From 4ba6720ef16c9739c1881f431bc280514b7e9a93 Mon Sep 17 00:00:00 2001 From: Eric Sauvageau Date: Tue, 27 Jul 2021 14:09:17 -0400 Subject: [PATCH 01/13] Bumped revision to 386.3_1 --- release/src-rt/version.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release/src-rt/version.conf b/release/src-rt/version.conf index 954ba3eb372..1080f0f72c4 100644 --- a/release/src-rt/version.conf +++ b/release/src-rt/version.conf @@ -1,5 +1,5 @@ KERNEL_VER=3.0 FS_VER=0.4 SERIALNO=386.3 -EXTENDNO=0 +EXTENDNO=1 RCNO=0 From 45a269a2348c66464c000f22ad437fd2b6ad7b90 Mon Sep 17 00:00:00 2001 From: Eric Sauvageau Date: Tue, 27 Jul 2021 14:17:44 -0400 Subject: [PATCH 02/13] libovpn: don't set default gateway for ovpn client with Redirect Internet set to No This will allow other RPDB tables to also get processed in case we have multiple connected clients, with the final default being the main table at the end. --- release/src/router/libovpn/openvpn_control.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/release/src/router/libovpn/openvpn_control.c b/release/src/router/libovpn/openvpn_control.c index db9ec469145..ac36889a3ad 100644 --- a/release/src/router/libovpn/openvpn_control.c +++ b/release/src/router/libovpn/openvpn_control.c @@ -382,7 +382,12 @@ void ovpn_client_up_handler(int unit) // Handle traffic redirection rgw = nvram_pf_get_int(prefix, "rgw"); - if (rgw != OVPN_RGW_NONE) { + if (rgw == OVPN_RGW_NONE) { + snprintf(buffer, sizeof (buffer), "/usr/sbin/ip route del default table ovpnc%d", unit); + system(buffer); + if (verb >= 6) + logmessage("openvpn-routing", "Remove default gateway for client %d table", unit); + } else { // Force traffic to remote VPN server to go through local GW remote_env = getenv("trusted_ip"); localgw = getenv("route_net_gateway"); From acf2d27aa0a5a5181eb8ca19d19c01572f5214dc Mon Sep 17 00:00:00 2001 
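Review bot: The return value of `system(buffer)` on the new `rgw == OVPN_RGW_NONE` branch is discarded, so a failed `ip route del` (for example when table ovpncN has no default route yet) is still logged as a removal at verbosity 6. Checking the status keeps the log truthful: `if (system(buffer) != 0) logmessage("openvpn-routing", "Failed to remove default gateway for client %d table", unit);`. The shell round-trip is also unnecessary here; `unit` is an int formatted with `%d`, but the rest of this tree runs binaries directly through `eval()`/`_eval()` with an argv, which avoids the shell entirely and is the safer habit whenever a command line is assembled from runtime values. `ovpn_client_up_handler` starts and ends outside the hunk.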
From: Maxim Mikityanskiy Date: Fri, 30 Jul 2021 19:05:01 -0400 Subject: [PATCH 03/13] sch_cake: Fix out of bounds when parsing TCP options The TCP option parser in cake qdisc (cake_get_tcpopt and cake_tcph_may_drop) could read one byte out of bounds. When the length is 1, the execution flow gets into the loop, reads one byte of the opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the length of 1. This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack out of bounds when parsing TCP options."). --- Changelog-NG.txt | 11 +++++++++++ release/src/router/sch_cake/sch_cake.c | 4 ++++ 2 files changed, 15 insertions(+) diff --git a/Changelog-NG.txt b/Changelog-NG.txt index d456d65e7ad..3f9d530934b 100644 --- a/Changelog-NG.txt +++ b/Changelog-NG.txt @@ -1,6 +1,17 @@ Asuswrt-Merlin 386/NG Changelog =============================== +386.3_2 (xx-xxx-2021) + - FIXED: Only the first OpenVPN client would be used if + you had multiple clients connected and the first + one had a Redirect Internet set to "No". Now, + setting this to "No" means that client's routing + table will no longer get a default gateway + configured, allowing traffic to be processed + by other RPDB tables if there wasn't a matching + route within that client's table. + + 386.3 (23-July-2021) - NOTE: First time you boot into this version, you need to either shift-reload the main index page, or clear diff --git a/release/src/router/sch_cake/sch_cake.c b/release/src/router/sch_cake/sch_cake.c index a25a0f90c48..0861c9b1e66 100644 --- a/release/src/router/sch_cake/sch_cake.c +++ b/release/src/router/sch_cake/sch_cake.c @@ -1070,6 +1070,8 @@ static const void *cake_get_tcpopt(const struct tcphdr *tcph, length--; continue; } + if (length < 2) + break; opsize = *ptr++; if (opsize < 2 || opsize > length) break; 
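Review bot: The new `if (length < 2) break;` guard in `cake_get_tcpopt` (and the identical one in `cake_tcph_may_drop` in the next hunk) is correct but undocumented, so a reader has to re-derive why 2 is the threshold. A one-line comment above each check, such as `/* every option other than EOL/NOP carries a length byte: need opcode + length remaining */`, makes the bound explicit and ties it to the out-of-bounds read this commit closes. The enclosing option-parsing loops start and end outside the hunks.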
@@ -1207,6 +1209,8 @@ static bool cake_tcph_may_drop(const struct tcphdr *tcph, length--; continue; } + if (length < 2) + break; opsize = *ptr++; if (opsize < 2 || opsize > length) break; From b4a8839d772d3e46eda520780a3246a561c9dd20 Mon Sep 17 00:00:00 2001 From: Eric Sauvageau Date: Sat, 31 Jul 2021 02:21:48 -0400 Subject: [PATCH 04/13] Revert "Enable jitterentropy-rngd for non-HND models" Jitterentropy brings negligible improvements on older models, and is unable to reach the target entropy threshold, causing it to constantly run every few seconds. This reverts commit a33196c67997ad95ca27a665921622ab588ef4b4. --- release/src/router/Makefile | 2 ++ release/src/router/rc/services.c | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/release/src/router/Makefile b/release/src/router/Makefile index 344d85fe79d..56863a6a429 100644 --- a/release/src/router/Makefile +++ b/release/src/router/Makefile @@ -1465,7 +1465,9 @@ obj-$(RTCONFIG_DNSSEC) += $(if $(RTCONFIG_DNSSEC_OPENSSL),openssl,) $(if $(RTCON obj-$(RTCONFIG_SAMBA36X) += libiconv-1.14 obj-$(RTCONFIG_TELENET) += lanauth obj-y += wsdd2 +ifeq ($(HND_ROUTER),y) obj-y += jitterentropy-rngd +endif #obj-$(RTCONFIG_BWDPI) += faketc ifneq ($(HND_ROUTER),y) diff --git a/release/src/router/rc/services.c b/release/src/router/rc/services.c index 29139279c5e..ee19243e14a 100644 --- a/release/src/router/rc/services.c +++ b/release/src/router/rc/services.c @@ -175,8 +175,10 @@ void start_cron(void); void start_wlcscan(void); void stop_wlcscan(void); +#ifdef HND_ROUTER void start_jitterentropy(void); void stop_jitterentropy(void); +#endif /* HND_ROUTER */ #ifndef MS_MOVE #define MS_MOVE 8192 @@ -9333,7 +9335,9 @@ start_aura_rgb_sw(void) int start_services(void) { +#ifdef HND_ROUTER start_jitterentropy(); +#endif /* HND_ROUTER */ #if defined(RTAX82U) || defined(DSL_AX82U) || defined(GSAX3000) || defined(GSAX5400) start_ledg(); start_ledbtn(); 
@@ -9990,9 +9994,12 @@ stop_services(void) #if defined(RTCONFIG_CFEZ) && defined(RTCONFIG_BCMARM) stop_envrams(); #endif +#ifdef HND_ROUTER stop_jitterentropy(); +#endif /* HND_ROUTER */ } +#ifdef HND_ROUTER void start_jitterentropy() { pid_t pid; @@ -10008,6 +10015,7 @@ void stop_jitterentropy() char *cmd_argv[] = { "killall", "jitterentropy-rngd", NULL}; _eval(cmd_argv, NULL, 0, &pid); } +#endif /* HND_ROUTER */ #ifdef RTCONFIG_QCA int stop_wifi_service(void) From 7aedcd7438fd8887d82840cd230e11d185a4341c Mon Sep 17 00:00:00 2001 From: Eric Sauvageau Date: Sat, 31 Jul 2021 02:30:32 -0400 Subject: [PATCH 05/13] Updated documentation --- Changelog-NG.txt | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Changelog-NG.txt b/Changelog-NG.txt index 3f9d530934b..31e485960e9 100644 --- a/Changelog-NG.txt +++ b/Changelog-NG.txt @@ -2,6 +2,11 @@ Asuswrt-Merlin 386/NG Changelog =============================== 386.3_2 (xx-xxx-2021) + - CHANGED: Re-disabled jitterentropy-rngd on non-HND + models. It kept using CPU time every two + seconds and had a very marginal impact on + the entropy pool (which it never could push + above the target threshold of 1024). - FIXED: Only the first OpenVPN client would be used if you had multiple clients connected and the first one had a Redirect Internet set to "No". Now, From cf00748fb1d7c6a59381dab456ef409f12a543aa Mon Sep 17 00:00:00 2001 From: Eric Sauvageau Date: Sun, 1 Aug 2021 16:13:49 -0400 Subject: [PATCH 06/13] webui: visual enhancements to OpenVPN client page - Moved "Redirect Internet traffic" setting into the Network section, to improve its visibility - Report "Internet not redirected" instead of "Public IP: unknown" if Redirect Internet traffic is set to "No" - Do not refresh the connection status every two seconds if the client is currently in an error state --- .../www/Advanced_OpenVPNClient_Content.asp | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) 
diff --git a/release/src/router/www/Advanced_OpenVPNClient_Content.asp b/release/src/router/www/Advanced_OpenVPNClient_Content.asp index 2cc8bb56b58..af8a40b9f19 100644 --- a/release/src/router/www/Advanced_OpenVPNClient_Content.asp +++ b/release/src/router/www/Advanced_OpenVPNClient_Content.asp @@ -713,8 +713,11 @@ function showConnStatus() { code = "Connecting..."; setTimeout("getConnStatus()",2000); break; - case "2": // COnnected - code = "Connected (Local: "+ localip + " - Public: " + remoteip + ") Refresh"; + case "2": // Connected + if (policy_ori == 0) + code = "Connected (Local: "+ localip + " - Internet not redirected)"; + else + code = "Connected (Local: "+ localip + " - Public: " + remoteip + ") Refresh"; break; case "-1": switch (client_errno) { @@ -737,7 +740,6 @@ function showConnStatus() { code = "Error - check configuration!"; break; } - setTimeout("getConnStatus()",2000); break; default: code = ""; @@ -1019,6 +1021,14 @@ function refreshVPNIP() { " > + + Redirect Internet traffic through tunnel + + + "> + + Accept DNS Configuration @@ -1215,14 +1225,6 @@ function refreshVPNIP() { "> - - Redirect Internet traffic through tunnel - - - "> - - Killswitch - Block routed clients if tunnel goes down From b4a609dacbae07fc9c0f62b32fb4eb6d4acf38d8 Mon Sep 17 00:00:00 2001 From: Eric Sauvageau Date: Sun, 1 Aug 2021 16:40:17 -0400 Subject: [PATCH 07/13] Updated documentation --- Changelog-NG.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Changelog-NG.txt b/Changelog-NG.txt index 31e485960e9..7658af8f26d 100644 --- a/Changelog-NG.txt +++ b/Changelog-NG.txt 
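Review bot: The new `if (policy_ori == 0)` test in `showConnStatus` uses loose equality and unbraced single-statement branches; `policy_ori` is assigned outside this hunk, so whether it holds a number or the raw nvram string is not visible here, and `== 0` would also match `""` and `null`. Writing it as `if (policy_ori === 0) { ... } else { ... }` (or `=== "0"` if it carries the nvram string) states the intent and removes the ambiguity. The `setTimeout("getConnStatus()",2000)` dropped in the second hunk appears to mean an error state is no longer re-polled until the page is reloaded, which is reasonable but worth a short comment at that spot so the asymmetry with the "Connecting..." case is understood. `showConnStatus` starts and ends outside the hunk.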
@@ -2,11 +2,22 @@ Asuswrt-Merlin 386/NG Changelog =============================== 386.3_2 (xx-xxx-2021) + - NOTE: closed down the Issue tracker on Github, as 90% + of it was people asking for technical support, + or failing to use the supplied submission form. - CHANGED: Re-disabled jitterentropy-rngd on non-HND models. It kept using CPU time every two seconds and had a very marginal impact on the entropy pool (which it never could push above the target threshold of 1024). + - CHANGED: Moved the "Redirect Internet traffic" setting on + the OpenVPN Client page to the Network Settings + section to increase its visibility, as too many + users are not properly configuring it. + - CHANGED: Display "Internet traffic not redirected" instead + of "Public IP Unknown" on the OpenVPN Client + status display when Redirect Internet traffic + is set to "No". - FIXED: Only the first OpenVPN client would be used if you had multiple clients connected and the first one had a Redirect Internet set to "No". Now, From a1aa87d4dd8222ae49f84eeb5f23cc85d37409ef Mon Sep 17 00:00:00 2001 From: Eric Sauvageau Date: Sun, 1 Aug 2021 17:06:29 -0400 Subject: [PATCH 08/13] httpd: skip running gettunnelip.sh if Internet not redirected Prevents long pauses before status can be reported on the webui if the tunnel isn't configured to route Internet traffic. Also reports "No Internet traffic" instead of "unknown" in the Public IP field on the VPNStatus page. --- release/src/router/httpd/sysinfo.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/release/src/router/httpd/sysinfo.c b/release/src/router/httpd/sysinfo.c index b6ee62fcf7d..5eb83486177 100644 --- a/release/src/router/httpd/sysinfo.c +++ b/release/src/router/httpd/sysinfo.c @@ -84,7 +84,7 @@ typedef struct { unsigned int speed[4]; } phyState; #endif - +#include "openvpn_config.h" unsigned int get_phy_temperature(int radio); 
@@ -411,7 +411,7 @@ int ej_show_sysinfo(int eid, webs_t wp, int argc, char_t ** argv) int instance = 1; int fd; struct ifreq ifr; - char buf[18]; + char buf[18], buf2[18]; strcpy(result, "0.0.0.0"); @@ -424,7 +424,11 @@ int ej_show_sysinfo(int eid, webs_t wp, int argc, char_t ** argv) strlcpy(result, inet_ntoa(((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr), sizeof result); snprintf(buf, sizeof buf, "vpn_client%d_rip", instance); - if (!strlen(nvram_safe_get(buf))) { + snprintf(buf2, sizeof buf2, "vpn_client%d_rgw", instance); + + if (nvram_get_int(buf2) == OVPN_RGW_NONE) { + nvram_set(buf, "no Internet traffic"); + } else if (!strlen(nvram_safe_get(buf))) { sprintf(buf, "%d", instance); eval("/usr/sbin/gettunnelip.sh", buf); } From 639446cc812da7ff8a1421dc9636f6b960f0f006 Mon Sep 17 00:00:00 2001 From: Eric Sauvageau Date: Thu, 5 Aug 2021 01:35:05 -0400 Subject: [PATCH 09/13] rc: no longer process dnsfilter at boot time for obsolete Norton entries Also resolve a bug in that code that could corrupt the content of dnsfilter_rulelist. --- release/src/router/rc/format.c | 49 ---------------------------------- 1 file changed, 49 deletions(-) diff --git a/release/src/router/rc/format.c b/release/src/router/rc/format.c index 790a2300020..7a7a06e70ef 100644 --- a/release/src/router/rc/format.c +++ b/release/src/router/rc/format.c @@ -17,10 +17,6 @@ extern int vpnc_load_profile(VPNC_PROFILE *list, const int list_size, const int #include #include -#ifdef RTCONFIG_DNSFILTER -#include "dnsfilter.h" -#endif - void adjust_merlin_config(void) { #ifdef RTCONFIG_OPENVPN @@ -34,9 +30,6 @@ void adjust_merlin_config(void) char *nv, *nvp, *entry; char *name, *mac, *mode, *ipaddr, *nvname; char tmp[64]; -#ifdef RTCONFIG_DNSFILTER - int globalmode; -#endif int count; int need_commit=0; 
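Review bot: `nvram_set(buf, "no Internet traffic")` stores a display string into `vpn_client%d_rip`, and the following `else if (!strlen(nvram_safe_get(buf)))` only launches `gettunnelip.sh` when that variable is empty; if the user later switches the client back to redirecting Internet traffic and nothing else clears `_rip`, the stale non-empty string suppresses the lookup and the page keeps reporting "no Internet traffic". Unless something on the connect path resets `_rip` (not visible here), treat the string as a sentinel, `else if (!strlen(nvram_safe_get(buf)) || !strcmp(nvram_safe_get(buf), "no Internet traffic"))`, or emit the text to the page without persisting it in nvram at all. Minor: the `#include "openvpn_config.h"` added in the first hunk sits after an `#endif` among the declarations rather than with the file's other includes. `ej_show_sysinfo` starts and ends outside the hunk.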
@@ -232,48 +225,6 @@ void adjust_merlin_config(void) nvram_set("dev_fail_reboot", "1"); } -/* Remove discontinued DNSFilter services (384.7) */ -#ifdef RTCONFIG_DNSFILTER - globalmode = nvram_get_int("dnsfilter_mode"); - if (globalmode == DNSF_SRV_NORTON1 || globalmode == DNSF_SRV_NORTON2 || globalmode == DNSF_SRV_NORTON3) - nvram_set_int("dnsfilter_mode", DNSF_SRV_OPENDNS_FAMILY); - -#ifdef HND_ROUTER - nv = nvp = malloc(255 * 6 + 1); - if (nv) nvram_split_get("dnsfilter_rulelist", nv, 255 * 6 + 1, 5); -#else - nv = nvp = strdup(nvram_safe_get("dnsfilter_rulelist")); -#endif - newstr = malloc(strlen(nv) + 1); - - if (newstr) { - newstr[0] = '\0'; - - while (nv && (entry = strsep(&nvp, "<")) != NULL) { - if (vstrsep(entry, ">", &name, &mac, &mode) != 3) - continue; - if (!*mac || !*mode ) - continue; - - if (atoi(mode) == DNSF_SRV_NORTON1 || atoi(mode) == DNSF_SRV_NORTON2 || atoi(mode) == DNSF_SRV_NORTON3) { - need_commit = 1; - snprintf(tmp, sizeof(tmp), "<%s>%s>%d", name, mac, DNSF_SRV_OPENDNS_FAMILY); - } - else - snprintf(tmp, sizeof(tmp), "<%s>%s>%s", name, mac, mode); - strcat(newstr, tmp); - } - -#ifdef HND_ROUTER - nvram_split_set("dnsfilter_rulelist", newstr, 255 * 6 + 1, 5); -#else - nvram_set("dnsfilter_rulelist", newstr); -#endif - free(newstr); - } - free(nv); -#endif - /* Migrate lan_dns_fwd_local (384.11) */ if (nvram_get_int("lan_dns_fwd_local")) { need_commit = 1; From beda77938b63b906f7b870bdbf47620e3e3077ae Mon Sep 17 00:00:00 2001 From: Eric Sauvageau Date: Thu, 5 Aug 2021 23:21:29 -0400 Subject: [PATCH 10/13] rc: fix DNSFilter rules handling for IPV6 on HND models --- release/src/router/rc/dnsfilter.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/release/src/router/rc/dnsfilter.c b/release/src/router/rc/dnsfilter.c index 4a9db966096..5a016fcb3d2 100644 --- a/release/src/router/rc/dnsfilter.c +++ b/release/src/router/rc/dnsfilter.c 
@@ -289,7 +289,13 @@ void dnsfilter_setup_dnsmasq(FILE *fp) { } /* DNS server per client */ +#ifdef HND_ROUTER + nv = nvp = malloc(255 * 6 + 1); + if (nv) nvram_split_get("dnsfilter_rulelist", nv, 255 * 6 + 1, 5); +#else nv = nvp = strdup(nvram_safe_get("dnsfilter_rulelist")); +#endif + while (nv && (b = strsep(&nvp, "<")) != NULL) { if (vstrsep(b, ">", &name, &mac, &mode, &enable) < 3) continue; From 2e98e45ac26d83e19a46b0e77eadb0ea26e1d222 Mon Sep 17 00:00:00 2001 From: Eric Sauvageau Date: Fri, 6 Aug 2021 00:32:05 -0400 Subject: [PATCH 11/13] webui: move killswitch setting to the Network Settings, and reorganize order in that section --- .../www/Advanced_OpenVPNClient_Content.asp | 52 +++++++++---------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/release/src/router/www/Advanced_OpenVPNClient_Content.asp b/release/src/router/www/Advanced_OpenVPNClient_Content.asp index af8a40b9f19..e586f1ad7b3 100644 --- a/release/src/router/www/Advanced_OpenVPNClient_Content.asp +++ b/release/src/router/www/Advanced_OpenVPNClient_Content.asp @@ -1021,25 +1021,6 @@ function refreshVPNIP() { " > - - Redirect Internet traffic through tunnel - - - "> - - - - Accept DNS Configuration - - - - Server is on the same subnet @@ -1077,6 +1058,32 @@ function refreshVPNIP() { "> + + Accept DNS Configuration + + + + + + Redirect Internet traffic through tunnel + + + "> + + + + Killswitch - Block routed clients if tunnel goes down + + ><#checkbox_Yes#> + ><#checkbox_No#> + + @@ -1225,13 +1232,6 @@ function refreshVPNIP() { "> - - - -
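Review bot: On the new `HND_ROUTER` path `nv` comes from `malloc` and is written only by `nvram_split_get`; if that helper leaves the buffer untouched or unterminated when `dnsfilter_rulelist` is unset (its contract is not visible here), the `strsep` loop that follows scans uninitialized heap. Using `calloc(1, 255 * 6 + 1)` or setting `nv[0] = '\0'` before the call makes the loop safe regardless of the helper's behaviour. The same `#ifdef HND_ROUTER` malloc/`nvram_split_get`/`strdup` block, with the magic `255 * 6 + 1`, also appeared in the code removed from format.c in the previous commit, so a small static helper that returns the rulelist as a freshly allocated string, with the size named once, would remove the duplication. `dnsfilter_setup_dnsmasq` starts and ends outside the hunk.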
Killswitch - Block routed clients if tunnel goes down - ><#checkbox_Yes#> - ><#checkbox_No#> -
From 43208fc79a2711245c2f89f3210e4ebacff136b0 Mon Sep 17 00:00:00 2001 From: Eric Sauvageau Date: Fri, 6 Aug 2021 17:43:49 -0400 Subject: [PATCH 12/13] Updated documentation --- Changelog-NG.txt | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/Changelog-NG.txt b/Changelog-NG.txt index 7658af8f26d..cd5b8dede36 100644 --- a/Changelog-NG.txt +++ b/Changelog-NG.txt @@ -1,7 +1,7 @@ Asuswrt-Merlin 386/NG Changelog =============================== -386.3_2 (xx-xxx-2021) +386.3_2 (6-Aug-2021) - NOTE: closed down the Issue tracker on Github, as 90% of it was people asking for technical support, or failing to use the supplied submission form. @@ -13,7 +13,7 @@ Asuswrt-Merlin 386/NG Changelog - CHANGED: Moved the "Redirect Internet traffic" setting on the OpenVPN Client page to the Network Settings section to increase its visibility, as too many - users are not properly configuring it. + users are forgetting to configure it. - CHANGED: Display "Internet traffic not redirected" instead of "Public IP Unknown" on the OpenVPN Client status display when Redirect Internet traffic @@ -26,6 +26,10 @@ Asuswrt-Merlin 386/NG Changelog configured, allowing traffic to be processed by other RPDB tables if there wasn't a matching route within that client's table. + - FIXED: IPV6-compatible DNSFilter servers weren't + properly configured in dnsmasq. + - FIXED: DNSFilter client rules may get corrupted after a + reboot. 386.3 (23-July-2021) From cc376d7be14bd939f281df4b14145a2b776240ec Mon Sep 17 00:00:00 2001 From: Eric Sauvageau Date: Fri, 6 Aug 2021 17:44:17 -0400 Subject: [PATCH 13/13] Bumped revision to 386.3_2 --- release/src-rt/version.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release/src-rt/version.conf b/release/src-rt/version.conf index 1080f0f72c4..70fde97b042 100644 --- a/release/src-rt/version.conf +++ b/release/src-rt/version.conf @@ -1,5 +1,5 @@ KERNEL_VER=3.0 FS_VER=0.4 SERIALNO=386.3 -EXTENDNO=1 +EXTENDNO=2 RCNO=0