OpenWrt release 21.02.0

OpenWrt 21.02.0, a new major release of the distribution, has been published. OpenWrt targets network devices such as routers, switches, and access points. It supports many different platforms and architectures and has a build system that makes cross-compilation simple and lets you choose which components go into the build, so it is easy to create a ready-made firmware or disk image adapted to specific tasks with the desired set of pre-installed packages. Builds are generated for 36 target platforms.

Notable changes in OpenWrt 21.02.0:

  • Increased minimum hardware requirements. Because additional Linux kernel subsystems are included, the default build of OpenWrt now requires a device with 8 MB Flash and 64 MB RAM. If you wish, you can still create your own stripped-down build that works on devices with 4 MB Flash and 32 MB RAM, but the functionality of such a build will be limited, and stability is not guaranteed.
  • The base package set includes support for the WPA3 wireless security technology, which is now available by default both in client mode and when creating an access point. WPA3 provides protection against password guessing attacks (it does not allow offline password guessing) and uses the SAE authentication protocol. WPA3 can be used with most wireless device drivers.
  • The base distribution includes support for TLS and HTTPS by default, which allows you to access the LuCI web interface over HTTPS and use utilities like wget and opkg to retrieve information over encrypted communication channels. The servers that distribute packages downloaded via opkg have also been switched to HTTPS by default. The mbedTLS library used for encryption has been replaced by wolfSSL (if necessary, you can manually install the mbedTLS and OpenSSL libraries, which continue to be supplied as options). To configure automatic redirection to HTTPS, the web interface offers the option "uhttpd.main.redirect_https=1".
  • Implemented initial support for the DSA (Distributed Switch Architecture) kernel subsystem, which provides tools for configuring and managing cascades of interconnected Ethernet switches using the same mechanisms used to configure conventional network interfaces (iproute2, ifconfig). DSA can be used to configure ports and VLANs instead of the previously offered swconfig tool, but not all switch drivers support DSA yet. In this release, DSA is enabled for the ath79 (TP-Link TL-WR941ND), bcm4908, gemini, kirkwood, mediatek, mvebu, octeon, ramips (mt7621) and realtek drivers.
  • Changes have been made to the syntax of the configuration files located in /etc/config/network. In the "config interface" block, the "ifname" option has been renamed to "device", and in the "config device" block, the "bridge" and "ifname" options have been renamed to "ports". For new installations, separate files with device settings (layer 2, "config device" block) and network interfaces (layer 3, "config interface" block) are now generated. To maintain backward compatibility, support for the old syntax has been retained, i.e. previously created settings do not require changes. However, when the web interface detects the old syntax, it displays a prompt to migrate to the new syntax, which is necessary in order to edit the settings through the web interface.

    New syntax example:

        config device
            option name 'br-lan'
            option type 'bridge'
            option macaddr '00:01:02:XX:XX:XX'
            list ports 'lan1'
            list ports 'lan2'
            list ports 'lan3'
            list ports 'lan4'

        config interface 'lan'
            option device 'br-lan'
            option proto 'static'
            option ipaddr '192.168.1.1'
            option netmask '255.255.255.0'
            option ip6assign '60'

        config device
            option name 'eth1'
            option macaddr '00:01:02:YY:YY:YY'

        config interface 'wan'
            option device 'eth1'
            option proto 'dhcp'

        config interface 'wan6'
            option device 'eth1'
            option proto 'dhcpv6'

    The field names in board.json have likewise been changed from "ifname" to "device", by analogy with the /etc/config/network configuration files.

  • A new "realtek" platform has been added to allow OpenWrt to be used on devices with a large number of Ethernet ports, such as D-Link, ZyXEL, ALLNET, INABA, and NETGEAR Ethernet switches.
  • Added new platforms bcm4908 and rockchip for devices based on SoC Broadcom BCM4908 and Rockchip RK33xx. Gaps in device support have been fixed for previously supported platforms.
  • Support for the ar71xx platform has been dropped; the ath79 platform should be used instead (for devices tied to ar71xx, it is recommended to reinstall OpenWrt from scratch). Support for the cns3xxx (Cavium Networks CNS3xxx), rb532 (MikroTik RB532) and samsung (Samsung TQ210) platforms has also been discontinued.
  • Executable files of applications involved in processing network connections are built in PIE (Position-Independent Executables) mode with full support for address space randomization (ASLR) to make it difficult to exploit vulnerabilities in such applications.
  • When building the Linux kernel, options that support container isolation technologies are enabled by default, which makes it possible to use the LXC toolkit and the procd-ujail mode in OpenWrt on most platforms.
  • It is now possible to build with support for the SELinux mandatory access control system (disabled by default).
  • Package versions have been updated, including musl libc 1.1.24, glibc 2.33, gcc 8.4.0, binutils 2.34, hostapd 2020-06-08, dnsmasq 2.85, dropbear 2020.81 and busybox 1.33.1. The Linux kernel has been updated to version 5.4.143, with the cfg80211/mac80211 wireless stack ported from kernel 5.10.42 and WireGuard VPN support ported as well.
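
As an added example (not part of the original article or of OpenWrt itself), the following Python check scans a saved copy of /etc/config/network for the old "ifname" syntax described in the list above, so you know before upgrading whether the web interface will ask for a migration. The sample configuration and the function names are constructed for illustration, and flagging "ifname" in "config device" blocks only when the device is a bridge is an assumption of this example.

```python
import shlex

# Constructed sample of a pre-21.02 /etc/config/network (not taken from the page).
LEGACY_SAMPLE = """\
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1 eth0.2'
	option proto 'static'

config device
	option name 'br-guest'
	option type 'bridge'
	list ifname 'eth0.3'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
"""

def parse_uci(text):
    """Split UCI text into sections, keeping (line, key, value) per option/list."""
    sections = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)  # handles quotes and '#' comments
        if len(tok) >= 2 and tok[0] == "config":
            sections.append({"type": tok[1], "name": tok[2] if len(tok) > 2 else None,
                             "entries": []})
        elif len(tok) >= 3 and tok[0] in ("option", "list") and sections:
            sections[-1]["entries"].append((lineno, tok[1], tok[2]))
    return sections

def find_legacy_syntax(text):
    """Return (line, section, old_key, new_key) for each pre-21.02 'ifname' use."""
    findings = []
    for sec in parse_uci(text):
        opts = {key: value for _, key, value in sec["entries"]}
        label = sec["name"] or opts.get("name", "?")
        for lineno, key, _ in sec["entries"]:
            if key != "ifname":
                continue
            if sec["type"] == "interface":
                findings.append((lineno, f"interface {label}", "ifname", "device"))
            # Assumption: only bridge-type devices take 'ports'; other device
            # types (e.g. VLAN devices) are left alone by this check.
            elif sec["type"] == "device" and opts.get("type") == "bridge":
                findings.append((lineno, f"device {label}", "ifname", "ports"))
    return findings

if __name__ == "__main__":
    for line, section, old, new in find_legacy_syntax(LEGACY_SAMPLE):
        print(f"line {line}: {section}: rename '{old}' to '{new}'")
```

For an interface that is itself declared as a bridge (like 'lan' in the sample), the new-syntax example above shows the target layout: the member ports move to a separate "config device" block and the interface refers to it with "device".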

Source: opennet.ru
