diff --git a/admin/sudo/Makefile b/admin/sudo/Makefile
index 55e36e37f..fbb6adcc0 100644
--- a/admin/sudo/Makefile
+++ b/admin/sudo/Makefile
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=sudo
-PKG_VERSION:=1.9.12p1
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_VERSION:=1.9.12p2
+PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.sudo.ws/dist
-PKG_HASH:=475a18a8eb3da8b2917ceab063a6baf51ea09128c3c47e3e0e33ab7497bab7d8
+PKG_HASH:=b9a0b1ae0f1ddd9be7f3eafe70be05ee81f572f6f536632c44cd4101bb2a8539
 PKG_MAINTAINER:=Alexandru Ardelean
diff --git a/lang/python/python-chardet/Makefile b/lang/python/python-chardet/Makefile
index 27b53b79d..83e1799bd 100644
--- a/lang/python/python-chardet/Makefile
+++ b/lang/python/python-chardet/Makefile
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=python-chardet
-PKG_VERSION:=5.0.0
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_VERSION:=5.1.0
+PKG_RELEASE:=1
 PKG_LICENSE:=LGPL-2.1
 PYPI_NAME:=chardet
-PKG_HASH:=0368df2bfd78b5fc20572bb4e9bb7fb53e2c094f60ae9993339e8671d0afb8aa
+PKG_HASH:=0d62712b956bc154f85fb0a266e2a3c5913c2967e00348701b32411d6def31e5
 include ../pypi.mk
 include $(INCLUDE_DIR)/package.mk
@@ -26,7 +26,7 @@ define Package/python3-chardet
 MAINTAINER:=Alexandru Ardelean
 URL:=https://github.com/chardet/chardet
 TITLE:=Universal encoding detector
- DEPENDS:=+python3-light
+ DEPENDS:=+python3-light +python3-logging
 endef
 define Package/python3-chardet/description
diff --git a/lang/python/python-evdev/Makefile b/lang/python/python-evdev/Makefile
index 35c0b6066..bc26068a6 100644
--- a/lang/python/python-evdev/Makefile
+++ b/lang/python/python-evdev/Makefile
@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
 include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=python-evdev
-PKG_VERSION:=1.6.0
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_VERSION:=1.6.1
+PKG_RELEASE:=1
 PKG_LICENSE:=BSD-3-Clause
 PKG_MAINTAINER:=Paulo Costa , Alexandru Ardelean
 PYPI_NAME:=evdev
-PKG_HASH:=ecfa01b5c84f7e8c6ced3367ac95288f43cd84efbfd7dd7d0cdbfc0d18c87a6a
+PKG_HASH:=299db8628cc73b237fc1cc57d3c2948faa0756e2a58b6194b5bf81dc2081f1e3
 include ../pypi.mk
 include $(INCLUDE_DIR)/package.mk
diff --git a/net/bind/Config.in b/net/bind/Config.in
index 07bcc1c63..f1b83c746 100644
--- a/net/bind/Config.in
+++ b/net/bind/Config.in
@@ -33,4 +33,12 @@ config BIND_ENABLE_DOH
 You can disable DoHTTPS if you do not need it or need to avoid the additional library dependency.
+config BIND_ENABLE_GSSAPI
+ bool
+ default n
+ prompt "Include GSSPAI support in bind"
+ help
+ BIND 9 supports GSSAPI. This depends on libcomerr and krb5-libs.
+ Disable it by default as krb5-libs is rather large.
+
 endif
diff --git a/net/bind/Makefile b/net/bind/Makefile
index a65cfe764..dfa48cb52 100644
--- a/net/bind/Makefile
+++ b/net/bind/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=bind
 PKG_VERSION:=9.18.11
-PKG_RELEASE:=1
+PKG_RELEASE:=3
 USERID:=bind=57:bind=57
 PKG_MAINTAINER:=Noah Meyerhans
@@ -34,7 +34,8 @@ PKG_BUILD_PARALLEL:=1
 PKG_CONFIG_DEPENDS := \
 CONFIG_BIND_LIBJSON \
 CONFIG_BIND_LIBXML2 \
- CONFIG_BIND_ENABLE_DOH
+ CONFIG_BIND_ENABLE_DOH \
+ CONFIG_BIND_ENABLE_GSSAPI
 PKG_BUILD_DEPENDS += BIND_LIBXML2:libxml2 BIND_LIBJSON:libjson-c
@@ -61,6 +62,8 @@ define Package/bind-libs
 +libatomic \
 +libuv \
 +BIND_ENABLE_DOH:libnghttp2 \
+ +BIND_ENABLE_GSSAPI:krb5-libs \
+ +BIND_ENABLE_GSSAPI:libcomerr \
 +BIND_LIBXML2:libxml2 \
 +BIND_LIBJSON:libjson-c
 TITLE:=bind shared libraries
@@ -147,7 +150,6 @@ CONFIGURE_ARGS += \
 --with-openssl="$(STAGING_DIR)/usr" \
 --without-lmdb \
 --enable-epoll \
- --without-gssapi \
 --without-readline \
 --sysconfdir=/etc/bind
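Review bot: The user-visible prompt on the new BIND_ENABLE_GSSAPI option misspells the feature: `prompt "Include GSSPAI support in bind"` should read `prompt "Include GSSAPI support in bind"`, otherwise the typo ships in menuconfig. `default n` is already the implicit default for a bool, so it can stay or go, but the help text reads as an instruction rather than a rationale; `It is disabled by default because krb5-libs is rather large.` says what was meant. The dependency wording matches what the bind-libs DEPENDS hunk in the same commit adds, so nothing else in this section needs to change.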
@@ -176,6 +178,14 @@ else
 --disable-doh
 endif
+ifdef CONFIG_BIND_ENABLE_GSSAPI
+ CONFIGURE_ARGS += \
+ --with-gssapi
+else
+ CONFIGURE_ARGS += \
+ --without-gssapi
+endif
+
 CONFIGURE_VARS += \
 BUILD_CC="$(TARGET_CC)" \
diff --git a/net/bind/files/named.init b/net/bind/files/named.init
index 312e297fb..288d8f885 100644
--- a/net/bind/files/named.init
+++ b/net/bind/files/named.init
@@ -73,7 +73,7 @@ start_service() {
 touch $conf_local_file
 local args=
- [ no_ipv6 ] && args="-4"
+ no_ipv6 && args="-4"
 procd_open_instance
 procd_set_param command /usr/sbin/named -u bind -f $args -c $config_file
diff --git a/net/crowdsec-firewall-bouncer/Makefile b/net/crowdsec-firewall-bouncer/Makefile
index 52318f563..b8ea0b18e 100644
--- a/net/crowdsec-firewall-bouncer/Makefile
+++ b/net/crowdsec-firewall-bouncer/Makefile
@@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=crowdsec-firewall-bouncer
-PKG_VERSION:=0.0.21
-PKG_RELEASE:=$(AUTORELEASE)
+PKG_VERSION:=0.0.25
+PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/crowdsecurity/cs-firewall-bouncer/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=c92e02085c4c8481009a46ba80374329d102a45933fd0fd2164901954331923e
+PKG_HASH:=15ffaa38644215a4cf5e5d5d3a6fc6f0800057bc55d4bd25778d8e952679506e
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE
@@ -47,8 +47,7 @@ endef
 define Package/crowdsec-firewall-bouncer
 $(call Package/crowdsec-firewall-bouncer/Default)
- DEPENDS:=@(PACKAGE_iptables||PACKAGE_nftables) \
- $(GO_ARCH_DEPENDS)
+ DEPENDS:=$(GO_ARCH_DEPENDS)
 endef
 define Package/golang-crowdsec-firewall-bouncer-dev
@@ -65,7 +64,7 @@ define Package/crowdsec-firewall-bouncer/Default/description
 crowdsec-firewall-bouncer will fetch new and old decisions from a CrowdSec API to add them in a blocklist used by supported firewalls.
- You must install iptables+ipset or nftables.
+ You must install nftables.
 endef
 define Package/crowdsec-firewall-bouncer/description
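Review bot: The new `--with-gssapi` branch passes no path, unlike the neighbouring `--with-openssl="$(STAGING_DIR)/usr"`, so configure locates krb5 through whichever `krb5-config` it finds first, which on a cross build may be the host's. If bind's configure accepts a prefix here (its `--with-gssapi=[PATH|krb5-config]` form), `--with-gssapi="$(STAGING_DIR)/usr"` keeps the probe inside the staging tree; worth confirming against the 9.18.11 configure help. The `else` branch restores the `--without-gssapi` that the previous hunk removed, so default builds are unchanged.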
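Review bot: Dropping `@(PACKAGE_iptables||PACKAGE_nftables)` leaves `Package/crowdsec-firewall-bouncer` with no firewall dependency at all, while the updated description says "You must install nftables" and the init script shipped by the same commit drives `nft` directly. Declare the runtime dependency, e.g. `DEPENDS:=+nftables $(GO_ARCH_DEPENDS)` (or whichever nftables variant the feed uses as the provider), so opkg cannot install a bouncer that fails at start with a missing `nft`. The `Package/crowdsec-firewall-bouncer/Default` template this block calls is defined outside the hunk.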
@@ -83,29 +82,15 @@ endef
 define Package/crowdsec-firewall-bouncer/install
 $(call GoPackage/Package/Install/Bin,$(1))
- $(INSTALL_DIR) $(1)/etc/crowdsec/bouncers
- $(INSTALL_DATA) \
- $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/crowdsec-firewall-bouncer.yaml \
- $(1)/etc/crowdsec/bouncers
+ $(INSTALL_DIR) $(1)/etc/config
+ $(INSTALL_CONF) ./files/crowdsec.config $(1)/etc/config/crowdsec
 $(INSTALL_DIR) $(1)/etc/init.d
- $(INSTALL_BIN) \
- ./files/crowdsec-firewall-bouncer.initd \
- $(1)/etc/init.d/crowdsec-firewall-bouncer
-
- $(INSTALL_DIR) $(1)/etc
- $(INSTALL_BIN) \
- ./files/crowdsec-firewall-bouncer.firewall \
- $(1)/etc/firewall.cs
-
- $(INSTALL_DIR) $(1)/etc/uci-defaults
- $(INSTALL_BIN) \
- ./files/crowdsec-firewall-bouncer.defaults \
- $(1)/etc/uci-defaults/99_crowdsec-firewall-bouncer
+ $(INSTALL_BIN) ./files/crowdsec-firewall-bouncer.initd $(1)/etc/init.d/crowdsec-firewall-bouncer
 endef
 define Package/crowdsec-firewall-bouncer/conffiles
-/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
+/etc/config/crowdsec
 endef
 $(eval $(call GoBinPackage,crowdsec-firewall-bouncer))
diff --git a/net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.defaults b/net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.defaults
deleted file mode 100644
index 64d69a2f1..000000000
--- a/net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.defaults
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/sh
-
-CONFIG=/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
-## Gen&ConfigApiKey
-if grep -q "{API_KEY}" "$CONFIG"; then
- SUFFIX=`tr -dc A-Za-z0-9 + +USE_PROCD=1 START=99 -USE_PROCD=1 +
 NAME=crowdsec-firewall-bouncer
 PROG=/usr/bin/cs-firewall-bouncer
-CONFIG=/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
-BACKEND=iptables
 VARCONFIGDIR=/var/etc/crowdsec/bouncers
 VARCONFIG=/var/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
-FW_BACKEND="iptables"
+
+CONFIGURATION=crowdsec
+
+TABLE="crowdsec"
+TABLE6="crowdsec6"
 service_triggers() {
 procd_add_reload_trigger crowdsec-firewall-bouncer
+ procd_add_config_trigger "config.change" "crowdsec" /etc/init.d/crowdsec-firewall-bouncer reload
 }
-init_config() {
- ## CheckFirewall
- iptables="true"
- which iptables > /dev/null
- FW_BACKEND=""
- if [[ $? != 0 ]]; then
- echo "iptables is not present"
- iptables="false"
- else
- FW_BACKEND="iptables"
- echo "iptables found"
- fi
+init_yaml() {
- nftables="true"
- which nft > /dev/null
- if [[ $? != 0 ]]; then
- echo "nftables is not present"
- nftables="false"
- else
- FW_BACKEND="nftables"
- echo "nftables found"
- fi
+ local section="$1"
- if [ "$nftables" = "true" -a "$iptables" = "true" ]; then
- echo "Found nftables(default) and iptables..."
- fi
+ local update_frequency
+ local log_level
+ local api_url
+ local api_key
+ local ipv6
+ local deny_action
+ local deny_log
+ local log_prefix
+ local log_max_size
+ local log_max_backups
+ local log_max_age
+ local ipv4
+ local input_chain_name
+ local input6_chain_name
- if [ "$FW_BACKEND" = "iptables" ]; then
- which ipset > /dev/null
- if [[ $? != 0 ]]; then
- echo "ipset not found, install it !"
- fi
- fi
- BACKEND=$FW_BACKEND
+ config_get update_frequency $section update_frequency '10s'
+ config_get log_level $section log_level 'info'
+ config_get api_url $section api_url "http://127.0.0.1:8080"
+ config_get api_key $section api_key "API_KEY"
+ config_get_bool ipv6 $section ipv6 '1'
+ config_get deny_action $section deny_action "drop"
+ config_get_bool deny_log $section deny_log '0'
+ config_get log_prefix $section log_prefix "crowdsec: "
+ config_get log_max_size $section log_max_size '100'
+ config_get log_max_backups $section log_max_backups '3'
+ config_get log_max_age $section log_max_age '30'
+ config_get_bool ipv4 $section ipv4 '1'
+ config_get input_chain_name $section input_chain_name "input"
+ config_get input6_chain_name $section input6_chain_name "input"
 # Create tmp dir & permissions if needed
 if [ ! -d "${VARCONFIGDIR}" ]; then
 mkdir -m 0755 -p "${VARCONFIGDIR}"
 fi;
- cp $CONFIG $VARCONFIG
+ cat > $VARCONFIG <<-EOM
+ mode: nftables
+ pid_dir: /var/run/
+ update_frequency: $update_frequency
+ daemonize: true
+ log_mode: file
+ log_dir: /var/log/
+ log_level: $log_level
+ log_compression: true
+ log_max_size: $log_max_size
+ log_max_backups: $log_max_backups
+ log_max_age: $log_max_age
+ api_url: $api_url
+ api_key: $api_key
+ insecure_skip_verify: true
+ disable_ipv6: boolnot($ipv6)
+ deny_action: $deny_action
+ deny_log: bool($deny_log)
+ supported_decisions_type:
+ - ban
+ #to change log prefix
+ deny_log_prefix: "$log_prefix"
+ #to change the blacklists name
+ blacklists_ipv4: crowdsec-blacklists
+ blacklists_ipv6: crowdsec6-blacklists
+ #type of ipset to use
+ ipset_type: nethash
+ #if present, insert rule in those chains
+ iptables_chains:
+ - INPUT
+ # - FORWARD
+ # - DOCKER-USER
+ ## nftables
+ nftables:
+ ipv4:
+ enabled: bool($ipv4)
+ set-only: true
+ table: $TABLE
+ chain: $input_chain_name
+ ipv6:
+ enabled: bool($ipv6)
+ set-only: true
+ table: $TABLE6
+ chain: $input6_chain_name
+ # packet filter
+ pf:
+ # an empty disables the
anchor
+ anchor_name: ""
+ prometheus:
+ enabled: false
+ listen_addr: 127.0.0.1
+ listen_port: 60601
+ EOM
- sed -i "s,^\(\s*mode\s*:\s*\).*\$,\1$BACKEND," $VARCONFIG
+ sed -i "s/bool(1)/true/g" $VARCONFIG
+ sed -i "s/bool(0)/false/g" $VARCONFIG
+ sed -i "s/boolnot(1)/false/g" $VARCONFIG
+ sed -i "s/boolnot(0)/true/g" $VARCONFIG
+ sed -i "s,^\(\s*api_url\s*:\s*\).*\$,\1$api_url," $VARCONFIG
+ sed -i "s,^\(\s*api_key\s*:\s*\).*\$,\1$api_key," $VARCONFIG
+}
+
+init_nftables() {
+
+ local section="$1"
+
+ local priority
+ local deny_action
+ local deny_log
+ local log_prefix
+ local ipv4
+ local ipv6
+ local filter_input
+ local filter_forward
+ local input_chain_name
+ local forward_chain_name
+ local input6_chain_name
+ local forward6_chain_name
+ local interface
+ local log_term=""
+
+ config_get priority $section priority "4"
+ config_get deny_action $section deny_action "drop"
+ config_get_bool deny_log $section deny_log '0'
+ config_get log_prefix $section log_prefix "crowdsec: "
+ config_get_bool ipv4 $section ipv4 '1'
+ config_get_bool ipv6 $section ipv6 '1'
+ config_get_bool filter_input $section filter_input '1'
+ config_get_bool filter_forward $section filter_forward '1'
+ config_get input_chain_name $section input_chain_name "input"
+ config_get forward_chain_name $section forward_chain_name "forward"
+ config_get input6_chain_name $section input6_chain_name "input"
+ config_get forward6_chain_name $section forward6_chain_name "forward"
+ config_get interface $section interface 'eth1'
+
+ if [ "$deny_log" -eq "1" ] ; then
+ local log_term="log prefix \"${log_prefix}\""
+ fi
+
+ local interface="${interface// /, }"
+
+ #as of kernel 3.18 we can delete a table without need to flush it
+ nft delete table ip crowdsec 2>/dev/null
+ nft delete table ip6 crowdsec6 2>/dev/null
+
+ if [ "$ipv4" -eq "1" ] ; then
+
+ nft add table ip crowdsec
+ nft add set ip crowdsec crowdsec-blacklists '{ type ipv4_addr; flags timeout; }'
+
+ if [ "$filter_input" -eq "1" ] ; then
+ nft add chain ip "$TABLE" $input_chain_name "{ type filter hook input priority $priority; policy accept; }"
+ nft add rule ip "$TABLE" $input_chain_name iifname { $interface } ct state new ip saddr @crowdsec-blacklists ${log_term} counter $deny_action
+ fi
+ if [ "$filter_forward" -eq "1" ] ; then
+ nft add chain ip "$TABLE" $forward_chain_name "{ type filter hook forward priority $priority; policy accept; }"
+ nft add rule ip "$TABLE" $forward_chain_name iifname { $interface } ct state new ip saddr @crowdsec-blacklists ${log_term} counter $deny_action
+ fi
+ fi
+
+ if [ "$ipv6" -eq "1" ] ; then
+
+ nft add table ip6 crowdsec6
+ nft add set ip6 crowdsec6 crowdsec6-blacklists '{ type ipv6_addr; flags timeout; }'
+
+ if [ "$filter_input" -eq "1" ] ; then
+ nft add chain ip6 "$TABLE6" $input6_chain_name "{ type filter hook input priority $priority; policy accept; }"
+ nft add rule ip6 "$TABLE6" $input6_chain_name iifname { $interface } ct state new ip6 saddr @crowdsec6-blacklists ${log_term} counter $deny_action
+ fi
+ if [ "$filter_forward" -eq "1" ] ; then
+ nft add chain ip6 "$TABLE6" $forward6_chain_name "{ type filter hook forward priority $priority; policy accept; }"
+ nft add rule ip6 "$TABLE6" $forward6_chain_name iifname { $interface } ct state new ip6 saddr @crowdsec6-blacklists ${log_term} counter $deny_action
+ fi
+ fi
+}
+
+run_bouncer() {
+
+ local section="$1"
+
+ local enabled
+ config_get_bool enabled $section enabled 0
+
+ if [ "$enabled" -eq "1" ] ; then
+
+ init_yaml "$section"
+ init_nftables "$section"
+
+ procd_open_instance
+ procd_set_param command "$PROG" -c "$VARCONFIG"
+ procd_set_param stdout 1
+ procd_set_param stderr 1
+ procd_close_instance
+ fi
 }
 start_service() {
- init_config
- procd_open_instance
- procd_set_param command "$PROG" -c "$VARCONFIG"
- procd_close_instance
+ config_load "${CONFIGURATION}"
+ config_foreach run_bouncer bouncer
 }
+
+service_stopped() {
+
+ rm $VARCONFIG
+
+ nft delete table ip crowdsec 2>/dev/null
+ nft
delete table ip6 crowdsec6 2>/dev/null
+}
+
+
diff --git a/net/crowdsec-firewall-bouncer/files/crowdsec.config b/net/crowdsec-firewall-bouncer/files/crowdsec.config
new file mode 100644
index 000000000..ad43bd119
--- /dev/null
+++ b/net/crowdsec-firewall-bouncer/files/crowdsec.config
@@ -0,0 +1,15 @@
+config bouncer
+ option enabled '0'
+ option ipv4 '1'
+ option ipv6 '1'
+ option api_url 'http://localhost:8080/'
+ option api_key ''
+ option update_frequency '10s'
+ option deny_action 'drop'
+ option deny_log '0'
+ option log_prefix 'crowdsec: '
+ option log_level 'info'
+ option filter_input '1'
+ option filter_forward '1'
+ list interface 'eth1'
+
diff --git a/net/crowdsec-firewall-bouncer/patches/001-fix_config_iptables_chains.patch b/net/crowdsec-firewall-bouncer/patches/001-fix_config_iptables_chains.patch
deleted file mode 100644
index f129ad89f..000000000
--- a/net/crowdsec-firewall-bouncer/patches/001-fix_config_iptables_chains.patch
+++ /dev/null
@@ -1,9 +0,0 @@
---- a/config/crowdsec-firewall-bouncer.yaml
-+++ b/config/crowdsec-firewall-bouncer.yaml
-@@ -20,5 +20,5 @@ supported_decisions_types:
- #if present, insert rule in those chains
- iptables_chains:
- - INPUT
--# - FORWARD
-+ - FORWARD
- # - DOCKER-USER
diff --git a/net/openssh/Makefile b/net/openssh/Makefile
index cc5c27b91..8d103f604 100644
--- a/net/openssh/Makefile
+++ b/net/openssh/Makefile
@@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openssh
-PKG_VERSION:=9.1p1
+PKG_VERSION:=9.2p1
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
 https://ftp.spline.de/pub/OpenBSD/OpenSSH/portable/
-PKG_HASH:=19f85009c7e3e23787f0236fbb1578392ab4d4bf9f8ec5fe6bc1cd7e8bfdd288
+PKG_HASH:=3f66dbf1655fb45f50e1c56da62ab01218c228807b21338d634ebcdf9d71cf46
 PKG_LICENSE:=BSD ISC
 PKG_LICENSE_FILES:=LICENCE
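Review bot: `cat > $VARCONFIG <<-EOM` in init_yaml writes the LAPI `api_key` to /var/etc/crowdsec/bouncers with the default umask, inside a directory the script creates with `mkdir -m 0755`, so the key is readable by every local user; create the file with `touch "$VARCONFIG" && chmod 0600 "$VARCONFIG"` before the heredoc. The same template hard-codes `insecure_skip_verify: true`, which turns off TLS verification for any non-loopback api_url without the operator choosing it; expose it as `config_get_bool insecure_skip_verify $section insecure_skip_verify '0'` and interpolate it like the other booleans. The template key `supported_decisions_type:` does not match the `supported_decisions_types:` spelling visible in the upstream config quoted by the deleted 001-fix_config_iptables_chains.patch, so the `- ban` list below it is probably ignored — confirm against the bouncer's config parser. The two trailing `sed -i "s,^\(\s*api_url…` and `api_key` lines are redundant because the heredoc already expanded those variables, and a key containing `,` or `&` would break the expression, so they can go. This file's hunk header was lost in the page's formatting; the note refers to the new-side init_yaml body.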
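Review bot: The shipped default `option api_url 'http://localhost:8080/'` differs from the fallback init_yaml uses when the option is absent, `http://127.0.0.1:8080`, in both host and trailing slash; settle on one (the init's literal address avoids a name lookup) so a default install and a hand-trimmed config behave the same. `option api_key ''` with `option enabled '0'` is the right shipping state, but if `config_get` applies its default to an empty value, as functions.sh does, `config_get api_key $section api_key "API_KEY"` turns the empty key into the placeholder and a user who flips `enabled` without setting a key gets a bouncer polling the LAPI with `API_KEY`; a comment here such as `# api_key: the bouncer key registered with the local CrowdSec API` would steer people right.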
@@ -36,7 +36,6 @@ define Package/openssh/Default
 MAINTAINER:=Peter Wagner
 URL:=http://www.openssh.com/
 SUBMENU:=SSH
- VARIANT:=without-pam
 endef
 define Package/openssh-moduli
@@ -89,6 +88,7 @@ define Package/openssh-server
 DEPENDS+= +openssh-keygen +OPENSSH_LIBFIDO2:libfido2
 TITLE+= server
 USERID:=sshd=22:sshd=22
+ VARIANT:=without-pam
 endef
 define Package/openssh-server/config
diff --git a/net/pdns-recursor/Makefile b/net/pdns-recursor/Makefile
index 36b5a75a2..5be05462f 100644
--- a/net/pdns-recursor/Makefile
+++ b/net/pdns-recursor/Makefile
@@ -1,12 +1,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=pdns-recursor
-PKG_VERSION:=4.8.1
+PKG_VERSION:=4.8.2
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://downloads.powerdns.com/releases/
-PKG_HASH:=d7b03447009257e512f01fcc46cbdb9c859b672a1c9b23faf382e870765b0f0d
+PKG_HASH:=4382d3e84f13401685772779dfede6cbc8157ecf6763fa7fdb1dd33ee3f79ac7
 PKG_MAINTAINER:=Peter van Dijk
 PKG_LICENCE:=GPL-2.0-only
diff --git a/net/simple-adblock/Makefile b/net/simple-adblock/Makefile
index de1ca0e05..497c6c3bd 100644
--- a/net/simple-adblock/Makefile
+++ b/net/simple-adblock/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=simple-adblock
 PKG_VERSION:=1.9.3
-PKG_RELEASE:=6
+PKG_RELEASE:=7
 PKG_MAINTAINER:=Stan Grishin
 PKG_LICENSE:=GPL-3.0-or-later
diff --git a/net/simple-adblock/files/simple-adblock.conf b/net/simple-adblock/files/simple-adblock.conf
index e005f2317..03b016fe1 100644
--- a/net/simple-adblock/files/simple-adblock.conf
+++ b/net/simple-adblock/files/simple-adblock.conf
@@ -71,9 +71,9 @@ config simple-adblock 'config'
 # enabling this will disable processing of any other block/allow-lists
 # option dnsmasq_config_file_url 'https://dnsmasq.oisd.nl/'
-# File size: 34.0M
+# File size: 19.0M
 # block-list too big for most routers
-# list blocked_hosts_url 'https://hosts.oisd.nl/'
+# list blocked_domains_url 'https://dbl.oisd.nl/'
 # site was down on last check
 # list blocked_domains_url 'http://support.it-mate.co.uk/downloads/hosts.txt'
diff --git a/net/simple-adblock/files/simple-adblock.conf.update b/net/simple-adblock/files/simple-adblock.conf.update
index b9fde68ee..2d42d1712 100644
--- a/net/simple-adblock/files/simple-adblock.conf.update
+++ b/net/simple-adblock/files/simple-adblock.conf.update
@@ -4,7 +4,6 @@ s|blacklist_hosts_url|blocked_hosts_url|g
 s|blacklist_domains_url|blocked_domains_url|g
 s|blacklist_domain|blocked_domain|g
 s|ssl.bblck.me|cdn.jsdelivr.net/gh/paulgb/BarbBlock|g
-s|dbl.oisd.nl|hosts.oisd.nl|g
 s|raw.githubusercontent.com/StevenBlack/hosts/|cdn.jsdelivr.net/gh/StevenBlack/hosts@|g
 s|raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/|cdn.jsdelivr.net/gh/hoshsadiq/adblock-nocoin-list@|g
 s|raw.githubusercontent.com/jawz101/MobileAdTrackers/|cdn.jsdelivr.net/gh/jawz101/MobileAdTrackers@|g
diff --git a/net/simple-adblock/files/simple-adblock.init b/net/simple-adblock/files/simple-adblock.init
index fb6e99588..89ef3fd7b 100644
--- a/net/simple-adblock/files/simple-adblock.init
+++ b/net/simple-adblock/files/simple-adblock.init
@@ -1409,16 +1409,29 @@ adb_stop() {
 fi
 }
+allow() { load_validate_config 'config' adb_allow "'$*'"; }
+boot() {
+ ubus -t 30 wait_for network.interface 2>/dev/null
+ rc_procd start_service 'on_boot'
+}
+check() { load_validate_config 'config' adb_check "'$*'"; }
+dl() { rc_procd start_service 'download'; }
+killcache() {
+ rm -f "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip"
+ rm -f "$dnsmasqConfCache" "$dnsmasqConfGzip"
+ rm -f "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip"
+ rm -f "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip"
+ rm -f "$dnsmasqServersCache" "$dnsmasqServersGzip"
+ rm -f "$unboundCache" "$unboundGzip"
+ config_load 'dhcp'
+ config_foreach resolver 'dnsmasq' 'cleanup'
+ uci_commit 'dhcp'
+ return 0
+}
+reload_service() { rc_procd start_service 'restart'; }
+restart_service() { rc_procd start_service 'restart'; }
 service_started() { procd_set_config_changed firewall; }
 service_stopped() { procd_set_config_changed firewall; }
-restart_service() { rc_procd start_service 'restart'; }
-reload_service() { rc_procd start_service 'restart'; }
-start_service() {
- load_validate_config 'config' adb_config_update "'$*'"
- load_validate_config 'config' adb_start "'$*'"
-}
-stop_service() { load_validate_config 'config' adb_stop "'$*'"; }
-status_service() { load_validate_config 'config' adb_status "''"; }
 service_triggers() {
 local wan wan6 i
 local procd_trigger_wan6
@@ -1437,22 +1450,13 @@ service_triggers() {
 done
 procd_add_config_trigger "config.change" "$packageName" "/etc/init.d/${packageName}" reload
 }
-allow() { load_validate_config 'config' adb_allow "'$*'"; }
-check() { load_validate_config 'config' adb_check "'$*'"; }
-dl() { rc_procd start_service 'download'; }
-killcache() {
- rm -f "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip"
- rm -f "$dnsmasqConfCache" "$dnsmasqConfGzip"
- rm -f "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip"
- rm -f "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip"
- rm -f "$dnsmasqServersCache" "$dnsmasqServersGzip"
- rm -f "$unboundCache" "$unboundGzip"
- config_load 'dhcp'
- config_foreach resolver 'dnsmasq' 'cleanup'
- uci_commit 'dhcp'
- return 0
-}
 sizes() { load_validate_config 'config' adb_sizes "''"; }
+start_service() {
+ load_validate_config 'config' adb_config_update "'$*'"
+ load_validate_config 'config' adb_start "'$*'"
+}
+status_service() { load_validate_config 'config' adb_status "''"; }
+stop_service() { load_validate_config 'config' adb_stop "'$*'"; }
 version() { echo "$PKG_VERSION"; }
 load_validate_config() {
diff --git a/net/tailscale/Makefile b/net/tailscale/Makefile
index e15b54aa1..6dd8fb7aa 100644
--- a/net/tailscale/Makefile
+++ b/net/tailscale/Makefile
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=tailscale
-PKG_VERSION:=1.32.3
+PKG_VERSION:=1.36.0
 PKG_RELEASE:=1
 PKG_SOURCE:=tailscale-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/tailscale/tailscale/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=4cf88a1d754240ce71b29d3a65ca480091ad9c614ac99c541cef6fdaf0585dd4
+PKG_HASH:=25b293a7e65d7b962f0c56454d66fa56c89c3aa995467218f24efa335b924c76
 PKG_MAINTAINER:=Jan Pavlinec
 PKG_LICENSE:=BSD-3-Clause
@@ -61,24 +61,44 @@ endef
 Package/tailscaled/description:=$(Package/tailscale/description)
+define Package/tailscaled/conffiles
+/etc/config/tailscale
+/etc/tailscale/tailscaled.state
+endef
+
+GO_IPTABLES_VERSION:=0.6.0
+GO_IPTABLES_FILE:=$(PKG_NAME)-go-iptables-$(GO_IPTABLES_VERSION).tar.gz
+
+define Download/go-iptables
+ URL:=https://codeload.github.com/coreos/go-iptables/tar.gz/v$(GO_IPTABLES_VERSION)?
+ URL_FILE:=$(GO_IPTABLES_FILE)
+ FILE:=$(GO_IPTABLES_FILE)
+ HASH:=a784cc17fcb17879f073eae47bc4c2e899f59f6906dac5a0aa7a9cc9f95ea66d
+endef
+
+define Build/Prepare
+ $(PKG_UNPACK)
+ [ ! -d ./src/ ] || $(CP) ./src/. $(PKG_BUILD_DIR)
+ $(eval $(call Download,go-iptables))
+ ( \
+ mkdir -p $(PKG_BUILD_DIR)/patched/ ; \
+ gzip -dc $(DL_DIR)/$(GO_IPTABLES_FILE) | $(HOST_TAR) -C $(PKG_BUILD_DIR)/patched $(TAR_OPTIONS) ; \
+ mv $(PKG_BUILD_DIR)/patched/go-iptables-$(GO_IPTABLES_VERSION) $(PKG_BUILD_DIR)/patched/go-iptables ; \
+ )
+ $(Build/Patch)
+endef
+
 define Package/tailscale/install
 $(INSTALL_DIR) $(1)/usr/sbin
 $(INSTALL_BIN) $(GO_PKG_BUILD_BIN_DIR)/tailscale $(1)/usr/sbin
 endef
 define Package/tailscaled/install
- $(INSTALL_DIR) $(1)/usr/sbin
+ $(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/init.d $(1)/etc/config
 $(INSTALL_BIN) $(GO_PKG_BUILD_BIN_DIR)/tailscaled $(1)/usr/sbin
- $(INSTALL_DIR) $(1)/etc/init.d/
 $(INSTALL_BIN) ./files//tailscale.init $(1)/etc/init.d/tailscale
- $(INSTALL_DIR) $(1)/etc/config/
 $(INSTALL_DATA) ./files//tailscale.conf $(1)/etc/config/tailscale
 endef
-define Package/tailscaled/conffiles
-/etc/config/tailscale
-/etc/tailscale/tailscaled.state
-endef
-
 $(eval $(call BuildPackage,tailscale))
 $(eval $(call BuildPackage,tailscaled))
diff --git a/net/tailscale/README.md b/net/tailscale/README.md
index d3b58e7ce..eaffa57d7 100644
--- a/net/tailscale/README.md
+++ b/net/tailscale/README.md
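Review bot: The subshell in the new Build/Prepare chains `mkdir`, `gzip | $(HOST_TAR)` and `mv` with `;`, so a failed extraction of `$(DL_DIR)/$(GO_IPTABLES_FILE)` does not stop the recipe and the build only fails later, inside the Go build, with a less obvious error; join the three commands with `&&` (or drop the subshell and give each its own recipe line). `$(eval $(call Download,go-iptables))` sits inside the recipe rather than at top level next to `define Download/go-iptables`, which is where the feed's other packages place it so the download rule exists before the prepare step is scheduled — worth confirming this still fetches the tarball on a clean `make package/tailscale/download`. The pinned `HASH` on the extra download is good, and since the `replace` directive that points go.mod at `./patched/go-iptables` comes from 010-fake_iptables.patch, `$(Build/Patch)` must stay after the extraction as it does here.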
@@ -25,4 +25,9 @@ Run command and finish device registration with the given URL.
 tailscale up
 ```
+If you are running with nftables, it is not supported by tailscale,
+so disable it and configure firewall by yourself and add argument
+--netfilter-mode off
+to tailscale up command to disable iptables use.
+
 After that, you should see your router in tailscale admin page.
diff --git a/net/tailscale/patches/010-fake_iptables.patch b/net/tailscale/patches/010-fake_iptables.patch
new file mode 100644
index 000000000..07e14fbf5
--- /dev/null
+++ b/net/tailscale/patches/010-fake_iptables.patch
@@ -0,0 +1,53 @@
+--- a/go.mod
++++ b/go.mod
+@@ -2,6 +2,8 @@ module tailscale.com
+
+ go 1.19
+
++replace github.com/coreos/go-iptables => ./patched/go-iptables
++
+ require (
+ filippo.io/mkcert v1.4.3
+ github.com/Microsoft/go-winio v0.6.0
+--- a/patched/go-iptables/iptables/iptables.go
++++ b/patched/go-iptables/iptables/iptables.go
+@@ -149,12 +149,39 @@ func New(opts ...option) (*IPTables, err
+ return ipt, nil
+ }
+
++func NewFake(opts ...option) (*IPTables, error) {
++
++ ipt := &IPTables{
++ path: "/bin/false",
++ proto: ProtocolIPv4,
++ hasCheck: false,
++ hasWait: false,
++ waitSupportSecond: false,
++ hasRandomFully: false,
++ v1: 0,
++ v2: 0,
++ v3: 0,
++ mode: "legacy",
++ timeout: 0,
++ }
++
++ for _, opt := range opts {
++ opt(ipt)
++ }
++
++ return ipt, nil
++}
++
+ // New creates a new IPTables for the given proto.
+ // The proto will determine which command is used, either "iptables" or "ip6tables".
+ func NewWithProtocol(proto Protocol) (*IPTables, error) {
+ return New(IPFamily(proto), Timeout(0))
+ }
+
++func NewFakeWithProtocol(proto Protocol) (*IPTables, error) {
++ return NewFake(IPFamily(proto), Timeout(0))
++}
++
+ // Proto returns the protocol used by this IPTables.
+ func (ipt *IPTables) Proto() Protocol {
+ return ipt.proto
diff --git a/net/tailscale/patches/020-tailscaled_fake_iptables.patch b/net/tailscale/patches/020-tailscaled_fake_iptables.patch
new file mode 100644
index 000000000..2180080ca
--- /dev/null
+++ b/net/tailscale/patches/020-tailscaled_fake_iptables.patch
@@ -0,0 +1,32 @@
+--- a/wgengine/router/router_linux.go
++++ b/wgengine/router/router_linux.go
+@@ -129,7 +129,7 @@ func newUserspaceRouter(logf logger.Logf
+
+ ipt4, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+ if err != nil {
+- return nil, err
++ ipt4, err = iptables.NewFakeWithProtocol(iptables.ProtocolIPv4)
+ }
+
+ v6err := checkIPv6(logf)
+@@ -148,7 +148,7 @@ func newUserspaceRouter(logf logger.Logf
+ // if unavailable. We want that to be a non-fatal error.
+ ipt6, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
+ if err != nil {
+- return nil, err
++ ipt6, err = iptables.NewFakeWithProtocol(iptables.ProtocolIPv6)
+ }
+ }
+
+@@ -1635,11 +1635,6 @@ func checkIPv6(logf logger.Logf) error {
+ return fmt.Errorf("kernel doesn't support IPv6 policy routing: %w", err)
+ }
+
+- // Some distros ship ip6tables separately from iptables.
+- if _, err := exec.LookPath("ip6tables"); err != nil {
+- return err
+- }
+-
+ return nil
+ }
+
diff --git a/net/tailscale/patches/030-default_to_netfilter_off.patch b/net/tailscale/patches/030-default_to_netfilter_off.patch
new file mode 100644
index 000000000..90c78fe69
--- /dev/null
+++ b/net/tailscale/patches/030-default_to_netfilter_off.patch
@@ -0,0 +1,11 @@
+--- a/cmd/tailscale/cli/up.go
++++ b/cmd/tailscale/cli/up.go
+@@ -143,7 +143,7 @@ func defaultNetfilterMode() string {
+ if distro.Get() == distro.Synology {
+ return "off"
+ }
+- return "on"
++ return "off"
+ }
+
+ type upArgsT struct {
diff --git a/net/tailscale/test.sh b/net/tailscale/test.sh
old mode 100644
new mode 100755
index f50de6fc0..0130d4929
--- a/net/tailscale/test.sh
+++ b/net/tailscale/test.sh
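Review bot: Both fallbacks in 020-tailscaled_fake_iptables.patch, `ipt4, err = iptables.NewFakeWithProtocol(...)` and the ipt6 one, overwrite `err` with the nil that NewFake always returns (see `return ipt, nil` in 010-fake_iptables.patch), so the reason iptables was unusable is never logged and tailscaled carries on with a handle whose path is `/bin/false`, where every later rule operation fails at use time with no hint why. Log before replacing, e.g. `logf("iptables unavailable (%v); falling back to no-op iptables", err)`, so an operator who runs with `--netfilter-mode=on` on an nftables-only router can see why no rules appear. Removing the `exec.LookPath("ip6tables")` check in checkIPv6 is consistent with that intent but widens the same silent path; both enclosing functions start outside the hunk.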
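Review bot: `return "off"` in defaultNetfilterMode now applies to every Linux host, not only nftables ones, yet the README.md hunk in this commit tells users to pass `--netfilter-mode off` only when running nftables and says nothing about the new default. Either document in the README that on this build tailscaled no longer installs its netfilter rules unless `--netfilter-mode=on` is given, so the user's own firewall must cover the tailscale interface, or narrow the patch to the nftables case the README describes. As far as I can tell this is a behaviour change for users upgrading from 1.32.3 and deserves a line in the commit message as well.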
@@ -1,8 +1,10 @@
 #!/bin/sh
-if command -v tailscale; then
- tailscale version | grep "$2" || exit 1
-fi
-if command -v tailscaled; then
- tailscaled -version | grep "$2"
-fi
+case "$1" in
+ tailscale)
+ tailscale version | grep "$2"
+ ;;
+ tailscaled)
+ tailscaled -version | grep "$2"
+ ;;
+esac
diff --git a/net/xl2tpd/Makefile b/net/xl2tpd/Makefile
index 15074090c..8abf25699 100644
--- a/net/xl2tpd/Makefile
+++ b/net/xl2tpd/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=xl2tpd
-PKG_VERSION:=1.3.17
+PKG_VERSION:=1.3.18
 PKG_RELEASE:=1
 PKG_MAINTAINER:=Yousong Zhou
 PKG_LICENSE:=GPL-2.0
@@ -19,7 +19,7 @@ PKG_SOURCE_URL:=https://github.com/xelerance/xl2tpd.git
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
 PKG_SOURCE_VERSION:=v$(PKG_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_MIRROR_HASH:=5fbc1fe5a01ebd5b0eb2929b85e68eb271e29cc2989320aa1ae2b32f0ac0e540
+PKG_MIRROR_HASH:=f4faa15357063a2ac11e427adbcac6b51c755cc294f1a26fe4eb0c008840df31
 PKG_INSTALL:=1
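Review bot: The new `case "$1" in` has no default arm, so a call with an unexpected package name (or no argument) matches nothing and the script exits 0, reporting success for a check that never ran; add `*) exit 1 ;;` before `esac`. `grep "$2"` treats the version as a regular expression in which each dot matches any character, so `grep -F -- "$2"` checks the literal string instead. Dropping the old `|| exit 1` is fine here because the pipeline's status is now the script's exit status, and the mode change to 100755 complements that if the feed executes test.sh directly, as it presumably does.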