From 548fdba3fdc832fca85f953ca78ddf322efb016d Mon Sep 17 00:00:00 2001 From: Jeffery To Date: Thu, 26 Oct 2023 20:16:42 +0800 Subject: [PATCH 01/40] python-pip: Update to 23.3.1, redo/refresh patches 001-pyproject-hooks-pyc-fix.patch and 002-pip-runner-pyc-fix.patch are redone to use source files if they are present. Signed-off-by: Jeffery To --- lang/python/python-pip/Makefile | 4 ++-- .../patches/001-pyproject-hooks-pyc-fix.patch | 12 +++++++++--- .../python-pip/patches/002-pip-runner-pyc-fix.patch | 8 ++++++-- .../patches/003-disable-pip-version-check.patch | 2 +- 4 files changed, 18 insertions(+), 8 deletions(-) diff --git a/lang/python/python-pip/Makefile b/lang/python/python-pip/Makefile index c21d2bdff..c41b27ca4 100644 --- a/lang/python/python-pip/Makefile +++ b/lang/python/python-pip/Makefile @@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-pip -PKG_VERSION:=23.2.1 +PKG_VERSION:=23.3.1 PKG_RELEASE:=1 PYPI_NAME:=pip -PKG_HASH:=fb0bd5435b3200c602b5bf61d2d43c2f13c02e29c1707567ae7fbc514eb9faf2 +PKG_HASH:=1fcaa041308d01f14575f6d0d2ea4b75a3e2871fe4f9c694976f908768e14174 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE.txt diff --git a/lang/python/python-pip/patches/001-pyproject-hooks-pyc-fix.patch b/lang/python/python-pip/patches/001-pyproject-hooks-pyc-fix.patch index 27681c1af..e9eafab96 100644 --- a/lang/python/python-pip/patches/001-pyproject-hooks-pyc-fix.patch +++ b/lang/python/python-pip/patches/001-pyproject-hooks-pyc-fix.patch @@ -1,13 +1,19 @@ --- a/src/pip/_vendor/pyproject_hooks/_in_process/__init__.py 
+++ b/src/pip/_vendor/pyproject_hooks/_in_process/__init__.py -@@ -11,8 +11,8 @@ try: +@@ -11,8 +11,14 @@ try: except AttributeError: # Python 3.8 compatibility def _in_proc_script_path(): - return resources.path(__package__, '_in_process.py') -+ return resources.path(__package__, '_in_process.pyc') ++ filename = '_in_process.pyc' ++ if resources.is_resource(__package__, '_in_process.py'): ++ filename = '_in_process.py' ++ return resources.path(__package__, filename) else: def _in_proc_script_path(): ++ filename = '_in_process.pyc' ++ if resources.files(__package__).joinpath('_in_process.py').is_file(): ++ filename = '_in_process.py' return resources.as_file( - resources.files(__package__).joinpath('_in_process.py')) -+ resources.files(__package__).joinpath('_in_process.pyc')) ++ resources.files(__package__).joinpath(filename)) diff --git a/lang/python/python-pip/patches/002-pip-runner-pyc-fix.patch b/lang/python/python-pip/patches/002-pip-runner-pyc-fix.patch index 4616fe065..8f68049a8 100644 --- a/lang/python/python-pip/patches/002-pip-runner-pyc-fix.patch +++ b/lang/python/python-pip/patches/002-pip-runner-pyc-fix.patch @@ -1,11 +1,15 @@ --- a/src/pip/_internal/build_env.py +++ b/src/pip/_internal/build_env.py -@@ -54,7 +54,7 @@ def get_runnable_pip() -> str: +@@ -54,7 +54,11 @@ def get_runnable_pip() -> str: # case, we can use that directly. return str(source) - return os.fsdecode(source / "__pip-runner__.py") -+ return os.fsdecode(source / "__pip-runner__.pyc") ++ filename = "__pip-runner__.pyc" ++ py = source / "__pip-runner__.py" ++ if py.is_file(): ++ filename = "__pip-runner__.py" ++ return os.fsdecode(source / filename) def _get_system_sitepackages() -> Set[str]: diff --git a/lang/python/python-pip/patches/003-disable-pip-version-check.patch b/lang/python/python-pip/patches/003-disable-pip-version-check.patch index 87a8178a7..99a0258aa 100644 --- a/lang/python/python-pip/patches/003-disable-pip-version-check.patch 
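Review bot: The `.py`-else-`.pyc` selection is now written three times, in both `_in_proc_script_path()` variants of 001-pyproject-hooks-pyc-fix.patch and in `get_runnable_pip()` of 002-pip-runner-pyc-fix.patch, and none of them says why it exists. A one-line comment at each site, e.g. `# OpenWrt may install bytecode only; prefer the source file when it is present`, would help whoever refreshes these patches for the next pip release. In the `else:` branch the traversable can be computed once, `pkg = resources.files(__package__)`, and reused for both the `is_file()` test and the `as_file()` call. The `.pyc` name is also an unchecked fallback, so if neither file is installed the failure only surfaces later, when the returned path is executed.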
+++ b/lang/python/python-pip/patches/003-disable-pip-version-check.patch @@ -9,7 +9,7 @@ Patch-Name: disable-pip-version-check.patch --- a/src/pip/_internal/cli/cmdoptions.py +++ b/src/pip/_internal/cli/cmdoptions.py -@@ -892,7 +892,7 @@ disable_pip_version_check: Callable[..., +@@ -895,7 +895,7 @@ disable_pip_version_check: Callable[..., "--disable-pip-version-check", dest="disable_pip_version_check", action="store_true", From 5cb304e2b3484691b9f60a3a47a707dfcf5fa34b Mon Sep 17 00:00:00 2001 From: Rui Salvaterra Date: Sun, 3 Sep 2023 18:22:55 +0100 Subject: [PATCH 02/40] tor: update to 0.4.8.7 stable Bugfix release, see the changelog [1] for what's new. [1] https://gitlab.torproject.org/tpo/core/tor/-/raw/tor-0.4.8.7/ChangeLog Signed-off-by: Rui Salvaterra --- net/tor/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/tor/Makefile b/net/tor/Makefile index da2e47833..2a3c1f933 100644 --- a/net/tor/Makefile +++ b/net/tor/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tor -PKG_VERSION:=0.4.8.4 -PKG_RELEASE:=2 +PKG_VERSION:=0.4.8.7 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://dist.torproject.org/ \ https://archive.torproject.org/tor-package-archive -PKG_HASH:=09c1ce74a25fc3b48c81ff146cbd0dd538cbbb8fe4e2964fc2fb2b192f6a1d2b +PKG_HASH:=b20d2b9c74db28a00c07f090ee5b0241b2b684f3afdecccc6b8008931c557491 PKG_MAINTAINER:=Hauke Mehrtens \ Peter Wagner PKG_LICENSE_FILES:=LICENSE From 12a05ec2828f36795154a7e500c35b4be9af76ec Mon Sep 17 00:00:00 2001 From: Michael Heimpold Date: Sat, 28 Oct 2023 11:33:14 +0200 Subject: [PATCH 03/40] php8-pecl-xdebug: update to 3.2.2 Signed-off-by: Michael Heimpold --- lang/php8-pecl-xdebug/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lang/php8-pecl-xdebug/Makefile b/lang/php8-pecl-xdebug/Makefile index d2a85f26c..3c62f6561 100644 --- a/lang/php8-pecl-xdebug/Makefile +++ b/lang/php8-pecl-xdebug/Makefile 
@@ -8,9 +8,9 @@ include $(TOPDIR)/rules.mk PECL_NAME:=xdebug PECL_LONGNAME:=Xdebug extension -PKG_VERSION:=3.2.1 +PKG_VERSION:=3.2.2 PKG_RELEASE:=1 -PKG_HASH:=ef4cb3c228192798874e4530cccceee76840cc80821909740088a1e1a8f00445 +PKG_HASH:=f48777371f90cbb315ea4ea082a1ede6765bcfb35d7d6356ab8f71fd6dfcc157 PKG_NAME:=php8-pecl-xdebug PKG_SOURCE:=$(PECL_NAME)-$(PKG_VERSION).tgz From 252b4faf001401d984f0bde48a4f1d3f297ce48a Mon Sep 17 00:00:00 2001 From: Michael Heimpold Date: Sat, 28 Oct 2023 11:34:56 +0200 Subject: [PATCH 04/40] php8-pecl-redis: update to 6.0.2 Signed-off-by: Michael Heimpold --- lang/php8-pecl-redis/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lang/php8-pecl-redis/Makefile b/lang/php8-pecl-redis/Makefile index 0a53121c9..88ed4d60f 100644 --- a/lang/php8-pecl-redis/Makefile +++ b/lang/php8-pecl-redis/Makefile @@ -8,9 +8,9 @@ include $(TOPDIR)/rules.mk PECL_NAME:=redis PECL_LONGNAME:=PHP extension for interfacing with Redis -PKG_VERSION:=6.0.1 +PKG_VERSION:=6.0.2 PKG_RELEASE:=1 -PKG_HASH:=d39136e0ef9495f8e775ef7349a97658fb41c526d12d8e517f56274f149e1e4e +PKG_HASH:=01aeccb0e14f897fe56f0509be6e6991ff0ad459f9d34e95e4556d02699b9a03 PKG_NAME:=php8-pecl-redis PKG_SOURCE:=$(PECL_NAME)-$(PKG_VERSION).tgz From 83d5a0851595deeb2a112ece9149aefa45fb6283 Mon Sep 17 00:00:00 2001 From: Jochen Dolze Date: Wed, 25 Oct 2023 16:58:12 +0000 Subject: [PATCH 05/40] apinger: fixed bugs in apinger.init and apinger.rpc Fix bug in init_apinger_config - debug/status_interval/rrd_interval were never set correctly Fix bug in apinger_status - send and receive were swapped Fix bug in apinger_status - added ability to use ipv6 on wan6 Signed-off-by: Jochen Dolze --- net/apinger/Makefile | 2 +- net/apinger/files/apinger.init | 21 +++++++++++++-------- net/apinger/files/apinger.rpc | 2 +- 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/net/apinger/Makefile b/net/apinger/Makefile index b2f537275..244df9684 100644 --- a/net/apinger/Makefile 
+++ b/net/apinger/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=apinger PKG_SOURCE_DATE:=2015-04-09 PKG_SOURCE_VERSION:=78eb328721ba1a10571c19df95acddcb5f0c17c8 -PKG_RELEASE:=5 +PKG_RELEASE:=6 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/Jajcus/apinger diff --git a/net/apinger/files/apinger.init b/net/apinger/files/apinger.init index 7a287c03b..745ba6b63 100644 --- a/net/apinger/files/apinger.init +++ b/net/apinger/files/apinger.init @@ -54,10 +54,15 @@ append_target() { config_get_bool rrd "$target" rrd 0 [ -z "$address" ] && return 0 - - srcip=$(uci_get network "$interface" ipaddr) - [ -z "$srcip" ] && network_get_ipaddr srcip "$interface" - srcip="${srcip:-0.0.0.0}" + if [ -z $(echo "$address"|sed "/:/d") ]; then + srcip=$(uci_get network "$interface" ip6addr) + [ -z "$srcip"] && network_get_ipaddr6 srcip "$interface" + srcip="${srcip:-::}" + else + srcip=$(uci_get network "$interface" ipaddr) + [ -z "$srcip"] && network_get_ipaddr srcip "$interface" + srcip="${srcip:-0.0.0.0}" + fi alarms=${alarm_down:+\"${alarm_down}\"} alarms=${alarm_delay:+${alarms:+${alarms}, }}${alarm_delay:+\"${alarm_delay}\"} @@ -115,7 +120,7 @@ append_alarm_loss() { local percent_low percent_high config_get percent_low "$alarm" percent_low - config_get percent_high "$alarm" percent_low + config_get percent_high "$alarm" percent_high if [ -z "$percent_low" ] || [ -z "$percent_high" ]; then return @@ -132,9 +137,9 @@ init_apinger_config() { local debug status_interval rrd_interval instance instance=$1 - config_get_bool debug apinger debug 0 - config_get status_interval apinger status_interval 1 - config_get rrd_interval apinger rrd_interval 30 + config_get_bool debug "$instance" debug 0 + config_get status_interval "$instance" status_interval 1 + config_get rrd_interval "$instance" rrd_interval 30 [ "$debug" = "1" ] && debug=on || debug=off diff --git a/net/apinger/files/apinger.rpc b/net/apinger/files/apinger.rpc index 0be6e1657..360d473e2 100644 
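Review bot: In `append_target()` both new fallback lines read `[ -z "$srcip"] && …` with no space before the closing bracket, so `]` becomes part of the tested word and `[` fails with a missing-`]` error. The `network_get_ipaddr` / `network_get_ipaddr6` lookup then never runs and the source address silently falls back to `0.0.0.0` or `::`. The removed line had the space, so the new ones should read `[ -z "$srcip" ] && network_get_ipaddr6 srcip "$interface"` and `[ -z "$srcip" ] && network_get_ipaddr srcip "$interface"`. The address-family test `[ -z $(echo "$address"|sed "/:/d") ]` leaves the substitution unquoted and forks `sed` for a substring check; `case "$address" in *:*) … ;; *) … ;; esac` is the safer form. The function starts and ends outside this hunk.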
--- a/net/apinger/files/apinger.rpc +++ b/net/apinger/files/apinger.rpc @@ -38,7 +38,7 @@ apinger_status() { if [ -f "$status_file" ]; then _IFS="$IFS" IFS="|" - while read -r address srcip target received sent timestamp latency loss alarm; do + while read -r address srcip target sent received timestamp latency loss alarm; do json_add_object targets json_add_string interface "$iface" json_add_string target "$target" From 4b7d365b8644586029823f04c57a03a6f721e5ab Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Sun, 29 Oct 2023 15:16:41 +0100 Subject: [PATCH 06/40] postfix: bump to 3.8.2 release Bump postfix to 3.8.2 release. Refresh patches and drop patch 502-detect-glibc.patch as it got merged upstream. Signed-off-by: Christian Marangi --- mail/postfix/Makefile | 6 +++--- .../100-correct-signature-of-closefrom-API.patch | 10 +++++----- mail/postfix/patches/300-bdb_hash_segfault.patch | 4 ++-- mail/postfix/patches/400-cdb.patch | 2 +- mail/postfix/patches/500-crosscompile.patch | 4 ++-- mail/postfix/patches/501-include_stdio.patch | 2 +- mail/postfix/patches/502-detect-glibc.patch | 12 ------------ mail/postfix/patches/700-defaultconfig.patch | 4 ++-- 8 files changed, 16 insertions(+), 28 deletions(-) delete mode 100644 mail/postfix/patches/502-detect-glibc.patch diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile index b86fdcb6d..f979f7ed5 100644 --- a/mail/postfix/Makefile +++ b/mail/postfix/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=postfix -PKG_VERSION:=3.5.8 -PKG_RELEASE:=3 +PKG_VERSION:=3.8.2 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ https://de.postfix.org/ftpmirror/official/ \ http://ftp.porcupine.org/mirrors/postfix-release/official/ -PKG_HASH:=22582628cf3edc18c5155c9ff44543dd95a9435fb68135d76a99f572cb07456f +PKG_HASH:=6790903cdbb5e0e47196691eb9a5f2cf8050262def941e039e6d4bf4043a5e30 PKG_MAINTAINER:=Denis Shulyaka PKG_LICENSE:=IPL-1.0 
diff --git a/mail/postfix/patches/100-correct-signature-of-closefrom-API.patch b/mail/postfix/patches/100-correct-signature-of-closefrom-API.patch index c3201097a..28754e1a4 100644 --- a/mail/postfix/patches/100-correct-signature-of-closefrom-API.patch +++ b/mail/postfix/patches/100-correct-signature-of-closefrom-API.patch @@ -44,7 +44,7 @@ Signed-off-by: Khem Raj #endif --- a/src/util/sys_defs.h +++ b/src/util/sys_defs.h -@@ -1509,7 +1509,7 @@ extern int setsid(void); +@@ -1519,7 +1519,7 @@ extern int setsid(void); #endif #ifndef HAS_CLOSEFROM @@ -53,7 +53,7 @@ Signed-off-by: Khem Raj #endif -@@ -1563,7 +1563,7 @@ typedef int pid_t; +@@ -1573,7 +1573,7 @@ typedef int pid_t; /* * Clang-style attribute tests. @@ -62,7 +62,7 @@ Signed-off-by: Khem Raj * XXX Without the unconditional test below, gcc 4.6 will barf on ``elif * defined(__clang__) && __has_attribute(__whatever__)'' with error message * ``missing binary operator before token "("''. -@@ -1577,7 +1577,7 @@ typedef int pid_t; +@@ -1587,7 +1587,7 @@ typedef int pid_t; * warn for missing initializations and other trouble. However, OPENSTEP4 * gcc 2.7.x cannot handle this so we define this only if NORETURN isn't * already defined above. @@ -71,7 +71,7 @@ Signed-off-by: Khem Raj * Data point: gcc 2.7.2 has __attribute__ (Wietse Venema) but gcc 2.6.3 does * not (Clive Jones). So we'll set the threshold at 2.7. */ -@@ -1653,12 +1653,12 @@ typedef int pid_t; +@@ -1663,12 +1663,12 @@ typedef int pid_t; * write to output parameters (for example, stat- or scanf-like functions) * or from functions that have other useful side effects (for example, * fseek- or rename-like functions). @@ -86,7 +86,7 @@ 
Signed-off-by: Khem Raj * XXX Prepending "(void)" won't shut up GCC. Clang behaves as expected. */ #if ((__GNUC__ == 3 && __GNUC_MINOR__ >= 4) || __GNUC__ > 3) -@@ -1747,7 +1747,7 @@ typedef const char *CONST_CHAR_STAR; +@@ -1749,7 +1749,7 @@ typedef const char *CONST_CHAR_STAR; * Safety. On some systems, ctype.h misbehaves with non-ASCII or negative * characters. More importantly, Postfix uses the ISXXX() macros to ensure * protocol compliance, so we have to rule out non-ASCII characters. diff --git a/mail/postfix/patches/300-bdb_hash_segfault.patch b/mail/postfix/patches/300-bdb_hash_segfault.patch index 1ae9359fb..fdd01706f 100644 --- a/mail/postfix/patches/300-bdb_hash_segfault.patch +++ b/mail/postfix/patches/300-bdb_hash_segfault.patch @@ -1,6 +1,6 @@ --- a/src/util/dict_db.c +++ b/src/util/dict_db.c -@@ -750,8 +750,8 @@ static DICT *dict_db_open(const char *cl +@@ -751,8 +751,8 @@ static DICT *dict_db_open(const char *cl msg_fatal("create DB database: %m"); if (db == 0) msg_panic("db_create null result"); @@ -9,5 +9,5 @@ +// if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0) +// msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM); db_base_buf = vstring_alloc(100); - #if DB_VERSION_MAJOR == 6 || DB_VERSION_MAJOR == 5 || \ + #if DB_VERSION_MAJOR == 18 || DB_VERSION_MAJOR == 6 || DB_VERSION_MAJOR == 5 || \ (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0) diff --git a/mail/postfix/patches/400-cdb.patch b/mail/postfix/patches/400-cdb.patch index 074d03095..3afcf19dc 100644 --- a/mail/postfix/patches/400-cdb.patch +++ b/mail/postfix/patches/400-cdb.patch @@ -1,6 +1,6 @@ --- a/src/util/sys_defs.h +++ b/src/util/sys_defs.h -@@ -760,9 +760,8 @@ extern int initgroups(const char *, int) +@@ -774,9 +774,8 @@ extern int initgroups(const char *, int) #define INTERNAL_LOCK MYFLOCK_STYLE_FLOCK #define DEF_MAILBOX_LOCK "fcntl, dotlock" /* RedHat >= 4.x */ #define HAS_FSYNC 
diff --git a/mail/postfix/patches/500-crosscompile.patch b/mail/postfix/patches/500-crosscompile.patch index c7448a3a1..329436ce6 100644 --- a/mail/postfix/patches/500-crosscompile.patch +++ b/mail/postfix/patches/500-crosscompile.patch @@ -1,6 +1,6 @@ --- a/makedefs +++ b/makedefs -@@ -215,7 +215,7 @@ error() { +@@ -233,7 +233,7 @@ ARFL=rv case $# in # Officially supported usage. @@ -9,7 +9,7 @@ RELEASE=`(uname -r) 2>/dev/null` # No ${x%%y} support in Solaris 11 /bin/sh RELEASE_MAJOR=`expr "$RELEASE" : '\([0-9]*\)'` || exit 1 -@@ -242,6 +242,15 @@ case "$SYSTEM" in +@@ -247,6 +247,15 @@ case $# in esac case "$SYSTEM.$RELEASE" in diff --git a/mail/postfix/patches/501-include_stdio.patch b/mail/postfix/patches/501-include_stdio.patch index 84ad04a83..7681a54c1 100644 --- a/mail/postfix/patches/501-include_stdio.patch +++ b/mail/postfix/patches/501-include_stdio.patch @@ -1,6 +1,6 @@ --- a/src/posttls-finger/posttls-finger.c +++ b/src/posttls-finger/posttls-finger.c -@@ -342,6 +342,7 @@ +@@ -346,6 +346,7 @@ #include #include #include diff --git a/mail/postfix/patches/502-detect-glibc.patch b/mail/postfix/patches/502-detect-glibc.patch deleted file mode 100644 index abfc9d4fd..000000000 --- a/mail/postfix/patches/502-detect-glibc.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- a/src/util/sys_defs.h -+++ b/src/util/sys_defs.h -@@ -749,7 +749,8 @@ extern int initgroups(const char *, int) - /* - * LINUX. - */ --#if defined(LINUX2) || defined(LINUX3) || defined(LINUX4) || defined(LINUX5) -+#if defined(LINUX2) || defined(LINUX3) || defined(LINUX4) || defined(LINUX5) \ -+ || defined(LINUX6) - #define SUPPORTED - #define UINT32_TYPE unsigned int - #define UINT16_TYPE unsigned short diff --git a/mail/postfix/patches/700-defaultconfig.patch b/mail/postfix/patches/700-defaultconfig.patch index c779d12ed..d601ad7fb 100644 --- a/mail/postfix/patches/700-defaultconfig.patch +++ b/mail/postfix/patches/700-defaultconfig.patch @@ -1,6 +1,6 @@ --- a/conf/main.cf 
+++ b/conf/main.cf -@@ -40,43 +40,8 @@ compatibility_level = 2 +@@ -44,43 +44,8 @@ compatibility_level = 3.8 # #soft_bounce = no @@ -44,7 +44,7 @@ # The default_privs parameter specifies the default rights used by # the local delivery agent for delivery to external file or command. # These rights are used in the absence of a recipient user context. -@@ -632,45 +597,4 @@ debugger_command = +@@ -641,45 +606,4 @@ debugger_command = # -dmS $process_name gdb $daemon_directory/$process_name # $process_id & sleep 1 From f585559690e4d607f5fea5eeed4517d5c157098c Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Sun, 29 Oct 2023 15:18:19 +0100 Subject: [PATCH 07/40] postfix: move to PCRE2 library Move to PCRE2 library as PCRE is EOL and won't receive any security updates anymore. Signed-off-by: Christian Marangi --- mail/postfix/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/mail/postfix/Makefile b/mail/postfix/Makefile index f979f7ed5..313713692 100644 --- a/mail/postfix/Makefile +++ b/mail/postfix/Makefile @@ -44,7 +44,7 @@ define Package/postfix postfix=25:postfix=25 \ postdrop=26:postdrop=26 URL:=http://www.postfix.org/ - DEPENDS:=+POSTFIX_CDB:tinycdb +POSTFIX_TLS:libopenssl +POSTFIX_SASL:libsasl2 +POSTFIX_LDAP:libopenldap +POSTFIX_DB:libdb47 +POSTFIX_SQLITE:libsqlite3 +POSTFIX_MYSQL:libmysqlclient +POSTFIX_PGSQL:libpq +POSTFIX_EAI:icu +POSTFIX_PCRE:libpcre + DEPENDS:=+POSTFIX_CDB:tinycdb +POSTFIX_TLS:libopenssl +POSTFIX_SASL:libsasl2 +POSTFIX_LDAP:libopenldap +POSTFIX_DB:libdb47 +POSTFIX_SQLITE:libsqlite3 +POSTFIX_MYSQL:libmysqlclient +POSTFIX_PGSQL:libpq +POSTFIX_EAI:icu +POSTFIX_PCRE:libpcre2 MENU:=1 endef @@ -172,8 +172,8 @@ ifdef CONFIG_POSTFIX_PGSQL endif ifdef CONFIG_POSTFIX_PCRE - CCARGS+=-DHAS_PCRE -I$(STAGING_DIR)/usr/include/ - AUXLIBS+=-L$(STAGING_DIR)/usr/lib -lpcre + CCARGS+=-DHAS_PCRE2 -I$(STAGING_DIR)/usr/include/ + AUXLIBS+=-L$(STAGING_DIR)/usr/lib -lpcre2-8 else CCARGS+=-DNO_PCRE endif 
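Review bot: The `CONFIG_POSTFIX_PCRE` branch now passes `-DHAS_PCRE2`, but as far as I know Postfix's PCRE_README selects PCRE2 with `-DHAS_PCRE=2` and the source tests `HAS_PCRE`, not a `HAS_PCRE2` macro. If that holds for 3.8.2, the build links `-lpcre2-8` but compiles the `pcre:` table type out, so `header_checks` / `body_checks` maps of that type would fail to open at runtime. Please confirm against the 3.8.2 source and, if so, change the line to `CCARGS+=-DHAS_PCRE=2 -I$(STAGING_DIR)/usr/include/`.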
From 3dfb00c6c6758524282c6fa4a1995280ea613e9c Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Sun, 29 Oct 2023 15:45:45 +0100 Subject: [PATCH 08/40] zabbix: move to PCRE2 library Move to PCRE2 library as PCRE is not EOL and won't receive any security updates anymore. Signed-off-by: Christian Marangi --- admin/zabbix/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/admin/zabbix/Makefile b/admin/zabbix/Makefile index 721cdb1b4..e91cf986f 100644 --- a/admin/zabbix/Makefile +++ b/admin/zabbix/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=zabbix PKG_VERSION:=6.2.3 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://cdn.zabbix.com/zabbix/sources/stable/$(basename $(PKG_VERSION))/ \ @@ -57,7 +57,7 @@ define Package/zabbix/Default TITLE:=Zabbix URL:=https://www.zabbix.com/ USERID:=zabbix=53:zabbix=53 - DEPENDS+=$(ICONV_DEPENDS) +libpcre +zlib + DEPENDS+=$(ICONV_DEPENDS) +libpcre2 +zlib endef define Package/zabbix-agentd @@ -263,7 +263,7 @@ CONFIGURE_ARGS+= \ $(if $(CONFIG_ZABBIX_POSTGRESQL),--with-postgresql) \ $(if $(CONFIG_ZABBIX_SQLITE),--with-sqlite3=$(STAGING_DIR)/usr) \ --with-libevent=$(STAGING_DIR)/usr/include/libevent \ - --with-libpcre=$(STAGING_DIR)/usr/include \ + --with-libpcre2=$(STAGING_DIR)/usr/include \ --with-zlib=$(STAGING_DIR)/usr/include ifeq ($(BUILD_VARIANT),openssl) From d78505bcfa3101fab00fcee680b120f5b6b5307e Mon Sep 17 00:00:00 2001 From: Oliver Sedlbauer Date: Tue, 17 Oct 2023 17:13:37 +0200 Subject: [PATCH 09/40] modemmanager: improve cleanup of ifaces Change workflow to cleanup interfaces using the sysfscache. The sysfscache stores the processed sysfs-paths. Using this instead of mmcli -L, the interfaces can be properly cleaned up even if, for example, ModemManager crashes and mmcli is no longer usable. 
Signed-off-by: Oliver Sedlbauer --- net/modemmanager/Makefile | 2 +- net/modemmanager/files/modemmanager.common | 26 +++++++++------------- 2 files changed, 12 insertions(+), 16 deletions(-) diff --git a/net/modemmanager/Makefile b/net/modemmanager/Makefile index 82216ae4c..bef514550 100644 --- a/net/modemmanager/Makefile +++ b/net/modemmanager/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=modemmanager PKG_SOURCE_VERSION:=1.22.0 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/ModemManager.git diff --git a/net/modemmanager/files/modemmanager.common b/net/modemmanager/files/modemmanager.common index d157cebf8..2ba2036ce 100644 --- a/net/modemmanager/files/modemmanager.common +++ b/net/modemmanager/files/modemmanager.common 
@@ -235,24 +235,20 @@ mm_report_modem_wait() { # Cleanup interfaces mm_cleanup_interfaces() { - local modemlist modemlength idx modeminfo modemsysfspath + local sysfs_path status - modemlist=$(mmcli --list-modems --output-keyvalue) - [ -n "${modemlist}" ] || return 0 + # Do nothing if there is no sysfs cache + [ -f "${MODEMMANAGER_SYSFS_CACHE}" ] || return - modemlength=$(modemmanager_get_field "${modemlist}" "modem-list.length") + while IFS= read -r sysfs_cache_line; do + sysfs_path=$(echo "${sysfs_cache_line}" | awk '{print $1}') + status=$(echo "${sysfs_cache_line}" | awk '{print $2}') - # do nothing if no modem reported - [ -n "${modemlength}" ] && [ "${modemlength}" -ge 1 ] && { - idx=1 - while [ $idx -le "$modemlength" ]; do - modempath=$(modemmanager_get_field "${modemlist}" "modem-list.value\[$idx\]") - modeminfo=$(mmcli --modem "${modempath}" --output-keyvalue) - modemsysfspath=$(modemmanager_get_field "${modeminfo}" "modem.generic.device") - mm_cleanup_interface_by_sysfspath "${modemsysfspath}" - idx=$((idx + 1)) - done - } + if [ "${status}" = "processed" ]; then + mm_log "debug" "call cleanup for: ${sysfs_path}" + mm_cleanup_interface_by_sysfspath "${sysfs_path}" + fi + done < ${MODEMMANAGER_SYSFS_CACHE} } mm_cleanup_interface_by_sysfspath() { From 074741e343b059b560194f3afb25bfe505a0f3a2 Mon Sep 17 00:00:00 2001 From: Oliver Sedlbauer Date: Mon, 23 Oct 2023 17:52:38 +0200 Subject: [PATCH 10/40] modemmanager: move iface cleanup to wrapper script If the ModemManager process crashes, the interfaces are not cleaned up properly because the stop_service method is not called. With this change, the interfaces are cleaned up both when stopping the service and during a crash. Therefore it is no longer necessary to perform a cleanup at the beginning. 
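Review bot: `mm_cleanup_interfaces()` redirects from `${MODEMMANAGER_SYSFS_CACHE}` unquoted and leaves `sysfs_cache_line` out of the `local` list, so the loop variable leaks into whatever script sourced this file. Letting `read` do the field splitting removes the two `echo | awk` forks per cache line: `while read -r sysfs_path status _; do` … `done < "${MODEMMANAGER_SYSFS_CACHE}"`. Every path read from the cache is passed straight to `mm_cleanup_interface_by_sysfspath`. A short comment naming who writes the cache and its `<sysfs-path> <status>` line format would make that trust assumption explicit.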
Signed-off-by: Oliver Sedlbauer --- net/modemmanager/Makefile | 2 +- net/modemmanager/files/modemmanager.init | 7 ------- net/modemmanager/files/usr/sbin/ModemManager-wrapper | 4 +++- 3 files changed, 4 insertions(+), 9 deletions(-) diff --git a/net/modemmanager/Makefile b/net/modemmanager/Makefile index bef514550..e484b7fbd 100644 --- a/net/modemmanager/Makefile +++ b/net/modemmanager/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=modemmanager PKG_SOURCE_VERSION:=1.22.0 -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/ModemManager.git diff --git a/net/modemmanager/files/modemmanager.init b/net/modemmanager/files/modemmanager.init index 7f014dc56..a036d884d 100755 --- a/net/modemmanager/files/modemmanager.init +++ b/net/modemmanager/files/modemmanager.init @@ -6,13 +6,6 @@ START=70 LOG_LEVEL="INFO" -stop_service() { - # Load common utils - . /usr/share/ModemManager/modemmanager.common - # Set all configured interfaces as unavailable - mm_cleanup_interfaces -} - start_service() { # Setup ModemManager service # diff --git a/net/modemmanager/files/usr/sbin/ModemManager-wrapper b/net/modemmanager/files/usr/sbin/ModemManager-wrapper index 4fd64227f..97c2a826d 100644 --- a/net/modemmanager/files/usr/sbin/ModemManager-wrapper +++ b/net/modemmanager/files/usr/sbin/ModemManager-wrapper @@ -20,7 +20,6 @@ main() { mkdir -p "${MODEMMANAGER_RUNDIR}" chmod 0755 "${MODEMMANAGER_RUNDIR}" - mm_cleanup_interfaces /usr/sbin/ModemManager "$@" 1>/dev/null 2>/dev/null & CHILD="$!" @@ -28,6 +27,9 @@ main() { mm_report_events_from_cache wait "$CHILD" + + # Set all configured interfaces as unavailable + mm_cleanup_interfaces } main "$@" From 9783678926767317cce87608ba0f2f44bade3dc0 Mon Sep 17 00:00:00 2001 From: Michael Heimpold Date: Mon, 9 Oct 2023 15:40:43 +0200 Subject: [PATCH 11/40] php8-pecl-http: update to 4.2.4 
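Review bot: With the start-of-run `mm_cleanup_interfaces` call removed from `main()`, cleanup depends entirely on the wrapper reaching the line after `wait "$CHILD"`. If the wrapper itself is killed, that line is never reached, and the next start no longer resets interfaces that were left marked as available. If the wrapper traps and forwards signals (the top of the file is outside this hunk), `wait` can also return before ModemManager has exited. Keeping the initial call as a cheap safety net, and waiting until the child is really gone with `while kill -0 "$CHILD" 2>/dev/null; do wait "$CHILD"; done`, would cover both cases.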
Signed-off-by: Michael Heimpold --- lang/php8-pecl-http/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lang/php8-pecl-http/Makefile b/lang/php8-pecl-http/Makefile index 1a6543cac..07b2a5677 100644 --- a/lang/php8-pecl-http/Makefile +++ b/lang/php8-pecl-http/Makefile @@ -8,9 +8,9 @@ include $(TOPDIR)/rules.mk PECL_NAME:=pecl_http PECL_LONGNAME:=Extended HTTP Support -PKG_VERSION:=4.2.3 -PKG_RELEASE:=2 -PKG_HASH:=fa2ab558fc8f0928a10f35c0f566f7c4a1d32e727bd3a96579e4c28482ee9d6a +PKG_VERSION:=4.2.4 +PKG_RELEASE:=1 +PKG_HASH:=fb1e10c2e5edfb011ff8dc2e473cdbd2bbe0127d1279dfce4d98570555ac6ded PKG_NAME:=php8-pecl-http PKG_SOURCE:=$(PECL_NAME)-$(PKG_VERSION).tgz From eb2ed206454ac72c73f0af0f5386cb7f5d79672d Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Fri, 20 Oct 2023 10:59:53 +0200 Subject: [PATCH 12/40] keepalived: add startup and shutdown script handling The keepalived does support script call handling on start and stop. All scripts located under '/etc/hotplug.d/keepalived' gets now called with the env ACTION set to startup or shutdown. The script that want to get called on this keepalived events could evalutate this env to run on startup or shutdown. Signed-off-by: Florian Eckert --- net/keepalived/Makefile | 2 +- net/keepalived/files/keepalived.init | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/net/keepalived/Makefile b/net/keepalived/Makefile index 62f4373f7..bf09b4992 100644 --- a/net/keepalived/Makefile +++ b/net/keepalived/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=keepalived PKG_VERSION:=2.2.8 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.keepalived.org/software diff --git a/net/keepalived/files/keepalived.init b/net/keepalived/files/keepalived.init index 63beb2983..804c6213e 100644 --- a/net/keepalived/files/keepalived.init +++ b/net/keepalived/files/keepalived.init 
@@ -105,6 +105,11 @@ globals() { printf '%benable_script_security\n' "${INDENT_1}" >> "$KEEPALIVED_CONF" printf '%bprocess_names\n' "${INDENT_1}" >> "$KEEPALIVED_CONF" + printf '%bstartup_script "/bin/busybox env -i ACTION=startup /sbin/hotplug-call keepalived"\n' "${INDENT_1}" >> "$KEEPALIVED_CONF" + printf '%bstartup_script_timeout 10\n' "${INDENT_1}" >> "$KEEPALIVED_CONF" + printf '%bshutdown_script "/bin/busybox env -i ACTION=shutdown /sbin/hotplug-call keepalived"\n' "${INDENT_1}" >> "$KEEPALIVED_CONF" + printf '%bshutdown_script_timeout 10\n' "${INDENT_1}" >> "$KEEPALIVED_CONF" + config_get notification_email "$1" notification_email print_list_indent notification_email From f9ed5a9f3af0c587b29e12f85fd9b82b8394be71 Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Fri, 20 Oct 2023 11:30:43 +0200 Subject: [PATCH 13/40] keepalived: add missing no_accept option This commit adds the missing option 'no_accept'. Signed-off-by: Florian Eckert --- net/keepalived/Makefile | 2 +- net/keepalived/files/keepalived.init | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/keepalived/Makefile b/net/keepalived/Makefile index bf09b4992..da44823c5 100644 --- a/net/keepalived/Makefile +++ b/net/keepalived/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=keepalived PKG_VERSION:=2.2.8 -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.keepalived.org/software diff --git a/net/keepalived/files/keepalived.init b/net/keepalived/files/keepalived.init index 804c6213e..cbbff4941 100644 --- a/net/keepalived/files/keepalived.init +++ b/net/keepalived/files/keepalived.init 
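Review bot: The new `startup_script` / `shutdown_script` directives in `globals()` are written right after `enable_script_security`, but as far as I can tell that check only covers the configured command path (`/bin/busybox`). It would not cover the scripts under `/etc/hotplug.d/keepalived` that `hotplug-call` then runs. A comment above the new `printf` lines, e.g. `# scripts in /etc/hotplug.d/keepalived are not covered by enable_script_security; keep the directory root-owned`, would record that assumption. The two 10-second timeouts are hard-coded; reading them with `config_get` and a default of 10 would match how the neighbouring `notification_email` option is read. `globals()` starts and ends outside this hunk.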
@@ -358,7 +358,7 @@ vrrp_instance() { garp_master_repeat garp_master_refresh_repeat \ no_val_vmac_xmit_base no_val_native_ipv6 no_val_accept \ no_val_dont_track_primary no_val_smtp_alert no_val_nopreempt \ - no_val_use_vmac + no_val_use_vmac no_val_no_accept print_notify "INSTANCE" "$name" "$INDENT_1" notify_backup notify_master \ notify_fault notify_stop From 7a393aea9f277358ee6ba7db6761609fba402a7d Mon Sep 17 00:00:00 2001 From: Stan Grishin Date: Sun, 29 Oct 2023 19:33:15 +0000 Subject: [PATCH 14/40] ngtcp2: update to 1.0.1 * https://github.com/ngtcp2/ngtcp2/compare/v1.0.0...v1.0.1 Signed-off-by: Stan Grishin --- libs/ngtcp2/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libs/ngtcp2/Makefile b/libs/ngtcp2/Makefile index 5d7ad9a0c..3db59361d 100644 --- a/libs/ngtcp2/Makefile +++ b/libs/ngtcp2/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ngtcp2 -PKG_VERSION:=1.0.0 +PKG_VERSION:=1.0.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/ngtcp2/ngtcp2/releases/download/v$(PKG_VERSION)/ -PKG_HASH:=a40b18af654baaebee3431af9bb4e347f40080bf1189d658ad53f8e66bf39da3 +PKG_HASH:=df03e7e91110fcbb165ae048fa671f1dd39f77b841df3a14aef076a1c192cc27 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=COPYING From a517b7660b50dee284e0b0b2d33c9670738c29ec Mon Sep 17 00:00:00 2001 From: Vladimir Ermakov Date: Sat, 28 Oct 2023 11:38:07 +0200 Subject: [PATCH 15/40] qemu: update to 8.1.2 Changes: - Update to 8.1.2 - Refresh patches - Replace absent option --with-git-submodules with --disable-download Fix #22530 Signed-off-by: Vladimir Ermakov --- utils/qemu/Makefile | 6 +++--- .../0001-configure-allow-disable-fortify_source.patch | 4 ++-- .../patches/0006-util-mmap-alloc-fix-missing-MAP_SYNC.patch | 4 ++-- utils/qemu/patches/0010-no-tests.patch | 4 ++-- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/utils/qemu/Makefile b/utils/qemu/Makefile index 4f99c320d..5e9851b06 100644 
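Review bot: With `no_val_no_accept` added next to `no_val_accept` in the `vrrp_instance()` option list, a UCI section that sets both would presumably get both `accept` and `no_accept` written into the instance block, and keepalived treats the two as opposites. Nothing in the hunk rejects that combination. The code that prints these options is outside the hunk, so confirm the behaviour there, or add a guard and a one-line comment such as `# accept and no_accept are mutually exclusive`.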
--- a/utils/qemu/Makefile +++ b/utils/qemu/Makefile @@ -9,10 +9,10 @@ include $(TOPDIR)/rules.mk PKG_NAME:=qemu -PKG_VERSION:=8.0.2 +PKG_VERSION:=8.1.2 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_HASH:=f060abd435fbe6794125e2c398568ffc3cfa540042596907a8b18edca34cf6a5 +PKG_HASH:=541526a764576eb494d2ff5ec46aeb253e62ea29035d1c23c0a8af4e6cd4f087 PKG_SOURCE_URL:=http://download.qemu.org/ PKG_LICENSE:=GPL-2.0-only PKG_LICENSE_FILES:=LICENSE tcg/LICENSE @@ -392,7 +392,7 @@ CONFIGURE_ARGS += \ --disable-docs \ --disable-fuse \ --disable-gcrypt \ - --with-git-submodules=ignore \ + --disable-download \ --disable-glusterfs \ --disable-gnutls \ --disable-guest-agent-msi \ diff --git a/utils/qemu/patches/0001-configure-allow-disable-fortify_source.patch b/utils/qemu/patches/0001-configure-allow-disable-fortify_source.patch index 434b3d15a..e893c1788 100644 --- a/utils/qemu/patches/0001-configure-allow-disable-fortify_source.patch +++ b/utils/qemu/patches/0001-configure-allow-disable-fortify_source.patch @@ -11,9 +11,9 @@ OpenWrt base build system decide flavor of fortify_source to use --- a/configure +++ b/configure -@@ -896,6 +896,8 @@ for opt do +@@ -823,6 +823,8 @@ for opt do ;; - --disable-vfio-user-server) vfio_user_server="disabled" + --gdb=*) gdb_bin="$optarg" ;; + --disable-fortify-source) fortify_source="no" + ;; diff --git a/utils/qemu/patches/0006-util-mmap-alloc-fix-missing-MAP_SYNC.patch b/utils/qemu/patches/0006-util-mmap-alloc-fix-missing-MAP_SYNC.patch index e09447bd1..f8bfa67c2 100644 --- a/utils/qemu/patches/0006-util-mmap-alloc-fix-missing-MAP_SYNC.patch +++ b/utils/qemu/patches/0006-util-mmap-alloc-fix-missing-MAP_SYNC.patch @@ -32,9 +32,9 @@ Signed-off-by: Yousong Zhou #endif /* CONFIG_LINUX */ #include "qemu/osdep.h" -@@ -29,6 +26,13 @@ - #include +@@ -57,6 +54,13 @@ QemuFsType qemu_fd_getfs(int fd) #endif + } +#ifndef MAP_SYNC +#define MAP_SYNC 0x0 
diff --git a/utils/qemu/patches/0010-no-tests.patch b/utils/qemu/patches/0010-no-tests.patch index 9c36a3914..3df92e30d 100644 --- a/utils/qemu/patches/0010-no-tests.patch +++ b/utils/qemu/patches/0010-no-tests.patch @@ -1,6 +1,6 @@ --- a/meson.build +++ b/meson.build -@@ -3192,10 +3192,6 @@ subdir('common-user') +@@ -3451,10 +3451,6 @@ subdir('common-user') subdir('bsd-user') subdir('linux-user') @@ -11,7 +11,7 @@ # accel modules tcg_real_module_ss = ss.source_set() tcg_real_module_ss.add_all(when: 'CONFIG_TCG_MODULAR', if_true: tcg_module_ss) -@@ -3687,10 +3683,6 @@ subdir('scripts') +@@ -3945,10 +3941,6 @@ subdir('scripts') subdir('tools') subdir('pc-bios') subdir('docs') From fbfa63a03be5916873e3b2d1d17d21d1742de7de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20H=C3=A1k?= Date: Wed, 25 Oct 2023 15:20:12 +0200 Subject: [PATCH 16/40] knot: update to version 3.3.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jan Hák --- net/knot/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/knot/Makefile b/net/knot/Makefile index b40a2b28a..11be30e81 100644 --- a/net/knot/Makefile +++ b/net/knot/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=knot -PKG_VERSION:=3.3.1 +PKG_VERSION:=3.3.2 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://secure.nic.cz/files/knot-dns/ -PKG_HASH:=f3f4b1d49ec9b81113b14a38354b823bd4a470356ed7e8e555595b6fd1ac80c9 +PKG_HASH:=0d65d4b59f5df69b78c6295ade0a2ea7931831de7ef5eeee3e00f8a20af679e4 PKG_MAINTAINER:=Daniel Salzman PKG_LICENSE:=GPL-3.0 LGPL-2.0 0BSD BSD-3-Clause OLDAP-2.8 From 3efee178f23ef9bf78678369be48bcaa430456b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20H=C3=A1k?= Date: Thu, 26 Oct 2023 16:03:38 +0200 Subject: [PATCH 17/40] knot: patch enabling PKCS11 related code only if PKCS11 is available MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Jan Hák --- .../patches/03_libdnssec_pkcs11_support.patch | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 net/knot/patches/03_libdnssec_pkcs11_support.patch diff --git a/net/knot/patches/03_libdnssec_pkcs11_support.patch b/net/knot/patches/03_libdnssec_pkcs11_support.patch new file mode 100644 index 000000000..4e7e30c09 --- /dev/null +++ b/net/knot/patches/03_libdnssec_pkcs11_support.patch @@ -0,0 +1,17 @@ +--- a/src/libdnssec/key/key.c ++++ b/src/libdnssec/key/key.c +@@ -146,10 +146,14 @@ dnssec_key_t *dnssec_key_dup(const dnsse + + gnutls_privkey_type_t type = gnutls_privkey_get_type(key->private_key); + if (type == GNUTLS_PRIVKEY_PKCS11) { ++#ifdef ENABLE_PKCS11 + gnutls_pkcs11_privkey_t tmp; + gnutls_privkey_export_pkcs11(key->private_key, &tmp); + gnutls_privkey_import_pkcs11(dup->private_key, tmp, + GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); ++#else ++ assert(0); ++#endif + } else { + assert(type == GNUTLS_PRIVKEY_X509); + gnutls_x509_privkey_t tmp; From 52af24ff563c94a28b2c44c4be67bbc40ca364d3 Mon Sep 17 00:00:00 2001 From: Jaymin Patel Date: Mon, 22 Aug 2022 16:41:33 +0530 Subject: [PATCH 18/40] libreswan: uci configuration support Add libreswan UCI configuration and hotplug support 
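Review bot: The `#else` branch added in `dnssec_key_dup()` uses `assert(0);`, which disappears when the library is built with `NDEBUG`. In that case a key of type `GNUTLS_PRIVKEY_PKCS11` on a build without `ENABLE_PKCS11` would fall through, and the duplicate would be returned with no private key imported. An explicit failure is safer than an assertion here, for example `dnssec_key_free(dup); return NULL;` in place of `assert(0);`, assuming callers already handle a NULL return. The function's other error paths are outside the hunk, so check that this matches how it reports failure elsewhere.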
Signed-off-by: Jaymin Patel --- net/libreswan/Makefile | 147 ++++++-- net/libreswan/files/etc/config/libreswan | 41 +++ .../files/etc/hotplug.d/iface/89-libreswan | 11 + .../files/etc/hotplug.d/libreswan/00-default | 220 ++++++++++++ .../files/etc/hotplug.d/libreswan/01-user | 7 + .../files/etc/hotplug.d/libreswan/02-vti | 24 ++ .../files/etc/hotplug.d/libreswan/61-iptables | 76 ++++ .../files/etc/hotplug.d/libreswan/62-nftables | 87 +++++ net/libreswan/files/etc/init.d/ipsec | 337 ++++++++++++++++++ net/libreswan/files/etc/ipsec.conf | 3 + net/libreswan/files/etc/ipsec.secrets | 2 + net/libreswan/files/etc/libreswan_firewall.sh | 90 +++++ .../files/etc/uci-defaults/091-libreswan | 8 + net/libreswan/files/ipsec.conf | 25 -- net/libreswan/files/ipsec.init | 36 -- net/libreswan/files/ipsec.secrets | 10 - .../files/usr/libexec/ipsec/_updown.xfrm | 3 + .../files/usr/libexec/rpcd/libreswan | 183 ++++++++++ .../chain-pre/forward/001-libreswan.nft | 1 + .../chain-pre/input/001-libreswan.nft | 2 + .../chain-pre/output/001-libreswan.nft | 2 + .../chain-pre/srcnat/001-libreswan.nft | 1 + .../nftables.d/table-post/001-libreswan.nft | 6 + 23 files changed, 1218 insertions(+), 104 deletions(-) create mode 100644 net/libreswan/files/etc/config/libreswan create mode 100644 net/libreswan/files/etc/hotplug.d/iface/89-libreswan create mode 100644 net/libreswan/files/etc/hotplug.d/libreswan/00-default create mode 100644 net/libreswan/files/etc/hotplug.d/libreswan/01-user create mode 100644 net/libreswan/files/etc/hotplug.d/libreswan/02-vti create mode 100644 net/libreswan/files/etc/hotplug.d/libreswan/61-iptables create mode 100644 net/libreswan/files/etc/hotplug.d/libreswan/62-nftables create mode 100644 net/libreswan/files/etc/init.d/ipsec create mode 100644 net/libreswan/files/etc/ipsec.conf create mode 100644 net/libreswan/files/etc/ipsec.secrets create mode 100755 net/libreswan/files/etc/libreswan_firewall.sh create mode 100644 net/libreswan/files/etc/uci-defaults/091-libreswan 
delete mode 100644 net/libreswan/files/ipsec.conf delete mode 100755 net/libreswan/files/ipsec.init delete mode 100644 net/libreswan/files/ipsec.secrets create mode 100644 net/libreswan/files/usr/libexec/ipsec/_updown.xfrm create mode 100644 net/libreswan/files/usr/libexec/rpcd/libreswan create mode 100644 net/libreswan/files/usr/share/nftables.d/chain-pre/forward/001-libreswan.nft create mode 100644 net/libreswan/files/usr/share/nftables.d/chain-pre/input/001-libreswan.nft create mode 100644 net/libreswan/files/usr/share/nftables.d/chain-pre/output/001-libreswan.nft create mode 100644 net/libreswan/files/usr/share/nftables.d/chain-pre/srcnat/001-libreswan.nft create mode 100644 net/libreswan/files/usr/share/nftables.d/table-post/001-libreswan.nft diff --git a/net/libreswan/Makefile b/net/libreswan/Makefile index 4ecc00a44..eb407e432 100644 --- a/net/libreswan/Makefile +++ b/net/libreswan/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libreswan PKG_VERSION:=4.12 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://download.libreswan.org/ 
@@ -25,46 +25,65 @@ PKG_BUILD_FLAGS:=lto include $(INCLUDE_DIR)/package.mk -define Package/libreswan/Default - TITLE:=Libreswan - URL:=https://libreswan.org/ -endef - -define Package/libreswan/Default/description - Libreswan is a free software implementation of the most widely supported and - standardized VPN protocol based on ("IPsec") and the Internet Key Exchange - ("IKE"). These standards are produced and maintained by the Internet - Engineering Task Force ("IETF"). -endef - -define Package/libreswan -$(call Package/libreswan/Default) +define Package/libreswan/default SUBMENU:=VPN SECTION:=net CATEGORY:=Network - DEPENDS:= +IPV6:kmod-ip6-vti +IPV6:kmod-ipsec6 +ip-full +iptables-mod-ipsec \ - +kmod-crypto-aead +kmod-crypto-authenc +kmod-crypto-gcm \ - +kmod-crypto-hash +kmod-crypto-rng +kmod-ip-vti +kmod-ipsec \ - +kmod-ipsec4 +kmod-ipt-ipsec +kmod-xfrm-interface +libevent2 +libevent2-pthreads \ - +libldns +librt +libunbound +nss-utils +nspr +libcap-ng + TITLE:=Libreswan + URL:=https://libreswan.org/ PROVIDES:=openswan CONFLICTS:=strongswan - TITLE+= IPsec Server +endef + +define Package/libreswan + $(Package/libreswan/default) + DEPENDS:= \ + +kmod-ip-vti +IPV6:kmod-ip6-vti \ + +kmod-ipsec +kmod-ipsec4 +IPV6:kmod-ipsec6 \ + +ip-full +kmod-xfrm-interface \ + +libevent2 +libevent2-pthreads \ + +libldns +librt +libunbound +nss-utils +nspr +libcap-ng \ + +kmod-crypto-acompress \ + +kmod-crypto-aead \ + +kmod-crypto-authenc \ + +kmod-crypto-arc4 \ + +kmod-crypto-cbc \ + +kmod-crypto-ccm \ + +kmod-crypto-chacha20poly1305 \ + +kmod-crypto-cmac \ + +kmod-crypto-ctr \ + +kmod-crypto-cts \ + +kmod-crypto-des \ + +kmod-crypto-ecb \ + +kmod-crypto-ecdh \ + +kmod-crypto-gcm \ + +kmod-crypto-ghash \ + +kmod-crypto-hash \ + +kmod-crypto-hmac \ + +kmod-crypto-md4 \ + +kmod-crypto-md5 \ + +kmod-crypto-null \ + +kmod-crypto-pcbc \ + +kmod-crypto-sha1 \ + +kmod-crypto-sha256 \ + +kmod-crypto-sha512 \ + +kmod-crypto-xcbc \ + +kmod-crypto-rng endef define 
Package/libreswan/description -$(call Package/libreswan/Default/description) - Libreswan is a free software implementation of the most widely supported and - standardized VPN protocol based on ("IPsec") and the Internet Key Exchange - ("IKE"). These standards are produced and maintained by the Internet - Engineering Task Force ("IETF"). + Libreswan is a free software implementation of the most widely supported and + standardized VPN protocol based on ("IPsec") and the Internet Key Exchange + ("IKE"). These standards are produced and maintained by the Internet + Engineering Task Force ("IETF"). endef define Package/libreswan/conffiles /etc/ipsec.d -/etc/ipsec.conf -/etc/ipsec.secrets +/etc/config/libreswan +/etc/ipsec.user endef + TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed MAKE_FLAGS+= \ 
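Review bot: In `Package/libreswan/conffiles`, `/etc/ipsec.conf` and `/etc/ipsec.secrets` are dropped while the install hunk below still ships both files, so on an upgrade a hand-written configuration and its secrets would presumably be overwritten by the packaged stubs instead of being preserved. Either keep the two paths listed alongside `/etc/config/libreswan` and `/etc/ipsec.user`, or describe the migration in the commit message. Separately, the new `DEPENDS` list pulls in `kmod-crypto-md4`, `kmod-crypto-md5`, `kmod-crypto-des` and `kmod-crypto-arc4` unconditionally; a comment saying which of these legacy modules are really required would help anyone trimming the image.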
@@ -103,20 +122,82 @@ endef define Package/libreswan/install $(INSTALL_DIR) \ - $(1)/etc/init.d \ $(1)/etc/ipsec.d/policies \ $(1)/usr/libexec/ipsec \ - $(1)/usr/sbin + $(1)/usr/sbin \ + $(1)/etc/config \ + $(1)/etc/init.d \ + $(1)/etc/hotplug.d/libreswan \ + $(1)/etc/hotplug.d/iface \ + $(1)/usr/libexec/rpcd \ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec \ $(1)/usr/sbin/ipsec - $(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec - $(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/ipsec.conf - $(INSTALL_DATA) ./files/ipsec.secrets $(1)/etc/ipsec.secrets $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ipsec.d/policies/* \ $(1)/etc/ipsec.d/policies/ $(CP) $(PKG_INSTALL_DIR)/usr/libexec/ipsec/* \ $(1)/usr/libexec/ipsec/ + + $(INSTALL_BIN) ./files/usr/libexec/ipsec/_updown.xfrm $(1)/usr/libexec/ipsec/_updown.xfrm + $(INSTALL_BIN) ./files/etc/init.d/ipsec $(1)/etc/init.d/ipsec + $(INSTALL_BIN) ./files/usr/libexec/rpcd/libreswan $(1)/usr/libexec/rpcd/libreswan + $(INSTALL_DATA) ./files/etc/ipsec.conf $(1)/etc/ipsec.conf + $(INSTALL_DATA) ./files/etc/ipsec.secrets $(1)/etc/ipsec.secrets + $(INSTALL_DATA) ./files/etc/config/libreswan $(1)/etc/config/libreswan + $(INSTALL_DATA) ./files/etc/hotplug.d/libreswan/01-user $(1)/etc/hotplug.d/libreswan/01-user + $(INSTALL_DATA) ./files/etc/hotplug.d/libreswan/02-vti $(1)/etc/hotplug.d/libreswan/02-vti + $(INSTALL_DATA) ./files/etc/hotplug.d/iface/89-libreswan $(1)/etc/hotplug.d/iface/89-libreswan +endef + +define Package/libreswan-nftables + $(Package/libreswan/default) + TITLE+= nftables plugin) + DEPENDS+=firewall4 +libreswan +kmod-nft-xfrm +nftables \ + +kmod-nfnetlink-log +endef + +define Package/libreswan-nftables/description + Provides Libreswan nftables plugin for adding firewall rules +endef + +define Package/libreswan-nftables/install + $(INSTALL_DIR) $(1)/etc/hotplug.d/libreswan \ + $(1)/usr/share/nftables.d/ruleset-post + + $(CP) ./files/usr/share/nftables.d/* $(1)/usr/share/nftables.d + $(CP) 
./files/etc/hotplug.d/libreswan/62-nftables $(1)/etc/hotplug.d/libreswan/62-nftables + $(LN) /tmp/libreswan/firewall.d/libreswan.rules $(1)/usr/share/nftables.d/ruleset-post/10_libreswan.nft +endef + +define Package/libreswan-iptables + $(Package/libreswan/default) + TITLE+= iptables plugin) + DEPENDS+=firewall +libreswan +iptables-mod-ipsec +kmod-ipt-ipsec \ + +iptables-zz-legacy +IPV6:ip6tables-zz-legacy \ + +kmod-ipt-nflog +iptables-mod-nflog +endef + +define Package/libreswan-iptables/description + Provides Libreswan iptables plugin for adding firewall rules +endef + +define Package/libreswan-iptables/install + $(INSTALL_DIR) $(1)/etc \ + $(1)/etc/uci-defaults \ + $(1)/etc/hotplug.d/libreswan + + $(CP) ./files/etc/hotplug.d/libreswan/61-iptables $(1)/etc/hotplug.d/libreswan/61-iptables + $(CP) ./files/etc/uci-defaults/091-libreswan $(1)/etc/uci-defaults/091-libreswan + $(INSTALL_BIN) ./files/etc/libreswan_firewall.sh $(1)/etc/libreswan_firewall.sh +endef + +define Package/libreswan-iptables/postinst +#!/bin/sh +[ -n "$$IPKG_INSTROOT" ] || { + /etc/init.d/firewall reload +} endef $(eval $(call BuildPackage,libreswan)) +$(eval $(call BuildPackage,libreswan-nftables)) +$(eval $(call BuildPackage,libreswan-iptables)) diff --git a/net/libreswan/files/etc/config/libreswan b/net/libreswan/files/etc/config/libreswan new file mode 100644 index 000000000..140c8f693 --- /dev/null +++ b/net/libreswan/files/etc/config/libreswan 
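Review bot: The `libreswan-nftables` install step links `ruleset-post/10_libreswan.nft` to `/tmp/libreswan/firewall.d/libreswan.rules`, so the firewall loads rules from a predictable path under `/tmp` that only exists once a hook has run; the same `FW_DIR` is hard-coded in `61-iptables` and `62-nftables`. If `/tmp` is writable by any non-root account on the device, whoever creates that directory first decides what the firewall includes. Pointing the link and `FW_DIR` at a directory that root creates with a restrictive mode, for instance below the `/var/run/ipsec` directory the init script already uses, closes that gap. Also in this hunk, `TITLE+= nftables plugin)` and `TITLE+= iptables plugin)` carry a stray closing parenthesis.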
@@ -0,0 +1,41 @@ +config libreswan 'globals' + option debug '0' # set debug mode none/all + list virtual_private '10.0.0.0/8' + list virtual_private '192.168.0.0/16' + list virtual_private '172.16.0.0/12' + list virtual_private '25.0.0.0/8' + list virtual_private '100.64.0.0/10' + list virtual_private '!100.64.0.0/24' # the address ranges that may live behind a NAT router through which a client connects + # option listen '192.168.2.100' # listening address, if set listen_interface would not be used + # option listen_interface 'wan' # listening interface + # option uniqueids 'yes' # yes/no + +# config crypto_proposal 'p1' +# list encryption_algorithm '3des' # possible values: 3des, aes, aes_ctr, aes_cbc, aes128, aes192, aes256, camellia_cbc +# list hash_algorithm 'md5' # possible values: md5, sha1, sha256, sha384, sha512 +# list dh_group 'modp1536' # possible values: modp1536, modp2048, modp3072, modp4096, modp6144, modp8192, dh19, dh20, dh21, dh22, dh31 + +# config tunnel 'vti2_1_5' +# option left '192.168.1.1' +# option left_interface 'wan' # interface ipaddr to be used as left +# option leftid '@left' # local id +# option right '192.168.2.201' # remote endpoint public ip +# option rightid '@62dd3e3f82339b002405245b' # rightid +# option auto 'start' # what operation, should be done automatically at IPsec startup +# option authby 'secret' # how the two security gateways should authenticate each other +# option psk 'AyG9RlTtQJIUxgxG' # preshare key +# option ikev2 '1' # ike version +# option ikelifetime '8h' +# option rekey '1' +# option rekeymargin '9m' +# option dpdaction 'restart' +# option dpddelay '30' +# option dpdtimeout '150' +# option interface 'vti2_1_5' # only for route based tunnels +# list leftsubnets '0.0.0.0/0' +# list rightsubnets '0.0.0.0/0' +# option phase2 'esp' # phase2 protocol +# list ike 'p1' # list of crypto_proposal (phase1 proposals) +# list phase2ag 'p1' # list of crypto_proposal (phase2 proposals') +# option nflog '0' # enable nflog +# 
option update_peeraddr '1' # auto update vti interface ppeeradd in /etc/config/network diff --git a/net/libreswan/files/etc/hotplug.d/iface/89-libreswan b/net/libreswan/files/etc/hotplug.d/iface/89-libreswan new file mode 100644 index 000000000..9ebc61815 --- /dev/null +++ b/net/libreswan/files/etc/hotplug.d/iface/89-libreswan @@ -0,0 +1,11 @@ +#!/bin/sh + +[ "$ACTION" = ifup -o "$ACTION" = ifupdate ] || exit 0 +[ "$ACTION" = ifupdate -a -z "$IFUPDATE_ADDRESSES" -a -z "$IFUPDATE_DATA" ] && exit 0 + +/etc/init.d/ipsec running || exit 0 +uci show libreswan | grep -i "='$INTERFACE'$" || exit 0 + +logger -t libreswan "Restart libreswan due to $ACTION of $INTERFACE ($DEVICE)" + +/etc/init.d/ipsec restart diff --git a/net/libreswan/files/etc/hotplug.d/libreswan/00-default b/net/libreswan/files/etc/hotplug.d/libreswan/00-default new file mode 100644 index 000000000..940c49520 --- /dev/null +++ b/net/libreswan/files/etc/hotplug.d/libreswan/00-default 
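Review bot: The commented sample in `/etc/config/libreswan` uses `3des`, `md5` and `modp1536` as the example proposal and a literal key in `option psk 'AyG9RlTtQJIUxgxG'`, so a user who uncomments the block to get started ends up with weak algorithms and a pre-shared key that is published with the package. Replacing the sample values with `aes256`, `sha256` and `modp2048`, which are all in the listed possible values, and the key line with `# option psk '<pre-shared-key>'` keeps the example safe to copy. The `phase2ag` option name in the sample also looks like a typo for `phase2alg`, which is the name the init script reads.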
@@ -0,0 +1,220 @@ +#!/bin/sh + +# Things that this script gets (from ipsec_pluto(8) man page) +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway +# communications is IPv6, then a suffix of -v6 is added +# to the verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_CONNECTION_TYPE +# is type of the connection, "tunnel" or "transport". +# +# PLUTO_CONN_POLICY +# the policy of the connection, as in: +# RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC +# +failureDROP+lKOD+rKOD +# +# CAT=YES| +# if client address translation inside IPsec stack is enabled +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the real interface used by encrypted traffic and IKE traffic +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is our ID. +# +# PLUTO_METRIC +# is the metric to set for the route +# +# PLUTO_MTU +# is the mtu to set for the route +# +# PLUTO_ADD_TIME +# Time the IPsec SA was added to the kernel +# +# PLUTO_MOBIKE_EVENT +# wether the connection is underdoing MOBIKE migration +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / mask (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# if non-empty, then the source address for the route will be +# set to this IP address. +# +# PLUTO_MY_PROTOCOL +# is the protocol for this connection. Useful for +# firewalling. 
+# +# PLUTO_MY_PORT +# is the port. Useful for firewalling. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client subnet. +# If the client is just the peer, this will be +# the peer's own IP address / mask (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the protocol set for remote end with port +# selector. +# +# PLUTO_PEER_PORT +# is the peer's port. Useful for firewalling. +# +# PLUTO_PEER_CA +# is the DN of the peer's CA that signed its certificate +# +# PLUTO_CFG_CLIENT=0|1 +# is MODECFG or IKEv2 Config client. +# +# PLUTO_CFG_SERVER=0|1 +# is MODECFG or IKEv2 Config server. +# +# PLUTO_PEER_DNS_INFO +# The peer's supplied DNS information (IKEv1 and IKEv2) +# +# PLUTO_PEER_DOMAIN_INFO +# The peer's supplied domain list for local resolving (IKEv2 only) +# +# PLUTO_PEER_BANNER +# is the peer's provided banner +# +# PLUTO_NM_CONFIGURED=0|1 +# is NetworkManager used for resolv.conf update +# +# PLUTO_CONN_ADDRFAMILY +# is the family type, "ipv4" or "ipv6" +# +# PLUTO_CONN_KIND +# is the "kind" of connection (CK_PERMANENT, CK_INSTANCE, etc) +# +# PLUTO_STACK +# is the local IPsec kernel stack used, eg XFRM, BSDKAME, NOSTACK +# +# PLUTO_IS_PEER_CISCO=0|1 +# remote server type is cisco. Add support for cisco extensions +# when used with xauth. +# +# PLUTO_SA_REQID +# When using KAME or XFRM, the IPsec SA reqid base value. 
+# ESP/AH out is base, ESP/AH in = base + 1 +# IPCOMP is base + 2 plus for inbound + 1 +# +# PLUTO_XFRMI_FWMARK +# use outgoing mark +# +# PLUTO_SA_TYPE +# The type of IPsec SA (ESP or AH) +# +# PLUTO_USERNAME +# The username (XAUTH or GSSAPI) that was authenticated (if any) +# for this SA +# +# PLUTO_VIRT_INTERFACE +# is the name of ipsec interface used by clear traffic in/out +# +# INTERFACE_IP +# The IP to configure / expect on the interface? Currently is never set +# +# PLUTO_XFRM_ROUTE +# if an XFRM (ipsec-device) has been specified, value will be "yes" +# +# XAUTH_FAILED +# If xauthfail=soft this will be set to 1 if XAUTH authentication +# failed. If xauthfail=hard, the updown scripts never run. +# +# CONNMARK +# If mark= is set on the connection, this variable will be +# set with the value. It can be used for iptables or VTI. +# +# CONNMARK_IN +# the incoming mark to use +# +# CONNMARK_OUT +# the outgoing mark to use +# +# VTI_IFACE=iface +# Name of VTI interface to create +# +# VTI_ROUTING=yes|no +# Whether or not to perform ip rule and ip route commands +# covering the IPsec SA address ranges to route those packets +# into the VTI_IFACE interface. This should be enabled unless +# the IPsec SA covers 0.0.0.0/0 <-> 0.0.0.0/0 +# +# VTI_SHARED=yes|no +# Whether or not more conns (or instances) share a VTI device. +# If not shared, the VTI device is deleted when tunnel goes down. +# +# VTI_IP +# The IP to configure on the VTI device +# +# SPI_IN / SPI_OUT +# The inbound and outbound SPI's of the connection. 
+# +# PLUTO_INBYTES +# total bytes received +# +# PLUTO_OUTBYTES +# total bytes sent +# +# NFLOG +# is the nflog group to use +# + +case "${PLUTO_VERB}" in + prepare-host|prepare-host-v6) ;; + prepare-client|prepare-client-v6) ;; + route-host|route-host-v6) ;; + unroute-host|unroute-host-v6) ;; + route-client|route-client-v6) ;; + unroute-client|unroute-client-v6) ;; + up-host|up-host-v6) ;; + down-host|down-host-v6) ;; + up-client|up-client-v6) ;; + down-client|down-client-v6) ;; +esac diff --git a/net/libreswan/files/etc/hotplug.d/libreswan/01-user b/net/libreswan/files/etc/hotplug.d/libreswan/01-user new file mode 100644 index 000000000..120260957 --- /dev/null +++ b/net/libreswan/files/etc/hotplug.d/libreswan/01-user @@ -0,0 +1,7 @@ +#!/bin/sh + +[ -e "/etc/ipsec.user" ] && { + . /etc/ipsec.user +} + +exit 0 diff --git a/net/libreswan/files/etc/hotplug.d/libreswan/02-vti b/net/libreswan/files/etc/hotplug.d/libreswan/02-vti new file mode 100644 index 000000000..719d60e9b --- /dev/null +++ b/net/libreswan/files/etc/hotplug.d/libreswan/02-vti @@ -0,0 +1,24 @@ +#!/bin/sh + +. /lib/functions.sh + +[ "${PLUTO_VERB}" != "route-client" ] && [ "${PLUTO_VERB}" != "up-client" ] && exit 0 + +CONNECTION=${PLUTO_CONNECTION%/*} +[ -z "$CONNECTION" ] && exit 0 + +update_peeraddr=$(uci_get libreswan $CONNECTION update_peeraddr) +[ "$update_peeraddr" != "1" ] && exit 0 + +interface=$(uci_get libreswan $CONNECTION interface) +[ -z "$interface" ] && exit 0 + +proto=$(uci_get network "$interface" proto) +[ "$proto" != "vti" ] && exit 0 + +peeraddr=$(uci_get network "$interface" peeraddr) +[ "$peeraddr" == "$PLUTO_PEER" ] && exit 0 + +uci_set network "$interface" peeraddr "$PLUTO_PEER" +uci_commit network +ifup "$interface" diff --git a/net/libreswan/files/etc/hotplug.d/libreswan/61-iptables b/net/libreswan/files/etc/hotplug.d/libreswan/61-iptables new file mode 100644 index 000000000..b795d3097 --- /dev/null +++ b/net/libreswan/files/etc/hotplug.d/libreswan/61-iptables 
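Review bot: In `02-vti`, `$CONNECTION` is passed unquoted in `uci_get libreswan $CONNECTION update_peeraddr` and `uci_get libreswan $CONNECTION interface`, while every later variable is quoted. Write `uci_get libreswan "$CONNECTION" update_peeraddr` (and likewise for `interface`) so a connection name with unexpected characters cannot shift the arguments. The script then stores `$PLUTO_PEER` in `/etc/config/network` and commits it. A short header comment saying that this persists the peer address for VTI interfaces, and only on the non-`-v6` `route-client` and `up-client` verbs, would make that side effect clear.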
@@ -0,0 +1,76 @@ +#!/bin/sh + +. /lib/functions.sh + +FW4="$(command -v fw4)" +[ -n "$FW4" ] && exit 0 + +CONNECTION="${PLUTO_CONNECTION//\//_}" +[ -z "$CONNECTION" ] && exit 0 + +IPT_LEGACY="$(command -v iptables-legacy)" +IPT="$(command -v iptables)" +BIN="${IPT_LEGACY:-$IPT}" +[ -z "$BIN" ] && exit 0 + +LIBRESWAN_INPUT="libreswan_input" +LIBRESWAN_FORWARD="libreswan_forward" +LIBRESWAN_OUTPUT="libreswan_output" +LIBRESWAN_NFLOG_INPUT="libreswan_nflog_input" +LIBRESWAN_NFLOG_OUTPUT="libreswan_nflog_output" +LIBRESWAN_POSTROUTING="libreswan_postrouting" + +FW_DIR="/tmp/libreswan/firewall.d" +LIBRESWAN_RULES_FILE="$FW_DIR/libreswan.rules" +RULES_DIR="$FW_DIR/rules" + +IPV4_RULES_FILE="$RULES_DIR/${CONNECTION}-ipv4.rules" +IPV6_RULES_FILE="$RULES_DIR/${CONNECTION}-ipv6.rules" + +reload_firewall() { + [ ! -d "$RULES_DIR" ] && return 0 + + cat $RULES_DIR/*.rules > "$LIBRESWAN_RULES_FILE" 2>/dev/null + /etc/init.d/firewall reload +} + +up_rules() { + [ -z "$PLUTO_PEER_CLIENT" ] && return 0 + + [ ! 
-d "$RULES_DIR" ] && mkdir -p "$RULES_DIR" + [ "$PLUTO_PEER_CLIENT" = "0.0.0.0/0" ] && [ "$PLUTO_MY_CLIENT" = "0.0.0.0/0" ] && return 0 + + cat << EOF > $IPV4_RULES_FILE +$BIN -t filter -A $LIBRESWAN_INPUT -m policy --dir in --pol ipsec -s $PLUTO_PEER_CLIENT -d $PLUTO_MY_CLIENT -m comment --comment "$PLUTO_CONNECTION" -j ACCEPT +$BIN -t filter -A $LIBRESWAN_FORWARD -s $PLUTO_PEER_CLIENT -d $PLUTO_MY_CLIENT -m comment --comment "$PLUTO_CONNECTION" -j ACCEPT +$BIN -t filter -A $LIBRESWAN_OUTPUT -m policy --dir out --pol ipsec -s $PLUTO_MY_CLIENT -d $PLUTO_PEER_CLIENT -m comment --comment "$PLUTO_CONNECTION" -j ACCEPT +$BIN -t nat -A $LIBRESWAN_POSTROUTING -m policy --dir out --pol ipsec -s $PLUTO_MY_CLIENT -d $PLUTO_PEER_CLIENT -m comment --comment "$PLUTO_CONNECTION" -j ACCEPT +EOF + if [ -n "$NFLOG" ]; then + cat << EOF > $IPV4_RULES_FILE +$BIN -t filter -A $LIBRESWAN_NFLOG_INPUT -m policy --dir in --pol ipsec -s $PLUTO_PEER_CLIENT -d $PLUTO_MY_CLIENT -j NFLOG --nflog-group $NFLOG --nflog-prefix $PLUTO_CONNECTION +$BIN -t filter -A $LIBRESWAN_NFLOG_OUTPUT -m policy --dir out --pol ipsec -s $PLUTO_MY_CLIENT -d $PLUTO_PEER_CLIENT -j NFLOG --nflog-group $NFLOG --nflog-prefix $PLUTO_CONNECTION +EOF + + fi + + reload_firewall + + return 0 +} + +down_rules() { + if [ -f "$IPV4_RULES_FILE" ]; then + rm -rf "$IPV4_RULES_FILE" + reload_firewall + fi + + return 0 +} + +case "${PLUTO_VERB}" in + up-host|up-client) up_rules ;; + down-host|down-client) down_rules ;; + up-host-v6|down-host-v6) ;; + up-client|down-client-v6) ;; +esac diff --git a/net/libreswan/files/etc/hotplug.d/libreswan/62-nftables b/net/libreswan/files/etc/hotplug.d/libreswan/62-nftables new file mode 100644 index 000000000..fe8814769 --- /dev/null +++ b/net/libreswan/files/etc/hotplug.d/libreswan/62-nftables 
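Review bot: In `up_rules()`, the NFLOG branch opens the rules file with `cat << EOF > $IPV4_RULES_FILE` a second time, which truncates the four ACCEPT rules written just above, so a connection with `NFLOG` set ends up with logging rules only. The second heredoc should append instead: `cat << EOF >> "$IPV4_RULES_FILE"`. In the final `case`, the pattern `up-client|down-client-v6) ;;` repeats `up-client`, which the first arm already matched; it presumably should read `up-client-v6|down-client-v6) ;;`, and the same line appears in `62-nftables`. `--nflog-prefix $PLUTO_CONNECTION` is also written unquoted, unlike the `--comment "$PLUTO_CONNECTION"` arguments.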
@@ -0,0 +1,87 @@ +#!/bin/sh + +. /lib/functions.sh + +FW4="$(command -v fw4)" +[ -z "$FW4" ] && exit 0 + +CONNECTION="${PLUTO_CONNECTION//\//_}" +[ -z "$CONNECTION" ] && exit 0 + +FW_DIR="/tmp/libreswan/firewall.d" +LIBRESWAN_RULES_FILE="$FW_DIR/libreswan.rules" +RULES_DIR="$FW_DIR/rules" + +IPV4_RULES_FILE="$RULES_DIR/${CONNECTION}-ipv4.rules" +IPV6_RULES_FILE="$RULES_DIR/${CONNECTION}-ipv6.rules" +NFLOG_ALL_RULES_FILE="$RULES_DIR/nflog_all.rules" + +reload_firewall() { + [ ! -d "$RULES_DIR" ] && return 0 + + cat $RULES_DIR/*.rules > "$LIBRESWAN_RULES_FILE" 2>/dev/null + /etc/init.d/firewall reload +} + +up_rules() { + [ -z "$PLUTO_PEER_CLIENT" ] && return 0 + + [ ! -d "$RULES_DIR" ] && mkdir -p "$RULES_DIR" + + eval $(ipsec addconn --configsetup) + + if [ -n "$nflog_all" ]; then + unset NFLOG + if [ ! -f "$NFLOG_ALL_RULES_FILE" ]; then + cat << EOF > "$NFLOG_ALL_RULES_FILE" +table inet fw4 { + chain libreswan_nflog_input { + meta ipsec exists log prefix "all-ipsec" group ${nflog_all} + } + chain libreswan_nflog_output { + rt ipsec exists log prefix "all-ipsec" group ${nflog_all} + } +} +EOF + fi + else + [ -f "$NFLOG_ALL_RULES_FILE" ] && rm -f "$NFLOG_ALL_RULES_FILE" + fi + + cat << EOF > $IPV4_RULES_FILE +table inet fw4 { + chain libreswan_input { + meta ipsec exists ipsec in ip saddr $PLUTO_PEER_CLIENT ip daddr $PLUTO_MY_CLIENT ${NFLOG:+log prefix \"${PLUTO_CONNECTION}\" group ${NFLOG}} accept comment "$PLUTO_CONNECTION" + } + chain libreswan_forward { + meta ipsec exists ipsec in ip saddr $PLUTO_PEER_CLIENT ip daddr $PLUTO_MY_CLIENT accept comment "$PLUTO_CONNECTION" + } + chain libreswan_output { + ipsec out ip saddr $PLUTO_MY_CLIENT ip daddr $PLUTO_PEER_CLIENT ${NFLOG:+log prefix \"${PLUTO_CONNECTION}\" group ${NFLOG}} accept comment "$PLUTO_CONNECTION" + } + chain libreswan_srcnat { + ip saddr $PLUTO_MY_CLIENT ip daddr $PLUTO_PEER_CLIENT accept comment "$PLUTO_CONNECTION" + } +} +EOF + + reload_firewall + + return 0 +} + +down_rules() { + if [ -f 
"$IPV4_RULES_FILE" ]; then + rm -rf "$IPV4_RULES_FILE" + reload_firewall + fi + + return 0 +} + +case "${PLUTO_VERB}" in + up-host|up-client) up_rules ;; + down-host|down-client) down_rules ;; + up-host-v6|down-host-v6) ;; + up-client|down-client-v6) ;; +esac diff --git a/net/libreswan/files/etc/init.d/ipsec b/net/libreswan/files/etc/init.d/ipsec new file mode 100644 index 000000000..8a9478528 --- /dev/null +++ b/net/libreswan/files/etc/init.d/ipsec 
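Review bot: `up_rules()` writes `$PLUTO_PEER_CLIENT`, `$PLUTO_MY_CLIENT` and `$PLUTO_CONNECTION` straight into an nftables fragment, and `reload_firewall()` concatenates every fragment before `/etc/init.d/firewall reload` with no check that the result parses. Since the concatenated file is meant to be loaded with the fw4 ruleset, one malformed fragment could presumably make the whole reload fail. Checking each fragment first, e.g. `nft -c -f "$IPV4_RULES_FILE" || rm -f "$IPV4_RULES_FILE"`, would contain that. `IPV6_RULES_FILE` is assigned but never written, and `down_rules()` never removes `$NFLOG_ALL_RULES_FILE`; both deserve a comment or a fix.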
@@ -0,0 +1,337 @@ +#!/bin/sh /etc/rc.common + +. "${IPKG_INSTROOT}/lib/functions/network.sh" + +START=90 +STOP=10 + +USE_PROCD=1 + +PROG="/usr/libexec/ipsec/pluto" +IPSEC_BIN="/usr/sbin/ipsec" + +IPSEC_DIR="/var/run/ipsec" +IPSEC_CONF="$IPSEC_DIR/setup.conf" +IPSEC_CONF_DIR="$IPSEC_DIR/conf.d" + +IPSEC_AUTO="${IPSEC_BIN} auto" + +extra_command "start_tunnel" "Start ipsec tunnel" +extra_command "stop_tunnel" "Stop ipsec tunnel" +extra_command "reload_tunnel" "Reload/restart ipsec tunnel" + +set_var() { + export "$1=$2" +} + +get_var() { + local var + + var=$(eval echo "\"\${${1}}\"") + [ "$var" = "1" ] && return 0 + + return 1 +} + +set_restart_flag() { + set_var "RESTART_IPSEC" 1 +} + +restart_flag() { + get_var RESTART_IPSEC +} + +set_replace_flag() { + set_var "REPLACE_${1}" 1 +} + +replace_flag() { + get_var "REPLACE_${1}" +} + +checkconfig() { + ${IPSEC_BIN} addconn --checkconfig || return 1 + mkdir -p /var/run/pluto +} + +expand_ike() { + local id="$1" + local encryption_algorithm hash_algorithm dh_group proposal + + config_get encryption_algorithm "${id}" encryption_algorithm + config_get hash_algorithm "${id}" hash_algorithm + config_get dh_group "${id}" dh_group + + encryption_algorithm="${encryption_algorithm% *}" + proposal="${encryption_algorithm:+${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}${dh_group:+;${dh_group%% *}}}}" + append ike_proposal "$proposal" "," +} + +expand_phase2alg() { + local id="$1" + local encryption_algorithm hash_algorithm dh_group + + config_get encryption_algorithm "${id}" encryption_algorithm + config_get hash_algorithm "${id}" hash_algorithm + config_get dh_group "${id}" dh_group + + phase2alg_proposal="${encryption_algorithm:+${encryption_algorithm// /+}${hash_algorithm:+-${hash_algorithm// /+}${dh_group:+-${dh_group// /+}}}}" +} + +generate_tunnel_config() { + local id=$1 + local config_file="$IPSEC_CONF_DIR/$id.conf" + local secret_file="$IPSEC_CONF_DIR/$id.secret" + local tmp_config_file="/tmp/$id.conf" + 
local tmp_secret_file="/tmp/$id.secret" + local ikey mark_in okey mark_out ifid + + config_get auto "$id" auto + config_get left "$id" left + config_get left_interface "$id" left_interface + [ -n "$left_interface" ] && network_get_ipaddr left "$left_interface" + config_get right "$id" right + config_get leftid "$id" leftid "$left" + config_get rightid "$id" rightid "$right" + config_get leftsourceip "$id" leftsourceip + config_get rightsourceip "$id" rightsourceip + config_get leftsubnets "$id" leftsubnets + config_get rightsubnets "$id" rightsubnets + config_get_bool ikev2 "$id" ikev2 + [ "$ikev2" = "1" ] && ikev2=yes || ikev2=no + config_get_bool rekey "$id" rekey + [ "$rekey" = "1" ] && rekey=yes || rekey=no + config_get ikelifetime "$id" ikelifetime + config_get rekeymargin "$id" rekeymargin + config_get dpdaction "$id" dpdaction + config_get dpdtimeout "$id" dpdtimeout + config_get dpddelay "$id" dpddelay + config_get phase2 "$id" phase2 + config_get phase2alg "$id" phase2alg + config_get nflog "$id" nflog 0 + [ "$nflog" = "0" ] && unset nflog + + config_list_foreach "$id" ike expand_ike + config_list_foreach "$id" phase2alg expand_phase2alg + + config_get authby "$id" authby + config_get psk "$id" psk + + if [ -n "$leftsubnets" ]; then + [[ "$leftsubnets" =~ 0.0.0.0* ]] && leftsubnets="0.0.0.0/0" + leftsubnets="{${leftsubnets// /,}}" + fi + + if [ -n "$rightsubnets" ]; then + [[ "$rightsubnets" =~ 0.0.0.0* ]] && rightsubnets="0.0.0.0/0" + rightsubnets="{${rightsubnets// /,}}" + fi + + config_get interface "$id" interface + + cat << EOF > "$tmp_secret_file" +$leftid $rightid : PSK "$psk" +EOF + + cat << EOF > "$tmp_config_file" +conn $id + auto=${auto} + authby=${authby} + ikev2=${ikev2} + left=${left%% *} + ${leftid:+leftid=${leftid}} + ${leftsourceip:+leftsourceip=${leftsourceip}} + ${leftsubnets:+leftsubnets=${leftsubnets}} + right=${right%% *} + ${rightid:+rightid=${rightid}} + ${rightsourceip:+rightsourceip=${rightsourceip}} + 
${rightsubnets:+rightsubnets=${rightsubnets}} + ${dpdaction:+dpdaction=${dpdaction}} + ${dpdtimeout:+dpdtimeout=${dpdtimeout}} + ${dpddelay:+dpddelay=${dpddelay}} + ${ikelifetime:+ikelifetime=${ikelifetime}} + ${rekey:+rekey=${rekey}} + ${rekeymargin:+rekeymargin=${rekeymargin}} + ${rekeyfuzz:+rekeyfuzz=${rekeyfuzz}} + ${phase2:+phase2=${phase2}} + ${ike_proposal:+ike=${ike_proposal}} + ${phase2alg_proposal:+phase2alg=${phase2alg_proposal}} + ${nflog:+nflog=${nflog}} +EOF + + if [ -n "$interface" ]; then + proto=$(uci_get network "$interface" proto) + case "$proto" in + vti) + ikey=$(uci_get network "$interface" ikey) + okey=$(uci_get network "$interface" okey) + mark_in=$(printf "0x%x" $ikey) + mark_out=$(printf "0x%x" $okey) + echo -e "${mark_in:+\tmark-in=${mark_in}}" >> "$tmp_config_file" + echo -e "${mark_out:+\tmark-out=${mark_out}}" >> "$tmp_config_file" + echo -e "${interface:+\tvti-interface=${interface}}" >> "$tmp_config_file" + ;; + xfrm) + ifid=$(uci_get network "$interface" ifid) + echo -e "${ifid:+\tipsec-interface=${ifid}}" >> "$tmp_config_file" + ;; + esac + fi + + + [ -f "$config_file" ] && { + cmp "$config_file" "$tmp_config_file" 2>/dev/null && rm -f "$tmp_config_file" + } + + [ -f "$secret_file" ] && { + cmp "$secret_file" "$tmp_secret_file" 2>/dev/null && rm -f "$tmp_secret_file" + } + + [ -f "$tmp_config_file" ] && mv "$tmp_config_file" "$config_file" && set_replace_flag "$id" + [ -f "$tmp_secret_file" ] && mv "$tmp_secret_file" "$secret_file" && set_replace_flag "$id" + + unset ike_proposal phase2alg_proposal +} + +generate_daemon_config() { + local tmp_config_file="/tmp/setup.conf" + + config_get_bool debug globals debug 0 + [ "$debug" = "0" ] && debug=none || debug=all + config_get_bool uniqueids globals uniqueids 0 + [ "$uniqueids" = "0" ] && uniqueids=no || uniqueids=yes + config_get listen globals listen + config_get listen_interface globals listen_interface + [ -n "$listen_interface" ] && network_get_ipaddr listen "$listen_interface" + 
config_get virtual_private globals virtual_private + [ -z "$virtual_private" ] && virtual_private='10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 25.0.0.0/8 100.64.0.0/10 !100.64.0.0/24' + config_get nflog_all globals nflog_all 0 + [ "$nflog_all" = "0" ] && unset nflog_all + + [ ! -d $IPSEC_DIR ] && mkdir -p $IPSEC_DIR + [ ! -d $IPSEC_CONF_DIR ] && mkdir -p $IPSEC_CONF_DIR + + cat << EOF > "$tmp_config_file" +config setup + ${debug:+plutodebug=${debug}} + ${uniqueids:+uniqueids=${uniqueids}} + ${listen:+listen=${listen}} + ${virtual_private:+virtual-private=%v4:${virtual_private// /,%v4:}} + ${nflog_all:+nflog-all=${nflog_all}} +EOF + + if ! cmp "$IPSEC_CONF" "$tmp_config_file" 2>/dev/null; then + mv "$tmp_config_file" "$IPSEC_CONF" + set_restart_flag 1 + else + rm -f "$tmp_config_file" + fi + + return 0 +} + +clean_config() { + rm -f $IPSEC_CONF_DIR/*.conf $IPSEC_CONF_DIR/*.secret +} + +config_cb() { + local var="CONFIG_${1}_SECTIONS" + export $var + append "$var" "$2" +} + +generate_config() { + config_load libreswan + generate_daemon_config + config_foreach generate_tunnel_config tunnel +} + +regenerate_config() { + clean_config + generate_config +} + +active_conns() { + local active_conns file _file + + active_conns=$(${IPSEC_BIN} --trafficstatus | awk -F'[":/]' '{print $3}' | sort -u) + + for file in $IPSEC_CONF_DIR/*.conf; do + _file="${file##*/}" + list_contains active_conns "${_file%%.*}" || append active_conns "${_file%%.*}" + done + + echo "$active_conns" +} + +start_service() { + generate_config + checkconfig || return 1 + + ${IPSEC_BIN} _stackmanager start + + procd_open_instance + procd_set_param command $PROG --nofork + procd_set_param respawn + procd_close_instance +} + +stop_service() { + ${IPSEC_BIN} whack --shutdown + ${IPSEC_BIN} _stackmanager stop +} + +stop_tunnel() { + ${IPSEC_AUTO} --delete "$1" > /dev/null 2>&1 + rm -f ${IPSEC_CONF_DIR}/$1.* +} + +start_tunnel() { + generate_tunnel_config "$1" + ${IPSEC_AUTO} --add "$1" > /dev/null 2>&1 + 
${IPSEC_AUTO} --rereadsecrets + ${IPSEC_AUTO} --up "$1" > /dev/null 2>&1 & +} + +reload_tunnel() { + generate_tunnel_config "$1" + + replace_flag "$1" || return 0 + + ${IPSEC_AUTO} --rereadsecrets + ${IPSEC_AUTO} --replace "$1" > /dev/null 2>&1 + ${IPSEC_AUTO} --up "$1" > /dev/null 2>&1 & +} + +reload_service() { + local active_tunnels uci_tunnels + uci_tunnels="$@" + + config_load libreswan + generate_daemon_config + + if restart_flag; then + restart + return 0 + fi + + [ -z "$uci_tunnels" ] && config_get uci_tunnels tunnel SECTIONS + + active_tunnels="$(active_conns)" + + for tunnel in $active_tunnels; do + list_contains uci_tunnels "$tunnel" || stop_tunnel "$tunnel" + done + + for tunnel in $uci_tunnels; do + if list_contains active_tunnels "$tunnel"; then + reload_tunnel "$tunnel" + else + start_tunnel "$tunnel" + fi + done +} + +service_triggers() { + procd_add_reload_trigger 'libreswan' +} diff --git a/net/libreswan/files/etc/ipsec.conf b/net/libreswan/files/etc/ipsec.conf new file mode 100644 index 000000000..3b8f2dc3f --- /dev/null +++ b/net/libreswan/files/etc/ipsec.conf @@ -0,0 +1,3 @@ +include /var/run/ipsec/setup.conf +include /var/run/ipsec/conf.d/*.conf +include /etc/ipsec.d/*.conf diff --git a/net/libreswan/files/etc/ipsec.secrets b/net/libreswan/files/etc/ipsec.secrets new file mode 100644 index 000000000..68bbe9175 --- /dev/null +++ b/net/libreswan/files/etc/ipsec.secrets @@ -0,0 +1,2 @@ +include /var/run/ipsec/conf.d/*.secret +include /etc/ipsec.d/*.secrets diff --git a/net/libreswan/files/etc/libreswan_firewall.sh b/net/libreswan/files/etc/libreswan_firewall.sh new file mode 100755 index 000000000..94ba275f6 --- /dev/null +++ b/net/libreswan/files/etc/libreswan_firewall.sh 
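Review bot: generate_tunnel_config writes the PSK to `/tmp/$id.secret` under the caller's umask and only afterwards moves it into `$IPSEC_CONF_DIR`, so the secret sits at a predictable path in a shared directory and keeps the mode it was created with after the `mv`. Creating it next to its destination under a tight mask avoids both problems: `local tmp_secret_file="$IPSEC_CONF_DIR/.$id.secret.tmp"` and a `umask 077` before the two here-documents. The value is also written as `PSK "$psk"` with no check for an embedded double quote, which would yield a malformed secrets line. Separately, `[[ "$leftsubnets" =~ 0.0.0.0* ]]` and its rightsubnets twin are unanchored patterns whose dots match any character, so where the shell implements `=~` as a regex match a value such as `10.0.0.0/8` would be rewritten to `0.0.0.0/0`. A literal test such as `case " $leftsubnets " in *" 0.0.0.0/0 "*)` states the intent without widening anything else.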
@@ -0,0 +1,90 @@
+#!/bin/sh
+
+FW4="$(command -v fw4)"
+[ -n "$FW4" ] && exit 0
+
+IPT_LEGACY="$(command -v iptables-legacy)"
+IPT="$(command -v iptables)"
+BIN="${IPT_LEGACY:-$IPT}"
+[ -z "$BIN" ] && exit 0
+
+LIBRESWAN_INPUT="libreswan_input"
+LIBRESWAN_FORWARD="libreswan_forward"
+LIBRESWAN_OUTPUT="libreswan_output"
+LIBRESWAN_NFLOG_INPUT="libreswan_nflog_input"
+LIBRESWAN_NFLOG_OUTPUT="libreswan_nflog_output"
+LIBRESWAN_POSTROUTING="libreswan_postrouting"
+
+FW_DIR="/tmp/libreswan/firewall.d"
+LIBRESWAN_RULES_FILE="$FW_DIR/libreswan.rules"
+
+flush_delete_chain() {
+ [ $# -lt 2 ] && return
+
+ $BIN -t $1 -nL $2 > /dev/null 2>&1 || return
+
+ $BIN -t $1 -F $2
+ $BIN -t $1 -X $2
+}
+
+cleanup_libreswan_rules() {
+ $BIN -t filter -C input_rule -j $LIBRESWAN_INPUT > /dev/null 2>&1
+ [ $? -eq 0 ] && $BIN -t filter -D input_rule -j $LIBRESWAN_INPUT
+
+ $BIN -t filter -C output_rule -j $LIBRESWAN_OUTPUT > /dev/null 2>&1
+ [ $? -eq 0 ] && $BIN -t filter -D output_rule -j $LIBRESWAN_OUTPUT
+
+ $BIN -t filter -C forwarding_rule -j $LIBRESWAN_FORWARD > /dev/null 2>&1
+ [ $? -eq 0 ] && $BIN -t filter -D forwarding_rule -j $LIBRESWAN_FORWARD
+
+ $BIN -t nat -C postrouting_rule -j $LIBRESWAN_POSTROUTING > /dev/null 2>&1
+ [ $? -eq 0 ] && $BIN -t nat -D postrouting_rule -j $LIBRESWAN_POSTROUTING
+
+ flush_delete_chain filter $LIBRESWAN_NFLOG_INPUT
+ flush_delete_chain filter $LIBRESWAN_INPUT
+ flush_delete_chain filter $LIBRESWAN_FORWARD
+ flush_delete_chain filter $LIBRESWAN_NFLOG_OUTPUT
+ flush_delete_chain filter $LIBRESWAN_OUTPUT
+ flush_delete_chain filter $LIBRESWAN_NFLOG_INPUT
+ flush_delete_chain filter $LIBRESWAN_NFLOG_OUTPUT
+ flush_delete_chain nat $LIBRESWAN_POSTROUTING
+}
+
+create_chain_jump() {
+ [ $# -lt 3 ] && return
+
+ local table=$1
+ local chain=$2
+ local base_chain=$3
+
+ $BIN -t $table -N $chain
+ $BIN -t $table -C $base_chain -j $chain
+ [ $? -ne 0 ] && $BIN -t $table -I $base_chain -j $chain
+ $BIN -t $table -F $chain
+}
+
+if ! /etc/init.d/ipsec running; then
+ cleanup_libreswan_rules
+ exit 0
+fi
+
+eval $(ipsec addconn --configsetup)
+
+create_chain_jump filter "$LIBRESWAN_INPUT" "insert_rule"
+create_chain_jump filter "$LIBRESWAN_FORWARD" "forwarding_rule"
+create_chain_jump filter "$LIBRESWAN_OUTPUT" "output_rule"
+
+create_chain_jump filter "$LIBRESWAN_NFLOG_INPUT" "$LIBRESWAN_INPUT"
+create_chain_jump filter "$LIBRESWAN_NFLOG_OUTPUT" "$LIBRESWAN_OUTPUT"
+
+create_chain_jump nat "$LIBRESWAN_POSTROUTING" "postrouting_rule"
+
+[ ! -f $LIBRESWAN_RULES_FILE ] && exit 0
+
+if [ -n "$nflog_all" ]; then
+ sed -i -e '/NFLOG/d' "$LIBRESWAN_RULES_FILE"
+ $BIN -t filter -I $LIBRESWAN_NFLOG_INPUT -m policy --dir in --pol ipsec -j NFLOG --nflog-group ${nflog_all} --nflog-prefix all-ipsec
+ $BIN -t filter -I $LIBRESWAN_NFLOG_OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group ${nflog_all} --nflog-prefix all-ipsec
+fi
+
+sh $LIBRESWAN_RULES_FILE
diff --git a/net/libreswan/files/etc/uci-defaults/091-libreswan b/net/libreswan/files/etc/uci-defaults/091-libreswan
new file mode 100644
index 000000000..91a16e1b3
--- /dev/null
+++ b/net/libreswan/files/etc/uci-defaults/091-libreswan
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+uci_add firewall include libreswan
+uci_set firewall libreswan path '/etc/libreswan_firewall.sh'
+uci_set firewall libreswan reload 1
+uci_commit firewall
diff --git a/net/libreswan/files/ipsec.conf b/net/libreswan/files/ipsec.conf
deleted file mode 100644
index 8b7493b86..000000000
--- a/net/libreswan/files/ipsec.conf
+++ /dev/null
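Review bot: The final `sh $LIBRESWAN_RULES_FILE` runs `/tmp/libreswan/firewall.d/libreswan.rules` as a shell script with the firewall's privileges, and nothing in this script creates that directory or checks who owns the file, so whatever can write under `/tmp/libreswan` decides what is executed on every firewall reload. At minimum the path should be quoted and the file refused unless it is root-owned and not group- or world-writable. A sturdier design has the producer emit rule arguments that this script passes to `$BIN`, instead of a script to execute. Separately, `create_chain_jump filter "$LIBRESWAN_INPUT" "insert_rule"` names a base chain that cleanup_libreswan_rules calls `input_rule`; this looks like a typo that would leave `libreswan_input` unhooked.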
@@ -1,25 +0,0 @@ -config setup - # needed when using PSK only. Not needed for X.509 based servers - uniqueids=no - virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v4:!100.64.0.0/24 - -conn ikev1 - authby=secret - pfs=no - auto=add - rekey=no - left=%defaultroute - right=%any - ikev2=never - type=transport - leftprotoport=17/1701 - rightprotoport=17/%any - dpddelay=15 - dpdtimeout=30 - dpdaction=clear - -conn ikev1-nat - also=ikev1 - rightsubnet=vhost:%priv - -# include /etc/ipsec.d/*.conf diff --git a/net/libreswan/files/ipsec.init b/net/libreswan/files/ipsec.init deleted file mode 100755 index f33d41292..000000000 --- a/net/libreswan/files/ipsec.init +++ /dev/null @@ -1,36 +0,0 @@ -#!/bin/sh /etc/rc.common - -START=90 -STOP=10 - -USE_PROCD=1 -PROG="/usr/libexec/ipsec/pluto" -IPSEC_SECRETS=/etc/ipsec.secrets -IPSEC_CONF=/etc/ipsec.conf -IPSEC_BIN=/usr/sbin/ipsec - -checkconfig() { - ${IPSEC_BIN} addconn --checkconfig || return 1 - mkdir -p /var/run/pluto -} - -start_service() { - checkconfig || return 1 - - ipsec _stackmanager start - # Enable nflog if configured - ipsec --checknflog > /dev/null - - procd_open_instance - procd_set_param command $PROG --config ${IPSEC_CONF} --nofork --secretsfile ${IPSEC_SECRETS} - procd_set_param respawn - procd_close_instance -} - -stop_service() { - ipsec whack --shutdown - ipsec _stackmanager stop - ipsec --stopnflog > /dev/null - -} - diff --git a/net/libreswan/files/ipsec.secrets b/net/libreswan/files/ipsec.secrets deleted file mode 100644 index 5ef87b09c..000000000 --- a/net/libreswan/files/ipsec.secrets +++ /dev/null 
@@ -1,10 +0,0 @@ -# Unlike older openswan, this file does NOT contain any X.509 related -# information such as private key :RSA statements as these now reside -# in the NSS database. See: -# -# https://libreswan.org/wiki/Using_NSS_with_libreswan -# https://libreswan.org/wiki/Migrating_from_Openswan - -# A.B.C.D %any : PSK "SsEeCcRrEeTt" -: PSK "SsEeCcRrEeTt" -# include /etc/ipsec.d/*.secrets diff --git a/net/libreswan/files/usr/libexec/ipsec/_updown.xfrm b/net/libreswan/files/usr/libexec/ipsec/_updown.xfrm new file mode 100644 index 000000000..58b51ba28 --- /dev/null +++ b/net/libreswan/files/usr/libexec/ipsec/_updown.xfrm @@ -0,0 +1,3 @@ +#!/bin/sh + +/sbin/hotplug-call libreswan diff --git a/net/libreswan/files/usr/libexec/rpcd/libreswan b/net/libreswan/files/usr/libexec/rpcd/libreswan new file mode 100644 index 000000000..cf251f0c6 --- /dev/null +++ b/net/libreswan/files/usr/libexec/rpcd/libreswan 
@@ -0,0 +1,183 @@ +#!/bin/sh + +. /lib/functions.sh +. /usr/share/libubox/jshn.sh + +RPC_SCRIPTS=/usr/libexec/libreswan/rpc + +[ -d $RPC_SCRIPTS ] && include $RPC_SCRIPTS + +IPSEC_TRAFFIC_STATES="/tmp/ipsec_traffic.$$" +IPSEC_TUNNEL_STATUS="/tmp/ipsec_status.$$" + +__function__() { + type "$1" > /dev/null 2>&1 +} + +foreach_extra() { + local file obj + + [ ! -d $RPC_SCRIPTS ] && return + + for file in $RPC_SCRIPTS/*; do + obj="${file##*/}" + $1 "${obj%%.*}" + done +} + +get_index() { + [ $# -lt 2 ] && return 1 + + local var=$1 + local str=$2 + local ele + local i=1 + + eval "val=\"\${$var}\"" + + for ele in ${val}; do + if [[ "$ele" = "$str" ]]; then + echo "$i" + return 0 + fi + i="$((i+1))" + done + + return 1 +} + +phase1_established() { + grep -q "\"${1%/*}\/.*(IKE SA established)\|\"${1%/*}\/.*(established IKE SA)" "$IPSEC_TUNNEL_STATUS" +} + +phase2_established() { + grep -q "\"$1\".*(IPsec SA established)\|\"$1\".*(established Child SA)" "$IPSEC_TUNNEL_STATUS" +} + +add_tunnel_object() { + local id="$1" + local leftsubnets rightsubnets right ctime active_right + local phase1=0 phase2=0 add_time inBytes outBytes + + config_get right "$id" right + config_get leftsubnets "$id" leftsubnets + config_get rightsubnets "$id" rightsubnets + + if [ -z "$right" ] || [ "$right" = "%any" ] || [ "$right" == "0.0.0.0" ]; then + active_right=$(awk -F'[: ]' '{ if ( $4 ~ "'"$id/"'") {print $5; exit 0};}' "$IPSEC_TUNNEL_STATUS") + fi + + for lsubnet in $leftsubnets; do + lidx=$(get_index leftsubnets $lsubnet) + for rsubnet in $rightsubnets; do + ridx=$(get_index rightsubnets $rsubnet) + tid="${id}/${lidx}x${ridx}" + + eval $(awk -F, '{if ($1 ~ "'"$tid"'" ) {printf("%s %s %s", $3, $4, $5)};}' "$IPSEC_TRAFFIC_STATES") + json_add_object tunnels + json_add_string name "$id" + json_add_string right "$right${active_right:+ (${active_right})}" + json_add_string leftsubnet "$lsubnet" + json_add_string rightsubnet "$rsubnet" + json_add_int tx "$outBytes" + json_add_int rx "$inBytes" + 
+ phase1_established "$tid" && phase1=1 + phase2_established "$tid" && phase2=1 + + json_add_boolean phase1 "$phase1" + json_add_boolean phase2 "$phase2" + + if [ "$phase1" = "1" ] && [ "$phase2" = "1" ]; then + ctime="$(date +%s)" + json_add_boolean connected 1 + json_add_int uptime "$((ctime - add_time))" + else + json_add_boolean connected 0 + json_add_int uptime 0 + fi + + json_close_object + done + done +} + +generate_libreswan_states() { + ipsec trafficstatus > "$IPSEC_TRAFFIC_STATES" + ipsec status > "$IPSEC_TUNNEL_STATUS" +} + +clean_libreswan_states() { + return + rm -f "$IPSEC_TRAFFIC_STATES" "$IPSEC_TUNNEL_STATUS" +} + +libreswan_status() { + config_load libreswan + + generate_libreswan_states + + json_init + json_add_array tunnels + config_foreach add_tunnel_object tunnel + json_close_array + json_dump + + clean_libreswan_states +} + +call_extra() { + if __function__ "$1"; then + $1 + else + json_init + json_add_string error "invalid call $1" + json_dump + fi +} + +call_method() { + case "$1" in + status) + libreswan_status + ;; + *) + call_extra $1 + ;; + esac +} + +list_extra() { + if __function__ "${1}_help"; then + ${1}_help + else + json_add_object "$1" + json_close_object + fi +} + +list_methods() { + local file + + json_init + + json_add_object status + json_close_object + + foreach_extra list_extra ${1} + + json_dump +} + +main () { + case "$1" in + list) + list_methods + ;; + call) + call_method $2 + ;; + esac +} + +main "$@" diff --git a/net/libreswan/files/usr/share/nftables.d/chain-pre/forward/001-libreswan.nft b/net/libreswan/files/usr/share/nftables.d/chain-pre/forward/001-libreswan.nft new file mode 100644 index 000000000..7861a913d --- /dev/null +++ b/net/libreswan/files/usr/share/nftables.d/chain-pre/forward/001-libreswan.nft @@ -0,0 +1 @@ +jump libreswan_forward 
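Review bot: clean_libreswan_states returns on its first line, so the `rm -f` below it never runs and every `status` call leaves two files behind in `/tmp`, at predictable names (`/tmp/ipsec_traffic.$$`, `/tmp/ipsec_status.$$`) that are opened with a plain `>` redirect. Dropping the stray `return` and creating the files with `mktemp` would address both. In add_tunnel_object, the `eval $(awk ...)` call executes comma-separated fields of `ipsec trafficstatus` output as shell, with `$tid` used as an unanchored regex. If any of those fields can carry text other than a plain `name=number` pair, that text is run as a command, so it is safer to pick out `add_time`, `inBytes` and `outBytes` by name and assign them without `eval`. `__function__` relies on `type`, which also succeeds for builtins and executables on PATH, so call_extra will run any such name it is handed rather than only functions loaded from `$RPC_SCRIPTS`.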
diff --git a/net/libreswan/files/usr/share/nftables.d/chain-pre/input/001-libreswan.nft b/net/libreswan/files/usr/share/nftables.d/chain-pre/input/001-libreswan.nft new file mode 100644 index 000000000..665930953 --- /dev/null +++ b/net/libreswan/files/usr/share/nftables.d/chain-pre/input/001-libreswan.nft @@ -0,0 +1,2 @@ +jump libreswan_nflog_input +jump libreswan_input diff --git a/net/libreswan/files/usr/share/nftables.d/chain-pre/output/001-libreswan.nft b/net/libreswan/files/usr/share/nftables.d/chain-pre/output/001-libreswan.nft new file mode 100644 index 000000000..825666ade --- /dev/null +++ b/net/libreswan/files/usr/share/nftables.d/chain-pre/output/001-libreswan.nft @@ -0,0 +1,2 @@ +jump libreswan_nflog_output +jump libreswan_output diff --git a/net/libreswan/files/usr/share/nftables.d/chain-pre/srcnat/001-libreswan.nft b/net/libreswan/files/usr/share/nftables.d/chain-pre/srcnat/001-libreswan.nft new file mode 100644 index 000000000..4c9fbecf5 --- /dev/null +++ b/net/libreswan/files/usr/share/nftables.d/chain-pre/srcnat/001-libreswan.nft @@ -0,0 +1 @@ +jump libreswan_srcnat diff --git a/net/libreswan/files/usr/share/nftables.d/table-post/001-libreswan.nft b/net/libreswan/files/usr/share/nftables.d/table-post/001-libreswan.nft new file mode 100644 index 000000000..0e00ea0b0 --- /dev/null +++ b/net/libreswan/files/usr/share/nftables.d/table-post/001-libreswan.nft @@ -0,0 +1,6 @@ +chain libreswan_input {} +chain libreswan_nflog_input {} +chain libreswan_forward {} +chain libreswan_output {} +chain libreswan_nflog_output {} +chain libreswan_srcnat {} From f3d25a747288dee52c0ca103f88882f220591e29 Mon Sep 17 00:00:00 2001 
From: Jeffery To Date: Fri, 27 Oct 2023 14:10:59 +0800 Subject: [PATCH 19/40] unixodbc: Remove custom unixodbc_conf.h As unixodbc_conf.h is now generated by configure instead of odbc_config[1], it is not necessary to use a custom copy of the header file anymore. [1]: https://github.com/lurcher/unixODBC/commit/be3341cdc61623a533d3a17529cc65b101bfa8a0 Signed-off-by: Jeffery To --- libs/unixodbc/Makefile | 5 ++- libs/unixodbc/files/unixodbc_conf.h | 22 ------------ .../100-cross-compile-odbc-config.patch | 36 ------------------- 3 files changed, 2 insertions(+), 61 deletions(-) delete mode 100644 libs/unixodbc/files/unixodbc_conf.h delete mode 100644 libs/unixodbc/patches/100-cross-compile-odbc-config.patch diff --git a/libs/unixodbc/Makefile b/libs/unixodbc/Makefile index f2600432f..bdc52e713 100644 --- a/libs/unixodbc/Makefile +++ b/libs/unixodbc/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unixodbc PKG_VERSION:=2.3.9 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=unixODBC-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.unixodbc.org @@ -107,7 +107,6 @@ define Build/InstallDev $(INSTALL_DIR) $(1)/etc $(CP) $(PKG_INSTALL_DIR)/etc/odbc* $(1)/etc/ $(INSTALL_DIR) $(1)/etc/ODBCDataSources - $(TARGET_CC) $(TARGET_CFLAGS) -E ./files/unixodbc_conf.h | tr '@' '\#' >$(1)/usr/include/unixodbc_conf.h endef define Package/unixodbc/install @@ -145,7 +144,7 @@ define Host/Compile $(MAKE) -C $(HOST_BUILD_DIR)/exe \ DESTDIR="$(HOST_INSTALL_DIR)" \ CC="$(HOSTCC)" \ - CFLAGS="$(HOST_CFLAGS) -DUSE_UNIXODBC_CONF_H" \ + CFLAGS="$(HOST_CFLAGS) \ LDFLAGS="$(HOST_LDFLAGS)" \ odbc_config endef diff --git a/libs/unixodbc/files/unixodbc_conf.h b/libs/unixodbc/files/unixodbc_conf.h deleted file mode 100644 index f149d02b1..000000000 --- a/libs/unixodbc/files/unixodbc_conf.h +++ /dev/null 
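Review bot: The replacement line `CFLAGS="$(HOST_CFLAGS) \` in the Host/Compile hunk drops the closing double quote along with `-DUSE_UNIXODBC_CONF_H`, so the quoted string runs on into the `LDFLAGS=` line and the recipe ends up with an odd number of quotes. It should read `CFLAGS="$(HOST_CFLAGS)" \`. Patch 22/40 later replaces this recipe with `Host/Compile/Default`, which hides the problem at the tip of the series, but this commit on its own most likely fails the host build and so hurts bisecting.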
@@ -1,22 +0,0 @@ -@ifndef HAVE_UNISTD_H - @define HAVE_UNISTD_H -@endif -@ifndef HAVE_PWD_H - @define HAVE_PWD_H -@endif -@ifndef HAVE_SYS_TYPES_H - @define HAVE_SYS_TYPES_H -@endif -@ifndef HAVE_LONG_LONG - @define HAVE_LONG_LONG -@endif -@ifndef ODBCINT64 - @define ODBCINT64 long -@endif -@ifndef UODBCINT64 - @define UODBCINT64 unsigned long -@endif -@ifndef SIZEOF_LONG_INT - @define SIZEOF_LONG_INT __SIZEOF_LONG__ -@endif - \ No newline at end of file diff --git a/libs/unixodbc/patches/100-cross-compile-odbc-config.patch b/libs/unixodbc/patches/100-cross-compile-odbc-config.patch deleted file mode 100644 index 4b952ae18..000000000 --- a/libs/unixodbc/patches/100-cross-compile-odbc-config.patch +++ /dev/null @@ -1,36 +0,0 @@ ---- a/exe/odbc-config.c -+++ b/exe/odbc-config.c -@@ -40,6 +40,33 @@ - #include - #endif - -+#ifdef USE_UNIXODBC_CONF_H -+ -+#ifdef HAVE_UNISTD_H -+#undef HAVE_UNISTD_H -+#endif -+#ifdef HAVE_PWD_H -+#undef HAVE_PWD_H -+#endif -+#ifdef HAVE_SYS_TYPES_H -+#undef HAVE_SYS_TYPES_H -+#endif -+#ifdef HAVE_LONG_LONG -+#undef HAVE_LONG_LONG -+#endif -+#ifdef ODBCINT64 -+#undef ODBCINT64 -+#endif -+#ifdef UODBCINT64 -+#undef UODBCINT64 -+#endif -+#ifdef SIZEOF_LONG_INT -+#undef SIZEOF_LONG_INT -+#endif -+ -+#include -+#endif -+ - #include - - static void usage( void ) From 61de50de5f787b08e06de9425ec409c8fd1ffcbf Mon Sep 17 00:00:00 2001 From: Jeffery To Date: Fri, 27 Oct 2023 14:18:54 +0800 Subject: [PATCH 20/40] unixodbc: Change host build directories to be target-specific Since the host odbc_config returns target-specific information, it should be built and placed into target-specific locations. This changes HOST_BUILD_DIR to be in $(BUILD_DIR)/host, and installs odbc_config inside $(STAGING_DIR)/host. Signed-off-by: Jeffery To --- libs/unixodbc/Makefile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libs/unixodbc/Makefile b/libs/unixodbc/Makefile index bdc52e713..c99b8e4f6 100644 --- a/libs/unixodbc/Makefile 
+++ b/libs/unixodbc/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unixodbc PKG_VERSION:=2.3.9 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE:=unixODBC-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.unixodbc.org @@ -20,7 +20,7 @@ PKG_LICENSE:=prog GPL libs LGPL PKG_CPE_ID:=cpe:/a:unixodbc:unixodbc PKG_BUILD_DIR:=$(BUILD_DIR)/unixODBC-$(PKG_VERSION) -HOST_BUILD_DIR:=$(BUILD_DIR_HOST)/unixODBC-$(PKG_VERSION) +HOST_BUILD_DIR:=$(BUILD_DIR)/host/unixODBC-$(PKG_VERSION) HOST_BUILD_DEPENDS:=unixodbc PKG_FIXUP:=autoreconf @@ -150,8 +150,8 @@ define Host/Compile endef define Host/Install - $(INSTALL_DIR) $(STAGING_DIR_HOST)/bin - $(INSTALL_BIN) $(HOST_BUILD_DIR)/exe/odbc_config $(STAGING_DIR_HOST)/bin + $(INSTALL_DIR) $(STAGING_DIR)/host/bin + $(INSTALL_BIN) $(HOST_BUILD_DIR)/exe/odbc_config $(STAGING_DIR)/host/bin/ endef $(eval $(call BuildPackage,unixodbc)) From ec2ca90dc10c883200089b52ac5b5cef9a2256d9 Mon Sep 17 00:00:00 2001 From: Jeffery To Date: Fri, 27 Oct 2023 16:18:36 +0800 Subject: [PATCH 21/40] unixodbc: Use InstallDev directory to transfer include files This uses the default InstallDev directory instead of a "tmp" directory to transfer include files from the target package to host build. Using a "tmp" directory implies that the files inside are safe to delete, but without these include files the host build will not succeed. Signed-off-by: Jeffery To --- libs/unixodbc/Makefile | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libs/unixodbc/Makefile b/libs/unixodbc/Makefile index c99b8e4f6..cd006066d 100644 --- a/libs/unixodbc/Makefile +++ b/libs/unixodbc/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unixodbc PKG_VERSION:=2.3.9 -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_SOURCE:=unixODBC-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.unixodbc.org 
@@ -99,9 +99,9 @@ define Build/InstallDev $(CP) $(PKG_INSTALL_DIR)/$(STAGING_DIR)/usr/include/*.h $(1)/usr/include/ # Save autoconf config.h file for host build # copy target autoconf config.h and unixodbc_conf.h file for host build - $(INSTALL_DIR) $(1)/tmp/unixodbc - $(CP) $(PKG_BUILD_DIR)/config.h $(1)/tmp/unixodbc/ - $(CP) $(PKG_BUILD_DIR)/unixodbc_conf.h $(1)/tmp/unixodbc/ + $(INSTALL_DIR) $(1)/usr/include/unixodbc + $(CP) $(PKG_BUILD_DIR)/config.h $(1)/usr/include/unixodbc/ + $(CP) $(PKG_BUILD_DIR)/unixodbc_conf.h $(1)/usr/include/unixodbc/ $(INSTALL_DIR) $(1)/usr/lib $(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/ $(INSTALL_DIR) $(1)/etc @@ -135,9 +135,9 @@ endef define Host/Configure $(call Host/Configure/Default) - cp $(STAGING_DIR)/tmp/unixodbc/config.h $(HOST_BUILD_DIR) + cp $(STAGING_DIR)/usr/include/unixodbc/config.h $(HOST_BUILD_DIR) sed -i -e 's!\(LIB_PREFIX \).*$$$$!\1"$(STAGING_DIR)/usr/lib"!' $(HOST_BUILD_DIR)/config.h - cp $(STAGING_DIR)/tmp/unixodbc/unixodbc_conf.h $(HOST_BUILD_DIR) + cp $(STAGING_DIR)/usr/include/unixodbc/unixodbc_conf.h $(HOST_BUILD_DIR) endef define Host/Compile From b0699060c91345fdb964a4acbb6e26e77b8046cb Mon Sep 17 00:00:00 2001 From: Jeffery To Date: Fri, 27 Oct 2023 17:01:10 +0800 Subject: [PATCH 22/40] unixodbc: Use default build recipes Signed-off-by: Jeffery To --- libs/unixodbc/Makefile | 21 ++------------------- 1 file changed, 2 insertions(+), 19 deletions(-) diff --git a/libs/unixodbc/Makefile b/libs/unixodbc/Makefile index cd006066d..c3c17b703 100644 --- a/libs/unixodbc/Makefile +++ b/libs/unixodbc/Makefile @@ -24,6 +24,7 @@ HOST_BUILD_DIR:=$(BUILD_DIR)/host/unixODBC-$(PKG_VERSION) HOST_BUILD_DEPENDS:=unixodbc PKG_FIXUP:=autoreconf +PKG_INSTALL:=1 # if your other package depends on unixodbc and needs # odbc_config, add to your other Makefile 
@@ -81,19 +82,6 @@ define Package/pgsqlodbc/description Postgresql driver for ODBC. endef -define Build/Compile - $(MAKE) -C $(PKG_BUILD_DIR) \ - DESTDIR="$(PKG_INSTALL_DIR)" \ - $(MAKE_FLAGS) \ - ARCH="$(ARCH)" \ - CC="$(TARGET_CC)" - $(MAKE) -C $(PKG_BUILD_DIR) \ - DESTDIR="$(PKG_INSTALL_DIR)" \ - $(MAKE_FLAGS) \ - ARCH="$(ARCH)" \ - install -i -endef - define Build/InstallDev $(INSTALL_DIR) $(1)/usr/include $(CP) $(PKG_INSTALL_DIR)/$(STAGING_DIR)/usr/include/*.h $(1)/usr/include/ @@ -141,12 +129,7 @@ define Host/Configure endef define Host/Compile - $(MAKE) -C $(HOST_BUILD_DIR)/exe \ - DESTDIR="$(HOST_INSTALL_DIR)" \ - CC="$(HOSTCC)" \ - CFLAGS="$(HOST_CFLAGS) \ - LDFLAGS="$(HOST_LDFLAGS)" \ - odbc_config + $(call Host/Compile/Default,-C $(HOST_BUILD_DIR)/exe odbc_config) endef define Host/Install From 3ab793f09e73e654265a3a6a49bcebef85926690 Mon Sep 17 00:00:00 2001 From: Jeffery To Date: Fri, 27 Oct 2023 17:51:58 +0800 Subject: [PATCH 23/40] unixodbc: Use default includedir for target configure Replace INCLUDE_PREFIX in config.h for host odbc_config instead of specifying includedir to target configure. This also updates the prefixes in unixodbc_conf.h to keep config.h and unixodbc_conf.h in sync. Signed-off-by: Jeffery To --- libs/unixodbc/Makefile | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/libs/unixodbc/Makefile b/libs/unixodbc/Makefile index c3c17b703..4dc5b553b 100644 --- a/libs/unixodbc/Makefile +++ b/libs/unixodbc/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unixodbc PKG_VERSION:=2.3.9 -PKG_RELEASE:=5 +PKG_RELEASE:=6 PKG_SOURCE:=unixODBC-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.unixodbc.org @@ -36,8 +36,7 @@ include $(INCLUDE_DIR)/host-build.mk CONFIGURE_ARGS += \ --disable-gui \ --with-pic \ - --enable-drivers \ - --includedir=$(STAGING_DIR)/usr/include + --enable-drivers define Package/unixodbc/Default SUBMENU:=Database 
@@ -84,7 +83,7 @@ endef define Build/InstallDev $(INSTALL_DIR) $(1)/usr/include - $(CP) $(PKG_INSTALL_DIR)/$(STAGING_DIR)/usr/include/*.h $(1)/usr/include/ + $(CP) $(PKG_INSTALL_DIR)/usr/include/*.h $(1)/usr/include/ # Save autoconf config.h file for host build # copy target autoconf config.h and unixodbc_conf.h file for host build $(INSTALL_DIR) $(1)/usr/include/unixodbc @@ -123,9 +122,12 @@ endef define Host/Configure $(call Host/Configure/Default) - cp $(STAGING_DIR)/usr/include/unixodbc/config.h $(HOST_BUILD_DIR) - sed -i -e 's!\(LIB_PREFIX \).*$$$$!\1"$(STAGING_DIR)/usr/lib"!' $(HOST_BUILD_DIR)/config.h - cp $(STAGING_DIR)/usr/include/unixodbc/unixodbc_conf.h $(HOST_BUILD_DIR) + $(CP) $(STAGING_DIR)/usr/include/unixodbc/config.h $(HOST_BUILD_DIR) + $(CP) $(STAGING_DIR)/usr/include/unixodbc/unixodbc_conf.h $(HOST_BUILD_DIR) + $(SED) 's!^#define INCLUDE_PREFIX ".*"!#define INCLUDE_PREFIX "$(STAGING_DIR)/usr/include"!' \ + -e 's!^#define LIB_PREFIX ".*"!#define LIB_PREFIX "$(STAGING_DIR)/usr/lib"!' \ + $(HOST_BUILD_DIR)/config.h \ + $(HOST_BUILD_DIR)/unixodbc_conf.h endef define Host/Compile From 80aeb31082823fbd9c84791d3dc35570a659cebe Mon Sep 17 00:00:00 2001 From: Jeffery To Date: Fri, 27 Oct 2023 21:09:53 +0800 Subject: [PATCH 24/40] unixodbc: Copy pgsqlodbc.ini instead of creating it dynamically Signed-off-by: Jeffery To --- libs/unixodbc/Makefile | 4 +--- libs/unixodbc/files/pgsqlodbc.ini | 3 +++ 2 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 libs/unixodbc/files/pgsqlodbc.ini diff --git a/libs/unixodbc/Makefile b/libs/unixodbc/Makefile index 4dc5b553b..52ff9959b 100644 --- a/libs/unixodbc/Makefile +++ b/libs/unixodbc/Makefile 
@@ -115,9 +115,7 @@ define Package/pgsqlodbc/install $(INSTALL_DIR) $(1)/usr/lib $(CP) $(PKG_INSTALL_DIR)/usr/lib/libodbcpsql*so* $(1)/usr/lib/ $(INSTALL_DIR) $(1)/etc/odbcinst.ini.d/ - echo "[PostgreSQL]" > $(1)/etc/odbcinst.ini.d/pgsqlodbc.ini - echo "Description = unixODBC PostgreSQL driver" >> $(1)/etc/odbcinst.ini.d/pgsqlodbc.ini - echo "Driver = /usr/lib/libodbcpsql.so" >> $(1)/etc/odbcinst.ini.d/pgsqlodbc.ini + $(INSTALL_DATA) ./files/pgsqlodbc.ini $(1)/etc/odbcinst.ini.d/ endef define Host/Configure diff --git a/libs/unixodbc/files/pgsqlodbc.ini b/libs/unixodbc/files/pgsqlodbc.ini new file mode 100644 index 000000000..54a64bcfa --- /dev/null +++ b/libs/unixodbc/files/pgsqlodbc.ini @@ -0,0 +1,3 @@ +[PostgreSQL] +Description = unixODBC PostgreSQL driver +Driver = /usr/lib/libodbcpsql.so From 9563c6f018c12805628c3c774b1f531ee66eb7cd Mon Sep 17 00:00:00 2001 From: Jeffery To Date: Fri, 27 Oct 2023 21:03:23 +0800 Subject: [PATCH 25/40] unixodbc: Split libraries package into separate packages This splits the unixodbc package into separate packages (libodbc, libodbccr, libodbcinst). This also keeps the unixodbc package for backwards compatibility. The Internet News Server driver (libnn) is omitted as the driver README describes it as "in mid-hack"[1] and it is doubtful if there is any real-world use for it. This also updates the package license information and URL, and sets PKG_BUILD_PARALLEL and HOST_BUILD_PARALLEL. [1]: https://github.com/lurcher/unixODBC/blob/9b31cd228d01e768a7ad9126d5da8860f1ed72a9/Drivers/nn/README#L17-L19 Signed-off-by: Jeffery To --- libs/unixodbc/Makefile | 118 +++++++++++++++++++++++++++++++++-------- 1 file changed, 97 insertions(+), 21 deletions(-) diff --git a/libs/unixodbc/Makefile b/libs/unixodbc/Makefile index 52ff9959b..87e94f639 100644 --- a/libs/unixodbc/Makefile +++ b/libs/unixodbc/Makefile 
@@ -9,23 +9,27 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unixodbc PKG_VERSION:=2.3.9 -PKG_RELEASE:=6 +PKG_RELEASE:=7 PKG_SOURCE:=unixODBC-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.unixodbc.org PKG_HASH:=52833eac3d681c8b0c9a5a65f2ebd745b3a964f208fc748f977e44015a31b207 PKG_MAINTAINER:=Thomas Heil -PKG_LICENSE:=prog GPL libs LGPL +PKG_LICENSE:=LGPL-2.1-or-later GPL-2.0-or-later +PKG_LICENSE_FILES:=COPYING exe/COPYING PKG_CPE_ID:=cpe:/a:unixodbc:unixodbc PKG_BUILD_DIR:=$(BUILD_DIR)/unixODBC-$(PKG_VERSION) HOST_BUILD_DIR:=$(BUILD_DIR)/host/unixODBC-$(PKG_VERSION) -HOST_BUILD_DEPENDS:=unixodbc +PKG_BUILD_PARALLEL:=1 PKG_FIXUP:=autoreconf PKG_INSTALL:=1 +HOST_BUILD_DEPENDS:=unixodbc +HOST_BUILD_PARALLEL:=1 + # if your other package depends on unixodbc and needs # odbc_config, add to your other Makefile # PKG_BUILD_DEPENDS:=unixodbc/host 
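Review bot: `PKG_SOURCE_URL:=http://www.unixodbc.org` stays on plain HTTP in this hunk while the same commit moves the package `URL` to `https://www.unixodbc.org`. PKG_HASH still pins the tarball contents, so this is defence in depth rather than a defect. Assuming the tarball is served from the HTTPS origin as well, `PKG_SOURCE_URL:=https://www.unixodbc.org` would keep the two consistent and stop the source fetch from depending on the hash alone.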
@@ -41,44 +45,103 @@ CONFIGURE_ARGS += \ define Package/unixodbc/Default SUBMENU:=Database TITLE:=unixODBC - URL:=http://www.unixodbc.org + URL:=https://www.unixodbc.org endef -define Package/unixodbc - $(call Package/unixodbc/Default) - TITLE+= (libraries) +define Package/unixodbc/Default/description +unixODBC is an Open Source ODBC sub-system and an ODBC SDK for Linux, +Mac OSX, and UNIX. +endef + +define Package/libodbc +$(call Package/unixodbc/Default) + TITLE+= Driver Manager library SECTION:=libs CATEGORY:=Libraries DEPENDS:=+libltdl +libpthread + ABI_VERSION:=2 +endef + +define Package/libodbc/description +$(call Package/unixodbc/Default/description) + +This package provides the unixODBC Driver Manager library. +endef + +define Package/libodbccr +$(call Package/unixodbc/Default) + TITLE+= Cursor library + SECTION:=libs + CATEGORY:=Libraries + DEPENDS:=+libodbc +libltdl +libpthread + ABI_VERSION:=2 +endef + +define Package/libodbccr/description +$(call Package/unixodbc/Default/description) + +This package provides the unixODBC Cursor library. +endef + +define Package/libodbcinst +$(call Package/unixodbc/Default) + TITLE+= Configuration library + SECTION:=libs + CATEGORY:=Libraries + DEPENDS:=+libltdl +libpthread + ABI_VERSION:=2 +endef + +define Package/libodbcinst/description +$(call Package/unixodbc/Default/description) + +This package provides the unixODBC Configuration library. +endef + +define Package/unixodbc +$(call Package/unixodbc/Default) + TITLE+= (libraries) + SECTION:=libs + CATEGORY:=Libraries + DEPENDS:=+libodbc +libodbccr +libodbcinst endef define Package/unixodbc/description - unixODBC is an Open Source ODBC sub-system and an ODBC SDK for Linux, - Mac OSX, and UNIX. +$(call Package/unixodbc/Default/description) + +This package installs the unixODBC Driver Manager, Cursor, and +Configuration libraries. This package is provided for backwards +compatibility; these libraries are available in separate packages. 
endef define Package/unixodbc-tools - $(call Package/unixodbc/Default) +$(call Package/unixodbc/Default) SECTION:=utils CATEGORY:=Utilities TITLE+= Tools - DEPENDS:=+unixodbc +libncurses +libreadline + DEPENDS:=+libodbc +libodbcinst +libltdl +libreadline endef define Package/unixodbc-tools/description - Command Line Tools to help install a driver and work with SQL. +$(call Package/unixodbc/Default/description) + +This package provides command-line tools to help install a driver and +work with SQL. endef define Package/pgsqlodbc - $(call Package/unixodbc/Default) +$(call Package/unixodbc/Default) SECTION:=libs CATEGORY:=Libraries - TITLE:=Postgresql driver for ODBC - DEPENDS:=+unixodbc +libpq + TITLE:=PostgreSQL driver for ODBC + DEPENDS:=+libodbc +libpq +libltdl +libpthread + ABI_VERSION:=2 endef define Package/pgsqlodbc/description - Postgresql driver for ODBC. +$(call Package/unixodbc/Default/description) + +This package provides the PostgreSQL driver for ODBC. endef define Build/InstallDev 
@@ -96,16 +159,26 @@ define Build/InstallDev $(INSTALL_DIR) $(1)/etc/ODBCDataSources endef -define Package/unixodbc/install +define Package/libodbc/install $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libodbc[ci]*so* $(1)/usr/lib/ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libodbc.*so* $(1)/usr/lib/ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnn*so* $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libodbc.so* $(1)/usr/lib/ $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/odbc.init $(1)/etc/init.d/odbc $(LN) /tmp/etc/odbcinst.ini $(1)/etc/odbcinst.ini endef +define Package/libodbccr/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libodbccr.so* $(1)/usr/lib/ +endef + +define Package/libodbcinst/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libodbcinst.so* $(1)/usr/lib/ +endef + +Package/unixodbc/install:=: + define Package/unixodbc-tools/install $(INSTALL_DIR) $(1)/usr/bin $(CP) $(PKG_INSTALL_DIR)/usr/bin/{dltest,isql,iusql,odbcinst,slencheck} $(1)/usr/bin/ @@ -113,7 +186,7 @@ endef define Package/pgsqlodbc/install $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libodbcpsql*so* $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libodbcpsql.so* $(1)/usr/lib/ $(INSTALL_DIR) $(1)/etc/odbcinst.ini.d/ $(INSTALL_DATA) ./files/pgsqlodbc.ini $(1)/etc/odbcinst.ini.d/ endef @@ -137,6 +210,9 @@ define Host/Install $(INSTALL_BIN) $(HOST_BUILD_DIR)/exe/odbc_config $(STAGING_DIR)/host/bin/ endef +$(eval $(call BuildPackage,libodbc)) +$(eval $(call BuildPackage,libodbccr)) +$(eval $(call BuildPackage,libodbcinst)) $(eval $(call BuildPackage,unixodbc)) $(eval $(call BuildPackage,unixodbc-tools)) $(eval $(call BuildPackage,pgsqlodbc)) From 14c8d269be0a00d49f8169c9d7198a1a64fd49bf Mon Sep 17 00:00:00 2001 From: Jeffery To Date: Mon, 30 Oct 2023 12:45:16 +0800 Subject: [PATCH 26/40] unixodbc: Update to 2.3.12 This also adds a test.sh script for the packages feed CI. 
Signed-off-by: Jeffery To --- libs/unixodbc/Makefile | 7 ++++--- libs/unixodbc/test.sh | 5 +++++ 2 files changed, 9 insertions(+), 3 deletions(-) create mode 100644 libs/unixodbc/test.sh diff --git a/libs/unixodbc/Makefile b/libs/unixodbc/Makefile index 87e94f639..c45b69183 100644 --- a/libs/unixodbc/Makefile +++ b/libs/unixodbc/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unixodbc -PKG_VERSION:=2.3.9 -PKG_RELEASE:=7 +PKG_VERSION:=2.3.12 +PKG_RELEASE:=1 PKG_SOURCE:=unixODBC-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.unixodbc.org -PKG_HASH:=52833eac3d681c8b0c9a5a65f2ebd745b3a964f208fc748f977e44015a31b207 +PKG_HASH:=f210501445ce21bf607ba51ef8c125e10e22dffdffec377646462df5f01915ec PKG_MAINTAINER:=Thomas Heil PKG_LICENSE:=LGPL-2.1-or-later GPL-2.0-or-later @@ -195,6 +195,7 @@ define Host/Configure $(call Host/Configure/Default) $(CP) $(STAGING_DIR)/usr/include/unixodbc/config.h $(HOST_BUILD_DIR) $(CP) $(STAGING_DIR)/usr/include/unixodbc/unixodbc_conf.h $(HOST_BUILD_DIR) + $(CP) $(STAGING_DIR)/usr/include/unixodbc.h $(HOST_BUILD_DIR) $(SED) 's!^#define INCLUDE_PREFIX ".*"!#define INCLUDE_PREFIX "$(STAGING_DIR)/usr/include"!' \ -e 's!^#define LIB_PREFIX ".*"!#define LIB_PREFIX "$(STAGING_DIR)/usr/lib"!' \ $(HOST_BUILD_DIR)/config.h \ diff --git a/libs/unixodbc/test.sh b/libs/unixodbc/test.sh new file mode 100644 index 000000000..d4c42a404 --- /dev/null +++ b/libs/unixodbc/test.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +[ "$1" = unixodbc-tools ] || exit 0 + +isql --version | grep -Fx "unixODBC $PKG_VERSION" From 9a40592543e7e55e4738e4b85f3dbb3ebd038ec1 Mon Sep 17 00:00:00 2001 From: Fabian Lipken Date: Mon, 30 Oct 2023 18:52:11 +0100 Subject: [PATCH 27/40] restic: update to 0.16.2 Signed-off-by: Fabian Lipken --- utils/restic/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utils/restic/Makefile b/utils/restic/Makefile index d94a36c50..89963c085 100644 --- a/utils/restic/Makefile +++ b/utils/restic/Makefile 
@@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=restic -PKG_VERSION:=0.16.1 +PKG_VERSION:=0.16.2 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/restic/restic/tar.gz/v${PKG_VERSION}? -PKG_HASH:=31339090e3e8a044d014b9341c025cf59bf7bc133ae267bc5acdea5ac07837a9 +PKG_HASH:=88165b5b89b6064df37a9964d660f40ac62db51d6536e459db9aaea6f2b2fc11 PKG_LICENSE:=BSD-2-Clause PKG_LICENSE_FILES:=LICENSE From bd21652b79175de0ec017761ff1e259a562104e9 Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Sat, 28 Oct 2023 18:48:16 +0200 Subject: [PATCH 28/40] aircrack-ng: fix wrong inclusion of libbsd if detected Currently aircrack-ng try to link with libbsd if it does detect the library in staging_dir. This is the case with buildbot where every package is selected and compiled. Fix this by adding a pending patch that permits to disable libbsd inclusion even if detected and set the related config flag. aircrack-ng use 2 function of libbsd and it's not worth to include the entire library for 2 simple function for string manipulation. Also add an additional patch that permits to use musl or glibc version of these string functions. Signed-off-by: Christian Marangi --- net/aircrack-ng/Makefile | 1 + ...ion-to-disable-bsd-library-inclusion.patch | 58 +++++++++++++++++++ ...rlcat-strlcpy-from-musl-or-recent-gl.patch | 30 ++++++++++ 3 files changed, 89 insertions(+) create mode 100644 net/aircrack-ng/patches/104-build-add-option-to-disable-bsd-library-inclusion.patch create mode 100644 net/aircrack-ng/patches/105-build-support-strlcat-strlcpy-from-musl-or-recent-gl.patch diff --git a/net/aircrack-ng/Makefile b/net/aircrack-ng/Makefile index 70a13a0d4..ae5d9d66f 100644 --- a/net/aircrack-ng/Makefile +++ b/net/aircrack-ng/Makefile @@ -83,6 +83,7 @@ CONFIGURE_ARGS += \ --with-libpcap-include=$(STAGING_DIR)/usr/include \ --with-libpcap-lib=$(STAGING_DIR)/usr/lib \ --without-opt \ + --with-libbsd=no \ \ PYTHON=$(PYTHON) \ \ 
diff --git a/net/aircrack-ng/patches/104-build-add-option-to-disable-bsd-library-inclusion.patch b/net/aircrack-ng/patches/104-build-add-option-to-disable-bsd-library-inclusion.patch new file mode 100644 index 000000000..e575706cd --- /dev/null +++ b/net/aircrack-ng/patches/104-build-add-option-to-disable-bsd-library-inclusion.patch 
@@ -0,0 +1,58 @@ +From 0265e79f3c9a27a3ffd186e7d3bcd2f744052605 Mon Sep 17 00:00:00 2001 +From: Christian Marangi +Date: Sat, 28 Oct 2023 17:30:09 +0200 +Subject: [PATCH] build: add option to disable bsd library inclusion + +It might be needed to disable bsd inclusion and fallback to the compat +functions even if bsd headers are detected. + +This is the case when multiple library are cross-compiled and someone +wants to explicitly compile aircrack-ng without linking to bsd library. + +With the current implementation, if a bsd header is detected, the bsd +library is always linked even if unwanted. Add option to configure this +with the combo --with-libbsd=yes|no|auto with auto set by default. + +Also add an extra featurw with introducing the possibility of requiring +the bsd library and fail the configure phase. + +Signed-off-by: Christian Marangi +--- + build/m4/aircrack_ng_compat.m4 | 24 +++++++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +--- a/build/m4/aircrack_ng_compat.m4 ++++ b/build/m4/aircrack_ng_compat.m4 +@@ -38,11 +38,29 @@ dnl If you delete this exception stateme + dnl program, then also delete it here. 
+ + AC_DEFUN([AIRCRACK_NG_COMPAT], [ ++AC_ARG_WITH(libbsd, ++ [AS_HELP_STRING([--with-libbsd[[=auto|yes|no]]], [use BSD library, [default=auto]])]) ++ ++case $with_libbsd in ++ yes | "" | auto) ++ AC_CHECK_HEADERS([bsd/string.h], [HAVE_BSD_STRING_H=yes]) ++ AC_CHECK_LIB([bsd], [strlcpy], [:]) ++ AC_CHECK_FUNCS([strlcpy strlcat], [:]) ++ ;; ++esac + +-AC_CHECK_HEADERS([bsd/string.h], [HAVE_BSD_STRING_H=yes], [HAVE_BSD_STRING_H=no]) + AM_CONDITIONAL([HAVE_BSD_STRING_H], [test "$HAVE_BSD_STRING_H" = yes]) +-AC_CHECK_LIB([bsd], [strlcpy], [ LIBS="$LIBS -lbsd" ], [:]) +-AC_CHECK_FUNCS([strlcpy strlcat], [:]) ++ ++if test $with_libbsd != no ++then ++ if test $ac_cv_lib_bsd_strlcpy = yes ++ then ++ LIBS="$LIBS -lbsd" ++ elif test $with_libbsd = yes ++ then ++ AC_MSG_ERROR([cannot configure required bsd library]) ++ fi ++fi + + have_bsd=no + if test "$cross_compiling" != yes diff --git a/net/aircrack-ng/patches/105-build-support-strlcat-strlcpy-from-musl-or-recent-gl.patch b/net/aircrack-ng/patches/105-build-support-strlcat-strlcpy-from-musl-or-recent-gl.patch new file mode 100644 index 000000000..7eacd43f3 --- /dev/null +++ b/net/aircrack-ng/patches/105-build-support-strlcat-strlcpy-from-musl-or-recent-gl.patch 
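Review bot: The added `if test $with_libbsd != no` leaves `$with_libbsd` unquoted, and that variable is empty when `--with-libbsd` is not passed, which the help string documents as the `auto` default. `test` then receives `!= no` with no left operand and typically fails, so in the default case `-lbsd` is not appended to LIBS even when `AC_CHECK_LIB` found the library. Quoting the operand fixes it: `if test "x$with_libbsd" != xno`. The OpenWrt Makefile in this commit passes `--with-libbsd=no`, so this build does not hit the path, but the patch is described as pending upstream and the default case is the one other users would take.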
@@ -0,0 +1,30 @@ +From 6317063da827732dbc5cc0dd1650ed016bd2927c Mon Sep 17 00:00:00 2001 +From: Christian Marangi +Date: Sun, 29 Oct 2023 14:41:18 +0100 +Subject: [PATCH] build: support strlcat/strlcpy from musl or recent glibc + +Musl or recent glibc added support for these additional string function, +strlcat and strlcpy hence the compat function are not needed and the +builtin version can be used instead. + +Signed-off-by: Christian Marangi +--- + build/m4/aircrack_ng_compat.m4 | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/build/m4/aircrack_ng_compat.m4 ++++ b/build/m4/aircrack_ng_compat.m4 +@@ -41,11 +41,12 @@ AC_DEFUN([AIRCRACK_NG_COMPAT], [ + AC_ARG_WITH(libbsd, + [AS_HELP_STRING([--with-libbsd[[=auto|yes|no]]], [use BSD library, [default=auto]])]) + ++AC_CHECK_FUNCS([strlcpy strlcat], [:]) ++ + case $with_libbsd in + yes | "" | auto) + AC_CHECK_HEADERS([bsd/string.h], [HAVE_BSD_STRING_H=yes]) + AC_CHECK_LIB([bsd], [strlcpy], [:]) +- AC_CHECK_FUNCS([strlcpy strlcat], [:]) + ;; + esac + From f9f1e0220f872263d8f12c38df9984a40625430f Mon Sep 17 00:00:00 2001 
From: Jeffery To Date: Thu, 26 Oct 2023 15:48:28 +0800 Subject: [PATCH 29/40] rust: Fix compile error if build dir and DL_DIR on separate filesystems The rust bootstrap downloads files into a "tmp" directory then moves the files into the "cache" directory using std::fs::rename. There are no issues in the original/unpatched case as "tmp" and "cache" are subdirectories in the build directory ($(HOST_BUILD_DIR)/build) and so are nearly guaranteed to be on the same filesystem. 35768bf31e5867046874dc6fd0374ff8fe575da2 changed where files are saved/cached (in $(DL_DIR)/rustc). If HOST_BUILD_DIR and DL_DIR are on separate filesystems, then using std::fs::rename to move the files will fail.[1] This updates 0002-rustc-bootstrap-cache.patch to account for this case, i.e. if std::fs::rename fails, fall back to copying the file then removing the original. [1]: https://github.com/openwrt/packages/pull/22457 Fixes: 35768bf31e58 ("rust: Cache bootstrap downloads to $(DL_DIR)/rustc") Signed-off-by: Jeffery To --- .../patches/0002-rustc-bootstrap-cache.patch | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/lang/rust/patches/0002-rustc-bootstrap-cache.patch b/lang/rust/patches/0002-rustc-bootstrap-cache.patch index 9f434fc8d..f3e814e8f 100644 --- a/lang/rust/patches/0002-rustc-bootstrap-cache.patch +++ b/lang/rust/patches/0002-rustc-bootstrap-cache.patch @@ -11,7 +11,22 @@ os.makedirs(rustc_cache) --- a/src/bootstrap/download.rs 
+++ b/src/bootstrap/download.rs -@@ -520,7 +520,10 @@ impl Config { +@@ -202,7 +202,13 @@ impl Config { + Some(other) => panic!("unsupported protocol {other} in {url}"), + None => panic!("no protocol in {url}"), + } +- t!(std::fs::rename(&tempfile, dest_path)); ++ match std::fs::rename(&tempfile, dest_path) { ++ Ok(v) => v, ++ Err(_) => { ++ t!(std::fs::copy(&tempfile, dest_path)); ++ t!(std::fs::remove_file(&tempfile)); ++ } ++ } + } + + fn download_http_with_retries(&self, tempfile: &Path, url: &str, help_on_error: &str) { +@@ -520,7 +526,10 @@ impl Config { key: &str, destination: &str, ) { @@ -23,7 +38,7 @@ let cache_dir = cache_dst.join(key); if !cache_dir.exists() { t!(fs::create_dir_all(&cache_dir)); -@@ -647,7 +650,10 @@ download-rustc = false +@@ -647,7 +656,10 @@ download-rustc = false let llvm_assertions = self.llvm_assertions; let cache_prefix = format!("llvm-{llvm_sha}-{llvm_assertions}"); From 54616e7049701996fab1dfb85ba0ebc3189b53ec Mon Sep 17 00:00:00 2001 From: Jeffery To Date: Thu, 26 Oct 2023 16:11:06 +0800 Subject: [PATCH 30/40] rust: Fix compile error for mipsel_24kc+24kf Currently, rust fails to build for mipsel_24kc+24kf with "opcode not supported on this processor: mips1 (mips1)" errors when building libunwind. Because mipsel_24kc+24kf is hard-float, a certain section of src/llvm-project/libunwind/src/UnwindRegistersRestore.S is selected to be compiled; the instructions in this section require MIPS II. mipsel_24kc+24kf is compiled for MIPS32 Release 2 (MIPS32 is based on MIPS II), but the C flags used to select this architecture were not passed to the rust bootstrap (to be passed back to gcc). This passes the C flags to rust bootstrap to fix this compile error. This also adds PKG_BUILD_FLAGS:=no-mips16 as attempting to generate MIPS16 code leads to a different compile error. Signed-off-by: Jeffery To --- lang/rust/Makefile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
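Review bot: The fallback added around `std::fs::rename(&tempfile, dest_path)` runs for every rename error, not only the cross-filesystem case, and it writes the download with `std::fs::copy` straight onto the final cache path. A copy is not atomic, so an interrupted build, or a second build sharing the same $(DL_DIR)/rustc, can leave or observe a truncated file under the name that later runs treat as a finished download; whether the bootstrap re-verifies cached files is not visible in this hunk. Copying to a staging name beside the destination and renaming it into place keeps the last step atomic, and the discarded `Err(_)` value could be reported before falling back. The enclosing function starts and ends outside the hunk.

```rust
// … unchanged: protocol dispatch that fills `tempfile` …
match std::fs::rename(&tempfile, dest_path) {
    Ok(v) => v,
    Err(_) => {
        // Stage beside the destination so the final step is a same-filesystem rename.
        // Assumes dest_path is a Path; confirm against the function signature.
        let staged = dest_path.with_extension("partial");
        t!(std::fs::copy(&tempfile, &staged));
        t!(std::fs::rename(&staged, dest_path));
        t!(std::fs::remove_file(&tempfile));
    }
}
```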
diff --git a/lang/rust/Makefile b/lang/rust/Makefile index f3189b5bf..78d95d3d9 100644 --- a/lang/rust/Makefile +++ b/lang/rust/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=rust PKG_VERSION:=1.73.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=rustc-$(PKG_VERSION)-src.tar.gz PKG_SOURCE_URL:=https://static.rust-lang.org/dist/ @@ -18,6 +18,7 @@ PKG_LICENSE:=Apache-2.0 MIT PKG_LICENSE_FILES:=LICENSE-APACHE LICENSE-MIT PKG_HOST_ONLY:=1 +PKG_BUILD_FLAGS:=no-mips16 include $(INCLUDE_DIR)/host-build.mk include $(INCLUDE_DIR)/package.mk @@ -86,6 +87,7 @@ endef define Host/Compile $(RUST_SCCACHE_VARS) \ CARGO_HOME=$(CARGO_HOME) \ + TARGET_CFLAGS="$(TARGET_CFLAGS)" \ OPENWRT_RUSTC_BOOTSTRAP_CACHE=$(DL_DIR)/rustc \ $(PYTHON) $(HOST_BUILD_DIR)/x.py \ --build-dir $(HOST_BUILD_DIR)/build \ From 13982c13d09803b8979f7934c6048db9ad240338 Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Sun, 29 Oct 2023 16:15:02 +0100 Subject: [PATCH 31/40] fdm: update to 2.2 release and switch to PCRE2 Update to release 2.2 and switch to PCRE2. New release switched from PCRE to PCRE2 and is now required. Drop patch merged upstream and backport 2 additional patch that fix a user-after-free and a PCRE2 bug. Signed-off-by: Christian Marangi --- mail/fdm/Makefile | 10 +-- mail/fdm/patches/010-ntop-fix.patch | 9 --- .../020-Fix-compile-with-OpenSSL-1.1.0.patch | 24 ------ mail/fdm/patches/030-cdefs.patch | 30 -------- ...2-code-don-t-walk-off-the-end-of-the.patch | 75 +++++++++++++++++++ ...-Fix-use-after-free-GitHub-issue-126.patch | 21 ++++++ 6 files changed, 101 insertions(+), 68 deletions(-) delete mode 100644 mail/fdm/patches/010-ntop-fix.patch delete mode 100644 mail/fdm/patches/020-Fix-compile-with-OpenSSL-1.1.0.patch delete mode 100644 mail/fdm/patches/030-cdefs.patch create mode 100644 mail/fdm/patches/100-Fix-bugs-in-PCRE2-code-don-t-walk-off-the-end-of-the.patch create mode 100644 mail/fdm/patches/101-Fix-use-after-free-GitHub-issue-126.patch 
diff --git a/mail/fdm/Makefile b/mail/fdm/Makefile index 762fd933c..522765db8 100644 --- a/mail/fdm/Makefile +++ b/mail/fdm/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=fdm -PKG_VERSION:=2.0 -PKG_RELEASE:=3 +PKG_VERSION:=2.2 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/nicm/fdm/releases/download/$(PKG_VERSION) -PKG_HASH:=06b28cb6b792570bc61d7e29b13d2af46b92fea77e058b2b17e11e8f7ed0cea4 +PKG_HASH:=53aad117829834e21c1b9bf20496a1aa1c0e0fb98fe7735e1e73314266fb6c16 PKG_MAINTAINER:=Dmitry V. Zimin PKG_LICENSE:=BSD-2-Clause @@ -30,7 +30,7 @@ define Package/fdm TITLE:=fetch mail and deliver URL:=https://github.com/nicm/fdm MENU:=1 - DEPENDS:=+tdb +zlib +libopenssl +FDM_WITH_PCRE:libpcre + DEPENDS:=+tdb +zlib +libopenssl +FDM_WITH_PCRE:libpcre2 USERID:=_fdm=99:_fdm=99 endef @@ -42,7 +42,7 @@ define Package/fdm/description endef ifdef CONFIG_FDM_WITH_PCRE - CONFIGURE_ARGS += --enable-pcre + CONFIGURE_ARGS += --enable-pcre2 endif define Package/fdm/config diff --git a/mail/fdm/patches/010-ntop-fix.patch b/mail/fdm/patches/010-ntop-fix.patch deleted file mode 100644 index e32479571..000000000 --- a/mail/fdm/patches/010-ntop-fix.patch +++ /dev/null @@ -1,9 +0,0 @@ ---- a/Makefile.am -+++ b/Makefile.am -@@ -123,6 +123,3 @@ endif - if NO_STRTONUM - nodist_fdm_SOURCES += compat/strtonum.c - endif --if NO_B64_NTOP --nodist_fdm_SOURCES += compat/base64.c --endif diff --git a/mail/fdm/patches/020-Fix-compile-with-OpenSSL-1.1.0.patch b/mail/fdm/patches/020-Fix-compile-with-OpenSSL-1.1.0.patch deleted file mode 100644 index 3d2f45d40..000000000 --- a/mail/fdm/patches/020-Fix-compile-with-OpenSSL-1.1.0.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -From 3aa079c4885d89257c5033b4992011511b603150 Mon Sep 17 00:00:00 2001 -From: Rosen Penev -Date: Tue, 26 Jun 2018 14:14:34 -0700 -Subject: [PATCH] Fix compile with OpenSSL 1.1.0 - -OpenSSL 1.1.0 deprecared SSL_library_init and SSL_load_error_strings. -They're part of OPENSSL_init_ssl now. ---- - fdm.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/fdm.c -+++ b/fdm.c -@@ -717,8 +717,10 @@ retry: - } - conf.lock_file = lock; - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - SSL_library_init(); - SSL_load_error_strings(); -+#endif - - /* Filter account list. */ - TAILQ_INIT(&actaq); diff --git a/mail/fdm/patches/030-cdefs.patch b/mail/fdm/patches/030-cdefs.patch deleted file mode 100644 index d1ae7af3d..000000000 --- a/mail/fdm/patches/030-cdefs.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 3232e537ccaba4417b25d9d70264e4a5533042da Mon Sep 17 00:00:00 2001 -From: Nicholas Marriott -Date: Mon, 18 Mar 2019 13:04:00 +0000 -Subject: [PATCH] Fix bas64 declarations, from makepost at firemail dot cc. - ---- - fdm.h | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - ---- a/fdm.h -+++ b/fdm.h -@@ -20,7 +20,6 @@ - #define FDM_H - - #include --#include - #include - - #ifdef HAVE_QUEUE_H -@@ -725,8 +724,8 @@ size_t strlcat(char *, const char *, s - - #ifndef HAVE_B64_NTOP - /* base64.c */ --int b64_ntop(src, srclength, target, targsize); --int b64_pton(src, target, targsize); -+int b64_ntop(u_char const *, size_t, char *, size_t); -+int b64_pton(char const *, u_char *, size_t); - #endif - - /* shm.c */ diff --git a/mail/fdm/patches/100-Fix-bugs-in-PCRE2-code-don-t-walk-off-the-end-of-the.patch b/mail/fdm/patches/100-Fix-bugs-in-PCRE2-code-don-t-walk-off-the-end-of-the.patch new file mode 100644 index 000000000..8c63f96a9 --- /dev/null +++ b/mail/fdm/patches/100-Fix-bugs-in-PCRE2-code-don-t-walk-off-the-end-of-the.patch 
@@ -0,0 +1,75 @@ +From f1ec1982725d60045c0d871f3e613f2880046c22 Mon Sep 17 00:00:00 2001 +From: Nicholas Marriott +Date: Wed, 1 Feb 2023 15:31:30 +0000 +Subject: [PATCH] Fix bugs in PCRE2 code - don't walk off the end of the match + list if NOMATCH is returned, and don't stop on empty matches. From Thomas + Hurst. + +--- + pcre.c | 45 ++++++++++++++++++++++++++------------------- + 1 file changed, 26 insertions(+), 19 deletions(-) + +--- a/pcre.c ++++ b/pcre.c +@@ -66,7 +66,7 @@ int + re_block(struct re *re, const void *buf, size_t len, struct rmlist *rml, + char **cause) + { +- int res; ++ int res, ret; + pcre2_match_data *pmd; + PCRE2_SIZE *ovector; + u_int i, j; +@@ -85,27 +85,34 @@ re_block(struct re *re, const void *buf, + } + + pmd = pcre2_match_data_create_from_pattern(re->pcre2, NULL); +- res = pcre2_match(re->pcre2, buf, len, 0, 0, pmd, NULL); +- if (res < 0 && res != PCRE2_ERROR_NOMATCH) { +- xasprintf(cause, "%s: regexec failed", re->str); +- pcre2_match_data_free(pmd); +- return (-1); +- } ++ if (pmd == NULL) ++ fatalx("pcre2_match_data_create_from_pattern failed"); + +- if (rml != NULL) { +- ovector = pcre2_get_ovector_pointer(pmd); +- for (i = 0; i < res; i++) { +- j = i * 2; +- if (ovector[j + 1] <= ovector[j]) +- break; +- rml->list[i].valid = 1; +- rml->list[i].so = ovector[j]; +- rml->list[i].eo = ovector[j + 1]; ++ res = pcre2_match(re->pcre2, buf, len, 0, 0, pmd, NULL); ++ if (res > 0) { ++ if (rml != NULL) { ++ if (res > NPMATCH) ++ res = NPMATCH; ++ ovector = pcre2_get_ovector_pointer(pmd); ++ for (i = 0; i < res; i++) { ++ j = i * 2; ++ if (ovector[j + 1] < ovector[j]) ++ break; ++ rml->list[i].valid = 1; ++ rml->list[i].so = ovector[j]; ++ rml->list[i].eo = ovector[j + 1]; ++ } ++ rml->valid = 1; + } +- rml->valid = 1; ++ ret = 1; ++ } else if (res == PCRE2_ERROR_NOMATCH) ++ ret = 0; ++ else { ++ xasprintf(cause, "%s: regexec failed", re->str); ++ ret = -1; + } +- +- return (res != PCRE2_ERROR_NOMATCH); ++ pcre2_match_data_free(pmd); ++ 
return (ret); + } + + void diff --git a/mail/fdm/patches/101-Fix-use-after-free-GitHub-issue-126.patch b/mail/fdm/patches/101-Fix-use-after-free-GitHub-issue-126.patch new file mode 100644 index 000000000..98024d21f --- /dev/null +++ b/mail/fdm/patches/101-Fix-use-after-free-GitHub-issue-126.patch @@ -0,0 +1,21 @@ +From 028f59bef0ea9435fb8fbe095b2939652ce63479 Mon Sep 17 00:00:00 2001 +From: Nicholas Marriott +Date: Mon, 3 Apr 2023 08:54:28 +0100 +Subject: [PATCH] Fix use-after-free, GitHub issue 126. + +--- + connect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/connect.c ++++ b/connect.c +@@ -550,8 +550,8 @@ httpproxy(struct server *srv, + if (strlen(line) < 12 || + strncmp(line, "HTTP/", 5) != 0 || + strncmp(line + 8, " 200", 4) != 0) { +- xfree(line); + xasprintf(cause, "unexpected data: %s", line); ++ xfree(line); + return (-1); + } + header = 1; From 9ea2ec7cd1d9902352a67d6152107e9c452d6dbb Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Sun, 29 Oct 2023 17:22:22 +0100 Subject: [PATCH 32/40] tvheadend: drop support for PCRE Drop support for PCRE as it's now EOL and won't receive any security updates anymore. Signed-off-by: Christian Marangi --- multimedia/tvheadend/Config.in | 5 ----- multimedia/tvheadend/Makefile | 12 ++++-------- 2 files changed, 4 insertions(+), 13 deletions(-) diff --git a/multimedia/tvheadend/Config.in b/multimedia/tvheadend/Config.in index de689fd33..b750bd9eb 100644 --- a/multimedia/tvheadend/Config.in +++ b/multimedia/tvheadend/Config.in @@ -36,11 +36,6 @@ choice help Use internal POSIX Regular Expressions. Note that not all EPG parsers will work with POSIX RegEx. - config TVHEADEND_REGEX_PCRE - bool "PCRE (libpcre)" - select PACKAGE_libpcre - help - Use more advanced Perl-Compatible Regular Expressions, provided by libpcre. config TVHEADEND_REGEX_PCRE2 bool "PCRE2 (libpcre2)" select PACKAGE_libpcre2 diff --git a/multimedia/tvheadend/Makefile b/multimedia/tvheadend/Makefile index f33b66662..674d2862a 100644 
--- a/multimedia/tvheadend/Makefile +++ b/multimedia/tvheadend/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tvheadend PKG_VERSION:=2023-06-05 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/tvheadend/tvheadend.git @@ -36,7 +36,6 @@ define Package/tvheadend $(ICONV_DEPENDS) \ +zlib \ +TVHEADEND_AVAHI_SUPPORT:libavahi-client \ - +TVHEADEND_REGEX_PCRE:libpcre \ +TVHEADEND_REGEX_PCRE2:libpcre2 \ +BUILD_PATENTED&&TVHEADEND_CSA:libdvbcsa @@ -77,15 +76,12 @@ ifeq ($(CONFIG_TVHEADEND_TRACE),) CONFIGURE_ARGS += --disable-trace endif +CONFIGURE_ARGS += --disable-pcre ifneq ($(CONFIG_TVHEADEND_REGEX_PCRE2),) - CONFIGURE_ARGS += --disable-pcre --enable-pcre2 -else -ifneq ($(CONFIG_TVHEADEND_REGEX_PCRE),) - CONFIGURE_ARGS += --enable-pcre --disable-pcre2 + CONFIGURE_ARGS += --enable-pcre2 else ifneq ($(CONFIG_TVHEADEND_REGEX_POSIX),) - CONFIGURE_ARGS += --disable-pcre --disable-pcre2 -endif + CONFIGURE_ARGS += --disable-pcre2 endif endif From 624fb955619c0b4b368e2ac1880619f159e3b8d6 Mon Sep 17 00:00:00 2001 From: Jeffery To Date: Mon, 30 Oct 2023 23:56:43 +0800 Subject: [PATCH 33/40] python3: Fix building C extensions with setuptools setuptools provides a local copy of distutils and when building a C extension, this distutils will add the target LIBDIR (/usr/lib) to the list of library paths. If the build system has a libpython3.11.so in /usr/lib, then the linker will try to link to this shared library and fail. This adapts 008-distutils-use-python-sysroot.patch for host setuptools to add the correct library directory. Fixes: https://github.com/openwrt/packages/issues/22330 Signed-off-by: Jeffery To --- lang/python/python3-version.mk | 2 +- ...y-header-paths-for-cross-compilation.patch | 38 +++++++++++++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 lang/python/python3/patches-host-setuptools/0001-Adjust-library-header-paths-for-cross-compilation.patch 
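Review bot: In the rewritten regex block, `--disable-pcre2` is passed only when CONFIG_TVHEADEND_REGEX_POSIX is set, so if neither symbol is set configure receives no PCRE2 switch and presumably autodetects libpcre2 from the staging directory. That is the same detected-in-staging linkage another commit in this series removes for aircrack-ng. Replacing the nested `ifneq ($(CONFIG_TVHEADEND_REGEX_POSIX),)` with a plain `else` followed by `CONFIGURE_ARGS += --disable-pcre2` makes the result deterministic. Whether the Kconfig choice can actually end up with neither option selected is not visible in this hunk.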
diff --git a/lang/python/python3-version.mk b/lang/python/python3-version.mk index 5712e0f1d..6b21bc61e 100644 --- a/lang/python/python3-version.mk +++ b/lang/python/python3-version.mk @@ -12,7 +12,7 @@ PYTHON3_VERSION_MICRO:=6 PYTHON3_VERSION:=$(PYTHON3_VERSION_MAJOR).$(PYTHON3_VERSION_MINOR) -PYTHON3_SETUPTOOLS_PKG_RELEASE:=1 +PYTHON3_SETUPTOOLS_PKG_RELEASE:=2 PYTHON3_PIP_PKG_RELEASE:=1 PYTHON3_SETUPTOOLS_VERSION:=65.5.0 diff --git a/lang/python/python3/patches-host-setuptools/0001-Adjust-library-header-paths-for-cross-compilation.patch b/lang/python/python3/patches-host-setuptools/0001-Adjust-library-header-paths-for-cross-compilation.patch new file mode 100644 index 000000000..06dbb4318 --- /dev/null +++ b/lang/python/python3/patches-host-setuptools/0001-Adjust-library-header-paths-for-cross-compilation.patch 
@@ -0,0 +1,38 @@
+From e359a7a3c4f9e70360a068bef19c95938fdacede Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni
+Date: Wed, 23 Dec 2015 11:33:14 +0100
+Subject: [PATCH] Adjust library/header paths for cross-compilation
+
+When cross-compiling third-party extensions, the get_python_inc() or
+get_python_lib() can be called, to return the path to headers or
+libraries. However, they use the sys.prefix of the host Python, which
+returns incorrect paths when cross-compiling (paths pointing to host
+headers and libraries).
+
+In order to fix this, we introduce the _python_sysroot, _python_prefix
+and _python_exec_prefix variables, that allow to override these
+values, and get correct header/library paths when cross-compiling
+third-party Python modules.
+
+Signed-off-by: Thomas Petazzoni
+[adapt for setuptools, rename environment variable, use fixed lib path]
+Signed-off-by: Jeffery To
+---
+ Lib/distutils/command/build_ext.py | 5 ++++-
+ Lib/sysconfig.py | 15 +++++++++++----
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+--- a/setuptools/_distutils/command/build_ext.py
++++ b/setuptools/_distutils/command/build_ext.py
+@@ -238,7 +238,10 @@ class build_ext(Command):
+ if sysconfig.get_config_var('Py_ENABLE_SHARED'):
+ if not sysconfig.python_build:
+ # building third party extensions
+- self.library_dirs.append(sysconfig.get_config_var('LIBDIR'))
++ libdir = sysconfig.get_config_var('LIBDIR')
++ if 'STAGING_DIR' in os.environ:
++ libdir = os.environ.get('STAGING_DIR') + '/usr/lib'
++ self.library_dirs.append(libdir)
+ else:
+ # building python standard extensions
+ self.library_dirs.append('.')
From 19ec30255f1379cb2d25f7ace22523039cc8aa67 Mon Sep 17 00:00:00 2001
From: Martin Strobel
Date: Sun, 29 Oct 2023 16:16:57 +0100
Subject: [PATCH 34/40] freeradius3: switch to pcre2
use libpcre2 as dependency for freeradius3-common because PCRE is EOL with no further updates Compile & run tested on mediatek mt76 ubnt-ui6-lr-v1 with musl
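Review bot: The new `if 'STAGING_DIR' in os.environ:` test in the embedded build_ext.py patch also passes when the variable is set but empty, and `os.environ.get('STAGING_DIR') + '/usr/lib'` then evaluates to `/usr/lib`, the host directory this patch is meant to keep off the linker search path. Testing the value rather than the key closes that gap: `staging = os.environ.get('STAGING_DIR')` followed by `if staging: libdir = os.path.join(staging, 'usr', 'lib')`. Since the library directory is now taken from the environment, a short comment at that line saying STAGING_DIR is expected to be set only by the OpenWrt build would help whoever audits what a host build links against. The embedded patch header's diffstat still names `Lib/distutils/command/build_ext.py` and `Lib/sysconfig.py`, although the only file changed is `setuptools/_distutils/command/build_ext.py`. The enclosing method begins and ends outside the hunk, so the `os` import is assumed rather than visible.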
Signed-off-by: Martin Strobel
---
 net/freeradius3/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/freeradius3/Makefile b/net/freeradius3/Makefile
index d908ed815..4a97b8414 100644
--- a/net/freeradius3/Makefile
+++ b/net/freeradius3/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=freeradius3
 PKG_VERSION:=3.0.26
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=freeradius-server-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://github.com/FreeRADIUS/freeradius-server/releases/download/release_$(subst .,_,$(PKG_VERSION))/
@@ -63,7 +63,7 @@ endef
 define Package/freeradius3-common
 $(call Package/freeradius3/Default)
 TITLE:=common files
- DEPENDS:=+USE_GLIBC:libpthread +USE_GLIBC:libbsd +FREERADIUS3_OPENSSL:libopenssl +libcap +libpcap +libncurses +libpcre +libreadline +libtalloc +libatomic
+ DEPENDS:=+USE_GLIBC:libpthread +USE_GLIBC:libbsd +FREERADIUS3_OPENSSL:libopenssl +libcap +libpcap +libncurses +libpcre2 +libreadline +libtalloc +libatomic
 endef
 define Package/freeradius3-default
From ee47bf4a5202f610251c7192b219481ee2d84dfe Mon Sep 17 00:00:00 2001
From: Anton Antonov
Date: Tue, 3 Oct 2023 12:55:54 +0100
Subject: [PATCH 35/40] dmidecode: Add armsr target support
Signed-off-by: Anton Antonov
---
 utils/dmidecode/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/utils/dmidecode/Makefile b/utils/dmidecode/Makefile
index ca6a04300..35a95114b 100644
--- a/utils/dmidecode/Makefile
+++ b/utils/dmidecode/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=dmidecode
 PKG_VERSION:=3.2
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=@SAVANNAH/$(PKG_NAME)
@@ -26,7 +26,7 @@ include $(INCLUDE_DIR)/package.mk
 define Package/dmidecode
 SECTION:=utils
 CATEGORY:=Utilities
- DEPENDS:=@(TARGET_x86||TARGET_x86_64)
+ DEPENDS:=@(TARGET_x86||TARGET_x86_64||TARGET_armsr_armv8)
 TITLE:=Displays BIOS informations.
 URL:=https://www.nongnu.org/dmidecode/
 endef
From c618100c8282867d8dc10a98472060c6b432dbc2 Mon Sep 17 00:00:00 2001
From: Anton Antonov
Date: Tue, 3 Oct 2023 12:56:39 +0100
Subject: [PATCH 36/40] efivar: Add armsr target support
Backport up-stream patch: https://github.com/rhboot/efivar/commit/ca48d3964d26f5e3b38d73655f19b1836b16bd2d
Signed-off-by: Anton Antonov
---
 libs/efivar/Makefile | 4 +--
 ...uild-util-c-separately-for-makeguids.patch | 32 +++++++++++++++++++
 2 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 libs/efivar/patches/006-build-util-c-separately-for-makeguids.patch
diff --git a/libs/efivar/Makefile b/libs/efivar/Makefile
index f0563ba7b..fd5302ee4 100644
--- a/libs/efivar/Makefile
+++ b/libs/efivar/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=efivar
 PKG_VERSION:=38
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://github.com/rhboot/efivar/releases/download/$(PKG_VERSION)
@@ -25,7 +25,7 @@ define Package/efivar
 SECTION:=libs
 CATEGORY:=Libraries
 TITLE:=Tools and libraries to work with EFI variables
- DEPENDS:=@TARGET_x86_64
+ DEPENDS:=@(TARGET_x86_64||TARGET_armsr_armv8)
 URL:=https://github.com/rhboot/efibootmgr
 endef
diff --git a/libs/efivar/patches/006-build-util-c-separately-for-makeguids.patch b/libs/efivar/patches/006-build-util-c-separately-for-makeguids.patch
new file mode 100644
index 000000000..2305ebbac
--- /dev/null
+++ b/libs/efivar/patches/006-build-util-c-separately-for-makeguids.patch
@@ -0,0 +1,32 @@
+From ca48d3964d26f5e3b38d73655f19b1836b16bd2d Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin
+Date: Tue, 18 Jan 2022 11:53:41 +0100
+Subject: [PATCH] src/Makefile: build util.c separately for makeguids
+
+util.c needs to be built twice when cross-compiling:
+for the build machine to be able to link with
+makeguids which then runs during the same build,
+and then for the actual target.
+
+Signed-off-by: Alexander Kanavin
+---
+ src/Makefile | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -28,10 +28,13 @@ EFIVAR_OBJECTS = $(patsubst %.S,%.o,$(pa
+ EFISECDB_SOURCES = efisecdb.c guid-symbols.c secdb-dump.c util.c
+ EFISECDB_OBJECTS = $(patsubst %.S,%.o,$(patsubst %.c,%.o,$(EFISECDB_SOURCES)))
+ GENERATED_SOURCES = include/efivar/efivar-guids.h guid-symbols.c
+-MAKEGUIDS_SOURCES = makeguids.c util.c
++MAKEGUIDS_SOURCES = makeguids.c util-makeguids.c
+ MAKEGUIDS_OBJECTS = $(patsubst %.S,%.o,$(patsubst %.c,%.o,$(MAKEGUIDS_SOURCES)))
+ MAKEGUIDS_OUTPUT = $(GENERATED_SOURCES) guids.lds
+
++util-makeguids.c : util.c
++ cp util.c util-makeguids.c
++
+ ALL_SOURCES=$(LIBEFISEC_SOURCES) $(LIBEFIBOOT_SOURCES) $(LIBEFIVAR_SOURCES) \
+ $(MAKEGUIDS_SOURCES) $(GENERATED_SOURCES) $(EFIVAR_SOURCES) \
+ $(sort $(wildcard include/efivar/*.h))
From 3be58aa1d317877415c810bc8dc6a43030064a64 Mon Sep 17 00:00:00 2001
From: Anton Antonov
Date: Tue, 3 Oct 2023 12:57:17 +0100
Subject: [PATCH 37/40] efibootmgr: Add armsr target support
Signed-off-by: Anton Antonov
---
 utils/efibootmgr/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/utils/efibootmgr/Makefile b/utils/efibootmgr/Makefile
index fc53f8729..1463a6c82 100644
--- a/utils/efibootmgr/Makefile
+++ b/utils/efibootmgr/Makefile
@@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=efibootmgr
 PKG_VERSION:=18
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/rhboot/efibootmgr.git
@@ -23,7 +23,7 @@ define Package/efibootmgr
 SECTION:=utils
 CATEGORY:=Utilities
 TITLE:=Application to modify the EFI Boot Manager
- DEPENDS:=@TARGET_x86_64 +efivar +libpopt
+ DEPENDS:=@(TARGET_x86_64||TARGET_armsr_armv8) +efivar +libpopt
 URL:=https://github.com/rhboot/efibootmgr
 endef
From 84c431702e97ba70228ec45b60482163fc0d974d Mon Sep 17 00:00:00 2001
From: Leo Douglas
Date: Tue, 31 Oct 2023 11:04:30 +0800
Subject: [PATCH 38/40] sing-box: update to v1.6.0
see changelog: https://github.com/SagerNet/sing-box/releases/tag/v1.6.0
Signed-off-by: Leo Douglas
---
 net/sing-box/Makefile | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/net/sing-box/Makefile b/net/sing-box/Makefile
index 5a4588f1e..229dc2e67 100644
--- a/net/sing-box/Makefile
+++ b/net/sing-box/Makefile
@@ -1,12 +1,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=sing-box
-PKG_VERSION:=1.5.4
+PKG_VERSION:=1.6.0
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/SagerNet/sing-box/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=3238492e21246b56ef80e99f321c26ffaf9ac8877c916dce85273b61031c58b7
+PKG_HASH:=3272c9ac447d009749429f38d76e9879609c0c321442c3235ba806d995c0838a
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_LICENSE_FILES:=LICENSE
@@ -35,7 +35,7 @@ endef
 define Package/sing-box/description
 Sing-box is a universal proxy platform which supports hysteria, SOCKS, Shadowsocks,
- ShadowsocksR, ShadowTLS, Tor, trojan, VLess, VMess, WireGuard and so on.
+ ShadowTLS, Tor, trojan, VLess, VMess, WireGuard and so on.
 endef
 define Package/sing-box/config
@@ -77,11 +77,6 @@ define Package/sing-box/config
 bool "Build with reality TLS server support, see TLS."
 default y
- config SINGBOX_WITH_SHADOWSOCKSR
- bool "Build with ShadowsocksR support"
- help
- It will be marked deprecated in 1.5.0 and removed entirely in 1.6.0.
-
 config SINGBOX_WITH_UTLS
 bool "Build with uTLS support for TLS outbound"
 default y
@@ -106,7 +101,6 @@ PKG_CONFIG_DEPENDS:= \
 CONFIG_SINGBOX_WITH_LWIP \
 CONFIG_SINGBOX_WITH_QUIC \
 CONFIG_SINGBOX_WITH_REALITY_SERVER \
- CONFIG_SINGBOX_WITH_SHADOWSOCKSR \
 CONFIG_SINGBOX_WITH_UTLS \
 CONFIG_SINGBOX_WITH_V2RAY_API \
 CONFIG_SINGBOX_WITH_WIREGUARD
@@ -121,7 +115,6 @@ GO_PKG_TAGS:=$(subst $(space),$(comma),$(strip \
 $(if $(CONFIG_SINGBOX_WITH_GVISOR),with_gvisor) \
 $(if $(CONFIG_SINGBOX_WITH_LWIP),with_lwip) \
 $(if $(CONFIG_SINGBOX_WITH_QUIC),with_quic) \
- $(if $(CONFIG_SINGBOX_WITH_SHADOWSOCKSR),with_shadowsocksr) \
 $(if $(CONFIG_SINGBOX_WITH_REALITY_SERVER),with_reality_server) \
 $(if $(CONFIG_SINGBOX_WITH_UTLS),with_utls) \
 $(if $(CONFIG_SINGBOX_WITH_V2RAY_API),with_v2ray_api) \
From 4f9ced5cf9d411dc54a815beb365b539c561bbfb Mon Sep 17 00:00:00 2001
From: Florian Eckert
Date: Tue, 17 Oct 2023 14:14:58 +0200
Subject: [PATCH 39/40] zabbix: update to version 6.4.7
Switch to current stable version 6.4.7. See release notes: https://www.zabbix.com/rn/rn6.4.7 So that the new version builds cleanly. The 'libevent2-pthreads' must be added as dependency.
Signed-off-by: Florian Eckert
---
 admin/zabbix/Makefile | 10 ++++++----
 admin/zabbix/patches/110-reproducible-builds.patch | 6 +++---
 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/admin/zabbix/Makefile b/admin/zabbix/Makefile
index e91cf986f..c4f8c464a 100644
--- a/admin/zabbix/Makefile
+++ b/admin/zabbix/Makefile
@@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=zabbix
-PKG_VERSION:=6.2.3
-PKG_RELEASE:=4
+PKG_VERSION:=6.4.7
+PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://cdn.zabbix.com/zabbix/sources/stable/$(basename $(PKG_VERSION))/ \
 https://cdn.zabbix.com/zabbix/sources/oldstable/$(basename $(PKG_VERSION))/
-PKG_HASH:=2be7e57fb33a55fee71480598e317ffa6a8ee5a39639a7e1b42b2ea6872107b5
+PKG_HASH:=6b4e81f07de4c82c7994871bea51be4d6427683fa9a7fbe112fd7559b3670e49
 PKG_MAINTAINER:=Etienne CHAMPETIER
 PKG_LICENSE:=GPL-2.0
@@ -157,6 +157,7 @@ define Package/zabbix-server/Default
 +ZABBIX_MYSQL:libmariadbclient \
 @(!ZABBIX_SQLITE) \
 +libevent2 \
+ +libevent2-pthreads \
 +fping
 endef
@@ -209,6 +210,7 @@ define Package/zabbix-proxy/Default
 +ZABBIX_MYSQL:libmariadbclient \
 +ZABBIX_SQLITE:libsqlite3 \
 +libevent2 \
+ +libevent2-pthreads \
 +fping
 endef
@@ -262,7 +264,7 @@ CONFIGURE_ARGS+= \
 $(if $(CONFIG_ZABBIX_MYSQL),--with-mysql) \
 $(if $(CONFIG_ZABBIX_POSTGRESQL),--with-postgresql) \
 $(if $(CONFIG_ZABBIX_SQLITE),--with-sqlite3=$(STAGING_DIR)/usr) \
- --with-libevent=$(STAGING_DIR)/usr/include/libevent \
+ --with-libevent=$(STAGING_DIR)/usr/include \
 --with-libpcre2=$(STAGING_DIR)/usr/include \
 --with-zlib=$(STAGING_DIR)/usr/include
diff --git a/admin/zabbix/patches/110-reproducible-builds.patch b/admin/zabbix/patches/110-reproducible-builds.patch
index 723ccfe14..471e1e6b1 100644
--- a/admin/zabbix/patches/110-reproducible-builds.patch
+++ b/admin/zabbix/patches/110-reproducible-builds.patch
@@ -1,6 +1,6 @@
---- a/src/libs/zbxcommon/str.c
-+++ b/src/libs/zbxcommon/str.c
-@@ -49,7 +49,7 @@ static const char help_message_footer[]
+--- a/src/libs/zbxcommon/misc.c
++++ b/src/libs/zbxcommon/misc.c
+@@ -329,7 +329,7 @@ void zbx_help(void)
 void zbx_version(void)
 {
 printf("%s (Zabbix) %s\n", title_message, ZABBIX_VERSION);
From f3e26bef52ef4c401a3a582b839bc632376d4de7 Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Tue, 31 Oct 2023 01:09:38 -0400
Subject: [PATCH 40/40] lighttpd: update to lighttpd 1.4.73 release hash
* update to lighttpd 1.4.73 release hash
* update maintainer
Signed-off-by: Glenn Strauss
---
 net/lighttpd/Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile
index e04350b7f..82b947173 100644
--- a/net/lighttpd/Makefile
+++ b/net/lighttpd/Makefile
@@ -8,16 +8,16 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=lighttpd
-PKG_VERSION:=1.4.72
+PKG_VERSION:=1.4.73
 PKG_RELEASE:=1
 # release candidate ~rcX testing; remove for release
 #PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://download.lighttpd.net/lighttpd/releases-1.4.x
-PKG_HASH:=f7cade4d69b754a0748c01463c33cd8b456ca9cc03bb09e85a71bcbcd54e55ec
+PKG_HASH:=818816d0b314b0aa8728a7076513435f6d5eb227f3b61323468e1f10dbe84ca8
-PKG_MAINTAINER:=W. Michael Petullo
+PKG_MAINTAINER:=Glenn Strauss
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=COPYING
 PKG_CPE_ID:=cpe:/a:lighttpd:lighttpd