From a79df49a5fb7fed5a525c72824c966261cbef62e Mon Sep 17 00:00:00 2001 From: Christian Lachner Date: Sat, 18 Feb 2023 07:50:27 +0100 Subject: [PATCH 01/12] haproxy: update to v2.6.9 - Update haproxy download URL and hash - This release fixes a critial flaw known as CVE-2023-25725. See: http://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=73be199c4f5f1ed468161a4c5e10ca77cd5989d8 Signed-off-by: Christian Lachner --- net/haproxy/Makefile | 4 ++-- net/haproxy/get-latest-patches.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile index 5c5189c48..bf84d48de 100644 --- a/net/haproxy/Makefile +++ b/net/haproxy/Makefile @@ -10,12 +10,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=haproxy -PKG_VERSION:=2.6.8 +PKG_VERSION:=2.6.9 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.haproxy.org/download/2.6/src -PKG_HASH:=a02ad64550dd30a94b25fd0e225ba699649d0c4037bca3b36b20e8e3235bb86f +PKG_HASH:=f01a1c5f465dc1b5cd175d0b28b98beb4dfe82b5b5b63ddcc68d1df433641701 PKG_MAINTAINER:=Thomas Heil , \ Christian Lachner diff --git a/net/haproxy/get-latest-patches.sh b/net/haproxy/get-latest-patches.sh index afd83a13a..8c17d3e4f 100755 --- a/net/haproxy/get-latest-patches.sh +++ b/net/haproxy/get-latest-patches.sh @@ -1,7 +1,7 @@ #!/bin/sh CLONEURL=https://git.haproxy.org/git/haproxy-2.6.git -BASE_TAG=v2.6.8 +BASE_TAG=v2.6.9 TMP_REPODIR=tmprepo PATCHESDIR=patches From 5c2bd22cb236f42f58394ae0f796ddd6fc64006f Mon Sep 17 00:00:00 2001 From: Van Waholtz Date: Sun, 5 Mar 2023 20:31:39 +0800 Subject: [PATCH 02/12] sing-box: add necessary dependencies and cleanup Makefile 1. Add `kmod-inet-diag` as a dependency since it is needed for https://sing-box.sagernet.org/configuration/dns/rule/#process_name 2. Remove redundant `default n` (https://github.com/openwrt/openwrt/commit/8bc72ea7be3976711dacc09f0fdab061d6e5152a) 
Signed-off-by: Van Waholtz --- net/sing-box/Makefile | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/net/sing-box/Makefile b/net/sing-box/Makefile index 921f599cc..22b409bb9 100644 --- a/net/sing-box/Makefile +++ b/net/sing-box/Makefile @@ -27,7 +27,7 @@ define Package/sing-box SECTION:=net CATEGORY:=Network URL:=https://sing-box.sagernet.org - DEPENDS:=$(GO_ARCH_DEPENDS) +ca-bundle +kmod-tun + DEPENDS:=$(GO_ARCH_DEPENDS) +ca-bundle +kmod-inet-diag +kmod-tun USERID:=sing-box=5566:sing-box=5566 endef @@ -42,7 +42,6 @@ define Package/sing-box/config config SINGBOX_WITH_ACME bool "Build with ACME TLS certificate issuer support" - default n config SINGBOX_WITH_CLASH_API bool "Build with Clash API support" @@ -50,15 +49,12 @@ define Package/sing-box/config config SINGBOX_WITH_ECH bool "Build with TLS ECH extension support for TLS outbound" - default n config SINGBOX_WITH_EMBEDDED_TOR bool "Build with embedded Tor support" - default n config SINGBOX_WITH_GRPC bool "Build with standard gRPC support" - default n config SINGBOX_WITH_GVISOR bool "Build with gVisor support" @@ -66,7 +62,6 @@ define Package/sing-box/config config SINGBOX_WITH_LWIP bool "Build with LWIP Tun stack support" - default n config SINGBOX_WITH_QUIC bool "Build with QUIC support" @@ -74,7 +69,6 @@ define Package/sing-box/config config SINGBOX_WITH_SHADOWSOCKSR bool "Build with ShadowsocksR support" - default n config SINGBOX_WITH_UTLS bool "Build with uTLS support for TLS outbound" @@ -82,7 +76,6 @@ define Package/sing-box/config config SINGBOX_WITH_V2RAY_API bool "Build with V2Ray API support" - default n config SINGBOX_WITH_WIREGUARD bool "Build with WireGuard support" From e6ded435709838ce70b0572d647c0b0800ec71ef Mon Sep 17 00:00:00 2001 From: Van Waholtz Date: Sun, 5 Mar 2023 20:37:37 +0800 Subject: [PATCH 03/12] sing-box: update to 1.1.6 Signed-off-by: Van Waholtz --- net/sing-box/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/net/sing-box/Makefile b/net/sing-box/Makefile index 22b409bb9..7103e36e1 100644 --- a/net/sing-box/Makefile +++ b/net/sing-box/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=sing-box -PKG_VERSION:=1.1.5 +PKG_VERSION:=1.1.6 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/SagerNet/sing-box/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=a1e642362f41bd0e362cd9c8d2f0d29d2eca6a55a948677f6f03cfb81c4f0657 +PKG_HASH:=2fdf93fd49c9375cd14b2fe2e2163cbad4b65d0cfa422c592855e7810036ef56 PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE_FILES:=LICENSE From 0b37036e5afa5be384e577531b4e9ba26c3512a1 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Mon, 6 Mar 2023 14:19:27 +0100 Subject: [PATCH 04/12] banip: update 0.8.1-3 * finalized the LuCI frontend preparation (this is the minmal version to use the forthcoming LuCI frontend) * added a Set survey, to list all elements of a certain set * changed the default logterm for asterisk * update the readme Signed-off-by: Dirk Brenken --- net/banip/Makefile | 4 +- net/banip/files/README.md | 119 ++++++++++++++++++----------- net/banip/files/banip-functions.sh | 98 +++++++++++++++++------- net/banip/files/banip-service.sh | 2 +- net/banip/files/banip.conf | 2 +- net/banip/files/banip.init | 14 +++- 6 files changed, 159 insertions(+), 80 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index a75867df3..1979ede35 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -1,5 +1,5 @@ # -# banIP - ban incoming and outgoing ip adresses/subnets via sets in nftables +# banIP - ban incoming and outgoing ip addresses/subnets via sets in nftables # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. # @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip PKG_VERSION:=0.8.1 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken 
diff --git a/net/banip/files/README.md b/net/banip/files/README.md index f936a8e5b..45d2f4839 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md 
@@ -55,48 +55,50 @@ IP address blocking is commonly used to protect against brute force attacks, pre | voip | VoIP fraud blocklist | x | x | | [Link](https://voipbl.org) | | yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -* zero-conf like automatic installation & setup, usually no manual changes needed -* all sets are handled in a separate nft table/namespace 'banIP' -* full IPv4 and IPv6 support -* supports nft atomic set loading -* supports blocking by ASN numbers and by iso country codes -* supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names) -* auto-add the uplink subnet to the local allowlist -* provides a small background log monitor to ban unsuccessful login attempts in real-time -* auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist -* fast feed processing as they are handled in parallel as background jobs -* per feed it can be defined whether the wan-input chain, the wan-forward chain or the lan-forward chain should be blocked (default: all chains) -* automatic blocklist backup & restore, the backups will be used in case of download errors or during startup -* automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget -* supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs -* deduplicate IPs accross all sets (single IPs only, no intervals) -* provides comprehensive runtime information -* provides a detailed set report -* provides a set search engine for certain IPs -* feed parsing by fast & flexible regex rulesets -* minimal status & error logging to syslog, enable debug logging to receive more output -* procd based init system support (start/stop/restart/reload/status/report/search) -* procd network interface trigger support -* ability to add new banIP feeds on your own +* Zero-conf like automatic installation & setup, usually no manual 
changes needed +* All sets are handled in a separate nft table/namespace 'banIP' +* Full IPv4 and IPv6 support +* Supports nft atomic set loading +* Supports blocking by ASN numbers and by iso country codes +* Supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names) +* Auto-add the uplink subnet to the local allowlist +* Provides a small background log monitor to ban unsuccessful login attempts in real-time +* Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist +* Fast feed processing as they are handled in parallel as background jobs +* Per feed it can be defined whether the wan-input chain, the wan-forward chain or the lan-forward chain should be blocked (default: all chains) +* Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup +* Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget +* Supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs +* Deduplicate IPs accross all sets (single IPs only, no intervals) +* Provides comprehensive runtime information +* Provides a detailed set report +* Provides a set search engine for certain IPs +* Feed parsing by fast & flexible regex rulesets +* Minimal status & error logging to syslog, enable debug logging to receive more output +* Procd based init system support (start/stop/restart/reload/status/report/search/survey) +* Procd network interface trigger support +* Ability to add new banIP feeds on your own ## Prerequisites -* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support -* a download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' SSL libraries, 'aria2c' or 'curl' is required -* a certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by 
default -* for E-Mail notifications you need to install and setup the additional 'msmtp' package +* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support +* A download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' SSL libraries, 'aria2c' or 'curl' is required +* A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default +* For E-Mail notifications you need to install and setup the additional 'msmtp' package **Please note the following:** * Devices with less than 256Mb of RAM are **_not_** supported * Any previous installation of ancient banIP 0.7.x must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed) ## Installation & Usage -* update your local opkg repository (_opkg update_) -* install banIP (_opkg install banip_) - the banIP service is disabled by default -* edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs (see the options reference below) -* start the service with '/etc/init.d/banip start' and check check everything is working by running '/etc/init.d/banip status' +* Update your local opkg repository (_opkg update_) +* Install banIP (_opkg install banip_) - the banIP service is disabled by default +* Install the LuCI companion package 'luci-app-banip' (opkg install luci-app-banip) +* It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu +* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change 
other options to your needs (see the options reference below) +* Start the service with '/etc/init.d/banip start' and check check everything is working by running '/etc/init.d/banip status' ## banIP CLI interface -* All important banIP functions are accessible via CLI. A LuCI frontend will be available in due course. +* All important banIP functions are accessible via CLI. ``` ~# /etc/init.d/banip Syntax: /etc/init.d/banip [command] @@ -135,6 +137,7 @@ Available commands: | ban_autoallowlist | option | 1 | add wan IPs/subnets automatically to the local allowlist | | ban_autoblocklist | option | 1 | add suspicious attacker IPs automatically to the local blocklist | | ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs | +| ban_basedir | option | /tmp | base working directory while banIP processing | | ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files | | ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files | | ban_protov4 | option | - / autodetect | enable IPv4 support | 
@@ -216,19 +219,19 @@ Available commands: ``` ~# /etc/init.d/banip status ::: banIP runtime information - + status : active - + version : 0.8.1-2 - + element_count : 206644 - + active_feeds : allowlistvMAC, allowlistv4, allowlistv6, torv4, torv6, countryv6, countryv4, dohv4, dohv6, firehol1v4, deblv4, deblv6, - adguardv6, adguardv4, adguardtrackersv6, adguardtrackersv4, adawayv6, adawayv4, oisdsmallv6, oisdsmallv4, stevenblack - v6, stevenblackv4, yoyov6, yoyov4, antipopadsv4, urlhausv4, antipopadsv6, blocklistvMAC, blocklistv4, blocklistv6 + + status : active (nft: ✔, monitor: ✔) + + version : 0.8.1-3 + + element_count : 180596 + + active_feeds : allowlistvMAC, allowlistv4, allowlistv6, adawayv4, adawayv6, adguardv4, cinsscorev4, adguardv6, countryv6, countryv4, + deblv4, deblv6, dohv4, dohv6, firehol1v4, oisdsmallv6, oisdsmallv4, urlvirv4, webclientv4, blocklistvMAC, blocklistv4, + blocklistv6 + active_devices : eth2 + active_interfaces : wan, wan6 - + active_subnets : 91.61.199.218/24, 2a02:910c:0:80:e542:4b0c:846d:1d33/128 - + run_info : base_dir: /tmp, backup_dir: /mnt/data/banIP-backup, report_dir: /mnt/data/banIP-report, feed_file: /etc/banip/banip.feeds - + run_flags : proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, deduplicate: ✔, split: ✘, allowed only: ✘ - + last_run : action: restart, duration: 1m 6s, date: 2023-02-25 08:55:55 - + system_info : cores: 2, memory: 1826, device: Turris Omnia, OpenWrt SNAPSHOT r22125-52ddb38469 + + active_subnets : 91.64.168.218/24, 2a02:710c:0:80:e342:4b0c:725d:1d43/128 + + run_info : base: /tmp, backup: /mnt/data/banIP-backup, report: /mnt/data/banIP-report, feed: /etc/banip/banip.feeds + + run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, allowed only: ✘ + + last_run : action: restart, duration: 0m 58s, date: 2023-03-06 13:50:27 + + system_info : cores: 2, memory: 1831, device: Turris Omnia, OpenWrt SNAPSHOT r22151-1d82a47b49 ``` **banIP search information** 
@@ -242,6 +245,32 @@ Available commands: IP found in set oisdbasicv4 ``` +**banIP survey information** +``` +~# /etc/init.d/banip survey cinsscorev4 +::: +::: banIP Survey +::: + List the elements of set cinsscorev4 on 2023-03-06 14:07:58 + --- +1.10.187.179 +1.10.203.30 +1.10.255.58 +1.11.67.53 +1.11.114.211 +1.11.208.29 +1.12.75.87 +1.12.231.227 +1.12.247.134 +1.12.251.141 +1.14.96.156 +1.14.250.37 +1.15.40.79 +1.15.71.140 +1.15.77.237 +[...] +``` + **allow-/blocklist handling** banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist. Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option. @@ -257,7 +286,7 @@ banIP only supports logfile scanning via logread, so to monitor attacks on Aster **tweaks for low memory systems** nftables supports the atomic loading of rules/sets/members, which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options: - * point 'ban_reportdir' and 'ban_backupdir' to an external usb drive + * point 'ban_basedir', 'ban_reportdir' and 'ban_backupdir' to an external usb drive * set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing * set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members 
@@ -265,7 +294,7 @@ nftables supports the atomic loading of rules/sets/members, which is cool but un By default banIP uses the following pre-configured download options: ``` * aria2c: --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o - * curl: --connect-timeout 20 --silent --show-error --location -o + * curl: --connect-timeout 20 --fail --silent --show-error --location -o * uclient-fetch: --timeout=20 -O * wget: --no-cache --no-cookies --max-redirect=0 --timeout=20 -O ``` diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 179d5678a..a45a0c260 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -11,13 +11,15 @@ export LC_ALL=C export PATH="/usr/sbin:/usr/bin:/sbin:/bin" ban_basedir="/tmp" -ban_backupdir="${ban_basedir}/banIP-backup" -ban_reportdir="${ban_basedir}/banIP-report" +ban_backupdir="/tmp/banIP-backup" +ban_reportdir="/tmp/banIP-report" ban_feedfile="/etc/banip/banip.feeds" -ban_pidfile="/var/run/banip.pid" -ban_lock="/var/run/banip.lock" -ban_blocklist="/etc/banip/banip.blocklist" ban_allowlist="/etc/banip/banip.allowlist" +ban_blocklist="/etc/banip/banip.blocklist" +ban_mailtemplate="/etc/banip/banip.tpl" +ban_pidfile="/var/run/banip.pid" +ban_rtfile="/var/run/banip_runtime.json" +ban_lock="/var/run/banip.lock" ban_fetchcmd="" ban_logreadcmd="$(command -v logread)" ban_logcmd="$(command -v logger)" @@ -32,7 +34,6 @@ ban_mailsender="no-reply@banIP" ban_mailreceiver="" ban_mailtopic="banIP notification" ban_mailprofile="ban_notify" -ban_mailtemplate="/etc/banip/banip.tpl" ban_nftpriority="-200" ban_nftexpiry="" ban_loglevel="warn" @@ -49,7 +50,7 @@ ban_autoallowlist="1" ban_autoblocklist="1" ban_deduplicate="1" ban_splitsize="0" -ban_autodetect="" +ban_autodetect="1" ban_feed="" ban_blockinput="" ban_blockforwardwan="" 
@@ -281,6 +282,24 @@ f_rmpid() { : >"${ban_pidfile}" } +# get nft/monitor actuals +# +f_actual() { + local nft monitor + + if "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then + nft="$(f_char "1")" + else + nft="$(f_char "0")" + fi + if pgrep -f "logread" -P "$(cat "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then + monitor="$(f_char "1")" + else + monitor="$(f_char "0")" + fi + printf "%s" "nft: ${nft}, monitor: ${monitor}" +} + # get wan interfaces # f_getif() { @@ -387,7 +406,7 @@ f_nftinit() { # nft header (tables and chains) # printf "%s\n\n" "#!/usr/sbin/nft -f" - if "${ban_nftcmd}" -t list table inet banIP >/dev/null 2>&1; then + if "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then printf "%s\n" "delete table inet banIP" fi printf "%s\n" "add table inet banIP" @@ -426,6 +445,8 @@ f_nftinit() { return ${feed_rc} } +# handle downloads +# f_down() { local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file input_handles forwardwan_handles forwardlan_handles handle local cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}" @@ -763,7 +784,7 @@ f_rmset() { local tmp_del table_sets input_handles forwardwan_handles forwardlan_handles handle sets feed feed_log feed_rc tmp_del="${ban_tmpfile}.final.delete" - table_sets="$("${ban_nftcmd}" -t list table inet banIP 2>/dev/null | "${ban_awkcmd}" '/^[[:space:]]+set [[:alnum:]]+ /{printf "%s ",$2}' 2>/dev/null)" + table_sets="$("${ban_nftcmd}" -tj list table inet banIP 2>/dev/null | jsonfilter -qe '@.nftables[*].set.name')" input_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-input 2>/dev/null)" forwardwan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-forward 2>/dev/null)" forwardlan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)" 
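Review bot: In f_nftinit the `delete table inet banIP` line is now emitted only when the set `allowlistvMAC` exists, so a banIP table left behind without that set (an aborted or older run, or a configuration that never created it) is no longer flushed before `add table inet banIP`, and its stale chains, sets and rules would survive the reload with the new rules added on top. The table-level probe this hunk removes is the safer gate: `if "${ban_nftcmd}" -t list table inet banIP >/dev/null 2>&1; then`. f_actual in the first hunk of this line uses the same set probe as a status indicator, which is harmless, but deserves a comment stating that allowlistvMAC is assumed to be created unconditionally. f_nftinit's body starts and ends outside this hunk.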
@@ -797,7 +818,7 @@ f_rmset() { # generate status information # f_genstatus() { - local object duration nft_table nft_feeds cnt_elements="0" split="0" status="${1}" + local object duration nft_feeds cnt_elements="0" split="0" status="${1}" [ -z "${ban_dev}" ] && f_conf if [ "${status}" = "active" ]; then @@ -805,8 +826,7 @@ f_genstatus() { ban_endtime="$(date "+%s")" duration="$(((ban_endtime - ban_starttime) / 60))m $(((ban_endtime - ban_starttime) % 60))s" fi - nft_table="$("${ban_nftcmd}" -t list table inet banIP 2>/dev/null)" - nft_feeds="$(f_trim "$(printf "%s\n" "${nft_table}" | "${ban_awkcmd}" '/^[[:space:]]+set [[:alnum:]]+ /{printf "%s ",$2}')")" + nft_feeds="$("${ban_nftcmd}" -tj list table inet banIP 2>/dev/null | jsonfilter -qe '@.nftables[*].set.name')" for object in ${nft_feeds}; do cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${object}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))" done @@ -815,9 +835,9 @@ f_genstatus() { f_system [ ${ban_splitsize:-"0"} -gt "0" ] && split="1" - : >"${ban_basedir}/ban_runtime.json" + : >"${ban_rtfile}" json_init - json_load_file "${ban_basedir}/ban_runtime.json" >/dev/null 2>&1 + json_load_file "${ban_rtfile}" >/dev/null 2>&1 json_add_string "status" "${status}" json_add_string "version" "${ban_ver}" json_add_string "element_count" "${cnt_elements}" 
@@ -874,24 +894,26 @@ f_genstatus() { fi json_close_array json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}, feed: ${ban_feedfile}" - json_add_string "run_flags" "protocol (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), deduplicate: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})" + json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})" json_add_string "last_run" "${runtime:-"-"}" json_add_string "system_info" "cores: ${ban_cores}, memory: ${ban_memory}, device: ${ban_sysver}" - json_dump >"${ban_basedir}/ban_runtime.json" + json_dump >"${ban_rtfile}" } # get status information # f_getstatus() { - local key keylist type value index_value + local key keylist type value index_value actual="${1}" [ -z "${ban_dev}" ] && f_conf - json_load_file "${ban_basedir}/ban_runtime.json" >/dev/null 2>&1 + json_load_file "${ban_rtfile}" >/dev/null 2>&1 if json_get_keys keylist; then printf "%s\n" "::: banIP runtime information" for key in ${keylist}; do json_get_var value "${key}" >/dev/null 2>&1 - if [ "${key%_*}" = "active" ]; then + if [ "${key}" = "status" ]; then + value="${value} ($(f_actual))" + elif [ "${key%_*}" = "active" ]; then json_select "${key}" >/dev/null 2>&1 index=1 while json_get_type type "${index}" && [ "${type}" = "object" ]; do 
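Review bot: f_getstatus now declares `local ... actual="${1}"` but nothing in the visible hunks reads `${actual}`; the status line calls `f_actual` unconditionally, so the parameter is either dead or its use lies in a part of the function not shown here. If it is meant as a switch, gate the call on it, `if [ "${key}" = "status" ] && [ -n "${actual}" ]; then`; otherwise drop it from the `local` line so readers do not look for a caller that passes it. The function continues past this hunk.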
@@ -905,10 +927,8 @@ f_getstatus() { done json_select ".." fi - value="$( - printf "%s" "${value}" | - awk '{NR=1;max=118;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}' - )" + value="$(printf "%s" "${value}" | + awk '{NR=1;max=118;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')" printf " + %-17s : %s\n" "${key}" "${value:-"-"}" done else @@ -964,7 +984,7 @@ f_lookup() { f_log "debug" "f_lookup ::: name: ${feed}, cnt_domain: ${cnt_domain}, cnt_ip: ${cnt_ip}, duration: ${duration}" } -# banIP table statistics +# table statistics # f_report() { local report_jsn report_txt set tmp_val nft_raw nft_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan output="${1}" @@ -1070,8 +1090,8 @@ f_report() { printf "%s\n%s\n%s\n" ":::" "::: banIP Set Statistics" ":::" printf "%s\n" " Timestamp: ${timestamp}" printf "%s\n" " ------------------------------" - printf "%s\n" " auto-added to allowlist: ${autoadd_allow}" - printf "%s\n\n" " auto-added to blocklist: ${autoadd_block}" + printf "%s\n" " auto-added to allowlist today: ${autoadd_allow}" + printf "%s\n\n" " auto-added to blocklist today: ${autoadd_block}" json_select "sets" >/dev/null 2>&1 json_get_keys nft_sets >/dev/null 2>&1 if [ -n "${nft_sets}" ]; then @@ -1121,14 +1141,13 @@ f_report() { esac } -# banIP set search +# set search # f_search() { local nft_sets ip proto run_search search="${1}" f_system run_search="/var/run/banIP.search" - if [ -n "${search}" ]; then ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{printf "%s",RT}')" [ -n "${ip}" ] && proto="v4" 
@@ -1166,6 +1185,29 @@ f_search() { rm -f "${run_search}" } +# set survey +# +f_survey() { + local set_survey set="${1}" + + f_system + if [ -n "${set}" ]; then + if "${ban_nftcmd}" -jt list set inet banIP "${set}" >/dev/null 2>&1; then + set_survey="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')" + else + printf "%s\n%s\n%s\n" ":::" "::: unknown banIP set (single banIP set name)" ":::" + return + fi + else + printf "%s\n%s\n%s\n" ":::" "::: no valid survey input (single banIP set name)" ":::" + return + fi + printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::" + printf "%s\n" " List the elements of set ${set} on $(date "+%Y-%m-%d %H:%M:%S")" + printf "%s\n" " ---" + printf "%s\n" "${set_survey}" +} + # send status mails # f_mail() { diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh index 33ac81b1e..7803376bf 100755 --- a/net/banip/files/banip-service.sh +++ b/net/banip/files/banip-service.sh @@ -1,5 +1,5 @@ #!/bin/sh -# banIP main service script - ban incoming and outgoing ip adresses/subnets via sets in nftables +# banIP main service script - ban incoming and outgoing ip addresses/subnets via sets in nftables # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. diff --git a/net/banip/files/banip.conf b/net/banip/files/banip.conf index ce0a9cac1..eaa30989e 100644 --- a/net/banip/files/banip.conf +++ b/net/banip/files/banip.conf @@ -6,4 +6,4 @@ config banip 'global' list ban_logterm 'luci: failed login' list ban_logterm 'error: maximum authentication attempts exceeded' list ban_logterm 'sshd.*Connection closed by.*\[preauth\]' - list ban_logterm 'SecurityEvent=\"ChallengeResponseFailed\".*RemoteAddress=' + list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress=' diff --git a/net/banip/files/banip.init b/net/banip/files/banip.init index 61639acfb..90587bf76 100755 
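Review bot: The default Asterisk trigger in banip.conf is replaced rather than extended: `SecurityEvent=\"ChallengeResponseFailed\"` (roughly, a failed credential check for a known account) no longer feeds the auto-blocklist, only `InvalidAccountID` (unknown account) does. Since `ban_logterm` is a UCI list, both patterns can coexist; unless the old event was dropped deliberately, which the commit message does not say, keep the previous entry next to the new one: `list ban_logterm 'SecurityEvent=\"ChallengeResponseFailed\".*RemoteAddress='`. If banip.conf is preserved as a conffile on upgrade, this change only affects fresh installations, which is worth stating in the description.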
--- a/net/banip/files/banip.init +++ b/net/banip/files/banip.init @@ -10,7 +10,8 @@ START=30 USE_PROCD=1 extra_command "report" "[text|json|mail] Print banIP related set statistics" -extra_command "search" "[|] Check if an element exists in the banIP sets" +extra_command "search" "[|] Check if an element exists in a banIP set" +extra_command "survey" "[] List all elements of a given banIP set" ban_init="/etc/init.d/banip" ban_service="/usr/bin/banip-service.sh" @@ -19,7 +20,7 @@ ban_pidfile="/var/run/banip.pid" ban_lock="/var/run/banip.lock" [ "${action}" = "stop" ] && ! /etc/init.d/banip running && exit 0 -[ ! -r "${ban_funlib}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "status" ]; } && exit 1 +[ ! -r "${ban_funlib}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && exit 1 [ -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ]; } && exit 1 [ ! -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ]; } && mkdir -p "${ban_lock}" @@ -71,8 +72,10 @@ status() { } status_service() { + local actual="${1}" + [ -z "$(command -v "f_system")" ] && . "${ban_funlib}" - f_getstatus + [ -n "${actual}" ] && f_actual || f_getstatus } report() { @@ -85,6 +88,11 @@ search() { f_search "${1}" } +survey() { + [ -z "$(command -v "f_system")" ] && . "${ban_funlib}" + f_survey "${1}" +} + service_triggers() { local iface trigger delay From 6993b5d9456f4747583082106e889eacc4d8ab08 Mon Sep 17 00:00:00 2001 
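Review bot: The readability guard for `${ban_funlib}` gains `lookup` but not the new `survey` action, so `/etc/init.d/banip survey` with an unreadable function library falls through to the survey() hunk further down and fails inside `. "${ban_funlib}"` instead of exiting 1 like the other commands. Add `|| [ "${action}" = "survey" ]` to the list. `lookup` is not declared with extra_command in the visible hunk, so check whether that entry is intended or a leftover.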
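Review bot: `[ -n "${actual}" ] && f_actual || f_getstatus` in status_service also runs f_getstatus whenever f_actual returns non-zero, because `||` applies to the whole `a && b` expression; an explicit branch avoids the doubled output: `if [ -n "${actual}" ]; then f_actual; else f_getstatus; fi`. Whether procd's status() forwards an argument to status_service is not visible here, so a one-line comment naming the caller that passes the first parameter would help the next reader.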
From: Daniel Golle Date: Sun, 19 Feb 2023 04:41:08 +0000 Subject: [PATCH 05/12] libb64: add package Add generic base64 encode/decode (static) library. Signed-off-by: Daniel Golle --- libs/libb64/Makefile | 34 +++++++++++++++++++++++++ libs/libb64/patches/100-no-Werror.patch | 11 ++++++++ 2 files changed, 45 insertions(+) create mode 100644 libs/libb64/Makefile create mode 100644 libs/libb64/patches/100-no-Werror.patch diff --git a/libs/libb64/Makefile b/libs/libb64/Makefile new file mode 100644 index 000000000..822397591 --- /dev/null +++ b/libs/libb64/Makefile @@ -0,0 +1,34 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=libb64 +PKG_VERSION:=2.0.0 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://codeload.github.com/libb64/libb64/tar.gz/v$(PKG_VERSION)? +PKG_HASH:=28c43c47674409fc50e7145d4c2d26dc1f3d200889c41205e7812c2b67f26382 + +PKG_LICENSE:=PublicDomain +PKG_LICENSE_FILES:=LICENSE.md + +PKG_MAINTAINER:=Daniel Golle + +include $(INCLUDE_DIR)/package.mk + +MAKE_FLAGS+=all_src + +define Package/libb64 + SECTION:=libs + CATEGORY:=Libraries + TITLE:=Base64 Encoding/Decoding Routines + URL:=https://github.com/libb64/libb64 + BUILDONLY:=1 +endef + +define Build/InstallDev + $(INSTALL_DIR) $(1)/usr/include/b64 $(1)/usr/lib + $(CP) $(PKG_BUILD_DIR)/include/b64/*.h $(1)/usr/include/b64 + $(CP) $(PKG_BUILD_DIR)/src/*.a $(1)/usr/lib/ +endef + +$(eval $(call BuildPackage,libb64)) diff --git a/libs/libb64/patches/100-no-Werror.patch b/libs/libb64/patches/100-no-Werror.patch new file mode 100644 index 000000000..548599923 --- /dev/null +++ b/libs/libb64/patches/100-no-Werror.patch @@ -0,0 +1,11 @@ +--- a/src/Makefile ++++ b/src/Makefile +@@ -15,7 +15,7 @@ TARGETS = $(LIBRARIES) + + LINK.o = gcc + +-CFLAGS += -Werror -pedantic ++CFLAGS += -pedantic + CFLAGS += -I../include + + vpath %.h ../include/b64 From 81d2b7262e510b9a4746656712d9f5a2b6521249 Mon Sep 17 00:00:00 2001 
From: Daniel Golle Date: Sun, 19 Feb 2023 04:41:44 +0000 Subject: [PATCH 06/12] libdeflate: add package Add package for libdeflate which is a library for fast, whole-buffer DEFLATE-based compression and decompression. Signed-off-by: Daniel Golle --- libs/libdeflate/Makefile | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 libs/libdeflate/Makefile diff --git a/libs/libdeflate/Makefile b/libs/libdeflate/Makefile new file mode 100644 index 000000000..1eb16c799 --- /dev/null +++ b/libs/libdeflate/Makefile @@ -0,0 +1,38 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=libdeflate +PKG_VERSION:=1.17 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://codeload.github.com/ebiggers/libdeflate/tar.gz/v$(PKG_VERSION)? +PKG_HASH:=fa4615af671513fa2a53dc2e7a89ff502792e2bdfc046869ef35160fcc373763 + +PKG_LICENSE:=COPYING +PKG_LICENSE_FILES:=MIT + +PKG_MAINTAINER:=Daniel Golle + +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/cmake.mk + +define Package/libdeflate + SECTION:=libs + CATEGORY:=Libraries + TITLE:=library for fast, whole-buffer DEFLATE-based compression and decompression + URL:=https://github.com/ebiggers/libdeflate +endef + +define Package/libdeflate/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libdeflate.so* $(1)/usr/lib/ +endef + +define Build/InstallDev + $(INSTALL_DIR) $(1)/usr/include $(1)/usr/lib/pkgconfig + $(CP) $(PKG_INSTALL_DIR)/usr/include/*.h $(1)/usr/include/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/*.so* $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libdeflate.pc $(1)/usr/lib/pkgconfig/ +endef + +$(eval $(call BuildPackage,libdeflate)) From a281a8af9f7b74960a52a3e102fc636c0722b92c Mon Sep 17 00:00:00 2001 From: Daniel Golle Date: Sun, 19 Feb 2023 04:43:43 +0000 Subject: [PATCH 07/12] libdht: add package Add Kademlia Distributed Hash Table (DHT) library. 
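Review bot: PKG_LICENSE and PKG_LICENSE_FILES are swapped in the new libs/libdeflate/Makefile: `PKG_LICENSE:=COPYING` names the file and `PKG_LICENSE_FILES:=MIT` names the license. They should read `PKG_LICENSE:=MIT` and `PKG_LICENSE_FILES:=COPYING`, matching the other new packages in this series (libdht, libutp).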
Signed-off-by: Daniel Golle --- libs/libdht/Makefile | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 libs/libdht/Makefile diff --git a/libs/libdht/Makefile b/libs/libdht/Makefile new file mode 100644 index 000000000..f81847aa8 --- /dev/null +++ b/libs/libdht/Makefile @@ -0,0 +1,41 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=libdht +PKG_RELEASE:=1 + +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=https://github.com/jech/dht +PKG_SOURCE_DATE:=2022-04-27 +PKG_SOURCE_VERSION:=111230894416d400c9a1e038a033586bfeaafc93 +PKG_MIRROR_HASH:=71decd82023e0d3ec872604e9f0d709003906b38266990a8b1bb540907d1d3f0 + +PKG_LICENSE:=MIT +PKG_LICENSE_FILES:=LICENSE + +PKG_MAINTAINER:=Daniel Golle + +include $(INCLUDE_DIR)/package.mk + +define Package/libdht + SECTION:=libs + CATEGORY:=Libraries + TITLE:=Kademlia Distributed Hash Table (DHT) library +endef + +define Build/InstallDev + $(INSTALL_DIR) $(1)/usr/include/dht $(1)/usr/lib + $(CP) $(PKG_BUILD_DIR)/dht.h $(1)/usr/include/dht + $(CP) $(PKG_BUILD_DIR)/libdht.so $(1)/usr/lib/ +endef + +define Package/libdht/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_BUILD_DIR)/libdht.so $(1)/usr/lib/ +endef + +define Build/Compile + $(TARGET_CC) $(FPIC) -Wall -c -o $(PKG_BUILD_DIR)/dht.o $(PKG_BUILD_DIR)/dht.c + $(TARGET_CC) -shared -lcrypt -o $(PKG_BUILD_DIR)/libdht.so $(PKG_BUILD_DIR)/dht.o +endef + +$(eval $(call BuildPackage,libdht)) From 1ecef46f1cb00aeac717710e6a25b82b68a2970b Mon Sep 17 00:00:00 2001 From: Daniel Golle Date: Sun, 19 Feb 2023 04:44:16 +0000 Subject: [PATCH 08/12] libutp: add package Add Transmission version of the uTorrent Transport Protocol library. Signed-off-by: Daniel Golle --- libs/libutp/Makefile | 46 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 libs/libutp/Makefile diff --git a/libs/libutp/Makefile b/libs/libutp/Makefile new file mode 100644 index 000000000..28c755d9f --- /dev/null +++ b/libs/libutp/Makefile 
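Review bot: The hand-written Build/Compile recipe invokes $(TARGET_CC) without $(TARGET_CFLAGS) and $(TARGET_LDFLAGS), so the buildroot's optimisation and hardening settings (stack protector, RELRO and similar, as configured) are not applied to libdht.so, unlike packages built through the standard make/cmake includes. Pass them through: `$(TARGET_CC) $(TARGET_CFLAGS) $(FPIC) -Wall -c -o $(PKG_BUILD_DIR)/dht.o $(PKG_BUILD_DIR)/dht.c` and `$(TARGET_CC) $(TARGET_LDFLAGS) -shared -lcrypt -o $(PKG_BUILD_DIR)/libdht.so $(PKG_BUILD_DIR)/dht.o`. Also confirm that `-lcrypt` is really needed by dht.c; nothing in this Makefile shows a use of crypt(3), and an unneeded library dependency is better dropped.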
@@ -0,0 +1,46 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libutp
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/transmission/libutp
+PKG_SOURCE_DATE:=2023-02-14
+PKG_SOURCE_VERSION:=c95738b1a6644b919e5b64d3ea9736cfc5894e0b
+PKG_MIRROR_HASH:=5e466da0cb45119d58e8dd847da13951c94bfe9f20936f96b43f350d1e49c625
+
+PKG_LICENSE:=MIT
+PKG_LICENSE_FILES:=LICENSE
+
+PKG_MAINTAINER:=Daniel Golle
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
+
+define Package/libutp
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=The uTorrent Transport Protocol library
+ DEPENDS:=+libstdcpp
+endef
+
+# MAKE_VARS+=OPT="-I$(PKG_BUILD_DIR)/include/libutp -I$(PKG_BUILD_DIR)/include"
+
+CMAKE_OPTIONS += \
+ -DLIBUTP_SHARED:BOOL=YES \
+ -DLIBUTP_ENABLE_INSTALL:BOOL=YES \
+ -DLIBUTP_ENABLE_WERROR:BOOL=YES \
+ -DLIBUTP_BUILD_PROGRAMS:BOOL=NO
+
+define Build/InstallDev
+ $(INSTALL_DIR) $(1)/usr/include/libutp $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/include/libutp/*.h $(1)/usr/include/libutp
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libutp.so $(1)/usr/lib/
+endef
+
+define Package/libutp/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_BUILD_DIR)/libutp.so $(1)/usr/lib/
+endef
+
+$(eval $(call BuildPackage,libutp))
From 96fd2dc5317f811a575de449d1db8dfdee5c3e61 Mon Sep 17 00:00:00 2001 From: Daniel Golle Date: Sun, 19 Feb 2023 04:44:50 +0000 Subject: [PATCH 09/12] transmission: update to version 4.0.1 This is a major release, both in numbering and in effort! It's been in active development for over a year and has a huge list of changes -- over a thousand commits -- since Transmission 3.00. For more information about the release see https://github.com/transmission/transmission/releases/tag/4.0.0 https://github.com/transmission/transmission/releases/tag/4.0.1
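Review bot: Package/libutp/install copies `$(PKG_BUILD_DIR)/libutp.so` while Build/InstallDev, a few lines above, takes the same library from `$(PKG_INSTALL_DIR)/usr/lib/libutp.so`; with cmake.mk included and `-DLIBUTP_ENABLE_INSTALL:BOOL=YES` set, the copy in PKG_INSTALL_DIR is the one the project's install step produced, so both rules should use it (`$(CP) $(PKG_INSTALL_DIR)/usr/lib/libutp.so $(1)/usr/lib/`) rather than having the shipped file depend on where CMake happens to place build products. The commented-out `# MAKE_VARS+=OPT=...` line is dead configuration from a non-CMake build and should be removed rather than left to mislead the next maintainer. `-DLIBUTP_ENABLE_WERROR:BOOL=YES` turns every new compiler warning after a toolchain bump into a package build failure, which is usually unwanted in a feed; consider `NO` unless there is a reason to keep it.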
Signed-off-by: Daniel Golle --- net/transmission/Makefile | 65 ++++++++++++------ .../files/transmission-daemon.json | 2 + net/transmission/files/transmission.init | 2 +- .../001-apply-dscp-to-udp-sockets.patch | 68 ------------------- .../patches/010-no-intltool.patch | 12 ---- net/transmission/patches/020-mbedcrypto.patch | 13 ---- net/transmission/patches/030-wolfssl.patch | 24 ------- .../patches/080-disable-webseeding.patch | 11 --- 8 files changed, 46 insertions(+), 151 deletions(-) delete mode 100644 net/transmission/patches/001-apply-dscp-to-udp-sockets.patch delete mode 100644 net/transmission/patches/010-no-intltool.patch delete mode 100644 net/transmission/patches/020-mbedcrypto.patch delete mode 100644 net/transmission/patches/030-wolfssl.patch delete mode 100644 net/transmission/patches/080-disable-webseeding.patch diff --git a/net/transmission/Makefile b/net/transmission/Makefile index 4626c1b96..dc95537c2 100644 --- a/net/transmission/Makefile +++ b/net/transmission/Makefile @@ -8,20 +8,20 @@ include $(TOPDIR)/rules.mk PKG_NAME:=transmission -PKG_VERSION:=3.00 -PKG_RELEASE:=19 +PKG_VERSION:=4.0.1 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_SOURCE_URL:=@GITHUB/transmission/transmission-releases/master -PKG_HASH:=9144652fe742f7f7dd6657716e378da60b751aaeda8bef8344b3eefc4db255f2 +PKG_SOURCE_URL:=https://github.com/transmission/transmission/releases/download/$(PKG_VERSION)/ +PKG_HASH:=8fc5aef23638c983406f6a3ee9918369e4cdc84e3228bd2fb3d01dd55cdad900 PKG_MAINTAINER:=Daniel Golle PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE_FILES:=COPYING PKG_CPE_ID:=cpe:/a:transmissionbt:transmission -PKG_FIXUP:=autoreconf PKG_INSTALL:=1 +PKG_BUILD_DEPENDS:=libb64 node/host PKG_BUILD_PARALLEL:=1 PKG_CONFIG_DEPENDS:= \ CONFIG_LIBCURL_GNUTLS \ @@ -31,6 +31,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_LIBCURL_NOSSL include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/cmake.mk include $(INCLUDE_DIR)/package-seccomp.mk define Package/transmission/template 
@@ -39,7 +40,10 @@ define Package/transmission/template CATEGORY:=Network TITLE:=BitTorrent client URL:=https://www.transmissionbt.com - DEPENDS:=+libcurl +libevent2 +libminiupnpc +libnatpmp +libpthread +librt +zlib +LIBCURL_NOSSL:libmbedtls +LIBCURL_GNUTLS:libmbedtls + DEPENDS:=+libatomic +libcurl +libdeflate +libdht +libevent2 \ + +libevent2-pthreads +libminiupnpc +libnatpmp +libpthread +libpsl \ + +librt +libutp +zlib +LIBCURL_NOSSL:libmbedtls \ + +LIBCURL_GNUTLS:libmbedtls endef define Package/transmission-daemon 
@@ -87,23 +91,40 @@ define Package/transmission-daemon/conffiles
 /etc/config/transmission
 endef
 
-TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto
+TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto -DHAVE_SIZE_T -latomic
 TARGET_LDFLAGS += -Wl,--gc-sections -Wl,--as-needed
 
-CONFIGURE_ARGS += \
- --enable-cli \
- --enable-daemon \
- --enable-external-natpmp \
- --enable-largefile \
- --enable-lightweight \
- --without-gtk \
- --without-kqueue \
- --without-systemd-daemon \
- $(if $(CONFIG_LIBCURL_NOSSL),--with-crypto=polarssl) \
- $(if $(CONFIG_LIBCURL_GNUTLS),--with-crypto=polarssl) \
- $(if $(CONFIG_LIBCURL_MBEDTLS),--with-crypto=polarssl) \
- $(if $(CONFIG_LIBCURL_OPENSSL),--with-crypto=openssl) \
- $(if $(CONFIG_LIBCURL_WOLFSSL),--with-crypto=cyassl)
+CMAKE_OPTIONS += \
+ -DENABLE_CLI:BOOL=YES \
+ -DENABLE_GTK:BOOL=NO \
+ -DENABLE_QT:BOOL=NO \
+ -DENABLE_MAC:BOOL=NO \
+ -DENABLE_TESTS:BOOL=NO \
+ -DENABLE_NLS:BOOL=NO \
+ -DENABLE_UTP:BOOL=YES \
+ -DRUN_CLANG_TIDY:BOOL=NO \
+ -DUSE_SYSTEM_EVENT2:BOOL=YES \
+ -DUSE_SYSTEM_DEFLATE:BOOL=YES \
+ -DUSE_SYSTEM_DHT:BOOL=YES \
+ -DUSE_SYSTEM_MINIUPNPC:BOOL=YES \
+ -DUSE_SYSTEM_NATPMP:BOOL=YES \
+ -DUSE_SYSTEM_UTP:BOOL=YES \
+ -DUSE_SYSTEM_B64:BOOL=YES \
+ -DUSE_SYSTEM_PSL:BOOL=YES \
+ -DWITH_INOTIFY:BOOL=YES \
+ -DWITH_KQUEUE:BOOL=NO \
+ -DWITH_SYSTEMD:BOOL=NO \
+ -DB64_INCLUDE_DIR=$(STAGING_DIR)/usr/include \
+ -DB64_LIBRARY=$(STAGING_DIR)/usr/lib/libb64.a \
+ -DDHT_INCLUDE_DIR=$(STAGING_DIR)/usr/include \
+ -DDHT_LIBRARY=$(STAGING_DIR)/usr/lib/libdht.so \
+ -DUTP_INCLUDE_DIR=$(STAGING_DIR)/usr/include \
+ -DUTP_LIBRARY=$(STAGING_DIR)/usr/lib/libutp.so \
+ $(if $(CONFIG_LIBCURL_NOSSL),-DWITH_CRYPTO=mbedtls) \
+ $(if $(CONFIG_LIBCURL_GNUTLS),-DWITH_CRYPTO=mbedtls) \
+ $(if $(CONFIG_LIBCURL_MBEDTLS),-DWITH_CRYPTO=mbedtls) \
+ $(if $(CONFIG_LIBCURL_OPENSSL),-DWITH_CRYPTO=openssl) \
+ $(if $(CONFIG_LIBCURL_WOLFSSL),-DWITH_CRYPTO=wolfssl)
 
 define Package/transmission-daemon/install
 $(INSTALL_DIR) $(1)/usr/bin
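Review bot: `-latomic` in TARGET_CFLAGS is a linker input, not a compiler flag: every compile step ignores it (gcc reports the linker input as unused), and at link time it lands wherever CMake places the C/C++ flags, which as far as I can tell is ahead of the object files and therefore subject to the `-Wl,--as-needed` already set in TARGET_LDFLAGS on the next line. A placement that survives `--as-needed` is one CMake appends after the objects, e.g. `-DCMAKE_CXX_STANDARD_LIBRARIES=-latomic` in CMAKE_OPTIONS with `-latomic` removed from TARGET_CFLAGS; since `+libatomic` is now declared as a runtime dependency, confirm with readelf -d on the built daemon that libatomic actually shows up as DT_NEEDED. The same readelf check is worth doing for `-DDHT_LIBRARY` and `-DUTP_LIBRARY`, which hand the linker absolute `$(STAGING_DIR)` paths: unless those libraries carry a SONAME, the linker records the path it was given, and the binary will then look for the staging directory on the target.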
@@ -133,7 +154,7 @@ endef
 
 define Package/transmission-web/install
 $(INSTALL_DIR) $(1)/usr/share/transmission
- $(CP) $(PKG_INSTALL_DIR)/usr/share/transmission/web $(1)/usr/share/transmission/
+ $(CP) $(PKG_INSTALL_DIR)/usr/share/transmission/public_html $(1)/usr/share/transmission/
 endef
 
 $(eval $(call BuildPackage,transmission-daemon))
diff --git a/net/transmission/files/transmission-daemon.json b/net/transmission/files/transmission-daemon.json
index b652d3257..f1fc456ec 100644
--- a/net/transmission/files/transmission-daemon.json
+++ b/net/transmission/files/transmission-daemon.json
@@ -17,6 +17,7 @@
 "epoll_create1",
 "epoll_ctl",
 "epoll_pwait",
+ "eventfd2",
 "exit",
 "exit_group",
 "faccessat",
@@ -87,6 +88,7 @@
 "sendto",
 "setsockopt",
 "shutdown",
+ "signalfd4",
 "sigreturn",
 "socket",
 "socketpair",
diff --git a/net/transmission/files/transmission.init b/net/transmission/files/transmission.init
index a6bc00f01..a1673087f 100644
--- a/net/transmission/files/transmission.init
+++ b/net/transmission/files/transmission.init
@@ -170,7 +170,7 @@ transmission() {
 procd_add_jail_mount_rw "$download_dir"
 [ "$incomplete_dir_enabled" = "1" ] && procd_add_jail_mount_rw "$incomplete_dir"
 [ "$watch_dir_enabled" = "1" ] && procd_add_jail_mount_rw "$watch_dir"
- web_home="${web_home:-/usr/share/transmission/web}"
+ web_home="${web_home:-/usr/share/transmission/public_html}"
 [ -d "$web_home" ] && procd_add_jail_mount "$web_home"
 [ -f "$ca_bundle_file" ] && procd_add_jail_mount "$ca_bundle_file"
 procd_close_instance
diff --git a/net/transmission/patches/001-apply-dscp-to-udp-sockets.patch b/net/transmission/patches/001-apply-dscp-to-udp-sockets.patch deleted file mode 100644
index a3fd63441..000000000
--- a/net/transmission/patches/001-apply-dscp-to-udp-sockets.patch
+++ /dev/null
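Review bot: The two syscalls added to the seccomp allowlist in transmission-daemon.json, `eventfd2` in the first hunk and `signalfd4` in the second, look like the minimum needed to get the 4.0.1 daemon past an immediate SIGSYS rather than the result of re-deriving the profile for the new code base; with libdht, libutp, libdeflate, libpsl and libevent2-pthreads all newly linked in, the daemon's syscall footprint has very likely changed in more places than these two. Before this ships, run the new daemon inside the jail with the filter in a logging mode (or under strace) across the paths the init script enables — DHT and uTP peer traffic, the watch directory, the web UI — and rebuild the list from that trace, so that a missing entry surfaces in review instead of as a daemon that aborts in the field. Both added entries are fd-creation syscalls and do not widen the jail in any meaningful way, so the additions themselves are fine; since the JSON cannot carry a comment, the commit message is the place to record what made them necessary.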
@@ -1,68 +0,0 @@ -From 98da2afa58b7bdf5350de16fd99905ddb04e1b0d Mon Sep 17 00:00:00 2001 -From: Dan Walters -Date: Sun, 13 Oct 2019 10:08:36 -0500 -Subject: [PATCH] Apply the configured peer socket TOS to UDP sockets, not just - TCP. - ---- - libtransmission/session.c | 2 ++ - libtransmission/tr-udp.c | 20 ++++++++++++++++++++ - libtransmission/tr-udp.h | 1 + - 3 files changed, 23 insertions(+) - ---- a/libtransmission/session.c -+++ b/libtransmission/session.c -@@ -2274,6 +2274,8 @@ static void toggle_utp(void* data) - - tr_udpSetSocketBuffers(session); - -+ tr_udpSetSocketTOS(session); -+ - /* But don't call tr_utpClose -- see reset_timer in tr-utp.c for an - explanation. */ - } ---- a/libtransmission/tr-udp.c -+++ b/libtransmission/tr-udp.c -@@ -125,6 +125,24 @@ void tr_udpSetSocketBuffers(tr_session* - } - } - -+void tr_udpSetSocketTOS(tr_session* session) -+{ -+ if (session->peerSocketTOS == 0) -+ { -+ return; -+ } -+ -+ if (session->udp_socket != TR_BAD_SOCKET) -+ { -+ tr_netSetTOS(session->udp_socket, session->peerSocketTOS, TR_AF_INET); -+ } -+ -+ if (session->udp6_socket != TR_BAD_SOCKET) -+ { -+ tr_netSetTOS(session->udp6_socket, session->peerSocketTOS, TR_AF_INET6); -+ } -+} -+ - /* BEP-32 has a rather nice explanation of why we need to bind to one - IPv6 address, if I may say so myself. */ - -@@ -363,6 +381,8 @@ ipv6: - - tr_udpSetSocketBuffers(ss); - -+ tr_udpSetSocketTOS(ss); -+ - if (ss->isDHTEnabled) - { - tr_dhtInit(ss); ---- a/libtransmission/tr-udp.h -+++ b/libtransmission/tr-udp.h -@@ -30,5 +30,6 @@ THE SOFTWARE. - void tr_udpInit(tr_session*); - void tr_udpUninit(tr_session*); - void tr_udpSetSocketBuffers(tr_session*); -+void tr_udpSetSocketTOS(tr_session*); - - bool tau_handle_message(tr_session* session, uint8_t const* msg, size_t msglen); diff --git a/net/transmission/patches/010-no-intltool.patch b/net/transmission/patches/010-no-intltool.patch deleted file mode 100644 index ba59092bc..000000000 
--- a/net/transmission/patches/010-no-intltool.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- a/configure.ac -+++ b/configure.ac -@@ -555,9 +555,6 @@ dnl it should be safe to re-edit 0.40 ba - use_nls=no - if test "x$enable_nls" = "xyes" ; then - use_nls=yes -- m4_ifdef([IT_PROG_INTLTOOL], -- [IT_PROG_INTLTOOL([0.35.0],[no-xml])], -- [AC_MSG_ERROR("--enable-nls requires intltool to be installed.")]) - AC_CHECK_HEADERS([libintl.h]) - GETTEXT_PACKAGE=transmission-gtk - AC_SUBST(GETTEXT_PACKAGE) diff --git a/net/transmission/patches/020-mbedcrypto.patch b/net/transmission/patches/020-mbedcrypto.patch deleted file mode 100644 index 18c33f5b7..000000000 --- a/net/transmission/patches/020-mbedcrypto.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- a/configure.ac -+++ b/configure.ac -@@ -152,8 +152,8 @@ AS_IF([test "x$want_crypto" = "xauto" -o - ) - ]) - AS_IF([test "x$want_crypto" = "xauto" -o "x$want_crypto" = "xpolarssl"], [ -- PKG_CHECK_MODULES(MBEDTLS, [mbedtls >= $POLARSSL_MINIMUM], -- [want_crypto="polarssl"; CRYPTO_PKG="polarssl"; CRYPTO_CFLAGS="$MBEDTLS_CFLAGS"; CRYPTO_LIBS="$MBEDTLS_LIBS"; POLARSSL_IS_MBEDTLS=yes], -+ AC_CHECK_LIB(mbedcrypto, mbedtls_strerror, -+ [want_crypto="polarssl"; CRYPTO_PKG="polarssl"; CRYPTO_LIBS="-lmbedcrypto"; POLARSSL_IS_MBEDTLS=yes], - [AC_CHECK_HEADER([polarssl/version.h], - [AC_EGREP_CPP([version_ok], [#include - #if defined (POLARSSL_VERSION_NUMBER) && POLARSSL_VERSION_NUMBER >= $POLARSSL_MINIMUM diff --git a/net/transmission/patches/030-wolfssl.patch b/net/transmission/patches/030-wolfssl.patch deleted file mode 100644 index 53e1393d5..000000000 --- a/net/transmission/patches/030-wolfssl.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -From 82b5d4028885d75adba9b66d43aeb11592e64914 Mon Sep 17 00:00:00 2001 -From: Rosen Penev -Date: Wed, 13 Oct 2021 18:16:55 -0700 -Subject: [PATCH] fix runtime with wolfSSL and fastmath - -wolfSSL's fastmath support requires options.h to be included before -anything else. Otherwise bad codepaths get taken and a crash occurs -during DH initialization. - -Signed-off-by: Rosen Penev ---- - libtransmission/crypto-utils-cyassl.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/libtransmission/crypto-utils-cyassl.c -+++ b/libtransmission/crypto-utils-cyassl.c -@@ -19,6 +19,7 @@ - #define API_VERSION_HEX LIBCYASSL_VERSION_HEX - #endif - -+#include API_HEADER(options.h) - #include API_HEADER_CRYPT(arc4.h) - #include API_HEADER_CRYPT(dh.h) - #include API_HEADER_CRYPT(error-crypt.h) diff --git a/net/transmission/patches/080-disable-webseeding.patch b/net/transmission/patches/080-disable-webseeding.patch deleted file mode 100644 index f63d78d3e..000000000 --- a/net/transmission/patches/080-disable-webseeding.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/libtransmission/webseed.c -+++ b/libtransmission/webseed.c -@@ -510,8 +510,6 @@ static void webseed_timer_func(evutil_so - ++w->retry_tickcount; - } - -- on_idle(w); -- - tr_timerAddMsec(w->timer, TR_IDLE_TIMER_MSEC); - } - From a3e64cdd1e799067d87a1f2bf8198f2182fee105 Mon Sep 17 00:00:00 2001 From: Aleksander Jan Bajkowski Date: Sun, 5 Mar 2023 17:25:37 +0100 Subject: [PATCH 10/12] coremark: bump to 2023-01-25 Signed-off-by: Aleksander Jan Bajkowski --- utils/coremark/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/utils/coremark/Makefile b/utils/coremark/Makefile index 0a3113c47..dc7c13eeb 100644 --- a/utils/coremark/Makefile +++ b/utils/coremark/Makefile 
@@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=coremark -PKG_SOURCE_DATE:=2022-07-27 -PKG_SOURCE_VERSION:=eefc986ebd3452d6adde22eafaff3e5c859f29e4 +PKG_SOURCE_DATE:=2023-01-25 +PKG_SOURCE_VERSION:=d5fad6bd094899101a4e5fd53af7298160ced6ab PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_DATE).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/eembc/coremark/tar.gz/$(PKG_SOURCE_VERSION)? -PKG_HASH:=a5964bf215786d65d08941b6f9a9a4f4e50524f5391fa3826db2994c47d5e7f3 +PKG_HASH:=76f3b98fc940d277521023dc6e106551ef4a2180fa4c3da8cd5bf933aa494ef2 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_SOURCE_VERSION) PKG_MAINTAINER:=Lim Guo Wei \ From 665ae34856a1c740e05f2706e02405aaeeb06d81 Mon Sep 17 00:00:00 2001 From: Oskari Rauta Date: Mon, 6 Mar 2023 11:04:17 +0000 Subject: [PATCH 11/12] conmon: update to 2.1.7 - Fix leaking symbolic links in the opt_socket_path directory - cgroup: Stumble on if we can't set up oom handling Signed-off-by: Oskari Rauta --- utils/conmon/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utils/conmon/Makefile b/utils/conmon/Makefile index c78c97554..48a149a48 100644 --- a/utils/conmon/Makefile +++ b/utils/conmon/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=conmon -PKG_VERSION:=2.1.6 +PKG_VERSION:=2.1.7 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/containers/$(PKG_NAME)/archive/v$(PKG_VERSION) -PKG_HASH:=340453f7aac43e6a1f9a5efe31f24471f8a7a997a849ad6d1ff3fb530a9e2874 +PKG_HASH:=7d0f9a2f7cb8a76c51990128ac837aaf0cc89950b6ef9972e94417aa9cf901fe PKG_MAINTAINER:=Oskari Rauta PKG_LICENSE:=Apache-2.0 From 58fcaf8fc4d56c929a43be14fcd5c10d349502ec Mon Sep 17 00:00:00 2001 From: Oskari Rauta Date: Mon, 6 Mar 2023 10:56:34 +0000 Subject: [PATCH 12/12] netbird: update to 0.14.2 Update from 0.12.0 -> 0.14.2 Release notes: https://github.com/netbirdio/netbird/releases 
Signed-off-by: Oskari Rauta --- net/netbird/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netbird/Makefile b/net/netbird/Makefile index 561557203..6f0a0d716 100644 --- a/net/netbird/Makefile +++ b/net/netbird/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=netbird -PKG_VERSION:=0.12.0 +PKG_VERSION:=0.14.2 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/netbirdio/netbird/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=c88b65bb9358e5a6f9c34882e77a3414b02d4c5ac13b76fb2e60b952af6a18d7 +PKG_HASH:=8ffef4569572b9eb93891e881cb7b3b9ba98b5596f3ffda3b433b32e364adb56 PKG_MAINTAINER:=Oskari Rauta PKG_LICENSE:=BSD-3-Clause