diff --git a/admin/netatop/patches/100-fix-compilation-warning-fallthrough.patch b/admin/netatop/patches/100-fix-compilation-warning-fallthrough.patch new file mode 100644 index 000000000..65de31e14 --- /dev/null +++ b/admin/netatop/patches/100-fix-compilation-warning-fallthrough.patch @@ -0,0 +1,11 @@ +--- a/module/netatop.c ++++ b/module/netatop.c +@@ -1617,7 +1617,7 @@ getsockopt(struct sock *sk, int cmd, void __user *user, int *len) + + case NETATOP_GETCNT_TGID: + tasktype = 'g'; +- // fall through ++ fallthrough; + case NETATOP_GETCNT_PID: + if (*len < sizeof(pid_t)) + return -EINVAL; diff --git a/libs/dmx_usb_module/patches/100-fix-compilation-warning-wrong-cast.patch b/libs/dmx_usb_module/patches/100-fix-compilation-warning-wrong-cast.patch new file mode 100644 index 000000000..413cb63ea --- /dev/null +++ b/libs/dmx_usb_module/patches/100-fix-compilation-warning-wrong-cast.patch @@ -0,0 +1,11 @@ +--- a/dmx_usb.c ++++ b/dmx_usb.c +@@ -406,7 +406,7 @@ static ssize_t dmx_usb_write (struct file *file, const char *buffer, size_t coun + + dev = (struct dmx_usb_device *)file->private_data; + +- dbg("%s - minor %d, count = %d", __FUNCTION__, dev->minor, count); ++ dbg("%s - minor %d, count = %zu", __FUNCTION__, dev->minor, count); + + /* lock this object */ + down (&dev->sem); diff --git a/libs/libpfring/patches/100-fix-compilation-warning.patch b/libs/libpfring/patches/100-fix-compilation-warning.patch new file mode 100644 index 000000000..18c72e734 --- /dev/null +++ b/libs/libpfring/patches/100-fix-compilation-warning.patch 
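Review bot: The replacement `fallthrough;` is a kernel pseudo-keyword that only exists on kernels that define it (it was introduced in v5.4, in linux/compiler_attributes.h), so this patch ties the out-of-tree module to such kernels: on an older kernel the build now fails on an undeclared identifier where the old comment compiled everywhere. If the package is only ever built against current OpenWrt kernels that is acceptable, but a small guard near the module's includes, `#ifndef fallthrough` / `#define fallthrough do {} while (0)` / `#endif`, keeps the module portable at no cost. The getsockopt switch this hunk patches starts and ends outside it.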
@@ -0,0 +1,30 @@ +--- a/kernel/pf_ring.c ++++ b/kernel/pf_ring.c +@@ -3940,7 +3940,7 @@ static int hash_pkt_cluster(ring_cluster_element *cluster_ptr, + break; + } + /* else, fall through, because it's like 2-tuple for non-TCP packets */ +- ++ fallthrough; + case cluster_per_flow_2_tuple: + case cluster_per_inner_flow_2_tuple: + flags |= mask_2_tuple; +@@ -5485,8 +5485,7 @@ static int ring_release(struct socket *sock) + remove_cluster_referee(pfr); + + if((pfr->zc_device_entry != NULL) +- && pfr->zc_device_entry->zc_dev.dev +- && pfr->zc_device_entry->zc_dev.dev->name) { ++ && pfr->zc_device_entry->zc_dev.dev) { + pfring_release_zc_dev(pfr); + } + +@@ -5617,8 +5616,6 @@ static int ring_bind(struct socket *sock, struct sockaddr *sa, int addr_len) + return(-EINVAL); + if(sa->sa_family != PF_RING) + return(-EINVAL); +- if(sa->sa_data == NULL) +- return(-EINVAL); + + memcpy(name, sa->sa_data, sizeof(sa->sa_data)); + diff --git a/libs/libvorbis/Makefile b/libs/libvorbis/Makefile index a0fc90361..a4bf63248 100644 --- a/libs/libvorbis/Makefile +++ b/libs/libvorbis/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libvorbis PKG_VERSION:=1.3.7 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=http://downloads.xiph.org/releases/vorbis/ diff --git a/libs/libvorbis/patches/010-cmake_soname.patch b/libs/libvorbis/patches/010-cmake_soname.patch new file mode 100644 index 000000000..fd63e1f31 --- /dev/null +++ b/libs/libvorbis/patches/010-cmake_soname.patch 
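Review bot: Removing `if(sa->sa_data == NULL)` in ring_bind is behaviour-neutral only because sa_data is an embedded array whose address can never be NULL (which is what the compiler warned about), so the surviving `memcpy(name, sa->sa_data, sizeof(sa->sa_data))` now depends solely on the addr_len validation that precedes this hunk; the patch header should say so rather than presenting it as a pure warning fix. The dropped `zc_dev.dev->name` test in ring_release is presumably the same situation (a char array), but confirm that against the struct definition before accepting that the check was dead. Note also that recent kernels declare struct sockaddr's sa_data as a flexible array member, on which `sizeof` does not compile, so the memcpy length may need to be expressed via the destination buffer when the module is built against such a kernel. All three patched functions start outside this hunk.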
@@ -0,0 +1,44 @@ +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -28,8 +28,8 @@ set(PROJECT_VERSION_MINOR ${CMAKE_MATCH_ + set(PROJECT_VERSION_PATCH ${CMAKE_MATCH_3}) + set(PROJECT_VERSION ${PROJECT_VERSION_MAJOR}.${PROJECT_VERSION_MINOR}.${PROJECT_VERSION_PATCH}) + +-# Helper function to get version-info +-function(get_version_info result current_var_name age_var_name revision_var_name) ++# Helper function to get library versions ++function(get_lib_versions version_result soversion_result current_var_name age_var_name revision_var_name) + string(REGEX MATCH "${current_var_name}=([0-9]*)" DUMMY ${CONFIGURE_AC_CONTENTS}) + set(VERSION_INFO_CURRENT ${CMAKE_MATCH_1}) + +@@ -41,7 +41,8 @@ function(get_version_info result current + + math(EXPR VERSION_INFO_CURRENT_MINUS_AGE "${VERSION_INFO_CURRENT} - ${VERSION_INFO_AGE}") + +- set(${result} "${VERSION_INFO_CURRENT_MINUS_AGE}.${VERSION_INFO_AGE}.${VERSION_INFO_REVISION}" PARENT_SCOPE) ++ set(${version_result} "${VERSION_INFO_CURRENT_MINUS_AGE}.${VERSION_INFO_AGE}.${VERSION_INFO_REVISION}" PARENT_SCOPE) ++ set(${soversion_result} "${VERSION_INFO_CURRENT_MINUS_AGE}" PARENT_SCOPE) + endfunction() + + # Helper function to configure pkg-config files +--- a/lib/CMakeLists.txt ++++ b/lib/CMakeLists.txt +@@ -78,12 +78,12 @@ if (NOT BUILD_FRAMEWORK) + add_library(vorbisenc ${VORBISENC_SOURCES}) + add_library(vorbisfile ${VORBISFILE_SOURCES}) + +- get_version_info(VORBIS_VERSION_INFO "V_LIB_CURRENT" "V_LIB_AGE" "V_LIB_REVISION") +- set_target_properties(vorbis PROPERTIES SOVERSION ${VORBIS_VERSION_INFO}) +- get_version_info(VORBISENC_VERSION_INFO "VE_LIB_CURRENT" "VE_LIB_AGE" "VE_LIB_REVISION") +- set_target_properties(vorbisenc PROPERTIES SOVERSION ${VORBISENC_VERSION_INFO}) +- get_version_info(VORBISFILE_VERSION_INFO "VF_LIB_CURRENT" "VF_LIB_AGE" "VF_LIB_REVISION") +- set_target_properties(vorbisfile PROPERTIES SOVERSION ${VORBISFILE_VERSION_INFO}) ++ get_lib_versions(VORBIS_VERSION VORBIS_SOVERSION "V_LIB_CURRENT" "V_LIB_AGE" 
"V_LIB_REVISION") ++ set_target_properties(vorbis PROPERTIES VERSION ${VORBIS_VERSION} SOVERSION ${VORBIS_SOVERSION}) ++ get_lib_versions(VORBISENC_VERSION VORBISENC_SOVERSION "VE_LIB_CURRENT" "VE_LIB_AGE" "VE_LIB_REVISION") ++ set_target_properties(vorbisenc PROPERTIES VERSION ${VORBISENC_VERSION} SOVERSION ${VORBISENC_SOVERSION}) ++ get_lib_versions(VORBISFILE_VERSION VORBISFILE_SOVERSION "VF_LIB_CURRENT" "VF_LIB_AGE" "VF_LIB_REVISION") ++ set_target_properties(vorbisfile PROPERTIES VERSION ${VORBISFILE_VERSION} SOVERSION ${VORBISFILE_SOVERSION}) + + target_include_directories(vorbis + PUBLIC diff --git a/libs/xr_usb_serial_common/patches/100-fix-compilation-warning-unused-function.patch b/libs/xr_usb_serial_common/patches/100-fix-compilation-warning-unused-function.patch new file mode 100644 index 000000000..4e92f7a1d --- /dev/null +++ b/libs/xr_usb_serial_common/patches/100-fix-compilation-warning-unused-function.patch 
@@ -0,0 +1,42 @@ +--- a/xr_usb_serial_common-1a/xr_usb_serial_common.c ++++ b/xr_usb_serial_common-1a/xr_usb_serial_common.c +@@ -258,7 +258,9 @@ static void xr_usb_serial_ctrl_irq(struct urb *urb) + { + struct xr_usb_serial *xr_usb_serial = urb->context; + struct usb_cdc_notification *dr = urb->transfer_buffer; ++#if LINUX_VERSION_CODE <= KERNEL_VERSION(3, 9, 0) + struct tty_struct *tty; ++#endif + unsigned char *data; + int newctrl; + int retval; +@@ -390,7 +392,9 @@ static int xr_usb_serial_submit_read_urbs(struct xr_usb_serial *xr_usb_serial, g + } + static void xr_usb_serial_process_read_urb(struct xr_usb_serial *xr_usb_serial, struct urb *urb) + { ++#if LINUX_VERSION_CODE <= KERNEL_VERSION(3, 9, 0) + struct tty_struct *tty; ++#endif + if (!urb->actual_length) + return; + #if LINUX_VERSION_CODE > KERNEL_VERSION(3, 9, 0) +@@ -465,7 +469,9 @@ static void xr_usb_serial_write_bulk(struct urb *urb) + static void xr_usb_serial_softint(struct work_struct *work) + { + struct xr_usb_serial *xr_usb_serial = container_of(work, struct xr_usb_serial, work); ++#if LINUX_VERSION_CODE <= KERNEL_VERSION(3, 9, 0) + struct tty_struct *tty; ++#endif + + dev_vdbg(&xr_usb_serial->data->dev, "%s\n", __func__); + #if LINUX_VERSION_CODE > KERNEL_VERSION(3, 9, 0) +@@ -1631,7 +1637,9 @@ err_out: + static int xr_usb_serial_reset_resume(struct usb_interface *intf) + { + struct xr_usb_serial *xr_usb_serial = usb_get_intfdata(intf); ++#if LINUX_VERSION_CODE <= KERNEL_VERSION(3, 9, 0) + struct tty_struct *tty; ++#endif + if (tty_port_initialized(&xr_usb_serial->port)){ + #if LINUX_VERSION_CODE > KERNEL_VERSION(3, 9, 0) + tty_port_tty_hangup(&xr_usb_serial->port, false); diff --git a/mail/dovecot/Makefile b/mail/dovecot/Makefile index 8f9e66e15..e23e1578e 100644 --- a/mail/dovecot/Makefile +++ b/mail/dovecot/Makefile 
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dovecot -PKG_VERSION:=2.3.18 -PKG_RELEASE:=2 +PKG_VERSION:=2.3.20 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://dovecot.org/releases/2.3 -PKG_HASH:=06e73f668c6c093c45bdeeeb7c20398ab8dc49317234f4b5781ac5e2cc5d6c33 +PKG_HASH:=caa832eb968148abdf35ee9d0f534b779fa732c0ce4a913d9ab8c3469b218552 PKG_MAINTAINER:=Lucian Cristian PKG_LICENSE:=LGPL-2.1-only MIT BSD-3-Clause diff --git a/mail/pigeonhole/Makefile b/mail/pigeonhole/Makefile index 7192463ed..667e2c10d 100644 --- a/mail/pigeonhole/Makefile +++ b/mail/pigeonhole/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dovecot-pigeonhole -PKG_VERSION_PLUGIN:=0.5.19 +PKG_VERSION_PLUGIN:=0.5.20 PKG_VERSION_DOVECOT:=$(shell make --no-print-directory -C ../dovecot/ val.PKG_VERSION V=s) PKG_VERSION:=$(PKG_VERSION_DOVECOT)-$(PKG_VERSION_PLUGIN) PKG_RELEASE:=1 @@ -17,7 +17,7 @@ DOVECOT_VERSION:=2.3 PKG_SOURCE:=dovecot-$(DOVECOT_VERSION)-pigeonhole-$(PKG_VERSION_PLUGIN).tar.gz PKG_SOURCE_URL:=https://pigeonhole.dovecot.org/releases/$(DOVECOT_VERSION) -PKG_HASH:=637709a83fb1338c918e5398049f96b7aeb5ae00696794ed1e5a4d4c0ca3f688 +PKG_HASH:=ae32bd4870ea2c1328ae09ba206e9ec12128046d6afca52fbbc9ef7f75617c98 PKG_MAINTAINER:=W. Michael Petullo PKG_LICENSE:=LGPL-2.1-or-later diff --git a/net/aardvark-dns/Makefile b/net/aardvark-dns/Makefile new file mode 100644 index 000000000..0af515c24 --- /dev/null +++ b/net/aardvark-dns/Makefile 
@@ -0,0 +1,43 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=aardvark-dns +PKG_RELEASE:=1 + +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=https://github.com/containers/aardvark-dns.git +PKG_SOURCE_DATE:=2023-05-12 +PKG_SOURCE_VERSION:=6e06736707d8a84240858e968a54a083083e3a09 +PKG_MIRROR_HASH:=407d73c0a01b9fd6248a1ce058541707580db46a7d18f776780fe7922ba97391 + +PKG_MAINTAINER:=Oskari Rauta +PKG_LICENSE:=Apache-2.0 +PKG_LICENSE_FILES:=LICENSE + +PKG_BUILD_DEPENDS:=rust/host + +include $(INCLUDE_DIR)/package.mk +include ../../lang/rust/rust-package.mk + +define Package/aardvark-dns + SECTION:=net + CATEGORY:=Network + DEPENDS:=$(RUST_ARCH_DEPENDS) + TITLE:=authoritative dns server for container records + URL:=https://github.com/containers/aardvark-dns +endef + +define Package/aardvark-dns/description + Aardvark-dns is an authoritative dns server for A/AAAA container records. + It can forward other requests to configured resolvers. + + It is mostly intended to be used with Netavark which will + launch it automatically if both are installed. +endef + +define Package/aardvark-dns/install + $(INSTALL_DIR) $(1)/usr/lib/podman + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/bin/aardvark-dns $(1)/usr/lib/podman/ +endef + +$(eval $(call RustBinPackage,aardvark-dns)) +$(eval $(call BuildPackage,aardvark-dns)) diff --git a/net/banip/Makefile b/net/banip/Makefile index fe74a723d..ce1d4a7df 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=0.8.5 -PKG_RELEASE:=2 +PKG_VERSION:=0.8.6 +PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 85903d1de..bca7ac3a5 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -75,6 +75,7 @@ ban_fetchinsecure="" ban_fetchretry="5" ban_cores="" ban_memory="" +ban_packages="" ban_trigger="" ban_triggerdelay="10" ban_resolver="" 
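Review bot: No PKG_VERSION is declared, so the version string the build system emits is whatever it derives from PKG_SOURCE_DATE and the abbreviated PKG_SOURCE_VERSION (presumably the download-rules fallback, giving something like `2023-05-12~6e067367`, constructed example), which sorts unpredictably against a later tagged release and makes opkg upgrade decisions hard to reason about. An explicit `PKG_VERSION:=<upstream tag>` that matches the pinned commit 6e06736707d8a84240858e968a54a083083e3a09 would fix that; the same applies to net/netavark/Makefile in this commit. Pinning a commit together with PKG_MIRROR_HASH is the right call for reproducibility and should stay as is.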
@@ -90,8 +91,9 @@ f_system() { ban_debug="$(uci_get banip global ban_debug)" ban_cores="$(uci_get banip global ban_cores)" fi + ban_packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)" ban_memory="$("${ban_awkcmd}" '/^MemAvailable/{printf "%s",int($2/1000)}' "/proc/meminfo" 2>/dev/null)" - ban_ver="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null | jsonfilter -ql1 -e '@.packages.banip')" + ban_ver="$(printf "%s" "${ban_packages}" | jsonfilter -ql1 -e '@.packages.banip')" ban_sysver="$(${ban_ubuscmd} -S call system board 2>/dev/null | jsonfilter -ql1 -e '@.model' -e '@.release.description' | "${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')" if [ -z "${ban_cores}" ]; then @@ -171,6 +173,19 @@ f_trim() { printf "%s" "${string}" } +# remove logservice +# +f_rmpid() { + local ppid pid pids + + ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" + [ -n "${ppid}" ] && pids="$(pgrep -P "${ppid}" 2>/dev/null)" || return 0 + for pid in ${pids}; do + kill -INT "${pid}" >/dev/null 2>&1 + done + : >"${ban_pidfile}" +} + # write log messages # f_log() { 
@@ -253,30 +268,54 @@ f_conf() { [ "${ban_action}" = "boot" ] && [ -z "${ban_trigger}" ] && sleep ${ban_triggerdelay} } -# prepare fetch utility +# get nft/monitor actuals # -f_fetch() { - local item utils packages insecure +f_actual() { + local nft monitor - if [ -z "${ban_fetchcmd}" ] || [ ! -x "$(command -v "${ban_fetchcmd}")" ]; then - packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)" - [ -z "${packages}" ] && f_log "err" "no local package repository" + if "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then + nft="$(f_char "1")" + else + nft="$(f_char "0")" + fi + if pgrep -f "logread" -P "$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then + monitor="$(f_char "1")" + else + monitor="$(f_char "0")" + fi + printf "%s" "nft: ${nft}, monitor: ${monitor}" +} + +# get fetch utility +# +f_getfetch() { + local item utils insecure update="0" + + if { [ "${ban_fetchcmd}" = "uclient-fetch" ] && printf "%s" "${ban_packages}" | "${ban_grepcmd}" -q '"libustream-'; } || + { [ "${ban_fetchcmd}" = "wget" ] && printf "%s" "${ban_packages}" | "${ban_grepcmd}" -q '"wget-ssl'; } || + [ "${ban_fetchcmd}" = "curl" ] || [ "${ban_fetchcmd}" = "aria2c" ]; then + ban_fetchcmd="$(command -v "${ban_fetchcmd}")" + else + ban_fetchcmd="" + fi + + if [ "${ban_autodetect}" = "1" ] && [ ! 
-x "${ban_fetchcmd}" ]; then utils="aria2c curl wget uclient-fetch" for item in ${utils}; do - if { [ "${item}" = "uclient-fetch" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"libustream-'; } || - { [ "${item}" = "wget" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"wget-ssl'; } || + if { [ "${item}" = "uclient-fetch" ] && printf "%s" "${ban_packages}" | "${ban_grepcmd}" -q '"libustream-'; } || + { [ "${item}" = "wget" ] && printf "%s" "${ban_packages}" | "${ban_grepcmd}" -q '"wget-ssl'; } || [ "${item}" = "curl" ] || [ "${item}" = "aria2c" ]; then ban_fetchcmd="$(command -v "${item}")" if [ -x "${ban_fetchcmd}" ]; then - uci_set banip global ban_fetchcmd "${ban_fetchcmd##*/}" + update="1" + uci_set banip global ban_fetchcmd "${item}" uci_commit "banip" break fi fi done - else - ban_fetchcmd="$(command -v "${ban_fetchcmd}")" fi + [ ! -x "${ban_fetchcmd}" ] && f_log "err" "no download utility with SSL support" case "${ban_fetchcmd##*/}" in "aria2c") @@ -297,38 +336,7 @@ f_fetch() { ;; esac - f_log "debug" "f_fetch ::: cmd: ${ban_fetchcmd:-"-"}, parm: ${ban_fetchparm:-"-"}" -} - -# remove logservice -# -f_rmpid() { - local ppid pid pids - - ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" - [ -n "${ppid}" ] && pids="$(pgrep -P "${ppid}" 2>/dev/null)" || return 0 - for pid in ${pids}; do - kill -INT "${pid}" >/dev/null 2>&1 - done - : >"${ban_pidfile}" -} - -# get nft/monitor actuals -# -f_actual() { - local nft monitor - - if "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then - nft="$(f_char "1")" - else - nft="$(f_char "0")" - fi - if pgrep -f "logread" -P "$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then - monitor="$(f_char "1")" - else - monitor="$(f_char "0")" - fi - printf "%s" "nft: ${nft}, monitor: ${monitor}" + f_log "debug" "f_getfetch ::: auto/update: ${ban_autodetect}/${update}, cmd: ${ban_fetchcmd:-"-"}, parm: ${ban_fetchparm:-"-"}" } # get wan interfaces 
@@ -1355,6 +1363,59 @@ f_mail() { f_log "debug" "f_mail ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}" } +# log monitor +# +f_monitor() { + local nft_expiry line proto ip log_raw log_count + + if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then + f_log "info" "start detached banIP log service" + [ -n "${ban_nftexpiry}" ] && nft_expiry="timeout $(printf "%s" "${ban_nftexpiry}" | "${ban_grepcmd}" -oE "([0-9]+[d|h|m|s])+$")" + # read log continuously with given logterms + # + "${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null | + while read -r line; do + proto="" + # IPv4 log parsing + # + ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{if(!seen[RT]++)printf "%s ",RT}')" + ip="$(f_trim "${ip}")" + ip="${ip##* }" + [ -n "${ip}" ] && proto="v4" + if [ -z "${proto}" ]; then + # IPv6 log parsing + # + ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{if(!seen[RT]++)printf "%s ",RT}')" + ip="$(f_trim "${ip}")" + ip="${ip##* }" + [ -n "${ip}" ] && proto="v6" + fi + if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then + f_log "info" "suspicious IP${proto} '${ip}'" + log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)" + log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP${proto} '${ip}'")" + if [ "${log_count}" -ge "${ban_logcount}" ]; then + if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then + f_log "info" "add IP${proto} '${ip}' (expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set" + if [ -z "${ban_nftexpiry}" ] && [ "${ban_autoblocklist}" = "1" ] && ! 
"${ban_grepcmd}" -q "^${ip}" "${ban_blocklist}"; then + printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}" + f_log "info" "add IP${proto} '${ip}' to local blocklist" + fi + fi + fi + fi + done + + # start detached no-op service loop + # + else + f_log "info" "start detached no-op banIP service" + while :; do + sleep 1 + done + fi +} + # initial sourcing # if [ -r "/lib/functions.sh" ] && [ -r "/lib/functions/network.sh" ] && [ -r "/usr/share/libubox/jshn.sh" ]; then diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh index b67c5a0aa..3f43ef34c 100755 --- a/net/banip/files/banip-service.sh +++ b/net/banip/files/banip-service.sh @@ -18,7 +18,7 @@ f_log "info" "start banIP processing (${ban_action})" f_log "debug" "f_system ::: system: ${ban_sysver:-"n/a"}, version: ${ban_ver:-"n/a"}, memory: ${ban_memory:-"0"}, cpu_cores: ${ban_cores}" f_genstatus "processing" f_tmp -f_fetch +f_getfetch f_getif f_getdev f_getuplink @@ -93,7 +93,7 @@ for feed in allowlist ${ban_feed} blocklist; do eval json_get_var feed_"${object}" '${object}' >/dev/null 2>&1 done json_select .. - + # skip incomplete feeds # if { { [ -n "${feed_url_4}" ] && [ -z "${feed_rule_4}" ]; } || { [ -z "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; }; } || 
@@ -162,54 +162,6 @@ fi json_cleanup rm -rf "${ban_lock}" -# start detached log service +# start detached log service (infinite loop) # -if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then - f_log "info" "start detached banIP log service" - - nft_expiry="$(printf "%s" "${ban_nftexpiry}" | grep -oE "([0-9]+[h|m|s]$)")" - [ -n "${nft_expiry}" ] && nft_expiry="timeout ${nft_expiry}" - - # read log continuously with given logterms - # - "${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null | - while read -r line; do - proto="" - # IPv4 log parsing - # - ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{if(!seen[RT]++)printf "%s ",RT}')" - ip="$(f_trim "${ip}")" - ip="${ip##* }" - [ -n "${ip}" ] && proto="v4" - if [ -z "${proto}" ]; then - # IPv6 log parsing - # - ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{if(!seen[RT]++)printf "%s ",RT}')" - ip="$(f_trim "${ip}")" - ip="${ip##* }" - [ -n "${ip}" ] && proto="v6" - fi - if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then - f_log "info" "suspicious IP${proto} '${ip}'" - log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)" - log_count="$(printf "%s\n" "${log_raw}" | grep -c "suspicious IP${proto} '${ip}'")" - if [ "${log_count}" -ge "${ban_logcount}" ]; then - if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then - f_log "info" "add IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set" - if [ "${ban_autoblocklist}" = "1" ] && ! 
grep -q "^${ip}" "${ban_blocklist}"; then - printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}" - f_log "info" "add IP${proto} '${ip}' to local blocklist" - fi - fi - fi - fi - done - -# start detached no-op service loop -# -else - f_log "info" "start detached no-op banIP service" - while :; do - sleep 1 - done -fi +f_monitor diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile index a627c88ca..db2040e23 100644 --- a/net/lighttpd/Makefile +++ b/net/lighttpd/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lighttpd -PKG_VERSION:=1.4.69 -PKG_RELEASE:=3 +PKG_VERSION:=1.4.70 +PKG_RELEASE:=1 # release candidate ~rcX testing; remove for release #PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://download.lighttpd.net/lighttpd/releases-1.4.x -PKG_HASH:=16ac8db95e719629ba61949b99f8a26feba946a81d185215b28379bb4116b0b4 +PKG_HASH:=921ebe1cf4b6b9897e03779ab7a23a31f4ba40a1abe2067525c33cd3ce61fe85 PKG_MAINTAINER:=W. Michael Petullo PKG_LICENSE:=BSD-3-Clause @@ -60,7 +60,7 @@ PKG_BUILD_DEPENDS:= \ include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/meson.mk -# choose crypto lib for lighttpd to use for crypto algorithms (default: nettle) +# choose crypto lib for lighttpd to use for crypto algorithms # (separate from lighttpd TLS modules, which are each standalone) cryptolibdep= \ +LIGHTTPD_CRYPTOLIB_NETTLE:libnettle \ @@ -69,8 +69,6 @@ cryptolibdep= \ ifdef CONFIG_LIGHTTPD_CRYPTOLIB_MBEDTLS TARGET_CPPFLAGS += -DFORCE_MBEDTLS_CRYPTO else ifdef CONFIG_LIGHTTPD_CRYPTOLIB_WOLFSSL - # (Note: if CONFIG_LIGHTTPD_CRYPTOLIB_WOLFSSL is set, - # then lighttpd-mod-mbedtls should not be selected to also be built) TARGET_CPPFLAGS += -DFORCE_WOLFSSL_CRYPTO endif 
@@ -123,7 +121,7 @@ config LIGHTTPD_PCRE2 if PACKAGE_lighttpd choice prompt "crypto library" - default LIGHTTPD_CRYPTOLIB_NETTLE + default LIGHTTPD_CRYPTOLIB_MBEDTLS help library to use for cryptographic algorithms @@ -177,7 +175,7 @@ MESON_ARGS += \ -Dwith_zlib=$(if $(CONFIG_PACKAGE_lighttpd-mod-deflate),enabled,disabled) \ -Dwith_zstd=disabled -BASE_MODULES:=dirlisting +BASE_MODULES:=dirlisting h2 define Package/lighttpd/conffiles /etc/lighttpd/lighttpd.conf @@ -307,8 +305,9 @@ server.modules += ( \"mod_$(1)\" )" $$(1)/etc/lighttpd/conf.d/$(4)-$(1).conf ; \ $$(eval $$(call BuildPackage,lighttpd-mod-$(1))) endef -# included in BASE_MODULES:=dirlisting +# included in BASE_MODULES:=dirlisting h2 #$(eval $(call BuildPlugin,dirlisting,dirlisting,,30)) +#$(eval $(call BuildPlugin,h2,HTTP/2,,30)) # included in base lighttpd executable; # no longer loaded as separate dynamic modules diff --git a/net/lighttpd/patches/020-meson-mod_webdav_min.patch b/net/lighttpd/patches/020-meson-mod_webdav_min.patch index 6c7ab078e..bef6f2e56 100644 --- a/net/lighttpd/patches/020-meson-mod_webdav_min.patch +++ b/net/lighttpd/patches/020-meson-mod_webdav_min.patch @@ -9,7 +9,7 @@ Subject: [PATCH] [meson] mod_webdav_min w/o deps: xml2 sqlite3 uuid --- a/src/meson.build +++ b/src/meson.build -@@ -865,6 +865,16 @@ if libsasl.found() +@@ -879,6 +879,16 @@ if libsasl.found() ] endif diff --git a/net/lighttpd/patches/030-meson-check-FORCE_._CRYPTO.patch b/net/lighttpd/patches/030-meson-check-FORCE_._CRYPTO.patch deleted file mode 100644 index 6db289588..000000000 --- a/net/lighttpd/patches/030-meson-check-FORCE_._CRYPTO.patch +++ /dev/null 
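Review bot: Switching the Kconfig `default` from LIGHTTPD_CRYPTOLIB_NETTLE to LIGHTTPD_CRYPTOLIB_MBEDTLS silently changes which library supplies lighttpd's digest/HMAC primitives (used by e.g. mod_auth and mod_secdownload) for every build that never touched this choice; that is a functional and security-relevant change and deserves a sentence in the commit message, and the `help` text should state the new default, e.g. `library to use for cryptographic algorithms (default: mbedTLS)`. The earlier hunk removing "(default: nettle)" from the Makefile comment keeps the two consistent, which is good. The `choice` block continues outside this hunk.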
@@ -1,34 +0,0 @@ -From e91ad65e4aacde815679c06cb687931dd7beb9b3 Mon Sep 17 00:00:00 2001 -From: Glenn Strauss -Date: Thu, 20 Apr 2023 21:27:36 -0400 -Subject: [PATCH] [meson] check FORCE_{WOLFSSL,MBEDTLS}_CRYPTO - ---- - src/meson.build | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - ---- a/src/meson.build -+++ b/src/meson.build -@@ -358,15 +358,19 @@ if get_option('with_mbedtls') - libmbedtls = [ compiler.find_library('mbedtls') ] - libmbedx509 = [ compiler.find_library('mbedx509') ] - libmbedcrypto = [ compiler.find_library('mbedcrypto') ] -- libcrypto = [ compiler.find_library('mbedcrypto') ] -+ if compiler.get_define('FORCE_WOLFSSL_CRYPTO') == '' -+ libcrypto = [ compiler.find_library('mbedcrypto') ] -+ endif - conf_data.set('HAVE_LIBMBEDCRYPTO', true) - endif - if get_option('with_nettle') - # manual search: - # header: nettle/nettle-types.h - # function: nettle_md5_init (-lnettle) -- libcrypto = [ dependency('nettle') ] -- conf_data.set('HAVE_NETTLE_NETTLE_TYPES_H', true) -+ if compiler.get_define('FORCE_WOLFSSL_CRYPTO') == '' and compiler.get_define('FORCE_MBEDTLS_CRYPTO') == '' -+ libcrypto = [ dependency('nettle') ] -+ conf_data.set('HAVE_NETTLE_NETTLE_TYPES_H', true) -+ endif - endif - if get_option('with_gnutls') - # manual search: diff --git a/net/lighttpd/patches/030-mod_h2-HTTP-2-separate-mod.patch b/net/lighttpd/patches/030-mod_h2-HTTP-2-separate-mod.patch new file mode 100644 index 000000000..652b214e4 --- /dev/null +++ b/net/lighttpd/patches/030-mod_h2-HTTP-2-separate-mod.patch 
@@ -0,0 +1,87 @@ +From 2892a7bf3f8ce92f41134fab25fbc2057f4a36bf Mon Sep 17 00:00:00 2001 +From: Glenn Strauss +Date: Wed, 10 May 2023 19:06:42 -0400 +Subject: [PATCH] [mod_h2] HTTP/2 separate module; no longer builtin + +--- + src/CMakeLists.txt | 3 --- + src/Makefile.am | 9 +++------ + src/SConscript | 4 +--- + src/meson.build | 3 --- + 4 files changed, 4 insertions(+), 15 deletions(-) + +--- a/src/CMakeLists.txt ++++ b/src/CMakeLists.txt +@@ -922,10 +922,7 @@ set(SERVER_SRC + response.c + connections.c + h1.c +- h2.c + sock_addr_cache.c +- ls-hpack/lshpack.c +- algo_xxhash.c + fdevent_impl.c + http_range.c + network.c +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -70,12 +70,10 @@ common_src=base64.c buffer.c burl.c log. + + common_src += fdevent_win32.c fs_win32.c + +-src = server.c response.c connections.c h1.c h2.c \ ++src = server.c response.c connections.c h1.c \ + sock_addr_cache.c \ + network.c \ + network_write.c \ +- ls-hpack/lshpack.c \ +- algo_xxhash.c \ + fdevent_impl.c \ + http_range.c \ + data_config.c \ +@@ -428,6 +426,8 @@ lighttpd_LDADD = \ + $(FAM_LIBS) $(LIBEV_LIBS) $(LIBUNWIND_LIBS) + lighttpd_LDFLAGS = -export-dynamic + ++lighttpd_SOURCES += h2.c ls-hpack/lshpack.c algo_xxhash.c ++lighttpd_LDADD += $(XXHASH_LIBS) + if BUILD_WITH_MAXMINDDB + lighttpd_SOURCES += mod_maxminddb.c + lighttpd_LDADD += $(MAXMINDDB_LIB) +@@ -489,9 +489,6 @@ lighttpd_SOURCES += mod_wolfssl.c + lighttpd_CPPFLAGS += $(WOLFSSL_CFLAGS) + lighttpd_LDADD += $(WOLFSSL_LIBS) + endif +-#(until switch to mod_h2) +-#lighttpd_SOURCES += h2.c ls-hpack/lshpack.c algo_xxhash.c +-#lighttpd_LDADD += $(XXHASH_LIBS) + + else + +--- a/src/SConscript ++++ b/src/SConscript +@@ -75,10 +75,8 @@ common_src = Split("base64.c buffer.c bu + ck.c \ + ") + +-src = Split("server.c response.c connections.c h1.c h2.c \ ++src = Split("server.c response.c connections.c h1.c \ + sock_addr_cache.c \ +- ls-hpack/lshpack.c \ +- algo_xxhash.c \ + fdevent_impl.c \ + http_range.c \ + network.c \ +--- 
a/src/meson.build ++++ b/src/meson.build +@@ -560,10 +560,7 @@ main_src = files( + 'connections.c', + 'data_config.c', + 'h1.c', +- 'h2.c', + 'sock_addr_cache.c', +- 'ls-hpack/lshpack.c', +- 'algo_xxhash.c', + 'fdevent_impl.c', + 'http_range.c', + 'network_write.c', diff --git a/net/lighttpd/patches/031-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch b/net/lighttpd/patches/031-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch deleted file mode 100644 index d50b2e90c..000000000 --- a/net/lighttpd/patches/031-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch +++ /dev/null @@ -1,23 +0,0 @@ -From 37cbdacda78f9df4aba4c39e60472025d93bb7ba Mon Sep 17 00:00:00 2001 -From: Glenn Strauss -Date: Fri, 28 Apr 2023 03:17:16 -0400 -Subject: [PATCH] [mod_mbedtls] check MBEDTLS_DEBUG_C for debug func - ---- - src/mod_mbedtls.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/src/mod_mbedtls.c -+++ b/src/mod_mbedtls.c -@@ -2357,9 +2357,11 @@ CONNECTION_FUNC(mod_mbedtls_handle_con_a - * overlap, and so this debug setting is not reset upon connection close. - * Once enabled, debug hook will remain so for this mbedtls_ssl_config */ - if (hctx->conf.ssl_log_noise) {/* volume level for debug message callback */ -+ #ifdef MBEDTLS_DEBUG_C - #if MBEDTLS_VERSION_NUMBER >= 0x02000000 /* mbedtls 2.0.0 */ - mbedtls_debug_set_threshold(hctx->conf.ssl_log_noise); - #endif -+ #endif - mbedtls_ssl_conf_dbg(hctx->ssl_ctx, mod_mbedtls_debug_cb, - (void *)(intptr_t)hctx->conf.ssl_log_noise); - } diff --git a/net/lighttpd/patches/032-meson-build-fix-for-builtin_mods.patch b/net/lighttpd/patches/032-meson-build-fix-for-builtin_mods.patch deleted file mode 100644 index 2375f8a71..000000000 --- a/net/lighttpd/patches/032-meson-build-fix-for-builtin_mods.patch +++ /dev/null 
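Review bot: This backport removes h2.c, ls-hpack/lshpack.c and algo_xxhash.c from the common source lists of all four build systems, so with the meson build OpenWrt uses HTTP/2 exists only if mod_h2 is pulled in as a module; the `BASE_MODULES:=dirlisting h2` change in net/lighttpd/Makefile in this same commit is what keeps it built in, and that coupling is worth one line in the patch header so a future patch refresh does not drop one without the other. In the Makefile.am hunk the new `lighttpd_SOURCES += h2.c ls-hpack/lshpack.c algo_xxhash.c` lands above `if BUILD_WITH_MAXMINDDB`, inside a conditional whose start is outside the hunk while its `else` is visible further down; confirm it sits in the intended (presumably static-build) branch, since the commented-out lines it replaces lived after the wolfssl block. The diffstat lists only build files, so the mod_h2.c source must already be present in the 1.4.70 tarball.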
@@ -1,20 +0,0 @@ -From 2fc157f37ea4644ba9ac776de1926b9e518ec42b Mon Sep 17 00:00:00 2001 -From: Glenn Strauss -Date: Sat, 29 Apr 2023 00:43:55 -0400 -Subject: [PATCH] [meson] build fix for builtin_mods - ---- - src/meson.build | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - ---- a/src/meson.build -+++ b/src/meson.build -@@ -656,7 +656,7 @@ executable('lighttpd-angel', - ) - - executable('lighttpd', configparser, -- sources: common_src + main_src, -+ sources: common_src + main_src + builtin_mods, - dependencies: [ common_flags, lighttpd_flags - , libattr - , libcrypto diff --git a/net/netavark/Makefile b/net/netavark/Makefile new file mode 100644 index 000000000..cf43a655e --- /dev/null +++ b/net/netavark/Makefile 
@@ -0,0 +1,51 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=netavark
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/containers/netavark.git
+PKG_SOURCE_DATE:=2023-05-12
+PKG_SOURCE_VERSION:=07d63eadef1def977f2ece25b0f464f7e5d77be1
+PKG_MIRROR_HASH:=f7597d70528d039b984b2ecc6ef0e1f1c17aacfc7862907e5a79789ebe98aa89
+
+PKG_MAINTAINER:=Oskari Rauta
+PKG_LICENSE:=Apache-2.0
+PKG_LICENSE_FILES:=LICENSE
+
+PKG_BUILD_DEPENDS:= \
+ rust/host \
+ protobuf/host
+
+include $(INCLUDE_DIR)/package.mk
+include ../../lang/rust/rust-package.mk
+
+define Package/netavark
+ SECTION:=net
+ CATEGORY:=Network
+ DEPENDS:=$(RUST_ARCH_DEPENDS)
+ TITLE:=A container network stack
+ URL:=https://github.com/containers/netavark
+endef
+
+define Package/netavark/description
+ Netavark is a rust based network stack for containers. It is being designed to work with Podman but is also
+ applicable for other OCI container management applications.
+endef
+
+define Package/netavark/conffiles
+/etc/config/netavark
+endef
+
+CARGO_VARS += \
+ PROTOC=$(STAGING_DIR_HOSTPKG)/bin/protoc
+
+define Package/netavark/install
+ $(INSTALL_DIR) $(1)/etc/config $(1)/usr/lib/podman
+ $(INSTALL_CONF) ./files/netavark-config $(1)/etc/config/netavark
+ $(INSTALL_BIN) ./files/netavark-wrapper $(1)/usr/lib/podman/netavark
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/bin/netavark $(1)/usr/lib/podman/netavark-bin
+endef
+
+$(eval $(call RustBinPackage,netavark))
+$(eval $(call BuildPackage,netavark))
diff --git a/net/netavark/files/netavark-config b/net/netavark/files/netavark-config
new file mode 100644
index 000000000..c9c3796af
--- /dev/null
+++ b/net/netavark/files/netavark-config
@@ -0,0 +1,3 @@
+
+config firewall
+ option driver 'none'
diff --git a/net/netavark/files/netavark-wrapper b/net/netavark/files/netavark-wrapper
new file mode 100755
index 000000000..d072bb29b
--- /dev/null
+++ b/net/netavark/files/netavark-wrapper
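Review bot: The shipped default `option driver 'none'` presumably tells netavark (via NETAVARK_FW in the wrapper) to install no firewall or NAT rules for container networks, which is a defensible choice on a router whose firewall is managed by the system, but it will surprise users expecting published ports to work, and the file carries no comment on what the option controls or which other driver values netavark accepts. Since the Makefile registers this file as a conffile it is exactly where users will edit it, so a leading comment such as `# firewall driver passed to netavark as NETAVARK_FW; 'none' leaves container NAT/forwarding to the system firewall` documents the decision at the point of use.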
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+FW_DRIVER=$(uci -q get 'netavark.@firewall[0].driver')
+[ -z "$FW_DRIVER" ] && FW_DRIVER="none"
+
+NETAVARK_FW="$FW_DRIVER" /usr/lib/podman/netavark-bin $@
diff --git a/net/pbr/Makefile b/net/pbr/Makefile
index 0ab59a28e..744db6ab6 100644
--- a/net/pbr/Makefile
+++ b/net/pbr/Makefile
@@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=pbr
 PKG_VERSION:=1.1.1
-PKG_RELEASE:=5
+PKG_RELEASE:=7
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Stan Grishin
diff --git a/net/pbr/files/etc/init.d/pbr.init b/net/pbr/files/etc/init.d/pbr.init
index d8ecaa7da..b8c9c3d82 100755
--- a/net/pbr/files/etc/init.d/pbr.init
+++ b/net/pbr/files/etc/init.d/pbr.init
@@ -163,7 +163,7 @@ output_failn() { output 1 "$_FAIL_\\n"; output 2 "$__FAIL__\\n"; }
 # shellcheck disable=SC2317
 str_replace() { printf "%b" "$1" | sed -e "s/$(printf "%b" "$2")/$(printf "%b" "$3")/g"; }
 str_replace() { echo "${1//$2/$3}"; }
-str_contains() { [ -n "$1" ] &&[ -n "$2" ] && [ "${1//$2}" != "$1" ]; }
+str_contains() { [ -n "$1" ] && [ -n "$2" ] && [ "${1//$2}" != "$1" ]; }
 is_greater() { test "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1"; }
 is_greater_or_equal() { test "$(printf '%s\n' "$@" | sort -V | head -n 1)" = "$2"; }
 str_contains_word() { echo "$1" | grep -q -w "$2"; }
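Review bot: The final line of the wrapper hands the arguments on as an unquoted `$@`, so any argument containing whitespace or glob characters is re-split or expanded before netavark-bin sees it, and because the binary is not exec'd the wrapper lingers as an extra parent process on every invocation. Replace that line with `export NETAVARK_FW="$FW_DRIVER"` followed by `exec /usr/lib/podman/netavark-bin "$@"`. The fallback on the line above also means an unset UCI option quietly selects the `none` driver, the same value files/netavark-config ships, which as far as I can tell leaves container traffic without the firewall/NAT rules netavark would otherwise install; a one-line comment there, e.g. `# unset in UCI: run netavark without firewall/NAT rules (driver "none")`, would make that trade-off visible to whoever edits the config.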
@@ -307,7 +307,7 @@ get_nft_sets() { [ -x "$nft" ] && "$nft" list table inet "$nftTable" 2>/dev/null
 is_ipset_type_supported() { ipset help hash:"$1" >/dev/null 2>&1; }
 ubus_get_status() { ubus call service list "{ 'name': '$packageName' }" | jsonfilter -e "@.${packageName}.instances.main.data.status.${1}"; }
 ubus_get_iface() { ubus call service list "{ 'name': '$packageName' }" | jsonfilter -e "@.${packageName}.instances.main.data.interfaces[@.name='${1}']${2:+.$2}"; }
-opkg_get_version() { grep -m1 -A1 "$1" '/usr/lib/opkg/status' | grep -m1 'Version: ' | sed 's|Version: \(.*\)|\1|'; }
+opkg_get_version() { grep -m1 -A1 "Package: $1$" '/usr/lib/opkg/status' | grep -m1 'Version: ' | sed 's|Version: \(.*\)|\1|'; }
 load_package_config() {
 config_load "$packageName"
@@ -1776,7 +1776,8 @@ EOF
 while read -r i; do
 i="$(echo "$i" | sed 's/ linkdown$//')"
 i="$(echo "$i" | sed 's/ onlink$//')"
- $ip_bin -6 route add "$i" table "$tid" >/dev/null 2>&1 || ipv6_error=1
+ # shellcheck disable=SC2086
+ $ip_bin -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1
 done << EOF
 $($ip_bin -6 route list table main | grep " dev $dev6 ")
 EOF
@@ -1855,7 +1856,8 @@ EOF
 $ip_bin -6 route add unreachable default table "$tid" || ipv6_error=1
 elif $ip_bin -6 route list table main | grep -q " dev $dev6 "; then
 while read -r i; do
- $ip_bin -6 route add "$i" table "$tid" >/dev/null 2>&1 || ipv6_error=1
+ # shellcheck disable=SC2086
+ $ip_bin -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1
 done << EOF
 $($ip_bin -6 route list table main | grep " dev $dev6 ")
 EOF
@@ -2335,6 +2337,11 @@ status_service_nft() {
 echo "IPv4 table $((wan_tid + i)) route: $($ip_bin -4 route show table $((wan_tid + i)) | grep default)"
 echo "IPv4 table $((wan_tid + i)) rule(s):"
 $ip_bin -4 rule list table "$((wan_tid + i))"
+ if [ -n "$ipv6_enabled" ]; then
+ echo "IPv6 table $((wan_tid + i)) route: $($ip_bin -6 route show table $((wan_tid + i)) | grep default)"
+ echo "IPv6 table $((wan_tid + i)) rule(s):"
+ $ip_bin -6 route show table $((wan_tid + i))
+ fi
 i=$((i + 1))
 done
 }
diff --git a/net/siit/src/siit.c b/net/siit/src/siit.c
index 16bb02492..8a7350b8d 100644
--- a/net/siit/src/siit.c
+++ b/net/siit/src/siit.c
@@ -985,10 +985,10 @@ static int ip6_ip4(char *src, int len, char *dst, int include_flag)
 static int ip4_fragment(struct sk_buff *skb, int len, int hdr_len, struct net_device *dev, struct ethhdr *eth_h)
 {
 struct sk_buff *skb2 = NULL; /* pointer to new struct sk_buff for transleded packet */
- char buff[FRAG_BUFF_SIZE+hdr_len]; /* buffer to form new fragment packet */
+ char *buff; /* buffer to form new fragment packet */
 char *cur_ptr = skb->data+hdr_len; /* pointter to current packet data with len = frag_len */
 struct iphdr *ih4 = (struct iphdr *) skb->data;
- struct iphdr *new_ih4 = (struct iphdr *) buff; /* point to new IPv4 hdr */
+ struct iphdr *new_ih4; /* point to new IPv4 hdr */
 struct ethhdr *new_eth_h; /* point to ether hdr, need to set hard header data in fragment */
 int data_len = len - hdr_len; /* origin packet data len */
 int rest_len = data_len; /* rest data to fragment */
@@ -999,6 +999,8 @@ static int ip4_fragment(struct sk_buff *skb, int len, int hdr_len, struct net_de
 __u16 frag_offset = 0; /* fragment offset */
 unsigned int csum;
 unsigned short udp_len;
+ int ret = 0;
+
 #ifdef SIIT_DEBUG
 printk("siit: it's DF == 0 and result IPv6 packet will be > 1280\n");
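Review bot: In the added IPv6 block, the line after `echo "IPv6 table $((wan_tid + i)) rule(s):"` runs `$ip_bin -6 route show table $((wan_tid + i))`, so the output labelled "rule(s)" is the route table printed a second time; the IPv4 lines just above list rules with `$ip_bin -4 rule list table "$((wan_tid + i))"`. Change it to `$ip_bin -6 rule list table "$((wan_tid + i))"` so the status output matches its heading and mirrors the IPv4 branch, including the quoted table argument. The enclosing status_service_nft function begins before this hunk.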
@@ -1035,6 +1037,14 @@ static int ip4_fragment(struct sk_buff *skb, int len, int hdr_len, struct net_de
 new_id = ih4->id;
+ buff = kcalloc(FRAG_BUFF_SIZE+hdr_len, sizeof(*buff), GFP_KERNEL);
+ if (!buff) {
+ printk("siit: Failed to allocate buf\n");
+ return -1;
+ }
+
+ new_ih4 = (struct iphdr *) buff;
+
 while(1) {
 if (rest_len <= FRAG_BUFF_SIZE) { /* it's last fragmen */
@@ -1072,7 +1082,8 @@ static int ip4_fragment(struct sk_buff *skb, int len, int hdr_len, struct net_de
 if (!skb2) {
 printk(KERN_DEBUG "%s: alloc_skb failure - packet dropped.\n", dev->name);
 dev_kfree_skb(skb2);
- return -1;
+ ret = -1;
+ goto exit;
 }
 /* allocate skb->data portion for IP header len, fragment data len and ether header len
 * and copy to head ether header from origin skb
@@ -1094,7 +1105,8 @@ static int ip4_fragment(struct sk_buff *skb, int len, int hdr_len, struct net_de
 /* call translation function */
 if ( ip4_ip6(buff, frag_len+hdr_len, skb2->data, 0) == -1) {
 dev_kfree_skb(skb2);
- return -1;
+ ret = -1;
+ goto exit;
 }
 /*
@@ -1123,7 +1135,9 @@ static int ip4_fragment(struct sk_buff *skb, int len, int hdr_len, struct net_de
 frag_offset = (frag_offset*8 + frag_len)/8;
 }
- return 0;
+exit:
+ kfree(buff);
+ return ret;
 }
 /*
 * Transmit a packet (called by the kernel)
@@ -1156,7 +1170,6 @@ static int siit_xmit(struct sk_buff *skb, struct net_device *dev)
 int len; /* original packets length */
 int new_packet_len;
 int skb_delta = 0; /* delta size for allocate new skb */
- char new_packet_buff[2048];
 /* Check pointer to sk_buff and device structs */
 if (skb == NULL || dev == NULL)
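Review bot: The added `buff = kcalloc(FRAG_BUFF_SIZE+hdr_len, sizeof(*buff), GFP_KERNEL);` can sleep, yet ip4_fragment appears to sit on the packet transmit path: the comment following the @@ -1123 hunk introduces siit_xmit as the function the kernel calls to transmit, and siit_xmit makes the same kind of call, `kcalloc(2048, sizeof(*new_packet_buff), GFP_KERNEL)`, in the @@ -1303 hunk. If these functions really run from the net_device transmit callback, where sleeping is not allowed, both allocations need `GFP_ATOMIC`; please confirm the calling context before merging. The new `printk("siit: Failed to allocate buf\n");` also carries no log level, unlike the `printk(KERN_DEBUG ...)` calls elsewhere in this file. ip4_fragment's body begins before and ends after this hunk.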
@@ -1303,6 +1316,14 @@ static int siit_xmit(struct sk_buff *skb, struct net_device *dev)
 * IPv6 paket */
 else if (ntohs(skb->protocol) == ETH_P_IPV6) {
+ char *new_packet_buff;
+
+ new_packet_buff = kcalloc(2048, sizeof(*new_packet_buff), GFP_KERNEL);
+ if (!new_packet_buff) {
+ printk(KERN_DEBUG "%s: alloc new_packet_buff failure, packet dropped.\n", dev->name);
+ siit_stats(dev)->rx_dropped++;
+ goto end;
+ }
 #ifdef SIIT_DEBUG
 siit_print_dump(skb->data, sizeof(struct ipv6hdr), "siit: (in) ip6_hdr dump");
@@ -1315,6 +1336,7 @@ static int siit_xmit(struct sk_buff *skb, struct net_device *dev)
 {
 PDEBUG("siit_xmit(): error translation ipv6->ipv4, packet dropped.\n");
 siit_stats(dev)->rx_dropped++;
+ kfree(new_packet_buff);
 goto end;
 }
@@ -1323,6 +1345,7 @@ static int siit_xmit(struct sk_buff *skb, struct net_device *dev)
 if (!skb2) {
 printk(KERN_DEBUG "%s: alloc_skb failure, packet dropped.\n", dev->name);
 siit_stats(dev)->rx_dropped++;
+ kfree(new_packet_buff);
 goto end;
 }
 memcpy(skb_put(skb2, new_packet_len + dev->hard_header_len), (char *)eth_h, dev->hard_header_len);
diff --git a/utils/gl-mifi-mcu/src/module.c b/utils/gl-mifi-mcu/src/module.c
index 8f5a5146b..98fc7fab8 100755
--- a/utils/gl-mifi-mcu/src/module.c
+++ b/utils/gl-mifi-mcu/src/module.c
@@ -164,7 +164,7 @@ static enum hrtimer_restart handle_rx(struct hrtimer* timer)
 return result;
 }
-static int __init init(void)
+static int __init gl_mifi_mcu_init(void)
 {
 bool success = true;
@@ -193,7 +193,7 @@ static int __init init(void)
 return success;
 }
-static void __exit exit(void)
+static void __exit gl_mifi_mcu_exit(void)
 {
 disable_irq(gpio_to_irq(gpio_rx));
 hrtimer_cancel(&timer_tx);
@@ -205,6 +205,6 @@ static void __exit exit(void)
 remove_proc_entry("gl_mifi_mcu", NULL);
 }
-module_init(init);
-module_exit(exit);
+module_init(gl_mifi_mcu_init);
+module_exit(gl_mifi_mcu_exit);
diff --git a/utils/podman/Makefile b/utils/podman/Makefile
index 441082cb0..961ffad07 100644
--- a/utils/podman/Makefile
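Review bot: The `kcalloc` for new_packet_buff in this hunk is paired with a `kfree` only on the two failure paths (the @@ -1315 and @@ -1323 hunks); no hunk in this diff frees it once translation succeeds, and the stack array `char new_packet_buff[2048]` it replaces never needed one. Unless unchanged code after the final `memcpy(skb_put(skb2, ...))` already frees it, every successfully translated IPv6 packet therefore leaks 2048 bytes of kernel heap, which on a per-packet path is a resource-exhaustion bug rather than a tidiness issue. Add `kfree(new_packet_buff);` once its contents have been copied into skb2, or declare the pointer at function scope initialised to NULL and `kfree` it once at the `end:` label (kfree(NULL) is a no-op), which also removes the two per-error-path frees. siit_xmit's body begins before and ends after these hunks.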
+++ b/utils/podman/Makefile
@@ -1,18 +1,18 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=podman
-PKG_VERSION:=4.4.2
+PKG_VERSION:=4.5.0
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/containers/podman/archive/v$(PKG_VERSION)
-PKG_HASH:=59cec158438efa8a3e651b19e150d9afd90f7e3f07c30605a997e18b8c54b67c
+PKG_HASH:=830a633630bf6e61f2b8d4ca00efdd9a173ef25cdd49d4a4364c293e088561df
 PKG_LICENSE:=Apache-2.0
 PKG_LICENSE_FILES:=LICENSE
 PKG_MAINTAINER:=Oskari Rauta
-PKG_BUILD_DEPENDS:=golang/host protobuf/host
+PKG_BUILD_DEPENDS:=golang/host protobuf/host btrfs-progs
 PKG_BUILD_PARALLEL:=1
 PKG_BUILD_FLAGS:=no-mips16
 PKG_INSTALL:=1
@@ -39,7 +39,7 @@ define Package/podman
 CATEGORY:=Utilities
 TITLE:=Podman
 URL:=https://podman.io
- DEPENDS:=$(GO_ARCH_DEPENDS) +conmon +cni +cni-plugins +btrfs-progs +glib2 +gnupg2 +uci-firewall +libgpg-error +libseccomp +libgpgme +nsenter +zoneinfo-simple +kmod-veth +PODMAN_SELINUX_SUPPORT:libselinux
+ DEPENDS:=$(GO_ARCH_DEPENDS) +conmon +libgpgme +libseccomp +nsenter +zoneinfo-simple +kmod-veth +slirp4netns +netavark +aardvark-dns +PODMAN_SELINUX_SUPPORT:libselinux
 endef
 define Package/podman/description
@@ -53,10 +53,6 @@ define Package/podman/config
 bool "Enable SELinux support"
 default n
- config PODMAN_IPTABLES_FW
- bool "Add iptabels firewall options to default podman network"
- default n
-
 endmenu
 endef
@@ -65,7 +61,7 @@ define Package/podman/conffiles
 /etc/containers/storage.conf
 /etc/containers/registries.conf
 /etc/containers/containers.conf
-/etc/cni/net.d/87-podman-bridge.conflist
+/etc/containers/networks/podman.json
 endef
 ifdef CONFIG_PODMAN_SELINUX_SUPPORT
@@ -74,12 +70,6 @@ else
 GO_PKG_TAGS=seccomp,exclude_graphdriver_devicemapper,apparmor
 endif
-ifdef CONFIG_PODMAN_IPTABLES_FW
- CNIFILE:=87-podman-bridge-iptables.conflist
-else
- CNIFILE:=87-podman-bridge.conflist
-endif
-
 MAKE_VARS += \
 GO_INSTALL_BIN_PATH="$(strip $(GO_PKG_INSTALL_BIN_PATH))" \
 BUILD_DIR="$(PKG_BUILD_DIR)" \
@@ -126,8 +116,8 @@ define Package/podman/install
 $(INSTALL_DATA) $(DL_DIR)/registries.fedora-da9a9c8778 $(1)/etc/containers/registries.conf
 $(INSTALL_DATA) $(PKG_BUILD_DIR)/vendor/github.com/containers/storage/storage.conf $(1)/etc/containers/storage.conf
 $(INSTALL_DATA) ./files/containers.conf $(1)/etc/containers/containers.conf
- $(INSTALL_DIR) $(1)/etc/cni/net.d
- $(INSTALL_CONF) ./files/$(CNIFILE) $(1)/etc/cni/net.d/87-podman-bridge.conflist
+ $(INSTALL_DIR) $(1)/etc/containers/networks
+ $(INSTALL_CONF) ./files/podman.json $(1)/etc/containers/networks
 $(INSTALL_DIR) $(1)/usr/share/containers
 $(INSTALL_DATA) $(PKG_BUILD_DIR)/vendor/github.com/containers/common/pkg/seccomp/seccomp.json $(1)/usr/share/containers/
 $(INSTALL_DIR) $(1)/etc/init.d
diff --git a/utils/podman/files/87-podman-bridge-iptables.conflist b/utils/podman/files/87-podman-bridge-iptables.conflist
deleted file mode 100644
index ef760a61b..000000000
--- a/utils/podman/files/87-podman-bridge-iptables.conflist
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- "cniVersion": "0.4.0",
- "name": "podman",
- "plugins": [
- {
- "type": "bridge",
- "bridge": "cni-podman0",
- "isGateway": true,
- "ipMasq": true,
- "hairpinMode": true,
- "ipam": {
- "type": "host-local",
- "routes": [{ "dst": "0.0.0.0/0" }],
- "ranges": [
- [
- {
- "subnet": "10.88.0.0/16",
- "gateway": "10.88.0.1"
- }
- ]
- ]
- }
- },
- {
- "type": "portmap",
- "capabilities": {
- "portMappings": true
- }
- },
- {
- "type": "firewall"
- },
- {
- "type": "tuning"
- }
- ]
-}
diff --git a/utils/podman/files/87-podman-bridge.conflist b/utils/podman/files/87-podman-bridge.conflist
deleted file mode 100644
index 4665abdba..000000000
--- a/utils/podman/files/87-podman-bridge.conflist
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "cniVersion": "0.4.0",
- "name": "podman",
- "plugins": [
- {
- "type": "bridge",
- "bridge": "cni-podman0",
- "isGateway": true,
- "ipMasq": true,
- "hairpinMode": true,
- "ipam": {
- "type": "host-local",
- "routes": [{ "dst": "0.0.0.0/0" }],
- "ranges": [
- [
- {
- "subnet": "10.88.0.0/16",
- "gateway": "10.88.0.1"
- }
- ]
- ]
- }
- },
- {
- "type": "tuning"
- }
- ]
-}
diff --git a/utils/podman/files/containers.conf b/utils/podman/files/containers.conf
index 3dbaab15f..13d3fb295 100644
--- a/utils/podman/files/containers.conf
+++ b/utils/podman/files/containers.conf
@@ -30,10 +30,8 @@ default_sysctls = [
 ]
 [network]
-cni_plugin_dirs = [
- "/usr/lib/cni"
-]
-network_config_dir = "/etc/cni/net.d/"
+network_backend = "netavark"
+network_config_dir = "/etc/containers/networks/"
 default_network = "podman"
 [engine]
diff --git a/utils/podman/files/podman.json b/utils/podman/files/podman.json
new file mode 100644
index 000000000..35e705579
--- /dev/null
+++ b/utils/podman/files/podman.json
@@ -0,0 +1,19 @@
+{
+ "name": "podman",
+ "id": "5ef894788befd4d42498314b6e66282ca730aa2e1e82f9b9597bf4d1725ca074",
+ "driver": "bridge",
+ "network_interface": "podman0",
+ "created": "2023-02-20T08:56:34.652030952Z",
+ "subnets": [
+ {
+ "subnet": "10.88.0.0/16",
+ "gateway": "10.88.0.1"
+ }
+ ],
+ "ipv6_enabled": false,
+ "internal": false,
+ "dns_enabled": true,
+ "ipam_options": {
+ "driver": "host-local"
+ }
+}
diff --git a/utils/podman/patches/010-do-not-build-docs.patch b/utils/podman/patches/010-do-not-build-docs.patch
index 6f77e1b87..e67810052 100644
--- a/utils/podman/patches/010-do-not-build-docs.patch
+++ b/utils/podman/patches/010-do-not-build-docs.patch
@@ -1,6 +1,6 @@
 --- a/Makefile
 +++ b/Makefile
-@@ -206,7 +206,7 @@ GV_SHA=aab0ac9367fc5142f5857c36ac2352bcb
+@@ -209,7 +209,7 @@ GV_SHA=aab0ac9367fc5142f5857c36ac2352bcb
 default: all
 .PHONY: all
@@ -9,7 +9,7 @@
 .PHONY: binaries
 ifeq ($(shell uname -s),FreeBSD)
-@@ -797,7 +797,7 @@ package-install: package ## Install rpm
+@@ -790,7 +790,7 @@ package-install: package ## Install rpm
 /usr/bin/podman info # will catch a broken conmon
 .PHONY: install