, timeout);
+ 	    alarm(rfc931_timeout);
+ 
+--- a/tcpd.8
++++ b/tcpd.8
+@@ -94,7 +94,7 @@ configuration files.
+ .PP
+ The example assumes that the network daemons live in /usr/etc. On some
+ systems, network daemons live in /usr/sbin or in /usr/libexec, or have
+-no `in.\' prefix to their name.
++no `in.' prefix to their name.
+ .SH EXAMPLE 2
+ This example applies when \fItcpd\fR expects that the network daemons
+ are left in their original place.
+@@ -110,26 +110,26 @@ finger  stream  tcp  nowait  nobody  /us
+ becomes:
+ .sp
+ .ti +5
+-finger  stream  tcp  nowait  nobody  /some/where/tcpd     in.fingerd
++finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd       in.fingerd
+ .sp
+ .fi
+ .PP
+ The example assumes that the network daemons live in /usr/etc. On some
+ systems, network daemons live in /usr/sbin or in /usr/libexec, the
+-daemons have no `in.\' prefix to their name, or there is no userid
++daemons have no `in.' prefix to their name, or there is no userid
+ field in the inetd configuration file.
+ .PP
+ Similar changes will be needed for the other services that are to be
+-covered by \fItcpd\fR.  Send a `kill -HUP\' to the \fIinetd\fR(8)
++covered by \fItcpd\fR.  Send a `kill -HUP' to the \fIinetd\fR(8)
+ process to make the changes effective. AIX users may also have to
+-execute the `inetimp\' command.
++execute the `inetimp' command.
+ .SH EXAMPLE 3
+ In the case of daemons that do not live in a common directory ("secret"
+ or otherwise), edit the \fIinetd\fR configuration file so that it
+ specifies an absolute path name for the process name field. For example:
+ .nf
+ .sp
+-    ntalk  dgram  udp  wait  root  /some/where/tcpd  /usr/local/lib/ntalkd
++    ntalk  dgram  udp  wait  root  /usr/sbin/tcpd  /usr/sbin/in.ntalkd
+ .sp
+ .fi
+ .PP
+--- a/hosts_access.3
++++ b/hosts_access.3
+@@ -3,7 +3,7 @@
+ hosts_access, hosts_ctl, request_init, request_set \- access control library
+ .SH SYNOPSIS
+ .nf
+-#include "tcpd.h"
++#include <tcpd.h>
+ 
+ extern int allow_severity;
+ extern int deny_severity;
+--- a/options.c
++++ b/options.c
+@@ -473,6 +473,9 @@ static struct syslog_names log_fac[] = {
+ #ifdef LOG_CRON
+     "cron", LOG_CRON,
+ #endif
++#ifdef LOG_FTP
++    "ftp", LOG_FTP,
++#endif
+ #ifdef LOG_LOCAL0
+     "local0", LOG_LOCAL0,
+ #endif
+--- a/fix_options.c
++++ b/fix_options.c
+@@ -35,7 +35,12 @@ struct request_info *request;
+ #ifdef IP_OPTIONS
+     unsigned char optbuf[BUFFER_SIZE / 3], *cp;
+     char    lbuf[BUFFER_SIZE], *lp;
++#if !defined(__GLIBC__)
+     int     optsize = sizeof(optbuf), ipproto;
++#else /* __GLIBC__ */
++    size_t  optsize = sizeof(optbuf);
++    int     ipproto;
++#endif /* __GLIBC__ */
+     struct protoent *ip;
+     int     fd = request->fd;
+     unsigned int opt;
+--- a/workarounds.c
++++ b/workarounds.c
+@@ -163,7 +163,11 @@ int    *fromlen;
+ int     fix_getpeername(sock, sa, len)
+ int     sock;
+ struct sockaddr *sa;
++#if !defined(__GLIBC__)
+ int    *len;
++#else /* __GLIBC__ */
++size_t *len;
++#endif /* __GLIBC__ */
+ {
+     int     ret;
+     struct sockaddr_in *sin = (struct sockaddr_in *) sa;
+--- a/socket.c
++++ b/socket.c
+@@ -76,7 +76,11 @@ struct request_info *request;
+ {
+     static struct sockaddr_in client;
+     static struct sockaddr_in server;
++#if !defined (__GLIBC__)
+     int     len;
++#else /* __GLIBC__ */
++    size_t  len;
++#endif /* __GLIBC__ */
+     char    buf[BUFSIZ];
+     int     fd = request->fd;
+ 
+@@ -224,7 +228,11 @@ int     fd;
+ {
+     char    buf[BUFSIZ];
+     struct sockaddr_in sin;
++#if !defined(__GLIBC__)
+     int     size = sizeof(sin);
++#else /* __GLIBC__ */
++    size_t  size = sizeof(sin);
++#endif /* __GLIBC__ */
+ 
+     /*
+      * Eat up the not-yet received datagram. Some systems insist on a
+--- a/safe_finger.c
++++ b/safe_finger.c
+@@ -26,21 +26,24 @@ static char sccsid[] = "@(#) safe_finger
+ #include <stdio.h>
+ #include <ctype.h>
+ #include <pwd.h>
++#include <syslog.h>
+ 
+ extern void exit();
+ 
+ /* Local stuff */
+ 
+-char    path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin";
++char    path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin";
+ 
+ #define	TIME_LIMIT	60		/* Do not keep listinging forever */
+ #define	INPUT_LENGTH	100000		/* Do not keep listinging forever */
+ #define	LINE_LENGTH	128		/* Editors can choke on long lines */
+ #define	FINGER_PROGRAM	"finger"	/* Most, if not all, UNIX systems */
+ #define	UNPRIV_NAME	"nobody"	/* Preferred privilege level */
+-#define	UNPRIV_UGID	32767		/* Default uid and gid */
++#define	UNPRIV_UGID	65534		/* Default uid and gid */
+ 
+ int     finger_pid;
++int	allow_severity = SEVERITY;
++int	deny_severity = LOG_WARNING;
+ 
+ void    cleanup(sig)
+ int     sig;
+--- a/hosts_options.5
++++ b/hosts_options.5
+@@ -58,12 +58,12 @@ Notice the leading dot on the domain nam
+ Execute, in a child process, the specified shell command, after
+ performing the %<letter> expansions described in the hosts_access(5)
+ manual page.  The command is executed with stdin, stdout and stderr
+-connected to the null device, so that it won\'t mess up the
++connected to the null device, so that it won't mess up the
+ conversation with the client host. Example:
+ .sp
+ .nf
+ .ti +3
+-spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) &
++spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) &
+ .fi
+ .sp
+ executes, in a background child process, the shell command "safe_finger
+--- a/tcpdchk.c
++++ b/tcpdchk.c
+@@ -350,6 +350,8 @@ char   *pat;
+ {
+     if (pat[0] == '@') {
+ 	tcpd_warn("%s: daemon name begins with \"@\"", pat);
++    } else if (pat[0] == '/') {
++        tcpd_warn("%s: daemon name begins with \"/\"", pat);
+     } else if (pat[0] == '.') {
+ 	tcpd_warn("%s: daemon name begins with dot", pat);
+     } else if (pat[strlen(pat) - 1] == '.') {
+@@ -382,6 +384,8 @@ char   *pat;
+ {
+     if (pat[0] == '@') {			/* @netgroup */
+ 	tcpd_warn("%s: user name begins with \"@\"", pat);
++    } else if (pat[0] == '/') {
++        tcpd_warn("%s: user name begins with \"/\"", pat);
+     } else if (pat[0] == '.') {
+ 	tcpd_warn("%s: user name begins with dot", pat);
+     } else if (pat[strlen(pat) - 1] == '.') {
+@@ -402,8 +406,13 @@ char   *pat;
+ static int check_host(pat)
+ char   *pat;
+ {
++    char    buf[BUFSIZ];
+     char   *mask;
+     int     addr_count = 1;
++    FILE   *fp;
++    struct tcpd_context saved_context;
++    char   *cp;
++    char   *wsp = " \t\r\n";
+ 
+     if (pat[0] == '@') {			/* @netgroup */
+ #ifdef NO_NETGRENT
+@@ -422,6 +431,21 @@ char   *pat;
+ 	tcpd_warn("netgroup support disabled");
+ #endif
+ #endif
++    } else if (pat[0] == '/') {                 /* /path/name */
++        if ((fp = fopen(pat, "r")) != 0) {
++            saved_context = tcpd_context;
++            tcpd_context.file = pat;
++            tcpd_context.line = 0;
++            while (fgets(buf, sizeof(buf), fp)) {
++                tcpd_context.line++;
++                for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
++                    check_host(cp);
++            }
++            tcpd_context = saved_context;
++            fclose(fp);
++        } else if (errno != ENOENT) {
++            tcpd_warn("open %s: %m", pat);
++        }
+     } else if (mask = split_at(pat, '/')) {	/* network/netmask */
+ 	if (dot_quad_addr(pat) == INADDR_NONE
+ 	    || dot_quad_addr(mask) == INADDR_NONE)
+--- a/percent_m.c
++++ b/percent_m.c
+@@ -13,7 +13,7 @@ static char sccsid[] = "@(#) percent_m.c
+ #include <string.h>
+ 
+ extern int errno;
+-#ifndef SYS_ERRLIST_DEFINED
++#if !defined(SYS_ERRLIST_DEFINED) && !defined(HAVE_STRERROR)
+ extern char *sys_errlist[];
+ extern int sys_nerr;
+ #endif
+@@ -29,11 +29,15 @@ char   *ibuf;
+ 
+     while (*bp = *cp)
+ 	if (*cp == '%' && cp[1] == 'm') {
++#ifdef HAVE_STRERROR
++            strcpy(bp, strerror(errno));
++#else
+ 	    if (errno < sys_nerr && errno > 0) {
+ 		strcpy(bp, sys_errlist[errno]);
+ 	    } else {
+ 		sprintf(bp, "Unknown error %d", errno);
+ 	    }
++#endif
+ 	    bp += strlen(bp);
+ 	    cp += 2;
+ 	} else {
+--- a/scaffold.c
++++ b/scaffold.c
+@@ -180,10 +180,12 @@ struct request_info *request;
+ 
+ /* ARGSUSED */
+ 
+-void    rfc931(request)
+-struct request_info *request;
++void    rfc931(rmt_sin, our_sin, dest)
++struct sockaddr_in *rmt_sin;
++struct sockaddr_in *our_sin;
++char   *dest;
+ {
+-    strcpy(request->user, unknown);
++    strcpy(dest, unknown);
+ }
+ 
+ /* check_path - examine accessibility */
+--- /dev/null
++++ b/weak_symbols.c
+@@ -0,0 +1,11 @@
++ /*
++  * @(#) weak_symbols.h 1.5 99/12/29 23:50
++  * 
++  * Author: Anthony Towns <ajt@debian.org>
++  */
++
++#ifdef HAVE_WEAKSYMS
++#include <syslog.h>
++int deny_severity = LOG_WARNING;
++int allow_severity = SEVERITY; 
++#endif

+ 12 - 0
package/libs/tcp_wrappers/patches/002-opt_cflags.patch

@@ -0,0 +1,12 @@
+--- a/Makefile
++++ b/Makefile
+@@ -689,7 +689,8 @@ SHLIBFLAGS = -Lshared -lwrap
+ shared/%.o: %.c
+ 	$(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@
+ 
+-CFLAGS	= -O2 -g -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
++OPT_CFLAGS = -O2 -g
++CFLAGS	= $(OPT_CFLAGS) -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
+ 	$(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \
+ 	-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \
+ 	-DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \

+ 17 - 0
package/libs/tcp_wrappers/patches/003-scaffold_malloc.patch

@@ -0,0 +1,17 @@
+--- a/scaffold.c
++++ b/scaffold.c
+@@ -20,13 +20,12 @@ static char sccs_id[] = "@(#) scaffold.c
+ #include <syslog.h>
+ #include <setjmp.h>
+ #include <string.h>
++#include <stdlib.h>
+ 
+ #ifndef INADDR_NONE
+ #define	INADDR_NONE	(-1)		/* XXX should be 0xffffffff */
+ #endif
+ 
+-extern char *malloc();
+-
+ /* Application-specific. */
+ 
+ #include "tcpd.h"

+ 72 - 0
package/libs/tcp_wrappers/patches/004-ipv4_prefix.patch

@@ -0,0 +1,72 @@
+--- a/hosts_access.5
++++ b/hosts_access.5
+@@ -90,6 +90,9 @@ bitwise AND of the address and the `mask
+ pattern `131.155.72.0/255.255.254.0' matches every address in the
+ range `131.155.72.0' through `131.155.73.255'.
+ .IP \(bu
++An expression of the form `n.n.n.n/m\' is interpreted as a
++`net/prefixlen\' pair, as below, for IPv4 addresses.
++.IP \(bu
+ A string that begins with a `/' character is treated as a file
+ name. A host name or address is matched if it matches any host name
+ or address pattern listed in the named file. The file format is
+--- a/tcpd.h
++++ b/tcpd.h
+@@ -93,6 +93,7 @@ extern void refuse __P((struct request_i
+ extern char *xgets __P((char *, int, FILE *));	/* fgets() on steroids */
+ extern char *split_at __P((char *, int));	/* strchr() and split */
+ extern unsigned long dot_quad_addr __P((char *)); /* restricted inet_addr() */
++extern unsigned long prefix_to_netmask __P((char *)); /* 0-32 prefix length */
+ 
+ /* Global variables. */
+ 
+--- a/misc.c
++++ b/misc.c
+@@ -14,6 +14,8 @@ static char sccsic[] = "@(#) misc.c 1.2
+ #include <arpa/inet.h>
+ #include <stdio.h>
+ #include <string.h>
++#include <ctype.h>
++#include <stdlib.h>
+ 
+ #include "tcpd.h"
+ 
+@@ -85,3 +87,22 @@ char   *str;
+     }
+     return (runs == 4 ? inet_addr(str) : INADDR_NONE);
+ }
++
++/* prefix_to_netmask - convert prefix (0-32) to netmask */
++
++unsigned long prefix_to_netmask(str)
++char	*str;
++{
++    unsigned long prefix;
++    char *endptr;
++
++    if (!isdigit(str[0]))
++	return INADDR_NONE;
++
++    prefix = strtoul(str, &endptr, 10);
++    if ((endptr == str) || (*endptr != '\0') || (prefix > 32))
++	return INADDR_NONE;
++
++    return htonl(~0UL << (32 - prefix));
++}
++
+--- a/hosts_access.c
++++ b/hosts_access.c
+@@ -345,7 +345,12 @@ char   *string;
+     if ((addr = dot_quad_addr(string)) == INADDR_NONE)
+ 	return (NO);
+     if ((net = dot_quad_addr(net_tok)) == INADDR_NONE
+-	|| (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) {
++	|| ((mask = dot_quad_addr(mask_tok)) == INADDR_NONE
++	    && strcmp(mask_tok, "255.255.255.255")
++	    && (mask = prefix_to_netmask(mask_tok)) == INADDR_NONE
++	    && strcmp(mask_tok, "32"))) {
++	/* 255.255.255.255 == INADDR_NONE, separate check needed. TJ. */
++	/* 32 == INADDR_NONE, separate check needed. philipp */
+ 	tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok);
+ 	return (NO);				/* not tcpd_jump() */
+     }
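Review bot: In `prefix_to_netmask` (misc.c) a prefix of 0 reaches `~0UL << (32 - prefix)`, a shift by 32, which is undefined when `unsigned long` is 32 bits wide, so on 32-bit targets the mask for `net/0` is not guaranteed to be 0 and an access rule written to cover every address may not match what the administrator intended. Handle that case before the shift, `if (prefix == 0) return 0;`, and build the mask in a fixed 32-bit value so the result does not depend on the width of `unsigned long`. `isdigit(str[0])` should be given `(unsigned char) str[0]`, since a negative `char` is outside that function's domain. In hosts_access.c the `strcmp(mask_tok, "32")` escape recognises only that exact spelling, so `/032` appears to produce the same mask but is rejected as a bad expression; that fails closed, but the comment should say so. The function patched in hosts_access.c starts and ends outside the hunk.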

+ 22 - 0
package/libs/tcp_wrappers/patches/005-no--lnsl-on-musl.patch

@@ -0,0 +1,22 @@
+Index: tcp_wrappers_7.6/Makefile
+===================================================================
+--- tcp_wrappers_7.6.orig/Makefile
++++ tcp_wrappers_7.6/Makefile
+@@ -1,4 +1,4 @@
+-GLIBC=$(shell grep -s -c __GLIBC__ /usr/include/features.h)
++GLIBC=$(shell grep -s -c __GLIBC__ ${STAGING_DIR}/usr/include/features.h)
+ 
+ # @(#) Makefile 1.23 97/03/21 19:27:20
+ 
+@@ -146,9 +146,11 @@ freebsd:
+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
+ 	EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all
+ 
++ifneq ($(GLIBC),)
+ ifneq ($(GLIBC),0)
+ MYLIB=-lnsl
+ endif
++endif
+ 
+ linux:
+ 	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
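Review bot: The libc probe on the first Makefile line uses `${STAGING_DIR}` unquoted and unchecked, so if the variable is unset the path collapses to `/usr/include/features.h` and the cross build decides on `-lnsl` from the build host's headers. It also keeps the recursive `=`, which re-runs `grep` at every expansion of `$(GLIBC)`. I would write `GLIBC:=$(shell grep -s -c __GLIBC__ "$(STAGING_DIR)/usr/include/features.h")` and stop with `$(error ...)` when `STAGING_DIR` is empty. The two nested `ifneq` tests can then be one: `ifneq ($(filter-out 0,$(GLIBC)),)`.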

+ 1 - 1
package/libs/ustream-ssl/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ustream-ssl
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(LEDE_GIT)/project/ustream-ssl.git

+ 54 - 0
package/luci/applications/luci-app-shellinabox/Makefile

@@ -0,0 +1,54 @@
+#
+# Copyright (C) 2017 Robert Call <bob@bobcall.me>
+#
+# You may redistribute this program and/or modify it under the terms of
+# the GNU General Public License as published by the Free Software Foundation,
+# either version 3 of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=luci-app-shellinabox
+PKG_VERSION:=0.1
+PKG_RELEASE:=4
+
+PKG_LICENSE:=GPL-3.0
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/luci-app-shellinabox
+	SECTION:=luci
+	CATEGORY:=LuCI
+	SUBMENU:=3. Applications
+	TITLE:=Shell in a box integration
+	URL:=
+	MAINTAINER:=Robert Call <bob@bobcall.me>
+	DEPENDS:=+shellinabox
+endef
+
+define Package/luci-app-shellinabox/description
+	This package adds terminal integration into luci to make
+	router maintanance easier for those new to GNU/Linux or
+	don't have access to a GNU/Linux box.
+
+endef
+
+define Build/Compile
+endef
+
+define Package/luci-app-shellinabox/install
+	$(INSTALL_DIR) $(1)/usr/lib/lua/luci
+	$(INSTALL_DIR) $(1)/www/static
+	$(CP) ./luasrc/* $(1)/usr/lib/lua/luci
+	$(CP) ./files/terminal.png $(1)/www/static/terminal.png
+endef
+
+$(eval $(call BuildPackage,luci-app-shellinabox))
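Review bot: The package description has a misspelling and a dropped word: `maintanance` should be `maintenance`, and "for those new to GNU/Linux or don't have access" needs "who" before "don't". `URL:=` is left empty and can be removed. The install recipe copies `./luasrc/*` wholesale, so every file under that tree ships on the device whether or not the package uses it. Listing the controller and the view explicitly would keep the installed set to what is needed for a package that fronts a shell.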

BIN
package/luci/applications/luci-app-shellinabox/files/terminal.png


+ 4 - 0
package/luci/applications/luci-app-shellinabox/luasrc/controller/shellinabox.lua

@@ -0,0 +1,4 @@
+module("luci.controller.shellinabox", package.seeall)  --notice that new_tab is the name of the file new_tab.lua
+ function index()
+     entry({"admin", "system", "tab_from_view"}, template("shellinabox/view_tab"), "Terminal", 2)  --this adds the second sub-tab that is located in <luci-path>/luci-myapplication/view/myapp-mymodule and the file is called view_tab.htm, also set to the second position
+end
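Review bot: Both trailing comments are leftovers from a LuCI tutorial (`new_tab.lua`, `luci-myapplication/view/myapp-mymodule`) and describe files that do not exist in this package, and the menu node is still named `tab_from_view`. Replace them with one accurate comment such as `-- Adds System > Terminal, rendered from view/shellinabox/view_tab.htm` and give the node a name that matches the app. The same applies to `model/cbi/shellinabox/cbi_tab.lua` in the next section: no `entry()` here references it, and it maps a `cbi_file` config that the package Makefile does not install, so it looks like sample code that can be dropped.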

+ 4 - 0
package/luci/applications/luci-app-shellinabox/luasrc/model/cbi/shellinabox/cbi_tab.lua

@@ -0,0 +1,4 @@
+m = Map("cbi_file", translate("First Tab Form"), translate("Please fill out the form below")) -- cbi_file is the config file in /etc/config
+d = m:section(TypedSection, "info", "Part A of the form")  -- info is the section called info in cbi_file
+a = d:option(Value, "name", "Name"); a.optional=false; a.rmempty = false;  -- name is the option in the cbi_file
+return m

+ 3 - 0
package/luci/applications/luci-app-shellinabox/luasrc/view/shellinabox/view_tab.htm

@@ -0,0 +1,3 @@
+<%+header%>                                                                    
+<a href="http://192.168.10.1:4200"><img src="/static/terminal.png"></a>
+<%+footer%>
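Review bot: The link target `http://192.168.10.1:4200` is hard-coded, so the Terminal tab stops working as soon as the LAN address is changed, and it always sends the login session to shellinaboxd over plain HTTP. Taking the host from the current request keeps the link valid, for example `<a href="http://<%=luci.http.getenv("SERVER_NAME")%>:4200">`, and the scheme should follow whatever transport the daemon is finally configured with. The `<img>` also has no `alt` text.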

+ 6 - 6
package/network/config/firewall/Makefile

@@ -9,13 +9,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=firewall
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL=$(LEDE_GIT)/project/firewall3.git
-PKG_SOURCE_DATE:=2017-05-27
-PKG_SOURCE_VERSION:=a4d98aea373e04f3fdc3c492c1688ba52ce490a9
-PKG_MIRROR_HASH:=55402b1e6bb471f6aed599c61c1c63b58212f5789f094d78247646fc0a7cf435
+PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall3.git
+PKG_SOURCE_DATE:=2017-11-07
+PKG_SOURCE_VERSION:=c4309372acc7e1bef8aa230269f7da1dec790e68
+PKG_MIRROR_HASH:=1699884d8499d01e433959185f79ff9eb69704de47885b996123374b8015b422
 PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
 PKG_LICENSE:=ISC
 
@@ -28,7 +28,7 @@ define Package/firewall
   SECTION:=net
   CATEGORY:=Base system
   TITLE:=OpenWrt C Firewall
-  DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +kmod-ipt-nat
+  DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat
 endef
 
 define Package/firewall/description

+ 5 - 5
package/network/config/netifd/Makefile

@@ -1,13 +1,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=netifd
-PKG_RELEASE:=1
+PKG_RELEASE:=3
 
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL=$(LEDE_GIT)/project/netifd.git
-PKG_SOURCE_DATE:=2017-01-25
-PKG_SOURCE_VERSION:=650758b16e5185505a3fbc1307949340af70b611
-PKG_MIRROR_HASH:=d09c740bc1bf6269678bd75c9af52ecd4be3d1d59402a543ceb9d4459cecfa2b
+PKG_SOURCE_URL=$(PROJECT_GIT)/project/netifd.git
+PKG_SOURCE_DATE:=2018-02-05
+PKG_SOURCE_VERSION:=1be329c66326c86d7a48ba71004fcef7691bbbf9
+PKG_MIRROR_HASH:=06c1c24ed56b4fe39b92b33719f8bd4f9a8fe3c6a25ce02a6a245e859f1237bf
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 
 PKG_LICENSE:=GPL-2.0

+ 4 - 1
package/network/config/netifd/files/etc/init.d/network

@@ -26,9 +26,12 @@ start_service() {
 }
 
 reload_service() {
+	local rv=0
+
 	init_switch
-	ubus call network reload
+	ubus call network reload || rv=1
 	/sbin/wifi reload_legacy
+	return $rv
 }
 
 stop_service() {
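Review bot: The exit status of `/sbin/wifi reload_legacy` is still discarded, so reload_service now reports a failed netifd reload but returns 0 when only the wifi reload fails. If that asymmetry is intended, say so next to the call, e.g. `# wifi reload is best-effort; only the netifd reload decides the exit status`; otherwise give it the same `|| rv=1` treatment.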

+ 14 - 6
package/network/config/netifd/files/lib/netifd/dhcp.script

@@ -18,10 +18,18 @@ setup_interface () {
 	proto_add_ipv4_address "$ip" "${subnet:-255.255.255.0}"
 	# TODO: apply $broadcast
 
+	local ip_net
+	eval "$(ipcalc.sh "$ip/$mask")";ip_net="$NETWORK"
+
+	local i
 	for i in $router; do
-		proto_add_ipv4_route "$i" 32 "" "$ip"
+		local gw_net
+		eval "$(ipcalc.sh "$i/$mask")";gw_net="$NETWORK"
+
+		[ "$ip_net" != "$gw_net" ] && proto_add_ipv4_route "$i" 32 "" "$ip"
 		proto_add_ipv4_route 0.0.0.0 0 "$i" "$ip"
 
+		local r
 		for r in $CUSTOMROUTES; do
 			proto_add_ipv4_route "${r%%/*}" "${r##*/}" "$i" "$ip"
 		done
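Review bot: Both new `eval "$(ipcalc.sh …)"` lines execute text derived from `$ip`, `$mask` and `$router`, which presumably come from the DHCP reply via udhcpc, so the safety of this hunk rests on how ipcalc.sh validates its argument and quotes what it prints; that script is not part of this diff and should be checked. The neighbouring `proto_add_ipv4_address` line uses `${subnet:-255.255.255.0}` while the new code uses `$mask` with no fallback, so an empty `$mask` hands `"$ip/"` to ipcalc.sh. Validating address and prefix before the eval would remove the dependency, and `NETWORK` (plus whatever else ipcalc.sh prints) is left behind as a global. setup_interface starts and ends outside this hunk.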
@@ -31,11 +39,11 @@ setup_interface () {
 	[ -n "$staticroutes" ] && set_classless_routes $staticroutes
 	[ -n "$msstaticroutes" ] && set_classless_routes $msstaticroutes
 
-	for dns in $dns; do
-		proto_add_dns_server "$dns"
+	for i in $dns; do
+		proto_add_dns_server "$i"
 	done
-	for domain in $domain; do
-		proto_add_dns_search "$domain"
+	for i in $domain; do
+		proto_add_dns_search "$i"
 	done
 
 	proto_add_data
@@ -60,7 +68,7 @@ setup_interface () {
 		ip6rd="${ip6rd#* }"
 		local ip6rdbr="${ip6rd%% *}"
 
-		[ -n "$ZONE" ] || ZONE=$(fw3 -q network $INTERFACE)
+		[ -n "$ZONE" ] || ZONE=$(fw3 -q network $INTERFACE 2>/dev/null)
 		[ -z "$IFACE6RD" -o "$IFACE6RD" = 1 ] && IFACE6RD=${INTERFACE}_6
 
 		json_init

+ 6 - 3
package/network/config/netifd/files/lib/netifd/proto/dhcp.sh

@@ -14,6 +14,7 @@ proto_dhcp_init_config() {
 	proto_config_add_boolean 'broadcast:bool'
 	proto_config_add_boolean 'release:bool'
 	proto_config_add_string 'reqopts:list(string)'
+	proto_config_add_boolean 'defaultreqopts:bool'
 	proto_config_add_string iface6rd
 	proto_config_add_string sendopts
 	proto_config_add_boolean delegate
@@ -28,8 +29,8 @@ proto_dhcp_setup() {
 	local config="$1"
 	local iface="$2"
 
-	local ipaddr hostname clientid vendorid broadcast release reqopts iface6rd sendopts delegate zone6rd zone mtu6rd customroutes classlessroute
-	json_get_vars ipaddr hostname clientid vendorid broadcast release reqopts iface6rd sendopts delegate zone6rd zone mtu6rd customroutes classlessroute
+	local ipaddr hostname clientid vendorid broadcast release reqopts defaultreqopts iface6rd sendopts delegate zone6rd zone mtu6rd customroutes classlessroute
+	json_get_vars ipaddr hostname clientid vendorid broadcast release reqopts defaultreqopts iface6rd sendopts delegate zone6rd zone mtu6rd customroutes classlessroute
 
 	local opt dhcpopts
 	for opt in $reqopts; do
@@ -40,6 +41,8 @@ proto_dhcp_setup() {
 		append dhcpopts "-x $opt"
 	done
 
+	[ -z "$hostname" ] && hostname="$(cat /proc/sys/kernel/hostname)"
+	[ "$defaultreqopts" = 0 ] && defaultreqopts="-o" || defaultreqopts=
 	[ "$broadcast" = 1 ] && broadcast="-B" || broadcast=
 	[ "$release" = 1 ] && release="-R" || release=
 	[ -n "$clientid" ] && clientid="-x 0x3d:${clientid//:/}" || clientid="-C"
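Review bot: With the new fallback `[ -z "$hostname" ] && hostname="$(cat /proc/sys/kernel/hostname)"`, the later `${hostname:+-x "hostname:$hostname"}` argument is always passed, so an interface without a `hostname` option now announces the system hostname to the upstream DHCP server and no setting is left to suppress it. If that is intended it needs a comment and an explicit opt-out checked before the fallback. The sense of `defaultreqopts` is also inverted relative to its name (`= 0` yields `-o`), which deserves a one-line comment such as `# defaultreqopts=0: pass -o so only the options listed in reqopts are requested`. proto_dhcp_setup starts before this hunk and continues after it.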
@@ -61,7 +64,7 @@ proto_dhcp_setup() {
 		${ipaddr:+-r $ipaddr} \
 		${hostname:+-x "hostname:$hostname"} \
 		${vendorid:+-V "$vendorid"} \
-		$clientid $broadcast $release $dhcpopts
+		$clientid $defaultreqopts $broadcast $release $dhcpopts
 }
 
 proto_dhcp_renew() {

+ 1 - 1
package/network/services/dnsmasq/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmasq
 PKG_VERSION:=2.78
-PKG_RELEASE:=4
+PKG_RELEASE:=6
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/

+ 202 - 0
package/network/services/dnsmasq/patches/270-dnssec-wildcards.patch

@@ -0,0 +1,202 @@
+From 4fe6744a220eddd3f1749b40cac3dfc510787de6 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 19 Jan 2018 12:26:08 +0000
+Subject: [PATCH] DNSSEC fix for wildcard NSEC records. CVE-2017-15107
+ applies.
+
+It's OK for NSEC records to be expanded from wildcards,
+but in that case, the proof of non-existence is only valid
+starting at the wildcard name, *.<domain> NOT the name expanded
+from the wildcard. Without this check it's possible for an
+attacker to craft an NSEC which wrongly proves non-existence
+in a domain which includes a wildcard for NSEC.
+---
+ src/dnssec.c |  117 +++++++++++++++++++++++++++++++++++++++++++++++++++-------
+ 2 files changed, 114 insertions(+), 15 deletions(-)
+
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -424,15 +424,17 @@ static void from_wire(char *name)
+ static int count_labels(char *name)
+ {
+   int i;
+-
++  char *p;
++  
+   if (*name == 0)
+     return 0;
+ 
+-  for (i = 0; *name; name++)
+-    if (*name == '.')
++  for (p = name, i = 0; *p; p++)
++    if (*p == '.')
+       i++;
+ 
+-  return i+1;
++  /* Don't count empty first label. */
++  return *name == '.' ? i : i+1;
+ }
+ 
+ /* Implement RFC1982 wrapped compare for 32-bit numbers */
+@@ -1412,8 +1414,8 @@ static int hostname_cmp(const char *a, c
+     }
+ }
+ 
+-static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count,
+-				    char *workspace1, char *workspace2, char *name, int type, int *nons)
++static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, unsigned char **labels, int nsec_count,
++				    char *workspace1_in, char *workspace2, char *name, int type, int *nons)
+ {
+   int i, rc, rdlen;
+   unsigned char *p, *psave;
+@@ -1426,6 +1428,9 @@ static int prove_non_existence_nsec(stru
+   /* Find NSEC record that proves name doesn't exist */
+   for (i = 0; i < nsec_count; i++)
+     {
++      char *workspace1 = workspace1_in;
++      int sig_labels, name_labels;
++
+       p = nsecs[i];
+       if (!extract_name(header, plen, &p, workspace1, 1, 10))
+ 	return 0;
+@@ -1434,7 +1439,27 @@ static int prove_non_existence_nsec(stru
+       psave = p;
+       if (!extract_name(header, plen, &p, workspace2, 1, 10))
+ 	return 0;
+-      
++
++      /* If NSEC comes from wildcard expansion, use original wildcard
++	 as name for computation. */
++      sig_labels = *labels[i];
++      name_labels = count_labels(workspace1);
++
++      if (sig_labels < name_labels)
++	{
++	  int k;
++	  for (k = name_labels - sig_labels; k != 0; k--)
++	    {
++	      while (*workspace1 != '.' && *workspace1 != 0)
++		workspace1++;
++	      if (k != 1 && *workspace1 == '.')
++		workspace1++;
++	    }
++	  
++	  workspace1--;
++	  *workspace1 = '*';
++	}
++	  
+       rc = hostname_cmp(workspace1, name);
+       
+       if (rc == 0)
+@@ -1832,24 +1857,26 @@ static int prove_non_existence_nsec3(str
+ 
+ static int prove_non_existence(struct dns_header *header, size_t plen, char *keyname, char *name, int qtype, int qclass, char *wildname, int *nons)
+ {
+-  static unsigned char **nsecset = NULL;
+-  static int nsecset_sz = 0;
++  static unsigned char **nsecset = NULL, **rrsig_labels = NULL;
++  static int nsecset_sz = 0, rrsig_labels_sz = 0;
+   
+   int type_found = 0;
+-  unsigned char *p = skip_questions(header, plen);
++  unsigned char *auth_start, *p = skip_questions(header, plen);
+   int type, class, rdlen, i, nsecs_found;
+   
+   /* Move to NS section */
+   if (!p || !(p = skip_section(p, ntohs(header->ancount), header, plen)))
+     return 0;
++
++  auth_start = p;
+   
+   for (nsecs_found = 0, i = ntohs(header->nscount); i != 0; i--)
+     {
+       unsigned char *pstart = p;
+       
+-      if (!(p = skip_name(p, header, plen, 10)))
++      if (!extract_name(header, plen, &p, daemon->workspacename, 1, 10))
+ 	return 0;
+-      
++	  
+       GETSHORT(type, p); 
+       GETSHORT(class, p);
+       p += 4; /* TTL */
+@@ -1866,7 +1893,69 @@ static int prove_non_existence(struct dn
+ 	  if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found))
+ 	    return 0; 
+ 	  
+-	  nsecset[nsecs_found++] = pstart;
++	  if (type == T_NSEC)
++	    {
++	      /* If we're looking for NSECs, find the corresponding SIGs, to 
++		 extract the labels value, which we need in case the NSECs
++		 are the result of wildcard expansion.
++		 Note that the NSEC may not have been validated yet
++		 so if there are multiple SIGs, make sure the label value
++		 is the same in all, to avoid be duped by a rogue one.
++		 If there are no SIGs, that's an error */
++	      unsigned char *p1 = auth_start;
++	      int res, j, rdlen1, type1, class1;
++	      
++	      if (!expand_workspace(&rrsig_labels, &rrsig_labels_sz, nsecs_found))
++		return 0;
++	      
++	      rrsig_labels[nsecs_found] = NULL;
++	      
++	      for (j = ntohs(header->nscount); j != 0; j--)
++		{
++		  if (!(res = extract_name(header, plen, &p1, daemon->workspacename, 0, 10)))
++		    return 0;
++
++		   GETSHORT(type1, p1); 
++		   GETSHORT(class1, p1);
++		   p1 += 4; /* TTL */
++		   GETSHORT(rdlen1, p1);
++
++		   if (!CHECK_LEN(header, p1, plen, rdlen1))
++		     return 0;
++		   
++		   if (res == 1 && class1 == qclass && type1 == T_RRSIG)
++		     {
++		       int type_covered;
++		       unsigned char *psav = p1;
++		       
++		       if (rdlen1 < 18)
++			 return 0; /* bad packet */
++
++		       GETSHORT(type_covered, p1);
++
++		       if (type_covered == T_NSEC)
++			 {
++			   p1++; /* algo */
++			   
++			   /* labels field must be the same in every SIG we find. */
++			   if (!rrsig_labels[nsecs_found])
++			     rrsig_labels[nsecs_found] = p1;
++			   else if (*rrsig_labels[nsecs_found] != *p1) /* algo */
++			     return 0;
++			   }
++		       p1 = psav;
++		     }
++		   
++		   if (!ADD_RDLEN(header, p1, plen, rdlen1))
++		     return 0;
++		}
++
++	      /* Must have found at least one sig. */
++	      if (!rrsig_labels[nsecs_found])
++		return 0;
++	    }
++
++	  nsecset[nsecs_found++] = pstart;   
+ 	}
+       
+       if (!ADD_RDLEN(header, p, plen, rdlen))
+@@ -1874,7 +1963,7 @@ static int prove_non_existence(struct dn
+     }
+   
+   if (type_found == T_NSEC)
+-    return prove_non_existence_nsec(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, nons);
++    return prove_non_existence_nsec(header, plen, nsecset, rrsig_labels, nsecs_found, daemon->workspacename, keyname, name, qtype, nons);
+   else if (type_found == T_NSEC3)
+     return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, wildname, nons);
+   else
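Review bot: In the wildcard rewrite inside prove_non_existence_nsec(), `workspace1--; *workspace1 = '*';` steps back one byte without checking that the pointer has moved past `workspace1_in`. Whether it can still be at the start depends on what extract_name() writes and on count_labels()' treatment of an empty first label, which cannot be settled from this hunk. It is worth confirming against upstream before carrying the backport, and a guard such as `if (workspace1 == workspace1_in) return 0;` before the decrement would make the assumption explicit. The trailing `/* algo */` on the `*rrsig_labels[nsecs_found] != *p1` comparison is stale, since that byte is the labels field. The header's `2 files changed` no longer matches the single file carried here.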

+ 159 - 0
package/network/services/nfs-kernel-server/Makefile

@@ -0,0 +1,159 @@
+# Copyright (C) 2009-2016 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=nfs-kernel-server
+PKG_VERSION:=2.3.1
+PKG_RELEASE:=1
+PKG_HASH:=245ec2f9abb51bcc233b64f6f3e9ac8e5cd16ffd35dba9450f83ce2803844cda
+
+PKG_SOURCE_URL:=@SF/nfs
+PKG_SOURCE:=nfs-utils-$(PKG_VERSION).tar.xz
+
+HOST_BUILD_DIR:=$(BUILD_DIR_HOST)/nfs-utils-$(PKG_VERSION)
+PKG_BUILD_DIR:=$(BUILD_DIR)/nfs-utils-$(PKG_VERSION)
+PKG_INSTALL:=1
+PKG_BUILD_PARALLEL:=1
+PKG_BUILD_DEPENDS:=$(PKG_NAME)/host
+
+include $(INCLUDE_DIR)/host-build.mk
+include $(INCLUDE_DIR)/package.mk
+
+define Package/nfs-kernel-server/Default
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=Filesystem
+  DEPENDS:=+libwrap +libblkid +libuuid $(LIBRPC_DEPENDS)
+  URL:=http://nfs.sourceforge.net/
+  MAINTAINER:=Peter Wagner <tripolar@gmx.at>
+endef
+
+define Package/nfs-kernel-server
+  $(call Package/nfs-kernel-server/Default)
+  TITLE:=Kernel NFS server support
+  DEPENDS+= +kmod-fs-nfsd +kmod-fs-nfs +portmap
+endef
+
+define Package/nfs-kernel-server/description
+  Kernel NFS server support
+endef
+
+define Package/nfs-kernel-server-utils
+  $(call Package/nfs-kernel-server/Default)
+  TITLE:=NFS server utils
+  DEPENDS:=nfs-kernel-server
+endef
+
+define Package/nfs-kernel-server-utils/description
+  NFS server utils
+endef
+
+define Package/nfs-kernel-server/conffiles
+/etc/exports
+endef
+
+define Package/nfs-utils
+  $(call Package/nfs-kernel-server/Default)
+  SECTION:=utils
+  CATEGORY:=Utilities
+  DEPENDS+= +libevent2 +USE_UCLIBC:librpc
+  TITLE:=updated mount utility (includes nfs4)
+endef
+
+define Package/nfs-utils/description
+  Updated mount.nfs command - allows mounting nfs4 volumes
+endef
+
+TARGET_CFLAGS += -I$(PKG_BUILD_DIR)/lib -I$(STAGING_DIR)/usr/include/libevent \
+		 -I$(STAGING_DIR)/usr/include/ -Drpc_uint=uint
+TARGET_LDFLAGS += -Wl,-rpath-link=$(STAGING_DIR)/usr/lib $(LIBRPC) \
+		  -L$(STAGING_DIR)/usr/lib/libevent
+
+CONFIGURE_ARGS += \
+	--disable-gss \
+	--disable-nfsv4 \
+	--disable-nfsv41 \
+	--disable-ipv6 \
+	--enable-static \
+	--enable-shared \
+	--disable-caps \
+	--disable-tirpc \
+	--disable-nfsdcld
+
+CONFIGURE_VARS += \
+	libblkid_cv_is_recent=yes \
+	ac_cv_lib_resolv___res_querydomain=yes \
+	CONFIG_SQLITE3_TRUE="\#" \
+	CONFIG_NFSDCLD_TRUE="\#"
+
+MAKE_FLAGS += \
+	OPT="$(TARGET_CFLAGS)" \
+	INSTALLSUID="install -m 4755" \
+	DESTDIR="$(PKG_INSTALL_DIR)" \
+	RPCGEN_PATH=$(STAGING_DIR_HOSTPKG)/bin/rpcgen \
+	RPCGEN=$(STAGING_DIR_HOSTPKG)/bin/rpcgen
+
+HOST_CFLAGS += -Dlinux
+
+HOST_CONFIGURE_ARGS += \
+	--disable-gss \
+	--disable-nfsv4 \
+	--disable-nfsv41 \
+	--disable-ipv6 \
+	--disable-tirpc \
+	--without-tcp-wrappers
+
+HOST_CONFIGURE_VARS += \
+	ac_cv_lib_event_event_dispatch=yes \
+	ac_cv_lib_nfsidmap_nfs4_init_name_mapping=yes \
+	ac_cv_lib_blkid_blkid_get_library_version=yes \
+	ac_cv_header_event_h=yes \
+	ac_cv_header_nfsidmap_h=yes \
+	ac_cv_header_blkid_blkid_h=yes \
+	GSSGLUE_CFLAGS=" " \
+	GSSGLUE_LIBS=" " \
+	RPCSECGSS_CFLAGS=" " \
+	RPCSECGSS_LIBS=" " \
+	CONFIG_SQLITE3_TRUE="\#" \
+	CONFIG_NFSDCLD_TRUE="\#"
+
+define Host/Compile
+	$(MAKE) -C $(HOST_BUILD_DIR)/tools/rpcgen all
+endef
+
+define Host/Install
+	$(INSTALL_DIR) $(STAGING_DIR_HOSTPKG)/bin
+	$(INSTALL_BIN) $(HOST_BUILD_DIR)/tools/rpcgen/rpcgen $(STAGING_DIR_HOSTPKG)/bin/rpcgen
+endef
+
+define Package/nfs-kernel-server/install
+	$(INSTALL_DIR) $(1)/etc/init.d $(1)/usr/sbin
+	$(INSTALL_DATA) ./files/nfsd.exports $(1)/etc/exports
+	$(INSTALL_BIN) ./files/nfsd.init $(1)/etc/init.d/nfsd
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/utils/statd/sm-notify $(1)/usr/sbin/
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/utils/statd/statd $(1)/usr/sbin/rpc.statd
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/utils/nfsd/nfsd $(1)/usr/sbin/rpc.nfsd
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/utils/mountd/mountd $(1)/usr/sbin/rpc.mountd
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/utils/exportfs/exportfs $(1)/usr/sbin/
+endef
+
+define Package/nfs-kernel-server-utils/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/utils/showmount/showmount $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/utils/nfsstat/nfsstat $(1)/usr/sbin
+endef
+
+define Package/nfs-utils/install
+	$(INSTALL_DIR) $(1)/sbin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/sbin/mount.nfs $(1)/sbin/
+	(cd $(1)/sbin; ln -sf mount.nfs mount.nfs4; ln -sf mount.nfs umount.nfs; ln -sf mount.nfs umount.nfs4)
+endef
+
+$(eval $(call HostBuild))
+$(eval $(call BuildPackage,nfs-kernel-server))
+$(eval $(call BuildPackage,nfs-kernel-server-utils))
+$(eval $(call BuildPackage,nfs-utils))
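Review bot: In `Package/nfs-utils/install` the subshell `(cd $(1)/sbin; ln -sf …; …)` chains with `;`, so a failed `cd` does not stop the step and the links are then created in the current directory instead. Creating them by full path avoids the `cd`: `$(LN) mount.nfs $(1)/sbin/mount.nfs4`, and likewise for `umount.nfs` and `umount.nfs4`. Separately, the nfs-utils title and description advertise nfs4 mounting while `CONFIGURE_ARGS` passes `--disable-nfsv4` and `--disable-nfsv41`; one of the two should be corrected.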

+ 1 - 0
package/network/services/nfs-kernel-server/files/nfsd.exports

@@ -0,0 +1 @@
+/mnt	*(ro,all_squash,insecure,sync)
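Review bot: The shipped default exports `/mnt` to every host (`*`) and adds `insecure`, which accepts requests from unprivileged source ports, so installing the package offers whatever is mounted under /mnt to any client that can reach the NFS ports. `ro,all_squash` limits what a client can do but not who can connect. A safer default is to ship the entry commented out and restricted to a LAN prefix, e.g. `# /mnt 192.168.1.0/24(ro,all_squash,sync)` (example network, to be adjusted by the administrator).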

+ 38 - 0
package/network/services/nfs-kernel-server/files/nfsd.init

@@ -0,0 +1,38 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006 OpenWrt.org
+
+START=99
+STOP=60
+
+USE_PROCD=1
+
+NFS_D=/var/lib/nfs
+LOCK_D=/var/lib/nfs/sm
+
+start_service() {
+	grep -q /proc/fs/nfsd /proc/mounts || \
+		mount -t nfsd nfsd /proc/fs/nfsd
+	mkdir -p $NFS_D
+	mkdir -p $LOCK_D
+	touch $NFS_D/rmtab
+
+        sysctl -w fs.nfs.nlm_tcpport=32777 fs.nfs.nlm_udpport=32777 > /dev/null
+
+	procd_open_instance
+	procd_set_param command /usr/sbin/rpc.statd -p 32778 -o 32779 -F
+	procd_close_instance
+
+	/usr/sbin/exportfs -r
+	/usr/sbin/rpc.nfsd
+
+	procd_open_instance
+	procd_set_param command /usr/sbin/rpc.mountd -p 32780 -F
+	procd_close_instance
+}
+
+stop_service() {
+	rpc.nfsd 0 2> /dev/null
+	/usr/sbin/exportfs -au
+	grep -q /proc/fs/nfsd /proc/mounts && \
+		umount /proc/fs/nfsd
+}
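Review bot: start_service ignores the result of `mount -t nfsd`, `exportfs -r` and `rpc.nfsd`, so rpc.mountd is still registered with procd when the kernel server or the export table failed to come up. Bail out on the steps the service depends on, e.g. `/usr/sbin/exportfs -r || return 1` and `/usr/sbin/rpc.nfsd || return 1`. stop_service calls `rpc.nfsd 0` without the `/usr/sbin/` path used everywhere else, `$NFS_D` and `$LOCK_D` are unquoted, and the `sysctl` line is indented with spaces where the rest of the function uses tabs.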

+ 10 - 0
package/network/services/nfs-kernel-server/patches/100-no_malloc_h.patch

@@ -0,0 +1,10 @@
+--- a/tools/rpcgen/rpc_cout.c
++++ b/tools/rpcgen/rpc_cout.c
+@@ -36,7 +36,6 @@ static char sccsid[] = "@(#)rpc_cout.c 1
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
+-#include <malloc.h>
+ #include <ctype.h>
+ #include "rpc_parse.h"
+ #include "rpc_util.h"

+ 16 - 0
package/network/services/nfs-kernel-server/patches/101-musl-getservbyport.patch

@@ -0,0 +1,16 @@
+Musl will always return something with getservbyport so we cannot skip
+ports that returns non-null.
+
+--- a/utils/statd/rmtcall.c
++++ b/utils/statd/rmtcall.c
+@@ -93,8 +93,10 @@ statd_get_socket(void)
+ 					__func__);
+ 			break;
+ 		}
++#if defined(__GLIBC__) || defined(__UCLIBC__)
+ 		se = getservbyport(sin.sin_port, "udp");
+ 		if (se == NULL)
++#endif
+ 			break;
+ 
+ 		if (retries == MAX_BRP_RETRIES) {

+ 10 - 0
package/network/services/nfs-kernel-server/patches/102-limits.patch

@@ -0,0 +1,10 @@
+--- a/support/misc/file.c
++++ b/support/misc/file.c
+@@ -27,6 +27,7 @@
+ #include <dirent.h>
+ #include <stdlib.h>
+ #include <stdbool.h>
++#include <limits.h>
+ 
+ #include "xlog.h"
+ #include "misc.h"

+ 3 - 3
package/network/services/openvpn/Makefile

@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
 
-PKG_VERSION:=2.4.4
-PKG_RELEASE:=2
+PKG_VERSION:=2.4.5
+PKG_RELEASE:=1
 
 PKG_SOURCE_URL:=\
 	https://build.openvpn.net/downloads/releases/ \
 	https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=96cd1b8fe1e8cb2920f07c3fd3985faea756e16fdeebd11d3e146d5bd2b04a80
+PKG_HASH:=43c0a363a332350f620d1cd93bb431e082bedbc93d4fb872f758650d53c1d29e
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>

+ 1 - 1
package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch

@@ -1,6 +1,6 @@
 --- a/src/openvpn/ssl_mbedtls.c
 +++ b/src/openvpn/ssl_mbedtls.c
-@@ -1336,7 +1336,7 @@ const char *
+@@ -1394,7 +1394,7 @@ const char *
  get_ssl_library_version(void)
  {
      static char mbedtls_version[30];

+ 15 - 9
package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch

@@ -1,15 +1,17 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1068,62 +1068,15 @@ dnl
+@@ -1077,68 +1077,15 @@ dnl
  AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
  AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
  if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
 -    if test -z "${LZ4_CFLAGS}" -a -z "${LZ4_LIBS}"; then
 -	# if the user did not explicitly specify flags, try to autodetect
 -	PKG_CHECK_MODULES([LZ4],
--			  [liblz4 >= 1.7.1],
+-			  [liblz4 >= 1.7.1 liblz4 < 100],
 -			  [have_lz4="yes"],
--			  [] # If this fails, we will do another test next
+-			  [LZ4_LIBS="-llz4"] # If this fails, we will do another test next.
+-					     # We also add set LZ4_LIBS otherwise the
+-					     # linker will not know about the lz4 library
 -	)
 -    fi
 
@@ -47,20 +49,24 @@
 -	fi
 -    fi
 -
--    # if LZ4_LIBS is set, we assume it will work, otherwise test
--    if test -z "${LZ4_LIBS}"; then
+-    # Double check we have a few needed functions
+-    if test "${have_lz4}" = "yes" ; then
 -	AC_CHECK_LIB([lz4],
--		     [LZ4_compress],
--		     [LZ4_LIBS="-llz4"],
+-		     [LZ4_compress_default],
+-		     [],
+-		     [have_lz4="no"])
+-	AC_CHECK_LIB([lz4],
+-		     [LZ4_decompress_safe],
+-		     [],
 -		     [have_lz4="no"])
 -    fi
 -
 -    if test "${have_lz4}" != "yes" ; then
--	AC_MSG_RESULT([		usuable LZ4 library or header not found, using version in src/compat/compat-lz4.*])
+-	AC_MSG_RESULT([		usable LZ4 library or header not found, using version in src/compat/compat-lz4.*])
 -	AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
 -	LZ4_LIBS=""
 -    fi
-+    AC_MSG_RESULT([		usuable LZ4 library or header not found, using version in src/compat/compat-lz4.*])
++    AC_MSG_RESULT([		usable LZ4 library or header not found, using version in src/compat/compat-lz4.*])
 +    AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
 +    LZ4_LIBS=""
      OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}"

+ 53 - 0
package/network/services/portmap/Makefile

@@ -0,0 +1,53 @@
+#
+# Copyright (C) 2006-2011 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=portmap
+PKG_VERSION:=6.0
+PKG_RELEASE:=4
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tgz
+PKG_SOURCE_URL:=http://neil.brown.name/portmap/
+PKG_MD5SUM:=ac108ab68bf0f34477f8317791aaf1ff
+
+PKG_LICENSE:=BSD-4c
+PKG_LICENSE_FILES:=portmap.man
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)_$(PKG_VERSION)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/portmap
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=+libwrap $(LIBRPC_DEPENDS)
+  TITLE:=The RPC Portmapper
+  URL:=http://neil.brown.name/portmap/
+  MAINTAINER:=Peter Wagner <tripolar@gmx.at>
+  USERID:=rpc=65533:rpc=65533
+endef
+
+define Package/portmap/description
+ Portmap is a server that converts RPC (Remote Procedure Call) program
+ numbers into DARPA protocol port numbers.
+endef
+
+MAKE_FLAGS += \
+	CFLAGS="$(TARGET_CFLAGS) $(TARGET_CPPFLAGS) -DHOSTS_ACCESS -DFACILITY=LOG_DAEMON -DIGNORE_SIGCHLD" \
+	RPCUSER="rpc" \
+	LDLIBS="$(TARGET_LDFLAGS) -lwrap $(LIBRPC)" \
+	all
+
+define Package/portmap/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/portmap $(1)/usr/sbin/
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/portmap.init $(1)/etc/init.d/portmap
+endef
+
+$(eval $(call BuildPackage,portmap))
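Review bot: `PKG_MD5SUM` is the only integrity check on a tarball fetched over plain `http://`, and MD5 is not collision-resistant; the nfs-kernel-server Makefile added in this same comparison already uses a SHA-256 `PKG_HASH`. Replace it with `PKG_HASH:=<sha256 of portmap-6.0.tgz>`, computed from a copy obtained through a trusted channel. An HTTPS mirror for `PKG_SOURCE_URL`, if one exists, would remove the cleartext fetch as well.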

+ 13 - 0
package/network/services/portmap/files/portmap.init

@@ -0,0 +1,13 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006-2011 OpenWrt.org
+
+START=19
+STOP=19
+
+USE_PROCD=1
+
+start_service() {
+	procd_open_instance
+	procd_set_param command /usr/sbin/portmap -f
+	procd_close_instance
+}

+ 12 - 0
package/network/services/portmap/patches/101-no_pie.patch

@@ -0,0 +1,12 @@
+diff -ur portmap_6.0.org/Makefile portmap_6.0/Makefile
+--- portmap_6.0.org/Makefile	2008-04-19 22:44:35.000000000 +0200
++++ portmap_6.0/Makefile	2008-04-19 00:02:01.000000000 +0200
+@@ -127,7 +127,7 @@
+ CPPFLAGS += $(HOSTS_ACCESS)
+ portmap: CFLAGS   += -fpie
+ portmap: LDLIBS   += $(WRAP_LIB)
+-portmap: LDFLAGS  += -pie
++#portmap: LDFLAGS  += -pie
+ portmap: portmap.o pmap_check.o from_local.o
+ 
+ from_local: CPPFLAGS += -DTEST
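Review bot: Commenting out `portmap: LDFLAGS  += -pie` leaves `-fpie` on the compile line but links portmap as a non-PIE executable, so this network-facing daemon loses load-address randomisation for its main image. The patch carries no description of why it is needed. If the link problem that presumably motivated it no longer occurs with the current toolchain, drop the patch; otherwise add a header stating the failing configuration so the hardening can be restored later.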

+ 64 - 0
package/network/services/shellinabox/Makefile

@@ -0,0 +1,64 @@
+# 
+# Copyright (C) 2006-2010 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+# Initial port of shellinabox to OpenWrt - Jan Jaeger 25-MAR-2010
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=shellinabox
+PKG_VERSION:=2.10
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_VERSION:=HEAD
+PKG_SOURCE_URL:=https://github.com/OnionIoT/shellinabox.git
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)
+PKG_SOURCE:=$(PKG_NAME).tar.gz
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
+
+#PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+#PKG_SOURCE_URL:=http://shellinabox.googlecode.com/files
+#PKG_MD5SUM:=0e144910d85d92edc54702ab9c46f032
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/shellinabox
+	SECTION:=net
+	CATEGORY:=Network
+	TITLE:=Shell In A Box
+	DEPENDS:= zlib
+	URL:=http://shellinabox.googlecode.com
+endef
+
+define Package/shellinabox/description
+Web based AJAX terminal emulator
+endef
+
+define Build/Configure
+	$(call Build/Configure/Default)
+endef
+
+define Build/Compile
+	$(MAKE) -C $(PKG_BUILD_DIR) \
+		$(TARGET_CONFIGURE_OPTS) \
+		CFLAGS="$(TARGET_CFLAGS)" \
+		BINDIR="/usr/sbin" \
+		all
+endef
+
+define Package/shellinabox/install
+	# install the binary
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/shellinaboxd $(1)/usr/sbin/
+	# install the init.d file
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/$(PKG_NAME).init $(1)/etc/init.d/$(PKG_NAME)
+	# install the css file
+	$(INSTALL_DIR) $(1)/usr/lib/shellinabox
+	$(INSTALL_BIN) ./files/style.css $(1)/usr/lib/shellinabox/style.css
+endef
+
+$(eval $(call BuildPackage,shellinabox))
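Review bot: `PKG_SOURCE_VERSION:=HEAD` with no `PKG_MIRROR_HASH` means every clean build packages whatever the third-party repository's default branch holds at that moment, labelled with a fixed `PKG_VERSION:=2.10` and with nothing to verify the download against. Pin a reviewed commit and record the tarball hash: `PKG_SOURCE_VERSION:=<full commit id>` and `PKG_MIRROR_HASH:=<sha256 of the generated tarball>`. `DEPENDS:= zlib` also lacks the `+` prefix used by the other packages in this diff, `style.css` is installed with `$(INSTALL_BIN)` where `$(INSTALL_DATA)` fits, and the commented-out googlecode `PKG_SOURCE` lines can be removed.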

+ 17 - 0
package/network/services/shellinabox/files/shellinabox.init

@@ -0,0 +1,17 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2010 OpenWrt.org
+
+# enable auto start of this daemon
+START=99
+
+USE_PROCD=1
+PROG=/usr/sbin/shellinaboxd
+
+start_service() {
+        procd_open_instance
+        procd_set_param command $PROG -t --service=/:LOGIN --css /usr/lib/shellinabox/style.css
+        # disable automatic respawn - allow daemon to be turned off
+	#procd_set_param respawn                                                                   
+        procd_close_instance   
+}
+ 
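Review bot: The daemon is started with `-t`, which turns TLS off, together with `--service=/:LOGIN`, so with `START=99` every boot exposes a system login prompt over unencrypted HTTP, and nothing visible here restricts it to the LAN side. Passwords typed into the web terminal then cross the network in clear text. Either drop `-t` and supply a certificate directory with `--cert`, or bind with `--localhost-only` and publish the terminal through an HTTPS front end; a firewall or interface restriction should ship with the package either way. The commented-out `respawn` line and the mixed tab/space indentation can be cleaned up at the same time.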

+ 24 - 0
package/network/services/shellinabox/files/style.css

@@ -0,0 +1,24 @@
+#vt100 #cursor.bright {
+  background-color: white;
+  color:            black;
+}
+
+#vt100 #scrollable {
+  color:            #ffffff;
+  background-color: #000000;
+}
+
+#vt100 #scrollable.inverted {
+  color:            #000000;
+  background-color: #ffffff;
+}
+
+#vt100 .ansi15 {
+  color:            #000000;
+}
+
+#vt100 .bgAnsi0 {
+  background-color: #ffffff;
+}
+
+

+ 22 - 0
package/network/services/shellinabox/old/000-makefile-arch.patch

@@ -0,0 +1,22 @@
+diff -Naur shellinabox-2.10.orig/Makefile.am shellinabox-2.10/Makefile.am
+--- shellinabox-2.10.orig/Makefile.am	2009-11-18 17:55:52.000000000 +0100
++++ shellinabox-2.10/Makefile.am	2010-03-25 14:16:03.000000000 +0100
+@@ -107,6 +107,7 @@
+ objcopyflags         = case "$(host_cpu)" in                                  \
+                          i[0-9]86) echo '-O elf32-i386 -B i386';;             \
+                          x86_64)   echo '-O elf64-x86-64 -B i386:x86-64';;    \
++                         mips*)    echo '-O elf32-tradbigmips -B mips:isa32';; \
+                          arm*)     echo '-O elf32-littlearm -B arm';;         \
+                        esac
+ 
+diff -Naur shellinabox-2.10.orig/Makefile.in shellinabox-2.10/Makefile.in
+--- shellinabox-2.10.orig/Makefile.in	2009-11-21 23:47:39.000000000 +0100
++++ shellinabox-2.10/Makefile.in	2010-03-25 14:16:28.000000000 +0100
+@@ -371,6 +371,7 @@
+ objcopyflags = case "$(host_cpu)" in                                  \
+                          i[0-9]86) echo '-O elf32-i386 -B i386';;             \
+                          x86_64)   echo '-O elf64-x86-64 -B i386:x86-64';;    \
++                         mips*)    echo '-O elf32-tradbigmips -B mips:isa32';; \
+                          arm*)     echo '-O elf32-littlearm -B arm';;         \
+                        esac
+ 
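Review bot: The added `mips*)` case emits `-O elf32-tradbigmips` for every MIPS host, and the glob also matches little-endian `mipsel*` CPUs, for which a big-endian object format is wrong; this applies to both the Makefile.am and the Makefile.in hunk. Put a `mipsel*) echo '-O elf32-tradlittlemips -B mips:isa32';;` case ahead of it. The file also sits under `old/` rather than `patches/`, so as far as this diff shows the build does not apply it; if it is kept only for reference, a short README saying so would avoid confusion.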

+ 105 - 0
package/network/services/shellinabox/old/001-makefile-objcopy.patch

@@ -0,0 +1,105 @@
+diff -Naur shellinabox-2.10.orig/Makefile.am shellinabox-2.10/Makefile.am
+--- shellinabox-2.10.orig/Makefile.am	2010-03-25 19:30:55.000000000 +0100
++++ shellinabox-2.10/Makefile.am	2010-03-25 19:53:49.000000000 +0100
+@@ -218,23 +218,23 @@
+                 debian/tmp
+ 
+ .css.o:
+-	@echo objcopy "$<" "$@"
+-	@objcopy -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
++	@echo $(OBJCOPY) "$<" "$@"
++	@$(OBJCOPY) -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
+ 	  "$<" "$@"
+ 
+ .gif.o:
+-	@echo objcopy "$<" "$@"
+-	@objcopy -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
++	@echo $(OBJCOPY) "$<" "$@"
++	@$(OBJCOPY) -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
+ 	  "$<" "$@"
+ 
+ .html.o:
+-	@echo objcopy "$<" "$@"
+-	@objcopy -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
++	@echo $(OBJCOPY) "$<" "$@"
++	@$(OBJCOPY) -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
+ 	  "$<" "$@"
+ 
+ .ico.o:
+-	@echo objcopy "$<" "$@"
+-	@objcopy -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
++	@echo $(OBJCOPY) "$<" "$@"
++	@$(OBJCOPY) -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
+ 	  "$<" "$@"
+ 
+ shellinabox/shell_in_a_box.o: shellinabox/shell_in_a_box.js config.h
+@@ -249,12 +249,12 @@
+ 	     "$<" >"$@"
+ 
+ .js.o:
+-	@echo objcopy "$<" "$@"
+-	@objcopy -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
++	@echo $(OBJCOPY) "$<" "$@"
++	@$(OBJCOPY) -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
+ 	  "$<" "$@"
+ 
+ .wav.o:
+-	@echo objcopy "$<" "$@"
+-	@objcopy -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
++	@echo $(OBJCOPY) "$<" "$@"
++	@$(OBJCOPY) -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
+ 	  "$<" "$@"
+ 
+diff -Naur shellinabox-2.10.orig/Makefile.in shellinabox-2.10/Makefile.in
+--- shellinabox-2.10.orig/Makefile.in	2010-03-25 19:30:55.000000000 +0100
++++ shellinabox-2.10/Makefile.in	2010-03-25 19:54:21.000000000 +0100
+@@ -1231,23 +1231,23 @@
+                 debian/tmp
+ 
+ .css.o:
+-	@echo objcopy "$<" "$@"
+-	@objcopy -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
++	@echo $(OBJCOPY) "$<" "$@"
++	@$(OBJCOPY) -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
+ 	  "$<" "$@"
+ 
+ .gif.o:
+-	@echo objcopy "$<" "$@"
+-	@objcopy -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
++	@echo $(OBJCOPY) "$<" "$@"
++	@$(OBJCOPY) -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
+ 	  "$<" "$@"
+ 
+ .html.o:
+-	@echo objcopy "$<" "$@"
+-	@objcopy -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
++	@echo $(OBJCOPY) "$<" "$@"
++	@$(OBJCOPY) -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
+ 	  "$<" "$@"
+ 
+ .ico.o:
+-	@echo objcopy "$<" "$@"
+-	@objcopy -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
++	@echo $(OBJCOPY) "$<" "$@"
++	@$(OBJCOPY) -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
+ 	  "$<" "$@"
+ 
+ shellinabox/shell_in_a_box.o: shellinabox/shell_in_a_box.js config.h
+@@ -1262,13 +1262,13 @@
+ 	     "$<" >"$@"
+ 
+ .js.o:
+-	@echo objcopy "$<" "$@"
+-	@objcopy -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
++	@echo $(OBJCOPY) "$<" "$@"
++	@$(OBJCOPY) -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
+ 	  "$<" "$@"
+ 
+ .wav.o:
+-	@echo objcopy "$<" "$@"
+-	@objcopy -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
++	@echo $(OBJCOPY) "$<" "$@"
++	@$(OBJCOPY) -I binary `$(objcopyflags)` `echo "$<" | $(renamesymbols)`   \
+ 	  "$<" "$@"
+ 
+ # Tell versions [3.59,3.63) of GNU make to not export all variables.
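Review bot: Every suffix rule in these hunks now runs `$(OBJCOPY)`, but nothing visible in the patch defines that variable, so a build that does not pass it in would be left with a recipe line that contains no objcopy command at all. If configure.ac does not already set it, `AC_CHECK_TOOL([OBJCOPY], [objcopy])` there provides both the cross-prefixed tool and a native fallback. Because the recipe lines are prefixed with `@`, only the preceding `echo` line appears in the build log, which makes such a failure harder to spot.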

+ 20 - 0
package/network/services/shellinabox/old/002-httpconn-isnan.patch

@@ -0,0 +1,20 @@
+--- shellinabox-2.10.orig/libhttp/httpconnection.c      2015-09-25 10:55:38.350974827 +0000
++++ shellinabox-2.10/libhttp/httpconnection.c   2015-09-25 10:56:23.462944723 +0000
+@@ -69,6 +69,17 @@
+ #define max(a, b) ({ typeof(a) _a = (a); typeof(b) _b = (b);                  \
+                      _a > _b ? _a : _b; })
+ 
++#undef isnan
++#ifndef isnan
++# define isnan(x) \
++    (sizeof (x) == sizeof (long double) ? isnan_ld (x) \
++     : sizeof (x) == sizeof (double) ? isnan_d (x) \
++     : isnan_f (x))
++static inline int isnan_f  (float       x) { return x != x; }
++static inline int isnan_d  (double      x) { return x != x; }
++static inline int isnan_ld (long double x) { return x != x; }
++#endif
++
+ #include "libhttp/httpconnection.h"
+ #include "logging/logging.h"
+ 
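Review bot: The `#ifndef isnan` guard added ahead of the libhttp includes can never be false, because the line directly above it is `#undef isnan`; the local macro therefore always replaces whatever math.h provided. If the intent is a fallback only where the C library lacks one, drop the `#undef`. If the intent is an unconditional override, drop the `#ifndef`/`#endif` pair and say so, for example `/* Override the C library's isnan(): always use the local x != x helpers. */`. The patch does not state which toolchain needs this, and that reason belongs in the same comment.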

+ 5 - 0
package/network/services/shellinabox/old/readme

@@ -0,0 +1,5 @@
+Files here are patches required to get shellinabox-2.10 from Google Code to compile in OpenWRT buildroot
+
+These fixes have been integrated into the code in the Onion shellinabox repo
+
+

+ 145 - 0
package/network/services/tor/Makefile

@@ -0,0 +1,145 @@
+#
+# Copyright (C) 2008-2016 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=tor
+PKG_VERSION:=0.3.2.9
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://dist.torproject.org/ \
+	https://archive.torproject.org/tor-package-archive
+PKG_HASH:=435a7b91aa98d8b1a0ac1f60ca30c0ff3665b18a02e570bab5fe27935829160f
+PKG_MAINTAINER:=Hauke Mehrtens <hauke@hauke-m.de>
+PKG_LICENSE_FILES:=LICENSE
+
+PKG_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/tor/Default
+  SECTION:=net
+  CATEGORY:=Network
+  URL:=https://www.torproject.org/
+  USERID:=tor=52:tor=52
+endef
+
+define Package/tor/Default/description
+ Tor is a toolset for a wide range of organizations and people that want to
+ improve their safety and security on the Internet. Using Tor can help you
+ anonymize web browsing and publishing, instant messaging, IRC, SSH, and
+ more. Tor also provides a platform on which software developers can build
+ new applications with built-in anonymity, safety, and privacy features.
+endef
+
+define Package/tor
+$(call Package/tor/Default)
+  TITLE:=An anonymous Internet communication system
+  DEPENDS:=+libevent2 +libopenssl +libpthread +librt +zlib +libcap
+endef
+
+define Package/tor/description
+$(call Package/tor/Default/description)
+ This package contains the tor daemon.
+endef
+
+define Package/tor-gencert
+$(call Package/tor/Default)
+  TITLE:=Tor certificate generation
+  DEPENDS:=+tor
+endef
+
+define Package/tor-gencert/description
+$(call Package/tor/Default/description)
+ Generate certs and keys for Tor directory authorities
+endef
+
+define Package/tor-resolve
+$(call Package/tor/Default)
+  TITLE:=tor hostname resolve
+  DEPENDS:=+tor
+endef
+
+define Package/tor-resolve/description
+$(call Package/tor/Default/description)
+ Resolve a hostname to an IP address via tor 
+endef
+
+define Package/tor-geoip
+$(call Package/tor/Default)
+  TITLE:=GeoIP db for tor
+  DEPENDS:=+tor
+endef
+
+define Package/tor-geoip/description
+$(call Package/tor/Default/description)
+ This package contains a GeoIP database mapping IP addresses to countries.
+endef
+
+define Package/tor/conffiles
+/etc/tor/torrc
+/var/lib/tor/fingerprint
+/var/lib/tor/keys/*
+endef
+
+CONFIGURE_ARGS += \
+	--with-libevent-dir="$(STAGING_DIR)/usr" \
+	--with-ssl-dir="$(STAGING_DIR)/usr" \
+	--with-openssl-dir="$(STAGING_DIR)/usr" \
+	--with-zlib-dir="$(STAGING_DIR)/usr" \
+	--disable-asciidoc \
+	--disable-seccomp \
+	--disable-libscrypt \
+	--disable-unittests \
+	--disable-largefile \
+	--disable-lzma \
+	--with-tor-user=tor \
+	--with-tor-group=tor
+
+EXTRA_CFLAGS += -std=gnu99
+
+ifneq ($(CONFIG_SSP_SUPPORT),y)
+	CONFIGURE_ARGS += \
+		--disable-gcc-hardening
+else
+	EXTRA_CFLAGS += -fPIC
+endif
+
+CONFIGURE_VARS += \
+	CROSS_COMPILE="yes"
+
+define Package/tor/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/tor $(1)/usr/sbin/
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/torify $(1)/usr/sbin/
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/tor.init $(1)/etc/init.d/tor
+	$(INSTALL_DIR) $(1)/etc/tor
+	$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/tor/torrc.sample $(1)/etc/tor/torrc
+endef
+
+define Package/tor-gencert/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/tor-gencert $(1)/usr/sbin/
+endef
+
+define Package/tor-resolve/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/tor-resolve $(1)/usr/sbin/
+endef
+
+define Package/tor-geoip/install
+	$(INSTALL_DIR) $(1)/usr/share/tor
+	$(CP) $(PKG_INSTALL_DIR)/usr/share/tor/geoip $(1)/usr/share/tor/
+	$(CP) $(PKG_INSTALL_DIR)/usr/share/tor/geoip6 $(1)/usr/share/tor/
+endef
+
+$(eval $(call BuildPackage,tor))
+$(eval $(call BuildPackage,tor-gencert))
+$(eval $(call BuildPackage,tor-resolve))
+$(eval $(call BuildPackage,tor-geoip))
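Review bot: `CONFIGURE_ARGS` passes `--disable-seccomp` unconditionally, and the `ifneq ($(CONFIG_SSP_SUPPORT),y)` branch adds `--disable-gcc-hardening`, so on toolchains without SSP the daemon is built with neither the syscall sandbox nor tor's compiler hardening, and nothing in the file records that. A comment above the flag, for example `# built without libseccomp: the torrc "Sandbox 1" option is unavailable in this package`, would tell users what they are getting. Separately, `Package/tor/conffiles` lists `/var/lib/tor/keys/*`, which presumably places the daemon's private keys in configuration backups; that deserves a line in the package description.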

+ 26 - 0
package/network/services/tor/files/tor.init

@@ -0,0 +1,26 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006-2011 OpenWrt.org
+
+START=50
+STOP=50
+
+USE_PROCD=1
+
+start_service() {
+	[ -f /var/run/tor.pid ] || {
+		touch /var/run/tor.pid
+		chown tor:tor /var/run/tor.pid
+	}
+	[ -d /var/lib/tor ] || {
+		mkdir -m 0755 -p /var/lib/tor
+		chmod 0700 /var/lib/tor
+		chown tor:tor /var/lib/tor
+	}
+	[ -d /var/log/tor ] || {
+		mkdir -m 0755 -p /var/log/tor
+		chown tor:tor /var/log/tor
+	}
+	procd_open_instance
+	procd_set_param command /usr/sbin/tor --runasdaemon 0
+	procd_close_instance
+}
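Review bot: In `start_service`, the owner and mode of `/var/lib/tor`, `/var/log/tor` and `/var/run/tor.pid` are applied only inside the `[ -d … ] ||` and `[ -f … ] ||` guards, so a path that already exists with a different owner or a looser mode is used as it is. The data directory is also created as 0755 and tightened afterwards; `mkdir -m 0700 -p /var/lib/tor` creates it with the final mode, and moving `chown tor:tor /var/lib/tor` outside the guard makes every start re-assert ownership. The instance is launched without a procd `user` parameter, so dropping root depends on the `User tor` line in torrc surviving local edits.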

+ 25 - 0
package/network/services/tor/patches/001-torrc.patch

@@ -0,0 +1,25 @@
+--- a/src/config/torrc.sample.in
++++ b/src/config/torrc.sample.in
+@@ -39,7 +39,7 @@
+ ## Send every possible message to @LOCALSTATEDIR@/log/tor/debug.log
+ #Log debug file @LOCALSTATEDIR@/log/tor/debug.log
+ ## Use the system log instead of Tor's logfiles
+-#Log notice syslog
++Log notice syslog
+ ## To send all messages to stderr:
+ #Log debug stderr
+ 
+@@ -50,7 +50,7 @@
+ 
+ ## The directory for keeping all the keys/etc. By default, we store
+ ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+-#DataDirectory @LOCALSTATEDIR@/lib/tor
++DataDirectory @LOCALSTATEDIR@/lib/tor
+ 
+ ## The port on which Tor will listen for local connections from Tor
+ ## controller applications, as documented in control-spec.txt.
+@@ -227,3 +227,4 @@
+ #%include /etc/torrc.d/
+ #%include /etc/torrc.custom
+ 
++User tor

+ 1 - 1
package/network/utils/curl/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=curl
 PKG_VERSION:=7.52.1
-PKG_RELEASE:=6
+PKG_RELEASE:=8
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://curl.haxx.se/download/ \

+ 27 - 0
package/network/utils/curl/patches/320-mbedtls-nonblocking-handshake.patch

@@ -0,0 +1,27 @@
+From b993d2cca536870ecdf3b4611de9f77215af8eb8 Mon Sep 17 00:00:00 2001
+From: Antoine Aubert <a.aubert@overkiz.com>
+Date: Fri, 20 Jan 2017 08:10:28 +0100
+Subject: [PATCH] vtls: fix mbedtls multi non blocking handshake.
+
+When using multi, mbedtls handshake is in non blocking mode.
+vtls must set wait for read/write flags for the socket.
+---
+ lib/vtls/vtls.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index fad9335bbf..871622fef1 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -485,8 +485,9 @@ void Curl_ssl_close_all(struct Curl_easy *data)
+ }
+ 
+ #if defined(USE_OPENSSL) || defined(USE_GNUTLS) || defined(USE_SCHANNEL) || \
+-    defined(USE_DARWINSSL) || defined(USE_NSS)
+-/* This function is for OpenSSL, GnuTLS, darwinssl, and schannel only. */
++    defined(USE_DARWINSSL) || defined(USE_NSS) || defined(USE_MBEDTLS)
++/* This function is for OpenSSL, GnuTLS, darwinssl, mbedtls, and schannel
++   only. */
+ int Curl_ssl_getsock(struct connectdata *conn, curl_socket_t *socks,
+                      int numsocks)
+ {
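Review bot: The rewritten comment above `Curl_ssl_getsock` names OpenSSL, GnuTLS, darwinssl, mbedtls and schannel as the "only" users, but the `#if` it documents also enables the function for `USE_NSS`. Adding NSS to the list, `/* This function is for OpenSSL, GnuTLS, darwinssl, mbedtls, NSS and schannel only. */`, keeps the comment in step with the condition. The function body continues outside the hunk.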

+ 2 - 1
package/network/utils/iw/Makefile

@@ -30,7 +30,8 @@ endef
 
 define Build/Configure
 	echo "const char iw_version[] = \"$(PKG_VERSION)\";" > $(PKG_BUILD_DIR)/version.c
-	echo "#!/bin/sh" > $(PKG_BUILD_DIR)/version.sh
+	rm -f $(PKG_BUILD_DIR)/version.sh
+	touch $(PKG_BUILD_DIR)/version.sh
 	chmod +x $(PKG_BUILD_DIR)/version.sh
 endef
 

+ 4 - 4
package/system/ca-certificates/Makefile

@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006-2016 OpenWrt.org
+# Copyright (C) 2006-2017 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -7,13 +7,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ca-certificates
-PKG_VERSION:=20161130+nmu1
+PKG_VERSION:=20170717
 PKG_MAINTAINER:=Christian Schoenebeck <christian.schoenebeck@gmail.com>
 
 PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=http://ftp.debian.org/debian/pool/main/c/ca-certificates
-PKG_HASH:=77f9aca431e3122bf04aa0ffd989b723d906db4d1c106e3290e463d73c177f0e
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-20161130
+PKG_HASH:=e487639b641fa75445174734dd6e9d600373e3248b3d86a7e3c6d0f6977decd2
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
 
 PKG_INSTALL:=1
 

+ 18 - 5
package/system/fstools/Makefile

@@ -11,11 +11,10 @@ PKG_NAME:=fstools
 PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL=$(LEDE_GIT)/project/fstools.git
-PKG_SOURCE_DATE:=2017-06-30
-PKG_SOURCE_VERSION:=bdcb075fafdac0bfe3207c23f64acd58432bad86
-PKG_MIRROR_HASH:=760a1fdbd379f1191947ac6ba9881a85a9b8c43f4a96d49db18d4654b0c312c4
-PKG_RELEASE:=1
+PKG_SOURCE_URL=$(PROJECT_GIT)/project/fstools.git
+PKG_SOURCE_DATE:=2018-02-11
+PKG_SOURCE_VERSION:=3d239815bb048041ec0d48cba273573d148ad7a9
+PKG_MIRROR_HASH:=28b7e9f6b8ba4ad3dcab44daa629df412af103bf31448177cffb0d176f0aacf1
 CMAKE_INSTALL:=1
 
 PKG_LICENSE:=GPL-2.0
@@ -67,6 +66,13 @@ define Package/block-mount
   DEPENDS:=+ubox +libubox +libuci
 endef
 
+define Package/blockd
+  SECTION:=base
+  CATEGORY:=Base system
+  TITLE:=Block device automounting
+  DEPENDS:=+block-mount +fstools +libubus +kmod-fs-autofs4
+endef
+
 define Package/fstools/install
 	$(INSTALL_DIR) $(1)/sbin $(1)/lib
 
@@ -96,6 +102,12 @@ define Package/block-mount/install
 
 endef
 
+define Package/blockd/install
+	$(INSTALL_DIR) $(1)/sbin $(1)/etc/init.d/
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/blockd $(1)/sbin/
+	$(INSTALL_BIN) ./files/blockd.init $(1)/etc/init.d/blockd
+endef
+
 define Build/InstallDev
 	$(INSTALL_DIR) $(1)/usr/include
 	$(CP) $(PKG_INSTALL_DIR)/usr/include/*.h $(1)/usr/include/
@@ -106,3 +118,4 @@ endef
 $(eval $(call BuildPackage,fstools))
 $(eval $(call BuildPackage,snapshot-tool))
 $(eval $(call BuildPackage,block-mount))
+$(eval $(call BuildPackage,blockd))

+ 21 - 0
package/system/fstools/files/blockd.init

@@ -0,0 +1,21 @@
+#!/bin/sh /etc/rc.common
+
+START=80
+
+USE_PROCD=1
+PROG=/sbin/blockd
+
+service_triggers() {
+	procd_add_reload_trigger "fstab"
+}
+
+reload_service() {
+	block autofs start
+}
+
+start_service() {
+	procd_open_instance
+	procd_set_param command "$PROG"
+	procd_set_param respawn
+	procd_close_instance
+}

+ 9 - 7
package/system/fstools/files/snapshot

@@ -42,7 +42,7 @@ do_snapshot_upgrade() {
 
 	opkg list-upgradable
 	[ $? -eq 0 ] || exit 2
-	
+
 	UPDATES=`opkg list-upgradable | cut -d" " -f1`
 	[ -z "${UPDATES}" ] && exit 0
 
@@ -64,14 +64,16 @@ do_convert_jffs2() {
 do_convert() {
 	. /lib/functions.sh
 	. /lib/upgrade/common.sh
-	ubus call system upgrade
-	touch /tmp/sysupgrade
+
 	cd /overlay/upper
 	tar czf /tmp/snapshot.tar.gz *
-	kill_remaining TERM
-	sleep 3
-	kill_remaining KILL
-	run_ramfs '. /sbin/snapshot; do_convert_jffs2'
+
+	install_bin /sbin/upgraded
+	ubus call system sysupgrade "{
+		\"prefix\": \"$RAM_ROOT\",
+		\"path\": \"\",
+		\"command\": \". /sbin/snapshot; do_convert_jffs2\"
+	}"
 }
 
 [ -n "$(cat /proc/mounts|grep /overlay|grep jffs2)" ] && {
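Review bot: `do_convert` runs `cd /overlay/upper` and then `tar czf /tmp/snapshot.tar.gz *` without checking either result before handing control to `ubus call system sysupgrade`, so a failed `cd` or a short write in /tmp would let the conversion continue with an archive of the wrong directory or a truncated one. `cd /overlay/upper || exit 1` and `tar czf /tmp/snapshot.tar.gz * || exit 1` stop before the upgrade step starts. The JSON argument is assembled by pasting `$RAM_ROOT` into a quoted string; that is safe only while the value (presumably set by /lib/upgrade/common.sh) contains no quote or backslash.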

+ 2 - 1
package/system/mtd/src/Makefile

@@ -4,13 +4,14 @@ LDFLAGS += -lubox
 
 obj = mtd.o jffs2.o crc32.o md5.o
 obj.seama = seama.o md5.o
+obj.wrg = wrg.o md5.o
 obj.wrgg = wrgg.o md5.o
 obj.ar71xx = trx.o $(obj.seama) $(obj.wrgg)
 obj.brcm = trx.o
 obj.brcm47xx = $(obj.brcm)
 obj.bcm53xx = $(obj.brcm) $(obj.seama)
 obj.brcm63xx = imagetag.o
-obj.ramips = $(obj.seama)
+obj.ramips = $(obj.seama) $(obj.wrg)
 obj.mvebu = linksys_bootcount.o
 obj.kirkwood = linksys_bootcount.o
 obj.ipq806x = linksys_bootcount.o

+ 23 - 3
package/system/mtd/src/mtd.c

@@ -54,6 +54,7 @@
 
 #define TRX_MAGIC		0x48445230	/* "HDR0" */
 #define SEAMA_MAGIC		0x5ea3a417
+#define WRG_MAGIC		0x20040220
 #define WRGG03_MAGIC		0x20080321
 
 #if !defined(__BYTE_ORDER)
@@ -76,6 +77,7 @@ enum mtd_image_format {
 	MTD_IMAGE_FORMAT_UNKNOWN,
 	MTD_IMAGE_FORMAT_TRX,
 	MTD_IMAGE_FORMAT_SEAMA,
+	MTD_IMAGE_FORMAT_WRG,
 	MTD_IMAGE_FORMAT_WRGG03,
 };
 
@@ -205,6 +207,8 @@ image_check(int imagefd, const char *mtd)
 		imageformat = MTD_IMAGE_FORMAT_TRX;
 	else if (be32_to_cpu(magic) == SEAMA_MAGIC)
 		imageformat = MTD_IMAGE_FORMAT_SEAMA;
+	else if (le32_to_cpu(magic) == WRG_MAGIC)
+		imageformat = MTD_IMAGE_FORMAT_WRG;
 	else if (le32_to_cpu(magic) == WRGG03_MAGIC)
 		imageformat = MTD_IMAGE_FORMAT_WRGG03;
 
@@ -214,7 +218,7 @@ image_check(int imagefd, const char *mtd)
 			ret = trx_check(imagefd, mtd, buf, &buflen);
 		break;
 	case MTD_IMAGE_FORMAT_SEAMA:
-		break;
+	case MTD_IMAGE_FORMAT_WRG:
 	case MTD_IMAGE_FORMAT_WRGG03:
 		break;
 	default:
@@ -685,6 +689,10 @@ resume:
 			if (mtd_fixseama)
 				mtd_fixseama(mtd, 0, 0);
 			break;
+		case MTD_IMAGE_FORMAT_WRG:
+			if (mtd_fixwrg)
+				mtd_fixwrg(mtd, 0, 0);
+			break;
 		case MTD_IMAGE_FORMAT_WRGG03:
 			if (mtd_fixwrgg)
 				mtd_fixwrgg(mtd, 0, 0);
@@ -734,6 +742,10 @@ static void usage(void)
 	    fprintf(stderr,
 	"        fixseama                fix the checksum in a seama header on first boot\n");
 	}
+	if (mtd_fixwrg) {
+	    fprintf(stderr,
+	"        fixwrg                  fix the checksum in a wrg header on first boot\n");
+	}
 	if (mtd_fixwrgg) {
 	    fprintf(stderr,
 	"        fixwrgg                 fix the checksum in a wrgg header on first boot\n");
@@ -755,9 +767,9 @@ static void usage(void)
 	    fprintf(stderr,
 	"        -o offset               offset of the image header in the partition(for fixtrx)\n");
 	}
-	if (mtd_fixtrx || mtd_fixseama || mtd_fixwrgg) {
+	if (mtd_fixtrx || mtd_fixseama || mtd_fixwrg || mtd_fixwrgg) {
 		fprintf(stderr,
-	"        -c datasize             amount of data to be used for checksum calculation (for fixtrx / fixseama / fixwrgg)\n");
+	"        -c datasize             amount of data to be used for checksum calculation (for fixtrx / fixseama / fixwrg / fixwrgg)\n");
 	}
 	fprintf(stderr,
 #ifdef FIS_SUPPORT
@@ -798,6 +810,7 @@ int main (int argc, char **argv)
 		CMD_JFFS2WRITE,
 		CMD_FIXTRX,
 		CMD_FIXSEAMA,
+		CMD_FIXWRG,
 		CMD_FIXWRGG,
 		CMD_VERIFY,
 		CMD_DUMP,
@@ -913,6 +926,9 @@ int main (int argc, char **argv)
 	} else if (((strcmp(argv[0], "fixseama") == 0) && (argc == 2)) && mtd_fixseama) {
 		cmd = CMD_FIXSEAMA;
 		device = argv[1];
+	} else if (((strcmp(argv[0], "fixwrg") == 0) && (argc == 2)) && mtd_fixwrg) {
+		cmd = CMD_FIXWRG;
+		device = argv[1];
 	} else if (((strcmp(argv[0], "fixwrgg") == 0) && (argc == 2)) && mtd_fixwrgg) {
 		cmd = CMD_FIXWRGG;
 		device = argv[1];
@@ -1012,6 +1028,10 @@ int main (int argc, char **argv)
 			if (mtd_fixseama)
 				mtd_fixseama(device, 0, data_size);
 			break;
+		case CMD_FIXWRG:
+			if (mtd_fixwrg)
+				mtd_fixwrg(device, 0, data_size);
+			break;
 		case CMD_FIXWRGG:
 			if (mtd_fixwrgg)
 				mtd_fixwrgg(device, 0, data_size);
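Review bot: The new `le32_to_cpu(magic) == WRG_MAGIC` test in `image_check` compares the same `magic` word already used for the TRX and SEAMA checks, while `struct wrg_header` in wrg.c places `magic1` after a 32-byte `signature` field. If `magic` is read from the first four bytes of the image (the assignment is outside this hunk), a WRG image would not be recognised here and the `MTD_IMAGE_FORMAT_WRG` fix-up after writing would never run; this needs confirming against the full function. `WRG_MAGIC` is also defined twice, here and in wrg.c; a single `#define WRG_MAGIC 0x20040220` in mtd.h keeps the two from drifting.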

+ 1 - 0
package/system/mtd/src/mtd.h

@@ -27,6 +27,7 @@ extern int trx_fixup(int fd, const char *name)  __attribute__ ((weak));
 extern int trx_check(int imagefd, const char *mtd, char *buf, int *len) __attribute__ ((weak));
 extern int mtd_fixtrx(const char *mtd, size_t offset, size_t data_size) __attribute__ ((weak));
 extern int mtd_fixseama(const char *mtd, size_t offset, size_t data_size) __attribute__ ((weak));
+extern int mtd_fixwrg(const char *mtd, size_t offset, size_t data_size) __attribute__ ((weak));
 extern int mtd_fixwrgg(const char *mtd, size_t offset, size_t data_size) __attribute__ ((weak));
 extern int mtd_resetbc(const char *mtd) __attribute__ ((weak));
 #endif /* __mtd_h */

+ 208 - 0
package/system/mtd/src/wrg.c

@@ -0,0 +1,208 @@
+/*
+ * wrg.c
+ *
+ * Copyright (C) 2005 Mike Baker
+ * Copyright (C) 2008 Felix Fietkau <nbd@nbd.name>
+ * Copyright (C) 2011-2012 Gabor Juhos <juhosg@openwrt.org>
+ * Copyright (C) 2016 Stijn Tintel <stijn@linux-ipv6.be>
+ * Copyright (C) 2017 George Hopkins <george-hopkins@null.net>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ */
+
+#include <byteswap.h>
+#include <endian.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <errno.h>
+#include <arpa/inet.h>
+
+#include <sys/ioctl.h>
+#include <mtd/mtd-user.h>
+#include "mtd.h"
+#include "md5.h"
+
+#if !defined(__BYTE_ORDER)
+#error "Unknown byte order"
+#endif
+
+#if __BYTE_ORDER == __BIG_ENDIAN
+#define cpu_to_le32(x)	bswap_32(x)
+#define le32_to_cpu(x)	bswap_32(x)
+#elif __BYTE_ORDER == __LITTLE_ENDIAN
+#define cpu_to_le32(x)	(x)
+#define le32_to_cpu(x)	(x)
+#else
+#error "Unsupported endianness"
+#endif
+
+#define WRG_MAGIC	0x20040220
+
+struct wrg_header {
+	char		signature[32];
+	uint32_t	magic1;
+	uint32_t	magic2;
+	uint32_t	size;
+	uint32_t	offset;
+	char		devname[32];
+	char		digest[16];
+} __attribute__ ((packed));
+
+ssize_t pread(int fd, void *buf, size_t count, off_t offset);
+ssize_t pwrite(int fd, const void *buf, size_t count, off_t offset);
+
+int
+wrg_fix_md5(struct wrg_header *shdr, int fd, size_t data_offset, size_t data_size)
+{
+	char *buf;
+	ssize_t res;
+	MD5_CTX ctx;
+	unsigned char digest[16];
+	int i;
+	int err = 0;
+
+	buf = malloc(data_size);
+	if (!buf) {
+		err = -ENOMEM;
+		goto err_out;
+	}
+
+	res = pread(fd, buf, data_size, data_offset);
+	if (res != data_size) {
+		perror("pread");
+		err = -EIO;
+		goto err_free;
+	}
+
+	MD5_Init(&ctx);
+	MD5_Update(&ctx, (char *)&shdr->offset, sizeof(shdr->offset));
+	MD5_Update(&ctx, (char *)&shdr->devname, sizeof(shdr->devname));
+	MD5_Update(&ctx, buf, data_size);
+	MD5_Final(digest, &ctx);
+
+	if (!memcmp(digest, shdr->digest, sizeof(digest))) {
+		if (quiet < 2)
+			fprintf(stderr, "the header is fixed already\n");
+		return -1;
+	}
+
+	if (quiet < 2) {
+		fprintf(stderr, "new size: %u, new MD5: ", data_size);
+		for (i = 0; i < sizeof(digest); i++)
+			fprintf(stderr, "%02x", digest[i]);
+
+		fprintf(stderr, "\n");
+	}
+
+	/* update the size in the image */
+	shdr->size = cpu_to_le32(data_size);
+
+	/* update the checksum in the image */
+	memcpy(shdr->digest, digest, sizeof(digest));
+
+err_free:
+	free(buf);
+err_out:
+	return err;
+}
+
+int
+mtd_fixwrg(const char *mtd, size_t offset, size_t data_size)
+{
+	int fd;
+	char *first_block;
+	ssize_t res;
+	size_t block_offset;
+	size_t data_offset;
+	struct wrg_header *shdr;
+
+	if (quiet < 2)
+		fprintf(stderr, "Trying to fix WRG header in %s at 0x%x...\n",
+			mtd, offset);
+
+	block_offset = offset & ~(erasesize - 1);
+	offset -= block_offset;
+
+	fd = mtd_check_open(mtd);
+	if(fd < 0) {
+		fprintf(stderr, "Could not open mtd device: %s\n", mtd);
+		exit(1);
+	}
+
+	if (block_offset + erasesize > mtdsize) {
+		fprintf(stderr, "Offset too large, device size 0x%x\n",
+			mtdsize);
+		exit(1);
+	}
+
+	first_block = malloc(erasesize);
+	if (!first_block) {
+		perror("malloc");
+		exit(1);
+	}
+
+	res = pread(fd, first_block, erasesize, block_offset);
+	if (res != erasesize) {
+		perror("pread");
+		exit(1);
+	}
+
+	shdr = (struct wrg_header *)(first_block + offset);
+	if (le32_to_cpu(shdr->magic1) != WRG_MAGIC) {
+		fprintf(stderr, "No WRG header found (%08x != %08x)\n",
+		        le32_to_cpu(shdr->magic1), WRG_MAGIC);
+		exit(1);
+	} else if (!le32_to_cpu(shdr->size)) {
+		fprintf(stderr, "WRG entity with empty image\n");
+		exit(1);
+	}
+
+	data_offset = offset + sizeof(struct wrg_header);
+	if (!data_size)
+		data_size = mtdsize - data_offset;
+	if (data_size > le32_to_cpu(shdr->size))
+		data_size = le32_to_cpu(shdr->size);
+	if (wrg_fix_md5(shdr, fd, data_offset, data_size))
+		goto out;
+
+	if (mtd_erase_block(fd, block_offset)) {
+		fprintf(stderr, "Can't erease block at 0x%x (%s)\n",
+			block_offset, strerror(errno));
+		exit(1);
+	}
+
+	if (quiet < 2)
+		fprintf(stderr, "Rewriting block at 0x%x\n", block_offset);
+
+	if (pwrite(fd, first_block, erasesize, block_offset) != erasesize) {
+		fprintf(stderr, "Error writing block (%s)\n", strerror(errno));
+		exit(1);
+	}
+
+	if (quiet < 2)
+		fprintf(stderr, "Done.\n");
+
+out:
+	close (fd);
+	sync();
+
+	return 0;
+}
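Review bot: In `wrg_fix_md5` the "the header is fixed already" branch does `return -1` while `buf` is still allocated, bypassing the `err_free` label that the other exits use; `err = -1; goto err_free;` closes the leak. `mtd_fixwrg` then handles every non-zero result with `goto out` and returns 0, so an `-ENOMEM` or `-EIO` from the helper is reported to the caller as success. `mtd_fixwrg` also casts `first_block + offset` to `struct wrg_header *` without checking that the header fits inside the block that was read; `if (offset + sizeof(struct wrg_header) > erasesize)` with an error exit before the cast would bound it. The helper's `pread` is given `data_offset` without `block_offset` added, which looks wrong for any non-zero block, although both callers visible in mtd.c pass offset 0.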

+ 11 - 13
package/system/opkg/Makefile

@@ -1,32 +1,32 @@
 #
 # Copyright (C) 2006-2015 OpenWrt.org
-# Copyright (C) 2016 LEDE Project
+# Copyright (C) 2016-2017 LEDE Project
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 
 include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
-include $(INCLUDE_DIR)/version.mk
-include $(INCLUDE_DIR)/feeds.mk
 
 PKG_NAME:=opkg
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_FLAGS:=essential
 
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://git.lede-project.org/project/opkg-lede.git
-PKG_SOURCE_DATE:=2017-12-08
-PKG_SOURCE_VERSION:=9f61f7acf3845d2e09675b49fec5d783d57eb780
-PKG_MIRROR_HASH:=3e70d78e92f73e0848a75cfd74762656a4172b6d71369b9e2717dc57acf39cbf
+PKG_SOURCE_URL:=https://git.openwrt.org/project/opkg-lede.git
+PKG_SOURCE_DATE:=2017-12-07
+PKG_SOURCE_VERSION:=3b417b9f41b4ceb5912d82f867dd5534e5675b5c
+PKG_MIRROR_HASH:=1c9c21e56186345d0034d15051c1d9c5ebb5aa6658d6ae8886d8403207a914a3
 
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
 
 PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
 
-PKG_FLAGS := nonshared
-PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES CONFIG_TARGET_INIT_PATH
+# Extend depends from version.mk
+PKG_CONFIG_DEPENDS += \
+	CONFIG_SIGNED_PACKAGES \
+	CONFIG_TARGET_INIT_PATH
 
 PKG_BUILD_PARALLEL:=1
 HOST_BUILD_PARALLEL:=1
@@ -43,7 +43,7 @@ define Package/opkg
   CATEGORY:=Base system
   TITLE:=opkg package manager
   DEPENDS:=+uclient-fetch +libpthread +libubox
-  URL:=https://git.lede-project.org/?p=project/opkg-lede.git
+  URL:=$(PKG_SOURCE_URL)
   MENU:=1
 endef
 
@@ -86,8 +86,6 @@ define Package/opkg/install
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_DATA) ./files/customfeeds.conf $(1)/etc/opkg/customfeeds.conf
 	$(INSTALL_DATA) ./files/opkg$(2).conf $(1)/etc/opkg.conf
-	$(call FeedSourcesAppend,$(1)/etc/opkg/distfeeds.conf)
-	$(VERSION_SED) $(1)/etc/opkg/distfeeds.conf
 	$(INSTALL_BIN) ./files/20_migrate-feeds $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/opkg-cl $(1)/bin/opkg
   ifneq ($(CONFIG_SIGNED_PACKAGES),)
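Review bot: The new comment `# Extend depends from version.mk` and the switch to `PKG_CONFIG_DEPENDS +=` assume version.mk has already set the variable, but this same section removes `include $(INCLUDE_DIR)/version.mk`. Unless rules.mk or kernel.mk pulls it in (not visible here), there is nothing to extend and the comment misleads; `# Rebuild when package signing or the init path setting changes` describes what the two entries do. Dropping `PKG_FLAGS := nonshared` also means the earlier `PKG_FLAGS:=essential` is no longer overwritten, which looks intended but is worth stating in the commit message. `PKG_SOURCE_DATE` moves from 2017-12-08 back to 2017-12-07 with a different commit, so the pinned source appears to be older than before.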

+ 11 - 46
package/system/procd/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=procd
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL=$(LEDE_GIT)/project/procd.git
-PKG_SOURCE_DATE:=2017-11-14
-PKG_SOURCE_VERSION:=d9dc0e03d70937dbbea12af86997701fbd717dc5
-PKG_MIRROR_HASH:=ad62410e6e43113c13aebf15f60c145f1eac09f309b8e7bd006a3621ca8f07a5
+PKG_SOURCE_URL=$(PROJECT_GIT)/project/procd.git
+PKG_SOURCE_DATE:=2018-01-23
+PKG_SOURCE_VERSION:=653629f19e591a0827ab39de07b4526bb119a57a
+PKG_MIRROR_HASH:=2e0c3ae45521eea456a8411c8d9ef19ed9a5ed6c0ab38b9496555625fb4ba6a2
 CMAKE_INSTALL:=1
 
 PKG_LICENSE:=GPL-2.0
@@ -22,11 +22,9 @@ PKG_LICENSE_FILES:=
 
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
 
-PKG_FLAGS:=nonshared
-
 PKG_CONFIG_DEPENDS:= \
 	CONFIG_TARGET_INIT_PATH CONFIG_KERNEL_SECCOMP \
-	CONFIG_NAND_SUPPORT CONFIG_PROCD_SHOW_BOOT CONFIG_PROCD_ZRAM_TMPFS \
+	CONFIG_PROCD_SHOW_BOOT CONFIG_PROCD_ZRAM_TMPFS \
 	CONFIG_KERNEL_NAMESPACES CONFIG_PACKAGE_procd-ujail CONFIG_PACKAGE_procd-seccomp
 
 include $(INCLUDE_DIR)/package.mk
@@ -42,7 +40,7 @@ TARGET_LDFLAGS += $(if $(CONFIG_USE_GLIBC),-lrt)
 define Package/procd
   SECTION:=base
   CATEGORY:=Base system
-  DEPENDS:=+ubusd +ubus +libjson-script +ubox +USE_GLIBC:librt +libubox +libubus +NAND_SUPPORT:procd-nand
+  DEPENDS:=+ubusd +ubus +libjson-script +ubox +USE_GLIBC:librt +libubox +libubus
   TITLE:=OpenWrt system process manager
 endef
 
@@ -60,20 +58,6 @@ define Package/procd-seccomp
   TITLE:=OpenWrt process seccomp helper + utrace
 endef
 
-define Package/procd-nand
-  SECTION:=utils
-  CATEGORY:=Utilities
-  DEPENDS:=@NAND_SUPPORT +ubi-utils
-  TITLE:=OpenWrt sysupgrade nand helper
-endef
-
-define Package/procd-nand-firstboot
-  SECTION:=utils
-  CATEGORY:=Utilities
-  DEPENDS:=procd-nand
-  TITLE:=OpenWrt firstboot nand helper
-endef
-
 define Package/procd/config
 menu "Configuration"
 	depends on PACKAGE_procd
@@ -91,10 +75,6 @@ endmenu
 endef
 
 
-ifeq ($(CONFIG_NAND_SUPPORT),y)
-  CMAKE_OPTIONS += -DBUILD_UPGRADED=1
-endif
-
 ifeq ($(CONFIG_PROCD_SHOW_BOOT),y)
   CMAKE_OPTIONS += -DSHOW_BOOT_ON_CONSOLE=1
 endif
@@ -107,14 +87,13 @@ ifdef CONFIG_PACKAGE_procd-ujail
   CMAKE_OPTIONS += -DJAIL_SUPPORT=1
 endif
 
-ifdef CONFIG_PACKAGE_procd-seccomp
-  CMAKE_OPTIONS += -DSECCOMP_SUPPORT=1 -DUTRACE_SUPPORT=1
-endif
+SECCOMP=$(if $(CONFIG_PACKAGE_procd-seccomp),1,0)
+CMAKE_OPTIONS += -DSECCOMP_SUPPORT=$(SECCOMP) -DUTRACE_SUPPORT=$(SECCOMP)
 
 define Package/procd/install
 	$(INSTALL_DIR) $(1)/sbin $(1)/etc $(1)/lib/functions
 
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/{init,procd,askfirst,udevtrigger} $(1)/sbin/
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/{init,procd,askfirst,udevtrigger,upgraded} $(1)/sbin/
 	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libsetlbf.so $(1)/lib
 	$(INSTALL_BIN) ./files/reload_config $(1)/sbin/
 	$(INSTALL_DATA) ./files/hotplug*.json $(1)/etc/
@@ -130,24 +109,10 @@ define Package/procd-seccomp/install
 	$(INSTALL_DIR) $(1)/sbin $(1)/lib
 	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libpreload-seccomp.so $(1)/lib
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/utrace $(1)/sbin/
+	$(LN) utrace $(1)/sbin/seccomp-trace
 	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libpreload-trace.so $(1)/lib
 endef
 
-define Package/procd-nand/install
-	$(INSTALL_DIR) $(1)/sbin $(1)/lib/upgrade
-
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/upgraded $(1)/sbin/
-	$(INSTALL_DATA) ./files/nand.sh $(1)/lib/upgrade/
-endef
-
-define Package/procd-nand-firstboot/install
-	$(INSTALL_DIR) $(1)/lib/preinit
-
-	$(INSTALL_DATA) ./files/nand-preinit.sh $(1)/lib/preinit/60-nand-firstboot.sh
-endef
-
 $(eval $(call BuildPackage,procd))
 $(eval $(call BuildPackage,procd-ujail))
 $(eval $(call BuildPackage,procd-seccomp))
-$(eval $(call BuildPackage,procd-nand))
-$(eval $(call BuildPackage,procd-nand-firstboot))

+ 4 - 4
package/system/procd/files/hotplug-preinit.json

@@ -8,11 +8,11 @@
 					[ "load-firmware", "/lib/firmware" ],
 					[ "return" ]
 				]
-			],
-		],
-	}, ],
+			]
+		]
+	} ],
 	[ "if",
 		[ "eq", "SUBSYSTEM", "button" ],
 		[ "exec", "/etc/rc.button/failsafe" ]
-	],
+	]
 ]

+ 11 - 11
package/system/procd/files/hotplug.json

@@ -4,27 +4,27 @@
 			[ "if",
 				[ "and",
 					[ "has", "MAJOR" ],
-					[ "has", "MINOR" ],
+					[ "has", "MINOR" ]
 				],
 				[
 					[ "if",
 						[ "eq", "DEVNAME",
-							[ "null", "full", "ptmx", "zero", "tty", "net", "random", "urandom" ],
+							[ "null", "full", "ptmx", "zero", "tty", "net", "random", "urandom" ]
 						],
 						[
 							[ "makedev", "/dev/%DEVNAME%", "0666" ],
-							[ "return" ],
+							[ "return" ]
 						]
 					],
 					[ "if",
 						[ "regex", "DEVNAME", "^snd" ],
-						[ "makedev", "/dev/%DEVNAME%", "0660", "audio" ],
+						[ "makedev", "/dev/%DEVNAME%", "0660", "audio" ]
 					],
 					[ "if",
 						[ "has", "DEVNAME" ],
-						[ "makedev", "/dev/%DEVNAME%", "0600" ],
-					],
-				],
+						[ "makedev", "/dev/%DEVNAME%", "0600" ]
+					]
+				]
 			],
 			[ "if",
 				[ "has", "FIRMWARE" ],
@@ -33,14 +33,14 @@
 					[ "load-firmware", "/lib/firmware" ],
 					[ "return" ]
 				]
-			],
+			]
 		],
 		"remove" : [
 			[ "if",
 				[ "and",
 					[ "has", "DEVNAME" ],
 					[ "has", "MAJOR" ],
-					[ "has", "MINOR" ],
+					[ "has", "MINOR" ]
 				],
 				[ "rm", "/dev/%DEVNAME%" ]
 			]
@@ -49,7 +49,7 @@
 	[ "if",
 		[ "and",
 			[ "has", "BUTTON" ],
-			[ "eq", "SUBSYSTEM", "button" ],
+			[ "eq", "SUBSYSTEM", "button" ]
 		],
 		[ "button", "/etc/rc.button/%BUTTON%" ]
 	],
@@ -65,5 +65,5 @@
 			[ "isdir", "/etc/hotplug.d/%SUBSYSTEM%" ],
 			[ "exec", "/sbin/hotplug-call", "%SUBSYSTEM%" ]
 		]
-	],
+	]
 ]

+ 41 - 5
package/system/procd/files/procd.sh

@@ -33,11 +33,25 @@
 #   Send a signal to a service instance (or all instances)
 #
 
-. $IPKG_INSTROOT/usr/share/libubox/jshn.sh
+. "$IPKG_INSTROOT/usr/share/libubox/jshn.sh"
 
 PROCD_RELOAD_DELAY=1000
 _PROCD_SERVICE=
 
+procd_lock() {
+	local basescript=$(readlink "$initscript")
+	local service_name="$(basename ${basescript:-$initscript})"
+
+	flock -n 1000 &> /dev/null
+	if [ "$?" != "0" ]; then
+		exec 1000>"$IPKG_INSTROOT/var/lock/procd_${service_name}.lock"
+		flock 1000
+		if [ "$?" != "0" ]; then
+			logger "warning: procd flock for $service_name failed"
+		fi
+	fi
+}
+
 _procd_call() {
 	local old_cb
 
@@ -47,6 +61,7 @@ _procd_call() {
 }
 
 _procd_wrapper() {
+	procd_lock
 	while [ -n "$1" ]; do
 		eval "$1() { _procd_call _$1 \"\$@\"; }"
 		shift
@@ -79,6 +94,9 @@ _procd_close_service() {
 	_procd_open_trigger
 	service_triggers
 	_procd_close_trigger
+	_procd_open_data
+	service_data
+	_procd_close_data
 	_procd_ubus_call ${1:-set}
 }
 
@@ -134,6 +152,18 @@ _procd_close_trigger() {
 	json_close_array
 }
 
+_procd_open_data() {
+	let '_procd_data_open = _procd_data_open + 1'
+	[ "$_procd_data_open" -gt 1 ] && return
+	json_add_object "data"
+}
+
+_procd_close_data() {
+	let '_procd_data_open = _procd_data_open - 1'
+	[ "$_procd_data_open" -lt 1 ] || return
+	json_close_object
+}
+
 _procd_open_validate() {
 	json_select ..
 	json_add_array "validate"
@@ -213,7 +243,7 @@ _procd_set_param() {
 			json_add_string "" "$@"
 			json_close_array
 		;;
-		nice)
+		nice|term_timeout)
 			json_add_int "$type" "$1"
 		;;
 		reload_signal)
@@ -351,8 +381,10 @@ _procd_close_instance() {
 	if json_select respawn ; then
 		json_get_values respawn_vals
 		if [ -z "$respawn_vals" ]; then
+			local respawn_threshold=$(uci_get system.@service[0].respawn_threshold)
+			local respawn_timeout=$(uci_get system.@service[0].respawn_timeout)
 			local respawn_retry=$(uci_get system.@service[0].respawn_retry)
-			_procd_add_array_data 3600 5 ${respawn_retry:-5}
+			_procd_add_array_data ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5}
 		fi
 		json_select ..
 	fi
@@ -381,6 +413,10 @@ _procd_send_signal() {
 	local instance="$2"
 	local signal="$3"
 
+	case "$signal" in
+		[A-Z]*)	signal="$(kill -l "$signal" 2>/dev/null)" || return 1;;
+	esac
+
 	json_init
 	json_add_string name "$service"
 	[ -n "$instance" -a "$instance" != "*" ] && json_add_string instance "$instance"
@@ -421,7 +457,7 @@ procd_add_mdns_service() {
 	json_add_int port "$port"
 	[ -n "$1" ] && {
 		json_add_array txt
-		for txt in $@; do json_add_string "" $txt; done
+		for txt in "$@"; do json_add_string "" "$txt"; done
 		json_select ..
 	}
 	json_select ..
@@ -430,7 +466,7 @@ procd_add_mdns_service() {
 procd_add_mdns() {
 	procd_open_data
 	json_add_object "mdns"
-	procd_add_mdns_service $@
+	procd_add_mdns_service "$@"
 	json_close_object
 	procd_close_data
 }
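Review bot: `procd_lock` builds the lock file name from an unquoted expansion, `basename ${basescript:-$initscript}`, so an init script path containing whitespace or glob characters is split before `basename` runs and the resulting name no longer identifies the service; `local service_name="$(basename "${basescript:-$initscript}")"` matches the quoting this same change introduces for `procd_add_mdns_service`. The probe `flock -n 1000 &> /dev/null` depends on the bash-style `&>` operator, which a strictly POSIX shell reads as a background job followed by a redirection, so `flock -n 1000 >/dev/null 2>&1` is the portable spelling. If the blocking `flock 1000` fails, the function only logs and the caller carries on without the lock; if that best-effort behaviour is intended, a comment such as `# best effort: continue unlocked if flock fails` would say so. The `_procd_close_instance` hunk has the same unquoted pattern in `${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5}`, where a UCI value containing spaces would add extra array entries.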

+ 4 - 4
package/system/rpcd/Makefile

@@ -11,11 +11,11 @@ PKG_NAME:=rpcd
 PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL=$(LEDE_GIT)/project/rpcd.git
-PKG_SOURCE_DATE:=2017-11-12
-PKG_SOURCE_VERSION:=a0231be8fbc61bb97e725eb206fc9b1ce9f69c05
+PKG_SOURCE_URL=$(PROJECT_GIT)/project/rpcd.git
+PKG_SOURCE_DATE:=2017-12-07
+PKG_SOURCE_VERSION:=cfe1e75c91bc1bac82e6caab3e652b0ebee59524
 PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
-PKG_MIRROR_HASH:=5f66a6ad2eced71cccd43fc011077806e3bbc6dadd0403175947a02c25fe6344
+PKG_MIRROR_HASH:=4857497c88115defbf6add68a37975ed79e8f992e65d7d0df56cd29288dea379
 
 PKG_LICENSE:=ISC
 PKG_LICENSE_FILES:=

+ 9 - 9
package/system/ubox/Makefile

@@ -4,10 +4,10 @@ PKG_NAME:=ubox
 PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL=$(LEDE_GIT)/project/ubox.git
-PKG_SOURCE_DATE:=2017-03-10
-PKG_SOURCE_VERSION:=16f7e16181e2f3e9cf3e2ce56a7e291844900d09
-PKG_MIRROR_HASH:=5f10f3df134eb8a69d281a73d39f5d2e2fc96af531a2f3960b0c6116ff11a707
+PKG_SOURCE_URL=$(PROJECT_GIT)/project/ubox.git
+PKG_SOURCE_DATE:=2018-02-14
+PKG_SOURCE_VERSION:=128bc35fa951ac3beff6e977bc3cced87c2e2600
+PKG_MIRROR_HASH:=f58dfb9a9bb69c6303cb69bbd850b14bd29ec59ea240bac4063fd74a7fce64aa
 CMAKE_INSTALL:=1
 
 PKG_LICENSE:=GPL-2.0
@@ -41,11 +41,11 @@ define Package/ubox/install
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/getrandom $(1)/usr/bin/
 	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libvalidate.so $(1)/lib
 
-	$(LN) ../../sbin/kmodloader $(1)/usr/sbin/rmmod
-	$(LN) ../../sbin/kmodloader $(1)/usr/sbin/insmod
-	$(LN) ../../sbin/kmodloader $(1)/usr/sbin/lsmod
-	$(LN) ../../sbin/kmodloader $(1)/usr/sbin/modinfo
-	$(LN) ../../sbin/kmodloader $(1)/usr/sbin/modprobe
+	$(LN) kmodloader $(1)/sbin/rmmod
+	$(LN) kmodloader $(1)/sbin/insmod
+	$(LN) kmodloader $(1)/sbin/lsmod
+	$(LN) kmodloader $(1)/sbin/modinfo
+	$(LN) kmodloader $(1)/sbin/modprobe
 endef
 
 define Package/logd/install

+ 1 - 1
package/system/ubox/files/log.init

@@ -39,7 +39,7 @@ start_service_daemon()
 	procd_open_instance
 	procd_set_param command "/sbin/logd"
 	procd_append_param command -S "${log_buffer_size}"
-	procd_set_param respawn
+	procd_set_param respawn 5 1 -1
 	procd_close_instance
 }
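Review bot: The three bare numbers in `procd_set_param respawn 5 1 -1` need a comment, since their meaning is only recoverable from `procd.sh`, where the defaults are passed in the order threshold, timeout, retry. Something like `# respawn: threshold 5, timeout 1, retry -1 (presumably no retry limit; confirm against procd)` above the line would do. Because logd is the system logger, it is worth confirming that a crash loop under these settings is still reported somewhere, as the log daemon itself cannot record it. `start_service_daemon` begins outside the hunk.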
 

+ 4 - 4
package/system/ubus/Makefile

@@ -4,10 +4,10 @@ PKG_NAME:=ubus
 PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL=$(LEDE_GIT)/project/ubus.git
-PKG_SOURCE_DATE:=2017-02-18
-PKG_SOURCE_VERSION:=34c6e818e431cc53478a0f7c7c1eca07d194d692
-PKG_MIRROR_HASH:=fc4f1121faa4f5b8fa52ee25460b98b2e60e7d245aefa70e7f76c56ce5628fd5
+PKG_SOURCE_URL=$(PROJECT_GIT)/project/ubus.git
+PKG_SOURCE_DATE:=2018-01-16
+PKG_SOURCE_VERSION:=5bae22eb5472c9c7cc30caa9a84004bba19940d3
+PKG_MIRROR_HASH:=6f46398279339dcc597965306275fe1272af384f8cb253ee8de2c68e366eed55
 CMAKE_INSTALL:=1
 
 PKG_LICENSE:=LGPL-2.1

+ 3 - 3
package/system/uci/Makefile

@@ -11,11 +11,11 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=uci
 PKG_RELEASE:=1
 
-PKG_SOURCE_URL=$(LEDE_GIT)/project/uci.git
+PKG_SOURCE_URL=$(PROJECT_GIT)/project/uci.git
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_DATE=2018-01-01
-PKG_SOURCE_VERSION:=141b64ef84f43c954e665865b1bbf216fbf7c05f
-PKG_MIRROR_HASH:=fbd837a16cfa6b0d80f5a4b332b86a105a2b9d37480bcc777931fdea7ce601c9
+PKG_SOURCE_VERSION:=5beb95da3dbec6db11a6bdfaab7807ee2daf41e6
+PKG_MIRROR_HASH:=123c5d3ed8f86db76ab52584e952c8e870891bca4dab682b753ca384d7d067bf
 
 PKG_LICENSE:=LGPL-2.1
 PKG_LICENSE_FILES:=

+ 3 - 2
package/system/uci/files/lib/config/uci.sh

@@ -118,9 +118,10 @@ uci_add() {
 uci_rename() {
 	local PACKAGE="$1"
 	local CONFIG="$2"
-	local VALUE="$3"
+	local OPTION="$3"
+	local VALUE="$4"
 
-	/sbin/uci ${UCI_CONFIG_DIR:+-c $UCI_CONFIG_DIR} rename "$PACKAGE.$CONFIG=$VALUE"
+	/sbin/uci ${UCI_CONFIG_DIR:+-c $UCI_CONFIG_DIR} rename "$PACKAGE.$CONFIG${VALUE:+.$OPTION}=${VALUE:-$OPTION}"
 }
 
 uci_remove() {
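Review bot: `uci_rename` decides between the section form and the option form by whether `$4` is non-empty, so a call that passes an empty fourth argument (for example an unset variable as the new option name) silently falls back to renaming the whole section to the value of `$3`. Testing the argument count as well removes the ambiguity, e.g. `[ "$#" -lt 4 ] || [ -n "$VALUE" ] || return 1` before the `/sbin/uci` call. A short header comment documenting both call forms, `uci_rename <package> <section> <newname>` and `uci_rename <package> <section> <option> <newname>`, would help callers written against the old three-argument signature. `uci_remove` starts on the hunk's last line and continues outside it.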

+ 1 - 1
package/system/usign/Makefile

@@ -4,7 +4,7 @@ PKG_NAME:=usign
 PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL=$(LEDE_GIT)/project/usign.git
+PKG_SOURCE_URL=$(PROJECT_GIT)/project/usign.git
 PKG_SOURCE_DATE:=2015-07-04
 PKG_SOURCE_VERSION:=ef6419142a3b0fbcddcccf536e3c1880302c6f89
 PKG_MIRROR_HASH:=9499ed7e40889b364e446a428e185c40986b75087888bd7e1496542457a6dbaa

+ 3 - 3
package/utils/px5g/Makefile

@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=px5g
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 PKG_LICENSE:=LGPL-2.1
 PKG_BUILD_DIR:=$(BUILD_DIR)/px5g-$(BUILD_VARIANT)
 
@@ -47,7 +47,7 @@ define Build/Prepare
 	mkdir -p $(PKG_BUILD_DIR)
 endef
 
-TARGET_LDFLAGS := -lmbedtls -lmbedx509 -lmbedcrypto
+TARGET_LDFLAGS += -lmbedtls -lmbedx509 -lmbedcrypto
 
 ifeq ($(BUILD_VARIANT),standalone)
   TARGET_LDFLAGS := -Wl,-Bstatic $(TARGET_LDFLAGS) -Wl,-Bdynamic
@@ -56,7 +56,7 @@ endif
 TARGET_CFLAGS += -Wl,--gc-sections
 
 define Build/Compile
-	$(TARGET_CC) $(TARGET_CFLAGS) -o $(PKG_BUILD_DIR)/px5g px5g.c $(TARGET_LDFLAGS)
+	$(TARGET_CC) $(TARGET_CPPFLAGS) $(TARGET_CFLAGS) -o $(PKG_BUILD_DIR)/px5g px5g.c $(TARGET_LDFLAGS)
 endef
 
 define Package/px5g-mbedtls/install
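Review bot: With `TARGET_LDFLAGS += -lmbedtls -lmbedx509 -lmbedcrypto` the inherited linker flags are now kept, but the `standalone` branch just below still wraps the whole of `$(TARGET_LDFLAGS)` in `-Wl,-Bstatic … -Wl,-Bdynamic`, so anything inherited is placed inside the static region as well. Whether the inherited value ever carries `-l` options is not visible here; if it can, keeping the libraries in their own variable, `PX5G_LIBS := -lmbedtls -lmbedx509 -lmbedcrypto`, and wrapping only `$(PX5G_LIBS)` limits static linking to the three mbed TLS libraries. The `ifeq` block is closed outside the first hunk.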

Some files were not shown because too many files changed in this diff