From 549a66bbfab309af9564200877f6f478a86f06ad Mon Sep 17 00:00:00 2001 From: Stan Grishin Date: Mon, 3 Apr 2023 21:20:31 +0000 Subject: [PATCH 01/49] simple-adblock: implement curl_additional_param compressed_cache_dir * curl_additional_param: to pass additional parameters (like proxy) to curl * compressed_cache_dir: where to store compressed cache in non-volitile memory Signed-off-by: Stan Grishin --- net/simple-adblock/Makefile | 4 +- net/simple-adblock/files/simple-adblock.conf | 4 +- net/simple-adblock/files/simple-adblock.init | 120 +++++++++++-------- 3 files changed, 78 insertions(+), 50 deletions(-) diff --git a/net/simple-adblock/Makefile b/net/simple-adblock/Makefile index 15169eacb..cbe16be2e 100644 --- a/net/simple-adblock/Makefile +++ b/net/simple-adblock/Makefile @@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=simple-adblock -PKG_VERSION:=1.9.4 -PKG_RELEASE:=4 +PKG_VERSION:=1.9.5 +PKG_RELEASE:=1 PKG_MAINTAINER:=Stan Grishin PKG_LICENSE:=GPL-3.0-or-later diff --git a/net/simple-adblock/files/simple-adblock.conf b/net/simple-adblock/files/simple-adblock.conf index 7949156aa..a40c5a258 100644 --- a/net/simple-adblock/files/simple-adblock.conf +++ b/net/simple-adblock/files/simple-adblock.conf @@ -5,9 +5,11 @@ config simple-adblock 'config' option canary_domains_icloud '0' option canary_domains_mozilla '0' option compressed_cache '0' + option compressed_cache_dir '/etc' option config_update_enabled '0' option config_update_url 'https://cdn.jsdelivr.net/gh/openwrt/packages/net/simple-adblock/files/simple-adblock.conf.update' -# option curl_max_file_size '1000000' + option curl_additional_param '' + option curl_max_file_size '30000000' option curl_retry '3' option download_timeout '10' option debug '0' diff --git a/net/simple-adblock/files/simple-adblock.init b/net/simple-adblock/files/simple-adblock.init index 87fdfdef7..1427a7b61 100644 --- a/net/simple-adblock/files/simple-adblock.init +++ b/net/simple-adblock/files/simple-adblock.init 
@@ -31,35 +31,34 @@ readonly serviceName="$packageName $PKG_VERSION" readonly packageConfigFile="/etc/config/${packageName}" readonly dnsmasqAddnhostsFile="/var/run/${packageName}/dnsmasq.addnhosts" readonly dnsmasqAddnhostsCache="/var/run/${packageName}/dnsmasq.addnhosts.cache" -readonly dnsmasqAddnhostsGzip="/etc/${packageName}.dnsmasq.addnhosts.gz" +readonly dnsmasqAddnhostsGzip="${packageName}.dnsmasq.addnhosts.gz" readonly dnsmasqAddnhostsFilter='s|^|127.0.0.1 |;s|$||' readonly dnsmasqAddnhostsFilterIPv6='s|^|:: |;s|$||' readonly dnsmasqConfFile="/tmp/dnsmasq.d/${packageName}" readonly dnsmasqConfCache="/var/run/${packageName}/dnsmasq.conf.cache" -readonly dnsmasqConfGzip="/etc/${packageName}.dnsmasq.conf.gz" +readonly dnsmasqConfGzip="${packageName}.dnsmasq.conf.gz" readonly dnsmasqConfFilter='s|^|local=/|;s|$|/|' readonly dnsmasqIpsetFile="/tmp/dnsmasq.d/${packageName}.ipset" readonly dnsmasqIpsetCache="/var/run/${packageName}/dnsmasq.ipset.cache" -readonly dnsmasqIpsetGzip="/etc/${packageName}.dnsmasq.ipset.gz" +readonly dnsmasqIpsetGzip="${packageName}.dnsmasq.ipset.gz" readonly dnsmasqIpsetFilter='s|^|ipset=/|;s|$|/adb|' readonly dnsmasqNftsetFile="/tmp/dnsmasq.d/${packageName}.nftset" readonly dnsmasqNftsetCache="/var/run/${packageName}/dnsmasq.nftset.cache" -readonly dnsmasqNftsetGzip="/etc/${packageName}.dnsmasq.nftset.gz" +readonly dnsmasqNftsetGzip="${packageName}.dnsmasq.nftset.gz" readonly dnsmasqNftsetFilter='s|^|nftset=/|;s|$|/4#inet#fw4#adb4|' readonly dnsmasqNftsetFilterIPv6='s|^|nftset=/|;s|$|/4#inet#fw4#adb4,6#inet#fw4#adb6|' readonly dnsmasqServersFile="/var/run/${packageName}/dnsmasq.servers" readonly dnsmasqServersCache="/var/run/${packageName}/dnsmasq.servers.cache" -readonly dnsmasqServersGzip="/etc/${packageName}.dnsmasq.servers.gz" +readonly dnsmasqServersGzip="${packageName}.dnsmasq.servers.gz" readonly dnsmasqServersFilter='s|^|server=/|;s|$|/|' readonly unboundFile="/var/lib/unbound/adb_list.${packageName}" readonly 
unboundCache="/var/run/${packageName}/unbound.cache" -readonly unboundGzip="/etc/${packageName}.unbound.gz" +readonly unboundGzip="${packageName}.unbound.gz" readonly unboundFilter='s|^|local-zone: "|;s|$|" static|' readonly A_TMP="/var/${packageName}.hosts.a.tmp" readonly B_TMP="/var/${packageName}.hosts.b.tmp" readonly jsonFile="/var/run/${packageName}/${packageName}.json" readonly sharedMemoryError="/dev/shm/$packageName-error" -readonly sharedMemoryOutput="/dev/shm/$packageName-output" readonly hostsFilter='/localhost/d;/^#/d;/^[^0-9]/d;s/^0\.0\.0\.0.//;s/^127\.0\.0\.1.//;s/[[:space:]]*#.*$//;s/[[:cntrl:]]$//;s/[[:space:]]//g;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;' readonly domainsFilter='/^#/d;s/[[:space:]]*#.*$//;s/[[:space:]]*$//;s/[[:cntrl:]]$//;/[[:space:]]/d;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;' readonly adBlockPlusFilter='/^#/d;/^!/d;s/[[:space:]]*#.*$//;s/^||//;s/\^$//;s/[[:space:]]*$//;s/[[:cntrl:]]$//;/[[:space:]]/d;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;' @@ -163,6 +162,7 @@ get_text() { warningExternalDnsmasqConfig) r="use of external dnsmasq config file detected, please set 'dns' option to 'dnsmasq.conf'";; warningMissingRecommendedPackages) r="Some recommended packages are missing";; + warningInvalidCompressedCacheDir) r="invalid compressed cache directory '%s'";; esac echo "$r" } 
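Review bot: `unboundGzip` is reduced to a bare file name here but, unlike the five dnsmasq gzip names, it is never re-qualified with `${compressed_cache_dir}`: the unchanged context lines `outputGzip="$unboundGzip"` (-398 hunk) and `rm -f "$unboundFile" "$unboundCache" "$unboundGzip"` (-330, -375, -398 and killcache in -1516) keep the bare name, so the unbound compressed cache is now created and deleted relative to whatever the working directory happens to be rather than in the configured directory. Either restore the absolute `/etc/` path for unbound or treat it like the others, `outputGzip="${compressed_cache_dir}/${unboundGzip}"` and `rm -f "$unboundFile" "$unboundCache" "${compressed_cache_dir}/${unboundGzip}"`. Uses of `unboundGzip` outside these hunks are not visible from this diff.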
@@ -183,11 +183,13 @@ dnsmasq_kill() { killall -q -s KILL dnsmasq; } dnsmasq_restart() { /etc/init.d/dnsmasq restart >/dev/null 2>&1; } unbound_restart() { /etc/init.d/unbound restart >/dev/null 2>&1; } is_present() { command -v "$1" >/dev/null 2>&1; } +sanitize_dir() { [ -d "$(readlink -fn "$1")" ] && readlink -fn "$1"; } output() { # Can take a single parameter (text) to be output at any verbosity # Or target verbosity level and text to be output at specifc verbosity local msg memmsg logmsg + local sharedMemoryOutput="/dev/shm/$packageName-output" verbosity="${verbosity:-2}" if [ $# -ne 1 ]; then if [ $((verbosity & $1)) -gt 0 ] || [ "$verbosity" = "$1" ]; then shift; else return 0; fi 
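Review bot: `sanitize_dir` invokes `readlink -fn "$1"` twice, and its callers in the -330 and -1516 hunks call it up to three times each, so one validation costs up to six forks; resolve once and reuse the result, `sanitize_dir() { local d; d="$(readlink -fn "$1")" && [ -d "$d" ] && printf '%s\n' "$d"; }`, which keeps the same contract (prints the canonical path only for an existing directory, non-zero status otherwise). A comment above it should also state that the check is only "exists and is a directory": a volatile location such as a tmpfs passes, and the `directory` validator added in the -1596 hunk is no stricter, so a user who points `compressed_cache_dir` at `/tmp` silently loses the non-volatile cache the option is meant to provide.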
@@ -330,41 +332,50 @@ load_environment() { ;; esac + if [ "$(sanitize_dir "$compressed_cache_dir")" = '/' ]; then + compressed_cache_dir='' + elif [ -n "$(sanitize_dir "$compressed_cache_dir")" ]; then + compressed_cache_dir="$(sanitize_dir "$compressed_cache_dir")" + else + json add warning 'warningInvalidCompressedCacheDir' "$compressed_cache_dir" + compressed_cache_dir="/etc" + fi + case "$dns" in dnsmasq.addnhosts) outputFilter="$dnsmasqAddnhostsFilter" outputFile="$dnsmasqAddnhostsFile" outputCache="$dnsmasqAddnhostsCache" - outputGzip="$dnsmasqAddnhostsGzip" + outputGzip="${compressed_cache_dir}/${dnsmasqAddnhostsGzip}" if [ "$ipv6_enabled" -ne 0 ]; then outputFilterIPv6="$dnsmasqAddnhostsFilterIPv6" fi - rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "$dnsmasqConfGzip" - rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip" - rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip" - rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "$dnsmasqServersGzip" + rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}" + rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}" + rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}" + rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}" rm -f "$unboundFile" "$unboundCache" "$unboundGzip" ;; dnsmasq.conf) outputFilter="$dnsmasqConfFilter" outputFile="$dnsmasqConfFile" outputCache="$dnsmasqConfCache" - outputGzip="$dnsmasqConfGzip" - rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip" - rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip" - rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip" - rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "$dnsmasqServersGzip" + outputGzip="${compressed_cache_dir}/${dnsmasqConfGzip}" + rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" 
"${compressed_cache_dir}/${dnsmasqAddnhostsGzip}" + rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}" + rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}" + rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}" rm -f "$unboundFile" "$unboundCache" "$unboundGzip" ;; dnsmasq.ipset) outputFilter="$dnsmasqIpsetFilter" outputFile="$dnsmasqIpsetFile" outputCache="$dnsmasqIpsetCache" - outputGzip="$dnsmasqIpsetGzip" - rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip" - rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "$dnsmasqConfGzip" - rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip" - rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "$dnsmasqServersGzip" + outputGzip="${compressed_cache_dir}/${dnsmasqIpsetGzip}" + rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "${compressed_cache_dir}/${dnsmasqAddnhostsGzip}" + rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}" + rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}" + rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}" rm -f "$unboundFile" "$unboundCache" "$unboundGzip" ;; dnsmasq.nftset) 
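Review bot: The `sanitize_dir` / `'/'` / fallback-to-`/etc` block added at the top of this hunk is repeated almost verbatim in `killcache()` (-1516 hunk), the only difference being the `json add warning` call, and each branch re-runs `sanitize_dir` so the same path is canonicalized up to three times. Factor it into one helper next to `sanitize_dir` that prints the resolved directory and signals the fallback through its exit status, so both callers share the rules and the warning stays where it is. `load_environment` starts and ends outside this hunk.
```shell
# Resolve the configured compressed-cache directory to a canonical path.
# '/' becomes '' so "${dir}/${file}" stays a single-slash path; any other
# existing directory is canonicalized; anything else falls back to /etc and
# the function returns 1 so the caller can warn.
resolve_compressed_cache_dir() {
	local d
	d="$(sanitize_dir "$1")"
	case "$d" in
		'/') echo '';;
		'')  echo '/etc'; return 1;;
		*)   echo "$d";;
	esac
}

# … unchanged: load_environment up to the compressed_cache_dir check …
	local resolvedDir
	if ! resolvedDir="$(resolve_compressed_cache_dir "$compressed_cache_dir")"; then
		json add warning 'warningInvalidCompressedCacheDir' "$compressed_cache_dir"
	fi
	compressed_cache_dir="$resolvedDir"
# … unchanged: case "$dns" in … …
```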
@@ -375,22 +386,22 @@ load_environment() { fi outputFile="$dnsmasqNftsetFile" outputCache="$dnsmasqNftsetCache" - outputGzip="$dnsmasqNftsetGzip" - rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip" - rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "$dnsmasqConfGzip" - rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip" - rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "$dnsmasqServersGzip" + outputGzip="${compressed_cache_dir}/${dnsmasqNftsetGzip}" + rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "${compressed_cache_dir}/${dnsmasqAddnhostsGzip}" + rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}" + rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}" + rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}" rm -f "$unboundFile" "$unboundCache" "$unboundGzip" ;; dnsmasq.servers) outputFilter="$dnsmasqServersFilter" outputFile="$dnsmasqServersFile" outputCache="$dnsmasqServersCache" - outputGzip="$dnsmasqServersGzip" - rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip" - rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "$dnsmasqConfGzip" - rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip" - rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip" + outputGzip="${compressed_cache_dir}/${dnsmasqServersGzip}" + rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "${compressed_cache_dir}/${dnsmasqAddnhostsGzip}" + rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}" + rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}" + rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}" rm -f "$unboundFile" "$unboundCache" "$unboundGzip" ;; unbound.adb_list) 
@@ -398,11 +409,11 @@ load_environment() { outputFile="$unboundFile" outputCache="$unboundCache" outputGzip="$unboundGzip" - rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip" - rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "$dnsmasqConfGzip" - rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip" - rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip" - rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "$dnsmasqServersGzip" + rm -f "$dnsmasqAddnhostsFile" "$dnsmasqAddnhostsCache" "${compressed_cache_dir}/${dnsmasqAddnhostsGzip}" + rm -f "$dnsmasqConfFile" "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}" + rm -f "$dnsmasqIpsetFile" "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}" + rm -f "$dnsmasqNftsetFile" "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}" + rm -f "$dnsmasqServersFile" "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}" ;; esac @@ -432,6 +443,7 @@ load_environment() { # Prefer curl because it supports the file:// scheme. if is_present 'curl'; then dl_command="curl --silent --insecure" + dl_command="${dl_command}${curl_additional_param:+ $curl_additional_param}" dl_command="${dl_command}${curl_max_file_size:+ --max-filesize $curl_max_file_size}" dl_command="${dl_command}${curl_retry:+ --retry $curl_retry}" dl_command="${dl_command}${download_timeout:+ --connect-timeout $download_timeout}" 
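Review bot: `curl_additional_param` is appended to `dl_command` verbatim, and the validator added in the -1603 hunk (`or("", string)`) accepts any text; since `dl_command` is a plain string that is presumably word-split when executed (the call site is outside this hunk), an option value containing spaces or quotes will not be grouped the way a shell command line would group it, and nothing tells the user that. The option comes from root-owned UCI config, so this is a usability caveat rather than an injection risk, but it belongs in the conf hunk above `option curl_additional_param ''`: `# extra curl options, inserted verbatim and split on whitespace (e.g. --proxy ...); quoting is not interpreted`. The same conf hunk also promotes `curl_max_file_size` from a commented-out example to an active `30000000` default, which the commit message does not mention.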
@@ -613,8 +625,8 @@ json() { triggers) curReload="$parallel_downloads $debug $download_timeout $allowed_domain $blocked_domain $allowed_domains_url \ $blocked_adblockplus_url $blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \ - $dnsmasq_config_file_url $curl_max_file_size $curl_retry" - curRestart="$compressed_cache $force_dns $led $force_dns_port" + $dnsmasq_config_file_url $curl_additional_param $curl_max_file_size $curl_retry" + curRestart="$compressed_cache $compressed_cache_dir $force_dns $led $force_dns_port" if [ ! -s "$jsonFile" ]; then ret='on_boot' elif [ "$curReload" != "$reload" ]; then @@ -647,8 +659,8 @@ json() { triggers) reload="$parallel_downloads $debug $download_timeout $allowed_domain $blocked_domain $allowed_domains_url \ $blocked_adblockplus_url $blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \ - $dnsmasq_config_file_url $curl_max_file_size $curl_retry" - restart="$compressed_cache $force_dns $led $force_dns_port" + $dnsmasq_config_file_url $curl_additional_param $curl_max_file_size $curl_retry" + restart="$compressed_cache $compressed_cache_dir $force_dns $led $force_dns_port" ;; *) eval "$param"='${value}${extras:+|$extras}';; 
@@ -1516,11 +1528,21 @@ boot() { check() { load_validate_config 'config' adb_check "'$*'"; } dl() { rc_procd start_service 'download'; } killcache() { - rm -f "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip" - rm -f "$dnsmasqConfCache" "$dnsmasqConfGzip" - rm -f "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip" - rm -f "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip" - rm -f "$dnsmasqServersCache" "$dnsmasqServersGzip" + local compressed_cache_dir + config_load "$packageName" + config_get compressed_cache_dir 'config' 'compressed_cache_dir' '/etc' + if [ "$(sanitize_dir "$compressed_cache_dir")" = '/' ]; then + compressed_cache_dir='' + elif [ -n "$(sanitize_dir "$compressed_cache_dir")" ]; then + compressed_cache_dir="$(sanitize_dir "$compressed_cache_dir")" + else + compressed_cache_dir="/etc" + fi + rm -f "$dnsmasqAddnhostsCache" "${compressed_cache_dir}/${dnsmasqAddnhostsGzip}" + rm -f "$dnsmasqConfCache" "${compressed_cache_dir}/${dnsmasqConfGzip}" + rm -f "$dnsmasqIpsetCache" "${compressed_cache_dir}/${dnsmasqIpsetGzip}" + rm -f "$dnsmasqNftsetCache" "${compressed_cache_dir}/${dnsmasqNftsetGzip}" + rm -f "$dnsmasqServersCache" "${compressed_cache_dir}/${dnsmasqServersGzip}" rm -f "$unboundCache" "$unboundGzip" config_load 'dhcp' config_foreach resolver 'dnsmasq' 'cleanup' @@ -1567,6 +1589,7 @@ load_validate_config() { local parallel_downloads local debug local compressed_cache + local compressed_cache_dir local ipv6_enabled local allow_non_ascii local canary_domains_icloud @@ -1574,6 +1597,7 @@ load_validate_config() { local config_update_enabled local config_update_url local download_timeout + local curl_additional_param local curl_max_file_size local curl_retry local verbosity @@ -1596,6 +1620,7 @@ load_validate_config() { 'parallel_downloads:bool:1' \ 'debug:bool:0' \ 'compressed_cache:bool:0' \ + 'compressed_cache_dir:directory:/etc' \ 'ipv6_enabled:bool:0' \ 'allow_non_ascii:bool:0' \ 'canary_domains_icloud:bool:0' \ 
@@ -1603,7 +1628,8 @@ load_validate_config() { 'config_update_enabled:bool:0' \ 'config_update_url:string:https://cdn.jsdelivr.net/gh/openwrt/packages/net/simple-adblock/files/simple-adblock.conf.update' \ 'download_timeout:range(1,60):20' \ - 'curl_max_file_size:uinteger' \ + 'curl_additional_param:or("", string)' \ + 'curl_max_file_size:or("", uinteger)' \ 'curl_retry:range(0,30):3' \ 'verbosity:range(0,2):2' \ 'procd_trigger_wan6:bool:0' \ From 8589f298a130cb28cf0c769b50c1a4c116a3d70b Mon Sep 17 00:00:00 2001 From: Glen Huang Date: Wed, 26 Apr 2023 19:46:46 +0800 Subject: [PATCH 02/49] acme: remove redundant postinst opkg runs uci-defaults if a package installs one, in acme-common's case that's identical to postinst. prerm shouldn't be run a image builder, so it's unnecessary to check IPKG_INSTROOT Signed-off-by: Glen Huang --- net/acme-common/Makefile | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/net/acme-common/Makefile b/net/acme-common/Makefile index 841146826..ac92fc564 100644 --- a/net/acme-common/Makefile +++ b/net/acme-common/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=acme-common -PKG_VERSION:=1.0.2 +PKG_VERSION:=1.0.3 PKG_MAINTAINER:=Toke Høiland-Jørgensen PKG_LICENSE:=GPL-3.0-only @@ -48,19 +48,9 @@ define Package/acme-common/install $(INSTALL_DIR) $(1)/etc/hotplug.d/acme endef -define Package/acme-common/postinst -#!/bin/sh -if [ -z "$$IPKG_INSTROOT" ]; then - grep -q '/etc/init.d/acme' /etc/crontabs/root 2>/dev/null && exit 0 - echo "0 0 * * * /etc/init.d/acme start" >> /etc/crontabs/root -fi -endef - define Package/acme-common/prerm #!/bin/sh -if [ -z "$$IPKG_INSTROOT" ]; then - sed -i '\|/etc/init.d/acme|d' /etc/crontabs/root -fi +sed -i '\|/etc/init.d/acme|d' /etc/crontabs/root endef define Build/Configure From 0a67d0e1293df8a5be7ba9fe24834952c1e835e7 Mon Sep 17 00:00:00 2001 
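Review bot: The now-unconditional `sed -i '\|/etc/init.d/acme|d' /etc/crontabs/root` fails with a non-zero status when `/etc/crontabs/root` does not exist (for example on a system where no crontab entry was ever written), and since it is the last command the prerm script returns that failure, which opkg may report as a failed prerm; guard it with `if [ -f /etc/crontabs/root ]; then` / `sed -i '\|/etc/init.d/acme|d' /etc/crontabs/root` / `fi`. Dropping the `IPKG_INSTROOT` test also means the edit would hit the build host's `/etc/crontabs/root` if prerm were ever run with an install root; the commit message asserts that does not happen, so a short comment stating that assumption above the sed would keep the next reader from re-adding the guard blindly.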
From: Christian Marangi Date: Thu, 20 Apr 2023 12:59:08 +0200 Subject: [PATCH 03/49] nginx-util: add support for loading dynamic module in uci template Add support for loading dynamic module in uci template by adding .module file in module.d directory. Signed-off-by: Christian Marangi --- net/nginx-util/Makefile | 4 +++- net/nginx-util/files/uci.conf.template | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/net/nginx-util/Makefile b/net/nginx-util/Makefile index 2ff4da194..52cdbb4ea 100644 --- a/net/nginx-util/Makefile +++ b/net/nginx-util/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nginx-util PKG_VERSION:=1.6 -PKG_RELEASE:=15 +PKG_RELEASE:=16 PKG_MAINTAINER:=Peter Stadler include $(INCLUDE_DIR)/package.mk @@ -67,6 +67,8 @@ define Package/nginx-ssl-util/install/default $(INSTALL_CONF) ./files/restrict_locally $(1)/etc/nginx/ + $(INSTALL_DIR) $(1)/etc/nginx/module.d/ + $(INSTALL_DIR) $(1)/etc/config/ $(INSTALL_CONF) ./files/nginx.config $(1)/etc/config/nginx diff --git a/net/nginx-util/files/uci.conf.template b/net/nginx-util/files/uci.conf.template index 1c611d9ad..406ddb4cc 100644 --- a/net/nginx-util/files/uci.conf.template +++ b/net/nginx-util/files/uci.conf.template @@ -6,6 +6,8 @@ worker_processes auto; user root; +include module.d/*.module; + events {} http { From 65a676ed56fb25e41980b910c2453ea9da8773db Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Sat, 9 Oct 2021 01:18:41 +0200 Subject: [PATCH 04/49] nginx: introduce support for dynamic modules Start building sub package that provide dynamic modules. Each module needs to be loaded using load_modules. Refer to nginx documentation on how to use this. This should result in lower memory usage as only used module are loaded. Also fix the uci-default scripts to add the required ubus module for luci module. -fvisibility=hidden is needed to be dropped to correctly support loading dynamic modules. 
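Review bot: `include module.d/*.module;` carries no explanation, and its position matters: `load_module` directives are only valid in the main context before `events {}` / `http {}`, so a comment should pin it there, e.g. `# *.module files from nginx-mod-* packages hold load_module directives; keep this above events/http`. The relative path is resolved against nginx's configuration prefix (inferred from nginx's include semantics; the nginx Makefile later in this series passes `--conf-path=/etc/nginx/nginx.conf`), which is why the companion Makefile hunk creates `/etc/nginx/module.d/`; as I understand it nginx treats an unmatched include glob as empty, so a system with no module packages still starts.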
Signed-off-by: Christian Marangi --- net/nginx/Config_ssl.in | 54 ----- net/nginx/Makefile | 225 +++++++++++------- .../files-luci-support/60_nginx-luci-support | 8 +- 3 files changed, 147 insertions(+), 140 deletions(-) diff --git a/net/nginx/Config_ssl.in b/net/nginx/Config_ssl.in index 02dd8094a..a0daac31e 100644 --- a/net/nginx/Config_ssl.in +++ b/net/nginx/Config_ssl.in @@ -15,21 +15,6 @@ config NGINX_DAV Enable the HTTP and WebDAV methods PUT, DELETE, MKCOL, COPY and MOVE. default n -config NGINX_DAV_EXT - bool - prompt "Enable WebDAV EXT module" - select NGINX_DAV - help - Enable the WebDAV methods PROPFIND, OPTIONS, LOCK, UNLOCK. - default n - -config NGINX_UBUS - bool - prompt "Enable UBUS module" - help - Enable UBUS api support directly from the server. - default y - config NGINX_FLV bool prompt "Enable FLV module" @@ -195,16 +180,6 @@ config NGINX_PCRE prompt "Enable PCRE library usage" default y -config NGINX_NAXSI - bool - prompt "Enable NAXSI module" - default y - -config NGINX_LUA - bool - prompt "Enable Lua module" - default n - config NGINX_HTTP_REAL_IP bool prompt "Enable HTTP real ip module" @@ -219,20 +194,6 @@ config NGINX_HTTP_SUB bool prompt "Enable HTTP sub module" default n - -config NGINX_HEADERS_MORE - bool - prompt "Enable Headers_more module" - help - Set and clear input and output headers...more than "add"! - default y - -config NGINX_HTTP_BROTLI - bool - prompt "Enable Brotli compression module" - help - Add support for brotli compression module. - default n config NGINX_STREAM_CORE_MODULE bool 
@@ -257,19 +218,4 @@ config NGINX_STREAM_SSL_PREREAD_MODULE Add support for NGINX request streaming using information from the ClientHello message without terminating SSL/TLS. default n -config NGINX_RTMP_MODULE - bool - prompt "Enable RTMP module" - help - Add support for NGINX-based Media Streaming Server module. - DASH enhanced - https://github.com/ut0mt8/nginx-rtmp-module - default n - -config NGINX_TS_MODULE - bool - prompt "Enable TS module" - help - Add support for MPEG-TS Live Module module. - default n - endmenu diff --git a/net/nginx/Makefile b/net/nginx/Makefile index 86a7a212f..fc6b9ccc6 100644 --- a/net/nginx/Makefile +++ b/net/nginx/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nginx PKG_VERSION:=1.21.3 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://nginx.org/download/ @@ -27,9 +27,7 @@ PKG_BUILD_FLAGS:=gc-sections PKG_CONFIG_DEPENDS := \ CONFIG_NGINX_DAV \ - CONFIG_NGINX_DAV_EXT \ CONFIG_NGINX_FLV \ - CONFIG_NGINX_UBUS \ CONFIG_NGINX_STUB_STATUS \ CONFIG_NGINX_HTTP_CHARSET \ CONFIG_NGINX_HTTP_GZIP \ @@ -62,17 +60,11 @@ PKG_CONFIG_DEPENDS := \ CONFIG_NGINX_HTTP_CACHE \ CONFIG_NGINX_HTTP_V2 \ CONFIG_NGINX_PCRE \ - CONFIG_NGINX_NAXSI \ - CONFIG_NGINX_LUA \ CONFIG_NGINX_HTTP_REAL_IP \ CONFIG_NGINX_HTTP_SECURE_LINK \ - CONFIG_NGINX_HTTP_BROTLI \ - CONFIG_NGINX_HEADERS_MORE \ CONFIG_NGINX_STREAM_CORE_MODULE \ CONFIG_NGINX_STREAM_SSL_MODULE \ CONFIG_NGINX_STREAM_SSL_PREREAD_MODULE \ - CONFIG_NGINX_RTMP_MODULE \ - CONFIG_NGINX_TS_MODULE \ CONFIG_OPENSSL_ENGINE \ CONFIG_OPENSSL_WITH_NPN 
@@ -101,8 +93,7 @@ define Package/nginx-ssl VARIANT:=ssl DEPENDS+= +NGINX_PCRE:libpcre \ +NGINX_PCRE:nginx-ssl-util +!NGINX_PCRE:nginx-ssl-util-nopcre \ - +NGINX_HTTP_GZIP:zlib +NGINX_LUA:liblua +NGINX_DAV:libxml2 \ - +NGINX_UBUS:libubus +NGINX_UBUS:libblobmsg-json +NGINX_UBUS:libjson-c + +NGINX_HTTP_GZIP:zlib +NGINX_DAV:libxml2 EXTRA_DEPENDS:=nginx-ssl-util$(if $(CONFIG_NGINX_PCRE),,-nopcre) (>=1.5-1) (<2) CONFLICTS:=nginx-all-module endef @@ -114,8 +105,10 @@ Package/nginx-ssl/description = $(Package/nginx/description) \ define Package/nginx-all-module $(Package/nginx/default) TITLE += with ALL module selected - DEPENDS+=+libpcre +nginx-ssl-util +zlib +liblua +libxml2 +libubus \ - +libblobmsg-json +libjson-c + DEPENDS+=+libpcre +nginx-ssl-util +zlib +libxml2 \ + +nginx-mod-ubus +nginx-mod-naxsi +nginx-mod-lua \ + +nginx-mod-dav-ext +nginx-mod-stream +nginx-mod-headers-more \ + +nginx-mod-brotli +nginx-mod-rtmp +nginx-mod-ts EXTRA_DEPENDS:=nginx-ssl-util (>=1.5-1) (<2) VARIANT:=all-module PROVIDES += nginx-ssl @@ -137,7 +130,6 @@ endef Package/nginx-ssl/conffiles = $(Package/nginx/conffiles) Package/nginx-all-module/conffiles = $(Package/nginx/conffiles) - ADDITIONAL_MODULES:= --with-http_ssl_module ifneq ($(BUILD_VARIANT),all-module) @@ -233,12 +225,6 @@ ifneq ($(BUILD_VARIANT),all-module) ifneq ($(CONFIG_NGINX_HTTP_UPSTREAM_KEEPALIVE),y) ADDITIONAL_MODULES += --without-http_upstream_keepalive_module endif - ifeq ($(CONFIG_NGINX_NAXSI),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src - endif - ifeq ($(CONFIG_NGINX_LUA),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/lua-nginx - endif ifeq ($(CONFIG_IPV6),y) ADDITIONAL_MODULES += --with-ipv6 endif 
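Review bot: `nginx-all-module` now pulls in the nginx-mod-* packages, but those packages install `.so` files from a single build of this source (the `module` template in the -333 hunk sets no VARIANT), while the all-module variant is configured with a different feature set than the ssl variant; nginx embeds a signature of compile-time options in every module and refuses to load one whose signature differs from the loading binary, so unless both variants agree on the signature-relevant options the modules may fail at `load_module` time for the all-module binary. Either add `--with-compat` to CONFIGURE_ARGS, the configure flag nginx provides to make that signature independent of most optional features, or pin the module packages to the variant they are meant for and document it. Which variant the module packages are installed from is not visible in this diff.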
@@ -251,12 +237,6 @@ ifneq ($(BUILD_VARIANT),all-module) ifeq ($(CONFIG_NGINX_DAV),y) ADDITIONAL_MODULES += --with-http_dav_module endif - ifeq ($(CONFIG_NGINX_DAV_EXT),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module - endif - ifeq ($(CONFIG_NGINX_UBUS),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-ubus-module - endif ifeq ($(CONFIG_NGINX_HTTP_AUTH_REQUEST),y) ADDITIONAL_MODULES += --with-http_auth_request_module endif 
@@ -272,51 +252,46 @@ ifneq ($(BUILD_VARIANT),all-module) ifeq ($(CONFIG_NGINX_HTTP_SUB),y) ADDITIONAL_MODULES += --with-http_sub_module endif - ifeq ($(CONFIG_NGINX_STREAM_CORE_MODULE),y) - ADDITIONAL_MODULES += --with-stream - endif - ifeq ($(CONFIG_NGINX_STREAM_SSL_MODULE),y) - ADDITIONAL_MODULES += --with-stream_ssl_module - endif - ifeq ($(CONFIG_NGINX_STREAM_SSL_PREREAD_MODULE),y) - ADDITIONAL_MODULES += --with-stream_ssl_preread_module - endif - ifeq ($(CONFIG_NGINX_HEADERS_MORE),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-headers-more - endif - ifeq ($(CONFIG_NGINX_HTTP_BROTLI),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-brotli - endif - ifeq ($(CONFIG_NGINX_RTMP_MODULE),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-rtmp - endif - ifeq ($(CONFIG_NGINX_TS_MODULE),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-ts - endif else - CONFIG_NGINX_HEADERS_MORE:=y - CONFIG_NGINX_HTTP_BROTLI:=y - CONFIG_NGINX_RTMP_MODULE:=y - CONFIG_NGINX_TS_MODULE:=y - CONFIG_NGINX_NAXSI:=y - CONFIG_NGINX_LUA:=y - CONFIG_NGINX_DAV:=y - CONFIG_NGINX_DAV_EXT:=y - CONFIG_NGINX_UBUS:=y ADDITIONAL_MODULES += --with-ipv6 --with-http_stub_status_module --with-http_flv_module \ --with-http_dav_module \ --with-http_auth_request_module --with-http_v2_module --with-http_realip_module \ --with-http_secure_link_module --with-http_sub_module \ - --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \ - --add-module=$(PKG_BUILD_DIR)/nginx-headers-more \ - --add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src \ - --add-module=$(PKG_BUILD_DIR)/lua-nginx \ - --add-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module \ - --add-module=$(PKG_BUILD_DIR)/nginx-brotli --add-module=$(PKG_BUILD_DIR)/nginx-rtmp \ - --add-module=$(PKG_BUILD_DIR)/nginx-ts --add-module=$(PKG_BUILD_DIR)/nginx-ubus-module + --with-stream_ssl_module --with-stream_ssl_preread_module \ config_files += koi-utf koi-win win-utf fastcgi_params uwsgi_params 
endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-naxsi),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-lua),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/lua-nginx +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-dav-ext),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module +endif +ifneq ($(CONFIG_NGINX_STREAM_CORE_MODULE),) + ADDITIONAL_MODULES += --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-ubus),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-ubus-module +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-headers-more),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-headers-more +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-brotli),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-brotli +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-rtmp),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-rtmp +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-ts),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-ts +endif +ifeq ($(CONFIG_NGINX_GEOIP_MODULE),y) + ADDITIONAL_MODULES += --with-http_geoip_module=dynamic +endif + define Package/nginx-mod-luci TITLE:=Nginx on LuCI SECTION:=net @@ -324,7 +299,7 @@ define Package/nginx-mod-luci SUBMENU:=Web Servers/Proxies TITLE:=Support file for Nginx URL:=http://nginx.org/ - DEPENDS:=+uwsgi +uwsgi-luci-support +nginx + DEPENDS:=+uwsgi +uwsgi-luci-support +nginx +nginx-mod-ubus # TODO: add PROVIDES when removing nginx-mod-luci-ssl # PROVIDES:=nginx-mod-luci-ssl endef 
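Review bot: `ifeq ($(CONFIG_NGINX_GEOIP_MODULE),y)` at the end of the new block tests a symbol nothing in this commit defines — it is not in Config_ssl.in, not in PKG_CONFIG_DEPENDS, and no nginx-mod-geoip package installs `ngx_http_geoip_module.so` — so the three lines are dead unless the symbol lives in a file outside this diff; drop them or add the matching config option, PKG_CONFIG_DEPENDS entry and module package. In the all-module branch `--with-stream_ssl_module --with-stream_ssl_preread_module \` is now the last entry yet still ends in a continuation backslash, and those two flags are added again by the `CONFIG_NGINX_STREAM_CORE_MODULE` block (which nginx-all-module's `+nginx-mod-stream` dependency selects), so remove that line and end `--with-http_secure_link_module --with-http_sub_module` without the backslash. The `ifneq ($(BUILD_VARIANT),all-module)` this sits in starts before the hunk.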
@@ -333,10 +308,93 @@ define Package/nginx-mod-luci/description Support file for LuCI in nginx. Include custom nginx configuration, autostart script for uwsgi. endef +NGINX_MODULES := -TARGET_CFLAGS += -fvisibility=hidden -DNGX_LUA_NO_BY_LUA_BLOCK +# $(1) module name +# $(2) module additional dependency +# $(3) module so name (stripped of the finaly _module.so) +# $(4) module description +define module + define Package/nginx-mod-$(strip $(1)) + $(call Package/nginx/default) + DEPENDS:=+nginx-ssl $(2) + TITLE:=Nginx $(1) module + endef -ifeq ($(CONFIG_NGINX_LUA),y) + define Package/nginx-mod-$(strip $(1))/description + $(4) + endef + + define Package/nginx-mod-$(strip $(1))/install + $(INSTALL_DIR) $$(1)/usr/lib/nginx/modules + $(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/$(3)_module.so $$(1)/usr/lib/nginx/modules + endef + + NGINX_MODULES += nginx-mod-$(strip $(1)) +endef + +define brotli + define Package/nginx-mod-brotli + $(call Package/nginx/default) + DEPENDS:=+nginx-ssl + TITLE:=Nginx Brotli module + endef + + define Package/nginx-mod-brotli/description + Add support for brotli compression module. + endef + + define Package/nginx-mod-brotli/install + $(INSTALL_DIR) $$(1)/usr/lib/nginx/modules + $(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/ngx_http_brotli_filter_module.so $$(1)/usr/lib/nginx/modules + $(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/ngx_http_brotli_static_module.so $$(1)/usr/lib/nginx/modules + endef + + NGINX_MODULES += nginx-mod-brotli +endef + +define naxsi + define Package/nginx-mod-naxsi + $(call Package/nginx/default) + DEPENDS:=+nginx-ssl + TITLE:=Nginx naxsi module + endef + + define Package/nginx-mod-naxsi/description + Enable NAXSI module. 
+ endef + + define Package/nginx-mod-naxsi/install + $(INSTALL_DIR) $$(1)/usr/lib/nginx/modules + $(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/ngx_http_naxsi_module.so $$(1)/usr/lib/nginx/modules + + $(INSTALL_DIR) $$(1)/etc/nginx + $(INSTALL_BIN) $$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $$(1)/etc/nginx + chmod 0640 $$(1)/etc/nginx/naxsi_core.rules + + $(INSTALL_BIN) $$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $$(1)/etc/nginx + chmod 0640 $$(1)/etc/nginx/naxsi_core.rules + endef + + NGINX_MODULES += nginx-mod-naxsi +endef + +$(eval $(call module,lua, +liblua,ngx_http_lua, Enable Lua module)) +$(eval $(call module,stream, +@NGINX_STREAM_CORE_MODULE,ngx_stream, Add support for NGINX request streaming.)) +$(eval $(call module,ubus, +libubus +libjson-c +libblobmsg-json +@NGINX_UBUS,ngx_http_ubus, Enable UBUS api support directly from the server.)) +$(eval $(call module,dav-ext, +@NGINX_DAV,ngx_http_dav_ext, Enable the WebDAV methods PROPFIND OPTIONS LOCK UNLOCK.)) +$(eval $(call module,headers-more,,ngx_http_headers_more_filter, Set and clear input and output headers...more than "add"!)) +$(eval $(call module,rtmp,,ngx_rtmp, Add support for NGINX-based Media Streaming Server module. \ + DASH enhanced - https://github.com/ut0mt8/nginx-rtmp-module)) +$(eval $(call module, ts,,ngx_http_ts, Add support for MPEG-TS Live Module module.)) +$(eval $(call brotli)) +$(eval $(call naxsi)) + +PKG_CONFIG_DEPENDS += $(patsubst %,CONFIG_PACKAGE_%,$(NGINX_MODULES)) + +TARGET_CFLAGS += -DNGX_LUA_NO_BY_LUA_BLOCK + +ifneq ($(CONFIG_PACKAGE_nginx-mod-lua),) CONFIGURE_VARS += LUA_INC=$(STAGING_DIR)/usr/include \ LUA_LIB=$(STAGING_DIR)/usr/lib endif @@ -347,6 +405,7 @@ CONFIGURE_ARGS += \ --crossbuild=Linux::$(ARCH) \ --prefix=/usr \ --conf-path=/etc/nginx/nginx.conf \ + --modules-path=/usr/lib/nginx/modules \ $(ADDITIONAL_MODULES) \ --error-log-path=stderr \ --pid-path=/var/run/nginx.pid \ 
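Review bot: `Package/nginx-mod-naxsi/install` installs `naxsi_core.rules` and runs `chmod 0640` on it twice; the second `$(INSTALL_BIN) $$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $$(1)/etc/nginx` / `chmod 0640 $$(1)/etc/nginx/naxsi_core.rules` pair mirrors the duplicate removed from `Package/nginx-ssl/install` in the -374 hunk and should go, and the remaining copy is a data file, so `$(INSTALL_DATA)` rather than `$(INSTALL_BIN)` (the chmod afterwards still tightens it to 0640). The ubus module's DEPENDS `+@NGINX_UBUS` selects a config symbol this same commit deletes from Config_ssl.in, so it is dead unless the symbol is defined elsewhere, whereas `+@NGINX_DAV` and `+@NGINX_STREAM_CORE_MODULE` still exist. `TITLE:=Nginx $(1) module` uses the unstripped argument, which for the `module, ts,…` call yields a double space; use `$(strip $(1))` there as the package name already does.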
@@ -358,7 +417,8 @@ CONFIGURE_ARGS += \ --with-cc="$(TARGET_CC)" \ --with-cc-opt="$(TARGET_CPPFLAGS) $(TARGET_CFLAGS)" \ --with-ld-opt="$(TARGET_LDFLAGS)" \ - --without-http_upstream_zone_module + --without-http_upstream_zone_module \ + --without-pcre2 define Package/nginx-mod-luci/install $(INSTALL_DIR) $(1)/etc/nginx/conf.d @@ -374,13 +434,6 @@ define Package/nginx-ssl/install $(INSTALL_DATA) $(addprefix $(PKG_INSTALL_DIR)/etc/nginx/,$(config_files)) $(1)/etc/nginx/ $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/nginx.init $(1)/etc/init.d/nginx -ifeq ($(CONFIG_NGINX_NAXSI),y) - $(INSTALL_DIR) $(1)/etc/nginx - $(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx - chmod 0640 $(1)/etc/nginx/naxsi_core.rules -endif - $(if $(CONFIG_NGINX_NAXSI),$($(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx)) - $(if $(CONFIG_NGINX_NAXSI),$(chmod 0640 $(1)/etc/nginx/naxsi_core.rules)) endef Package/nginx-all-module/install = $(Package/nginx-ssl/install) @@ -513,13 +566,13 @@ endef define Build/Patch $(if $(QUILT),rm -rf $(PKG_BUILD_DIR)/patches; mkdir -p $(PKG_BUILD_DIR)/patches) $(call PatchDir,$(PKG_BUILD_DIR),$(PATCH_DIR)/nginx,nginx/) -ifneq "$(or $(CONFIG_NGINX_DAV_EXT),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-dav-ext),$(QUILT))" "" $(call PatchDir,$(PKG_BUILD_DIR),$(PATCH_DIR)/dav-nginx,dav-nginx/) endif -ifneq "$(or $(CONFIG_NGINX_LUA),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-lua),$(QUILT))" "" $(call PatchDir,$(PKG_BUILD_DIR),$(PATCH_DIR)/lua-nginx,lua-nginx/) endif -ifneq "$(or $(CONFIG_NGINX_RTMP_MODULE),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-rtmp),$(QUILT))" "" $(call PatchDir,$(PKG_BUILD_DIR),$(PATCH_DIR)/rtmp-nginx,rtmp-nginx/) endif $(if $(QUILT),touch $(PKG_BUILD_DIR)/.quilt_used) 
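Review bot: `--without-pcre2` is added to CONFIGURE_ARGS without a stated reason, which pins this build to the legacy PCRE library (the package's DEPENDS elsewhere in this series pull `libpcre`, not `libpcre2`). Upstream PCRE 8.x is no longer maintained, so regex handling in nginx locations and rewrites stays on a library that will not receive further fixes, while nginx itself has supported PCRE2 for some time. If there is a concrete blocker (for example a helper or module that does not yet build against PCRE2), record it next to the flag, e.g. `# PCRE2 disabled: <component> still links against libpcre; revisit`, otherwise prefer switching the dependency to libpcre2 and dropping the flag.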
@@ -537,42 +590,42 @@ define Build/Prepare mkdir -p $(PKG_BUILD_DIR) $(PKG_UNPACK) -ifeq ($(CONFIG_NGINX_NAXSI),y) +ifneq ($(CONFIG_PACKAGE_nginx-mod-naxsi),) $(eval $(call Download,nginx-naxsi)) $(Prepare/nginx-naxsi) endif -ifneq "$(or $(CONFIG_NGINX_LUA),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-lua),$(QUILT))" "" $(eval $(call Download,lua-nginx)) $(Prepare/lua-nginx) endif -ifeq ($(CONFIG_NGINX_HTTP_BROTLI),y) +ifneq ($(CONFIG_PACKAGE_nginx-mod-brotli),) $(eval $(call Download,nginx-brotli)) $(Prepare/nginx-brotli) endif -ifeq ($(CONFIG_NGINX_HEADERS_MORE),y) +ifneq ($(CONFIG_PACKAGE_nginx-mod-headers-more),) $(eval $(call Download,nginx-headers-more)) $(Prepare/nginx-headers-more) endif -ifneq "$(or $(CONFIG_NGINX_RTMP_MODULE),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-rtmp),$(QUILT))" "" $(eval $(call Download,nginx-rtmp)) $(Prepare/nginx-rtmp) endif -ifeq ($(CONFIG_NGINX_TS_MODULE),y) +ifneq ($(CONFIG_PACKAGE_nginx-mod-ts),) $(eval $(call Download,nginx-ts)) $(Prepare/nginx-ts) endif -ifneq "$(or $(CONFIG_NGINX_DAV_EXT),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-dav-ext),$(QUILT))" "" $(eval $(call Download,nginx-dav-ext-module)) $(Prepare/nginx-dav-ext-module) endif -ifeq ($(CONFIG_NGINX_UBUS),y) +ifneq ($(CONFIG_PACKAGE_nginx-mod-ubus),) $(eval $(call Download,nginx-ubus-module)) $(Prepare/nginx-ubus-module) endif @@ -584,6 +637,8 @@ $(eval $(call BuildPackage,nginx-ssl)) $(eval $(call BuildPackage,nginx-all-module)) $(eval $(call BuildPackage,nginx-mod-luci)) +$(foreach m,$(NGINX_MODULES),$(eval $(call BuildPackage,$(m)))) + # TODO: remove after a transition period (together with pkg nginx-util): # It is for smoothly substituting nginx and nginx-mod-luci-ssl (by nginx-ssl # respectively nginx-mod-luci). Add above commented PROVIDES when removing. diff --git a/net/nginx/files-luci-support/60_nginx-luci-support b/net/nginx/files-luci-support/60_nginx-luci-support index b2564444c..22deb97a3 100644 
--- a/net/nginx/files-luci-support/60_nginx-luci-support +++ b/net/nginx/files-luci-support/60_nginx-luci-support @@ -1,6 +1,6 @@ #!/bin/sh -if nginx -V 2>&1 | grep -q ubus; then +if nginx -V 2>&1 | grep -q ubus && [ -f /usr/lib/nginx/modules/ngx_http_ubus_module.so ]; then if [ -z "$(cat /etc/nginx/conf.d/luci.locations | grep ubus)" ]; then cat <> /etc/nginx/conf.d/luci.locations @@ -9,6 +9,12 @@ location /ubus { ubus_socket_path /var/run/ubus/ubus.sock; ubus_parallel_req 2; } +EOT + fi + + if [ ! -f "/etc/nginx/module.d/luci.module" ]; then + cat <> /etc/nginx/module.d/luci.module +load_module /usr/lib/nginx/modules/ngx_http_ubus_module.so; EOT fi fi From cfce21ffea84e005a9fa6a4091bc9b22fdde416e Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Thu, 20 Apr 2023 13:50:21 +0200 Subject: [PATCH 05/49] nginx: update lua module to latest openresty version Update lua module to latest openrestry version. Additional config are required to correctly use it. Switch it to luajit from liblua as this is what is currently supported for the module since plain lua support was dropped from the module. Signed-off-by: Christian Marangi --- net/nginx/Makefile | 10 +- .../lua-nginx/100-no_by_lua_block.patch | 177 ++++++++++++------ 2 files changed, 121 insertions(+), 66 deletions(-) diff --git a/net/nginx/Makefile b/net/nginx/Makefile index fc6b9ccc6..837383897 100644 --- a/net/nginx/Makefile +++ b/net/nginx/Makefile 
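Review bot: The new block appends `load_module ...` to `/etc/nginx/module.d/luci.module` but never creates `/etc/nginx/module.d`; if that directory is not shipped by the package (nothing in this diff creates it), the redirect fails and the ubus module is silently never loaded. Add `mkdir -p /etc/nginx/module.d` before the `[ ! -f ... ]` test, and consider also verifying that the main nginx.conf includes `module.d/*.module`, since a load_module line in a file that is never included is a no-op. The `cat <> ...` heredoc openers look like an artifact of how this page was rendered rather than the script's actual text, so I have not treated them as a defect.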
@@ -379,7 +379,7 @@ define naxsi NGINX_MODULES += nginx-mod-naxsi endef -$(eval $(call module,lua, +liblua,ngx_http_lua, Enable Lua module)) +$(eval $(call module,lua, +luajit,ngx_http_lua, Enable Lua module)) $(eval $(call module,stream, +@NGINX_STREAM_CORE_MODULE,ngx_stream, Add support for NGINX request streaming.)) $(eval $(call module,ubus, +libubus +libjson-c +libblobmsg-json +@NGINX_UBUS,ngx_http_ubus, Enable UBUS api support directly from the server.)) $(eval $(call module,dav-ext, +@NGINX_DAV,ngx_http_dav_ext, Enable the WebDAV methods PROPFIND OPTIONS LOCK UNLOCK.)) @@ -395,8 +395,8 @@ PKG_CONFIG_DEPENDS += $(patsubst %,CONFIG_PACKAGE_%,$(NGINX_MODULES)) TARGET_CFLAGS += -DNGX_LUA_NO_BY_LUA_BLOCK ifneq ($(CONFIG_PACKAGE_nginx-mod-lua),) - CONFIGURE_VARS += LUA_INC=$(STAGING_DIR)/usr/include \ - LUA_LIB=$(STAGING_DIR)/usr/lib + CONFIGURE_VARS += LUAJIT_INC=$(STAGING_DIR)/usr/include/luajit-* \ + LUAJIT_LIB=$(STAGING_DIR)/usr/lib endif CONFIGURE_VARS += CONFIG_BIG_ENDIAN=$(CONFIG_BIG_ENDIAN) @@ -522,11 +522,11 @@ define Prepare/nginx-naxsi endef define Download/lua-nginx - VERSION:=e94f2e5d64daa45ff396e262d8dab8e56f5f10e0 + VERSION:=68acad14e4a8f42e31d4a4bb5ed44d6f5b55fc1c SUBDIR:=lua-nginx FILE:=lua-nginx-module-$$(VERSION).tar.xz URL:=https://github.com/openresty/lua-nginx-module.git - MIRROR_HASH:=27729921964f066d97e99c263da153b34622a2f4b811114e4c3ee61c6fc71395 + MIRROR_HASH:=366f24e1ba6221e34f6ba20ab29146438438f88c89fd71f9500d169b3f5aedf0 PROTO:=git endef diff --git a/net/nginx/patches/lua-nginx/100-no_by_lua_block.patch b/net/nginx/patches/lua-nginx/100-no_by_lua_block.patch index 968e12d58..1b4d1fef1 100644 --- a/net/nginx/patches/lua-nginx/100-no_by_lua_block.patch +++ b/net/nginx/patches/lua-nginx/100-no_by_lua_block.patch @@ -1,10 +1,9 @@ --- a/lua-nginx/src/ngx_http_lua_module.c 
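Review bot: `LUAJIT_INC=$(STAGING_DIR)/usr/include/luajit-*` leaves a shell glob inside a configure variable; a `VAR=value` prefix assignment is not pathname-expanded by the shell, so whether this resolves at all depends on how lua-nginx-module's config script later uses it, and if staging ever holds more than one `luajit-*` include directory the headers picked are whichever expansion comes first — a reproducibility hazard for the build. Pin the directory to the path the luajit package installs (e.g. `LUAJIT_INC=$(STAGING_DIR)/usr/include/luajit-2.1` if that is the shipped name) or resolve it once with `$(wildcard ...)` and fail the build when the result is empty or ambiguous. `LUAJIT_LIB=$(STAGING_DIR)/usr/lib` is fine as is.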
+++ b/lua-nginx/src/ngx_http_lua_module.c -@@ -165,14 +165,14 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -207,12 +207,14 @@ static ngx_command_t ngx_http_lua_cmds[] offsetof(ngx_http_lua_loc_conf_t, log_socket_errors), NULL }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK { ngx_string("init_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, @@ -12,16 +11,14 @@ NGX_HTTP_MAIN_CONF_OFFSET, 0, (void *) ngx_http_lua_init_by_inline }, -- +#endif + { ngx_string("init_by_lua"), NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, - ngx_http_lua_init_by_lua, -@@ -186,14 +186,14 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_MAIN_CONF_OFFSET, +@@ -228,12 +230,14 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_init_by_file }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK { ngx_string("init_worker_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, 
@@ -29,141 +26,157 @@ NGX_HTTP_MAIN_CONF_OFFSET, 0, (void *) ngx_http_lua_init_worker_by_inline }, -- +#endif + { ngx_string("init_worker_by_lua"), NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, - ngx_http_lua_init_worker_by_lua, -@@ -209,6 +209,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -249,12 +253,14 @@ static ngx_command_t ngx_http_lua_cmds[] + 0, (void *) ngx_http_lua_init_worker_by_file }, ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + { ngx_string("exit_worker_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, + ngx_http_lua_exit_worker_by_lua_block, + NGX_HTTP_MAIN_CONF_OFFSET, + 0, + (void *) ngx_http_lua_exit_worker_by_inline }, ++#endif + + { ngx_string("exit_worker_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, +@@ -264,6 +270,7 @@ static ngx_command_t ngx_http_lua_cmds[] + (void *) ngx_http_lua_exit_worker_by_file }, + #if defined(NDK) && NDK +#ifndef NGX_LUA_NO_BY_LUA_BLOCK - /* set_by_lua $res { inline Lua code } [$arg1 [$arg2 [...]]] */ + /* set_by_lua_block $res { inline Lua code } */ { ngx_string("set_by_lua_block"), NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -217,7 +218,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -272,6 +279,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_filter_set_by_lua_inline }, -- +#endif + /* set_by_lua $res [$arg1 [$arg2 [...]]] */ { ngx_string("set_by_lua"), - NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -245,7 +246,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -292,6 +300,7 @@ static ngx_command_t ngx_http_lua_cmds[] + (void *) ngx_http_lua_filter_set_by_lua_file }, + #endif + ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + /* server_rewrite_by_lua_block { } */ + { ngx_string("server_rewrite_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, +@@ -299,6 +308,7 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_SRV_CONF_OFFSET, + 0, + (void 
*) ngx_http_lua_server_rewrite_handler_inline }, ++#endif + + /* server_rewrite_by_lua_file filename; */ + { ngx_string("server_rewrite_by_lua_file"), +@@ -317,6 +327,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_rewrite_handler_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* rewrite_by_lua_block { } */ { ngx_string("rewrite_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -254,7 +255,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -325,6 +336,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_rewrite_handler_inline }, -- +#endif + /* access_by_lua "" */ { ngx_string("access_by_lua"), - NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -263,7 +264,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -335,6 +347,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_access_handler_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* access_by_lua_block { } */ { ngx_string("access_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -272,7 +273,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -343,6 +356,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_access_handler_inline }, -- +#endif + /* content_by_lua "" */ { ngx_string("content_by_lua"), - NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_TAKE1, -@@ -280,7 +281,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -352,6 +366,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_content_handler_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* content_by_lua_block { } */ { ngx_string("content_by_lua_block"), NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, -@@ -288,7 +289,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -359,6 +374,7 @@ static ngx_command_t ngx_http_lua_cmds[] 
NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_content_handler_inline }, -- +#endif + /* log_by_lua */ { ngx_string("log_by_lua"), - NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -297,7 +298,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -369,6 +385,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_log_handler_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* log_by_lua_block { } */ { ngx_string("log_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -306,7 +307,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -377,6 +394,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_log_handler_inline }, -- +#endif + { ngx_string("rewrite_by_lua_file"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF - |NGX_CONF_TAKE1, -@@ -361,7 +362,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -433,6 +451,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_header_filter_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* header_filter_by_lua_block { } */ { ngx_string("header_filter_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -370,7 +371,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -441,6 +460,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_header_filter_inline }, -- +#endif + { ngx_string("header_filter_by_lua_file"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF - |NGX_CONF_TAKE1, -@@ -386,7 +387,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -458,6 +478,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_body_filter_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* body_filter_by_lua_block { } */ { ngx_string("body_filter_by_lua_block"), 
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -395,7 +396,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -466,6 +487,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_body_filter_inline }, -- +#endif + { ngx_string("body_filter_by_lua_file"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF - |NGX_CONF_TAKE1, -@@ -403,14 +404,14 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -475,12 +497,14 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_body_filter_file }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK { ngx_string("balancer_by_lua_block"), NGX_HTTP_UPS_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, @@ -171,16 +184,29 @@ NGX_HTTP_SRV_CONF_OFFSET, 0, (void *) ngx_http_lua_balancer_handler_inline }, -- +#endif + { ngx_string("balancer_by_lua_file"), NGX_HTTP_UPS_CONF|NGX_CONF_TAKE1, - ngx_http_lua_balancer_by_lua, -@@ -517,14 +518,14 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -585,12 +609,14 @@ static ngx_command_t ngx_http_lua_cmds[] offsetof(ngx_http_lua_loc_conf_t, ssl_ciphers), NULL }, -- + ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + { ngx_string("ssl_client_hello_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, + ngx_http_lua_ssl_client_hello_by_lua_block, + NGX_HTTP_SRV_CONF_OFFSET, + 0, + (void *) ngx_http_lua_ssl_client_hello_handler_inline }, ++#endif + + { ngx_string("ssl_client_hello_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, +@@ -599,12 +625,14 @@ static ngx_command_t ngx_http_lua_cmds[] + 0, + (void *) ngx_http_lua_ssl_client_hello_handler_file }, + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK { ngx_string("ssl_certificate_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, 
@@ -188,8 +214,37 @@ NGX_HTTP_SRV_CONF_OFFSET, 0, (void *) ngx_http_lua_ssl_cert_handler_inline }, -- +#endif + { ngx_string("ssl_certificate_by_lua_file"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, - ngx_http_lua_ssl_cert_by_lua, +@@ -613,12 +641,14 @@ static ngx_command_t ngx_http_lua_cmds[] + 0, + (void *) ngx_http_lua_ssl_cert_handler_file }, + ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + { ngx_string("ssl_session_store_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, + ngx_http_lua_ssl_sess_store_by_lua_block, + NGX_HTTP_SRV_CONF_OFFSET, + 0, + (void *) ngx_http_lua_ssl_sess_store_handler_inline }, ++#endif + + { ngx_string("ssl_session_store_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, +@@ -627,12 +657,14 @@ static ngx_command_t ngx_http_lua_cmds[] + 0, + (void *) ngx_http_lua_ssl_sess_store_handler_file }, + ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + { ngx_string("ssl_session_fetch_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, + ngx_http_lua_ssl_sess_fetch_by_lua_block, + NGX_HTTP_SRV_CONF_OFFSET, + 0, + (void *) ngx_http_lua_ssl_sess_fetch_handler_inline }, ++#endif + + { ngx_string("ssl_session_fetch_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, From 4611ca0b0abd81a463c5dc614ecb6bc3a96e32e9 Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Thu, 20 Apr 2023 14:17:20 +0200 Subject: [PATCH 06/49] nginx: update to 1.24.0 and update headers-more module Update nginx to 1.24.0 and update headers-more module to fix compilation error. Signed-off-by: Christian Marangi --- net/nginx/Makefile | 10 +++++----- .../patches/nginx/201-ignore-invalid-options.patch | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/net/nginx/Makefile b/net/nginx/Makefile index 837383897..4fc95b487 100644 --- a/net/nginx/Makefile +++ b/net/nginx/Makefile 
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nginx -PKG_VERSION:=1.21.3 -PKG_RELEASE:=4 +PKG_VERSION:=1.24.0 +PKG_RELEASE:=1 PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://nginx.org/download/ -PKG_HASH:=14774aae0d151da350417efc4afda5cce5035056e71894836797e1f6e2d1175a +PKG_HASH:=77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d PKG_MAINTAINER:=Thomas Heil \ Ansuel Smith @@ -452,11 +452,11 @@ endef Package/nginx-all-module/prerm = $(Package/nginx-ssl/prerm) define Download/nginx-headers-more - VERSION:=a9f7c7e86cc7441d04e2f11f01c2e3a9c4b0301d + VERSION:=bea1be3bbf6af28f6aa8cf0c01c07ee1637e2bd0 SUBDIR:=nginx-headers-more FILE:=headers-more-nginx-module-$$(VERSION).tar.xz URL:=https://github.com/openresty/headers-more-nginx-module.git - MIRROR_HASH:=ce0b9996ecb2cff790831644d6ab1adc087aa2771d77d3931c06246d11bc59fd + MIRROR_HASH:=3617bbf7a935208a1d8d5f86a8f9b770f6987e4d2b5663a9ab1b777217e3066b PROTO:=git endef diff --git a/net/nginx/patches/nginx/201-ignore-invalid-options.patch b/net/nginx/patches/nginx/201-ignore-invalid-options.patch index d208bf507..8ea567167 100644 --- a/net/nginx/patches/nginx/201-ignore-invalid-options.patch +++ b/net/nginx/patches/nginx/201-ignore-invalid-options.patch @@ -1,6 +1,6 @@ --- a/auto/options +++ b/auto/options -@@ -400,8 +400,7 @@ $0: warning: the \"--with-sha1-asm\" opt +@@ -402,8 +402,7 @@ $0: warning: the \"--with-sha1-asm\" opt --test-build-solaris-sendfilev) NGX_TEST_BUILD_SOLARIS_SENDFILEV=YES ;; *) From c4b27ff6d59627faa172a903e2d7eceb96e0b886 Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Thu, 20 Apr 2023 21:11:11 +0200 Subject: [PATCH 07/49] nginx: rename nginx-all-module to nginx-full Rename nginx-all-module to nginx-full to follow pattern used by other package and other projects. Signed-off-by: Christian Marangi --- net/nginx/Makefile | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
diff --git a/net/nginx/Makefile b/net/nginx/Makefile index 4fc95b487..fe8462d69 100644 --- a/net/nginx/Makefile +++ b/net/nginx/Makefile @@ -95,14 +95,14 @@ define Package/nginx-ssl +NGINX_PCRE:nginx-ssl-util +!NGINX_PCRE:nginx-ssl-util-nopcre \ +NGINX_HTTP_GZIP:zlib +NGINX_DAV:libxml2 EXTRA_DEPENDS:=nginx-ssl-util$(if $(CONFIG_NGINX_PCRE),,-nopcre) (>=1.5-1) (<2) - CONFLICTS:=nginx-all-module + CONFLICTS:=nginx-full endef Package/nginx-ssl/description = $(Package/nginx/description) \ This variant is compiled with SSL support enabled. To enable additional module \ select them in the nginx default configuration menu. -define Package/nginx-all-module +define Package/nginx-full $(Package/nginx/default) TITLE += with ALL module selected DEPENDS+=+libpcre +nginx-ssl-util +zlib +libxml2 \ @@ -114,7 +114,7 @@ define Package/nginx-all-module PROVIDES += nginx-ssl endef -Package/nginx-all-module/description = $(Package/nginx/description) \ +Package/nginx-full/description = $(Package/nginx/description) \ This variant is compiled with ALL module selected. define Package/nginx-ssl/config @@ -128,7 +128,7 @@ define Package/nginx/conffiles endef Package/nginx-ssl/conffiles = $(Package/nginx/conffiles) -Package/nginx-all-module/conffiles = $(Package/nginx/conffiles) +Package/nginx-full/conffiles = $(Package/nginx/conffiles) ADDITIONAL_MODULES:= --with-http_ssl_module @@ -436,7 +436,7 @@ define Package/nginx-ssl/install $(INSTALL_BIN) ./files/nginx.init $(1)/etc/init.d/nginx endef -Package/nginx-all-module/install = $(Package/nginx-ssl/install) +Package/nginx-full/install = $(Package/nginx-ssl/install) define Package/nginx-ssl/prerm #!/bin/sh @@ -449,7 +449,7 @@ rm -f "$$(uci get "nginx.$${LAN_NAME}.ssl_certificate_key")" exit 0 endef -Package/nginx-all-module/prerm = $(Package/nginx-ssl/prerm) +Package/nginx-full/prerm = $(Package/nginx-ssl/prerm) define Download/nginx-headers-more VERSION:=bea1be3bbf6af28f6aa8cf0c01c07ee1637e2bd0 
@@ -634,7 +634,7 @@ endif endef $(eval $(call BuildPackage,nginx-ssl)) -$(eval $(call BuildPackage,nginx-all-module)) +$(eval $(call BuildPackage,nginx-full)) $(eval $(call BuildPackage,nginx-mod-luci)) $(foreach m,$(NGINX_MODULES),$(eval $(call BuildPackage,$(m)))) From 130e63931fe99b1e47989bb708543c5ebc12152a Mon Sep 17 00:00:00 2001 From: Nick Hainke Date: Tue, 25 Apr 2023 23:37:11 +0200 Subject: [PATCH 08/49] libreswan: update to 4.10 Release Notes: https://github.com/libreswan/libreswan/releases/tag/v4.10 Fixes: CVE-2023-23009 Signed-off-by: Nick Hainke --- net/libreswan/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/libreswan/Makefile b/net/libreswan/Makefile index 6a8329b83..952720892 100644 --- a/net/libreswan/Makefile +++ b/net/libreswan/Makefile @@ -7,12 +7,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libreswan -PKG_VERSION:=4.9 -PKG_RELEASE:=2 +PKG_VERSION:=4.10 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://download.libreswan.org/ -PKG_HASH:=f642dcb635e909564ca8fd99ea44ab43f60723b4d76c158ed812978c45b398b9 +PKG_HASH:=5a9400c25a8edba07420426fb55dcbaafdaa3702e5b0f2c19205a6c567248a7b PKG_MAINTAINER:=Lucian Cristian PKG_LICENSE:=GPL-2.0-or-later From 16acda226255748c0501d64dd317ef0a844660f3 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Fri, 28 Apr 2023 12:07:06 +0200 Subject: [PATCH 09/49] banip: update 0.8.4-2 * fix domain lookup function (parse banIP config vars) * update readme Signed-off-by: Dirk Brenken --- net/banip/Makefile | 2 +- net/banip/files/README.md | 102 ++++++++++++++--------------- net/banip/files/banip-functions.sh | 1 + 3 files changed, 53 insertions(+), 52 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index dbee9b992..37ae93440 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile 
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip PKG_VERSION:=0.8.4 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/README.md b/net/banip/files/README.md index 00cb83f5b..cca75823d 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md 
@@ -124,57 +124,57 @@ Available commands: ## banIP config options -| Option | Type | Default | Description | -| :---------------------- | :----- | :---------------------------- | :-------------------------------------------------------------------------------------------- | -| ban_enabled | option | 0 | enable the banIP service | -| ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) | -| ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) | -| ban_loglimit | option | 100 | scan only the last n log entries permanently. Set it to '0' to disable the monitor | -| ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious | -| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) | -| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets | -| ban_debug | option | 0 | enable banIP related debug logging | -| ban_loginput | option | 1 | log drops in the wan-input chain | -| ban_logforwardwan | option | 1 | log drops in the wan-forward chain | -| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain | -| ban_autoallowlist | option | 1 | add wan IPs/subnets automatically to the local allowlist | -| ban_autoblocklist | option | 1 | add suspicious attacker IPs automatically to the local blocklist | -| ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs | -| ban_basedir | option | /tmp | base working directory while banIP processing | -| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files | -| ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files | -| ban_protov4 | option | - / autodetect | enable IPv4 support | -| ban_protov6 | option | - / autodetect | enable IPv4 support | -| ban_ifv4 | list | - / autodetect | logical wan IPv4 
interfaces, e.g. 'wan' | -| ban_ifv6 | list | - / autodetect | logical wan IPv6 interfaces, e.g. 'wan6' | -| ban_dev | list | - / autodetect | wan device(s), e.g. 'eth2' | -| ban_trigger | list | - | logical startup trigger interface(s), e.g. 'wan' | -| ban_triggerdelay | option | 10 | trigger timeout before banIP processing begins | -| ban_triggeraction | option | start | trigger action on ifup events, e.g. start, restart or reload | -| ban_deduplicate | option | 1 | deduplicate IP addresses across all active sets | -| ban_splitsize | option | 0 | split ext. sets after every n lines/members (saves RAM) | -| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) | -| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug | -| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) | -| ban_nftpolicy | option | memory | nft policy for banIP-related sets, values: memory, performance | -| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' | -| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) | -| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' | -| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' | -| ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' | -| ban_blockinput | list | - | limit a feed to the wan-input chain, e.g. 'country' | -| ban_blockforwardwan | list | - | limit a feed to the wan-forward chain, e.g. 'debl' | -| ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 
'doh' | -| ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' | -| ban_fetchparm | option | - / autodetect | set the config options for the selected download utility | -| ban_fetchinsecure | option | 0 | don't check SSL server certificates during download | -| ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails | -| ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails | -| ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails | -| ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails | -| ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run | -| ban_reportelements | option | 1 | list set elements in the report, disable this to speed up the report significantly | -| ban_resolver | option | - | external resolver used for DNS lookups | +| Option | Type | Default | Description | +| :---------------------- | :----- | :---------------------------- | :----------------------------------------------------------------------------------------------------------- | +| ban_enabled | option | 0 | enable the banIP service | +| ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) | +| ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) | +| ban_loglimit | option | 100 | scan only the last n log entries permanently. 
Set it to '0' to disable the monitor | +| ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious | +| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) | +| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets | +| ban_debug | option | 0 | enable banIP related debug logging | +| ban_loginput | option | 1 | log drops in the wan-input chain | +| ban_logforwardwan | option | 1 | log drops in the wan-forward chain | +| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain | +| ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) | +| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) | +| ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs | +| ban_basedir | option | /tmp | base working directory while banIP processing | +| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files | +| ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files | +| ban_protov4 | option | - / autodetect | enable IPv4 support | +| ban_protov6 | option | - / autodetect | enable IPv4 support | +| ban_ifv4 | list | - / autodetect | logical wan IPv4 interfaces, e.g. 'wan' | +| ban_ifv6 | list | - / autodetect | logical wan IPv6 interfaces, e.g. 'wan6' | +| ban_dev | list | - / autodetect | wan device(s), e.g. 'eth2' | +| ban_trigger | list | - | logical startup trigger interface(s), e.g. 'wan' | +| ban_triggerdelay | option | 10 | trigger timeout before banIP processing begins | +| ban_triggeraction | option | start | trigger action on ifup events, e.g. 
start, restart or reload | +| ban_deduplicate | option | 1 | deduplicate IP addresses across all active sets | +| ban_splitsize | option | 0 | split ext. sets after every n lines/members (saves RAM) | +| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) | +| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug | +| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) | +| ban_nftpolicy | option | memory | nft policy for banIP-related sets, values: memory, performance | +| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' | +| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) | +| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' | +| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' | +| ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' | +| ban_blockinput | list | - | limit a feed to the wan-input chain, e.g. 'country' | +| ban_blockforwardwan | list | - | limit a feed to the wan-forward chain, e.g. 'debl' | +| ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 
'doh' | +| ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' | +| ban_fetchparm | option | - / autodetect | set the config options for the selected download utility | +| ban_fetchinsecure | option | 0 | don't check SSL server certificates during download | +| ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails | +| ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails | +| ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails | +| ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails | +| ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run | +| ban_reportelements | option | 1 | list set elements in the report, disable this to speed up the report significantly | +| ban_resolver | option | - | external resolver used for DNS lookups | ## Examples **banIP report information** diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 18fd331d8..36442381e 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -1018,6 +1018,7 @@ f_getstatus() { f_lookup() { local cnt list domain lookup ip elementsv4 elementsv6 start_time end_time duration cnt_domain="0" cnt_ip="0" feed="${1}" + [ -z "${ban_dev}" ] && f_conf start_time="$(date "+%s")" if [ "${feed}" = "allowlist" ]; then list="$("${ban_awkcmd}" '/^([[:alnum:]_-]{1,63}\.)+[[:alpha:]]+([[:space:]]|$)/{printf "%s ",tolower($1)}' "${ban_allowlist}" 2>/dev/null)" From febf921d101eb11d87e7910a6bc23415bf8e625f Mon Sep 17 00:00:00 2001 
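Review bot: The added guard `[ -z "${ban_dev}" ] && f_conf` uses an empty ban_dev as the signal that the configuration has not been loaded yet, which only holds if f_conf always populates ban_dev; the README rows above list it as autodetected, so if autodetection yields nothing f_lookup would presumably re-run f_conf on every call. A one-line comment would make the intent explicit for the next reader, e.g. `# f_lookup may run before f_conf (ban_dev unset): load the config first`. f_lookup's body continues past the hunk.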
From: =?UTF-8?q?Tom=20St=C3=B6veken?= Date: Thu, 27 Apr 2023 18:33:41 +0200 Subject: [PATCH 10/49] restic: update to 0.15.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Maintainer: Tom Stöveken Compile tested: SDK for OpenWrt 22.03.4 Run tested: x86/64 @ Intel(R) Celeron(R) CPU N3160 @ 1.60GHz, OpenWrt 22.03.4 Description: Updated to version 0.15.2 Signed-off-by: Tom Stöveken
---
 utils/restic/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/utils/restic/Makefile b/utils/restic/Makefile
index 7f08ccf4f..05156391c 100644
--- a/utils/restic/Makefile
+++ b/utils/restic/Makefile
@@ -1,12 +1,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=restic
-PKG_VERSION:=0.15.1
+PKG_VERSION:=0.15.2
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/restic/restic/tar.gz/v${PKG_VERSION}?
-PKG_HASH:=fce382fdcdac0158a35daa640766d5e8a6e7b342ae2b0b84f2aacdff13990c52
+PKG_HASH:=52aca841486eaf4fe6422b059aa05bbf20db94b957de1d3fca019ed2af8192b7
 PKG_LICENSE:=BSD-2-Clause
 PKG_LICENSE_FILES:=LICENSE
From eb7275402e6559514e2322a1ef2dabaf7147153b Mon Sep 17 00:00:00 2001 
From: Stepan Henek Date: Thu, 27 Apr 2023 15:02:18 +0200 Subject: [PATCH 11/49] python-eventlet: bump to version 0.33.3 old eventlet is not working well with python3.10 ``` root@turris:~# python3 Python 3.10.9 (main, Feb 9 2023, 10:37:45) [GCC 11.2.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import eventlet Traceback (most recent call last): File "", line 1, in File "/usr/lib/python3.10/site-packages/eventlet/__init__.py", line 17, in File "/usr/lib/python3.10/site-packages/eventlet/convenience.py", line 7, in File "/usr/lib/python3.10/site-packages/eventlet/green/socket.py", line 4, in File "/usr/lib/python3.10/site-packages/eventlet/green/_socket_nodns.py", line 11, in File "/usr/lib/python3.10/site-packages/eventlet/greenio/__init__.py", line 3, in File "/usr/lib/python3.10/site-packages/eventlet/greenio/base.py", line 32, in File "/usr/lib/python3.10/site-packages/eventlet/timeout.py", line 166, in wrap_is_timeout TypeError: cannot set 'is_timeout' attribute of immutable type 'TimeoutError' ``` see 0.33.3 release notes for details - https://eventlet.net/doc/changelog.html#id1 Signed-off-by: Stepan Henek
---
 lang/python/python-eventlet/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lang/python/python-eventlet/Makefile b/lang/python/python-eventlet/Makefile
index a2d364aad..8b01f5be2 100644
--- a/lang/python/python-eventlet/Makefile
+++ b/lang/python/python-eventlet/Makefile
@@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=python-eventlet
-PKG_VERSION:=0.30.2
+PKG_VERSION:=0.33.3
 PKG_RELEASE:=1
 PYPI_NAME:=eventlet
-PKG_HASH:=1811b122d9a45eb5bafba092d36911bca825f835cb648a862bbf984030acff9d
+PKG_HASH:=722803e7eadff295347539da363d68ae155b8b26ae6a634474d0a920be73cfda
 PKG_MAINTAINER:=Jan Pavlinec
 PKG_LICENSE:=MIT
From ab94144b879139643a22931de632825a825356a6 Mon Sep 17 00:00:00 2001 
From: Javier Marcet Date: Sun, 23 Apr 2023 15:25:36 +0200 Subject: [PATCH 12/49] samba4: decouple quotas from vfs option Signed-off-by: Javier Marcet --- net/samba4/Config.in | 12 +++++++++++- net/samba4/Makefile | 12 ++++++++---- 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/net/samba4/Config.in b/net/samba4/Config.in index d287effa5..21cbb1dc2 100644 --- a/net/samba4/Config.in +++ b/net/samba4/Config.in @@ -31,12 +31,22 @@ config SAMBA4_SERVER_AVAHI Announce Samba resources via DNS/DNS-SD using the Avahi daemon, for Linux/Mac clients. default y +config SAMBA4_SERVER_QUOTAS + bool "Quotas support" + depends on PACKAGE_samba4-server + select SAMBA4_SERVER_VFS + help + Enable VFS Quotas + installs: + modules: vfs_default_quota + default n + config SAMBA4_SERVER_VFS bool "Common VFS modules" depends on PACKAGE_samba4-server help installs: - modules: (vfs_btrfs) vfs_fruit vfs_shadow_copy2 vfs_recycle vfs_fake_perms vfs_readonly vfs_cap vfs_offline vfs_crossrename vfs_catia vfs_streams_xattr vfs_default_quota + modules: (vfs_btrfs) vfs_fruit vfs_shadow_copy2 vfs_recycle vfs_fake_perms vfs_readonly vfs_cap vfs_offline vfs_crossrename vfs_catia vfs_streams_xattr Commonly used VFS modules, vfs_btrfs requires kmod-fs-btrfs to be selected separately default y diff --git a/net/samba4/Makefile b/net/samba4/Makefile index cdd05443c..4144ee152 100644 --- a/net/samba4/Makefile +++ b/net/samba4/Makefile @@ -28,6 +28,7 @@ PKG_BUILD_DEPENDS:=samba4/host libtasn1/host perl/host PKG_CONFIG_DEPENDS:= \ CONFIG_SAMBA4_SERVER_NETBIOS \ CONFIG_SAMBA4_SERVER_AVAHI \ + CONFIG_SAMBA4_SERVER_QUOTAS \ CONFIG_SAMBA4_SERVER_VFS \ CONFIG_SAMBA4_SERVER_VFSX \ CONFIG_SAMBA4_SERVER_AD_DC \ @@ -122,7 +123,7 @@ define Package/samba4-utils endef define Package/samba4-utils/description - installs: smbstatus smbtree mvxattr smbtar smbcquotas + installs: smbstatus smbtree mvxattr smbtar (smbcquotas) Utilities collection endef 
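Review bot: `default n` on the new SAMBA4_SERVER_QUOTAS entry is already the Kconfig default for a bool and the neighbouring entries only spell out `default y`, so it can be dropped for consistency. The `select SAMBA4_SERVER_VFS` line is what makes the nested `ifeq ($(CONFIG_SAMBA4_SERVER_QUOTAS),y)` inside the VFS block in the Makefile (hunk @@ -258) safe, since vfs_default_quota can then never be requested without the VFS module set; that coupling is worth stating in the help text, e.g. `Pulls in the common VFS modules (selected automatically).`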
@@ -231,7 +232,7 @@ CONFIGURE_ARGS += \ --with-privatedir=/etc/samba # features -ifeq ($(CONFIG_SAMBA4_SERVER_VFS),y) +ifeq ($(CONFIG_SAMBA4_SERVER_QUOTAS),y) CONFIGURE_ARGS += --with-quotas else CONFIGURE_ARGS += --without-quotas @@ -258,7 +259,10 @@ ifdef CONFIG_KERNEL_IO_URING SAMBA4_VFS_MODULES_SHARED :=$(SAMBA4_VFS_MODULES_SHARED)vfs_io_uring, endif ifeq ($(CONFIG_SAMBA4_SERVER_VFS),y) - SAMBA4_VFS_MODULES_SHARED :=$(SAMBA4_VFS_MODULES_SHARED)vfs_fruit,vfs_shadow_copy2,vfs_recycle,vfs_fake_perms,vfs_readonly,vfs_cap,vfs_offline,vfs_crossrename,vfs_catia,vfs_streams_xattr,vfs_xattr_tdb,vfs_default_quota,vfs_widelinks, + SAMBA4_VFS_MODULES_SHARED :=$(SAMBA4_VFS_MODULES_SHARED)vfs_fruit,vfs_shadow_copy2,vfs_recycle,vfs_fake_perms,vfs_readonly,vfs_cap,vfs_offline,vfs_crossrename,vfs_catia,vfs_streams_xattr,vfs_xattr_tdb,vfs_widelinks, +ifeq ($(CONFIG_SAMBA4_SERVER_QUOTAS),y) + SAMBA4_VFS_MODULES_SHARED :=$(SAMBA4_VFS_MODULES_SHARED)vfs_default_quota, +endif ifdef CONFIG_PACKAGE_kmod-fs-btrfs SAMBA4_VFS_MODULES_SHARED :=$(SAMBA4_VFS_MODULES_SHARED)vfs_btrfs, endif @@ -407,7 +411,7 @@ endef define Package/samba4-utils/install $(INSTALL_DIR) $(1)/usr/bin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/{smbstatus,smbtree,mvxattr,smbtar} $(1)/usr/bin/ -ifeq ($(CONFIG_SAMBA4_SERVER_VFS),y) +ifeq ($(CONFIG_SAMBA4_SERVER_QUOTAS),y) $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/smbcquotas $(1)/usr/bin/ endif endef From cdfff4a69327a3ed5f4f455090b4908c3df17dd1 Mon Sep 17 00:00:00 2001 
From: Stan Grishin Date: Mon, 1 May 2023 00:44:34 +0000 Subject: [PATCH 13/49] pbr: update to 1.1.1-1 *** MAKEFILE *** * remove libubus dependency as it was causing issues https://forum.openwrt.org/t/policy-based-routing-pbr-package-discussion/140639/318 * move firewall hotplug directory/file creation out of default section into pbr and pbr-iptables packages sections in preparation for dropping it from pbr * fix no new line after output when uninstalling packages *** UCI-DEFAULTS *** * only add firewall include to firewall config if the include file exists * add shellcheck exception to netifd uci-defaults file *** SCRIPTS *** * more informative logging for firewall and iface hotplug scripts * more informative logging for firewall include script *** SERVICE *** * introduce lock-file to prevent package starting on external events if it hasn't been auto- or manually started before * use the `ip`, not `ip-full` command to prevent errors on OpenWrt 21.02 * parse firewall WAN zone to append list of interfaces * append error and warning "arrays" with new messages * used shared memory to store the service output/logging messages * improve is_ovpn function to filter out false positives when interface names started with `tun` * introduce is_valid_ovpn to find OpenVPN tunnels where the device name in OpenVPN config matches the device name in network config * introduce opkg_get_version to compare versions of principal and luci packages * better code to obtain AdGuardHome version with betas installed * optimize code and add better logging for errors when inserting policies with iptables * optimize code and add better logging for errors when inserting policies with nft * bugfix: insert policies in all specified protocols * bugfix: support using physical devices in policies in nft mode * bugfix: use iptPrefix, not nftPrefix in iptables commands * implement Tor support in nft mode * bugfix: fix spelling for User File Syntax error * restart service fully (instead of quick reload) 
for OpenVPN interface events, as the order/number of supported interfaces * more verbose output (showing handles) of status in nft mode * improve `icmp_interface`, `ignored_interface`, `supported_interface` validation regexes * improve `interface`, validation regex Signed-off-by: Stan Grishin --- net/pbr/Makefile | 18 +- net/pbr/files/etc/hotplug.d/firewall/70-pbr | 4 +- net/pbr/files/etc/hotplug.d/iface/70-pbr | 6 +- net/pbr/files/etc/init.d/pbr.init | 582 ++++++++++-------- net/pbr/files/etc/uci-defaults/90-pbr | 2 + net/pbr/files/etc/uci-defaults/91-pbr | 1 + .../files/usr/share/pbr/pbr.firewall.include | 2 +- 7 files changed, 336 insertions(+), 279 deletions(-) diff --git a/net/pbr/Makefile b/net/pbr/Makefile index 3d8438d9e..9f96686c1 100644 --- a/net/pbr/Makefile +++ b/net/pbr/Makefile @@ -4,8 +4,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=pbr -PKG_VERSION:=1.0.1 -PKG_RELEASE:=16 +PKG_VERSION:=1.1.1 +PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Stan Grishin @@ -17,7 +17,7 @@ define Package/pbr/Default SUBMENU:=Routing and Redirection TITLE:=Policy Based Routing Service URL:=https://docs.openwrt.melmac.net/pbr/ - DEPENDS:=+ip-full +jshn +jsonfilter +libubus +resolveip + DEPENDS:=+ip-full +jshn +jsonfilter +resolveip CONFLICTS:=vpnbypass vpn-policy-routing PKGARCH:=all endef 
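Review bot: Dropping `+libubus` from DEPENDS leaves no declared dependency for ubus, yet the init script in this same patch still shells out to the `ubus` CLI (`ubus call service list ...` in ubus_get_status, ubus_get_iface and is_tor_running), so the runtime requirement becomes undeclared; if the library package was the problem, the CLI package is presumably the accurate replacement, `DEPENDS:=+ip-full +jshn +jsonfilter +resolveip +ubus`, unless it is guaranteed by the base image. The commit message also says the script now uses `ip` rather than `ip-full` at runtime, but `+ip-full` is kept; a short comment above DEPENDS explaining why it is still required would avoid the next reader removing it.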
@@ -79,13 +79,11 @@ define Package/pbr/default/install $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/etc/init.d/pbr.init $(1)/etc/init.d/pbr $(SED) "s|^\(readonly PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/pbr - $(INSTALL_DIR) $(1)/etc/hotplug.d/firewall $(INSTALL_DIR) $(1)/etc/hotplug.d/iface $(INSTALL_DATA) ./files/etc/hotplug.d/iface/70-pbr $(1)/etc/hotplug.d/iface/70-pbr $(INSTALL_DIR) $(1)/etc/uci-defaults $(INSTALL_BIN) ./files/etc/uci-defaults/90-pbr $(1)/etc/uci-defaults/90-pbr $(INSTALL_DIR) $(1)/usr/share/pbr - $(INSTALL_DATA) ./files/usr/share/pbr/pbr.firewall.include $(1)/usr/share/pbr/pbr.firewall.include $(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.aws $(1)/usr/share/pbr/pbr.user.aws $(INSTALL_DATA) ./files/usr/share/pbr/pbr.user.netflix $(1)/usr/share/pbr/pbr.user.netflix endef @@ -94,12 +92,16 @@ define Package/pbr/install $(call Package/pbr/default/install,$(1)) $(INSTALL_DIR) $(1)/etc/config $(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr + $(INSTALL_DIR) $(1)/usr/share/pbr + $(INSTALL_DATA) ./files/usr/share/pbr/pbr.firewall.include $(1)/usr/share/pbr/pbr.firewall.include $(INSTALL_DIR) $(1)/usr/share/nftables.d $(CP) ./files/usr/share/nftables.d/* $(1)/usr/share/nftables.d/ endef define Package/pbr-iptables/install $(call Package/pbr/default/install,$(1)) + $(INSTALL_DIR) $(1)/etc/hotplug.d/firewall + $(INSTALL_DATA) ./files/etc/hotplug.d/firewall/70-pbr $(1)/etc/hotplug.d/firewall/70-pbr $(INSTALL_DIR) $(1)/etc/config $(INSTALL_CONF) ./files/etc/config/pbr.iptables $(1)/etc/config/pbr endef @@ -130,7 +132,7 @@ define Package/pbr/prerm # check if we are on real system if [ -z "$${IPKG_INSTROOT}" ]; then uci -q delete firewall.pbr || true - echo -n "Stopping pbr service... " + echo "Stopping pbr service... " /etc/init.d/pbr stop && echo "OK" || echo "FAIL" echo -n "Removing rc.d symlink for pbr... " /etc/init.d/pbr disable && echo "OK" || echo "FAIL" 
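Review bot: The `$(INSTALL_DIR) $(1)/usr/share/pbr` line added to Package/pbr/install duplicates the one kept in Package/pbr/default/install, which this recipe already runs via `$(call Package/pbr/default/install,$(1))`; it is harmless but redundant and should be dropped so the two recipes do not drift. Since the firewall include and the firewall hotplug script are now installed by different package variants (include by pbr, hotplug by pbr-iptables), a one-line comment in default/install naming what was deliberately left out of the shared recipe would help the next maintainer.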
@@ -162,7 +164,7 @@ define Package/pbr-iptables/prerm # check if we are on real system if [ -z "$${IPKG_INSTROOT}" ]; then uci -q delete firewall.pbr || true - echo -n "Stopping pbr-iptables service... " + echo "Stopping pbr-iptables service... " /etc/init.d/pbr stop && echo "OK" || echo "FAIL" echo -n "Removing rc.d symlink for pbr-iptables... " /etc/init.d/pbr disable && echo "OK" || echo "FAIL" @@ -185,7 +187,7 @@ define Package/pbr-netifd/prerm # check if we are on real system if [ -z "$${IPKG_INSTROOT}" ]; then uci -q delete firewall.pbr || true - echo -n "Stopping pbr-netifd service... " + echo "Stopping pbr-netifd service... " /etc/init.d/pbr stop && echo "OK" || echo "FAIL" echo -n "Removing rc.d symlink for pbr... " /etc/init.d/pbr disable && echo "OK" || echo "FAIL" diff --git a/net/pbr/files/etc/hotplug.d/firewall/70-pbr b/net/pbr/files/etc/hotplug.d/firewall/70-pbr index c129006c5..25b7e58fa 100755 --- a/net/pbr/files/etc/hotplug.d/firewall/70-pbr +++ b/net/pbr/files/etc/hotplug.d/firewall/70-pbr @@ -1,6 +1,6 @@ #!/bin/sh -[ "$ACTION" = "reload" ] ||[ "$ACTION" = "restart" ] || exit 0 +[ "$ACTION" = "reload" ] || [ "$ACTION" = "restart" ] || exit 0 if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then - logger -t "pbr" "Reloading pbr due to $ACTION of firewall" + logger -t "pbr" "Reloading pbr due to firewall action: $ACTION" /etc/init.d/pbr reload fi diff --git a/net/pbr/files/etc/hotplug.d/iface/70-pbr b/net/pbr/files/etc/hotplug.d/iface/70-pbr index 172385a11..bcb0faa7b 100644 --- a/net/pbr/files/etc/hotplug.d/iface/70-pbr +++ b/net/pbr/files/etc/hotplug.d/iface/70-pbr 
@@ -1,8 +1,6 @@ #!/bin/sh # shellcheck disable=SC1091,SC3060 -[ -s /etc/openwrt_release ] && . /etc/openwrt_release -[ "${DISTRIB_RELEASE//19.07}" = "$DISTRIB_RELEASE" ] && exit 0 if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then - logger -t pbr "Reloading pbr $INTERFACE due to $ACTION of $INTERFACE ($DEVICE)" - /etc/init.d/pbr reload_interface "$INTERFACE" + logger -t pbr "Reloading pbr $INTERFACE interface routing due to $ACTION of $INTERFACE ($DEVICE)" + /etc/init.d/pbr on_interface_reload "$INTERFACE" fi diff --git a/net/pbr/files/etc/init.d/pbr.init b/net/pbr/files/etc/init.d/pbr.init index 848dd2e9e..a76bc30a9 100755 --- a/net/pbr/files/etc/init.d/pbr.init +++ b/net/pbr/files/etc/init.d/pbr.init @@ -35,10 +35,10 @@ readonly packageName='pbr' readonly serviceName="$packageName $PKG_VERSION" readonly serviceTrapSignals='exit SIGHUP SIGQUIT SIGKILL' readonly packageConfigFile="/etc/config/${packageName}" +readonly packageLockFile="/var/run/${packageName}.lock" readonly nftTempFile="/var/run/${packageName}.nft" #readonly nftPermFile="/etc/nftables.d/table-post/30-pbr.nft" readonly dnsmasqFile="/var/dnsmasq.d/${packageName}" -readonly sharedMemoryOutput="/dev/shm/$packageName-output" readonly _OK_='\033[0;32m\xe2\x9c\x93\033[0m' readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m' readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m' @@ -46,6 +46,8 @@ readonly __FAIL__='\033[0;31m[\xe2\x9c\x97]\033[0m' readonly _ERROR_='\033[0;31mERROR\033[0m' readonly _WARNING_='\033[0;33mWARNING\033[0m' readonly ip_full='/usr/libexec/ip-full' +# shellcheck disable=SC2155 +readonly ip_bin="$(command -v ip)" readonly ipTablePrefix='pbr' # shellcheck disable=SC2155 readonly iptables="$(command -v iptables)" @@ -96,6 +98,7 @@ ifaceTableID= ifacePriority= ifacesAll= ifacesSupported= +firewallWanZone= wanGW4= wanGW6= serviceStartTrigger= 
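Review bot: The `# shellcheck disable=SC1091,SC3060` directive is now stale: SC1091 covered the removed `. /etc/openwrt_release` sourcing and SC3060 the removed `${DISTRIB_RELEASE//19.07}` substitution, and neither construct remains in the file, so the line should be deleted rather than keep suppressing warnings the script no longer triggers. With the release check gone the script also runs on every iface event on all releases, which is presumably intended but is not stated anywhere in the file.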
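Review bot: `packageLockFile` is not a lock in the mutual-exclusion sense: per the load_environment change later in this patch it is touched on `on_stop` and removed on `on_start`, i.e. it is a stop marker that keeps hotplug and firewall events from starting a service nobody started. The name invites misuse as a mutex, so add a comment at the definition, e.g. `# marker, not a mutex: present while the service is stopped so external events do not start it`, or rename it to something like packageStoppedFile.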
@@ -122,30 +125,32 @@ get_text() { errorPolicyNoSrcDest) r="Policy '%s' has no source/destination parameters!";; errorPolicyNoInterface) r="Policy '%s' has no assigned interface!";; errorPolicyUnknownInterface) r="Policy '%s' has an unknown interface!";; - errorPolicyProcessCMD) r="%s";; + errorPolicyProcessCMD) r="'%s'!";; errorFailedSetup) r="Failed to set up '%s'!";; errorFailedReload) r="Failed to reload '%s'!";; errorUserFileNotFound) r="Custom user file '%s' not found or empty!";; - ererrorUserFileSyntax) r="Syntax error in custom user file '%s'!";; + errorUserFileSyntax) r="Syntax error in custom user file '%s'!";; errorUserFileRunning) r="Error running custom user file '%s'!";; errorUserFileNoCurl) r="Use of 'curl' is detected in custom user file '%s', but 'curl' isn't installed!";; errorNoGateways) r="Failed to set up any gateway!";; - errorResolver) r="Resolver %s";; - errorPolicyProcessNoIpv6) r="Skipping IPv6 policy '%s' as IPv6 support is disabled";; - errorPolicyProcessUnknownFwmark) r="Unknown packet mark for interface '%s'";; - errorPolicyProcessMismatchFamily) r="Mismatched IP family between in policy %s";; - errorPolicyProcessUnknownProtocol) r="Unknown protocol in policy %s";; - errorPolicyProcessInsertionFailed) r="Insertion failed for both IPv4 and IPv6 for policy %s";; - errorPolicyProcessInsertionFailedIpv4) r="Insertion failed for IPv4 for policy %s";; - errorInterfaceRoutingEmptyValues) r="Received empty tid/mark or interface name when setting up routing";; - errorFailedToResolve) r="Failed to resolve %s";; + errorResolver) r="Resolver '%s'!";; + errorPolicyProcessNoIpv6) r="Skipping IPv6 policy '%s' as IPv6 support is disabled!";; + errorPolicyProcessUnknownFwmark) r="Unknown packet mark for interface '%s'!";; + errorPolicyProcessMismatchFamily) r="Mismatched IP family between in policy '%s'!";; + errorPolicyProcessUnknownProtocol) r="Unknown protocol in policy '%s'!";; + errorPolicyProcessInsertionFailed) r="Insertion failed for both IPv4 
and IPv6 for policy '%s'!";; + errorPolicyProcessInsertionFailedIpv4) r="Insertion failed for IPv4 for policy '%s'!";; + errorInterfaceRoutingEmptyValues) r="Received empty tid/mark or interface name when setting up routing!";; + errorFailedToResolve) r="Failed to resolve '%s'!";; + warningInvalidOVPNConfig) r="Invalid OpenVPN config for '%s' interface.";; warningResolverNotSupported) r="Resolver set (${resolver_set}) is not supported on this system.";; - warningAGHVersionTooLow) r="Installed AdGuardHome (%s) doesn't support 'ipset_file' option.";; - warningPolicyProcessCMD) r="%s";; - warningTorUnsetParams) r="Please unset 'src_addr', 'src_port' and 'dest_port' for policy '%s'";; - warningTorUnsetProto) r="Please unset 'proto' or set 'proto' to 'all' for policy '%s'";; - warningTorUnsetChainIpt) r="Please unset 'chain' or set 'chain' to 'PREROUTING' for policy '%s'";; - warningTorUnsetChainNft) r="Please unset 'chain' or set 'chain' to 'prerouting' for policy '%s'";; + warningAGHVersionTooLow) r="Installed AdGuardHome ('%s') doesn't support 'ipset_file' option.";; + warningPolicyProcessCMD) r="'%s'";; + warningTorUnsetParams) r="Please unset 'src_addr', 'src_port' and 'dest_port' for policy '%s'.";; + warningTorUnsetProto) r="Please unset 'proto' or set 'proto' to 'all' for policy '%s'.";; + warningTorUnsetChainIpt) r="Please unset 'chain' or set 'chain' to 'PREROUTING' for policy '%s'.";; + warningTorUnsetChainNft) r="Please unset 'chain' or set 'chain' to 'prerouting' for policy '%s'.";; + warningOutdatedWebUIApp) r="The WebUI application is outdated (version %s), please update it.";; esac echo "$r" } 
@@ -171,6 +176,7 @@ output() { # Can take a single parameter (text) to be output at any verbosity # Or target verbosity level and text to be output at specifc verbosity local msg memmsg logmsg + local sharedMemoryOutput="/dev/shm/$packageName-output" verbosity="${verbosity:-2}" if [ "$#" -ne 1 ]; then if [ $((verbosity & $1)) -gt 0 ] || [ "$verbosity" = "$1" ]; then shift; else return 0; fi @@ -190,8 +196,9 @@ is_present() { command -v "$1" >/dev/null 2>&1; } is_installed() { [ -s "/usr/lib/opkg/info/${1}.control" ]; } is_variant_installed() { [ "$(echo /usr/lib/opkg/info/"${1}"*.control)" != "/usr/lib/opkg/info/${1}*.control" ]; } is_nft() { [ -x "$nft" ] && ! str_contains "$resolver_set" 'ipset' && "$nft" list chains inet | grep -q "${nftPrefix}_prerouting"; } +_find_firewall_wan_zone() { [ "$(uci -q get "firewall.${1}.name")" = "wan" ] && firewallWanZone="$1"; } _build_ifaces_all() { ifacesAll="${ifacesAll}${1} "; } -_build_ifaces_supported() { is_supported_interface "$1" && ifacesSupported="${ifacesSupported}${1} "; } +_build_ifaces_supported() { is_supported_interface "$1" && ! str_contains "$ifacesSupported" "$1" && ifacesSupported="${ifacesSupported}${1} "; } pbr_find_iface() { local iface i param="$2" [ "$param" = 'wan6' ] || param='wan' @@ -209,7 +216,7 @@ pbr_get_gateway() { network_get_gateway gw "$iface" true if [ -z "$gw" ] || [ "$gw" = '0.0.0.0' ]; then # gw="$(ubus call "network.interface.${iface}" status | jsonfilter -e "@.route[0].nexthop")" - gw="$($ip_full -4 a list dev "$dev" 2>/dev/null | grep inet | awk '{print $2}' | awk -F "/" '{print $1}')" + gw="$($ip_bin -4 a list dev "$dev" 2>/dev/null | grep inet | awk '{print $2}' | awk -F "/" '{print $1}')" fi eval "$1"='$gw' } 
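Review bot: The new duplicate check in `_build_ifaces_supported`, `! str_contains "$ifacesSupported" "$1"`, is a substring test if str_contains is the usual case/grep helper (its definition is outside this hunk), so an interface whose name is contained in one already listed — `wan` after `wan6`, or `lan` after `wlan` — is silently dropped. Since entries are appended with a trailing space, anchoring both sides fixes it: `! str_contains " $ifacesSupported" " $1 "`. The same test is repeated in the firewall-zone loop added to load_network (hunk @@ -341), which should use the same anchored form.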
@@ -217,18 +224,20 @@ pbr_get_gateway6() { local iface="$2" dev="$3" gw network_get_gateway6 gw "$iface" true if [ -z "$gw" ] || [ "$gw" = '::/0' ] || [ "$gw" = '::0/0' ] || [ "$gw" = '::' ]; then - gw="$($ip_full -6 a list dev "$dev" 2>/dev/null | grep inet6 | awk '{print $2}')" + gw="$($ip_bin -6 a list dev "$dev" 2>/dev/null | grep inet6 | awk '{print $2}')" fi eval "$1"='$gw' } is_dslite() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:6}" = "dslite" ]; } is_l2tp() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:4}" = "l2tp" ]; } is_oc() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:11}" = "openconnect" ]; } -is_ovpn() { local dev; network_get_device dev "$1"; [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; } +# is_ovpn() { local dev; network_get_device dev "$1"; [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; } +is_ovpn() { local dev; dev="$(uci -q get "network.${1}.device")"; [ -z "$dev" ] && dev="$(uci -q get "network.${1}.dev")"; [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; } +is_valid_ovpn() { local dev_net dev_ovpn; dev_net="$(uci -q get "network.${1}.device")"; [ -z "$dev_net" ] && dev_net="$(uci -q get "network.${1}.dev")"; dev_ovpn="$(uci -q get "openvpn.${1}.dev")"; [ -n "$dev_net" ] && [ -n "$dev_ovpn" ] && [ "$dev_net" = "$dev_ovpn" ]; } is_pptp() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:4}" = "pptp" ]; } is_softether() { local dev; network_get_device dev "$1"; [ "${dev:0:4}" = "vpn_" ]; } is_tor() { [ "$(str_to_lower "$1")" = "tor" ]; } -is_tor_running() { +is_tor_running() { local ret=0 if [ -s "/etc/tor/torrc" ]; then json_load "$(ubus call service list "{ 'name': 'tor' }")" 
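Review bot: The old is_ovpn definition is kept as a commented-out line directly above the new one; commented-out code should be removed, the history is in git. The replacement reads the device name from UCI (`network.<iface>.device`, falling back to `.dev`) instead of the runtime `network_get_device`, so interfaces whose device only exists at runtime would presumably no longer match — a comment on is_ovpn stating that the config value is used on purpose to avoid the `tun*` false positives from the commit message would prevent someone reverting it. is_valid_ovpn additionally assumes the OpenVPN UCI section has the same name as the network interface; note that with `# assumes openvpn.<name> and network.<name> share the section name`.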
@@ -258,7 +267,7 @@ is_domain() { ! is_ipv6 "$1" && str_contains "$1" '[a-zA-Z]'; } is_phys_dev() { [ "${1:0:1}" = "@" ] && ip l show | grep -E -q "^\\d+\\W+${1:1}"; } dnsmasq_kill() { killall -q -s HUP dnsmasq; } dnsmasq_restart() { output 3 'Restarting dnsmasq '; if /etc/init.d/dnsmasq restart >/dev/null 2>&1; then output_okn; else output_failn; fi; } -is_default_dev() { [ "$1" = "$($ip_full -4 r | grep -m1 'dev' | grep -Eso 'dev [^ ]*' | awk '{print $2}')" ]; } +is_default_dev() { [ "$1" = "$($ip_bin -4 r | grep -m1 'dev' | grep -Eso 'dev [^ ]*' | awk '{print $2}')" ]; } is_supported_iface_dev() { local n dev; for n in $ifacesSupported; do network_get_device dev "$n"; [ "$1" = "$dev" ] && return 0; done; return 1; } is_supported_protocol() { grep -o '^[^#]*' /etc/protocols | grep -w -v '0' | grep . | awk '{print $1}' | grep -q "$1"; } is_service_running_iptables() { [ -x "$iptables" ] && "$iptables" -t mangle -L | grep -q "${iptPrefix}_PREROUTING" >/dev/null 2>&1; } @@ -298,6 +307,7 @@ get_nft_sets() { [ -x "$nft" ] && "$nft" list table inet "$nftTable" 2>/dev/null is_ipset_type_supported() { ipset help hash:"$1" >/dev/null 2>&1; } ubus_get_status() { ubus call service list "{ 'name': '$packageName' }" | jsonfilter -e "@.${packageName}.instances.main.data.status.${1}"; } ubus_get_iface() { ubus call service list "{ 'name': '$packageName' }" | jsonfilter -e "@.${packageName}.instances.main.data.interfaces[@.name='${1}']${2:+.$2}"; } +opkg_get_version() { grep -m1 -A1 "$1" '/usr/lib/opkg/status' | grep -m1 'Version: ' | sed 's|Version: \(.*\)|\1|'; } load_package_config() { config_load "$packageName" 
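Review bot: `opkg_get_version` greps `$1` as an unanchored regex over /usr/lib/opkg/status, so the first line containing the name wins — for a short name like `pbr` that can be a `Depends:` line or the `Package: luci-app-pbr` line of another package, and `-A1` then returns an unrelated `Version:`. Anchoring to the Package field keeps the same adjacency assumption the current code already relies on: `opkg_get_version() { grep -m1 -A1 "^Package: ${1}$" '/usr/lib/opkg/status' | grep -m1 'Version: ' | sed 's|Version: \(.*\)|\1|'; }`. `$1` is still interpreted as a regex, so a caller passing a name with dots would need it escaped.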
@@ -341,38 +351,51 @@ load_package_config() { load_environment() { local param="$1" validation_result="$2" load_package_config - - if [ "$param" = 'on_start' ]; then - if [ -n "$validation_result" ] && [ "$validation_result" != '0' ]; then - output "${_ERROR_}: The $packageName config validation failed!\\n" - output "Please check if the '$packageConfigFile' contains correct values for config options.\\n" - state add 'errorSummary' 'errorConfigValidation' - return 1 - fi - if [ "$enabled" -eq 0 ]; then - state add 'errorSummary' 'errorServiceDisabled' - return 1 - fi - if [ ! -x "$ip_full" ]; then - state add 'errorSummary' 'errorNoIpFull' - return 1 - fi - if ! is_nft; then - if [ -z "$iptables" ] || [ ! -x "$iptables" ]; then - state add 'errorSummary' 'errorNoIptables' + case "$param" in + on_start) + if [ -n "$validation_result" ] && [ "$validation_result" != '0' ]; then + output "${_ERROR_}: The $packageName config validation failed!\\n" + output "Please check if the '$packageConfigFile' contains correct values for config options.\\n" + state add 'errorSummary' 'errorConfigValidation' return 1 fi - fi - resolver 'check_support' - fi - + if [ "$enabled" -eq 0 ]; then + state add 'errorSummary' 'errorServiceDisabled' + return 1 + fi + if [ ! -x "$ip_bin" ]; then + state add 'errorSummary' 'errorNoIpFull' + return 1 + fi + if ! is_nft; then + if [ -z "$iptables" ] || [ ! 
-x "$iptables" ]; then + state add 'errorSummary' 'errorNoIptables' + return 1 + fi + fi + rm -f "$packageLockFile" + resolver 'check_support' + ;; + on_stop) + touch "$packageLockFile" + ;; + esac load_network "$param" } load_network() { + local i config_load 'network' [ -z "$ifacesAll" ] && config_foreach _build_ifaces_all 'interface' - [ -z "$ifacesSupported" ] && config_foreach _build_ifaces_supported 'interface' + if [ -z "$ifacesSupported" ]; then + config_load 'firewall' + config_foreach _find_firewall_wan_zone 'zone' + for i in $(uci -q get "firewall.${firewallWanZone}.network"); do + is_supported_interface "$i" && ! str_contains "$ifacesSupported" "$1" && ifacesSupported="${ifacesSupported}${i} " + done + config_load 'network' + config_foreach _build_ifaces_supported 'interface' + fi pbr_find_iface wanIface4 'wan' [ -n "$ipv6_enabled" ] && pbr_find_iface wanIface6 'wan6' [ -n "$wanIface4" ] && network_get_gateway wanGW4 "$wanIface4" @@ -724,6 +747,8 @@ state() { eval "$param"='${line:+$line#}${value}${extras:+ $extras}' ;; json) + json_init + json_add_object "$packageName" case "$param" in errorSummary) json_add_array 'errors';; @@ -747,6 +772,8 @@ $(eval echo "\$$param" | tr \# \\n) EOF fi json_close_array + json_close_object + json_dump ;; print) [ -z "$(eval echo "\$$param")" ] && return 0 @@ -816,7 +843,7 @@ resolver() { return 1 fi if [ -n "$agh" ] && [ -s "$aghConfigFile" ]; then - agh_version="$($agh --version | sed 's|AdGuard Home, version v\(.*\)|\1|')" + agh_version="$($agh --version | sed 's|AdGuard Home, version v\(.*\)|\1|' | sed 's|-.*||')" if is_greater_or_equal "$agh_version" '0.107.13'; then resolver_set_supported='true' return 0 
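Review bot: In the firewall-zone loop added to load_network the dedupe test reads `"$1"` — load_network's positional parameter (`on_start`/`on_stop`), not the loop variable — so it never compares the interface being added; the line should be `is_supported_interface "$i" && ! str_contains "$ifacesSupported" "$i" && ifacesSupported="${ifacesSupported}${i} "`. In the same hunk the on_start check was switched from `$ip_full` to `$ip_bin` but still records `errorNoIpFull`, so a missing `ip` binary is reported as a missing ip-full package; rename the state key or adjust its message in get_text so it names the `ip` command. `_find_firewall_wan_zone` presumably treats only a zone literally named `wan` as the WAN zone, and when none matches firewallWanZone stays empty and `uci -q get "firewall..network"` silently yields nothing; a comment stating that assumption at the loop would help.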
@@ -1165,20 +1192,20 @@ policy_routing_iptables() { return 1 fi - if [ -z "$proto" ]; then - if [ -n "$lport" ] || [ -n "$rport" ]; then - proto='tcp udp' - else - proto='all' - fi - fi - if is_family_mismatch "$laddr" "$raddr"; then processPolicyError='true' state add 'errorSummary' 'errorPolicyProcessMismatchFamily' "${name}: '$laddr' '$raddr'" return 1 fi + if [ -z "$proto" ]; then + if [ -n "${lport}${rport}" ]; then + proto='tcp udp' + else + proto='all' + fi + fi + for i in $proto; do if [ "$i" = 'all' ]; then param4="-t mangle ${ipInsertOption} ${iptPrefix}_${chain} $dest" 
@@ -1322,25 +1349,25 @@ policy_routing_iptables() { ipt6 "$param6" || ipv6_error='1' fi -# ipt6 returns true if IPv6 support is not enabled - [ -z "$ipv6_enabled" ] && ipv6_error='1' - if [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then - if [ -n "$ipv6_enabled" ]; then - processPolicyError='true' - state add 'errorSummary' 'errorPolicyProcessInsertionFailed' "$name" - state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param4" - state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param6" - else - processPolicyError='true' - state add 'errorSummary' 'errorPolicyProcessInsertionFailedIpv4' "$name" - state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param4" - fi + if [ -n "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then + processPolicyError='true' + state add 'errorSummary' 'errorPolicyProcessInsertionFailed' "$name" + state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param4" + state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param6" + logger -t "$packageName" "ERROR: iptables $param4" + logger -t "$packageName" "ERROR: iptables $param6" + elif [ -z "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ]; then + processPolicyError='true' + state add 'errorSummary' 'errorPolicyProcessInsertionFailedIpv4' "$name" + state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param4" + logger -t "$packageName" "ERROR: iptables $param4" fi done } policy_routing_nft() { - local mark param4 param6 i negation value dest nftInsertOption='add' + local mark i nftInsertOption='add' + local param4 param6 proto_i negation value dest local ip4Flag='ip' ip6Flag='ip6' local name="$1" iface="$2" laddr="$3" lport="$4" raddr="$5" rport="$6" proto chain uid="$9" proto="$(str_to_lower "$7")" 
@@ -1370,137 +1397,147 @@ policy_routing_nft() { return 1 fi - if [ -n "$proto" ] && ! is_supported_protocol "$proto"; then - processPolicyError='true' - state add 'errorSummary' 'errorPolicyProcessUnknownProtocol' "${name}: '$i'" - return 1 - fi - - if [ -n "$src_addr" ]; then - if [ "${src_addr:0:1}" = "!" ]; then - negation='!='; value="${src_addr:1}" + if [ -z "$proto" ]; then + if [ -n "${src_port}${dest_port}" ]; then + proto='tcp udp' else - unset negation; value="$src_addr"; - fi - if is_phys_dev "$value"; then - param4="$param4 iifname $negation ${value:1}" - param6="$param6 iifname $negation ${value:1}" - elif is_mac_address "$value"; then - local target='src' type='mac' - if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \ - nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then - param4="$param4 ether saddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" - param6="$param6 ether saddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" - else - param4="$param4 ether saddr $negation $value" - param6="$param6 ether saddr $negation $value" - fi - else - local target='src' type='ip' - if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \ - nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then - param4="$param4 $ip4Flag saddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" - param6="$param6 $ip6Flag saddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" - else - param4="$param4 $ip4Flag saddr $negation $value" - param6="$param6 $ip6Flag saddr $negation $value" - fi + proto='all' fi fi - if [ -n "$dest_addr" ]; then - if [ "${dest_addr:0:1}" = "!" ]; then - negation='!='; value="${dest_addr:1}" - else - unset negation; value="$dest_addr"; + for proto_i in $proto; do + unset param4 + unset param6 + if [ "$proto_i" = 'all' ]; then + unset proto_i + elif ! 
is_supported_protocol "$proto_i"; then + processPolicyError='true' + state add 'errorSummary' 'errorPolicyProcessUnknownProtocol' "${name}: '$proto_i'" + return 1 fi - if is_phys_dev "$value"; then - param4="$param4 oifname $negation ${value:1}" - param6="$param6 oifname $negation ${value:1}" - elif is_domain "$value"; then - local target='dst' type='ip' - if resolver 'create_resolver_set' "$iface" "$target" "$type" "$uid" "$name" && \ - resolver 'add_resolver_element' "$iface" "$target" "$type" "$uid" "$name" "$value"; then - param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" - param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" - elif nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \ - nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then - param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" - param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" + + if [ -n "$src_addr" ]; then + if [ "${src_addr:0:1}" = "!" 
]; then + negation='!='; value="${src_addr:1}" else - local resolvedIP4 resolvedIP6 - resolvedIP4="$(resolveip_to_nftset4 "$value")" - resolvedIP6="$(resolveip_to_nftset6 "$value")" - if [ -z "$resolvedIP4" ] && [ -z "$resolvedIP6" ]; then - state add 'errorSummary' 'errorFailedToResolve' "$value" + unset negation; value="$src_addr"; + fi + if is_phys_dev "$value"; then + param4="$param4 iifname $negation ${value:1}" + param6="$param6 iifname $negation ${value:1}" + elif is_mac_address "$value"; then + local target='src' type='mac' + if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \ + nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then + param4="$param4 ether saddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" + param6="$param6 ether saddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" + else + param4="$param4 ether saddr $negation $value" + param6="$param6 ether saddr $negation $value" fi - param4="$param4 $ip4Flag daddr $negation { $resolvedIP4 }" - param6="$param6 $ip6Flag daddr $negation { $resolvedIP6 }" - fi - else - local target='dst' type='ip' - if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \ - nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then - param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" - param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" else - param4="$param4 $ip4Flag daddr $negation $value" - param6="$param6 $ip6Flag daddr $negation $value" + local target='src' type='ip' + if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \ + nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then + param4="$param4 $ip4Flag saddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" + param6="$param6 $ip6Flag saddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" + else + param4="$param4 $ip4Flag saddr $negation $value" + 
param6="$param6 $ip6Flag saddr $negation $value" + fi fi fi - fi - if [ -n "${src_port}${dest_port}" ]; then - proto="${proto:-tcp}" - fi - - if [ -n "$src_port" ]; then - if [ "${src_port:0:1}" = "!" ]; then - negation='!='; value="${src_port:1}" - else - unset negation; value="$src_port"; + if [ -n "$dest_addr" ]; then + if [ "${dest_addr:0:1}" = "!" ]; then + negation='!='; value="${dest_addr:1}" + else + unset negation; value="$dest_addr"; + fi + if is_phys_dev "$value"; then + param4="$param4 oifname $negation ${value:1}" + param6="$param6 oifname $negation ${value:1}" + elif is_domain "$value"; then + local target='dst' type='ip' + if resolver 'create_resolver_set' "$iface" "$target" "$type" "$uid" "$name" && \ + resolver 'add_resolver_element' "$iface" "$target" "$type" "$uid" "$name" "$value"; then + param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" + param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" + elif nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \ + nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then + param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" + param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" + else + local resolvedIP4 resolvedIP6 + resolvedIP4="$(resolveip_to_nftset4 "$value")" + resolvedIP6="$(resolveip_to_nftset6 "$value")" + if [ -z "$resolvedIP4" ] && [ -z "$resolvedIP6" ]; then + state add 'errorSummary' 'errorFailedToResolve' "$value" + fi + param4="$param4 $ip4Flag daddr $negation { $resolvedIP4 }" + param6="$param6 $ip6Flag daddr $negation { $resolvedIP6 }" + fi + else + local target='dst' type='ip' + if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \ + nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then + param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}" + 
param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}" + else + param4="$param4 $ip4Flag daddr $negation $value" + param6="$param6 $ip6Flag daddr $negation $value" + fi + fi fi - param4="$param4 ${proto:+$proto }sport $negation {$(ports_to_nftset "$value")}" - param6="$param6 ${proto:+$proto }sport $negation {$(ports_to_nftset "$value")}" - fi - if [ -n "$dest_port" ]; then - if [ "${dest_port:0:1}" = "!" ]; then - negation='!='; value="${dest_port:1}" - else - unset negation; value="$dest_port"; + if [ -n "$src_port" ]; then + if [ "${src_port:0:1}" = "!" ]; then + negation='!='; value="${src_port:1}" + else + unset negation; value="$src_port"; + fi + param4="$param4 ${proto_i:+$proto_i }sport $negation {$(ports_to_nftset "$value")}" + param6="$param6 ${proto_i:+$proto_i }sport $negation {$(ports_to_nftset "$value")}" fi - param4="$param4 ${proto:+$proto }dport $negation {$(ports_to_nftset "$value")}" - param6="$param6 ${proto:+$proto }dport $negation {$(ports_to_nftset "$value")}" - fi - param4="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} $param4 $dest comment \"$name\"" - param6="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} $param6 $dest comment \"$name\"" - - local ipv4_error='0' ipv6_error='0' - if [ "$nftPrevParam4" != "$param4" ]; then - nft4 "$param4" || ipv4_error='1' - nftPrevParam4="$param4" - fi - if [ "$nftPrevParam6" != "$param6" ]; then - nft6 "$param6" || ipv6_error='1' - nftPrevParam6="$param6" - fi - -# nft6 returns true if IPv6 support is not enabled - [ -z "$ipv6_enabled" ] && ipv6_error='1' - if [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then - if [ -n "$ipv6_enabled" ]; then - processPolicyError='true' - state add 'errorSummary' 'errorPolicyProcessInsertionFailed' "$name" - state add 'errorSummary' 'errorPolicyProcessCMD' "nft '$param4'" - state add 'errorSummary' 'errorPolicyProcessCMD' "nft '$param6'" - else - processPolicyError='true' - state add 'errorSummary' 
'errorPolicyProcessInsertionFailedIpv4' "$name" - state add 'errorSummary' 'errorPolicyProcessCMD' "nft '$param4'" + if [ -n "$dest_port" ]; then + if [ "${dest_port:0:1}" = "!" ]; then + negation='!='; value="${dest_port:1}" + else + unset negation; value="$dest_port"; + fi + param4="$param4 ${proto_i:+$proto_i }dport $negation {$(ports_to_nftset "$value")}" + param6="$param6 ${proto_i:+$proto_i }dport $negation {$(ports_to_nftset "$value")}" fi + + param4="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} $param4 $dest comment \"$name\"" + param6="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} $param6 $dest comment \"$name\"" + + local ipv4_error='0' ipv6_error='0' + if [ "$nftPrevParam4" != "$param4" ]; then + nft4 "$param4" || ipv4_error='1' + nftPrevParam4="$param4" + fi + if [ "$nftPrevParam6" != "$param6" ]; then + nft6 "$param6" || ipv6_error='1' + nftPrevParam6="$param6" + fi + + if [ -n "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then + processPolicyError='true' + state add 'errorSummary' 'errorPolicyProcessInsertionFailed' "$name" + state add 'errorSummary' 'errorPolicyProcessCMD' "nft $param4" + state add 'errorSummary' 'errorPolicyProcessCMD' "nft $param6" + logger -t "$packageName" "ERROR: nft $param4" + logger -t "$packageName" "ERROR: nft $param6" + elif [ -z "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ]; then + processPolicyError='true' + state add 'errorSummary' 'errorPolicyProcessInsertionFailedIpv4' "$name" + state add 'errorSummary' 'errorPolicyProcessCMD' "nft $param4" + logger -t "$packageName" "ERROR: nft $param4" fi + + done } policy_process() { 
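Review bot: The policy name is spliced into the nft rule text as `comment \"$name\"` without escaping, and `name` is validated only as `string` (see the `load_validate_policy` hunk at the end of this chunk), so a name containing a double quote breaks the generated rule and, depending on how `nft4`/`nft6` hand the string to nft (not visible here), can end the comment early and leave the rest of the name parsed as rule syntax. Strip or reject `"` and `\` before the loop, e.g. `name="${name//\"/}"`, the same substitution form the script already uses elsewhere. Separately, when `proto` is explicitly `all` and a port is given, `unset proto_i` leaves `sport`/`dport` with no protocol prefix in `param4`/`param6`, which the removed `proto="${proto:-tcp}"` fallback used to avoid; that case now surfaces only as an insertion failure. policy_routing_nft starts in the previous hunk.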
@@ -1582,8 +1619,8 @@ interface_process_tor_iptables() {
 destroy)
 for i in $chainsList; do
 i="$(str_to_upper "$i")"
- ipt -t nat -D "${i}" -m mark --mark "0x0/${fw_mask}" -j "${nftPrefix}_${i}"
- ipt -t nat -F "${nftPrefix}_${i}"; ipt -t nat -X "${nftPrefix}_${i}";
+ ipt -t nat -D "${i}" -m mark --mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}"
+ ipt -t nat -F "${iptPrefix}_${i}"; ipt -t nat -X "${iptPrefix}_${i}";
 done
 ;;
 create)
@@ -1592,18 +1629,19 @@ interface_process_tor_iptables() { trafficPort="$(grep -m1 TransPort /etc/tor/torrc | awk -F: '{print $2}')" dnsPort="${dnsPort:-9053}"; trafficPort="${trafficPort:-9040}"; for i in $chainsList; do - ipt -t nat -N "${nftPrefix}_${i}" - ipt -t nat -A "$i" -m mark --mark "0x0/${fw_mask}" -j "${nftPrefix}_${i}" + i="$(str_to_upper "$i")" + ipt -t nat -N "${iptPrefix}_${i}" + ipt -t nat -A "$i" -m mark --mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}" done if resolver 'create_resolver_set' "$iface" 'dst' 'ip' && ips 'flush' "$iface" 'dst' 'ip'; then set_name4="${ipsPrefix}_${iface}_4_dst_ip" for i in $chainsList; do - i="$(str_to_lower "$i")" - ipt -t nat -I "${nftPrefix}_${i}" -p udp -m udp --dport 53 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$dnsPort" -m comment --comment "TorDNS-UDP" || s=1 - ipt -t nat -I "${nftPrefix}_${i}" -p tcp -m tcp --dport 80 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTP-TCP" || s=1 - ipt -t nat -I "${nftPrefix}_${i}" -p udp -m udp --dport 80 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTP-UDP" || s=1 - ipt -t nat -I "${nftPrefix}_${i}" -p tcp -m tcp --dport 443 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTPS-TCP" || s=1 - ipt -t nat -I "${nftPrefix}_${i}" -p udp -m udp --dport 443 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTPS-UDP" || s=1 + i="$(str_to_upper "$i")" + ipt -t nat -I "${iptPrefix}_${i}" -p udp -m udp --dport 53 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$dnsPort" -m comment --comment "TorDNS-UDP" || s=1 + ipt -t nat -I "${iptPrefix}_${i}" -p tcp -m tcp --dport 80 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTP-TCP" || s=1 + ipt -t nat -I "${iptPrefix}_${i}" -p udp -m udp --dport 
80 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTP-UDP" || s=1 + ipt -t nat -I "${iptPrefix}_${i}" -p tcp -m tcp --dport 443 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTPS-TCP" || s=1 + ipt -t nat -I "${iptPrefix}_${i}" -p udp -m udp --dport 443 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTPS-UDP" || s=1 done else s=1 
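Review bot: The rewritten REDIRECT rules pass `$dnsPort`/`$trafficPort` straight to `--to-ports`, but those values are only `awk -F: '{print $2}'` of the first matching torrc line (context lines at the top of this hunk), so a `TransPort` entry with options after the port, or a bracketed IPv6 bind address, yields something that is not a bare port number; the `${trafficPort:-9040}` default covers only the empty case. A numeric check before the loop keeps the fallback meaningful: `case "$trafficPort" in ''|*[!0-9]*) trafficPort='9040';; esac` and the same for `dnsPort` with `9053`. interface_process_tor_iptables begins and ends outside this hunk.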
@@ -1639,16 +1677,16 @@ interface_process_tor_nft() { if resolver 'create_resolver_set' "$iface" 'dst' 'ip' && nftset 'flush' "$iface" 'dst' 'ip'; then set_name4="${nftPrefix}_${iface}_4_dst_ip" set_name6="${nftPrefix}_${iface}_6_dst_ip" - nft meta nfproto ipv4 udp daddr "@${set_name4}" dport 53 counter redirect to :"$dnsPort" comment "Tor-DNS-UDP-ipv4" || s=1 - nft meta nfproto ipv4 tcp daddr "@${set_name4}" dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-TCP-ipv4" || s=1 - nft meta nfproto ipv4 udp daddr "@${set_name4}" dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-UDP-ipv4" || s=1 - nft meta nfproto ipv4 tcp daddr "@${set_name4}" dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-TCP-ipv4" || s=1 - nft meta nfproto ipv4 udp daddr "@${set_name4}" dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-UDP-ipv4" || s=1 - nft6 meta nfproto ipv6 udp daddr "@${set_name6}" dport 53 counter redirect to :"$dnsPort" comment "Tor-DNS-UDP-ipv6" || s=1 - nft6 meta nfproto ipv6 tcp daddr "@${set_name6}" dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-TCP-ipv6" || s=1 - nft6 meta nfproto ipv6 udp daddr "@${set_name6}" dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-UDP-ipv6" || s=1 - nft6 meta nfproto ipv6 tcp daddr "@${set_name6}" dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-TCP-ipv6" || s=1 - nft6 meta nfproto ipv6 udp daddr "@${set_name6}" dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-UDP-ipv6" || s=1 + nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" udp dport 53 counter redirect to :"$dnsPort" comment "Tor-DNS-UDP-ipv4" || s=1 + nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" tcp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-TCP-ipv4" || s=1 + nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" udp dport 80 counter redirect to :"$trafficPort" 
comment "Tor-HTTP-UDP-ipv4" || s=1 + nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" tcp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-TCP-ipv4" || s=1 + nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" udp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-UDP-ipv4" || s=1 + nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" udp dport 53 counter redirect to :"$dnsPort" comment "Tor-DNS-UDP-ipv6" || s=1 + nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" tcp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-TCP-ipv6" || s=1 + nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" udp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-UDP-ipv6" || s=1 + nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" tcp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-TCP-ipv6" || s=1 + nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" udp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-UDP-ipv6" || s=1 else s=1 fi @@ -1676,8 +1714,8 @@ interface_routing() { create) if is_netifd_table "$iface"; then ipv4_error=0 - $ip_full -4 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1 - $ip_full -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 + $ip_bin rule del table "$tid" >/dev/null 2>&1 + $ip_bin -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 if is_nft; then nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1 nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1 
@@ -1689,8 +1727,7 @@ interface_routing() { fi if [ -n "$ipv6_enabled" ]; then ipv6_error=0 - $ip_full -6 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1 - $ip_full -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1 + $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1 fi else if ! grep -q "$tid ${ipTablePrefix}_${iface}" '/etc/iproute2/rt_tables'; then @@ -1699,14 +1736,14 @@ interface_routing() { echo "$tid ${ipTablePrefix}_${iface}" >> '/etc/iproute2/rt_tables' sync fi - $ip_full -4 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1 - $ip_full -4 route flush table "$tid" >/dev/null 2>&1 + $ip_bin rule del table "$tid" >/dev/null 2>&1 + $ip_bin route flush table "$tid" >/dev/null 2>&1 if [ -n "$gw4" ] || [ "$strict_enforcement" -ne 0 ]; then ipv4_error=0 if [ -z "$gw4" ]; then - $ip_full -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1 + $ip_bin -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1 else - $ip_full -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1 + $ip_bin -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1 fi # shellcheck disable=SC2086 while read -r i; do 
@@ -1714,12 +1751,12 @@ interface_routing() { i="$(echo "$i" | sed 's/ onlink$//')" idev="$(echo "$i" | grep -Eso 'dev [^ ]*' | awk '{print $2}')" if ! is_supported_iface_dev "$idev"; then - $ip_full -4 route add $i table "$tid" >/dev/null 2>&1 || ipv4_error=1 + $ip_bin -4 route add $i table "$tid" >/dev/null 2>&1 || ipv4_error=1 fi done << EOF - $($ip_full -4 route list table main) + $($ip_bin -4 route list table main) EOF - $ip_full -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 + $ip_bin -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 if is_nft; then nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1 nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1 
@@ -1732,25 +1769,23 @@ EOF fi if [ -n "$ipv6_enabled" ]; then ipv6_error=0 - $ip_full -6 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1 - $ip_full -6 route flush table "$tid" >/dev/null 2>&1 if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strict_enforcement" -ne 0 ]; then if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then - $ip_full -6 route add unreachable default table "$tid" || ipv6_error=1 - elif $ip_full -6 route list table main | grep -q " dev $dev6 "; then + $ip_bin -6 route add unreachable default table "$tid" || ipv6_error=1 + elif $ip_bin -6 route list table main | grep -q " dev $dev6 "; then while read -r i; do i="$(echo "$i" | sed 's/ linkdown$//')" i="$(echo "$i" | sed 's/ onlink$//')" - $ip_full -6 route add "$i" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + $ip_bin -6 route add "$i" table "$tid" >/dev/null 2>&1 || ipv6_error=1 done << EOF - $($ip_full -6 route list table main | grep " dev $dev6 ") + $($ip_bin -6 route list table main | grep " dev $dev6 ") EOF else - $ip_full -6 route add "$($ip_full -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 - $ip_full -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + $ip_bin -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + $ip_bin -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 fi fi - $ip_full -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1 + $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1 fi fi if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then 
@@ -1790,9 +1825,9 @@ EOF
 return "$s"
 ;;
 delete|destroy)
- $ip_full rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1
+ $ip_bin rule del table "$tid" >/dev/null 2>&1
 if ! is_netifd_table "$iface"; then
- $ip_full route flush table "$tid" >/dev/null 2>&1
+ $ip_bin route flush table "$tid" >/dev/null 2>&1
 sed -i "/${ipTablePrefix}_${iface}\$/d" '/etc/iproute2/rt_tables'
 sync
 fi
@@ -1801,35 +1836,35 @@ EOF reload_interface) is_netifd_table "$iface" && return 0; ipv4_error=0 - $ip_full -4 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1 - $ip_full -4 route flush table "$tid" >/dev/null 2>&1 + $ip_bin rule del table "$tid" >/dev/null 2>&1 + if ! is_netifd_table "$iface"; then + $ip_bin route flush table "$tid" >/dev/null 2>&1 + fi if [ -n "$gw4" ] || [ "$strict_enforcement" -ne 0 ]; then if [ -z "$gw4" ]; then - $ip_full -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1 + $ip_bin -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1 else - $ip_full -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1 + $ip_bin -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1 fi - $ip_full rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 + $ip_bin rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 fi if [ -n "$ipv6_enabled" ]; then ipv6_error=0 - $ip_full -6 rule del fwmark "${mark}/${fw_mask}" table "$tid" >/dev/null 2>&1 - $ip_full -6 route flush table "$tid" >/dev/null 2>&1 if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strict_enforcement" -ne 0 ]; then if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then - $ip_full -6 route add unreachable default table "$tid" || ipv6_error=1 - elif $ip_full -6 route list table main | grep -q " dev $dev6 "; then + $ip_bin -6 route add unreachable default table "$tid" || ipv6_error=1 + elif $ip_bin -6 route list table main | grep -q " dev $dev6 "; then while read -r i; do - $ip_full -6 route add "$i" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + $ip_bin -6 route add "$i" table "$tid" >/dev/null 2>&1 || ipv6_error=1 done << EOF - $($ip_full -6 route list table main | grep " dev $dev6 ") + $($ip_bin -6 route list table main | grep " dev $dev6 ") EOF else - $ip_full -6 route add "$($ip_full -6 -o a show "$dev6" | 
awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 - $ip_full -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + $ip_bin -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + $ip_bin -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 fi fi - $ip_full -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1 + $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1 fi if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then s=0 @@ -1876,9 +1911,15 @@ interface_process() { is_wan6 "$iface" && return 0 [ $((ifaceMark)) -gt $((fw_mask)) ] && return 1 + if is_ovpn "$iface" && ! is_valid_ovpn "$iface"; then + : || state add 'warningSummary' 'warningInvalidOVPNConfig' "$iface" + fi + network_get_device dev "$iface" + [ -z "$dev" ] && network_get_physdev dev "$iface" if is_wan "$iface" && [ -n "$wanIface6" ] && str_contains "$wanIface6" "$iface"; then network_get_device dev6 "$wanIface6" + [ -z "$dev6" ] && network_get_physdev dev6 "$wanIface6" fi [ -z "$dev6" ] && dev6="$dev" @@ -1952,7 +1993,7 @@ user_file_process() { return 1 fi if ! $shellBin -n "$path"; then - state add 'errorSummary' 'ererrorUserFileSyntax' "$path" + state add 'errorSummary' 'errorUserFileSyntax' "$path" output_fail return 1 fi 
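Review bot: The `if ! is_netifd_table "$iface"; then` guard added around `$ip_bin route flush table "$tid"` is always true, because the `reload_interface)` branch opens with `is_netifd_table "$iface" && return 0;` two lines above it. Either drop the wrapper and keep the flush unconditional, as the removed line had it, or drop the early `return 0` if netifd-managed tables were meant to reach this branch; as written one of the two looks left in by mistake. The case statement continues outside the hunk.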
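Review bot: `: || state add 'warningSummary' 'warningInvalidOVPNConfig' "$iface"` never records the warning: `:` always succeeds, so the right-hand side of `||` is dead and the new `is_ovpn`/`is_valid_ovpn` check has no observable effect. If the warning is meant to stay disabled for now, remove the whole `if` block rather than ship an always-false branch; if it is meant to fire, the line should read `state add 'warningSummary' 'warningInvalidOVPNConfig' "$iface"`. interface_process continues on both sides of the hunk.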
@@ -1977,17 +2018,24 @@ boot() { } on_firewall_reload() { - if [ -z "$(ubus_get_status 'gateways')" ]; then # service is not running, do not start it on firewall reload - logger -t "$packageName" "Reload on firewall action aborted: service not running." - return 0; + if [ -e "$packageLockFile" ]; then # service is stopped, do not start it on firewall reload + logger -t "$packageName" "Reload on firewall action aborted: service is stopped." + return 0 else rc_procd start_service 'on_firewall_reload' "$1" fi } -on_interface_reload() { rc_procd start_service 'on_interface_reload' "$1"; } +on_interface_reload() { + if [ -e "$packageLockFile" ]; then # service is stopped, do not start it on interface change + logger -t "$packageName" "Reload on interface change aborted: service is stopped." + return 0 + else + rc_procd start_service 'on_interface_reload' "$1" + fi +} start_service() { - local resolverStoredHash resolverNewHash i reloadedIface param="$1" + local resolverStoredHash resolverNewHash i param="$1" reloadedIface load_environment 'on_start' "$(load_validate_config)" || return 1 is_wan_up || return 1 @@ -2001,8 +2049,14 @@ start_service() { serviceStartTrigger='on_start' ;; on_interface_reload) - serviceStartTrigger='on_interface_reload' reloadedIface="$2" + if is_ovpn "$reloadedIface"; then + logger -t "$packageName" "Updated interface is an OpenVPN tunnel, restarting." + serviceStartTrigger='on_start' + unset reloadedIface + else + serviceStartTrigger='on_interface_reload' + fi ;; on_reload) serviceStartTrigger='on_reload' 
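Review bot: on_firewall_reload and on_interface_reload now carry the same `[ -e "$packageLockFile" ]` test, logger call and `rc_procd start_service` fallthrough, differing only in the message text. A small helper such as `is_service_stopped() { [ -e "$packageLockFile" ]; }` would keep the stop-marker semantics in one place and make explicit that an existing `$packageLockFile` means "stopped"; that meaning is only implied by the inline comment, and where the file is created is not visible here. The `start_service` body in the following hunk continues outside the chunk.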
@@ -2238,8 +2292,8 @@ status_service_nft() { fi if [ -n "$wanIface6" ]; then network_get_device dev6 "$wanIface6" - wanGW6=$($ip_full -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}') - [ "$wanGW6" = "default" ] && wanGW6=$($ip_full -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}') + wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}') + [ "$wanGW6" = "default" ] && wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}') fi while [ "${1:0:1}" = "-" ]; do param="${1//-/}"; eval "set_$param=1"; shift; done [ -e "/var/${packageName}-support" ] && rm -f "/var/${packageName}-support" @@ -2255,17 +2309,17 @@ status_service_nft() { echo "$_SEPARATOR_" echo "$packageName chains - policies" for i in forward input output prerouting postrouting; do - "$nft" list table inet "$nftTable" | sed -n "/chain ${nftPrefix}_${i} {/,/\t}/p" + "$nft" -a list table inet "$nftTable" | sed -n "/chain ${nftPrefix}_${i} {/,/\t}/p" done echo "$_SEPARATOR_" echo "$packageName chains - marking" for i in $(get_mark_nft_chains); do - "$nft" list table inet "$nftTable" | sed -n "/chain ${i} {/,/\t}/p" + "$nft" -a list table inet "$nftTable" | sed -n "/chain ${i} {/,/\t}/p" done echo "$_SEPARATOR_" echo "$packageName nft sets" for i in $(get_nft_sets); do - "$nft" list table inet "$nftTable" | sed -n "/set ${i} {/,/\t}/p" + "$nft" -a list table inet "$nftTable" | sed -n "/set ${i} {/,/\t}/p" done if [ -s "$dnsmasqFile" ]; then echo "$_SEPARATOR_" 
@@ -2278,9 +2332,9 @@ status_service_nft() { tableCount="$(grep -c "${packageName}_" /etc/iproute2/rt_tables)" || tableCount=0 wan_tid=$(($(get_rt_tables_next_id)-tableCount)) i=0; while [ $i -lt "$tableCount" ]; do - echo "IPv4 table $((wan_tid + i)) route: $($ip_full -4 route show table $((wan_tid + i)) | grep default)" + echo "IPv4 table $((wan_tid + i)) route: $($ip_bin -4 route show table $((wan_tid + i)) | grep default)" echo "IPv4 table $((wan_tid + i)) rule(s):" - $ip_full -4 rule list table "$((wan_tid + i))" + $ip_bin -4 rule list table "$((wan_tid + i))" i=$((i + 1)) done } @@ -2295,8 +2349,8 @@ status_service_iptables() { fi if [ -n "$wanIface6" ]; then network_get_device dev6 "$wanIface6" - wanGW6=$($ip_full -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}') - [ "$wanGW6" = "default" ] && wanGW6=$($ip_full -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}') + wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}') + [ "$wanGW6" = "default" ] && wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}') fi while [ "${1:0:1}" = "-" ]; do param="${1//-/}"; eval "set_$param=1"; shift; done [ -e "/var/${packageName}-support" ] && rm -f "/var/${packageName}-support" 
@@ -2322,15 +2376,15 @@ status_service_iptables() { if [ -n "$set_d" ]; then ip rule list; fi wan_tid=$(($(get_rt_tables_next_id)-tableCount)) i=0; while [ $i -lt "$tableCount" ]; do - echo "IPv4 table $((wan_tid + i)) route: $($ip_full -4 route show table $((wan_tid + i)) | grep default)" + echo "IPv4 table $((wan_tid + i)) route: $($ip_bin -4 route show table $((wan_tid + i)) | grep default)" echo "IPv4 table $((wan_tid + i)) rule(s):" - $ip_full -4 rule list table "$((wan_tid + i))" + $ip_bin -4 rule list table "$((wan_tid + i))" i=$((i + 1)) done if [ -n "$ipv6_enabled" ]; then i=0; while [ $i -lt "$tableCount" ]; do - $ip_full -6 route show table $((wan_tid + i)) | while read -r param; do + $ip_bin -6 route show table $((wan_tid + i)) | while read -r param; do echo "IPv6 Table $((wan_tid + i)): $param" done i=$((i + 1)) @@ -2422,9 +2476,9 @@ load_validate_config() { 'verbosity:range(0,2):1' \ "wan_mark:regex('0x[A-Fa-f0-9]{8}'):0x010000" \ "fw_mask:regex('0x[A-Fa-f0-9]{8}'):0xff0000" \ - 'icmp_interface:or("","ignore", uci("network", "@interface"))' \ - 'ignored_interface:list(uci("network", "@interface"))' \ - 'supported_interface:list(uci("network", "@interface"))' \ + 'icmp_interface:or("", "tor", uci("network", "@interface"))' \ + 'ignored_interface:list(or("tor", uci("network", "@interface")))' \ + 'supported_interface:list(or("tor", uci("network", "@interface")))' \ 'boot_timeout:integer:30' \ 'wan_ip_rules_priority:uinteger:30000' \ 'rule_create_option:or("", "add", "insert"):add' \ 
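Review bot: `icmp_interface` no longer accepts `ignore`: the old validator was `or("","ignore", uci(...))` and the new one is `or("", "tor", uci(...))`, so an existing `option icmp_interface 'ignore'` fails validation after this upgrade, while the policy `interface` validator in the next hunk (`@@ -2448`) still lists `"ignore"`. If dropping it is intentional, the uci-defaults migration script touched by this commit is the place to rewrite the old value; otherwise keep it in the list: `'icmp_interface:or("", "ignore", "tor", uci("network", "@interface"))'`. load_validate_config continues outside the hunk.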
@@ -2448,7 +2502,7 @@ load_validate_policy() { uci_load_validate "$packageName" 'policy' "$1" "${2}${3:+ $3}" \ 'name:string:Untitled' \ 'enabled:bool:1' \ - 'interface:or(uci("network", "@interface"),"ignore"):wan' \ + 'interface:or("ignore", "tor", uci("network", "@interface")):wan' \ 'proto:or(string)' \ 'chain:or("", "forward", "input", "output", "prerouting", "postrouting", "FORWARD", "INPUT", "OUTPUT", "PREROUTING", "POSTROUTING"):prerouting' \ 'src_addr:list(neg(or(host,network,macaddr,string)))' \ diff --git a/net/pbr/files/etc/uci-defaults/90-pbr b/net/pbr/files/etc/uci-defaults/90-pbr index 237ebac58..5d4d5d60a 100644 --- a/net/pbr/files/etc/uci-defaults/90-pbr +++ b/net/pbr/files/etc/uci-defaults/90-pbr @@ -22,6 +22,7 @@ sed -i "s/'POSTROUTING'/'postrouting'/g" /etc/config/pbr sed -i "s/option fw_mask '0x\(.*\)'/option fw_mask '\1'/g" /etc/config/pbr sed -i "s/option wan_mark '0x\(.*\)'/option wan_mark '\1'/g" /etc/config/pbr +if [ -s '/usr/share/pbr/pbr.firewall.include' ]; then uci -q batch <<-EOT delete firewall.pbr set firewall.pbr='include' @@ -30,5 +31,6 @@ uci -q batch <<-EOT set firewall.pbr.path='/usr/share/pbr/pbr.firewall.include' commit firewall EOT +fi exit 0 diff --git a/net/pbr/files/etc/uci-defaults/91-pbr b/net/pbr/files/etc/uci-defaults/91-pbr index 0d759c278..16693864f 100644 --- a/net/pbr/files/etc/uci-defaults/91-pbr +++ b/net/pbr/files/etc/uci-defaults/91-pbr @@ -4,6 +4,7 @@ readonly packageName='pbr' readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m' +# shellcheck disable=SC2317 pbr_iface_setup() { local iface="${1}" local proto diff --git a/net/pbr/files/usr/share/pbr/pbr.firewall.include b/net/pbr/files/usr/share/pbr/pbr.firewall.include index 3fe906ee1..36b3cd80d 100644 --- a/net/pbr/files/usr/share/pbr/pbr.firewall.include +++ b/net/pbr/files/usr/share/pbr/pbr.firewall.include 
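Review bot: Wrapping the whole `uci -q batch` in `if [ -s '/usr/share/pbr/pbr.firewall.include' ]` skips the `delete firewall.pbr` step together with the re-creation, so an upgrade that no longer ships the include file leaves a stale `firewall.pbr` include pointing at a path that does not exist. If that is the situation the guard is for, the delete (and its commit) should stay outside the condition, e.g. `uci -q delete firewall.pbr` before the `if`, with only the `set ... commit firewall` batch inside it.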
@@ -1,5 +1,5 @@ #!/bin/sh if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then - logger -t "pbr" "Reloading pbr due to $ACTION of firewall" + logger -t "pbr" "Reloading pbr due to firewall action: $ACTION" /etc/init.d/pbr on_firewall_reload "$ACTION" fi From 90d5bd6dab453546c78f34f7c74014c88a019b6d Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Sun, 30 Apr 2023 04:11:01 -0400 Subject: [PATCH 14/49] lighttpd: build fixes Signed-off-by: Glenn Strauss --- net/lighttpd/Makefile | 2 +- .../030-meson-check-FORCE_._CRYPTO.patch | 34 +++++++++++++++++++ ...31-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch | 23 +++++++++++++ ...032-meson-build-fix-for-builtin_mods.patch | 20 +++++++++++ 4 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 net/lighttpd/patches/030-meson-check-FORCE_._CRYPTO.patch create mode 100644 net/lighttpd/patches/031-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch create mode 100644 net/lighttpd/patches/032-meson-build-fix-for-builtin_mods.patch diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile index ad0afd82f..a627c88ca 100644 --- a/net/lighttpd/Makefile +++ b/net/lighttpd/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lighttpd PKG_VERSION:=1.4.69 -PKG_RELEASE:=2 +PKG_RELEASE:=3 # release candidate ~rcX testing; remove for release #PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) diff --git a/net/lighttpd/patches/030-meson-check-FORCE_._CRYPTO.patch b/net/lighttpd/patches/030-meson-check-FORCE_._CRYPTO.patch new file mode 100644 index 000000000..6db289588 --- /dev/null +++ b/net/lighttpd/patches/030-meson-check-FORCE_._CRYPTO.patch 
@@ -0,0 +1,34 @@ +From e91ad65e4aacde815679c06cb687931dd7beb9b3 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss +Date: Thu, 20 Apr 2023 21:27:36 -0400 +Subject: [PATCH] [meson] check FORCE_{WOLFSSL,MBEDTLS}_CRYPTO + +--- + src/meson.build | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/src/meson.build ++++ b/src/meson.build +@@ -358,15 +358,19 @@ if get_option('with_mbedtls') + libmbedtls = [ compiler.find_library('mbedtls') ] + libmbedx509 = [ compiler.find_library('mbedx509') ] + libmbedcrypto = [ compiler.find_library('mbedcrypto') ] +- libcrypto = [ compiler.find_library('mbedcrypto') ] ++ if compiler.get_define('FORCE_WOLFSSL_CRYPTO') == '' ++ libcrypto = [ compiler.find_library('mbedcrypto') ] ++ endif + conf_data.set('HAVE_LIBMBEDCRYPTO', true) + endif + if get_option('with_nettle') + # manual search: + # header: nettle/nettle-types.h + # function: nettle_md5_init (-lnettle) +- libcrypto = [ dependency('nettle') ] +- conf_data.set('HAVE_NETTLE_NETTLE_TYPES_H', true) ++ if compiler.get_define('FORCE_WOLFSSL_CRYPTO') == '' and compiler.get_define('FORCE_MBEDTLS_CRYPTO') == '' ++ libcrypto = [ dependency('nettle') ] ++ conf_data.set('HAVE_NETTLE_NETTLE_TYPES_H', true) ++ endif + endif + if get_option('with_gnutls') + # manual search: diff --git a/net/lighttpd/patches/031-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch b/net/lighttpd/patches/031-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch new file mode 100644 index 000000000..d50b2e90c --- /dev/null +++ b/net/lighttpd/patches/031-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch 
@@ -0,0 +1,23 @@ +From 37cbdacda78f9df4aba4c39e60472025d93bb7ba Mon Sep 17 00:00:00 2001 +From: Glenn Strauss +Date: Fri, 28 Apr 2023 03:17:16 -0400 +Subject: [PATCH] [mod_mbedtls] check MBEDTLS_DEBUG_C for debug func + +--- + src/mod_mbedtls.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/src/mod_mbedtls.c ++++ b/src/mod_mbedtls.c +@@ -2357,9 +2357,11 @@ CONNECTION_FUNC(mod_mbedtls_handle_con_a + * overlap, and so this debug setting is not reset upon connection close. + * Once enabled, debug hook will remain so for this mbedtls_ssl_config */ + if (hctx->conf.ssl_log_noise) {/* volume level for debug message callback */ ++ #ifdef MBEDTLS_DEBUG_C + #if MBEDTLS_VERSION_NUMBER >= 0x02000000 /* mbedtls 2.0.0 */ + mbedtls_debug_set_threshold(hctx->conf.ssl_log_noise); + #endif ++ #endif + mbedtls_ssl_conf_dbg(hctx->ssl_ctx, mod_mbedtls_debug_cb, + (void *)(intptr_t)hctx->conf.ssl_log_noise); + } diff --git a/net/lighttpd/patches/032-meson-build-fix-for-builtin_mods.patch b/net/lighttpd/patches/032-meson-build-fix-for-builtin_mods.patch new file mode 100644 index 000000000..2375f8a71 --- /dev/null +++ b/net/lighttpd/patches/032-meson-build-fix-for-builtin_mods.patch @@ -0,0 +1,20 @@ +From 2fc157f37ea4644ba9ac776de1926b9e518ec42b Mon Sep 17 00:00:00 2001 +From: Glenn Strauss +Date: Sat, 29 Apr 2023 00:43:55 -0400 +Subject: [PATCH] [meson] build fix for builtin_mods + +--- + src/meson.build | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/src/meson.build ++++ b/src/meson.build +@@ -656,7 +656,7 @@ executable('lighttpd-angel', + ) + + executable('lighttpd', configparser, +- sources: common_src + main_src, ++ sources: common_src + main_src + builtin_mods, + dependencies: [ common_flags, lighttpd_flags + , libattr + , libcrypto From b7b1fe6cb326136d6ab373359fa9cbf307fbaaa9 Mon Sep 17 00:00:00 2001 
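Review bot: The new `#ifdef MBEDTLS_DEBUG_C` in 031-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch only skips `mbedtls_debug_set_threshold()`, while the `mbedtls_ssl_conf_dbg()` call below it still registers `mod_mbedtls_debug_cb` unconditionally; if I read mbedtls correctly, a library built without `MBEDTLS_DEBUG_C` never invokes that callback, so an operator who sets `ssl.log-noise` gets silence with no hint why. A comment at the `#endif` would save the next reader a detour, e.g. `/* without MBEDTLS_DEBUG_C the callback is registered but mbedtls never calls it; ssl.log-noise is effectively a no-op */`, or better, a one-time log line in that configuration so the misconfiguration is visible. The enclosing connection-accept function starts and ends outside the hunk.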
From: Hannu Nyman Date: Sun, 30 Apr 2023 10:50:56 +0300 Subject: [PATCH 15/49] zoneinfo: adjust to current timezone data file structure Tweak the package to better match the current file structure in the upstream time zone database. Add missing aliases. Make some clarifications * Combine -northmerica and -southamerica into -america, as all current official America/xxx definitions were already in -northamerica and only the unofficial/deprecated Brazil/xxx, Chile and Argentina were in -southamerica. (Confusingly America/Sao_Paulo was in northamerica, while Brazil was in southamerica.) * Add PROVIDES for the old package names * Add missing top-level dir country/nation alias links. * Define Eire in -europe instead of -core. * Rename -india to -indian, as it contains the Indian ocean islands instead of the actual Asia/Kolkata zone for the mainland India. * Add PROVIDES for the old package name * Add 'Ocean' to all ocean zone titles. * Make all zoneinfo-packages depend on zoneinfo-core, so that zone.tab, the UTC based definitions and the still existing short zone codes are always available. * Clarify menuconfig menu as "Time Zone info" Signed-off-by: Hannu Nyman --- utils/zoneinfo/Makefile | 67 +++++++++++++++++++---------------------- 1 file changed, 31 insertions(+), 36 deletions(-) diff --git a/utils/zoneinfo/Makefile b/utils/zoneinfo/Makefile index 7608fcef6..7fe47f87d 100644 --- a/utils/zoneinfo/Makefile +++ b/utils/zoneinfo/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=zoneinfo PKG_VERSION:=2023c -PKG_RELEASE:=1 +PKG_RELEASE:=2 #As i couldn't find real license used "Public Domain" #as referense to http://www.iana.org/time-zones/repository/tz-link.html @@ -32,7 +32,7 @@ endef $(eval $(call Download,tzcode)) define Package/zoneinfo/Default - SUBMENU:=Zoneinfo + SUBMENU:=Time Zone info TITLE:=Zone Information SECTION:=utils CATEGORY:=Utilities 
@@ -47,56 +47,63 @@ endef define Package/zoneinfo-simple $(call Package/zoneinfo/Default) TITLE:=Zone Information (simple) + DEPENDS+= +zoneinfo-core endef define Package/zoneinfo-africa $(call Package/zoneinfo/Default) TITLE:=Zone Information (Africa) + DEPENDS+= +zoneinfo-core endef -define Package/zoneinfo-northamerica +define Package/zoneinfo-america $(call Package/zoneinfo/Default) - TITLE:=Zone Information (NorthAmerica) -endef - -define Package/zoneinfo-southamerica -$(call Package/zoneinfo/Default) - TITLE:=Zone Information (SouthAmerica) + TITLE:=Zone Information (America North/South) + PROVIDES:=zoneinfo-northamerica zoneinfo-southamerica + DEPENDS+= +zoneinfo-core endef define Package/zoneinfo-poles $(call Package/zoneinfo/Default) TITLE:=Zone Information (Arctic, Antarctic) + DEPENDS+= +zoneinfo-core endef define Package/zoneinfo-asia $(call Package/zoneinfo/Default) TITLE:=Zone Information (Asia) + DEPENDS+= +zoneinfo-core endef define Package/zoneinfo-atlantic $(call Package/zoneinfo/Default) - TITLE:=Zone Information (Atlantic) + TITLE:=Zone Information (Atlantic Ocean) + DEPENDS+= +zoneinfo-core endef define Package/zoneinfo-australia-nz $(call Package/zoneinfo/Default) TITLE:=Zone Information (Australia-NZ) + DEPENDS+= +zoneinfo-core endef define Package/zoneinfo-pacific $(call Package/zoneinfo/Default) - TITLE:=Zone Information (Pacific) + TITLE:=Zone Information (Pacific Ocean) + DEPENDS+= +zoneinfo-core endef define Package/zoneinfo-europe $(call Package/zoneinfo/Default) TITLE:=Zone Information (Europe) + DEPENDS+= +zoneinfo-core endef -define Package/zoneinfo-india +define Package/zoneinfo-indian $(call Package/zoneinfo/Default) - TITLE:=Zone Information (India) + TITLE:=Zone Information (Indian Ocean) + PROVIDES:=zoneinfo-india + DEPENDS+= +zoneinfo-core endef define Package/zoneinfo-all 
@@ -105,15 +112,14 @@ $(call Package/zoneinfo/Default) DEPENDS:= \ +zoneinfo-core \ +zoneinfo-africa \ - +zoneinfo-northamerica \ - +zoneinfo-southamerica \ + +zoneinfo-america \ +zoneinfo-poles \ +zoneinfo-asia \ +zoneinfo-atlantic \ +zoneinfo-australia-nz \ +zoneinfo-pacific \ +zoneinfo-europe \ - +zoneinfo-india + +zoneinfo-indian endef define Build/Prepare @@ -136,7 +142,7 @@ endef define Package/zoneinfo-core/install $(INSTALL_DIR) $(1)/usr/share/zoneinfo for i in \ - CET CST6CDT EET EST EST5EDT GB-Eire Eire \ + CET CST6CDT EET EST EST5EDT GB-Eire \ GB GMT GMT+0 GMT-0 GMT0 Greenwich \ HST MET MST MST7MDT \ PRC PST8PDT ROC ROK UCT UTC \ @@ -167,29 +173,19 @@ define Package/zoneinfo-simple/install endef define Package/zoneinfo-africa/install - $(INSTALL_DIR) $(1)/usr/share/zoneinfo/Africa - $(CP) $(PKG_INSTALL_DIR)/zoneinfo/Africa/* \ - $(1)/usr/share/zoneinfo/Africa -endef - -define Package/zoneinfo-northamerica/install $(INSTALL_DIR) $(1)/usr/share/zoneinfo - for i in US America Canada Mexico Cuba Jamaica Navajo ; do \ + for i in Africa Egypt Libya ; do \ $(CP) $(PKG_INSTALL_DIR)/zoneinfo/$$$$i \ $(1)/usr/share/zoneinfo ; \ done - rm -rf $(1)/usr/share/zoneinfo/America/Argentina endef -define Package/zoneinfo-southamerica/install +define Package/zoneinfo-america/install $(INSTALL_DIR) $(1)/usr/share/zoneinfo - for i in Brazil Chile ; do \ + for i in America Brazil Canada Chile Cuba Jamaica Mexico Navajo US ; do \ $(CP) $(PKG_INSTALL_DIR)/zoneinfo/$$$$i \ $(1)/usr/share/zoneinfo ; \ done - $(INSTALL_DIR) $(1)/usr/share/zoneinfo/America/Argentina - $(CP) $(PKG_INSTALL_DIR)/zoneinfo/America/Argentina/* \ - $(1)/usr/share/zoneinfo/America/Argentina endef define Package/zoneinfo-poles/install 
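Review bot: The install loops rewritten in the `@@ -167,29 +173,19 @@` hunk (`for i in Africa Egypt Libya ; do $(CP) ... ; done` and the -america list) return only the exit status of the last iteration, so a copy that fails early — say an alias such as `Navajo` or `Libya` disappearing from a future tzdata release — does not fail the build and the package silently ships without that zone. Adding `|| exit 1` to the copy keeps the shape and fails fast: `$(CP) $(PKG_INSTALL_DIR)/zoneinfo/$$$$i $(1)/usr/share/zoneinfo || exit 1 ; \`. The same applies to the unchanged loops in the other install recipes, which this commit only extends.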
@@ -202,7 +198,7 @@ endef define Package/zoneinfo-asia/install $(INSTALL_DIR) $(1)/usr/share/zoneinfo - for i in Asia Japan Singapore Hongkong ; do \ + for i in Asia Hongkong Iran Israel Japan Singapore ; do \ $(CP) $(PKG_INSTALL_DIR)/zoneinfo/$$$$i \ $(1)/usr/share/zoneinfo ; \ done @@ -234,13 +230,13 @@ endef define Package/zoneinfo-europe/install $(INSTALL_DIR) $(1)/usr/share/zoneinfo - for i in Europe Portugal Poland ; do \ + for i in Europe Eire Portugal Poland Turkey ; do \ $(CP) $(PKG_INSTALL_DIR)/zoneinfo/$$$$i \ $(1)/usr/share/zoneinfo ; \ done endef -define Package/zoneinfo-india/install +define Package/zoneinfo-indian/install $(INSTALL_DIR) $(1)/usr/share/zoneinfo for i in Indian ; do \ $(CP) $(PKG_INSTALL_DIR)/zoneinfo/$$$$i \ @@ -251,13 +247,12 @@ endef $(eval $(call BuildPackage,zoneinfo-simple)) $(eval $(call BuildPackage,zoneinfo-core)) $(eval $(call BuildPackage,zoneinfo-africa)) -$(eval $(call BuildPackage,zoneinfo-northamerica)) -$(eval $(call BuildPackage,zoneinfo-southamerica)) +$(eval $(call BuildPackage,zoneinfo-america)) $(eval $(call BuildPackage,zoneinfo-poles)) $(eval $(call BuildPackage,zoneinfo-asia)) $(eval $(call BuildPackage,zoneinfo-atlantic)) $(eval $(call BuildPackage,zoneinfo-australia-nz)) $(eval $(call BuildPackage,zoneinfo-pacific)) $(eval $(call BuildPackage,zoneinfo-europe)) -$(eval $(call BuildPackage,zoneinfo-india)) +$(eval $(call BuildPackage,zoneinfo-indian)) $(eval $(call BuildPackage,zoneinfo-all)) From 7029af834c17648c6e76c795e89003aa687c818d Mon Sep 17 00:00:00 2001 From: Erik Karlsson Date: Wed, 12 Apr 2023 18:09:07 +0200 Subject: [PATCH 16/49] openssh: add respawn and reloading via signal Configure the openssh server to respawn. Reload by sending SIGHUP Signed-off-by: Erik Karlsson --- net/openssh/files/sshd.init | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/openssh/files/sshd.init b/net/openssh/files/sshd.init index e7735364d..0b859e146 100644 --- a/net/openssh/files/sshd.init 
+++ b/net/openssh/files/sshd.init @@ -27,9 +27,14 @@ start_service() { procd_open_instance procd_add_mdns "ssh" "tcp" "$lport" procd_set_param command $PROG -D + procd_set_param respawn procd_close_instance } +reload_service() { + procd_send_signal sshd +} + shutdown() { local pid From f4a18fbd3de380b4c8a689dddb4212c572fff259 Mon Sep 17 00:00:00 2001 From: Jeffery To Date: Fri, 14 Apr 2023 15:57:46 +0800 Subject: [PATCH 17/49] python-calver: Add new host-only package From the README: The calver package is a setuptools extension for automatically defining your Python package version as a calendar version. Signed-off-by: Jeffery To --- lang/python/python-calver/Makefile | 48 ++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 lang/python/python-calver/Makefile diff --git a/lang/python/python-calver/Makefile b/lang/python/python-calver/Makefile new file mode 100644 index 000000000..cd46859c5 --- /dev/null +++ b/lang/python/python-calver/Makefile 
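Review bot: `reload_service()` sends SIGHUP via `procd_send_signal sshd`, and on SIGHUP sshd re-executes itself from the path it was started with; OpenSSH refuses that unless the path is absolute (it logs "sshd re-exec requires execution with an absolute path"), so the reload only works if `$PROG` — defined above start_service, outside the hunk — is an absolute path; worth confirming and recording, e.g. `# SIGHUP makes sshd re-exec itself; $PROG must be an absolute path`. Separately, `procd_set_param respawn` with no arguments relies on procd's built-in thresholds; the usual OpenWrt idiom spells them out so operators can tune them: `procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5}`. start_service() begins before the hunk.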
@@ -0,0 +1,48 @@
+#
+# Copyright (C) 2023 Jeffery To
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=python-calver
+PKG_VERSION:=2022.6.26
+PKG_RELEASE:=1
+
+PYPI_NAME:=calver
+PKG_HASH:=e05493a3b17517ef1748fbe610da11f10485faa7c416b9d33fd4a52d74894f8b
+
+PKG_LICENSE:=Apache-2.0
+PKG_LICENSE_FILES:=LICENSE
+PKG_MAINTAINER:=Jeffery To
+
+PKG_HOST_ONLY:=1
+HOST_BUILD_DEPENDS:=python3/host python-build/host python-installer/host python-wheel/host
+
+include ../pypi.mk
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/host-build.mk
+include ../python3-package.mk
+include ../python3-host-build.mk
+
+define Package/python3-calver
+ SECTION:=lang
+ CATEGORY:=Languages
+ SUBMENU:=Python
+ TITLE:=Setuptools extension for CalVer package versions
+ URL:=https://github.com/di/calver
+ DEPENDS:=+python3-light
+ BUILDONLY:=1
+endef
+
+define Package/python3-calver/description
+The calver package is a setuptools extension for automatically defining
+your Python package version as a calendar version.
+endef
+
+$(eval $(call Py3Package,python3-calver))
+$(eval $(call BuildPackage,python3-calver))
+$(eval $(call BuildPackage,python3-calver-src))
+$(eval $(call HostBuild))
From 7dc6b103c5e5eb2b1c0ec1c0d9b03b94d244e6c8 Mon Sep 17 00:00:00 2001 From: Jeffery To Date: Fri, 14 Apr 2023 16:03:02 +0800 Subject: [PATCH 18/49] python-trove-classifiers: Add new host-only package From the README: Canonical source for classifiers on PyPI. Classifiers categorize projects per PEP 301. Use this package to validate classifiers in packages for PyPI upload or download. Signed-off-by: Jeffery To --- lang/python/python-trove-classifiers/Makefile | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 lang/python/python-trove-classifiers/Makefile
diff --git a/lang/python/python-trove-classifiers/Makefile b/lang/python/python-trove-classifiers/Makefile
new file mode 100644
index 000000000..b122bc2b7
--- /dev/null
+++ b/lang/python/python-trove-classifiers/Makefile
@@ -0,0 +1,56 @@
+#
+# Copyright (C) 2023 Jeffery To
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=python-trove-classifiers
+PKG_VERSION:=2023.3.9
+PKG_RELEASE:=1
+
+PYPI_NAME:=trove-classifiers
+PKG_HASH:=ee42f2f8c1d4bcfe35f746e472f07633570d485fab45407effc0379270a3bb03
+
+PKG_LICENSE:=Apache-2.0
+PKG_LICENSE_FILES:=LICENSE
+PKG_MAINTAINER:=Jeffery To
+
+PKG_HOST_ONLY:=1
+PKG_BUILD_DEPENDS:=python-calver/host
+HOST_BUILD_DEPENDS:= \
+ python3/host \
+ python-build/host \
+ python-installer/host \
+ python-wheel/host \
+ python-calver/host
+
+include ../pypi.mk
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/host-build.mk
+include ../python3-package.mk
+include ../python3-host-build.mk
+
+define Package/python3-trove-classifiers
+ SECTION:=lang
+ CATEGORY:=Languages
+ SUBMENU:=Python
+ TITLE:=Canonical source for classifiers on PyPI (pypi.org).
+ URL:=https://github.com/pypa/trove-classifiers
+ DEPENDS:=+python3-light
+ BUILDONLY:=1
+endef
+
+define Package/python3-trove-classifiers/description
+Canonical source for classifiers on PyPI.
+
+Classifiers categorize projects per PEP 301. Use this package to
+validate classifiers in packages for PyPI upload or download.
+endef
+
+$(eval $(call Py3Package,python3-trove-classifiers))
+$(eval $(call BuildPackage,python3-trove-classifiers))
+$(eval $(call BuildPackage,python3-trove-classifiers-src))
+$(eval $(call HostBuild))
From fe0dc6f48ae6b98c4663e3e93f6df12d8ef55203 Mon Sep 17 00:00:00 2001 From: Jeffery To Date: Fri, 14 Apr 2023 16:09:36 +0800 Subject: [PATCH 19/49] python-hatchling: Update to 1.14.0
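Review bot: The new Makefile's `TITLE:=Canonical source for classifiers on PyPI (pypi.org).` ends with a period, unlike the sibling python-calver package added in the previous commit and the one-line TITLE style used around it; drop it: `TITLE:=Canonical source for classifiers on PyPI`. The hash-pinned PyPI source and explicit license fields otherwise match that sibling.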
Signed-off-by: Jeffery To --- lang/python/python-hatchling/Makefile | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/lang/python/python-hatchling/Makefile b/lang/python/python-hatchling/Makefile index 6ba6c63c1..958600083 100644 --- a/lang/python/python-hatchling/Makefile +++ b/lang/python/python-hatchling/Makefile @@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-hatchling -PKG_VERSION:=1.13.0 +PKG_VERSION:=1.14.0 PKG_RELEASE:=1 PYPI_NAME:=hatchling -PKG_HASH:=f8d275a2cc720735286b7c2e2bc35da05761e6d3695c2fa416550395f10c53c7 +PKG_HASH:=462ea91df03ff5d52813b5613fec1313a1a2059d2e37343e572b3f979867c5da PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE.txt @@ -27,7 +27,8 @@ HOST_BUILD_DEPENDS:= \ python-packaging/host \ python-pathspec/host \ python-pluggy/host \ - python-tomli/host + python-tomli/host \ + python-trove-classifiers/host include ../pypi.mk include $(INCLUDE_DIR)/package.mk @@ -48,7 +49,8 @@ define Package/python3-hatchling +python3-packaging \ +python3-pathspec \ +python3-pluggy \ - +python3-tomli + +python3-tomli \ + +python3-trove-classifiers BUILDONLY:=1 endef From 2fed4c089598b38d86531087fc41782f27c23c26 Mon Sep 17 00:00:00 2001 From: Andre Heider Date: Tue, 21 Feb 2023 15:54:16 +0100 Subject: [PATCH 20/49] getdns: fix compilation with OPENSSL_NO_DEPRECATED SSL_get_peer_certificate() is deprecated, OpenSSL v3.0 added SSL_get0_peer_certificate() and SSL_get1_peer_certificate(). Use the latter since the return value is explicitely X509_free()ed here, see [0]. [0] https://www.openssl.org/docs/manmaster/man3/SSL_get_peer_certificate.html Signed-off-by: Andre Heider --- libs/getdns/Makefile | 2 +- .../patches/001-openssl-deprecated.patch | 20 +++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 libs/getdns/patches/001-openssl-deprecated.patch diff --git a/libs/getdns/Makefile b/libs/getdns/Makefile index 9a4b838bd..f9825493b 100644 --- a/libs/getdns/Makefile +++ b/libs/getdns/Makefile 
@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=getdns PKG_VERSION:=1.7.3 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE diff --git a/libs/getdns/patches/001-openssl-deprecated.patch b/libs/getdns/patches/001-openssl-deprecated.patch new file mode 100644 index 000000000..ed695ac0c --- /dev/null +++ b/libs/getdns/patches/001-openssl-deprecated.patch @@ -0,0 +1,20 @@ +--- a/src/openssl/tls.c ++++ b/src/openssl/tls.c +@@ -872,7 +872,7 @@ _getdns_tls_x509* _getdns_tls_connection + if (!conn || !conn->ssl) + return NULL; + +- return _getdns_tls_x509_new(mfs, SSL_get_peer_certificate(conn->ssl)); ++ return _getdns_tls_x509_new(mfs, SSL_get1_peer_certificate(conn->ssl)); + } + + getdns_return_t _getdns_tls_connection_is_session_reused(_getdns_tls_connection* conn) +@@ -990,7 +990,7 @@ getdns_return_t _getdns_tls_connection_c + #if defined(USE_DANESSL) + { + getdns_return_t res = GETDNS_RETURN_GOOD; +- X509* peer_cert = SSL_get_peer_certificate(conn->ssl); ++ X509* peer_cert = SSL_get1_peer_certificate(conn->ssl); + if (peer_cert) { + if (conn->auth_name[0] && + X509_check_host(peer_cert, From f544e950999b8c7502f1c7674c6dfdb8a701c140 Mon Sep 17 00:00:00 2001 From: Philip Prindeville Date: Tue, 18 Apr 2023 18:21:29 -0600 Subject: [PATCH 21/49] kea: Update to 2.2.0 Signed-off-by: Philip Prindeville --- net/kea/Makefile | 8 ++++---- net/kea/patches/003-no-test-compile.patch | 12 ++---------- net/kea/patches/004-replace-rev-with-awk.patch | 2 +- net/kea/patches/010-openssl-deprecated.patch | 2 +- 4 files changed, 8 insertions(+), 16 deletions(-) diff --git a/net/kea/Makefile b/net/kea/Makefile index f269b4141..1febb3046 100644 --- a/net/kea/Makefile +++ b/net/kea/Makefile 
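Review bot: 001-openssl-deprecated.patch replaces `SSL_get_peer_certificate()` with `SSL_get1_peer_certificate()` unconditionally, but, as the commit message itself notes, the latter only exists from OpenSSL 3.0, so tls.c no longer compiles against any pre-3.0 OpenSSL or compatible library the package might still be built with. A three-line shim next to the OpenSSL includes keeps both working: `#if OPENSSL_VERSION_NUMBER < 0x30000000L` / `#define SSL_get1_peer_certificate SSL_get_peer_certificate` / `#endif`. Since the get1 variant returns an owned reference, the existing `X509_free()` paths the commit message cites remain correct either way.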
@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=kea -PKG_VERSION:=2.0.3 -PKG_RELEASE:=2 +PKG_VERSION:=2.2.0 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://ftp.isc.org/isc/kea/$(PKG_VERSION) -PKG_HASH:=d642907374d17480ebe4df805b363dc9e230a955475a9f3e04a076b52d5c43ec +PKG_HASH:=da7d90ca62a772602dac6e77e507319038422895ad68eeb142f1487d67d531d2 -PKG_MAINTAINER:=BangLang Huang, Rosy Song +PKG_MAINTAINER:=BangLang Huang , Rosy Song PKG_LICENSE:=MPL-2.0 PKG_LICENSE_FILES:=COPYING diff --git a/net/kea/patches/003-no-test-compile.patch b/net/kea/patches/003-no-test-compile.patch index 132c942aa..709e534c6 100644 --- a/net/kea/patches/003-no-test-compile.patch +++ b/net/kea/patches/003-no-test-compile.patch @@ -158,14 +158,6 @@ AM_CPPFLAGS = -I$(top_srcdir)/src/lib -I$(top_builddir)/src/lib AM_CPPFLAGS += $(BOOST_INCLUDES) ---- a/src/lib/cql/Makefile.am -+++ b/src/lib/cql/Makefile.am -@@ -1,4 +1,4 @@ --SUBDIRS = . testutils tests -+SUBDIRS = . - - AM_CPPFLAGS = -I$(top_srcdir)/src/lib -I$(top_builddir)/src/lib - AM_CPPFLAGS += $(BOOST_INCLUDES) $(CQL_CPPFLAGS) --- a/src/lib/cryptolink/Makefile.am +++ b/src/lib/cryptolink/Makefile.am @@ -1,4 +1,4 @@ @@ -203,8 +195,8 @@ @@ -1,6 +1,6 @@ AUTOMAKE_OPTIONS = subdir-objects --SUBDIRS = . testutils tests benchmarks -+SUBDIRS = . benchmarks +-SUBDIRS = . testutils tests ++SUBDIRS = . # DATA_DIR is the directory where to put default CSV files and the DHCPv6 # server ID file (i.e. the file where the server finds its DUID at startup). diff --git a/net/kea/patches/004-replace-rev-with-awk.patch b/net/kea/patches/004-replace-rev-with-awk.patch index d22dcd4b0..db22903c0 100644 --- a/net/kea/patches/004-replace-rev-with-awk.patch +++ b/net/kea/patches/004-replace-rev-with-awk.patch @@ -1,6 +1,6 @@ --- a/src/bin/keactrl/keactrl.in 
+++ b/src/bin/keactrl/keactrl.in -@@ -117,7 +117,7 @@ get_pid_from_file() { +@@ -115,7 +115,7 @@ get_pid_from_file() { # Extract the name portion (from last slash to last dot) of the config file name # File name and extension are documented in src/lib/util/filename.h local conf_name diff --git a/net/kea/patches/010-openssl-deprecated.patch b/net/kea/patches/010-openssl-deprecated.patch index c8b438efc..6487b0a44 100644 --- a/net/kea/patches/010-openssl-deprecated.patch +++ b/net/kea/patches/010-openssl-deprecated.patch @@ -1,6 +1,6 @@ --- a/src/lib/cryptolink/openssl_link.cc +++ b/src/lib/cryptolink/openssl_link.cc -@@ -79,7 +79,7 @@ CryptoLink::initialize() { +@@ -77,7 +77,7 @@ CryptoLink::initialize(CryptoLink& c) { std::string CryptoLink::getVersion() { From 10ac45abb77e929d0fc8fadbacd3b4e82004ad46 Mon Sep 17 00:00:00 2001 From: Philip Prindeville Date: Wed, 19 Apr 2023 18:32:54 -0600 Subject: [PATCH 22/49] kea: procd_close_instance doesn't take a parameter Signed-off-by: Philip Prindeville --- net/kea/files/kea.init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/kea/files/kea.init b/net/kea/files/kea.init index 0d63c38ab..db1af82ff 100755 --- a/net/kea/files/kea.init +++ b/net/kea/files/kea.init @@ -39,5 +39,5 @@ start_kea() { procd_set_param file "$cnf" procd_set_param stderr 1 procd_set_param stdout 1 - procd_close_instance ctrl_agent + procd_close_instance } From 7dd26ee760153caee550661b9fab0d9ad07dfe51 Mon Sep 17 00:00:00 2001 From: Gerard Ryan Date: Sat, 29 Apr 2023 16:25:49 +1000 Subject: [PATCH 23/49] cache-domains: added pre-test.sh CI step Some packages variants have conflicting dependencies with the base packages and the CI test will fail to install before anything can be done by the packages to setup the system for install. This change adds a pre-test.sh that runs before the install so things like the default libustream variant can be swapped out as shown in the updated cache-domains. 
Signed-off-by: Gerard Ryan --- .github/workflows/entrypoint.sh | 18 ++++++++++++++++-- utils/cache-domains/Makefile | 2 +- utils/cache-domains/pre-test.sh | 24 ++++++++++++++++++++++++ 3 files changed, 41 insertions(+), 3 deletions(-) create mode 100755 utils/cache-domains/pre-test.sh diff --git a/.github/workflows/entrypoint.sh b/.github/workflows/entrypoint.sh index 76dd8cbcc..7587aa8b7 100755 --- a/.github/workflows/entrypoint.sh +++ b/.github/workflows/entrypoint.sh @@ -26,10 +26,24 @@ for PKG in /ci/*.ipk; do echo "Testing package $PKG_NAME in version $PKG_VERSION from $PKG_SOURCE" - opkg install "$PKG" - export PKG_NAME PKG_VERSION CI_HELPER + PRE_TEST_SCRIPT=$(find /ci/ -name "$PKG_SOURCE" -type d)/pre-test.sh + + if [ -f "$PRE_TEST_SCRIPT" ]; then + echo "Use package specific pre-test.sh" + if sh "$PRE_TEST_SCRIPT" "$PKG_NAME" "$PKG_VERSION"; then + echo "Pre-test successful" + else + echo "Pre-test failed" + exit 1 + fi + else + echo "No pre-test.sh script available" + fi + + opkg install "$PKG" + TEST_SCRIPT=$(find /ci/ -name "$PKG_SOURCE" -type d)/test.sh if [ -f "$TEST_SCRIPT" ]; then diff --git a/utils/cache-domains/Makefile b/utils/cache-domains/Makefile index c9e8e2632..0e12ec32c 100644 --- a/utils/cache-domains/Makefile +++ b/utils/cache-domains/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=cache-domains PKG_VERSION:=2.3.1 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_MAINTAINER:=Gerard Ryan diff --git a/utils/cache-domains/pre-test.sh b/utils/cache-domains/pre-test.sh new file mode 100755 index 000000000..0b3e5176b --- /dev/null +++ b/utils/cache-domains/pre-test.sh 
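Review bot: The pre-test hook is invoked as `sh "$PRE_TEST_SCRIPT" "$PKG_NAME" "$PKG_VERSION"` immediately after `export PKG_NAME PKG_VERSION CI_HELPER`, so the script receives the same values both positionally and through the environment, and the only pre-test.sh in this series reads `${PKG_NAME}` from the environment and ignores `$1`/`$2`. Pick one contract and state it at the call site, e.g. `# pre-test.sh runs before opkg install; PKG_NAME/PKG_VERSION are exported (and also passed as $1/$2)`. Also note that `$(find /ci/ -name "$PKG_SOURCE" -type d)` yields a multi-line path if more than one directory matches — the same latent issue as the existing TEST_SCRIPT lookup, now duplicated.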
@@ -0,0 +1,24 @@
+#! /bin/sh
+
+set -o errexit
+
+case "${PKG_NAME}" in
+ cache-domains-openssl)
+ LIBUSTREAM_DEPS="libustream-openssl libopenssl3"
+ LIBUSTREAM_DEPS="${LIBUSTREAM_DEPS} libatomic1" # arm_cortex-a15_neon-vfpv4 extra dep
+ ;;
+ cache-domains-mbedtls)
+ LIBUSTREAM_DEPS="libustream-mbedtls libmbedtls"
+ ;;
+ cache-domains-wolfssl)
+ LIBUSTREAM_DEPS="libustream-wolfssl libwolfssl"
+ ;;
+esac
+
+# Replace the current libustream with the one PKG_NAME depends on.
+# opkg depends on libustream for https so we need to download the
+# replacement first and replace it offline.
+opkg download ${LIBUSTREAM_DEPS}
+opkg remove 'libustream-*'
+opkg install --offline-root / ./*.ipk
+rm ./*.ipk
From 10986d56c9fcdd093be0495d6e7a02e7f5f3141e Mon Sep 17 00:00:00 2001 From: Javier Marcet Date: Wed, 8 Feb 2023 14:40:10 +0100 Subject: [PATCH 24/49] sedutil: Add new package The Drive Trust Alliance Self Encrypting Drive Utility Signed-off-by: Javier Marcet --- utils/sedutil/Makefile | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 utils/sedutil/Makefile
diff --git a/utils/sedutil/Makefile b/utils/sedutil/Makefile
new file mode 100644
index 000000000..9625459d6
--- /dev/null
+++ b/utils/sedutil/Makefile
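Review bot: The `case "${PKG_NAME}" in` block has no default branch, so for any package name other than the three listed `LIBUSTREAM_DEPS` stays empty and the script proceeds to `opkg remove 'libustream-*'` — removing the TLS backend opkg itself needs for https — before `opkg install --offline-root / ./*.ipk` fails on a literal `./*.ipk`; `set -o errexit` may stop it earlier if `opkg download` with no arguments returns non-zero, but that is not something the script should rely on. Add `*) exit 0 ;;` before `esac` (or `echo "no libustream swap needed for ${PKG_NAME}"; exit 0`) so unrelated variants are a no-op. `opkg download` and `rm ./*.ipk` also act on whatever .ipk files already sit in the current directory; a `cd "$(mktemp -d)"` before the download would isolate that.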
@@ -0,0 +1,41 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=sedutil
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL=https://github.com/Drive-Trust-Alliance/sedutil
+PKG_SOURCE_DATE:=2022-12-27
+PKG_SOURCE_VERSION:=7a0cda7f60cce346f72466e61ce006e5ea48fbc0
+PKG_MIRROR_HASH:=e11333bfa0760a46cbebcba35360e0f076e6219eb38ce1545179b8741476668a
+
+PKG_LICENSE_FILES:=README.md
+PKG_LICENSE:=GPL-3.0-or-later
+PKG_MAINTAINER:=Javier Marcet
+
+PKG_FIXUP:=autoreconf
+PKG_BUILD_PARALLEL:=1
+PKG_BUILD_FLAGS:=lto
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/sedutil
+ SECTION:=utils
+ CATEGORY:=Utilities
+ TITLE:=The Drive Trust Alliance Self Encrypting Drive Utility
+ URL:=https://github.com/Drive-Trust-Alliance/sedutil
+ DEPENDS:=+libstdcpp
+endef
+
+define Package/sedutil/description
+This program and it's accompanying Pre-Boot Authorization image allow you to
+enable the locking in SED's that comply with the TCG OPAL 2.00 standard on bios
+machines.
+endef
+
+define Package/sedutil/install
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(CP) $(PKG_BUILD_DIR)/{linuxpba,sedutil-cli} $(1)/usr/bin
+endef
+
+$(eval $(call BuildPackage,sedutil))
From 20a803aa03be7176cdeb74622fb7c80ffe41b434 Mon Sep 17 00:00:00 2001 From: Van Waholtz Date: Mon, 1 May 2023 19:04:24 +0800 Subject: [PATCH 25/49] CI: Enable runtime_test for mips_24kc Signed-off-by: Van Waholtz --- .github/workflows/multi-arch-test-build.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/multi-arch-test-build.yml b/.github/workflows/multi-arch-test-build.yml
index 1d281eda7..3e8b6f263 100644
--- a/.github/workflows/multi-arch-test-build.yml
+++ b/.github/workflows/multi-arch-test-build.yml
@@ -17,7 +17,7 @@ jobs: - arch: mips_24kc target: ath79-generic - runtime_test: false + runtime_test: true - arch: mipsel_24kc target: mt7621
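Review bot: `Package/sedutil/install` copies the two executables with `$(CP) $(PKG_BUILD_DIR)/{linuxpba,sedutil-cli} $(1)/usr/bin`, which depends on bash brace expansion and preserves whatever mode the build left on the files; the conventional installer for executables sets the mode explicitly: `$(INSTALL_BIN) $(PKG_BUILD_DIR)/sedutil-cli $(1)/usr/bin/` and `$(INSTALL_BIN) $(PKG_BUILD_DIR)/linuxpba $(1)/usr/bin/`. Two smaller nits in the same hunk: `PKG_SOURCE_URL=` uses `=` where every neighbouring assignment uses `:=`, and the description should read "its accompanying" and "BIOS". `PKG_LICENSE_FILES:=README.md` is unusual; if the repository ships no separate LICENSE file it is acceptable, but a short comment saying so would stop reviewers from asking again.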
@@ -162,7 +162,9 @@ jobs: - name: Register QEMU if: ${{ matrix.runtime_test }} run: | - sudo docker run --rm --privileged aptman/qus -s -- -p + sudo apt-get update + sudo apt-get install -y qemu-user-static binfmt-support + sudo update-binfmts --import - name: Build Docker container if: ${{ matrix.runtime_test }} From b9b641df039347cba9142e5f23d29776d0d5c7f5 Mon Sep 17 00:00:00 2001 From: Van Waholtz Date: Mon, 1 May 2023 19:04:24 +0800 Subject: [PATCH 26/49] sing-box: update to 1.2.6 Signed-off-by: Van Waholtz --- net/sing-box/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/sing-box/Makefile b/net/sing-box/Makefile index a20a2b401..2db8c7887 100644 --- a/net/sing-box/Makefile +++ b/net/sing-box/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=sing-box -PKG_VERSION:=1.2.1 +PKG_VERSION:=1.2.6 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/SagerNet/sing-box/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=0f304b75c2e9f61e3f7808f23fe8fbe08161553475d9bec0dea4a5acf4452d2d +PKG_HASH:=8f7adf55ed9afe6ec0dd8b04ed64dd3a6243578ee779f909dfb3778fa2dbda10 PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE_FILES:=LICENSE From 71f9bdc0fb47852029c7d428d63a408e2669e754 Mon Sep 17 00:00:00 2001 From: Michael Heimpold Date: Mon, 1 May 2023 20:18:52 +0200 Subject: [PATCH 27/49] open-plc-utils: update to latest upstream version This adds support for QCA7006AQ chipset identification. Signed-off-by: Michael Heimpold --- utils/open-plc-utils/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/utils/open-plc-utils/Makefile b/utils/open-plc-utils/Makefile index eb763cffe..66f2a029c 100644 --- a/utils/open-plc-utils/Makefile +++ b/utils/open-plc-utils/Makefile 
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=open-plc-utils -PKG_RELEASE:=5 +PKG_RELEASE:=6 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/qca/open-plc-utils.git -PKG_SOURCE_VERSION:=358dfcf78bdaf7b0b13dcdf91cb1aae1789f2770 -PKG_MIRROR_HASH:=3b24033f3d2d9ac33778fb772837bc5e0a8891ac708bbe1f35336ff792baf9f8 +PKG_SOURCE_VERSION:=1ba7d5a042e4e8ff6858b08e113eec5dc4e89cf2 +PKG_MIRROR_HASH:=67a8c23a10b6b9e3437badad9f215d5350a766b1d0021c58d0ae092609be2b34 PKG_MAINTAINER:=Michael Heimpold From f1e33826fb4e096758580c258acb43a052e1e328 Mon Sep 17 00:00:00 2001 From: Tianling Shen Date: Tue, 2 May 2023 21:40:18 +0800 Subject: [PATCH 28/49] sqlite3: Update to 3.41.2 Fixes: CVE-2021-20227 Signed-off-by: Tianling Shen --- libs/sqlite3/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libs/sqlite3/Makefile b/libs/sqlite3/Makefile index aad769dcb..9d1d04dee 100644 --- a/libs/sqlite3/Makefile +++ b/libs/sqlite3/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=sqlite -PKG_VERSION:=3410100 +PKG_VERSION:=3410200 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-autoconf-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.sqlite.org/2023/ -PKG_HASH:=4dadfbeab9f8e16c695d4fbbc51c16b2f77fb97ff4c1c3d139919dfc038c9e33 +PKG_HASH:=e98c100dd1da4e30fa460761dab7c0b91a50b785e167f8c57acc46514fae9499 PKG_CPE_ID:=cpe:/a:sqlite:sqlite PKG_LICENSE:=PUBLICDOMAIN From 829a9a61c26421032a4184c1dabc460bad4aea33 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Tue, 2 May 2023 21:41:37 +0200 Subject: [PATCH 29/49] banip: update 0.8.4-3 * add the option 'ban_autoallowuplink' to limit the uplink autoallow function: 'subnet' (default), 'ip' or 'disable' Signed-off-by: Dirk Brenken --- net/banip/Makefile | 6 +-- net/banip/files/README.md | 1 + net/banip/files/banip-functions.sh | 75 +++++++++++++++++------------- net/banip/files/banip-service.sh | 6 +-- 4 files changed, 49 insertions(+), 39 deletions(-) 
diff --git a/net/banip/Makefile b/net/banip/Makefile index 37ae93440..02cc404bf 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -1,5 +1,5 @@ # -# banIP - ban incoming and outgoing ip addresses/subnets via sets in nftables +# banIP - ban incoming and outgoing ip addresses/subnets via Sets in nftables # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. # @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip PKG_VERSION:=0.8.4 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken @@ -23,7 +23,7 @@ define Package/banip endef define Package/banip/description -banIP blocks IP addresses via named nftables sets. +banIP blocks IP addresses via named nftables Sets. banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime. Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information. diff --git a/net/banip/files/README.md b/net/banip/files/README.md index cca75823d..803e4a931 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md @@ -139,6 +139,7 @@ Available commands: | ban_logforwardlan | option | 0 | log rejects in the lan-forward chain | | ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) | | ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) | +| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all | | ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs | | ban_basedir | option | /tmp | base working directory while banIP processing | | ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files | 
diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 36442381e..225427516 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -51,6 +51,7 @@ ban_logforwardwan="1" ban_logforwardlan="0" ban_allowlistonly="0" ban_autoallowlist="1" +ban_autoallowuplink="subnet" ban_autoblocklist="1" ban_deduplicate="1" ban_splitsize="0" @@ -65,7 +66,7 @@ ban_protov6="0" ban_ifv4="" ban_ifv6="" ban_dev="" -ban_sub="" +ban_uplink="" ban_fetchinsecure="" ban_cores="" ban_memory="" @@ -105,7 +106,7 @@ f_mkdir() { if [ ! -d "${dir}" ]; then rm -f "${dir}" mkdir -p "${dir}" - f_log "debug" "f_mkdir ::: created directory: ${dir}" + f_log "debug" "f_mkdir ::: created directory: ${dir}" fi } @@ -116,7 +117,7 @@ f_mkfile() { if [ ! -f "${file}" ]; then : >"${file}" - f_log "debug" "f_mkfile ::: created file: ${file}" + f_log "debug" "f_mkfile ::: created file: ${file}" fi } @@ -127,7 +128,7 @@ f_tmp() { ban_tmpdir="$(mktemp -p "${ban_basedir}" -d)" ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)" - f_log "debug" "f_tmp ::: base_dir: ${ban_basedir:-"-"}, tmp_dir: ${ban_tmpdir:-"-"}" + f_log "debug" "f_tmp ::: base_dir: ${ban_basedir:-"-"}, tmp_dir: ${ban_tmpdir:-"-"}" } # remove directories @@ -137,7 +138,7 @@ f_rmdir() { if [ -d "${dir}" ]; then rm -rf "${dir}" - f_log "debug" "f_rmdir ::: deleted directory: ${dir}" + f_log "debug" "f_rmdir ::: deleted directory: ${dir}" fi } @@ -286,7 +287,7 @@ f_fetch() { ;; esac - f_log "debug" "f_fetch ::: fetch_cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}" + f_log "debug" "f_fetch ::: fetch_cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}" } # remove logservice 
@@ -363,7 +364,7 @@ f_getif() { fi [ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "wan interfaces not found, please check your configuration" - f_log "debug" "f_getif ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}" + f_log "debug" "f_getif ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}" } # get wan devices 
@@ -398,37 +399,45 @@ f_getdev() { ban_dev="${ban_dev%%?}" [ -z "${ban_dev}" ] && f_log "err" "wan devices not found, please check your configuration" - f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}" + f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}" } -# get local subnets +# get local uplink # -f_getsub() { - local sub iface ip update="0" +f_getuplink() { + local uplink iface ip update="0" - if [ "${ban_autoallowlist}" = "1" ]; then + if [ "${ban_autoallowlist}" = "1" ] && [ "${ban_autoallowuplink}" != "disable" ]; then for iface in ${ban_ifv4} ${ban_ifv6}; do network_flush_cache - network_get_subnet sub "${iface}" - if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then - ban_sub="${ban_sub}${sub} " + if [ "${ban_autoallowuplink}" = "subnet" ]; then + network_get_subnet uplink "${iface}" + elif [ "${ban_autoallowuplink}" = "ip" ]; then + network_get_ipaddr uplink "${iface}" fi - network_get_subnet6 sub "${iface}" - if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then - ban_sub="${ban_sub}${sub} " + if [ -n "${uplink}" ] && ! printf " %s " "${ban_uplink}" | "${ban_grepcmd}" -q " ${uplink} "; then + ban_uplink="${ban_uplink}${uplink} " + fi + if [ "${ban_autoallowuplink}" = "subnet" ]; then + network_get_subnet6 uplink "${iface}" + elif [ "${ban_autoallowuplink}" = "ip" ]; then + network_get_ipaddr6 uplink "${iface}" + fi + if [ -n "${uplink}" ] && ! printf " %s " "${ban_uplink}" | "${ban_grepcmd}" -q " ${uplink} "; then + ban_uplink="${ban_uplink}${uplink} " fi done - for ip in ${ban_sub}; do + for ip in ${ban_uplink}; do if ! 
"${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then update="1" - printf "%-42s%s\n" "${ip}" "# subnet added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" - f_log "info" "added subnet '${ip}' to local allowlist" + printf "%-42s%s\n" "${ip}" "# uplink added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" + f_log "info" "added uplink '${ip}' to local allowlist" fi done - ban_sub="${ban_sub%%?}" + ban_uplink="${ban_uplink%%?}" fi - f_log "debug" "f_getsub ::: auto/update: ${ban_autoallowlist}/${update}, subnet(s): ${ban_sub:-"-"}" + f_log "debug" "f_getuplink ::: auto/update: ${ban_autoallowlist}/${update}, uplink: ${ban_uplink:-"-"}" } # get feed information @@ -499,7 +508,7 @@ f_nftinit() { feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)" feed_rc="${?}" - f_log "debug" "f_nftinit ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" + f_log "debug" "f_nftinit ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" return ${feed_rc} } @@ -824,7 +833,7 @@ f_down() { rm -f "${tmp_split}" "${tmp_nft}" end_ts="$(date +%s)" - f_log "debug" "f_down ::: name: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" + f_log "debug" "f_down ::: name: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" } # backup feeds 
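Review bot: The allowlist membership test `if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"` matches `${ip}` as an unanchored regular expression, so an existing entry that merely contains the new uplink as a substring suppresses the addition; the line is context here, but the new `ip` mode makes this more likely to bite, because a bare address is often a prefix of another (constructed example: 203.0.113.5 is found inside a 203.0.113.50 entry). Matching on the first field, e.g. `"${ban_awkcmd}" -v ip="${ip}" '$1==ip{f=1}END{exit !f}' "${ban_allowlist}"`, or at least `-q "^${ip}[[:space:]]"`, avoids that. The in-memory de-duplication `printf " %s " "${ban_uplink}" | "${ban_grepcmd}" -q " ${uplink} "` has the same regex semantics (`.` matches any character), though the surrounding spaces anchor it and both values come from netifd, so it is harmless in practice. f_getuplink is fully contained in this hunk.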
@@ -835,7 +844,7 @@ f_backup() { gzip -cf "${feed_file}" >"${ban_backupdir}/banIP.${feed}.gz" backup_rc="${?}" - f_log "debug" "f_backup ::: name: ${feed}, source: ${feed_file##*/}, target: banIP.${feed}.gz, rc: ${backup_rc}" + f_log "debug" "f_backup ::: name: ${feed}, source: ${feed_file##*/}, target: banIP.${feed}.gz, rc: ${backup_rc}" return ${backup_rc} } @@ -851,7 +860,7 @@ f_restore() { restore_rc="${?}" fi - f_log "debug" "f_restore ::: name: ${feed}, source: banIP.${tmp_feed}.gz, target: ${feed_file##*/}, in_rc: ${feed_rc}, rc: ${restore_rc}" + f_log "debug" "f_restore ::: name: ${feed}, source: banIP.${tmp_feed}.gz, target: ${feed_file##*/}, in_rc: ${feed_rc}, rc: ${restore_rc}" return ${restore_rc} } @@ -891,7 +900,7 @@ f_rmset() { fi rm -f "${tmp_del}" - f_log "debug" "f_rmset ::: sets: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" + f_log "debug" "f_rmset ::: sets: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" } # generate status information @@ -941,10 +950,10 @@ f_genstatus() { json_close_object done json_close_array - json_add_array "active_subnets" - for object in ${ban_sub:-"-"}; do + json_add_array "active_uplink" + for object in ${ban_uplink:-"-"}; do json_add_object - json_add_string "subnet" "${object}" + json_add_string "uplink" "${object}" json_close_object done json_close_array @@ -1063,7 +1072,7 @@ f_lookup() { end_time="$(date "+%s")" duration="$(((end_time - start_time) / 60))m $(((end_time - start_time) % 60))s" - f_log "debug" "feed: ${feed}, domains: ${cnt_domain}, IPs: ${cnt_ip}, duration: ${duration}" + f_log "debug" "f_lookup ::: feed: ${feed}, domains: ${cnt_domain}, IPs: ${cnt_ip}, duration: ${duration}" } # table statistics 
@@ -1310,7 +1319,7 @@ f_mail() { f_log "info" "failed to send status mail (${?})" fi - f_log "debug" "f_mail ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}" + f_log "debug" "f_mail ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}" } # initial sourcing diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh index ed2b9914c..b8a10398a 100755 --- a/net/banip/files/banip-service.sh +++ b/net/banip/files/banip-service.sh @@ -1,5 +1,5 @@ #!/bin/sh -# banIP main service script - ban incoming and outgoing ip addresses/subnets via sets in nftables +# banIP main service script - ban incoming and outgoing ip addresses/subnets via Sets in nftables # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. @@ -15,13 +15,13 @@ ban_funlib="/usr/lib/banip-functions.sh" # f_conf f_log "info" "start banIP processing (${ban_action})" -f_log "debug" "f_system ::: system: ${ban_sysver:-"n/a"}, version: ${ban_ver:-"n/a"}, memory: ${ban_memory:-"0"}, cpu_cores: ${ban_cores}" +f_log "debug" "f_system ::: system: ${ban_sysver:-"n/a"}, version: ${ban_ver:-"n/a"}, memory: ${ban_memory:-"0"}, cpu_cores: ${ban_cores}" f_genstatus "processing" f_tmp f_fetch f_getif f_getdev -f_getsub +f_getuplink f_mkdir "${ban_backupdir}" f_mkfile "${ban_blocklist}" f_mkfile "${ban_allowlist}" From 69c983391f1592a16729522e83f09063acb3c441 Mon Sep 17 00:00:00 2001 From: Zephyr Lykos Date: Tue, 2 May 2023 18:14:54 +0800 Subject: [PATCH 30/49] tailscale: update to 1.40.0 
Signed-off-by: Zephyr Lykos --- net/tailscale/Makefile | 8 ++++---- net/tailscale/patches/010-fake_iptables.patch | 2 +- net/tailscale/patches/020-tailscaled_fake_iptables.patch | 2 +- net/tailscale/patches/030-default_to_netfilter_off.patch | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/net/tailscale/Makefile b/net/tailscale/Makefile index b3d280f35..53dffb790 100644 --- a/net/tailscale/Makefile +++ b/net/tailscale/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tailscale -PKG_VERSION:=1.36.0 +PKG_VERSION:=1.40.0 PKG_RELEASE:=1 PKG_SOURCE:=tailscale-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/tailscale/tailscale/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=25b293a7e65d7b962f0c56454d66fa56c89c3aa995467218f24efa335b924c76 +PKG_HASH:=6964176889943e0e0b25d8d69e14226cfb1c1a9944a257b24cb2dd212f797141 PKG_MAINTAINER:=Jan Pavlinec PKG_LICENSE:=BSD-3-Clause @@ -27,8 +27,8 @@ PKG_BUILD_FLAGS:=no-mips16 GO_PKG:=\ tailscale.com/cmd/tailscale \ tailscale.com/cmd/tailscaled -GO_PKG_LDFLAGS:=-X 'tailscale.com/version.Long=$(PKG_VERSION)-$(PKG_RELEASE) (OpenWrt)' -GO_PKG_LDFLAGS_X:=tailscale.com/version.Short=$(PKG_VERSION) +GO_PKG_LDFLAGS:=-X 'tailscale.com/version.longStamp=$(PKG_VERSION)-$(PKG_RELEASE) (OpenWrt)' +GO_PKG_LDFLAGS_X:=tailscale.com/version.shortStamp=$(PKG_VERSION) include $(INCLUDE_DIR)/package.mk include ../../lang/golang/golang-package.mk diff --git a/net/tailscale/patches/010-fake_iptables.patch b/net/tailscale/patches/010-fake_iptables.patch index 07e14fbf5..2874f53b0 100644 --- a/net/tailscale/patches/010-fake_iptables.patch +++ b/net/tailscale/patches/010-fake_iptables.patch @@ -2,7 +2,7 @@ +++ b/go.mod @@ -2,6 +2,8 @@ module tailscale.com - go 1.19 + go 1.20 +replace github.com/coreos/go-iptables => ./patched/go-iptables + diff --git a/net/tailscale/patches/020-tailscaled_fake_iptables.patch b/net/tailscale/patches/020-tailscaled_fake_iptables.patch index 2180080ca..a4d54bdc6 100644 
--- a/net/tailscale/patches/020-tailscaled_fake_iptables.patch +++ b/net/tailscale/patches/020-tailscaled_fake_iptables.patch @@ -18,7 +18,7 @@ } } -@@ -1635,11 +1635,6 @@ func checkIPv6(logf logger.Logf) error { +@@ -1676,11 +1676,6 @@ func checkIPv6(logf logger.Logf) error { return fmt.Errorf("kernel doesn't support IPv6 policy routing: %w", err) } diff --git a/net/tailscale/patches/030-default_to_netfilter_off.patch b/net/tailscale/patches/030-default_to_netfilter_off.patch index 90c78fe69..1edd00225 100644 --- a/net/tailscale/patches/030-default_to_netfilter_off.patch +++ b/net/tailscale/patches/030-default_to_netfilter_off.patch @@ -1,6 +1,6 @@ --- a/cmd/tailscale/cli/up.go +++ b/cmd/tailscale/cli/up.go -@@ -143,7 +143,7 @@ func defaultNetfilterMode() string { +@@ -147,7 +147,7 @@ func defaultNetfilterMode() string { if distro.Get() == distro.Synology { return "off" } From 54c1303dc476bc678b2b40489408f6b0a0541486 Mon Sep 17 00:00:00 2001 From: Jeffery To Date: Thu, 4 May 2023 14:10:43 +0800 Subject: [PATCH 31/49] python-hatchling: Update to 1.14.1 Signed-off-by: Jeffery To --- lang/python/python-hatchling/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lang/python/python-hatchling/Makefile b/lang/python/python-hatchling/Makefile index 958600083..661d62611 100644 --- a/lang/python/python-hatchling/Makefile +++ b/lang/python/python-hatchling/Makefile @@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-hatchling -PKG_VERSION:=1.14.0 +PKG_VERSION:=1.14.1 PKG_RELEASE:=1 PYPI_NAME:=hatchling -PKG_HASH:=462ea91df03ff5d52813b5613fec1313a1a2059d2e37343e572b3f979867c5da +PKG_HASH:=55fbc88cbd0d96c09c3e9392b51db513fd4cb4caf47615d65f935a5ef1756133 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE.txt From 66257510d9613478a9fd99c41d745329476f7574 Mon Sep 17 00:00:00 2001 
From: Anna Tikhomirova Date: Fri, 28 Apr 2023 23:33:39 +0300 Subject: [PATCH 32/49] mwan3: fix addition of iptables rules for mwan3 sticky rules Addition of iptables rules for mwan3 sticky rules is broken, resulting in non-working sticky rules. The required parameters for the function 'mwan3_set_sticky_iptables' were passed in the wrong order. Signed-off-by: Anna Tikhomirova * Update commit message * Quoting function arguments Signed-off-by: Florian Eckert --- net/mwan3/files/lib/mwan3/mwan3.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/mwan3/files/lib/mwan3/mwan3.sh b/net/mwan3/files/lib/mwan3/mwan3.sh index 1bfb767e8..a3e7c0098 100644 --- a/net/mwan3/files/lib/mwan3/mwan3.sh +++ b/net/mwan3/files/lib/mwan3/mwan3.sh @@ -735,8 +735,8 @@ mwan3_set_policies_iptables() mwan3_set_sticky_iptables() { - local rule="${1}" - local interface="${2}" + local interface="${1}" + local rule="${2}" local ipv="${3}" local policy="${4}" @@ -879,7 +879,7 @@ mwan3_set_user_iptables_rule() fi mwan3_push_update -F "mwan3_rule_$1" - config_foreach mwan3_set_sticky_iptables interface $ipv "$policy" + config_foreach mwan3_set_sticky_iptables interface "$rule" "$ipv" "$policy" mwan3_push_update -A "mwan3_rule_$1" \ From fd2e20f66be8568355ac3d6a13e54ed117cacb5b Mon Sep 17 00:00:00 2001 From: Anna Tikhomirova Date: Wed, 3 May 2023 09:40:34 +0300 Subject: [PATCH 33/49] mwan3: bump PKG_VERSION to 2.11.5 Signed-off-by: Anna Tikhomirova --- net/mwan3/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mwan3/Makefile b/net/mwan3/Makefile index a72289fc6..10705df88 100644 --- a/net/mwan3/Makefile +++ b/net/mwan3/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mwan3 -PKG_VERSION:=2.11.4 +PKG_VERSION:=2.11.5 PKG_RELEASE:=1 PKG_MAINTAINER:=Florian Eckert , \ Aaron Goodman From 84b3de9eda29666bb96b656cdadaffd1c69897e7 Mon Sep 17 00:00:00 2001 
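Review bot: The argument order of `mwan3_set_sticky_iptables` is dictated by `config_foreach`, which prepends the section name before the caller's arguments, and nothing at the definition says so; the regression this commit fixes came from exactly that implicit contract. A comment above the `local` lines in the first hunk, `# called via config_foreach: $1 is the interface section, then rule, ipv, policy as passed by the caller`, would make the order explicit for the next change. The second hunk (`config_foreach mwan3_set_sticky_iptables interface "$rule" "$ipv" "$policy"`) now matches that order; both enclosing functions extend beyond their hunks.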
From: Anna Tikhomirova Date: Fri, 28 Apr 2023 23:12:37 +0300 Subject: [PATCH 34/49] mwan3: fix addition of routes to mwan3_connected ipset Addition of routes to mwan3_connected ipset is broken. The ipset name was changed from mwan3_connected_v4/6 to mwan3_connected_ipv4/6, but this change was not reflected in mwan3rtmon. Signed-off-by: Anna Tikhomirova * Update commit message Signed-off-by: Florian Eckert --- net/mwan3/files/usr/sbin/mwan3rtmon | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mwan3/files/usr/sbin/mwan3rtmon b/net/mwan3/files/usr/sbin/mwan3rtmon index b7f03cc87..d8ccffeb0 100755 --- a/net/mwan3/files/usr/sbin/mwan3rtmon +++ b/net/mwan3/files/usr/sbin/mwan3rtmon @@ -75,7 +75,7 @@ mwan3_rtmon_route_handle() if [ "$route_line" = "$1" ]; then action="replace" - $IPS -! add mwan3_connected_${route_family##ip} ${route_line%% *} + $IPS -! add mwan3_connected_${route_family} ${route_line%% *} else action="del" mwan3_set_connected_${route_family} From d079652396b465bde3b5e2315a18085bf5001f29 Mon Sep 17 00:00:00 2001 From: Anna Tikhomirova Date: Wed, 3 May 2023 10:32:22 +0300 Subject: [PATCH 35/49] mwan3: bump PKG_VERSION to 2.11.6 Signed-off-by: Anna Tikhomirova --- net/mwan3/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mwan3/Makefile b/net/mwan3/Makefile index 10705df88..36adc06da 100644 --- a/net/mwan3/Makefile +++ b/net/mwan3/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mwan3 -PKG_VERSION:=2.11.5 +PKG_VERSION:=2.11.6 PKG_RELEASE:=1 PKG_MAINTAINER:=Florian Eckert , \ Aaron Goodman From 97d6c8bf77a3fdb3e252fefaff7ad8584d2e2b1c Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Thu, 4 May 2023 12:07:09 +0200 Subject: [PATCH 36/49] banip: update 0.8.4-4 * add housekeeping to the autoallow function, only the current uplink will be held * fix small issues * cosmetics 
Signed-off-by: Dirk Brenken --- net/banip/Makefile | 2 +- net/banip/files/banip-functions.sh | 108 ++++++++++++++++------------- net/banip/files/banip-service.sh | 2 +- net/banip/files/banip.feeds | 88 +++++++++++------------ 4 files changed, 104 insertions(+), 96 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index 02cc404bf..bb736d3bf 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip PKG_VERSION:=0.8.4 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 225427516..fc54dc3d2 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -29,6 +29,7 @@ ban_nftcmd="$(command -v nft)" ban_fw4cmd="$(command -v fw4)" ban_awkcmd="$(command -v awk)" ban_grepcmd="$(command -v grep)" +ban_sedcmd="$(command -v sed)" ban_lookupcmd="$(command -v nslookup)" ban_mailcmd="$(command -v msmtp)" ban_mailsender="no-reply@banIP" 
@@ -248,17 +249,17 @@ f_conf() { # prepare fetch utility # f_fetch() { - local ut utils packages insecure + local item utils packages insecure if [ -z "${ban_fetchcmd}" ] || [ ! -x "${ban_fetchcmd}" ]; then - packages="$(${ban_ubuscmd} -S call rpc-sys packagelist 2>/dev/null)" - [ -z "${packages}" ] && f_log "err" "local opkg package repository is not available, please set the download utility 'ban_fetchcmd' manually" + packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)" + [ -z "${packages}" ] && f_log "err" "local package repository is not available, please set the download utility 'ban_fetchcmd' manually" utils="aria2c curl wget uclient-fetch" - for ut in ${utils}; do - if { [ "${ut}" = "uclient-fetch" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"libustream-'; } || - { [ "${ut}" = "wget" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"wget-ssl'; } || - [ "${ut}" = "curl" ] || [ "${ut}" = "aria2c" ]; then - ban_fetchcmd="$(command -v "${ut}")" + for item in ${utils}; do + if { [ "${item}" = "uclient-fetch" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"libustream-'; } || + { [ "${item}" = "wget" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"wget-ssl'; } || + [ "${item}" = "curl" ] || [ "${item}" = "aria2c" ]; then + ban_fetchcmd="$(command -v "${item}")" if [ -x "${ban_fetchcmd}" ]; then uci_set banip global ban_fetchcmd "${ban_fetchcmd##*/}" uci_commit "banip" 
@@ -429,12 +430,18 @@ f_getuplink() { done for ip in ${ban_uplink}; do if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then - update="1" + if [ "${update}" = "0" ]; then + "${ban_sedcmd}" -i '/# uplink added on /d' "${ban_allowlist}" + fi printf "%-42s%s\n" "${ip}" "# uplink added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" f_log "info" "added uplink '${ip}' to local allowlist" + update="1" fi done ban_uplink="${ban_uplink%%?}" + elif [ "${ban_autoallowlist}" = "1" ] && [ "${ban_autoallowuplink}" = "disable" ]; then + "${ban_sedcmd}" -i '/# uplink added on /d' "${ban_allowlist}" + update="1" fi f_log "debug" "f_getuplink ::: auto/update: ${ban_autoallowlist}/${update}, uplink: ${ban_uplink:-"-"}" @@ -867,7 +874,7 @@ f_restore() { # remove disabled feeds # f_rmset() { - local feedlist tmp_del ruleset_raw table_sets handle set del_set feed_log feed_rc + local feedlist tmp_del ruleset_raw item table_sets handle del_set feed_log feed_rc f_getfeed json_get_keys feedlist 
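Review bot: The cleanup `"${ban_sedcmd}" -i '/# uplink added on /d' "${ban_allowlist}"` runs inside the loop, guarded by `update = 0`, so when the first uplink is already present and a later one is missing, the sed deletes every auto-added line — including the one that was just accepted by the grep test — and that entry is never written back, leaving the allowlist without one of the current uplinks. Running the cleanup once before the loop, unconditionally, keeps the loop body a plain append and leaves exactly the current uplinks in the file. The cost is that the file is rewritten (and the `# uplink added on` date refreshed) on every run rather than only when something changed; if that matters, the sed could instead drop only lines whose first field is not in `${ban_uplink}`. The `disable` branch would then only need the sed, and its `update="1"` overstates what happened when nothing was deleted. f_getuplink begins outside this hunk.
```sh
		# … unchanged: uplink collection loop over ${ban_ifv4} ${ban_ifv6} …
		"${ban_sedcmd}" -i '/# uplink added on /d' "${ban_allowlist}"
		for ip in ${ban_uplink}; do
			if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then
				printf "%-42s%s\n" "${ip}" "# uplink added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
				f_log "info" "added uplink '${ip}' to local allowlist"
				update="1"
			fi
		done
		ban_uplink="${ban_uplink%%?}"
```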
@@ -876,19 +883,19 @@ f_rmset() { table_sets="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -qe '@.nftables[@.set.table="banIP"].set.name')" { printf "%s\n\n" "#!/usr/sbin/nft -f" - for set in ${table_sets}; do - if ! printf "%s" "allowlist blocklist ${ban_feed}" | "${ban_grepcmd}" -q "${set%v*}" || - ! printf "%s" "allowlist blocklist ${feedlist}" | "${ban_grepcmd}" -q "${set%v*}"; then - del_set="${del_set}${set}, " - rm -f "${ban_backupdir}/banIP.${set}.gz" - printf "%s\n" "flush set inet banIP ${set}" - handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${set}\"].handle")" + for item in ${table_sets}; do + if ! printf "%s" "allowlist blocklist ${ban_feed}" | "${ban_grepcmd}" -q "${item%v*}" || + ! printf "%s" "allowlist blocklist ${feedlist}" | "${ban_grepcmd}" -q "${item%v*}"; then + del_set="${del_set}${item}, " + rm -f "${ban_backupdir}/banIP.${item}.gz" + printf "%s\n" "flush set inet banIP ${item}" + handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${item}\"].handle")" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}" - handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${set}\"].handle")" + handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${item}\"].handle")" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}" - handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${set}\"].handle")" + handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe 
"@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${item}\"].handle")" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}" - printf "%s\n\n" "delete set inet banIP ${set}" + printf "%s\n\n" "delete set inet banIP ${item}" fi done } >"${tmp_del}" @@ -906,7 +913,7 @@ f_rmset() { # generate status information # f_genstatus() { - local object duration set table_sets cnt_elements="0" custom="0" split="0" status="${1}" + local object duration item table_sets cnt_elements="0" custom="0" split="0" status="${1}" [ -z "${ban_dev}" ] && f_conf if [ "${status}" = "active" ]; then @@ -916,8 +923,8 @@ f_genstatus() { fi table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe '@.nftables[@.set.table="banIP"].set.name')" if [ "${ban_reportelements}" = "1" ]; then - for set in ${table_sets}; do - cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))" + for item in ${table_sets}; do + cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))" done fi runtime="action: ${ban_action:-"-"}, duration: ${duration:-"-"}, date: $(date "+%Y-%m-%d %H:%M:%S")" 
@@ -1078,7 +1085,7 @@ f_lookup() { # table statistics # f_report() { - local report_jsn report_txt set tmp_val ruleset_raw table_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan output="${1}" + local report_jsn report_txt tmp_val ruleset_raw item table_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan output="${1}" local detail set_details jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan [ -z "${ban_dev}" ] && f_conf 
@@ -1102,13 +1109,13 @@ f_report() { : >"${report_jsn}" { printf "%s\n" "{" - printf "\t%s\n" '"sets": {' - for set in ${table_sets}; do - set_cntinput="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${set}\"].expr[*].counter.packets")" - set_cntforwardwan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${set}\"].expr[*].counter.packets")" - set_cntforwardlan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${set}\"].expr[*].counter.packets")" + printf "\t%s\n" '"sets":{' + for item in ${table_sets}; do + set_cntinput="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")" + set_cntforwardwan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")" + set_cntforwardlan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")" if [ "${ban_reportelements}" = "1" ]; then - set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" + set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" sum_setelements="$((sum_setelements + set_cnt))" else set_cnt="" 
@@ -1139,7 +1146,7 @@ f_report() { set_cntforwardlan="" fi [ "${sum_sets}" -gt "0" ] && printf "%s\n" "," - printf "\t\t%s\n" "\"${set}\": {" + printf "\t\t%s\n" "\"${item}\":{" printf "\t\t\t%s\n" "\"cnt_elements\": \"${set_cnt}\"," printf "\t\t\t%s\n" "\"cnt_input\": \"${set_cntinput}\"," printf "\t\t\t%s\n" "\"input\": \"${set_input}\"," @@ -1193,9 +1200,9 @@ f_report() { if [ -n "${table_sets}" ]; then printf "%-25s%-15s%-24s%-24s%s\n" " Set" "| Elements" "| WAN-Input (packets)" "| WAN-Forward (packets)" "| LAN-Forward (packets)" printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+------------------------" - for set in ${table_sets}; do - printf " %-21s" "${set}" - json_select "${set}" + for item in ${table_sets}; do + printf " %-21s" "${item}" + json_select "${item}" json_get_keys set_details for detail in ${set_details}; do json_get_var jsnval "${detail}" >/dev/null 2>&1 @@ -1241,13 +1248,13 @@ f_report() { # set search # f_search() { - local set table_sets ip proto run_search hold cnt search="${1}" + local item table_sets ip proto hold cnt result_flag="/var/run/banIP.search" input="${1}" - if [ -n "${search}" ]; then - ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{printf "%s",RT}')" + if [ -n "${input}" ]; then + ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{printf "%s",RT}')" [ -n "${ip}" ] && proto="v4" if [ -z "${proto}" ]; then - ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{printf "%s",RT}')" + ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{printf "%s",RT}')" [ -n "${ip}" ] && proto="v6" fi fi 
@@ -1261,13 +1268,15 @@ f_search() { printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")" printf " %s\n" "---" cnt="1" - run_search="/var/run/banIP.search" - for set in ${table_sets}; do - [ -f "${run_search}" ] && break + for item in ${table_sets}; do + if [ -f "${result_flag}" ]; then + rm -f "${result_flag}" + return + fi ( - if "${ban_nftcmd}" get element inet banIP "${set}" "{ ${ip} }" >/dev/null 2>&1; then - printf " %s\n" "IP found in Set '${set}'" - : >"${run_search}" + if "${ban_nftcmd}" get element inet banIP "${item}" "{ ${ip} }" >/dev/null 2>&1; then + printf " %s\n" "IP found in Set '${item}'" + : >"${result_flag}" fi ) & hold="$((cnt % ban_cores))" @@ -1275,22 +1284,21 @@ f_search() { cnt="$((cnt + 1))" done wait - [ ! -f "${run_search}" ] && printf " %s\n" "IP not found" - rm -f "${run_search}" + printf " %s\n" "IP not found" } # set survey # f_survey() { - local set_elements set="${1}" + local set_elements input="${1}" - if [ -z "${set}" ]; then + if [ -z "${input}" ]; then printf "%s\n%s\n%s\n" ":::" "::: no valid survey input" ":::" return fi - [ -n "${set}" ] && set_elements="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')" + set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')" printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::" - printf " %s\n" "List the elements of Set '${set}' on $(date "+%Y-%m-%d %H:%M:%S")" + printf " %s\n" "List the elements of Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")" printf " %s\n" "---" [ -n "${set_elements}" ] && printf "%s\n" "${set_elements}" || printf " %s\n" "empty set" } diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh index b8a10398a..f70f5723f 100755 --- a/net/banip/files/banip-service.sh +++ b/net/banip/files/banip-service.sh 
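Review bot: The result flag is now only removed on the early `return` inside the loop, and `printf " %s\n" "IP not found"` after `wait` is unconditional, so a hit produced by one of the last spawned background checks (after the loop's final `-f` test) prints both "IP found in Set" and "IP not found" and leaves `/var/run/banIP.search` behind, which makes the next search return at its first iteration without checking any Set. The early `return` also exits while background jobs are still running, so their output can appear after the function has returned. Keeping the old conditional after `wait` and removing the flag there, plus waiting before the early exit, fixes both; removing the flag before the loop starts additionally protects against a stale file from an interrupted run. Both f_search hunks are affected; the function starts outside the first hunk.
```sh
	rm -f "${result_flag}"
	for item in ${table_sets}; do
		if [ -f "${result_flag}" ]; then
			wait
			rm -f "${result_flag}"
			return
		fi
		# … unchanged: background "get element" check, hold/cnt bookkeeping …
	done
	wait
	if [ -f "${result_flag}" ]; then
		rm -f "${result_flag}"
	else
		printf " %s\n" "IP not found"
	fi
```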
@@ -138,7 +138,7 @@ wait f_rmset f_rmdir "${ban_tmpdir}" f_genstatus "active" -f_log "info" "finished banIP download processes" +f_log "info" "finish banIP download processes" # start domain lookup # diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds index 90f6d63be..a5604fc3c 100644 --- a/net/banip/files/banip.feeds +++ b/net/banip/files/banip.feeds 
@@ -1,259 +1,259 @@ { - "adaway": { + "adaway":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adaway-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adaway-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "adaway IPs" }, - "adguard": { + "adguard":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "adguard IPs" }, - "adguardtrackers": { + "adguardtrackers":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "adguardtracker IPs" }, - "antipopads": { + "antipopads":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": 
"/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "antipopads IPs" }, - "asn": { + "asn":{ "url_4": "https://asn.ipinfo.app/api/text/list/", "url_6": "https://asn.ipinfo.app/api/text/list/", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", "descr": "ASN IPs" }, - "backscatterer": { + "backscatterer":{ "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "backscatterer IPs", "flag": "gz" }, - "bogon": { + "bogon":{ "url_4": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt", "url_6": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", "descr": "bogon prefixes" }, - "cinsscore": { + "cinsscore":{ "url_4": "https://cinsscore.com/list/ci-badguys.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "suspicious attacker IPs" }, - "country": { + "country":{ "url_4": "https://www.ipdeny.com/ipblocks/data/aggregated/", "url_6": "https://www.ipdeny.com/ipv6/ipaddresses/aggregated/", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", "descr": "country blocks" }, - "darklist": { + "darklist":{ "url_4": "https://darklist.de/raw.php", 
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "suspicious attacker IPs" }, - "debl": { + "debl":{ "url_4": "https://www.blocklist.de/downloads/export-ips_all.txt", "url_6": "https://www.blocklist.de/downloads/export-ips_all.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", "descr": "fail2ban IP blacklist" }, - "doh": { + "doh":{ "url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "public DoH-Provider" }, - "drop": { + "drop":{ "url_4": "https://www.spamhaus.org/drop/drop.txt", "url_6": "https://www.spamhaus.org/drop/dropv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "spamhaus drop compilation" }, - "dshield": { + "dshield":{ "url_4": "https://feeds.dshield.org/block.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s/%s,\\n\",$1,$3}", "descr": "dshield IP blocklist" }, - "edrop": { + "edrop":{ "url_4": "https://www.spamhaus.org/drop/edrop.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "spamhaus edrop 
compilation" }, - "feodo": { + "feodo":{ "url_4": "https://feodotracker.abuse.ch/downloads/ipblocklist.txt", "rule_4": "BEGIN{RS=\"\\r\\n\"}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "feodo tracker" }, - "firehol1": { + "firehol1":{ "url_4": "https://iplists.firehol.org/files/firehol_level1.netset", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "firehol level 1 compilation" }, - "firehol2": { + "firehol2":{ "url_4": "https://iplists.firehol.org/files/firehol_level2.netset", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "firehol level 2 compilation" }, - "firehol3": { + "firehol3":{ "url_4": "https://iplists.firehol.org/files/firehol_level3.netset", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "firehol level 3 compilation" }, - "firehol4": { + "firehol4":{ "url_4": "https://iplists.firehol.org/files/firehol_level4.netset", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{if(!seen[$1]++)printf \"%s,\\n\",$1}", "descr": "firehol level 4 compilation" }, - "greensnow": { + "greensnow":{ "url_4": "https://blocklist.greensnow.co/greensnow.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "suspicious server IPs" }, - "iblockads": { + "iblockads":{ "url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "advertising IPs", "flag": "gz" }, - "iblockspy": { + "iblockspy":{ "url_4": 
"https://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "malicious spyware IPs", "flag": "gz" }, - "ipthreat": { + "ipthreat":{ "url_4": "https://lists.ipthreat.net/file/ipthreat-lists/threat/threat-30.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[-[:space:]]?/{printf \"%s,\\n\",$1}", "descr": "hacker and botnet IPs" }, - "myip": { + "myip":{ "url_4": "https://myip.ms/files/blacklist/general/latest_blacklist.txt", "url_6": "https://myip.ms/files/blacklist/general/latest_blacklist.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "real-time IP blocklist" }, - "nixspam": { + "nixspam":{ "url_4": "https://www.nixspam.net/download/nixspam-ip.dump.gz", "rule_4": "/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$2}", "descr": "iX spam protection", "flag": "gz" }, - "oisdbig": { + "oisdbig":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdbig-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdbig-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "OISD-big IPs" }, - "oisdnsfw": { + "oisdnsfw":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv4.txt", "url_6": 
"https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "OISD-nsfw IPs" }, - "oisdsmall": { + "oisdsmall":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "OISD-small IPs" }, - "proxy": { + "proxy":{ "url_4": "https://iplists.firehol.org/files/proxylists.ipset", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "open proxies" }, - "sslbl": { + "sslbl":{ "url_4": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv", "rule_4": "BEGIN{FS=\",\"}/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$2}", "descr": "SSL botnet IPs" }, - "stevenblack": { + "stevenblack":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "stevenblack IPs" }, - "talos": { + "talos":{ "url_4": "https://www.talosintelligence.com/documents/ip-blacklist", 
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "talos IPs" }, - "threat": { + "threat":{ "url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "emerging threats" }, - "threatview": { + "threatview":{ "url_4": "https://threatview.io/Downloads/IP-High-Confidence-Feed.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "malicious IPs" }, - "tor": { + "tor":{ "url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst", "url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", "descr": "tor exit nodes" }, - "uceprotect1": { + "uceprotect1":{ "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "spam protection level 1", "flag": "gz" }, - "uceprotect2": { + "uceprotect2":{ "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-2.uceprotect.net.gz", "rule_4": "BEGIN{IGNORECASE=1}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]NET)/{printf \"%s,\\n\",$1}", "descr": "spam protection level 2", "flag": "gz" }, - "uceprotect3": { + "uceprotect3":{ "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-3.uceprotect.net.gz", "rule_4": 
"BEGIN{IGNORECASE=1}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]YOUR)/{printf \"%s,\\n\",$1}", "descr": "spam protection level 3", "flag": "gz" }, - "urlhaus": { + "urlhaus":{ "url_4": "https://urlhaus.abuse.ch/downloads/ids/", "rule_4": "match($0,/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5]))/){printf \"%s,\\n\",substr($0,RSTART,RLENGTH)}", "descr": "urlhaus IDS IPs" }, - "urlvir": { + "urlvir":{ "url_4": "https://iplists.firehol.org/files/urlvir.ipset", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "malware related IPs" }, - "voip": { + "voip":{ "url_4": "https://voipbl.org/update/", "rule_4": "BEGIN{RS=\"(([0-9]{1,3}\\\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)\"}{if(RT)printf \"%s,\\n\",RT}", "descr": "VoIP fraud blocklist" }, - "webclient": { + "webclient":{ "url_4": "https://iplists.firehol.org/files/firehol_webclient.netset", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "malware related IPs" }, - "yoyo": { + "yoyo":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/yoyo-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/yoyo-ipv6.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", From 7e70de77d089e94e80a3ae71b60ec87ec31be1ac Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Thu, 4 May 2023 22:40:48 +0200 Subject: [PATCH 37/49] banip: update 0.8.4-5 * fix remaining small issues * standardize log wording * polished up for branch 23.x 
Signed-off-by: Dirk Brenken --- net/banip/Makefile | 10 ++-- net/banip/files/README.md | 46 +++++++-------- net/banip/files/banip-functions.sh | 89 +++++++++++++++--------------- net/banip/files/banip-service.sh | 21 ++++--- net/banip/files/banip.init | 10 ++-- net/banip/files/banip.tpl | 4 +- 6 files changed, 87 insertions(+), 93 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index bb736d3bf..e29e10eaf 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -1,14 +1,12 @@ -# -# banIP - ban incoming and outgoing ip addresses/subnets via Sets in nftables +# banIP - ban incoming and outgoing IPs via named nftables Sets # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. -# include $(TOPDIR)/rules.mk PKG_NAME:=banip PKG_VERSION:=0.8.4 -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken @@ -17,13 +15,13 @@ include $(INCLUDE_DIR)/package.mk define Package/banip SECTION:=net CATEGORY:=Network - TITLE:=banIP blocks IP addresses via named nftables sets + TITLE:=banIP blocks IPs via named nftables Sets DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +logd +rpcd +rpcd-mod-rpcsys PKGARCH:=all endef define Package/banip/description -banIP blocks IP addresses via named nftables Sets. +banIP blocks IPs via named nftables Sets. banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime. Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information. diff --git a/net/banip/files/README.md b/net/banip/files/README.md index 803e4a931..0a91b8290 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md 
@@ -1,9 +1,9 @@ -# banIP - ban incoming and outgoing IP addresses/subnets via sets in nftables +# banIP - ban incoming and outgoing IP addresses/subnets via Sets in nftables ## Description -IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IP addresses that make too many password failures, e.g. via ssh. +IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IPs that make too many password failures, e.g. via ssh. ## Main Features * banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses). @@ -57,9 +57,9 @@ IP address blocking is commonly used to protect against brute force attacks, pre | yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | * Zero-conf like automatic installation & setup, usually no manual changes needed -* All sets are handled in a separate nft table/namespace 'banIP' +* All Sets are handled in a separate nft table/namespace 'banIP' * Full IPv4 and IPv6 support -* Supports nft atomic set loading +* Supports nft atomic Set loading * Supports blocking by ASN numbers and by iso country codes * Supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names) * Auto-add the uplink subnet to the local allowlist 
@@ -70,10 +70,10 @@ IP address blocking is commonly used to protect against brute force attacks, pre * Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup * Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget * Supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs -* Deduplicate IPs accross all sets (single IPs only, no intervals) +* Deduplicate IPs accross all Sets (single IPs only, no intervals) * Provides comprehensive runtime information -* Provides a detailed set report -* Provides a set search engine for certain IPs +* Provides a detailed Set report +* Provides a Set search engine for certain IPs * Feed parsing by fast & flexible regex rulesets * Minimal status & error logging to syslog, enable debug logging to receive more output * Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup) @@ -112,9 +112,9 @@ Available commands: enable Enable service autostart disable Disable service autostart enabled Check if service is started on boot - report [text|json|mail] Print banIP related set statistics - search [|] Check if an element exists in a banIP set - survey [] List all elements of a given banIP set + report [text|json|mail] Print banIP related Set statistics + search [|] Check if an element exists in a banIP Set + survey [] List all elements of a given banIP Set lookup Lookup the IPs of domain names in the local lists and update them running Check if service is running status Service status 
@@ -129,7 +129,7 @@ Available commands: | ban_enabled | option | 0 | enable the banIP service | | ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) | | ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) | -| ban_loglimit | option | 100 | scan only the last n log entries permanently. Set it to '0' to disable the monitor | +| ban_loglimit | option | 100 | scan only the last n log entries permanently. A value of '0' disables the monitor | | ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious | | ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) | | ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets | 
@@ -152,12 +152,12 @@ Available commands: | ban_trigger | list | - | logical startup trigger interface(s), e.g. 'wan' | | ban_triggerdelay | option | 10 | trigger timeout before banIP processing begins | | ban_triggeraction | option | start | trigger action on ifup events, e.g. start, restart or reload | -| ban_deduplicate | option | 1 | deduplicate IP addresses across all active sets | -| ban_splitsize | option | 0 | split ext. sets after every n lines/members (saves RAM) | +| ban_deduplicate | option | 1 | deduplicate IP addresses across all active Sets | +| ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) | | ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) | | ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug | | ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) | -| ban_nftpolicy | option | memory | nft policy for banIP-related sets, values: memory, performance | +| ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance | | ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' | | ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) | | ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' | 
@@ -174,7 +174,7 @@ Available commands: | ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails | | ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails | | ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run | -| ban_reportelements | option | 1 | list set elements in the report, disable this to speed up the report significantly | +| ban_reportelements | option | 1 | count Set elements in the report, disable this option to speed up the report significantly | | ban_resolver | option | - | external resolver used for DNS lookups | ## Examples @@ -230,11 +230,11 @@ Available commands: ~# /etc/init.d/banip status ::: banIP runtime information + status : active (nft: ✔, monitor: ✔) - + version : 0.8.3-1 + + version : 0.8.5-1 + element_count : 281161 + active_feeds : allowlistvMAC, allowlistv6, allowlistv4, adawayv4, adguardtrackersv4, adawayv6, adguardv6, adguardv4, adguardtrackersv6, antipopadsv6, antipopadsv4, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dohv4, dohv6, iblockadsv4, firehol1v4, oisdbigv4, yoyov6, threatviewv4, yoyov4, oisdbigv6, blocklistvMAC, blocklistv4, blocklistv6 + active_devices : br-wan ::: wan, wan6 - + active_subnets : 91.64.169.252/24, 2a02:710c:0:60:958b:3bd0:9e14:abb/128 + + active_uplink : 91.64.169.252/24, 2a02:710c:0:60:958b:3bd0:9e14:abb/128 + nft_info : priority: -200, policy: memory, loglevel: warn, expiry: - + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, feed: /etc/banip/banip.feeds + run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, allowed only: ✘ @@ -259,7 +259,7 @@ Available commands: ::: ::: banIP Survey ::: - List the elements of Set 'cinsscorev4' on 2023-03-06 14:07:58 + List of elements in the Set 'cinsscorev4' on 2023-03-06 14:07:58 --- 1.10.187.179 1.10.203.30 
@@ -291,7 +291,7 @@ list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress=' banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist. Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option. Furthermore the uplink subnet will be added to local allowlist (see 'ban\_autoallowlist' option). -Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time. +Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time. **allowlist-only mode** banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked. 
@@ -307,12 +307,12 @@ For a regular, automatic status mailing and update of the used lists on a daily ``` **tweaks for low memory systems** -nftables supports the atomic loading of rules/sets/members, which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options: +nftables supports the atomic loading of firewall rules (incl. elements), which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options: * point 'ban_basedir', 'ban_reportdir' and 'ban_backupdir' to an external usb drive * set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing - * set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members - * set 'ban_reportelements' to '0' to disable the CPU intensive counting of set elements + * set 'ban_splitsize' e.g. to '1000' to split the load of an external Set after every 1000 lines/members + * set 'ban_reportelements' to '0' to disable the CPU intensive counting of Set elements **tweak the download options** By default banIP uses the following pre-configured download options: @@ -350,7 +350,7 @@ The banIP default blocklist feeds are stored in an external JSON file '/etc/bani A valid JSON source object contains the following information, e.g.: ``` [...] - "tor": { + "tor":{ "url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst", "url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", 
diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index fc54dc3d2..7e882f244 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -1,4 +1,4 @@ -# banIP shared function library/include +# banIP shared function library/include - ban incoming and outgoing IPs via named nftables Sets # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. @@ -107,7 +107,7 @@ f_mkdir() { if [ ! -d "${dir}" ]; then rm -f "${dir}" mkdir -p "${dir}" - f_log "debug" "f_mkdir ::: created directory: ${dir}" + f_log "debug" "f_mkdir ::: directory: ${dir}" fi } @@ -118,7 +118,7 @@ f_mkfile() { if [ ! -f "${file}" ]; then : >"${file}" - f_log "debug" "f_mkfile ::: created file: ${file}" + f_log "debug" "f_mkfile ::: file: ${file}" fi } @@ -139,7 +139,7 @@ f_rmdir() { if [ -d "${dir}" ]; then rm -rf "${dir}" - f_log "debug" "f_rmdir ::: deleted directory: ${dir}" + f_log "debug" "f_rmdir ::: directory: ${dir}" fi } @@ -253,7 +253,7 @@ f_fetch() { if [ -z "${ban_fetchcmd}" ] || [ ! -x "${ban_fetchcmd}" ]; then packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)" - [ -z "${packages}" ] && f_log "err" "local package repository is not available, please set the download utility 'ban_fetchcmd' manually" + [ -z "${packages}" ] && f_log "err" "no local package repository" utils="aria2c curl wget uclient-fetch" for item in ${utils}; do if { [ "${item}" = "uclient-fetch" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"libustream-'; } || @@ -268,7 +268,7 @@ f_fetch() { fi done fi - [ ! -x "${ban_fetchcmd}" ] && f_log "err" "download utility with SSL support not found" + [ ! -x "${ban_fetchcmd}" ] && f_log "err" "no download utility with SSL support" case "${ban_fetchcmd##*/}" in "aria2c") [ "${ban_fetchinsecure}" = "1" ] && insecure="--check-certificate=false" 
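Review bot: The shortened `f_log "err"` messages in the two f_fetch hunks drop the only actionable guidance the operator had — `please set the download utility 'ban_fetchcmd' manually` and the `please check your configuration` hints — while the error condition itself is unchanged, so a router without a package list now just reports `no local package repository` with no pointer to the override. The same trimming is applied in the f_getif and f_getdev hunks (`no wan interface '…'`, `no wan interfaces`, `no wan devices`). Standardised wording is fine, but keep the remedy in the message, e.g. `f_log "err" "no local package repository, set 'ban_fetchcmd' manually"` and `f_log "err" "no wan interfaces, check 'ban_ifv4'/'ban_ifv6' or 'ban_autodetect'"`. Both f_fetch hunks start and end inside the function body.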
@@ -288,7 +288,7 @@ f_fetch() { ;; esac - f_log "debug" "f_fetch ::: fetch_cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}" + f_log "debug" "f_fetch ::: cmd: ${ban_fetchcmd:-"-"}, parm: ${ban_fetchparm:-"-"}" } # remove logservice @@ -336,7 +336,7 @@ f_getif() { ban_ifv4="${iface}" uci_set banip global ban_protov4 "1" uci_add_list banip global ban_ifv4 "${iface}" - f_log "info" "added IPv4 interface '${iface}' to config" + f_log "info" "add IPv4 interface '${iface}' to config" fi fi if [ -z "${ban_ifv6}" ]; then @@ -347,7 +347,7 @@ f_getif() { ban_ifv6="${iface}" uci_set banip global ban_protov6 "1" uci_add_list banip global ban_ifv6 "${iface}" - f_log "info" "added IPv6 interface '${iface}' to config" + f_log "info" "add IPv6 interface '${iface}' to config" fi fi fi @@ -359,11 +359,11 @@ f_getif() { ban_ifv6="${ban_ifv6%%?}" for iface in ${ban_ifv4} ${ban_ifv6}; do if ! "${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev/null 2>&1; then - f_log "err" "wan interface '${iface}' is not available, please check your configuration" + f_log "err" "no wan interface '${iface}'" fi done fi - [ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "wan interfaces not found, please check your configuration" + [ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "no wan interfaces" f_log "debug" "f_getif ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}" } @@ -385,7 +385,7 @@ f_getdev() { if ! printf " %s " "${ban_dev}" | "${ban_grepcmd}" -q " ${dev} "; then ban_dev="${ban_dev}${dev} " uci_add_list banip global ban_dev "${dev}" - f_log "info" "added device '${dev}' to config" + f_log "info" "add device '${dev}' to config" fi fi done 
@@ -398,7 +398,7 @@ f_getdev() { uci_commit "banip" fi ban_dev="${ban_dev%%?}" - [ -z "${ban_dev}" ] && f_log "err" "wan devices not found, please check your configuration" + [ -z "${ban_dev}" ] && f_log "err" "no wan devices" f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}" } @@ -429,12 +429,12 @@ f_getuplink() { fi done for ip in ${ban_uplink}; do - if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then + if ! "${ban_grepcmd}" -q "${ip} " "${ban_allowlist}"; then if [ "${update}" = "0" ]; then "${ban_sedcmd}" -i '/# uplink added on /d' "${ban_allowlist}" fi printf "%-42s%s\n" "${ip}" "# uplink added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" - f_log "info" "added uplink '${ip}' to local allowlist" + f_log "info" "add uplink '${ip}' to local allowlist" update="1" fi done @@ -453,17 +453,17 @@ f_getfeed() { json_init if [ -s "${ban_customfeedfile}" ]; then if ! json_load_file "${ban_customfeedfile}" >/dev/null 2>&1; then - f_log "info" "banIP custom feed file can't be loaded" + f_log "info" "can't load banIP custom feed file" if ! json_load_file "${ban_feedfile}" >/dev/null 2>&1; then - f_log "err" "banIP feed file can't be loaded" + f_log "err" "can't load banIP feed file" fi fi elif ! json_load_file "${ban_feedfile}" >/dev/null 2>&1; then - f_log "err" "banIP feed file can't be loaded" + f_log "err" "can't load banIP feed file" fi } -# get set elements +# get Set elements # f_getelements() { local file="${1}" @@ -751,10 +751,10 @@ f_down() { feed_rc="${?}" fi - # build nft file with set and rules for regular downloads + # build nft file with Sets and rules for regular downloads # if [ "${feed_rc}" = "0" ] && [ ! -s "${tmp_nft}" ]; then - # deduplicate sets + # deduplicate Sets # if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then "${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_raw}" 
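Review bot: The allowlist membership test on the changed line in f_getuplink still hands `${ip}` to grep as an unanchored regular expression, so every dot matches any character and `10.0.0.1 ` also matches inside a line starting with `110.0.0.1 `, which silently skips adding that uplink. The trailing space this commit appends narrows the match but fixes neither problem. Because the entry is written with `printf "%-42s%s\n"` the IP is always the first whitespace-separated field, so an exact field comparison is both simpler and correct: `if ! "${ban_awkcmd}" -v ip="${ip}" '$1==ip{f=1} END{exit !f}' "${ban_allowlist}"; then` (a missing file still yields a non-zero status and falls through to the append, as with grep today). f_getuplink starts before this hunk.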
@@ -763,13 +763,13 @@ f_down() { "${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_split}" fi feed_rc="${?}" - # split sets + # split Sets # if [ "${feed_rc}" = "0" ]; then if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "0" ]; then if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then rm -f "${tmp_file}".* - f_log "info" "failed to split '${feed}' Set to size '${ban_splitsize//[![:digit]]/}'" + f_log "info" "can't split Set '${feed}' to size '${ban_splitsize//[![:digit]]/}'" fi else "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1" @@ -779,7 +779,7 @@ f_down() { rm -f "${tmp_raw}" "${tmp_load}" if [ "${feed_rc}" = "0" ] && [ "${proto}" = "4" ]; then { - # nft header (IPv4 set) + # nft header (IPv4 Set) # printf "%s\n\n" "#!/usr/sbin/nft -f" [ -s "${tmp_flush}" ] && cat "${tmp_flush}" @@ -793,7 +793,7 @@ f_down() { } >"${tmp_nft}" elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then { - # nft header (IPv6 set) + # nft header (IPv6 Set) # printf "%s\n\n" "#!/usr/sbin/nft -f" [ -s "${tmp_flush}" ] && cat "${tmp_flush}" @@ -815,6 +815,7 @@ f_down() { if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed_url}" = "local" ] || [ "${feed%v*}" = "allowlist" ] || [ "${feed%v*}" = "blocklist" ]; then feed_log="$("${ban_nftcmd}" -f "${tmp_nft}" 2>&1)" feed_rc="${?}" + # load additional split files # if [ "${feed_rc}" = "0" ]; then @@ -825,7 +826,7 @@ f_down() { continue fi if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $(cat "${split_file}") }" >/dev/null 2>&1; then - f_log "info" "failed to add split file '${split_file##*.}' to '${feed}' Set" + f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'" fi rm -f "${split_file}" done 
@@ -834,7 +835,7 @@ f_down() { fi fi else - f_log "info" "empty feed '${feed}' will be skipped" + f_log "info" "skip empty feed '${feed}'" fi fi rm -f "${tmp_split}" "${tmp_nft}" @@ -871,7 +872,7 @@ f_restore() { return ${restore_rc} } -# remove disabled feeds +# remove disabled Sets # f_rmset() { local feedlist tmp_del ruleset_raw item table_sets handle del_set feed_log feed_rc @@ -1068,12 +1069,12 @@ f_lookup() { done if [ -n "${elementsv4}" ]; then if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" "{ ${elementsv4} }" >/dev/null 2>&1; then - f_log "info" "failed to add lookup file to '${feed}v4' Set" + f_log "info" "can't add lookup file to Set '${feed}v4'" fi fi if [ -n "${elementsv6}" ]; then if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" "{ ${elementsv6} }" >/dev/null 2>&1; then - f_log "info" "failed to add lookup file to '${feed}v6' Set" + f_log "info" "can't add lookup file to Set '${feed}v6'" fi fi end_time="$(date "+%s")" @@ -1245,7 +1246,7 @@ f_report() { rm -f "${report_txt}" } -# set search +# Set search # f_search() { local item table_sets ip proto hold cnt result_flag="/var/run/banIP.search" input="${1}" @@ -1287,7 +1288,7 @@ f_search() { printf " %s\n" "IP not found" } -# set survey +# Set survey # f_survey() { local set_elements input="${1}" @@ -1298,12 +1299,12 @@ f_survey() { fi set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')" printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::" - printf " %s\n" "List the elements of Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")" + printf " %s\n" "List of elements in the Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")" printf " %s\n" "---" - [ -n "${set_elements}" ] && printf "%s\n" "${set_elements}" || printf " %s\n" "empty set" + [ -n "${set_elements}" ] && printf "%s\n" "${set_elements}" || printf " %s\n" "empty Set" } -# send status mails +# send status mail # f_mail() { local msmtp_debug 
@@ -1313,19 +1314,16 @@ f_mail() { if [ -r "${ban_mailtemplate}" ]; then . "${ban_mailtemplate}" else - f_log "info" "the mail template is missing" + f_log "info" "no mail template" fi - [ -z "${mail_text}" ] && f_log "info" "the 'mail_text' template variable is empty" + [ -z "${mail_text}" ] && f_log "info" "no mail content" [ "${ban_debug}" = "1" ] && msmtp_debug="--debug" # send mail # ban_mailhead="From: ${ban_mailsender}\nTo: ${ban_mailreceiver}\nSubject: ${ban_mailtopic}\nReply-to: ${ban_mailsender}\nMime-Version: 1.0\nContent-Type: text/html;charset=utf-8\nContent-Disposition: inline\n\n" - if printf "%b" "${ban_mailhead}${mail_text}" | "${ban_mailcmd}" --timeout=10 ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1; then - f_log "info" "status mail was sent successfully" - else - f_log "info" "failed to send status mail (${?})" - fi + printf "%b" "${ban_mailhead}${mail_text}" | "${ban_mailcmd}" --timeout=10 ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1 + f_log "info" "send status mail (${?})" f_log "debug" "f_mail ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}" } 
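Review bot: The rewritten send path in f_mail reports the wrong status in its debug line: `rc: ${?}` on the last line is evaluated after the preceding `f_log "info"` call, so it records f_log's exit code rather than msmtp's, and the info line itself gives operators only a bare number where the removed if/else produced a readable success/failure message. Capture the pipeline status once and reuse it, e.g. `mail_rc="${?}"` directly after the `printf ... | "${ban_mailcmd}"` pipeline, then `f_log "info" "send status mail (${mail_rc})"` and `rc: ${mail_rc}` in the debug line. Note also that `ban_mailhead` is assembled from config values with `printf "%b"`, so a newline inside ban_mailtopic or ban_mailreceiver would inject extra headers — presumably these come only from the admin's uci config, but it is worth a comment: `# header values are taken verbatim from uci; must not contain newlines`.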
@@ -1345,8 +1343,7 @@ fi # f_system if [ "${ban_action}" != "stop" ]; then - [ ! -d "/etc/banip" ] && f_log "err" "banIP config directory not found, please re-install the package" - [ ! -r "/etc/banip/banip.feeds" ] && f_log "err" "banIP feed file not found, please re-install the package" - [ ! -r "/etc/config/banip" ] && f_log "err" "banIP config not found, please re-install the package" - [ "$(uci_get banip global ban_enabled)" = "0" ] && f_log "err" "banIP is currently disabled, please set the config option 'ban_enabled' to '1' to use this service" + [ ! -d "/etc/banip" ] && f_log "err" "no banIP config directory" + [ ! -r "/etc/config/banip" ] && f_log "err" "no banIP config" + [ "$(uci_get banip global ban_enabled)" = "0" ] && f_log "err" "banIP is disabled" fi diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh index f70f5723f..aadeae380 100755 --- a/net/banip/files/banip-service.sh +++ b/net/banip/files/banip-service.sh @@ -1,5 +1,5 @@ #!/bin/sh -# banIP main service script - ban incoming and outgoing ip addresses/subnets via Sets in nftables +# banIP main service script - ban incoming and outgoing IPs via named nftables Sets # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. @@ -36,10 +36,10 @@ if [ "${ban_action}" != "reload" ]; then sleep 1 done if ! /etc/init.d/firewall status >/dev/null 2>&1; then - f_log "err" "nft based firewall/fw4 not functional" + f_log "err" "error in nft based firewall/fw4" fi else - f_log "err" "nft based firewall/fw4 not found" + f_log "err" "no nft based firewall/fw4" fi fi 
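Review bot: The fail-fast check for the package-shipped feed file is dropped here while the sibling checks for the config directory and the uci config are kept, and nothing in the patch replaces it. From the f_getfeed hunk earlier in this patch, a missing /etc/banip/banip.feeds is only reported as an error when no custom feed file loads; when a custom feed file is present the main feed file is never opened, and any configured feed that is absent from the custom file is then treated as "unknown" and removed from uci (the `uci_remove_list` branch in banip-service.sh), so a lost feed file turns into silent config pruning instead of an abort. Keeping the guard in the new terse style costs one line: `[ ! -r "/etc/banip/banip.feeds" ] && f_log "err" "no banIP feed file"`. Whether f_log "err" actually terminates the script is not visible in this patch.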
@@ -47,9 +47,9 @@ fi # if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then if f_nftinit "${ban_tmpfile}".init.nft; then - f_log "info" "nft namespace initialized" + f_log "info" "initialize nft namespace" else - f_log "err" "nft namespace can't be initialized" + f_log "err" "can't initialize nft namespace" fi fi @@ -83,7 +83,7 @@ for feed in allowlist ${ban_feed} blocklist; do # external feeds # if ! json_select "${feed}" >/dev/null 2>&1; then - f_log "info" "unknown feed '${feed}' will be removed" + f_log "info" "remove unknown feed '${feed}'" uci_remove_list banip global ban_feed "${feed}" uci_commit "banip" continue @@ -99,7 +99,7 @@ for feed in allowlist ${ban_feed} blocklist; do if { { [ -n "${feed_url_4}" ] && [ -z "${feed_rule_4}" ]; } || { [ -z "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; }; } || { { [ -n "${feed_url_6}" ] && [ -z "${feed_rule_6}" ]; } || { [ -z "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; }; } || { [ -z "${feed_url_4}" ] && [ -z "${feed_rule_4}" ] && [ -z "${feed_url_6}" ] && [ -z "${feed_rule_6}" ]; }; then - f_log "info" "incomplete feed '${feed}' will be skipped" + f_log "info" "skip incomplete feed '${feed}'" continue fi @@ -138,7 +138,6 @@ wait f_rmset f_rmdir "${ban_tmpdir}" f_genstatus "active" -f_log "info" "finish banIP download processes" # start domain lookup # 
@@ -191,15 +190,15 @@ if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimi [ -n "${ip}" ] && proto="v6" fi if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then - f_log "info" "suspicious IP${proto} found '${ip}'" + f_log "info" "suspicious IP${proto} '${ip}'" log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)" log_count="$(printf "%s\n" "${log_raw}" | grep -c "found '${ip}'")" if [ "${log_count}" -ge "${ban_logcount}" ]; then if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then - f_log "info" "added IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set" + f_log "info" "add IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set" if [ "${ban_autoblocklist}" = "1" ] && ! grep -q "^${ip}" "${ban_blocklist}"; then printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}" - f_log "info" "added IP${proto} '${ip}' to local blocklist" + f_log "info" "add IP${proto} '${ip}' to local blocklist" fi fi fi diff --git a/net/banip/files/banip.init b/net/banip/files/banip.init index 891dee4eb..db584e2e2 100755 --- a/net/banip/files/banip.init +++ b/net/banip/files/banip.init @@ -1,5 +1,5 @@ #!/bin/sh /etc/rc.common -# banIP init script - ban incoming and outgoing ip adresses/subnets via sets in nftables +# banIP init script - ban incoming and outgoing IPs via named nftables Sets # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. 
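Review bot: Shortening the log message to `suspicious IP${proto} '${ip}'` breaks the repeat-offender counter two lines below it: `log_count` is derived from `grep -c "found '${ip}'"` over the logread output, and the new message no longer contains the word "found", so unless some other component logs that exact string the count stays at 0, `ban_logcount` is never reached, and the auto-blocklist branch becomes unreachable. Either keep the original wording, `f_log "info" "suspicious IP${proto} found '${ip}'"`, or align the grep with the new text using a fixed-string match so the dots in the address are literal: `log_count="$(printf "%s\n" "${log_raw}" | grep -cF "suspicious IP${proto} '${ip}'")"`. The same fixed-string/anchoring concern applies to the unchanged `grep -q "^${ip}" "${ban_blocklist}"` check, where `10.0.0.1` also matches `10.0.0.10`. The enclosing log-monitor loop starts before this hunk.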
@@ -9,9 +9,9 @@ START=30 USE_PROCD=1 -extra_command "report" "[text|json|mail] Print banIP related set statistics" -extra_command "search" "[|] Check if an element exists in a banIP set" -extra_command "survey" "[] List all elements of a given banIP set" +extra_command "report" "[text|json|mail] Print banIP related Set statistics" +extra_command "search" "[|] Check if an element exists in a banIP Set" +extra_command "survey" "[] List all elements of a given banIP Set" extra_command "lookup" "Lookup the IPs of domain names in the local lists and update them" ban_init="/etc/init.d/banip" @@ -45,7 +45,7 @@ start_service() { procd_close_instance else [ -z "$(command -v "f_system")" ] && . "${ban_funlib}" - f_log "err" "banIP service autostart is currently disabled, please enable the service autostart with '/etc/init.d/banip enable'" + f_log "err" "banIP service autostart is disabled" rm -rf "${ban_lock}" fi } diff --git a/net/banip/files/banip.tpl b/net/banip/files/banip.tpl index f6bd5214c..df5c7e8a1 100644 --- a/net/banip/files/banip.tpl +++ b/net/banip/files/banip.tpl @@ -1,5 +1,5 @@ -# banIP mail template/include -# Copyright (c) 2020-2023 Dirk Brenken (dev@brenken.org) +# banIP mail template/include - ban incoming and outgoing IPs via named nftables Sets +# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. # info preparation From b2ec3ff76d0767ed04c9c18a295808f7b78ce5bf Mon Sep 17 00:00:00 2001 From: Glen Huang Date: Thu, 4 May 2023 17:27:52 +0800 Subject: [PATCH 38/49] uwsgi: make LuCI work LuCI is no longer powered by lua, but ucode Signed-off-by: Glen Huang --- net/uwsgi/Makefile | 2 +- net/uwsgi/files-luci-support/luci-cgi_io.ini | 2 +- net/uwsgi/files-luci-support/luci-webui.ini | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/net/uwsgi/Makefile b/net/uwsgi/Makefile index 9f4592542..d27b9ff04 100644 --- a/net/uwsgi/Makefile +++ b/net/uwsgi/Makefile 
@@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=uwsgi PKG_VERSION:=2.0.20 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PYPI_NAME:=uwsgi PKG_HASH:=88ab9867d8973d8ae84719cf233b7dafc54326fcaec89683c3f9f77c002cdff9 diff --git a/net/uwsgi/files-luci-support/luci-cgi_io.ini b/net/uwsgi/files-luci-support/luci-cgi_io.ini index 98e54f2bc..8b3cdcf29 100644 --- a/net/uwsgi/files-luci-support/luci-cgi_io.ini +++ b/net/uwsgi/files-luci-support/luci-cgi_io.ini @@ -8,7 +8,7 @@ end-if = plugin = cgi cgi-mode = true cgi = /www/ -chdir = /usr/lib/lua/luci/ +chdir = /usr/lib/ucode/luci/ buffer-size = 10000 reload-mercy = 8 max-requests = 2000 diff --git a/net/uwsgi/files-luci-support/luci-webui.ini b/net/uwsgi/files-luci-support/luci-webui.ini index eb984b312..6c1e7a625 100644 --- a/net/uwsgi/files-luci-support/luci-webui.ini +++ b/net/uwsgi/files-luci-support/luci-webui.ini @@ -8,7 +8,7 @@ end-if = plugin = cgi cgi-mode = true cgi = /www/ -chdir = /usr/lib/lua/luci/ +chdir = /usr/lib/ucode/luci/ buffer-size = 10000 reload-mercy = 8 max-requests = 2000 From 7960fd83ac0c31e221146b0576815ecb784ee5a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20H=C3=B6gberg?= Date: Thu, 4 May 2023 09:25:57 +0200 Subject: [PATCH 39/49] rtl_433: update to 22.11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Robert Högberg --- utils/rtl_433/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utils/rtl_433/Makefile b/utils/rtl_433/Makefile index 5a2d3d492..bafc75e71 100644 --- a/utils/rtl_433/Makefile +++ b/utils/rtl_433/Makefile 
@@ -7,12 +7,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=rtl_433 -PKG_VERSION:=21.12 +PKG_VERSION:=22.11 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/merbanan/rtl_433/tar.gz/$(PKG_VERSION)? -PKG_HASH:=b362ef3410adec64aee7ad8e6d4d74875f1b3d59ef6fb4856e96adc03876dc65 +PKG_HASH:=61a9163d69cc4b1da46aebbcaf969bd180a055a6b90f42ad281218cc4fbefb86 PKG_MAINTAINER:=Jasper Scholte PKG_LICENSE:=GPL-2.0-or-later From 8c704f2cccc3a6e0796f2a0c1d9747d8255971a8 Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Fri, 5 May 2023 14:29:16 +0200 Subject: [PATCH 40/49] nginx: fix compilation error for nginx-full Fix compilation error for stream module not converted to use the PACKAGE config flag and a missing required dependency for the DAV ext module. Drop additional config for STREAM module since they are now included and built by default. Fixes: 65a676ed56fb ("nginx: introduce support for dynamic modules") Fixes: #20906 Signed-off-by: Christian Marangi --- net/nginx/Config_ssl.in | 23 ----------------------- net/nginx/Makefile | 10 +++------- 2 files changed, 3 insertions(+), 30 deletions(-) diff --git a/net/nginx/Config_ssl.in b/net/nginx/Config_ssl.in index a0daac31e..fbfb64ae7 100644 --- a/net/nginx/Config_ssl.in +++ b/net/nginx/Config_ssl.in 
@@ -195,27 +195,4 @@ config NGINX_HTTP_SUB prompt "Enable HTTP sub module" default n -config NGINX_STREAM_CORE_MODULE - bool - prompt "Enable stream support" - help - Add support for NGINX request streaming. - default n - -config NGINX_STREAM_SSL_MODULE - bool - prompt "Enable stream support with SSL/TLS termination" - depends on NGINX_STREAM_CORE_MODULE - help - Add support for NGINX request streaming with SSL/TLS termination. - default n - -config NGINX_STREAM_SSL_PREREAD_MODULE - bool - prompt "Enable stream support with SSL/TLS pre-read" - depends on NGINX_STREAM_CORE_MODULE - help - Add support for NGINX request streaming using information from the ClientHello message without terminating SSL/TLS. - default n - endmenu diff --git a/net/nginx/Makefile b/net/nginx/Makefile index fe8462d69..16767efdd 100644 --- a/net/nginx/Makefile +++ b/net/nginx/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nginx PKG_VERSION:=1.24.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://nginx.org/download/ @@ -62,9 +62,6 @@ PKG_CONFIG_DEPENDS := \ CONFIG_NGINX_PCRE \ CONFIG_NGINX_HTTP_REAL_IP \ CONFIG_NGINX_HTTP_SECURE_LINK \ - CONFIG_NGINX_STREAM_CORE_MODULE \ - CONFIG_NGINX_STREAM_SSL_MODULE \ - CONFIG_NGINX_STREAM_SSL_PREREAD_MODULE \ CONFIG_OPENSSL_ENGINE \ CONFIG_OPENSSL_WITH_NPN @@ -257,7 +254,6 @@ else --with-http_dav_module \ --with-http_auth_request_module --with-http_v2_module --with-http_realip_module \ --with-http_secure_link_module --with-http_sub_module \ - --with-stream_ssl_module --with-stream_ssl_preread_module \ config_files += koi-utf koi-win win-utf fastcgi_params uwsgi_params endif 
@@ -270,7 +266,7 @@ endif ifneq ($(CONFIG_PACKAGE_nginx-mod-dav-ext),) ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module endif -ifneq ($(CONFIG_NGINX_STREAM_CORE_MODULE),) +ifneq ($(CONFIG_PACKAGE_nginx-mod-stream),) ADDITIONAL_MODULES += --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module endif ifneq ($(CONFIG_PACKAGE_nginx-mod-ubus),) @@ -382,7 +378,7 @@ endef $(eval $(call module,lua, +luajit,ngx_http_lua, Enable Lua module)) $(eval $(call module,stream, +@NGINX_STREAM_CORE_MODULE,ngx_stream, Add support for NGINX request streaming.)) $(eval $(call module,ubus, +libubus +libjson-c +libblobmsg-json +@NGINX_UBUS,ngx_http_ubus, Enable UBUS api support directly from the server.)) -$(eval $(call module,dav-ext, +@NGINX_DAV,ngx_http_dav_ext, Enable the WebDAV methods PROPFIND OPTIONS LOCK UNLOCK.)) +$(eval $(call module,dav-ext, +@NGINX_DAV +libxml2,ngx_http_dav_ext, Enable the WebDAV methods PROPFIND OPTIONS LOCK UNLOCK.)) $(eval $(call module,headers-more,,ngx_http_headers_more_filter, Set and clear input and output headers...more than "add"!)) $(eval $(call module,rtmp,,ngx_rtmp, Add support for NGINX-based Media Streaming Server module. \ DASH enhanced - https://github.com/ut0mt8/nginx-rtmp-module)) From 8f8444c12a74139149e6643654c89737f9231bd6 Mon Sep 17 00:00:00 2001 From: Hannu Nyman Date: Sat, 6 May 2023 11:46:49 +0300 Subject: [PATCH 41/49] gperf: remove - moved to OpenWrt main repo Remove gperf that was moved into the main OpenWrt repo. Commit in OpenWrt: 2070a2ca27bdb2b1e4e1587274e192e42f247516 Signed-off-by: Hannu Nyman --- libs/gperf/Makefile | 47 ------------------- .../gperf/patches/100-include_own_first.patch | 26 ---------- 2 files changed, 73 deletions(-) delete mode 100644 libs/gperf/Makefile delete mode 100644 libs/gperf/patches/100-include_own_first.patch diff --git a/libs/gperf/Makefile b/libs/gperf/Makefile deleted file mode 100644 index 5035895c4..000000000 
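Review bot: The unchanged context line `$(eval $(call module,stream, +@NGINX_STREAM_CORE_MODULE,ngx_stream, ...))` still selects NGINX_STREAM_CORE_MODULE, but this same patch deletes that symbol from Config_ssl.in and removes the CONFIG_NGINX_STREAM_* entries from PKG_CONFIG_DEPENDS, so nginx-mod-stream now carries a `+@` select on a config symbol that is defined nowhere. Since the stream build flags are keyed on CONFIG_PACKAGE_nginx-mod-stream in the hunk above, the selector has no remaining purpose and should go: `$(eval $(call module,stream,,ngx_stream, Add support for NGINX request streaming.))`, matching the empty-dependency form already used for headers-more and rtmp. Whether a dangling select is rejected or silently ignored by the menuconfig generation cannot be determined from this patch; either way it is dead.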
--- a/libs/gperf/Makefile +++ /dev/null @@ -1,47 +0,0 @@ -# -# Copyright (C) 2006-2017 OpenWrt.org -# -# This is free software, licensed under the GNU General Public License v2. -# See /LICENSE for more information. -# - -include $(TOPDIR)/rules.mk - -PKG_NAME:=gperf -PKG_VERSION:=3.1 -PKG_RELEASE:=1 -PKG_HASH:=588546b945bba4b70b6a3a616e80b4ab466e3f33024a352fc2198112cdbb3ae2 - -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=@GNU/gperf -PKG_HOST_ONLY=1 - -PKG_MAINTAINER:=Espen Jürgensen -PKG_LICENSE:=GPL-3.0 -PKG_LICENSE_FILES:=COPYING - -include $(INCLUDE_DIR)/host-build.mk -include $(INCLUDE_DIR)/package.mk - -define Package/gperf - SECTION:=libs - CATEGORY:=Libraries - TITLE:=GNU gperf - BUILDONLY:=1 - URL:=http://www.gnu.org/software/gperf -endef - -define Package/gperf/description - GNU gperf is a perfect hash function generator. For a given list of strings, it - produces a hash function and hash table, in form of C or C++ code, for looking - up a value depending on the input string. The hash function is perfect, which - means that the hash table has no collisions, and the hash table lookup needs a - single string comparison only. -endef - -define Host/Install - $(MAKE) -C $(HOST_BUILD_DIR) install -endef - -$(eval $(call HostBuild)) -$(eval $(call BuildPackage,gperf)) diff --git a/libs/gperf/patches/100-include_own_first.patch b/libs/gperf/patches/100-include_own_first.patch deleted file mode 100644 index 6936f35db..000000000 --- a/libs/gperf/patches/100-include_own_first.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -diff --git a/lib/Makefile.in b/lib/Makefile.in -index 29bbf92..cf2bf3c 100644 ---- a/lib/Makefile.in -+++ b/lib/Makefile.in -@@ -61,7 +61,7 @@ SHELL = /bin/sh - VPATH = $(srcdir) - - OBJECTS = getopt.$(OBJEXT) getopt1.$(OBJEXT) getline.$(OBJEXT) hash.$(OBJEXT) --CPPFLAGS = @CPPFLAGS@ -I$(srcdir) -+CPPFLAGS = -I$(srcdir) @CPPFLAGS@ - - TARGETLIB = libgp.a - -diff --git a/src/Makefile.in b/src/Makefile.in -index 6866ffd..bd4df14 100644 ---- a/src/Makefile.in -+++ b/src/Makefile.in -@@ -64,7 +64,7 @@ VPATH = $(srcdir) - OBJECTS = version.$(OBJEXT) positions.$(OBJEXT) options.$(OBJEXT) keyword.$(OBJEXT) keyword-list.$(OBJEXT) \ - input.$(OBJEXT) bool-array.$(OBJEXT) hash-table.$(OBJEXT) search.$(OBJEXT) output.$(OBJEXT) main.$(OBJEXT) - LIBS = ../lib/libgp.a @GPERF_LIBM@ --CPPFLAGS = @CPPFLAGS@ -I. -I$(srcdir)/../lib -+CPPFLAGS = -I. -I$(srcdir)/../lib @CPPFLAGS@ - - TARGETPROG = gperf$(EXEEXT) - From 5f58aa7a4efcb15e8c7e6ae293218dc9f8103e43 Mon Sep 17 00:00:00 2001 From: Hannu Nyman Date: Sat, 6 May 2023 11:48:26 +0300 Subject: [PATCH 42/49] libxml2: remove - moved to OpenWrt main repo Remove libxml2 that was moved into the main OpenWrt repo. Commit in OpenWrt: 9b0b46985c112c664354dc745d8cfb313166744b Signed-off-by: Hannu Nyman --- libs/libxml2/Makefile | 214 --------------------------- libs/libxml2/patches/010-iconv.patch | 12 -- 2 files changed, 226 deletions(-) delete mode 100644 libs/libxml2/Makefile delete mode 100644 libs/libxml2/patches/010-iconv.patch diff --git a/libs/libxml2/Makefile b/libs/libxml2/Makefile deleted file mode 100644 index a726e78cc..000000000 --- a/libs/libxml2/Makefile +++ /dev/null 
@@ -1,214 +0,0 @@ -# -# Copyright (C) 2006-2016 OpenWrt.org -# -# This is free software, licensed under the GNU General Public License v2. -# See /LICENSE for more information. -# - -include $(TOPDIR)/rules.mk - -PKG_NAME:=libxml2 -PKG_VERSION:=2.10.3 -PKG_RELEASE:=2 - -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_SOURCE_URL:=@GNOME/libxml2/$(basename $(PKG_VERSION)) -PKG_HASH:=5d2cc3d78bec3dbe212a9d7fa629ada25a7da928af432c93060ff5c17ee28a9c - -PKG_MAINTAINER:=Michael Heimpold -PKG_LICENSE:=MIT -PKG_LICENSE_FILES:=COPYING -PKG_CPE_ID:=cpe:/a:xmlsoft:libxml2 - -include $(INCLUDE_DIR)/host-build.mk -include $(INCLUDE_DIR)/package.mk -include $(INCLUDE_DIR)/cmake.mk -include $(INCLUDE_DIR)/nls.mk - -define Package/libxml2 - SECTION:=libs - CATEGORY:=Libraries - TITLE:=Gnome XML library - URL:=http://xmlsoft.org/ - DEPENDS:=+libpthread +zlib $(ICONV_DEPENDS) -endef - -define Package/libxml2/description - A library for manipulating XML and HTML resources. -endef - -define Package/libxml2-dev - SECTION:=devel - CATEGORY:=Development - SUBMENU:=Libraries - TITLE:=Development files for libxml2 - URL:=http://xmlsoft.org/ - DEPENDS:=+libxml2 -endef - -define Package/libxml2-dev/description - A library for manipulating XML and HTML resources. - - This package contains the headers and xml2-config binary. -endef - -define Package/libxml2-utils - SECTION:=utils - CATEGORY:=Utilities - TITLE:=XML command line utilities (xmllint...) - URL:=http://xmlsoft.org/ - DEPENDS:=+libxml2 -endef - -define Package/libxml2-utils/description - This package contains the binaries xmllint and xmlcatalog - from libxml2, a library for manipulating XML and HTML resources. 
-endef - -CMAKE_HOST_OPTIONS += \ - -DBUILD_SHARED_LIBS=OFF \ - -DLIBXML2_WITH_C14N=ON \ - -DLIBXML2_WITH_CATALOG=OFF \ - -DLIBXML2_WITH_DEBUG=ON \ - -DLIBXML2_WITH_FTP=OFF \ - -DLIBXML2_WITH_HTML=ON \ - -DLIBXML2_WITH_HTTP=OFF \ - -DLIBXML2_WITH_ICONV=ON \ - -DLIBXML2_WITH_ICU=OFF \ - -DLIBXML2_WITH_ISO8859X=OFF \ - -DLIBXML2_WITH_LEGACY=OFF \ - -DLIBXML2_WITH_LZMA=OFF \ - -DLIBXML2_WITH_MEM_DEBUG=OFF \ - -DLIBXML2_WITH_MODULES=OFF \ - -DLIBXML2_WITH_OUTPUT=ON \ - -DLIBXML2_WITH_PATTERN=ON \ - -DLIBXML2_WITH_PROGRAMS=OFF \ - -DLIBXML2_WITH_PUSH=ON \ - -DLIBXML2_WITH_PYTHON=OFF \ - -DLIBXML2_WITH_READER=ON \ - -DLIBXML2_WITH_REGEXPS=ON \ - -DLIBXML2_WITH_RUN_DEBUG=OFF \ - -DLIBXML2_WITH_SAX1=ON \ - -DLIBXML2_WITH_SCHEMAS=ON \ - -DLIBXML2_WITH_SCHEMATRON=OFF \ - -DLIBXML2_WITH_TESTS=OFF \ - -DLIBXML2_WITH_THREADS=ON \ - -DLIBXML2_WITH_THREAD_ALLOC=OFF \ - -DLIBXML2_WITH_TREE=ON \ - -DLIBXML2_WITH_VALID=ON \ - -DLIBXML2_WITH_WRITER=ON \ - -DLIBXML2_WITH_XINCLUDE=ON \ - -DLIBXML2_WITH_XPATH=ON \ - -DLIBXML2_WITH_XPTR=ON \ - -DLIBXML2_WITH_XPTR_LOCS=ON \ - -DLIBXML2_WITH_ZLIB=ON - -CMAKE_OPTIONS += \ - -DBUILD_SHARED_LIBS=ON \ - -DLIBXML2_WITH_C14N=ON \ - -DLIBXML2_WITH_CATALOG=OFF \ - -DLIBXML2_WITH_DEBUG=ON \ - -DLIBXML2_WITH_FTP=OFF \ - -DLIBXML2_WITH_HTML=ON \ - -DLIBXML2_WITH_HTTP=OFF \ - -DLIBXML2_WITH_ICONV=ON \ - -DLIBXML2_WITH_ICU=OFF \ - -DLIBXML2_WITH_ISO8859X=OFF \ - -DLIBXML2_WITH_LEGACY=OFF \ - -DLIBXML2_WITH_LZMA=OFF \ - -DLIBXML2_WITH_MEM_DEBUG=OFF \ - -DLIBXML2_WITH_MODULES=OFF \ - -DLIBXML2_WITH_OUTPUT=ON \ - -DLIBXML2_WITH_PATTERN=ON \ - -DLIBXML2_WITH_PROGRAMS=ON \ - -DLIBXML2_WITH_PUSH=ON \ - -DLIBXML2_WITH_PYTHON=OFF \ - -DLIBXML2_WITH_READER=ON \ - -DLIBXML2_WITH_REGEXPS=ON \ - -DLIBXML2_WITH_RUN_DEBUG=OFF \ - -DLIBXML2_WITH_SAX1=ON \ - -DLIBXML2_WITH_SCHEMAS=ON \ - -DLIBXML2_WITH_SCHEMATRON=OFF \ - -DLIBXML2_WITH_TESTS=OFF \ - -DLIBXML2_WITH_THREADS=ON \ - -DLIBXML2_WITH_THREAD_ALLOC=OFF \ - -DLIBXML2_WITH_TREE=ON \ - -DLIBXML2_WITH_VALID=ON \ - 
-DLIBXML2_WITH_WRITER=ON \ - -DLIBXML2_WITH_XINCLUDE=ON \ - -DLIBXML2_WITH_XPATH=ON \ - -DLIBXML2_WITH_XPTR=ON \ - -DLIBXML2_WITH_XPTR_LOCS=ON \ - -DLIBXML2_WITH_ZLIB=ON \ - -DHAVE_LIBHISTORY=OFF \ - -DHAVE_LIBREADLINE=OFF - -define Build/InstallDev - $(INSTALL_DIR) $(2)/bin - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/xml2-config \ - $(2)/bin/$(GNU_TARGET_NAME)-xml2-config - $(SED) 's,^\(prefix\|exec_prefix\)=.*,\1=$(STAGING_DIR)/usr,g' \ - $(2)/bin/$(GNU_TARGET_NAME)-xml2-config - $(LN) $(GNU_TARGET_NAME)-xml2-config $(2)/bin/xml2-config - - $(INSTALL_DIR) $(1)/usr/bin - $(CP) $(PKG_INSTALL_DIR)/usr/bin/xmlcatalog $(1)/usr/bin/ - $(CP) $(PKG_INSTALL_DIR)/usr/bin/xmllint $(1)/usr/bin/ - - $(INSTALL_DIR) $(1)/usr/include - $(CP) $(PKG_INSTALL_DIR)/usr/include/libxml2 $(1)/usr/include/ - - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxml2.so* $(1)/usr/lib/ - - $(INSTALL_DIR) $(1)/usr/lib/cmake/libxml2 - $(CP) $(PKG_INSTALL_DIR)/usr/lib/cmake/libxml2-$(PKG_VERSION)/*.cmake \ - $(1)/usr/lib/cmake/libxml2 - - $(INSTALL_DIR) $(1)/usr/lib/pkgconfig - $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libxml-2.0.pc $(1)/usr/lib/pkgconfig/ - - $(INSTALL_DIR) $(2)/share/aclocal/ - $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/share/aclocal/* $(2)/share/aclocal -endef - -define Host/Install - $(call Host/Install/Default) - mv $(1)/bin/xml2-config $(1)/bin/$(GNU_HOST_NAME)-xml2-config - $(LN) $(GNU_HOST_NAME)-xml2-config $(1)/bin/xml2-config -endef - -define Package/libxml2/install - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxml2.so.* $(1)/usr/lib/ -endef - -define Package/libxml2-dev/install - $(INSTALL_DIR) $(1)/usr/bin - $(CP) $(PKG_INSTALL_DIR)/usr/bin/xml2-config $(1)/usr/bin/ - $(SED) "s,$(STAGING_DIR),,g" $(1)/usr/bin/xml2-config - - $(INSTALL_DIR) $(1)/usr/include/ - $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/ - - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxml2.so $(1)/usr/lib/ - - 
$(INSTALL_DIR) $(1)/usr/lib/{cmake,pkgconfig} - $(CP) $(PKG_INSTALL_DIR)/usr/lib/{cmake,pkgconfig} $(1)/usr/lib/ - $(SED) "s,$(STAGING_DIR),,g" $(1)/usr/lib/pkgconfig/*.pc - - $(INSTALL_DIR) $(1)/usr/share/aclocal - $(CP) $(PKG_INSTALL_DIR)/usr/share/aclocal/* $(1)/usr/share/aclocal -endef - -define Package/libxml2-utils/install - $(INSTALL_DIR) $(1)/usr/bin - $(CP) $(PKG_INSTALL_DIR)/usr/bin/xmllint $(1)/usr/bin/ - $(CP) $(PKG_INSTALL_DIR)/usr/bin/xmlcatalog $(1)/usr/bin/ -endef - -$(eval $(call HostBuild)) -$(eval $(call BuildPackage,libxml2)) -$(eval $(call BuildPackage,libxml2-dev)) -$(eval $(call BuildPackage,libxml2-utils)) diff --git a/libs/libxml2/patches/010-iconv.patch b/libs/libxml2/patches/010-iconv.patch deleted file mode 100644 index e35b7ce93..000000000 --- a/libs/libxml2/patches/010-iconv.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -496,6 +496,9 @@ if(LIBXML2_WITH_PROGRAMS) - add_executable(LibXml2::${PROGRAM} ALIAS ${PROGRAM}) - target_compile_definitions(${PROGRAM} PRIVATE SYSCONFDIR="${CMAKE_INSTALL_FULL_SYSCONFDIR}") - target_link_libraries(${PROGRAM} LibXml2) -+ if(LIBXML2_WITH_ICONV AND NOT Iconv_IS_BUILT_IN) -+ target_link_libraries(${PROGRAM} iconv) -+ endif() - if(HAVE_LIBHISTORY) - target_link_libraries(${PROGRAM} history) - endif() From 7ac5f0a3d9505ee11393c6673d9ece663d8c1b60 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Sat, 6 May 2023 22:41:56 +0200 Subject: [PATCH 43/49] banip: release 0.8.5-1 * add support for external allowlist URLs to reference additional IPv4/IPv6 feeds, set 'ban_allowurl' accordingly * make download retries in case of an error configurable, set 'ban_fetchretry' accordingly (default 5) * small fixes * readme update * LuCI update (separate commit) 
Signed-off-by: Dirk Brenken --- net/banip/Makefile | 4 +- net/banip/files/README.md | 19 ++++--- net/banip/files/banip-functions.sh | 79 ++++++++++++++++++++---------- net/banip/files/banip.feeds | 2 +- 4 files changed, 67 insertions(+), 37 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index e29e10eaf..07bad2213 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=0.8.4 -PKG_RELEASE:=5 +PKG_VERSION:=0.8.5 +PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/README.md b/net/banip/files/README.md index 0a91b8290..ae5a4eedb 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md @@ -62,7 +62,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre * Supports nft atomic Set loading * Supports blocking by ASN numbers and by iso country codes * Supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names) -* Auto-add the uplink subnet to the local allowlist +* Auto-add the uplink subnet or uplink IP to the local allowlist * Provides a small background log monitor to ban unsuccessful login attempts in real-time * Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist * Fast feed processing as they are handled in parallel as background jobs @@ -79,6 +79,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre * Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup) * Procd network interface trigger support * Add new or edit existing banIP feeds on your own with the integrated custom feed editor +* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds ## Prerequisites * **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support 
@@ -168,6 +169,7 @@ Available commands: | ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 'doh' | | ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' | | ban_fetchparm | option | - / autodetect | set the config options for the selected download utility | +| ban_fetchretry | option | 5 | number of download attempts in case of an error (not supported by uclient-fetch) | | ban_fetchinsecure | option | 0 | don't check SSL server certificates during download | | ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails | | ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails | 
@@ -289,9 +291,10 @@ list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress=' **allow-/blocklist handling** banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist. -Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option. -Furthermore the uplink subnet will be added to local allowlist (see 'ban\_autoallowlist' option). -Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time. +Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban_nftexpiry' option. +Depending on the options 'ban_autoallowlist' and 'ban_autoallowuplink' the uplink subnet or the uplink IP will be added automatically to local allowlist. +Furthermore, you can reference external Allowlist URLs with additional IPv4 and IPv6 feeds (see 'ban_allowurl'). +Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time. **allowlist-only mode** banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked. 
@@ -317,12 +320,12 @@ nftables supports the atomic loading of firewall rules (incl. elements), which i **tweak the download options** By default banIP uses the following pre-configured download options: ``` - * aria2c: --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o - * curl: --connect-timeout 20 --fail --silent --show-error --location -o + * aria2c: --timeout=20 --retry-wait=10 --max-tries=5 --max-file-not-found=5 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o + * curl: --connect-timeout 20 --retry-delay 10 --retry 5 --retry-all-errors --fail --silent --show-error --location -o + * wget: --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=5 --retry-connrefused --max-redirect=0 -O * uclient-fetch: --timeout=20 -O - * wget: --no-cache --no-cookies --max-redirect=0 --timeout=20 -O ``` -To override the default set 'ban_fetchparm' manually to your needs. +To override the default set 'ban_fetchretry', 'ban_fetchinsecure' or globally 'ban_fetchparm' to your needs. **send E-Mail notifications via 'msmtp'** To use the email notification you must install & configure the package 'msmtp'. diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 7e882f244..85903d1de 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -30,6 +30,8 @@ ban_fw4cmd="$(command -v fw4)" ban_awkcmd="$(command -v awk)" ban_grepcmd="$(command -v grep)" ban_sedcmd="$(command -v sed)" +ban_catcmd="$(command -v cat)" +ban_zcatcmd="$(command -v zcat)" ban_lookupcmd="$(command -v nslookup)" ban_mailcmd="$(command -v msmtp)" ban_mailsender="no-reply@banIP" @@ -50,6 +52,7 @@ ban_asn="" ban_loginput="1" ban_logforwardwan="1" ban_logforwardlan="0" +ban_allowurl="" ban_allowlistonly="0" ban_autoallowlist="1" ban_autoallowuplink="subnet" 
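Review bot: `ban_catcmd` and `ban_zcatcmd` are resolved with `command -v` but the result is never checked, so on a system without `zcat` the variable is empty and every later `"${ban_zcatcmd}" ...` call in this commit fails with a confusing "not found" at feed-processing time instead of a clear error at startup. The neighbouring `ban_awkcmd`/`ban_grepcmd`/`ban_sedcmd` lines appear to have the same shape, whereas f_fetch in the hunk at `@@ -251,7 +258,7 @@` does verify `ban_fetchcmd` with `-x` and reports via `f_log "err"`, so a matching preflight for the two new variables, e.g. `[ -x "${ban_zcatcmd}" ] || f_log "err" "zcat not found"`, would be consistent with the file's existing checks. Where the other tool checks live is outside this hunk.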
@@ -69,6 +72,7 @@ ban_ifv6="" ban_dev="" ban_uplink="" ban_fetchinsecure="" +ban_fetchretry="5" ban_cores="" ban_memory="" ban_trigger="" @@ -197,7 +201,7 @@ f_log() { # load config # f_conf() { - unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn + unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_allowurl ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn config_cb() { option_cb() { local option="${1}" @@ -220,6 +224,9 @@ f_conf() { "ban_feed") eval "${option}=\"$(printf "%s" "${ban_feed}")${value} \"" ;; + "ban_allowurl") + eval "${option}=\"$(printf "%s" "${ban_allowurl}")${value} \"" + ;; "ban_blockinput") eval "${option}=\"$(printf "%s" "${ban_blockinput}")${value} \"" ;; @@ -251,7 +258,7 @@ f_conf() { f_fetch() { local item utils packages insecure - if [ -z "${ban_fetchcmd}" ] || [ ! -x "${ban_fetchcmd}" ]; then + if [ -z "${ban_fetchcmd}" ] || [ ! -x "$(command -v "${ban_fetchcmd}")" ]; then packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)" [ -z "${packages}" ] && f_log "err" "no local package repository" utils="aria2c curl wget uclient-fetch" 
@@ -267,16 +274,18 @@ f_fetch() { fi fi done + else + ban_fetchcmd="$(command -v "${ban_fetchcmd}")" fi [ ! -x "${ban_fetchcmd}" ] && f_log "err" "no download utility with SSL support" case "${ban_fetchcmd##*/}" in "aria2c") [ "${ban_fetchinsecure}" = "1" ] && insecure="--check-certificate=false" - ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o"}" + ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 --retry-wait=10 --max-tries=${ban_fetchretry} --max-file-not-found=${ban_fetchretry} --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o"}" ;; "curl") [ "${ban_fetchinsecure}" = "1" ] && insecure="--insecure" - ban_fetchparm="${ban_fetchparm:-"${insecure} --connect-timeout 20 --fail --silent --show-error --location -o"}" + ban_fetchparm="${ban_fetchparm:-"${insecure} --connect-timeout 20 --retry-delay 10 --retry ${ban_fetchretry} --retry-all-errors --fail --silent --show-error --location -o"}" ;; "uclient-fetch") [ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate" @@ -284,7 +293,7 @@ f_fetch() { ;; "wget") [ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate" - ban_fetchparm="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}" + ban_fetchparm="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=${ban_fetchretry} --retry-connrefused --max-redirect=0 -O"}" ;; esac @@ -296,7 +305,7 @@ f_fetch() { f_rmpid() { local ppid pid pids - ppid="$(cat "${ban_pidfile}" 2>/dev/null)" + ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" [ -n "${ppid}" ] && pids="$(pgrep -P "${ppid}" 2>/dev/null)" || return 0 for pid in ${pids}; do kill -INT "${pid}" >/dev/null 2>&1 
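Review bot: The new default parameter strings interpolate `${ban_fetchretry}` unquoted, so a config entry with an empty `ban_fetchretry` (which f_conf's option_cb presumably assigns verbatim) yields `--retry --retry-all-errors` for curl, `--tries=` for wget and `--max-tries=` for aria2c and breaks every download rather than falling back to the documented default of 5. A one-line guard before the `case`, `[ -n "${ban_fetchretry}" ] || ban_fetchretry="5"`, preserves the default. Separately, curl's `--retry-all-errors` only exists from curl 7.71.0, so if older curl builds are still in scope the curl default string should be gated on the version rather than assumed.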
@@ -314,7 +323,7 @@ f_actual() { else nft="$(f_char "0")" fi - if pgrep -f "logread" -P "$(cat "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then + if pgrep -f "logread" -P "$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then monitor="$(f_char "1")" else monitor="$(f_char "0")" @@ -468,7 +477,7 @@ f_getfeed() { f_getelements() { local file="${1}" - [ -s "${file}" ] && printf "%s" "elements={ $(cat "${file}" 2>/dev/null) };" + [ -s "${file}" ] && printf "%s" "elements={ $("${ban_catcmd}" "${file}" 2>/dev/null) };" } # build initial nft file with base table, chains and rules @@ -533,6 +542,7 @@ f_down() { tmp_file="${ban_tmpfile}.${feed}.file" tmp_flush="${ban_tmpfile}.${feed}.flush" tmp_nft="${ban_tmpfile}.${feed}.nft" + tmp_allow="${ban_tmpfile}.${feed%v*}" [ "${ban_loginput}" = "1" ] && log_input="log level ${ban_nftloglevel} prefix \"banIP/inp-wan/drp/${feed}: \"" [ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/drp/${feed}: \"" 
@@ -592,18 +602,33 @@ f_down() { feed_rc="${restore_rc}" fi - # handle local lists + # prepare local allowlist + # + if [ "${feed%v*}" = "allowlist" ] && [ ! -f "${tmp_allow}" ]; then + "${ban_catcmd}" "${ban_allowlist}" 2>/dev/null >"${tmp_allow}" + for feed_url in ${ban_allowurl}; do + feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}" 2>&1)" + feed_rc="${?}" + if [ "${feed_rc}" = "0" ] && [ -s "${tmp_load}" ]; then + "${ban_catcmd}" "${tmp_load}" 2>/dev/null >>"${tmp_allow}" + else + f_log "info" "download for feed '${feed%v*}' failed (rc: ${feed_rc:-"-"}/log: ${feed_log})" + fi + done + fi + + # handle local feeds # if [ "${feed%v*}" = "allowlist" ]; then { printf "%s\n\n" "#!/usr/sbin/nft -f" - [ -s "${tmp_flush}" ] && cat "${tmp_flush}" + [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" if [ "${proto}" = "MAC" ]; then - "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_allowlist}" >"${tmp_file}" + "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${tmp_allow}" >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept" elif [ "${proto}" = "4" ]; then - "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${ban_allowlist}" >"${tmp_file}" + "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${tmp_allow}" >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" if [ -z "${feed_direction##*input*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then 
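Review bot: Whatever an `ban_allowurl` feed returns is appended to `tmp_allow` and becomes allowlist input, so a spoofed or compromised allow URL exempts addresses from every banIP rule; the downstream awk filters only drop lines that are not IP/MAC-shaped, they do not establish provenance, and `ban_fetchinsecure=1` disables certificate checks for this same download. That trust boundary deserves a comment at the loop, e.g. `# remote allowlist feeds are trusted as-is: fetched entries directly exempt addresses, so only TLS-verified, trusted URLs belong in ban_allowurl`. The failure log on the `else` branch reports `${feed%v*}`, which is always `allowlist` here, so naming the URL would tell the operator which feed failed: `f_log "info" "download for allow url '${feed_url}' failed (rc: ${feed_rc:-"-"}/log: ${feed_log})"`. If allowlistv4 and allowlistv6 are processed as parallel background jobs, as the README hunk above says feeds are, the `[ ! -f "${tmp_allow}" ]` guard is not atomic and both jobs could build the file concurrently; the rest of f_down lies outside this hunk.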
@@ -627,7 +652,7 @@ f_down() { fi fi elif [ "${proto}" = "6" ]; then - "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_allowlist}" | + "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${tmp_allow}" | "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" if [ -z "${feed_direction##*input*}" ]; then @@ -657,7 +682,7 @@ f_down() { elif [ "${feed%v*}" = "blocklist" ]; then { printf "%s\n\n" "#!/usr/sbin/nft -f" - [ -s "${tmp_flush}" ] && cat "${tmp_flush}" + [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" if [ "${proto}" = "MAC" ]; then "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" @@ -667,7 +692,7 @@ f_down() { "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_raw}" "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}" "${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}" - cat "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" + "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" else "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_split}" fi 
@@ -682,7 +707,7 @@ f_down() { "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_raw}" "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}" "${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}" - cat "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" + "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" else "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_blocklist}" | "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_split}" @@ -695,7 +720,8 @@ f_down() { fi } >"${tmp_nft}" feed_rc="0" - # handle external downloads + + # handle external feeds # elif [ "${restore_rc}" != "0" ] && [ "${feed_url}" != "local" ]; then # handle country downloads @@ -704,7 +730,7 @@ f_down() { for country in ${ban_country}; do feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}${country}-aggregated.zone" 2>&1)" feed_rc="${?}" - [ "${feed_rc}" = "0" ] && cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}" + [ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}" done rm -f "${tmp_raw}" @@ -714,7 +740,7 @@ f_down() { for asn in ${ban_asn}; do feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}AS${asn}" 2>&1)" feed_rc="${?}" - [ "${feed_rc}" = "0" ] && cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}" + [ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}" done rm -f "${tmp_raw}" 
@@ -726,7 +752,7 @@ f_down() { feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>&1)" feed_rc="${?}" if [ "${feed_rc}" = "0" ]; then - zcat "${tmp_raw}" 2>/dev/null >"${tmp_load}" + "${ban_zcatcmd}" "${tmp_raw}" 2>/dev/null >"${tmp_load}" feed_rc="${?}" fi rm -f "${tmp_raw}" @@ -740,6 +766,7 @@ f_down() { feed_rc="${?}" fi fi + [ "${feed_rc}" != "0" ] && f_log "info" "download for feed '${feed}' failed (rc: ${feed_rc:-"-"}/log: ${feed_log})" # backup/restore # @@ -782,7 +809,7 @@ f_down() { # nft header (IPv4 Set) # printf "%s\n\n" "#!/usr/sbin/nft -f" - [ -s "${tmp_flush}" ] && cat "${tmp_flush}" + [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }" # input and forward rules @@ -796,7 +823,7 @@ f_down() { # nft header (IPv6 Set) # printf "%s\n\n" "#!/usr/sbin/nft -f" - [ -s "${tmp_flush}" ] && cat "${tmp_flush}" + [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }" # input and forward rules @@ -825,7 +852,7 @@ f_down() { rm -f "${split_file}" continue fi - if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $(cat "${split_file}") }" >/dev/null 2>&1; then + if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $("${ban_catcmd}" "${split_file}") }" >/dev/null 2>&1; then f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'" fi rm -f "${split_file}" 
@@ -864,7 +891,7 @@ f_restore() { [ "${feed_rc}" != "0" ] && restore_rc="${feed_rc}" [ "${feed_url}" = "local" ] && tmp_feed="${feed%v*}v4" || tmp_feed="${feed}" if [ -f "${ban_backupdir}/banIP.${tmp_feed}.gz" ]; then - zcat "${ban_backupdir}/banIP.${tmp_feed}.gz" 2>/dev/null >"${feed_file}" + "${ban_zcatcmd}" "${ban_backupdir}/banIP.${tmp_feed}.gz" 2>/dev/null >"${feed_file}" restore_rc="${?}" fi @@ -1234,10 +1261,10 @@ f_report() { # case "${output}" in "text") - [ -s "${report_txt}" ] && cat "${report_txt}" + [ -s "${report_txt}" ] && "${ban_catcmd}" "${report_txt}" ;; "json") - [ -s "${report_jsn}" ] && cat "${report_jsn}" + [ -s "${report_jsn}" ] && "${ban_catcmd}" "${report_jsn}" ;; "mail") [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ] && f_mail diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds index a5604fc3c..056582071 100644 --- a/net/banip/files/banip.feeds +++ b/net/banip/files/banip.feeds @@ -69,7 +69,7 @@ "url_6": "https://www.blocklist.de/downloads/export-ips_all.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", - "descr": "fail2ban IP blacklist" + "descr": "fail2ban IP blocklist" }, "doh":{ "url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt", From e042899ef97595eeffa3990fc29e0a2459873a1e Mon Sep 17 00:00:00 2001 From: Nick Peng Date: Sat, 6 May 2023 22:30:24 +0800 Subject: [PATCH 44/49] smartdns: bump to 1.2023.42 Signed-off-by: Nick Peng --- net/smartdns/Makefile | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/net/smartdns/Makefile b/net/smartdns/Makefile index 27373890e..9ce5466ec 100644 --- a/net/smartdns/Makefile +++ b/net/smartdns/Makefile 
@@ -1,18 +1,18 @@ # -# Copyright (c) 2018-2022 Nick Peng (pymumu@gmail.com) +# Copyright (c) 2018-2023 Nick Peng (pymumu@gmail.com) # This is free software, licensed under the GNU General Public License v3. # include $(TOPDIR)/rules.mk PKG_NAME:=smartdns -PKG_VERSION:=1.2022.38.1 +PKG_VERSION:=1.2023.42 PKG_RELEASE:=1 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://www.github.com/pymumu/smartdns.git -PKG_SOURCE_VERSION:=9bc857f628299573c7eca0833229d9812b1c1de4 -PKG_MIRROR_HASH:=a202b765e6ce8355335c80214819add3ed72a82426b033d7d5adf1448b415063 +PKG_SOURCE_VERSION:=ed102cda03c56e9c63040d33d4a391b56491493e +PKG_MIRROR_HASH:=366e98b92c3d22844ff5fc52c35f65c3b01e1b92fc9dc14c474823f0cc3ed11a PKG_MAINTAINER:=Nick Peng PKG_LICENSE:=GPL-3.0-or-later @@ -36,7 +36,7 @@ endef define Package/smartdns/description SmartDNS is a local DNS server which accepts DNS query requests from local network clients, gets DNS query results from multiple upstream DNS servers concurrently, and returns the fastest IP to clients. -Unlike dnsmasq's all-servers, smartdns returns the fastest IP. +Unlike dnsmasq's all-servers, smartdns returns the fastest IP, and encrypt DNS queries with DoT or DoH. endef define Package/smartdns/conffiles @@ -44,10 +44,13 @@ define Package/smartdns/conffiles /etc/smartdns/address.conf /etc/smartdns/blacklist-ip.conf /etc/smartdns/custom.conf +/etc/smartdns/domain-block.list +/etc/smartdns/domain-forwarding.list endef define Package/smartdns/install - $(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/config $(1)/etc/init.d $(1)/etc/smartdns + $(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/config $(1)/etc/init.d + $(INSTALL_DIR) $(1)/etc/smartdns $(1)/etc/smartdns/domain-set $(1)/etc/smartdns/conf.d/ $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/smartdns $(1)/usr/sbin/smartdns $(INSTALL_BIN) $(PKG_BUILD_DIR)/package/openwrt/files/etc/init.d/smartdns $(1)/etc/init.d/smartdns $(INSTALL_CONF) $(PKG_BUILD_DIR)/package/openwrt/address.conf $(1)/etc/smartdns/address.conf 
From 4bd7befa6aaa812701ed4e66bb0fd6cd847f5401 Mon Sep 17 00:00:00 2001 From: Tianling Shen Date: Sun, 7 May 2023 17:33:16 +0800 Subject: [PATCH 45/49] cloudflared: Update to 2023.5.0 Signed-off-by: Tianling Shen --- net/cloudflared/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/cloudflared/Makefile b/net/cloudflared/Makefile index 925045eba..fdb452a4a 100644 --- a/net/cloudflared/Makefile +++ b/net/cloudflared/Makefile @@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=cloudflared -PKG_VERSION:=2023.4.0 +PKG_VERSION:=2023.5.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/cloudflare/cloudflared/tar.gz/$(PKG_VERSION)? -PKG_HASH:=bdb9dea9e5f9bb6b66878bbd1243d8a57fc565ca946c5f9790c2f120400ffa9e +PKG_HASH:=38d72e35fbb894c43161ee7c6871c44d9771bc9a1f3bc54602baf66e69acefd3 PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE From 47ae88c3793e6ff950260785d84b81a8ad5d4918 Mon Sep 17 00:00:00 2001 From: Christian Lachner Date: Sun, 7 May 2023 10:34:39 +0200 Subject: [PATCH 46/49] haproxy: update to v2.6.13 - Update haproxy PKG_VERSION and PKG_HASH - See changes: http://git.haproxy.org/?p=haproxy-2.6.git;a=shortlog Signed-off-by: Christian Lachner --- net/haproxy/Makefile | 4 ++-- net/haproxy/get-latest-patches.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile index 17f893480..70b776f6a 100644 --- a/net/haproxy/Makefile +++ b/net/haproxy/Makefile @@ -10,12 +10,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=haproxy -PKG_VERSION:=2.6.12 +PKG_VERSION:=2.6.13 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.haproxy.org/download/2.6/src -PKG_HASH:=58f9edb26bf3288f4b502658399281cc5d6478468bd178eafe579c8f41895854 +PKG_HASH:=d69ff5233dbca657132ef280d111222ec1e33f5be1c1937d4e9ff516f63f5243 PKG_MAINTAINER:=Thomas Heil , \ Christian Lachner 
diff --git a/net/haproxy/get-latest-patches.sh b/net/haproxy/get-latest-patches.sh index c5f8c7031..2e312cc0a 100755 --- a/net/haproxy/get-latest-patches.sh +++ b/net/haproxy/get-latest-patches.sh @@ -1,7 +1,7 @@ #!/bin/sh CLONEURL=https://git.haproxy.org/git/haproxy-2.6.git -BASE_TAG=v2.6.12 +BASE_TAG=v2.6.13 TMP_REPODIR=tmprepo PATCHESDIR=patches From 1170831077456885518370bb865f59fb78e9b70a Mon Sep 17 00:00:00 2001 
From: Antonio Flores Date: Sat, 6 May 2023 23:53:46 -0400 Subject: [PATCH 47/49] gnutls: update to v3.8.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: https://github.com/openwrt/openwrt/issues/12542 The detailed list of changes follows: * Version 3.8.0 (released 2023-02-09) ** libgnutls: Fix a Bleichenbacher oracle in the TLS RSA key exchange. Reported by Hubert Kario (#1050). Fix developed by Alexander Sosedkin. [GNUTLS-SA-2020-07-14, CVSS: medium] [CVE-2023-0361] ** libgnutls: C++ library is now header only. All definitions from gnutlsxx.c have been moved into gnutlsxx.h. Users of the C++ interface have two options: 1. include gnutlsxx.h in their application and link against the C library. (default) 2. include gnutlsxx.h in their application, compile with GNUTLS_GNUTLSXX_NO_HEADERONLY macro defined and link against the C++ library. ** libgnutls: GNUTLS_NO_STATUS_REQUEST flag and %NO_STATUS_REQUEST priority modifier have been added to allow disabling of the status_request TLS extension in the client side. ** libgnutls: TLS heartbeat is disabled by default. The heartbeat extension in TLS (RFC 6520) is not widely used given other implementations dropped support for it. To enable back support for it, supply --enable-heartbeat-support to configure script. ** libgnutls: SRP authentication is now disabled by default. It is disabled because the SRP authentication in TLS is not up to date with the latest TLS standards and its ciphersuites are based on the CBC mode and SHA-1. To enable it back, supply --enable-srp-authentication option to configure script. ** libgnutls: All code has been indented using "indent -ppi1 -linux". CI/CD has been adjusted to catch regressions. This is implemented through devel/indent-gnutls, devel/indent-maybe and .gitlab-ci.yml’s commit-check. You may run devel/indent-gnutls to fix any indentation issues if you make code modifications. ** guile: Guile-bindings removed. 
They have been extracted into a separate project to reduce complexity and to simplify maintenance, see . ** minitasn1: Upgraded to libtasn1 version 4.19. ** API and ABI modifications: GNUTLS_NO_STATUS_REQUEST: New flag GNUTLS_SRTP_AEAD_AES_128_GCM: New gnutls_srtp_profile_t enum member GNUTLS_SRTP_AEAD_AES_256_GCM: New gnutls_srtp_profile_t enum member Signed-off-by: Antonio Flores --- libs/gnutls/Makefile | 8 ++++---- libs/gnutls/patches/010-m4.patch | 4 ++-- libs/gnutls/patches/020-dont-install-m4-files.patch | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/libs/gnutls/Makefile b/libs/gnutls/Makefile index 3246bb254..dc94591c2 100644 --- a/libs/gnutls/Makefile +++ b/libs/gnutls/Makefile @@ -6,13 +6,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=gnutls -PKG_VERSION:=3.7.8 -PKG_RELEASE:=2 +PKG_VERSION:=3.8.0 +PKG_RELEASE:=1 PKG_BUILD_FLAGS:=no-mips16 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_SOURCE_URL:=https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7 -PKG_HASH:=c58ad39af0670efe6a8aee5e3a8b2331a1200418b64b7c51977fb396d4617114 +PKG_SOURCE_URL:=https://www.gnupg.org/ftp/gcrypt/gnutls/v3.8 +PKG_HASH:=0ea0d11a1660a1e63f960f157b197abe6d0c8cb3255be24e1fb3815930b9bdc5 PKG_MAINTAINER:=Nikos Mavrogiannopoulos PKG_LICENSE:=LGPL-2.1-or-later diff --git a/libs/gnutls/patches/010-m4.patch b/libs/gnutls/patches/010-m4.patch index 59ce29ee2..ac66a71bb 100644 --- a/libs/gnutls/patches/010-m4.patch +++ b/libs/gnutls/patches/010-m4.patch @@ -62,12 +62,12 @@ [AC_COMPILE_IFELSE( --- a/src/gl/m4/gnulib-comp.m4 
+++ b/src/gl/m4/gnulib-comp.m4 -@@ -1188,7 +1188,7 @@ changequote([, ])dnl +@@ -1252,7 +1252,7 @@ changequote([, ])dnl gl_UNISTD_MODULE_INDICATOR([sleep]) AC_CHECK_DECLS_ONCE([alarm]) AC_REQUIRE([gt_TYPE_WCHAR_T]) - AC_REQUIRE([gt_TYPE_WINT_T]) + AC_REQUIRE([gt_TYPE_WINT_T_GNUTLS]) gl_FUNC_STRERROR_R - if test $HAVE_DECL_STRERROR_R = 0 || test $REPLACE_STRERROR_R = 1; then + AS_IF([test $HAVE_DECL_STRERROR_R = 0 || test $REPLACE_STRERROR_R = 1], [ AC_LIBOBJ([strerror_r]) diff --git a/libs/gnutls/patches/020-dont-install-m4-files.patch b/libs/gnutls/patches/020-dont-install-m4-files.patch index 28d5fc0ff..6caeabc48 100644 --- a/libs/gnutls/patches/020-dont-install-m4-files.patch +++ b/libs/gnutls/patches/020-dont-install-m4-files.patch @@ -14,7 +14,7 @@ Signed-off-by: Eneas U de Queiroz --- a/Makefile.am +++ b/Makefile.am -@@ -57,7 +57,7 @@ if ENABLE_DOC +@@ -48,7 +48,7 @@ if ENABLE_DOC SUBDIRS += doc endif From 47b4ceac8239751683e4ac1e794100bfb4b47f52 Mon Sep 17 00:00:00 2001 From: John Audia Date: Sun, 7 May 2023 00:58:25 -0400 Subject: [PATCH 48/49] snort3: update to 3.1.61.0 Upstream bump Removed upstreamed patch: 900-fix_build_for_archs_contain_plus.patch[1] 1. https://github.com/snort3/snort3/commit/4de62ca9b9bfea4049ebe373a07076284b121bfe Build system: x86_64 Build-tested: bcm2711/RPi4B Run-tested: bcm2711/RPi4B Signed-off-by: John Audia --- net/snort3/Makefile | 4 ++-- .../900-fix_build_for_archs_contain_plus.patch | 16 ---------------- 2 files changed, 2 insertions(+), 18 deletions(-) delete mode 100644 net/snort3/patches/900-fix_build_for_archs_contain_plus.patch diff --git a/net/snort3/Makefile b/net/snort3/Makefile index 8252bad5c..a3f17cf70 100644 --- a/net/snort3/Makefile +++ b/net/snort3/Makefile 
@@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=snort3 -PKG_VERSION:=3.1.60.0 +PKG_VERSION:=3.1.61.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/snort3/snort3/archive/refs/tags/ -PKG_HASH:=295bbeea93ead7835379d9c9332b1f82f9ecdd3741aeed267caf85bb887126a1 +PKG_HASH:=207963ece2eddd3c85ad90c9e2dabe33dc67eaa485ba9576e2b244f7ac45fc5d PKG_MAINTAINER:=W. Michael Petullo PKG_LICENSE:=GPL-2.0-only diff --git a/net/snort3/patches/900-fix_build_for_archs_contain_plus.patch b/net/snort3/patches/900-fix_build_for_archs_contain_plus.patch deleted file mode 100644 index 163a7a069..000000000 --- a/net/snort3/patches/900-fix_build_for_archs_contain_plus.patch +++ /dev/null @@ -1,16 +0,0 @@ ---- a/cmake/FindFlexLexer.cmake -+++ b/cmake/FindFlexLexer.cmake -@@ -16,11 +16,11 @@ macro(FLEX NAME LEXER_IN LEXER_OUT) - COMPILE_FLAGS ${FLEX_FLAGS} - ) - -- # we use '+' as a separator for 'sed' to avoid conflicts with '/' in paths from LEXER_OUT -+ # we use '|' as a separator for 'sed' to avoid conflicts with '/' in paths from LEXER_OUT - add_custom_command( - OUTPUT ${LEXER_OUT} - COMMAND sed -e -- "s+void yyFlexLexer::LexerError+yynoreturn void yyFlexLexer::LexerError+;s+${LEXER_OUT}.tmp+${LEXER_OUT}+" -+ "s|void yyFlexLexer::LexerError|yynoreturn void yyFlexLexer::LexerError|;s|${LEXER_OUT}.tmp|${LEXER_OUT}|" - ${FLEX_${NAME}_OUTPUTS} > ${LEXER_OUT} - DEPENDS ${FLEX_${NAME}_OUTPUTS} - VERBATIM From 05bc30fbb2636e8ef12326847f07cc3d788dbf4a Mon Sep 17 00:00:00 2001 From: "S. Brusch" Date: Fri, 5 May 2023 11:43:55 +0200 Subject: [PATCH 49/49] crowdsec-firewall-bouncer: new upstream release version 0.0.26 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: S. Brusch Maintainer: Kerma Gérald Run tested: ipq40xx/generic, Fritzbox 4040, Openwrt 22.03.5 Update crowdsec-firewall-bouncer to latest upstream release version 0.0.26 --- net/crowdsec-firewall-bouncer/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/crowdsec-firewall-bouncer/Makefile b/net/crowdsec-firewall-bouncer/Makefile index 713bd740a..2088c2d33 100644 --- a/net/crowdsec-firewall-bouncer/Makefile +++ b/net/crowdsec-firewall-bouncer/Makefile @@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=crowdsec-firewall-bouncer -PKG_VERSION:=0.0.25 +PKG_VERSION:=0.0.26 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/crowdsecurity/cs-firewall-bouncer/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=15ffaa38644215a4cf5e5d5d3a6fc6f0800057bc55d4bd25778d8e952679506e +PKG_HASH:=2325df3f8d01e2c9b52db212a796b15b4992a135d5d278441277e97db353b2a7 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE