[OpenWrt-Devel] [PATCH] update libnetfilter_conntrack to version 1.0.4

2015-03-27 Thread Christian Mehlis
This updates libnetfilter_conntrack to the latest stable version 1.0.4 which was released Aug-06-2013. Changeset is available here: http://git.netfilter.org/libnetfilter_conntrack/log/ Signed-off-by: Christian Mehlis --- package/libs/libnetfilter-conntrack/Makefile | 4 ++-- 1 file changed, 2 i

Re: [OpenWrt-Devel] adding seccomp and service jailing to procd

2015-03-27 Thread Luka Perkov
Hi John, On Fri, Mar 27, 2015 at 07:58:46PM +0100, John Crispin wrote: > On 27/03/2015 19:56, Luka Perkov wrote: > > Hi John, > > > > On Fri, Mar 27, 2015 at 03:37:33PM +0100, John Crispin wrote: > >>> Also i would love to hear the pro and cons of extending ubus > >>> vs switching to kdbus (i'm n

Re: [OpenWrt-Devel] adding seccomp and service jailing to procd

2015-03-27 Thread John Crispin
On 27/03/2015 19:56, Luka Perkov wrote: > Hi John, > > On Fri, Mar 27, 2015 at 03:37:33PM +0100, John Crispin wrote: >>> Also i would love to hear the pro and cons of extending ubus >>> vs switching to kdbus (i'm not trying to start a debate, and i >>> really have no idea of the work involved, j

Re: [OpenWrt-Devel] adding seccomp and service jailing to procd

2015-03-27 Thread Luka Perkov
Hi John, On Fri, Mar 27, 2015 at 03:37:33PM +0100, John Crispin wrote: > > Also i would love to hear the pro and cons of extending ubus vs > > switching to kdbus > > (i'm not trying to start a debate, and i really have no idea of the work > > involved, just curious) > > we need to discuss this in

Re: [OpenWrt-Devel] ptrace and pselect

2015-03-27 Thread Karl Palsson
Are you still seeing this? Please note that the official BB build only has mosquitto 1.3.4. If you want to use 1.4, either use the feed: https://github.com/remakeelectric/owrt_pub_feeds or update to a CC based tree. Sorry, I've been on holidays, and only just saw this, but I'm the mosquitto main

Re: [OpenWrt-Devel] adding seccomp and service jailing to procd

2015-03-27 Thread Etienne Champetier
Hi again, 2015-03-27 15:37 GMT+01:00 John Crispin : > > > On 27/03/2015 13:45, Etienne Champetier wrote: > > Hi, > > > > > > 2015-03-27 10:42 GMT+01:00 John Crispin > >: > > > > OpenWrt service hardening and jailing > > = > >

Re: [OpenWrt-Devel] adding seccomp and service jailing to procd

2015-03-27 Thread John Crispin
On 27/03/2015 13:45, Etienne Champetier wrote: > Hi, > > > 2015-03-27 10:42 GMT+01:00 John Crispin >: > > OpenWrt service hardening and jailing > = > > > <...> > > > If there are features that we are not aware of

[OpenWrt-Devel] [PATCH] gemini: fix usb driver compilation on 3.18

2015-03-27 Thread Roman Yeryomin
Signed-off-by: Roman Yeryomin --- target/linux/gemini/files/drivers/usb/host/ehci-fotg2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/target/linux/gemini/files/drivers/usb/host/ehci-fotg2.c b/target/linux/gemini/files/drivers/usb/host/ehci-fotg2.c index 4d95f2e..0717a

Re: [OpenWrt-Devel] DHCPv6 flash renumbering patches with HE tunnel breaks

2015-03-27 Thread Bjørn Mork
Steven Barth writes: >> >> The problem is that you try to be "smart" by abusing the ability to set >> the address preferred lifetime lower than T1. I don't dispute that it >> is allowed by the RFC, but it is definitely not recommended. > There is no formal requirement (not even a SHOULD) that sa

Re: [OpenWrt-Devel] adding seccomp and service jailing to procd

2015-03-27 Thread Etienne Champetier
Hi, 2015-03-27 10:42 GMT+01:00 John Crispin : > OpenWrt service hardening and jailing > = > > > <...> > If there are features that we are not aware of yet or that we forgot to > list, then please let us know about them. > > Comments and ideas are welcome ...

Re: [OpenWrt-Devel] DHCPv6 flash renumbering patches with HE tunnel breaks

2015-03-27 Thread Arjen de Korte
Quoting Steven Barth: The problem is that you try to be "smart" by abusing the ability to set the address preferred lifetime lower than T1. I don't dispute that it is allowed by the RFC, but it is definitely not recommended. There is no formal requirement (not even a SHOULD) that says otherw

Re: [OpenWrt-Devel] DHCPv6 flash renumbering patches with HE tunnel breaks

2015-03-27 Thread Steven Barth
On 27.03.2015 10:41, Kevin Darbyshire-Bryant wrote: On 26/03/2015 23:51, Steven Barth wrote: Radvd isn't part of OpenWrt for a while. dnsmasq doesn't support downstream delegation and its DHCPv6 features aren't well integrated if you have a dynamic prefix e.g. delegated from your ISP. I've be

Re: [OpenWrt-Devel] DHCPv6 flash renumbering patches with HE tunnel breaks

2015-03-27 Thread Steven Barth
The problem is that you try to be "smart" by abusing the ability to set the address preferred lifetime lower than T1. I don't dispute that it is allowed by the RFC, but it is definitely not recommended. There is no formal requirement (not even a SHOULD) that says otherwise. The recommendation

Re: [OpenWrt-Devel] DHCPv6 flash renumbering patches with HE tunnel breaks

2015-03-27 Thread Bjørn Mork
Steven Barth writes: > If the DHCPv6 server sends values for T1 and / or T2 which are valid > the client must honor them and not try to be "smart" about lifetimes > of addresses. The problem is that you try to be "smart" by abusing the ability to set the address preferred lifetime lower than T1.

Re: [OpenWrt-Devel] IPv6: network segmentation, use of vlan and IPsec

2015-03-27 Thread Charlie Smurthwaite
Hi Gnutella, This is likely not the correct mailing list for general network questions like this, and I'd suggest you go to somewhere like ##networking on Freenode to talk about this, however I'll try to answer your questions :) Firstly, your question seems to lack the clear distinction that

[OpenWrt-Devel] adding seccomp and service jailing to procd

2015-03-27 Thread John Crispin
OpenWrt service hardening and jailing = Current firmware builds have the problem, that a lot of services are running as root. This is especially critical for those services exposed to the network. Once an attacker has managed to compromise such a service he has

Re: [OpenWrt-Devel] DHCPv6 flash renumbering patches with HE tunnel breaks

2015-03-27 Thread Kevin Darbyshire-Bryant
On 26/03/2015 23:51, Steven Barth wrote: > Radvd isn't part of OpenWrt for a while. dnsmasq doesn't support > downstream delegation and its DHCPv6 features aren't well integrated > if you have a dynamic prefix e.g. delegated from your ISP. I've been messing with the 'constructor' option for quite a

[OpenWrt-Devel] IPv6: network segmentation, use of vlan and IPsec

2015-03-27 Thread Jean-Michel Pouré - GOOZE
Dear friends, I am studying IPv6 networks and would like to share some ideas with the community. At present, I am not sure to understand how to filter traffic and split networks. Here are a few questions: vlan: IPv6 has no broadcast. Do we still need vlans to segment traffic? Would you recommend

Re: [OpenWrt-Devel] EAP-TLS / EAP-TTLS PAP

2015-03-27 Thread Jean-Michel Pouré - GOOZE
On Thursday, 26 March 2015 at 14:33 +0100, Bernd Naumann wrote: > K back to the plot: > Know you any hostapd configurations or other software in openwrt which > can achieve that goal? Are there any issues which might can lead to > problems or other downsides I may have missed? Reasons against? I am n