diff --git a/admin/zabbix/Makefile b/admin/zabbix/Makefile index 721cdb1b4..c4f8c464a 100644 --- a/admin/zabbix/Makefile +++ b/admin/zabbix/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=zabbix -PKG_VERSION:=6.2.3 -PKG_RELEASE:=3 +PKG_VERSION:=6.4.7 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://cdn.zabbix.com/zabbix/sources/stable/$(basename $(PKG_VERSION))/ \ https://cdn.zabbix.com/zabbix/sources/oldstable/$(basename $(PKG_VERSION))/ -PKG_HASH:=2be7e57fb33a55fee71480598e317ffa6a8ee5a39639a7e1b42b2ea6872107b5 +PKG_HASH:=6b4e81f07de4c82c7994871bea51be4d6427683fa9a7fbe112fd7559b3670e49 PKG_MAINTAINER:=Etienne CHAMPETIER PKG_LICENSE:=GPL-2.0 @@ -57,7 +57,7 @@ define Package/zabbix/Default TITLE:=Zabbix URL:=https://www.zabbix.com/ USERID:=zabbix=53:zabbix=53 - DEPENDS+=$(ICONV_DEPENDS) +libpcre +zlib + DEPENDS+=$(ICONV_DEPENDS) +libpcre2 +zlib endef define Package/zabbix-agentd @@ -157,6 +157,7 @@ define Package/zabbix-server/Default +ZABBIX_MYSQL:libmariadbclient \ @(!ZABBIX_SQLITE) \ +libevent2 \ + +libevent2-pthreads \ +fping endef @@ -209,6 +210,7 @@ define Package/zabbix-proxy/Default +ZABBIX_MYSQL:libmariadbclient \ +ZABBIX_SQLITE:libsqlite3 \ +libevent2 \ + +libevent2-pthreads \ +fping endef @@ -262,8 +264,8 @@ CONFIGURE_ARGS+= \ $(if $(CONFIG_ZABBIX_MYSQL),--with-mysql) \ $(if $(CONFIG_ZABBIX_POSTGRESQL),--with-postgresql) \ $(if $(CONFIG_ZABBIX_SQLITE),--with-sqlite3=$(STAGING_DIR)/usr) \ - --with-libevent=$(STAGING_DIR)/usr/include/libevent \ - --with-libpcre=$(STAGING_DIR)/usr/include \ + --with-libevent=$(STAGING_DIR)/usr/include \ + --with-libpcre2=$(STAGING_DIR)/usr/include \ --with-zlib=$(STAGING_DIR)/usr/include ifeq ($(BUILD_VARIANT),openssl) diff --git a/admin/zabbix/patches/110-reproducible-builds.patch b/admin/zabbix/patches/110-reproducible-builds.patch index 723ccfe14..471e1e6b1 100644 --- a/admin/zabbix/patches/110-reproducible-builds.patch 
+++ b/admin/zabbix/patches/110-reproducible-builds.patch @@ -1,6 +1,6 @@ ---- a/src/libs/zbxcommon/str.c -+++ b/src/libs/zbxcommon/str.c -@@ -49,7 +49,7 @@ static const char help_message_footer[] +--- a/src/libs/zbxcommon/misc.c ++++ b/src/libs/zbxcommon/misc.c +@@ -329,7 +329,7 @@ void zbx_help(void) void zbx_version(void) { printf("%s (Zabbix) %s\n", title_message, ZABBIX_VERSION); diff --git a/lang/php8-pecl-http/Makefile b/lang/php8-pecl-http/Makefile index 1a6543cac..07b2a5677 100644 --- a/lang/php8-pecl-http/Makefile +++ b/lang/php8-pecl-http/Makefile @@ -8,9 +8,9 @@ include $(TOPDIR)/rules.mk PECL_NAME:=pecl_http PECL_LONGNAME:=Extended HTTP Support -PKG_VERSION:=4.2.3 -PKG_RELEASE:=2 -PKG_HASH:=fa2ab558fc8f0928a10f35c0f566f7c4a1d32e727bd3a96579e4c28482ee9d6a +PKG_VERSION:=4.2.4 +PKG_RELEASE:=1 +PKG_HASH:=fb1e10c2e5edfb011ff8dc2e473cdbd2bbe0127d1279dfce4d98570555ac6ded PKG_NAME:=php8-pecl-http PKG_SOURCE:=$(PECL_NAME)-$(PKG_VERSION).tgz diff --git a/lang/php8-pecl-redis/Makefile b/lang/php8-pecl-redis/Makefile index 0a53121c9..88ed4d60f 100644 --- a/lang/php8-pecl-redis/Makefile +++ b/lang/php8-pecl-redis/Makefile @@ -8,9 +8,9 @@ include $(TOPDIR)/rules.mk PECL_NAME:=redis PECL_LONGNAME:=PHP extension for interfacing with Redis -PKG_VERSION:=6.0.1 +PKG_VERSION:=6.0.2 PKG_RELEASE:=1 -PKG_HASH:=d39136e0ef9495f8e775ef7349a97658fb41c526d12d8e517f56274f149e1e4e +PKG_HASH:=01aeccb0e14f897fe56f0509be6e6991ff0ad459f9d34e95e4556d02699b9a03 PKG_NAME:=php8-pecl-redis PKG_SOURCE:=$(PECL_NAME)-$(PKG_VERSION).tgz diff --git a/lang/php8-pecl-xdebug/Makefile b/lang/php8-pecl-xdebug/Makefile index d2a85f26c..3c62f6561 100644 --- a/lang/php8-pecl-xdebug/Makefile +++ b/lang/php8-pecl-xdebug/Makefile 
@@ -8,9 +8,9 @@ include $(TOPDIR)/rules.mk PECL_NAME:=xdebug PECL_LONGNAME:=Xdebug extension -PKG_VERSION:=3.2.1 +PKG_VERSION:=3.2.2 PKG_RELEASE:=1 -PKG_HASH:=ef4cb3c228192798874e4530cccceee76840cc80821909740088a1e1a8f00445 +PKG_HASH:=f48777371f90cbb315ea4ea082a1ede6765bcfb35d7d6356ab8f71fd6dfcc157 PKG_NAME:=php8-pecl-xdebug PKG_SOURCE:=$(PECL_NAME)-$(PKG_VERSION).tgz diff --git a/lang/python/python-pip/Makefile b/lang/python/python-pip/Makefile index c21d2bdff..c41b27ca4 100644 --- a/lang/python/python-pip/Makefile +++ b/lang/python/python-pip/Makefile @@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-pip -PKG_VERSION:=23.2.1 +PKG_VERSION:=23.3.1 PKG_RELEASE:=1 PYPI_NAME:=pip -PKG_HASH:=fb0bd5435b3200c602b5bf61d2d43c2f13c02e29c1707567ae7fbc514eb9faf2 +PKG_HASH:=1fcaa041308d01f14575f6d0d2ea4b75a3e2871fe4f9c694976f908768e14174 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE.txt diff --git a/lang/python/python-pip/patches/001-pyproject-hooks-pyc-fix.patch b/lang/python/python-pip/patches/001-pyproject-hooks-pyc-fix.patch index 27681c1af..e9eafab96 100644 --- a/lang/python/python-pip/patches/001-pyproject-hooks-pyc-fix.patch +++ b/lang/python/python-pip/patches/001-pyproject-hooks-pyc-fix.patch @@ -1,13 +1,19 @@ --- a/src/pip/_vendor/pyproject_hooks/_in_process/__init__.py 
+++ b/src/pip/_vendor/pyproject_hooks/_in_process/__init__.py -@@ -11,8 +11,8 @@ try: +@@ -11,8 +11,14 @@ try: except AttributeError: # Python 3.8 compatibility def _in_proc_script_path(): - return resources.path(__package__, '_in_process.py') -+ return resources.path(__package__, '_in_process.pyc') ++ filename = '_in_process.pyc' ++ if resources.is_resource(__package__, '_in_process.py'): ++ filename = '_in_process.py' ++ return resources.path(__package__, filename) else: def _in_proc_script_path(): ++ filename = '_in_process.pyc' ++ if resources.files(__package__).joinpath('_in_process.py').is_file(): ++ filename = '_in_process.py' return resources.as_file( - resources.files(__package__).joinpath('_in_process.py')) -+ resources.files(__package__).joinpath('_in_process.pyc')) ++ resources.files(__package__).joinpath(filename)) diff --git a/lang/python/python-pip/patches/002-pip-runner-pyc-fix.patch b/lang/python/python-pip/patches/002-pip-runner-pyc-fix.patch index 4616fe065..8f68049a8 100644 --- a/lang/python/python-pip/patches/002-pip-runner-pyc-fix.patch +++ b/lang/python/python-pip/patches/002-pip-runner-pyc-fix.patch @@ -1,11 +1,15 @@ --- a/src/pip/_internal/build_env.py +++ b/src/pip/_internal/build_env.py -@@ -54,7 +54,7 @@ def get_runnable_pip() -> str: +@@ -54,7 +54,11 @@ def get_runnable_pip() -> str: # case, we can use that directly. return str(source) - return os.fsdecode(source / "__pip-runner__.py") -+ return os.fsdecode(source / "__pip-runner__.pyc") ++ filename = "__pip-runner__.pyc" ++ py = source / "__pip-runner__.py" ++ if py.is_file(): ++ filename = "__pip-runner__.py" ++ return os.fsdecode(source / filename) def _get_system_sitepackages() -> Set[str]: diff --git a/lang/python/python-pip/patches/003-disable-pip-version-check.patch b/lang/python/python-pip/patches/003-disable-pip-version-check.patch index 87a8178a7..99a0258aa 100644 --- a/lang/python/python-pip/patches/003-disable-pip-version-check.patch 
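Review bot: In both `_in_proc_script_path()` variants the `.pyc` name is the default and is returned without checking that the file exists, so when neither `_in_process.py` nor `_in_process.pyc` is packaged the failure only surfaces later, when the hook subprocess is launched. The fallback is also undocumented; a comment such as `# packaged pip may ship only the compiled module; prefer the source when it is present` would help, if that is the reason (the patch does not say). The same applies to `get_runnable_pip()` in 002-pip-runner-pyc-fix.patch. The surrounding `try`/`except` starts outside the hunk.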
+++ b/lang/python/python-pip/patches/003-disable-pip-version-check.patch @@ -9,7 +9,7 @@ Patch-Name: disable-pip-version-check.patch --- a/src/pip/_internal/cli/cmdoptions.py +++ b/src/pip/_internal/cli/cmdoptions.py -@@ -892,7 +892,7 @@ disable_pip_version_check: Callable[..., +@@ -895,7 +895,7 @@ disable_pip_version_check: Callable[..., "--disable-pip-version-check", dest="disable_pip_version_check", action="store_true", diff --git a/lang/python/python3-version.mk b/lang/python/python3-version.mk index 5712e0f1d..6b21bc61e 100644 --- a/lang/python/python3-version.mk +++ b/lang/python/python3-version.mk @@ -12,7 +12,7 @@ PYTHON3_VERSION_MICRO:=6 PYTHON3_VERSION:=$(PYTHON3_VERSION_MAJOR).$(PYTHON3_VERSION_MINOR) -PYTHON3_SETUPTOOLS_PKG_RELEASE:=1 +PYTHON3_SETUPTOOLS_PKG_RELEASE:=2 PYTHON3_PIP_PKG_RELEASE:=1 PYTHON3_SETUPTOOLS_VERSION:=65.5.0 diff --git a/lang/python/python3/patches-host-setuptools/0001-Adjust-library-header-paths-for-cross-compilation.patch b/lang/python/python3/patches-host-setuptools/0001-Adjust-library-header-paths-for-cross-compilation.patch new file mode 100644 index 000000000..06dbb4318 --- /dev/null +++ b/lang/python/python3/patches-host-setuptools/0001-Adjust-library-header-paths-for-cross-compilation.patch 
@@ -0,0 +1,38 @@ +From e359a7a3c4f9e70360a068bef19c95938fdacede Mon Sep 17 00:00:00 2001 +From: Thomas Petazzoni +Date: Wed, 23 Dec 2015 11:33:14 +0100 +Subject: [PATCH] Adjust library/header paths for cross-compilation + +When cross-compiling third-party extensions, the get_python_inc() or +get_python_lib() can be called, to return the path to headers or +libraries. However, they use the sys.prefix of the host Python, which +returns incorrect paths when cross-compiling (paths pointing to host +headers and libraries). + +In order to fix this, we introduce the _python_sysroot, _python_prefix +and _python_exec_prefix variables, that allow to override these +values, and get correct header/library paths when cross-compiling +third-party Python modules. + +Signed-off-by: Thomas Petazzoni +[adapt for setuptools, rename environment variable, use fixed lib path] +Signed-off-by: Jeffery To +--- + Lib/distutils/command/build_ext.py | 5 ++++- + Lib/sysconfig.py | 15 +++++++++++---- + 2 files changed, 15 insertions(+), 5 deletions(-) + +--- a/setuptools/_distutils/command/build_ext.py ++++ b/setuptools/_distutils/command/build_ext.py +@@ -238,7 +238,10 @@ class build_ext(Command): + if sysconfig.get_config_var('Py_ENABLE_SHARED'): + if not sysconfig.python_build: + # building third party extensions +- self.library_dirs.append(sysconfig.get_config_var('LIBDIR')) ++ libdir = sysconfig.get_config_var('LIBDIR') ++ if 'STAGING_DIR' in os.environ: ++ libdir = os.environ.get('STAGING_DIR') + '/usr/lib' ++ self.library_dirs.append(libdir) + else: + # building python standard extensions + self.library_dirs.append('.') diff --git a/lang/rust/Makefile b/lang/rust/Makefile index f3189b5bf..78d95d3d9 100644 --- a/lang/rust/Makefile +++ b/lang/rust/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=rust PKG_VERSION:=1.73.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=rustc-$(PKG_VERSION)-src.tar.gz PKG_SOURCE_URL:=https://static.rust-lang.org/dist/ 
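Review bot: The `'STAGING_DIR' in os.environ` test in `build_ext` is also true when the variable is set but empty, and `libdir` then becomes `/usr/lib`, which puts the build host's library directory on the cross linker's search path. Testing the value avoids that: `staging = os.environ.get('STAGING_DIR')` followed by `if staging: libdir = os.path.join(staging, 'usr', 'lib')`. The patch header still describes `_python_sysroot`, `_python_prefix` and `_python_exec_prefix` and carries a diffstat for `Lib/distutils/command/build_ext.py` and `Lib/sysconfig.py`, none of which this version touches; trimming that text would match the single hunk that remains. The enclosing method starts and ends outside the hunk.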
@@ -18,6 +18,7 @@ PKG_LICENSE:=Apache-2.0 MIT PKG_LICENSE_FILES:=LICENSE-APACHE LICENSE-MIT PKG_HOST_ONLY:=1 +PKG_BUILD_FLAGS:=no-mips16 include $(INCLUDE_DIR)/host-build.mk include $(INCLUDE_DIR)/package.mk @@ -86,6 +87,7 @@ endef define Host/Compile $(RUST_SCCACHE_VARS) \ CARGO_HOME=$(CARGO_HOME) \ + TARGET_CFLAGS="$(TARGET_CFLAGS)" \ OPENWRT_RUSTC_BOOTSTRAP_CACHE=$(DL_DIR)/rustc \ $(PYTHON) $(HOST_BUILD_DIR)/x.py \ --build-dir $(HOST_BUILD_DIR)/build \ diff --git a/lang/rust/patches/0002-rustc-bootstrap-cache.patch b/lang/rust/patches/0002-rustc-bootstrap-cache.patch index 9f434fc8d..f3e814e8f 100644 --- a/lang/rust/patches/0002-rustc-bootstrap-cache.patch +++ b/lang/rust/patches/0002-rustc-bootstrap-cache.patch @@ -11,7 +11,22 @@ os.makedirs(rustc_cache) --- a/src/bootstrap/download.rs +++ b/src/bootstrap/download.rs -@@ -520,7 +520,10 @@ impl Config { +@@ -202,7 +202,13 @@ impl Config { + Some(other) => panic!("unsupported protocol {other} in {url}"), + None => panic!("no protocol in {url}"), + } +- t!(std::fs::rename(&tempfile, dest_path)); ++ match std::fs::rename(&tempfile, dest_path) { ++ Ok(v) => v, ++ Err(_) => { ++ t!(std::fs::copy(&tempfile, dest_path)); ++ t!(std::fs::remove_file(&tempfile)); ++ } ++ } + } + + fn download_http_with_retries(&self, tempfile: &Path, url: &str, help_on_error: &str) { +@@ -520,7 +526,10 @@ impl Config { key: &str, destination: &str, ) { @@ -23,7 +38,7 @@ let cache_dir = cache_dst.join(key); if !cache_dir.exists() { t!(fs::create_dir_all(&cache_dir)); -@@ -647,7 +650,10 @@ download-rustc = false +@@ -647,7 +656,10 @@ download-rustc = false let llvm_assertions = self.llvm_assertions; let cache_prefix = format!("llvm-{llvm_sha}-{llvm_assertions}"); diff --git a/libs/efivar/Makefile b/libs/efivar/Makefile index f0563ba7b..fd5302ee4 100644 --- a/libs/efivar/Makefile +++ b/libs/efivar/Makefile 
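Review bot: Neither this hunk nor the `Host/Compile` hunk after it says why a `PKG_HOST_ONLY` package now sets `PKG_BUILD_FLAGS:=no-mips16` and exports `TARGET_CFLAGS` into the x.py environment. A comment above each line would save the next maintainer from guessing, for example `# x.py also compiles C code for the target, so it needs the target flags without -mips16`, if that is the reason (the diff does not state it). `TARGET_CFLAGS="$(TARGET_CFLAGS)"` is expanded inside double quotes, so a flag value containing a double quote or `$` would be reinterpreted by the shell; single quotes would be the safer form if such values can occur.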
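Review bot: The fallback added around `std::fs::rename` in 0002-rustc-bootstrap-cache.patch runs for every rename error, not only the cross-filesystem case, and `std::fs::copy` writes straight to `dest_path`. An interrupted or concurrent build can therefore leave a truncated file under its final name in the shared `OPENWRT_RUSTC_BOOTSTRAP_CACHE` directory. Copying to a sibling temporary name and renaming that into place keeps the final path atomic. Whether a later step verifies the cached file's checksum is not visible in this patch, and the enclosing function starts outside the hunk; the sketch below assumes `dest_path` is a `&Path`.

```rust
// replaces the `match std::fs::rename(&tempfile, dest_path) { .. }` block
if std::fs::rename(&tempfile, dest_path).is_err() {
    // rename() cannot cross filesystems: stage next to the destination, then rename.
    let mut staged = dest_path.as_os_str().to_owned();
    staged.push(".partial");
    t!(std::fs::copy(&tempfile, &staged));
    t!(std::fs::rename(&staged, dest_path));
    t!(std::fs::remove_file(&tempfile));
}
```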
@@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=efivar PKG_VERSION:=38 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=https://github.com/rhboot/efivar/releases/download/$(PKG_VERSION) @@ -25,7 +25,7 @@ define Package/efivar SECTION:=libs CATEGORY:=Libraries TITLE:=Tools and libraries to work with EFI variables - DEPENDS:=@TARGET_x86_64 + DEPENDS:=@(TARGET_x86_64||TARGET_armsr_armv8) URL:=https://github.com/rhboot/efibootmgr endef diff --git a/libs/efivar/patches/006-build-util-c-separately-for-makeguids.patch b/libs/efivar/patches/006-build-util-c-separately-for-makeguids.patch new file mode 100644 index 000000000..2305ebbac --- /dev/null +++ b/libs/efivar/patches/006-build-util-c-separately-for-makeguids.patch 
@@ -0,0 +1,32 @@ +From ca48d3964d26f5e3b38d73655f19b1836b16bd2d Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin +Date: Tue, 18 Jan 2022 11:53:41 +0100 +Subject: [PATCH] src/Makefile: build util.c separately for makeguids + +util.c needs to be built twice when cross-compiling: +for the build machine to be able to link with +makeguids which then runs during the same build, +and then for the actual target. + +Signed-off-by: Alexander Kanavin +--- + src/Makefile | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/src/Makefile ++++ b/src/Makefile +@@ -28,10 +28,13 @@ EFIVAR_OBJECTS = $(patsubst %.S,%.o,$(pa + EFISECDB_SOURCES = efisecdb.c guid-symbols.c secdb-dump.c util.c + EFISECDB_OBJECTS = $(patsubst %.S,%.o,$(patsubst %.c,%.o,$(EFISECDB_SOURCES))) + GENERATED_SOURCES = include/efivar/efivar-guids.h guid-symbols.c +-MAKEGUIDS_SOURCES = makeguids.c util.c ++MAKEGUIDS_SOURCES = makeguids.c util-makeguids.c + MAKEGUIDS_OBJECTS = $(patsubst %.S,%.o,$(patsubst %.c,%.o,$(MAKEGUIDS_SOURCES))) + MAKEGUIDS_OUTPUT = $(GENERATED_SOURCES) guids.lds + ++util-makeguids.c : util.c ++ cp util.c util-makeguids.c ++ + ALL_SOURCES=$(LIBEFISEC_SOURCES) $(LIBEFIBOOT_SOURCES) $(LIBEFIVAR_SOURCES) \ + $(MAKEGUIDS_SOURCES) $(GENERATED_SOURCES) $(EFIVAR_SOURCES) \ + $(sort $(wildcard include/efivar/*.h)) diff --git a/libs/ngtcp2/Makefile b/libs/ngtcp2/Makefile index 5d7ad9a0c..3db59361d 100644 --- a/libs/ngtcp2/Makefile +++ b/libs/ngtcp2/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ngtcp2 -PKG_VERSION:=1.0.0 +PKG_VERSION:=1.0.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/ngtcp2/ngtcp2/releases/download/v$(PKG_VERSION)/ -PKG_HASH:=a40b18af654baaebee3431af9bb4e347f40080bf1189d658ad53f8e66bf39da3 +PKG_HASH:=df03e7e91110fcbb165ae048fa671f1dd39f77b841df3a14aef076a1c192cc27 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=COPYING 
diff --git a/libs/unixodbc/Makefile b/libs/unixodbc/Makefile index f2600432f..c45b69183 100644 --- a/libs/unixodbc/Makefile +++ b/libs/unixodbc/Makefile @@ -8,22 +8,27 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unixodbc -PKG_VERSION:=2.3.9 -PKG_RELEASE:=2 +PKG_VERSION:=2.3.12 +PKG_RELEASE:=1 PKG_SOURCE:=unixODBC-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.unixodbc.org -PKG_HASH:=52833eac3d681c8b0c9a5a65f2ebd745b3a964f208fc748f977e44015a31b207 +PKG_HASH:=f210501445ce21bf607ba51ef8c125e10e22dffdffec377646462df5f01915ec PKG_MAINTAINER:=Thomas Heil -PKG_LICENSE:=prog GPL libs LGPL +PKG_LICENSE:=LGPL-2.1-or-later GPL-2.0-or-later +PKG_LICENSE_FILES:=COPYING exe/COPYING PKG_CPE_ID:=cpe:/a:unixodbc:unixodbc PKG_BUILD_DIR:=$(BUILD_DIR)/unixODBC-$(PKG_VERSION) -HOST_BUILD_DIR:=$(BUILD_DIR_HOST)/unixODBC-$(PKG_VERSION) -HOST_BUILD_DEPENDS:=unixodbc +HOST_BUILD_DIR:=$(BUILD_DIR)/host/unixODBC-$(PKG_VERSION) +PKG_BUILD_PARALLEL:=1 PKG_FIXUP:=autoreconf +PKG_INSTALL:=1 + +HOST_BUILD_DEPENDS:=unixodbc +HOST_BUILD_PARALLEL:=1 # if your other package depends on unixodbc and needs # odbc_config, add to your other Makefile 
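Review bot: `PKG_SOURCE_URL` stays on `http://www.unixodbc.org` although the next hunk of this commit moves the package `URL` to https. `PKG_HASH` still pins the tarball contents, so this is about not relying on a cleartext fetch; `PKG_SOURCE_URL:=https://www.unixodbc.org` would be consistent with the new `URL`. The second mirror kept in mail/postfix/Makefile, `http://ftp.porcupine.org/mirrors/postfix-release/official/`, is in the same position, provided that mirror serves https.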
@@ -35,91 +40,145 @@ include $(INCLUDE_DIR)/host-build.mk CONFIGURE_ARGS += \ --disable-gui \ --with-pic \ - --enable-drivers \ - --includedir=$(STAGING_DIR)/usr/include + --enable-drivers define Package/unixodbc/Default SUBMENU:=Database TITLE:=unixODBC - URL:=http://www.unixodbc.org + URL:=https://www.unixodbc.org endef -define Package/unixodbc - $(call Package/unixodbc/Default) - TITLE+= (libraries) +define Package/unixodbc/Default/description +unixODBC is an Open Source ODBC sub-system and an ODBC SDK for Linux, +Mac OSX, and UNIX. +endef + +define Package/libodbc +$(call Package/unixodbc/Default) + TITLE+= Driver Manager library SECTION:=libs CATEGORY:=Libraries DEPENDS:=+libltdl +libpthread + ABI_VERSION:=2 +endef + +define Package/libodbc/description +$(call Package/unixodbc/Default/description) + +This package provides the unixODBC Driver Manager library. +endef + +define Package/libodbccr +$(call Package/unixodbc/Default) + TITLE+= Cursor library + SECTION:=libs + CATEGORY:=Libraries + DEPENDS:=+libodbc +libltdl +libpthread + ABI_VERSION:=2 +endef + +define Package/libodbccr/description +$(call Package/unixodbc/Default/description) + +This package provides the unixODBC Cursor library. +endef + +define Package/libodbcinst +$(call Package/unixodbc/Default) + TITLE+= Configuration library + SECTION:=libs + CATEGORY:=Libraries + DEPENDS:=+libltdl +libpthread + ABI_VERSION:=2 +endef + +define Package/libodbcinst/description +$(call Package/unixodbc/Default/description) + +This package provides the unixODBC Configuration library. +endef + +define Package/unixodbc +$(call Package/unixodbc/Default) + TITLE+= (libraries) + SECTION:=libs + CATEGORY:=Libraries + DEPENDS:=+libodbc +libodbccr +libodbcinst endef define Package/unixodbc/description - unixODBC is an Open Source ODBC sub-system and an ODBC SDK for Linux, - Mac OSX, and UNIX. 
+$(call Package/unixodbc/Default/description) + +This package installs the unixODBC Driver Manager, Cursor, and +Configuration libraries. This package is provided for backwards +compatibility; these libraries are available in separate packages. endef define Package/unixodbc-tools - $(call Package/unixodbc/Default) +$(call Package/unixodbc/Default) SECTION:=utils CATEGORY:=Utilities TITLE+= Tools - DEPENDS:=+unixodbc +libncurses +libreadline + DEPENDS:=+libodbc +libodbcinst +libltdl +libreadline endef define Package/unixodbc-tools/description - Command Line Tools to help install a driver and work with SQL. +$(call Package/unixodbc/Default/description) + +This package provides command-line tools to help install a driver and +work with SQL. endef define Package/pgsqlodbc - $(call Package/unixodbc/Default) +$(call Package/unixodbc/Default) SECTION:=libs CATEGORY:=Libraries - TITLE:=Postgresql driver for ODBC - DEPENDS:=+unixodbc +libpq + TITLE:=PostgreSQL driver for ODBC + DEPENDS:=+libodbc +libpq +libltdl +libpthread + ABI_VERSION:=2 endef define Package/pgsqlodbc/description - Postgresql driver for ODBC. -endef +$(call Package/unixodbc/Default/description) -define Build/Compile - $(MAKE) -C $(PKG_BUILD_DIR) \ - DESTDIR="$(PKG_INSTALL_DIR)" \ - $(MAKE_FLAGS) \ - ARCH="$(ARCH)" \ - CC="$(TARGET_CC)" - $(MAKE) -C $(PKG_BUILD_DIR) \ - DESTDIR="$(PKG_INSTALL_DIR)" \ - $(MAKE_FLAGS) \ - ARCH="$(ARCH)" \ - install -i +This package provides the PostgreSQL driver for ODBC. 
endef define Build/InstallDev $(INSTALL_DIR) $(1)/usr/include - $(CP) $(PKG_INSTALL_DIR)/$(STAGING_DIR)/usr/include/*.h $(1)/usr/include/ + $(CP) $(PKG_INSTALL_DIR)/usr/include/*.h $(1)/usr/include/ # Save autoconf config.h file for host build # copy target autoconf config.h and unixodbc_conf.h file for host build - $(INSTALL_DIR) $(1)/tmp/unixodbc - $(CP) $(PKG_BUILD_DIR)/config.h $(1)/tmp/unixodbc/ - $(CP) $(PKG_BUILD_DIR)/unixodbc_conf.h $(1)/tmp/unixodbc/ + $(INSTALL_DIR) $(1)/usr/include/unixodbc + $(CP) $(PKG_BUILD_DIR)/config.h $(1)/usr/include/unixodbc/ + $(CP) $(PKG_BUILD_DIR)/unixodbc_conf.h $(1)/usr/include/unixodbc/ $(INSTALL_DIR) $(1)/usr/lib $(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/ $(INSTALL_DIR) $(1)/etc $(CP) $(PKG_INSTALL_DIR)/etc/odbc* $(1)/etc/ $(INSTALL_DIR) $(1)/etc/ODBCDataSources - $(TARGET_CC) $(TARGET_CFLAGS) -E ./files/unixodbc_conf.h | tr '@' '\#' >$(1)/usr/include/unixodbc_conf.h endef -define Package/unixodbc/install +define Package/libodbc/install $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libodbc[ci]*so* $(1)/usr/lib/ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libodbc.*so* $(1)/usr/lib/ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnn*so* $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libodbc.so* $(1)/usr/lib/ $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/odbc.init $(1)/etc/init.d/odbc $(LN) /tmp/etc/odbcinst.ini $(1)/etc/odbcinst.ini endef +define Package/libodbccr/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libodbccr.so* $(1)/usr/lib/ +endef + +define Package/libodbcinst/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libodbcinst.so* $(1)/usr/lib/ +endef + +Package/unixodbc/install:=: + define Package/unixodbc-tools/install $(INSTALL_DIR) $(1)/usr/bin $(CP) $(PKG_INSTALL_DIR)/usr/bin/{dltest,isql,iusql,odbcinst,slencheck} $(1)/usr/bin/ 
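Review bot: `Package/libodbc/install` keeps `$(LN) /tmp/etc/odbcinst.ini $(1)/etc/odbcinst.ini`, so the driver registry is resolved through a path under /tmp, and nothing here says who creates that file. That registry names the shared objects the Driver Manager loads, as the `Driver = /usr/lib/libodbcpsql.so` entry shows. A comment above the line would help, for example `# /tmp/etc/odbcinst.ini is generated at boot by odbc.init`, if that is what files/odbc.init does (it is not part of this diff). It is also worth confirming that the script creates /tmp/etc root-owned before anything else can place a file there. Separately, `Package/unixodbc/install:=:` deserves a one-line comment that the package is intentionally empty and only pulls in libodbc, libodbccr and libodbcinst.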
@@ -127,34 +186,34 @@ endef define Package/pgsqlodbc/install $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libodbcpsql*so* $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libodbcpsql.so* $(1)/usr/lib/ $(INSTALL_DIR) $(1)/etc/odbcinst.ini.d/ - echo "[PostgreSQL]" > $(1)/etc/odbcinst.ini.d/pgsqlodbc.ini - echo "Description = unixODBC PostgreSQL driver" >> $(1)/etc/odbcinst.ini.d/pgsqlodbc.ini - echo "Driver = /usr/lib/libodbcpsql.so" >> $(1)/etc/odbcinst.ini.d/pgsqlodbc.ini + $(INSTALL_DATA) ./files/pgsqlodbc.ini $(1)/etc/odbcinst.ini.d/ endef define Host/Configure $(call Host/Configure/Default) - cp $(STAGING_DIR)/tmp/unixodbc/config.h $(HOST_BUILD_DIR) - sed -i -e 's!\(LIB_PREFIX \).*$$$$!\1"$(STAGING_DIR)/usr/lib"!' $(HOST_BUILD_DIR)/config.h - cp $(STAGING_DIR)/tmp/unixodbc/unixodbc_conf.h $(HOST_BUILD_DIR) + $(CP) $(STAGING_DIR)/usr/include/unixodbc/config.h $(HOST_BUILD_DIR) + $(CP) $(STAGING_DIR)/usr/include/unixodbc/unixodbc_conf.h $(HOST_BUILD_DIR) + $(CP) $(STAGING_DIR)/usr/include/unixodbc.h $(HOST_BUILD_DIR) + $(SED) 's!^#define INCLUDE_PREFIX ".*"!#define INCLUDE_PREFIX "$(STAGING_DIR)/usr/include"!' \ + -e 's!^#define LIB_PREFIX ".*"!#define LIB_PREFIX "$(STAGING_DIR)/usr/lib"!' 
\ + $(HOST_BUILD_DIR)/config.h \ + $(HOST_BUILD_DIR)/unixodbc_conf.h endef define Host/Compile - $(MAKE) -C $(HOST_BUILD_DIR)/exe \ - DESTDIR="$(HOST_INSTALL_DIR)" \ - CC="$(HOSTCC)" \ - CFLAGS="$(HOST_CFLAGS) -DUSE_UNIXODBC_CONF_H" \ - LDFLAGS="$(HOST_LDFLAGS)" \ - odbc_config + $(call Host/Compile/Default,-C $(HOST_BUILD_DIR)/exe odbc_config) endef define Host/Install - $(INSTALL_DIR) $(STAGING_DIR_HOST)/bin - $(INSTALL_BIN) $(HOST_BUILD_DIR)/exe/odbc_config $(STAGING_DIR_HOST)/bin + $(INSTALL_DIR) $(STAGING_DIR)/host/bin + $(INSTALL_BIN) $(HOST_BUILD_DIR)/exe/odbc_config $(STAGING_DIR)/host/bin/ endef +$(eval $(call BuildPackage,libodbc)) +$(eval $(call BuildPackage,libodbccr)) +$(eval $(call BuildPackage,libodbcinst)) $(eval $(call BuildPackage,unixodbc)) $(eval $(call BuildPackage,unixodbc-tools)) $(eval $(call BuildPackage,pgsqlodbc)) diff --git a/libs/unixodbc/files/pgsqlodbc.ini b/libs/unixodbc/files/pgsqlodbc.ini new file mode 100644 index 000000000..54a64bcfa --- /dev/null +++ b/libs/unixodbc/files/pgsqlodbc.ini @@ -0,0 +1,3 @@ +[PostgreSQL] +Description = unixODBC PostgreSQL driver +Driver = /usr/lib/libodbcpsql.so diff --git a/libs/unixodbc/files/unixodbc_conf.h b/libs/unixodbc/files/unixodbc_conf.h deleted file mode 100644 index f149d02b1..000000000 --- a/libs/unixodbc/files/unixodbc_conf.h +++ /dev/null @@ -1,22 +0,0 @@ -@ifndef HAVE_UNISTD_H - @define HAVE_UNISTD_H -@endif -@ifndef HAVE_PWD_H - @define HAVE_PWD_H -@endif -@ifndef HAVE_SYS_TYPES_H - @define HAVE_SYS_TYPES_H -@endif -@ifndef HAVE_LONG_LONG - @define HAVE_LONG_LONG -@endif -@ifndef ODBCINT64 - @define ODBCINT64 long -@endif -@ifndef UODBCINT64 - @define UODBCINT64 unsigned long -@endif -@ifndef SIZEOF_LONG_INT - @define SIZEOF_LONG_INT __SIZEOF_LONG__ -@endif - \ No newline at end of file diff --git a/libs/unixodbc/patches/100-cross-compile-odbc-config.patch b/libs/unixodbc/patches/100-cross-compile-odbc-config.patch deleted file mode 100644 index 4b952ae18..000000000 
--- a/libs/unixodbc/patches/100-cross-compile-odbc-config.patch +++ /dev/null @@ -1,36 +0,0 @@ ---- a/exe/odbc-config.c -+++ b/exe/odbc-config.c -@@ -40,6 +40,33 @@ - #include - #endif - -+#ifdef USE_UNIXODBC_CONF_H -+ -+#ifdef HAVE_UNISTD_H -+#undef HAVE_UNISTD_H -+#endif -+#ifdef HAVE_PWD_H -+#undef HAVE_PWD_H -+#endif -+#ifdef HAVE_SYS_TYPES_H -+#undef HAVE_SYS_TYPES_H -+#endif -+#ifdef HAVE_LONG_LONG -+#undef HAVE_LONG_LONG -+#endif -+#ifdef ODBCINT64 -+#undef ODBCINT64 -+#endif -+#ifdef UODBCINT64 -+#undef UODBCINT64 -+#endif -+#ifdef SIZEOF_LONG_INT -+#undef SIZEOF_LONG_INT -+#endif -+ -+#include -+#endif -+ - #include - - static void usage( void ) diff --git a/libs/unixodbc/test.sh b/libs/unixodbc/test.sh new file mode 100644 index 000000000..d4c42a404 --- /dev/null +++ b/libs/unixodbc/test.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +[ "$1" = unixodbc-tools ] || exit 0 + +isql --version | grep -Fx "unixODBC $PKG_VERSION" diff --git a/mail/fdm/Makefile b/mail/fdm/Makefile index 762fd933c..522765db8 100644 --- a/mail/fdm/Makefile +++ b/mail/fdm/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=fdm -PKG_VERSION:=2.0 -PKG_RELEASE:=3 +PKG_VERSION:=2.2 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/nicm/fdm/releases/download/$(PKG_VERSION) -PKG_HASH:=06b28cb6b792570bc61d7e29b13d2af46b92fea77e058b2b17e11e8f7ed0cea4 +PKG_HASH:=53aad117829834e21c1b9bf20496a1aa1c0e0fb98fe7735e1e73314266fb6c16 PKG_MAINTAINER:=Dmitry V. Zimin PKG_LICENSE:=BSD-2-Clause @@ -30,7 +30,7 @@ define Package/fdm TITLE:=fetch mail and deliver URL:=https://github.com/nicm/fdm MENU:=1 - DEPENDS:=+tdb +zlib +libopenssl +FDM_WITH_PCRE:libpcre + DEPENDS:=+tdb +zlib +libopenssl +FDM_WITH_PCRE:libpcre2 USERID:=_fdm=99:_fdm=99 endef @@ -42,7 +42,7 @@ define Package/fdm/description endef ifdef CONFIG_FDM_WITH_PCRE - CONFIGURE_ARGS += --enable-pcre + CONFIGURE_ARGS += --enable-pcre2 endif define Package/fdm/config 
diff --git a/mail/fdm/patches/010-ntop-fix.patch b/mail/fdm/patches/010-ntop-fix.patch deleted file mode 100644 index e32479571..000000000 --- a/mail/fdm/patches/010-ntop-fix.patch +++ /dev/null @@ -1,9 +0,0 @@ ---- a/Makefile.am -+++ b/Makefile.am -@@ -123,6 +123,3 @@ endif - if NO_STRTONUM - nodist_fdm_SOURCES += compat/strtonum.c - endif --if NO_B64_NTOP --nodist_fdm_SOURCES += compat/base64.c --endif diff --git a/mail/fdm/patches/020-Fix-compile-with-OpenSSL-1.1.0.patch b/mail/fdm/patches/020-Fix-compile-with-OpenSSL-1.1.0.patch deleted file mode 100644 index 3d2f45d40..000000000 --- a/mail/fdm/patches/020-Fix-compile-with-OpenSSL-1.1.0.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 3aa079c4885d89257c5033b4992011511b603150 Mon Sep 17 00:00:00 2001 -From: Rosen Penev -Date: Tue, 26 Jun 2018 14:14:34 -0700 -Subject: [PATCH] Fix compile with OpenSSL 1.1.0 - -OpenSSL 1.1.0 deprecared SSL_library_init and SSL_load_error_strings. -They're part of OPENSSL_init_ssl now. ---- - fdm.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/fdm.c -+++ b/fdm.c -@@ -717,8 +717,10 @@ retry: - } - conf.lock_file = lock; - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - SSL_library_init(); - SSL_load_error_strings(); -+#endif - - /* Filter account list. */ - TAILQ_INIT(&actaq); diff --git a/mail/fdm/patches/030-cdefs.patch b/mail/fdm/patches/030-cdefs.patch deleted file mode 100644 index d1ae7af3d..000000000 --- a/mail/fdm/patches/030-cdefs.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 3232e537ccaba4417b25d9d70264e4a5533042da Mon Sep 17 00:00:00 2001 -From: Nicholas Marriott -Date: Mon, 18 Mar 2019 13:04:00 +0000 -Subject: [PATCH] Fix bas64 declarations, from makepost at firemail dot cc. - ---- - fdm.h | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - ---- a/fdm.h -+++ b/fdm.h -@@ -20,7 +20,6 @@ - #define FDM_H - - #include --#include - #include - - #ifdef HAVE_QUEUE_H -@@ -725,8 +724,8 @@ size_t strlcat(char *, const char *, s - - #ifndef HAVE_B64_NTOP - /* base64.c */ --int b64_ntop(src, srclength, target, targsize); --int b64_pton(src, target, targsize); -+int b64_ntop(u_char const *, size_t, char *, size_t); -+int b64_pton(char const *, u_char *, size_t); - #endif - - /* shm.c */ diff --git a/mail/fdm/patches/100-Fix-bugs-in-PCRE2-code-don-t-walk-off-the-end-of-the.patch b/mail/fdm/patches/100-Fix-bugs-in-PCRE2-code-don-t-walk-off-the-end-of-the.patch new file mode 100644 index 000000000..8c63f96a9 --- /dev/null +++ b/mail/fdm/patches/100-Fix-bugs-in-PCRE2-code-don-t-walk-off-the-end-of-the.patch 
@@ -0,0 +1,75 @@ +From f1ec1982725d60045c0d871f3e613f2880046c22 Mon Sep 17 00:00:00 2001 +From: Nicholas Marriott +Date: Wed, 1 Feb 2023 15:31:30 +0000 +Subject: [PATCH] Fix bugs in PCRE2 code - don't walk off the end of the match + list if NOMATCH is returned, and don't stop on empty matches. From Thomas + Hurst. + +--- + pcre.c | 45 ++++++++++++++++++++++++++------------------- + 1 file changed, 26 insertions(+), 19 deletions(-) + +--- a/pcre.c ++++ b/pcre.c +@@ -66,7 +66,7 @@ int + re_block(struct re *re, const void *buf, size_t len, struct rmlist *rml, + char **cause) + { +- int res; ++ int res, ret; + pcre2_match_data *pmd; + PCRE2_SIZE *ovector; + u_int i, j; +@@ -85,27 +85,34 @@ re_block(struct re *re, const void *buf, + } + + pmd = pcre2_match_data_create_from_pattern(re->pcre2, NULL); +- res = pcre2_match(re->pcre2, buf, len, 0, 0, pmd, NULL); +- if (res < 0 && res != PCRE2_ERROR_NOMATCH) { +- xasprintf(cause, "%s: regexec failed", re->str); +- pcre2_match_data_free(pmd); +- return (-1); +- } ++ if (pmd == NULL) ++ fatalx("pcre2_match_data_create_from_pattern failed"); + +- if (rml != NULL) { +- ovector = pcre2_get_ovector_pointer(pmd); +- for (i = 0; i < res; i++) { +- j = i * 2; +- if (ovector[j + 1] <= ovector[j]) +- break; +- rml->list[i].valid = 1; +- rml->list[i].so = ovector[j]; +- rml->list[i].eo = ovector[j + 1]; ++ res = pcre2_match(re->pcre2, buf, len, 0, 0, pmd, NULL); ++ if (res > 0) { ++ if (rml != NULL) { ++ if (res > NPMATCH) ++ res = NPMATCH; ++ ovector = pcre2_get_ovector_pointer(pmd); ++ for (i = 0; i < res; i++) { ++ j = i * 2; ++ if (ovector[j + 1] < ovector[j]) ++ break; ++ rml->list[i].valid = 1; ++ rml->list[i].so = ovector[j]; ++ rml->list[i].eo = ovector[j + 1]; ++ } ++ rml->valid = 1; + } +- rml->valid = 1; ++ ret = 1; ++ } else if (res == PCRE2_ERROR_NOMATCH) ++ ret = 0; ++ else { ++ xasprintf(cause, "%s: regexec failed", re->str); ++ ret = -1; + } +- +- return (res != PCRE2_ERROR_NOMATCH); ++ pcre2_match_data_free(pmd); ++ 
return (ret); + } + + void diff --git a/mail/fdm/patches/101-Fix-use-after-free-GitHub-issue-126.patch b/mail/fdm/patches/101-Fix-use-after-free-GitHub-issue-126.patch new file mode 100644 index 000000000..98024d21f --- /dev/null +++ b/mail/fdm/patches/101-Fix-use-after-free-GitHub-issue-126.patch @@ -0,0 +1,21 @@ +From 028f59bef0ea9435fb8fbe095b2939652ce63479 Mon Sep 17 00:00:00 2001 +From: Nicholas Marriott +Date: Mon, 3 Apr 2023 08:54:28 +0100 +Subject: [PATCH] Fix use-after-free, GitHub issue 126. + +--- + connect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/connect.c ++++ b/connect.c +@@ -550,8 +550,8 @@ httpproxy(struct server *srv, + if (strlen(line) < 12 || + strncmp(line, "HTTP/", 5) != 0 || + strncmp(line + 8, " 200", 4) != 0) { +- xfree(line); + xasprintf(cause, "unexpected data: %s", line); ++ xfree(line); + return (-1); + } + header = 1; diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile index b86fdcb6d..313713692 100644 --- a/mail/postfix/Makefile +++ b/mail/postfix/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=postfix -PKG_VERSION:=3.5.8 -PKG_RELEASE:=3 +PKG_VERSION:=3.8.2 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ https://de.postfix.org/ftpmirror/official/ \ http://ftp.porcupine.org/mirrors/postfix-release/official/ -PKG_HASH:=22582628cf3edc18c5155c9ff44543dd95a9435fb68135d76a99f572cb07456f +PKG_HASH:=6790903cdbb5e0e47196691eb9a5f2cf8050262def941e039e6d4bf4043a5e30 PKG_MAINTAINER:=Denis Shulyaka PKG_LICENSE:=IPL-1.0 
@@ -44,7 +44,7 @@ define Package/postfix postfix=25:postfix=25 \ postdrop=26:postdrop=26 URL:=http://www.postfix.org/ - DEPENDS:=+POSTFIX_CDB:tinycdb +POSTFIX_TLS:libopenssl +POSTFIX_SASL:libsasl2 +POSTFIX_LDAP:libopenldap +POSTFIX_DB:libdb47 +POSTFIX_SQLITE:libsqlite3 +POSTFIX_MYSQL:libmysqlclient +POSTFIX_PGSQL:libpq +POSTFIX_EAI:icu +POSTFIX_PCRE:libpcre + DEPENDS:=+POSTFIX_CDB:tinycdb +POSTFIX_TLS:libopenssl +POSTFIX_SASL:libsasl2 +POSTFIX_LDAP:libopenldap +POSTFIX_DB:libdb47 +POSTFIX_SQLITE:libsqlite3 +POSTFIX_MYSQL:libmysqlclient +POSTFIX_PGSQL:libpq +POSTFIX_EAI:icu +POSTFIX_PCRE:libpcre2 MENU:=1 endef @@ -172,8 +172,8 @@ ifdef CONFIG_POSTFIX_PGSQL endif ifdef CONFIG_POSTFIX_PCRE - CCARGS+=-DHAS_PCRE -I$(STAGING_DIR)/usr/include/ - AUXLIBS+=-L$(STAGING_DIR)/usr/lib -lpcre + CCARGS+=-DHAS_PCRE2 -I$(STAGING_DIR)/usr/include/ + AUXLIBS+=-L$(STAGING_DIR)/usr/lib -lpcre2-8 else CCARGS+=-DNO_PCRE endif diff --git a/mail/postfix/patches/100-correct-signature-of-closefrom-API.patch b/mail/postfix/patches/100-correct-signature-of-closefrom-API.patch index c3201097a..28754e1a4 100644 --- a/mail/postfix/patches/100-correct-signature-of-closefrom-API.patch +++ b/mail/postfix/patches/100-correct-signature-of-closefrom-API.patch @@ -44,7 +44,7 @@ Signed-off-by: Khem Raj #endif --- a/src/util/sys_defs.h +++ b/src/util/sys_defs.h -@@ -1509,7 +1509,7 @@ extern int setsid(void); +@@ -1519,7 +1519,7 @@ extern int setsid(void); #endif #ifndef HAS_CLOSEFROM @@ -53,7 +53,7 @@ Signed-off-by: Khem Raj #endif -@@ -1563,7 +1563,7 @@ typedef int pid_t; +@@ -1573,7 +1573,7 @@ typedef int pid_t; /* * Clang-style attribute tests. @@ -62,7 +62,7 @@ 
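Review bot: `CCARGS+=-DHAS_PCRE2` defines a macro that, as far as I recall from Postfix's PCRE_README, the sources do not test; PCRE2 support is selected with `-DHAS_PCRE=2`. If that holds for 3.8.2, the pcre dictionary is compiled out while `-lpcre2-8` is still linked and libpcre2 is still a dependency. Any `pcre:` map (header_checks, body_checks, access tables) would then fail at runtime instead of filtering. Please confirm against the 3.8.2 sources and, if so, change the line to `CCARGS+=-DHAS_PCRE=2 -I$(STAGING_DIR)/usr/include/`.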
Signed-off-by: Khem Raj * XXX Without the unconditional test below, gcc 4.6 will barf on ``elif * defined(__clang__) && __has_attribute(__whatever__)'' with error message * ``missing binary operator before token "("''. -@@ -1577,7 +1577,7 @@ typedef int pid_t; +@@ -1587,7 +1587,7 @@ typedef int pid_t; * warn for missing initializations and other trouble. However, OPENSTEP4 * gcc 2.7.x cannot handle this so we define this only if NORETURN isn't * already defined above. @@ -71,7 +71,7 @@ Signed-off-by: Khem Raj * Data point: gcc 2.7.2 has __attribute__ (Wietse Venema) but gcc 2.6.3 does * not (Clive Jones). So we'll set the threshold at 2.7. */ -@@ -1653,12 +1653,12 @@ typedef int pid_t; +@@ -1663,12 +1663,12 @@ typedef int pid_t; * write to output parameters (for example, stat- or scanf-like functions) * or from functions that have other useful side effects (for example, * fseek- or rename-like functions). @@ -86,7 +86,7 @@ Signed-off-by: Khem Raj * XXX Prepending "(void)" won't shut up GCC. Clang behaves as expected. */ #if ((__GNUC__ == 3 && __GNUC_MINOR__ >= 4) || __GNUC__ > 3) -@@ -1747,7 +1747,7 @@ typedef const char *CONST_CHAR_STAR; +@@ -1749,7 +1749,7 @@ typedef const char *CONST_CHAR_STAR; * Safety. On some systems, ctype.h misbehaves with non-ASCII or negative * characters. More importantly, Postfix uses the ISXXX() macros to ensure * protocol compliance, so we have to rule out non-ASCII characters. diff --git a/mail/postfix/patches/300-bdb_hash_segfault.patch b/mail/postfix/patches/300-bdb_hash_segfault.patch index 1ae9359fb..fdd01706f 100644 --- a/mail/postfix/patches/300-bdb_hash_segfault.patch +++ b/mail/postfix/patches/300-bdb_hash_segfault.patch @@ -1,6 +1,6 @@ --- a/src/util/dict_db.c +++ b/src/util/dict_db.c -@@ -750,8 +750,8 @@ static DICT *dict_db_open(const char *cl +@@ -751,8 +751,8 @@ static DICT *dict_db_open(const char *cl msg_fatal("create DB database: %m"); if (db == 0) msg_panic("db_create null result"); 
@@ -9,5 +9,5 @@ +// if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0) +// msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM); db_base_buf = vstring_alloc(100); - #if DB_VERSION_MAJOR == 6 || DB_VERSION_MAJOR == 5 || \ + #if DB_VERSION_MAJOR == 18 || DB_VERSION_MAJOR == 6 || DB_VERSION_MAJOR == 5 || \ (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0) diff --git a/mail/postfix/patches/400-cdb.patch b/mail/postfix/patches/400-cdb.patch index 074d03095..3afcf19dc 100644 --- a/mail/postfix/patches/400-cdb.patch +++ b/mail/postfix/patches/400-cdb.patch @@ -1,6 +1,6 @@ --- a/src/util/sys_defs.h +++ b/src/util/sys_defs.h -@@ -760,9 +760,8 @@ extern int initgroups(const char *, int) +@@ -774,9 +774,8 @@ extern int initgroups(const char *, int) #define INTERNAL_LOCK MYFLOCK_STYLE_FLOCK #define DEF_MAILBOX_LOCK "fcntl, dotlock" /* RedHat >= 4.x */ #define HAS_FSYNC diff --git a/mail/postfix/patches/500-crosscompile.patch b/mail/postfix/patches/500-crosscompile.patch index c7448a3a1..329436ce6 100644 --- a/mail/postfix/patches/500-crosscompile.patch +++ b/mail/postfix/patches/500-crosscompile.patch @@ -1,6 +1,6 @@ --- a/makedefs +++ b/makedefs -@@ -215,7 +215,7 @@ error() { +@@ -233,7 +233,7 @@ ARFL=rv case $# in # Officially supported usage. @@ -9,7 +9,7 @@ RELEASE=`(uname -r) 2>/dev/null` # No ${x%%y} support in Solaris 11 /bin/sh RELEASE_MAJOR=`expr "$RELEASE" : '\([0-9]*\)'` || exit 1 -@@ -242,6 +242,15 @@ case "$SYSTEM" in +@@ -247,6 +247,15 @@ case $# in esac case "$SYSTEM.$RELEASE" in diff --git a/mail/postfix/patches/501-include_stdio.patch b/mail/postfix/patches/501-include_stdio.patch index 84ad04a83..7681a54c1 100644 --- a/mail/postfix/patches/501-include_stdio.patch +++ b/mail/postfix/patches/501-include_stdio.patch @@ -1,6 +1,6 @@ --- a/src/posttls-finger/posttls-finger.c +++ b/src/posttls-finger/posttls-finger.c -@@ -342,6 +342,7 @@ +@@ -346,6 +346,7 @@ #include #include #include 
diff --git a/mail/postfix/patches/502-detect-glibc.patch b/mail/postfix/patches/502-detect-glibc.patch deleted file mode 100644 index abfc9d4fd..000000000 --- a/mail/postfix/patches/502-detect-glibc.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- a/src/util/sys_defs.h -+++ b/src/util/sys_defs.h -@@ -749,7 +749,8 @@ extern int initgroups(const char *, int) - /* - * LINUX. - */ --#if defined(LINUX2) || defined(LINUX3) || defined(LINUX4) || defined(LINUX5) -+#if defined(LINUX2) || defined(LINUX3) || defined(LINUX4) || defined(LINUX5) \ -+ || defined(LINUX6) - #define SUPPORTED - #define UINT32_TYPE unsigned int - #define UINT16_TYPE unsigned short diff --git a/mail/postfix/patches/700-defaultconfig.patch b/mail/postfix/patches/700-defaultconfig.patch index c779d12ed..d601ad7fb 100644 --- a/mail/postfix/patches/700-defaultconfig.patch +++ b/mail/postfix/patches/700-defaultconfig.patch @@ -1,6 +1,6 @@ --- a/conf/main.cf +++ b/conf/main.cf -@@ -40,43 +40,8 @@ compatibility_level = 2 +@@ -44,43 +44,8 @@ compatibility_level = 3.8 # #soft_bounce = no @@ -44,7 +44,7 @@ # The default_privs parameter specifies the default rights used by # the local delivery agent for delivery to external file or command. # These rights are used in the absence of a recipient user context. -@@ -632,45 +597,4 @@ debugger_command = +@@ -641,45 +606,4 @@ debugger_command = # -dmS $process_name gdb $daemon_directory/$process_name # $process_id & sleep 1 diff --git a/multimedia/tvheadend/Config.in b/multimedia/tvheadend/Config.in index de689fd33..b750bd9eb 100644 --- a/multimedia/tvheadend/Config.in +++ b/multimedia/tvheadend/Config.in @@ -36,11 +36,6 @@ choice help Use internal POSIX Regular Expressions. Note that not all EPG parsers will work with POSIX RegEx. - config TVHEADEND_REGEX_PCRE - bool "PCRE (libpcre)" - select PACKAGE_libpcre - help - Use more advanced Perl-Compatible Regular Expressions, provided by libpcre. config TVHEADEND_REGEX_PCRE2 bool "PCRE2 (libpcre2)" select PACKAGE_libpcre2 
diff --git a/multimedia/tvheadend/Makefile b/multimedia/tvheadend/Makefile index f33b66662..674d2862a 100644 --- a/multimedia/tvheadend/Makefile +++ b/multimedia/tvheadend/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tvheadend PKG_VERSION:=2023-06-05 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/tvheadend/tvheadend.git @@ -36,7 +36,6 @@ define Package/tvheadend $(ICONV_DEPENDS) \ +zlib \ +TVHEADEND_AVAHI_SUPPORT:libavahi-client \ - +TVHEADEND_REGEX_PCRE:libpcre \ +TVHEADEND_REGEX_PCRE2:libpcre2 \ +BUILD_PATENTED&&TVHEADEND_CSA:libdvbcsa @@ -77,15 +76,12 @@ ifeq ($(CONFIG_TVHEADEND_TRACE),) CONFIGURE_ARGS += --disable-trace endif +CONFIGURE_ARGS += --disable-pcre ifneq ($(CONFIG_TVHEADEND_REGEX_PCRE2),) - CONFIGURE_ARGS += --disable-pcre --enable-pcre2 -else -ifneq ($(CONFIG_TVHEADEND_REGEX_PCRE),) - CONFIGURE_ARGS += --enable-pcre --disable-pcre2 + CONFIGURE_ARGS += --enable-pcre2 else ifneq ($(CONFIG_TVHEADEND_REGEX_POSIX),) - CONFIGURE_ARGS += --disable-pcre --disable-pcre2 -endif + CONFIGURE_ARGS += --disable-pcre2 endif endif diff --git a/net/aircrack-ng/Makefile b/net/aircrack-ng/Makefile index 70a13a0d4..ae5d9d66f 100644 --- a/net/aircrack-ng/Makefile +++ b/net/aircrack-ng/Makefile @@ -83,6 +83,7 @@ CONFIGURE_ARGS += \ --with-libpcap-include=$(STAGING_DIR)/usr/include \ --with-libpcap-lib=$(STAGING_DIR)/usr/lib \ --without-opt \ + --with-libbsd=no \ \ PYTHON=$(PYTHON) \ \ diff --git a/net/aircrack-ng/patches/104-build-add-option-to-disable-bsd-library-inclusion.patch b/net/aircrack-ng/patches/104-build-add-option-to-disable-bsd-library-inclusion.patch new file mode 100644 index 000000000..e575706cd --- /dev/null +++ b/net/aircrack-ng/patches/104-build-add-option-to-disable-bsd-library-inclusion.patch 
@@ -0,0 +1,58 @@
+From 0265e79f3c9a27a3ffd186e7d3bcd2f744052605 Mon Sep 17 00:00:00 2001
+From: Christian Marangi
+Date: Sat, 28 Oct 2023 17:30:09 +0200
+Subject: [PATCH] build: add option to disable bsd library inclusion
+
+It might be needed to disable bsd inclusion and fallback to the compat
+functions even if bsd headers are detected.
+
+This is the case when multiple library are cross-compiled and someone
+wants to explicitly compile aircrack-ng without linking to bsd library.
+
+With the current implementation, if a bsd header is detected, the bsd
+library is always linked even if unwanted. Add option to configure this
+with the combo --with-libbsd=yes|no|auto with auto set by default.
+
+Also add an extra featurw with introducing the possibility of requiring
+the bsd library and fail the configure phase.
+
+Signed-off-by: Christian Marangi
+---
+ build/m4/aircrack_ng_compat.m4 | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+--- a/build/m4/aircrack_ng_compat.m4
++++ b/build/m4/aircrack_ng_compat.m4
+@@ -38,11 +38,29 @@ dnl If you delete this exception stateme
+ dnl program, then also delete it here.
+
+ AC_DEFUN([AIRCRACK_NG_COMPAT], [
++AC_ARG_WITH(libbsd,
++ [AS_HELP_STRING([--with-libbsd[[=auto|yes|no]]], [use BSD library, [default=auto]])])
++
++case $with_libbsd in
++ yes | "" | auto)
++ AC_CHECK_HEADERS([bsd/string.h], [HAVE_BSD_STRING_H=yes])
++ AC_CHECK_LIB([bsd], [strlcpy], [:])
++ AC_CHECK_FUNCS([strlcpy strlcat], [:])
++ ;;
++esac
+
+-AC_CHECK_HEADERS([bsd/string.h], [HAVE_BSD_STRING_H=yes], [HAVE_BSD_STRING_H=no])
+ AM_CONDITIONAL([HAVE_BSD_STRING_H], [test "$HAVE_BSD_STRING_H" = yes])
+-AC_CHECK_LIB([bsd], [strlcpy], [ LIBS="$LIBS -lbsd" ], [:])
+-AC_CHECK_FUNCS([strlcpy strlcat], [:])
++
++if test $with_libbsd != no
++then
++ if test $ac_cv_lib_bsd_strlcpy = yes
++ then
++ LIBS="$LIBS -lbsd"
++ elif test $with_libbsd = yes
++ then
++ AC_MSG_ERROR([cannot configure required bsd library])
++ fi
++fi
+
+ have_bsd=no
+ if test "$cross_compiling" != yes
diff --git a/net/aircrack-ng/patches/105-build-support-strlcat-strlcpy-from-musl-or-recent-gl.patch b/net/aircrack-ng/patches/105-build-support-strlcat-strlcpy-from-musl-or-recent-gl.patch
new file mode 100644
index 000000000..7eacd43f3
--- /dev/null
+++ b/net/aircrack-ng/patches/105-build-support-strlcat-strlcpy-from-musl-or-recent-gl.patch
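Review bot: The added `if test $with_libbsd != no` expands an unquoted variable that is empty when `--with-libbsd` is not passed, which is the documented default (`auto`). The shell then evaluates `test != no`, which typically fails with a "unary operator expected" error, so the block is skipped and `-lbsd` is never appended even when the library check succeeded. Quote the operand, for example `if test "x$with_libbsd" != xno`, and likewise `elif test "x$with_libbsd" = xyes`. The OpenWrt build passes `--with-libbsd=no`, so only the default path of the patched configure script is affected.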
@@ -0,0 +1,30 @@ +From 6317063da827732dbc5cc0dd1650ed016bd2927c Mon Sep 17 00:00:00 2001 +From: Christian Marangi +Date: Sun, 29 Oct 2023 14:41:18 +0100 +Subject: [PATCH] build: support strlcat/strlcpy from musl or recent glibc + +Musl or recent glibc added support for these additional string function, +strlcat and strlcpy hence the compat function are not needed and the +builtin version can be used instead. + +Signed-off-by: Christian Marangi +--- + build/m4/aircrack_ng_compat.m4 | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/build/m4/aircrack_ng_compat.m4 ++++ b/build/m4/aircrack_ng_compat.m4 +@@ -41,11 +41,12 @@ AC_DEFUN([AIRCRACK_NG_COMPAT], [ + AC_ARG_WITH(libbsd, + [AS_HELP_STRING([--with-libbsd[[=auto|yes|no]]], [use BSD library, [default=auto]])]) + ++AC_CHECK_FUNCS([strlcpy strlcat], [:]) ++ + case $with_libbsd in + yes | "" | auto) + AC_CHECK_HEADERS([bsd/string.h], [HAVE_BSD_STRING_H=yes]) + AC_CHECK_LIB([bsd], [strlcpy], [:]) +- AC_CHECK_FUNCS([strlcpy strlcat], [:]) + ;; + esac + diff --git a/net/apinger/Makefile b/net/apinger/Makefile index b2f537275..244df9684 100644 --- a/net/apinger/Makefile +++ b/net/apinger/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=apinger PKG_SOURCE_DATE:=2015-04-09 PKG_SOURCE_VERSION:=78eb328721ba1a10571c19df95acddcb5f0c17c8 -PKG_RELEASE:=5 +PKG_RELEASE:=6 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/Jajcus/apinger diff --git a/net/apinger/files/apinger.init b/net/apinger/files/apinger.init index 7a287c03b..745ba6b63 100644 --- a/net/apinger/files/apinger.init +++ b/net/apinger/files/apinger.init 
@@ -54,10 +54,15 @@ append_target() { config_get_bool rrd "$target" rrd 0 [ -z "$address" ] && return 0 - - srcip=$(uci_get network "$interface" ipaddr) - [ -z "$srcip" ] && network_get_ipaddr srcip "$interface" - srcip="${srcip:-0.0.0.0}" + if [ -z $(echo "$address"|sed "/:/d") ]; then + srcip=$(uci_get network "$interface" ip6addr) + [ -z "$srcip"] && network_get_ipaddr6 srcip "$interface" + srcip="${srcip:-::}" + else + srcip=$(uci_get network "$interface" ipaddr) + [ -z "$srcip"] && network_get_ipaddr srcip "$interface" + srcip="${srcip:-0.0.0.0}" + fi alarms=${alarm_down:+\"${alarm_down}\"} alarms=${alarm_delay:+${alarms:+${alarms}, }}${alarm_delay:+\"${alarm_delay}\"} @@ -115,7 +120,7 @@ append_alarm_loss() { local percent_low percent_high config_get percent_low "$alarm" percent_low - config_get percent_high "$alarm" percent_low + config_get percent_high "$alarm" percent_high if [ -z "$percent_low" ] || [ -z "$percent_high" ]; then return @@ -132,9 +137,9 @@ init_apinger_config() { local debug status_interval rrd_interval instance instance=$1 - config_get_bool debug apinger debug 0 - config_get status_interval apinger status_interval 1 - config_get rrd_interval apinger rrd_interval 30 + config_get_bool debug "$instance" debug 0 + config_get status_interval "$instance" status_interval 1 + config_get rrd_interval "$instance" rrd_interval 30 [ "$debug" = "1" ] && debug=on || debug=off diff --git a/net/apinger/files/apinger.rpc b/net/apinger/files/apinger.rpc index 0be6e1657..360d473e2 100644 --- a/net/apinger/files/apinger.rpc +++ b/net/apinger/files/apinger.rpc @@ -38,7 +38,7 @@ apinger_status() { if [ -f "$status_file" ]; then _IFS="$IFS" IFS="|" - while read -r address srcip target received sent timestamp latency loss alarm; do + while read -r address srcip target sent received timestamp latency loss alarm; do json_add_object targets json_add_string interface "$iface" json_add_string target "$target" 
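Review bot: Both added fallback lines read `[ -z "$srcip"] && ...` with no space before the closing bracket. When `srcip` is empty the word collapses to `]` and the test happens to succeed, but when the UCI option is set `[` receives `value]`, prints a missing-`]` error for every target and returns failure. The removed line had the space; restore it as `[ -z "$srcip" ] && network_get_ipaddr6 srcip "$interface"` and likewise for the IPv4 branch. The address-family check also leaves its command substitution unquoted, which `case "$address" in *:*) ... ;; esac` would avoid along with the `sed` fork. append_target continues outside the hunk.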
diff --git a/net/freeradius3/Makefile b/net/freeradius3/Makefile index d908ed815..4a97b8414 100644 --- a/net/freeradius3/Makefile +++ b/net/freeradius3/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=freeradius3 PKG_VERSION:=3.0.26 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=freeradius-server-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=https://github.com/FreeRADIUS/freeradius-server/releases/download/release_$(subst .,_,$(PKG_VERSION))/ @@ -63,7 +63,7 @@ endef define Package/freeradius3-common $(call Package/freeradius3/Default) TITLE:=common files - DEPENDS:=+USE_GLIBC:libpthread +USE_GLIBC:libbsd +FREERADIUS3_OPENSSL:libopenssl +libcap +libpcap +libncurses +libpcre +libreadline +libtalloc +libatomic + DEPENDS:=+USE_GLIBC:libpthread +USE_GLIBC:libbsd +FREERADIUS3_OPENSSL:libopenssl +libcap +libpcap +libncurses +libpcre2 +libreadline +libtalloc +libatomic endef define Package/freeradius3-default diff --git a/net/keepalived/Makefile b/net/keepalived/Makefile index 62f4373f7..da44823c5 100644 --- a/net/keepalived/Makefile +++ b/net/keepalived/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=keepalived PKG_VERSION:=2.2.8 -PKG_RELEASE:=3 +PKG_RELEASE:=5 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.keepalived.org/software diff --git a/net/keepalived/files/keepalived.init b/net/keepalived/files/keepalived.init index 63beb2983..cbbff4941 100644 --- a/net/keepalived/files/keepalived.init +++ b/net/keepalived/files/keepalived.init 
@@ -105,6 +105,11 @@ globals() { printf '%benable_script_security\n' "${INDENT_1}" >> "$KEEPALIVED_CONF" printf '%bprocess_names\n' "${INDENT_1}" >> "$KEEPALIVED_CONF" + printf '%bstartup_script "/bin/busybox env -i ACTION=startup /sbin/hotplug-call keepalived"\n' "${INDENT_1}" >> "$KEEPALIVED_CONF" + printf '%bstartup_script_timeout 10\n' "${INDENT_1}" >> "$KEEPALIVED_CONF" + printf '%bshutdown_script "/bin/busybox env -i ACTION=shutdown /sbin/hotplug-call keepalived"\n' "${INDENT_1}" >> "$KEEPALIVED_CONF" + printf '%bshutdown_script_timeout 10\n' "${INDENT_1}" >> "$KEEPALIVED_CONF" + config_get notification_email "$1" notification_email print_list_indent notification_email @@ -353,7 +358,7 @@ vrrp_instance() { garp_master_repeat garp_master_refresh_repeat \ no_val_vmac_xmit_base no_val_native_ipv6 no_val_accept \ no_val_dont_track_primary no_val_smtp_alert no_val_nopreempt \ - no_val_use_vmac + no_val_use_vmac no_val_no_accept print_notify "INSTANCE" "$name" "$INDENT_1" notify_backup notify_master \ notify_fault notify_stop diff --git a/net/knot/Makefile b/net/knot/Makefile index b40a2b28a..11be30e81 100644 --- a/net/knot/Makefile +++ b/net/knot/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=knot -PKG_VERSION:=3.3.1 +PKG_VERSION:=3.3.2 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://secure.nic.cz/files/knot-dns/ -PKG_HASH:=f3f4b1d49ec9b81113b14a38354b823bd4a470356ed7e8e555595b6fd1ac80c9 +PKG_HASH:=0d65d4b59f5df69b78c6295ade0a2ea7931831de7ef5eeee3e00f8a20af679e4 PKG_MAINTAINER:=Daniel Salzman PKG_LICENSE:=GPL-3.0 LGPL-2.0 0BSD BSD-3-Clause OLDAP-2.8 diff --git a/net/knot/patches/03_libdnssec_pkcs11_support.patch b/net/knot/patches/03_libdnssec_pkcs11_support.patch new file mode 100644 index 000000000..4e7e30c09 --- /dev/null +++ b/net/knot/patches/03_libdnssec_pkcs11_support.patch 
@@ -0,0 +1,17 @@ +--- a/src/libdnssec/key/key.c ++++ b/src/libdnssec/key/key.c +@@ -146,10 +146,14 @@ dnssec_key_t *dnssec_key_dup(const dnsse + + gnutls_privkey_type_t type = gnutls_privkey_get_type(key->private_key); + if (type == GNUTLS_PRIVKEY_PKCS11) { ++#ifdef ENABLE_PKCS11 + gnutls_pkcs11_privkey_t tmp; + gnutls_privkey_export_pkcs11(key->private_key, &tmp); + gnutls_privkey_import_pkcs11(dup->private_key, tmp, + GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); ++#else ++ assert(0); ++#endif + } else { + assert(type == GNUTLS_PRIVKEY_X509); + gnutls_x509_privkey_t tmp; diff --git a/net/libreswan/Makefile b/net/libreswan/Makefile index 4ecc00a44..eb407e432 100644 --- a/net/libreswan/Makefile +++ b/net/libreswan/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libreswan PKG_VERSION:=4.12 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://download.libreswan.org/ 
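Review bot: The added `#else` branch handles a PKCS #11 key in a build without ENABLE_PKCS11 with `assert(0);` only, and that disappears when the library is compiled with NDEBUG. dnssec_key_dup would then carry on without importing any private key into `dup`. An explicit failure is safer than the assertion, for example releasing `dup` and returning NULL in that branch, in whatever way the rest of the function reports errors. dnssec_key_dup starts and ends outside the hunk, so the exact cleanup call cannot be taken from here.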
@@ -25,46 +25,65 @@ PKG_BUILD_FLAGS:=lto include $(INCLUDE_DIR)/package.mk -define Package/libreswan/Default - TITLE:=Libreswan - URL:=https://libreswan.org/ -endef - -define Package/libreswan/Default/description - Libreswan is a free software implementation of the most widely supported and - standardized VPN protocol based on ("IPsec") and the Internet Key Exchange - ("IKE"). These standards are produced and maintained by the Internet - Engineering Task Force ("IETF"). -endef - -define Package/libreswan -$(call Package/libreswan/Default) +define Package/libreswan/default SUBMENU:=VPN SECTION:=net CATEGORY:=Network - DEPENDS:= +IPV6:kmod-ip6-vti +IPV6:kmod-ipsec6 +ip-full +iptables-mod-ipsec \ - +kmod-crypto-aead +kmod-crypto-authenc +kmod-crypto-gcm \ - +kmod-crypto-hash +kmod-crypto-rng +kmod-ip-vti +kmod-ipsec \ - +kmod-ipsec4 +kmod-ipt-ipsec +kmod-xfrm-interface +libevent2 +libevent2-pthreads \ - +libldns +librt +libunbound +nss-utils +nspr +libcap-ng + TITLE:=Libreswan + URL:=https://libreswan.org/ PROVIDES:=openswan CONFLICTS:=strongswan - TITLE+= IPsec Server +endef + +define Package/libreswan + $(Package/libreswan/default) + DEPENDS:= \ + +kmod-ip-vti +IPV6:kmod-ip6-vti \ + +kmod-ipsec +kmod-ipsec4 +IPV6:kmod-ipsec6 \ + +ip-full +kmod-xfrm-interface \ + +libevent2 +libevent2-pthreads \ + +libldns +librt +libunbound +nss-utils +nspr +libcap-ng \ + +kmod-crypto-acompress \ + +kmod-crypto-aead \ + +kmod-crypto-authenc \ + +kmod-crypto-arc4 \ + +kmod-crypto-cbc \ + +kmod-crypto-ccm \ + +kmod-crypto-chacha20poly1305 \ + +kmod-crypto-cmac \ + +kmod-crypto-ctr \ + +kmod-crypto-cts \ + +kmod-crypto-des \ + +kmod-crypto-ecb \ + +kmod-crypto-ecdh \ + +kmod-crypto-gcm \ + +kmod-crypto-ghash \ + +kmod-crypto-hash \ + +kmod-crypto-hmac \ + +kmod-crypto-md4 \ + +kmod-crypto-md5 \ + +kmod-crypto-null \ + +kmod-crypto-pcbc \ + +kmod-crypto-sha1 \ + +kmod-crypto-sha256 \ + +kmod-crypto-sha512 \ + +kmod-crypto-xcbc \ + +kmod-crypto-rng endef define 
Package/libreswan/description -$(call Package/libreswan/Default/description) - Libreswan is a free software implementation of the most widely supported and - standardized VPN protocol based on ("IPsec") and the Internet Key Exchange - ("IKE"). These standards are produced and maintained by the Internet - Engineering Task Force ("IETF"). + Libreswan is a free software implementation of the most widely supported and + standardized VPN protocol based on ("IPsec") and the Internet Key Exchange + ("IKE"). These standards are produced and maintained by the Internet + Engineering Task Force ("IETF"). endef define Package/libreswan/conffiles /etc/ipsec.d -/etc/ipsec.conf -/etc/ipsec.secrets +/etc/config/libreswan +/etc/ipsec.user endef + TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed MAKE_FLAGS+= \ 
@@ -103,20 +122,82 @@ endef define Package/libreswan/install $(INSTALL_DIR) \ - $(1)/etc/init.d \ $(1)/etc/ipsec.d/policies \ $(1)/usr/libexec/ipsec \ - $(1)/usr/sbin + $(1)/usr/sbin \ + $(1)/etc/config \ + $(1)/etc/init.d \ + $(1)/etc/hotplug.d/libreswan \ + $(1)/etc/hotplug.d/iface \ + $(1)/usr/libexec/rpcd \ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec \ $(1)/usr/sbin/ipsec - $(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec - $(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/ipsec.conf - $(INSTALL_DATA) ./files/ipsec.secrets $(1)/etc/ipsec.secrets $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ipsec.d/policies/* \ $(1)/etc/ipsec.d/policies/ $(CP) $(PKG_INSTALL_DIR)/usr/libexec/ipsec/* \ $(1)/usr/libexec/ipsec/ + + $(INSTALL_BIN) ./files/usr/libexec/ipsec/_updown.xfrm $(1)/usr/libexec/ipsec/_updown.xfrm + $(INSTALL_BIN) ./files/etc/init.d/ipsec $(1)/etc/init.d/ipsec + $(INSTALL_BIN) ./files/usr/libexec/rpcd/libreswan $(1)/usr/libexec/rpcd/libreswan + $(INSTALL_DATA) ./files/etc/ipsec.conf $(1)/etc/ipsec.conf + $(INSTALL_DATA) ./files/etc/ipsec.secrets $(1)/etc/ipsec.secrets + $(INSTALL_DATA) ./files/etc/config/libreswan $(1)/etc/config/libreswan + $(INSTALL_DATA) ./files/etc/hotplug.d/libreswan/01-user $(1)/etc/hotplug.d/libreswan/01-user + $(INSTALL_DATA) ./files/etc/hotplug.d/libreswan/02-vti $(1)/etc/hotplug.d/libreswan/02-vti + $(INSTALL_DATA) ./files/etc/hotplug.d/iface/89-libreswan $(1)/etc/hotplug.d/iface/89-libreswan +endef + +define Package/libreswan-nftables + $(Package/libreswan/default) + TITLE+= nftables plugin) + DEPENDS+=firewall4 +libreswan +kmod-nft-xfrm +nftables \ + +kmod-nfnetlink-log +endef + +define Package/libreswan-nftables/description + Provides Libreswan nftables plugin for adding firewall rules +endef + +define Package/libreswan-nftables/install + $(INSTALL_DIR) $(1)/etc/hotplug.d/libreswan \ + $(1)/usr/share/nftables.d/ruleset-post + + $(CP) ./files/usr/share/nftables.d/* $(1)/usr/share/nftables.d + $(CP) 
./files/etc/hotplug.d/libreswan/62-nftables $(1)/etc/hotplug.d/libreswan/62-nftables + $(LN) /tmp/libreswan/firewall.d/libreswan.rules $(1)/usr/share/nftables.d/ruleset-post/10_libreswan.nft +endef + +define Package/libreswan-iptables + $(Package/libreswan/default) + TITLE+= iptables plugin) + DEPENDS+=firewall +libreswan +iptables-mod-ipsec +kmod-ipt-ipsec \ + +iptables-zz-legacy +IPV6:ip6tables-zz-legacy \ + +kmod-ipt-nflog +iptables-mod-nflog +endef + +define Package/libreswan-iptables/description + Provides Libreswan iptables plugin for adding firewall rules +endef + +define Package/libreswan-iptables/install + $(INSTALL_DIR) $(1)/etc \ + $(1)/etc/uci-defaults \ + $(1)/etc/hotplug.d/libreswan + + $(CP) ./files/etc/hotplug.d/libreswan/61-iptables $(1)/etc/hotplug.d/libreswan/61-iptables + $(CP) ./files/etc/uci-defaults/091-libreswan $(1)/etc/uci-defaults/091-libreswan + $(INSTALL_BIN) ./files/etc/libreswan_firewall.sh $(1)/etc/libreswan_firewall.sh +endef + +define Package/libreswan-iptables/postinst +#!/bin/sh +[ -n "$$IPKG_INSTROOT" ] || { + /etc/init.d/firewall reload +} endef $(eval $(call BuildPackage,libreswan)) +$(eval $(call BuildPackage,libreswan-nftables)) +$(eval $(call BuildPackage,libreswan-iptables)) diff --git a/net/libreswan/files/etc/config/libreswan b/net/libreswan/files/etc/config/libreswan new file mode 100644 index 000000000..140c8f693 --- /dev/null +++ b/net/libreswan/files/etc/config/libreswan 
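Review bot: `/etc/config/libreswan` and `/etc/ipsec.secrets` are installed with `$(INSTALL_DATA)`, which is mode 0644, although the UCI file added in this commit has a tunnel `psk` option and ipsec.secrets holds the same kind of material. `$(INSTALL_CONF)` (0600) is the usual macro for files that carry secrets: `$(INSTALL_CONF) ./files/etc/config/libreswan $(1)/etc/config/libreswan`, and the same for ipsec.secrets. Separately, `TITLE+= nftables plugin)` and `TITLE+= iptables plugin)` end in an unmatched parenthesis that will show up in the package titles.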
@@ -0,0 +1,41 @@
+config libreswan 'globals'
+ option debug '0' # set debug mode none/all
+ list virtual_private '10.0.0.0/8'
+ list virtual_private '192.168.0.0/16'
+ list virtual_private '172.16.0.0/12'
+ list virtual_private '25.0.0.0/8'
+ list virtual_private '100.64.0.0/10'
+ list virtual_private '!100.64.0.0/24' # the address ranges that may live behind a NAT router through which a client connects
+ # option listen '192.168.2.100' # listening address, if set listen_interface would not be used
+ # option listen_interface 'wan' # listening interface
+ # option uniqueids 'yes' # yes/no
+
+# config crypto_proposal 'p1'
+# list encryption_algorithm '3des' # possible values: 3des, aes, aes_ctr, aes_cbc, aes128, aes192, aes256, camellia_cbc
+# list hash_algorithm 'md5' # possible values: md5, sha1, sha256, sha384, sha512
+# list dh_group 'modp1536' # possible values: modp1536, modp2048, modp3072, modp4096, modp6144, modp8192, dh19, dh20, dh21, dh22, dh31
+
+# config tunnel 'vti2_1_5'
+# option left '192.168.1.1'
+# option left_interface 'wan' # interface ipaddr to be used as left
+# option leftid '@left' # local id
+# option right '192.168.2.201' # remote endpoint public ip
+# option rightid '@62dd3e3f82339b002405245b' # rightid
+# option auto 'start' # what operation, should be done automatically at IPsec startup
+# option authby 'secret' # how the two security gateways should authenticate each other
+# option psk 'AyG9RlTtQJIUxgxG' # preshare key
+# option ikev2 '1' # ike version
+# option ikelifetime '8h'
+# option rekey '1'
+# option rekeymargin '9m'
+# option dpdaction 'restart'
+# option dpddelay '30'
+# option dpdtimeout '150'
+# option interface 'vti2_1_5' # only for route based tunnels
+# list leftsubnets '0.0.0.0/0'
+# list rightsubnets '0.0.0.0/0'
+# option phase2 'esp' # phase2 protocol
+# list ike 'p1' # list of crypto_proposal (phase1 proposals)
+# list phase2ag 'p1' # list of crypto_proposal (phase2 proposals')
+# option nflog '0' # enable nflog
+# 
option update_peeraddr '1' # auto update vti interface ppeeradd in /etc/config/network diff --git a/net/libreswan/files/etc/hotplug.d/iface/89-libreswan b/net/libreswan/files/etc/hotplug.d/iface/89-libreswan new file mode 100644 index 000000000..9ebc61815 --- /dev/null +++ b/net/libreswan/files/etc/hotplug.d/iface/89-libreswan @@ -0,0 +1,11 @@ +#!/bin/sh + +[ "$ACTION" = ifup -o "$ACTION" = ifupdate ] || exit 0 +[ "$ACTION" = ifupdate -a -z "$IFUPDATE_ADDRESSES" -a -z "$IFUPDATE_DATA" ] && exit 0 + +/etc/init.d/ipsec running || exit 0 +uci show libreswan | grep -i "='$INTERFACE'$" || exit 0 + +logger -t libreswan "Restart libreswan due to $ACTION of $INTERFACE ($DEVICE)" + +/etc/init.d/ipsec restart diff --git a/net/libreswan/files/etc/hotplug.d/libreswan/00-default b/net/libreswan/files/etc/hotplug.d/libreswan/00-default new file mode 100644 index 000000000..940c49520 --- /dev/null +++ b/net/libreswan/files/etc/hotplug.d/libreswan/00-default 
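Review bot: The commented example pairs `3des`, `md5` and `modp1536` in the `crypto_proposal` section and gives a realistic-looking value for `option psk`. Examples in a shipped default config tend to be uncommented as they are. Pick values from the stronger end of the lists the comments already give, e.g. `aes256`, `sha256` and `modp2048`, and use an obvious placeholder such as `option psk '<pre-shared-key>'`. The last comment also has a typo, `ppeeradd` for peeraddr.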
@@ -0,0 +1,220 @@ +#!/bin/sh + +# Things that this script gets (from ipsec_pluto(8) man page) +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway +# communications is IPv6, then a suffix of -v6 is added +# to the verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_CONNECTION_TYPE +# is type of the connection, "tunnel" or "transport". +# +# PLUTO_CONN_POLICY +# the policy of the connection, as in: +# RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC +# +failureDROP+lKOD+rKOD +# +# CAT=YES| +# if client address translation inside IPsec stack is enabled +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the real interface used by encrypted traffic and IKE traffic +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is our ID. +# +# PLUTO_METRIC +# is the metric to set for the route +# +# PLUTO_MTU +# is the mtu to set for the route +# +# PLUTO_ADD_TIME +# Time the IPsec SA was added to the kernel +# +# PLUTO_MOBIKE_EVENT +# wether the connection is underdoing MOBIKE migration +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / mask (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# if non-empty, then the source address for the route will be +# set to this IP address. +# +# PLUTO_MY_PROTOCOL +# is the protocol for this connection. Useful for +# firewalling. 
+# +# PLUTO_MY_PORT +# is the port. Useful for firewalling. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client subnet. +# If the client is just the peer, this will be +# the peer's own IP address / mask (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the protocol set for remote end with port +# selector. +# +# PLUTO_PEER_PORT +# is the peer's port. Useful for firewalling. +# +# PLUTO_PEER_CA +# is the DN of the peer's CA that signed its certificate +# +# PLUTO_CFG_CLIENT=0|1 +# is MODECFG or IKEv2 Config client. +# +# PLUTO_CFG_SERVER=0|1 +# is MODECFG or IKEv2 Config server. +# +# PLUTO_PEER_DNS_INFO +# The peer's supplied DNS information (IKEv1 and IKEv2) +# +# PLUTO_PEER_DOMAIN_INFO +# The peer's supplied domain list for local resolving (IKEv2 only) +# +# PLUTO_PEER_BANNER +# is the peer's provided banner +# +# PLUTO_NM_CONFIGURED=0|1 +# is NetworkManager used for resolv.conf update +# +# PLUTO_CONN_ADDRFAMILY +# is the family type, "ipv4" or "ipv6" +# +# PLUTO_CONN_KIND +# is the "kind" of connection (CK_PERMANENT, CK_INSTANCE, etc) +# +# PLUTO_STACK +# is the local IPsec kernel stack used, eg XFRM, BSDKAME, NOSTACK +# +# PLUTO_IS_PEER_CISCO=0|1 +# remote server type is cisco. Add support for cisco extensions +# when used with xauth. +# +# PLUTO_SA_REQID +# When using KAME or XFRM, the IPsec SA reqid base value. 
+# ESP/AH out is base, ESP/AH in = base + 1 +# IPCOMP is base + 2 plus for inbound + 1 +# +# PLUTO_XFRMI_FWMARK +# use outgoing mark +# +# PLUTO_SA_TYPE +# The type of IPsec SA (ESP or AH) +# +# PLUTO_USERNAME +# The username (XAUTH or GSSAPI) that was authenticated (if any) +# for this SA +# +# PLUTO_VIRT_INTERFACE +# is the name of ipsec interface used by clear traffic in/out +# +# INTERFACE_IP +# The IP to configure / expect on the interface? Currently is never set +# +# PLUTO_XFRM_ROUTE +# if an XFRM (ipsec-device) has been specified, value will be "yes" +# +# XAUTH_FAILED +# If xauthfail=soft this will be set to 1 if XAUTH authentication +# failed. If xauthfail=hard, the updown scripts never run. +# +# CONNMARK +# If mark= is set on the connection, this variable will be +# set with the value. It can be used for iptables or VTI. +# +# CONNMARK_IN +# the incoming mark to use +# +# CONNMARK_OUT +# the outgoing mark to use +# +# VTI_IFACE=iface +# Name of VTI interface to create +# +# VTI_ROUTING=yes|no +# Whether or not to perform ip rule and ip route commands +# covering the IPsec SA address ranges to route those packets +# into the VTI_IFACE interface. This should be enabled unless +# the IPsec SA covers 0.0.0.0/0 <-> 0.0.0.0/0 +# +# VTI_SHARED=yes|no +# Whether or not more conns (or instances) share a VTI device. +# If not shared, the VTI device is deleted when tunnel goes down. +# +# VTI_IP +# The IP to configure on the VTI device +# +# SPI_IN / SPI_OUT +# The inbound and outbound SPI's of the connection. 
+# +# PLUTO_INBYTES +# total bytes received +# +# PLUTO_OUTBYTES +# total bytes sent +# +# NFLOG +# is the nflog group to use +# + +case "${PLUTO_VERB}" in + prepare-host|prepare-host-v6) ;; + prepare-client|prepare-client-v6) ;; + route-host|route-host-v6) ;; + unroute-host|unroute-host-v6) ;; + route-client|route-client-v6) ;; + unroute-client|unroute-client-v6) ;; + up-host|up-host-v6) ;; + down-host|down-host-v6) ;; + up-client|up-client-v6) ;; + down-client|down-client-v6) ;; +esac diff --git a/net/libreswan/files/etc/hotplug.d/libreswan/01-user b/net/libreswan/files/etc/hotplug.d/libreswan/01-user new file mode 100644 index 000000000..120260957 --- /dev/null +++ b/net/libreswan/files/etc/hotplug.d/libreswan/01-user @@ -0,0 +1,7 @@ +#!/bin/sh + +[ -e "/etc/ipsec.user" ] && { + . /etc/ipsec.user +} + +exit 0 diff --git a/net/libreswan/files/etc/hotplug.d/libreswan/02-vti b/net/libreswan/files/etc/hotplug.d/libreswan/02-vti new file mode 100644 index 000000000..719d60e9b --- /dev/null +++ b/net/libreswan/files/etc/hotplug.d/libreswan/02-vti @@ -0,0 +1,24 @@ +#!/bin/sh + +. /lib/functions.sh + +[ "${PLUTO_VERB}" != "route-client" ] && [ "${PLUTO_VERB}" != "up-client" ] && exit 0 + +CONNECTION=${PLUTO_CONNECTION%/*} +[ -z "$CONNECTION" ] && exit 0 + +update_peeraddr=$(uci_get libreswan $CONNECTION update_peeraddr) +[ "$update_peeraddr" != "1" ] && exit 0 + +interface=$(uci_get libreswan $CONNECTION interface) +[ -z "$interface" ] && exit 0 + +proto=$(uci_get network "$interface" proto) +[ "$proto" != "vti" ] && exit 0 + +peeraddr=$(uci_get network "$interface" peeraddr) +[ "$peeraddr" == "$PLUTO_PEER" ] && exit 0 + +uci_set network "$interface" peeraddr "$PLUTO_PEER" +uci_commit network +ifup "$interface" diff --git a/net/libreswan/files/etc/hotplug.d/libreswan/61-iptables b/net/libreswan/files/etc/hotplug.d/libreswan/61-iptables new file mode 100644 index 000000000..b795d3097 --- /dev/null +++ b/net/libreswan/files/etc/hotplug.d/libreswan/61-iptables 
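Review bot: In `02-vti`, `uci_get libreswan $CONNECTION update_peeraddr` and `uci_get libreswan $CONNECTION interface` pass the connection name unquoted, while every later call quotes `"$interface"`; write `"$CONNECTION"` so a name containing whitespace or glob characters cannot split into extra arguments. `[ "$peeraddr" == "$PLUTO_PEER" ]` should use `=`, since the script runs under `#!/bin/sh`. A short header comment would also help, stating that this script rewrites and commits `peeraddr` in `/etc/config/network` whenever the peer address differs, because that is a persistent change driven by `PLUTO_PEER`.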
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+FW4="$(command -v fw4)"
+[ -n "$FW4" ] && exit 0
+
+CONNECTION="${PLUTO_CONNECTION//\//_}"
+[ -z "$CONNECTION" ] && exit 0
+
+IPT_LEGACY="$(command -v iptables-legacy)"
+IPT="$(command -v iptables)"
+BIN="${IPT_LEGACY:-$IPT}"
+[ -z "$BIN" ] && exit 0
+
+LIBRESWAN_INPUT="libreswan_input"
+LIBRESWAN_FORWARD="libreswan_forward"
+LIBRESWAN_OUTPUT="libreswan_output"
+LIBRESWAN_NFLOG_INPUT="libreswan_nflog_input"
+LIBRESWAN_NFLOG_OUTPUT="libreswan_nflog_output"
+LIBRESWAN_POSTROUTING="libreswan_postrouting"
+
+FW_DIR="/tmp/libreswan/firewall.d"
+LIBRESWAN_RULES_FILE="$FW_DIR/libreswan.rules"
+RULES_DIR="$FW_DIR/rules"
+
+IPV4_RULES_FILE="$RULES_DIR/${CONNECTION}-ipv4.rules"
+IPV6_RULES_FILE="$RULES_DIR/${CONNECTION}-ipv6.rules"
+
+reload_firewall() {
+ [ ! -d "$RULES_DIR" ] && return 0
+
+ cat $RULES_DIR/*.rules > "$LIBRESWAN_RULES_FILE" 2>/dev/null
+ /etc/init.d/firewall reload
+}
+
+up_rules() {
+ [ -z "$PLUTO_PEER_CLIENT" ] && return 0
+
+ [ ! 
-d "$RULES_DIR" ] && mkdir -p "$RULES_DIR"
+ [ "$PLUTO_PEER_CLIENT" = "0.0.0.0/0" ] && [ "$PLUTO_MY_CLIENT" = "0.0.0.0/0" ] && return 0
+
+ cat << EOF > $IPV4_RULES_FILE
+$BIN -t filter -A $LIBRESWAN_INPUT -m policy --dir in --pol ipsec -s $PLUTO_PEER_CLIENT -d $PLUTO_MY_CLIENT -m comment --comment "$PLUTO_CONNECTION" -j ACCEPT
+$BIN -t filter -A $LIBRESWAN_FORWARD -s $PLUTO_PEER_CLIENT -d $PLUTO_MY_CLIENT -m comment --comment "$PLUTO_CONNECTION" -j ACCEPT
+$BIN -t filter -A $LIBRESWAN_OUTPUT -m policy --dir out --pol ipsec -s $PLUTO_MY_CLIENT -d $PLUTO_PEER_CLIENT -m comment --comment "$PLUTO_CONNECTION" -j ACCEPT
+$BIN -t nat -A $LIBRESWAN_POSTROUTING -m policy --dir out --pol ipsec -s $PLUTO_MY_CLIENT -d $PLUTO_PEER_CLIENT -m comment --comment "$PLUTO_CONNECTION" -j ACCEPT
+EOF
+ if [ -n "$NFLOG" ]; then
+ cat << EOF > $IPV4_RULES_FILE
+$BIN -t filter -A $LIBRESWAN_NFLOG_INPUT -m policy --dir in --pol ipsec -s $PLUTO_PEER_CLIENT -d $PLUTO_MY_CLIENT -j NFLOG --nflog-group $NFLOG --nflog-prefix $PLUTO_CONNECTION
+$BIN -t filter -A $LIBRESWAN_NFLOG_OUTPUT -m policy --dir out --pol ipsec -s $PLUTO_MY_CLIENT -d $PLUTO_PEER_CLIENT -j NFLOG --nflog-group $NFLOG --nflog-prefix $PLUTO_CONNECTION
+EOF
+
+ fi
+
+ reload_firewall
+
+ return 0
+}
+
+down_rules() {
+ if [ -f "$IPV4_RULES_FILE" ]; then
+ rm -rf "$IPV4_RULES_FILE"
+ reload_firewall
+ fi
+
+ return 0
+}
+
+case "${PLUTO_VERB}" in
+ up-host|up-client) up_rules ;;
+ down-host|down-client) down_rules ;;
+ up-host-v6|down-host-v6) ;;
+ up-client|down-client-v6) ;;
+esac
diff --git a/net/libreswan/files/etc/hotplug.d/libreswan/62-nftables b/net/libreswan/files/etc/hotplug.d/libreswan/62-nftables
new file mode 100644
index 000000000..fe8814769
--- /dev/null
+++ b/net/libreswan/files/etc/hotplug.d/libreswan/62-nftables
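Review bot: In `up_rules`, the NFLOG branch reopens the per-connection file with `cat << EOF > $IPV4_RULES_FILE`, which truncates the four ACCEPT rules written just above it, so a tunnel with `NFLOG` set ends up with only the NFLOG lines. It should append instead: `cat << EOF >> "$IPV4_RULES_FILE"`. The file is later concatenated into `libreswan.rules` and run with `sh` by `libreswan_firewall.sh`, so every expanded value becomes shell input; `--nflog-prefix $PLUTO_CONNECTION` should be quoted the way the `--comment "$PLUTO_CONNECTION"` lines are. The last case arm reads `up-client|down-client-v6)`, presumably meant as `up-client-v6|down-client-v6)`.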
@@ -0,0 +1,87 @@ +#!/bin/sh + +. /lib/functions.sh + +FW4="$(command -v fw4)" +[ -z "$FW4" ] && exit 0 + +CONNECTION="${PLUTO_CONNECTION//\//_}" +[ -z "$CONNECTION" ] && exit 0 + +FW_DIR="/tmp/libreswan/firewall.d" +LIBRESWAN_RULES_FILE="$FW_DIR/libreswan.rules" +RULES_DIR="$FW_DIR/rules" + +IPV4_RULES_FILE="$RULES_DIR/${CONNECTION}-ipv4.rules" +IPV6_RULES_FILE="$RULES_DIR/${CONNECTION}-ipv6.rules" +NFLOG_ALL_RULES_FILE="$RULES_DIR/nflog_all.rules" + +reload_firewall() { + [ ! -d "$RULES_DIR" ] && return 0 + + cat $RULES_DIR/*.rules > "$LIBRESWAN_RULES_FILE" 2>/dev/null + /etc/init.d/firewall reload +} + +up_rules() { + [ -z "$PLUTO_PEER_CLIENT" ] && return 0 + + [ ! -d "$RULES_DIR" ] && mkdir -p "$RULES_DIR" + + eval $(ipsec addconn --configsetup) + + if [ -n "$nflog_all" ]; then + unset NFLOG + if [ ! -f "$NFLOG_ALL_RULES_FILE" ]; then + cat << EOF > "$NFLOG_ALL_RULES_FILE" +table inet fw4 { + chain libreswan_nflog_input { + meta ipsec exists log prefix "all-ipsec" group ${nflog_all} + } + chain libreswan_nflog_output { + rt ipsec exists log prefix "all-ipsec" group ${nflog_all} + } +} +EOF + fi + else + [ -f "$NFLOG_ALL_RULES_FILE" ] && rm -f "$NFLOG_ALL_RULES_FILE" + fi + + cat << EOF > $IPV4_RULES_FILE +table inet fw4 { + chain libreswan_input { + meta ipsec exists ipsec in ip saddr $PLUTO_PEER_CLIENT ip daddr $PLUTO_MY_CLIENT ${NFLOG:+log prefix \"${PLUTO_CONNECTION}\" group ${NFLOG}} accept comment "$PLUTO_CONNECTION" + } + chain libreswan_forward { + meta ipsec exists ipsec in ip saddr $PLUTO_PEER_CLIENT ip daddr $PLUTO_MY_CLIENT accept comment "$PLUTO_CONNECTION" + } + chain libreswan_output { + ipsec out ip saddr $PLUTO_MY_CLIENT ip daddr $PLUTO_PEER_CLIENT ${NFLOG:+log prefix \"${PLUTO_CONNECTION}\" group ${NFLOG}} accept comment "$PLUTO_CONNECTION" + } + chain libreswan_srcnat { + ip saddr $PLUTO_MY_CLIENT ip daddr $PLUTO_PEER_CLIENT accept comment "$PLUTO_CONNECTION" + } +} +EOF + + reload_firewall + + return 0 +} + +down_rules() { + if [ -f 
"$IPV4_RULES_FILE" ]; then + rm -rf "$IPV4_RULES_FILE" + reload_firewall + fi + + return 0 +} + +case "${PLUTO_VERB}" in + up-host|up-client) up_rules ;; + down-host|down-client) down_rules ;; + up-host-v6|down-host-v6) ;; + up-client|down-client-v6) ;; +esac diff --git a/net/libreswan/files/etc/init.d/ipsec b/net/libreswan/files/etc/init.d/ipsec new file mode 100644 index 000000000..8a9478528 --- /dev/null +++ b/net/libreswan/files/etc/init.d/ipsec 
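Review bot: `up_rules` here lacks the guard that `61-iptables` has for `0.0.0.0/0` on both sides, and the `libreswan_srcnat` rule carries no ipsec match. A route-based tunnel (the sample config uses `0.0.0.0/0` for both subnets) would therefore write `ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 accept` into the srcnat chain, which appears to exempt all IPv4 traffic from source NAT. I would copy the guard, `[ "$PLUTO_PEER_CLIENT" = "0.0.0.0/0" ] && [ "$PLUTO_MY_CLIENT" = "0.0.0.0/0" ] && return 0`, and, if the hook permits it, qualify the srcnat rule with `ipsec out` as `libreswan_output` does. `eval $(ipsec addconn --configsetup)` should at least be quoted as `eval "$(ipsec addconn --configsetup)"`, and `cat << EOF > $IPV4_RULES_FILE` should quote its target.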
@@ -0,0 +1,337 @@ +#!/bin/sh /etc/rc.common + +. "${IPKG_INSTROOT}/lib/functions/network.sh" + +START=90 +STOP=10 + +USE_PROCD=1 + +PROG="/usr/libexec/ipsec/pluto" +IPSEC_BIN="/usr/sbin/ipsec" + +IPSEC_DIR="/var/run/ipsec" +IPSEC_CONF="$IPSEC_DIR/setup.conf" +IPSEC_CONF_DIR="$IPSEC_DIR/conf.d" + +IPSEC_AUTO="${IPSEC_BIN} auto" + +extra_command "start_tunnel" "Start ipsec tunnel" +extra_command "stop_tunnel" "Stop ipsec tunnel" +extra_command "reload_tunnel" "Reload/restart ipsec tunnel" + +set_var() { + export "$1=$2" +} + +get_var() { + local var + + var=$(eval echo "\"\${${1}}\"") + [ "$var" = "1" ] && return 0 + + return 1 +} + +set_restart_flag() { + set_var "RESTART_IPSEC" 1 +} + +restart_flag() { + get_var RESTART_IPSEC +} + +set_replace_flag() { + set_var "REPLACE_${1}" 1 +} + +replace_flag() { + get_var "REPLACE_${1}" +} + +checkconfig() { + ${IPSEC_BIN} addconn --checkconfig || return 1 + mkdir -p /var/run/pluto +} + +expand_ike() { + local id="$1" + local encryption_algorithm hash_algorithm dh_group proposal + + config_get encryption_algorithm "${id}" encryption_algorithm + config_get hash_algorithm "${id}" hash_algorithm + config_get dh_group "${id}" dh_group + + encryption_algorithm="${encryption_algorithm% *}" + proposal="${encryption_algorithm:+${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}${dh_group:+;${dh_group%% *}}}}" + append ike_proposal "$proposal" "," +} + +expand_phase2alg() { + local id="$1" + local encryption_algorithm hash_algorithm dh_group + + config_get encryption_algorithm "${id}" encryption_algorithm + config_get hash_algorithm "${id}" hash_algorithm + config_get dh_group "${id}" dh_group + + phase2alg_proposal="${encryption_algorithm:+${encryption_algorithm// /+}${hash_algorithm:+-${hash_algorithm// /+}${dh_group:+-${dh_group// /+}}}}" +} + +generate_tunnel_config() { + local id=$1 + local config_file="$IPSEC_CONF_DIR/$id.conf" + local secret_file="$IPSEC_CONF_DIR/$id.secret" + local tmp_config_file="/tmp/$id.conf" + 
local tmp_secret_file="/tmp/$id.secret" + local ikey mark_in okey mark_out ifid + + config_get auto "$id" auto + config_get left "$id" left + config_get left_interface "$id" left_interface + [ -n "$left_interface" ] && network_get_ipaddr left "$left_interface" + config_get right "$id" right + config_get leftid "$id" leftid "$left" + config_get rightid "$id" rightid "$right" + config_get leftsourceip "$id" leftsourceip + config_get rightsourceip "$id" rightsourceip + config_get leftsubnets "$id" leftsubnets + config_get rightsubnets "$id" rightsubnets + config_get_bool ikev2 "$id" ikev2 + [ "$ikev2" = "1" ] && ikev2=yes || ikev2=no + config_get_bool rekey "$id" rekey + [ "$rekey" = "1" ] && rekey=yes || rekey=no + config_get ikelifetime "$id" ikelifetime + config_get rekeymargin "$id" rekeymargin + config_get dpdaction "$id" dpdaction + config_get dpdtimeout "$id" dpdtimeout + config_get dpddelay "$id" dpddelay + config_get phase2 "$id" phase2 + config_get phase2alg "$id" phase2alg + config_get nflog "$id" nflog 0 + [ "$nflog" = "0" ] && unset nflog + + config_list_foreach "$id" ike expand_ike + config_list_foreach "$id" phase2alg expand_phase2alg + + config_get authby "$id" authby + config_get psk "$id" psk + + if [ -n "$leftsubnets" ]; then + [[ "$leftsubnets" =~ 0.0.0.0* ]] && leftsubnets="0.0.0.0/0" + leftsubnets="{${leftsubnets// /,}}" + fi + + if [ -n "$rightsubnets" ]; then + [[ "$rightsubnets" =~ 0.0.0.0* ]] && rightsubnets="0.0.0.0/0" + rightsubnets="{${rightsubnets// /,}}" + fi + + config_get interface "$id" interface + + cat << EOF > "$tmp_secret_file" +$leftid $rightid : PSK "$psk" +EOF + + cat << EOF > "$tmp_config_file" +conn $id + auto=${auto} + authby=${authby} + ikev2=${ikev2} + left=${left%% *} + ${leftid:+leftid=${leftid}} + ${leftsourceip:+leftsourceip=${leftsourceip}} + ${leftsubnets:+leftsubnets=${leftsubnets}} + right=${right%% *} + ${rightid:+rightid=${rightid}} + ${rightsourceip:+rightsourceip=${rightsourceip}} + 
${rightsubnets:+rightsubnets=${rightsubnets}} + ${dpdaction:+dpdaction=${dpdaction}} + ${dpdtimeout:+dpdtimeout=${dpdtimeout}} + ${dpddelay:+dpddelay=${dpddelay}} + ${ikelifetime:+ikelifetime=${ikelifetime}} + ${rekey:+rekey=${rekey}} + ${rekeymargin:+rekeymargin=${rekeymargin}} + ${rekeyfuzz:+rekeyfuzz=${rekeyfuzz}} + ${phase2:+phase2=${phase2}} + ${ike_proposal:+ike=${ike_proposal}} + ${phase2alg_proposal:+phase2alg=${phase2alg_proposal}} + ${nflog:+nflog=${nflog}} +EOF + + if [ -n "$interface" ]; then + proto=$(uci_get network "$interface" proto) + case "$proto" in + vti) + ikey=$(uci_get network "$interface" ikey) + okey=$(uci_get network "$interface" okey) + mark_in=$(printf "0x%x" $ikey) + mark_out=$(printf "0x%x" $okey) + echo -e "${mark_in:+\tmark-in=${mark_in}}" >> "$tmp_config_file" + echo -e "${mark_out:+\tmark-out=${mark_out}}" >> "$tmp_config_file" + echo -e "${interface:+\tvti-interface=${interface}}" >> "$tmp_config_file" + ;; + xfrm) + ifid=$(uci_get network "$interface" ifid) + echo -e "${ifid:+\tipsec-interface=${ifid}}" >> "$tmp_config_file" + ;; + esac + fi + + + [ -f "$config_file" ] && { + cmp "$config_file" "$tmp_config_file" 2>/dev/null && rm -f "$tmp_config_file" + } + + [ -f "$secret_file" ] && { + cmp "$secret_file" "$tmp_secret_file" 2>/dev/null && rm -f "$tmp_secret_file" + } + + [ -f "$tmp_config_file" ] && mv "$tmp_config_file" "$config_file" && set_replace_flag "$id" + [ -f "$tmp_secret_file" ] && mv "$tmp_secret_file" "$secret_file" && set_replace_flag "$id" + + unset ike_proposal phase2alg_proposal +} + +generate_daemon_config() { + local tmp_config_file="/tmp/setup.conf" + + config_get_bool debug globals debug 0 + [ "$debug" = "0" ] && debug=none || debug=all + config_get_bool uniqueids globals uniqueids 0 + [ "$uniqueids" = "0" ] && uniqueids=no || uniqueids=yes + config_get listen globals listen + config_get listen_interface globals listen_interface + [ -n "$listen_interface" ] && network_get_ipaddr listen "$listen_interface" + 
config_get virtual_private globals virtual_private + [ -z "$virtual_private" ] && virtual_private='10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 25.0.0.0/8 100.64.0.0/10 !100.64.0.0/24' + config_get nflog_all globals nflog_all 0 + [ "$nflog_all" = "0" ] && unset nflog_all + + [ ! -d $IPSEC_DIR ] && mkdir -p $IPSEC_DIR + [ ! -d $IPSEC_CONF_DIR ] && mkdir -p $IPSEC_CONF_DIR + + cat << EOF > "$tmp_config_file" +config setup + ${debug:+plutodebug=${debug}} + ${uniqueids:+uniqueids=${uniqueids}} + ${listen:+listen=${listen}} + ${virtual_private:+virtual-private=%v4:${virtual_private// /,%v4:}} + ${nflog_all:+nflog-all=${nflog_all}} +EOF + + if ! cmp "$IPSEC_CONF" "$tmp_config_file" 2>/dev/null; then + mv "$tmp_config_file" "$IPSEC_CONF" + set_restart_flag 1 + else + rm -f "$tmp_config_file" + fi + + return 0 +} + +clean_config() { + rm -f $IPSEC_CONF_DIR/*.conf $IPSEC_CONF_DIR/*.secret +} + +config_cb() { + local var="CONFIG_${1}_SECTIONS" + export $var + append "$var" "$2" +} + +generate_config() { + config_load libreswan + generate_daemon_config + config_foreach generate_tunnel_config tunnel +} + +regenerate_config() { + clean_config + generate_config +} + +active_conns() { + local active_conns file _file + + active_conns=$(${IPSEC_BIN} --trafficstatus | awk -F'[":/]' '{print $3}' | sort -u) + + for file in $IPSEC_CONF_DIR/*.conf; do + _file="${file##*/}" + list_contains active_conns "${_file%%.*}" || append active_conns "${_file%%.*}" + done + + echo "$active_conns" +} + +start_service() { + generate_config + checkconfig || return 1 + + ${IPSEC_BIN} _stackmanager start + + procd_open_instance + procd_set_param command $PROG --nofork + procd_set_param respawn + procd_close_instance +} + +stop_service() { + ${IPSEC_BIN} whack --shutdown + ${IPSEC_BIN} _stackmanager stop +} + +stop_tunnel() { + ${IPSEC_AUTO} --delete "$1" > /dev/null 2>&1 + rm -f ${IPSEC_CONF_DIR}/$1.* +} + +start_tunnel() { + generate_tunnel_config "$1" + ${IPSEC_AUTO} --add "$1" > /dev/null 2>&1 + 
${IPSEC_AUTO} --rereadsecrets + ${IPSEC_AUTO} --up "$1" > /dev/null 2>&1 & +} + +reload_tunnel() { + generate_tunnel_config "$1" + + replace_flag "$1" || return 0 + + ${IPSEC_AUTO} --rereadsecrets + ${IPSEC_AUTO} --replace "$1" > /dev/null 2>&1 + ${IPSEC_AUTO} --up "$1" > /dev/null 2>&1 & +} + +reload_service() { + local active_tunnels uci_tunnels + uci_tunnels="$@" + + config_load libreswan + generate_daemon_config + + if restart_flag; then + restart + return 0 + fi + + [ -z "$uci_tunnels" ] && config_get uci_tunnels tunnel SECTIONS + + active_tunnels="$(active_conns)" + + for tunnel in $active_tunnels; do + list_contains uci_tunnels "$tunnel" || stop_tunnel "$tunnel" + done + + for tunnel in $uci_tunnels; do + if list_contains active_tunnels "$tunnel"; then + reload_tunnel "$tunnel" + else + start_tunnel "$tunnel" + fi + done +} + +service_triggers() { + procd_add_reload_trigger 'libreswan' +} diff --git a/net/libreswan/files/etc/ipsec.conf b/net/libreswan/files/etc/ipsec.conf new file mode 100644 index 000000000..3b8f2dc3f --- /dev/null +++ b/net/libreswan/files/etc/ipsec.conf @@ -0,0 +1,3 @@ +include /var/run/ipsec/setup.conf +include /var/run/ipsec/conf.d/*.conf +include /etc/ipsec.d/*.conf diff --git a/net/libreswan/files/etc/ipsec.secrets b/net/libreswan/files/etc/ipsec.secrets new file mode 100644 index 000000000..68bbe9175 --- /dev/null +++ b/net/libreswan/files/etc/ipsec.secrets @@ -0,0 +1,2 @@ +include /var/run/ipsec/conf.d/*.secret +include /etc/ipsec.d/*.secrets diff --git a/net/libreswan/files/etc/libreswan_firewall.sh b/net/libreswan/files/etc/libreswan_firewall.sh new file mode 100755 index 000000000..94ba275f6 --- /dev/null +++ b/net/libreswan/files/etc/libreswan_firewall.sh 
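Review bot: `generate_tunnel_config` writes the pre-shared key to `/tmp/$id.secret` under whatever umask the caller has and then moves it into `$IPSEC_CONF_DIR`, so the PSK sits at a predictable path and keeps possibly world-readable permissions after the `mv`. I would create the temp files next to their destination and restrict the mode, e.g. `local tmp_secret_file="$IPSEC_CONF_DIR/.$id.secret.tmp"` and `(umask 077; printf '%s %s : PSK "%s"\n' "$leftid" "$rightid" "$psk" > "$tmp_secret_file")`. The secrets line is also written when `psk` is empty or `authby` is not `secret`, producing `PSK ""`; skipping the file in that case looks safer. `generate_daemon_config` uses a fixed `/tmp/setup.conf` in the same way.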
@@ -0,0 +1,90 @@
+#!/bin/sh
+
+FW4="$(command -v fw4)"
+[ -n "$FW4" ] && exit 0
+
+IPT_LEGACY="$(command -v iptables-legacy)"
+IPT="$(command -v iptables)"
+BIN="${IPT_LEGACY:-$IPT}"
+[ -z "$BIN" ] && exit 0
+
+LIBRESWAN_INPUT="libreswan_input"
+LIBRESWAN_FORWARD="libreswan_forward"
+LIBRESWAN_OUTPUT="libreswan_output"
+LIBRESWAN_NFLOG_INPUT="libreswan_nflog_input"
+LIBRESWAN_NFLOG_OUTPUT="libreswan_nflog_output"
+LIBRESWAN_POSTROUTING="libreswan_postrouting"
+
+FW_DIR="/tmp/libreswan/firewall.d"
+LIBRESWAN_RULES_FILE="$FW_DIR/libreswan.rules"
+
+flush_delete_chain() {
+ [ $# -lt 2 ] && return
+
+ $BIN -t $1 -nL $2 > /dev/null 2>&1 || return
+
+ $BIN -t $1 -F $2
+ $BIN -t $1 -X $2
+}
+
+cleanup_libreswan_rules() {
+ $BIN -t filter -C input_rule -j $LIBRESWAN_INPUT > /dev/null 2>&1
+ [ $? -eq 0 ] && $BIN -t filter -D input_rule -j $LIBRESWAN_INPUT
+
+ $BIN -t filter -C output_rule -j $LIBRESWAN_OUTPUT > /dev/null 2>&1
+ [ $? -eq 0 ] && $BIN -t filter -D output_rule -j $LIBRESWAN_OUTPUT
+
+ $BIN -t filter -C forwarding_rule -j $LIBRESWAN_FORWARD > /dev/null 2>&1
+ [ $? -eq 0 ] && $BIN -t filter -D forwarding_rule -j $LIBRESWAN_FORWARD
+
+ $BIN -t nat -C postrouting_rule -j $LIBRESWAN_POSTROUTING > /dev/null 2>&1
+ [ $? -eq 0 ] && $BIN -t nat -D postrouting_rule -j $LIBRESWAN_POSTROUTING
+
+ flush_delete_chain filter $LIBRESWAN_NFLOG_INPUT
+ flush_delete_chain filter $LIBRESWAN_INPUT
+ flush_delete_chain filter $LIBRESWAN_FORWARD
+ flush_delete_chain filter $LIBRESWAN_NFLOG_OUTPUT
+ flush_delete_chain filter $LIBRESWAN_OUTPUT
+ flush_delete_chain filter $LIBRESWAN_NFLOG_INPUT
+ flush_delete_chain filter $LIBRESWAN_NFLOG_OUTPUT
+ flush_delete_chain nat $LIBRESWAN_POSTROUTING
+}
+
+create_chain_jump() {
+ [ $# -lt 3 ] && return
+
+ local table=$1
+ local chain=$2
+ local base_chain=$3
+
+ $BIN -t $table -N $chain
+ $BIN -t $table -C $base_chain -j $chain
+ [ $? -ne 0 ] && $BIN -t $table -I $base_chain -j $chain
+ $BIN -t $table -F $chain
+}
+
+if ! 
/etc/init.d/ipsec running; then
+ cleanup_libreswan_rules
+ exit 0
+fi
+
+eval $(ipsec addconn --configsetup)
+
+create_chain_jump filter "$LIBRESWAN_INPUT" "insert_rule"
+create_chain_jump filter "$LIBRESWAN_FORWARD" "forwarding_rule"
+create_chain_jump filter "$LIBRESWAN_OUTPUT" "output_rule"
+
+create_chain_jump filter "$LIBRESWAN_NFLOG_INPUT" "$LIBRESWAN_INPUT"
+create_chain_jump filter "$LIBRESWAN_NFLOG_OUTPUT" "$LIBRESWAN_OUTPUT"
+
+create_chain_jump nat "$LIBRESWAN_POSTROUTING" "postrouting_rule"
+
+[ ! -f $LIBRESWAN_RULES_FILE ] && exit 0
+
+if [ -n "$nflog_all" ]; then
+ sed -i -e '/NFLOG/d' "$LIBRESWAN_RULES_FILE"
+ $BIN -t filter -I $LIBRESWAN_NFLOG_INPUT -m policy --dir in --pol ipsec -j NFLOG --nflog-group ${nflog_all} --nflog-prefix all-ipsec
+ $BIN -t filter -I $LIBRESWAN_NFLOG_OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group ${nflog_all} --nflog-prefix all-ipsec
+fi
+
+sh $LIBRESWAN_RULES_FILE
diff --git a/net/libreswan/files/etc/uci-defaults/091-libreswan b/net/libreswan/files/etc/uci-defaults/091-libreswan
new file mode 100644
index 000000000..91a16e1b3
--- /dev/null
+++ b/net/libreswan/files/etc/uci-defaults/091-libreswan
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+uci_add firewall include libreswan
+uci_set firewall libreswan path '/etc/libreswan_firewall.sh'
+uci_set firewall libreswan reload 1
+uci_commit firewall
diff --git a/net/libreswan/files/ipsec.conf b/net/libreswan/files/ipsec.conf
deleted file mode 100644
index 8b7493b86..000000000
--- a/net/libreswan/files/ipsec.conf
+++ /dev/null
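Review bot: `create_chain_jump filter "$LIBRESWAN_INPUT" "insert_rule"` names a base chain that nothing else in this script uses, whereas `cleanup_libreswan_rules` removes the jump from `input_rule`. This looks like a typo that would leave the `libreswan_input` ACCEPT rules unreachable; it should read `create_chain_jump filter "$LIBRESWAN_INPUT" "input_rule"`. Separately, `sh $LIBRESWAN_RULES_FILE` executes as shell a file assembled under `/tmp/libreswan/firewall.d`, so it is worth quoting the path here and creating that directory with a restrictive mode in the hotplug script, with a comment stating that only root may write there. `eval $(ipsec addconn --configsetup)` should be quoted as `eval "$(ipsec addconn --configsetup)"`.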
@@ -1,25 +0,0 @@ -config setup - # needed when using PSK only. Not needed for X.509 based servers - uniqueids=no - virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v4:!100.64.0.0/24 - -conn ikev1 - authby=secret - pfs=no - auto=add - rekey=no - left=%defaultroute - right=%any - ikev2=never - type=transport - leftprotoport=17/1701 - rightprotoport=17/%any - dpddelay=15 - dpdtimeout=30 - dpdaction=clear - -conn ikev1-nat - also=ikev1 - rightsubnet=vhost:%priv - -# include /etc/ipsec.d/*.conf diff --git a/net/libreswan/files/ipsec.init b/net/libreswan/files/ipsec.init deleted file mode 100755 index f33d41292..000000000 --- a/net/libreswan/files/ipsec.init +++ /dev/null @@ -1,36 +0,0 @@ -#!/bin/sh /etc/rc.common - -START=90 -STOP=10 - -USE_PROCD=1 -PROG="/usr/libexec/ipsec/pluto" -IPSEC_SECRETS=/etc/ipsec.secrets -IPSEC_CONF=/etc/ipsec.conf -IPSEC_BIN=/usr/sbin/ipsec - -checkconfig() { - ${IPSEC_BIN} addconn --checkconfig || return 1 - mkdir -p /var/run/pluto -} - -start_service() { - checkconfig || return 1 - - ipsec _stackmanager start - # Enable nflog if configured - ipsec --checknflog > /dev/null - - procd_open_instance - procd_set_param command $PROG --config ${IPSEC_CONF} --nofork --secretsfile ${IPSEC_SECRETS} - procd_set_param respawn - procd_close_instance -} - -stop_service() { - ipsec whack --shutdown - ipsec _stackmanager stop - ipsec --stopnflog > /dev/null - -} - diff --git a/net/libreswan/files/ipsec.secrets b/net/libreswan/files/ipsec.secrets deleted file mode 100644 index 5ef87b09c..000000000 --- a/net/libreswan/files/ipsec.secrets +++ /dev/null 
@@ -1,10 +0,0 @@ -# Unlike older openswan, this file does NOT contain any X.509 related -# information such as private key :RSA statements as these now reside -# in the NSS database. See: -# -# https://libreswan.org/wiki/Using_NSS_with_libreswan -# https://libreswan.org/wiki/Migrating_from_Openswan - -# A.B.C.D %any : PSK "SsEeCcRrEeTt" -: PSK "SsEeCcRrEeTt" -# include /etc/ipsec.d/*.secrets diff --git a/net/libreswan/files/usr/libexec/ipsec/_updown.xfrm b/net/libreswan/files/usr/libexec/ipsec/_updown.xfrm new file mode 100644 index 000000000..58b51ba28 --- /dev/null +++ b/net/libreswan/files/usr/libexec/ipsec/_updown.xfrm @@ -0,0 +1,3 @@ +#!/bin/sh + +/sbin/hotplug-call libreswan diff --git a/net/libreswan/files/usr/libexec/rpcd/libreswan b/net/libreswan/files/usr/libexec/rpcd/libreswan new file mode 100644 index 000000000..cf251f0c6 --- /dev/null +++ b/net/libreswan/files/usr/libexec/rpcd/libreswan 
@@ -0,0 +1,183 @@ +#!/bin/sh + +. /lib/functions.sh +. /usr/share/libubox/jshn.sh + +RPC_SCRIPTS=/usr/libexec/libreswan/rpc + +[ -d $RPC_SCRIPTS ] && include $RPC_SCRIPTS + +IPSEC_TRAFFIC_STATES="/tmp/ipsec_traffic.$$" +IPSEC_TUNNEL_STATUS="/tmp/ipsec_status.$$" + +__function__() { + type "$1" > /dev/null 2>&1 +} + +foreach_extra() { + local file obj + + [ ! -d $RPC_SCRIPTS ] && return + + for file in $RPC_SCRIPTS/*; do + obj="${file##*/}" + $1 "${obj%%.*}" + done +} + +get_index() { + [ $# -lt 2 ] && return 1 + + local var=$1 + local str=$2 + local ele + local i=1 + + eval "val=\"\${$var}\"" + + for ele in ${val}; do + if [[ "$ele" = "$str" ]]; then + echo "$i" + return 0 + fi + i="$((i+1))" + done + + return 1 +} + +phase1_established() { + grep -q "\"${1%/*}\/.*(IKE SA established)\|\"${1%/*}\/.*(established IKE SA)" "$IPSEC_TUNNEL_STATUS" +} + +phase2_established() { + grep -q "\"$1\".*(IPsec SA established)\|\"$1\".*(established Child SA)" "$IPSEC_TUNNEL_STATUS" +} + +add_tunnel_object() { + local id="$1" + local leftsubnets rightsubnets right ctime active_right + local phase1=0 phase2=0 add_time inBytes outBytes + + config_get right "$id" right + config_get leftsubnets "$id" leftsubnets + config_get rightsubnets "$id" rightsubnets + + if [ -z "$right" ] || [ "$right" = "%any" ] || [ "$right" == "0.0.0.0" ]; then + active_right=$(awk -F'[: ]' '{ if ( $4 ~ "'"$id/"'") {print $5; exit 0};}' "$IPSEC_TUNNEL_STATUS") + fi + + for lsubnet in $leftsubnets; do + lidx=$(get_index leftsubnets $lsubnet) + for rsubnet in $rightsubnets; do + ridx=$(get_index rightsubnets $rsubnet) + tid="${id}/${lidx}x${ridx}" + + eval $(awk -F, '{if ($1 ~ "'"$tid"'" ) {printf("%s %s %s", $3, $4, $5)};}' "$IPSEC_TRAFFIC_STATES") + json_add_object tunnels + json_add_string name "$id" + json_add_string right "$right${active_right:+ (${active_right})}" + json_add_string leftsubnet "$lsubnet" + json_add_string rightsubnet "$rsubnet" + json_add_int tx "$outBytes" + json_add_int rx "$inBytes" + 
+ phase1_established "$tid" && phase1=1 + phase2_established "$tid" && phase2=1 + + json_add_boolean phase1 "$phase1" + json_add_boolean phase2 "$phase2" + + if [ "$phase1" = "1" ] && [ "$phase2" = "1" ]; then + ctime="$(date +%s)" + json_add_boolean connected 1 + json_add_int uptime "$((ctime - add_time))" + else + json_add_boolean connected 0 + json_add_int uptime 0 + fi + + json_close_object + done + done +} + +generate_libreswan_states() { + ipsec trafficstatus > "$IPSEC_TRAFFIC_STATES" + ipsec status > "$IPSEC_TUNNEL_STATUS" +} + +clean_libreswan_states() { + return + rm -f "$IPSEC_TRAFFIC_STATES" "$IPSEC_TUNNEL_STATUS" +} + +libreswan_status() { + config_load libreswan + + generate_libreswan_states + + json_init + json_add_array tunnels + config_foreach add_tunnel_object tunnel + json_close_array + json_dump + + clean_libreswan_states +} + +call_extra() { + if __function__ "$1"; then + $1 + else + json_init + json_add_string error "invalid call $1" + json_dump + fi +} + +call_method() { + case "$1" in + status) + libreswan_status + ;; + *) + call_extra $1 + ;; + esac +} + +list_extra() { + if __function__ "${1}_help"; then + ${1}_help + else + json_add_object "$1" + json_close_object + fi +} + +list_methods() { + local file + + json_init + + json_add_object status + json_close_object + + foreach_extra list_extra ${1} + + json_dump +} + +main () { + case "$1" in + list) + list_methods + ;; + call) + call_method $2 + ;; + esac +} + +main "$@" diff --git a/net/libreswan/files/usr/share/nftables.d/chain-pre/forward/001-libreswan.nft b/net/libreswan/files/usr/share/nftables.d/chain-pre/forward/001-libreswan.nft new file mode 100644 index 000000000..7861a913d --- /dev/null +++ b/net/libreswan/files/usr/share/nftables.d/chain-pre/forward/001-libreswan.nft @@ -0,0 +1 @@ +jump libreswan_forward 
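Review bot: `clean_libreswan_states` returns before its `rm -f`, so every `status` call leaves `/tmp/ipsec_traffic.$$` and `/tmp/ipsec_status.$$` behind on tmpfs; drop the bare `return`, which reads like a debugging leftover. The names are predictable, so `IPSEC_TRAFFIC_STATES="$(mktemp)"` would be safer if `mktemp` is available on the target. In `add_tunnel_object`, `eval $(awk … printf("%s %s %s", $3, $4, $5) …)` executes whatever text lands in the third to fifth comma-separated fields of `ipsec trafficstatus`. If any of those fields can carry peer-influenced text, that text is shell input, so I would extract `add_time`, `inBytes` and `outBytes` by name and accept digits only before assigning them.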
diff --git a/net/libreswan/files/usr/share/nftables.d/chain-pre/input/001-libreswan.nft b/net/libreswan/files/usr/share/nftables.d/chain-pre/input/001-libreswan.nft new file mode 100644 index 000000000..665930953 --- /dev/null +++ b/net/libreswan/files/usr/share/nftables.d/chain-pre/input/001-libreswan.nft @@ -0,0 +1,2 @@ +jump libreswan_nflog_input +jump libreswan_input diff --git a/net/libreswan/files/usr/share/nftables.d/chain-pre/output/001-libreswan.nft b/net/libreswan/files/usr/share/nftables.d/chain-pre/output/001-libreswan.nft new file mode 100644 index 000000000..825666ade --- /dev/null +++ b/net/libreswan/files/usr/share/nftables.d/chain-pre/output/001-libreswan.nft @@ -0,0 +1,2 @@ +jump libreswan_nflog_output +jump libreswan_output diff --git a/net/libreswan/files/usr/share/nftables.d/chain-pre/srcnat/001-libreswan.nft b/net/libreswan/files/usr/share/nftables.d/chain-pre/srcnat/001-libreswan.nft new file mode 100644 index 000000000..4c9fbecf5 --- /dev/null +++ b/net/libreswan/files/usr/share/nftables.d/chain-pre/srcnat/001-libreswan.nft @@ -0,0 +1 @@ +jump libreswan_srcnat diff --git a/net/libreswan/files/usr/share/nftables.d/table-post/001-libreswan.nft b/net/libreswan/files/usr/share/nftables.d/table-post/001-libreswan.nft new file mode 100644 index 000000000..0e00ea0b0 --- /dev/null +++ b/net/libreswan/files/usr/share/nftables.d/table-post/001-libreswan.nft @@ -0,0 +1,6 @@ +chain libreswan_input {} +chain libreswan_nflog_input {} +chain libreswan_forward {} +chain libreswan_output {} +chain libreswan_nflog_output {} +chain libreswan_srcnat {} diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile index e04350b7f..82b947173 100644 --- a/net/lighttpd/Makefile +++ b/net/lighttpd/Makefile 
@@ -8,16 +8,16 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lighttpd -PKG_VERSION:=1.4.72 +PKG_VERSION:=1.4.73 PKG_RELEASE:=1 # release candidate ~rcX testing; remove for release #PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://download.lighttpd.net/lighttpd/releases-1.4.x -PKG_HASH:=f7cade4d69b754a0748c01463c33cd8b456ca9cc03bb09e85a71bcbcd54e55ec +PKG_HASH:=818816d0b314b0aa8728a7076513435f6d5eb227f3b61323468e1f10dbe84ca8 -PKG_MAINTAINER:=W. Michael Petullo +PKG_MAINTAINER:=Glenn Strauss PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=COPYING PKG_CPE_ID:=cpe:/a:lighttpd:lighttpd diff --git a/net/modemmanager/Makefile b/net/modemmanager/Makefile index 82216ae4c..e484b7fbd 100644 --- a/net/modemmanager/Makefile +++ b/net/modemmanager/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=modemmanager PKG_SOURCE_VERSION:=1.22.0 -PKG_RELEASE:=3 +PKG_RELEASE:=5 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/ModemManager.git diff --git a/net/modemmanager/files/modemmanager.common b/net/modemmanager/files/modemmanager.common index d157cebf8..2ba2036ce 100644 --- a/net/modemmanager/files/modemmanager.common +++ b/net/modemmanager/files/modemmanager.common 
@@ -235,24 +235,20 @@ mm_report_modem_wait() { # Cleanup interfaces mm_cleanup_interfaces() { - local modemlist modemlength idx modeminfo modemsysfspath + local sysfs_path status - modemlist=$(mmcli --list-modems --output-keyvalue) - [ -n "${modemlist}" ] || return 0 + # Do nothing if there is no sysfs cache + [ -f "${MODEMMANAGER_SYSFS_CACHE}" ] || return - modemlength=$(modemmanager_get_field "${modemlist}" "modem-list.length") + while IFS= read -r sysfs_cache_line; do + sysfs_path=$(echo "${sysfs_cache_line}" | awk '{print $1}') + status=$(echo "${sysfs_cache_line}" | awk '{print $2}') - # do nothing if no modem reported - [ -n "${modemlength}" ] && [ "${modemlength}" -ge 1 ] && { - idx=1 - while [ $idx -le "$modemlength" ]; do - modempath=$(modemmanager_get_field "${modemlist}" "modem-list.value\[$idx\]") - modeminfo=$(mmcli --modem "${modempath}" --output-keyvalue) - modemsysfspath=$(modemmanager_get_field "${modeminfo}" "modem.generic.device") - mm_cleanup_interface_by_sysfspath "${modemsysfspath}" - idx=$((idx + 1)) - done - } + if [ "${status}" = "processed" ]; then + mm_log "debug" "call cleanup for: ${sysfs_path}" + mm_cleanup_interface_by_sysfspath "${sysfs_path}" + fi + done < ${MODEMMANAGER_SYSFS_CACHE} } mm_cleanup_interface_by_sysfspath() { diff --git a/net/modemmanager/files/modemmanager.init b/net/modemmanager/files/modemmanager.init index 7f014dc56..a036d884d 100755 --- a/net/modemmanager/files/modemmanager.init +++ b/net/modemmanager/files/modemmanager.init @@ -6,13 +6,6 @@ START=70 LOG_LEVEL="INFO" -stop_service() { - # Load common utils - . /usr/share/ModemManager/modemmanager.common - # Set all configured interfaces as unavailable - mm_cleanup_interfaces -} - start_service() { # Setup ModemManager service # diff --git a/net/modemmanager/files/usr/sbin/ModemManager-wrapper b/net/modemmanager/files/usr/sbin/ModemManager-wrapper index 4fd64227f..97c2a826d 100644 --- a/net/modemmanager/files/usr/sbin/ModemManager-wrapper 
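Review bot: In mm_cleanup_interfaces the guard `[ -f "${MODEMMANAGER_SYSFS_CACHE}" ] || return` uses a bare `return`, which hands back the status of the failed test, so a missing cache now reports failure where the old code used `return 0`; `|| return 0` keeps the old contract. The redirection `done < ${MODEMMANAGER_SYSFS_CACHE}` is unquoted and `sysfs_cache_line` is missing from the `local` list, so I would write `done < "${MODEMMANAGER_SYSFS_CACHE}"` and `local sysfs_path status sysfs_cache_line`. The two `echo | awk` calls per line could be replaced by `while read -r sysfs_path status _; do`, which splits the fields without spawning extra processes.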
+++ b/net/modemmanager/files/usr/sbin/ModemManager-wrapper @@ -20,7 +20,6 @@ main() { mkdir -p "${MODEMMANAGER_RUNDIR}" chmod 0755 "${MODEMMANAGER_RUNDIR}" - mm_cleanup_interfaces /usr/sbin/ModemManager "$@" 1>/dev/null 2>/dev/null & CHILD="$!" @@ -28,6 +27,9 @@ main() { mm_report_events_from_cache wait "$CHILD" + + # Set all configured interfaces as unavailable + mm_cleanup_interfaces } main "$@" diff --git a/net/sing-box/Makefile b/net/sing-box/Makefile index 5a4588f1e..229dc2e67 100644 --- a/net/sing-box/Makefile +++ b/net/sing-box/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=sing-box -PKG_VERSION:=1.5.4 +PKG_VERSION:=1.6.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/SagerNet/sing-box/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=3238492e21246b56ef80e99f321c26ffaf9ac8877c916dce85273b61031c58b7 +PKG_HASH:=3272c9ac447d009749429f38d76e9879609c0c321442c3235ba806d995c0838a PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE_FILES:=LICENSE @@ -35,7 +35,7 @@ endef define Package/sing-box/description Sing-box is a universal proxy platform which supports hysteria, SOCKS, Shadowsocks, - ShadowsocksR, ShadowTLS, Tor, trojan, VLess, VMess, WireGuard and so on. + ShadowTLS, Tor, trojan, VLess, VMess, WireGuard and so on. endef define Package/sing-box/config @@ -77,11 +77,6 @@ define Package/sing-box/config bool "Build with reality TLS server support, see TLS." default y - config SINGBOX_WITH_SHADOWSOCKSR - bool "Build with ShadowsocksR support" - help - It will be marked deprecated in 1.5.0 and removed entirely in 1.6.0. - config SINGBOX_WITH_UTLS bool "Build with uTLS support for TLS outbound" default y @@ -106,7 +101,6 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_SINGBOX_WITH_LWIP \ CONFIG_SINGBOX_WITH_QUIC \ CONFIG_SINGBOX_WITH_REALITY_SERVER \ - CONFIG_SINGBOX_WITH_SHADOWSOCKSR \ CONFIG_SINGBOX_WITH_UTLS \ CONFIG_SINGBOX_WITH_V2RAY_API \ CONFIG_SINGBOX_WITH_WIREGUARD 
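Review bot: With `mm_cleanup_interfaces` now the last command after `wait "$CHILD"`, main() and therefore the script exit with the cleanup's status, and the daemon's exit code is dropped. If the service supervisor relies on that code (not visible here), keep it: `wait "$CHILD"; rc=$?`, then `mm_cleanup_interfaces`, then `return "$rc"`. The cleanup also runs only when execution gets past `wait`. main() starts outside this hunk, so whether signal handling guarantees that on service stop cannot be checked here; it matters because the same commit removes `stop_service` from modemmanager.init.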
@@ -121,7 +115,6 @@ GO_PKG_TAGS:=$(subst $(space),$(comma),$(strip \ $(if $(CONFIG_SINGBOX_WITH_GVISOR),with_gvisor) \ $(if $(CONFIG_SINGBOX_WITH_LWIP),with_lwip) \ $(if $(CONFIG_SINGBOX_WITH_QUIC),with_quic) \ - $(if $(CONFIG_SINGBOX_WITH_SHADOWSOCKSR),with_shadowsocksr) \ $(if $(CONFIG_SINGBOX_WITH_REALITY_SERVER),with_reality_server) \ $(if $(CONFIG_SINGBOX_WITH_UTLS),with_utls) \ $(if $(CONFIG_SINGBOX_WITH_V2RAY_API),with_v2ray_api) \ diff --git a/net/tor/Makefile b/net/tor/Makefile index da2e47833..2a3c1f933 100644 --- a/net/tor/Makefile +++ b/net/tor/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tor -PKG_VERSION:=0.4.8.4 -PKG_RELEASE:=2 +PKG_VERSION:=0.4.8.7 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://dist.torproject.org/ \ https://archive.torproject.org/tor-package-archive -PKG_HASH:=09c1ce74a25fc3b48c81ff146cbd0dd538cbbb8fe4e2964fc2fb2b192f6a1d2b +PKG_HASH:=b20d2b9c74db28a00c07f090ee5b0241b2b684f3afdecccc6b8008931c557491 PKG_MAINTAINER:=Hauke Mehrtens \ Peter Wagner PKG_LICENSE_FILES:=LICENSE diff --git a/utils/dmidecode/Makefile b/utils/dmidecode/Makefile index ca6a04300..35a95114b 100644 --- a/utils/dmidecode/Makefile +++ b/utils/dmidecode/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dmidecode PKG_VERSION:=3.2 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=@SAVANNAH/$(PKG_NAME) @@ -26,7 +26,7 @@ include $(INCLUDE_DIR)/package.mk define Package/dmidecode SECTION:=utils CATEGORY:=Utilities - DEPENDS:=@(TARGET_x86||TARGET_x86_64) + DEPENDS:=@(TARGET_x86||TARGET_x86_64||TARGET_armsr_armv8) TITLE:=Displays BIOS informations. URL:=https://www.nongnu.org/dmidecode/ endef diff --git a/utils/efibootmgr/Makefile b/utils/efibootmgr/Makefile index fc53f8729..1463a6c82 100644 --- a/utils/efibootmgr/Makefile +++ b/utils/efibootmgr/Makefile 
@@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=efibootmgr PKG_VERSION:=18 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/rhboot/efibootmgr.git @@ -23,7 +23,7 @@ define Package/efibootmgr SECTION:=utils CATEGORY:=Utilities TITLE:=Application to modify the EFI Boot Manager - DEPENDS:=@TARGET_x86_64 +efivar +libpopt + DEPENDS:=@(TARGET_x86_64||TARGET_armsr_armv8) +efivar +libpopt URL:=https://github.com/rhboot/efibootmgr endef diff --git a/utils/qemu/Makefile b/utils/qemu/Makefile index 4f99c320d..5e9851b06 100644 --- a/utils/qemu/Makefile +++ b/utils/qemu/Makefile @@ -9,10 +9,10 @@ include $(TOPDIR)/rules.mk PKG_NAME:=qemu -PKG_VERSION:=8.0.2 +PKG_VERSION:=8.1.2 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_HASH:=f060abd435fbe6794125e2c398568ffc3cfa540042596907a8b18edca34cf6a5 +PKG_HASH:=541526a764576eb494d2ff5ec46aeb253e62ea29035d1c23c0a8af4e6cd4f087 PKG_SOURCE_URL:=http://download.qemu.org/ PKG_LICENSE:=GPL-2.0-only PKG_LICENSE_FILES:=LICENSE tcg/LICENSE @@ -392,7 +392,7 @@ CONFIGURE_ARGS += \ --disable-docs \ --disable-fuse \ --disable-gcrypt \ - --with-git-submodules=ignore \ + --disable-download \ --disable-glusterfs \ --disable-gnutls \ --disable-guest-agent-msi \ diff --git a/utils/qemu/patches/0001-configure-allow-disable-fortify_source.patch b/utils/qemu/patches/0001-configure-allow-disable-fortify_source.patch index 434b3d15a..e893c1788 100644 --- a/utils/qemu/patches/0001-configure-allow-disable-fortify_source.patch +++ b/utils/qemu/patches/0001-configure-allow-disable-fortify_source.patch @@ -11,9 +11,9 @@ OpenWrt base build system decide flavor of fortify_source to use --- a/configure +++ b/configure -@@ -896,6 +896,8 @@ for opt do +@@ -823,6 +823,8 @@ for opt do ;; - --disable-vfio-user-server) vfio_user_server="disabled" + --gdb=*) gdb_bin="$optarg" ;; + --disable-fortify-source) fortify_source="no" + ;; 
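Review bot: In utils/qemu/Makefile the 8.1.2 tarball is still fetched from `PKG_SOURCE_URL:=http://download.qemu.org/`, so the transfer is unauthenticated and only the updated `PKG_HASH` protects the build from a modified archive. The hash check does catch tampering at build time, but whoever refreshes the hash on the next bump should also get the file over TLS; `PKG_SOURCE_URL:=https://download.qemu.org/` would do that. Checking the new hash against the upstream signature before merging is the step that makes the pin meaningful.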
diff --git a/utils/qemu/patches/0006-util-mmap-alloc-fix-missing-MAP_SYNC.patch b/utils/qemu/patches/0006-util-mmap-alloc-fix-missing-MAP_SYNC.patch index e09447bd1..f8bfa67c2 100644 --- a/utils/qemu/patches/0006-util-mmap-alloc-fix-missing-MAP_SYNC.patch +++ b/utils/qemu/patches/0006-util-mmap-alloc-fix-missing-MAP_SYNC.patch @@ -32,9 +32,9 @@ Signed-off-by: Yousong Zhou #endif /* CONFIG_LINUX */ #include "qemu/osdep.h" -@@ -29,6 +26,13 @@ - #include +@@ -57,6 +54,13 @@ QemuFsType qemu_fd_getfs(int fd) #endif + } +#ifndef MAP_SYNC +#define MAP_SYNC 0x0 diff --git a/utils/qemu/patches/0010-no-tests.patch b/utils/qemu/patches/0010-no-tests.patch index 9c36a3914..3df92e30d 100644 --- a/utils/qemu/patches/0010-no-tests.patch +++ b/utils/qemu/patches/0010-no-tests.patch @@ -1,6 +1,6 @@ --- a/meson.build +++ b/meson.build -@@ -3192,10 +3192,6 @@ subdir('common-user') +@@ -3451,10 +3451,6 @@ subdir('common-user') subdir('bsd-user') subdir('linux-user') @@ -11,7 +11,7 @@ # accel modules tcg_real_module_ss = ss.source_set() tcg_real_module_ss.add_all(when: 'CONFIG_TCG_MODULAR', if_true: tcg_module_ss) -@@ -3687,10 +3683,6 @@ subdir('scripts') +@@ -3945,10 +3941,6 @@ subdir('scripts') subdir('tools') subdir('pc-bios') subdir('docs') diff --git a/utils/restic/Makefile b/utils/restic/Makefile index d94a36c50..89963c085 100644 --- a/utils/restic/Makefile +++ b/utils/restic/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=restic -PKG_VERSION:=0.16.1 +PKG_VERSION:=0.16.2 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/restic/restic/tar.gz/v${PKG_VERSION}? -PKG_HASH:=31339090e3e8a044d014b9341c025cf59bf7bc133ae267bc5acdea5ac07837a9 +PKG_HASH:=88165b5b89b6064df37a9964d660f40ac62db51d6536e459db9aaea6f2b2fc11 PKG_LICENSE:=BSD-2-Clause PKG_LICENSE_FILES:=LICENSE