From 643e501c8d0209dbbc683447b4df0c4b2b9aed08 Mon Sep 17 00:00:00 2001 From: Stan Grishin Date: Thu, 11 May 2023 23:06:20 +0000 Subject: [PATCH 01/18] pbr: bugfix: create IPv6 routes * add missing space in str_contains * unquote variable to make sure IPv6 rotues are added * add IPv6 routes display to status output in nft mode Signed-off-by: Stan Grishin --- net/pbr/Makefile | 2 +- net/pbr/files/etc/init.d/pbr.init | 15 +++++++++++---- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/net/pbr/Makefile b/net/pbr/Makefile index 0ab59a28e..744db6ab6 100644 --- a/net/pbr/Makefile +++ b/net/pbr/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=pbr PKG_VERSION:=1.1.1 -PKG_RELEASE:=5 +PKG_RELEASE:=7 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Stan Grishin diff --git a/net/pbr/files/etc/init.d/pbr.init b/net/pbr/files/etc/init.d/pbr.init index d8ecaa7da..b8c9c3d82 100755 --- a/net/pbr/files/etc/init.d/pbr.init +++ b/net/pbr/files/etc/init.d/pbr.init @@ -163,7 +163,7 @@ output_failn() { output 1 "$_FAIL_\\n"; output 2 "$__FAIL__\\n"; } # shellcheck disable=SC2317 str_replace() { printf "%b" "$1" | sed -e "s/$(printf "%b" "$2")/$(printf "%b" "$3")/g"; } str_replace() { echo "${1//$2/$3}"; } -str_contains() { [ -n "$1" ] &&[ -n "$2" ] && [ "${1//$2}" != "$1" ]; } +str_contains() { [ -n "$1" ] && [ -n "$2" ] && [ "${1//$2}" != "$1" ]; } is_greater() { test "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1"; } is_greater_or_equal() { test "$(printf '%s\n' "$@" | sort -V | head -n 1)" = "$2"; } str_contains_word() { echo "$1" | grep -q -w "$2"; } 
@@ -307,7 +307,7 @@ get_nft_sets() { [ -x "$nft" ] && "$nft" list table inet "$nftTable" 2>/dev/null is_ipset_type_supported() { ipset help hash:"$1" >/dev/null 2>&1; } ubus_get_status() { ubus call service list "{ 'name': '$packageName' }" | jsonfilter -e "@.${packageName}.instances.main.data.status.${1}"; } ubus_get_iface() { ubus call service list "{ 'name': '$packageName' }" | jsonfilter -e "@.${packageName}.instances.main.data.interfaces[@.name='${1}']${2:+.$2}"; } -opkg_get_version() { grep -m1 -A1 "$1" '/usr/lib/opkg/status' | grep -m1 'Version: ' | sed 's|Version: \(.*\)|\1|'; } +opkg_get_version() { grep -m1 -A1 "Package: $1$" '/usr/lib/opkg/status' | grep -m1 'Version: ' | sed 's|Version: \(.*\)|\1|'; } load_package_config() { config_load "$packageName" @@ -1776,7 +1776,8 @@ EOF while read -r i; do i="$(echo "$i" | sed 's/ linkdown$//')" i="$(echo "$i" | sed 's/ onlink$//')" - $ip_bin -6 route add "$i" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + # shellcheck disable=SC2086 + $ip_bin -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1 done << EOF $($ip_bin -6 route list table main | grep " dev $dev6 ") EOF @@ -1855,7 +1856,8 @@ EOF $ip_bin -6 route add unreachable default table "$tid" || ipv6_error=1 elif $ip_bin -6 route list table main | grep -q " dev $dev6 "; then while read -r i; do - $ip_bin -6 route add "$i" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + # shellcheck disable=SC2086 + $ip_bin -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1 done << EOF $($ip_bin -6 route list table main | grep " dev $dev6 ") EOF 
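Review bot: The new pattern in `opkg_get_version` still interpolates `$1` as a regular expression and has no anchor at the start of the line, so a package name containing `.` or `+` can select a different `Package:` entry than the one requested. A fixed-string, whole-line match avoids that: `grep -m1 -A1 -Fx "Package: $1" '/usr/lib/opkg/status'`. The `-A1` also relies on `Version:` being the line directly after `Package:`, which the hunk does not show; a short comment stating that assumption would help the next reader.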
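Review bot: Dropping the quotes around `$i` in `$ip_bin -6 route add $i table "$tid"` turns on pathname expansion as well as the word splitting the fix needs, and the SC2086 suppression gives no reason. The same line is changed in the hunk at -1855, where the loop does not strip the trailing ` linkdown`/` onlink` flags that the loop at -1776 removes before re-adding the route; if those flags can appear there too, the add would presumably fail and set `ipv6_error`. I would put the reason next to the suppression, e.g. `# $i holds a full route line and must split into separate ip arguments`, and run the loop under `set -f` so that only splitting happens. Both loops start and end outside the hunks.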
@@ -2335,6 +2337,11 @@ status_service_nft() { echo "IPv4 table $((wan_tid + i)) route: $($ip_bin -4 route show table $((wan_tid + i)) | grep default)" echo "IPv4 table $((wan_tid + i)) rule(s):" $ip_bin -4 rule list table "$((wan_tid + i))" + if [ -n "$ipv6_enabled" ]; then + echo "IPv6 table $((wan_tid + i)) route: $($ip_bin -6 route show table $((wan_tid + i)) | grep default)" + echo "IPv6 table $((wan_tid + i)) rule(s):" + $ip_bin -6 route show table $((wan_tid + i)) + fi i=$((i + 1)) done } From 4920d96df0271bd77af5409e54dd93708535ff92 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Fri, 12 May 2023 22:30:29 +0200 Subject: [PATCH 02/18] banip: release 0.8.6-1 * made the fetch utility function/autodetection more bullet proof * no longer add suspicious IPs to the local blocklist when the nft set timeout has been set * restructure internal functions & small fixes Signed-off-by: Dirk Brenken --- net/banip/Makefile | 4 +- net/banip/files/banip-functions.sh | 149 ++++++++++++++++++++--------- net/banip/files/banip-service.sh | 56 +---------- 3 files changed, 111 insertions(+), 98 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index fe74a723d..ce1d4a7df 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=0.8.5 -PKG_RELEASE:=2 +PKG_VERSION:=0.8.6 +PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 85903d1de..bca7ac3a5 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -75,6 +75,7 @@ ban_fetchinsecure="" ban_fetchretry="5" ban_cores="" ban_memory="" +ban_packages="" ban_trigger="" ban_triggerdelay="10" ban_resolver="" 
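Review bot: In the `status_service_nft` hunk of pbr.init, the command under the new `IPv6 table N rule(s):` heading is `$ip_bin -6 route show table $((wan_tid + i))`, so the IPv6 block prints routes where the IPv4 block above it prints rules. To mirror the IPv4 output it should be `$ip_bin -6 rule list table "$((wan_tid + i))"`. The enclosing loop starts outside the hunk.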
@@ -90,8 +91,9 @@ f_system() { ban_debug="$(uci_get banip global ban_debug)" ban_cores="$(uci_get banip global ban_cores)" fi + ban_packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)" ban_memory="$("${ban_awkcmd}" '/^MemAvailable/{printf "%s",int($2/1000)}' "/proc/meminfo" 2>/dev/null)" - ban_ver="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null | jsonfilter -ql1 -e '@.packages.banip')" + ban_ver="$(printf "%s" "${ban_packages}" | jsonfilter -ql1 -e '@.packages.banip')" ban_sysver="$(${ban_ubuscmd} -S call system board 2>/dev/null | jsonfilter -ql1 -e '@.model' -e '@.release.description' | "${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')" if [ -z "${ban_cores}" ]; then @@ -171,6 +173,19 @@ f_trim() { printf "%s" "${string}" } +# remove logservice +# +f_rmpid() { + local ppid pid pids + + ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" + [ -n "${ppid}" ] && pids="$(pgrep -P "${ppid}" 2>/dev/null)" || return 0 + for pid in ${pids}; do + kill -INT "${pid}" >/dev/null 2>&1 + done + : >"${ban_pidfile}" +} + # write log messages # f_log() { 
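Review bot: `f_rmpid` signals every child of whatever PID is stored in `${ban_pidfile}` without checking that the PID still belongs to banIP, so a stale file whose PID has been reused would send SIGINT to the children of an unrelated process. Before the `pgrep -P` call I would confirm the process identity (for instance by comparing `/proc/${ppid}/cmdline` against the service script) and return early when it does not match. A header such as `# stop the children of the running banIP service and clear the pid file` would also describe the function better than `# remove logservice`.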
@@ -253,30 +268,54 @@ f_conf() { [ "${ban_action}" = "boot" ] && [ -z "${ban_trigger}" ] && sleep ${ban_triggerdelay} } -# prepare fetch utility +# get nft/monitor actuals # -f_fetch() { - local item utils packages insecure +f_actual() { + local nft monitor - if [ -z "${ban_fetchcmd}" ] || [ ! -x "$(command -v "${ban_fetchcmd}")" ]; then - packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)" - [ -z "${packages}" ] && f_log "err" "no local package repository" + if "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then + nft="$(f_char "1")" + else + nft="$(f_char "0")" + fi + if pgrep -f "logread" -P "$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then + monitor="$(f_char "1")" + else + monitor="$(f_char "0")" + fi + printf "%s" "nft: ${nft}, monitor: ${monitor}" +} + +# get fetch utility +# +f_getfetch() { + local item utils insecure update="0" + + if { [ "${ban_fetchcmd}" = "uclient-fetch" ] && printf "%s" "${ban_packages}" | "${ban_grepcmd}" -q '"libustream-'; } || + { [ "${ban_fetchcmd}" = "wget" ] && printf "%s" "${ban_packages}" | "${ban_grepcmd}" -q '"wget-ssl'; } || + [ "${ban_fetchcmd}" = "curl" ] || [ "${ban_fetchcmd}" = "aria2c" ]; then + ban_fetchcmd="$(command -v "${ban_fetchcmd}")" + else + ban_fetchcmd="" + fi + + if [ "${ban_autodetect}" = "1" ] && [ ! 
-x "${ban_fetchcmd}" ]; then utils="aria2c curl wget uclient-fetch" for item in ${utils}; do - if { [ "${item}" = "uclient-fetch" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"libustream-'; } || - { [ "${item}" = "wget" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"wget-ssl'; } || + if { [ "${item}" = "uclient-fetch" ] && printf "%s" "${ban_packages}" | "${ban_grepcmd}" -q '"libustream-'; } || + { [ "${item}" = "wget" ] && printf "%s" "${ban_packages}" | "${ban_grepcmd}" -q '"wget-ssl'; } || [ "${item}" = "curl" ] || [ "${item}" = "aria2c" ]; then ban_fetchcmd="$(command -v "${item}")" if [ -x "${ban_fetchcmd}" ]; then - uci_set banip global ban_fetchcmd "${ban_fetchcmd##*/}" + update="1" + uci_set banip global ban_fetchcmd "${item}" uci_commit "banip" break fi fi done - else - ban_fetchcmd="$(command -v "${ban_fetchcmd}")" fi + [ ! -x "${ban_fetchcmd}" ] && f_log "err" "no download utility with SSL support" case "${ban_fetchcmd##*/}" in "aria2c") @@ -297,38 +336,7 @@ f_fetch() { ;; esac - f_log "debug" "f_fetch ::: cmd: ${ban_fetchcmd:-"-"}, parm: ${ban_fetchparm:-"-"}" -} - -# remove logservice -# -f_rmpid() { - local ppid pid pids - - ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" - [ -n "${ppid}" ] && pids="$(pgrep -P "${ppid}" 2>/dev/null)" || return 0 - for pid in ${pids}; do - kill -INT "${pid}" >/dev/null 2>&1 - done - : >"${ban_pidfile}" -} - -# get nft/monitor actuals -# -f_actual() { - local nft monitor - - if "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then - nft="$(f_char "1")" - else - nft="$(f_char "0")" - fi - if pgrep -f "logread" -P "$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then - monitor="$(f_char "1")" - else - monitor="$(f_char "0")" - fi - printf "%s" "nft: ${nft}, monitor: ${monitor}" + f_log "debug" "f_getfetch ::: auto/update: ${ban_autodetect}/${update}, cmd: ${ban_fetchcmd:-"-"}, parm: ${ban_fetchparm:-"-"}" } # get wan interfaces 
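Review bot: When the `packagelist` call in `f_system` returns nothing, `ban_packages` is empty and `f_getfetch` clears a configured `uclient-fetch` or `wget`, then reports only `no download utility with SSL support`; the removed `[ -z "${packages}" ] && f_log "err" "no local package repository"` check used to name the real cause. I would keep that check at the top of `f_getfetch` as `[ -z "${ban_packages}" ] && f_log "err" "no local package repository"`. The three-line SSL capability test is also written twice, once for `${ban_fetchcmd}` and once for `${item}`, and would read better as one small helper that takes the utility name. `f_getfetch` continues past the end of this hunk.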
@@ -1355,6 +1363,59 @@ f_mail() { f_log "debug" "f_mail ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}" } +# log monitor +# +f_monitor() { + local nft_expiry line proto ip log_raw log_count + + if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then + f_log "info" "start detached banIP log service" + [ -n "${ban_nftexpiry}" ] && nft_expiry="timeout $(printf "%s" "${ban_nftexpiry}" | "${ban_grepcmd}" -oE "([0-9]+[d|h|m|s])+$")" + # read log continuously with given logterms + # + "${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null | + while read -r line; do + proto="" + # IPv4 log parsing + # + ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{if(!seen[RT]++)printf "%s ",RT}')" + ip="$(f_trim "${ip}")" + ip="${ip##* }" + [ -n "${ip}" ] && proto="v4" + if [ -z "${proto}" ]; then + # IPv6 log parsing + # + ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{if(!seen[RT]++)printf "%s ",RT}')" + ip="$(f_trim "${ip}")" + ip="${ip##* }" + [ -n "${ip}" ] && proto="v6" + fi + if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then + f_log "info" "suspicious IP${proto} '${ip}'" + log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)" + log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP${proto} '${ip}'")" + if [ "${log_count}" -ge "${ban_logcount}" ]; then + if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then + f_log "info" "add IP${proto} '${ip}' (expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set" + if [ -z "${ban_nftexpiry}" ] && [ "${ban_autoblocklist}" = "1" ] && ! 
"${ban_grepcmd}" -q "^${ip}" "${ban_blocklist}"; then + printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}" + f_log "info" "add IP${proto} '${ip}' to local blocklist" + fi + fi + fi + fi + done + + # start detached no-op service loop + # + else + f_log "info" "start detached no-op banIP service" + while :; do + sleep 1 + done + fi +} + # initial sourcing # if [ -r "/lib/functions.sh" ] && [ -r "/lib/functions/network.sh" ] && [ -r "/usr/share/libubox/jshn.sh" ]; then diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh index b67c5a0aa..3f43ef34c 100755 --- a/net/banip/files/banip-service.sh +++ b/net/banip/files/banip-service.sh @@ -18,7 +18,7 @@ f_log "info" "start banIP processing (${ban_action})" f_log "debug" "f_system ::: system: ${ban_sysver:-"n/a"}, version: ${ban_ver:-"n/a"}, memory: ${ban_memory:-"0"}, cpu_cores: ${ban_cores}" f_genstatus "processing" f_tmp -f_fetch +f_getfetch f_getif f_getdev f_getuplink @@ -93,7 +93,7 @@ for feed in allowlist ${ban_feed} blocklist; do eval json_get_var feed_"${object}" '${object}' >/dev/null 2>&1 done json_select .. - + # skip incomplete feeds # if { { [ -n "${feed_url_4}" ] && [ -z "${feed_rule_4}" ]; } || { [ -z "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; }; } || 
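Review bot: In `f_monitor` the duplicate check `"${ban_grepcmd}" -q "^${ip}" "${ban_blocklist}"` uses the address as an unanchored regular expression, so `1.2.3.4` counts as already present when the file holds `1.2.3.40` or `1.2.304.5`, and that address is then never written to the local blocklist. Comparing the first field as a plain string avoids this, e.g. `"${ban_awkcmd}" -v ip="${ip}" '$1==ip{f=1}END{exit !f}' "${ban_blocklist}"`; if the file can also hold `addr/len` prefixes, the suffix would have to be stripped before comparing. Separately, `ip` is extracted from log text that a remote client can partly influence, and the IPv4 pattern accepts octets above 255, so a comment stating that `nft add element` is relied on to reject malformed values would be worth adding above the extraction. The character class in `[d|h|m|s]` also admits a literal `|`; `[dhms]` says what is meant.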
@@ -162,54 +162,6 @@ fi json_cleanup rm -rf "${ban_lock}" -# start detached log service +# start detached log service (infinite loop) # -if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then - f_log "info" "start detached banIP log service" - - nft_expiry="$(printf "%s" "${ban_nftexpiry}" | grep -oE "([0-9]+[h|m|s]$)")" - [ -n "${nft_expiry}" ] && nft_expiry="timeout ${nft_expiry}" - - # read log continuously with given logterms - # - "${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null | - while read -r line; do - proto="" - # IPv4 log parsing - # - ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{if(!seen[RT]++)printf "%s ",RT}')" - ip="$(f_trim "${ip}")" - ip="${ip##* }" - [ -n "${ip}" ] && proto="v4" - if [ -z "${proto}" ]; then - # IPv6 log parsing - # - ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{if(!seen[RT]++)printf "%s ",RT}')" - ip="$(f_trim "${ip}")" - ip="${ip##* }" - [ -n "${ip}" ] && proto="v6" - fi - if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then - f_log "info" "suspicious IP${proto} '${ip}'" - log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)" - log_count="$(printf "%s\n" "${log_raw}" | grep -c "suspicious IP${proto} '${ip}'")" - if [ "${log_count}" -ge "${ban_logcount}" ]; then - if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then - f_log "info" "add IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set" - if [ "${ban_autoblocklist}" = "1" ] && ! 
grep -q "^${ip}" "${ban_blocklist}"; then - printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}" - f_log "info" "add IP${proto} '${ip}' to local blocklist" - fi - fi - fi - fi - done - -# start detached no-op service loop -# -else - f_log "info" "start detached no-op banIP service" - while :; do - sleep 1 - done -fi +f_monitor From a1648fbd1cbecd2e1b60af05049d2769e9210d0e Mon Sep 17 00:00:00 2001 
From: Daniel Golle Date: Mon, 8 May 2023 13:21:36 +0200 Subject: [PATCH 03/18] dovecot: update to version 2.3.20 v2.3.20 2022-12-22 Aki Tuomi + Add dsync_features=no-header-hashes. When this setting is enabled and one dsync side doesn't support mail GUIDs (i.e. imapc), there is no fallback to using header hashes. Instead, dsync assumes that all mails with identical IMAP UIDs contains the same mail contents. This can significantly improve dsync performance with some IMAP servers that don't support caching Date/Message-ID headers. + lua: HTTP client has more settings now, see https://doc.dovecot.org/admin_manual/lua/#dovecot.http.client + replicator: "doveadm replicator status" command now outputs when the next sync is expected for the user. - LAYOUT=index: duplicate GUIDs were not cleaned out. Also the list recovery was not optimal. - auth: Assert crash would occur when iterating multiple userdb backends. - director: Logging into director using master user with auth_master_user_separator character redirected user to a wrong backend, unless master_user_separator setting was also set to the same value. Merged these into auth_master_user_separator. - dsync: Couldn't always fix folder GUID conflicts automatically with Maildir format. This resulted in replication repeatedly failing with "Remote lost mailbox GUID". - dsync: Failed to migrate INBOX when using namespace prefix=INBOX/, resulting in "Remote lost mailbox GUID" errors. - dsync: INBOX was created too early with namespace prefix=INBOX/, resulting a GUID conflict. This may have been resolved automatically, but not always. - dsync: v2.3.18 regression: Wrong imapc password with dsync caused Panic: file lib-event.c: line 506 (event_pop_global): assertion failed: (event == current_global_event) - imapc: Requesting STATUS for a mailbox with imapc and INDEXPVT configured did not return correct (private) unseen counts. - lib-dict: Process would crash when committing data to redis without dict proxy. 
- lib-mail: Corrupted cached BODYSTRUCTURE caused panic during FETCH. Fixes: Panic: file message-part-data.c: line 579 (message_part_is_attachment): assertion failed: (data != NULL). v2.3.13 regression. - lib-storage: mail_attribute_dict with dict-sql failed when it tried to lookup empty dict keys. - lib: ioloop-kqueue was missing include breaking some BSD builds. - lua-http: Dovecot Lua HTTP client could not resolve DNS names in mail processes, because it expected "dns-client" socket to exist in the current directory. - oauth2: Using %{oauth2:name} variables could cause useless introspections. - pop3: Sending POP3 command with ':' character caused an assert-crash. v2.3.18 regression. - replicator: Replication queue had various issues, potentially causing replication requests to become stuck. - stats: Invalid Prometheus label names were created with specific histogram group_by configurations. Prometheus rejected these labels. v2.3.19.1 2022-06-14 Aki Tuomi - doveadm deduplicate: Non-duplicate mails were deleted. v2.3.19 regression. - auth: Crash would occur when iterating multiple backends. Fixes: Panic: file userdb-blocking.c: line 125 (userdb_blocking_iter_next): assertion failed: (ctx->conn != NULL) v2.3.19 2022-05-10 Aki Tuomi + Added mail_user_session_finished event, which is emitted when the mail user session is finished (e.g. imap, pop3, lmtp). It also includes fields with some process statistics information. See https://doc.dovecot.org/admin_manual/list_of_events/ for more information. + Added process_shutdown_filter setting. When an event matches the filter, the process will be shutdown after the current connection(s) have finished. This is intended to reduce memory usage of long-running imap processes that keep a lot of memory allocated instead of freeing it to the OS. + auth: Add cache hit indicator to auth passdb/userdb finished events. See https://doc.dovecot.org/admin_manual/list_of_events/ for more information. 
+ doveadm deduplicate: Performance is improved significantly. + imapc: COPY commands were sent one mail at a time to the remote IMAP server. Now the copying is buffered, so multiple mails can be copied with a single COPY command. + lib-lua: Add a Lua interface to Dovecot's HTTP client library. See https://doc.dovecot.org/admin_manual/lua/ for more information. - auth: Cache lookup would use incorrect cache key after username change. - auth: Improve handling unexpected LDAP connection errors/hangs. Try to fix up these cases by reconnecting to the LDAP server and aborting LDAP requests earlier. - auth: Process crashed if userdb iteration was attempted while auth-workers were already full handling auth requests. - auth: db-oauth2: Using %{oauth2:name} variables caused unnecessary introspection requests. - dict: Timeouts may have been leaked at deinit. - director: Ring may have become unstable if a backend's tag was changed. It could also have caused director process to crash. - doveadm kick: Numeric parameter was treated as IP address. - doveadm: Proxying can panic when flushing print output. Fixes Panic: file ioloop.c: line 865 (io_loop_destroy): assertion failed: (ioloop == current_ioloop). - doveadm sync: BROKENCHAR was wrongly changed to '_' character when migrating mailboxes. This was set by default to %, so any mailbox names containing % characters were modified to "_25". - imapc: Copying or moving mails with doveadm to an imapc mailbox could have produced "Error: Syncing mailbox '[...]' failed" Errors. The operation itself succeeded but attempting to sync the destination mailbox failed. - imapc: Prevent index log synchronization errors when two or more imapc sessions are adding messages to the same mailbox index files, i.e. INDEX=MEMORY is not used. - indexer: Process was slowly leaking memory for each indexing request. - lib-fts: fts header filters caused binary content to be sent to the indexer with non-default configuration. 
- doveadm-server: Process could hang in some situations when printing output to TCP client, e.g. when printing doveadm sync state. - lib-index: dovecot.index.log files were often read and parsed entirely, rather than only the parts that were actually necessary. This mainly increased CPU usage. - lmtp-proxy: Session ID forwarding would cause same session IDs being used when delivering same mail to multiple backends. - log: Log prefix update may have been lost if log process was busy. This could have caused log prefixes to be empty or in some cases reused between sessions, i.e. log lines could have been logged for the wrong user/session. - mail_crypt: Plugin crashes if it's loaded only for some users. Fixes Panic: Module context mail_crypt_user_module missing. - mail_crypt: When LMTP was delivering mails to both recipients with mail encryption enabled and not enabled, the non-encrypted recipients may have gotten mails encrypted anyway. This happened when the first recipient was encrypted (mail_crypt_save_version=2) and the 2nd recipient was not encrypted (mail_crypt_save_version=0). - pop3: Session would crash if empty line was sent. - stats: HTTP server leaked memory. - submission-login: Long credentials, such as OAUTH2 tokens, were refused during SASL interactive due to submission server applying line length limits. - submission-login: When proxying to remote host, authentication was not using interactive SASL when logging in using long credentials such as OAUTH2 tokens. This caused authentication to fail due to line length constraints in SMTP protocol. - submission: Terminating the client connection with QUIT command after mail transaction is started with MAIL command and before it is finished with DATA/BDAT can cause a segfault crash. - virtual: doveadm search queries with mailbox-guid as the only parameter crashes: Panic: file virtual-search.c: line 77 (virtual_search_get_records): assertion failed: (result != 0) 
Signed-off-by: Daniel Golle --- mail/dovecot/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/mail/dovecot/Makefile b/mail/dovecot/Makefile index 8f9e66e15..e23e1578e 100644 --- a/mail/dovecot/Makefile +++ b/mail/dovecot/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dovecot -PKG_VERSION:=2.3.18 -PKG_RELEASE:=2 +PKG_VERSION:=2.3.20 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://dovecot.org/releases/2.3 -PKG_HASH:=06e73f668c6c093c45bdeeeb7c20398ab8dc49317234f4b5781ac5e2cc5d6c33 +PKG_HASH:=caa832eb968148abdf35ee9d0f534b779fa732c0ce4a913d9ab8c3469b218552 PKG_MAINTAINER:=Lucian Cristian PKG_LICENSE:=LGPL-2.1-only MIT BSD-3-Clause From 470c63d1c120dd31f5357391f142b932bce3d789 Mon Sep 17 00:00:00 2001 From: Daniel Golle Date: Mon, 8 May 2023 13:22:01 +0200 Subject: [PATCH 04/18] pigeonhole: update to version 0.5.20 v0.5.20 2022-12-12 Aki Tuomi * No changes - release done to keep version numbers synced. Signed-off-by: Daniel Golle --- mail/pigeonhole/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mail/pigeonhole/Makefile b/mail/pigeonhole/Makefile index 7192463ed..667e2c10d 100644 --- a/mail/pigeonhole/Makefile +++ b/mail/pigeonhole/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dovecot-pigeonhole -PKG_VERSION_PLUGIN:=0.5.19 +PKG_VERSION_PLUGIN:=0.5.20 PKG_VERSION_DOVECOT:=$(shell make --no-print-directory -C ../dovecot/ val.PKG_VERSION V=s) PKG_VERSION:=$(PKG_VERSION_DOVECOT)-$(PKG_VERSION_PLUGIN) PKG_RELEASE:=1 @@ -17,7 +17,7 @@ DOVECOT_VERSION:=2.3 PKG_SOURCE:=dovecot-$(DOVECOT_VERSION)-pigeonhole-$(PKG_VERSION_PLUGIN).tar.gz PKG_SOURCE_URL:=https://pigeonhole.dovecot.org/releases/$(DOVECOT_VERSION) -PKG_HASH:=637709a83fb1338c918e5398049f96b7aeb5ae00696794ed1e5a4d4c0ca3f688 +PKG_HASH:=ae32bd4870ea2c1328ae09ba206e9ec12128046d6afca52fbbc9ef7f75617c98 PKG_MAINTAINER:=W. Michael Petullo PKG_LICENSE:=LGPL-2.1-or-later 
From a9eda4a1ba74c78d24df866304d782ab1668a101 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20H=C3=B6gberg?= Date: Fri, 12 May 2023 23:08:28 +0200 Subject: [PATCH 05/18] libvorbis: fix soname of shared libraries MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When building with cmake we don't get libvorbis*.so.N which means that some applications may fail to dynamically load libvorbis libraries. This seems to be a problem specific to cmake (autotools builds work). Signed-off-by: Robert Högberg --- libs/libvorbis/Makefile | 2 +- libs/libvorbis/patches/010-cmake_soname.patch | 44 +++++++++++++++++++ 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 libs/libvorbis/patches/010-cmake_soname.patch diff --git a/libs/libvorbis/Makefile b/libs/libvorbis/Makefile index a0fc90361..a4bf63248 100644 --- a/libs/libvorbis/Makefile +++ b/libs/libvorbis/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libvorbis PKG_VERSION:=1.3.7 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=http://downloads.xiph.org/releases/vorbis/ diff --git a/libs/libvorbis/patches/010-cmake_soname.patch b/libs/libvorbis/patches/010-cmake_soname.patch new file mode 100644 index 000000000..fd63e1f31 --- /dev/null +++ b/libs/libvorbis/patches/010-cmake_soname.patch 
@@ -0,0 +1,44 @@ +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -28,8 +28,8 @@ set(PROJECT_VERSION_MINOR ${CMAKE_MATCH_ + set(PROJECT_VERSION_PATCH ${CMAKE_MATCH_3}) + set(PROJECT_VERSION ${PROJECT_VERSION_MAJOR}.${PROJECT_VERSION_MINOR}.${PROJECT_VERSION_PATCH}) + +-# Helper function to get version-info +-function(get_version_info result current_var_name age_var_name revision_var_name) ++# Helper function to get library versions ++function(get_lib_versions version_result soversion_result current_var_name age_var_name revision_var_name) + string(REGEX MATCH "${current_var_name}=([0-9]*)" DUMMY ${CONFIGURE_AC_CONTENTS}) + set(VERSION_INFO_CURRENT ${CMAKE_MATCH_1}) + +@@ -41,7 +41,8 @@ function(get_version_info result current + + math(EXPR VERSION_INFO_CURRENT_MINUS_AGE "${VERSION_INFO_CURRENT} - ${VERSION_INFO_AGE}") + +- set(${result} "${VERSION_INFO_CURRENT_MINUS_AGE}.${VERSION_INFO_AGE}.${VERSION_INFO_REVISION}" PARENT_SCOPE) ++ set(${version_result} "${VERSION_INFO_CURRENT_MINUS_AGE}.${VERSION_INFO_AGE}.${VERSION_INFO_REVISION}" PARENT_SCOPE) ++ set(${soversion_result} "${VERSION_INFO_CURRENT_MINUS_AGE}" PARENT_SCOPE) + endfunction() + + # Helper function to configure pkg-config files +--- a/lib/CMakeLists.txt ++++ b/lib/CMakeLists.txt +@@ -78,12 +78,12 @@ if (NOT BUILD_FRAMEWORK) + add_library(vorbisenc ${VORBISENC_SOURCES}) + add_library(vorbisfile ${VORBISFILE_SOURCES}) + +- get_version_info(VORBIS_VERSION_INFO "V_LIB_CURRENT" "V_LIB_AGE" "V_LIB_REVISION") +- set_target_properties(vorbis PROPERTIES SOVERSION ${VORBIS_VERSION_INFO}) +- get_version_info(VORBISENC_VERSION_INFO "VE_LIB_CURRENT" "VE_LIB_AGE" "VE_LIB_REVISION") +- set_target_properties(vorbisenc PROPERTIES SOVERSION ${VORBISENC_VERSION_INFO}) +- get_version_info(VORBISFILE_VERSION_INFO "VF_LIB_CURRENT" "VF_LIB_AGE" "VF_LIB_REVISION") +- set_target_properties(vorbisfile PROPERTIES SOVERSION ${VORBISFILE_VERSION_INFO}) ++ get_lib_versions(VORBIS_VERSION VORBIS_SOVERSION "V_LIB_CURRENT" "V_LIB_AGE" 
"V_LIB_REVISION") ++ set_target_properties(vorbis PROPERTIES VERSION ${VORBIS_VERSION} SOVERSION ${VORBIS_SOVERSION}) ++ get_lib_versions(VORBISENC_VERSION VORBISENC_SOVERSION "VE_LIB_CURRENT" "VE_LIB_AGE" "VE_LIB_REVISION") ++ set_target_properties(vorbisenc PROPERTIES VERSION ${VORBISENC_VERSION} SOVERSION ${VORBISENC_SOVERSION}) ++ get_lib_versions(VORBISFILE_VERSION VORBISFILE_SOVERSION "VF_LIB_CURRENT" "VF_LIB_AGE" "VF_LIB_REVISION") ++ set_target_properties(vorbisfile PROPERTIES VERSION ${VORBISFILE_VERSION} SOVERSION ${VORBISFILE_SOVERSION}) + + target_include_directories(vorbis + PUBLIC From 0d5b110077d4c51a12d797a844495ce63071a205 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Wed, 10 May 2023 20:49:24 -0400 Subject: [PATCH 06/18] lighttpd: update to lighttpd 1.4.70 release hash remove patches included upstream Signed-off-by: Glenn Strauss --- net/lighttpd/Makefile | 6 ++-- .../patches/020-meson-mod_webdav_min.patch | 2 +- .../030-meson-check-FORCE_._CRYPTO.patch | 34 ------------------- ...31-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch | 23 ------------- ...032-meson-build-fix-for-builtin_mods.patch | 20 ----------- 5 files changed, 4 insertions(+), 81 deletions(-) delete mode 100644 net/lighttpd/patches/030-meson-check-FORCE_._CRYPTO.patch delete mode 100644 net/lighttpd/patches/031-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch delete mode 100644 net/lighttpd/patches/032-meson-build-fix-for-builtin_mods.patch diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile index a627c88ca..00616a237 100644 --- a/net/lighttpd/Makefile +++ b/net/lighttpd/Makefile 
@@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lighttpd -PKG_VERSION:=1.4.69 -PKG_RELEASE:=3 +PKG_VERSION:=1.4.70 +PKG_RELEASE:=1 # release candidate ~rcX testing; remove for release #PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://download.lighttpd.net/lighttpd/releases-1.4.x -PKG_HASH:=16ac8db95e719629ba61949b99f8a26feba946a81d185215b28379bb4116b0b4 +PKG_HASH:=921ebe1cf4b6b9897e03779ab7a23a31f4ba40a1abe2067525c33cd3ce61fe85 PKG_MAINTAINER:=W. Michael Petullo PKG_LICENSE:=BSD-3-Clause diff --git a/net/lighttpd/patches/020-meson-mod_webdav_min.patch b/net/lighttpd/patches/020-meson-mod_webdav_min.patch index 6c7ab078e..bef6f2e56 100644 --- a/net/lighttpd/patches/020-meson-mod_webdav_min.patch +++ b/net/lighttpd/patches/020-meson-mod_webdav_min.patch @@ -9,7 +9,7 @@ Subject: [PATCH] [meson] mod_webdav_min w/o deps: xml2 sqlite3 uuid --- a/src/meson.build +++ b/src/meson.build -@@ -865,6 +865,16 @@ if libsasl.found() +@@ -879,6 +879,16 @@ if libsasl.found() ] endif diff --git a/net/lighttpd/patches/030-meson-check-FORCE_._CRYPTO.patch b/net/lighttpd/patches/030-meson-check-FORCE_._CRYPTO.patch deleted file mode 100644 index 6db289588..000000000 --- a/net/lighttpd/patches/030-meson-check-FORCE_._CRYPTO.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From e91ad65e4aacde815679c06cb687931dd7beb9b3 Mon Sep 17 00:00:00 2001 -From: Glenn Strauss -Date: Thu, 20 Apr 2023 21:27:36 -0400 -Subject: [PATCH] [meson] check FORCE_{WOLFSSL,MBEDTLS}_CRYPTO - ---- - src/meson.build | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - ---- a/src/meson.build -+++ b/src/meson.build -@@ -358,15 +358,19 @@ if get_option('with_mbedtls') - libmbedtls = [ compiler.find_library('mbedtls') ] - libmbedx509 = [ compiler.find_library('mbedx509') ] - libmbedcrypto = [ compiler.find_library('mbedcrypto') ] -- libcrypto = [ compiler.find_library('mbedcrypto') ] -+ if compiler.get_define('FORCE_WOLFSSL_CRYPTO') == '' -+ libcrypto = [ compiler.find_library('mbedcrypto') ] -+ endif - conf_data.set('HAVE_LIBMBEDCRYPTO', true) - endif - if get_option('with_nettle') - # manual search: - # header: nettle/nettle-types.h - # function: nettle_md5_init (-lnettle) -- libcrypto = [ dependency('nettle') ] -- conf_data.set('HAVE_NETTLE_NETTLE_TYPES_H', true) -+ if compiler.get_define('FORCE_WOLFSSL_CRYPTO') == '' and compiler.get_define('FORCE_MBEDTLS_CRYPTO') == '' -+ libcrypto = [ dependency('nettle') ] -+ conf_data.set('HAVE_NETTLE_NETTLE_TYPES_H', true) -+ endif - endif - if get_option('with_gnutls') - # manual search: diff --git a/net/lighttpd/patches/031-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch b/net/lighttpd/patches/031-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch deleted file mode 100644 index d50b2e90c..000000000 --- a/net/lighttpd/patches/031-mod_mbedtls-check-MBEDTLS_DEBUG_C.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -From 37cbdacda78f9df4aba4c39e60472025d93bb7ba Mon Sep 17 00:00:00 2001 -From: Glenn Strauss -Date: Fri, 28 Apr 2023 03:17:16 -0400 -Subject: [PATCH] [mod_mbedtls] check MBEDTLS_DEBUG_C for debug func - ---- - src/mod_mbedtls.c | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/src/mod_mbedtls.c -+++ b/src/mod_mbedtls.c -@@ -2357,9 +2357,11 @@ CONNECTION_FUNC(mod_mbedtls_handle_con_a - * overlap, and so this debug setting is not reset upon connection close. - * Once enabled, debug hook will remain so for this mbedtls_ssl_config */ - if (hctx->conf.ssl_log_noise) {/* volume level for debug message callback */ -+ #ifdef MBEDTLS_DEBUG_C - #if MBEDTLS_VERSION_NUMBER >= 0x02000000 /* mbedtls 2.0.0 */ - mbedtls_debug_set_threshold(hctx->conf.ssl_log_noise); - #endif -+ #endif - mbedtls_ssl_conf_dbg(hctx->ssl_ctx, mod_mbedtls_debug_cb, - (void *)(intptr_t)hctx->conf.ssl_log_noise); - } diff --git a/net/lighttpd/patches/032-meson-build-fix-for-builtin_mods.patch b/net/lighttpd/patches/032-meson-build-fix-for-builtin_mods.patch deleted file mode 100644 index 2375f8a71..000000000 --- a/net/lighttpd/patches/032-meson-build-fix-for-builtin_mods.patch +++ /dev/null @@ -1,20 +0,0 @@ -From 2fc157f37ea4644ba9ac776de1926b9e518ec42b Mon Sep 17 00:00:00 2001 -From: Glenn Strauss -Date: Sat, 29 Apr 2023 00:43:55 -0400 -Subject: [PATCH] [meson] build fix for builtin_mods - ---- - src/meson.build | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - ---- a/src/meson.build -+++ b/src/meson.build -@@ -656,7 +656,7 @@ executable('lighttpd-angel', - ) - - executable('lighttpd', configparser, -- sources: common_src + main_src, -+ sources: common_src + main_src + builtin_mods, - dependencies: [ common_flags, lighttpd_flags - , libattr - , libcrypto From a171b6a28c16bc927ee7abfc31acbbac183e39e7 Mon Sep 17 00:00:00 2001 
From: Glenn Strauss Date: Wed, 10 May 2023 20:50:08 -0400 Subject: [PATCH 07/18] lighttpd: select wolfssl for default cryptolib wolfssl has been a base TLS library in openwrt since 21.02 Default to wolfssl instead of Nettle for digest functions in lighttpd Signed-off-by: Glenn Strauss --- net/lighttpd/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile index 00616a237..d5b21c987 100644 --- a/net/lighttpd/Makefile +++ b/net/lighttpd/Makefile @@ -123,7 +123,7 @@ config LIGHTTPD_PCRE2 if PACKAGE_lighttpd choice prompt "crypto library" - default LIGHTTPD_CRYPTOLIB_NETTLE + default LIGHTTPD_CRYPTOLIB_WOLFSSL help library to use for cryptographic algorithms From f4152fccadc021b016b341526ddf83ddcf593ca1 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Wed, 10 May 2023 20:52:05 -0400 Subject: [PATCH 08/18] lighttpd: include mod_h2 in base package The next version of lighttpd will move HTTP/2 support from the lighttpd base executable into a separate module: mod_h2 Include patch to do so now, and update packaging to handle it. HTTP/2 support is enabled by default since lighttpd 1.4.59, but if HTTP/2 support is explicitly disabled in the configuration, then mod_h2 will not be loaded, thereby reducing lighttpd memory use. Signed-off-by: Glenn Strauss --- net/lighttpd/Makefile | 5 +- .../030-mod_h2-HTTP-2-separate-mod.patch | 87 +++++++++++++++++++ 2 files changed, 90 insertions(+), 2 deletions(-) create mode 100644 net/lighttpd/patches/030-mod_h2-HTTP-2-separate-mod.patch diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile index d5b21c987..7954afb8a 100644 --- a/net/lighttpd/Makefile +++ b/net/lighttpd/Makefile @@ -177,7 +177,7 @@ MESON_ARGS += \ -Dwith_zlib=$(if $(CONFIG_PACKAGE_lighttpd-mod-deflate),enabled,disabled) \ -Dwith_zstd=disabled -BASE_MODULES:=dirlisting +BASE_MODULES:=dirlisting h2 define Package/lighttpd/conffiles /etc/lighttpd/lighttpd.conf 
@@ -307,8 +307,9 @@ server.modules += ( \"mod_$(1)\" )" $$(1)/etc/lighttpd/conf.d/$(4)-$(1).conf ; \ $$(eval $$(call BuildPackage,lighttpd-mod-$(1))) endef -# included in BASE_MODULES:=dirlisting +# included in BASE_MODULES:=dirlisting h2 #$(eval $(call BuildPlugin,dirlisting,dirlisting,,30)) +#$(eval $(call BuildPlugin,h2,HTTP/2,,30)) # included in base lighttpd executable; # no longer loaded as separate dynamic modules diff --git a/net/lighttpd/patches/030-mod_h2-HTTP-2-separate-mod.patch b/net/lighttpd/patches/030-mod_h2-HTTP-2-separate-mod.patch new file mode 100644 index 000000000..652b214e4 --- /dev/null +++ b/net/lighttpd/patches/030-mod_h2-HTTP-2-separate-mod.patch 
@@ -0,0 +1,87 @@ +From 2892a7bf3f8ce92f41134fab25fbc2057f4a36bf Mon Sep 17 00:00:00 2001 +From: Glenn Strauss +Date: Wed, 10 May 2023 19:06:42 -0400 +Subject: [PATCH] [mod_h2] HTTP/2 separate module; no longer builtin + +--- + src/CMakeLists.txt | 3 --- + src/Makefile.am | 9 +++------ + src/SConscript | 4 +--- + src/meson.build | 3 --- + 4 files changed, 4 insertions(+), 15 deletions(-) + +--- a/src/CMakeLists.txt ++++ b/src/CMakeLists.txt +@@ -922,10 +922,7 @@ set(SERVER_SRC + response.c + connections.c + h1.c +- h2.c + sock_addr_cache.c +- ls-hpack/lshpack.c +- algo_xxhash.c + fdevent_impl.c + http_range.c + network.c +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -70,12 +70,10 @@ common_src=base64.c buffer.c burl.c log. + + common_src += fdevent_win32.c fs_win32.c + +-src = server.c response.c connections.c h1.c h2.c \ ++src = server.c response.c connections.c h1.c \ + sock_addr_cache.c \ + network.c \ + network_write.c \ +- ls-hpack/lshpack.c \ +- algo_xxhash.c \ + fdevent_impl.c \ + http_range.c \ + data_config.c \ +@@ -428,6 +426,8 @@ lighttpd_LDADD = \ + $(FAM_LIBS) $(LIBEV_LIBS) $(LIBUNWIND_LIBS) + lighttpd_LDFLAGS = -export-dynamic + ++lighttpd_SOURCES += h2.c ls-hpack/lshpack.c algo_xxhash.c ++lighttpd_LDADD += $(XXHASH_LIBS) + if BUILD_WITH_MAXMINDDB + lighttpd_SOURCES += mod_maxminddb.c + lighttpd_LDADD += $(MAXMINDDB_LIB) +@@ -489,9 +489,6 @@ lighttpd_SOURCES += mod_wolfssl.c + lighttpd_CPPFLAGS += $(WOLFSSL_CFLAGS) + lighttpd_LDADD += $(WOLFSSL_LIBS) + endif +-#(until switch to mod_h2) +-#lighttpd_SOURCES += h2.c ls-hpack/lshpack.c algo_xxhash.c +-#lighttpd_LDADD += $(XXHASH_LIBS) + + else + +--- a/src/SConscript ++++ b/src/SConscript +@@ -75,10 +75,8 @@ common_src = Split("base64.c buffer.c bu + ck.c \ + ") + +-src = Split("server.c response.c connections.c h1.c h2.c \ ++src = Split("server.c response.c connections.c h1.c \ + sock_addr_cache.c \ +- ls-hpack/lshpack.c \ +- algo_xxhash.c \ + fdevent_impl.c \ + http_range.c \ + network.c \ +--- 
a/src/meson.build ++++ b/src/meson.build +@@ -560,10 +560,7 @@ main_src = files( + 'connections.c', + 'data_config.c', + 'h1.c', +- 'h2.c', + 'sock_addr_cache.c', +- 'ls-hpack/lshpack.c', +- 'algo_xxhash.c', + 'fdevent_impl.c', + 'http_range.c', + 'network_write.c', From 391f0979475f0c7485f7ea3d09ca62c6f7287145 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Thu, 11 May 2023 01:34:59 -0400 Subject: [PATCH 09/18] lighttpd: select mbedtls for default cryptolib wolfssl has been the base TLS library in openwrt since 21.02 mbedtls will once again be the base TLS library in openwrt 23.?? Default to mbedtls for digest functions in lighttpd Signed-off-by: Glenn Strauss --- net/lighttpd/Makefile | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile index 7954afb8a..db2040e23 100644 --- a/net/lighttpd/Makefile +++ b/net/lighttpd/Makefile @@ -60,7 +60,7 @@ PKG_BUILD_DEPENDS:= \ include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/meson.mk -# choose crypto lib for lighttpd to use for crypto algorithms (default: nettle) +# choose crypto lib for lighttpd to use for crypto algorithms # (separate from lighttpd TLS modules, which are each standalone) cryptolibdep= \ +LIGHTTPD_CRYPTOLIB_NETTLE:libnettle \ @@ -69,8 +69,6 @@ cryptolibdep= \ ifdef CONFIG_LIGHTTPD_CRYPTOLIB_MBEDTLS TARGET_CPPFLAGS += -DFORCE_MBEDTLS_CRYPTO else ifdef CONFIG_LIGHTTPD_CRYPTOLIB_WOLFSSL - # (Note: if CONFIG_LIGHTTPD_CRYPTOLIB_WOLFSSL is set, - # then lighttpd-mod-mbedtls should not be selected to also be built) TARGET_CPPFLAGS += -DFORCE_WOLFSSL_CRYPTO endif @@ -123,7 +121,7 @@ config LIGHTTPD_PCRE2 if PACKAGE_lighttpd choice prompt "crypto library" - default LIGHTTPD_CRYPTOLIB_WOLFSSL + default LIGHTTPD_CRYPTOLIB_MBEDTLS help library to use for cryptographic algorithms From 24beb46bbef9acfd04993228d80caed1568e9142 Mon Sep 17 00:00:00 2001 
From: Christian Marangi Date: Sat, 13 May 2023 22:49:50 +0200 Subject: [PATCH 10/18] siit: fix compilation warning Fix compilation warning for stack limit and variable length array. Fix compilation warning: CC [M] /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/siit-1.2/siit.o ../siit-1.2/siit.c: In function 'ip4_fragment': ../siit-1.2/siit.c:988:9: error: ISO C90 forbids variable length array 'buff' [-Werror=vla] 988 | char buff[FRAG_BUFF_SIZE+hdr_len]; /* buffer to form new fragment packet */ | ^~~~ ../siit-1.2/siit.c: In function 'siit_xmit': ../siit-1.2/siit.c:1359:1: error: the frame size of 2144 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] 1359 | } | ^ cc1: all warnings being treated as errors Signed-off-by: Christian Marangi --- net/siit/src/siit.c | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/net/siit/src/siit.c b/net/siit/src/siit.c index 16bb02492..8a7350b8d 100644 --- a/net/siit/src/siit.c +++ b/net/siit/src/siit.c @@ -985,10 +985,10 @@ static int ip6_ip4(char *src, int len, char *dst, int include_flag) static int ip4_fragment(struct sk_buff *skb, int len, int hdr_len, struct net_device *dev, struct ethhdr *eth_h) { struct sk_buff *skb2 = NULL; /* pointer to new struct sk_buff for transleded packet */ - char buff[FRAG_BUFF_SIZE+hdr_len]; /* buffer to form new fragment packet */ + char *buff; /* buffer to form new fragment packet */ char *cur_ptr = skb->data+hdr_len; /* pointter to current packet data with len = frag_len */ struct iphdr *ih4 = (struct iphdr *) skb->data; - struct iphdr *new_ih4 = (struct iphdr *) buff; /* point to new IPv4 hdr */ + struct iphdr *new_ih4; /* point to new IPv4 hdr */ struct ethhdr *new_eth_h; /* point to ether hdr, need to set hard header data in fragment */ int data_len = len - hdr_len; /* origin packet data len */ int rest_len = data_len; /* rest data to fragment */ 
@@ -999,6 +999,8 @@ static int ip4_fragment(struct sk_buff *skb, int len, int hdr_len, struct net_de __u16 frag_offset = 0; /* fragment offset */ unsigned int csum; unsigned short udp_len; + int ret = 0; + #ifdef SIIT_DEBUG printk("siit: it's DF == 0 and result IPv6 packet will be > 1280\n"); @@ -1035,6 +1037,14 @@ static int ip4_fragment(struct sk_buff *skb, int len, int hdr_len, struct net_de new_id = ih4->id; + buff = kcalloc(FRAG_BUFF_SIZE+hdr_len, sizeof(*buff), GFP_KERNEL); + if (!buff) { + printk("siit: Failed to allocate buf\n"); + return -1; + } + + new_ih4 = (struct iphdr *) buff; + while(1) { if (rest_len <= FRAG_BUFF_SIZE) { /* it's last fragmen */ @@ -1072,7 +1082,8 @@ static int ip4_fragment(struct sk_buff *skb, int len, int hdr_len, struct net_de if (!skb2) { printk(KERN_DEBUG "%s: alloc_skb failure - packet dropped.\n", dev->name); dev_kfree_skb(skb2); - return -1; + ret = -1; + goto exit; } /* allocate skb->data portion for IP header len, fragment data len and ether header len * and copy to head ether header from origin skb @@ -1094,7 +1105,8 @@ static int ip4_fragment(struct sk_buff *skb, int len, int hdr_len, struct net_de /* call translation function */ if ( ip4_ip6(buff, frag_len+hdr_len, skb2->data, 0) == -1) { dev_kfree_skb(skb2); - return -1; + ret = -1; + goto exit; } /* @@ -1123,7 +1135,9 @@ static int ip4_fragment(struct sk_buff *skb, int len, int hdr_len, struct net_de frag_offset = (frag_offset*8 + frag_len)/8; } - return 0; +exit: + kfree(buff); + return ret; } /* * Transmit a packet (called by the kernel) @@ -1156,7 +1170,6 @@ static int siit_xmit(struct sk_buff *skb, struct net_device *dev) int len; /* original packets length */ int new_packet_len; int skb_delta = 0; /* delta size for allocate new skb */ - char new_packet_buff[2048]; /* Check pointer to sk_buff and device structs */ if (skb == NULL || dev == NULL) 
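Review bot: The `kcalloc(FRAG_BUFF_SIZE+hdr_len, sizeof(*buff), GFP_KERNEL)` added before the fragment loop in ip4_fragment may sleep, yet the function appears to be reached from siit_xmit, which the file describes as the transmit routine called by the kernel. Transmit routines normally run in atomic context, where a sleeping allocation is not allowed, so the flag should be `GFP_ATOMIC`: `buff = kcalloc(FRAG_BUFF_SIZE+hdr_len, sizeof(*buff), GFP_ATOMIC);`. The same applies to the `kcalloc(2048, sizeof(*new_packet_buff), GFP_KERNEL)` added to siit_xmit in the hunk at -1303. ip4_fragment's body starts and ends outside these hunks, so any `return` inside the loop that the diff does not show would now leak `buff` and should be routed through `exit:` as well.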
@@ -1303,6 +1316,14 @@ static int siit_xmit(struct sk_buff *skb, struct net_device *dev) * IPv6 paket */ else if (ntohs(skb->protocol) == ETH_P_IPV6) { + char *new_packet_buff; + + new_packet_buff = kcalloc(2048, sizeof(*new_packet_buff), GFP_KERNEL); + if (!new_packet_buff) { + printk(KERN_DEBUG "%s: alloc new_packet_buff failure, packet dropped.\n", dev->name); + siit_stats(dev)->rx_dropped++; + goto end; + } #ifdef SIIT_DEBUG siit_print_dump(skb->data, sizeof(struct ipv6hdr), "siit: (in) ip6_hdr dump"); @@ -1315,6 +1336,7 @@ static int siit_xmit(struct sk_buff *skb, struct net_device *dev) { PDEBUG("siit_xmit(): error translation ipv6->ipv4, packet dropped.\n"); siit_stats(dev)->rx_dropped++; + kfree(new_packet_buff); goto end; } @@ -1323,6 +1345,7 @@ static int siit_xmit(struct sk_buff *skb, struct net_device *dev) if (!skb2) { printk(KERN_DEBUG "%s: alloc_skb failure, packet dropped.\n", dev->name); siit_stats(dev)->rx_dropped++; + kfree(new_packet_buff); goto end; } memcpy(skb_put(skb2, new_packet_len + dev->hard_header_len), (char *)eth_h, dev->hard_header_len); From f9639f0dae9781d066544b40eb0f625d65a40d54 Mon Sep 17 00:00:00 2001 
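Review bot: `new_packet_buff` is released only on the two error paths touched here (translation failure and alloc_skb failure), and no `kfree(new_packet_buff)` is added after the `memcpy(skb_put(skb2, ...))` lines that consume the buffer. Each successfully translated IPv6 packet therefore appears to leak 2048 bytes of kernel memory. Because the pointer is declared inside the `else if (ntohs(skb->protocol) == ETH_P_IPV6)` block, the shared `end:` label cannot free it, so the release has to sit inside the block right after the last copy out of the buffer: `kfree(new_packet_buff);`. A per-packet leak in a forwarding path is a memory-exhaustion risk driven by traffic volume. The rest of the branch lies outside the hunks, so this should be confirmed against the full function.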
From: Oskari Rauta Date: Fri, 12 May 2023 08:39:28 +0300 Subject: [PATCH 11/18] netavark: add new package podman is moving from cni to netavark. Netavark supports currently only iptables, so I was in touch some time ago with mainstream maintainer and provided a "none" firewall driver - to make it possible to use netavark without firewalling features. Driver cannot be selected at this time without environment variable that selects it, so I made a config file for openwrt and a wrapper script that takes advantage of it. Available options are iptables, nftables and none - but selecting nftables just tells user that nftables isn't yet supported. firewall "none" driver is not yet included in release, so that's why we use git version instead. I chose latest commit instead of commit with none driver. Description: Netavark is a rust based network stack for containers. It is being designed to work with Podman but is also applicable for other OCI container management applications. Signed-off-by: Oskari Rauta --- net/netavark/Makefile | 51 +++++++++++++++++++++++++++++ net/netavark/files/netavark-config | 3 ++ net/netavark/files/netavark-wrapper | 6 ++++ 3 files changed, 60 insertions(+) create mode 100644 net/netavark/Makefile create mode 100644 net/netavark/files/netavark-config create mode 100755 net/netavark/files/netavark-wrapper diff --git a/net/netavark/Makefile b/net/netavark/Makefile new file mode 100644 index 000000000..cf43a655e --- /dev/null +++ b/net/netavark/Makefile 
@@ -0,0 +1,51 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=netavark +PKG_RELEASE:=1 + +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=https://github.com/containers/netavark.git +PKG_SOURCE_DATE:=2023-05-12 +PKG_SOURCE_VERSION:=07d63eadef1def977f2ece25b0f464f7e5d77be1 +PKG_MIRROR_HASH:=f7597d70528d039b984b2ecc6ef0e1f1c17aacfc7862907e5a79789ebe98aa89 + +PKG_MAINTAINER:=Oskari Rauta +PKG_LICENSE:=Apache-2.0 +PKG_LICENSE_FILES:=LICENSE + +PKG_BUILD_DEPENDS:= \ + rust/host \ + protobuf/host + +include $(INCLUDE_DIR)/package.mk +include ../../lang/rust/rust-package.mk + +define Package/netavark + SECTION:=net + CATEGORY:=Network + DEPENDS:=$(RUST_ARCH_DEPENDS) + TITLE:=A container network stack + URL:=https://github.com/containers/netavark +endef + +define Package/netavark/description + Netavark is a rust based network stack for containers. It is being designed to work with Podman but is also + applicable for other OCI container management applications. +endef + +define Package/netavark/conffiles +/etc/config/netavark +endef + +CARGO_VARS += \ + PROTOC=$(STAGING_DIR_HOSTPKG)/bin/protoc + +define Package/netavark/install + $(INSTALL_DIR) $(1)/etc/config $(1)/usr/lib/podman + $(INSTALL_CONF) ./files/netavark-config $(1)/etc/config/netavark + $(INSTALL_BIN) ./files/netavark-wrapper $(1)/usr/lib/podman/netavark + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/bin/netavark $(1)/usr/lib/podman/netavark-bin +endef + +$(eval $(call RustBinPackage,netavark)) +$(eval $(call BuildPackage,netavark)) diff --git a/net/netavark/files/netavark-config b/net/netavark/files/netavark-config new file mode 100644 index 000000000..c9c3796af --- /dev/null +++ b/net/netavark/files/netavark-config @@ -0,0 +1,3 @@ + +config firewall + option driver 'none' diff --git a/net/netavark/files/netavark-wrapper b/net/netavark/files/netavark-wrapper new file mode 100755 index 000000000..d072bb29b --- /dev/null +++ b/net/netavark/files/netavark-wrapper 
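Review bot: The new /etc/config/netavark ships `option driver 'none'` with no comment saying which values are accepted or what the default implies. Going by the commit description, `none` runs netavark without its firewalling features, so how container networks are filtered is left to the administrator's own firewall setup. Two comment lines above the option would make that visible to whoever edits the file: `# firewall driver for netavark: iptables, nftables (not yet supported) or none` and `# 'none': netavark installs no firewall rules for container networks`.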
@@ -0,0 +1,6 @@ +#!/bin/sh + +FW_DRIVER=$(uci -q get 'netavark.@firewall[0].driver') +[ -z "$FW_DRIVER" ] && FW_DRIVER="none" + +NETAVARK_FW="$FW_DRIVER" /usr/lib/podman/netavark-bin $@ From 9c1aee4ec16b47c0d272519224f10d93c3a88a12 Mon Sep 17 00:00:00 2001 From: Oskari Rauta Date: Fri, 12 May 2023 09:10:06 +0300 Subject: [PATCH 12/18] aardvark-dns: add new package aardvark-dns is companion for netavark, recent cni replacement on podman git version used instead of release, to maintain maximal compatibility with netavark, also using git version. Description: Aardvark-dns is an authoritative dns server for A/AAAA container records. It can forward other requests to configured resolvers. Signed-off-by: Oskari Rauta --- net/aardvark-dns/Makefile | 43 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 net/aardvark-dns/Makefile diff --git a/net/aardvark-dns/Makefile b/net/aardvark-dns/Makefile new file mode 100644 index 000000000..0af515c24 --- /dev/null +++ b/net/aardvark-dns/Makefile 
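Review bot: The last line of the wrapper passes `$@` unquoted, so any argument containing whitespace or glob characters is split or expanded by the shell before netavark-bin receives it. Quoting preserves the argument vector exactly as the caller supplied it: `NETAVARK_FW="$FW_DRIVER" /usr/lib/podman/netavark-bin "$@"`. The value read from uci is passed through to `NETAVARK_FW` without being checked against the drivers named in the commit description (iptables, nftables, none), so a typo in the config only surfaces inside netavark. A short `case` on `$FW_DRIVER` with a clear error message would make that failure easier to diagnose.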
@@ -0,0 +1,43 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=aardvark-dns +PKG_RELEASE:=1 + +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=https://github.com/containers/aardvark-dns.git +PKG_SOURCE_DATE:=2023-05-12 +PKG_SOURCE_VERSION:=6e06736707d8a84240858e968a54a083083e3a09 +PKG_MIRROR_HASH:=407d73c0a01b9fd6248a1ce058541707580db46a7d18f776780fe7922ba97391 + +PKG_MAINTAINER:=Oskari Rauta +PKG_LICENSE:=Apache-2.0 +PKG_LICENSE_FILES:=LICENSE + +PKG_BUILD_DEPENDS:=rust/host + +include $(INCLUDE_DIR)/package.mk +include ../../lang/rust/rust-package.mk + +define Package/aardvark-dns + SECTION:=net + CATEGORY:=Network + DEPENDS:=$(RUST_ARCH_DEPENDS) + TITLE:=authoritative dns server for container records + URL:=https://github.com/containers/aardvark-dns +endef + +define Package/aardvark-dns/description + Aardvark-dns is an authoritative dns server for A/AAAA container records. + It can forward other requests to configured resolvers. + + It is mostly intended to be used with Netavark which will + launch it automatically if both are installed. +endef + +define Package/aardvark-dns/install + $(INSTALL_DIR) $(1)/usr/lib/podman + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/bin/aardvark-dns $(1)/usr/lib/podman/ +endef + +$(eval $(call RustBinPackage,aardvark-dns)) +$(eval $(call BuildPackage,aardvark-dns)) From f95cd0b3873df94e062303e0396802a2b72837de Mon Sep 17 00:00:00 2001 From: Oskari Rauta Date: Fri, 12 May 2023 09:20:47 +0300 Subject: [PATCH 13/18] podman: update to 4.5.0 - added btrfs-tools as a build depency - switch from cni networking to recommended new standard, netavark. - drop iptables config option (netavark handles that now) - patch refreshed List of changes: https://github.com/containers/podman/releases 
Signed-off-by: Oskari Rauta --- utils/podman/Makefile | 24 ++++-------- .../files/87-podman-bridge-iptables.conflist | 37 ------------------- utils/podman/files/87-podman-bridge.conflist | 28 -------------- utils/podman/files/containers.conf | 6 +-- utils/podman/files/podman.json | 19 ++++++++++ .../patches/010-do-not-build-docs.patch | 4 +- 6 files changed, 30 insertions(+), 88 deletions(-) delete mode 100644 utils/podman/files/87-podman-bridge-iptables.conflist delete mode 100644 utils/podman/files/87-podman-bridge.conflist create mode 100644 utils/podman/files/podman.json diff --git a/utils/podman/Makefile b/utils/podman/Makefile index 441082cb0..961ffad07 100644 --- a/utils/podman/Makefile +++ b/utils/podman/Makefile @@ -1,18 +1,18 @@ include $(TOPDIR)/rules.mk PKG_NAME:=podman -PKG_VERSION:=4.4.2 +PKG_VERSION:=4.5.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/containers/podman/archive/v$(PKG_VERSION) -PKG_HASH:=59cec158438efa8a3e651b19e150d9afd90f7e3f07c30605a997e18b8c54b67c +PKG_HASH:=830a633630bf6e61f2b8d4ca00efdd9a173ef25cdd49d4a4364c293e088561df PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE PKG_MAINTAINER:=Oskari Rauta -PKG_BUILD_DEPENDS:=golang/host protobuf/host +PKG_BUILD_DEPENDS:=golang/host protobuf/host btrfs-progs PKG_BUILD_PARALLEL:=1 PKG_BUILD_FLAGS:=no-mips16 PKG_INSTALL:=1 @@ -39,7 +39,7 @@ define Package/podman CATEGORY:=Utilities TITLE:=Podman URL:=https://podman.io - DEPENDS:=$(GO_ARCH_DEPENDS) +conmon +cni +cni-plugins +btrfs-progs +glib2 +gnupg2 +uci-firewall +libgpg-error +libseccomp +libgpgme +nsenter +zoneinfo-simple +kmod-veth +PODMAN_SELINUX_SUPPORT:libselinux + DEPENDS:=$(GO_ARCH_DEPENDS) +conmon +libgpgme +libseccomp +nsenter +zoneinfo-simple +kmod-veth +slirp4netns +netavark +aardvark-dns +PODMAN_SELINUX_SUPPORT:libselinux endef define Package/podman/description 
@@ -53,10 +53,6 @@ define Package/podman/config bool "Enable SELinux support" default n - config PODMAN_IPTABLES_FW - bool "Add iptabels firewall options to default podman network" - default n - endmenu endef @@ -65,7 +61,7 @@ define Package/podman/conffiles /etc/containers/storage.conf /etc/containers/registries.conf /etc/containers/containers.conf -/etc/cni/net.d/87-podman-bridge.conflist +/etc/containers/networks/podman.json endef ifdef CONFIG_PODMAN_SELINUX_SUPPORT @@ -74,12 +70,6 @@ else GO_PKG_TAGS=seccomp,exclude_graphdriver_devicemapper,apparmor endif -ifdef CONFIG_PODMAN_IPTABLES_FW - CNIFILE:=87-podman-bridge-iptables.conflist -else - CNIFILE:=87-podman-bridge.conflist -endif - MAKE_VARS += \ GO_INSTALL_BIN_PATH="$(strip $(GO_PKG_INSTALL_BIN_PATH))" \ BUILD_DIR="$(PKG_BUILD_DIR)" \ @@ -126,8 +116,8 @@ define Package/podman/install $(INSTALL_DATA) $(DL_DIR)/registries.fedora-da9a9c8778 $(1)/etc/containers/registries.conf $(INSTALL_DATA) $(PKG_BUILD_DIR)/vendor/github.com/containers/storage/storage.conf $(1)/etc/containers/storage.conf $(INSTALL_DATA) ./files/containers.conf $(1)/etc/containers/containers.conf - $(INSTALL_DIR) $(1)/etc/cni/net.d - $(INSTALL_CONF) ./files/$(CNIFILE) $(1)/etc/cni/net.d/87-podman-bridge.conflist + $(INSTALL_DIR) $(1)/etc/containers/networks + $(INSTALL_CONF) ./files/podman.json $(1)/etc/containers/networks $(INSTALL_DIR) $(1)/usr/share/containers $(INSTALL_DATA) $(PKG_BUILD_DIR)/vendor/github.com/containers/common/pkg/seccomp/seccomp.json $(1)/usr/share/containers/ $(INSTALL_DIR) $(1)/etc/init.d diff --git a/utils/podman/files/87-podman-bridge-iptables.conflist b/utils/podman/files/87-podman-bridge-iptables.conflist deleted file mode 100644 index ef760a61b..000000000 --- a/utils/podman/files/87-podman-bridge-iptables.conflist +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "cniVersion": "0.4.0", - "name": "podman", - "plugins": [ - { - "type": "bridge", - "bridge": "cni-podman0", - "isGateway": true, - "ipMasq": true, - "hairpinMode": true, - "ipam": { - "type": "host-local", - "routes": [{ "dst": "0.0.0.0/0" }], - "ranges": [ - [ - { - "subnet": "10.88.0.0/16", - "gateway": "10.88.0.1" - } - ] - ] - } - }, - { - "type": "portmap", - "capabilities": { - "portMappings": true - } - }, - { - "type": "firewall" - }, - { - "type": "tuning" - } - ] -} diff --git a/utils/podman/files/87-podman-bridge.conflist b/utils/podman/files/87-podman-bridge.conflist deleted file mode 100644 index 4665abdba..000000000 --- a/utils/podman/files/87-podman-bridge.conflist +++ /dev/null @@ -1,28 +0,0 @@ -{ - "cniVersion": "0.4.0", - "name": "podman", - "plugins": [ - { - "type": "bridge", - "bridge": "cni-podman0", - "isGateway": true, - "ipMasq": true, - "hairpinMode": true, - "ipam": { - "type": "host-local", - "routes": [{ "dst": "0.0.0.0/0" }], - "ranges": [ - [ - { - "subnet": "10.88.0.0/16", - "gateway": "10.88.0.1" - } - ] - ] - } - }, - { - "type": "tuning" - } - ] -} diff --git a/utils/podman/files/containers.conf b/utils/podman/files/containers.conf index 3dbaab15f..13d3fb295 100644 --- a/utils/podman/files/containers.conf +++ b/utils/podman/files/containers.conf @@ -30,10 +30,8 @@ default_sysctls = [ ] [network] -cni_plugin_dirs = [ - "/usr/lib/cni" -] -network_config_dir = "/etc/cni/net.d/" +network_backend = "netavark" +network_config_dir = "/etc/containers/networks/" default_network = "podman" [engine] diff --git a/utils/podman/files/podman.json b/utils/podman/files/podman.json new file mode 100644 index 000000000..35e705579 --- /dev/null +++ b/utils/podman/files/podman.json 
@@ -0,0 +1,19 @@ +{ + "name": "podman", + "id": "5ef894788befd4d42498314b6e66282ca730aa2e1e82f9b9597bf4d1725ca074", + "driver": "bridge", + "network_interface": "podman0", + "created": "2023-02-20T08:56:34.652030952Z", + "subnets": [ + { + "subnet": "10.88.0.0/16", + "gateway": "10.88.0.1" + } + ], + "ipv6_enabled": false, + "internal": false, + "dns_enabled": true, + "ipam_options": { + "driver": "host-local" + } +} diff --git a/utils/podman/patches/010-do-not-build-docs.patch b/utils/podman/patches/010-do-not-build-docs.patch index 6f77e1b87..e67810052 100644 --- a/utils/podman/patches/010-do-not-build-docs.patch +++ b/utils/podman/patches/010-do-not-build-docs.patch @@ -1,6 +1,6 @@ --- a/Makefile +++ b/Makefile -@@ -206,7 +206,7 @@ GV_SHA=aab0ac9367fc5142f5857c36ac2352bcb +@@ -209,7 +209,7 @@ GV_SHA=aab0ac9367fc5142f5857c36ac2352bcb default: all .PHONY: all @@ -9,7 +9,7 @@ .PHONY: binaries ifeq ($(shell uname -s),FreeBSD) -@@ -797,7 +797,7 @@ package-install: package ## Install rpm +@@ -790,7 +790,7 @@ package-install: package ## Install rpm /usr/bin/podman info # will catch a broken conmon .PHONY: install From d3e10fd8235d8965a032bbe221f7693976c3f1ac Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Sat, 13 May 2023 23:56:18 +0200 Subject: [PATCH 14/18] netatop: fix compilation warning for kernel module Fix compilation warning for missing fallthrough. Fix compilation warning: /builder/shared-workdir/build/build_dir/target-mipsel_24kc_musl/netatop-3.1/module/netatop.c: In function 'getsockopt': /builder/shared-workdir/build/build_dir/target-mipsel_24kc_musl/netatop-3.1/module/netatop.c:1619:26: error: this statement may fall through [-Werror=implicit-fallthrough=] 1619 | tasktype = 'g'; | ~~~~~~~~~^~~~~ /builder/shared-workdir/build/build_dir/target-mipsel_24kc_musl/netatop-3.1/module/netatop.c:1621:12: note: here 1621 | case NETATOP_GETCNT_PID: | ^~~~ cc1: all warnings being treated as errors 
Signed-off-by: Christian Marangi --- .../100-fix-compilation-warning-fallthrough.patch | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 admin/netatop/patches/100-fix-compilation-warning-fallthrough.patch diff --git a/admin/netatop/patches/100-fix-compilation-warning-fallthrough.patch b/admin/netatop/patches/100-fix-compilation-warning-fallthrough.patch new file mode 100644 index 000000000..65de31e14 --- /dev/null +++ b/admin/netatop/patches/100-fix-compilation-warning-fallthrough.patch @@ -0,0 +1,11 @@ +--- a/module/netatop.c ++++ b/module/netatop.c +@@ -1617,7 +1617,7 @@ getsockopt(struct sock *sk, int cmd, void __user *user, int *len) + + case NETATOP_GETCNT_TGID: + tasktype = 'g'; +- // fall through ++ fallthrough; + case NETATOP_GETCNT_PID: + if (*len < sizeof(pid_t)) + return -EINVAL; From 2f86385ff56c4e204133dfeef9e0ec1cada6ba56 Mon Sep 17 00:00:00 2001 
From: Christian Marangi Date: Sun, 14 May 2023 15:56:08 +0200 Subject: [PATCH 15/18] libpfring: fix compilation warning Fix simple compilation warning with checking statically allocated variables and missing fallthrough. Fix compilation warning: /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/PF_RING-8.0.0/kernel/pf_ring.c: In function 'ring_release': /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/PF_RING-8.0.0/kernel/pf_ring.c:5489:6: error: the comparison will always evaluate as 'true' for the address of 'name' will never be NULL [-Werror=address] 5489 | && pfr->zc_device_entry->zc_dev.dev->name) { | ^~ In file included from ./include/linux/rtnetlink.h:7, from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/PF_RING-8.0.0/kernel/pf_ring.c:84: ./include/linux/netdevice.h:1986:33: note: 'name' declared here 1986 | char name[IFNAMSIZ]; | ^~~~ /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/PF_RING-8.0.0/kernel/pf_ring.c: In function 'ring_bind': /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/PF_RING-8.0.0/kernel/pf_ring.c:5620:18: error: the comparison will always evaluate as 'false' for the address of 'sa_data' will never be NULL [-Werror=address] 5620 | if(sa->sa_data == NULL) | ^~ In file included from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/PF_RING-8.0.0/kernel/pf_ring.c:82: ./include/linux/socket.h:34:25: note: 'sa_data' declared here 34 | char sa_data[14]; /* 14 bytes of protocol address */ | ^~~~~~~ /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/PF_RING-8.0.0/kernel/pf_ring.c: In function 'hash_pkt_cluster': 
/home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/PF_RING-8.0.0/kernel/pf_ring.c:3937:7: error: this statement may fall through [-Werror=implicit-fallthrough=] 3937 | if(l3_proto == IPPROTO_TCP) | ^ /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/PF_RING-8.0.0/kernel/pf_ring.c:3944:3: note: here 3944 | case cluster_per_flow_2_tuple: | ^~~~ cc1: all warnings being treated as errors Signed-off-by: Christian Marangi --- .../patches/100-fix-compilation-warning.patch | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 libs/libpfring/patches/100-fix-compilation-warning.patch diff --git a/libs/libpfring/patches/100-fix-compilation-warning.patch b/libs/libpfring/patches/100-fix-compilation-warning.patch new file mode 100644 index 000000000..18c72e734 --- /dev/null +++ b/libs/libpfring/patches/100-fix-compilation-warning.patch @@ -0,0 +1,30 @@ +--- a/kernel/pf_ring.c ++++ b/kernel/pf_ring.c +@@ -3940,7 +3940,7 @@ static int hash_pkt_cluster(ring_cluster_element *cluster_ptr, + break; + } + /* else, fall through, because it's like 2-tuple for non-TCP packets */ +- ++ fallthrough; + case cluster_per_flow_2_tuple: + case cluster_per_inner_flow_2_tuple: + flags |= mask_2_tuple; +@@ -5485,8 +5485,7 @@ static int ring_release(struct socket *sock) + remove_cluster_referee(pfr); + + if((pfr->zc_device_entry != NULL) +- && pfr->zc_device_entry->zc_dev.dev +- && pfr->zc_device_entry->zc_dev.dev->name) { ++ && pfr->zc_device_entry->zc_dev.dev) { + pfring_release_zc_dev(pfr); + } + +@@ -5617,8 +5616,6 @@ static int ring_bind(struct socket *sock, struct sockaddr *sa, int addr_len) + return(-EINVAL); + if(sa->sa_family != PF_RING) + return(-EINVAL); +- if(sa->sa_data == NULL) +- return(-EINVAL); + + memcpy(name, sa->sa_data, sizeof(sa->sa_data)); + From e15d9f75dac2888b9d863c6f2d1c19637631c1fb Mon Sep 17 00:00:00 2001 
From: Christian Marangi Date: Sun, 14 May 2023 16:03:20 +0200 Subject: [PATCH 16/18] dmx_usb_module: fix compilation warning Fix compilation warning due to wrong cast. In file included from ./include/linux/kernel.h:19, from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/dmx_usb_module-19.12.1/dmx_usb.c:16: /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/dmx_usb_module-19.12.1/dmx_usb.c: In function 'dmx_usb_write': ./include/linux/kern_levels.h:5:25: error: format '%d' expects argument of type 'int', but argument 4 has type 'size_t' {aka 'long unsigned int'} [-Werror=format=] 5 | #define KERN_SOH "\001" /* ASCII Start Of Header */ | ^~~~~~ ./include/linux/printk.h:422:25: note: in definition of macro 'printk_index_wrap' 422 | _p_func(_fmt, ##__VA_ARGS__); \ | ^~~~ /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/dmx_usb_module-19.12.1/dmx_usb.c:41:45: note: in expansion of macro 'printk' 41 | #define dbg(format, arg...) do { if (debug) printk(KERN_DEBUG __FILE__ ": " format "\n" , ## arg); } while (0) | ^~~~~~ ./include/linux/kern_levels.h:15:25: note: in expansion of macro 'KERN_SOH' 15 | #define KERN_DEBUG KERN_SOH "7" /* debug-level messages */ | ^~~~~~~~ /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/dmx_usb_module-19.12.1/dmx_usb.c:41:52: note: in expansion of macro 'KERN_DEBUG' 41 | #define dbg(format, arg...) do { if (debug) printk(KERN_DEBUG __FILE__ ": " format "\n" , ## arg); } while (0) | ^~~~~~~~~~ /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/dmx_usb_module-19.12.1/dmx_usb.c:409:9: note: in expansion of macro 'dbg' 409 | dbg("%s - minor %d, count = %d", __FUNCTION__, dev->minor, count); | ^~~ cc1: all warnings being treated as errors 
Signed-off-by: Christian Marangi
---
 .../100-fix-compilation-warning-wrong-cast.patch | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 libs/dmx_usb_module/patches/100-fix-compilation-warning-wrong-cast.patch
diff --git a/libs/dmx_usb_module/patches/100-fix-compilation-warning-wrong-cast.patch b/libs/dmx_usb_module/patches/100-fix-compilation-warning-wrong-cast.patch
new file mode 100644
index 000000000..413cb63ea
--- /dev/null
+++ b/libs/dmx_usb_module/patches/100-fix-compilation-warning-wrong-cast.patch
@@ -0,0 +1,11 @@
+--- a/dmx_usb.c
++++ b/dmx_usb.c
+@@ -406,7 +406,7 @@ static ssize_t dmx_usb_write (struct file *file, const char *buffer, size_t coun
+
+ dev = (struct dmx_usb_device *)file->private_data;
+
+- dbg("%s - minor %d, count = %d", __FUNCTION__, dev->minor, count);
++ dbg("%s - minor %d, count = %zu", __FUNCTION__, dev->minor, count);
+
+ /* lock this object */
+ down (&dev->sem);
From 7118a45a9b091439348cd5341bcd632e1b2a90e8 Mon Sep 17 00:00:00 2001
From: Christian Marangi Date: Sun, 14 May 2023 16:29:48 +0200 Subject: [PATCH 17/18] gl-mifi-mcu: fix compilation warning for conflicting function Module called the exit module function "exit", This conflicts with the stdlib header that use exit() to exit userspace program. Correctly assign a namespace to these functions. (init and exit) Fix compilation warning: warning: the compiler differs from the one used to build the kernel The kernel was built by: aarch64-openwrt-linux-musl-gcc (OpenWrt GCC 12.2.0 r21757+608-895f38ca1e) 12.2.0 You are using: aarch64-openwrt-linux-musl-gcc (OpenWrt GCC 12.2.0 r21757+1091-895f38ca1e) 12.2.0 CC [M] /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/gl-mifi-mcu-1/module.o /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/gl-mifi-mcu-1/module.c:196:20: error: conflicting types for built-in function 'exit'; expected 'void(int)' [-Werror=builtin-declaration-mismatch] 196 | static void __exit exit(void) | ^~~~ /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/gl-mifi-mcu-1/module.c:9:1: note: 'exit' is declared in header '' 8 | #include +++ |+#include 9 | cc1: all warnings being treated as errors Signed-off-by: Christian Marangi --- utils/gl-mifi-mcu/src/module.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/utils/gl-mifi-mcu/src/module.c b/utils/gl-mifi-mcu/src/module.c index 8f5a5146b..98fc7fab8 100755 --- a/utils/gl-mifi-mcu/src/module.c +++ b/utils/gl-mifi-mcu/src/module.c @@ -164,7 +164,7 @@ static enum hrtimer_restart handle_rx(struct hrtimer* timer) return result; } -static int __init init(void) +static int __init gl_mifi_mcu_init(void) { bool success = true; 
@@ -193,7 +193,7 @@ static int __init init(void) return success; } -static void __exit exit(void) +static void __exit gl_mifi_mcu_exit(void) { disable_irq(gpio_to_irq(gpio_rx)); hrtimer_cancel(&timer_tx); @@ -205,6 +205,6 @@ static void __exit exit(void) remove_proc_entry("gl_mifi_mcu", NULL); } -module_init(init); -module_exit(exit); +module_init(gl_mifi_mcu_init); +module_exit(gl_mifi_mcu_exit); From 25ef8616f073b8d90fe1a891adb9ad79c4b4c76b Mon Sep 17 00:00:00 2001 
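Review bot: The renamed `gl_mifi_mcu_init` still declares `bool success = true;` and ends with `return success;`, so on the success path an `int` module-init function returns 1 rather than 0. The kernel expects 0 or a negative errno from an init function, and if `success` is false the function returns 0, which presumably reports a failed setup as a successful load. Since the function is being touched anyway, the return should be mapped explicitly, for example `return success ? 0 : -ENODEV;` (the right errno depends on the failing step). The body between the two hunks is not visible, so how `success` is set is inferred from these two lines.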
From: Christian Marangi Date: Sun, 14 May 2023 16:48:38 +0200 Subject: [PATCH 18/18] xr_usb_serial_common: fix compilation warning Add patch fixing compilation warning due to unused function. Fix compilation warning: /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/usb-serial-xr_usb_serial_common-2022-03-30-ecc6ebe0/xr_usb_serial_common-1a/xr_usb_serial_common.c: In function 'xr_usb_serial_ctrl_irq': /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/usb-serial-xr_usb_serial_common-2022-03-30-ecc6ebe0/xr_usb_serial_common-1a/xr_usb_serial_common.c:261:28: error: unused variable 'tty' [-Werror=unused-variable] 261 | struct tty_struct *tty; | ^~~ /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/usb-serial-xr_usb_serial_common-2022-03-30-ecc6ebe0/xr_usb_serial_common-1a/xr_usb_serial_common.c: In function 'xr_usb_serial_process_read_urb': /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/usb-serial-xr_usb_serial_common-2022-03-30-ecc6ebe0/xr_usb_serial_common-1a/xr_usb_serial_common.c:393:28: error: unused variable 'tty' [-Werror=unused-variable] 393 | struct tty_struct *tty; | ^~~ /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/usb-serial-xr_usb_serial_common-2022-03-30-ecc6ebe0/xr_usb_serial_common-1a/xr_usb_serial_common.c: In function 'xr_usb_serial_softint': /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/usb-serial-xr_usb_serial_common-2022-03-30-ecc6ebe0/xr_usb_serial_common-1a/xr_usb_serial_common.c:468:28: error: unused variable 'tty' [-Werror=unused-variable] 468 | struct tty_struct *tty; | ^~~ 
/home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/usb-serial-xr_usb_serial_common-2022-03-30-ecc6ebe0/xr_usb_serial_common-1a/xr_usb_serial_common.c: In function 'xr_usb_serial_reset_resume': /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/usb-serial-xr_usb_serial_common-2022-03-30-ecc6ebe0/xr_usb_serial_common-1a/xr_usb_serial_common.c:1634:28: error: unused variable 'tty' [-Werror=unused-variable] 1634 | struct tty_struct *tty; | ^~~ cc1: all warnings being treated as errors Signed-off-by: Christian Marangi
---
 ...-compilation-warning-unused-function.patch | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 libs/xr_usb_serial_common/patches/100-fix-compilation-warning-unused-function.patch
diff --git a/libs/xr_usb_serial_common/patches/100-fix-compilation-warning-unused-function.patch b/libs/xr_usb_serial_common/patches/100-fix-compilation-warning-unused-function.patch
new file mode 100644
index 000000000..4e92f7a1d
--- /dev/null
+++ b/libs/xr_usb_serial_common/patches/100-fix-compilation-warning-unused-function.patch
@@ -0,0 +1,42 @@
+--- a/xr_usb_serial_common-1a/xr_usb_serial_common.c
++++ b/xr_usb_serial_common-1a/xr_usb_serial_common.c
+@@ -258,7 +258,9 @@ static void xr_usb_serial_ctrl_irq(struct urb *urb)
+ {
+ struct xr_usb_serial *xr_usb_serial = urb->context;
+ struct usb_cdc_notification *dr = urb->transfer_buffer;
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(3, 9, 0)
+ struct tty_struct *tty;
++#endif
+ unsigned char *data;
+ int newctrl;
+ int retval;
+@@ -390,7 +392,9 @@ static int xr_usb_serial_submit_read_urbs(struct xr_usb_serial *xr_usb_serial, g
+ }
+ static void xr_usb_serial_process_read_urb(struct xr_usb_serial *xr_usb_serial, struct urb *urb)
+ {
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(3, 9, 0)
+ struct tty_struct *tty;
++#endif
+ if (!urb->actual_length)
+ return;
+ #if LINUX_VERSION_CODE > KERNEL_VERSION(3, 9, 0)
+@@ -465,7 +469,9 @@ static void xr_usb_serial_write_bulk(struct urb *urb)
+ static void xr_usb_serial_softint(struct work_struct *work)
+ {
+ struct xr_usb_serial *xr_usb_serial = container_of(work, struct xr_usb_serial, work);
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(3, 9, 0)
+ struct tty_struct *tty;
++#endif
+
+ dev_vdbg(&xr_usb_serial->data->dev, "%s\n", __func__);
+ #if LINUX_VERSION_CODE > KERNEL_VERSION(3, 9, 0)
+@@ -1631,7 +1637,9 @@ err_out:
+ static int xr_usb_serial_reset_resume(struct usb_interface *intf)
+ {
+ struct xr_usb_serial *xr_usb_serial = usb_get_intfdata(intf);
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(3, 9, 0)
+ struct tty_struct *tty;
++#endif
+ if (tty_port_initialized(&xr_usb_serial->port)){
+ #if LINUX_VERSION_CODE > KERNEL_VERSION(3, 9, 0)
+ tty_port_tty_hangup(&xr_usb_serial->port, false);
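Review bot: Each added `#if LINUX_VERSION_CODE <= KERNEL_VERSION(3, 9, 0)` guard around `struct tty_struct *tty;` has to stay the exact complement of the `#if LINUX_VERSION_CODE > KERNEL_VERSION(3, 9, 0)` test at the use site, and that condition is now repeated in four functions. Marking the declaration instead, `struct tty_struct *tty __maybe_unused;`, silences the warning without a second copy of the version check. For `xr_usb_serial_ctrl_irq` the use of `tty` lies outside the hunk, so the complement there cannot be confirmed from this page. The file name and subject say "unused function" while the compiler error is `-Werror=unused-variable`; renaming the patch would match what it fixes.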