From c2739705b98ebe37bb43f1650745c5e2336f163a Mon Sep 17 00:00:00 2001 From: Stan Grishin Date: Fri, 5 May 2023 01:48:27 +0000 Subject: [PATCH 1/9] pbr: ipv6 & migration bugfixes * suppress RTNETLINK errors when inserting ipv6 routes * only display global scope IPv6 gateways in status/WebUI * stop and disable vpn-policy-routing when migrating Signed-off-by: Stan Grishin
---
 net/pbr/Makefile | 2 +- net/pbr/files/etc/init.d/pbr.init | 6 +++--- net/pbr/files/etc/uci-defaults/90-pbr | 5 +++++ 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/net/pbr/Makefile b/net/pbr/Makefile
index 9f96686c1..0ab59a28e 100644
--- a/net/pbr/Makefile
+++ b/net/pbr/Makefile
@@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=pbr PKG_VERSION:=1.1.1
-PKG_RELEASE:=1
+PKG_RELEASE:=5
 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Stan Grishin
diff --git a/net/pbr/files/etc/init.d/pbr.init b/net/pbr/files/etc/init.d/pbr.init
index a76bc30a9..d8ecaa7da 100755
--- a/net/pbr/files/etc/init.d/pbr.init
+++ b/net/pbr/files/etc/init.d/pbr.init
@@ -224,7 +224,7 @@ pbr_get_gateway6() { local iface="$2" dev="$3" gw network_get_gateway6 gw "$iface" true if [ -z "$gw" ] || [ "$gw" = '::/0' ] || [ "$gw" = '::0/0' ] || [ "$gw" = '::' ]; then
- gw="$($ip_bin -6 a list dev "$dev" 2>/dev/null | grep inet6 | awk '{print $2}')"
+ gw="$($ip_bin -6 a list dev "$dev" 2>/dev/null | grep inet6 | grep 'scope global' | awk '{print $2}')"
 fi eval "$1"='$gw' }
@@ -1771,7 +1771,7 @@ EOF ipv6_error=0 if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strict_enforcement" -ne 0 ]; then if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then
- $ip_bin -6 route add unreachable default table "$tid" || ipv6_error=1
+ $ip_bin -6 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv6_error=1
 elif $ip_bin -6 route list table main | grep -q " dev $dev6 "; then while read -r i; do i="$(echo "$i" | sed 's/ linkdown$//')"
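Review bot: The fallback in `pbr_get_gateway6` can still assign several values to `gw`, because an interface may carry more than one address with `scope global` (ULA prefixes and temporary addresses are reported with that scope too) and `awk '{print $2}'` prints every one of them on its own line. If a single value is expected, the two greps and the awk can be collapsed into `awk '/inet6/ && /scope global/ {print $2; exit}'`. It is also worth confirming whether this value feeds the `[ -n "$gw6" ]` test shown in the hunk at @@ -1771: if it does, an interface with only a link-local address now yields an empty gateway and, with strict enforcement off, gets no IPv6 route or rule at all, which is more than the status/WebUI change the commit message describes. A one-line comment above the pipeline stating that the result is an interface address with prefix length, not a next hop, would help the next reader.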
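Review bot: Redirecting both streams to `/dev/null` on the `route add unreachable default` line (and on the `rule add fwmark` line in the following hunk at @@ -1785) discards the only diagnostic for a failed IPv6 insert. The failure is still recorded in `ipv6_error`, but the check visible at the end of that next hunk, `[ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]`, passes when IPv4 alone succeeded, so an interface can come up without its IPv6 policy rule and with nothing in the log to show it. Consider capturing stderr and logging it when the command fails, e.g. `err="$($ip_bin -6 rule add … 2>&1)" || { ipv6_error=1; logger -t pbr "$err"; }`, or at least add a comment naming the benign RTNETLINK error that is being hidden. The enclosing function starts and ends outside both hunks.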
@@ -1785,7 +1785,7 @@ EOF $ip_bin -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 fi fi
- $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1
+ $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" >/dev/null 2>&1 || ipv6_error=1
 fi fi if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then
diff --git a/net/pbr/files/etc/uci-defaults/90-pbr b/net/pbr/files/etc/uci-defaults/90-pbr
index 5d4d5d60a..95fe37768 100644
--- a/net/pbr/files/etc/uci-defaults/90-pbr
+++ b/net/pbr/files/etc/uci-defaults/90-pbr
@@ -5,6 +5,11 @@ readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m' # Transition from vpn-policy-routing if [ -s '/etc/config/vpn-policy-routing' ] && [ ! -s '/etc/config/pbr-opkg' ]; then
+ if [ -x '/etc/init.d/vpn-policy-routing' ]; then
+ echo "Stopping and disabling vpn-policy-routing."
+ /etc/init.d/vpn-policy-routing stop
+ /etc/init.d/vpn-policy-routing disable
+ fi
 echo "Migrating vpn-policy-routing config file." mv '/etc/config/pbr' '/etc/config/pbr-opkg' sed 's/vpn-policy-routing/pbr/g' /etc/config/vpn-policy-routing > /etc/config/pbr
From 0b84504670465876c8469da7dfb42f27d34db501 Mon Sep 17 00:00:00 2001 From: Stan Grishin Date: Sun, 7 May 2023 02:29:53 +0000 Subject: [PATCH 2/9] simple-adblock: add family to firewall json objects Signed-off-by: Stan Grishin
---
 net/simple-adblock/Makefile | 2 +- net/simple-adblock/files/simple-adblock.init | 1 + 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/simple-adblock/Makefile b/net/simple-adblock/Makefile
index cbe16be2e..db6e2bc5f 100644
--- a/net/simple-adblock/Makefile
+++ b/net/simple-adblock/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=simple-adblock PKG_VERSION:=1.9.5
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_MAINTAINER:=Stan Grishin PKG_LICENSE:=GPL-3.0-or-later
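Review bot: The new stop/disable block in 90-pbr only runs inside the config-migration condition, so it is skipped whenever `/etc/config/pbr-opkg` already exists or `/etc/config/vpn-policy-routing` is empty, even if `/etc/init.d/vpn-policy-routing` is still installed and enabled. In that case both services could end up managing the same policy-routing state after the upgrade. Moving the `[ -x '/etc/init.d/vpn-policy-routing' ]` block above the outer `if` would decouple disabling the old service from migrating its config. The exit status of `stop` and `disable` is also ignored; appending `|| echo "Failed to stop vpn-policy-routing."` to the stop line would make a failed hand-over visible in the first-boot output.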
diff --git a/net/simple-adblock/files/simple-adblock.init b/net/simple-adblock/files/simple-adblock.init
index 1427a7b61..a08dc395d 100644
--- a/net/simple-adblock/files/simple-adblock.init
+++ b/net/simple-adblock/files/simple-adblock.init
@@ -1395,6 +1395,7 @@ adb_start() { json_add_string proto "tcp udp" json_add_string src_dport "$c" json_add_string dest_port "$c"
+ json_add_string family any
 json_add_boolean reflection 0 json_close_object else
From 25801ddf7435e535fc0684911abdf6022549409f Mon Sep 17 00:00:00 2001 From: Stan Grishin Date: Sun, 7 May 2023 02:55:34 +0000 Subject: [PATCH 3/9] https-dns-proxy: fixes/improvements * use shared memory to store output data * add family option to firewall json objects, due to reports that IPv6 hijacking doesn't work without explicit family declaration Signed-off-by: Stan Grishin
---
 net/https-dns-proxy/Makefile | 2 +- net/https-dns-proxy/files/https-dns-proxy.init | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/https-dns-proxy/Makefile b/net/https-dns-proxy/Makefile
index fb99e64d8..f7d7cc1bf 100644
--- a/net/https-dns-proxy/Makefile
+++ b/net/https-dns-proxy/Makefile
@@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=https-dns-proxy PKG_VERSION:=2022-10-15
-PKG_RELEASE:=11
+PKG_RELEASE:=12
 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/aarond10/https_dns_proxy/
diff --git a/net/https-dns-proxy/files/https-dns-proxy.init b/net/https-dns-proxy/files/https-dns-proxy.init
index b4c55fea3..f6e32cba7 100755
--- a/net/https-dns-proxy/files/https-dns-proxy.init
+++ b/net/https-dns-proxy/files/https-dns-proxy.init
@@ -17,7 +17,6 @@ fi readonly PKG_VERSION='dev-test' readonly packageName='https-dns-proxy' readonly serviceName="$packageName $PKG_VERSION"
-readonly sharedMemoryOutput="/dev/shm/$packageName-output"
 readonly _OK_='\033[0;32m\xe2\x9c\x93\033[0m' readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m' readonly PROG=/usr/sbin/https-dns-proxy
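Review bot: `json_add_string family any` in `adb_start` carries no comment explaining why the redirect needs an explicit family; the reason is only given in the message of the https-dns-proxy patch (reports that IPv6 hijacking does not work without it), and the same line is added uncommented to `start_instance` in https-dns-proxy.init at @@ -171. A comment such as `# explicit family: without it the DNS redirect was reported not to apply to IPv6` above the line in both files would keep the rationale with the code. For consistency with the neighbouring `json_add_string` calls the value could also be quoted (`"any"`). Because the change widens a DNS redirect to IPv6, it is worth checking the generated ruleset after a service restart to confirm the rule appears for both families; the surrounding object is built outside the hunk.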
@@ -33,6 +32,7 @@ is_ipv4() { expr "$1" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/ is_ipv6() { ! is_mac_address "$1" && str_contains "$1" ":"; } output() { local msg memmsg logmsg
+ local sharedMemoryOutput="/dev/shm/$packageName-output"
 [ -t 1 ] && printf "%b" "$@" msg="${1//$serviceName /service }"; if [ "$(printf "%b" "$msg" | wc -l)" -gt 0 ]; then
@@ -171,6 +171,7 @@ start_instance() { json_add_string proto 'tcp udp' json_add_string src_dport "$p" json_add_string dest_port "$p"
+ json_add_string family any
 json_add_boolean reflection 0 json_close_object else
From 22b86d6e8d5025f335d01cc0214321d94aeb3ffc Mon Sep 17 00:00:00 2001 From: Jeffery To Date: Mon, 8 May 2023 12:14:54 +0800 Subject: [PATCH 4/9] golang: Update to 1.20.4 Includes fixes for: * CVE-2023-24539: html/template: improper sanitization of CSS values * CVE-2023-24540: html/template: improper handling of JavaScript whitespace * CVE-2023-29400: html/template: improper handling of empty HTML attributes Signed-off-by: Jeffery To
---
 lang/golang/golang/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lang/golang/golang/Makefile b/lang/golang/golang/Makefile
index 5ad751156..a467e08fa 100644
--- a/lang/golang/golang/Makefile
+++ b/lang/golang/golang/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk GO_VERSION_MAJOR_MINOR:=1.20
-GO_VERSION_PATCH:=3
+GO_VERSION_PATCH:=4
 PKG_NAME:=golang PKG_VERSION:=$(GO_VERSION_MAJOR_MINOR)$(if $(GO_VERSION_PATCH),.$(GO_VERSION_PATCH))
@@ -20,7 +20,7 @@ GO_SOURCE_URLS:=https://dl.google.com/go/ \ PKG_SOURCE:=go$(PKG_VERSION).src.tar.gz PKG_SOURCE_URL:=$(GO_SOURCE_URLS)
-PKG_HASH:=e447b498cde50215c4f7619e5124b0fc4e25fb5d16ea47271c47f278e7aa763a
+PKG_HASH:=9f34ace128764b7a3a4b238b805856cc1b2184304df9e5690825b0710f4202d6
 PKG_MAINTAINER:=Jeffery To PKG_LICENSE:=BSD-3-Clause
From f3054a90ea75dbe94c68716d1e316daa70c184b1 Mon Sep 17 00:00:00 2001
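Review bot: `local sharedMemoryOutput="/dev/shm/$packageName-output"` in `output` keeps a fixed, predictable file name in `/dev/shm`, which is normally writable by every local account. If `output` writes to that path as root (the write itself is outside this hunk), a file or symlink created there beforehand under the same name could receive or alter that data. Placing the file in a directory only root can write to, or creating it with a restrictive umask and refusing to follow an existing symlink, would avoid that. The value also stops being `readonly` with this move, so a short comment that it must not be reassigned inside `output` would help.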
From: Dirk Brenken Date: Mon, 8 May 2023 09:17:07 +0200 Subject: [PATCH 5/9] banip: release 0.8.5-2 * fixed a log parser regression introduced in latest 0.8.4 update Signed-off-by: Dirk Brenken
---
 net/banip/Makefile | 2 +- net/banip/files/banip-service.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/banip/Makefile b/net/banip/Makefile
index 07bad2213..fe74a723d 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip PKG_VERSION:=0.8.5
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken
diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh
index aadeae380..b67c5a0aa 100755
--- a/net/banip/files/banip-service.sh
+++ b/net/banip/files/banip-service.sh
@@ -192,7 +192,7 @@ if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimi if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then f_log "info" "suspicious IP${proto} '${ip}'" log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)"
- log_count="$(printf "%s\n" "${log_raw}" | grep -c "found '${ip}'")"
+ log_count="$(printf "%s\n" "${log_raw}" | grep -c "suspicious IP${proto} '${ip}'")"
 if [ "${log_count}" -ge "${ban_logcount}" ]; then if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then f_log "info" "add IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set"
From 1f6bd672fecd1ffc9f6b1fea152edc62bcdca026 Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Mon, 28 Nov 2022 10:13:25 +0100 Subject: [PATCH 6/9] mwan3: refactoring mwan3track action handling Refactoring the score handling, so that only one action could take place during run. The behaviour should be more comprehensible, since several score actions are not processed at the same time.
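Review bot: The pattern passed to `grep -c` in banip-service.sh now has to stay identical to the message written by `f_log "info" "suspicious IP${proto} '${ip}'"` two lines above it, and that coupling is what broke in the regression this commit fixes. Building the string once, e.g. `log_msg="suspicious IP${proto} '${ip}'"`, and using it for both `f_log` and `grep -cF "${log_msg}"` keeps the two from drifting again; `-F` also stops the dots of an IPv4 address from being read as regex wildcards. Note that the count is taken over the whole raw log in `log_raw`, so any line containing this text is counted, not only banIP's own entries; restricting the match to lines written by this service would make the threshold harder to skew. The enclosing `if` block starts and ends outside the hunk.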
Signed-off-by: Florian Eckert
---
 net/mwan3/files/usr/sbin/mwan3track | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/net/mwan3/files/usr/sbin/mwan3track b/net/mwan3/files/usr/sbin/mwan3track
index 89654f86b..c1a455b2e 100755
--- a/net/mwan3/files/usr/sbin/mwan3track
+++ b/net/mwan3/files/usr/sbin/mwan3track
@@ -351,34 +351,32 @@ main() { if [ $score -lt $up ]; then score=0 [ ${keep_failure_interval} -eq 1 ] && sleep_time=$failure_interval
- else
+ elif [ $score -eq $up ]; then
+ disconnecting
+ sleep_time=$failure_interval
+ disconnected
+ elif [ $score -gt $up ]; then
 disconnecting sleep_time=$failure_interval fi
-
- if [ $score -eq $up ]; then
- disconnected
- score=0
- fi
 else if [ $score -lt $((down+up)) ] && [ $lost -gt 0 ]; then
- connecting
 LOG info "Lost $((lost*count)) ping(s) on interface $INTERFACE ($DEVICE). Current score: $score" fi let score++ lost=0
- if [ $score -gt $up ]; then
- echo "online" > $MWAN3TRACK_STATUS_DIR/$INTERFACE/STATUS
- score=$((down+up))
- elif [ $score -le $up ]; then
+ if [ $score -lt $up ]; then
+ connecting
+ sleep_time=$recovery_interval
+ elif [ $score -eq $up ]; then
 connecting sleep_time=$recovery_interval
- fi
-
- if [ $score -eq $up ]; then
 connected
+ elif [ $score -gt $up ]; then
+ echo "online" > $MWAN3TRACK_STATUS_DIR/$INTERFACE/STATUS
+ score=$((down+up))
 fi fi
From 5f0461be8b149aeb5732481d38c9d69650996f8c Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Thu, 4 May 2023 13:10:38 +0200 Subject: [PATCH 7/9] mwan3: reset score to up+down on connected Set the score value to the maximum value when the connected function is called. The same happens with a disconnected event, the score value is there set to zero. Suggested-by: Anna Tikhomirova Suggested-by: Maxim Mikityanskiy Signed-off-by: Florian Eckert
---
 net/mwan3/files/usr/sbin/mwan3track | 1 + 1 file changed, 1 insertion(+)
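Review bot: The three-way chains added to `main()` test `$score` and `$up` unquoted and spell the last case as `elif [ $score -gt $up ]` although it is the only case left after `-lt` and `-eq`. If either variable is ever empty the `[` expression is malformed, every arm evaluates false, and the loop carries on with a stale `sleep_time` and no state change, which is hard to notice on a link monitor. Quoting the operands (`[ "$score" -eq "$up" ]`) and adding a final `else` arm that logs the unexpected value would make that case visible. A comment above each chain naming the three states (below, at and above the threshold) would also document why `disconnected` and `connected` fire only on equality. `main()` begins and ends outside the hunk.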
diff --git a/net/mwan3/files/usr/sbin/mwan3track b/net/mwan3/files/usr/sbin/mwan3track
index c1a455b2e..162bdbb7d 100755
--- a/net/mwan3/files/usr/sbin/mwan3track
+++ b/net/mwan3/files/usr/sbin/mwan3track
@@ -128,6 +128,7 @@ connected() { echo "online" > $MWAN3TRACK_STATUS_DIR/$INTERFACE/STATUS echo "0" > $MWAN3TRACK_STATUS_DIR/$INTERFACE/OFFLINE get_uptime > $MWAN3TRACK_STATUS_DIR/$INTERFACE/ONLINE
+ score=$((down+up))
 host_up_count=0 lost=0 turn=0
From bc2c6e63ee9f999afe6d507288840d1779cf8a17 Mon Sep 17 00:00:00 2001 From: Anna Tikhomirova Date: Wed, 3 May 2023 10:32:22 +0300 Subject: [PATCH 8/9] mwan3: bump PKG_VERSION to 2.11.7 Signed-off-by: Anna Tikhomirova
---
 net/mwan3/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/mwan3/Makefile b/net/mwan3/Makefile
index 36adc06da..99c01712d 100644
--- a/net/mwan3/Makefile
+++ b/net/mwan3/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mwan3
-PKG_VERSION:=2.11.6
+PKG_VERSION:=2.11.7
 PKG_RELEASE:=1 PKG_MAINTAINER:=Florian Eckert , \ Aaron Goodman
From 83dd66fd34792c692a477c2ed8430f81802d8f22 Mon Sep 17 00:00:00 2001 From: Georgi Valkov Date: Mon, 8 May 2023 12:37:08 +0300 Subject: [PATCH 9/9] coreutils: update to 9.3 Build system: Ubuntu Linux 22.04, macOS 12.6.5 Run-tested: x64, WRT3200ACM, TL-WR1043ND v4 [1] https://github.com/openwrt/packages/issues/20933 [2] https://debbugs.gnu.org/cgi/bugreport.cgi?bug=62404 Signed-off-by: Georgi Valkov
---
 utils/coreutils/Makefile | 4 ++-- .../coreutils/patches/001-no_docs_man_tests.patch | 14 +++++++------- 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/utils/coreutils/Makefile b/utils/coreutils/Makefile
index dd1afd792..620707b53 100644
--- a/utils/coreutils/Makefile
+++ b/utils/coreutils/Makefile
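Review bot: `score=$((down+up))` in `connected()` assigns a variable that the loop in `main()` also maintains, and nothing in the function says so. After the previous patch the `-gt $up` arm in `main()` performs the same assignment, so the saturation value now lives in two places. A comment such as `# saturate the caller's score so the interface starts from the maximum after coming up` would document the side effect. The declarations of `score`, `down` and `up` are outside this hunk, so whether they are globals or locals of `main()` should be confirmed; `connected()` itself continues beyond the hunk.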
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=coreutils -PKG_VERSION:=9.2 +PKG_VERSION:=9.3 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=@GNU/coreutils -PKG_HASH:=6885ff47b9cdb211de47d368c17853f406daaf98b148aaecdf10de29cc04b0b3 +PKG_HASH:=adbcfcfe899235b71e8768dcf07cd532520b7f54f9a8064843f8d199a904bbaa PKG_MAINTAINER:=Jo-Philipp Wich PKG_LICENSE:=GPL-3.0-or-later diff --git a/utils/coreutils/patches/001-no_docs_man_tests.patch b/utils/coreutils/patches/001-no_docs_man_tests.patch index 3c5bf2ec3..2bcd8fc1b 100644 --- a/utils/coreutils/patches/001-no_docs_man_tests.patch +++ b/utils/coreutils/patches/001-no_docs_man_tests.patch @@ -18,7 +18,7 @@ -include $(top_srcdir)/tests/local.mk --- a/Makefile.in +++ b/Makefile.in -@@ -4145,11 +4145,7 @@ RECURSIVE_TARGETS = all-recursive check- +@@ -4149,11 +4149,7 @@ RECURSIVE_TARGETS = all-recursive check- install-ps-recursive install-recursive installcheck-recursive \ installdirs-recursive pdf-recursive ps-recursive \ tags-recursive uninstall-recursive @@ -31,7 +31,7 @@ am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ -@@ -4399,10 +4395,10 @@ am__DIST_COMMON = $(doc_coreutils_TEXINF +@@ -4403,10 +4399,10 @@ am__DIST_COMMON = $(doc_coreutils_TEXINF $(top_srcdir)/build-aux/missing \ $(top_srcdir)/build-aux/test-driver \ $(top_srcdir)/build-aux/texinfo.tex \ @@ -46,7 +46,7 @@ $(top_srcdir)/tests/local.mk ABOUT-NLS AUTHORS COPYING \ ChangeLog INSTALL NEWS README THANKS TODO build-aux/compile \ build-aux/config.guess build-aux/config.rpath \ -@@ -4516,7 +4512,7 @@ ERROR_H = @ERROR_H@ +@@ -4520,7 +4516,7 @@ ERROR_H = @ERROR_H@ ETAGS = @ETAGS@ EUIDACCESS_LIBGEN = @EUIDACCESS_LIBGEN@ EXEEXT = @EXEEXT@ 
@@ -55,7 +55,7 @@ FDATASYNC_LIB = @FDATASYNC_LIB@ FILE_HAS_ACL_LIB = @FILE_HAS_ACL_LIB@ FLOAT_H = @FLOAT_H@ -@@ -6171,7 +6167,7 @@ localedir_c_make = @localedir_c_make@ +@@ -6181,7 +6177,7 @@ localedir_c_make = @localedir_c_make@ localstatedir = @localstatedir@ localstatedir_c = @localstatedir_c@ localstatedir_c_make = @localstatedir_c_make@ @@ -64,7 +64,7 @@ mandir = @mandir@ mandir_c = @mandir_c@ mandir_c_make = @mandir_c_make@ -@@ -6220,7 +6216,7 @@ top_build_prefix = @top_build_prefix@ +@@ -6230,7 +6226,7 @@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ ALL_RECURSIVE_TARGETS = distcheck-hook check-root @@ -73,7 +73,7 @@ #if GNU_MAKE # [nicer features that work only with GNU Make] -@@ -8425,7 +8421,7 @@ all: $(BUILT_SOURCES) +@@ -8437,7 +8433,7 @@ all: $(BUILT_SOURCES) .SUFFIXES: .1 .c .dvi .log .o .obj .pl .pl$(EXEEXT) .ps .sh .sh$(EXEEXT) .trs .x .xpl .xpl$(EXEEXT) .y am--refresh: Makefile @: @@ -82,7 +82,7 @@ @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ -@@ -8447,7 +8443,7 @@ Makefile: $(srcdir)/Makefile.in $(top_bu +@@ -8459,7 +8455,7 @@ Makefile: $(srcdir)/Makefile.in $(top_bu echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__maybe_remake_depfiles)'; \ cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__maybe_remake_depfiles);; \ esac;