OpenWrt 21.02.0 release

A new major release of the OpenWrt distribution, 21.02.0, has been presented. It is intended for use on a variety of network devices such as routers, switches and access points. OpenWrt supports many different platforms and architectures and has a build system that makes compilation simple and convenient, including various components in the build, which makes it easy to produce a ready-made firmware or disk image with the desired set of pre-installed packages adapted to specific tasks. Builds are prepared for 36 target platforms.

Among the changes in OpenWrt 21.02.0, the following are noted:

  • The minimum hardware requirements have been raised. In the default build, because additional Linux kernel subsystems are included, running OpenWrt now requires a device with 8 MB of Flash and 64 MB of RAM. If desired, you can still create your own stripped-down build that can run on devices with 4 MB of Flash and 32 MB of RAM, but the functionality of such a build will be limited and stable operation is not guaranteed.
  • The base package set includes packages supporting the WPA3 wireless network security technology, which is now available by default both when operating in client mode and when creating an access point. WPA3 provides protection against password-guessing attacks (it does not allow the password to be guessed offline) and uses the SAE authentication protocol. The ability to use WPA3 is provided in most wireless device drivers.
  • The base package set includes TLS and HTTPS support by default, which lets you access the LuCI web interface over HTTPS and use utilities such as wget and opkg to retrieve information over encrypted communication channels. The servers that distribute the packages downloaded through opkg have also been switched to sending information over HTTPS by default. The mbedTLS library used for encryption has been replaced by wolfSSL (if necessary, you can install the mbedTLS and OpenSSL libraries, which continue to be provided as options). To configure automatic redirection to HTTPS, the web interface provides the option “uhttpd.main.redirect_https=1”.
  • Initial support has been implemented for the DSA (Distributed Switch Architecture) kernel subsystem, which provides tools for configuring and managing cascades of interconnected Ethernet switches using the mechanisms used to configure ordinary network interfaces (iproute2, ifconfig). DSA can be used to configure ports and VLANs in place of the previously provided swconfig tool, but not all switch drivers support DSA yet. In this release, DSA is enabled for the ath79 (TP-Link TL-WR941ND), bcm4908, gemini, kirkwood, mediatek, mvebu, octeon, ramips (mt7621) and realtek drivers.
  • Changes have been made to the syntax of the configuration files located in /etc/config/network. In "config interface" blocks, the "ifname" option has been renamed to "device", and in "config device" blocks, the "bridge" and "ifname" options have been renamed to "ports". In new installations, separate files with the settings of devices (layer 2, the "config device" block) and of network interfaces (layer 3, the "config interface" block) are now generated. To maintain backward compatibility, support for the old syntax is retained, i.e. previously created settings will not require changes. In that case, if the old syntax is detected, the web interface will show a proposal to migrate to the new syntax, which is required in order to edit the settings through the web interface.

    Example of the new syntax:

        config device
            option name 'br-lan'
            option type 'bridge'
            option macaddr '00:01:02:XX:XX:XX'
            list ports 'lan1'
            list ports 'lan2'
            list ports 'lan3'
            list ports 'lan4'

        config interface 'lan'
            option device 'br-lan'
            option proto 'static'
            option ipaddr '192.168.1.1'
            option netmask '255.255.255.0'
            option ip6assign '60'

        config device
            option name 'eth1'
            option macaddr '00:01:02:YY:YY:YY'

        config interface 'wan'
            option device 'eth1'
            option proto 'dhcp'

        config interface 'wan6'
            option device 'eth1'
            option proto 'dhcpv6'

    By analogy with the /etc/config/network configuration files, the field names in board.json have been changed from "ifname" to "device".

  • A new "realtek" platform has been added, which allows OpenWrt to be used on devices with a large number of Ethernet ports, such as D-Link, ZyXEL, ALLNET, INABA and NETGEAR Ethernet switches.
  • New bcm4908 and rockchip platforms have been added for devices based on Broadcom BCM4908 and Rockchip RK33xx SoCs. Device support problems have been resolved on previously supported platforms.
  • Support for the ar71xx platform has been discontinued; the ath79 platform should be used instead (for ar71xx-based devices, it is recommended to reinstall OpenWrt from scratch). Support for the cns3xxx (Cavium Networks CNS3xxx), rb532 (MikroTik RB532) and samsung (SamsungTQ210) platforms has also been dropped.
  • The executable files of applications involved in processing network connections are compiled in PIE (Position-Independent Executables) mode with full support for address space layout randomization (ASLR), to make it harder to exploit vulnerabilities in such applications.
  • When building the Linux kernel, options supporting container isolation technologies are enabled by default, which allows the LXC toolkit and the procd-ujail mode to be used in OpenWrt on most platforms.
  • The ability to build with support for the SELinux access control system is provided (disabled by default).
  • Package versions have been updated, including musl libc 1.1.24, glibc 2.33, gcc 8.4.0, binutils 2.34, hostapd 2020-06-08, dnsmasq 2.85, dropbear 2020.81 and busybox 1.33.1. The Linux kernel has been updated to version 5.4.143, with the cfg80211/mac80211 wireless stack ported from the 5.10.42 kernel and support for the WireGuard VPN.
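
Because the old /etc/config/network syntax keeps working after an upgrade, a device can stay on it unnoticed. The following is an added example, not code from OpenWrt or the original article, that scans a network config for the renamed options described above; the function name and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenWrt project code): flag pre-21.02 syntax in a UCI
# network config. Prints "<type> <name>: <reason>" per finding and returns 1
# if anything was found, 0 otherwise. legacy_network_syntax is a hypothetical name.
legacy_network_syntax() {
    awk '
    function unquote(s) { gsub(/^[^A-Za-z0-9_]+|[^A-Za-z0-9_]+$/, "", s); return s }
    function report(msg) { print stype " " sname ": " msg; found = 1 }
    function check_section() {
        if (stype == "interface" && has_ifname)
            report("option ifname (new syntax: option device)")
        if (stype == "interface" && is_bridge)
            report("option type bridge (new syntax: separate config device)")
        if (stype == "device" && is_bridge && has_ifname)
            report("ifname in bridge device (new syntax: list ports)")
    }
    $1 == "config" {
        check_section()                     # evaluate the section that just ended
        stype = $2; sname = unquote($3); has_ifname = 0; is_bridge = 0
        next
    }
    $1 == "option" && $2 == "name" && sname == "" { sname = unquote($3) }
    ($1 == "option" || $1 == "list") && $2 == "ifname" { has_ifname = 1 }
    $1 == "option" && $2 == "type" && unquote($3) == "bridge" { is_bridge = 1 }
    END { check_section(); exit found + 0 }
    ' "$1"
}

# Constructed sample in the old (pre-21.02) syntax, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'
EOF
legacy_network_syntax "$sample" || echo "legacy syntax present: migrate before editing in LuCI"
rm -f "$sample"
```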
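
The PIE change described above can be checked on an unpacked firmware root filesystem by reading each binary's ELF header. The following is an added example, not code from OpenWrt or the original article; the function names, file names and header stubs are constructed, and since e_type alone cannot tell a PIE executable from a shared library, the scan is limited to bin/ and sbin/ directories.

```shell
#!/bin/sh
# Added example (not OpenWrt project code): classify ELF files by e_type.
# ET_EXEC (2) is a fixed-address, non-PIE executable; ET_DYN (3) is a PIE
# executable or a shared library.
# Prints one of: non-pie | pie-or-shared | other-elf | not-elf
elf_kind() {
    # Bytes 0-3: magic, byte 5: EI_DATA (1 = little, 2 = big endian), 16-17: e_type
    set -- $(od -An -tu1 -N18 "$1" 2>/dev/null)
    [ "$#" -eq 18 ] && [ "$1 $2 $3 $4" = "127 69 76 70" ] || { echo not-elf; return 0; }
    case "$6" in
        1) etype=$(( ${17} + 256 * ${18} )) ;;
        2) etype=$(( 256 * ${17} + ${18} )) ;;
        *) echo other-elf; return 0 ;;
    esac
    case "$etype" in
        2) echo non-pie ;;
        3) echo pie-or-shared ;;
        *) echo other-elf ;;
    esac
}

# List files under bin/ and sbin/ directories of an unpacked rootfs that are ET_EXEC.
audit_pie() {
    find "$1" -type f \( -path '*/bin/*' -o -path '*/sbin/*' \) | sort | while read -r f; do
        if [ "$(elf_kind "$f")" = non-pie ]; then echo "$f"; fi
    done
}

# Constructed 18-byte ELF header stubs with hypothetical file names, demo only:
# a little-endian ET_DYN file and a big-endian ET_EXEC file.
rootfs=$(mktemp -d); mkdir -p "$rootfs/usr/sbin"
printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\003\000' > "$rootfs/usr/sbin/daemon_pie"
printf '\177ELF\001\002\001\000\000\000\000\000\000\000\000\000\000\002' > "$rootfs/usr/sbin/daemon_fixed"
audit_pie "$rootfs"    # prints only the path ending in /usr/sbin/daemon_fixed
rm -rf "$rootfs"
```

The article states that PIE is applied to applications that process network connections, so an ET_EXEC result is a finding only for those binaries.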

Source: opennet.ru
