Merge branch 'openwrt:master' into master

2023-11-05 19:24:26 +04:00 · 2023-11-05 19:24:26 +04:00 · 8c94ab1da7
commit 8c94ab1da7
parent 1e024d76f4 756ba29568
11 changed files with 246 additions and 90 deletions
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@ -5,7 +5,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=banip
-PKG_VERSION:=0.9.1
+PKG_VERSION:=0.9.2
 PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@ -16,7 +16,7 @@ define Package/banip
 	SECTION:=net
 	CATEGORY:=Network
 	TITLE:=banIP blocks IPs via named nftables Sets
-	DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +logd +rpcd +rpcd-mod-rpcsys
+	DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +rpcd +rpcd-mod-rpcsys
 	PKGARCH:=all
 endef

--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@ -91,7 +91,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * Supports allowing / blocking of certain VLAN forwards

 ## Prerequisites
-* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 and logd/logread support
+* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support
 * A download utility with SSL support: 'aria2c', 'curl', full 'wget' or 'uclient-fetch' with one of the 'libustream-*' SSL libraries, the latter one doesn't provide support for ETag HTTP header
 * A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
 * For E-Mail notifications you need to install and setup the additional 'msmtp' package
@ -135,13 +135,14 @@ Available commands:
 ## banIP config options

 | Option                  | Type   | Default                       | Description                                                                                                       |
-| :---------------------- | :----- | :---------------------------- | :----------------------------------------------------------------------------------------------------------- |
+| :---------------------- | :----- | :---------------------------- | :---------------------------------------------------------------------------------------------------------------- |
 | ban_enabled             | option | 0                             | enable the banIP service                                                                                          |
 | ban_nicelimit           | option | 0                             | ulimit nice level of the banIP service (range 0-19)                                                               |
 | ban_filelimit           | option | 1024                          | ulimit max open/number of files (range 1024-4096)                                                                 |
 | ban_loglimit            | option | 100                           | scan only the last n log entries permanently. A value of '0' disables the monitor                                 |
 | ban_logcount            | option | 1                             | how many times the IP must appear in the log to be considered as suspicious                                       |
 | ban_logterm             | list   | regex                         | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk)                                |
+| ban_logreadfile         | option | /var/log/messages             | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread |
 | ban_autodetect          | option | 1                             | auto-detect wan interfaces, devices and subnets                                                                   |
 | ban_debug               | option | 0                             | enable banIP related debug logging                                                                                |
 | ban_loginput            | option | 1                             | log drops in the wan-input chain                                                                                  |
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@ -23,7 +23,8 @@ ban_rtfile="/var/run/banip_runtime.json"
 ban_rdapfile="/var/run/banip_rdap.json"
 ban_rdapurl="https://rdap.db.ripe.net/ip/"
 ban_lock="/var/run/banip.lock"
-ban_logreadcmd="$(command -v logread)"
+ban_logreadfile="/var/log/messages"
+ban_logreadcmd=""
 ban_logcmd="$(command -v logger)"
 ban_ubuscmd="$(command -v ubus)"
 ban_nftcmd="$(command -v nft)"
@ -188,7 +189,12 @@ f_rmpid() {
 	local ppid pid pids

 	ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)"
-	[ -n "${ppid}" ] && pids="$(pgrep -P "${ppid}" 2>/dev/null)"
+	if [ -n "${ppid}" ]; then
+		pids="$(pgrep -P "${ppid}" 2>/dev/null)"
+		for pid in ${pids}; do
+			pids="${pids} $(pgrep -P "${pid}" 2>/dev/null)"
+		done
+	fi
 	for pid in ${pids}; do
 		kill -INT "${pid}" >/dev/null 2>&1
 	done
@ -283,19 +289,25 @@ f_conf() {
 		}
 	}
 	config_load banip
+	[ -f "${ban_logreadfile}" ] && ban_logreadcmd="$(command -v tail)" || ban_logreadcmd="$(command -v logread)"
 }

 # get nft/monitor actuals
 #
 f_actual() {
-	local nft monitor
+	local nft monitor ppid pid

 	if "${ban_nftcmd}" -t list set inet banIP allowlistv4MAC >/dev/null 2>&1; then
 		nft="$(f_char "1")"
 	else
 		nft="$(f_char "0")"
 	fi
-	if pgrep -f "${ban_logreadcmd##*/}" -P "$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then
+
+	ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)"
+	if [ -n "${ppid}" ]; then
+		pid="$(pgrep -oP "${ppid}" 2>/dev/null)"
+	fi
+	if pgrep -f "${ban_logreadcmd##*/}" -P "${pid}" >/dev/null 2>&1; then
 		monitor="$(f_char "1")"
 	else
 		monitor="$(f_char "0")"
@ -1471,12 +1483,20 @@ f_mail() {
 # log monitor
 #
 f_monitor() {
-	local nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_elements rdap_info
+	local logread_cmd loglimit_cmd nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_elements rdap_info

-	if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then
-		f_log "info" "start detached banIP log service"
+	if [ -f "${ban_logreadfile}" ]; then
+		logread_cmd="${ban_logreadcmd} -qf ${ban_logreadfile} 2>/dev/null | ${ban_grepcmd} -e \"${ban_logterm%%??}\" 2>/dev/null"
+		loglimit_cmd="${ban_logreadcmd} -qn ${ban_loglimit} ${ban_logreadfile} 2>/dev/null"
+	elif printf "%s" "${ban_packages}" | "${ban_grepcmd}" -q '"logd'; then
+		logread_cmd="${ban_logreadcmd} -fe \"${ban_logterm%%??}\" 2>/dev/null"
+		loglimit_cmd="${ban_logreadcmd} -l ${ban_loglimit} 2>/dev/null"
+	fi
+
+	if [ -x "${ban_logreadcmd}" ] && [ -n "${logread_cmd}" ] && [ -n "${loglimit_cmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then
+		f_log "info" "start detached banIP log service (${ban_logreadcmd})"
 		[ -n "${ban_nftexpiry}" ] && nft_expiry="timeout $(printf "%s" "${ban_nftexpiry}" | "${ban_grepcmd}" -oE "([0-9]+[d|h|m|s])+$")"
-		"${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null |
+		eval "${logread_cmd}" |
 			while read -r line; do
 				: >"${ban_rdapfile}"
 				proto=""
@ -1492,7 +1512,7 @@ f_monitor() {
 				fi
 				if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1 && ! "${ban_grepcmd}" -q "^${ip}" "${ban_allowlist}"; then
 					f_log "info" "suspicious IP '${ip}'"
-					log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)"
+					log_raw="$(eval ${loglimit_cmd})"
 					log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP '${ip}'")"
 					if [ "${log_count}" -ge "${ban_logcount}" ]; then
 						if [ "${ban_autoblocksubnet}" = "1" ]; then
--- a/net/dnsproxy/Makefile
+++ b/net/dnsproxy/Makefile
@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=dnsproxy
 PKG_VERSION:=0.56.2
-PKG_RELEASE:=1
+PKG_RELEASE:=2

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/AdguardTeam/dnsproxy/tar.gz/v$(PKG_VERSION)?
@ -49,6 +49,8 @@ define Package/dnsproxy/install
 	$(INSTALL_CONF) $(CURDIR)/files/dnsproxy.config $(1)/etc/config/dnsproxy
 	$(INSTALL_DIR) $(1)/etc/init.d/
 	$(INSTALL_BIN) $(CURDIR)/files/dnsproxy.init $(1)/etc/init.d/dnsproxy
+	$(INSTALL_DIR) $(1)/etc/uci-defaults/
+	$(INSTALL_BIN) $(CURDIR)/files/dnsproxy.defaults $(1)/etc/uci-defaults/80-dnsproxy-migration
 endef

 define Package/dnsproxy/conffiles
--- a/net/dnsproxy/files/dnsproxy.config
+++ b/net/dnsproxy/files/dnsproxy.config
@ -3,13 +3,16 @@

 config dnsproxy 'global'
 	option enabled '0'
-	option listen_addr '127.0.0.1'
-	option listen_port '5353'
+	list listen_addr '127.0.0.1'
+	list listen_addr '::1'
+	list listen_port '5353'
 	option log_file ''
 	option all_servers '0'
 	option fastest_addr '0'
+	option http3 '0'
 	option insecure '0'
 	option ipv6_disabled '0'
+	option timeout ''
 	option max_go_routines ''
 	option rate_limit ''
 	option refuse_any '0'
--- a/net/dnsproxy/files/dnsproxy.defaults
+++ b/net/dnsproxy/files/dnsproxy.defaults
@ -0,0 +1,8 @@
+#!/bin/sh
+
+[ -s "/etc/config/dnsproxy" ] || exit 0
+
+#Migrate options 'listen_addr' 'listen_port' to list type
+sed -i -e "s,option listen_addr,list listen_addr,g" \
+       -e "s,option listen_port,list listen_port,g" "/etc/config/dnsproxy"
+exit 0
--- a/net/dnsproxy/files/dnsproxy.init
+++ b/net/dnsproxy/files/dnsproxy.init
@ -44,6 +44,7 @@ append_param_bool() {
 load_config_arg() {
 	append_param_bool "$1" "all_servers"
 	append_param_bool "$1" "fastest_addr"
+	append_param_bool "$1" "http3"
 	append_param_bool "$1" "insecure"
 	append_param_bool "$1" "ipv6_disabled"
 	append_param_bool "$1" "refuse_any"
@ -51,6 +52,18 @@ load_config_arg() {
 }

 load_config_list() {
+	if is_empty "global" "listen_addr"; then
+		append_param "--listen" "127.0.0.1"
+	else 
+		config_list_foreach "global" "listen_addr" "append_param '--listen'"
+	fi
+
+	if is_empty "global" "listen_port"; then
+		append_param "--port" "5353"
+	else 
+		config_list_foreach "global" "listen_port" "append_param '--port'"
+	fi
+
 	is_empty "bogus_nxdomain" "ip_addr" || config_list_foreach "bogus_nxdomain" "ip_addr" "append_param '--bogus-nxdomain'"

 	for i in "bootstrap" "fallback" "upstream"; do
@ -59,9 +72,8 @@ load_config_list() {
 }

 load_config_param() {
-	append_param_arg "global" "listen_addr" "--listen" "127.0.0.1"
-	append_param_arg "global" "listen_port" "--port" "5353"
 	append_param_arg "global" "log_file" "--output"
+	append_param_arg "global" "timeout" "--timeout"
 	append_param_arg "global" "max_go_routines" "--max-go-routines"
 	append_param_arg "global" "rate_limit" "--ratelimit"
 	append_param_arg "global" "udp_buf_size" "--udp-buf-size"
--- a/net/gensio/Makefile
+++ b/net/gensio/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=gensio
-PKG_VERSION:=2.4.2
+PKG_VERSION:=2.7.6
 PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@SF/ser2net
-PKG_HASH:=2593c1e7beaec3a0a4acbf60f94bbf64b99883d86f172a3b584eba5f67441b4b
+PKG_HASH:=7574fb710ddd6580d53ea44af4ddfc57f28dbcdc646d842f7ed8ccc1235fdf89

 PKG_LICENSE:=GPL-2.0-or-later
 PKG_LICENSE_FILES:=COPYING
@ -39,15 +39,25 @@ include $(INCLUDE_DIR)/package.mk
 include ../../lang/python/python3-package.mk

 CONFIGURE_ARGS += \
+	--$(if $(CONFIG_GENSIO_AVAHI),with,without)-avahi \
 	--$(if $(CONFIG_GENSIO_SSL),with,without)-openssl \
 	--$(if $(CONFIG_GENSIO_SCTP),with,without)-sctp \
 	--$(if $(CONFIG_GENSIO_WRAP),with,without)-tcp-wrappers \
 	--$(if $(CONFIG_GENSIO_PTHREADS),with,without)-pthreads \
 	--$(if $(CONFIG_GENSIO_GLIB),with,without)-glib \
 	--$(if $(CONFIG_GENSIO_TCL),with,without)-tcl \
+	--without-afskmdm \
+	--without-ax25 \
+	--without-alsa \
 	--without-go \
+	--without-ipmisol \
+	--without-kiss \
 	--without-openipmi \
+	--without-portaudio \
+	--without-sound \
 	--with-cplusplus \
+	--with-flock-locking \
+	--with-uucp-locking \
 	--disable-doc

 CONFIGURE_VARS += \
@ -161,8 +171,9 @@ endef
 define Build/InstallDev
 	$(INSTALL_DIR) $(1)/usr/include/gensio/
 	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/include/gensio/* $(1)/usr/include/gensio/
-	$(INSTALL_DIR) $(1)/usr/lib/
+	$(INSTALL_DIR) $(1)/usr/lib/gensio
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/*.{so*,a,la} $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/gensio/* $(1)/usr/lib/gensio/
 	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig/
 	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/* $(1)/usr/lib/pkgconfig/
 ifneq ($(CONFIG_PACKAGE_python3-gensio),)
@ -173,8 +184,11 @@ endif
 endef

 define Package/libgensio/install
-	$(INSTALL_DIR) $(1)/usr/lib
+	$(INSTALL_DIR) $(1)/usr/lib/gensio
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libgensio.so.* $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libgensioosh.so.* $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libgensiomdns.so.* $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/gensio/* $(1)/usr/lib/gensio/
 ifeq ($(CONFIG_GENSIO_GLIB),y)
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libgensioglib.so.* $(1)/usr/lib/
 endif
@ -200,7 +214,7 @@ endef

 define Package/libgensiocpp/install
 	$(INSTALL_DIR) $(1)/usr/lib
-	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libgensiocpp.so.* $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libgensio*cpp.so.* $(1)/usr/lib/
 endef

 $(eval $(call BuildPackage,libgensio))
--- a/net/gensio/patches/100-musl-compat.patch
+++ b/net/gensio/patches/100-musl-compat.patch
@ -1,11 +0,0 @@
--- a/tools/gensiotool.c
-+++ b/tools/gensiotool.c
-@@ -44,7 +44,7 @@
- #include <signal.h>
- #include <errno.h>
- #include <sys/types.h>
-#include <sys/unistd.h>
-+#include <unistd.h>
- #include <syslog.h>
- #endif
- 
--- a/net/iperf3-mt/Makefile
+++ b/net/iperf3-mt/Makefile
@ -0,0 +1,104 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (C) 2023 Jonas Jelonek
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=iperf
+PKG_VERSION:=3.15-mt-beta1
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://codeload.github.com/esnet/iperf/tar.gz/$(PKG_NAME)-$(PKG_VERSION)?
+PKG_HASH:=4d5ad5bef9321adb832581a495c3cb1b5dec9d9678296f90bfc87166bbb7a43b
+
+PKG_MAINTAINER:=Jonas Jelonek <jelonek.jonas@gmail.com>
+PKG_LICENSE:=BSD-3-Clause
+PKG_CPE_ID:=cpe:/a:es:iperf3
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_NAME)-$(PKG_VERSION)
+PKG_BUILD_PARALLEL:=1
+PKG_INSTALL:=1
+
+PKG_FIXUP:=autoreconf
+
+include $(INCLUDE_DIR)/package.mk
+
+DISABLE_NLS:=
+
+define Package/iperf3-mt/default
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=iperf3 with multithreading
+  URL:=https://github.com/esnet/iperf
+  CONFLICTS:=iperf3 iperf3-ssl
+endef
+
+define Package/iperf3-mt
+$(call Package/iperf3-mt/default)
+  VARIANT:=nossl
+  DEPENDS:=+libiperf3-mt
+  CONFLICTS+=iperf3-mt-ssl
+endef
+
+define Package/iperf3-mt-ssl
+$(call Package/iperf3-mt/default)
+  TITLE+= and iperf_auth support
+  VARIANT:=ssl
+  DEPENDS:=+libopenssl +libatomic
+endef
+
+define Package/libiperf3-mt
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=libiperf3 with multithreading
+  URL:=https://github.com/esnet/iperf
+  CONFLICTS:=libiperf3
+  DEPENDS+=+libatomic
+endef
+
+TARGET_CFLAGS += -D_GNU_SOURCE
+TARGET_LDFLAGS += -latomic
+
+ifeq ($(BUILD_VARIANT),ssl)
+	CONFIGURE_ARGS += --with-openssl="$(STAGING_DIR)/usr" --disable-shared
+else
+	CONFIGURE_ARGS += --without-openssl
+endif
+
+MAKE_FLAGS += noinst_PROGRAMS=
+
+define Package/iperf3-mt/description
+ iPerf3 is a modern alternative for measuring TCP and UDP bandwidth
+ performance, allowing the tuning of various parameters and
+ characteristics.
+ iperf3-mt has experimental multithreading support.
+endef
+
+define Package/libiperf3-mt/description
+ Libiperf is a library providing an API for iperf3 functionality.
+endef
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiperf.* $(1)/usr/lib/
+	$(INSTALL_DIR) $(1)/usr/include
+	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+endef
+
+define Package/iperf3-mt/install/Default
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/iperf3 $(1)/usr/bin/
+endef
+
+Package/iperf3-mt/install = $(Package/iperf3-mt/install/Default)
+Package/iperf3-mt-ssl/install = $(Package/iperf3-mt/install/Default)
+
+define Package/libiperf3-mt/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiperf.so.* $(1)/usr/lib
+endef
+
+$(eval $(call BuildPackage,iperf3-mt))
+$(eval $(call BuildPackage,iperf3-mt-ssl))
+$(eval $(call BuildPackage,libiperf3-mt))
--- a/net/strongswan/Makefile
+++ b/net/strongswan/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=strongswan
 PKG_VERSION:=5.9.11
-PKG_RELEASE:=1
+PKG_RELEASE:=2

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/
@ -41,6 +41,7 @@ PKG_MOD_AVAILABLE:= \
 	dnskey \
 	drbg \
 	duplicheck \
+	eap-dynamic \
 	eap-identity \
 	eap-md5 \
 	eap-mschapv2 \
@ -183,6 +184,7 @@ $(call Package/strongswan/Default)
 	+strongswan-mod-dnskey \
 	+strongswan-mod-drbg \
 	+strongswan-mod-duplicheck \
+	+strongswan-mod-eap-dynamic \
 	+strongswan-mod-eap-identity \
 	+strongswan-mod-eap-md5 \
 	+strongswan-mod-eap-mschapv2 \
@ -681,6 +683,7 @@ $(eval $(call BuildPlugin,dhcp,DHCP based attribute provider,))
 $(eval $(call BuildPlugin,dnskey,DNS RR key decoding,))
 $(eval $(call BuildPlugin,drbg,Deterministic random bit generator,,))
 $(eval $(call BuildPlugin,duplicheck,advanced duplicate checking,))
+$(eval $(call BuildPlugin,eap-dynamic,EAP dynamic selector,))
 $(eval $(call BuildPlugin,eap-identity,EAP identity helper,))
 $(eval $(call BuildPlugin,eap-md5,EAP MD5 (CHAP) EAP auth,))
 $(eval $(call BuildPlugin,eap-mschapv2,EAP MS-CHAPv2 EAP auth,+strongswan-mod-md4 +strongswan-mod-des))