From b748d59e07b5acf0c495e1a295dd6c6f554c5a07 Mon Sep 17 00:00:00 2001 From: "S. Brusch" Date: Mon, 30 Jan 2023 19:26:59 +0100 Subject: [PATCH 01/14] crowdsec-firewall-bouncer: update to 0.0.25 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update crowdsec-firewall-bouncer to latest upstream release version 0.0.25 Signed-off-by: S. Brusch Maintainer: Kerma Gérald Run tested: ipq40xx/generic, Fritzbox 4040, Openwrt 22.03.3 Rework: - now based on uci config file - create nftables tables and chains in initd script --- net/crowdsec-firewall-bouncer/Makefile | 33 +-- .../files/crowdsec-firewall-bouncer.defaults | 23 -- .../files/crowdsec-firewall-bouncer.firewall | 4 - .../files/crowdsec-firewall-bouncer.initd | 246 +++++++++++++++--- .../files/crowdsec.config | 15 ++ .../001-fix_config_iptables_chains.patch | 9 - 6 files changed, 228 insertions(+), 102 deletions(-) delete mode 100644 net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.defaults delete mode 100644 net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.firewall create mode 100644 net/crowdsec-firewall-bouncer/files/crowdsec.config delete mode 100644 net/crowdsec-firewall-bouncer/patches/001-fix_config_iptables_chains.patch diff --git a/net/crowdsec-firewall-bouncer/Makefile b/net/crowdsec-firewall-bouncer/Makefile index 52318f563..b8ea0b18e 100644 --- a/net/crowdsec-firewall-bouncer/Makefile +++ b/net/crowdsec-firewall-bouncer/Makefile @@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=crowdsec-firewall-bouncer -PKG_VERSION:=0.0.21 -PKG_RELEASE:=$(AUTORELEASE) +PKG_VERSION:=0.0.25 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/crowdsecurity/cs-firewall-bouncer/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=c92e02085c4c8481009a46ba80374329d102a45933fd0fd2164901954331923e +PKG_HASH:=15ffaa38644215a4cf5e5d5d3a6fc6f0800057bc55d4bd25778d8e952679506e PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE 
@@ -47,8 +47,7 @@ endef define Package/crowdsec-firewall-bouncer $(call Package/crowdsec-firewall-bouncer/Default) - DEPENDS:=@(PACKAGE_iptables||PACKAGE_nftables) \ - $(GO_ARCH_DEPENDS) + DEPENDS:=$(GO_ARCH_DEPENDS) endef define Package/golang-crowdsec-firewall-bouncer-dev @@ -65,7 +64,7 @@ define Package/crowdsec-firewall-bouncer/Default/description crowdsec-firewall-bouncer will fetch new and old decisions from a CrowdSec API to add them in a blocklist used by supported firewalls. - You must install iptables+ipset or nftables. + You must install nftables. endef define Package/crowdsec-firewall-bouncer/description @@ -83,29 +82,15 @@ endef define Package/crowdsec-firewall-bouncer/install $(call GoPackage/Package/Install/Bin,$(1)) - $(INSTALL_DIR) $(1)/etc/crowdsec/bouncers - $(INSTALL_DATA) \ - $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/crowdsec-firewall-bouncer.yaml \ - $(1)/etc/crowdsec/bouncers + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_CONF) ./files/crowdsec.config $(1)/etc/config/crowdsec $(INSTALL_DIR) $(1)/etc/init.d - $(INSTALL_BIN) \ - ./files/crowdsec-firewall-bouncer.initd \ - $(1)/etc/init.d/crowdsec-firewall-bouncer - - $(INSTALL_DIR) $(1)/etc - $(INSTALL_BIN) \ - ./files/crowdsec-firewall-bouncer.firewall \ - $(1)/etc/firewall.cs - - $(INSTALL_DIR) $(1)/etc/uci-defaults - $(INSTALL_BIN) \ - ./files/crowdsec-firewall-bouncer.defaults \ - $(1)/etc/uci-defaults/99_crowdsec-firewall-bouncer + $(INSTALL_BIN) ./files/crowdsec-firewall-bouncer.initd $(1)/etc/init.d/crowdsec-firewall-bouncer endef define Package/crowdsec-firewall-bouncer/conffiles -/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml +/etc/config/crowdsec endef $(eval $(call GoBinPackage,crowdsec-firewall-bouncer)) diff --git a/net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.defaults b/net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.defaults deleted file mode 100644 index 64d69a2f1..000000000 
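Review bot: The new `DEPENDS:=$(GO_ARCH_DEPENDS)` in the `Package/crowdsec-firewall-bouncer` hunk drops the firewall dependency entirely, yet the description in the next hunk now says "You must install nftables" and the reworked init script shells out to `nft`; keep a gate such as `DEPENDS:=@PACKAGE_nftables $(GO_ARCH_DEPENDS)` (or a `+nftables` pull-in) so the package cannot land on an image that lacks it. The install hunk also has no upgrade path: the old conffile `/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml` is no longer read and the uci-defaults script is deleted, so an existing `api_key` is silently abandoned when upgrading from 0.0.21; a one-off uci-defaults migration, or at least a sentence in the commit message, would help. Using `INSTALL_CONF` for `/etc/config/crowdsec` is the right choice since that file now holds the API key and gets a restricted mode.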
--- a/net/crowdsec-firewall-bouncer/files/crowdsec-firewall-bouncer.defaults +++ /dev/null 
@@ -1,23 +0,0 @@ -#!/bin/sh - -CONFIG=/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml -## Gen&ConfigApiKey -if grep -q "{API_KEY}" "$CONFIG"; then - SUFFIX=`tr -dc A-Za-z0-9 + +USE_PROCD=1 START=99 -USE_PROCD=1 + NAME=crowdsec-firewall-bouncer PROG=/usr/bin/cs-firewall-bouncer -CONFIG=/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml -BACKEND=iptables VARCONFIGDIR=/var/etc/crowdsec/bouncers VARCONFIG=/var/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml -FW_BACKEND="iptables" + +CONFIGURATION=crowdsec + +TABLE="crowdsec" +TABLE6="crowdsec6" service_triggers() { procd_add_reload_trigger crowdsec-firewall-bouncer + procd_add_config_trigger "config.change" "crowdsec" /etc/init.d/crowdsec-firewall-bouncer reload } -init_config() { - ## CheckFirewall - iptables="true" - which iptables > /dev/null - FW_BACKEND="" - if [[ $? != 0 ]]; then - echo "iptables is not present" - iptables="false" - else - FW_BACKEND="iptables" - echo "iptables found" - fi +init_yaml() { - nftables="true" - which nft > /dev/null - if [[ $? != 0 ]]; then - echo "nftables is not present" - nftables="false" - else - FW_BACKEND="nftables" - echo "nftables found" - fi + local section="$1" - if [ "$nftables" = "true" -a "$iptables" = "true" ]; then - echo "Found nftables(default) and iptables..." - fi + local update_frequency + local log_level + local api_url + local api_key + local ipv6 + local deny_action + local deny_log + local log_prefix + local log_max_size + local log_max_backups + local log_max_age + local ipv4 + local input_chain_name + local input6_chain_name - if [ "$FW_BACKEND" = "iptables" ]; then - which ipset > /dev/null - if [[ $? != 0 ]]; then - echo "ipset not found, install it !" 
- fi - fi - BACKEND=$FW_BACKEND + config_get update_frequency $section update_frequency '10s' + config_get log_level $section log_level 'info' + config_get api_url $section api_url "http://127.0.0.1:8080" + config_get api_key $section api_key "API_KEY" + config_get_bool ipv6 $section ipv6 '1' + config_get deny_action $section deny_action "drop" + config_get_bool deny_log $section deny_log '0' + config_get log_prefix $section log_prefix "crowdsec: " + config_get log_max_size $section log_max_size '100' + config_get log_max_backups $section log_max_backups '3' + config_get log_max_age $section log_max_age '30' + config_get_bool ipv4 $section ipv4 '1' + config_get input_chain_name $section input_chain_name "input" + config_get input6_chain_name $section input6_chain_name "input" # Create tmp dir & permissions if needed if [ ! -d "${VARCONFIGDIR}" ]; then mkdir -m 0755 -p "${VARCONFIGDIR}" fi; - cp $CONFIG $VARCONFIG + cat > $VARCONFIG <<-EOM + mode: nftables + pid_dir: /var/run/ + update_frequency: $update_frequency + daemonize: true + log_mode: file + log_dir: /var/log/ + log_level: $log_level + log_compression: true + log_max_size: $log_max_size + log_max_backups: $log_max_backups + log_max_age: $log_max_age + api_url: $api_url + api_key: $api_key + insecure_skip_verify: true + disable_ipv6: boolnot($ipv6) + deny_action: $deny_action + deny_log: bool($deny_log) + supported_decisions_type: + - ban + #to change log prefix + deny_log_prefix: "$log_prefix" + #to change the blacklists name + blacklists_ipv4: crowdsec-blacklists + blacklists_ipv6: crowdsec6-blacklists + #type of ipset to use + ipset_type: nethash + #if present, insert rule in those chains + iptables_chains: + - INPUT + # - FORWARD + # - DOCKER-USER + ## nftables + nftables: + ipv4: + enabled: bool($ipv4) + set-only: true + table: $TABLE + chain: $input_chain_name + ipv6: + enabled: bool($ipv6) + set-only: true + table: $TABLE6 + chain: $input6_chain_name + # packet filter + pf: + # an empty disables the 
anchor + anchor_name: "" + prometheus: + enabled: false + listen_addr: 127.0.0.1 + listen_port: 60601 + EOM - sed -i "s,^\(\s*mode\s*:\s*\).*\$,\1$BACKEND," $VARCONFIG + sed -i "s/bool(1)/true/g" $VARCONFIG + sed -i "s/bool(0)/false/g" $VARCONFIG + sed -i "s/boolnot(1)/false/g" $VARCONFIG + sed -i "s/boolnot(0)/true/g" $VARCONFIG + sed -i "s,^\(\s*api_url\s*:\s*\).*\$,\1$api_url," $VARCONFIG + sed -i "s,^\(\s*api_key\s*:\s*\).*\$,\1$api_key," $VARCONFIG +} + +init_nftables() { + + local section="$1" + + local priority + local deny_action + local deny_log + local log_prefix + local ipv4 + local ipv6 + local filter_input + local filter_forward + local input_chain_name + local forward_chain_name + local input6_chain_name + local forward6_chain_name + local interface + local log_term="" + + config_get priority $section priority "4" + config_get deny_action $section deny_action "drop" + config_get_bool deny_log $section deny_log '0' + config_get log_prefix $section log_prefix "crowdsec: " + config_get_bool ipv4 $section ipv4 '1' + config_get_bool ipv6 $section ipv6 '1' + config_get_bool filter_input $section filter_input '1' + config_get_bool filter_forward $section filter_forward '1' + config_get input_chain_name $section input_chain_name "input" + config_get forward_chain_name $section forward_chain_name "forward" + config_get input6_chain_name $section input6_chain_name "input" + config_get forward6_chain_name $section forward6_chain_name "forward" + config_get interface $section interface 'eth1' + + if [ "$deny_log" -eq "1" ] ; then + local log_term="log prefix \"${log_prefix}\"" + fi + + local interface="${interface// /, }" + + #as of kernel 3.18 we can delete a table without need to flush it + nft delete table ip crowdsec 2>/dev/null + nft delete table ip6 crowdsec6 2>/dev/null + + if [ "$ipv4" -eq "1" ] ; then + + nft add table ip crowdsec + nft add set ip crowdsec crowdsec-blacklists '{ type ipv4_addr; flags timeout; }' + + if [ "$filter_input" -eq "1" ] ; then 
+ nft add chain ip "$TABLE" $input_chain_name "{ type filter hook input priority $priority; policy accept; }" + nft add rule ip "$TABLE" $input_chain_name iifname { $interface } ct state new ip saddr @crowdsec-blacklists ${log_term} counter $deny_action + fi + if [ "$filter_forward" -eq "1" ] ; then + nft add chain ip "$TABLE" $forward_chain_name "{ type filter hook forward priority $priority; policy accept; }" + nft add rule ip "$TABLE" $forward_chain_name iifname { $interface } ct state new ip saddr @crowdsec-blacklists ${log_term} counter $deny_action + fi + fi + + if [ "$ipv6" -eq "1" ] ; then + + nft add table ip6 crowdsec6 + nft add set ip6 crowdsec6 crowdsec6-blacklists '{ type ipv6_addr; flags timeout; }' + + if [ "$filter_input" -eq "1" ] ; then + nft add chain ip6 "$TABLE6" $input6_chain_name "{ type filter hook input priority $priority; policy accept; }" + nft add rule ip6 "$TABLE6" $input6_chain_name iifname { $interface } ct state new ip6 saddr @crowdsec6-blacklists ${log_term} counter $deny_action + fi + if [ "$filter_forward" -eq "1" ] ; then + nft add chain ip6 "$TABLE6" $forward6_chain_name "{ type filter hook forward priority $priority; policy accept; }" + nft add rule ip6 "$TABLE6" $forward6_chain_name iifname { $interface } ct state new ip6 saddr @crowdsec6-blacklists ${log_term} counter $deny_action + fi + fi +} + +run_bouncer() { + + local section="$1" + + local enabled + config_get_bool enabled $section enabled 0 + + if [ "$enabled" -eq "1" ] ; then + + init_yaml "$section" + init_nftables "$section" + + procd_open_instance + procd_set_param command "$PROG" -c "$VARCONFIG" + procd_set_param stdout 1 + procd_set_param stderr 1 + procd_close_instance + fi } start_service() { - init_config - procd_open_instance - procd_set_param command "$PROG" -c "$VARCONFIG" - procd_close_instance + config_load "${CONFIGURATION}" + config_foreach run_bouncer bouncer } + +service_stopped() { + + rm $VARCONFIG + + nft delete table ip crowdsec 2>/dev/null + nft 
delete table ip6 crowdsec6 2>/dev/null +} + + diff --git a/net/crowdsec-firewall-bouncer/files/crowdsec.config b/net/crowdsec-firewall-bouncer/files/crowdsec.config new file mode 100644 index 000000000..ad43bd119 --- /dev/null +++ b/net/crowdsec-firewall-bouncer/files/crowdsec.config @@ -0,0 +1,15 @@ +config bouncer + option enabled '0' + option ipv4 '1' + option ipv6 '1' + option api_url 'http://localhost:8080/' + option api_key '' + option update_frequency '10s' + option deny_action 'drop' + option deny_log '0' + option log_prefix 'crowdsec: ' + option log_level 'info' + option filter_input '1' + option filter_forward '1' + list interface 'eth1' + diff --git a/net/crowdsec-firewall-bouncer/patches/001-fix_config_iptables_chains.patch b/net/crowdsec-firewall-bouncer/patches/001-fix_config_iptables_chains.patch deleted file mode 100644 index f129ad89f..000000000 --- a/net/crowdsec-firewall-bouncer/patches/001-fix_config_iptables_chains.patch +++ /dev/null @@ -1,9 +0,0 @@ ---- a/config/crowdsec-firewall-bouncer.yaml -+++ b/config/crowdsec-firewall-bouncer.yaml -@@ -20,5 +20,5 @@ supported_decisions_types: - #if present, insert rule in those chains - iptables_chains: - - INPUT --# - FORWARD -+ - FORWARD - # - DOCKER-USER From 5c43c1bade7a4cedfb0966e1f1bba2f1bf9c17e4 Mon Sep 17 00:00:00 2001 From: Sibren Vasse Date: Thu, 2 Feb 2023 21:52:14 +0100 Subject: [PATCH 02/14] openssh: update to 9.2p1 Signed-off-by: Sibren Vasse --- net/openssh/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/openssh/Makefile b/net/openssh/Makefile index cc5c27b91..ccce6968f 100644 --- a/net/openssh/Makefile +++ b/net/openssh/Makefile 
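Review bot: `insecure_skip_verify: true` is hard-coded into the YAML that `init_yaml` generates, so TLS certificate verification toward the LAPI is always disabled even when `api_url` points at an https endpoint; expose it as a uci option, e.g. `config_get_bool insecure_skip_verify $section insecure_skip_verify '0'` and `insecure_skip_verify: bool($insecure_skip_verify)` in the heredoc, so verification is on unless explicitly turned off. The same heredoc writes `api_key` into `$VARCONFIG` with whatever umask the script inherits, so the key is likely readable by any local user under /var/etc; a `umask 077` before `cat > $VARCONFIG` (or `chmod 600 "$VARCONFIG"` right after it) closes that. The two trailing `sed -i` lines rewriting `api_url`/`api_key` are no-ops because the heredoc already substituted both variables, and a key containing `,`, `&` or `\` would corrupt the sed expression, so they can simply go. Note also that `config_foreach run_bouncer bouncer` regenerates the same `$VARCONFIG` and recreates the same `crowdsec`/`crowdsec6` tables for every enabled section, so a second `bouncer` section overwrites the first rather than coexisting, and `init_nftables` deletes the tables by literal name while creating them through `$TABLE`/`$TABLE6`. The header and opening lines of this init-script hunk are garbled in the page (the preceding defaults-file deletion runs into it), so the shebang region could not be reviewed.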
@@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssh -PKG_VERSION:=9.1p1 +PKG_VERSION:=9.2p1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \ https://ftp.spline.de/pub/OpenBSD/OpenSSH/portable/ -PKG_HASH:=19f85009c7e3e23787f0236fbb1578392ab4d4bf9f8ec5fe6bc1cd7e8bfdd288 +PKG_HASH:=3f66dbf1655fb45f50e1c56da62ab01218c228807b21338d634ebcdf9d71cf46 PKG_LICENSE:=BSD ISC PKG_LICENSE_FILES:=LICENCE From d41e918a36026ef9319084930fa411e81f93ac26 Mon Sep 17 00:00:00 2001 From: Sibren Vasse Date: Fri, 3 Feb 2023 14:42:23 +0100 Subject: [PATCH 03/14] openssh: actually build openssh-server-pam with pam support Signed-off-by: Sibren Vasse --- net/openssh/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/openssh/Makefile b/net/openssh/Makefile index ccce6968f..8d103f604 100644 --- a/net/openssh/Makefile +++ b/net/openssh/Makefile @@ -36,7 +36,6 @@ define Package/openssh/Default MAINTAINER:=Peter Wagner URL:=http://www.openssh.com/ SUBMENU:=SSH - VARIANT:=without-pam endef define Package/openssh-moduli @@ -89,6 +88,7 @@ define Package/openssh-server DEPENDS+= +openssh-keygen +OPENSSH_LIBFIDO2:libfido2 TITLE+= server USERID:=sshd=22:sshd=22 + VARIANT:=without-pam endef define Package/openssh-server/config From a67b2f4759d68dfabcad147017e5a4e87dcc2d86 Mon Sep 17 00:00:00 2001 From: Peter van Dijk Date: Tue, 31 Jan 2023 16:54:23 +0100 Subject: [PATCH 04/14] pdns-recursor: update to 4.8.2 Signed-off-by: Peter van Dijk --- net/pdns-recursor/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/pdns-recursor/Makefile b/net/pdns-recursor/Makefile index 36b5a75a2..5be05462f 100644 --- a/net/pdns-recursor/Makefile +++ b/net/pdns-recursor/Makefile 
@@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=pdns-recursor -PKG_VERSION:=4.8.1 +PKG_VERSION:=4.8.2 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=https://downloads.powerdns.com/releases/ -PKG_HASH:=d7b03447009257e512f01fcc46cbdb9c859b672a1c9b23faf382e870765b0f0d +PKG_HASH:=4382d3e84f13401685772779dfede6cbc8157ecf6763fa7fdb1dd33ee3f79ac7 PKG_MAINTAINER:=Peter van Dijk PKG_LICENCE:=GPL-2.0-only From aabfc3f51027d653455bca91587774e47f26e3b7 Mon Sep 17 00:00:00 2001 
From: Oskari Rauta Date: Wed, 1 Feb 2023 07:13:44 +0000 Subject: [PATCH 05/14] tailscale: update to 1.36.0 - Update tailscale to version 1.36.0 - Patch iptables support Tailscale does not (yet) support nftables. Tailscale allows running with --netfilter=off, letting the end user create their own firewall rules, but this affects only the tailscale cli, not the tailscaled daemon, so a connection cannot be made without an error saying that tailscaled was unable to execute iptables to determine its version. There is a work-around for those who do not want the nft-iptables compatibility package: they can create a script at /usr/bin/iptables which responds to the --version argument by echoing a fake version string and, on any other arguments or no arguments, just exits. After this procedure, and starting the tailscale cli with netfilter off, it works. OpenWrt has moved on to nftables, so iptables manipulation seems unnecessary. Moreover, on OpenWrt the firewall should be configured on its own, because rules added by other software, such as tailscale, are lost when the firewall restarts. So I patched it to allow a "fake" iptables pointing to the executable /bin/false and ignoring the version request. I also set the cli to default to the netfilter-off setting. If the end user still wants to use iptables, this patch does not make it impossible: just install iptables, or nft-iptables, and run tailscale with the argument --netfilter=on and it works as it did before; the tailscaled daemon still uses iptables if it is found in $PATH. 
Signed-off-by: Oskari Rauta --- net/tailscale/Makefile | 40 ++++++++++---- net/tailscale/README.md | 5 ++ net/tailscale/patches/010-fake_iptables.patch | 53 +++++++++++++++++++ .../020-tailscaled_fake_iptables.patch | 32 +++++++++++ .../030-default_to_netfilter_off.patch | 11 ++++ net/tailscale/test.sh | 14 ++--- 6 files changed, 139 insertions(+), 16 deletions(-) create mode 100644 net/tailscale/patches/010-fake_iptables.patch create mode 100644 net/tailscale/patches/020-tailscaled_fake_iptables.patch create mode 100644 net/tailscale/patches/030-default_to_netfilter_off.patch mode change 100644 => 100755 net/tailscale/test.sh diff --git a/net/tailscale/Makefile b/net/tailscale/Makefile index e15b54aa1..6dd8fb7aa 100644 --- a/net/tailscale/Makefile +++ b/net/tailscale/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tailscale -PKG_VERSION:=1.32.3 +PKG_VERSION:=1.36.0 PKG_RELEASE:=1 PKG_SOURCE:=tailscale-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/tailscale/tailscale/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=4cf88a1d754240ce71b29d3a65ca480091ad9c614ac99c541cef6fdaf0585dd4 +PKG_HASH:=25b293a7e65d7b962f0c56454d66fa56c89c3aa995467218f24efa335b924c76 PKG_MAINTAINER:=Jan Pavlinec PKG_LICENSE:=BSD-3-Clause 
@@ -61,24 +61,44 @@ endef Package/tailscaled/description:=$(Package/tailscale/description) +define Package/tailscaled/conffiles +/etc/config/tailscale +/etc/tailscale/tailscaled.state +endef + +GO_IPTABLES_VERSION:=0.6.0 +GO_IPTABLES_FILE:=$(PKG_NAME)-go-iptables-$(GO_IPTABLES_VERSION).tar.gz + +define Download/go-iptables + URL:=https://codeload.github.com/coreos/go-iptables/tar.gz/v$(GO_IPTABLES_VERSION)? + URL_FILE:=$(GO_IPTABLES_FILE) + FILE:=$(GO_IPTABLES_FILE) + HASH:=a784cc17fcb17879f073eae47bc4c2e899f59f6906dac5a0aa7a9cc9f95ea66d +endef + +define Build/Prepare + $(PKG_UNPACK) + [ ! -d ./src/ ] || $(CP) ./src/. $(PKG_BUILD_DIR) + $(eval $(call Download,go-iptables)) + ( \ + mkdir -p $(PKG_BUILD_DIR)/patched/ ; \ + gzip -dc $(DL_DIR)/$(GO_IPTABLES_FILE) | $(HOST_TAR) -C $(PKG_BUILD_DIR)/patched $(TAR_OPTIONS) ; \ + mv $(PKG_BUILD_DIR)/patched/go-iptables-$(GO_IPTABLES_VERSION) $(PKG_BUILD_DIR)/patched/go-iptables ; \ + ) + $(Build/Patch) +endef + define Package/tailscale/install $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(GO_PKG_BUILD_BIN_DIR)/tailscale $(1)/usr/sbin endef define Package/tailscaled/install - $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/init.d $(1)/etc/config $(INSTALL_BIN) $(GO_PKG_BUILD_BIN_DIR)/tailscaled $(1)/usr/sbin - $(INSTALL_DIR) $(1)/etc/init.d/ $(INSTALL_BIN) ./files//tailscale.init $(1)/etc/init.d/tailscale - $(INSTALL_DIR) $(1)/etc/config/ $(INSTALL_DATA) ./files//tailscale.conf $(1)/etc/config/tailscale endef -define Package/tailscaled/conffiles -/etc/config/tailscale -/etc/tailscale/tailscaled.state -endef - $(eval $(call BuildPackage,tailscale)) $(eval $(call BuildPackage,tailscaled)) diff --git a/net/tailscale/README.md b/net/tailscale/README.md index d3b58e7ce..eaffa57d7 100644 --- a/net/tailscale/README.md +++ b/net/tailscale/README.md 
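Review bot: In the new `Build/Prepare`, the subshell that unpacks go-iptables chains `mkdir -p`, `gzip -dc … | $(HOST_TAR)` and `mv` with `;`, so a failed or truncated extraction is ignored and the build only dies later when the `replace … => ./patched/go-iptables` directive cannot be resolved; join the three commands with `&&` so the prepare step fails at the point of error. `$(eval $(call Download,go-iptables))` is also only evaluated from inside the `Build/Prepare` recipe, so a standalone `make package/tailscale/download` probably does not learn about the extra tarball; the usual placement is at top level directly after the `Download/go-iptables` define. The `Package/tailscaled/conffiles` block is only moved, and the install recipe change is a harmless merge of three `$(INSTALL_DIR)` lines.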
@@ -25,4 +25,9 @@ Run command and finish device registration with the given URL. tailscale up ``` +If you are running with nftables, it is not supported by tailscale, +so disable it and configure firewall by yourself and add argument +--netfilter-mode off +to tailscale up command to disable iptables use. + After that, you should see your router in tailscale admin page. diff --git a/net/tailscale/patches/010-fake_iptables.patch b/net/tailscale/patches/010-fake_iptables.patch new file mode 100644 index 000000000..07e14fbf5 --- /dev/null +++ b/net/tailscale/patches/010-fake_iptables.patch @@ -0,0 +1,53 @@ +--- a/go.mod ++++ b/go.mod +@@ -2,6 +2,8 @@ module tailscale.com + + go 1.19 + ++replace github.com/coreos/go-iptables => ./patched/go-iptables ++ + require ( + filippo.io/mkcert v1.4.3 + github.com/Microsoft/go-winio v0.6.0 +--- a/patched/go-iptables/iptables/iptables.go ++++ b/patched/go-iptables/iptables/iptables.go +@@ -149,12 +149,39 @@ func New(opts ...option) (*IPTables, err + return ipt, nil + } + ++func NewFake(opts ...option) (*IPTables, error) { ++ ++ ipt := &IPTables{ ++ path: "/bin/false", ++ proto: ProtocolIPv4, ++ hasCheck: false, ++ hasWait: false, ++ waitSupportSecond: false, ++ hasRandomFully: false, ++ v1: 0, ++ v2: 0, ++ v3: 0, ++ mode: "legacy", ++ timeout: 0, ++ } ++ ++ for _, opt := range opts { ++ opt(ipt) ++ } ++ ++ return ipt, nil ++} ++ + // New creates a new IPTables for the given proto. + // The proto will determine which command is used, either "iptables" or "ip6tables". + func NewWithProtocol(proto Protocol) (*IPTables, error) { + return New(IPFamily(proto), Timeout(0)) + } + ++func NewFakeWithProtocol(proto Protocol) (*IPTables, error) { ++ return NewFake(IPFamily(proto), Timeout(0)) ++} ++ + // Proto returns the protocol used by this IPTables. + func (ipt *IPTables) Proto() Protocol { + return ipt.proto 
diff --git a/net/tailscale/patches/020-tailscaled_fake_iptables.patch b/net/tailscale/patches/020-tailscaled_fake_iptables.patch new file mode 100644 index 000000000..2180080ca --- /dev/null +++ b/net/tailscale/patches/020-tailscaled_fake_iptables.patch @@ -0,0 +1,32 @@ +--- a/wgengine/router/router_linux.go ++++ b/wgengine/router/router_linux.go +@@ -129,7 +129,7 @@ func newUserspaceRouter(logf logger.Logf + + ipt4, err := iptables.NewWithProtocol(iptables.ProtocolIPv4) + if err != nil { +- return nil, err ++ ipt4, err = iptables.NewFakeWithProtocol(iptables.ProtocolIPv4) + } + + v6err := checkIPv6(logf) +@@ -148,7 +148,7 @@ func newUserspaceRouter(logf logger.Logf + // if unavailable. We want that to be a non-fatal error. + ipt6, err = iptables.NewWithProtocol(iptables.ProtocolIPv6) + if err != nil { +- return nil, err ++ ipt6, err = iptables.NewFakeWithProtocol(iptables.ProtocolIPv6) + } + } + +@@ -1635,11 +1635,6 @@ func checkIPv6(logf logger.Logf) error { + return fmt.Errorf("kernel doesn't support IPv6 policy routing: %w", err) + } + +- // Some distros ship ip6tables separately from iptables. +- if _, err := exec.LookPath("ip6tables"); err != nil { +- return err +- } +- + return nil + } + diff --git a/net/tailscale/patches/030-default_to_netfilter_off.patch b/net/tailscale/patches/030-default_to_netfilter_off.patch new file mode 100644 index 000000000..90c78fe69 --- /dev/null +++ b/net/tailscale/patches/030-default_to_netfilter_off.patch @@ -0,0 +1,11 @@ +--- a/cmd/tailscale/cli/up.go ++++ b/cmd/tailscale/cli/up.go +@@ -143,7 +143,7 @@ func defaultNetfilterMode() string { + if distro.Get() == distro.Synology { + return "off" + } +- return "on" ++ return "off" + } + + type upArgsT struct { diff --git a/net/tailscale/test.sh b/net/tailscale/test.sh old mode 100644 new mode 100755 index f50de6fc0..0130d4929 --- a/net/tailscale/test.sh +++ b/net/tailscale/test.sh 
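Review bot: In `020-tailscaled_fake_iptables.patch`, `ipt4, err = iptables.NewFakeWithProtocol(iptables.ProtocolIPv4)` overwrites `err` with the fake constructor's nil result, so the reason iptables was unusable is discarded and never surfaces; when a user later opts back in with `--netfilter=on`, each rule operation fails with an opaque non-zero exit from `/bin/false` instead of a clear "iptables not found" diagnosis. Logging the original error before substituting the fake, `logf("iptables unavailable, using no-op backend: %v", err)`, keeps that debuggable; `logf` is a parameter of `newUserspaceRouter` per the hunk header, and the IPv6 branch has the same shape. Deleting the `ip6tables` lookup in `checkIPv6` is consistent with the fake backend, and `030-default_to_netfilter_off.patch` means an upgraded node silently stops installing its own rules, which the README hunk documents.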
@@ -1,8 +1,10 @@ #!/bin/sh -if command -v tailscale; then - tailscale version | grep "$2" || exit 1 -fi -if command -v tailscaled; then - tailscaled -version | grep "$2" -fi +case "$1" in + tailscale) + tailscale version | grep "$2" + ;; + tailscaled) + tailscaled -version | grep "$2" + ;; +esac From e897824537ef1e5b623caf18a70f120c28c8fe78 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Wed, 14 Dec 2022 16:10:31 +0200 Subject: [PATCH 06/14] python-chardet: bump to version 5.1.0 Signed-off-by: Alexandru Ardelean --- lang/python/python-chardet/Makefile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lang/python/python-chardet/Makefile b/lang/python/python-chardet/Makefile index 27b53b79d..83e1799bd 100644 --- a/lang/python/python-chardet/Makefile +++ b/lang/python/python-chardet/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-chardet -PKG_VERSION:=5.0.0 -PKG_RELEASE:=$(AUTORELEASE) +PKG_VERSION:=5.1.0 +PKG_RELEASE:=1 PKG_LICENSE:=LGPL-2.1 PYPI_NAME:=chardet -PKG_HASH:=0368df2bfd78b5fc20572bb4e9bb7fb53e2c094f60ae9993339e8671d0afb8aa +PKG_HASH:=0d62712b956bc154f85fb0a266e2a3c5913c2967e00348701b32411d6def31e5 include ../pypi.mk include $(INCLUDE_DIR)/package.mk @@ -26,7 +26,7 @@ define Package/python3-chardet MAINTAINER:=Alexandru Ardelean URL:=https://github.com/chardet/chardet TITLE:=Universal encoding detector - DEPENDS:=+python3-light + DEPENDS:=+python3-light +python3-logging endef define Package/python3-chardet/description From 23b09de42d86492bb44c6472f2b0f4c1385449e8 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Sat, 4 Feb 2023 17:22:31 +0200 Subject: [PATCH 07/14] python-evdev: bump to version 1.6.1 Signed-off-by: Alexandru Ardelean --- lang/python/python-evdev/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lang/python/python-evdev/Makefile b/lang/python/python-evdev/Makefile index 35c0b6066..bc26068a6 100644 --- a/lang/python/python-evdev/Makefile 
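Review bot: The new `case "$1"` in test.sh has no default branch, so an unexpected package name exits 0 and the version check passes vacuously; add `*) echo "unknown package: $1" >&2; exit 1 ;;` before `esac`. Inside each branch the script's exit status is grep's, which preserves the failure behaviour the removed `|| exit 1` provided.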
+++ b/lang/python/python-evdev/Makefile @@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=python-evdev -PKG_VERSION:=1.6.0 -PKG_RELEASE:=$(AUTORELEASE) +PKG_VERSION:=1.6.1 +PKG_RELEASE:=1 PKG_LICENSE:=BSD-3-Clause PKG_MAINTAINER:=Paulo Costa , Alexandru Ardelean PYPI_NAME:=evdev -PKG_HASH:=ecfa01b5c84f7e8c6ced3367ac95288f43cd84efbfd7dd7d0cdbfc0d18c87a6a +PKG_HASH:=299db8628cc73b237fc1cc57d3c2948faa0756e2a58b6194b5bf81dc2081f1e3 include ../pypi.mk include $(INCLUDE_DIR)/package.mk From 18ce78753061e44b18e49513f352c25c5578f056 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Sat, 4 Feb 2023 18:47:00 +0200 Subject: [PATCH 08/14] sudo: bump to version 1.9.12p2 Signed-off-by: Alexandru Ardelean --- admin/sudo/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/admin/sudo/Makefile b/admin/sudo/Makefile index 55e36e37f..fbb6adcc0 100644 --- a/admin/sudo/Makefile +++ b/admin/sudo/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=sudo -PKG_VERSION:=1.9.12p1 -PKG_RELEASE:=$(AUTORELEASE) +PKG_VERSION:=1.9.12p2 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.sudo.ws/dist -PKG_HASH:=475a18a8eb3da8b2917ceab063a6baf51ea09128c3c47e3e0e33ab7497bab7d8 +PKG_HASH:=b9a0b1ae0f1ddd9be7f3eafe70be05ee81f572f6f536632c44cd4101bb2a8539 PKG_MAINTAINER:=Alexandru Ardelean From 8c8384611b0a8f5d9e6aca46e8cf72918c74198b Mon Sep 17 00:00:00 2001 From: Stan Grishin Date: Sat, 4 Feb 2023 22:34:53 +0000 Subject: [PATCH 09/14] simple-adblock: update to 1.9.3-7 * add boot() function which waits for network.interface to come up * switch oisd.nl hosts entry to domains * remove erroneous oisd substitution from config-update file 
Signed-off-by: Stan Grishin --- net/simple-adblock/Makefile | 2 +- net/simple-adblock/files/simple-adblock.conf | 4 +- .../files/simple-adblock.conf.update | 1 - net/simple-adblock/files/simple-adblock.init | 50 ++++++++++--------- 4 files changed, 30 insertions(+), 27 deletions(-) diff --git a/net/simple-adblock/Makefile b/net/simple-adblock/Makefile index de1ca0e05..497c6c3bd 100644 --- a/net/simple-adblock/Makefile +++ b/net/simple-adblock/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=simple-adblock PKG_VERSION:=1.9.3 -PKG_RELEASE:=6 +PKG_RELEASE:=7 PKG_MAINTAINER:=Stan Grishin PKG_LICENSE:=GPL-3.0-or-later diff --git a/net/simple-adblock/files/simple-adblock.conf b/net/simple-adblock/files/simple-adblock.conf index e005f2317..03b016fe1 100644 --- a/net/simple-adblock/files/simple-adblock.conf +++ b/net/simple-adblock/files/simple-adblock.conf @@ -71,9 +71,9 @@ config simple-adblock 'config' # enabling this will disable processing of any other block/allow-lists # option dnsmasq_config_file_url 'https://dnsmasq.oisd.nl/' -# File size: 34.0M +# File size: 19.0M # block-list too big for most routers -# list blocked_hosts_url 'https://hosts.oisd.nl/' +# list blocked_domains_url 'https://dbl.oisd.nl/' # site was down on last check # list blocked_domains_url 'http://support.it-mate.co.uk/downloads/hosts.txt' diff --git a/net/simple-adblock/files/simple-adblock.conf.update b/net/simple-adblock/files/simple-adblock.conf.update index b9fde68ee..2d42d1712 100644 --- a/net/simple-adblock/files/simple-adblock.conf.update +++ b/net/simple-adblock/files/simple-adblock.conf.update 
@@ -4,7 +4,6 @@ s|blacklist_hosts_url|blocked_hosts_url|g s|blacklist_domains_url|blocked_domains_url|g s|blacklist_domain|blocked_domain|g s|ssl.bblck.me|cdn.jsdelivr.net/gh/paulgb/BarbBlock|g -s|dbl.oisd.nl|hosts.oisd.nl|g s|raw.githubusercontent.com/StevenBlack/hosts/|cdn.jsdelivr.net/gh/StevenBlack/hosts@|g s|raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/|cdn.jsdelivr.net/gh/hoshsadiq/adblock-nocoin-list@|g s|raw.githubusercontent.com/jawz101/MobileAdTrackers/|cdn.jsdelivr.net/gh/jawz101/MobileAdTrackers@|g diff --git a/net/simple-adblock/files/simple-adblock.init b/net/simple-adblock/files/simple-adblock.init index fb6e99588..89ef3fd7b 100644 --- a/net/simple-adblock/files/simple-adblock.init +++ b/net/simple-adblock/files/simple-adblock.init 
@@ -1409,16 +1409,29 @@ adb_stop() { fi } +allow() { load_validate_config 'config' adb_allow "'$*'"; } +boot() { + ubus -t 30 wait_for network.interface 2>/dev/null + rc_procd start_service 'on_boot' +} +check() { load_validate_config 'config' adb_check "'$*'"; } +dl() { rc_procd start_service 'download'; } +killcache() { + rm -f "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip" + rm -f "$dnsmasqConfCache" "$dnsmasqConfGzip" + rm -f "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip" + rm -f "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip" + rm -f "$dnsmasqServersCache" "$dnsmasqServersGzip" + rm -f "$unboundCache" "$unboundGzip" + config_load 'dhcp' + config_foreach resolver 'dnsmasq' 'cleanup' + uci_commit 'dhcp' + return 0 +} +reload_service() { rc_procd start_service 'restart'; } +restart_service() { rc_procd start_service 'restart'; } service_started() { procd_set_config_changed firewall; } service_stopped() { procd_set_config_changed firewall; } -restart_service() { rc_procd start_service 'restart'; } -reload_service() { rc_procd start_service 'restart'; } -start_service() { - load_validate_config 'config' adb_config_update "'$*'" - load_validate_config 'config' adb_start "'$*'" -} -stop_service() { load_validate_config 'config' adb_stop "'$*'"; } -status_service() { load_validate_config 'config' adb_status "''"; } service_triggers() { local wan wan6 i local procd_trigger_wan6 
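Review bot: `boot()` relies on `ubus -t 30 wait_for network.interface`, which returns as soon as the `network.interface` ubus object is registered by netifd, not when any interface has actually come up; if the intent stated in the commit message is to defer the first run until the uplink is reachable, it likely needs the specific object (e.g. `network.interface.wan`) or the interface triggers `service_triggers` already declares. The timeout and any error are also discarded by `2>/dev/null` and `rc_procd start_service 'on_boot'` runs regardless, which is a reasonable best effort but deserves a comment such as `# best effort: start even if netifd is not ready after 30s`. The rest of the hunk, together with the following one, only reorders the existing one-line wrappers alphabetically.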
@@ -1437,22 +1450,13 @@ service_triggers() {
 	done
 	procd_add_config_trigger "config.change" "$packageName" "/etc/init.d/${packageName}" reload
 }
-allow() { load_validate_config 'config' adb_allow "'$*'"; }
-check() { load_validate_config 'config' adb_check "'$*'"; }
-dl() { rc_procd start_service 'download'; }
-killcache() {
-	rm -f "$dnsmasqAddnhostsCache" "$dnsmasqAddnhostsGzip"
-	rm -f "$dnsmasqConfCache" "$dnsmasqConfGzip"
-	rm -f "$dnsmasqIpsetCache" "$dnsmasqIpsetGzip"
-	rm -f "$dnsmasqNftsetCache" "$dnsmasqNftsetGzip"
-	rm -f "$dnsmasqServersCache" "$dnsmasqServersGzip"
-	rm -f "$unboundCache" "$unboundGzip"
-	config_load 'dhcp'
-	config_foreach resolver 'dnsmasq' 'cleanup'
-	uci_commit 'dhcp'
-	return 0
-}
 sizes() { load_validate_config 'config' adb_sizes "''"; }
+start_service() {
+	load_validate_config 'config' adb_config_update "'$*'"
+	load_validate_config 'config' adb_start "'$*'"
+}
+status_service() { load_validate_config 'config' adb_status "''"; }
+stop_service() { load_validate_config 'config' adb_stop "'$*'"; }
 version() { echo "$PKG_VERSION"; }
 load_validate_config() {
From 93b75d0058a0f6a26c15b49d1047837bd5610828 Mon Sep 17 00:00:00 2001
From: Rucke Teg
Date: Thu, 2 Feb 2023 20:59:07 +0100
Subject: [PATCH 10/14] bind: Fix ipv6 detection logic
Bug was introduced in a7b770eec4370087a5ccd27887386dac9266214e and results in bind always stating with the `-4` flag.
Signed-off-by: Rucke Teg
---
 net/bind/files/named.init | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bind/files/named.init b/net/bind/files/named.init
index 312e297fb..288d8f885 100644
--- a/net/bind/files/named.init
+++ b/net/bind/files/named.init
@@ -73,7 +73,7 @@ start_service() {
 	touch $conf_local_file
 	local args=
-	[ no_ipv6 ] && args="-4"
+	no_ipv6 && args="-4"
 	procd_open_instance
 	procd_set_param command /usr/sbin/named -u bind -f $args -c $config_file
From 6cf293dc2ee0ff36c48da813258c993c8d65efba Mon Sep 17 00:00:00 2001
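Review bot: The new line in named.init calls `no_ipv6` for its exit status, but no_ipv6 is defined outside this hunk, so the fix is only right if it returns 0 exactly when named should be restricted to IPv4; the old `[ no_ipv6 ]` never evaluated that contract, so it is worth checking the definition rather than assuming it. A trailing comment, `no_ipv6 && args="-4"  # no_ipv6 succeeds when IPv6 should be disabled`, would keep the intent readable. Since every host previously got `-4`, IPv6-capable systems will begin listening on IPv6 after this upgrade, which the commit description could state. start_service begins before the hunk and continues after it.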
From: Rucke Teg
Date: Thu, 2 Feb 2023 21:37:34 +0100
Subject: [PATCH 11/14] bind: bump release number
Signed-off-by: Rucke Teg
---
 net/bind/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bind/Makefile b/net/bind/Makefile
index a65cfe764..5f753ddc8 100644
--- a/net/bind/Makefile
+++ b/net/bind/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=bind
 PKG_VERSION:=9.18.11
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 USERID:=bind=57:bind=57
 PKG_MAINTAINER:=Noah Meyerhans
From ca52ebd5bfe6f44f0757906d7f0641f4b73c8e7d Mon Sep 17 00:00:00 2001
From: Stijn Tintel
Date: Sun, 29 Jan 2023 00:35:52 +0200
Subject: [PATCH 12/14] bind: add option to enable GSSAPI support
Samba4 running as Active Directory Domain Controller with the internal DNS backend requires the nsupdate binary with GSSAPI support.
Signed-off-by: Stijn Tintel
---
 net/bind/Config.in | 8 ++++++++
 net/bind/Makefile | 14 ++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/net/bind/Config.in b/net/bind/Config.in
index 07bcc1c63..f1b83c746 100644
--- a/net/bind/Config.in
+++ b/net/bind/Config.in
@@ -33,4 +33,12 @@ config BIND_ENABLE_DOH
 	  You can disable DoHTTPS if you do not need it or need to avoid the additional library dependency.
+config BIND_ENABLE_GSSAPI
+	bool
+	default n
+	prompt "Include GSSPAI support in bind"
+	help
+	  BIND 9 supports GSSAPI. This depends on libcomerr and krb5-libs.
+	  Disable it by default as krb5-libs is rather large.
 endif
diff --git a/net/bind/Makefile b/net/bind/Makefile
index 5f753ddc8..9f49d7ee5 100644
--- a/net/bind/Makefile
+++ b/net/bind/Makefile
@@ -34,7 +34,8 @@ PKG_BUILD_PARALLEL:=1
 PKG_CONFIG_DEPENDS := \
 	CONFIG_BIND_LIBJSON \
 	CONFIG_BIND_LIBXML2 \
-	CONFIG_BIND_ENABLE_DOH
+	CONFIG_BIND_ENABLE_DOH \
+	CONFIG_BIND_ENABLE_GSSAPI
 PKG_BUILD_DEPENDS += BIND_LIBXML2:libxml2 BIND_LIBJSON:libjson-c
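Review bot: The new Config.in prompt misspells the feature: `prompt "Include GSSPAI support in bind"` should read `prompt "Include GSSAPI support in bind"`, matching the symbol name and the help text. The help could also carry the use case given in the commit description, e.g. `Needed for nsupdate against a Samba4 AD DC using the internal DNS backend.`, so users know when the cost of krb5-libs is worth paying. `default n` is already the kconfig default for a bool and can be dropped if the neighbouring BIND_ENABLE_DOH entry omits it; the enclosing `if` block starts outside the hunk.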
@@ -61,6 +62,8 @@ define Package/bind-libs
 	+libatomic \
 	+libuv \
 	+BIND_ENABLE_DOH:libnghttp2 \
+	+BIND_ENABLE_GSSAPI:krb5-libs \
+	+BIND_ENABLE_GSSAPI:libcomerr \
 	+BIND_LIBXML2:libxml2 \
 	+BIND_LIBJSON:libjson-c
 	TITLE:=bind shared libraries
@@ -147,7 +150,6 @@ CONFIGURE_ARGS += \
 	--with-openssl="$(STAGING_DIR)/usr" \
 	--without-lmdb \
 	--enable-epoll \
-	--without-gssapi \
 	--without-readline \
 	--sysconfdir=/etc/bind
@@ -176,6 +178,14 @@ else
 	--disable-doh
 endif
+ifdef CONFIG_BIND_ENABLE_GSSAPI
+	CONFIGURE_ARGS += \
+		--with-gssapi
+else
+	CONFIGURE_ARGS += \
+		--without-gssapi
+endif
 CONFIGURE_VARS += \
 	BUILD_CC="$(TARGET_CC)" \
From f6a9bd935f0fdf8b90b6c35a5470d9fe04a628f1 Mon Sep 17 00:00:00 2001
From: Noah Meyerhans
Date: Sun, 5 Feb 2023 09:47:34 -0800
Subject: [PATCH 13/14] bind: bump PKG_RELEASE
---
 net/bind/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bind/Makefile b/net/bind/Makefile
index 9f49d7ee5..dfa48cb52 100644
--- a/net/bind/Makefile
+++ b/net/bind/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=bind
 PKG_VERSION:=9.18.11
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 USERID:=bind=57:bind=57
 PKG_MAINTAINER:=Noah Meyerhans
From a111405eac397f4a48492e9d710cea3aeb9092c3 Mon Sep 17 00:00:00 2001
From: Yousong Zhou
Date: Sat, 4 Feb 2023 11:27:43 +0800
Subject: [PATCH 14/14] xl2tpd: bump to version 1.3.18
Signed-off-by: Yousong Zhou
---
 net/xl2tpd/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/xl2tpd/Makefile b/net/xl2tpd/Makefile
index 15074090c..8abf25699 100644
--- a/net/xl2tpd/Makefile
+++ b/net/xl2tpd/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=xl2tpd
-PKG_VERSION:=1.3.17
+PKG_VERSION:=1.3.18
 PKG_RELEASE:=1
 PKG_MAINTAINER:=Yousong Zhou
 PKG_LICENSE:=GPL-2.0
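Review bot: In the `ifdef CONFIG_BIND_ENABLE_GSSAPI` block, `--with-gssapi` is passed without a location, unlike `--with-openssl="$(STAGING_DIR)/usr"` a few lines earlier in the same CONFIGURE_ARGS, so which krb5 the configure probe finds depends on what is on the build PATH. If bind's configure accepts a krb5-config path for this option (I believe recent releases do), pointing it at the staging tree keeps the link against the `krb5-libs` added to DEPENDS in the first hunk deterministic; otherwise please confirm the probe picks up the target library rather than a host one. A one-line comment above the block, `# GSSAPI (Kerberos) support, needed for nsupdate against a Samba AD DC; see BIND_ENABLE_GSSAPI in Config.in`, would tie the three hunks together. The CONFIGURE_ARGS definition itself starts before the -147 hunk.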
@@ -19,7 +19,7 @@ PKG_SOURCE_URL:=https://github.com/xelerance/xl2tpd.git
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
 PKG_SOURCE_VERSION:=v$(PKG_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_MIRROR_HASH:=5fbc1fe5a01ebd5b0eb2929b85e68eb271e29cc2989320aa1ae2b32f0ac0e540
+PKG_MIRROR_HASH:=f4faa15357063a2ac11e427adbcac6b51c755cc294f1a26fe4eb0c008840df31
 PKG_INSTALL:=1