diff --git a/.github/workflows/entrypoint.sh b/.github/workflows/entrypoint.sh index 76dd8cbcc..7587aa8b7 100755 --- a/.github/workflows/entrypoint.sh +++ b/.github/workflows/entrypoint.sh @@ -26,10 +26,24 @@ for PKG in /ci/*.ipk; do echo "Testing package $PKG_NAME in version $PKG_VERSION from $PKG_SOURCE" - opkg install "$PKG" - export PKG_NAME PKG_VERSION CI_HELPER + PRE_TEST_SCRIPT=$(find /ci/ -name "$PKG_SOURCE" -type d)/pre-test.sh + + if [ -f "$PRE_TEST_SCRIPT" ]; then + echo "Use package specific pre-test.sh" + if sh "$PRE_TEST_SCRIPT" "$PKG_NAME" "$PKG_VERSION"; then + echo "Pre-test successful" + else + echo "Pre-test failed" + exit 1 + fi + else + echo "No pre-test.sh script available" + fi + + opkg install "$PKG" + TEST_SCRIPT=$(find /ci/ -name "$PKG_SOURCE" -type d)/test.sh if [ -f "$TEST_SCRIPT" ]; then diff --git a/.github/workflows/multi-arch-test-build.yml b/.github/workflows/multi-arch-test-build.yml index 1d281eda7..3e8b6f263 100644 --- a/.github/workflows/multi-arch-test-build.yml +++ b/.github/workflows/multi-arch-test-build.yml @@ -17,7 +17,7 @@ jobs: - arch: mips_24kc target: ath79-generic - runtime_test: false + runtime_test: true - arch: mipsel_24kc target: mt7621 @@ -162,7 +162,9 @@ jobs: - name: Register QEMU if: ${{ matrix.runtime_test }} run: | - sudo docker run --rm --privileged aptman/qus -s -- -p + sudo apt-get update + sudo apt-get install -y qemu-user-static binfmt-support + sudo update-binfmts --import - name: Build Docker container if: ${{ matrix.runtime_test }} diff --git a/lang/python/python-calver/Makefile b/lang/python/python-calver/Makefile new file mode 100644 index 000000000..cd46859c5 --- /dev/null +++ b/lang/python/python-calver/Makefile 
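Review bot: `PRE_TEST_SCRIPT=$(find /ci/ -name "$PKG_SOURCE" -type d)/pre-test.sh` assumes find yields exactly one path: with no match the value degrades to `/pre-test.sh`, and with several matches (a same-named directory nested deeper under /ci/, or glob characters in `$PKG_SOURCE`, which `-name` treats as a pattern) it becomes a multi-line string, so `[ -f "$PRE_TEST_SCRIPT" ]` is false and the hook is silently logged as "No pre-test.sh script available" instead of being reported as an error. If every package under test is copied to /ci/ (which the existing `TEST_SCRIPT` lookup appears to assume), resolving the directory once and failing when it is not a single existing directory makes both hooks deterministic: `PKG_DIR=$(find /ci/ -name "$PKG_SOURCE" -type d)` / `[ -d "$PKG_DIR" ] || { echo "No unique directory for $PKG_SOURCE under /ci/"; exit 1; }` / `PRE_TEST_SCRIPT="$PKG_DIR/pre-test.sh"`, with the later `TEST_SCRIPT` line reusing `$PKG_DIR`. The enclosing `for PKG in /ci/*.ipk` loop starts before the hunk and ends after it.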
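Review bot: The rewritten `Register QEMU` step carries no comment on why `aptman/qus` was dropped, and the reason is worth keeping next to the step: the removed line ran an unpinned third-party image with `--privileged` on every CI run, whereas the replacement installs `qemu-user-static` and `binfmt-support` from the runner's distribution mirror. A one-line `# distro qemu-user-static instead of a privileged third-party container` above `sudo apt-get update` records that. The `qemu-user-static` package normally registers its binfmt handlers in its own postinst, so `sudo update-binfmts --import` is presumably a safety net; if it is there for a specific failure, say so in the same comment.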
@@ -0,0 +1,48 @@ +# +# Copyright (C) 2023 Jeffery To +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=python-calver +PKG_VERSION:=2022.6.26 +PKG_RELEASE:=1 + +PYPI_NAME:=calver +PKG_HASH:=e05493a3b17517ef1748fbe610da11f10485faa7c416b9d33fd4a52d74894f8b + +PKG_LICENSE:=Apache-2.0 +PKG_LICENSE_FILES:=LICENSE +PKG_MAINTAINER:=Jeffery To + +PKG_HOST_ONLY:=1 +HOST_BUILD_DEPENDS:=python3/host python-build/host python-installer/host python-wheel/host + +include ../pypi.mk +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/host-build.mk +include ../python3-package.mk +include ../python3-host-build.mk + +define Package/python3-calver + SECTION:=lang + CATEGORY:=Languages + SUBMENU:=Python + TITLE:=Setuptools extension for CalVer package versions + URL:=https://github.com/di/calver + DEPENDS:=+python3-light + BUILDONLY:=1 +endef + +define Package/python3-calver/description +The calver package is a setuptools extension for automatically defining +your Python package version as a calendar version. +endef + +$(eval $(call Py3Package,python3-calver)) +$(eval $(call BuildPackage,python3-calver)) +$(eval $(call BuildPackage,python3-calver-src)) +$(eval $(call HostBuild)) diff --git a/lang/python/python-eventlet/Makefile b/lang/python/python-eventlet/Makefile index a2d364aad..8b01f5be2 100644 --- a/lang/python/python-eventlet/Makefile +++ b/lang/python/python-eventlet/Makefile @@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-eventlet -PKG_VERSION:=0.30.2 +PKG_VERSION:=0.33.3 PKG_RELEASE:=1 PYPI_NAME:=eventlet -PKG_HASH:=1811b122d9a45eb5bafba092d36911bca825f835cb648a862bbf984030acff9d +PKG_HASH:=722803e7eadff295347539da363d68ae155b8b26ae6a634474d0a920be73cfda PKG_MAINTAINER:=Jan Pavlinec PKG_LICENSE:=MIT diff --git a/lang/python/python-hatchling/Makefile b/lang/python/python-hatchling/Makefile index 6ba6c63c1..661d62611 100644 
--- a/lang/python/python-hatchling/Makefile +++ b/lang/python/python-hatchling/Makefile @@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-hatchling -PKG_VERSION:=1.13.0 +PKG_VERSION:=1.14.1 PKG_RELEASE:=1 PYPI_NAME:=hatchling -PKG_HASH:=f8d275a2cc720735286b7c2e2bc35da05761e6d3695c2fa416550395f10c53c7 +PKG_HASH:=55fbc88cbd0d96c09c3e9392b51db513fd4cb4caf47615d65f935a5ef1756133 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE.txt @@ -27,7 +27,8 @@ HOST_BUILD_DEPENDS:= \ python-packaging/host \ python-pathspec/host \ python-pluggy/host \ - python-tomli/host + python-tomli/host \ + python-trove-classifiers/host include ../pypi.mk include $(INCLUDE_DIR)/package.mk @@ -48,7 +49,8 @@ define Package/python3-hatchling +python3-packaging \ +python3-pathspec \ +python3-pluggy \ - +python3-tomli + +python3-tomli \ + +python3-trove-classifiers BUILDONLY:=1 endef diff --git a/lang/python/python-trove-classifiers/Makefile b/lang/python/python-trove-classifiers/Makefile new file mode 100644 index 000000000..b122bc2b7 --- /dev/null +++ b/lang/python/python-trove-classifiers/Makefile 
@@ -0,0 +1,56 @@ +# +# Copyright (C) 2023 Jeffery To +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=python-trove-classifiers +PKG_VERSION:=2023.3.9 +PKG_RELEASE:=1 + +PYPI_NAME:=trove-classifiers +PKG_HASH:=ee42f2f8c1d4bcfe35f746e472f07633570d485fab45407effc0379270a3bb03 + +PKG_LICENSE:=Apache-2.0 +PKG_LICENSE_FILES:=LICENSE +PKG_MAINTAINER:=Jeffery To + +PKG_HOST_ONLY:=1 +PKG_BUILD_DEPENDS:=python-calver/host +HOST_BUILD_DEPENDS:= \ + python3/host \ + python-build/host \ + python-installer/host \ + python-wheel/host \ + python-calver/host + +include ../pypi.mk +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/host-build.mk +include ../python3-package.mk +include ../python3-host-build.mk + +define Package/python3-trove-classifiers + SECTION:=lang + CATEGORY:=Languages + SUBMENU:=Python + TITLE:=Canonical source for classifiers on PyPI (pypi.org). + URL:=https://github.com/pypa/trove-classifiers + DEPENDS:=+python3-light + BUILDONLY:=1 +endef + +define Package/python3-trove-classifiers/description +Canonical source for classifiers on PyPI. + +Classifiers categorize projects per PEP 301. Use this package to +validate classifiers in packages for PyPI upload or download. +endef + +$(eval $(call Py3Package,python3-trove-classifiers)) +$(eval $(call BuildPackage,python3-trove-classifiers)) +$(eval $(call BuildPackage,python3-trove-classifiers-src)) +$(eval $(call HostBuild)) diff --git a/libs/getdns/Makefile b/libs/getdns/Makefile index 9a4b838bd..f9825493b 100644 --- a/libs/getdns/Makefile +++ b/libs/getdns/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=getdns PKG_VERSION:=1.7.3 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE diff --git a/libs/getdns/patches/001-openssl-deprecated.patch b/libs/getdns/patches/001-openssl-deprecated.patch new file mode 100644 index 000000000..ed695ac0c 
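Review bot: `TITLE:=Canonical source for classifiers on PyPI (pypi.org).` ends with a period, unlike the sibling python-calver package added in the same commit and the other `TITLE` lines visible in this diff; drop it: `TITLE:=Canonical source for classifiers on PyPI`. `PKG_BUILD_DEPENDS:=python-calver/host` repeats the `python-calver/host` entry already in `HOST_BUILD_DEPENDS`; if the target-side build of a `PKG_HOST_ONLY` package never runs the setup that needs calver, the line is dead, and a short comment naming the build step that requires it would settle that for the next reader.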
--- /dev/null +++ b/libs/getdns/patches/001-openssl-deprecated.patch @@ -0,0 +1,20 @@ +--- a/src/openssl/tls.c ++++ b/src/openssl/tls.c +@@ -872,7 +872,7 @@ _getdns_tls_x509* _getdns_tls_connection + if (!conn || !conn->ssl) + return NULL; + +- return _getdns_tls_x509_new(mfs, SSL_get_peer_certificate(conn->ssl)); ++ return _getdns_tls_x509_new(mfs, SSL_get1_peer_certificate(conn->ssl)); + } + + getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn) +@@ -990,7 +990,7 @@ getdns_return_t _getdns_tls_connection_c + #if defined(USE_DANESSL) + { + getdns_return_t res = GETDNS_RETURN_GOOD; +- X509* peer_cert = SSL_get_peer_certificate(conn->ssl); ++ X509* peer_cert = SSL_get1_peer_certificate(conn->ssl); + if (peer_cert) { + if (conn->auth_name[0] && + X509_check_host(peer_cert, diff --git a/libs/gnutls/Makefile b/libs/gnutls/Makefile index 3246bb254..dc94591c2 100644 --- a/libs/gnutls/Makefile +++ b/libs/gnutls/Makefile @@ -6,13 +6,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=gnutls -PKG_VERSION:=3.7.8 -PKG_RELEASE:=2 +PKG_VERSION:=3.8.0 +PKG_RELEASE:=1 PKG_BUILD_FLAGS:=no-mips16 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_SOURCE_URL:=https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7 -PKG_HASH:=c58ad39af0670efe6a8aee5e3a8b2331a1200418b64b7c51977fb396d4617114 +PKG_SOURCE_URL:=https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8 +PKG_HASH:=0ea0d11a1660a1e63f960f157b197abe6d0c8cb3255be24e1fb3815930b9bdc5 PKG_MAINTAINER:=Nikos Mavrogiannopoulos PKG_LICENSE:=LGPL-2.1-or-later diff --git a/libs/gnutls/patches/010-m4.patch b/libs/gnutls/patches/010-m4.patch index 59ce29ee2..ac66a71bb 100644 --- a/libs/gnutls/patches/010-m4.patch +++ b/libs/gnutls/patches/010-m4.patch @@ -62,12 +62,12 @@ [AC_COMPILE_IFELSE( --- a/src/gl/m4/gnulib-comp.m4 
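Review bot: `SSL_get1_peer_certificate` exists only from OpenSSL 3.0, so after this patch getdns fails to build against OpenSSL 1.1.x (implicit declaration, then a link error) unless the feed no longer builds it against 1.1 anywhere, which I cannot tell from the hunk. The rename itself is safe: both names return an X509 whose reference count was incremented and which the caller must release with `X509_free()`, so ownership of `peer_cert` in the second hunk is unchanged, though its `X509_free` lies outside the hunk and should be confirmed. A three-line shim near the includes keeps both series building: `#if OPENSSL_VERSION_NUMBER < 0x30000000L` / `#define SSL_get1_peer_certificate SSL_get_peer_certificate` / `#endif`. Both enclosing functions begin outside the hunk.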
+++ b/src/gl/m4/gnulib-comp.m4 -@@ -1188,7 +1188,7 @@ changequote([, ])dnl +@@ -1252,7 +1252,7 @@ changequote([, ])dnl gl_UNISTD_MODULE_INDICATOR([sleep]) AC_CHECK_DECLS_ONCE([alarm]) AC_REQUIRE([gt_TYPE_WCHAR_T]) - AC_REQUIRE([gt_TYPE_WINT_T]) + AC_REQUIRE([gt_TYPE_WINT_T_GNUTLS]) gl_FUNC_STRERROR_R - if test $HAVE_DECL_STRERROR_R = 0 || test $REPLACE_STRERROR_R = 1; then + AS_IF([test $HAVE_DECL_STRERROR_R = 0 || test $REPLACE_STRERROR_R = 1], [ AC_LIBOBJ([strerror_r]) diff --git a/libs/gnutls/patches/020-dont-install-m4-files.patch b/libs/gnutls/patches/020-dont-install-m4-files.patch index 28d5fc0ff..6caeabc48 100644 --- a/libs/gnutls/patches/020-dont-install-m4-files.patch +++ b/libs/gnutls/patches/020-dont-install-m4-files.patch @@ -14,7 +14,7 @@ Signed-off-by: Eneas U de Queiroz --- a/Makefile.am +++ b/Makefile.am -@@ -57,7 +57,7 @@ if ENABLE_DOC +@@ -48,7 +48,7 @@ if ENABLE_DOC SUBDIRS += doc endif diff --git a/libs/gperf/Makefile b/libs/gperf/Makefile deleted file mode 100644 index 5035895c4..000000000 --- a/libs/gperf/Makefile +++ /dev/null 
@@ -1,47 +0,0 @@
-#
-# Copyright (C) 2006-2017 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=gperf
-PKG_VERSION:=3.1
-PKG_RELEASE:=1
-PKG_HASH:=588546b945bba4b70b6a3a616e80b4ab466e3f33024a352fc2198112cdbb3ae2
-
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=@GNU/gperf
-PKG_HOST_ONLY=1
-
-PKG_MAINTAINER:=Espen Jürgensen
-PKG_LICENSE:=GPL-3.0
-PKG_LICENSE_FILES:=COPYING
-
-include $(INCLUDE_DIR)/host-build.mk
-include $(INCLUDE_DIR)/package.mk
-
-define Package/gperf
- SECTION:=libs
- CATEGORY:=Libraries
- TITLE:=GNU gperf
- BUILDONLY:=1
- URL:=http://www.gnu.org/software/gperf
-endef
-
-define Package/gperf/description
- GNU gperf is a perfect hash function generator. For a given list of strings, it
- produces a hash function and hash table, in form of C or C++ code, for looking
- up a value depending on the input string. The hash function is perfect, which
- means that the hash table has no collisions, and the hash table lookup needs a
- single string comparison only.
-endef
-
-define Host/Install
- $(MAKE) -C $(HOST_BUILD_DIR) install
-endef
-
-$(eval $(call HostBuild))
-$(eval $(call BuildPackage,gperf))
diff --git a/libs/gperf/patches/100-include_own_first.patch b/libs/gperf/patches/100-include_own_first.patch
deleted file mode 100644
index 6936f35db..000000000
--- a/libs/gperf/patches/100-include_own_first.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/lib/Makefile.in b/lib/Makefile.in
-index 29bbf92..cf2bf3c 100644
---- a/lib/Makefile.in
-+++ b/lib/Makefile.in
-@@ -61,7 +61,7 @@ SHELL = /bin/sh
- VPATH = $(srcdir)
-
- OBJECTS = getopt.$(OBJEXT) getopt1.$(OBJEXT) getline.$(OBJEXT) hash.$(OBJEXT)
--CPPFLAGS = @CPPFLAGS@ -I$(srcdir)
-+CPPFLAGS = -I$(srcdir) @CPPFLAGS@
-
- TARGETLIB = libgp.a
-
-diff --git a/src/Makefile.in b/src/Makefile.in
-index 6866ffd..bd4df14 100644
---- a/src/Makefile.in
-+++ b/src/Makefile.in
-@@ -64,7 +64,7 @@ VPATH = $(srcdir)
- OBJECTS = version.$(OBJEXT) positions.$(OBJEXT) options.$(OBJEXT) keyword.$(OBJEXT) keyword-list.$(OBJEXT) \
- input.$(OBJEXT) bool-array.$(OBJEXT) hash-table.$(OBJEXT) search.$(OBJEXT) output.$(OBJEXT) main.$(OBJEXT)
- LIBS = ../lib/libgp.a @GPERF_LIBM@
--CPPFLAGS = @CPPFLAGS@ -I. -I$(srcdir)/../lib
-+CPPFLAGS = -I. -I$(srcdir)/../lib @CPPFLAGS@
-
- TARGETPROG = gperf$(EXEEXT)
-
diff --git a/libs/libxml2/Makefile b/libs/libxml2/Makefile
deleted file mode 100644
index a726e78cc..000000000
--- a/libs/libxml2/Makefile
+++ /dev/null
@@ -1,214 +0,0 @@ -# -# Copyright (C) 2006-2016 OpenWrt.org -# -# This is free software, licensed under the GNU General Public License v2. -# See /LICENSE for more information. -# - -include $(TOPDIR)/rules.mk - -PKG_NAME:=libxml2 -PKG_VERSION:=2.10.3 -PKG_RELEASE:=2 - -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_SOURCE_URL:=@GNOME/libxml2/$(basename $(PKG_VERSION)) -PKG_HASH:=5d2cc3d78bec3dbe212a9d7fa629ada25a7da928af432c93060ff5c17ee28a9c - -PKG_MAINTAINER:=Michael Heimpold -PKG_LICENSE:=MIT -PKG_LICENSE_FILES:=COPYING -PKG_CPE_ID:=cpe:/a:xmlsoft:libxml2 - -include $(INCLUDE_DIR)/host-build.mk -include $(INCLUDE_DIR)/package.mk -include $(INCLUDE_DIR)/cmake.mk -include $(INCLUDE_DIR)/nls.mk - -define Package/libxml2 - SECTION:=libs - CATEGORY:=Libraries - TITLE:=Gnome XML library - URL:=http://xmlsoft.org/ - DEPENDS:=+libpthread +zlib $(ICONV_DEPENDS) -endef - -define Package/libxml2/description - A library for manipulating XML and HTML resources. -endef - -define Package/libxml2-dev - SECTION:=devel - CATEGORY:=Development - SUBMENU:=Libraries - TITLE:=Development files for libxml2 - URL:=http://xmlsoft.org/ - DEPENDS:=+libxml2 -endef - -define Package/libxml2-dev/description - A library for manipulating XML and HTML resources. - - This package contains the headers and xml2-config binary. -endef - -define Package/libxml2-utils - SECTION:=utils - CATEGORY:=Utilities - TITLE:=XML command line utilities (xmllint...) - URL:=http://xmlsoft.org/ - DEPENDS:=+libxml2 -endef - -define Package/libxml2-utils/description - This package contains the binaries xmllint and xmlcatalog - from libxml2, a library for manipulating XML and HTML resources. 
-endef - -CMAKE_HOST_OPTIONS += \ - -DBUILD_SHARED_LIBS=OFF \ - -DLIBXML2_WITH_C14N=ON \ - -DLIBXML2_WITH_CATALOG=OFF \ - -DLIBXML2_WITH_DEBUG=ON \ - -DLIBXML2_WITH_FTP=OFF \ - -DLIBXML2_WITH_HTML=ON \ - -DLIBXML2_WITH_HTTP=OFF \ - -DLIBXML2_WITH_ICONV=ON \ - -DLIBXML2_WITH_ICU=OFF \ - -DLIBXML2_WITH_ISO8859X=OFF \ - -DLIBXML2_WITH_LEGACY=OFF \ - -DLIBXML2_WITH_LZMA=OFF \ - -DLIBXML2_WITH_MEM_DEBUG=OFF \ - -DLIBXML2_WITH_MODULES=OFF \ - -DLIBXML2_WITH_OUTPUT=ON \ - -DLIBXML2_WITH_PATTERN=ON \ - -DLIBXML2_WITH_PROGRAMS=OFF \ - -DLIBXML2_WITH_PUSH=ON \ - -DLIBXML2_WITH_PYTHON=OFF \ - -DLIBXML2_WITH_READER=ON \ - -DLIBXML2_WITH_REGEXPS=ON \ - -DLIBXML2_WITH_RUN_DEBUG=OFF \ - -DLIBXML2_WITH_SAX1=ON \ - -DLIBXML2_WITH_SCHEMAS=ON \ - -DLIBXML2_WITH_SCHEMATRON=OFF \ - -DLIBXML2_WITH_TESTS=OFF \ - -DLIBXML2_WITH_THREADS=ON \ - -DLIBXML2_WITH_THREAD_ALLOC=OFF \ - -DLIBXML2_WITH_TREE=ON \ - -DLIBXML2_WITH_VALID=ON \ - -DLIBXML2_WITH_WRITER=ON \ - -DLIBXML2_WITH_XINCLUDE=ON \ - -DLIBXML2_WITH_XPATH=ON \ - -DLIBXML2_WITH_XPTR=ON \ - -DLIBXML2_WITH_XPTR_LOCS=ON \ - -DLIBXML2_WITH_ZLIB=ON - -CMAKE_OPTIONS += \ - -DBUILD_SHARED_LIBS=ON \ - -DLIBXML2_WITH_C14N=ON \ - -DLIBXML2_WITH_CATALOG=OFF \ - -DLIBXML2_WITH_DEBUG=ON \ - -DLIBXML2_WITH_FTP=OFF \ - -DLIBXML2_WITH_HTML=ON \ - -DLIBXML2_WITH_HTTP=OFF \ - -DLIBXML2_WITH_ICONV=ON \ - -DLIBXML2_WITH_ICU=OFF \ - -DLIBXML2_WITH_ISO8859X=OFF \ - -DLIBXML2_WITH_LEGACY=OFF \ - -DLIBXML2_WITH_LZMA=OFF \ - -DLIBXML2_WITH_MEM_DEBUG=OFF \ - -DLIBXML2_WITH_MODULES=OFF \ - -DLIBXML2_WITH_OUTPUT=ON \ - -DLIBXML2_WITH_PATTERN=ON \ - -DLIBXML2_WITH_PROGRAMS=ON \ - -DLIBXML2_WITH_PUSH=ON \ - -DLIBXML2_WITH_PYTHON=OFF \ - -DLIBXML2_WITH_READER=ON \ - -DLIBXML2_WITH_REGEXPS=ON \ - -DLIBXML2_WITH_RUN_DEBUG=OFF \ - -DLIBXML2_WITH_SAX1=ON \ - -DLIBXML2_WITH_SCHEMAS=ON \ - -DLIBXML2_WITH_SCHEMATRON=OFF \ - -DLIBXML2_WITH_TESTS=OFF \ - -DLIBXML2_WITH_THREADS=ON \ - -DLIBXML2_WITH_THREAD_ALLOC=OFF \ - -DLIBXML2_WITH_TREE=ON \ - -DLIBXML2_WITH_VALID=ON \ - 
-DLIBXML2_WITH_WRITER=ON \ - -DLIBXML2_WITH_XINCLUDE=ON \ - -DLIBXML2_WITH_XPATH=ON \ - -DLIBXML2_WITH_XPTR=ON \ - -DLIBXML2_WITH_XPTR_LOCS=ON \ - -DLIBXML2_WITH_ZLIB=ON \ - -DHAVE_LIBHISTORY=OFF \ - -DHAVE_LIBREADLINE=OFF - -define Build/InstallDev - $(INSTALL_DIR) $(2)/bin - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/xml2-config \ - $(2)/bin/$(GNU_TARGET_NAME)-xml2-config - $(SED) 's,^\(prefix\|exec_prefix\)=.*,\1=$(STAGING_DIR)/usr,g' \ - $(2)/bin/$(GNU_TARGET_NAME)-xml2-config - $(LN) $(GNU_TARGET_NAME)-xml2-config $(2)/bin/xml2-config - - $(INSTALL_DIR) $(1)/usr/bin - $(CP) $(PKG_INSTALL_DIR)/usr/bin/xmlcatalog $(1)/usr/bin/ - $(CP) $(PKG_INSTALL_DIR)/usr/bin/xmllint $(1)/usr/bin/ - - $(INSTALL_DIR) $(1)/usr/include - $(CP) $(PKG_INSTALL_DIR)/usr/include/libxml2 $(1)/usr/include/ - - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxml2.so* $(1)/usr/lib/ - - $(INSTALL_DIR) $(1)/usr/lib/cmake/libxml2 - $(CP) $(PKG_INSTALL_DIR)/usr/lib/cmake/libxml2-$(PKG_VERSION)/*.cmake \ - $(1)/usr/lib/cmake/libxml2 - - $(INSTALL_DIR) $(1)/usr/lib/pkgconfig - $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libxml-2.0.pc $(1)/usr/lib/pkgconfig/ - - $(INSTALL_DIR) $(2)/share/aclocal/ - $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/share/aclocal/* $(2)/share/aclocal -endef - -define Host/Install - $(call Host/Install/Default) - mv $(1)/bin/xml2-config $(1)/bin/$(GNU_HOST_NAME)-xml2-config - $(LN) $(GNU_HOST_NAME)-xml2-config $(1)/bin/xml2-config -endef - -define Package/libxml2/install - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxml2.so.* $(1)/usr/lib/ -endef - -define Package/libxml2-dev/install - $(INSTALL_DIR) $(1)/usr/bin - $(CP) $(PKG_INSTALL_DIR)/usr/bin/xml2-config $(1)/usr/bin/ - $(SED) "s,$(STAGING_DIR),,g" $(1)/usr/bin/xml2-config - - $(INSTALL_DIR) $(1)/usr/include/ - $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/ - - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxml2.so $(1)/usr/lib/ - - 
$(INSTALL_DIR) $(1)/usr/lib/{cmake,pkgconfig} - $(CP) $(PKG_INSTALL_DIR)/usr/lib/{cmake,pkgconfig} $(1)/usr/lib/ - $(SED) "s,$(STAGING_DIR),,g" $(1)/usr/lib/pkgconfig/*.pc - - $(INSTALL_DIR) $(1)/usr/share/aclocal - $(CP) $(PKG_INSTALL_DIR)/usr/share/aclocal/* $(1)/usr/share/aclocal -endef - -define Package/libxml2-utils/install - $(INSTALL_DIR) $(1)/usr/bin - $(CP) $(PKG_INSTALL_DIR)/usr/bin/xmllint $(1)/usr/bin/ - $(CP) $(PKG_INSTALL_DIR)/usr/bin/xmlcatalog $(1)/usr/bin/ -endef - -$(eval $(call HostBuild)) -$(eval $(call BuildPackage,libxml2)) -$(eval $(call BuildPackage,libxml2-dev)) -$(eval $(call BuildPackage,libxml2-utils)) diff --git a/libs/libxml2/patches/010-iconv.patch b/libs/libxml2/patches/010-iconv.patch deleted file mode 100644 index e35b7ce93..000000000 --- a/libs/libxml2/patches/010-iconv.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -496,6 +496,9 @@ if(LIBXML2_WITH_PROGRAMS) - add_executable(LibXml2::${PROGRAM} ALIAS ${PROGRAM}) - target_compile_definitions(${PROGRAM} PRIVATE SYSCONFDIR="${CMAKE_INSTALL_FULL_SYSCONFDIR}") - target_link_libraries(${PROGRAM} LibXml2) -+ if(LIBXML2_WITH_ICONV AND NOT Iconv_IS_BUILT_IN) -+ target_link_libraries(${PROGRAM} iconv) -+ endif() - if(HAVE_LIBHISTORY) - target_link_libraries(${PROGRAM} history) - endif() diff --git a/libs/sqlite3/Makefile b/libs/sqlite3/Makefile index aad769dcb..9d1d04dee 100644 --- a/libs/sqlite3/Makefile +++ b/libs/sqlite3/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=sqlite -PKG_VERSION:=3410100 +PKG_VERSION:=3410200 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-autoconf-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.sqlite.org/2023/ -PKG_HASH:=4dadfbeab9f8e16c695d4fbbc51c16b2f77fb97ff4c1c3d139919dfc038c9e33 +PKG_HASH:=e98c100dd1da4e30fa460761dab7c0b91a50b785e167f8c57acc46514fae9499 PKG_CPE_ID:=cpe:/a:sqlite:sqlite PKG_LICENSE:=PUBLICDOMAIN diff --git a/net/acme-common/Makefile b/net/acme-common/Makefile index 841146826..ac92fc564 100644 
--- a/net/acme-common/Makefile +++ b/net/acme-common/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=acme-common -PKG_VERSION:=1.0.2 +PKG_VERSION:=1.0.3 PKG_MAINTAINER:=Toke Høiland-Jørgensen PKG_LICENSE:=GPL-3.0-only @@ -48,19 +48,9 @@ define Package/acme-common/install $(INSTALL_DIR) $(1)/etc/hotplug.d/acme endef -define Package/acme-common/postinst -#!/bin/sh -if [ -z "$$IPKG_INSTROOT" ]; then - grep -q '/etc/init.d/acme' /etc/crontabs/root 2>/dev/null && exit 0 - echo "0 0 * * * /etc/init.d/acme start" >> /etc/crontabs/root -fi -endef - define Package/acme-common/prerm #!/bin/sh -if [ -z "$$IPKG_INSTROOT" ]; then - sed -i '\|/etc/init.d/acme|d' /etc/crontabs/root -fi +sed -i '\|/etc/init.d/acme|d' /etc/crontabs/root endef define Build/Configure diff --git a/net/banip/Makefile b/net/banip/Makefile index dbee9b992..07bad2213 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -1,13 +1,11 @@ -# -# banIP - ban incoming and outgoing ip addresses/subnets via sets in nftables +# banIP - ban incoming and outgoing IPs via named nftables Sets # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. -# include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=0.8.4 +PKG_VERSION:=0.8.5 PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken 
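Review bot: The prerm loses its `IPKG_INSTROOT` guard, so `sed -i '\|/etc/init.d/acme|d' /etc/crontabs/root` now runs unconditionally: when a package is removed from an offline rootfs it edits the build host's crontab rather than the target's, and when `/etc/crontabs/root` does not exist `sed -i` fails on the missing file and, being the script's last command, makes prerm exit non-zero. Guarding on the file and honouring the root prefix keeps the cleanup harmless in both cases: `CRON="$${IPKG_INSTROOT}/etc/crontabs/root"` / `[ -f "$$CRON" ] && sed -i '\|/etc/init.d/acme|d' "$$CRON"` / `exit 0`. The removed postinst no longer appends the cron line, so whatever now creates it is outside this hunk; worth confirming the prerm pattern still matches that line.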
@@ -17,13 +15,13 @@ include $(INCLUDE_DIR)/package.mk define Package/banip SECTION:=net CATEGORY:=Network - TITLE:=banIP blocks IP addresses via named nftables sets + TITLE:=banIP blocks IPs via named nftables Sets DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +logd +rpcd +rpcd-mod-rpcsys PKGARCH:=all endef define Package/banip/description -banIP blocks IP addresses via named nftables sets. +banIP blocks IPs via named nftables Sets. banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime. Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information. diff --git a/net/banip/files/README.md b/net/banip/files/README.md index 00cb83f5b..ae5a4eedb 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md @@ -1,9 +1,9 @@ -# banIP - ban incoming and outgoing IP addresses/subnets via sets in nftables +# banIP - ban incoming and outgoing IP addresses/subnets via Sets in nftables ## Description -IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IP addresses that make too many password failures, e.g. via ssh. +IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IPs that make too many password failures, e.g. via ssh. ## Main Features * banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses). 
@@ -57,12 +57,12 @@ IP address blocking is commonly used to protect against brute force attacks, pre | yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | * Zero-conf like automatic installation & setup, usually no manual changes needed -* All sets are handled in a separate nft table/namespace 'banIP' +* All Sets are handled in a separate nft table/namespace 'banIP' * Full IPv4 and IPv6 support -* Supports nft atomic set loading +* Supports nft atomic Set loading * Supports blocking by ASN numbers and by iso country codes * Supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names) -* Auto-add the uplink subnet to the local allowlist +* Auto-add the uplink subnet or uplink IP to the local allowlist * Provides a small background log monitor to ban unsuccessful login attempts in real-time * Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist * Fast feed processing as they are handled in parallel as background jobs 
@@ -70,15 +70,16 @@ IP address blocking is commonly used to protect against brute force attacks, pre * Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup * Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget * Supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs -* Deduplicate IPs accross all sets (single IPs only, no intervals) +* Deduplicate IPs accross all Sets (single IPs only, no intervals) * Provides comprehensive runtime information -* Provides a detailed set report -* Provides a set search engine for certain IPs +* Provides a detailed Set report +* Provides a Set search engine for certain IPs * Feed parsing by fast & flexible regex rulesets * Minimal status & error logging to syslog, enable debug logging to receive more output * Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup) * Procd network interface trigger support * Add new or edit existing banIP feeds on your own with the integrated custom feed editor +* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds ## Prerequisites * **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support @@ -112,9 +113,9 @@ Available commands: enable Enable service autostart disable Disable service autostart enabled Check if service is started on boot - report [text|json|mail] Print banIP related set statistics - search [|] Check if an element exists in a banIP set - survey [] List all elements of a given banIP set + report [text|json|mail] Print banIP related Set statistics + search [|] Check if an element exists in a banIP Set + survey [] List all elements of a given banIP Set lookup Lookup the IPs of domain names in the local lists and update them running Check if service is running status Service status 
@@ -124,57 +125,59 @@ Available commands: ## banIP config options -| Option | Type | Default | Description | -| :---------------------- | :----- | :---------------------------- | :-------------------------------------------------------------------------------------------- | -| ban_enabled | option | 0 | enable the banIP service | -| ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) | -| ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) | -| ban_loglimit | option | 100 | scan only the last n log entries permanently. Set it to '0' to disable the monitor | -| ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious | -| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) | -| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets | -| ban_debug | option | 0 | enable banIP related debug logging | -| ban_loginput | option | 1 | log drops in the wan-input chain | -| ban_logforwardwan | option | 1 | log drops in the wan-forward chain | -| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain | -| ban_autoallowlist | option | 1 | add wan IPs/subnets automatically to the local allowlist | -| ban_autoblocklist | option | 1 | add suspicious attacker IPs automatically to the local blocklist | -| ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs | -| ban_basedir | option | /tmp | base working directory while banIP processing | -| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files | -| ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files | -| ban_protov4 | option | - / autodetect | enable IPv4 support | -| ban_protov6 | option | - / autodetect | enable IPv4 support | -| ban_ifv4 | list | - / autodetect | logical wan IPv4 
interfaces, e.g. 'wan' | -| ban_ifv6 | list | - / autodetect | logical wan IPv6 interfaces, e.g. 'wan6' | -| ban_dev | list | - / autodetect | wan device(s), e.g. 'eth2' | -| ban_trigger | list | - | logical startup trigger interface(s), e.g. 'wan' | -| ban_triggerdelay | option | 10 | trigger timeout before banIP processing begins | -| ban_triggeraction | option | start | trigger action on ifup events, e.g. start, restart or reload | -| ban_deduplicate | option | 1 | deduplicate IP addresses across all active sets | -| ban_splitsize | option | 0 | split ext. sets after every n lines/members (saves RAM) | -| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) | -| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug | -| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) | -| ban_nftpolicy | option | memory | nft policy for banIP-related sets, values: memory, performance | -| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' | -| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) | -| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' | -| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' | -| ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' | -| ban_blockinput | list | - | limit a feed to the wan-input chain, e.g. 'country' | -| ban_blockforwardwan | list | - | limit a feed to the wan-forward chain, e.g. 'debl' | -| ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 
'doh' | -| ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' | -| ban_fetchparm | option | - / autodetect | set the config options for the selected download utility | -| ban_fetchinsecure | option | 0 | don't check SSL server certificates during download | -| ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails | -| ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails | -| ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails | -| ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails | -| ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run | -| ban_reportelements | option | 1 | list set elements in the report, disable this to speed up the report significantly | -| ban_resolver | option | - | external resolver used for DNS lookups | +| Option | Type | Default | Description | +| :---------------------- | :----- | :---------------------------- | :----------------------------------------------------------------------------------------------------------- | +| ban_enabled | option | 0 | enable the banIP service | +| ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) | +| ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) | +| ban_loglimit | option | 100 | scan only the last n log entries permanently. 
A value of '0' disables the monitor | +| ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious | +| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) | +| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets | +| ban_debug | option | 0 | enable banIP related debug logging | +| ban_loginput | option | 1 | log drops in the wan-input chain | +| ban_logforwardwan | option | 1 | log drops in the wan-forward chain | +| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain | +| ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) | +| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) | +| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all | +| ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs | +| ban_basedir | option | /tmp | base working directory while banIP processing | +| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files | +| ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files | +| ban_protov4 | option | - / autodetect | enable IPv4 support | +| ban_protov6 | option | - / autodetect | enable IPv4 support | +| ban_ifv4 | list | - / autodetect | logical wan IPv4 interfaces, e.g. 'wan' | +| ban_ifv6 | list | - / autodetect | logical wan IPv6 interfaces, e.g. 'wan6' | +| ban_dev | list | - / autodetect | wan device(s), e.g. 'eth2' | +| ban_trigger | list | - | logical startup trigger interface(s), e.g. 
'wan' | +| ban_triggerdelay | option | 10 | trigger timeout before banIP processing begins | +| ban_triggeraction | option | start | trigger action on ifup events, e.g. start, restart or reload | +| ban_deduplicate | option | 1 | deduplicate IP addresses across all active Sets | +| ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) | +| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) | +| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug | +| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) | +| ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance | +| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' | +| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) | +| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' | +| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' | +| ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' | +| ban_blockinput | list | - | limit a feed to the wan-input chain, e.g. 'country' | +| ban_blockforwardwan | list | - | limit a feed to the wan-forward chain, e.g. 'debl' | +| ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 
'doh' | +| ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' | +| ban_fetchparm | option | - / autodetect | set the config options for the selected download utility | +| ban_fetchretry | option | 5 | number of download attempts in case of an error (not supported by uclient-fetch) | +| ban_fetchinsecure | option | 0 | don't check SSL server certificates during download | +| ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails | +| ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails | +| ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails | +| ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails | +| ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run | +| ban_reportelements | option | 1 | count Set elements in the report, disable this option to speed up the report significantly | +| ban_resolver | option | - | external resolver used for DNS lookups | ## Examples **banIP report information** 
@@ -229,11 +232,11 @@ Available commands: ~# /etc/init.d/banip status ::: banIP runtime information + status : active (nft: ✔, monitor: ✔) - + version : 0.8.3-1 + + version : 0.8.5-1 + element_count : 281161 + active_feeds : allowlistvMAC, allowlistv6, allowlistv4, adawayv4, adguardtrackersv4, adawayv6, adguardv6, adguardv4, adguardtrackersv6, antipopadsv6, antipopadsv4, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dohv4, dohv6, iblockadsv4, firehol1v4, oisdbigv4, yoyov6, threatviewv4, yoyov4, oisdbigv6, blocklistvMAC, blocklistv4, blocklistv6 + active_devices : br-wan ::: wan, wan6 - + active_subnets : 91.64.169.252/24, 2a02:710c:0:60:958b:3bd0:9e14:abb/128 + + active_uplink : 91.64.169.252/24, 2a02:710c:0:60:958b:3bd0:9e14:abb/128 + nft_info : priority: -200, policy: memory, loglevel: warn, expiry: - + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, feed: /etc/banip/banip.feeds + run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, allowed only: ✘ @@ -258,7 +261,7 @@ Available commands: ::: ::: banIP Survey ::: - List the elements of Set 'cinsscorev4' on 2023-03-06 14:07:58 + List of elements in the Set 'cinsscorev4' on 2023-03-06 14:07:58 --- 1.10.187.179 1.10.203.30 
@@ -288,9 +291,10 @@ list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress=' **allow-/blocklist handling** banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist. -Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option. -Furthermore the uplink subnet will be added to local allowlist (see 'ban\_autoallowlist' option). -Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time. +Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban_nftexpiry' option. +Depending on the options 'ban_autoallowlist' and 'ban_autoallowuplink' the uplink subnet or the uplink IP will be added automatically to local allowlist. +Furthermore, you can reference external Allowlist URLs with additional IPv4 and IPv6 feeds (see 'ban_allowurl'). +Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time. **allowlist-only mode** banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked. 
@@ -306,22 +310,22 @@ For a regular, automatic status mailing and update of the used lists on a daily ``` **tweaks for low memory systems** -nftables supports the atomic loading of rules/sets/members, which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options: +nftables supports the atomic loading of firewall rules (incl. elements), which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options: * point 'ban_basedir', 'ban_reportdir' and 'ban_backupdir' to an external usb drive * set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing - * set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members - * set 'ban_reportelements' to '0' to disable the CPU intensive counting of set elements + * set 'ban_splitsize' e.g. 
to '1000' to split the load of an external Set after every 1000 lines/members + * set 'ban_reportelements' to '0' to disable the CPU intensive counting of Set elements **tweak the download options** By default banIP uses the following pre-configured download options: ``` - * aria2c: --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o - * curl: --connect-timeout 20 --fail --silent --show-error --location -o + * aria2c: --timeout=20 --retry-wait=10 --max-tries=5 --max-file-not-found=5 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o + * curl: --connect-timeout 20 --retry-delay 10 --retry 5 --retry-all-errors --fail --silent --show-error --location -o + * wget: --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=5 --retry-connrefused --max-redirect=0 -O * uclient-fetch: --timeout=20 -O - * wget: --no-cache --no-cookies --max-redirect=0 --timeout=20 -O ``` -To override the default set 'ban_fetchparm' manually to your needs. +To override the default set 'ban_fetchretry', 'ban_fetchinsecure' or globally 'ban_fetchparm' to your needs. **send E-Mail notifications via 'msmtp'** To use the email notification you must install & configure the package 'msmtp'. @@ -349,7 +353,7 @@ The banIP default blocklist feeds are stored in an external JSON file '/etc/bani A valid JSON source object contains the following information, e.g.: ``` [...] - "tor": { + "tor":{ "url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst", "url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 18fd331d8..85903d1de 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh 
@@ -1,4 +1,4 @@ -# banIP shared function library/include +# banIP shared function library/include - ban incoming and outgoing IPs via named nftables Sets # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. @@ -29,6 +29,9 @@ ban_nftcmd="$(command -v nft)" ban_fw4cmd="$(command -v fw4)" ban_awkcmd="$(command -v awk)" ban_grepcmd="$(command -v grep)" +ban_sedcmd="$(command -v sed)" +ban_catcmd="$(command -v cat)" +ban_zcatcmd="$(command -v zcat)" ban_lookupcmd="$(command -v nslookup)" ban_mailcmd="$(command -v msmtp)" ban_mailsender="no-reply@banIP" @@ -49,8 +52,10 @@ ban_asn="" ban_loginput="1" ban_logforwardwan="1" ban_logforwardlan="0" +ban_allowurl="" ban_allowlistonly="0" ban_autoallowlist="1" +ban_autoallowuplink="subnet" ban_autoblocklist="1" ban_deduplicate="1" ban_splitsize="0" @@ -65,8 +70,9 @@ ban_protov6="0" ban_ifv4="" ban_ifv6="" ban_dev="" -ban_sub="" +ban_uplink="" ban_fetchinsecure="" +ban_fetchretry="5" ban_cores="" ban_memory="" ban_trigger="" @@ -105,7 +111,7 @@ f_mkdir() { if [ ! -d "${dir}" ]; then rm -f "${dir}" mkdir -p "${dir}" - f_log "debug" "f_mkdir ::: created directory: ${dir}" + f_log "debug" "f_mkdir ::: directory: ${dir}" fi } @@ -116,7 +122,7 @@ f_mkfile() { if [ ! -f "${file}" ]; then : >"${file}" - f_log "debug" "f_mkfile ::: created file: ${file}" + f_log "debug" "f_mkfile ::: file: ${file}" fi } @@ -127,7 +133,7 @@ f_tmp() { ban_tmpdir="$(mktemp -p "${ban_basedir}" -d)" ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)" - f_log "debug" "f_tmp ::: base_dir: ${ban_basedir:-"-"}, tmp_dir: ${ban_tmpdir:-"-"}" + f_log "debug" "f_tmp ::: base_dir: ${ban_basedir:-"-"}, tmp_dir: ${ban_tmpdir:-"-"}" } # remove directories @@ -137,7 +143,7 @@ f_rmdir() { if [ -d "${dir}" ]; then rm -rf "${dir}" - f_log "debug" "f_rmdir ::: deleted directory: ${dir}" + f_log "debug" "f_rmdir ::: directory: ${dir}" fi } 
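Review bot: The three new command lookups in hunk @@ -29 (`ban_sedcmd`, `ban_catcmd`, `ban_zcatcmd`) are assigned from `command -v`, but unlike `ban_fetchcmd` in f_fetch nothing visible checks that the result is non-empty and executable; if zcat is absent, `"${ban_zcatcmd}"` in f_down and f_restore expands to an empty command and the restore path fails with nothing but the return code to go on. If the file already validates the other `ban_*cmd` variables at startup, the new ones should join that check; otherwise a guard next to the assignments, e.g. `[ -x "${ban_zcatcmd}" ] || f_log "err" "no zcat utility"`, makes the missing dependency explicit instead of surfacing as a failed download or restore later.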
@@ -195,7 +201,7 @@ f_log() { # load config # f_conf() { - unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn + unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_allowurl ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn config_cb() { option_cb() { local option="${1}" @@ -218,6 +224,9 @@ f_conf() { "ban_feed") eval "${option}=\"$(printf "%s" "${ban_feed}")${value} \"" ;; + "ban_allowurl") + eval "${option}=\"$(printf "%s" "${ban_allowurl}")${value} \"" + ;; "ban_blockinput") eval "${option}=\"$(printf "%s" "${ban_blockinput}")${value} \"" ;; 
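Review bot: The new `ban_allowurl` branch in hunk @@ -218 splices `${value}` into a double-quoted string that is then passed to `eval`, copying the existing `ban_feed` pattern; for URLs this is more fragile than for feed names, because a value containing `"`, a backtick or `$` is re-parsed by the shell rather than stored. The value comes from the root-owned uci config so the exposure is limited, but inside this case branch the option name is fixed, so a plain append, `ban_allowurl="${ban_allowurl}${value} "`, stores the same string without the second parse. The sibling branches share the pattern but are pre-existing; the enclosing f_conf body starts and ends outside the hunk.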
@@ -247,17 +256,17 @@ f_conf() { # prepare fetch utility # f_fetch() { - local ut utils packages insecure + local item utils packages insecure - if [ -z "${ban_fetchcmd}" ] || [ ! -x "${ban_fetchcmd}" ]; then - packages="$(${ban_ubuscmd} -S call rpc-sys packagelist 2>/dev/null)" - [ -z "${packages}" ] && f_log "err" "local opkg package repository is not available, please set the download utility 'ban_fetchcmd' manually" + if [ -z "${ban_fetchcmd}" ] || [ ! -x "$(command -v "${ban_fetchcmd}")" ]; then + packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)" + [ -z "${packages}" ] && f_log "err" "no local package repository" utils="aria2c curl wget uclient-fetch" - for ut in ${utils}; do - if { [ "${ut}" = "uclient-fetch" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"libustream-'; } || - { [ "${ut}" = "wget" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"wget-ssl'; } || - [ "${ut}" = "curl" ] || [ "${ut}" = "aria2c" ]; then - ban_fetchcmd="$(command -v "${ut}")" + for item in ${utils}; do + if { [ "${item}" = "uclient-fetch" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"libustream-'; } || + { [ "${item}" = "wget" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"wget-ssl'; } || + [ "${item}" = "curl" ] || [ "${item}" = "aria2c" ]; then + ban_fetchcmd="$(command -v "${item}")" if [ -x "${ban_fetchcmd}" ]; then uci_set banip global ban_fetchcmd "${ban_fetchcmd##*/}" uci_commit "banip" 
@@ -265,16 +274,18 @@ f_fetch() { fi fi done + else + ban_fetchcmd="$(command -v "${ban_fetchcmd}")" fi - [ ! -x "${ban_fetchcmd}" ] && f_log "err" "download utility with SSL support not found" + [ ! -x "${ban_fetchcmd}" ] && f_log "err" "no download utility with SSL support" case "${ban_fetchcmd##*/}" in "aria2c") [ "${ban_fetchinsecure}" = "1" ] && insecure="--check-certificate=false" - ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o"}" + ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 --retry-wait=10 --max-tries=${ban_fetchretry} --max-file-not-found=${ban_fetchretry} --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o"}" ;; "curl") [ "${ban_fetchinsecure}" = "1" ] && insecure="--insecure" - ban_fetchparm="${ban_fetchparm:-"${insecure} --connect-timeout 20 --fail --silent --show-error --location -o"}" + ban_fetchparm="${ban_fetchparm:-"${insecure} --connect-timeout 20 --retry-delay 10 --retry ${ban_fetchretry} --retry-all-errors --fail --silent --show-error --location -o"}" ;; "uclient-fetch") [ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate" @@ -282,11 +293,11 @@ f_fetch() { ;; "wget") [ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate" - ban_fetchparm="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}" + ban_fetchparm="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=${ban_fetchretry} --retry-connrefused --max-redirect=0 -O"}" ;; esac - f_log "debug" "f_fetch ::: fetch_cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}" + f_log "debug" "f_fetch ::: cmd: ${ban_fetchcmd:-"-"}, parm: ${ban_fetchparm:-"-"}" } # remove logservice 
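Review bot: `${ban_fetchretry}` is interpolated unvalidated into the aria2c, curl and wget parameter strings in hunks @@ -265 and @@ -282; the value comes from uci, and if it is non-numeric or empty every download invocation fails with a usage error from the fetch tool instead of a clear banIP message. The file already sanitises `ban_splitsize` with `${ban_splitsize//[![:digit]]/}`; applying the same idiom here before the case, e.g. `ban_fetchretry="${ban_fetchretry//[![:digit]]/}"` followed by a fallback to the default `5` when the result is empty, keeps the two options consistent. `--retry-all-errors` is a relatively recent curl option, so it is worth confirming that the minimum curl version the package can be installed with provides it. f_fetch's body starts outside the hunk.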
@@ -294,7 +305,7 @@ f_fetch() { f_rmpid() { local ppid pid pids - ppid="$(cat "${ban_pidfile}" 2>/dev/null)" + ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" [ -n "${ppid}" ] && pids="$(pgrep -P "${ppid}" 2>/dev/null)" || return 0 for pid in ${pids}; do kill -INT "${pid}" >/dev/null 2>&1 @@ -312,7 +323,7 @@ f_actual() { else nft="$(f_char "0")" fi - if pgrep -f "logread" -P "$(cat "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then + if pgrep -f "logread" -P "$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then monitor="$(f_char "1")" else monitor="$(f_char "0")" @@ -334,7 +345,7 @@ f_getif() { ban_ifv4="${iface}" uci_set banip global ban_protov4 "1" uci_add_list banip global ban_ifv4 "${iface}" - f_log "info" "added IPv4 interface '${iface}' to config" + f_log "info" "add IPv4 interface '${iface}' to config" fi fi if [ -z "${ban_ifv6}" ]; then @@ -345,7 +356,7 @@ f_getif() { ban_ifv6="${iface}" uci_set banip global ban_protov6 "1" uci_add_list banip global ban_ifv6 "${iface}" - f_log "info" "added IPv6 interface '${iface}' to config" + f_log "info" "add IPv6 interface '${iface}' to config" fi fi fi 
@@ -357,13 +368,13 @@ f_getif() { ban_ifv6="${ban_ifv6%%?}" for iface in ${ban_ifv4} ${ban_ifv6}; do if ! "${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev/null 2>&1; then - f_log "err" "wan interface '${iface}' is not available, please check your configuration" + f_log "err" "no wan interface '${iface}'" fi done fi - [ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "wan interfaces not found, please check your configuration" + [ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "no wan interfaces" - f_log "debug" "f_getif ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}" + f_log "debug" "f_getif ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}" } # get wan devices @@ -383,7 +394,7 @@ f_getdev() { if ! printf " %s " "${ban_dev}" | "${ban_grepcmd}" -q " ${dev} "; then ban_dev="${ban_dev}${dev} " uci_add_list banip global ban_dev "${dev}" - f_log "info" "added device '${dev}' to config" + f_log "info" "add device '${dev}' to config" fi fi done 
@@ -396,39 +407,53 @@ f_getdev() { uci_commit "banip" fi ban_dev="${ban_dev%%?}" - [ -z "${ban_dev}" ] && f_log "err" "wan devices not found, please check your configuration" + [ -z "${ban_dev}" ] && f_log "err" "no wan devices" - f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}" + f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}" } -# get local subnets +# get local uplink # -f_getsub() { - local sub iface ip update="0" +f_getuplink() { + local uplink iface ip update="0" - if [ "${ban_autoallowlist}" = "1" ]; then + if [ "${ban_autoallowlist}" = "1" ] && [ "${ban_autoallowuplink}" != "disable" ]; then for iface in ${ban_ifv4} ${ban_ifv6}; do network_flush_cache - network_get_subnet sub "${iface}" - if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then - ban_sub="${ban_sub}${sub} " + if [ "${ban_autoallowuplink}" = "subnet" ]; then + network_get_subnet uplink "${iface}" + elif [ "${ban_autoallowuplink}" = "ip" ]; then + network_get_ipaddr uplink "${iface}" fi - network_get_subnet6 sub "${iface}" - if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then - ban_sub="${ban_sub}${sub} " + if [ -n "${uplink}" ] && ! printf " %s " "${ban_uplink}" | "${ban_grepcmd}" -q " ${uplink} "; then + ban_uplink="${ban_uplink}${uplink} " + fi + if [ "${ban_autoallowuplink}" = "subnet" ]; then + network_get_subnet6 uplink "${iface}" + elif [ "${ban_autoallowuplink}" = "ip" ]; then + network_get_ipaddr6 uplink "${iface}" + fi + if [ -n "${uplink}" ] && ! printf " %s " "${ban_uplink}" | "${ban_grepcmd}" -q " ${uplink} "; then + ban_uplink="${ban_uplink}${uplink} " fi done - for ip in ${ban_sub}; do - if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then + for ip in ${ban_uplink}; do + if ! 
"${ban_grepcmd}" -q "${ip} " "${ban_allowlist}"; then + if [ "${update}" = "0" ]; then + "${ban_sedcmd}" -i '/# uplink added on /d' "${ban_allowlist}" + fi + printf "%-42s%s\n" "${ip}" "# uplink added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" + f_log "info" "add uplink '${ip}' to local allowlist" update="1" - printf "%-42s%s\n" "${ip}" "# subnet added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" - f_log "info" "added subnet '${ip}' to local allowlist" fi done - ban_sub="${ban_sub%%?}" + ban_uplink="${ban_uplink%%?}" + elif [ "${ban_autoallowlist}" = "1" ] && [ "${ban_autoallowuplink}" = "disable" ]; then + "${ban_sedcmd}" -i '/# uplink added on /d' "${ban_allowlist}" + update="1" fi - f_log "debug" "f_getsub ::: auto/update: ${ban_autoallowlist}/${update}, subnet(s): ${ban_sub:-"-"}" + f_log "debug" "f_getuplink ::: auto/update: ${ban_autoallowlist}/${update}, uplink: ${ban_uplink:-"-"}" } # get feed information @@ -437,22 +462,22 @@ f_getfeed() { json_init if [ -s "${ban_customfeedfile}" ]; then if ! json_load_file "${ban_customfeedfile}" >/dev/null 2>&1; then - f_log "info" "banIP custom feed file can't be loaded" + f_log "info" "can't load banIP custom feed file" if ! json_load_file "${ban_feedfile}" >/dev/null 2>&1; then - f_log "err" "banIP feed file can't be loaded" + f_log "err" "can't load banIP feed file" fi fi elif ! json_load_file "${ban_feedfile}" >/dev/null 2>&1; then - f_log "err" "banIP feed file can't be loaded" + f_log "err" "can't load banIP feed file" fi } -# get set elements +# get Set elements # f_getelements() { local file="${1}" - [ -s "${file}" ] && printf "%s" "elements={ $(cat "${file}" 2>/dev/null) };" + [ -s "${file}" ] && printf "%s" "elements={ $("${ban_catcmd}" "${file}" 2>/dev/null) };" } # build initial nft file with base table, chains and rules 
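Review bot: The cleanup in f_getuplink (hunk @@ -396, which begins on the previous line) removes only allowlist entries tagged `# uplink added on`, but the entries written by the previous version carried `# subnet added on`, so after an upgrade the old auto-added subnets stay in the allowlist permanently, even with `ban_autoallowuplink` set to `disable`. Deleting both markers for a transition period, `"${ban_sedcmd}" -i -e '/# subnet added on /d' -e '/# uplink added on /d' "${ban_allowlist}"`, in both places the sed runs would clear them. Separately, `"${ban_grepcmd}" -q "${ip} " "${ban_allowlist}"` treats the address as a regular expression, so the dots match any character; `-F` gives the literal match that is intended here (the previous code had the same behaviour).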
@@ -499,7 +524,7 @@ f_nftinit() { feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)" feed_rc="${?}" - f_log "debug" "f_nftinit ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" + f_log "debug" "f_nftinit ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" return ${feed_rc} } @@ -517,6 +542,7 @@ f_down() { tmp_file="${ban_tmpfile}.${feed}.file" tmp_flush="${ban_tmpfile}.${feed}.flush" tmp_nft="${ban_tmpfile}.${feed}.nft" + tmp_allow="${ban_tmpfile}.${feed%v*}" [ "${ban_loginput}" = "1" ] && log_input="log level ${ban_nftloglevel} prefix \"banIP/inp-wan/drp/${feed}: \"" [ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/drp/${feed}: \"" 
@@ -576,18 +602,33 @@ f_down() { feed_rc="${restore_rc}" fi - # handle local lists + # prepare local allowlist + # + if [ "${feed%v*}" = "allowlist" ] && [ ! -f "${tmp_allow}" ]; then + "${ban_catcmd}" "${ban_allowlist}" 2>/dev/null >"${tmp_allow}" + for feed_url in ${ban_allowurl}; do + feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}" 2>&1)" + feed_rc="${?}" + if [ "${feed_rc}" = "0" ] && [ -s "${tmp_load}" ]; then + "${ban_catcmd}" "${tmp_load}" 2>/dev/null >>"${tmp_allow}" + else + f_log "info" "download for feed '${feed%v*}' failed (rc: ${feed_rc:-"-"}/log: ${feed_log})" + fi + done + fi + + # handle local feeds # if [ "${feed%v*}" = "allowlist" ]; then { printf "%s\n\n" "#!/usr/sbin/nft -f" - [ -s "${tmp_flush}" ] && cat "${tmp_flush}" + [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" if [ "${proto}" = "MAC" ]; then - "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_allowlist}" >"${tmp_file}" + "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${tmp_allow}" >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept" elif [ "${proto}" = "4" ]; then - "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${ban_allowlist}" >"${tmp_file}" + "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${tmp_allow}" >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" if [ -z "${feed_direction##*input*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then 
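Review bot: The new allowlist download loop in hunk @@ -576 turns `ban_allowurl` into a remote trust source: every address a fetched list contains lands in an allowlist Set whose rules `counter accept`, so a compromised or spoofed feed weakens the blocklists rather than merely adding blocks, and with `ban_fetchinsecure=1` the `${insecure}` flag set in f_fetch means the fetch proceeds without certificate validation. The failure message logs only `${feed%v*}`, so with several URLs configured the offending one cannot be identified; `f_log "info" "download for allowlist url '${feed_url}' failed (rc: ${feed_rc:-"-"}/log: ${feed_log})"` would name it. The guard `[ ! -f "${tmp_allow}" ]` followed by `"${ban_catcmd}" "${ban_allowlist}" 2>/dev/null >"${tmp_allow}"` is a check-then-create on a file shared by the allowlistv4/v6/MAC feeds (`tmp_allow="${ban_tmpfile}.${feed%v*}"`); if those feeds can run concurrently, as the README's note on `ban_cores` suggests for feeds in general, two of them could both enter the block and interleave writes — confirm whether the allowlist feeds are serialized. f_down starts and ends outside the hunk.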
@@ -611,7 +652,7 @@ f_down() { fi fi elif [ "${proto}" = "6" ]; then - "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_allowlist}" | + "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${tmp_allow}" | "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" if [ -z "${feed_direction##*input*}" ]; then @@ -641,7 +682,7 @@ f_down() { elif [ "${feed%v*}" = "blocklist" ]; then { printf "%s\n\n" "#!/usr/sbin/nft -f" - [ -s "${tmp_flush}" ] && cat "${tmp_flush}" + [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" if [ "${proto}" = "MAC" ]; then "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" @@ -651,7 +692,7 @@ f_down() { "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_raw}" "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}" "${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}" - cat "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" + "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" else "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_split}" fi 
@@ -666,7 +707,7 @@ f_down() { "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_raw}" "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}" "${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}" - cat "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" + "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" else "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_blocklist}" | "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_split}" @@ -679,7 +720,8 @@ f_down() { fi } >"${tmp_nft}" feed_rc="0" - # handle external downloads + + # handle external feeds # elif [ "${restore_rc}" != "0" ] && [ "${feed_url}" != "local" ]; then # handle country downloads @@ -688,7 +730,7 @@ f_down() { for country in ${ban_country}; do feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}${country}-aggregated.zone" 2>&1)" feed_rc="${?}" - [ "${feed_rc}" = "0" ] && cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}" + [ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}" done rm -f "${tmp_raw}" @@ -698,7 +740,7 @@ f_down() { for asn in ${ban_asn}; do feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}AS${asn}" 2>&1)" feed_rc="${?}" - [ "${feed_rc}" = "0" ] && cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}" + [ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}" done rm -f "${tmp_raw}" 
@@ -710,7 +752,7 @@ f_down() { feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>&1)" feed_rc="${?}" if [ "${feed_rc}" = "0" ]; then - zcat "${tmp_raw}" 2>/dev/null >"${tmp_load}" + "${ban_zcatcmd}" "${tmp_raw}" 2>/dev/null >"${tmp_load}" feed_rc="${?}" fi rm -f "${tmp_raw}" @@ -724,6 +766,7 @@ f_down() { feed_rc="${?}" fi fi + [ "${feed_rc}" != "0" ] && f_log "info" "download for feed '${feed}' failed (rc: ${feed_rc:-"-"}/log: ${feed_log})" # backup/restore # @@ -735,10 +778,10 @@ f_down() { feed_rc="${?}" fi - # build nft file with set and rules for regular downloads + # build nft file with Sets and rules for regular downloads # if [ "${feed_rc}" = "0" ] && [ ! -s "${tmp_nft}" ]; then - # deduplicate sets + # deduplicate Sets # if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then "${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_raw}" @@ -747,13 +790,13 @@ f_down() { "${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_split}" fi feed_rc="${?}" - # split sets + # split Sets # if [ "${feed_rc}" = "0" ]; then if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "0" ]; then if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then rm -f "${tmp_file}".* - f_log "info" "failed to split '${feed}' Set to size '${ban_splitsize//[![:digit]]/}'" + f_log "info" "can't split Set '${feed}' to size '${ban_splitsize//[![:digit]]/}'" fi else "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1" 
@@ -763,10 +806,10 @@ f_down() { rm -f "${tmp_raw}" "${tmp_load}" if [ "${feed_rc}" = "0" ] && [ "${proto}" = "4" ]; then { - # nft header (IPv4 set) + # nft header (IPv4 Set) # printf "%s\n\n" "#!/usr/sbin/nft -f" - [ -s "${tmp_flush}" ] && cat "${tmp_flush}" + [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }" # input and forward rules @@ -777,10 +820,10 @@ f_down() { } >"${tmp_nft}" elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then { - # nft header (IPv6 set) + # nft header (IPv6 Set) # printf "%s\n\n" "#!/usr/sbin/nft -f" - [ -s "${tmp_flush}" ] && cat "${tmp_flush}" + [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }" # input and forward rules @@ -799,6 +842,7 @@ f_down() { if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed_url}" = "local" ] || [ "${feed%v*}" = "allowlist" ] || [ "${feed%v*}" = "blocklist" ]; then feed_log="$("${ban_nftcmd}" -f "${tmp_nft}" 2>&1)" feed_rc="${?}" + # load additional split files # if [ "${feed_rc}" = "0" ]; then @@ -808,8 +852,8 @@ f_down() { rm -f "${split_file}" continue fi - if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $(cat "${split_file}") }" >/dev/null 2>&1; then - f_log "info" "failed to add split file '${split_file##*.}' to '${feed}' Set" + if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $("${ban_catcmd}" "${split_file}") }" >/dev/null 2>&1; then + f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'" fi rm -f "${split_file}" done 
@@ -818,13 +862,13 @@ f_down() { fi fi else - f_log "info" "empty feed '${feed}' will be skipped" + f_log "info" "skip empty feed '${feed}'" fi fi rm -f "${tmp_split}" "${tmp_nft}" end_ts="$(date +%s)" - f_log "debug" "f_down ::: name: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" + f_log "debug" "f_down ::: name: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" } # backup feeds @@ -835,7 +879,7 @@ f_backup() { gzip -cf "${feed_file}" >"${ban_backupdir}/banIP.${feed}.gz" backup_rc="${?}" - f_log "debug" "f_backup ::: name: ${feed}, source: ${feed_file##*/}, target: banIP.${feed}.gz, rc: ${backup_rc}" + f_log "debug" "f_backup ::: name: ${feed}, source: ${feed_file##*/}, target: banIP.${feed}.gz, rc: ${backup_rc}" return ${backup_rc} } @@ -847,18 +891,18 @@ f_restore() { [ "${feed_rc}" != "0" ] && restore_rc="${feed_rc}" [ "${feed_url}" = "local" ] && tmp_feed="${feed%v*}v4" || tmp_feed="${feed}" if [ -f "${ban_backupdir}/banIP.${tmp_feed}.gz" ]; then - zcat "${ban_backupdir}/banIP.${tmp_feed}.gz" 2>/dev/null >"${feed_file}" + "${ban_zcatcmd}" "${ban_backupdir}/banIP.${tmp_feed}.gz" 2>/dev/null >"${feed_file}" restore_rc="${?}" fi - f_log "debug" "f_restore ::: name: ${feed}, source: banIP.${tmp_feed}.gz, target: ${feed_file##*/}, in_rc: ${feed_rc}, rc: ${restore_rc}" + f_log "debug" "f_restore ::: name: ${feed}, source: banIP.${tmp_feed}.gz, target: ${feed_file##*/}, in_rc: ${feed_rc}, rc: ${restore_rc}" return ${restore_rc} } -# remove disabled feeds +# remove disabled Sets # f_rmset() { - local feedlist tmp_del ruleset_raw table_sets handle set del_set feed_log feed_rc + local feedlist tmp_del ruleset_raw item table_sets handle del_set feed_log feed_rc f_getfeed json_get_keys feedlist 
@@ -867,19 +911,19 @@ f_rmset() { table_sets="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -qe '@.nftables[@.set.table="banIP"].set.name')" { printf "%s\n\n" "#!/usr/sbin/nft -f" - for set in ${table_sets}; do - if ! printf "%s" "allowlist blocklist ${ban_feed}" | "${ban_grepcmd}" -q "${set%v*}" || - ! printf "%s" "allowlist blocklist ${feedlist}" | "${ban_grepcmd}" -q "${set%v*}"; then - del_set="${del_set}${set}, " - rm -f "${ban_backupdir}/banIP.${set}.gz" - printf "%s\n" "flush set inet banIP ${set}" - handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${set}\"].handle")" + for item in ${table_sets}; do + if ! printf "%s" "allowlist blocklist ${ban_feed}" | "${ban_grepcmd}" -q "${item%v*}" || + ! printf "%s" "allowlist blocklist ${feedlist}" | "${ban_grepcmd}" -q "${item%v*}"; then + del_set="${del_set}${item}, " + rm -f "${ban_backupdir}/banIP.${item}.gz" + printf "%s\n" "flush set inet banIP ${item}" + handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${item}\"].handle")" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}" - handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${set}\"].handle")" + handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${item}\"].handle")" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}" - handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${set}\"].handle")" + handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe 
"@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${item}\"].handle")" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}" - printf "%s\n\n" "delete set inet banIP ${set}" + printf "%s\n\n" "delete set inet banIP ${item}" fi done } >"${tmp_del}" @@ -891,13 +935,13 @@ f_rmset() { fi rm -f "${tmp_del}" - f_log "debug" "f_rmset ::: sets: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" + f_log "debug" "f_rmset ::: sets: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" } # generate status information # f_genstatus() { - local object duration set table_sets cnt_elements="0" custom="0" split="0" status="${1}" + local object duration item table_sets cnt_elements="0" custom="0" split="0" status="${1}" [ -z "${ban_dev}" ] && f_conf if [ "${status}" = "active" ]; then @@ -907,8 +951,8 @@ f_genstatus() { fi table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe '@.nftables[@.set.table="banIP"].set.name')" if [ "${ban_reportelements}" = "1" ]; then - for set in ${table_sets}; do - cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))" + for item in ${table_sets}; do + cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))" done fi runtime="action: ${ban_action:-"-"}, duration: ${duration:-"-"}, date: $(date "+%Y-%m-%d %H:%M:%S")" @@ -941,10 +985,10 @@ f_genstatus() { json_close_object done json_close_array - json_add_array "active_subnets" - for object in ${ban_sub:-"-"}; do + json_add_array "active_uplink" + for object in ${ban_uplink:-"-"}; do json_add_object - json_add_string "subnet" "${object}" + json_add_string "uplink" "${object}" json_close_object done json_close_array 
@@ -1018,6 +1062,7 @@ f_getstatus() { f_lookup() { local cnt list domain lookup ip elementsv4 elementsv6 start_time end_time duration cnt_domain="0" cnt_ip="0" feed="${1}" + [ -z "${ban_dev}" ] && f_conf start_time="$(date "+%s")" if [ "${feed}" = "allowlist" ]; then list="$("${ban_awkcmd}" '/^([[:alnum:]_-]{1,63}\.)+[[:alpha:]]+([[:space:]]|$)/{printf "%s ",tolower($1)}' "${ban_allowlist}" 2>/dev/null)" @@ -1051,24 +1096,24 @@ f_lookup() { done if [ -n "${elementsv4}" ]; then if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" "{ ${elementsv4} }" >/dev/null 2>&1; then - f_log "info" "failed to add lookup file to '${feed}v4' Set" + f_log "info" "can't add lookup file to Set '${feed}v4'" fi fi if [ -n "${elementsv6}" ]; then if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" "{ ${elementsv6} }" >/dev/null 2>&1; then - f_log "info" "failed to add lookup file to '${feed}v6' Set" + f_log "info" "can't add lookup file to Set '${feed}v6'" fi fi end_time="$(date "+%s")" duration="$(((end_time - start_time) / 60))m $(((end_time - start_time) % 60))s" - f_log "debug" "feed: ${feed}, domains: ${cnt_domain}, IPs: ${cnt_ip}, duration: ${duration}" + f_log "debug" "f_lookup ::: feed: ${feed}, domains: ${cnt_domain}, IPs: ${cnt_ip}, duration: ${duration}" } # table statistics # f_report() { - local report_jsn report_txt set tmp_val ruleset_raw table_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan output="${1}" + local report_jsn report_txt tmp_val ruleset_raw item table_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan output="${1}" local detail set_details jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan [ -z "${ban_dev}" ] && f_conf 
@@ -1092,13 +1137,13 @@ f_report() { : >"${report_jsn}" { printf "%s\n" "{" - printf "\t%s\n" '"sets": {' - for set in ${table_sets}; do - set_cntinput="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${set}\"].expr[*].counter.packets")" - set_cntforwardwan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${set}\"].expr[*].counter.packets")" - set_cntforwardlan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${set}\"].expr[*].counter.packets")" + printf "\t%s\n" '"sets":{' + for item in ${table_sets}; do + set_cntinput="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")" + set_cntforwardwan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")" + set_cntforwardlan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")" if [ "${ban_reportelements}" = "1" ]; then - set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" + set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" sum_setelements="$((sum_setelements + set_cnt))" else set_cnt="" 
@@ -1129,7 +1174,7 @@ f_report() { set_cntforwardlan="" fi [ "${sum_sets}" -gt "0" ] && printf "%s\n" "," - printf "\t\t%s\n" "\"${set}\": {" + printf "\t\t%s\n" "\"${item}\":{" printf "\t\t\t%s\n" "\"cnt_elements\": \"${set_cnt}\"," printf "\t\t\t%s\n" "\"cnt_input\": \"${set_cntinput}\"," printf "\t\t\t%s\n" "\"input\": \"${set_input}\"," @@ -1183,9 +1228,9 @@ f_report() { if [ -n "${table_sets}" ]; then printf "%-25s%-15s%-24s%-24s%s\n" " Set" "| Elements" "| WAN-Input (packets)" "| WAN-Forward (packets)" "| LAN-Forward (packets)" printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+------------------------" - for set in ${table_sets}; do - printf " %-21s" "${set}" - json_select "${set}" + for item in ${table_sets}; do + printf " %-21s" "${item}" + json_select "${item}" json_get_keys set_details for detail in ${set_details}; do json_get_var jsnval "${detail}" >/dev/null 2>&1 @@ -1216,10 +1261,10 @@ f_report() { # case "${output}" in "text") - [ -s "${report_txt}" ] && cat "${report_txt}" + [ -s "${report_txt}" ] && "${ban_catcmd}" "${report_txt}" ;; "json") - [ -s "${report_jsn}" ] && cat "${report_jsn}" + [ -s "${report_jsn}" ] && "${ban_catcmd}" "${report_jsn}" ;; "mail") [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ] && f_mail 
@@ -1228,16 +1273,16 @@ f_report() { rm -f "${report_txt}" } -# set search +# Set search # f_search() { - local set table_sets ip proto run_search hold cnt search="${1}" + local item table_sets ip proto hold cnt result_flag="/var/run/banIP.search" input="${1}" - if [ -n "${search}" ]; then - ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{printf "%s",RT}')" + if [ -n "${input}" ]; then + ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{printf "%s",RT}')" [ -n "${ip}" ] && proto="v4" if [ -z "${proto}" ]; then - ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{printf "%s",RT}')" + ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{printf "%s",RT}')" [ -n "${ip}" ] && proto="v6" fi fi @@ -1251,13 +1296,15 @@ f_search() { printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")" printf " %s\n" "---" cnt="1" - run_search="/var/run/banIP.search" - for set in ${table_sets}; do - [ -f "${run_search}" ] && break + for item in ${table_sets}; do + if [ -f "${result_flag}" ]; then + rm -f "${result_flag}" + return + fi ( - if "${ban_nftcmd}" get element inet banIP "${set}" "{ ${ip} }" >/dev/null 2>&1; then - printf " %s\n" "IP found in Set '${set}'" - : >"${run_search}" + if "${ban_nftcmd}" get element inet banIP "${item}" "{ ${ip} }" >/dev/null 2>&1; then + printf " %s\n" "IP found in Set '${item}'" + : >"${result_flag}" fi ) & hold="$((cnt % ban_cores))" 
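Review bot: The rewritten search loop can print "IP not found" for a hit and leave a stale flag file behind, because `${result_flag}` is only inspected at the top of each iteration while the background subshells that create it are still running; a match that completes after the last check falls through `wait` to the now unconditional `printf " %s\n" "IP not found"` in the following hunk (@@ -1265), and `/var/run/banIP.search` is never removed, so the next search hits the early `return` on its first iteration and exits with only the header printed. The old code decided after `wait` and always removed the flag; the early `return` also abandons the forked lookups instead of waiting for them. Suggest clearing any stale flag before the loop, turning the early exit back into a `break`, and evaluating the flag once after `wait`; the loop body continues into the @@ -1265 hunk.
```sh
	cnt="1"
	rm -f "${result_flag}"
	for item in ${table_sets}; do
		[ -f "${result_flag}" ] && break
		# … unchanged: background nft lookup and per-core throttling …
	done
	wait
	if [ -f "${result_flag}" ]; then
		rm -f "${result_flag}"
	else
		printf " %s\n" "IP not found"
	fi
```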
@@ -1265,27 +1312,26 @@ f_search() { cnt="$((cnt + 1))" done wait - [ ! -f "${run_search}" ] && printf " %s\n" "IP not found" - rm -f "${run_search}" + printf " %s\n" "IP not found" } -# set survey +# Set survey # f_survey() { - local set_elements set="${1}" + local set_elements input="${1}" - if [ -z "${set}" ]; then + if [ -z "${input}" ]; then printf "%s\n%s\n%s\n" ":::" "::: no valid survey input" ":::" return fi - [ -n "${set}" ] && set_elements="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')" + set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')" printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::" - printf " %s\n" "List the elements of Set '${set}' on $(date "+%Y-%m-%d %H:%M:%S")" + printf " %s\n" "List of elements in the Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")" printf " %s\n" "---" - [ -n "${set_elements}" ] && printf "%s\n" "${set_elements}" || printf " %s\n" "empty set" + [ -n "${set_elements}" ] && printf "%s\n" "${set_elements}" || printf " %s\n" "empty Set" } -# send status mails +# send status mail # f_mail() { local msmtp_debug 
@@ -1295,21 +1341,18 @@ f_mail() { if [ -r "${ban_mailtemplate}" ]; then . "${ban_mailtemplate}" else - f_log "info" "the mail template is missing" + f_log "info" "no mail template" fi - [ -z "${mail_text}" ] && f_log "info" "the 'mail_text' template variable is empty" + [ -z "${mail_text}" ] && f_log "info" "no mail content" [ "${ban_debug}" = "1" ] && msmtp_debug="--debug" # send mail # ban_mailhead="From: ${ban_mailsender}\nTo: ${ban_mailreceiver}\nSubject: ${ban_mailtopic}\nReply-to: ${ban_mailsender}\nMime-Version: 1.0\nContent-Type: text/html;charset=utf-8\nContent-Disposition: inline\n\n" - if printf "%b" "${ban_mailhead}${mail_text}" | "${ban_mailcmd}" --timeout=10 ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1; then - f_log "info" "status mail was sent successfully" - else - f_log "info" "failed to send status mail (${?})" - fi + printf "%b" "${ban_mailhead}${mail_text}" | "${ban_mailcmd}" --timeout=10 ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1 + f_log "info" "send status mail (${?})" - f_log "debug" "f_mail ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}" + f_log "debug" "f_mail ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}" } # initial sourcing 
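Review bot: After the new pipeline the msmtp exit status is consumed by the first `f_log "info" "send status mail (${?})"` call, so the `${?}` in the debug line two lines later reports the exit status of that `f_log` call, not of the mail command, and the success/failure distinction the removed if/else provided is now reduced to a number in an info line. Capture the status once directly after the pipeline, `rc="${?}"`, declare it in the existing `local msmtp_debug` line at the top of f_mail, and use `${rc}` in both messages, e.g. `f_log "info" "send status mail (${rc})"` and `rc: ${rc}` in the debug line. The function header and the `local` line are outside this hunk.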
@@ -1327,8 +1370,7 @@ fi # f_system if [ "${ban_action}" != "stop" ]; then - [ ! -d "/etc/banip" ] && f_log "err" "banIP config directory not found, please re-install the package" - [ ! -r "/etc/banip/banip.feeds" ] && f_log "err" "banIP feed file not found, please re-install the package" - [ ! -r "/etc/config/banip" ] && f_log "err" "banIP config not found, please re-install the package" - [ "$(uci_get banip global ban_enabled)" = "0" ] && f_log "err" "banIP is currently disabled, please set the config option 'ban_enabled' to '1' to use this service" + [ ! -d "/etc/banip" ] && f_log "err" "no banIP config directory" + [ ! -r "/etc/config/banip" ] && f_log "err" "no banIP config" + [ "$(uci_get banip global ban_enabled)" = "0" ] && f_log "err" "banIP is disabled" fi diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh index ed2b9914c..aadeae380 100755 --- a/net/banip/files/banip-service.sh +++ b/net/banip/files/banip-service.sh @@ -1,5 +1,5 @@ #!/bin/sh -# banIP main service script - ban incoming and outgoing ip addresses/subnets via sets in nftables +# banIP main service script - ban incoming and outgoing IPs via named nftables Sets # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. @@ -15,13 +15,13 @@ ban_funlib="/usr/lib/banip-functions.sh" # f_conf f_log "info" "start banIP processing (${ban_action})" -f_log "debug" "f_system ::: system: ${ban_sysver:-"n/a"}, version: ${ban_ver:-"n/a"}, memory: ${ban_memory:-"0"}, cpu_cores: ${ban_cores}" +f_log "debug" "f_system ::: system: ${ban_sysver:-"n/a"}, version: ${ban_ver:-"n/a"}, memory: ${ban_memory:-"0"}, cpu_cores: ${ban_cores}" f_genstatus "processing" f_tmp f_fetch f_getif f_getdev -f_getsub +f_getuplink f_mkdir "${ban_backupdir}" f_mkfile "${ban_blocklist}" f_mkfile "${ban_allowlist}" 
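Review bot: The startup guard loses its check that `/etc/banip/banip.feeds` is readable while the config-directory and config-file checks stay, yet this same commit still edits `net/banip/files/banip.feeds`, so the file appears to remain an input of the service. If the feed definitions are still loaded from that path elsewhere, a missing or unreadable feeds file now surfaces later, presumably when the service iterates over feeds, instead of as an `f_log "err"` here. If the removal is deliberate because the path is now resolved differently, a one-line comment saying so would help; otherwise keep `[ ! -r "/etc/banip/banip.feeds" ] && f_log "err" "no banIP feed file"` alongside the other two checks.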
@@ -36,10 +36,10 @@ if [ "${ban_action}" != "reload" ]; then sleep 1 done if ! /etc/init.d/firewall status >/dev/null 2>&1; then - f_log "err" "nft based firewall/fw4 not functional" + f_log "err" "error in nft based firewall/fw4" fi else - f_log "err" "nft based firewall/fw4 not found" + f_log "err" "no nft based firewall/fw4" fi fi @@ -47,9 +47,9 @@ fi # if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then if f_nftinit "${ban_tmpfile}".init.nft; then - f_log "info" "nft namespace initialized" + f_log "info" "initialize nft namespace" else - f_log "err" "nft namespace can't be initialized" + f_log "err" "can't initialize nft namespace" fi fi @@ -83,7 +83,7 @@ for feed in allowlist ${ban_feed} blocklist; do # external feeds # if ! json_select "${feed}" >/dev/null 2>&1; then - f_log "info" "unknown feed '${feed}' will be removed" + f_log "info" "remove unknown feed '${feed}'" uci_remove_list banip global ban_feed "${feed}" uci_commit "banip" continue @@ -99,7 +99,7 @@ for feed in allowlist ${ban_feed} blocklist; do if { { [ -n "${feed_url_4}" ] && [ -z "${feed_rule_4}" ]; } || { [ -z "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; }; } || { { [ -n "${feed_url_6}" ] && [ -z "${feed_rule_6}" ]; } || { [ -z "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; }; } || { [ -z "${feed_url_4}" ] && [ -z "${feed_rule_4}" ] && [ -z "${feed_url_6}" ] && [ -z "${feed_rule_6}" ]; }; then - f_log "info" "incomplete feed '${feed}' will be skipped" + f_log "info" "skip incomplete feed '${feed}'" continue fi @@ -138,7 +138,6 @@ wait f_rmset f_rmdir "${ban_tmpdir}" f_genstatus "active" -f_log "info" "finished banIP download processes" # start domain lookup # 
@@ -191,15 +190,15 @@ if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimi [ -n "${ip}" ] && proto="v6" fi if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then - f_log "info" "suspicious IP${proto} found '${ip}'" + f_log "info" "suspicious IP${proto} '${ip}'" log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)" log_count="$(printf "%s\n" "${log_raw}" | grep -c "found '${ip}'")" if [ "${log_count}" -ge "${ban_logcount}" ]; then if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then - f_log "info" "added IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set" + f_log "info" "add IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set" if [ "${ban_autoblocklist}" = "1" ] && ! grep -q "^${ip}" "${ban_blocklist}"; then printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}" - f_log "info" "added IP${proto} '${ip}' to local blocklist" + f_log "info" "add IP${proto} '${ip}' to local blocklist" fi fi fi diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds index 90f6d63be..056582071 100644 --- a/net/banip/files/banip.feeds +++ b/net/banip/files/banip.feeds 
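Review bot: The reworded log message drops the word `found`, but the unchanged line three below still counts hits with `grep -c "found '${ip}'"`; if that counter is meant to tally banIP's own "suspicious IP" entries in the log, as the old message format suggests, `log_count` will now stay at 0 and the `-ge "${ban_logcount}"` threshold is never reached, so automatic blocklisting silently stops. Either keep the old wording or change the grep to the new one, `log_count="$(printf "%s\n" "${log_raw}" | grep -cF "suspicious IP${proto} '${ip}'")"`; `-F` also stops the dots in `${ip}` from acting as regex wildcards. The enclosing loop begins and ends outside this hunk.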
@@ -1,259 +1,259 @@ { - "adaway": { + "adaway":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adaway-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adaway-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "adaway IPs" }, - "adguard": { + "adguard":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "adguard IPs" }, - "adguardtrackers": { + "adguardtrackers":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "adguardtracker IPs" }, - "antipopads": { + "antipopads":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": 
"/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "antipopads IPs" }, - "asn": { + "asn":{ "url_4": "https://asn.ipinfo.app/api/text/list/", "url_6": "https://asn.ipinfo.app/api/text/list/", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", "descr": "ASN IPs" }, - "backscatterer": { + "backscatterer":{ "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "backscatterer IPs", "flag": "gz" }, - "bogon": { + "bogon":{ "url_4": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt", "url_6": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", "descr": "bogon prefixes" }, - "cinsscore": { + "cinsscore":{ "url_4": "https://cinsscore.com/list/ci-badguys.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "suspicious attacker IPs" }, - "country": { + "country":{ "url_4": "https://www.ipdeny.com/ipblocks/data/aggregated/", "url_6": "https://www.ipdeny.com/ipv6/ipaddresses/aggregated/", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", "descr": "country blocks" }, - "darklist": { + "darklist":{ "url_4": "https://darklist.de/raw.php", 
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "suspicious attacker IPs" }, - "debl": { + "debl":{ "url_4": "https://www.blocklist.de/downloads/export-ips_all.txt", "url_6": "https://www.blocklist.de/downloads/export-ips_all.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", - "descr": "fail2ban IP blacklist" + "descr": "fail2ban IP blocklist" }, - "doh": { + "doh":{ "url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "public DoH-Provider" }, - "drop": { + "drop":{ "url_4": "https://www.spamhaus.org/drop/drop.txt", "url_6": "https://www.spamhaus.org/drop/dropv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "spamhaus drop compilation" }, - "dshield": { + "dshield":{ "url_4": "https://feeds.dshield.org/block.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s/%s,\\n\",$1,$3}", "descr": "dshield IP blocklist" }, - "edrop": { + "edrop":{ "url_4": "https://www.spamhaus.org/drop/edrop.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf 
\"%s,\\n\",$1}", "descr": "spamhaus edrop compilation" }, - "feodo": { + "feodo":{ "url_4": "https://feodotracker.abuse.ch/downloads/ipblocklist.txt", "rule_4": "BEGIN{RS=\"\\r\\n\"}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "feodo tracker" }, - "firehol1": { + "firehol1":{ "url_4": "https://iplists.firehol.org/files/firehol_level1.netset", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "firehol level 1 compilation" }, - "firehol2": { + "firehol2":{ "url_4": "https://iplists.firehol.org/files/firehol_level2.netset", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "firehol level 2 compilation" }, - "firehol3": { + "firehol3":{ "url_4": "https://iplists.firehol.org/files/firehol_level3.netset", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "firehol level 3 compilation" }, - "firehol4": { + "firehol4":{ "url_4": "https://iplists.firehol.org/files/firehol_level4.netset", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{if(!seen[$1]++)printf \"%s,\\n\",$1}", "descr": "firehol level 4 compilation" }, - "greensnow": { + "greensnow":{ "url_4": "https://blocklist.greensnow.co/greensnow.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "suspicious server IPs" }, - "iblockads": { + "iblockads":{ "url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "advertising IPs", "flag": "gz" }, - "iblockspy": { + "iblockspy":{ 
"url_4": "https://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "malicious spyware IPs", "flag": "gz" }, - "ipthreat": { + "ipthreat":{ "url_4": "https://lists.ipthreat.net/file/ipthreat-lists/threat/threat-30.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[-[:space:]]?/{printf \"%s,\\n\",$1}", "descr": "hacker and botnet IPs" }, - "myip": { + "myip":{ "url_4": "https://myip.ms/files/blacklist/general/latest_blacklist.txt", "url_6": "https://myip.ms/files/blacklist/general/latest_blacklist.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "real-time IP blocklist" }, - "nixspam": { + "nixspam":{ "url_4": "https://www.nixspam.net/download/nixspam-ip.dump.gz", "rule_4": "/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$2}", "descr": "iX spam protection", "flag": "gz" }, - "oisdbig": { + "oisdbig":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdbig-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdbig-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "OISD-big IPs" }, - "oisdnsfw": { + "oisdnsfw":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv4.txt", "url_6": 
"https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "OISD-nsfw IPs" }, - "oisdsmall": { + "oisdsmall":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "OISD-small IPs" }, - "proxy": { + "proxy":{ "url_4": "https://iplists.firehol.org/files/proxylists.ipset", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "open proxies" }, - "sslbl": { + "sslbl":{ "url_4": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv", "rule_4": "BEGIN{FS=\",\"}/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$2}", "descr": "SSL botnet IPs" }, - "stevenblack": { + "stevenblack":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "stevenblack IPs" }, - "talos": { + "talos":{ "url_4": "https://www.talosintelligence.com/documents/ip-blacklist", 
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "talos IPs" }, - "threat": { + "threat":{ "url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "emerging threats" }, - "threatview": { + "threatview":{ "url_4": "https://threatview.io/Downloads/IP-High-Confidence-Feed.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "malicious IPs" }, - "tor": { + "tor":{ "url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst", "url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", "descr": "tor exit nodes" }, - "uceprotect1": { + "uceprotect1":{ "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "spam protection level 1", "flag": "gz" }, - "uceprotect2": { + "uceprotect2":{ "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-2.uceprotect.net.gz", "rule_4": "BEGIN{IGNORECASE=1}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]NET)/{printf \"%s,\\n\",$1}", "descr": "spam protection level 2", "flag": "gz" }, - "uceprotect3": { + "uceprotect3":{ "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-3.uceprotect.net.gz", "rule_4": 
"BEGIN{IGNORECASE=1}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]YOUR)/{printf \"%s,\\n\",$1}", "descr": "spam protection level 3", "flag": "gz" }, - "urlhaus": { + "urlhaus":{ "url_4": "https://urlhaus.abuse.ch/downloads/ids/", "rule_4": "match($0,/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5]))/){printf \"%s,\\n\",substr($0,RSTART,RLENGTH)}", "descr": "urlhaus IDS IPs" }, - "urlvir": { + "urlvir":{ "url_4": "https://iplists.firehol.org/files/urlvir.ipset", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "malware related IPs" }, - "voip": { + "voip":{ "url_4": "https://voipbl.org/update/", "rule_4": "BEGIN{RS=\"(([0-9]{1,3}\\\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)\"}{if(RT)printf \"%s,\\n\",RT}", "descr": "VoIP fraud blocklist" }, - "webclient": { + "webclient":{ "url_4": "https://iplists.firehol.org/files/firehol_webclient.netset", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "malware related IPs" }, - "yoyo": { + "yoyo":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/yoyo-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/yoyo-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", diff --git a/net/banip/files/banip.init b/net/banip/files/banip.init index 891dee4eb..db584e2e2 100755 --- a/net/banip/files/banip.init +++ b/net/banip/files/banip.init 
@@ -1,5 +1,5 @@ #!/bin/sh /etc/rc.common -# banIP init script - ban incoming and outgoing ip adresses/subnets via sets in nftables +# banIP init script - ban incoming and outgoing IPs via named nftables Sets # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. @@ -9,9 +9,9 @@ START=30 USE_PROCD=1 -extra_command "report" "[text|json|mail] Print banIP related set statistics" -extra_command "search" "[|] Check if an element exists in a banIP set" -extra_command "survey" "[] List all elements of a given banIP set" +extra_command "report" "[text|json|mail] Print banIP related Set statistics" +extra_command "search" "[|] Check if an element exists in a banIP Set" +extra_command "survey" "[] List all elements of a given banIP Set" extra_command "lookup" "Lookup the IPs of domain names in the local lists and update them" ban_init="/etc/init.d/banip" @@ -45,7 +45,7 @@ start_service() { procd_close_instance else [ -z "$(command -v "f_system")" ] && . "${ban_funlib}" - f_log "err" "banIP service autostart is currently disabled, please enable the service autostart with '/etc/init.d/banip enable'" + f_log "err" "banIP service autostart is disabled" rm -rf "${ban_lock}" fi } diff --git a/net/banip/files/banip.tpl b/net/banip/files/banip.tpl index f6bd5214c..df5c7e8a1 100644 --- a/net/banip/files/banip.tpl +++ b/net/banip/files/banip.tpl @@ -1,5 +1,5 @@ -# banIP mail template/include -# Copyright (c) 2020-2023 Dirk Brenken (dev@brenken.org) +# banIP mail template/include - ban incoming and outgoing IPs via named nftables Sets +# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. # info preparation diff --git a/net/cloudflared/Makefile b/net/cloudflared/Makefile index 925045eba..fdb452a4a 100644 --- a/net/cloudflared/Makefile +++ b/net/cloudflared/Makefile 
@@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=cloudflared -PKG_VERSION:=2023.4.0 +PKG_VERSION:=2023.5.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/cloudflare/cloudflared/tar.gz/$(PKG_VERSION)? -PKG_HASH:=bdb9dea9e5f9bb6b66878bbd1243d8a57fc565ca946c5f9790c2f120400ffa9e +PKG_HASH:=38d72e35fbb894c43161ee7c6871c44d9771bc9a1f3bc54602baf66e69acefd3 PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE diff --git a/net/crowdsec-firewall-bouncer/Makefile b/net/crowdsec-firewall-bouncer/Makefile index 713bd740a..2088c2d33 100644 --- a/net/crowdsec-firewall-bouncer/Makefile +++ b/net/crowdsec-firewall-bouncer/Makefile @@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=crowdsec-firewall-bouncer -PKG_VERSION:=0.0.25 +PKG_VERSION:=0.0.26 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/crowdsecurity/cs-firewall-bouncer/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=15ffaa38644215a4cf5e5d5d3a6fc6f0800057bc55d4bd25778d8e952679506e +PKG_HASH:=2325df3f8d01e2c9b52db212a796b15b4992a135d5d278441277e97db353b2a7 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile index 17f893480..70b776f6a 100644 --- a/net/haproxy/Makefile +++ b/net/haproxy/Makefile @@ -10,12 +10,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=haproxy -PKG_VERSION:=2.6.12 +PKG_VERSION:=2.6.13 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.haproxy.org/download/2.6/src -PKG_HASH:=58f9edb26bf3288f4b502658399281cc5d6478468bd178eafe579c8f41895854 +PKG_HASH:=d69ff5233dbca657132ef280d111222ec1e33f5be1c1937d4e9ff516f63f5243 PKG_MAINTAINER:=Thomas Heil , \ Christian Lachner diff --git a/net/haproxy/get-latest-patches.sh b/net/haproxy/get-latest-patches.sh index c5f8c7031..2e312cc0a 100755 --- a/net/haproxy/get-latest-patches.sh +++ b/net/haproxy/get-latest-patches.sh 
@@ -1,7 +1,7 @@ #!/bin/sh CLONEURL=https://git.haproxy.org/git/haproxy-2.6.git -BASE_TAG=v2.6.12 +BASE_TAG=v2.6.13 TMP_REPODIR=tmprepo PATCHESDIR=patches diff --git a/net/kea/Makefile b/net/kea/Makefile index f269b4141..1febb3046 100644 --- a/net/kea/Makefile +++ b/net/kea/Makefile @@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=kea -PKG_VERSION:=2.0.3 -PKG_RELEASE:=2 +PKG_VERSION:=2.2.0 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://ftp.isc.org/isc/kea/$(PKG_VERSION) -PKG_HASH:=d642907374d17480ebe4df805b363dc9e230a955475a9f3e04a076b52d5c43ec +PKG_HASH:=da7d90ca62a772602dac6e77e507319038422895ad68eeb142f1487d67d531d2 -PKG_MAINTAINER:=BangLang Huang, Rosy Song +PKG_MAINTAINER:=BangLang Huang , Rosy Song PKG_LICENSE:=MPL-2.0 PKG_LICENSE_FILES:=COPYING diff --git a/net/kea/files/kea.init b/net/kea/files/kea.init index 0d63c38ab..db1af82ff 100755 --- a/net/kea/files/kea.init +++ b/net/kea/files/kea.init @@ -39,5 +39,5 @@ start_kea() { procd_set_param file "$cnf" procd_set_param stderr 1 procd_set_param stdout 1 - procd_close_instance ctrl_agent + procd_close_instance } diff --git a/net/kea/patches/003-no-test-compile.patch b/net/kea/patches/003-no-test-compile.patch index 132c942aa..709e534c6 100644 --- a/net/kea/patches/003-no-test-compile.patch +++ b/net/kea/patches/003-no-test-compile.patch @@ -158,14 +158,6 @@ AM_CPPFLAGS = -I$(top_srcdir)/src/lib -I$(top_builddir)/src/lib AM_CPPFLAGS += $(BOOST_INCLUDES) ---- a/src/lib/cql/Makefile.am -+++ b/src/lib/cql/Makefile.am -@@ -1,4 +1,4 @@ --SUBDIRS = . testutils tests -+SUBDIRS = . - - AM_CPPFLAGS = -I$(top_srcdir)/src/lib -I$(top_builddir)/src/lib - AM_CPPFLAGS += $(BOOST_INCLUDES) $(CQL_CPPFLAGS) --- a/src/lib/cryptolink/Makefile.am +++ b/src/lib/cryptolink/Makefile.am @@ -1,4 +1,4 @@ @@ -203,8 +195,8 @@ 
@@ -1,6 +1,6 @@ AUTOMAKE_OPTIONS = subdir-objects --SUBDIRS = . testutils tests benchmarks -+SUBDIRS = . benchmarks +-SUBDIRS = . testutils tests ++SUBDIRS = . # DATA_DIR is the directory where to put default CSV files and the DHCPv6 # server ID file (i.e. the file where the server finds its DUID at startup). diff --git a/net/kea/patches/004-replace-rev-with-awk.patch b/net/kea/patches/004-replace-rev-with-awk.patch index d22dcd4b0..db22903c0 100644 --- a/net/kea/patches/004-replace-rev-with-awk.patch +++ b/net/kea/patches/004-replace-rev-with-awk.patch @@ -1,6 +1,6 @@ --- a/src/bin/keactrl/keactrl.in +++ b/src/bin/keactrl/keactrl.in -@@ -117,7 +117,7 @@ get_pid_from_file() { +@@ -115,7 +115,7 @@ get_pid_from_file() { # Extract the name portion (from last slash to last dot) of the config file name # File name and extension are documented in src/lib/util/filename.h local conf_name diff --git a/net/kea/patches/010-openssl-deprecated.patch b/net/kea/patches/010-openssl-deprecated.patch index c8b438efc..6487b0a44 100644 --- a/net/kea/patches/010-openssl-deprecated.patch +++ b/net/kea/patches/010-openssl-deprecated.patch @@ -1,6 +1,6 @@ --- a/src/lib/cryptolink/openssl_link.cc +++ b/src/lib/cryptolink/openssl_link.cc -@@ -79,7 +79,7 @@ CryptoLink::initialize() { +@@ -77,7 +77,7 @@ CryptoLink::initialize(CryptoLink& c) { std::string CryptoLink::getVersion() { diff --git a/net/libreswan/Makefile b/net/libreswan/Makefile index 6a8329b83..952720892 100644 --- a/net/libreswan/Makefile +++ b/net/libreswan/Makefile @@ -7,12 +7,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libreswan -PKG_VERSION:=4.9 -PKG_RELEASE:=2 +PKG_VERSION:=4.10 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://download.libreswan.org/ -PKG_HASH:=f642dcb635e909564ca8fd99ea44ab43f60723b4d76c158ed812978c45b398b9 +PKG_HASH:=5a9400c25a8edba07420426fb55dcbaafdaa3702e5b0f2c19205a6c567248a7b PKG_MAINTAINER:=Lucian Cristian PKG_LICENSE:=GPL-2.0-or-later 
diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile index ad0afd82f..a627c88ca 100644 --- a/net/lighttpd/Makefile +++ b/net/lighttpd/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lighttpd PKG_VERSION:=1.4.69 -PKG_RELEASE:=2 +PKG_RELEASE:=3 # release candidate ~rcX testing; remove for release #PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) diff --git a/net/lighttpd/patches/030-meson-check-FORCE_._CRYPTO.patch b/net/lighttpd/patches/030-meson-check-FORCE_._CRYPTO.patch new file mode 100644 index 000000000..6db289588 --- /dev/null +++ b/net/lighttpd/patches/030-meson-check-FORCE_._CRYPTO.patch @@ -0,0 +1,34 @@ +From e91ad65e4aacde815679c06cb687931dd7beb9b3 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss +Date: Thu, 20 Apr 2023 21:27:36 -0400 +Subject: [PATCH] [meson] check FORCE_{WOLFSSL,MBEDTLS}_CRYPTO + +--- + src/meson.build | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/src/meson.build ++++ b/src/meson.build +@@ -358,15 +358,19 @@ if get_option('with_mbedtls') + libmbedtls = [ compiler.find_library('mbedtls') ] + libmbedx509 = [ compiler.find_library('mbedx509') ] + libmbedcrypto = [ compiler.find_library('mbedcrypto') ] +- libcrypto = [ compiler.find_library('mbedcrypto') ] ++ if compiler.get_define('FORCE_WOLFSSL_CRYPTO') == '' ++ libcrypto = [ compiler.find_library('mbedcrypto') ] ++ endif + conf_data.set('HAVE_LIBMBEDCRYPTO', true) + endif + if get_option('with_nettle') + # manual search: + # header: nettle/nettle-types.h + # function: nettle_md5_init (-lnettle) +- libcrypto = [ dependency('nettle') ] +- conf_data.set('HAVE_NETTLE_NETTLE_TYPES_H', true) ++ if compiler.get_define('FORCE_WOLFSSL_CRYPTO') == '' and compiler.get_define('FORCE_MBEDTLS_CRYPTO') == '' ++ libcrypto = [ dependency('nettle') ] ++ conf_data.set('HAVE_NETTLE_NETTLE_TYPES_H', true) ++ endif + endif + if get_option('with_gnutls') + # manual search: 
diff --git a/net/lighttpd/patches/031-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch b/net/lighttpd/patches/031-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch new file mode 100644 index 000000000..d50b2e90c --- /dev/null +++ b/net/lighttpd/patches/031-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch @@ -0,0 +1,23 @@ +From 37cbdacda78f9df4aba4c39e60472025d93bb7ba Mon Sep 17 00:00:00 2001 +From: Glenn Strauss +Date: Fri, 28 Apr 2023 03:17:16 -0400 +Subject: [PATCH] [mod_mbedtls] check MBEDTLS_DEBUG_C for debug func + +--- + src/mod_mbedtls.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/src/mod_mbedtls.c ++++ b/src/mod_mbedtls.c +@@ -2357,9 +2357,11 @@ CONNECTION_FUNC(mod_mbedtls_handle_con_a + * overlap, and so this debug setting is not reset upon connection close. + * Once enabled, debug hook will remain so for this mbedtls_ssl_config */ + if (hctx->conf.ssl_log_noise) {/* volume level for debug message callback */ ++ #ifdef MBEDTLS_DEBUG_C + #if MBEDTLS_VERSION_NUMBER >= 0x02000000 /* mbedtls 2.0.0 */ + mbedtls_debug_set_threshold(hctx->conf.ssl_log_noise); + #endif ++ #endif + mbedtls_ssl_conf_dbg(hctx->ssl_ctx, mod_mbedtls_debug_cb, + (void *)(intptr_t)hctx->conf.ssl_log_noise); + } diff --git a/net/lighttpd/patches/032-meson-build-fix-for-builtin_mods.patch b/net/lighttpd/patches/032-meson-build-fix-for-builtin_mods.patch new file mode 100644 index 000000000..2375f8a71 --- /dev/null +++ b/net/lighttpd/patches/032-meson-build-fix-for-builtin_mods.patch 
@@ -0,0 +1,20 @@ +From 2fc157f37ea4644ba9ac776de1926b9e518ec42b Mon Sep 17 00:00:00 2001 +From: Glenn Strauss +Date: Sat, 29 Apr 2023 00:43:55 -0400 +Subject: [PATCH] [meson] build fix for builtin_mods + +--- + src/meson.build | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/src/meson.build ++++ b/src/meson.build +@@ -656,7 +656,7 @@ executable('lighttpd-angel', + ) + + executable('lighttpd', configparser, +- sources: common_src + main_src, ++ sources: common_src + main_src + builtin_mods, + dependencies: [ common_flags, lighttpd_flags + , libattr + , libcrypto diff --git a/net/mwan3/Makefile b/net/mwan3/Makefile index a72289fc6..36adc06da 100644 --- a/net/mwan3/Makefile +++ b/net/mwan3/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mwan3 -PKG_VERSION:=2.11.4 +PKG_VERSION:=2.11.6 PKG_RELEASE:=1 PKG_MAINTAINER:=Florian Eckert , \ Aaron Goodman diff --git a/net/mwan3/files/lib/mwan3/mwan3.sh b/net/mwan3/files/lib/mwan3/mwan3.sh index 1bfb767e8..a3e7c0098 100644 --- a/net/mwan3/files/lib/mwan3/mwan3.sh +++ b/net/mwan3/files/lib/mwan3/mwan3.sh @@ -735,8 +735,8 @@ mwan3_set_policies_iptables() mwan3_set_sticky_iptables() { - local rule="${1}" - local interface="${2}" + local interface="${1}" + local rule="${2}" local ipv="${3}" local policy="${4}" @@ -879,7 +879,7 @@ mwan3_set_user_iptables_rule() fi mwan3_push_update -F "mwan3_rule_$1" - config_foreach mwan3_set_sticky_iptables interface $ipv "$policy" + config_foreach mwan3_set_sticky_iptables interface "$rule" "$ipv" "$policy" mwan3_push_update -A "mwan3_rule_$1" \ diff --git a/net/mwan3/files/usr/sbin/mwan3rtmon b/net/mwan3/files/usr/sbin/mwan3rtmon index b7f03cc87..d8ccffeb0 100755 --- a/net/mwan3/files/usr/sbin/mwan3rtmon +++ b/net/mwan3/files/usr/sbin/mwan3rtmon 
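Review bot: The two mwan3.sh hunks (`@@ -735,8 +735,8 @@` and `@@ -879,7 +879,7 @@`) fix the positional mismatch between `mwan3_set_sticky_iptables` and its `config_foreach` caller, but nothing in the function records that contract, which is how the parameters got swapped in the first place. A one-line comment on the function header, `# called via config_foreach: $1=interface section, $2=rule, $3=ipv, $4=policy`, would pin it for the next change. The call site now passes `"$rule"`, which must already be set in `mwan3_set_user_iptables_rule`; that function starts outside the hunk and the rule name appears to be `$1` judging by `mwan3_rule_$1`, so confirm the local exists or the callback receives an empty rule name.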
@@ -75,7 +75,7 @@ mwan3_rtmon_route_handle() if [ "$route_line" = "$1" ]; then action="replace" - $IPS -! add mwan3_connected_${route_family##ip} ${route_line%% *} + $IPS -! add mwan3_connected_${route_family} ${route_line%% *} else action="del" mwan3_set_connected_${route_family} diff --git a/net/nginx-util/Makefile b/net/nginx-util/Makefile index 2ff4da194..52cdbb4ea 100644 --- a/net/nginx-util/Makefile +++ b/net/nginx-util/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nginx-util PKG_VERSION:=1.6 -PKG_RELEASE:=15 +PKG_RELEASE:=16 PKG_MAINTAINER:=Peter Stadler include $(INCLUDE_DIR)/package.mk @@ -67,6 +67,8 @@ define Package/nginx-ssl-util/install/default $(INSTALL_CONF) ./files/restrict_locally $(1)/etc/nginx/ + $(INSTALL_DIR) $(1)/etc/nginx/module.d/ + $(INSTALL_DIR) $(1)/etc/config/ $(INSTALL_CONF) ./files/nginx.config $(1)/etc/config/nginx diff --git a/net/nginx-util/files/uci.conf.template b/net/nginx-util/files/uci.conf.template index 1c611d9ad..406ddb4cc 100644 --- a/net/nginx-util/files/uci.conf.template +++ b/net/nginx-util/files/uci.conf.template @@ -6,6 +6,8 @@ worker_processes auto; user root; +include module.d/*.module; + events {} http { diff --git a/net/nginx/Config_ssl.in b/net/nginx/Config_ssl.in index 02dd8094a..fbfb64ae7 100644 --- a/net/nginx/Config_ssl.in +++ b/net/nginx/Config_ssl.in @@ -15,21 +15,6 @@ config NGINX_DAV Enable the HTTP and WebDAV methods PUT, DELETE, MKCOL, COPY and MOVE. default n -config NGINX_DAV_EXT - bool - prompt "Enable WebDAV EXT module" - select NGINX_DAV - help - Enable the WebDAV methods PROPFIND, OPTIONS, LOCK, UNLOCK. - default n - -config NGINX_UBUS - bool - prompt "Enable UBUS module" - help - Enable UBUS api support directly from the server. - default y - config NGINX_FLV bool prompt "Enable FLV module" 
@@ -195,16 +180,6 @@ config NGINX_PCRE prompt "Enable PCRE library usage" default y -config NGINX_NAXSI - bool - prompt "Enable NAXSI module" - default y - -config NGINX_LUA - bool - prompt "Enable Lua module" - default n - config NGINX_HTTP_REAL_IP bool prompt "Enable HTTP real ip module" @@ -219,57 +194,5 @@ config NGINX_HTTP_SUB bool prompt "Enable HTTP sub module" default n - -config NGINX_HEADERS_MORE - bool - prompt "Enable Headers_more module" - help - Set and clear input and output headers...more than "add"! - default y - -config NGINX_HTTP_BROTLI - bool - prompt "Enable Brotli compression module" - help - Add support for brotli compression module. - default n - -config NGINX_STREAM_CORE_MODULE - bool - prompt "Enable stream support" - help - Add support for NGINX request streaming. - default n - -config NGINX_STREAM_SSL_MODULE - bool - prompt "Enable stream support with SSL/TLS termination" - depends on NGINX_STREAM_CORE_MODULE - help - Add support for NGINX request streaming with SSL/TLS termination. - default n - -config NGINX_STREAM_SSL_PREREAD_MODULE - bool - prompt "Enable stream support with SSL/TLS pre-read" - depends on NGINX_STREAM_CORE_MODULE - help - Add support for NGINX request streaming using information from the ClientHello message without terminating SSL/TLS. - default n - -config NGINX_RTMP_MODULE - bool - prompt "Enable RTMP module" - help - Add support for NGINX-based Media Streaming Server module. - DASH enhanced - https://github.com/ut0mt8/nginx-rtmp-module - default n - -config NGINX_TS_MODULE - bool - prompt "Enable TS module" - help - Add support for MPEG-TS Live Module module. - default n endmenu diff --git a/net/nginx/Makefile b/net/nginx/Makefile index 86a7a212f..16767efdd 100644 --- a/net/nginx/Makefile +++ b/net/nginx/Makefile 
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nginx -PKG_VERSION:=1.21.3 -PKG_RELEASE:=3 +PKG_VERSION:=1.24.0 +PKG_RELEASE:=2 PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://nginx.org/download/ -PKG_HASH:=14774aae0d151da350417efc4afda5cce5035056e71894836797e1f6e2d1175a +PKG_HASH:=77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d PKG_MAINTAINER:=Thomas Heil \ Ansuel Smith @@ -27,9 +27,7 @@ PKG_BUILD_FLAGS:=gc-sections PKG_CONFIG_DEPENDS := \ CONFIG_NGINX_DAV \ - CONFIG_NGINX_DAV_EXT \ CONFIG_NGINX_FLV \ - CONFIG_NGINX_UBUS \ CONFIG_NGINX_STUB_STATUS \ CONFIG_NGINX_HTTP_CHARSET \ CONFIG_NGINX_HTTP_GZIP \ @@ -62,17 +60,8 @@ PKG_CONFIG_DEPENDS := \ CONFIG_NGINX_HTTP_CACHE \ CONFIG_NGINX_HTTP_V2 \ CONFIG_NGINX_PCRE \ - CONFIG_NGINX_NAXSI \ - CONFIG_NGINX_LUA \ CONFIG_NGINX_HTTP_REAL_IP \ CONFIG_NGINX_HTTP_SECURE_LINK \ - CONFIG_NGINX_HTTP_BROTLI \ - CONFIG_NGINX_HEADERS_MORE \ - CONFIG_NGINX_STREAM_CORE_MODULE \ - CONFIG_NGINX_STREAM_SSL_MODULE \ - CONFIG_NGINX_STREAM_SSL_PREREAD_MODULE \ - CONFIG_NGINX_RTMP_MODULE \ - CONFIG_NGINX_TS_MODULE \ CONFIG_OPENSSL_ENGINE \ CONFIG_OPENSSL_WITH_NPN 
@@ -101,27 +90,28 @@ define Package/nginx-ssl VARIANT:=ssl DEPENDS+= +NGINX_PCRE:libpcre \ +NGINX_PCRE:nginx-ssl-util +!NGINX_PCRE:nginx-ssl-util-nopcre \ - +NGINX_HTTP_GZIP:zlib +NGINX_LUA:liblua +NGINX_DAV:libxml2 \ - +NGINX_UBUS:libubus +NGINX_UBUS:libblobmsg-json +NGINX_UBUS:libjson-c + +NGINX_HTTP_GZIP:zlib +NGINX_DAV:libxml2 EXTRA_DEPENDS:=nginx-ssl-util$(if $(CONFIG_NGINX_PCRE),,-nopcre) (>=1.5-1) (<2) - CONFLICTS:=nginx-all-module + CONFLICTS:=nginx-full endef Package/nginx-ssl/description = $(Package/nginx/description) \ This variant is compiled with SSL support enabled. To enable additional module \ select them in the nginx default configuration menu. -define Package/nginx-all-module +define Package/nginx-full $(Package/nginx/default) TITLE += with ALL module selected - DEPENDS+=+libpcre +nginx-ssl-util +zlib +liblua +libxml2 +libubus \ - +libblobmsg-json +libjson-c + DEPENDS+=+libpcre +nginx-ssl-util +zlib +libxml2 \ + +nginx-mod-ubus +nginx-mod-naxsi +nginx-mod-lua \ + +nginx-mod-dav-ext +nginx-mod-stream +nginx-mod-headers-more \ + +nginx-mod-brotli +nginx-mod-rtmp +nginx-mod-ts EXTRA_DEPENDS:=nginx-ssl-util (>=1.5-1) (<2) VARIANT:=all-module PROVIDES += nginx-ssl endef -Package/nginx-all-module/description = $(Package/nginx/description) \ +Package/nginx-full/description = $(Package/nginx/description) \ This variant is compiled with ALL module selected. define Package/nginx-ssl/config @@ -135,8 +125,7 @@ define Package/nginx/conffiles endef Package/nginx-ssl/conffiles = $(Package/nginx/conffiles) -Package/nginx-all-module/conffiles = $(Package/nginx/conffiles) - +Package/nginx-full/conffiles = $(Package/nginx/conffiles) ADDITIONAL_MODULES:= --with-http_ssl_module 
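Review bot: `Package/nginx-full` now obtains every module through `DEPENDS` on the `nginx-mod-*` packages instead of linking them in, but those packages declare no `VARIANT`, so the `.so` files they ship come from whichever variant's build last wrote `$(PKG_INSTALL_DIR)/usr/lib/nginx/modules`. nginx refuses a dynamic module whose build signature differs from the binary's, and that signature covers options that differ between the two variants in this file (for example `--with-http_v2_module` and `--with-http_realip_module` are forced on for `all-module` but CONFIG-gated for `ssl`), so a module built under the `ssl` configure set may fail to load into `nginx-full` unless both builds are configured with `--with-compat`, which is not visible in the `CONFIGURE_ARGS` hunk of this diff. Either pin which variant produces the module packages or add `--with-compat` with a comment such as `# --with-compat: keep the module signature identical across the ssl and all-module variants`. The `Package/nginx-ssl` define begins before this hunk.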
@@ -233,12 +222,6 @@ ifneq ($(BUILD_VARIANT),all-module) ifneq ($(CONFIG_NGINX_HTTP_UPSTREAM_KEEPALIVE),y) ADDITIONAL_MODULES += --without-http_upstream_keepalive_module endif - ifeq ($(CONFIG_NGINX_NAXSI),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src - endif - ifeq ($(CONFIG_NGINX_LUA),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/lua-nginx - endif ifeq ($(CONFIG_IPV6),y) ADDITIONAL_MODULES += --with-ipv6 endif @@ -251,12 +234,6 @@ ifneq ($(BUILD_VARIANT),all-module) ifeq ($(CONFIG_NGINX_DAV),y) ADDITIONAL_MODULES += --with-http_dav_module endif - ifeq ($(CONFIG_NGINX_DAV_EXT),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module - endif - ifeq ($(CONFIG_NGINX_UBUS),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-ubus-module - endif ifeq ($(CONFIG_NGINX_HTTP_AUTH_REQUEST),y) ADDITIONAL_MODULES += --with-http_auth_request_module endif 
@@ -272,51 +249,45 @@ ifneq ($(BUILD_VARIANT),all-module) ifeq ($(CONFIG_NGINX_HTTP_SUB),y) ADDITIONAL_MODULES += --with-http_sub_module endif - ifeq ($(CONFIG_NGINX_STREAM_CORE_MODULE),y) - ADDITIONAL_MODULES += --with-stream - endif - ifeq ($(CONFIG_NGINX_STREAM_SSL_MODULE),y) - ADDITIONAL_MODULES += --with-stream_ssl_module - endif - ifeq ($(CONFIG_NGINX_STREAM_SSL_PREREAD_MODULE),y) - ADDITIONAL_MODULES += --with-stream_ssl_preread_module - endif - ifeq ($(CONFIG_NGINX_HEADERS_MORE),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-headers-more - endif - ifeq ($(CONFIG_NGINX_HTTP_BROTLI),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-brotli - endif - ifeq ($(CONFIG_NGINX_RTMP_MODULE),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-rtmp - endif - ifeq ($(CONFIG_NGINX_TS_MODULE),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-ts - endif else - CONFIG_NGINX_HEADERS_MORE:=y - CONFIG_NGINX_HTTP_BROTLI:=y - CONFIG_NGINX_RTMP_MODULE:=y - CONFIG_NGINX_TS_MODULE:=y - CONFIG_NGINX_NAXSI:=y - CONFIG_NGINX_LUA:=y - CONFIG_NGINX_DAV:=y - CONFIG_NGINX_DAV_EXT:=y - CONFIG_NGINX_UBUS:=y ADDITIONAL_MODULES += --with-ipv6 --with-http_stub_status_module --with-http_flv_module \ --with-http_dav_module \ --with-http_auth_request_module --with-http_v2_module --with-http_realip_module \ --with-http_secure_link_module --with-http_sub_module \ - --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \ - --add-module=$(PKG_BUILD_DIR)/nginx-headers-more \ - --add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src \ - --add-module=$(PKG_BUILD_DIR)/lua-nginx \ - --add-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module \ - --add-module=$(PKG_BUILD_DIR)/nginx-brotli --add-module=$(PKG_BUILD_DIR)/nginx-rtmp \ - --add-module=$(PKG_BUILD_DIR)/nginx-ts --add-module=$(PKG_BUILD_DIR)/nginx-ubus-module config_files += koi-utf koi-win win-utf fastcgi_params uwsgi_params endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-naxsi),) + 
ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-lua),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/lua-nginx +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-dav-ext),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-stream),) + ADDITIONAL_MODULES += --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-ubus),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-ubus-module +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-headers-more),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-headers-more +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-brotli),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-brotli +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-rtmp),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-rtmp +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-ts),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-ts +endif +ifeq ($(CONFIG_NGINX_GEOIP_MODULE),y) + ADDITIONAL_MODULES += --with-http_geoip_module=dynamic +endif + define Package/nginx-mod-luci TITLE:=Nginx on LuCI SECTION:=net @@ -324,7 +295,7 @@ define Package/nginx-mod-luci SUBMENU:=Web Servers/Proxies TITLE:=Support file for Nginx URL:=http://nginx.org/ - DEPENDS:=+uwsgi +uwsgi-luci-support +nginx + DEPENDS:=+uwsgi +uwsgi-luci-support +nginx +nginx-mod-ubus # TODO: add PROVIDES when removing nginx-mod-luci-ssl # PROVIDES:=nginx-mod-luci-ssl endef 
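Review bot: `ifeq ($(CONFIG_NGINX_GEOIP_MODULE),y)` adds `--with-http_geoip_module=dynamic`, but no `nginx-mod-geoip` package is created by the `module` calls later in this diff, the symbol is absent from the `PKG_CONFIG_DEPENDS` list edited above, and no Config entry for it appears in the `Config_ssl.in` hunks, so as written the geoip `.so` is built and then discarded and toggling the option does not trigger a reconfigure (unless the option is defined in a file outside this diff). Either add the matching `module` call with its library dependency plus a Config entry, or drop the block until the package exists. The `ifneq ($(BUILD_VARIANT),all-module)` conditional this hunk edits begins before it.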
@@ -333,12 +304,95 @@ define Package/nginx-mod-luci/description Support file for LuCI in nginx. Include custom nginx configuration, autostart script for uwsgi. endef +NGINX_MODULES := -TARGET_CFLAGS += -fvisibility=hidden -DNGX_LUA_NO_BY_LUA_BLOCK +# $(1) module name +# $(2) module additional dependency +# $(3) module so name (stripped of the finaly _module.so) +# $(4) module description +define module + define Package/nginx-mod-$(strip $(1)) + $(call Package/nginx/default) + DEPENDS:=+nginx-ssl $(2) + TITLE:=Nginx $(1) module + endef -ifeq ($(CONFIG_NGINX_LUA),y) - CONFIGURE_VARS += LUA_INC=$(STAGING_DIR)/usr/include \ - LUA_LIB=$(STAGING_DIR)/usr/lib + define Package/nginx-mod-$(strip $(1))/description + $(4) + endef + + define Package/nginx-mod-$(strip $(1))/install + $(INSTALL_DIR) $$(1)/usr/lib/nginx/modules + $(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/$(3)_module.so $$(1)/usr/lib/nginx/modules + endef + + NGINX_MODULES += nginx-mod-$(strip $(1)) +endef + +define brotli + define Package/nginx-mod-brotli + $(call Package/nginx/default) + DEPENDS:=+nginx-ssl + TITLE:=Nginx Brotli module + endef + + define Package/nginx-mod-brotli/description + Add support for brotli compression module. + endef + + define Package/nginx-mod-brotli/install + $(INSTALL_DIR) $$(1)/usr/lib/nginx/modules + $(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/ngx_http_brotli_filter_module.so $$(1)/usr/lib/nginx/modules + $(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/ngx_http_brotli_static_module.so $$(1)/usr/lib/nginx/modules + endef + + NGINX_MODULES += nginx-mod-brotli +endef + +define naxsi + define Package/nginx-mod-naxsi + $(call Package/nginx/default) + DEPENDS:=+nginx-ssl + TITLE:=Nginx naxsi module + endef + + define Package/nginx-mod-naxsi/description + Enable NAXSI module. 
+ endef + + define Package/nginx-mod-naxsi/install + $(INSTALL_DIR) $$(1)/usr/lib/nginx/modules + $(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/ngx_http_naxsi_module.so $$(1)/usr/lib/nginx/modules + + $(INSTALL_DIR) $$(1)/etc/nginx + $(INSTALL_BIN) $$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $$(1)/etc/nginx + chmod 0640 $$(1)/etc/nginx/naxsi_core.rules + + $(INSTALL_BIN) $$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $$(1)/etc/nginx + chmod 0640 $$(1)/etc/nginx/naxsi_core.rules + endef + + NGINX_MODULES += nginx-mod-naxsi +endef + +$(eval $(call module,lua, +luajit,ngx_http_lua, Enable Lua module)) +$(eval $(call module,stream, +@NGINX_STREAM_CORE_MODULE,ngx_stream, Add support for NGINX request streaming.)) +$(eval $(call module,ubus, +libubus +libjson-c +libblobmsg-json +@NGINX_UBUS,ngx_http_ubus, Enable UBUS api support directly from the server.)) +$(eval $(call module,dav-ext, +@NGINX_DAV +libxml2,ngx_http_dav_ext, Enable the WebDAV methods PROPFIND OPTIONS LOCK UNLOCK.)) +$(eval $(call module,headers-more,,ngx_http_headers_more_filter, Set and clear input and output headers...more than "add"!)) +$(eval $(call module,rtmp,,ngx_rtmp, Add support for NGINX-based Media Streaming Server module. \ + DASH enhanced - https://github.com/ut0mt8/nginx-rtmp-module)) +$(eval $(call module, ts,,ngx_http_ts, Add support for MPEG-TS Live Module module.)) +$(eval $(call brotli)) +$(eval $(call naxsi)) + +PKG_CONFIG_DEPENDS += $(patsubst %,CONFIG_PACKAGE_%,$(NGINX_MODULES)) + +TARGET_CFLAGS += -DNGX_LUA_NO_BY_LUA_BLOCK + +ifneq ($(CONFIG_PACKAGE_nginx-mod-lua),) + CONFIGURE_VARS += LUAJIT_INC=$(STAGING_DIR)/usr/include/luajit-* \ + LUAJIT_LIB=$(STAGING_DIR)/usr/lib endif CONFIGURE_VARS += CONFIG_BIG_ENDIAN=$(CONFIG_BIG_ENDIAN) 
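Review bot: In `Package/nginx-mod-naxsi/install` the pair `$(INSTALL_BIN) $$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $$(1)/etc/nginx` / `chmod 0640 $$(1)/etc/nginx/naxsi_core.rules` is written twice; the second copy is a leftover and should be deleted. The rules file is configuration, not an executable, so the whole thing collapses to one line, `$(INSTALL_CONF) $$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $$(1)/etc/nginx/` (mode 0600, the same way nginx-util's files are installed elsewhere in this commit), and `/etc/nginx/naxsi_core.rules` then belongs in a `Package/nginx-mod-naxsi/conffiles` block so local edits survive an upgrade. The header comment above `define module` has a typo, "finaly" for "finally". Separately, `LUAJIT_INC=$(STAGING_DIR)/usr/include/luajit-*` hands a shell glob to `CONFIGURE_VARS`, which only resolves if every later consumer expands the value as an unquoted shell word; `LUAJIT_INC=$(firstword $(wildcard $(STAGING_DIR)/usr/include/luajit-*))` resolves it in make and yields a visibly empty value when no luajit headers are staged.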
@@ -347,6 +401,7 @@ CONFIGURE_ARGS += \ --crossbuild=Linux::$(ARCH) \ --prefix=/usr \ --conf-path=/etc/nginx/nginx.conf \ + --modules-path=/usr/lib/nginx/modules \ $(ADDITIONAL_MODULES) \ --error-log-path=stderr \ --pid-path=/var/run/nginx.pid \ @@ -358,7 +413,8 @@ CONFIGURE_ARGS += \ --with-cc="$(TARGET_CC)" \ --with-cc-opt="$(TARGET_CPPFLAGS) $(TARGET_CFLAGS)" \ --with-ld-opt="$(TARGET_LDFLAGS)" \ - --without-http_upstream_zone_module + --without-http_upstream_zone_module \ + --without-pcre2 define Package/nginx-mod-luci/install $(INSTALL_DIR) $(1)/etc/nginx/conf.d @@ -374,16 +430,9 @@ define Package/nginx-ssl/install $(INSTALL_DATA) $(addprefix $(PKG_INSTALL_DIR)/etc/nginx/,$(config_files)) $(1)/etc/nginx/ $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/nginx.init $(1)/etc/init.d/nginx -ifeq ($(CONFIG_NGINX_NAXSI),y) - $(INSTALL_DIR) $(1)/etc/nginx - $(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx - chmod 0640 $(1)/etc/nginx/naxsi_core.rules -endif - $(if $(CONFIG_NGINX_NAXSI),$($(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx)) - $(if $(CONFIG_NGINX_NAXSI),$(chmod 0640 $(1)/etc/nginx/naxsi_core.rules)) endef -Package/nginx-all-module/install = $(Package/nginx-ssl/install) +Package/nginx-full/install = $(Package/nginx-ssl/install) define Package/nginx-ssl/prerm #!/bin/sh 
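Review bot: `--without-pcre2` in the `@@ -358,7 +413,8 @@` hunk pins nginx 1.24.0 to the legacy PCRE 8.x library (`+NGINX_PCRE:libpcre` in the package DEPENDS), a series that upstream stopped maintaining after 8.45, so the regex engine behind `location ~`, `rewrite` and `server_name` patterns will receive no further fixes. If the feed cannot yet provide libpcre2 that is a defensible choice, but the flag should say so, e.g. `# --without-pcre2: <why legacy PCRE is kept>`, so the next bump revisits it rather than inheriting it. `CONFIGURE_ARGS` begins before this hunk.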
@@ -396,14 +445,14 @@ rm -f "$$(uci get "nginx.$${LAN_NAME}.ssl_certificate_key")" exit 0 endef -Package/nginx-all-module/prerm = $(Package/nginx-ssl/prerm) +Package/nginx-full/prerm = $(Package/nginx-ssl/prerm) define Download/nginx-headers-more - VERSION:=a9f7c7e86cc7441d04e2f11f01c2e3a9c4b0301d + VERSION:=bea1be3bbf6af28f6aa8cf0c01c07ee1637e2bd0 SUBDIR:=nginx-headers-more FILE:=headers-more-nginx-module-$$(VERSION).tar.xz URL:=https://github.com/openresty/headers-more-nginx-module.git - MIRROR_HASH:=ce0b9996ecb2cff790831644d6ab1adc087aa2771d77d3931c06246d11bc59fd + MIRROR_HASH:=3617bbf7a935208a1d8d5f86a8f9b770f6987e4d2b5663a9ab1b777217e3066b PROTO:=git endef @@ -469,11 +518,11 @@ define Prepare/nginx-naxsi endef define Download/lua-nginx - VERSION:=e94f2e5d64daa45ff396e262d8dab8e56f5f10e0 + VERSION:=68acad14e4a8f42e31d4a4bb5ed44d6f5b55fc1c SUBDIR:=lua-nginx FILE:=lua-nginx-module-$$(VERSION).tar.xz URL:=https://github.com/openresty/lua-nginx-module.git - MIRROR_HASH:=27729921964f066d97e99c263da153b34622a2f4b811114e4c3ee61c6fc71395 + MIRROR_HASH:=366f24e1ba6221e34f6ba20ab29146438438f88c89fd71f9500d169b3f5aedf0 PROTO:=git endef @@ -513,13 +562,13 @@ endef define Build/Patch $(if $(QUILT),rm -rf $(PKG_BUILD_DIR)/patches; mkdir -p $(PKG_BUILD_DIR)/patches) $(call PatchDir,$(PKG_BUILD_DIR),$(PATCH_DIR)/nginx,nginx/) -ifneq "$(or $(CONFIG_NGINX_DAV_EXT),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-dav-ext),$(QUILT))" "" $(call PatchDir,$(PKG_BUILD_DIR),$(PATCH_DIR)/dav-nginx,dav-nginx/) endif -ifneq "$(or $(CONFIG_NGINX_LUA),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-lua),$(QUILT))" "" $(call PatchDir,$(PKG_BUILD_DIR),$(PATCH_DIR)/lua-nginx,lua-nginx/) endif -ifneq "$(or $(CONFIG_NGINX_RTMP_MODULE),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-rtmp),$(QUILT))" "" $(call PatchDir,$(PKG_BUILD_DIR),$(PATCH_DIR)/rtmp-nginx,rtmp-nginx/) endif $(if $(QUILT),touch $(PKG_BUILD_DIR)/.quilt_used) 
@@ -537,42 +586,42 @@ define Build/Prepare mkdir -p $(PKG_BUILD_DIR) $(PKG_UNPACK) -ifeq ($(CONFIG_NGINX_NAXSI),y) +ifneq ($(CONFIG_PACKAGE_nginx-mod-naxsi),) $(eval $(call Download,nginx-naxsi)) $(Prepare/nginx-naxsi) endif -ifneq "$(or $(CONFIG_NGINX_LUA),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-lua),$(QUILT))" "" $(eval $(call Download,lua-nginx)) $(Prepare/lua-nginx) endif -ifeq ($(CONFIG_NGINX_HTTP_BROTLI),y) +ifneq ($(CONFIG_PACKAGE_nginx-mod-brotli),) $(eval $(call Download,nginx-brotli)) $(Prepare/nginx-brotli) endif -ifeq ($(CONFIG_NGINX_HEADERS_MORE),y) +ifneq ($(CONFIG_PACKAGE_nginx-mod-headers-more),) $(eval $(call Download,nginx-headers-more)) $(Prepare/nginx-headers-more) endif -ifneq "$(or $(CONFIG_NGINX_RTMP_MODULE),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-rtmp),$(QUILT))" "" $(eval $(call Download,nginx-rtmp)) $(Prepare/nginx-rtmp) endif -ifeq ($(CONFIG_NGINX_TS_MODULE),y) +ifneq ($(CONFIG_PACKAGE_nginx-mod-ts),) $(eval $(call Download,nginx-ts)) $(Prepare/nginx-ts) endif -ifneq "$(or $(CONFIG_NGINX_DAV_EXT),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-dav-ext),$(QUILT))" "" $(eval $(call Download,nginx-dav-ext-module)) $(Prepare/nginx-dav-ext-module) endif -ifeq ($(CONFIG_NGINX_UBUS),y) +ifneq ($(CONFIG_PACKAGE_nginx-mod-ubus),) $(eval $(call Download,nginx-ubus-module)) $(Prepare/nginx-ubus-module) endif @@ -581,9 +630,11 @@ endif endef $(eval $(call BuildPackage,nginx-ssl)) -$(eval $(call BuildPackage,nginx-all-module)) +$(eval $(call BuildPackage,nginx-full)) $(eval $(call BuildPackage,nginx-mod-luci)) +$(foreach m,$(NGINX_MODULES),$(eval $(call BuildPackage,$(m)))) + # TODO: remove after a transition period (together with pkg nginx-util): # It is for smoothly substituting nginx and nginx-mod-luci-ssl (by nginx-ssl # respectively nginx-mod-luci). Add above commented PROVIDES when removing. 
diff --git a/net/nginx/files-luci-support/60_nginx-luci-support b/net/nginx/files-luci-support/60_nginx-luci-support index 2257602fa..d1b6c64d2 100644 --- a/net/nginx/files-luci-support/60_nginx-luci-support +++ b/net/nginx/files-luci-support/60_nginx-luci-support @@ -1,8 +1,8 @@ #!/bin/sh -if nginx -V 2>&1 | grep -q ubus; then - if [ -z "$(cat /etc/nginx/conf.d/luci.locations | grep ubus)" ]; then - cat <> /etc/nginx/conf.d/luci.locations +if nginx -V 2>&1 | grep -q ubus && [ -f /usr/lib/nginx/modules/ngx_http_ubus_module.so ]; then + if [ -z "$(cat /etc/nginx/conf.d/luci.locations | grep ubus)" ]; then + cat <> /etc/nginx/conf.d/luci.locations location /ubus { ubus_interpreter; @@ -25,7 +25,13 @@ location ~ /netdata/(?.*) { } EOT - fi + fi + + if [ ! -f "/etc/nginx/module.d/luci.module" ]; then + cat <> /etc/nginx/module.d/luci.module +load_module /usr/lib/nginx/modules/ngx_http_ubus_module.so; +EOT + fi fi grep -q /var/run/ubus.sock /etc/nginx/conf.d/luci.locations && diff --git a/net/nginx/patches/lua-nginx/100-no_by_lua_block.patch b/net/nginx/patches/lua-nginx/100-no_by_lua_block.patch index 968e12d58..1b4d1fef1 100644 --- a/net/nginx/patches/lua-nginx/100-no_by_lua_block.patch +++ b/net/nginx/patches/lua-nginx/100-no_by_lua_block.patch @@ -1,10 +1,9 @@ --- a/lua-nginx/src/ngx_http_lua_module.c +++ b/lua-nginx/src/ngx_http_lua_module.c -@@ -165,14 +165,14 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -207,12 +207,14 @@ static ngx_command_t ngx_http_lua_cmds[] offsetof(ngx_http_lua_loc_conf_t, log_socket_errors), NULL }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK { ngx_string("init_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, 
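Review bot: `if [ -z "$(cat /etc/nginx/conf.d/luci.locations | grep ubus)" ]; then` in the first 60_nginx-luci-support hunk spawns two processes and a subshell to ask a yes/no question that `if ! grep -q ubus /etc/nginx/conf.d/luci.locations; then` answers directly. The new `load_module` snippet is written only when `/etc/nginx/module.d/luci.module` is absent, which is right for first install, but nothing here states that it is only effective because nginx-util's `uci.conf.template` now carries `include module.d/*.module;`; a user-managed nginx.conf without that include will reject `ubus_interpreter` at config test time, so a comment such as `# picked up via 'include module.d/*.module;' in the generated uci.conf` would make the dependency visible. The outer `if nginx -V ...` block opens in the first hunk and closes in the second.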
@@ -12,16 +11,14 @@ NGX_HTTP_MAIN_CONF_OFFSET, 0, (void *) ngx_http_lua_init_by_inline }, -- +#endif + { ngx_string("init_by_lua"), NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, - ngx_http_lua_init_by_lua, -@@ -186,14 +186,14 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_MAIN_CONF_OFFSET, +@@ -228,12 +230,14 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_init_by_file }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK { ngx_string("init_worker_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, 
@@ -29,141 +26,157 @@ NGX_HTTP_MAIN_CONF_OFFSET, 0, (void *) ngx_http_lua_init_worker_by_inline }, -- +#endif + { ngx_string("init_worker_by_lua"), NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, - ngx_http_lua_init_worker_by_lua, -@@ -209,6 +209,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -249,12 +253,14 @@ static ngx_command_t ngx_http_lua_cmds[] + 0, (void *) ngx_http_lua_init_worker_by_file }, ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + { ngx_string("exit_worker_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, + ngx_http_lua_exit_worker_by_lua_block, + NGX_HTTP_MAIN_CONF_OFFSET, + 0, + (void *) ngx_http_lua_exit_worker_by_inline }, ++#endif + + { ngx_string("exit_worker_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, +@@ -264,6 +270,7 @@ static ngx_command_t ngx_http_lua_cmds[] + (void *) ngx_http_lua_exit_worker_by_file }, + #if defined(NDK) && NDK +#ifndef NGX_LUA_NO_BY_LUA_BLOCK - /* set_by_lua $res { inline Lua code } [$arg1 [$arg2 [...]]] */ + /* set_by_lua_block $res { inline Lua code } */ { ngx_string("set_by_lua_block"), NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -217,7 +218,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -272,6 +279,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_filter_set_by_lua_inline }, -- +#endif + /* set_by_lua $res [$arg1 [$arg2 [...]]] */ { ngx_string("set_by_lua"), - NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -245,7 +246,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -292,6 +300,7 @@ static ngx_command_t ngx_http_lua_cmds[] + (void *) ngx_http_lua_filter_set_by_lua_file }, + #endif + ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + /* server_rewrite_by_lua_block { } */ + { ngx_string("server_rewrite_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, +@@ -299,6 +308,7 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_SRV_CONF_OFFSET, + 0, + (void 
*) ngx_http_lua_server_rewrite_handler_inline }, ++#endif + + /* server_rewrite_by_lua_file filename; */ + { ngx_string("server_rewrite_by_lua_file"), +@@ -317,6 +327,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_rewrite_handler_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* rewrite_by_lua_block { } */ { ngx_string("rewrite_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -254,7 +255,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -325,6 +336,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_rewrite_handler_inline }, -- +#endif + /* access_by_lua "" */ { ngx_string("access_by_lua"), - NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -263,7 +264,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -335,6 +347,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_access_handler_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* access_by_lua_block { } */ { ngx_string("access_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -272,7 +273,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -343,6 +356,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_access_handler_inline }, -- +#endif + /* content_by_lua "" */ { ngx_string("content_by_lua"), - NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_TAKE1, -@@ -280,7 +281,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -352,6 +366,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_content_handler_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* content_by_lua_block { } */ { ngx_string("content_by_lua_block"), NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, -@@ -288,7 +289,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -359,6 +374,7 @@ static ngx_command_t ngx_http_lua_cmds[] 
NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_content_handler_inline }, -- +#endif + /* log_by_lua */ { ngx_string("log_by_lua"), - NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -297,7 +298,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -369,6 +385,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_log_handler_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* log_by_lua_block { } */ { ngx_string("log_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -306,7 +307,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -377,6 +394,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_log_handler_inline }, -- +#endif + { ngx_string("rewrite_by_lua_file"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF - |NGX_CONF_TAKE1, -@@ -361,7 +362,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -433,6 +451,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_header_filter_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* header_filter_by_lua_block { } */ { ngx_string("header_filter_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -370,7 +371,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -441,6 +460,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_header_filter_inline }, -- +#endif + { ngx_string("header_filter_by_lua_file"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF - |NGX_CONF_TAKE1, -@@ -386,7 +387,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -458,6 +478,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_body_filter_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* body_filter_by_lua_block { } */ { ngx_string("body_filter_by_lua_block"), 
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -395,7 +396,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -466,6 +487,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_body_filter_inline }, -- +#endif + { ngx_string("body_filter_by_lua_file"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF - |NGX_CONF_TAKE1, -@@ -403,14 +404,14 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -475,12 +497,14 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_body_filter_file }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK { ngx_string("balancer_by_lua_block"), NGX_HTTP_UPS_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, @@ -171,16 +184,29 @@ NGX_HTTP_SRV_CONF_OFFSET, 0, (void *) ngx_http_lua_balancer_handler_inline }, -- +#endif + { ngx_string("balancer_by_lua_file"), NGX_HTTP_UPS_CONF|NGX_CONF_TAKE1, - ngx_http_lua_balancer_by_lua, -@@ -517,14 +518,14 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -585,12 +609,14 @@ static ngx_command_t ngx_http_lua_cmds[] offsetof(ngx_http_lua_loc_conf_t, ssl_ciphers), NULL }, -- + ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + { ngx_string("ssl_client_hello_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, + ngx_http_lua_ssl_client_hello_by_lua_block, + NGX_HTTP_SRV_CONF_OFFSET, + 0, + (void *) ngx_http_lua_ssl_client_hello_handler_inline }, ++#endif + + { ngx_string("ssl_client_hello_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, +@@ -599,12 +625,14 @@ static ngx_command_t ngx_http_lua_cmds[] + 0, + (void *) ngx_http_lua_ssl_client_hello_handler_file }, + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK { ngx_string("ssl_certificate_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, 
@@ -188,8 +214,37 @@ NGX_HTTP_SRV_CONF_OFFSET, 0, (void *) ngx_http_lua_ssl_cert_handler_inline }, -- +#endif + { ngx_string("ssl_certificate_by_lua_file"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, - ngx_http_lua_ssl_cert_by_lua, +@@ -613,12 +641,14 @@ static ngx_command_t ngx_http_lua_cmds[] + 0, + (void *) ngx_http_lua_ssl_cert_handler_file }, + ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + { ngx_string("ssl_session_store_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, + ngx_http_lua_ssl_sess_store_by_lua_block, + NGX_HTTP_SRV_CONF_OFFSET, + 0, + (void *) ngx_http_lua_ssl_sess_store_handler_inline }, ++#endif + + { ngx_string("ssl_session_store_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, +@@ -627,12 +657,14 @@ static ngx_command_t ngx_http_lua_cmds[] + 0, + (void *) ngx_http_lua_ssl_sess_store_handler_file }, + ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + { ngx_string("ssl_session_fetch_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, + ngx_http_lua_ssl_sess_fetch_by_lua_block, + NGX_HTTP_SRV_CONF_OFFSET, + 0, + (void *) ngx_http_lua_ssl_sess_fetch_handler_inline }, ++#endif + + { ngx_string("ssl_session_fetch_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, diff --git a/net/nginx/patches/nginx/201-ignore-invalid-options.patch b/net/nginx/patches/nginx/201-ignore-invalid-options.patch index d208bf507..8ea567167 100644 --- a/net/nginx/patches/nginx/201-ignore-invalid-options.patch +++ b/net/nginx/patches/nginx/201-ignore-invalid-options.patch @@ -1,6 +1,6 @@ --- a/auto/options +++ b/auto/options -@@ -400,8 +400,7 @@ $0: warning: the \"--with-sha1-asm\" opt +@@ -402,8 +402,7 @@ $0: warning: the \"--with-sha1-asm\" opt --test-build-solaris-sendfilev) NGX_TEST_BUILD_SOLARIS_SENDFILEV=YES ;; *) diff --git a/net/openssh/files/sshd.init b/net/openssh/files/sshd.init index e7735364d..0b859e146 100644 --- a/net/openssh/files/sshd.init +++ b/net/openssh/files/sshd.init 
@@ -27,9 +27,14 @@ start_service() { procd_open_instance procd_add_mdns "ssh" "tcp" "$lport" procd_set_param command $PROG -D + procd_set_param respawn procd_close_instance } +reload_service() { + procd_send_signal sshd +} + shutdown() { local pid diff --git a/net/pbr/Makefile b/net/pbr/Makefile index 3d8438d9e..9f96686c1 100644 --- a/net/pbr/Makefile +++ b/net/pbr/Makefile @@ -4,8 +4,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=pbr -PKG_VERSION:=1.0.1 -PKG_RELEASE:=16 +PKG_VERSION:=1.1.1 +PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Stan Grishin @@ -17,7 +17,7 @@ define Package/pbr/Default SUBMENU:=Routing and Redirection TITLE:=Policy Based Routing Service URL:=https://docs.openwrt.melmac.net/pbr/ - DEPENDS:=+ip-full +jshn +jsonfilter +libubus +resolveip + DEPENDS:=+ip-full +jshn +jsonfilter +resolveip CONFLICTS:=vpnbypass vpn-policy-routing PKGARCH:=all endef @@ -79,13 +79,11 @@ define Package/pbr/default/install $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/etc/init.d/pbr.init $(1)/etc/init.d/pbr $(SED) "s|^\(readonly PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/pbr - $(INSTALL_DIR) $(1)/etc/hotplug.d/firewall $(INSTALL_DIR) $(1)/etc/hotplug.d/iface $(INSTALL_DATA) ./files/etc/hotplug.d/iface/70-pbr $(1)/etc/hotplug.d/iface/70-pbr $(INSTALL_DIR) $(1)/etc/uci-defaults $(INSTALL_BIN) ./files/etc/uci-defaults/90-pbr $(1)/etc/uci-defaults/90-pbr $(INSTALL_DIR) $(1)/usr/share/pbr - $(INSTALL_DATA) ./files/usr/share/pbr/pbr.firewall.include $(1)/usr/share/pbr/pbr.firewall.include $(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.aws $(1)/usr/share/pbr/pbr.user.aws $(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.netflix $(1)/usr/share/pbr/pbr.user.netflix endef 
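Review bot: The new `reload_service()` signals a running `sshd -D` without testing the configuration first, so a reload with a broken sshd_config makes the re-executed daemon exit and, with the `respawn` added in the same hunk, procd restarts it into the same failure until its retry budget is exhausted — on a remote box that is a lockout. Gate the signal on a config test, `$PROG -t || return 1`, before `procd_send_signal sshd`, so an invalid config leaves the old daemon serving. `procd_send_signal` defaults to SIGHUP, which is what makes sshd re-read its config and keep existing sessions; a one-line comment saying so would spare the next reader a trip to the procd docs. `start_service()` begins before this hunk, and `shutdown()` continues after it.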
@@ -94,12 +92,16 @@ define Package/pbr/install $(call Package/pbr/default/install,$(1)) $(INSTALL_DIR) $(1)/etc/config $(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr + $(INSTALL_DIR) $(1)/usr/share/pbr + $(INSTALL_DATA) ./files/usr/share/pbr/pbr.firewall.include $(1)/usr/share/pbr/pbr.firewall.include $(INSTALL_DIR) $(1)/usr/share/nftables.d $(CP) ./files/usr/share/nftables.d/* $(1)/usr/share/nftables.d/ endef define Package/pbr-iptables/install $(call Package/pbr/default/install,$(1)) + $(INSTALL_DIR) $(1)/etc/hotplug.d/firewall + $(INSTALL_DATA) ./files/etc/hotplug.d/firewall/70-pbr $(1)/etc/hotplug.d/firewall/70-pbr $(INSTALL_DIR) $(1)/etc/config $(INSTALL_CONF) ./files/etc/config/pbr.iptables $(1)/etc/config/pbr endef @@ -130,7 +132,7 @@ define Package/pbr/prerm # check if we are on real system if [ -z "$${IPKG_INSTROOT}" ]; then uci -q delete firewall.pbr || true - echo -n "Stopping pbr service... " + echo "Stopping pbr service... " /etc/init.d/pbr stop && echo "OK" || echo "FAIL" echo -n "Removing rc.d symlink for pbr... " /etc/init.d/pbr disable && echo "OK" || echo "FAIL" @@ -162,7 +164,7 @@ define Package/pbr-iptables/prerm # check if we are on real system if [ -z "$${IPKG_INSTROOT}" ]; then uci -q delete firewall.pbr || true - echo -n "Stopping pbr-iptables service... " + echo "Stopping pbr-iptables service... " /etc/init.d/pbr stop && echo "OK" || echo "FAIL" echo -n "Removing rc.d symlink for pbr-iptables... " /etc/init.d/pbr disable && echo "OK" || echo "FAIL" @@ -185,7 +187,7 @@ define Package/pbr-netifd/prerm # check if we are on real system if [ -z "$${IPKG_INSTROOT}" ]; then uci -q delete firewall.pbr || true - echo -n "Stopping pbr-netifd service... " + echo "Stopping pbr-netifd service... " /etc/init.d/pbr stop && echo "OK" || echo "FAIL" echo -n "Removing rc.d symlink for pbr... " /etc/init.d/pbr disable && echo "OK" || echo "FAIL" 
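Review bot: `$(INSTALL_DIR) $(1)/usr/share/pbr` in the new lines of `Package/pbr/install` repeats the directory creation that `Package/pbr/default/install`, invoked on the first line of the same recipe, already performs; the duplicate is harmless but suggests the recipes are independent, so drop it and keep only the `$(INSTALL_DATA) ./files/usr/share/pbr/pbr.firewall.include ...` line. The firewall include and the firewall hotplug script are now installed per variant (nftables-based `pbr` gets the include, `pbr-iptables` gets the hotplug script), which is worth a one-line comment in each recipe so the split is not undone by the next refactor. The `pbr-netifd` install recipe is outside this hunk, so I cannot tell which of the two it receives.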
diff --git a/net/pbr/files/etc/hotplug.d/firewall/70-pbr b/net/pbr/files/etc/hotplug.d/firewall/70-pbr index c129006c5..25b7e58fa 100755 --- a/net/pbr/files/etc/hotplug.d/firewall/70-pbr +++ b/net/pbr/files/etc/hotplug.d/firewall/70-pbr @@ -1,6 +1,6 @@ #!/bin/sh -[ "$ACTION" = "reload" ] ||[ "$ACTION" = "restart" ] || exit 0 +[ "$ACTION" = "reload" ] || [ "$ACTION" = "restart" ] || exit 0 if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then - logger -t "pbr" "Reloading pbr due to $ACTION of firewall" + logger -t "pbr" "Reloading pbr due to firewall action: $ACTION" /etc/init.d/pbr reload fi diff --git a/net/pbr/files/etc/hotplug.d/iface/70-pbr b/net/pbr/files/etc/hotplug.d/iface/70-pbr index 172385a11..bcb0faa7b 100644 --- a/net/pbr/files/etc/hotplug.d/iface/70-pbr +++ b/net/pbr/files/etc/hotplug.d/iface/70-pbr @@ -1,8 +1,6 @@ #!/bin/sh # shellcheck disable=SC1091,SC3060 -[ -s /etc/openwrt_release ] && . /etc/openwrt_release -[ "${DISTRIB_RELEASE//19.07}" = "$DISTRIB_RELEASE" ] && exit 0 if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then - logger -t pbr "Reloading pbr $INTERFACE due to $ACTION of $INTERFACE ($DEVICE)" - /etc/init.d/pbr reload_interface "$INTERFACE" + logger -t pbr "Reloading pbr $INTERFACE interface routing due to $ACTION of $INTERFACE ($DEVICE)" + /etc/init.d/pbr on_interface_reload "$INTERFACE" fi diff --git a/net/pbr/files/etc/init.d/pbr.init b/net/pbr/files/etc/init.d/pbr.init index 848dd2e9e..a76bc30a9 100755 --- a/net/pbr/files/etc/init.d/pbr.init +++ b/net/pbr/files/etc/init.d/pbr.init 
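Review bot: With the release gate removed, the iface hotplug script now calls `/etc/init.d/pbr on_interface_reload "$INTERFACE"` for every hotplug `ACTION` (ifup, ifdown, ifupdate, …), whereas the sibling firewall script in this same commit filters with `[ "$ACTION" = "reload" ] || [ "$ACTION" = "restart" ] || exit 0`. Unless `on_interface_reload` does its own filtering (its body is not in this diff), add an equivalent guard before the `if`, e.g. `case "$ACTION" in ifup|ifupdate) ;; *) exit 0 ;; esac`, and leave a comment naming which actions are meant to trigger a routing rebuild. `$INTERFACE` and `$DEVICE` come from the hotplug environment and are quoted correctly here.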
@@ -35,10 +35,10 @@ readonly packageName='pbr' readonly serviceName="$packageName $PKG_VERSION" readonly serviceTrapSignals='exit SIGHUP SIGQUIT SIGKILL' readonly packageConfigFile="/etc/config/${packageName}" +readonly packageLockFile="/var/run/${packageName}.lock" readonly nftTempFile="/var/run/${packageName}.nft" #readonly nftPermFile="/etc/nftables.d/table-post/30-pbr.nft" readonly dnsmasqFile="/var/dnsmasq.d/${packageName}" -readonly sharedMemoryOutput="/dev/shm/$packageName-output" readonly _OK_='\033[0;32m\xe2\x9c\x93\033[0m' readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m' readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m' @@ -46,6 +46,8 @@ readonly __FAIL__='\033[0;31m[\xe2\x9c\x97]\033[0m' readonly _ERROR_='\033[0;31mERROR\033[0m' readonly _WARNING_='\033[0;33mWARNING\033[0m' readonly ip_full='/usr/libexec/ip-full' +# shellcheck disable=SC2155 +readonly ip_bin="$(command -v ip)" readonly ipTablePrefix='pbr' # shellcheck disable=SC2155 readonly iptables="$(command -v iptables)" @@ -96,6 +98,7 @@ ifaceTableID= ifacePriority= ifacesAll= ifacesSupported= +firewallWanZone= wanGW4= wanGW6= serviceStartTrigger= 
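Review bot: `packageLockFile` is introduced without any comment on what it protects; within this diff it is only created on `on_stop` and removed on `on_start` (in `load_environment`), and no reader of it is visible, so a maintainer cannot tell whether hotplug handlers or the WebUI are expected to honour it. Add a comment above the definition stating the contract, e.g. `# exists while the service is stopped; consumers that trigger reloads should back off when present — TODO confirm who reads it`. Note also that `touch`/`rm -f` on a fixed path is a flag, not a lock: it provides no mutual exclusion between concurrent `reload` invocations, so the name should not imply that. `ip_bin="$(command -v ip)"` resolves whichever `ip` is first on PATH; a comment on why both `ip_full` and `ip_bin` are kept would help.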
@@ -122,30 +125,32 @@ get_text() { errorPolicyNoSrcDest) r="Policy '%s' has no source/destination parameters!";; errorPolicyNoInterface) r="Policy '%s' has no assigned interface!";; errorPolicyUnknownInterface) r="Policy '%s' has an unknown interface!";; - errorPolicyProcessCMD) r="%s";; + errorPolicyProcessCMD) r="'%s'!";; errorFailedSetup) r="Failed to set up '%s'!";; errorFailedReload) r="Failed to reload '%s'!";; errorUserFileNotFound) r="Custom user file '%s' not found or empty!";; - ererrorUserFileSyntax) r="Syntax error in custom user file '%s'!";; + errorUserFileSyntax) r="Syntax error in custom user file '%s'!";; errorUserFileRunning) r="Error running custom user file '%s'!";; errorUserFileNoCurl) r="Use of 'curl' is detected in custom user file '%s', but 'curl' isn't installed!";; errorNoGateways) r="Failed to set up any gateway!";; - errorResolver) r="Resolver %s";; - errorPolicyProcessNoIpv6) r="Skipping IPv6 policy '%s' as IPv6 support is disabled";; - errorPolicyProcessUnknownFwmark) r="Unknown packet mark for interface '%s'";; - errorPolicyProcessMismatchFamily) r="Mismatched IP family between in policy %s";; - errorPolicyProcessUnknownProtocol) r="Unknown protocol in policy %s";; - errorPolicyProcessInsertionFailed) r="Insertion failed for both IPv4 and IPv6 for policy %s";; - errorPolicyProcessInsertionFailedIpv4) r="Insertion failed for IPv4 for policy %s";; - errorInterfaceRoutingEmptyValues) r="Received empty tid/mark or interface name when setting up routing";; - errorFailedToResolve) r="Failed to resolve %s";; + errorResolver) r="Resolver '%s'!";; + errorPolicyProcessNoIpv6) r="Skipping IPv6 policy '%s' as IPv6 support is disabled!";; + errorPolicyProcessUnknownFwmark) r="Unknown packet mark for interface '%s'!";; + errorPolicyProcessMismatchFamily) r="Mismatched IP family between in policy '%s'!";; + errorPolicyProcessUnknownProtocol) r="Unknown protocol in policy '%s'!";; + errorPolicyProcessInsertionFailed) r="Insertion failed for both IPv4 
and IPv6 for policy '%s'!";; + errorPolicyProcessInsertionFailedIpv4) r="Insertion failed for IPv4 for policy '%s'!";; + errorInterfaceRoutingEmptyValues) r="Received empty tid/mark or interface name when setting up routing!";; + errorFailedToResolve) r="Failed to resolve '%s'!";; + warningInvalidOVPNConfig) r="Invalid OpenVPN config for '%s' interface.";; warningResolverNotSupported) r="Resolver set (${resolver_set}) is not supported on this system.";; - warningAGHVersionTooLow) r="Installed AdGuardHome (%s) doesn't support 'ipset_file' option.";; - warningPolicyProcessCMD) r="%s";; - warningTorUnsetParams) r="Please unset 'src_addr', 'src_port' and 'dest_port' for policy '%s'";; - warningTorUnsetProto) r="Please unset 'proto' or set 'proto' to 'all' for policy '%s'";; - warningTorUnsetChainIpt) r="Please unset 'chain' or set 'chain' to 'PREROUTING' for policy '%s'";; - warningTorUnsetChainNft) r="Please unset 'chain' or set 'chain' to 'prerouting' for policy '%s'";; + warningAGHVersionTooLow) r="Installed AdGuardHome ('%s') doesn't support 'ipset_file' option.";; + warningPolicyProcessCMD) r="'%s'";; + warningTorUnsetParams) r="Please unset 'src_addr', 'src_port' and 'dest_port' for policy '%s'.";; + warningTorUnsetProto) r="Please unset 'proto' or set 'proto' to 'all' for policy '%s'.";; + warningTorUnsetChainIpt) r="Please unset 'chain' or set 'chain' to 'PREROUTING' for policy '%s'.";; + warningTorUnsetChainNft) r="Please unset 'chain' or set 'chain' to 'prerouting' for policy '%s'.";; + warningOutdatedWebUIApp) r="The WebUI application is outdated (version %s), please update it.";; esac echo "$r" } 
@@ -171,6 +176,7 @@ output() { # Can take a single parameter (text) to be output at any verbosity # Or target verbosity level and text to be output at specifc verbosity local msg memmsg logmsg + local sharedMemoryOutput="/dev/shm/$packageName-output" verbosity="${verbosity:-2}" if [ "$#" -ne 1 ]; then if [ $((verbosity & $1)) -gt 0 ] || [ "$verbosity" = "$1" ]; then shift; else return 0; fi @@ -190,8 +196,9 @@ is_present() { command -v "$1" >/dev/null 2>&1; } is_installed() { [ -s "/usr/lib/opkg/info/${1}.control" ]; } is_variant_installed() { [ "$(echo /usr/lib/opkg/info/"${1}"*.control)" != "/usr/lib/opkg/info/${1}*.control" ]; } is_nft() { [ -x "$nft" ] && ! str_contains "$resolver_set" 'ipset' && "$nft" list chains inet | grep -q "${nftPrefix}_prerouting"; } +_find_firewall_wan_zone() { [ "$(uci -q get "firewall.${1}.name")" = "wan" ] && firewallWanZone="$1"; } _build_ifaces_all() { ifacesAll="${ifacesAll}${1} "; } -_build_ifaces_supported() { is_supported_interface "$1" && ifacesSupported="${ifacesSupported}${1} "; } +_build_ifaces_supported() { is_supported_interface "$1" && ! str_contains "$ifacesSupported" "$1" && ifacesSupported="${ifacesSupported}${1} "; } pbr_find_iface() { local iface i param="$2" [ "$param" = 'wan6' ] || param='wan' @@ -209,7 +216,7 @@ pbr_get_gateway() { network_get_gateway gw "$iface" true if [ -z "$gw" ] || [ "$gw" = '0.0.0.0' ]; then # gw="$(ubus call "network.interface.${iface}" status | jsonfilter -e "@.route[0].nexthop")" - gw="$($ip_full -4 a list dev "$dev" 2>/dev/null | grep inet | awk '{print $2}' | awk -F "/" '{print $1}')" + gw="$($ip_bin -4 a list dev "$dev" 2>/dev/null | grep inet | awk '{print $2}' | awk -F "/" '{print $1}')" fi eval "$1"='$gw' } 
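Review bot: `sharedMemoryOutput="/dev/shm/$packageName-output"` is a fixed, predictable filename in a world-writable tmpfs, now a local of `output()` rather than a file-level readonly; if the function writes to it (the write is outside this hunk) a file or symlink pre-created at that path by an unprivileged local user would be followed by this root-run script. The other runtime files in this script already live under `/var/run` (`nftTempFile`, `packageLockFile`), which is root-owned, so `/var/run/${packageName}-output` would be the consistent and safer location; `mktemp` is the alternative if a unique file is acceptable. Whichever is chosen, a short comment on what the file is for would help, since the rest of `output()` is not in this hunk.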
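Review bot: `_find_firewall_wan_zone()` forks `uci -q get "firewall.${1}.name"` for every zone even though its caller in this diff (`load_network`) has just done `config_load 'firewall'`; after `config_load`, `config_get name "$1" name` reads the same value without a subprocess and is the usual idiom for a `config_foreach` callback. The helper also silently keeps the last zone whose name is exactly `wan` when several match, and sets nothing when none does; a comment such as `# picks the (last) firewall zone literally named "wan"; leaves firewallWanZone empty otherwise` would document both. The `_build_ifaces_supported` dedup fix on the next line looks right.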
@@ -217,18 +224,20 @@ pbr_get_gateway6() { local iface="$2" dev="$3" gw network_get_gateway6 gw "$iface" true if [ -z "$gw" ] || [ "$gw" = '::/0' ] || [ "$gw" = '::0/0' ] || [ "$gw" = '::' ]; then - gw="$($ip_full -6 a list dev "$dev" 2>/dev/null | grep inet6 | awk '{print $2}')" + gw="$($ip_bin -6 a list dev "$dev" 2>/dev/null | grep inet6 | awk '{print $2}')" fi eval "$1"='$gw' } is_dslite() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:6}" = "dslite" ]; } is_l2tp() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:4}" = "l2tp" ]; } is_oc() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:11}" = "openconnect" ]; } -is_ovpn() { local dev; network_get_device dev "$1"; [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; } +# is_ovpn() { local dev; network_get_device dev "$1"; [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; } +is_ovpn() { local dev; dev="$(uci -q get "network.${1}.device")"; [ -z "$dev" ] && dev="$(uci -q get "network.${1}.dev")"; [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; } +is_valid_ovpn() { local dev_net dev_ovpn; dev_net="$(uci -q get "network.${1}.device")"; [ -z "$dev_net" ] && dev_net="$(uci -q get "network.${1}.dev")"; dev_ovpn="$(uci -q get "openvpn.${1}.dev")"; [ -n "$dev_net" ] && [ -n "$dev_ovpn" ] && [ "$dev_net" = "$dev_ovpn" ]; } is_pptp() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:4}" = "pptp" ]; } is_softether() { local dev; network_get_device dev "$1"; [ "${dev:0:4}" = "vpn_" ]; } is_tor() { [ "$(str_to_lower "$1")" = "tor" ]; } -is_tor_running() { +is_tor_running() { local ret=0 if [ -s "/etc/tor/torrc" ]; then json_load "$(ubus call service list "{ 'name': 'tor' }")" 
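Review bot: The previous `is_ovpn()` is left behind as a commented-out line directly above the new definition; dead code in a script this size only confuses, so delete it (git history keeps it). The new `is_ovpn()`/`is_valid_ovpn()` read `network.<iface>.device` (falling back to `.dev`) from UCI instead of the runtime device, and `is_valid_ovpn` additionally assumes the OpenVPN instance in `/etc/config/openvpn` uses the same section name as the network interface — that convention is stated nowhere, so add a comment above `is_valid_ovpn` such as `# assumes the openvpn UCI section is named after the network interface — TODO confirm`. `${dev:0:3}` substring expansion is not POSIX sh, but the file already relies on it elsewhere.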
@@ -258,7 +267,7 @@ is_domain() { ! is_ipv6 "$1" && str_contains "$1" '[a-zA-Z]'; } is_phys_dev() { [ "${1:0:1}" = "@" ] && ip l show | grep -E -q "^\\d+\\W+${1:1}"; } dnsmasq_kill() { killall -q -s HUP dnsmasq; } dnsmasq_restart() { output 3 'Restarting dnsmasq '; if /etc/init.d/dnsmasq restart >/dev/null 2>&1; then output_okn; else output_failn; fi; } -is_default_dev() { [ "$1" = "$($ip_full -4 r | grep -m1 'dev' | grep -Eso 'dev [^ ]*' | awk '{print $2}')" ]; } +is_default_dev() { [ "$1" = "$($ip_bin -4 r | grep -m1 'dev' | grep -Eso 'dev [^ ]*' | awk '{print $2}')" ]; } is_supported_iface_dev() { local n dev; for n in $ifacesSupported; do network_get_device dev "$n"; [ "$1" = "$dev" ] && return 0; done; return 1; } is_supported_protocol() { grep -o '^[^#]*' /etc/protocols | grep -w -v '0' | grep . | awk '{print $1}' | grep -q "$1"; } is_service_running_iptables() { [ -x "$iptables" ] && "$iptables" -t mangle -L | grep -q "${iptPrefix}_PREROUTING" >/dev/null 2>&1; } @@ -298,6 +307,7 @@ get_nft_sets() { [ -x "$nft" ] && "$nft" list table inet "$nftTable" 2>/dev/null is_ipset_type_supported() { ipset help hash:"$1" >/dev/null 2>&1; } ubus_get_status() { ubus call service list "{ 'name': '$packageName' }" | jsonfilter -e "@.${packageName}.instances.main.data.status.${1}"; } ubus_get_iface() { ubus call service list "{ 'name': '$packageName' }" | jsonfilter -e "@.${packageName}.instances.main.data.interfaces[@.name='${1}']${2:+.$2}"; } +opkg_get_version() { grep -m1 -A1 "$1" '/usr/lib/opkg/status' | grep -m1 'Version: ' | sed 's|Version: \(.*\)|\1|'; } load_package_config() { config_load "$packageName" 
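Review bot: `opkg_get_version()` greps for `$1` unanchored, so `grep -m1 -A1 "$1" '/usr/lib/opkg/status'` stops at the first line that merely contains the name — a `Depends:` line of an unrelated package, or `Package: luci-app-pbr` when asked for `pbr` — and then treats whatever follows as the version. Anchor on the package stanza: `grep -m1 -A1 "^Package: ${1}$" '/usr/lib/opkg/status'`. It also relies on `Version:` being the line immediately after `Package:`, which holds for opkg's status file layout but deserves a one-line comment.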
@@ -341,38 +351,51 @@ load_package_config() { load_environment() { local param="$1" validation_result="$2" load_package_config - - if [ "$param" = 'on_start' ]; then - if [ -n "$validation_result" ] && [ "$validation_result" != '0' ]; then - output "${_ERROR_}: The $packageName config validation failed!\\n" - output "Please check if the '$packageConfigFile' contains correct values for config options.\\n" - state add 'errorSummary' 'errorConfigValidation' - return 1 - fi - if [ "$enabled" -eq 0 ]; then - state add 'errorSummary' 'errorServiceDisabled' - return 1 - fi - if [ ! -x "$ip_full" ]; then - state add 'errorSummary' 'errorNoIpFull' - return 1 - fi - if ! is_nft; then - if [ -z "$iptables" ] || [ ! -x "$iptables" ]; then - state add 'errorSummary' 'errorNoIptables' + case "$param" in + on_start) + if [ -n "$validation_result" ] && [ "$validation_result" != '0' ]; then + output "${_ERROR_}: The $packageName config validation failed!\\n" + output "Please check if the '$packageConfigFile' contains correct values for config options.\\n" + state add 'errorSummary' 'errorConfigValidation' return 1 fi - fi - resolver 'check_support' - fi - + if [ "$enabled" -eq 0 ]; then + state add 'errorSummary' 'errorServiceDisabled' + return 1 + fi + if [ ! -x "$ip_bin" ]; then + state add 'errorSummary' 'errorNoIpFull' + return 1 + fi + if ! is_nft; then + if [ -z "$iptables" ] || [ ! 
-x "$iptables" ]; then + state add 'errorSummary' 'errorNoIptables' + return 1 + fi + fi + rm -f "$packageLockFile" + resolver 'check_support' + ;; + on_stop) + touch "$packageLockFile" + ;; + esac load_network "$param" } load_network() { + local i config_load 'network' [ -z "$ifacesAll" ] && config_foreach _build_ifaces_all 'interface' - [ -z "$ifacesSupported" ] && config_foreach _build_ifaces_supported 'interface' + if [ -z "$ifacesSupported" ]; then + config_load 'firewall' + config_foreach _find_firewall_wan_zone 'zone' + for i in $(uci -q get "firewall.${firewallWanZone}.network"); do + is_supported_interface "$i" && ! str_contains "$ifacesSupported" "$1" && ifacesSupported="${ifacesSupported}${i} " + done + config_load 'network' + config_foreach _build_ifaces_supported 'interface' + fi pbr_find_iface wanIface4 'wan' [ -n "$ipv6_enabled" ] && pbr_find_iface wanIface6 'wan6' [ -n "$wanIface4" ] && network_get_gateway wanGW4 "$wanIface4" @@ -724,6 +747,8 @@ state() { eval "$param"='${line:+$line#}${value}${extras:+ $extras}' ;; json) + json_init + json_add_object "$packageName" case "$param" in errorSummary) json_add_array 'errors';; @@ -747,6 +772,8 @@ $(eval echo "\$$param" | tr \# \\n) EOF fi json_close_array + json_close_object + json_dump ;; print) [ -z "$(eval echo "\$$param")" ] && return 0 @@ -816,7 +843,7 @@ resolver() { return 1 fi if [ -n "$agh" ] && [ -s "$aghConfigFile" ]; then - agh_version="$($agh --version | sed 's|AdGuard Home, version v\(.*\)|\1|')" + agh_version="$($agh --version | sed 's|AdGuard Home, version v\(.*\)|\1|' | sed 's|-.*||')" if is_greater_or_equal "$agh_version" '0.107.13'; then resolver_set_supported='true' return 0 
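Review bot: In the new wan-zone loop in `load_network()`, `! str_contains "$ifacesSupported" "$1"` tests the function's own first argument (`$param`, e.g. `on_start`) instead of the loop variable, so the duplicate check never does anything; it should read `! str_contains "$ifacesSupported" "$i"`, matching the corrected `_build_ifaces_supported` helper earlier in this diff. When no zone is literally named `wan`, `firewallWanZone` stays empty and `uci -q get "firewall..network"` yields nothing, which is harmless but worth a comment on the loop. Separately, `[ ! -x "$ip_bin" ]` now tests whichever `ip` is on PATH yet still records `errorNoIpFull`; either keep testing `$ip_full` (the package still depends on ip-full) or rename the error so the message matches what was checked.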
@@ -1165,20 +1192,20 @@ policy_routing_iptables() { return 1 fi - if [ -z "$proto" ]; then - if [ -n "$lport" ] || [ -n "$rport" ]; then - proto='tcp udp' - else - proto='all' - fi - fi - if is_family_mismatch "$laddr" "$raddr"; then processPolicyError='true' state add 'errorSummary' 'errorPolicyProcessMismatchFamily' "${name}: '$laddr' '$raddr'" return 1 fi + if [ -z "$proto" ]; then + if [ -n "${lport}${rport}" ]; then + proto='tcp udp' + else + proto='all' + fi + fi + for i in $proto; do if [ "$i" = 'all' ]; then param4="-t mangle ${ipInsertOption} ${iptPrefix}_${chain} $dest" 
@@ -1322,25 +1349,25 @@ policy_routing_iptables() { ipt6 "$param6" || ipv6_error='1' fi -# ipt6 returns true if IPv6 support is not enabled - [ -z "$ipv6_enabled" ] && ipv6_error='1' - if [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then - if [ -n "$ipv6_enabled" ]; then - processPolicyError='true' - state add 'errorSummary' 'errorPolicyProcessInsertionFailed' "$name" - state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param4" - state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param6" - else - processPolicyError='true' - state add 'errorSummary' 'errorPolicyProcessInsertionFailedIpv4' "$name" - state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param4" - fi + if [ -n "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then + processPolicyError='true' + state add 'errorSummary' 'errorPolicyProcessInsertionFailed' "$name" + state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param4" + state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param6" + logger -t "$packageName" "ERROR: iptables $param4" + logger -t "$packageName" "ERROR: iptables $param6" + elif [ -z "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ]; then + processPolicyError='true' + state add 'errorSummary' 'errorPolicyProcessInsertionFailedIpv4' "$name" + state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param4" + logger -t "$packageName" "ERROR: iptables $param4" fi done } policy_routing_nft() { - local mark param4 param6 i negation value dest nftInsertOption='add' + local mark i nftInsertOption='add' + local param4 param6 proto_i negation value dest local ip4Flag='ip' ip6Flag='ip6' local name="$1" iface="$2" laddr="$3" lport="$4" raddr="$5" rport="$6" proto chain uid="$9" proto="$(str_to_lower "$7")" 
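Review bot: The rewritten error handling at the end of `policy_routing_iptables()` is not exhaustive: with `ipv6_enabled` set, an IPv4 insertion failure paired with a successful IPv6 insertion matches neither branch, so the policy is half-applied and nothing is recorded in `errorSummary` or syslog. If partial application is acceptable, say so in a comment; otherwise add a branch for `[ "$ipv4_error" -eq '1' ]` alone that records `errorPolicyProcessInsertionFailedIpv4` and logs `iptables $param4`. The new `logger` lines duplicate what is already pushed into `errorSummary`; if `state` later emits that summary to syslog, each failure will be logged twice. The `policy_routing_nft()` header at the tail of this hunk belongs to a function that continues past it.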
@@ -1370,137 +1397,147 @@ policy_routing_nft() { return 1 fi - if [ -n "$proto" ] && ! is_supported_protocol "$proto"; then - processPolicyError='true' - state add 'errorSummary' 'errorPolicyProcessUnknownProtocol' "${name}: '$i'" - return 1 - fi - - if [ -n "$src_addr" ]; then - if [ "${src_addr:0:1}" = "!" ]; then - negation='!='; value="${src_addr:1}" + if [ -z "$proto" ]; then + if [ -n "${src_port}${dest_port}" ]; then + proto='tcp udp' else - unset negation; value="$src_addr"; - fi - if is_phys_dev "$value"; then - param4="$param4 iifname $negation ${value:1}" - param6="$param6 iifname $negation ${value:1}" - elif is_mac_address "$value"; then - local target='src' type='mac' - if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \ - nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then - param4="$param4 ether saddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" - param6="$param6 ether saddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" - else - param4="$param4 ether saddr $negation $value" - param6="$param6 ether saddr $negation $value" - fi - else - local target='src' type='ip' - if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \ - nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then - param4="$param4 $ip4Flag saddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" - param6="$param6 $ip6Flag saddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" - else - param4="$param4 $ip4Flag saddr $negation $value" - param6="$param6 $ip6Flag saddr $negation $value" - fi + proto='all' fi fi - if [ -n "$dest_addr" ]; then - if [ "${dest_addr:0:1}" = "!" ]; then - negation='!='; value="${dest_addr:1}" - else - unset negation; value="$dest_addr"; + for proto_i in $proto; do + unset param4 + unset param6 + if [ "$proto_i" = 'all' ]; then + unset proto_i + elif ! 
is_supported_protocol "$proto_i"; then + processPolicyError='true' + state add 'errorSummary' 'errorPolicyProcessUnknownProtocol' "${name}: '$proto_i'" + return 1 fi - if is_phys_dev "$value"; then - param4="$param4 oifname $negation ${value:1}" - param6="$param6 oifname $negation ${value:1}" - elif is_domain "$value"; then - local target='dst' type='ip' - if resolver 'create_resolver_set' "$iface" "$target" "$type" "$uid" "$name" && \ - resolver 'add_resolver_element' "$iface" "$target" "$type" "$uid" "$name" "$value"; then - param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" - param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" - elif nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \ - nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then - param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" - param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" + + if [ -n "$src_addr" ]; then + if [ "${src_addr:0:1}" = "!" 
]; then + negation='!='; value="${src_addr:1}" else - local resolvedIP4 resolvedIP6 - resolvedIP4="$(resolveip_to_nftset4 "$value")" - resolvedIP6="$(resolveip_to_nftset6 "$value")" - if [ -z "$resolvedIP4" ] && [ -z "$resolvedIP6" ]; then - state add 'errorSummary' 'errorFailedToResolve' "$value" + unset negation; value="$src_addr"; + fi + if is_phys_dev "$value"; then + param4="$param4 iifname $negation ${value:1}" + param6="$param6 iifname $negation ${value:1}" + elif is_mac_address "$value"; then + local target='src' type='mac' + if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \ + nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then + param4="$param4 ether saddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" + param6="$param6 ether saddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" + else + param4="$param4 ether saddr $negation $value" + param6="$param6 ether saddr $negation $value" fi - param4="$param4 $ip4Flag daddr $negation { $resolvedIP4 }" - param6="$param6 $ip6Flag daddr $negation { $resolvedIP6 }" - fi - else - local target='dst' type='ip' - if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \ - nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then - param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" - param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" else - param4="$param4 $ip4Flag daddr $negation $value" - param6="$param6 $ip6Flag daddr $negation $value" + local target='src' type='ip' + if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \ + nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then + param4="$param4 $ip4Flag saddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" + param6="$param6 $ip6Flag saddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" + else + param4="$param4 $ip4Flag saddr $negation $value" + 
param6="$param6 $ip6Flag saddr $negation $value" + fi fi fi - fi - if [ -n "${src_port}${dest_port}" ]; then - proto="${proto:-tcp}" - fi - - if [ -n "$src_port" ]; then - if [ "${src_port:0:1}" = "!" ]; then - negation='!='; value="${src_port:1}" - else - unset negation; value="$src_port"; + if [ -n "$dest_addr" ]; then + if [ "${dest_addr:0:1}" = "!" ]; then + negation='!='; value="${dest_addr:1}" + else + unset negation; value="$dest_addr"; + fi + if is_phys_dev "$value"; then + param4="$param4 oifname $negation ${value:1}" + param6="$param6 oifname $negation ${value:1}" + elif is_domain "$value"; then + local target='dst' type='ip' + if resolver 'create_resolver_set' "$iface" "$target" "$type" "$uid" "$name" && \ + resolver 'add_resolver_element' "$iface" "$target" "$type" "$uid" "$name" "$value"; then + param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" + param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" + elif nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \ + nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then + param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" + param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" + else + local resolvedIP4 resolvedIP6 + resolvedIP4="$(resolveip_to_nftset4 "$value")" + resolvedIP6="$(resolveip_to_nftset6 "$value")" + if [ -z "$resolvedIP4" ] && [ -z "$resolvedIP6" ]; then + state add 'errorSummary' 'errorFailedToResolve' "$value" + fi + param4="$param4 $ip4Flag daddr $negation { $resolvedIP4 }" + param6="$param6 $ip6Flag daddr $negation { $resolvedIP6 }" + fi + else + local target='dst' type='ip' + if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \ + nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then + param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" + 
param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" + else + param4="$param4 $ip4Flag daddr $negation $value" + param6="$param6 $ip6Flag daddr $negation $value" + fi + fi fi - param4="$param4 ${proto:+$proto }sport $negation {$(ports_to_nftset "$value")}" - param6="$param6 ${proto:+$proto }sport $negation {$(ports_to_nftset "$value")}" - fi - if [ -n "$dest_port" ]; then - if [ "${dest_port:0:1}" = "!" ]; then - negation='!='; value="${dest_port:1}" - else - unset negation; value="$dest_port"; + if [ -n "$src_port" ]; then + if [ "${src_port:0:1}" = "!" ]; then + negation='!='; value="${src_port:1}" + else + unset negation; value="$src_port"; + fi + param4="$param4 ${proto_i:+$proto_i }sport $negation {$(ports_to_nftset "$value")}" + param6="$param6 ${proto_i:+$proto_i }sport $negation {$(ports_to_nftset "$value")}" fi - param4="$param4 ${proto:+$proto }dport $negation {$(ports_to_nftset "$value")}" - param6="$param6 ${proto:+$proto }dport $negation {$(ports_to_nftset "$value")}" - fi - param4="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} $param4 $dest comment \"$name\"" - param6="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} $param6 $dest comment \"$name\"" - - local ipv4_error='0' ipv6_error='0' - if [ "$nftPrevParam4" != "$param4" ]; then - nft4 "$param4" || ipv4_error='1' - nftPrevParam4="$param4" - fi - if [ "$nftPrevParam6" != "$param6" ]; then - nft6 "$param6" || ipv6_error='1' - nftPrevParam6="$param6" - fi - -# nft6 returns true if IPv6 support is not enabled - [ -z "$ipv6_enabled" ] && ipv6_error='1' - if [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then - if [ -n "$ipv6_enabled" ]; then - processPolicyError='true' - state add 'errorSummary' 'errorPolicyProcessInsertionFailed' "$name" - state add 'errorSummary' 'errorPolicyProcessCMD' "nft '$param4'" - state add 'errorSummary' 'errorPolicyProcessCMD' "nft '$param6'" - else - processPolicyError='true' - state add 'errorSummary' 
'errorPolicyProcessInsertionFailedIpv4' "$name" - state add 'errorSummary' 'errorPolicyProcessCMD' "nft '$param4'" + if [ -n "$dest_port" ]; then + if [ "${dest_port:0:1}" = "!" ]; then + negation='!='; value="${dest_port:1}" + else + unset negation; value="$dest_port"; + fi + param4="$param4 ${proto_i:+$proto_i }dport $negation {$(ports_to_nftset "$value")}" + param6="$param6 ${proto_i:+$proto_i }dport $negation {$(ports_to_nftset "$value")}" fi + + param4="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} $param4 $dest comment \"$name\"" + param6="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} $param6 $dest comment \"$name\"" + + local ipv4_error='0' ipv6_error='0' + if [ "$nftPrevParam4" != "$param4" ]; then + nft4 "$param4" || ipv4_error='1' + nftPrevParam4="$param4" + fi + if [ "$nftPrevParam6" != "$param6" ]; then + nft6 "$param6" || ipv6_error='1' + nftPrevParam6="$param6" + fi + + if [ -n "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then + processPolicyError='true' + state add 'errorSummary' 'errorPolicyProcessInsertionFailed' "$name" + state add 'errorSummary' 'errorPolicyProcessCMD' "nft $param4" + state add 'errorSummary' 'errorPolicyProcessCMD' "nft $param6" + logger -t "$packageName" "ERROR: nft $param4" + logger -t "$packageName" "ERROR: nft $param6" + elif [ -z "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ]; then + processPolicyError='true' + state add 'errorSummary' 'errorPolicyProcessInsertionFailedIpv4' "$name" + state add 'errorSummary' 'errorPolicyProcessCMD' "nft $param4" + logger -t "$packageName" "ERROR: nft $param4" fi + + done } policy_process() { 
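Review bot: The unknown-protocol check now sits inside the `for proto_i in $proto` loop, so for a value such as `tcp bogus` the tcp rules are already inserted through `nft4`/`nft6` before `return 1` reports the error, leaving a partially applied policy that the old pre-loop check avoided. Validating every word first, e.g. `for proto_i in $proto; do [ "$proto_i" = 'all' ] || is_supported_protocol "$proto_i" || { processPolicyError='true'; state add 'errorSummary' 'errorPolicyProcessUnknownProtocol' "${name}: '$proto_i'"; return 1; }; done` ahead of the main loop, restores fail-before-apply. The loop body also re-runs `nftset 'create'`/`'add'` and the resolver calls once per protocol, so a `tcp udp` policy builds its sets twice; that looks idempotent but is worth a comment confirming it. policy_routing_nft's header is in the previous hunk and its locals were changed there.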
@@ -1582,8 +1619,8 @@ interface_process_tor_iptables() {
 destroy)
 for i in $chainsList; do
 i="$(str_to_upper "$i")"
- ipt -t nat -D "${i}" -m mark --mark "0x0/${fw_mask}" -j "${nftPrefix}_${i}"
- ipt -t nat -F "${nftPrefix}_${i}"; ipt -t nat -X "${nftPrefix}_${i}";
+ ipt -t nat -D "${i}" -m mark --mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}"
+ ipt -t nat -F "${iptPrefix}_${i}"; ipt -t nat -X "${iptPrefix}_${i}";
 done
 ;;
 create)
@@ -1592,18 +1629,19 @@ interface_process_tor_iptables() { trafficPort="$(grep -m1 TransPort /etc/tor/torrc | awk -F: '{print $2}')" dnsPort="${dnsPort:-9053}"; trafficPort="${trafficPort:-9040}"; for i in $chainsList; do - ipt -t nat -N "${nftPrefix}_${i}" - ipt -t nat -A "$i" -m mark --mark "0x0/${fw_mask}" -j "${nftPrefix}_${i}" + i="$(str_to_upper "$i")" + ipt -t nat -N "${iptPrefix}_${i}" + ipt -t nat -A "$i" -m mark --mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}" done if resolver 'create_resolver_set' "$iface" 'dst' 'ip' && ips 'flush' "$iface" 'dst' 'ip'; then set_name4="${ipsPrefix}_${iface}_4_dst_ip" for i in $chainsList; do - i="$(str_to_lower "$i")" - ipt -t nat -I "${nftPrefix}_${i}" -p udp -m udp --dport 53 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$dnsPort" -m comment --comment "TorDNS-UDP" || s=1 - ipt -t nat -I "${nftPrefix}_${i}" -p tcp -m tcp --dport 80 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTP-TCP" || s=1 - ipt -t nat -I "${nftPrefix}_${i}" -p udp -m udp --dport 80 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTP-UDP" || s=1 - ipt -t nat -I "${nftPrefix}_${i}" -p tcp -m tcp --dport 443 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTPS-TCP" || s=1 - ipt -t nat -I "${nftPrefix}_${i}" -p udp -m udp --dport 443 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTPS-UDP" || s=1 + i="$(str_to_upper "$i")" + ipt -t nat -I "${iptPrefix}_${i}" -p udp -m udp --dport 53 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$dnsPort" -m comment --comment "TorDNS-UDP" || s=1 + ipt -t nat -I "${iptPrefix}_${i}" -p tcp -m tcp --dport 80 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTP-TCP" || s=1 + ipt -t nat -I "${iptPrefix}_${i}" -p udp -m udp --dport 
80 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTP-UDP" || s=1 + ipt -t nat -I "${iptPrefix}_${i}" -p tcp -m tcp --dport 443 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTPS-TCP" || s=1 + ipt -t nat -I "${iptPrefix}_${i}" -p udp -m udp --dport 443 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTPS-UDP" || s=1 done else s=1 
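Review bot: Chain creation and the jump from the built-in chain in the first loop (`ipt -t nat -N "${iptPrefix}_${i}"` and `ipt -t nat -A "$i" -m mark ...`) are not tracked with `|| s=1`, unlike every REDIRECT rule below, so a failed chain setup still reports success for the Tor interface. If the chain already existed from an unclean earlier run, the `-I` calls then prepend to a chain that still holds stale rules and nothing flags it. Appending `|| s=1` to both lines matches the rest of the function. The function header and the final `return "$s"` are outside the hunk.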
@@ -1639,16 +1677,16 @@ interface_process_tor_nft() { if resolver 'create_resolver_set' "$iface" 'dst' 'ip' && nftset 'flush' "$iface" 'dst' 'ip'; then set_name4="${nftPrefix}_${iface}_4_dst_ip" set_name6="${nftPrefix}_${iface}_6_dst_ip" - nft meta nfproto ipv4 udp daddr "@${set_name4}" dport 53 counter redirect to :"$dnsPort" comment "Tor-DNS-UDP-ipv4" || s=1 - nft meta nfproto ipv4 tcp daddr "@${set_name4}" dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-TCP-ipv4" || s=1 - nft meta nfproto ipv4 udp daddr "@${set_name4}" dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-UDP-ipv4" || s=1 - nft meta nfproto ipv4 tcp daddr "@${set_name4}" dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-TCP-ipv4" || s=1 - nft meta nfproto ipv4 udp daddr "@${set_name4}" dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-UDP-ipv4" || s=1 - nft6 meta nfproto ipv6 udp daddr "@${set_name6}" dport 53 counter redirect to :"$dnsPort" comment "Tor-DNS-UDP-ipv6" || s=1 - nft6 meta nfproto ipv6 tcp daddr "@${set_name6}" dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-TCP-ipv6" || s=1 - nft6 meta nfproto ipv6 udp daddr "@${set_name6}" dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-UDP-ipv6" || s=1 - nft6 meta nfproto ipv6 tcp daddr "@${set_name6}" dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-TCP-ipv6" || s=1 - nft6 meta nfproto ipv6 udp daddr "@${set_name6}" dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-UDP-ipv6" || s=1 + nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" udp dport 53 counter redirect to :"$dnsPort" comment "Tor-DNS-UDP-ipv4" || s=1 + nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" tcp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-TCP-ipv4" || s=1 + nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" udp dport 80 counter redirect to :"$trafficPort" 
comment "Tor-HTTP-UDP-ipv4" || s=1 + nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" tcp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-TCP-ipv4" || s=1 + nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" udp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-UDP-ipv4" || s=1 + nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" udp dport 53 counter redirect to :"$dnsPort" comment "Tor-DNS-UDP-ipv6" || s=1 + nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" tcp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-TCP-ipv6" || s=1 + nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" udp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-UDP-ipv6" || s=1 + nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" tcp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-TCP-ipv6" || s=1 + nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" udp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-UDP-ipv6" || s=1 else s=1 fi @@ -1676,8 +1714,8 @@ interface_routing() { create) if is_netifd_table "$iface"; then ipv4_error=0 - $ip_full -4 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1 - $ip_full -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 + $ip_bin rule del table "$tid" >/dev/null 2>&1 + $ip_bin -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 if is_nft; then nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1 nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1 
@@ -1689,8 +1727,7 @@ interface_routing() { fi if [ -n "$ipv6_enabled" ]; then ipv6_error=0 - $ip_full -6 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1 - $ip_full -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1 + $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1 fi else if ! grep -q "$tid ${ipTablePrefix}_${iface}" '/etc/iproute2/rt_tables'; then @@ -1699,14 +1736,14 @@ interface_routing() { echo "$tid ${ipTablePrefix}_${iface}" >> '/etc/iproute2/rt_tables' sync fi - $ip_full -4 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1 - $ip_full -4 route flush table "$tid" >/dev/null 2>&1 + $ip_bin rule del table "$tid" >/dev/null 2>&1 + $ip_bin route flush table "$tid" >/dev/null 2>&1 if [ -n "$gw4" ] || [ "$strict_enforcement" -ne 0 ]; then ipv4_error=0 if [ -z "$gw4" ]; then - $ip_full -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1 + $ip_bin -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1 else - $ip_full -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1 + $ip_bin -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1 fi # shellcheck disable=SC2086 while read -r i; do 
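Review bot: The hunk drops `$ip_full -6 rule del fwmark ... table "$tid"` and `$ip_full -6 route flush table "$tid"` without an IPv6 replacement: the new `$ip_bin rule del table "$tid"` (here at @@ -1699, in the create branch on the previous line, and again in the @@ -1732 and @@ -1801 hunks below) carries no `-6`, and as far as I know `ip rule del` and `ip route flush` without a family selector operate on IPv4 only, so stale IPv6 fwmark rules and routes in the table survive each reload and accumulate with every `-6 rule add`. Keeping `$ip_bin -6 rule del table "$tid" >/dev/null 2>&1` and `$ip_bin -6 route flush table "$tid" >/dev/null 2>&1` at the top of the `ipv6_enabled` branch preserves the old cleanup. Note also that `ip rule del` with only a table selector removes one matching rule per call, so leftovers from earlier runs may need a loop — worth confirming against the shipped iproute2 before relying on a single delete. interface_routing's header is outside these hunks.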
@@ -1714,12 +1751,12 @@ interface_routing() { i="$(echo "$i" | sed 's/ onlink$//')" idev="$(echo "$i" | grep -Eso 'dev [^ ]*' | awk '{print $2}')" if ! is_supported_iface_dev "$idev"; then - $ip_full -4 route add $i table "$tid" >/dev/null 2>&1 || ipv4_error=1 + $ip_bin -4 route add $i table "$tid" >/dev/null 2>&1 || ipv4_error=1 fi done << EOF - $($ip_full -4 route list table main) + $($ip_bin -4 route list table main) EOF - $ip_full -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 + $ip_bin -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 if is_nft; then nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1 nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1 
@@ -1732,25 +1769,23 @@ EOF fi if [ -n "$ipv6_enabled" ]; then ipv6_error=0 - $ip_full -6 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1 - $ip_full -6 route flush table "$tid" >/dev/null 2>&1 if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strict_enforcement" -ne 0 ]; then if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then - $ip_full -6 route add unreachable default table "$tid" || ipv6_error=1 - elif $ip_full -6 route list table main | grep -q " dev $dev6 "; then + $ip_bin -6 route add unreachable default table "$tid" || ipv6_error=1 + elif $ip_bin -6 route list table main | grep -q " dev $dev6 "; then while read -r i; do i="$(echo "$i" | sed 's/ linkdown$//')" i="$(echo "$i" | sed 's/ onlink$//')" - $ip_full -6 route add "$i" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + $ip_bin -6 route add "$i" table "$tid" >/dev/null 2>&1 || ipv6_error=1 done << EOF - $($ip_full -6 route list table main | grep " dev $dev6 ") + $($ip_bin -6 route list table main | grep " dev $dev6 ") EOF else - $ip_full -6 route add "$($ip_full -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 - $ip_full -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + $ip_bin -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + $ip_bin -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 fi fi - $ip_full -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1 + $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1 fi fi if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then 
@@ -1790,9 +1825,9 @@ EOF
 return "$s"
 ;;
 delete|destroy)
- $ip_full rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1
+ $ip_bin rule del table "$tid" >/dev/null 2>&1
 if ! is_netifd_table "$iface"; then
- $ip_full route flush table "$tid" >/dev/null 2>&1
+ $ip_bin route flush table "$tid" >/dev/null 2>&1
 sed -i "/${ipTablePrefix}_${iface}\$/d" '/etc/iproute2/rt_tables'
 sync
 fi
@@ -1801,35 +1836,35 @@ EOF reload_interface) is_netifd_table "$iface" && return 0; ipv4_error=0 - $ip_full -4 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1 - $ip_full -4 route flush table "$tid" >/dev/null 2>&1 + $ip_bin rule del table "$tid" >/dev/null 2>&1 + if ! is_netifd_table "$iface"; then + $ip_bin route flush table "$tid" >/dev/null 2>&1 + fi if [ -n "$gw4" ] || [ "$strict_enforcement" -ne 0 ]; then if [ -z "$gw4" ]; then - $ip_full -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1 + $ip_bin -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1 else - $ip_full -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1 + $ip_bin -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1 fi - $ip_full rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 + $ip_bin rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 fi if [ -n "$ipv6_enabled" ]; then ipv6_error=0 - $ip_full -6 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1 - $ip_full -6 route flush table "$tid" >/dev/null 2>&1 if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strict_enforcement" -ne 0 ]; then if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then - $ip_full -6 route add unreachable default table "$tid" || ipv6_error=1 - elif $ip_full -6 route list table main | grep -q " dev $dev6 "; then + $ip_bin -6 route add unreachable default table "$tid" || ipv6_error=1 + elif $ip_bin -6 route list table main | grep -q " dev $dev6 "; then while read -r i; do - $ip_full -6 route add "$i" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + $ip_bin -6 route add "$i" table "$tid" >/dev/null 2>&1 || ipv6_error=1 done << EOF - $($ip_full -6 route list table main | grep " dev $dev6 ") + $($ip_bin -6 route list table main | grep " dev $dev6 ") EOF else - $ip_full -6 route add "$($ip_full -6 -o a show "$dev6" | 
awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 - $ip_full -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + $ip_bin -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + $ip_bin -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 fi fi - $ip_full -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1 + $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1 fi if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then s=0 @@ -1876,9 +1911,15 @@ interface_process() { is_wan6 "$iface" && return 0 [ $((ifaceMark)) -gt $((fw_mask)) ] && return 1 + if is_ovpn "$iface" && ! is_valid_ovpn "$iface"; then + : || state add 'warningSummary' 'warningInvalidOVPNConfig' "$iface" + fi + network_get_device dev "$iface" + [ -z "$dev" ] && network_get_physdev dev "$iface" if is_wan "$iface" && [ -n "$wanIface6" ] && str_contains "$wanIface6" "$iface"; then network_get_device dev6 "$wanIface6" + [ -z "$dev6" ] && network_get_physdev dev6 "$wanIface6" fi [ -z "$dev6" ] && dev6="$dev" @@ -1952,7 +1993,7 @@ user_file_process() { return 1 fi if ! $shellBin -n "$path"; then - state add 'errorSummary' 'ererrorUserFileSyntax' "$path" + state add 'errorSummary' 'errorUserFileSyntax' "$path" output_fail return 1 fi 
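Review bot: In the reload_interface branch the new `if ! is_netifd_table "$iface"; then` guard around `route flush` is always true, because the branch opens with `is_netifd_table "$iface" && return 0;` two lines earlier; either the guard is redundant and the flush should stay unconditional as before, or the early return is the mistake — the intent should be stated. Restoring the single line `$ip_bin route flush table "$tid" >/dev/null 2>&1` keeps the reload path in step with the create branch. The `ipv4_error`/`ipv6_error` evaluation that closes this branch continues past the hunk.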
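Review bot: The new OpenVPN guard in interface_process, `: || state add 'warningSummary' 'warningInvalidOVPNConfig' "$iface"`, never records the warning: `:` always succeeds, so the right-hand side of `||` is dead code and an interface with an invalid OpenVPN config is processed silently. If the warning is deliberately disabled for now, a comment saying why (`# warning disabled until <reason>`) should accompany the `: ||`; otherwise drop the `: ||` so the `state add` runs. interface_process starts before the hunk and the `dev`/`dev6` fallback to `network_get_physdev` added here looks sound.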
@@ -1977,17 +2018,24 @@ boot() {
 }
 
 on_firewall_reload() {
- if [ -z "$(ubus_get_status 'gateways')" ]; then # service is not running, do not start it on firewall reload
- logger -t "$packageName" "Reload on firewall action aborted: service not running."
- return 0;
+ if [ -e "$packageLockFile" ]; then # service is stopped, do not start it on firewall reload
+ logger -t "$packageName" "Reload on firewall action aborted: service is stopped."
+ return 0
 else
 rc_procd start_service 'on_firewall_reload' "$1"
 fi
 }
 
-on_interface_reload() { rc_procd start_service 'on_interface_reload' "$1"; }
+on_interface_reload() {
+ if [ -e "$packageLockFile" ]; then # service is stopped, do not start it on interface change
+ logger -t "$packageName" "Reload on interface change aborted: service is stopped."
+ return 0
+ else
+ rc_procd start_service 'on_interface_reload' "$1"
+ fi
+}
 
 start_service() {
- local resolverStoredHash resolverNewHash i reloadedIface param="$1"
+ local resolverStoredHash resolverNewHash i param="$1" reloadedIface
 load_environment 'on_start' "$(load_validate_config)" || return 1
 is_wan_up || return 1
@@ -2001,8 +2049,14 @@ start_service() {
 serviceStartTrigger='on_start'
 ;;
 on_interface_reload)
- serviceStartTrigger='on_interface_reload'
 reloadedIface="$2"
+ if is_ovpn "$reloadedIface"; then
+ logger -t "$packageName" "Updated interface is an OpenVPN tunnel, restarting."
+ serviceStartTrigger='on_start'
+ unset reloadedIface
+ else
+ serviceStartTrigger='on_interface_reload'
+ fi
 ;;
 on_reload)
 serviceStartTrigger='on_reload'
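Review bot: `on_firewall_reload` and `on_interface_reload` now carry the same lock-file guard twice with only the log text differing, so the two will drift the next time the stop condition changes; a helper such as `service_is_stopped() { [ -e "$packageLockFile" ]; }` used in both keeps them in step. The meaning of the lock file (its presence means the service was stopped, not that it is running) is only implied by the trailing comments here; a short comment where `packageLockFile` is defined, outside this hunk, would state that contract once. The `is_ovpn` branch in start_service correctly unsets `reloadedIface` so the full-restart path does not treat the tunnel as a partial reload.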
@@ -2238,8 +2292,8 @@ status_service_nft() { fi if [ -n "$wanIface6" ]; then network_get_device dev6 "$wanIface6" - wanGW6=$($ip_full -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}') - [ "$wanGW6" = "default" ] && wanGW6=$($ip_full -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}') + wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}') + [ "$wanGW6" = "default" ] && wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}') fi while [ "${1:0:1}" = "-" ]; do param="${1//-/}"; eval "set_$param=1"; shift; done [ -e "/var/${packageName}-support" ] && rm -f "/var/${packageName}-support" @@ -2255,17 +2309,17 @@ status_service_nft() { echo "$_SEPARATOR_" echo "$packageName chains - policies" for i in forward input output prerouting postrouting; do - "$nft" list table inet "$nftTable" | sed -n "/chain ${nftPrefix}_${i} {/,/\t}/p" + "$nft" -a list table inet "$nftTable" | sed -n "/chain ${nftPrefix}_${i} {/,/\t}/p" done echo "$_SEPARATOR_" echo "$packageName chains - marking" for i in $(get_mark_nft_chains); do - "$nft" list table inet "$nftTable" | sed -n "/chain ${i} {/,/\t}/p" + "$nft" -a list table inet "$nftTable" | sed -n "/chain ${i} {/,/\t}/p" done echo "$_SEPARATOR_" echo "$packageName nft sets" for i in $(get_nft_sets); do - "$nft" list table inet "$nftTable" | sed -n "/set ${i} {/,/\t}/p" + "$nft" -a list table inet "$nftTable" | sed -n "/set ${i} {/,/\t}/p" done if [ -s "$dnsmasqFile" ]; then echo "$_SEPARATOR_" 
@@ -2278,9 +2332,9 @@ status_service_nft() { tableCount="$(grep -c "${packageName}_" /etc/iproute2/rt_tables)" || tableCount=0 wan_tid=$(($(get_rt_tables_next_id)-tableCount)) i=0; while [ $i -lt "$tableCount" ]; do - echo "IPv4 table $((wan_tid + i)) route: $($ip_full -4 route show table $((wan_tid + i)) | grep default)" + echo "IPv4 table $((wan_tid + i)) route: $($ip_bin -4 route show table $((wan_tid + i)) | grep default)" echo "IPv4 table $((wan_tid + i)) rule(s):" - $ip_full -4 rule list table "$((wan_tid + i))" + $ip_bin -4 rule list table "$((wan_tid + i))" i=$((i + 1)) done } @@ -2295,8 +2349,8 @@ status_service_iptables() { fi if [ -n "$wanIface6" ]; then network_get_device dev6 "$wanIface6" - wanGW6=$($ip_full -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}') - [ "$wanGW6" = "default" ] && wanGW6=$($ip_full -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}') + wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}') + [ "$wanGW6" = "default" ] && wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}') fi while [ "${1:0:1}" = "-" ]; do param="${1//-/}"; eval "set_$param=1"; shift; done [ -e "/var/${packageName}-support" ] && rm -f "/var/${packageName}-support" 
@@ -2322,15 +2376,15 @@ status_service_iptables() { if [ -n "$set_d" ]; then ip rule list; fi wan_tid=$(($(get_rt_tables_next_id)-tableCount)) i=0; while [ $i -lt "$tableCount" ]; do - echo "IPv4 table $((wan_tid + i)) route: $($ip_full -4 route show table $((wan_tid + i)) | grep default)" + echo "IPv4 table $((wan_tid + i)) route: $($ip_bin -4 route show table $((wan_tid + i)) | grep default)" echo "IPv4 table $((wan_tid + i)) rule(s):" - $ip_full -4 rule list table "$((wan_tid + i))" + $ip_bin -4 rule list table "$((wan_tid + i))" i=$((i + 1)) done if [ -n "$ipv6_enabled" ]; then i=0; while [ $i -lt "$tableCount" ]; do - $ip_full -6 route show table $((wan_tid + i)) | while read -r param; do + $ip_bin -6 route show table $((wan_tid + i)) | while read -r param; do echo "IPv6 Table $((wan_tid + i)): $param" done i=$((i + 1)) @@ -2422,9 +2476,9 @@ load_validate_config() { 'verbosity:range(0,2):1' \ "wan_mark:regex('0x[A-Fa-f0-9]{8}'):0x010000" \ "fw_mask:regex('0x[A-Fa-f0-9]{8}'):0xff0000" \ - 'icmp_interface:or("","ignore", uci("network", "@interface"))' \ - 'ignored_interface:list(uci("network", "@interface"))' \ - 'supported_interface:list(uci("network", "@interface"))' \ + 'icmp_interface:or("", "tor", uci("network", "@interface"))' \ + 'ignored_interface:list(or("tor", uci("network", "@interface")))' \ + 'supported_interface:list(or("tor", uci("network", "@interface")))' \ 'boot_timeout:integer:30' \ 'wan_ip_rules_priority:uinteger:30000' \ 'rule_create_option:or("", "add", "insert"):add' \ 
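Review bot: The validation for `icmp_interface` changes from `or("","ignore", uci(...))` to `or("", "tor", uci(...))`, so the literal value `ignore` is no longer accepted; an existing config with `option icmp_interface 'ignore'` now fails `load_validate_config`, while the policy-level `interface` validation in the next hunk deliberately keeps `"ignore"`. If dropping it is intended, the uci-defaults migration (90-pbr below) should rewrite the old value; otherwise keep it with `'icmp_interface:or("", "ignore", "tor", uci("network", "@interface"))'`. I cannot tell from the diff whether such a migration exists.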
@@ -2448,7 +2502,7 @@ load_validate_policy() { uci_load_validate "$packageName" 'policy' "$1" "${2}${3:+ $3}" \ 'name:string:Untitled' \ 'enabled:bool:1' \ - 'interface:or(uci("network", "@interface"),"ignore"):wan' \ + 'interface:or("ignore", "tor", uci("network", "@interface")):wan' \ 'proto:or(string)' \ 'chain:or("", "forward", "input", "output", "prerouting", "postrouting", "FORWARD", "INPUT", "OUTPUT", "PREROUTING", "POSTROUTING"):prerouting' \ 'src_addr:list(neg(or(host,network,macaddr,string)))' \ diff --git a/net/pbr/files/etc/uci-defaults/90-pbr b/net/pbr/files/etc/uci-defaults/90-pbr index 237ebac58..5d4d5d60a 100644 --- a/net/pbr/files/etc/uci-defaults/90-pbr +++ b/net/pbr/files/etc/uci-defaults/90-pbr @@ -22,6 +22,7 @@ sed -i "s/'POSTROUTING'/'postrouting'/g" /etc/config/pbr sed -i "s/option fw_mask '0x\(.*\)'/option fw_mask '\1'/g" /etc/config/pbr sed -i "s/option wan_mark '0x\(.*\)'/option wan_mark '\1'/g" /etc/config/pbr +if [ -s '/usr/share/pbr/pbr.firewall.include' ]; then uci -q batch <<-EOT delete firewall.pbr set firewall.pbr='include' @@ -30,5 +31,6 @@ uci -q batch <<-EOT set firewall.pbr.path='/usr/share/pbr/pbr.firewall.include' commit firewall EOT +fi exit 0 diff --git a/net/pbr/files/etc/uci-defaults/91-pbr b/net/pbr/files/etc/uci-defaults/91-pbr index 0d759c278..16693864f 100644 --- a/net/pbr/files/etc/uci-defaults/91-pbr +++ b/net/pbr/files/etc/uci-defaults/91-pbr @@ -4,6 +4,7 @@ readonly packageName='pbr' readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m' +# shellcheck disable=SC2317 pbr_iface_setup() { local iface="${1}" local proto diff --git a/net/pbr/files/usr/share/pbr/pbr.firewall.include b/net/pbr/files/usr/share/pbr/pbr.firewall.include index 3fe906ee1..36b3cd80d 100644 --- a/net/pbr/files/usr/share/pbr/pbr.firewall.include +++ b/net/pbr/files/usr/share/pbr/pbr.firewall.include 
@@ -1,5 +1,5 @@ #!/bin/sh if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then - logger -t "pbr" "Reloading pbr due to $ACTION of firewall" + logger -t "pbr" "Reloading pbr due to firewall action: $ACTION" /etc/init.d/pbr on_firewall_reload "$ACTION" fi diff --git a/net/samba4/Config.in b/net/samba4/Config.in index d287effa5..21cbb1dc2 100644 --- a/net/samba4/Config.in +++ b/net/samba4/Config.in @@ -31,12 +31,22 @@ config SAMBA4_SERVER_AVAHI Announce Samba resources via DNS/DNS-SD using the Avahi daemon, for Linux/Mac clients. default y +config SAMBA4_SERVER_QUOTAS + bool "Quotas support" + depends on PACKAGE_samba4-server + select SAMBA4_SERVER_VFS + help + Enable VFS Quotas + installs: + modules: vfs_default_quota + default n + config SAMBA4_SERVER_VFS bool "Common VFS modules" depends on PACKAGE_samba4-server help installs: - modules: (vfs_btrfs) vfs_fruit vfs_shadow_copy2 vfs_recycle vfs_fake_perms vfs_readonly vfs_cap vfs_offline vfs_crossrename vfs_catia vfs_streams_xattr vfs_default_quota + modules: (vfs_btrfs) vfs_fruit vfs_shadow_copy2 vfs_recycle vfs_fake_perms vfs_readonly vfs_cap vfs_offline vfs_crossrename vfs_catia vfs_streams_xattr Commonly used VFS modules, vfs_btrfs requires kmod-fs-btrfs to be selected separately default y diff --git a/net/samba4/Makefile b/net/samba4/Makefile index cdd05443c..4144ee152 100644 --- a/net/samba4/Makefile +++ b/net/samba4/Makefile @@ -28,6 +28,7 @@ PKG_BUILD_DEPENDS:=samba4/host libtasn1/host perl/host PKG_CONFIG_DEPENDS:= \ CONFIG_SAMBA4_SERVER_NETBIOS \ CONFIG_SAMBA4_SERVER_AVAHI \ + CONFIG_SAMBA4_SERVER_QUOTAS \ CONFIG_SAMBA4_SERVER_VFS \ CONFIG_SAMBA4_SERVER_VFSX \ CONFIG_SAMBA4_SERVER_AD_DC \ @@ -122,7 +123,7 @@ define Package/samba4-utils endef define Package/samba4-utils/description - installs: smbstatus smbtree mvxattr smbtar smbcquotas + installs: smbstatus smbtree mvxattr smbtar (smbcquotas) Utilities collection endef 
@@ -231,7 +232,7 @@ CONFIGURE_ARGS += \ --with-privatedir=/etc/samba # features -ifeq ($(CONFIG_SAMBA4_SERVER_VFS),y) +ifeq ($(CONFIG_SAMBA4_SERVER_QUOTAS),y) CONFIGURE_ARGS += --with-quotas else CONFIGURE_ARGS += --without-quotas @@ -258,7 +259,10 @@ ifdef CONFIG_KERNEL_IO_URING SAMBA4_VFS_MODULES_SHARED :=$(SAMBA4_VFS_MODULES_SHARED)vfs_io_uring, endif ifeq ($(CONFIG_SAMBA4_SERVER_VFS),y) - SAMBA4_VFS_MODULES_SHARED :=$(SAMBA4_VFS_MODULES_SHARED)vfs_fruit,vfs_shadow_copy2,vfs_recycle,vfs_fake_perms,vfs_readonly,vfs_cap,vfs_offline,vfs_crossrename,vfs_catia,vfs_streams_xattr,vfs_xattr_tdb,vfs_default_quota,vfs_widelinks, + SAMBA4_VFS_MODULES_SHARED :=$(SAMBA4_VFS_MODULES_SHARED)vfs_fruit,vfs_shadow_copy2,vfs_recycle,vfs_fake_perms,vfs_readonly,vfs_cap,vfs_offline,vfs_crossrename,vfs_catia,vfs_streams_xattr,vfs_xattr_tdb,vfs_widelinks, +ifeq ($(CONFIG_SAMBA4_SERVER_QUOTAS),y) + SAMBA4_VFS_MODULES_SHARED :=$(SAMBA4_VFS_MODULES_SHARED)vfs_default_quota, +endif ifdef CONFIG_PACKAGE_kmod-fs-btrfs SAMBA4_VFS_MODULES_SHARED :=$(SAMBA4_VFS_MODULES_SHARED)vfs_btrfs, endif @@ -407,7 +411,7 @@ endef define Package/samba4-utils/install $(INSTALL_DIR) $(1)/usr/bin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/{smbstatus,smbtree,mvxattr,smbtar} $(1)/usr/bin/ -ifeq ($(CONFIG_SAMBA4_SERVER_VFS),y) +ifeq ($(CONFIG_SAMBA4_SERVER_QUOTAS),y) $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/smbcquotas $(1)/usr/bin/ endif endef diff --git a/net/simple-adblock/Makefile b/net/simple-adblock/Makefile index 15169eacb..cbe16be2e 100644 --- a/net/simple-adblock/Makefile +++ b/net/simple-adblock/Makefile @@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=simple-adblock -PKG_VERSION:=1.9.4 -PKG_RELEASE:=4 +PKG_VERSION:=1.9.5 +PKG_RELEASE:=1 PKG_MAINTAINER:=Stan Grishin PKG_LICENSE:=GPL-3.0-or-later diff --git a/net/simple-adblock/files/simple-adblock.conf b/net/simple-adblock/files/simple-adblock.conf index 7949156aa..a40c5a258 100644 --- a/net/simple-adblock/files/simple-adblock.conf 
+++ b/net/simple-adblock/files/simple-adblock.conf @@ -5,9 +5,11 @@ config simple-adblock 'config' option canary_domains_icloud '0' option canary_domains_mozilla '0' option compressed_cache '0' + option compressed_cache_dir '/etc' option config_update_enabled '0' option config_update_url 'https://cdn.jsdelivr.net/gh/openwrt/packages/net/simple-adblock/files/simple-adblock.conf.update' -# option curl_max_file_size '1000000' + option curl_additional_param '' + option curl_max_file_size '30000000' option curl_retry '3' option download_timeout '10' option debug '0' diff --git a/net/simple-adblock/files/simple-adblock.init b/net/simple-adblock/files/simple-adblock.init index 87fdfdef7..1427a7b61 100644 --- a/net/simple-adblock/files/simple-adblock.init +++ b/net/simple-adblock/files/simple-adblock.init 
@@ -31,35 +31,34 @@ readonly serviceName="$packageName $PKG_VERSION" readonly packageConfigFile="/etc/config/${packageName}" readonly dnsmasqAddnhostsFile="/var/run/${packageName}/dnsmasq.addnhosts" readonly dnsmasqAddnhostsCache="/var/run/${packageName}/dnsmasq.addnhosts.cache" -readonly dnsmasqAddnhostsGzip="/etc/${packageName}.dnsmasq.addnhosts.gz" +readonly dnsmasqAddnhostsGzip="${packageName}.dnsmasq.addnhosts.gz" readonly dnsmasqAddnhostsFilter='s|^|127.0.0.1 |;s|$||' readonly dnsmasqAddnhostsFilterIPv6='s|^|:: |;s|$||' readonly dnsmasqConfFile="/tmp/dnsmasq.d/${packageName}" readonly dnsmasqConfCache="/var/run/${packageName}/dnsmasq.conf.cache" -readonly dnsmasqConfGzip="/etc/${packageName}.dnsmasq.conf.gz" +readonly dnsmasqConfGzip="${packageName}.dnsmasq.conf.gz" readonly dnsmasqConfFilter='s|^|local=/|;s|$|/|' readonly dnsmasqIpsetFile="/tmp/dnsmasq.d/${packageName}.ipset" readonly dnsmasqIpsetCache="/var/run/${packageName}/dnsmasq.ipset.cache" -readonly dnsmasqIpsetGzip="/etc/${packageName}.dnsmasq.ipset.gz" +readonly dnsmasqIpsetGzip="${packageName}.dnsmasq.ipset.gz" readonly dnsmasqIpsetFilter='s|^|ipset=/|;s|$|/adb|' readonly dnsmasqNftsetFile="/tmp/dnsmasq.d/${packageName}.nftset" readonly dnsmasqNftsetCache="/var/run/${packageName}/dnsmasq.nftset.cache" -readonly dnsmasqNftsetGzip="/etc/${packageName}.dnsmasq.nftset.gz" +readonly dnsmasqNftsetGzip="${packageName}.dnsmasq.nftset.gz" readonly dnsmasqNftsetFilter='s|^|nftset=/|;s|$|/4#inet#fw4#adb4|' readonly dnsmasqNftsetFilterIPv6='s|^|nftset=/|;s|$|/4#inet#fw4#adb4,6#inet#fw4#adb6|' readonly dnsmasqServersFile="/var/run/${packageName}/dnsmasq.servers" readonly dnsmasqServersCache="/var/run/${packageName}/dnsmasq.servers.cache" -readonly dnsmasqServersGzip="/etc/${packageName}.dnsmasq.servers.gz" +readonly dnsmasqServersGzip="${packageName}.dnsmasq.servers.gz" readonly dnsmasqServersFilter='s|^|server=/|;s|$|/|' readonly unboundFile="/var/lib/unbound/adb_list.${packageName}" readonly 
unboundCache="/var/run/${packageName}/unbound.cache" -readonly unboundGzip="/etc/${packageName}.unbound.gz" +readonly unboundGzip="${packageName}.unbound.gz" readonly unboundFilter='s|^|local-zone: "|;s|$|" static|' readonly A_TMP="/var/${packageName}.hosts.a.tmp" readonly B_TMP="/var/${packageName}.hosts.b.tmp" readonly jsonFile="/var/run/${packageName}/${packageName}.json" readonly sharedMemoryError="/dev/shm/$packageName-error" -readonly sharedMemoryOutput="/dev/shm/$packageName-output" readonly hostsFilter='/localhost/d;/^#/d;/^[^0-9]/d;s/^0\.0\.0\.0.//;s/^127\.0\.0\.1.//;s/[[:space:]]*#.*$//;s/[[:cntrl:]]$//;s/[[:space:]]//g;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;' readonly domainsFilter='/^#/d;s/[[:space:]]*#.*$//;s/[[:space:]]*$//;s/[[:cntrl:]]$//;/[[:space:]]/d;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;' readonly adBlockPlusFilter='/^#/d;/^!/d;s/[[:space:]]*#.*$//;s/^||//;s/\^$//;s/[[:space:]]*$//;s/[[:cntrl:]]$//;/[[:space:]]/d;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;' @@ -163,6 +162,7 @@ get_text() { warningExternalDnsmasqConfig) r="use of external dnsmasq config file detected, please set 'dns' option to 'dnsmasq.conf'";; warningMissingRecommendedPackages) r="Some recommended packages are missing";; + warningInvalidCompressedCacheDir) r="invalid compressed cache directory '%s'";; esac echo "$r" } 
@@ -183,11 +183,13 @@ dnsmasq_kill() { killall -q -s KILL dnsmasq; } dnsmasq_restart() { /etc/init.d/dnsmasq restart >/dev/null 2>&1; } unbound_restart() { /etc/init.d/unbound restart >/dev/null 2>&1; } is_present() { command -v "$1" >/dev/null 2>&1; } +sanitize_dir() { [ -d "$(readlink -fn "$1")" ] && readlink -fn "$1"; } output() { # Can take a single parameter (text) to be output at any verbosity # Or target verbosity level and text to be output at specifc verbosity local msg memmsg logmsg + local sharedMemoryOutput="/dev/shm/$packageName-output" verbosity="${verbosity:-2}" if [ $# -ne 1 ]; then if [ $((verbosity & $1)) -gt 0 ] || [ "$verbosity" = "$1" ]; then shift; else return 0; fi 
@@ -330,41 +332,50 @@ load_environment() { ;; esac + if [ "$(sanitize_dir "$compressed_cache_dir")" = '/' ]; then + compressed_cache_dir='' + elif [ -n "$(sanitize_dir "$compressed_cache_dir")" ]; then + compressed_cache_dir="$(sanitize_dir "$compressed_cache_dir")" + else + json add warning 'warningInvalidCompressedCacheDir' "$compressed_cache_dir" + compressed_cache_dir="/etc" + fi + case "$dns" in dnsmasq.addnhosts) outputFilter="$dnsmasqAddnhostsFilter" outputFile="$dnsmasqAddnhostsFile" outputCache="$dnsmasqAddnhostsCache" - outputGzip="$dnsmasqAddnhostsGzip" + outputGzip="${compressed_cache_dir}/${dnsmasqAddnhostsGzip}" if [ "$ipv6_enabled" -ne 0 ]; then outputFilterIPv6="$dnsmasqAddnhostsFilterIPv6" fi - rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "$dnsmasqConfGzip" - rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip" - rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip" - rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "$dnsmasqServersGzip" + rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}" + rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}" + rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}" + rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}" rm -f "$unboundFile" "$unboundCache" "$unboundGzip" ;; dnsmasq.conf) outputFilter="$dnsmasqConfFilter" outputFile="$dnsmasqConfFile" outputCache="$dnsmasqConfCache" - outputGzip="$dnsmasqConfGzip" - rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip" - rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip" - rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip" - rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "$dnsmasqServersGzip" + outputGzip="${compressed_cache_dir}/${dnsmasqConfGzip}" + rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" 
"${compressed_cache_dir}/${dnsmasqAddnhostsGzip}" + rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}" + rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}" + rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}" rm -f "$unboundFile" "$unboundCache" "$unboundGzip" ;; dnsmasq.ipset) outputFilter="$dnsmasqIpsetFilter" outputFile="$dnsmasqIpsetFile" outputCache="$dnsmasqIpsetCache" - outputGzip="$dnsmasqIpsetGzip" - rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip" - rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "$dnsmasqConfGzip" - rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip" - rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "$dnsmasqServersGzip" + outputGzip="${compressed_cache_dir}/${dnsmasqIpsetGzip}" + rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "${compressed_cache_dir}/${dnsmasqAddnhostsGzip}" + rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}" + rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}" + rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}" rm -f "$unboundFile" "$unboundCache" "$unboundGzip" ;; dnsmasq.nftset) 
@@ -375,22 +386,22 @@ load_environment() { fi outputFile="$dnsmasqNftsetFile" outputCache="$dnsmasqNftsetCache" - outputGzip="$dnsmasqNftsetGzip" - rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip" - rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "$dnsmasqConfGzip" - rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip" - rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "$dnsmasqServersGzip" + outputGzip="${compressed_cache_dir}/${dnsmasqNftsetGzip}" + rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "${compressed_cache_dir}/${dnsmasqAddnhostsGzip}" + rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}" + rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}" + rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}" rm -f "$unboundFile" "$unboundCache" "$unboundGzip" ;; dnsmasq.servers) outputFilter="$dnsmasqServersFilter" outputFile="$dnsmasqServersFile" outputCache="$dnsmasqServersCache" - outputGzip="$dnsmasqServersGzip" - rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip" - rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "$dnsmasqConfGzip" - rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip" - rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip" + outputGzip="${compressed_cache_dir}/${dnsmasqServersGzip}" + rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "${compressed_cache_dir}/${dnsmasqAddnhostsGzip}" + rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}" + rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}" + rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}" rm -f "$unboundFile" "$unboundCache" "$unboundGzip" ;; unbound.adb_list) 
@@ -398,11 +409,11 @@ load_environment() { outputFile="$unboundFile" outputCache="$unboundCache" outputGzip="$unboundGzip" - rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip" - rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "$dnsmasqConfGzip" - rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip" - rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip" - rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "$dnsmasqServersGzip" + rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "${compressed_cache_dir}/${dnsmasqAddnhostsGzip}" + rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}" + rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}" + rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}" + rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}" ;; esac @@ -432,6 +443,7 @@ load_environment() { # Prefer curl because it supports the file:// scheme. if is_present 'curl'; then dl_command="curl --silent --insecure" + dl_command="${dl_command}${curl_additional_param:+ $curl_additional_param}" dl_command="${dl_command}${curl_max_file_size:+ --max-filesize $curl_max_file_size}" dl_command="${dl_command}${curl_retry:+ --retry $curl_retry}" dl_command="${dl_command}${download_timeout:+ --connect-timeout $download_timeout}" 
@@ -613,8 +625,8 @@ json() { triggers) curReload="$parallel_downloads $debug $download_timeout $allowed_domain $blocked_domain $allowed_domains_url \ $blocked_adblockplus_url $blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \ - $dnsmasq_config_file_url $curl_max_file_size $curl_retry" - curRestart="$compressed_cache $force_dns $led $force_dns_port" + $dnsmasq_config_file_url $curl_additional_param $curl_max_file_size $curl_retry" + curRestart="$compressed_cache $compressed_cache_dir $force_dns $led $force_dns_port" if [ ! -s "$jsonFile" ]; then ret='on_boot' elif [ "$curReload" != "$reload" ]; then @@ -647,8 +659,8 @@ json() { triggers) reload="$parallel_downloads $debug $download_timeout $allowed_domain $blocked_domain $allowed_domains_url \ $blocked_adblockplus_url $blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \ - $dnsmasq_config_file_url $curl_max_file_size $curl_retry" - restart="$compressed_cache $force_dns $led $force_dns_port" + $dnsmasq_config_file_url $curl_additional_param $curl_max_file_size $curl_retry" + restart="$compressed_cache $compressed_cache_dir $force_dns $led $force_dns_port" ;; *) eval "$param"='${value}${extras:+|$extras}';; 
@@ -1516,11 +1528,21 @@ boot() { check() { load_validate_config 'config' adb_check "'$*'"; } dl() { rc_procd start_service 'download'; } killcache() { - rm -f "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip" - rm -f "$dnsmasqConfCache" "$dnsmasqConfGzip" - rm -f "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip" - rm -f "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip" - rm -f "$dnsmasqServersCache" "$dnsmasqServersGzip" + local compressed_cache_dir + config_load "$packageName" + config_get compressed_cache_dir 'config' 'compressed_cache_dir' '/etc' + if [ "$(sanitize_dir "$compressed_cache_dir")" = '/' ]; then + compressed_cache_dir='' + elif [ -n "$(sanitize_dir "$compressed_cache_dir")" ]; then + compressed_cache_dir="$(sanitize_dir "$compressed_cache_dir")" + else + compressed_cache_dir="/etc" + fi + rm -f "$dnsmasqAddnhostsCache" "${compressed_cache_dir}/${dnsmasqAddnhostsGzip}" + rm -f "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}" + rm -f "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}" + rm -f "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}" + rm -f "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}" rm -f "$unboundCache" "$unboundGzip" config_load 'dhcp' config_foreach resolver 'dnsmasq' 'cleanup' @@ -1567,6 +1589,7 @@ load_validate_config() { local parallel_downloads local debug local compressed_cache + local compressed_cache_dir local ipv6_enabled local allow_non_ascii local canary_domains_icloud @@ -1574,6 +1597,7 @@ load_validate_config() { local config_update_enabled local config_update_url local download_timeout + local curl_additional_param local curl_max_file_size local curl_retry local verbosity @@ -1596,6 +1620,7 @@ load_validate_config() { 'parallel_downloads:bool:1' \ 'debug:bool:0' \ 'compressed_cache:bool:0' \ + 'compressed_cache_dir:directory:/etc' \ 'ipv6_enabled:bool:0' \ 'allow_non_ascii:bool:0' \ 'canary_domains_icloud:bool:0' \ 
@@ -1603,7 +1628,8 @@ load_validate_config() { 'config_update_enabled:bool:0' \ 'config_update_url:string:https://cdn.jsdelivr.net/gh/openwrt/packages/net/simple-adblock/files/simple-adblock.conf.update' \ 'download_timeout:range(1,60):20' \ - 'curl_max_file_size:uinteger' \ + 'curl_additional_param:or("", string)' \ + 'curl_max_file_size:or("", uinteger)' \ 'curl_retry:range(0,30):3' \ 'verbosity:range(0,2):2' \ 'procd_trigger_wan6:bool:0' \ diff --git a/net/sing-box/Makefile b/net/sing-box/Makefile index a20a2b401..2db8c7887 100644 --- a/net/sing-box/Makefile +++ b/net/sing-box/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=sing-box -PKG_VERSION:=1.2.1 +PKG_VERSION:=1.2.6 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/SagerNet/sing-box/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=0f304b75c2e9f61e3f7808f23fe8fbe08161553475d9bec0dea4a5acf4452d2d +PKG_HASH:=8f7adf55ed9afe6ec0dd8b04ed64dd3a6243578ee779f909dfb3778fa2dbda10 PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE_FILES:=LICENSE diff --git a/net/smartdns/Makefile b/net/smartdns/Makefile index 27373890e..9ce5466ec 100644 --- a/net/smartdns/Makefile +++ b/net/smartdns/Makefile @@ -1,18 +1,18 @@ # -# Copyright (c) 2018-2022 Nick Peng (pymumu@gmail.com) +# Copyright (c) 2018-2023 Nick Peng (pymumu@gmail.com) # This is free software, licensed under the GNU General Public License v3. # include $(TOPDIR)/rules.mk PKG_NAME:=smartdns -PKG_VERSION:=1.2022.38.1 +PKG_VERSION:=1.2023.42 PKG_RELEASE:=1 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://www.github.com/pymumu/smartdns.git -PKG_SOURCE_VERSION:=9bc857f628299573c7eca0833229d9812b1c1de4 -PKG_MIRROR_HASH:=a202b765e6ce8355335c80214819add3ed72a82426b033d7d5adf1448b415063 +PKG_SOURCE_VERSION:=ed102cda03c56e9c63040d33d4a391b56491493e +PKG_MIRROR_HASH:=366e98b92c3d22844ff5fc52c35f65c3b01e1b92fc9dc14c474823f0cc3ed11a PKG_MAINTAINER:=Nick Peng PKG_LICENSE:=GPL-3.0-or-later 
@@ -36,7 +36,7 @@ endef define Package/smartdns/description SmartDNS is a local DNS server which accepts DNS query requests from local network clients, gets DNS query results from multiple upstream DNS servers concurrently, and returns the fastest IP to clients. -Unlike dnsmasq's all-servers, smartdns returns the fastest IP. +Unlike dnsmasq's all-servers, smartdns returns the fastest IP, and encrypt DNS queries with DoT or DoH. endef define Package/smartdns/conffiles @@ -44,10 +44,13 @@ define Package/smartdns/conffiles /etc/smartdns/address.conf /etc/smartdns/blacklist-ip.conf /etc/smartdns/custom.conf +/etc/smartdns/domain-block.list +/etc/smartdns/domain-forwarding.list endef define Package/smartdns/install - $(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/config $(1)/etc/init.d $(1)/etc/smartdns + $(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/config $(1)/etc/init.d + $(INSTALL_DIR) $(1)/etc/smartdns $(1)/etc/smartdns/domain-set $(1)/etc/smartdns/conf.d/ $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/smartdns $(1)/usr/sbin/smartdns $(INSTALL_BIN) $(PKG_BUILD_DIR)/package/openwrt/files/etc/init.d/smartdns $(1)/etc/init.d/smartdns $(INSTALL_CONF) $(PKG_BUILD_DIR)/package/openwrt/address.conf $(1)/etc/smartdns/address.conf diff --git a/net/snort3/Makefile b/net/snort3/Makefile index 8252bad5c..a3f17cf70 100644 --- a/net/snort3/Makefile +++ b/net/snort3/Makefile @@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=snort3 -PKG_VERSION:=3.1.60.0 +PKG_VERSION:=3.1.61.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/snort3/snort3/archive/refs/tags/ -PKG_HASH:=295bbeea93ead7835379d9c9332b1f82f9ecdd3741aeed267caf85bb887126a1 +PKG_HASH:=207963ece2eddd3c85ad90c9e2dabe33dc67eaa485ba9576e2b244f7ac45fc5d PKG_MAINTAINER:=W. Michael Petullo PKG_LICENSE:=GPL-2.0-only diff --git a/net/snort3/patches/900-fix_build_for_archs_contain_plus.patch b/net/snort3/patches/900-fix_build_for_archs_contain_plus.patch deleted file mode 100644 index 163a7a069..000000000 
--- a/net/snort3/patches/900-fix_build_for_archs_contain_plus.patch +++ /dev/null @@ -1,16 +0,0 @@ ---- a/cmake/FindFlexLexer.cmake -+++ b/cmake/FindFlexLexer.cmake -@@ -16,11 +16,11 @@ macro(FLEX NAME LEXER_IN LEXER_OUT) - COMPILE_FLAGS ${FLEX_FLAGS} - ) - -- # we use '+' as a separator for 'sed' to avoid conflicts with '/' in paths from LEXER_OUT -+ # we use '|' as a separator for 'sed' to avoid conflicts with '/' in paths from LEXER_OUT - add_custom_command( - OUTPUT ${LEXER_OUT} - COMMAND sed -e -- "s+void yyFlexLexer::LexerError+yynoreturn void yyFlexLexer::LexerError+;s+${LEXER_OUT}.tmp+${LEXER_OUT}+" -+ "s|void yyFlexLexer::LexerError|yynoreturn void yyFlexLexer::LexerError|;s|${LEXER_OUT}.tmp|${LEXER_OUT}|" - ${FLEX_${NAME}_OUTPUTS} > ${LEXER_OUT} - DEPENDS ${FLEX_${NAME}_OUTPUTS} - VERBATIM diff --git a/net/tailscale/Makefile b/net/tailscale/Makefile index b3d280f35..53dffb790 100644 --- a/net/tailscale/Makefile +++ b/net/tailscale/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tailscale -PKG_VERSION:=1.36.0 +PKG_VERSION:=1.40.0 PKG_RELEASE:=1 PKG_SOURCE:=tailscale-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/tailscale/tailscale/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=25b293a7e65d7b962f0c56454d66fa56c89c3aa995467218f24efa335b924c76 +PKG_HASH:=6964176889943e0e0b25d8d69e14226cfb1c1a9944a257b24cb2dd212f797141 PKG_MAINTAINER:=Jan Pavlinec PKG_LICENSE:=BSD-3-Clause @@ -27,8 +27,8 @@ PKG_BUILD_FLAGS:=no-mips16 GO_PKG:=\ tailscale.com/cmd/tailscale \ tailscale.com/cmd/tailscaled -GO_PKG_LDFLAGS:=-X 'tailscale.com/version.Long=$(PKG_VERSION)-$(PKG_RELEASE) (OpenWrt)' -GO_PKG_LDFLAGS_X:=tailscale.com/version.Short=$(PKG_VERSION) +GO_PKG_LDFLAGS:=-X 'tailscale.com/version.longStamp=$(PKG_VERSION)-$(PKG_RELEASE) (OpenWrt)' +GO_PKG_LDFLAGS_X:=tailscale.com/version.shortStamp=$(PKG_VERSION) include $(INCLUDE_DIR)/package.mk include ../../lang/golang/golang-package.mk 
diff --git a/net/tailscale/patches/010-fake_iptables.patch b/net/tailscale/patches/010-fake_iptables.patch index 07e14fbf5..2874f53b0 100644 --- a/net/tailscale/patches/010-fake_iptables.patch +++ b/net/tailscale/patches/010-fake_iptables.patch @@ -2,7 +2,7 @@ +++ b/go.mod @@ -2,6 +2,8 @@ module tailscale.com - go 1.19 + go 1.20 +replace github.com/coreos/go-iptables => ./patched/go-iptables + diff --git a/net/tailscale/patches/020-tailscaled_fake_iptables.patch b/net/tailscale/patches/020-tailscaled_fake_iptables.patch index 2180080ca..a4d54bdc6 100644 --- a/net/tailscale/patches/020-tailscaled_fake_iptables.patch +++ b/net/tailscale/patches/020-tailscaled_fake_iptables.patch @@ -18,7 +18,7 @@ } } -@@ -1635,11 +1635,6 @@ func checkIPv6(logf logger.Logf) error { +@@ -1676,11 +1676,6 @@ func checkIPv6(logf logger.Logf) error { return fmt.Errorf("kernel doesn't support IPv6 policy routing: %w", err) } diff --git a/net/tailscale/patches/030-default_to_netfilter_off.patch b/net/tailscale/patches/030-default_to_netfilter_off.patch index 90c78fe69..1edd00225 100644 --- a/net/tailscale/patches/030-default_to_netfilter_off.patch +++ b/net/tailscale/patches/030-default_to_netfilter_off.patch @@ -1,6 +1,6 @@ --- a/cmd/tailscale/cli/up.go +++ b/cmd/tailscale/cli/up.go -@@ -143,7 +143,7 @@ func defaultNetfilterMode() string { +@@ -147,7 +147,7 @@ func defaultNetfilterMode() string { if distro.Get() == distro.Synology { return "off" } diff --git a/net/uwsgi/Makefile b/net/uwsgi/Makefile index 9f4592542..d27b9ff04 100644 --- a/net/uwsgi/Makefile +++ b/net/uwsgi/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=uwsgi PKG_VERSION:=2.0.20 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PYPI_NAME:=uwsgi PKG_HASH:=88ab9867d8973d8ae84719cf233b7dafc54326fcaec89683c3f9f77c002cdff9 diff --git a/net/uwsgi/files-luci-support/luci-cgi_io.ini b/net/uwsgi/files-luci-support/luci-cgi_io.ini index 98e54f2bc..8b3cdcf29 100644 --- a/net/uwsgi/files-luci-support/luci-cgi_io.ini 
+++ b/net/uwsgi/files-luci-support/luci-cgi_io.ini @@ -8,7 +8,7 @@ end-if = plugin = cgi cgi-mode = true cgi = /www/ -chdir = /usr/lib/lua/luci/ +chdir = /usr/lib/ucode/luci/ buffer-size = 10000 reload-mercy = 8 max-requests = 2000 diff --git a/net/uwsgi/files-luci-support/luci-webui.ini b/net/uwsgi/files-luci-support/luci-webui.ini index eb984b312..6c1e7a625 100644 --- a/net/uwsgi/files-luci-support/luci-webui.ini +++ b/net/uwsgi/files-luci-support/luci-webui.ini @@ -8,7 +8,7 @@ end-if = plugin = cgi cgi-mode = true cgi = /www/ -chdir = /usr/lib/lua/luci/ +chdir = /usr/lib/ucode/luci/ buffer-size = 10000 reload-mercy = 8 max-requests = 2000 diff --git a/utils/cache-domains/Makefile b/utils/cache-domains/Makefile index c9e8e2632..0e12ec32c 100644 --- a/utils/cache-domains/Makefile +++ b/utils/cache-domains/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=cache-domains PKG_VERSION:=2.3.1 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_MAINTAINER:=Gerard Ryan diff --git a/utils/cache-domains/pre-test.sh b/utils/cache-domains/pre-test.sh new file mode 100755 index 000000000..0b3e5176b --- /dev/null +++ b/utils/cache-domains/pre-test.sh @@ -0,0 +1,24 @@ +#! /bin/sh + +set -o errexit + +case "${PKG_NAME}" in + cache-domains-openssl) + LIBUSTREAM_DEPS="libustream-openssl libopenssl3" + LIBUSTREAM_DEPS="${LIBUSTREAM_DEPS} libatomic1" # arm_cortex-a15_neon-vfpv4 extra dep + ;; + cache-domains-mbedtls) + LIBUSTREAM_DEPS="libustream-mbedtls libmbedtls" + ;; + cache-domains-wolfssl) + LIBUSTREAM_DEPS="libustream-wolfssl libwolfssl" + ;; +esac + +# Replace the current libustream with the one PKG_NAME depends on. +# opkg depends on libustream for https so we need to download the +# replacement first and replace it offline. +opkg download ${LIBUSTREAM_DEPS} +opkg remove 'libustream-*' +opkg install --offline-root / ./*.ipk +rm ./*.ipk diff --git a/utils/open-plc-utils/Makefile b/utils/open-plc-utils/Makefile index eb763cffe..66f2a029c 100644 --- a/utils/open-plc-utils/Makefile 
+++ b/utils/open-plc-utils/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=open-plc-utils -PKG_RELEASE:=5 +PKG_RELEASE:=6 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/qca/open-plc-utils.git -PKG_SOURCE_VERSION:=358dfcf78bdaf7b0b13dcdf91cb1aae1789f2770 -PKG_MIRROR_HASH:=3b24033f3d2d9ac33778fb772837bc5e0a8891ac708bbe1f35336ff792baf9f8 +PKG_SOURCE_VERSION:=1ba7d5a042e4e8ff6858b08e113eec5dc4e89cf2 +PKG_MIRROR_HASH:=67a8c23a10b6b9e3437badad9f215d5350a766b1d0021c58d0ae092609be2b34 PKG_MAINTAINER:=Michael Heimpold diff --git a/utils/restic/Makefile b/utils/restic/Makefile index 7f08ccf4f..05156391c 100644 --- a/utils/restic/Makefile +++ b/utils/restic/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=restic -PKG_VERSION:=0.15.1 +PKG_VERSION:=0.15.2 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/restic/restic/tar.gz/v${PKG_VERSION}? -PKG_HASH:=fce382fdcdac0158a35daa640766d5e8a6e7b342ae2b0b84f2aacdff13990c52 +PKG_HASH:=52aca841486eaf4fe6422b059aa05bbf20db94b957de1d3fca019ed2af8192b7 PKG_LICENSE:=BSD-2-Clause PKG_LICENSE_FILES:=LICENSE diff --git a/utils/rtl_433/Makefile b/utils/rtl_433/Makefile index 5a2d3d492..bafc75e71 100644 --- a/utils/rtl_433/Makefile +++ b/utils/rtl_433/Makefile @@ -7,12 +7,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=rtl_433 -PKG_VERSION:=21.12 +PKG_VERSION:=22.11 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/merbanan/rtl_433/tar.gz/$(PKG_VERSION)? -PKG_HASH:=b362ef3410adec64aee7ad8e6d4d74875f1b3d59ef6fb4856e96adc03876dc65 +PKG_HASH:=61a9163d69cc4b1da46aebbcaf969bd180a055a6b90f42ad281218cc4fbefb86 PKG_MAINTAINER:=Jasper Scholte PKG_LICENSE:=GPL-2.0-or-later diff --git a/utils/sedutil/Makefile b/utils/sedutil/Makefile new file mode 100644 index 000000000..9625459d6 --- /dev/null +++ b/utils/sedutil/Makefile 
@@ -0,0 +1,41 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=sedutil +PKG_RELEASE:=1 + +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL=https://github.com/Drive-Trust-Alliance/sedutil +PKG_SOURCE_DATE:=2022-12-27 +PKG_SOURCE_VERSION:=7a0cda7f60cce346f72466e61ce006e5ea48fbc0 +PKG_MIRROR_HASH:=e11333bfa0760a46cbebcba35360e0f076e6219eb38ce1545179b8741476668a + +PKG_LICENSE_FILES:=README.md +PKG_LICENSE:=GPL-3.0-or-later +PKG_MAINTAINER:=Javier Marcet + +PKG_FIXUP:=autoreconf +PKG_BUILD_PARALLEL:=1 +PKG_BUILD_FLAGS:=lto + +include $(INCLUDE_DIR)/package.mk + +define Package/sedutil + SECTION:=utils + CATEGORY:=Utilities + TITLE:=The Drive Trust Alliance Self Encrypting Drive Utility + URL:=https://github.com/Drive-Trust-Alliance/sedutil + DEPENDS:=+libstdcpp +endef + +define Package/sedutil/description +This program and it's accompanying Pre-Boot Authorization image allow you to +enable the locking in SED's that comply with the TCG OPAL 2.00 standard on bios +machines. +endef + +define Package/sedutil/install + $(INSTALL_DIR) $(1)/usr/bin + $(CP) $(PKG_BUILD_DIR)/{linuxpba,sedutil-cli} $(1)/usr/bin +endef + +$(eval $(call BuildPackage,sedutil)) diff --git a/utils/zoneinfo/Makefile b/utils/zoneinfo/Makefile index 7608fcef6..7fe47f87d 100644 --- a/utils/zoneinfo/Makefile +++ b/utils/zoneinfo/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=zoneinfo PKG_VERSION:=2023c -PKG_RELEASE:=1 +PKG_RELEASE:=2 #As i couldn't find real license used "Public Domain" #as referense to http://www.iana.org/time-zones/repository/tz-link.html @@ -32,7 +32,7 @@ endef $(eval $(call Download,tzcode)) define Package/zoneinfo/Default - SUBMENU:=Zoneinfo + SUBMENU:=Time Zone info TITLE:=Zone Information SECTION:=utils CATEGORY:=Utilities 
@@ -47,56 +47,63 @@ endef
 define Package/zoneinfo-simple
 $(call Package/zoneinfo/Default)
 TITLE:=Zone Information (simple)
+ DEPENDS+= +zoneinfo-core
 endef
 define Package/zoneinfo-africa
 $(call Package/zoneinfo/Default)
 TITLE:=Zone Information (Africa)
+ DEPENDS+= +zoneinfo-core
 endef
-define Package/zoneinfo-northamerica
+define Package/zoneinfo-america
 $(call Package/zoneinfo/Default)
- TITLE:=Zone Information (NorthAmerica)
-endef
-
-define Package/zoneinfo-southamerica
-$(call Package/zoneinfo/Default)
- TITLE:=Zone Information (SouthAmerica)
+ TITLE:=Zone Information (America North/South)
+ PROVIDES:=zoneinfo-northamerica zoneinfo-southamerica
+ DEPENDS+= +zoneinfo-core
 endef
 define Package/zoneinfo-poles
 $(call Package/zoneinfo/Default)
 TITLE:=Zone Information (Arctic, Antarctic)
+ DEPENDS+= +zoneinfo-core
 endef
 define Package/zoneinfo-asia
 $(call Package/zoneinfo/Default)
 TITLE:=Zone Information (Asia)
+ DEPENDS+= +zoneinfo-core
 endef
 define Package/zoneinfo-atlantic
 $(call Package/zoneinfo/Default)
- TITLE:=Zone Information (Atlantic)
+ TITLE:=Zone Information (Atlantic Ocean)
+ DEPENDS+= +zoneinfo-core
 endef
 define Package/zoneinfo-australia-nz
 $(call Package/zoneinfo/Default)
 TITLE:=Zone Information (Australia-NZ)
+ DEPENDS+= +zoneinfo-core
 endef
 define Package/zoneinfo-pacific
 $(call Package/zoneinfo/Default)
- TITLE:=Zone Information (Pacific)
+ TITLE:=Zone Information (Pacific Ocean)
+ DEPENDS+= +zoneinfo-core
 endef
 define Package/zoneinfo-europe
 $(call Package/zoneinfo/Default)
 TITLE:=Zone Information (Europe)
+ DEPENDS+= +zoneinfo-core
 endef
-define Package/zoneinfo-india
+define Package/zoneinfo-indian
 $(call Package/zoneinfo/Default)
- TITLE:=Zone Information (India)
+ TITLE:=Zone Information (Indian Ocean)
+ PROVIDES:=zoneinfo-india
+ DEPENDS+= +zoneinfo-core
 endef
 define Package/zoneinfo-all
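Review bot: `DEPENDS+= +zoneinfo-core` is written with the append operator in each of the ten package definitions of this hunk, although nothing visible sets DEPENDS before it (the Package/zoneinfo/Default template, as far as the earlier hunk shows it, only sets SUBMENU, TITLE, SECTION and CATEGORY); `DEPENDS:=+zoneinfo-core` is the conventional form and makes each package's full dependency list explicit at a glance. If DEPENDS really is empty at that point, the line could also live once in a small helper template that the regional packages call in place of Default, keeping zoneinfo-core itself on the plain template so it does not end up depending on itself. The `PROVIDES:=` lines on the merged zoneinfo-america and renamed zoneinfo-indian packages are what keep existing references to the old names resolvable, which is worth a sentence in the commit message.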
@@ -105,15 +112,14 @@ $(call Package/zoneinfo/Default)
 DEPENDS:= \
 +zoneinfo-core \
 +zoneinfo-africa \
- +zoneinfo-northamerica \
- +zoneinfo-southamerica \
+ +zoneinfo-america \
 +zoneinfo-poles \
 +zoneinfo-asia \
 +zoneinfo-atlantic \
 +zoneinfo-australia-nz \
 +zoneinfo-pacific \
 +zoneinfo-europe \
- +zoneinfo-india
+ +zoneinfo-indian
 endef
 define Build/Prepare
@@ -136,7 +142,7 @@ endef
 define Package/zoneinfo-core/install
 $(INSTALL_DIR) $(1)/usr/share/zoneinfo
 for i in \
- CET CST6CDT EET EST EST5EDT GB-Eire Eire \
+ CET CST6CDT EET EST EST5EDT GB-Eire \
 GB GMT GMT+0 GMT-0 GMT0 Greenwich \
 HST MET MST MST7MDT \
 PRC PST8PDT ROC ROK UCT UTC \
@@ -167,29 +173,19 @@ define Package/zoneinfo-simple/install
 endef
 define Package/zoneinfo-africa/install
- $(INSTALL_DIR) $(1)/usr/share/zoneinfo/Africa
- $(CP) $(PKG_INSTALL_DIR)/zoneinfo/Africa/* \
- $(1)/usr/share/zoneinfo/Africa
-endef
-
-define Package/zoneinfo-northamerica/install
 $(INSTALL_DIR) $(1)/usr/share/zoneinfo
- for i in US America Canada Mexico Cuba Jamaica Navajo ; do \
+ for i in Africa Egypt Libya ; do \
 $(CP) $(PKG_INSTALL_DIR)/zoneinfo/$$$$i \
 $(1)/usr/share/zoneinfo ; \
 done
- rm -rf $(1)/usr/share/zoneinfo/America/Argentina
 endef
-define Package/zoneinfo-southamerica/install
+define Package/zoneinfo-america/install
 $(INSTALL_DIR) $(1)/usr/share/zoneinfo
- for i in Brazil Chile ; do \
+ for i in America Brazil Canada Chile Cuba Jamaica Mexico Navajo US ; do \
 $(CP) $(PKG_INSTALL_DIR)/zoneinfo/$$$$i \
 $(1)/usr/share/zoneinfo ; \
 done
- $(INSTALL_DIR) $(1)/usr/share/zoneinfo/America/Argentina
- $(CP) $(PKG_INSTALL_DIR)/zoneinfo/America/Argentina/* \
- $(1)/usr/share/zoneinfo/America/Argentina
 endef
 define Package/zoneinfo-poles/install
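Review bot: In the rewritten `for i in Africa Egypt Libya ; do` loop of Package/zoneinfo-africa/install, and likewise the `for i in America Brazil …` loop of zoneinfo-america/install, a failing `$(CP)` for any entry but the last does not fail the recipe, because a shell `for` loop's exit status is that of its final iteration unless the build shell runs with errexit; a zone link that is renamed or dropped in a later tzdata release would then be silently missing from the package while the build still succeeds. Appending `|| exit 1` to the copy, i.e. `$(1)/usr/share/zoneinfo || exit 1 ; \`, makes the install abort on the first missing file. The asia and europe loops in the following hunks have the same shape and would take the same one-line change. The hunk at -136 also removes `Eire` from zoneinfo-core; a system with only the core package installed loses that link unless zoneinfo-europe is added, which looks intended but deserves a line in the commit message.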
@@ -202,7 +198,7 @@ endef
 define Package/zoneinfo-asia/install
 $(INSTALL_DIR) $(1)/usr/share/zoneinfo
- for i in Asia Japan Singapore Hongkong ; do \
+ for i in Asia Hongkong Iran Israel Japan Singapore ; do \
 $(CP) $(PKG_INSTALL_DIR)/zoneinfo/$$$$i \
 $(1)/usr/share/zoneinfo ; \
 done
@@ -234,13 +230,13 @@ endef
 define Package/zoneinfo-europe/install
 $(INSTALL_DIR) $(1)/usr/share/zoneinfo
- for i in Europe Portugal Poland ; do \
+ for i in Europe Eire Portugal Poland Turkey ; do \
 $(CP) $(PKG_INSTALL_DIR)/zoneinfo/$$$$i \
 $(1)/usr/share/zoneinfo ; \
 done
 endef
-define Package/zoneinfo-india/install
+define Package/zoneinfo-indian/install
 $(INSTALL_DIR) $(1)/usr/share/zoneinfo
 for i in Indian ; do \
 $(CP) $(PKG_INSTALL_DIR)/zoneinfo/$$$$i \
@@ -251,13 +247,12 @@ endef
 $(eval $(call BuildPackage,zoneinfo-simple))
 $(eval $(call BuildPackage,zoneinfo-core))
 $(eval $(call BuildPackage,zoneinfo-africa))
-$(eval $(call BuildPackage,zoneinfo-northamerica))
-$(eval $(call BuildPackage,zoneinfo-southamerica))
+$(eval $(call BuildPackage,zoneinfo-america))
 $(eval $(call BuildPackage,zoneinfo-poles))
 $(eval $(call BuildPackage,zoneinfo-asia))
 $(eval $(call BuildPackage,zoneinfo-atlantic))
 $(eval $(call BuildPackage,zoneinfo-australia-nz))
 $(eval $(call BuildPackage,zoneinfo-pacific))
 $(eval $(call BuildPackage,zoneinfo-europe))
-$(eval $(call BuildPackage,zoneinfo-india))
+$(eval $(call BuildPackage,zoneinfo-indian))
 $(eval $(call BuildPackage,zoneinfo-all))
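Review bot: The new list `for i in Europe Eire Portugal Poland Turkey ; do \` in Package/zoneinfo-europe/install is not in alphabetical order after the directory name, whereas the asia loop in the first hunk here was reordered to `Asia Hongkong Iran Israel Japan Singapore` and the america loop in the previous hunk is sorted as well; `for i in Europe Eire Poland Portugal Turkey ; do \` would keep the three lists consistent and make future additions easier to review. The zoneinfo-indian/install define is cut off at the end of its hunk, so its loop body and `endef` continue outside the hunk.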