Merge pull request from GHSA-xqhj-fmc7-f8mv

ecdsautils: verify: fix signature verification (CVE-2022-24884)

README.md

@@ -21,7 +21,7 @@ the future development of Gluon.
 
 Please refrain from using the `master` branch for anything else but development purposes!
 Use the most recent release instead. You can list all releases by running `git tag`
-and switch to one by running `git checkout v2019.1 && make update`.
+and switch to one by running `git checkout v2019.1.3 && make update`.
 
 If you're using the autoupdater, do not autoupdate nodes with anything but releases.
 If you upgrade using random master commits the nodes *will break* eventually.

contrib/ci/Jenkinsfile

@@ -0,0 +1,27 @@
+pipeline {
+    agent { label 'gluon-docker' }
+    environment {
+        GLUON_SITEDIR = "contrib/ci/minimal-site"
+        GLUON_TARGET = "x86-64"
+        BUILD_LOG = "1"
+    }
+    stages {
+        stage('lint') {
+            steps {
+                sh 'luacheck package scripts targets'
+            }
+        }
+        stage('docs') {
+            steps {
+                sh 'make -C docs html'
+            }
+        }
+        stage('build') {
+            steps {
+                sh 'make update'
+                sh 'test -d /dl_cache && ln -s /dl_cache openwrt/dl || true'
+                sh 'make -j$(nproc) V=s'
+            }
+        }
+    }
+}

contrib/ci/jenkins-community-slave/Dockerfile

@@ -0,0 +1,33 @@
+FROM gluon
+
+USER root
+
+# this is needed to install default-jre-headless in debian slim images
+RUN mkdir -p /usr/share/man/man1
+ 
+RUN apt-get update && apt-get install -y default-jre-headless curl python3 python3-pip python3-sphinx git
+RUN pip3 install jenkins-webapi sphinx_rtd_theme
+ 
+# Get docker-compose in the agent container
+RUN mkdir -p /home/jenkins
+RUN mkdir -p /var/lib/jenkins
+RUN mkdir -p /remoting
+RUN chown gluon /home/jenkins
+RUN chown gluon /var/lib/jenkins
+RUN chown gluon /remoting
+ 
+# Start-up script to attach the slave to the master
+ADD slave.py /var/lib/jenkins/slave.py
+
+USER gluon
+ 
+WORKDIR /home/jenkins
+
+ENV JENKINS_URL "https://build.ffh.zone/"
+ENV JENKINS_SLAVE_ADDRESS ""
+ENV SLAVE_EXECUTORS "1"
+ENV SLAVE_LABELS "docker"
+ENV SLAVE_WORING_DIR ""
+ENV CLEAN_WORKING_DIR "true"
+ 
+CMD [ "python3", "-u", "/var/lib/jenkins/slave.py" ]

contrib/ci/jenkins-community-slave/README.md

@@ -0,0 +1,32 @@
+# Gluon CI using Jenkins
+
+## Requirements
+- Only a host with docker.
+
+## Architecture
+
+![Screenshot from 2019-09-24 00-20-32](https://user-images.githubusercontent.com/601153/65468827-9edf2c80-de65-11e9-9fe0-56c3487719c3.png)
+
+## Installation
+You can support the gluon CI with your infrastructure:
+1. You need to query @lemoer (freifunk@irrelefant.net) for credentials.
+2. He will give you a `SLAVE_NAME` and a `SLAVE_SECRET` for your host.
+3. Then go to your docker host and substitute the values for  `SLAVE_NAME` and a `SLAVE_SECRET` in the following statements:
+``` shell
+git clone https://github.com/freifunk-gluon/gluon/
+cd gluon/contrib/ci/jenkins-community-slave/
+docker build -t gluon-jenkins .
+mkdir /var/cache/openwrt_dl_cache/
+docker run --detach --restart always \
+    -e "SLAVE_NAME=whoareyou" \
+    -e "SLAVE_SECRET=changeme" \
+    -v /var/cache/openwrt_dl_cache/:/dl_cache
+```
+4. Check whether the instance is running correctly:
+   - Your node should appear [here](https://build.ffh.zone/label/gluon-docker/).
+   - When clicking on it, Jenkins should state "Agent is connected." like here: 
+![Screenshot from 2019-09-24 01-00-52](https://user-images.githubusercontent.com/601153/65469209-dac6c180-de66-11e9-9d62-0d1c3b6b940b.png)
+5. **Your docker container needs to be rebuilt, when the build dependencies of gluon change. So please be aware of that and update your docker container in that case.** 
+
+## Backoff
+- If @lemoer is not reachable, please be patient at first if possible. Otherwise contact info@hannover.freifunk.net or join the channel `#freifunkh` on hackint.

contrib/ci/jenkins-community-slave/slave.py

@@ -0,0 +1,103 @@
+from jenkins import Jenkins, JenkinsError, NodeLaunchMethod
+import os
+import signal
+import sys
+import urllib.request
+import subprocess
+import shutil
+import requests
+import time
+
+slave_jar = '/var/lib/jenkins/slave.jar'
+slave_name = os.environ['SLAVE_NAME'] if os.environ['SLAVE_NAME'] != '' else 'docker-slave-' + os.environ['HOSTNAME']
+jnlp_url = os.environ['JENKINS_URL'] + '/computer/' + slave_name + '/slave-agent.jnlp'
+slave_jar_url = os.environ['JENKINS_URL'] + '/jnlpJars/slave.jar'
+print(slave_jar_url)
+process = None
+
+def clean_dir(dir):
+    for root, dirs, files in os.walk(dir):
+        for f in files:
+            os.unlink(os.path.join(root, f))
+        for d in dirs:
+            shutil.rmtree(os.path.join(root, d))
+
+def slave_create(node_name, working_dir, executors, labels):
+    j = Jenkins(os.environ['JENKINS_URL'], os.environ['JENKINS_USER'], os.environ['JENKINS_PASS'])
+    j.node_create(node_name, working_dir, num_executors = int(executors), labels = labels, launcher = NodeLaunchMethod.JNLP)
+
+def slave_delete(node_name):
+    j = Jenkins(os.environ['JENKINS_URL'], os.environ['JENKINS_USER'], os.environ['JENKINS_PASS'])
+    j.node_delete(node_name)
+
+def slave_download(target):
+    if os.path.isfile(slave_jar):
+        os.remove(slave_jar)
+
+    loader = urllib.request.URLopener()
+    loader.retrieve(os.environ['JENKINS_URL'] + '/jnlpJars/slave.jar', '/var/lib/jenkins/slave.jar')
+
+def slave_run(slave_jar, jnlp_url):
+    params = [ 'java', '-jar', slave_jar, '-jnlpUrl', jnlp_url ]
+    if os.environ['JENKINS_SLAVE_ADDRESS'] != '':
+        params.extend([ '-connectTo', os.environ['JENKINS_SLAVE_ADDRESS' ] ])
+
+    if os.environ['SLAVE_SECRET'] == '':
+        params.extend([ '-jnlpCredentials', os.environ['JENKINS_USER'] + ':' + os.environ['JENKINS_PASS'] ])
+    else:
+        params.extend([ '-secret', os.environ['SLAVE_SECRET'] ])
+    return subprocess.Popen(params, stdout=subprocess.PIPE)
+
+def signal_handler(sig, frame):
+    if process != None:
+        process.send_signal(signal.SIGINT)
+
+signal.signal(signal.SIGINT, signal_handler)
+signal.signal(signal.SIGTERM, signal_handler)
+
+def h():
+    print("ERROR!: please specify environment variables")
+    print("")
+    print('docker run -e "SLAVE_NAME=test" -e "SLAVE_SECRET=..." jenkins')
+
+if os.environ.get('SLAVE_NAME') is None:
+    h()
+    sys.exit(1)
+
+if os.environ.get('SLAVE_SECRET') is None:
+    h()
+    sys.exit(1)
+
+def master_ready(url):
+    try:
+        r = requests.head(url, verify=False, timeout=None)
+        return r.status_code == requests.codes.ok
+    except:
+        return False
+
+while not master_ready(slave_jar_url):
+    print("Master not ready yet, sleeping for 10sec!")
+    time.sleep(10)
+
+slave_download(slave_jar)
+print('Downloaded Jenkins slave jar.')
+
+if os.environ['SLAVE_WORING_DIR']:
+    os.setcwd(os.environ['SLAVE_WORING_DIR'])
+
+if os.environ['CLEAN_WORKING_DIR'] == 'true':
+    clean_dir(os.getcwd())
+    print("Cleaned up working directory.")
+
+if os.environ['SLAVE_NAME'] == '':
+    slave_create(slave_name, os.getcwd(), os.environ['SLAVE_EXECUTORS'], os.environ['SLAVE_LABELS'])
+    print('Created temporary Jenkins slave.')
+
+process = slave_run(slave_jar, jnlp_url)
+print('Started Jenkins slave with name "' + slave_name + '" and labels [' + os.environ['SLAVE_LABELS'] + '].')
+process.wait()
+
+print('Jenkins slave stopped.')
+if os.environ['SLAVE_NAME'] == '':
+    slave_delete(slave_name)
+    print('Removed temporary Jenkins slave.')

contrib/ci/minimal-site/i18n

@@ -0,0 +1 @@
+../../../docs/site-example/i18n/

contrib/ci/minimal-site/modules

@@ -0,0 +1 @@
+../../../docs/site-example/modules

contrib/ci/minimal-site/site.conf

@@ -0,0 +1,154 @@
+-- This is an example site configuration for Gluon v2018.2+
+--
+-- Take a look at the documentation located at
+-- https://gluon.readthedocs.io/ for details.
+--
+-- This configuration will not work as is. You're required to make
+-- community specific changes to it!
+{
+  -- Used for generated hostnames, e.g. freifunk-abcdef123456. (optional)
+  -- hostname_prefix = 'freifunk-',
+
+  -- Name of the community.
+  site_name = 'Continious Integration',
+
+  -- Shorthand of the community.
+  site_code = 'ci',
+
+  -- 32 bytes of random data, encoded in hexadecimal
+  -- This data must be unique among all sites and domains!
+  -- Can be generated using: echo $(hexdump -v -n 32 -e '1/1 "%02x"' </dev/urandom)
+  domain_seed = 'e9608c4ff338b920992d629190e9ff11049de1dfc3f299eac07792dfbcda341c',
+
+  -- Prefixes used within the mesh.
+  -- prefix6 is required, prefix4 can be omitted if next_node.ip4
+  -- is not set.
+  prefix4 = '10.0.0.0/20',
+  prefix6 = 'fd::/64',
+
+  -- Timezone of your community.
+  -- See https://openwrt.org/docs/guide-user/base-system/system_configuration#time_zones
+  timezone = 'CET-1CEST,M3.5.0,M10.5.0/3',
+
+  -- List of NTP servers in your community.
+  -- Must be reachable using IPv6!
+  --  ntp_servers = {'1.ntp.services.ffxx'},
+
+  -- Wireless regulatory domain of your community.
+  regdom = 'DE',
+
+  -- Wireless configuration for 2.4 GHz interfaces.
+  wifi24 = {
+    -- Wireless channel.
+    channel = 1,
+
+    -- ESSID used for client network.
+    ap = {
+      ssid = 'gluon-ci-ssid',
+      -- disabled = true, -- (optional)
+    },
+
+    mesh = {
+      -- Adjust these values!
+      id = 'ueH3uXjdp', -- usually you don't want users to connect to this mesh-SSID, so use a cryptic id that no one will accidentally mistake for the client WiFi
+      mcast_rate = 12000,
+      -- disabled = true, -- (optional)
+    },
+  },
+
+  -- Wireless configuration for 5 GHz interfaces.
+  -- This should be equal to the 2.4 GHz variant, except
+  -- for channel.
+  wifi5 = {
+    channel = 44,
+    outdoor_chanlist = '100-140',
+    ap = {
+      ssid = 'gluon-ci-ssid',
+    },
+    mesh = {
+      -- Adjust these values!
+      id = 'ueH3uXjdp',
+      mcast_rate = 12000,
+    },
+  },
+
+
+  -- The next node feature allows clients to always reach the node it is
+  -- connected to using a known IP address.
+  next_node = {
+    -- anycast IPs of all nodes
+    -- name = { 'nextnode.location.community.example.org', 'nextnode', 'nn' },
+    ip4 = '10.0.0.1',
+    ip6 = 'fd::1',
+  },
+
+  mesh = {
+    vxlan = true,
+    batman_adv = {
+      routing_algo = 'BATMAN_IV'
+    }
+  },
+
+  mesh_vpn = {
+    -- enabled = true,
+    mtu = 1312,
+
+    fastd = {
+      -- Refer to https://fastd.readthedocs.io/en/latest/ to better understand
+      -- what these options do.
+
+      -- List of crypto-methods to use.
+      methods = {'salsa2012+umac'},
+      -- configurable = true,
+      -- syslog_level = 'warn',
+
+      groups = {
+        backbone = {
+          -- Limit number of connected peers to reduce bandwidth.
+          limit = 1,
+
+          -- List of peers.
+          peers = {
+          },
+
+        },
+      },
+    },
+
+    bandwidth_limit = {
+      -- The bandwidth limit can be enabled by default here.
+      enabled = false,
+
+      -- Default upload limit (kbit/s).
+      egress = 200,
+
+      -- Default download limit (kbit/s).
+      ingress = 3000,
+    },
+  },
+
+  autoupdater = {
+    -- Default branch. Don't forget to set GLUON_BRANCH when building!
+    branch = 'stable',
+
+    -- List of branches. You may define multiple branches.
+    branches = {
+      stable = {
+        name = 'stable',
+
+        -- List of mirrors to fetch images from. IPv6 required!
+        mirrors = {'http://1.updates.services.ffhl/stable/sysupgrade'},
+
+        -- Number of good signatures required.
+        -- Have multiple maintainers sign your build and only
+        -- accept it when a sufficient number of them have
+        -- signed it.
+        good_signatures = 2,
+
+        -- List of public keys of maintainers.
+        pubkeys = {
+        },
+      },
+    },
+  },
+}

contrib/ci/minimal-site/site.mk

@@ -0,0 +1 @@
+../../../docs/site-example/site.mk

docs/conf.py

@@ -24,7 +24,7 @@ copyright = '2015-2019, Project Gluon'
 author = 'Project Gluon'
 
 # The short X.Y version
-version = '2018.2+'
+version = '2019.1.3'
 # The full version, including alpha/beta/rc tags
 release = version
 

docs/features/roles.rst

@@ -28,7 +28,7 @@ If you want node owners to change the defined roles via config-mode you can add
 
 The role is saved in ``gluon-node-info.system.role``. To change the role using command line do::
 
-  uci set gluon-node-info.system.role="$ROLE"
+  uci set gluon-node-info.@system[0].role="$ROLE"
   uci commit
 
 Please replace ``$ROLE`` by the role you want the node to own.

docs/index.rst

@@ -74,7 +74,11 @@ Several Freifunk communities in Germany use Gluon as the foundation of their Fre
    :caption: Releases
    :maxdepth: 1
 
+   releases/v2019.1.3
+   releases/v2019.1.2
+   releases/v2019.1.1
    releases/v2019.1
+   releases/v2018.2.4
    releases/v2018.2.3
    releases/v2018.2.2
    releases/v2018.2.1

docs/package/gluon-hoodselector.rst

@@ -36,7 +36,7 @@ example of a regional domain:
 Behaviour
 ------------------
 
-The following is an abstract state diagramm which gives an overview
+The following is an abstract state diagram which gives an overview
 of the process:
 
 .. image:: ./gluon-hoodselector.svg
@@ -61,7 +61,7 @@ It provides a fallback to the default domain.
 Domain shapes
 -------------
 
-There are two types of domains: the unique dehault one without a defined shape
+There are two types of domains: the unique default one without a defined shape
 and others which contain shapes.
 
 * **default domain**

docs/package/gluon-mesh-batman-adv.rst

@@ -99,7 +99,7 @@ Furthermore, by default IGMP and MLD messages are filtered. See
 :ref:`site.conf mesh section <user-site-mesh>` and
 :ref:`igmp-mld-domain-segmentation` for details.
 
-To achieve some level of scalabilty for multicast, multicast group
+To achieve some level of scalability for multicast, multicast group
 awareness is implemented and utilized in the following ways:
 
 Node-Local Multicast Handling

docs/releases/v2018.2.4.rst

@@ -0,0 +1,53 @@
+Gluon 2018.2.4
+==============
+
+End of life
+~~~~~~~~~~~~~~
+
+This will be the final release of the v2018.2.x series. Updating to the v2019.1.x release series is the recommended course of action, which should be fairly easy.
+
+Bugfixes
+~~~~~~~~
+
+* Fixes device alias for Ubiquiti UniFi AC LR. (`#1834 <https://github.com/freifunk-gluon/gluon/issues/1834>`_)
+  Autoupdates on this model were impossible before, since we were missing the proper device alias.
+
+* Add correct ath10k firmware package for OCEDO Koala. (`#1838 <https://github.com/freifunk-gluon/gluon/pull/1838>`_)
+
+* Fixes various batman-adv bugs with backports from 2019.4 and 2019.5 by updating the openwrt-routing packages feed
+
+Other changes
+~~~~~~~~~~~~~
+
+* Linux kernel has been updated to either
+  
+  - 4.9.207 (ar71xx, brcm2708, mpc85xx) or
+  - 4.14.160 (ipq40xx, ipq806x, mvebu, ramips, sunxi, x86).
+
+Known issues
+~~~~~~~~~~~~
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are
+  unknown (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* The MAC address of the WAN interface is modified even when Mesh-on-WAN is
+  disabled (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected
+  (like VMware when promiscuous mode is disallowed).
+
+* Inconsistent respondd API
+  (`#522 <https://github.com/freifunk-gluon/gluon/issues/522>`_)
+
+  The current API is inconsistent and will be replaced eventually. The old API
+  will still be supported for a while.
+
+* Frequent reboots due to out-of-memory or high load due to memory pressure on
+  weak hardware especially in larger meshes
+  (`#1243 <https://github.com/freifunk-gluon/gluon/issues/1243>`_)
+
+  Optimizations in Gluon 2018.1 have significantly improved memory usage.
+  There are still known bugs leading to unreasonably high load that we hope to
+  solve in future releases.

docs/releases/v2019.1.1.rst

@@ -0,0 +1,62 @@
+Gluon 2019.1.1
+##############
+
+Bugfixes
+********
+
+* Fixes device alias for Ubiquiti UniFi AC LR. (`#1834 <https://github.com/freifunk-gluon/gluon/issues/1834>`_)
+  Autoupdates on this model were impossible before, since we were missing the proper device alias.
+
+* Add correct ath10k firmware package for OCEDO Koala. (`#1838 <https://github.com/freifunk-gluon/gluon/pull/1838>`_)
+
+* Fixes various batman-adv bugs with backports from 2019.4 and 2019.5 by updating the openwrt-routing packages feed.
+
+* Fixes node role list.  (`#1851 <https://github.com/freifunk-gluon/gluon/issues/1851>`_)
+  With Gluon v2019.1 it became impossible to change the role of a node via the config mode.
+
+Other Changes
+*************
+
+* Linux kernel has been updated to either
+
+  - 4.9.207 (ar71xx, brcm2708, mpc85xx) or
+  - 4.14.160 (ipq40xx, ipq806x, mvebu, ramips, sunxi, x86).
+
+Known issues
+************
+
+* Out of memory situations with high client count on ath9k.
+  (`#1768 <https://github.com/freifunk-gluon/gluon/issues/1768>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+   - | Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+     | Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+     | metric.
+
+   - | Throughput values are not correctly acquired for different interface types.
+     | (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+     | This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* The MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).
+
+* Inconsistent respondd API (`#522 <https://github.com/freifunk-gluon/gluon/issues/522>`_)
+
+  The current API is inconsistent and will be replaced eventually. The old API will still be supported for a while.
+
+* Frequent reboots due to out-of-memory or high load due to memory pressure on weak hardware especially in larger
+  meshes (`#1243 <https://github.com/freifunk-gluon/gluon/issues/1243>`_)
+
+  Optimizations in Gluon 2018.1 have significantly improved memory usage.
+  There are still known bugs leading to unreasonably high load that we hope to
+  solve in future releases.
+

docs/releases/v2019.1.2.rst

@@ -0,0 +1,58 @@
+Gluon 2019.1.2
+##############
+
+Bugfixes
+********
+
+* Fixes a buffer-overflow vulnerability in libubox, a core component of OpenWrt
+  (CVE-2020-7248)
+
+* Fixes a vulnerability in the OpenWrt package manager (opkg). By using this vulnerability,
+  an attacker could bypass the integrity check of the package artifacts. (CVE-2020-7982)
+
+Other Changes
+*************
+
+* Linux kernel has been updated to either
+
+  - 4.9.211 (ar71xx, brcm2708, mpc85xx) or
+  - 4.14.167 (ipq40xx, ipq806x, mvebu, ramips, sunxi, x86).
+
+Known issues
+************
+
+* Out of memory situations with high client count on ath9k.
+  (`#1768 <https://github.com/freifunk-gluon/gluon/issues/1768>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+   - | Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+     | Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+     | metric.
+
+   - | Throughput values are not correctly acquired for different interface types.
+     | (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+     | This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* The MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).
+
+* Inconsistent respondd API (`#522 <https://github.com/freifunk-gluon/gluon/issues/522>`_)
+
+  The current API is inconsistent and will be replaced eventually. The old API will still be supported for a while.
+
+* Frequent reboots due to out-of-memory or high load due to memory pressure on weak hardware especially in larger
+  meshes (`#1243 <https://github.com/freifunk-gluon/gluon/issues/1243>`_)
+
+  Optimizations in Gluon 2018.1 have significantly improved memory usage.
+  There are still known bugs leading to unreasonably high load that we hope to
+  solve in future releases.
+

docs/releases/v2019.1.3.rst

@@ -0,0 +1,68 @@
+Gluon 2019.1.3
+==============
+
+Bugfixes
+--------
+
+- Fixes a bug in the tunneldigger watchdog where the watchdog would incorrectly find itself while looking up the running tunneldigger process. It then went on and assumed a PID mismatch between the tunneldigger service and its PID file and therefore caused an unnecessary restart of the tunnel. (`#1952 <https://github.com/freifunk-gluon/gluon/issues/1952>`_)
+
+- Fixes an oversight in the firewalling of the respondd service where queries from prefix listed in ``extra_prefixes6`` would be dropped. (`#1941 <https://github.com/freifunk-gluon/gluon/issues/1941>`_)
+
+- Fixes a bug in ``gluon-web`` where forms would not correctly update their field visibility on reset. This affected, for example, the private wifi page in the config mode. (`#1970 <https://github.com/freifunk-gluon/gluon/pull/1970>`_)
+
+- Fixes RX buffer sizing in the ath10k driver to allow for frames larger than 1528 Bytes. (`#1992 <https://github.com/freifunk-gluon/gluon/pull/1992>`_)
+
+- Fixed handling of mesh interfaces together with outdoor mode, site.conf defaults and config mode (`#2049 <https://github.com/freifunk-gluon/gluon/pull/2049>`_) (`#2054 <https://github.com/freifunk-gluon/gluon/pull/2054>`_)
+
+- Fixes a bug with perl when building Gluon v2019.1.x with GCC10
+
+- Fixes a buffer leak in fastd when receiving invalid packets
+
+Other Changes
+-------------
+
+- Linux kernel has been updated to either
+
+  - 4.9.237 (ar71xx, brcm2708, mpc85xx) or
+  - 4.14.199 (ipq40xx, ipq806x, mvebu, ramips, sunxi, x86).
+
+- Backports of batman-adv bugfixes
+
+Known issues
+------------
+
+* Out of memory situations with high client count on ath9k.
+  (`#1768 <https://github.com/freifunk-gluon/gluon/issues/1768>`_)
+
+* The integration of the BATMAN_V routing algorithm is incomplete.
+
+   - | Mesh neighbors don't appear on the status page. (`#1726 <https://github.com/freifunk-gluon/gluon/issues/1726>`_)
+     | Many tools have the BATMAN_IV metric hardcoded, these need to be updated to account for the new throughput
+     | metric.
+
+   - | Throughput values are not correctly acquired for different interface types.
+     | (`#1728 <https://github.com/freifunk-gluon/gluon/issues/1728>`_)
+     | This affects virtual interface types like bridges and VXLAN.
+
+* Default TX power on many Ubiquiti devices is too high, correct offsets are unknown
+  (`#94 <https://github.com/freifunk-gluon/gluon/issues/94>`_)
+
+  Reducing the TX power in the Advanced Settings is recommended.
+
+* The MAC address of the WAN interface is modified even when Mesh-on-WAN is disabled
+  (`#496 <https://github.com/freifunk-gluon/gluon/issues/496>`_)
+
+  This may lead to issues in environments where a fixed MAC address is expected (like VMware when promiscuous mode is
+  disallowed).
+
+* Inconsistent respondd API (`#522 <https://github.com/freifunk-gluon/gluon/issues/522>`_)
+
+  The current API is inconsistent and will be replaced eventually. The old API will still be supported for a while.
+
+* Frequent reboots due to out-of-memory or high load due to memory pressure on weak hardware especially in larger
+  meshes (`#1243 <https://github.com/freifunk-gluon/gluon/issues/1243>`_)
+
+  Optimizations in Gluon 2018.1 have significantly improved memory usage.
+  There are still known bugs leading to unreasonably high load that we hope to
+  solve in future releases.
+

docs/releases/v2019.1.rst

@@ -91,7 +91,7 @@ to decide which module gets loaded and the scheduled domain switching functional
 the two versions.
 
 Note that if you were using ``gluon-mesh-batman-adv-14`` ("batman-adv-legacy") before you will need to update the
-``mesh.batman_adv.routing_algo`` setting from from ``BATMAN_IV`` to ``BATMAN_IV_LEGACY`` if you want to
+``mesh.batman_adv.routing_algo`` setting from ``BATMAN_IV`` to ``BATMAN_IV_LEGACY`` if you want to
 stay on v14 compat.
 
 See the :ref:`mesh <user-site-mesh>` section for the *site.conf* configuration of this feature.
@@ -157,7 +157,7 @@ Bugfixes
   (`#1777 <https://github.com/freifunk-gluon/gluon/issues/1777>`_)
 
 * Fixes cross-domain leakage of respondd data by not joining the link-local multicast group on br-client. Nodes will
-  not be answering respondd queries on  ``[ff02::2:1001]:1001`` anymore. Respondd queries using that adresss must be
+  not be answering respondd queries on  ``[ff02::2:1001]:1001`` anymore. Respondd queries using that address must be
   updated to the new address ``[ff05::2:1001]:1001``. (`#1701 <https://github.com/freifunk-gluon/gluon/issues/1701>`_)
 
 

docs/site-example/site.conf

@@ -1,4 +1,4 @@
--- This is an example site configuration for Gluon v2019.1
+-- This is an example site configuration for Gluon v2019.1.3
 --
 -- Take a look at the documentation located at
 -- https://gluon.readthedocs.io/ for details.

docs/user/getting_started.rst

@@ -8,7 +8,7 @@ Gluon's releases are managed using `Git tags`_. If you are just getting
 started with Gluon we recommend to use the latest stable release of Gluon.
 
 Take a look at the `list of gluon releases`_ and notice the latest release,
-e.g. *v2019.1*. Always get Gluon using git and don't try to download it
+e.g. *v2019.1.3*. Always get Gluon using git and don't try to download it
 as a Zip archive as the archive will be missing version information.
 
 Please keep in mind that there is no "default Gluon" build; a site configuration
@@ -44,7 +44,7 @@ Building the images
 -------------------
 
 To build Gluon, first check out the repository. Replace *RELEASE* with the
-version you'd like to checkout, e.g. *v2019.1*.
+version you'd like to checkout, e.g. *v2019.1.3*.
 
 ::
 

docs/user/site.rst

@@ -169,8 +169,8 @@ wifi5 \: optional
     Same as `wifi24` but for the 5Ghz radio.
 
     Additionally a range of channels that are safe to use outsides on the 5 GHz band can
-    be set up through ``outdoor_chanlist``, which allows for a space-seperated list of
-    channels and channel ranges, seperated by a hyphen.
+    be set up through ``outdoor_chanlist``, which allows for a space-separated list of
+    channels and channel ranges, separated by a hyphen.
     When set this offers the outdoor mode flag for 5 GHz radios in the config mode which
     reconfigures the AP to select its channel from outdoor chanlist, while respecting
     regulatory specifications, and  disables mesh on that radio.

docs/user/supported_devices.rst

@@ -86,7 +86,7 @@ ar71xx-generic
   - CPE220 (v1.1)
   - CPE510 (v1.0, v1.1)
   - CPE520 (v1.1)
-  - RE450 [#ath10k]_
+  - RE450 (v1) [#ath10k]_
   - TL-WDR3500 (v1)
   - TL-WDR3600 (v1)
   - TL-WDR4300 (v1)

modules

@@ -2,15 +2,15 @@ GLUON_FEEDS='packages routing luci gluon'
 
 OPENWRT_REPO=https://git.openwrt.org/openwrt/openwrt.git
 OPENWRT_BRANCH=openwrt-18.06
-OPENWRT_COMMIT=89808e211cd5ef5989bd0becb8cd45f9340610ff
+OPENWRT_COMMIT=7cbbab7246b43209a6d940f3a35c9f9a364a0572
 
 PACKAGES_PACKAGES_REPO=https://github.com/openwrt/packages.git
 PACKAGES_PACKAGES_BRANCH=openwrt-18.06
-PACKAGES_PACKAGES_COMMIT=1eeea30fda0f573e57cd00bd3560f7af63fa6d10
+PACKAGES_PACKAGES_COMMIT=65e91999666573eac2d9d57ed4ecadac029cf8f3
 
 PACKAGES_ROUTING_REPO=https://github.com/openwrt-routing/packages.git
 PACKAGES_ROUTING_BRANCH=openwrt-18.06
-PACKAGES_ROUTING_COMMIT=7589804a56baac804421b492c93004c28a627abb
+PACKAGES_ROUTING_COMMIT=83f515d7ae76e5a7460c0eacadae806363df05a1
 
 PACKAGES_LUCI_REPO=https://github.com/openwrt/luci.git
 PACKAGES_LUCI_BRANCH=openwrt-18.06

package/gluon-config-mode-outdoor/luasrc/lib/gluon/config-mode/wizard/0250-outdoor.lua

@@ -25,5 +25,5 @@ return function(form, uci)
 		end
 	end
 
-	return {'gluon', 'wireless'}
+	return {'gluon', 'network', 'wireless'}
 end

package/gluon-core/luasrc/lib/gluon/upgrade/200-wireless

@@ -84,7 +84,7 @@ local function is_disabled(name)
 	if uci:get('wireless', name) then
 		return uci:get_bool('wireless', name, 'disabled')
 	else
-		return false
+		return nil
 	end
 end
 

package/gluon-mesh-vpn-tunneldigger/luasrc/usr/bin/tunneldigger-watchdog

@@ -33,7 +33,7 @@ local function has_mesh_vpn_neighbours()
 end
 
 if uci:get_bool('tunneldigger', 'mesh_vpn', 'enabled') then
-	if io.popen('pgrep tunneldigger'):read('*l') ~= read_pid_file() then
+	if io.popen('pgrep -x /usr/bin/tunneldigger'):read('*l') ~= read_pid_file() then
 		os.execute('logger -t tunneldigger-watchdog "Process-Pid does not match with pid-File."')
 		restart_tunneldigger()
 		return

package/gluon-respondd/luasrc/lib/gluon/upgrade/400-respondd-firewall

@@ -25,6 +25,7 @@ uci:section('firewall', 'rule', 'client_respondd', {
 	target = 'ACCEPT',
 })
 
+-- Allow respondd-access from within the mesh
 uci:section('firewall', 'rule',  'mesh_respondd_ll', {
 	name = 'mesh_respondd_ll',
 	src = 'mesh',
@@ -43,4 +44,19 @@ uci:section('firewall', 'rule',  'mesh_respondd_siteprefix', {
 	target = 'ACCEPT',
 })
 
+uci:delete_all('firewall', 'rule', function(rule)
+	return rule['.name']:find('^mesh_respondd_extraprefix')
+end)
+
+for idx, prefix in ipairs(site.extra_prefixes6({})) do
+	uci:section('firewall', 'rule',  'mesh_respondd_extraprefix' .. idx, {
+		name = 'mesh_respondd_extraprefix' .. idx,
+		src = 'mesh',
+		src_ip = prefix,
+		dest_port = '1001',
+		proto = 'udp',
+		target = 'ACCEPT',
+	})
+end
+
 uci:save('firewall')

package/gluon-web-model/files/lib/gluon/web/view/model/form.html

@@ -1,4 +1,4 @@
-<form method="post" enctype="multipart/form-data" action="<%|url(request)%>">
+<form method="post" enctype="multipart/form-data" action="<%|url(request)%>" data-update="reset">
 	<input type="hidden" name="token" value="<%=token%>" />
 	<input type="hidden" name="<%=id%>" value="1" />
 

package/gluon-web-model/javascript/gluon-web-model.js

@@ -517,7 +517,7 @@
 		for (var i = 0, node; (node = nodes[i]) !== undefined; i++) {
 			var events = node.getAttribute('data-update').split(' ');
 			for (var j = 0, event; (event = events[j]) !== undefined; j++) {
-				bind(node, event, update);
+				bind(node, event, function () {setTimeout(update, 0);});
 			}
 		}
 

package/gluon-web-node-role/luasrc/lib/gluon/config-mode/model/admin/noderole.lua

@@ -18,7 +18,7 @@ s = f:section(Section, nil, translate(
 o = s:option(ListValue, "role", translate("Role"))
 o.default = role
 for _, role_value in ipairs(site.roles.list()) do
-	o:value(role, site_i18n.translate('gluon-web-node-role:role:' .. role_value))
+	o:value(role_value, site_i18n.translate('gluon-web-node-role:role:' .. role_value))
 end
 
 function o:write(data)

package/gluon-web-wifi-config/luasrc/lib/gluon/config-mode/model/admin/wifi-config.lua

@@ -158,6 +158,7 @@ end
 function f:write()
 	uci:commit('gluon')
 	os.execute('/lib/gluon/upgrade/200-wireless')
+	uci:commit('network')
 	uci:commit('wireless')
 end
 

patches/openwrt/0009-build-add-mkrasimage.patch

@@ -249,12 +249,12 @@ index ccddaa0016b0c926d4737abb5757e7212b0a1157..00000000000000000000000000000000
 -
 -rm -rf "$tmpdir"
 diff --git a/target/linux/ar71xx/image/generic.mk b/target/linux/ar71xx/image/generic.mk
-index 640557532c8a02f37bc6f84ade8cb34e7172162d..4568b656219419e9ca1156c6716bd2124074cb32 100644
+index ba5f9d90a639c8102d8a380d57a491b0206bd588..a494fa6b0be07b3b1f99f6fbb29e11d77df1dfd1 100644
 --- a/target/linux/ar71xx/image/generic.mk
 +++ b/target/linux/ar71xx/image/generic.mk
 @@ -1086,8 +1086,12 @@ define Device/NBG6616
    IMAGE_SIZE := 15323k
-   MTDPARTS := spi0.0:192k(u-boot)ro,64k(env)ro,64k(RFdata)ro,384k(zyxel_rfsd),384k(romd),64k(header),2048k(kernel),13184k(rootfs),15232k@0x120000(firmware)
+   MTDPARTS := spi0.0:192k(u-boot)ro,64k(env),64k(RFdata)ro,384k(zyxel_rfsd),384k(romd),64k(header),2048k(kernel),13184k(rootfs),15232k@0x120000(firmware)
    CMDLINE += mem=128M
 -  IMAGES := sysupgrade.bin
 +  RAS_BOARD := NBG6616

patches/openwrt/0013-ramips-add-support-for-Archer-C50-v4.patch

@@ -112,10 +112,10 @@ index 6057275978591192e3b7799a8e6d97761c3e23a5..19386b9e139a25fd1ac29cd9a66b738b
  	ucidef_set_led_switch "wan" "wan" "$boardname:green:wan" "switch0" "0x01"
  	ucidef_set_led_wlan "wlan2g" "wlan2g" "$boardname:green:wlan2g" "phy0tpt"
 diff --git a/target/linux/ramips/base-files/etc/board.d/02_network b/target/linux/ramips/base-files/etc/board.d/02_network
-index ebf40ad1fa874d324b43c8f0613bca53a19ab2d0..1c6cc6b0af745b43b81bbfffc9b5462c1b88defc 100755
+index 50d3a89bd88478b6077cf4f0aacde26901f869b4..15034e8e5e461a2ca13913ecde6a789a261dad64 100755
 --- a/target/linux/ramips/base-files/etc/board.d/02_network
 +++ b/target/linux/ramips/base-files/etc/board.d/02_network
-@@ -205,6 +205,7 @@ ramips_setup_interfaces()
+@@ -202,6 +202,7 @@ ramips_setup_interfaces()
  	rt-n14u|\
  	tplink,c20-v4|\
  	tplink,c50-v3|\

patches/openwrt/0016-ramips-add-support-for-Netgear-R6120.patch

@@ -37,10 +37,10 @@ index 19386b9e139a25fd1ac29cd9a66b738b5b092cdf..4203773b4fa3ec771f07b7a8c414a416
  	set_usb_led "$boardname:red:status"
  	;;
 diff --git a/target/linux/ramips/base-files/etc/board.d/02_network b/target/linux/ramips/base-files/etc/board.d/02_network
-index 1c6cc6b0af745b43b81bbfffc9b5462c1b88defc..9424c7ddfd64f9149a24ff91e63b71990265d211 100755
+index 15034e8e5e461a2ca13913ecde6a789a261dad64..0b65e567e558e94b5de0a53ac95dc406ccf0acec 100755
 --- a/target/linux/ramips/base-files/etc/board.d/02_network
 +++ b/target/linux/ramips/base-files/etc/board.d/02_network
-@@ -301,6 +301,10 @@ ramips_setup_interfaces()
+@@ -307,6 +307,10 @@ ramips_setup_interfaces()
  			"0:lan" "1:lan" "2:lan" "3:lan" "6t@eth0"
  		ucidef_set_interface_wan "usb0"
  		;;

patches/openwrt/0023-ar71xx-Add-support-for-TP-Link-CPE210-v3.patch

@@ -28,7 +28,7 @@ definition from cpe210-v2]
 Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
 
 diff --git a/target/linux/ar71xx/base-files/etc/board.d/01_leds b/target/linux/ar71xx/base-files/etc/board.d/01_leds
-index 23f3d23bf53883fb08944bc65b98cac06a16c0a5..e0222f3637b60b89a6ef6c0d10cfb20fbe73f075 100755
+index 037eaee7196b229ec67a08417d88dcb92995c17f..92f3c0281a485fd671b0f8490edaad997a2af25e 100755
 --- a/target/linux/ar71xx/base-files/etc/board.d/01_leds
 +++ b/target/linux/ar71xx/base-files/etc/board.d/01_leds
 @@ -249,6 +249,7 @@ cf-e530n)
@@ -50,7 +50,7 @@ index 23f3d23bf53883fb08944bc65b98cac06a16c0a5..e0222f3637b60b89a6ef6c0d10cfb20f
  		;;
  	*)
 diff --git a/target/linux/ar71xx/base-files/etc/board.d/02_network b/target/linux/ar71xx/base-files/etc/board.d/02_network
-index e9522252a2b8ba7de1c8ca7d070ff7f2897aade9..386d93e58451b953937320b1bfe8d71ed73c69fd 100755
+index 87a6677d883756c20e708f14bc40648f5737eca2..55b517fa136214654e71c179438cbf5c01e62c38 100755
 --- a/target/linux/ar71xx/base-files/etc/board.d/02_network
 +++ b/target/linux/ar71xx/base-files/etc/board.d/02_network
 @@ -75,6 +75,7 @@ ar71xx_setup_interfaces()
@@ -62,10 +62,10 @@ index e9522252a2b8ba7de1c8ca7d070ff7f2897aade9..386d93e58451b953937320b1bfe8d71e
  	eap120|\
  	eap300v2|\
 diff --git a/target/linux/ar71xx/base-files/lib/ar71xx.sh b/target/linux/ar71xx/base-files/lib/ar71xx.sh
-index ccbd4e77c324a36e7fba6e6dccad59d8f94a3921..2200069c647b33220126e797b6a61928d1fb428e 100755
+index a61c781b28177ece36e6c2a63f921d15c39b6c2a..7e96ab2b2a0b026ac063cc0f30ab8f4bbef28b1e 100755
 --- a/target/linux/ar71xx/base-files/lib/ar71xx.sh
 +++ b/target/linux/ar71xx/base-files/lib/ar71xx.sh
-@@ -583,6 +583,10 @@ ar71xx_board_detect() {
+@@ -729,6 +729,10 @@ ar71xx_board_detect() {
  		name="cpe210-v2"
  		tplink_pharos_board_detect "$(tplink_pharos_v2_get_model_string)"
  		;;
@@ -77,7 +77,7 @@ index ccbd4e77c324a36e7fba6e6dccad59d8f94a3921..2200069c647b33220126e797b6a61928
  		name="cpe505n"
  		;;
 diff --git a/target/linux/ar71xx/base-files/lib/upgrade/platform.sh b/target/linux/ar71xx/base-files/lib/upgrade/platform.sh
-index ca1270b7fdc84c53f8417c226f18ca4fff1f27d8..a04dd7441d28e9db4dc7c744707bb5f35936da00 100755
+index 1ac0613c7bc4cf189cfafc306bd66e1aa434d9ad..5ebc775e8e0015bc62a63e7126e8247db8932428 100755
 --- a/target/linux/ar71xx/base-files/lib/upgrade/platform.sh
 +++ b/target/linux/ar71xx/base-files/lib/upgrade/platform.sh
 @@ -587,7 +587,8 @@ platform_check_image() {

patches/openwrt/0024-ramips-add-support-for-ASUS-RT-AC57U.patch

@@ -44,10 +44,10 @@ Web-interface.
 Signed-off-by: David Bauer <mail@david-bauer.net>
 
 diff --git a/target/linux/ramips/base-files/etc/board.d/02_network b/target/linux/ramips/base-files/etc/board.d/02_network
-index 9424c7ddfd64f9149a24ff91e63b71990265d211..7ceec7742aa7a0248ea3c31053b9adda2b247c9c 100755
+index 0b65e567e558e94b5de0a53ac95dc406ccf0acec..212204a1a3edf78cbf2f67d9b9709eb0e703b330 100755
 --- a/target/linux/ramips/base-files/etc/board.d/02_network
 +++ b/target/linux/ramips/base-files/etc/board.d/02_network
-@@ -186,6 +186,7 @@ ramips_setup_interfaces()
+@@ -185,6 +185,7 @@ ramips_setup_interfaces()
  		ucidef_add_switch "switch0" \
  			"1:lan" "2:lan" "3:lan" "4:lan" "6t@eth0"
  		;;
@@ -55,7 +55,7 @@ index 9424c7ddfd64f9149a24ff91e63b71990265d211..7ceec7742aa7a0248ea3c31053b9adda
  	atp-52b|\
  	awm002-evb-4M|\
  	awm002-evb-8M|\
-@@ -413,6 +414,11 @@ ramips_setup_macs()
+@@ -419,6 +420,11 @@ ramips_setup_macs()
  	wmdr-143n)
  		lan_mac=$(cat /sys/class/net/eth0/address)
  		;;
@@ -67,7 +67,7 @@ index 9424c7ddfd64f9149a24ff91e63b71990265d211..7ceec7742aa7a0248ea3c31053b9adda
  	all0239-3g|\
  	carambola|\
  	freestation5|\
-@@ -541,10 +547,6 @@ ramips_setup_macs()
+@@ -546,10 +552,6 @@ ramips_setup_macs()
  		lan_mac=$(mtd_get_mac_ascii u-boot-env LAN_MAC_ADDR)
  		wan_mac=$(mtd_get_mac_ascii u-boot-env WAN_MAC_ADDR)
  		;;
@@ -259,10 +259,10 @@ index 0000000000000000000000000000000000000000..cdab94676e13d259eb80afbcb28347d7
 +	};
 +};
 diff --git a/target/linux/ramips/image/mt7621.mk b/target/linux/ramips/image/mt7621.mk
-index c8de8bd5ff7d1bec4de5c4ffd84a589892871ecb..e0f8cc65ebbfc93b4bfd765db5e62b5afda27c40 100644
+index a352ca21d7c3ac157ed58a9745d91ae4f8315955..8a12b6b67b1dd2f3b1e18bcce97a82c62d307e06 100644
 --- a/target/linux/ramips/image/mt7621.mk
 +++ b/target/linux/ramips/image/mt7621.mk
-@@ -49,6 +49,14 @@ define Device/11acnas
+@@ -50,6 +50,14 @@ define Device/11acnas
  endef
  TARGET_DEVICES += 11acnas
  

patches/openwrt/0026-mac80211-ath10k-increase-rx-buffer-size-to-2048.patch

@@ -0,0 +1,70 @@
+From: Linus Lüssing <ll@simonwunderlich.de>
+Date: Wed, 5 Feb 2020 20:10:43 +0100
+Subject: mac80211: ath10k: increase rx buffer size to 2048
+
+Before, only frames with a maximum size of 1528 bytes could be
+transmitted between two 802.11s nodes.
+
+For batman-adv for instance, which adds its own header to each frame,
+we typically need an MTU of at least 1532 bytes to be able to transmit
+without fragmentation.
+
+This patch now increases the maxmimum frame size from 1528 to 1656
+bytes.
+
+Tested with two ath10k devices in 802.11s mode, as well as with
+batman-adv on top of 802.11s with forwarding disabled.
+
+Fix originally found and developed by Ben Greear.
+
+Link: https://github.com/greearb/ath10k-ct/issues/89
+Link: https://github.com/greearb/ath10k-ct/commit/9e5ab25027e0971fa24ccf93373324c08c4e992d
+Cc: Ben Greear <greearb@candelatech.com>
+Signed-off-by: Linus Lüssing <ll@simonwunderlich.de>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+
+Forwarded: https://github.com/openwrt/openwrt/pull/2959
+
+diff --git a/package/kernel/mac80211/patches/ath/922-ath10k-increase-rx-buffer-size-to-2048.patch b/package/kernel/mac80211/patches/ath/922-ath10k-increase-rx-buffer-size-to-2048.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..f7c842f428986130002922b68daf3d29b096ddbd
+--- /dev/null
++++ b/package/kernel/mac80211/patches/ath/922-ath10k-increase-rx-buffer-size-to-2048.patch
+@@ -0,0 +1,37 @@
++From: Linus Lüssing <ll@simonwunderlich.de>
++Date: Wed, 5 Feb 2020 20:10:43 +0100
++Subject: ath10k: increase rx buffer size to 2048
++
++Before, only frames with a maximum size of 1528 bytes could be
++transmitted between two 802.11s nodes.
++
++For batman-adv for instance, which adds its own header to each frame,
++we typically need an MTU of at least 1532 bytes to be able to transmit
++without fragmentation.
++
++This patch now increases the maxmimum frame size from 1528 to 1656
++bytes.
++
++Tested with two ath10k devices in 802.11s mode, as well as with
++batman-adv on top of 802.11s with forwarding disabled.
++
++Fix originally found and developed by Ben Greear.
++
++Link: https://github.com/greearb/ath10k-ct/issues/89
++Link: https://github.com/greearb/ath10k-ct/commit/9e5ab25027e0971fa24ccf93373324c08c4e992d
++Cc: Ben Greear <greearb@candelatech.com>
++Signed-off-by: Linus Lüssing <ll@simonwunderlich.de>
++
++Forwarded: https://patchwork.kernel.org/patch/11367055/
++
++--- a/drivers/net/wireless/ath/ath10k/htt.h
+++++ b/drivers/net/wireless/ath/ath10k/htt.h
++@@ -2004,7 +2004,7 @@ struct htt_rx_desc {
++  * Should be: sizeof(struct htt_host_rx_desc) + max rx MSDU size,
++  * rounded up to a cache line size.
++  */
++-#define HTT_RX_BUF_SIZE 1920
+++#define HTT_RX_BUF_SIZE 2048
++ #define HTT_RX_MSDU_SIZE (HTT_RX_BUF_SIZE - (int)sizeof(struct htt_rx_desc))
++ 
++ /* Refill a bunch of RX buffers for each refill round so that FW/HW can handle

patches/openwrt/0027-scripts-download.pl-retry-download-using-filename.patch

@@ -0,0 +1,51 @@
+From: David Bauer <mail@david-bauer.net>
+Date: Wed, 18 Nov 2020 16:02:23 +0100
+Subject: scripts: download.pl: retry download using filename
+
+With this commit, the download script will try downloading source files
+using the filename instead of the url-filename in case the previous
+download attempt using the url-filename failed.
+
+This is required, as the OpenWrt sources mirrors serve files using the
+filename files might be renamed to after downloading. If the original
+mirror for a file where url-filename and filename do not match goes
+down, the download failed prior to this patch.
+
+Further improvement can be done by performing this only for the
+OpenWrt sources mirrors.
+
+Signed-off-by: David Bauer <mail@david-bauer.net>
+
+diff --git a/scripts/download.pl b/scripts/download.pl
+index 9848a625220c83072e00dd2aa58b0a3a59b35690..d6e60cbbcf2ef4dd0ad0a7921c449fc8f610c8a9 100755
+--- a/scripts/download.pl
++++ b/scripts/download.pl
+@@ -93,6 +93,7 @@ $hash_cmd or ($file_hash eq "skip") or die "Cannot find appropriate hash command
+ sub download
+ {
+ 	my $mirror = shift;
++	my $download_filename = shift;
+ 
+ 	$mirror =~ s!/$!!;
+ 
+@@ -139,7 +140,7 @@ sub download
+ 			}
+ 		};
+ 	} else {
+-		my @cmd = download_cmd("$mirror/$url_filename");
++		my @cmd = download_cmd("$mirror/$download_filename");
+ 		print STDERR "+ ".join(" ",@cmd)."\n";
+ 		open(FETCH_FD, '-|', @cmd) or die "Cannot launch curl or wget.\n";
+ 		$hash_cmd and do {
+@@ -267,7 +268,10 @@ while (!-f "$target/$filename") {
+ 	my $mirror = shift @mirrors;
+ 	$mirror or die "No more mirrors to try - giving up.\n";
+ 
+-	download($mirror);
++	download($mirror, $url_filename);
++	if (!-f "$target/$filename" && $url_filename ne $filename) {
++		download($mirror, $filename);
++	}
+ }
+ 
+ $SIG{INT} = \&cleanup;

patches/packages/packages/0001-perl-fix-build-failure-in-GCC10.patch

@@ -0,0 +1,130 @@
+From: Ken Wong <xinxijishuwyq@gmail.com>
+Date: Sat, 16 May 2020 13:30:42 +0800
+Subject: perl: fix build failure in GCC10
+
+The perl Configure file was matching GCC 10 against "1*" and treating it
+as GCC 1, causing ABI breakage and segfaults.
+
+Cherry-pick the upstream patch which fixes it to check against (e.g)
+"1.*" instead, which will make it work for hundreds more GCC versions
+to come.
+
+https://github.com/Perl/perl5/commit/6bd6308fcea3541
+ "Adapt Configure to GCC version 10"
+
+Also includes the previous commit just adding GCC 8 and 9 to one case:
+https://github.com/Perl/perl5/commit/ae195500577d707
+ "Add gcc-8 and gcc-9 for FORTIFY_SOURCE"
+
+Signed-off-by: Ken Wong <xinxijishuwyq@gmail.com>
+(cherry picked from commit 65578a43f0d12c02888df00b6fdc90c73a02875c)
+
+diff --git a/lang/perl/patches/999-fix-build-failure-against-gcc-10.patch b/lang/perl/patches/999-fix-build-failure-against-gcc-10.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..55d9a0e8ae15b400294b6a20b60155cecd26db0b
+--- /dev/null
++++ b/lang/perl/patches/999-fix-build-failure-against-gcc-10.patch
+@@ -0,0 +1,103 @@
++From 6bd6308fcea3541e505651bf8e8127a4a03d22cd Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
++Date: Tue, 12 Nov 2019 09:19:18 +0100
++Subject: [PATCH] Adapt Configure to GCC version 10
++
++I got a notice from Jeff Law <law@redhat.com>:
++
++    Your particular package fails its testsuite. This was ultimately
++    tracked down to a Configure problem. The perl configure script treated
++    gcc-10 as gcc-1 and turned on -fpcc-struct-return. This is an ABI
++    changing flag and caused Perl to not be able to interact properly with
++    the dbm libraries on the system leading to a segfault.
++
++His proposed patch corrected only this one instance of the version
++mismatch. Reading the Configure script revealed more issues. This
++patch fixes all of them I found.
++
++---
++ Configure | 14 +++++++-------
++ cflags.SH |  2 +-
++ 2 files changed, 8 insertions(+), 8 deletions(-)
++
++diff --git a/Configure b/Configure
++index fad1c9f2b1..706c0b64ed 100755
++--- a/Configure
+++++ b/Configure
++@@ -4701,7 +4701,7 @@ else
++ fi
++ $rm -f try try.*
++ case "$gccversion" in
++-1*) cpp=`./loc gcc-cpp $cpp $pth` ;;
+++1.*) cpp=`./loc gcc-cpp $cpp $pth` ;;
++ esac
++ case "$gccversion" in
++ '') gccosandvers='' ;;
++@@ -4741,7 +4741,7 @@ esac
++ # gcc 3.* complain about adding -Idirectories that they already know about,
++ # so we will take those off from locincpth.
++ case "$gccversion" in
++-3*)
+++3.*)
++     echo "main(){}">try.c
++     for incdir in $locincpth; do
++        warn=`$cc $ccflags -I$incdir -c try.c 2>&1 | \
++@@ -5467,13 +5467,13 @@ fi
++ case "$hint" in
++ default|recommended)
++ 	case "$gccversion" in
++-	1*) dflt="$dflt -fpcc-struct-return" ;;
+++	1.*) dflt="$dflt -fpcc-struct-return" ;;
++ 	esac
++ 	case "$optimize:$DEBUGGING" in
++ 	*-g*:old) dflt="$dflt -DDEBUGGING";;
++ 	esac
++ 	case "$gccversion" in
++-	2*) if $test -d /etc/conf/kconfig.d &&
+++	2.*) if $test -d /etc/conf/kconfig.d &&
++ 			$contains _POSIX_VERSION $usrinc/sys/unistd.h >/dev/null 2>&1
++ 		then
++ 			# Interactive Systems (ISC) POSIX mode.
++@@ -5482,7 +5482,7 @@ default|recommended)
++ 		;;
++ 	esac
++ 	case "$gccversion" in
++-	1*) ;;
+++	1.*) ;;
++ 	2.[0-8]*) ;;
++ 	?*)	set strict-aliasing -fno-strict-aliasing
++ 		eval $checkccflag
++@@ -5600,7 +5600,7 @@ case "$cppflags" in
++     ;;
++ esac
++ case "$gccversion" in
++-1*) cppflags="$cppflags -D__GNUC__"
+++1.*) cppflags="$cppflags -D__GNUC__"
++ esac
++ case "$mips_type" in
++ '');;
++@@ -23103,7 +23103,7 @@ fi
++ 
++ : add -D_FORTIFY_SOURCE if feasible and not already there
++ case "$gccversion" in
++-[4567].*)	case "$optimize$ccflags" in
+++[456789].*|[1-9][0-9]*)	case "$optimize$ccflags" in
++ 	*-O*)	case "$ccflags$cppsymbols" in
++ 		*_FORTIFY_SOURCE=*) # Don't add it again.
++ 			echo "You seem to have -D_FORTIFY_SOURCE already, not adding it." >&4
++diff --git a/cflags.SH b/cflags.SH
++index e60742fed1..f1bcd6c38e 100755
++--- a/cflags.SH
+++++ b/cflags.SH
++@@ -156,7 +156,7 @@ esac
++ 
++ case "$gccversion" in
++ '') ;;
++-[12]*) ;; # gcc versions 1 (gasp!) and 2 are not good for this.
+++[12].*) ;; # gcc versions 1 (gasp!) and 2 are not good for this.
++ Intel*) ;; # # Is that you, Intel C++?
++ #
++ # NOTE 1: the -std=c89 without -pedantic is a bit pointless.
++-- 
++2.17.1
++

patches/packages/packages/0002-ecdsautils-verify-fix-signature-verification-CVE-2022-24884.patch

@@ -0,0 +1,73 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Wed, 27 Apr 2022 19:01:39 +0200
+Subject: ecdsautils: verify: fix signature verification (CVE-2022-24884)
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/utils/ecdsautils/Makefile b/utils/ecdsautils/Makefile
+index 7f1c76f0301f56b0a88c1f6a1a0147397fde25c7..5ba893be69d40279cd6f5c9e544e941d0011f451 100644
+--- a/utils/ecdsautils/Makefile
++++ b/utils/ecdsautils/Makefile
+@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
+ 
+ PKG_NAME:=ecdsautils
+ PKG_VERSION:=0.3.2.20160630
+-PKG_RELEASE:=1
++PKG_RELEASE:=2
+ PKG_REV:=07538893fb6c2a9539678c45f9dbbf1e4f222b46
+ PKG_MAINTAINER:=Matthias Schiffer <mschiffer@universe-factory.net>
+ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+diff --git a/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..34d80cc201c0e87ca654c3def4fbbbddf622b0ba
+--- /dev/null
++++ b/utils/ecdsautils/patches/0001-verify-fix-signature-verification-CVE-2022-24884.patch
+@@ -0,0 +1,48 @@
++From 1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 Mon Sep 17 00:00:00 2001
++Message-Id: <1d4b091abdf15ad7b2312535b5b95ad70f6dbd08.1651078760.git.mschiffer@universe-factory.net>
++From: Matthias Schiffer <mschiffer@universe-factory.net>
++Date: Wed, 20 Apr 2022 22:04:07 +0200
++Subject: [PATCH] verify: fix signature verification (CVE-2022-24884)
++
++Verify that r and s are non-zero. Without these checks, an all-zero
++signature is always considered valid.
++
++While it would be nicer to error out in ecdsa_verify_prepare_legacy()
++already, that would require users of libecdsautil to check a return value
++of the prepare step. To be safe, implement the fix in an API/ABI-compatible
++way that doesn't need changes to the users.
++---
++ src/lib/ecdsa.c | 10 ++++++++++
++ 1 file changed, 10 insertions(+)
++
++diff --git a/src/lib/ecdsa.c b/src/lib/ecdsa.c
++index 8cd7722be8cd..a661b56bd7c8 100644
++--- a/src/lib/ecdsa.c
+++++ b/src/lib/ecdsa.c
++@@ -135,6 +135,12 @@ regenerate:
++ void ecdsa_verify_prepare_legacy(ecdsa_verify_context_t *ctx, const ecc_int256_t *hash, const ecdsa_signature_t *signature) {
++   ecc_int256_t w, u1, tmp;
++ 
+++  if (ecc_25519_gf_is_zero(&signature->s) || ecc_25519_gf_is_zero(&signature->r)) {
+++    // Signature is invalid, mark by setting ctx->r to an invalid value
+++    memset(&ctx->r, 0, sizeof(ctx->r));
+++    return;
+++  }
+++
++   ctx->r = signature->r;
++ 
++   ecc_25519_gf_recip(&w, &signature->s);
++@@ -149,6 +155,10 @@ bool ecdsa_verify_legacy(const ecdsa_verify_context_t *ctx, const ecc_25519_work
++   ecc_25519_work_t s2, work;
++   ecc_int256_t w, tmp;
++ 
+++  // Signature was detected as invalid in prepare step
+++  if (ecc_25519_gf_is_zero(&ctx->r))
+++    return false;
+++
++   ecc_25519_scalarmult(&s2, &ctx->u2, pubkey);
++   ecc_25519_add(&work, &ctx->s1, &s2);
++   ecc_25519_store_xy_legacy(&w, NULL, &work);
++-- 
++2.36.0
++

patches/packages/routing/0002-batctl-remove-kmod-batman-adv-dependency.patch

@@ -8,7 +8,7 @@ batctl works just as well with batman-adv-legacy (compat 14).
 Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
 
 diff --git a/batctl/Makefile b/batctl/Makefile
-index 4e67512844d07607852a5447a336dc9f93f5990a..df96ca7325ba3f84bd682da6df32fa4489474113 100644
+index ba83914217732ee49a66a304f18e46f07b1225e6..a16128e3a17135e73dea008721f4026b06fb8ee0 100644
 --- a/batctl/Makefile
 +++ b/batctl/Makefile
 @@ -23,7 +23,7 @@ define Package/batctl

patches/packages/routing/0003-batman-adv-remove-module-autoload.patch

@@ -8,7 +8,7 @@ or batman-adv-legacy module, depending on the configured routing
 algorithm in UCI.
 
 diff --git a/batman-adv/Makefile b/batman-adv/Makefile
-index ae434909c90f61efdf0d80b56352c983cfef25b0..e58f862b0e5fac7ac12d6ba5a09241d23148a252 100644
+index 9df29a7feeaddca3a7b0fc247f58cde0ccd1396f..4d007a666be7dd7b1814260a97f6e8e26a858230 100644
 --- a/batman-adv/Makefile
 +++ b/batman-adv/Makefile
 @@ -30,7 +30,6 @@ define KernelPackage/batman-adv

targets/ar71xx-generic

@@ -181,6 +181,7 @@ device('netgear-wnr2200', 'wnr2200', {
 
 device('ocedo-koala', 'koala', {
 	factory = false,
+	packages = ATH10K_PACKAGES,
 })
 
 
@@ -408,7 +409,7 @@ device('ubiquiti-ls-sr71', 'ubnt-ls-sr71', {
 device('ubiquiti-unifi-ac-lite', 'ubnt-unifiac-lite', {
 	factory = false,
 	packages = ATH10K_PACKAGES,
-	aliases = {'ubiquiti-unifi-ac-lr'},
+	aliases = {'ubiquiti-unifi-ac-lite-mesh'},
 })
 
 device('ubiquiti-unifi-ac-pro', 'ubnt-unifiac-pro', {