* fix validation for force_dns_port when missing in config
* fix validation for dns_instance when * or - are used
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Pcre (1) is unmaintained and reached its end of life in 2021.
The base system provides pcre2 exclusively since May.
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
Most distros allow dropping site configuration files into
/etc/sshd_config.d/ so that you don't have to tweak the main
server configuration file.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Add a new package for the OpenThread Border Router. Comes with a netifd
protocol handler. See README.md for more information.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
v0.19.4:
- No changes
v0.19.3:
- We now detect MySQL's strange, version-dependent my_bool type on configure.
- Add pkg-config definitions for gnunet messenger.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
I've noticed my AppleTV's refresh their leases ever minute unless
I explicitly force their renewal time higher, because it doesn't
default to 50% of the lease time.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This commit updates openvpn to version 2.6.5 and add DCO support.
There are several changes:
- Starting with version 2.6.0, the sources are only provided as .tar.gz
file.
- removed OPENVPN_<variant>_ENABLE_MULTIHOME:
multihome support is always included and cannot be disabled anymore
with 2.6.x.
- removed OPENVPN_<variant>_ENABLE_DEF_AUTH:
deferred auth support is always included and cannot be disabled
anymore with 2.6.x.
- removed OPENVPN_<variant>_ENABLE_PF:
PF (packet filtering) support was removed in 2.6.x.
- The internal lz4 library was removed in 2.6.x; we now use the liblz4
package if needed
- To increase reproducibility, _DATE_ is only used for development
builds and not in release builds in 2.6.x.
- wolfSSL support was integrated into upstream openvpn
- DES support was removed from openvpn
The first two wolfSSL patches were created following these 2 commits:
4cf01c8e43028b501734
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
The line to generate the argument list for 'simple connect' is quite
long and is not maintainable. To improve the handling a function
'append_param' was added for appending the 'simple connect' options.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Francisco Jose Alvarez <francisco.alvarez@galgus.net>
* Update commit head
* Rebase patch to the latest changes
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If on teardown the 'proto_notify_error' is set to 'MM_TEARDOWN_IN_PROGRESS',
then an error which is set on 'setup' is not visible in the ubus
network.interface.<iface> status output.
{
"up": false,
"pending": false,
"available": true,
"autostart": false,
"dynamic": false,
"proto": "modemmanager",
"data": {
},
"errors": [
{
"subsystem": "dualsim",
"code": "MM_TEARDOWN_IN_PROGRESS"
}
]
}
It alway shows the code 'MM_TEARDWON_IN_PROGRESS'!
By removing the line 'proto_notify_error "${interface}" MM_TEARDOWN_IN_PROGRESS'
in teardown, the last error is show in the proto stack from setup.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The tag is now prefixed with v; update PKG_SOURCE_URL and PKG_BUILD_DIR
to reflect this.
Drop upstreamed patches. Refresh leftover patch.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* fix permission to dnsmasq files for ad-blocking
* add pause function to pause the ad-blocking temporarily
* introduce pause_timeout option to control default pause time
* update default config and config-update file
* use $param instead of $1 in adb_start()
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Tor projects tries to migrate away from git.torproject.org [0,1]. We
need to adjust PKG_SOURCE and GO_PKG name. Further, we need to backport
patches to fix compiling on riscv64, so add:
- 0001-Bump-minimum-required-version-of-go.patch
- 0002-Update-dependencies.patch
Changelog:
2fa8fd9188
[0] - https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/86
[1] - 82cc0f38f7
Signed-off-by: Nick Hainke <vincent@systemli.org>
* supports allowing / blocking of certain VLAN forwards in segregated network environments,
set 'ban_vlanallow', ''ban_vlanblock' accordingly
* simplified the code/JSON to generate/parse the banIP status
* enclose nft related devices in quotation marks , e.g. to handle devices which starts with a number '10g-1'
* made the new vlan options available to LuCI (separate commit)
Signed-off-by: Dirk Brenken <dev@brenken.org>
This version includes support for Go 1.20 (specifically 1.20.5).
This also:
* Adds a workaround for musl 1.2.4 compatibility in mattn/go-sqlite3[1]
* Sets GO_PKG_BUILD_PKG to build the main binary (ooniprobe) only
* Updates the package license; the project was relicensed in 3.13.0[2]
[1]: https://github.com/mattn/go-sqlite3/issues/1164
[2]: https://github.com/ooni/probe-cli/pull/446
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* prevent superflous etag function calls during start action (on start backups will be used anyway)
* changed the ipthreat feed download URL (load a compressed file variant to save bandwidth)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* added HTTP ETag or entity tag support to download only ressources that have been updated on the server side,
to save bandwith and speed up banIP reloads
* added 4 new feeds: binarydefense, bruteforceblock, etcompromised, ipblackhole (see readme)
* updated the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Add new package to debug multicast setups. This is required to use
kselftests script for network testing.
net-mtools is used instead of mtools as it does conflicts with another
package that is also called mtools.
Some additional patch from Vladimir Oltean are added to make the tool
works on kernel selftests scripts.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
We currently have a more or less circular dependency with nginx ssl and
full variant.
FULL variant depends on every nginx module. Every nginx module depends
on nginx-ssl.
Since nginx-full depends on an nginx module, nginx-ssl is installed as
module depends on it and then the installation fails as nginx-full
conflicts with nginx-ssl.
nginx-full in it's meaning is nginx built with every config selected and
it should not have module as dependency. In fact an user should always
install them separetly as while other things, local modification to the
nginx config file are required to include the just installed module.
To fix this circular dependency problem, drop the dependency of every
nginx module for FULL variant.
Fixes: #21300
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This commit adds support for http/3. This is an experimental version
and isn't fully supported because nginx is being built with the regular
OpenSSL and the regular one doesn't support quic.
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
Update nginx to 1.25.1.
*) Feature: the "http2" directive, which enables HTTP/2 on a per-server
basis; the "http2" parameter of the "listen" directive is now
deprecated.
*) Change: HTTP/2 server push support has been removed.
*) Change: the deprecated "ssl" directive is not supported anymore.
*) Bugfix: in HTTP/3 when using OpenSSL.
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
[ improve commit title and add nginx changelog ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Backport a patch from upstream fixing wrong args handling with musl.
Before this patch non args must be passed at the end of the command due
to a musl limitation.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* update binaries to 1.7.2
* move sharedMemoryOutput variable declaration into output function as it doesn't
need to be global
* rename parse_yaml function to yaml_parse
* add TODOs for future development
* update copyright datestamps
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Fixes CVEs:
- CVE-2023-2828: The overmem cleaning process has been improved, to
prevent the cache from significantly exceeding the configured
max-cache-size limit.
- CVE-2023-2911: A query that prioritizes stale data over lookup
triggers a fetch to refresh the stale data in cache. If the fetch is
aborted for exceeding the recursion quota, it was possible for named
to enter an infinite callback loop and crash due to stack overflow.
The complete list of changes is available in the upstream release
notes at
https://ftp.isc.org/isc/bind9/cur/9.18/doc/arm/html/notes.html#notes-for-bind-9-18-16
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
* process local lists in strict sequential order to prevent possible race conditions
* support ranges in the IP search, too
* fix some minor search issues
Signed-off-by: Dirk Brenken <dev@brenken.org>
musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so
just having _GNU_SOURCE defined is not enough anymore.
Manually pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
`dnsdist-full` has all optional features enabled, but is a big package
in term of both flash and memory footprint.
`dnsdist` only keeps the features that make the most sense
on embeded devices, but can also be customised to match the
user's needs, up to the point where it matches `dnsdist-full`.
Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>
Major changes since version 3.1.1:
* Officially supports the 2019 version of IEEE 1588
* Improved unicast messaging
* Enhanced G.8275.2 profile
* More flexible Pulse Per Second (PPS) handling
* Virtual clock support
* Power profile support
* VLAN over bond support.
* Parallel Redundancy Protocol (PRP) trailer handling.
* Non-privileged read-only monitoring port.
* New statistics reporting.
[V2]
* reset package release
* adapt license name to the new format
Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@westermo.com>
* Support MAC-/IPv4/IPv6 ranges in CIDR notation
* Support concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments (see readme)
* small fixes & cosmetics
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
OpenELP is an open source EchoLink proxy for Linux and Windows. It aims
to be efficient and maintain a small footprint, while still implementing
all of the features present in the official EchoLink proxy.
Signed-off-by: Scott K Logan <logans@cottsay.net>
If an alias name is used for the modem, then a check if the device exists
in sysfs does not work. To fix this remove the check if the sysfs device
exists. The protocoll handler already checks if the modem is responsible
for this device on the next line.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
On small systems with many virtual devices, the modem manager sometimes
could not start because it took too long until all devices for the modem
were recognised. This is because all system events that are stored in
the file events.cache have to be processed. To speed up the processing,
all devices under /sys/devices/virtual are now filtered out so that they
do not have to be processed.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Fix a bug on installation of nginx-mod-luci where module.d directory
is not found and luci.module creation fails.
Correctly create empty directory for module.d include for dynamic module
loading by placing file in this directory.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
When using both ipv4 and ipv6 entries on the same host, ddns is clearing A
(or AAAA) record depending on the connection (ipv4 or ipv6).
see https://desec.readthedocs.io/en/latest/dyndns/update-api.html#determine-ip-addresses
Signed-off-by: Baptiste Fouques <bateast@duck.com>
Update comment and bump PKG_RELEASE number.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
In mesh communities, tunneldigger is widely used to create L2TPv3 tunnels
and mesh via them. Since the broker is typically installed on other
distributions, the openwrt broker package has not received any
maintenance in recent years [0]. I take now care of the further maintaince
of this package. Furthermore, I consulted with the maintainers to ensure
that they were comfortable with the change [1].
This PR is just a refactoring of the already existing opkg package from
wlanslovenija. It fixes config parsing and in general the config, adapts
to the new python syntax and fixes dependency handling.
- [0] https://github.com/wlanslovenija/firmware-packages-opkg/tree/master/net/tunneldigger-broker
- [1] https://github.com/wlanslovenija/firmware-packages-opkg/issues/24
Signed-off-by: Nick Hainke <vincent@systemli.org>
netavark v1.6.0 was released, so instead of using
git version, use release. Does not contain very
much of changes, but list is available from netavark's
commit log.
Software now comes with additional tool named
netavark-dhcp-proxy-client which is now included
in package.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Fix compilation error on kernel 6.1.
Fix compilation error:
In file included from /mnt/Data/Sources/openwrt/x-wrt/build_dir/target-aarch64_cortex-a72_musl/linux-bcm27xx_bcm2711/xtables-addons-3.24/extensions/LUA/controller.h:24,
from /mnt/Data/Sources/openwrt/x-wrt/build_dir/target-aarch64_cortex-a72_musl/linux-bcm27xx_bcm2711/xtables-addons-3.24/extensions/LUA/xt_LUA_target.c:27:
/mnt/Data/Sources/openwrt/x-wrt/build_dir/target-aarch64_cortex-a72_musl/linux-bcm27xx_bcm2711/xtables-addons-3.24/extensions/LUA/lua/lua.h:12:10: fatal error: stddef.h: No such file or directory
12 | #include <stddef.h>
| ^~~~~~~~~~
compilation terminated.
The error is caused by commit 04e85bbf71c9 ("isystem: delete global
-isystem compile option") present upstream from kernel 5.16. This
commit dropped the inclusion of system headers by default and caused
error on LUA module.
Following what is done in the commit for the required code, modify the
LUA Kbuild to include these header and restore correct compilation of
the LUA module.
Fixes: #21294
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
aardvark-dns v1.6.0 was released,
so instead of using git version, use release -
similarly like netavark.
Very much hasn't changed but list of changes
is in git commit log of aardvark-dns.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Bump nginx to new 1.25.0 release.
Changes:
*) Feature: experimental HTTP/3 support.
Every patch automatically refreshed.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Fix some problem with migration of uci conf template and include of
module.d directive.
Fix 2 case:
- uci.conf.template not versioned but with the include module.d
resulting in double include module.d
- uci.conf.template version 1.1 with the include module.d at the end
of the config. This is problematic for nginx as modules must be
included before any http directive.
Handle this 2 case to restore a working uci.conf.template configuration
on migrated config.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Bump uci conf template version to 1.2 to sync with nginx version
handling some migration problem.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
It's not possible to configure custom Transmission web home as corresponding
env var gets overwritten by the command that sets CA bundle env var.
Signed-off-by: Leonid Bogdanov <leonidbogdanov86@gmail.com>
In f8a8b71e26 openvpn introduced new hotplug events.
For server config, ipchange hotplug event produces an error.
So, make ipchange hotplug event for client only
Fixes https://github.com/openwrt/packages/issues/21200
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Update crowdsec to latest upstream release version 1.5.2
Signed-off-by: S. Brusch <ne20002@gmx.ch>
Maintainer: Kerma Gérald <gandalf@gk2.net>
Run tested: ipq40xx/generic, Fritzbox 4040, Openwrt 22.03.5
Description: update to latest version of upstream
* Optionally auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the
monitored suspicious IP, set 'ban_autoblocksubnet' accordingly (disabled by default).
For more information regarding RDAP see
https://www.ripe.net/manage-ips-and-asns/db/registration-data-access-protocol-rdap for reference.
* small fixes & cosmetics
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
speedtestcpp is a fork of Taganaka's speedtest, rewritten.
It has some improvements such as
- interactive result show
- use server recommended profiles, which makes it faster (can be disabled)
- and more..
It also provides it's functions in shared and static libraries
and offers development headers for integrating speedtest to
features to another projects.
This commit replaces speedtestpp since this fork has
all the same features + more.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Make modules follow a naming convention, which enables:
1. Inline ADDITIONAL_MODULES into CONFIGURE_ARGS
2. Consolidate some parts of Quilt and Download for each module into
BuildModule
Signed-off-by: Glen Huang <me@glenhuang.com>
[ fix conflict error ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
OpenWrt core has a package called ustp which is an OpenWrt adaptation (from
mstpd) for OpenWrt (using libubox, libubus, etc).
No sense in keeping mstpd anymore.
We can just update ustp.
Also, if mstpd has any updates, they can be ported over to ustp too.
Abandoned PR:
https://github.com/openwrt/packages-abandoned/pull/30
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
* update to a new upstream commit, fixes#19366
* update patches/010-cmakelists-remove-cflags.patch as upstream file was update
* remove patches/020-cmakelists-add-version.patch as version is now set elsewhere
* add patches/020-src-options.c-add-version.patch to set the version information
* adjust PROCD START time to 95
Signed-off-by: Stan Grishin <stangri@melmac.ca>
This version includes support for Python 3.11.
This also:
* Updates Build/Compile to only build selected subpackages.
* Removes the submenu in menuconfig; there are too few subpackages to
justify the extra complexity.
Fixes: https://github.com/openwrt/packages/issues/21163
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
and also fix build error:
Package ocserv is missing dependencies for the following libraries:
liboath.so.0
Signed-off-by: Thlv Alivs <zgmzzzz18@gmail.com>
Without it, nginx could complain about incompatible dynamic modules
Signed-off-by: Glen Huang <me@glenhuang.com>
[ fix conflict error on cherry-pick ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Introduce support for migration of old uci conf template to new version.
Uci conf template are saved in config backup. This cause problem on config
restore as old config template might have compatibility problem with new
nginx implementation.
Add logic to migrate the template script at runtime to correctly align
to latest change from nginx and nginx-util.
Fixes: 65a676ed56 ("nginx: introduce support for dynamic modules")
Fixes: #20904
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Add versioning to UCI conf template as a commented version.
This permits the introduction of migration script since the template is
saved and restored config restore. The migration script are handled by
nginx init.d script.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
OpenVPN supports more hooks than just 'up' and 'down'. Especially
reacting to 'route-up' and 'route-pre-down' events could be important.
When routing table changes, it can make sense to adapt firewall, run
some tests or change even more routes. This change passes those events
to hotplug, so it is easy to react to them without changing
configuration files provided by VPN provider.
Signed-off-by: Michal Hrusecky <michal.hrusecky@turris.com>
Allows user to provide a token for Cloudflare tunnel.
When provided along with credentials, this will take precedence.
Signed-off-by: Scott McKenzie <scott@noizyland.net>
If the build host has the Go compiler installed, then configure will
detect this and will try to compile gensio's Go support, leading to a
build failure.
This disables Go support entirely to fix this build failure.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Update crowdsec to latest upstream release version 1.5.1
Signed-off-by: S. Brusch <ne20002@gmx.ch>
Maintainer: Kerma Gérald <gandalf@gk2.net>
Run tested: ipq40xx/generic, Fritzbox 4040, Openwrt 22.03.5
Description: update to latest version of upstream
musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so
just having _GNU_SOURCE defined is not enough anymore.
Manually pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
keylength, being an acme.sh value type, uses pure numbers for rsa keys.
This can be disorienting for other acme clients. This change introduces
a new option "key_type" that aims to remove this ambiguity, and makes
all key type names follow the same pattern, making acme-common more
client agnostic.
Signed-off-by: Glen Huang <me@glenhuang.com>
_LARGEFILE64_SOURCE has to be defined in the source, or CFLAGS can be used
to pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions.
Fixes errors in the form of:
Building targets
github.com/mattn/go-sqlite3
sqlite3-binding.c:35901:42: error: 'pread64' undeclared here (not in a function); did you mean 'pread'?
35901 | { "pread64", (sqlite3_syscall_ptr)pread64, 0 },
| ^~~~~~~
| pread
sqlite3-binding.c:35919:42: error: 'pwrite64' undeclared here (not in a function); did you mean 'pwrite'?
35919 | { "pwrite64", (sqlite3_syscall_ptr)pwrite64, 0 },
| ^~~~~~~~
| pwrite
sqlite3-binding.c: In function 'seekAndRead':
sqlite3-binding.c:35905:49: error: unknown type name 'off64_t'; did you mean 'off_t'?
35905 | #define osPread64 ((ssize_t(*)(int,void*,size_t,off64_t))aSyscall[10].pCurrent)
| ^~~~~~~
sqlite3-binding.c:38767:11: note: in expansion of macro 'osPread64'
38767 | got = osPread64(id->h, pBuf, cnt, offset);
| ^~~~~~~~~
sqlite3-binding.c:35905:58: error: expected ')' before 'aSyscall'
35905 | #define osPread64 ((ssize_t(*)(int,void*,size_t,off64_t))aSyscall[10].pCurrent)
| ~ ^~~~~~~~
sqlite3-binding.c:38767:11: note: in expansion of macro 'osPread64'
38767 | got = osPread64(id->h, pBuf, cnt, offset);
| ^~~~~~~~~
sqlite3-binding.c: In function 'seekAndWriteFd':
sqlite3-binding.c:35923:57: error: unknown type name 'off64_t'; did you mean 'off_t'?
35923 | #define osPwrite64 ((ssize_t(*)(int,const void*,size_t,off64_t))\
| ^~~~~~~
sqlite3-binding.c:38896:17: note: in expansion of macro 'osPwrite64'
38896 | do{ rc = (int)osPwrite64(fd, pBuf, nBuf, iOff);}while( rc<0 && errno==EINTR);
| ^~~~~~~~~~
sqlite3-binding.c:35924:21: error: expected ')' before 'aSyscall'
35924 | aSyscall[13].pCurrent)
| ^~~~~~~~
sqlite3-binding.c:38896:17: note: in expansion of macro 'osPwrite64'
38896 | do{ rc = (int)osPwrite64(fd, pBuf, nBuf, iOff);}while( rc<0 && errno==EINTR);
| ^~~~~~~~~~
sqlite3-binding.c:35923:21: note: to match this '('
35923 | #define osPwrite64 ((ssize_t(*)(int,const void*,size_t,off64_t))\
| ^
sqlite3-binding.c:38896:17: note: in expansion of macro 'osPwrite64'
38896 | do{ rc = (int)osPwrite64(fd, pBuf, nBuf, iOff);}while( rc<0 && errno==EINTR);
| ^~~~~~~~~~
make[2]: *** [Makefile:153: /home/nick/openwrt/build_dir/target-aarch64_cortex-a53_musl/crowdsec-1.4.6/.built] Error 1
make[2]: Leaving directory '/home/nick/openwrt/feeds/packages/net/crowdsec'
Signed-off-by: Nick Hainke <vincent@systemli.org>
ACME clients shouldn't deal with deprecated values. They should be
processed by acme-common.
Reformatting is done by shfmt.
Signed-off-by: Glen Huang <me@glenhuang.com>
musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so
just having _GNU_SOURCE defined is not enough anymore.
Manually pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
OpenSSH 9.1p1 removed remaining dependencies and stopped linking sftp,
sftp-server and scp against libcrypto or libz. This change moves those
package dependencies from the default to those that still need them.
In particular, this will allow sftp-server to be installed for use with
Dropbear without needing to install zlib or openssl.
Signed-off-by: Darren Tucker <dtucker@dtucker.net>
fa35c29 Xtables-addons 3.24
9db4d8d DHCPMAC: resolve cppcheck warnings
4599c30 ipv4options: resolve cppcheck warnings
5a714b6 geoip: set autoflush on stdout
f16ed5c geoip: Use stdout for output and stderr for errors/diag
a711985 build: resolve compiler warnings with gcc-13
97181e3 doc, src: improve spelling
30ddb4f doc, src: improve spelling
f3f8155 xt_geoip: bump number of territories per rule
e426ad9 Xtables-addons 3.23
51761c3 build: support for Linux 6.2
409cb5a build: replace `AC_DISABLE_STATIC` macro with an argument to `LT_INIT`
0454ff6 build: replace obsolete `AC_PROG_LIBTOOL` macro with `LT_INIT`
5b3fae8 Xtables-addons 3.22
71396f9 build: support for Linux 6.1
7ad55ad build: eliminate geoip/ make recursion
b950dae build: fix failure to recurse into asn/
cd77880 xt_asn: new module
Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
[ add changelog from 3.21 to 3.24 ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Use kcalloc and remove conflicting #include <stdarg.h> to fix
the following build warnings treated as errors since b2d1eb7:
error: ISO C90 forbids variable length array 'buf' [-Werror=vla]
error: "va_start" redefined [-Werror]
error: "va_arg" redefined [-Werror]
error: "va_copy" redefined [-Werror]
getstr(s)==NULL is always false
/home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/byte_array.c: In function 'byte_array_to_string':
/home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/byte_array.c:110:9: error: ISO C90 forbids variable length array 'buf' [-Werror=vla]
110 | uint8_t buf[(array->length * 3) + 255];
| ^~~~~~~
/home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/byte_array.c:112:9: error: ISO C90 forbids variable length array 'res' [-Werror=vla]
112 | char res[255 + (array->length * 3)]; /* make sure the buffer is big enough*/
| ^~~~
cc1: all warnings being treated as errors
In file included from ./include/linux/string.h:9,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/include/string.h:1,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/ldebug.c:10:
./include/linux/stdarg.h:6: error: "va_start" redefined [-Werror]
6 | #define va_start(v, l) __builtin_va_start(v, l)
|
CC [M] /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lstrlib.o
In file included from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/ldebug.c:8:
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:47: note: this is the location of the previous definition
47 | #define va_start(v,l) __builtin_va_start(v,l)
|
./include/linux/stdarg.h:8: error: "va_arg" redefined [-Werror]
8 | #define va_arg(v, T) __builtin_va_arg(v, T)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:49: note: this is the location of the previous definition
49 | #define va_arg(v,l) __builtin_va_arg(v,l)
|
./include/linux/stdarg.h:9: error: "va_copy" redefined [-Werror]
9 | #define va_copy(d, s) __builtin_va_copy(d, s)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:52: note: this is the location of the previous definition
52 | #define va_copy(d,s) __builtin_va_copy(d,s)
|
CC [M] /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/ltable.o
In file included from ./include/linux/kernel.h:5,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/luaconf.h:16,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:15,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/ldump.c:12:
./include/linux/stdarg.h:6: error: "va_start" redefined [-Werror]
6 | #define va_start(v, l) __builtin_va_start(v, l)
|
In file included from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:12:
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:47: note: this is the location of the previous definition
47 | #define va_start(v,l) __builtin_va_start(v,l)
|
./include/linux/stdarg.h:8: error: "va_arg" redefined [-Werror]
8 | #define va_arg(v, T) __builtin_va_arg(v, T)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:49: note: this is the location of the previous definition
49 | #define va_arg(v,l) __builtin_va_arg(v,l)
|
./include/linux/stdarg.h:9: error: "va_copy" redefined [-Werror]
9 | #define va_copy(d, s) __builtin_va_copy(d, s)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:52: note: this is the location of the previous definition
52 | #define va_copy(d,s) __builtin_va_copy(d,s)
|
In file included from ./include/linux/kernel.h:5,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/luaconf.h:16,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:15,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lfunc.c:13:
./include/linux/stdarg.h:6: error: "va_start" redefined [-Werror]
6 | #define va_start(v, l) __builtin_va_start(v, l)
|
In file included from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:12:
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:47: note: this is the location of the previous definition
47 | #define va_start(v,l) __builtin_va_start(v,l)
|
./include/linux/stdarg.h:8: error: "va_arg" redefined [-Werror]
8 | #define va_arg(v, T) __builtin_va_arg(v, T)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:49: note: this is the location of the previous definition
49 | #define va_arg(v,l) __builtin_va_arg(v,l)
|
./include/linux/stdarg.h:9: error: "va_copy" redefined [-Werror]
9 | #define va_copy(d, s) __builtin_va_copy(d, s)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:52: note: this is the location of the previous definition
52 | #define va_copy(d,s) __builtin_va_copy(d,s)
|
In file included from ./include/linux/kernel.h:5,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/luaconf.h:16,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:15,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lmem.c:13:
./include/linux/stdarg.h:6: error: "va_start" redefined [-Werror]
6 | #define va_start(v, l) __builtin_va_start(v, l)
|
In file included from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:12:
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:47: note: this is the location of the previous definition
47 | #define va_start(v,l) __builtin_va_start(v,l)
|
./include/linux/stdarg.h:8: error: "va_arg" redefined [-Werror]
8 | #define va_arg(v, T) __builtin_va_arg(v, T)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:49: note: this is the location of the previous definition
49 | #define va_arg(v,l) __builtin_va_arg(v,l)
|
./include/linux/stdarg.h:9: error: "va_copy" redefined [-Werror]
9 | #define va_copy(d, s) __builtin_va_copy(d, s)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:52: note: this is the location of the previous definition
52 | #define va_copy(d,s) __builtin_va_copy(d,s)
|
In file included from ./include/linux/kernel.h:5,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/include/stdio.h:1,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lobject.c:10:
./include/linux/stdarg.h:6: error: "va_start" redefined [-Werror]
6 | #define va_start(v, l) __builtin_va_start(v, l)
|
In file included from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lobject.c:7:
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:47: note: this is the location of the previous definition
47 | #define va_start(v,l) __builtin_va_start(v,l)
|
./include/linux/stdarg.h:8: error: "va_arg" redefined [-Werror]
8 | #define va_arg(v, T) __builtin_va_arg(v, T)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:49: note: this is the location of the previous definition
49 | #define va_arg(v,l) __builtin_va_arg(v,l)
|
./include/linux/stdarg.h:9: error: "va_copy" redefined [-Werror]
9 | #define va_copy(d, s) __builtin_va_copy(d, s)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:52: note: this is the location of the previous definition
52 | #define va_copy(d,s) __builtin_va_copy(d,s)
|
In file included from ./include/linux/kernel.h:5,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/luaconf.h:16,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:15,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/llimits.h:12,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lopcodes.h:10,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lopcodes.c:11:
./include/linux/stdarg.h:6: error: "va_start" redefined [-Werror]
6 | #define va_start(v, l) __builtin_va_start(v, l)
|
In file included from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:12:
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:47: note: this is the location of the previous definition
47 | #define va_start(v,l) __builtin_va_start(v,l)
|
./include/linux/stdarg.h:8: error: "va_arg" redefined [-Werror]
8 | #define va_arg(v, T) __builtin_va_arg(v, T)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:49: note: this is the location of the previous definition
49 | #define va_arg(v,l) __builtin_va_arg(v,l)
|
./include/linux/stdarg.h:9: error: "va_copy" redefined [-Werror]
9 | #define va_copy(d, s) __builtin_va_copy(d, s)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:52: note: this is the location of the previous definition
52 | #define va_copy(d,s) __builtin_va_copy(d,s)
|
In file included from ./include/linux/kernel.h:5,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/luaconf.h:16,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:15,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lstate.c:13:
./include/linux/stdarg.h:6: error: "va_start" redefined [-Werror]
6 | #define va_start(v, l) __builtin_va_start(v, l)
|
In file included from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:12:
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:47: note: this is the location of the previous definition
47 | #define va_start(v,l) __builtin_va_start(v,l)
|
./include/linux/stdarg.h:8: error: "va_arg" redefined [-Werror]
8 | #define va_arg(v, T) __builtin_va_arg(v, T)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:49: note: this is the location of the previous definition
49 | #define va_arg(v,l) __builtin_va_arg(v,l)
|
./include/linux/stdarg.h:9: error: "va_copy" redefined [-Werror]
9 | #define va_copy(d, s) __builtin_va_copy(d, s)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:52: note: this is the location of the previous definition
52 | #define va_copy(d,s) __builtin_va_copy(d,s)
|
/home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/ldump.c: In function 'DumpString':
/home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/ldump.c:63:26: error: the comparison will always evaluate as 'false' for the pointer operand in 's + 24' must not be NULL [-Werror=address]
63 | if (s==NULL || getstr(s)==NULL)
| ^~
cc1: all warnings being treated as errors
Fixes: #20993Fixes: #21006
Co-developed-by: Chen Minqiang <ptpt52@gmail.com>
Co-developed-by: Christian Marangi <ansuelsmth@gmail.com>
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
aardvark-dns is companion for netavark, recent cni replacement on podman
git version used instead of release, to maintain maximal compatibility
with netavark, also using git version.
Description:
Aardvark-dns is an authoritative dns server for A/AAAA container records.
It can forward other requests to configured resolvers.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
podman is moving from cni to netavark. Netavark supports currently
only iptables, so I was in touch some time ago with mainstream
maintainer and provided a "none" firewall driver - to make it possible
to use netavark without firewalling features. Driver cannot be selected
at this time without environment variable that selects it, so I made
a config file for openwrt and a wrapper script that takes advantage of
it.
Available options are iptables, nftables and none - but selecting
nftables just tells user that nftables isn't yet supported.
firewall "none" driver is not yet included in release, so that's why
we use git version instead. I chose latest commit instead of commit
with none driver.
Description:
Netavark is a rust based network stack for containers.
It is being designed to work with Podman but is also applicable for other OCI container management applications.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Fix compilation warning for stack limit and variable length array.
Fix compilation warning:
CC [M] /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/siit-1.2/siit.o
../siit-1.2/siit.c: In function 'ip4_fragment':
../siit-1.2/siit.c:988:9: error: ISO C90 forbids variable length array 'buff' [-Werror=vla]
988 | char buff[FRAG_BUFF_SIZE+hdr_len]; /* buffer to form new fragment packet */
| ^~~~
../siit-1.2/siit.c: In function 'siit_xmit':
../siit-1.2/siit.c:1359:1: error: the frame size of 2144 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
1359 | }
| ^
cc1: all warnings being treated as errors
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
wolfssl has been the base TLS library in openwrt since 21.02
mbedtls will once again be the base TLS library in openwrt 23.??
Default to mbedtls for digest functions in lighttpd
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
The next version of lighttpd will move HTTP/2 support from the lighttpd
base executable into a separate module: mod_h2
Include patch to do so now, and update packaging to handle it.
HTTP/2 support is enabled by default since lighttpd 1.4.59, but if
HTTP/2 support is explicitly disabled in the configuration, then mod_h2
will not be loaded, thereby reducing lighttpd memory use.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
wolfssl has been a base TLS library in openwrt since 21.02
Default to wolfssl instead of Nettle for digest functions in lighttpd
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
* made the fetch utility function/autodetection more bullet proof
* no longer add suspicious IPs to the local blocklist when the nft set timeout has been set
* restructure internal functions & small fixes
Signed-off-by: Dirk Brenken <dev@brenken.org>
* add missing space in str_contains
* unquote variable to make sure IPv6 rotues are added
* add IPv6 routes display to status output in nft mode
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Function start_service() is called whenever service may need reloading.
If SMB server is not running it could be simply because it has been
stopped. Reloading service in such case is not an error so:
1. Don't log error as it isn't one
2. Don't exit with error code as it was confusing procd
This change fixes scenario like:
/etc/init.d/ksmbd stop
/etc/init.d/wsdd2 reload
(previously above wasn't stopping wsdd2)
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Set the score value to the maximum value when the connected function is
called. The same happens with a disconnected event, the score value is
there set to zero.
Suggested-by: Anna Tikhomirova <vamp@vampik.ru>
Suggested-by: Maxim Mikityanskiy <maxtram95@gmail.com>
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Refactoring the score handling, so that only one action could take place
during run. The behaviour should be more comprehensible, since several
score actions are not processed at the same time.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* use shared memory to store output data
* add family option to firewall json objects, due to reports that IPv6 hijacking
doesn't work without explicit family declaration
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* add support for external allowlist URLs to reference additional IPv4/IPv6 feeds, set 'ban_allowurl' accordingly
* make download retries in case of an error configurable, set 'ban_fetchretry' accordingly (default 5)
* small fixes
* readme update
* LuCI update (separate commit)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Fix compilation error for stream module not converted to use the PACKAGE
config flag and a missing required dependency for the DAV ext module.
Drop additional config for STREAM module since they are now included and
built by default.
Fixes: 65a676ed56 ("nginx: introduce support for dynamic modules")
Fixes: #20906
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* suppress RTNETLINK errors when inserting ipv6 routes
* only display global scope IPv6 gateways in status/WebUI
* stop and disable vpn-policy-routing when migrating
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* add housekeeping to the autoallow function, only the current uplink will be held
* fix small issues
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
Addition of routes to mwan3_connected ipset is broken. The ipset name was
changed from mwan3_connected_v4/6 to mwan3_connected_ipv4/6, but this
change was not reflected in mwan3rtmon.
Signed-off-by: Anna Tikhomirova <vamp@vampik.ru>
* Update commit message
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Addition of iptables rules for mwan3 sticky rules is broken, resulting
in non-working sticky rules. The required parameters for the function
'mwan3_set_sticky_iptables' were passed in the wrong order.
Signed-off-by: Anna Tikhomirova <vamp@vampik.ru>
* Update commit message
* Quoting function arguments
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* add the option 'ban_autoallowuplink' to limit the uplink autoallow function: 'subnet' (default), 'ip' or 'disable'
Signed-off-by: Dirk Brenken <dev@brenken.org>
*** MAKEFILE ***
* remove libubus dependency as it was causing issues
https://forum.openwrt.org/t/policy-based-routing-pbr-package-discussion/140639/318
* move firewall hotplug directory/file creation out of default section into
pbr and pbr-iptables packages sections in preparation for dropping it from pbr
* fix no new line after output when uninstalling packages
*** UCI-DEFAULTS ***
* only add firewall include to firewall config if the include file exists
* add shellcheck exception to netifd uci-defaults file
*** SCRIPTS ***
* more informative logging for firewall and iface hotplug scripts
* more informative logging for firewall include script
*** SERVICE ***
* introduce lock-file to prevent package starting on external events if it hasn't
been auto- or manually started before
* use the `ip`, not `ip-full` command to prevent errors on OpenWrt 21.02
* parse firewall WAN zone to append list of interfaces
* append error and warning "arrays" with new messages
* used shared memory to store the service output/logging messages
* improve is_ovpn function to filter out false positives when interface names started
with `tun`
* introduce is_valid_ovpn to find OpenVPN tunnels where the device name in OpenVPN config
matches the device name in network config
* introduce opkg_get_version to compare versions of principal and luci packages
* better code to obtain AdGuardHome version with betas installed
* optimize code and add better logging for errors when inserting policies with iptables
* optimize code and add better logging for errors when inserting policies with nft
* bugfix: insert policies in all specified protocols
* bugfix: support using physical devices in policies in nft mode
* bugfix: use iptPrefix, not nftPrefix in iptables commands
* implement Tor support in nft mode
* bugfix: fix spelling for User File Syntax error
* restart service fully (instead of quick reload) for OpenVPN interface events, as
the order/number of supported interfaces
* more verbose output (showing handles) of status in nft mode
* improve `icmp_interface`, `ignored_interface`, `supported_interface` validation
regexes
* improve `interface`, validation regex
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Rename nginx-all-module to nginx-full to follow pattern used by other
package and other projects.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Update lua module to latest openrestry version. Additional config are
required to correctly use it.
Switch it to luajit from liblua as this is what is currently supported
for the module since plain lua support was dropped from the module.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Start building sub package that provide dynamic modules.
Each module needs to be loaded using load_modules.
Refer to nginx documentation on how to use this.
This should result in lower memory usage as only used module are loaded.
Also fix the uci-default scripts to add the required ubus module for
luci module.
-fvisibility=hidden is needed to be dropped to correctly support loading
dynamic modules.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Add support for loading dynamic module in uci template by adding .module
file in module.d directory.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
opkg runs uci-defaults if a package installs one, in acme-common's case
that's identical to postinst.
prerm shouldn't be run a image builder, so it's unnecessary to check
IPKG_INSTROOT
Signed-off-by: Glen Huang <me@glenhuang.com>
This fixes "permission denied" error when access files as a normal user.
Reported-by: Anya Lin <hukk1996@gmail.com>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
The root user is usually the user that clients ssh into with, so in most
cases its authorized_keys determines what clients are allowed to ssh
into this device. Without preserving this file, they could potentially
be locked out after upgrading.
Signed-off-by: Glen Huang <me@glenhuang.com>
Without these charon will warn with messages like:
plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available
plugin 'drbg': failed to load - drbg_plugin_create not found and no plugin file available
Signed-off-by: Glen Huang <me@glenhuang.com>
This package requires poetry to build using the new Python build process
but poetry is not available, so force the old build process for now.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This package isn't compatible with the new Python build process yet, so
force the old build process for now.
This also adds a call to Py3Build/Install, for when the new build
process can be used.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Without nonce, charon won't start, so it's not an optional plugin. I
asked one of the strongSwan maintainers (ecdsa), and he confirmed this:
> It definitely has to be enabled unconditionally. The only other
> provider for the NONCE_GEN plugin feature is in charon-tkm, so
> completely irrelevant on OpenWrt
Signed-off-by: Glen Huang <me@glenhuang.com>
* add support for a custom feeds file (/etc/banip/banip.custom.feeds). Add new or edit existing banIP feeds on your own with the integrated custom feed editor (LuCI-component
* add a new option 'ban_blockpolicy' to overrule the default bblock policy (block all chains), see readme for details
* change the feed file format and add a new ipthreat feed, see readme
* refine (debug) logging
* multiple small fixes and improvements
* readme update
* luci update (separate commit)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Automatically compute and substitute current values for all
$(AUTORELEASE) instances as this feature is deprecated and shouldn't be
used.
The following temporary change was made to the core:
diff --git a/rules.mk b/rules.mk
index 57d7995d4fa8..f16367de87a8 100644
--- a/rules.mk
+++ b/rules.mk
@@ -429,7 +429,7 @@ endef
abi_version_str = $(subst -,,$(subst _,,$(subst .,,$(1))))
COMMITCOUNT = $(if $(DUMP),0,$(call commitcount))
-AUTORELEASE = $(if $(DUMP),0,$(call commitcount,1))
+AUTORELEASE = $(if $(DUMP),0,$(shell sed -i "s/\$$(AUTORELEASE)/$(call commitcount,1)/" $(CURDIR)/Makefile))
all:
FORCE: ;
And this command used to fix affected packages:
for i in $(cd feeds/packages; git grep -l PKG_RELEASE:=.*AUTORELEASE | \
sed 's^.*/\([^/]*\)/Makefile^\1^';);
do
make package/$i/download
done
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
Split DAV_EXT from standard nginx DAV config as additional WebDAV
methods are provided by an external module.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Add push external module. This is very useful for an IRC Bounder as this
module permits to register various services and receive a push
notification on the registered service.
One example is attaching a telegram bot and receive notification on your
phone when an user tags you in one of the connected channels.
Bump and drop AUTORELEASE from PKG_RELEASE since we are adding a new
module.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
We currently inclde the playback external module with a separate patch.
This is ugly and can be better handled.
Add required changes to download the external module from his own github
repository. Then create a link in the znc modules to reference the cpp
source.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
See commit 07730ff3 "treewide: add support for "lto" in PKG_BUILD_FLAGS"
on the main repository.
Note: Some packages only added `-flto` to CFLAGS and not LDFLAGS. This
fixes it and properly enables LTO.
Signed-off-by: Andre Heider <a.heider@gmail.com>
See commit da370098 "treewide: add support for "gc-sections" in
PKG_BUILD_FLAGS" on the main repository.
Note: This only touches packages which use all three parts
(-ffunction-sections, -fdata-sections and -Wl,--gc-sections) enabled by
this build flag. Some packages only use a subset, and these are left
unchanged for now.
Signed-off-by: Andre Heider <a.heider@gmail.com>
See commit 5c545bdb "treewide: replace PKG_USE_MIPS16:=0 with
PKG_BUILD_FLAGS:=no-mips16" on the main repository.
Signed-off-by: Andre Heider <a.heider@gmail.com>
* add the new init command 'lookup', to lookup the IPs of domain names in the local lists and update them
* significant acceleration of the domain lookup function
* multiple small fixes and improvements
* readme update
* luci update (separate commit)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* curl_additional_param: to pass additional parameters (like proxy) to curl
* compressed_cache_dir: where to store compressed cache in non-volitile memory
Signed-off-by: Stan Grishin <stangri@melmac.ca>
This adds the respondd package, a protocol used primarily with Freifunk
and the Gluon mesh-framework for collecting statistics.
For more information, see the project readme.
Ref: https://github.com/freifunk-gluon/respondd/
Tested: mpc85xx-p1020 / mediatek-filogic
Signed-off-by: David Bauer <mail@david-bauer.net>
The host build replaces the use of the host pip requirements file. This
also updates the dependants of setuptools-scm to depend on the host
build.
This also removes the toml host pip requirements file as toml is not
used by any other package.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* fixed missing version number when installed as separate package (not in build)
* fixed cornercase init and mailing issues
* sorted Country list by country names ascending
* fixed some shellcheck findings
Signed-off-by: Dirk Brenken <dev@brenken.org>
The commands in the function 'stop_service' do not stop the service.
Rather, they are commands that are to be executed when the service has
already been stopped. By renaming the function, the commands are now
executed after the service has been stopped.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Release Notes
Management
- Introduce a new ACL engine based on Rego (Open Policy Agent) for firewall control
- Personal access tokens generation as a first iteration toward public API release
- Add Keycloak support as an IDP manager
Agent
- Introduce a Firewall interface to apply granular access control (e.g., connection direction, port, or protocol level)
- Make the agent run on Android (mobile support)
Changelog
- Feat rego default policy
- Don't drop Rules from file storage after migration to Policies
- Add version info command to signal server
- Feat firewall controller interface
- Adding Personal Access Token generation
- Exchange proxy mode via signal
- Fix connstate indication
- Mobile
- PAT persistence
- Add Keycloak Idp Manager
- Adjustments for the change server flow
- Disable peer expiration of peers added with setup keys
- Add JWT middleware validation failure log
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
- Update haproxy PKG_VERSION and PKG_HASH
- This release includes a fix for an OOB write. The official notes
do not list a CVE entry but I guess there is a chance for
security implications
- See changes: http://git.haproxy.org/?p=haproxy-2.6.git;a=shortlog
Signed-off-by: Christian Lachner <gladiac@gmail.com>
* raise max. timeouts from 10 to 30 seconds to stabilize the autodetection on slow hardware
* made interface trigger action configurable, set 'ban_triggeraction' accordingly (default: 'start')
* made E-Mail notifications configurable to receive status E-Mais with every banIP run,
set 'ban_mailnotification' accordingly (default: disabled)
* small fixes & optimizations
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fix cornercase issue with duplicate entries in black- and whitelist
* change cpbl source URL
* firewall redirects now blocks IPv4 and IPv6 (set family to "any")
Signed-off-by: Dirk Brenken <dev@brenken.org>
We need the host build of swig only.
And the binding uses libgensiocpp - not the plain
C library, so fix the dependency.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
zerotier as default has executable stack.
[ 11.343143] process '/usr/bin/zerotier-one' started with executable stack
executable stacks are not recommend, possibly provide a threat and there
seems to be no advantage of executable stack with zerotier-one - so let's
build it without instead.
Stack is executable on x86_64, but not on all archs, such as ramips.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
- changed Config.in to enable unix sockets support by default
- release number bumped
Description:
socket support is very handy when communicating with
various REST APIs.
Size increases are very small, nearly unnoticiable.
Tested-by: Stan Grishin <stangri@melmac.ca>
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
* move network.sh and jshn.sh includes into load_validate_config function
to prevent errors when adding the package to image with the Image Builder
* add @bongochong compressed domains block-list to the config
Signed-off-by: Stan Grishin <stangri@melmac.ca>
- Explicitly request the C++11 standard (codebase is not C++17 compliant).
- Removed categories.json from conffiles -- it's not a configuration
file.
- Removed commented-out convenience git hash place-holder -- for some
reason it irritates people.
- Added radix header file to devel files.
- Removed redundant call to Build/Configure (not needed).
Co-authored-by: Tianling Shen <cnsztl@gmail.com>
Signed-off-by: Darryl Sokoloski <darryl@sokoloski.ca>
* fix the auto-detection for pppoe and 6in4 tunnel interfaces
* add the new 'ban_nftpolicy' option to expose the nft set policy, values: memory (default), performance
* add the new 'ban_nftlogevel' option to expose the nft syslog level, values: emerg, alert, crit, err, warn (default),
notice, info, debug, audit
* status optimizations
* logging optimizations
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Added `cgroupsns` to jail, otherwise you get this failure:
```
Mon Mar 6 14:46:05 2023 user.err : jail: Not using namespaces, capabilities or seccomp !!!
```
Error is here, seems to indicate that we're running a jail without using any capability.
https://lxr.openwrt.org/source/procd/jail/jail.c#L2847
Decided to use minimal effort approach
Signed-off-by: BackSlasher <nitz.raz@gmail.com>
simple protocol support script for netifd.
netifd protocol support for cni networks makes
defining network for podman and other similar
systems using cni networking much easier and simpler.
with cni protocol support, on a cni network, where firewall
and portmapper is disabled, you may control firewalling
with openwrt's standard firewall configuration.
for example, create a container that hosts web content on
port 80 with static ip on your cni network, if your
network is 10.88.0.0/16, use for eg. 10.88.0.101 as
your containers static ip address. Create a zone, cni
to your firewall and add your interface to it.
Now you can easily set up redirectiong to 10.88.0.101:80
to expose it's port 80 to wan for serving your website.
Protocol has only one setting: device, on podman this
often is cni-podman0. This protocol may also be used
on other equillavents, such as netavark (cni replacement
in podman), where device as default is podman0.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
* update to 4.17.5
* changelog: https://www.samba.org/samba/history/samba-4.17.5
* refresh patch
* CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against integer overflows when parsing a PAC on a 32-bit system, which allowed an attacker with a forged PAC to corrupt the heap.
https://www.samba.org/samba/security/CVE-2022-42898.html
* CVE-2022-37966: This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.
A Samba Active Directory DC will issue weak rc4-hmac session keys for use between modern clients and servers despite all modern Kerberos implementations supporting the aes256-cts-hmac-sha1-96 cipher.
On Samba Active Directory DCs and members 'kerberos encryption types = legacy' would force rc4-hmac as a client even if the server supports aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
https://www.samba.org/samba/security/CVE-2022-37966.html
* CVE-2022-37967: This is the Samba CVE for the Windows Kerberos Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.
A service account with the special constrained delegation permission could forge a more powerful ticket than the one it was presented with.
https://www.samba.org/samba/security/CVE-2022-37967.html
* CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the same algorithms as rc4-hmac cryptography in Kerberos, and so must also be assumed to be weak.
https://www.samba.org/samba/security/CVE-2022-38023.html
* BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
This resolves errors logged during macOS TimeMachine backups.
https://bugzilla.samba.org/show_bug.cgi?id=15210
Signed-off-by: Michael Peleshenko <mpeleshenko@gmail.com>
* major performance improvements: clean-up/optimize all nft calls
* add a new "ban_reportelements" option,
to disable the (time consuming) Set element count in the report (enabled by default)
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Currently compilation fails because of:
```
opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
library: 'digital envelope routines',
reason: 'unsupported',
code: 'ERR_OSSL_EVP_UNSUPPORTED'
```
What's interesting package gets built but when trying to access UI there's
`404: page not found` error.
It has been reported in multiple places:
* https://github.com/AdguardTeam/AdGuardHome/issues/5559
* https://github.com/AdguardTeam/AdGuardHome/issues/4595
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
Backport a pending PR to add nftables support.
Upstream PR: https://github.com/v2rayA/v2rayA/pull/805
As nftables merged ipv4/ipv6 support into a single command, so simply
enable ipv6 support by default.
While at it, backport a upstreamed fix for simple-obfs plugin.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* finalized the LuCI frontend preparation (this is the minmal version to use the forthcoming LuCI frontend)
* added a Set survey, to list all elements of a certain set
* changed the default logterm for asterisk
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Netbird is similar vpn service as tailscale and zerotier.
Description:
NetBird is an open-source VPN management platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.
It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
These patches should not be backported to OpenWrt, otherwise tproxy
won't work for devices connected to br-lan (bypassed by the fw rules).
We have introduced a new compile-time flag for new version (which
is not released yet), but it's unnecessray to backport redudant
patches as here is still at the old version.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Also added patch that is from alpine's same package to assist building on musl.
Hostpkg build on musl also kept failing, so I added few more overrides, which
made it work perfectly.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
* add oisdbig as new feed
* LuCI frontend preparation:
- the json feed file points always to /etc/banip/banip.feeds (and is no longer compressed)
- supply country list in /etc/banip/banip.countries
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
easydns.com has supported IPv6 for awhile now using
the same update URL as IPv4. This duplicates the IPv4
entry for IPv6 to enable support for it.
Signed-off-by: James Buren <braewoods+mgh@braewoods.net>
* fix a potential race condition during initial startup (after flash) which leads to a "disabled" service
Signed-off-by: Dirk Brenken <dev@brenken.org
Signed-off-by: Dirk Brenken <dev@brenken.org>
add lighttpd-mod-webdav_min package alternative to lighttpd-mod-webdav
lighttpd-mod-webdav_min is more minimal than full lighttpd-mod-webdav.
lighttpd-mod-webdav_min does not support PROPPATCH, LOCK, UNLOCK, and
by not supporting those methods, removes dependencies on libxml2,
libsqlite3, and libuuid.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
- complete rewrite of banIP to support nftables
- all sets are handled in a separate nft table/namespace 'banIP'
- for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook
- full IPv4 and IPv6 support
- supports nft atomic set loading
- supports blocking by ASN numbers and by iso country codes
- 42 preconfigured external feeds are available, plus local allow- and blocklist
- supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
- auto-add the uplink subnet to the local allowlist
- provides a small background log monitor to ban unsuccessful login attempts in real-time
- the logterms for the log monitor service can be freely defined via regex
- auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
- fast feed processing as they are handled in parallel as background jobs
- per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
- automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
- automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
- supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
- provides comprehensive runtime information
- provides a detailed set report
- provides a set search engine for certain IPs
- feed parsing by fast & flexible regex rulesets
- minimal status & error logging to syslog, enable debug logging to receive more output
- procd based init system support (start/stop/restart/reload/status/report/search)
- procd network interface trigger support
- ability to add new banIP feeds on your own
- add a readme with all available options/feeds to customize your installation to your needs
- a new LuCI frontend will be available in due course
Signed-off-by: Dirk Brenken <dev@brenken.org>
* update default config for new oisd.nl lists
* conf.update file to migrate oisd.nl lists to the new format
* introduce AdBlockPlus lists support (new oisd.nl format)
* longer wait for WAN up/gateway detection
* make load_environemnt only execute once to suppress duplicate
warnings/errors
PS. While I was testing this, oisd.nl has brought back the old domains
lists as well, so this version supports both as I'm unclear as to
why the "big" ABPlus list is only 6.2Mb where as the "big" domains
list is whopping 19.9Mb.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
This version adds compatibility with OpenSSL 3.0.
There's a patch, submitted upstream, to fix building without SSL.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
The tranmission UCI config options
- `config_overwrite`
- `incomplete_dir_enabled`
- `watch_dir_enabled`
are all booleans, so we have to retrieve them using `config_get_bool` in order
to make sure they are properly interpreted in case the user sets them to a
keyword (`true`/`false`, `on`/`off` etc.) and not an integer (`0`/`1`).
Signed-off-by: Salim B <git@salim.space>
Samba4 running as Active Directory Domain Controller with the internal
DNS backend requires the nsupdate binary with GSSAPI support.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* add boot() function which waits for network.interface to come up
* switch oisd.nl hosts entry to domains
* remove erroneous oisd substitution from config-update file
Signed-off-by: Stan Grishin <stangri@melmac.ca>
- Update tailscale to version 1.36.0
- Patch iptables support
Tailscale does not (yet) support nftables.
Tailscale allows running with --netfilter=off allowing
end-user to create his own firewall rules, but this
affects only tailscale cli, not tailscaled daemon, so
connection cannot be made without error telling that
tailscaled was unable to determine execute iptables
for determining it's version.
There is a work-around for those who do not want
nft-iptables compatibility package; they can create
a script to /usr/bin/iptables which responds to
--version argument and echos fake version string
and on any other arguments or no arguments, just exits.
After this procedure and starting tailscale cli with
netfilter off- it works. Openwrt has moved on to
nftables, so iptables manipulation seems unnecessary.
Especially for other reasons, on Openwrt, firewall
should be configured on it's own, because firewall
rules made by other software, such as tailscale,
loose their firewalling rules when firewall restarts.
So I patched it to allow "fake" iptables pointing
to executable /bin/false and ignoring version
request. And I also set cli to default to
netfilter off setting.
If still end-user wants to use iptables, this
patch does not make it impossible; just install
iptables, or nft-iptables, and run tailscale
with argument --netfilter=on and it works out
as it did before, tailscaled daemon still
matches with iptables if it is found in $PATH.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Update crowdsec-firewall-bouncer to latest upstream release version 0.0.25
Signed-off-by: S. Brusch <ne20002@gmx.ch>
Maintainer: Kerma Gérald <gandalf@gk2.net>
Run tested: ipq40xx/generic, Fritzbox 4040, Openwrt 22.03.3
Rework:
- now based on uci config file
- create nftables tables and chains in initd script
Fixes CVEs:
- CVE-2022-3924: Fix serve-stale crash when recursive clients
soft quota is reached.
- CVE-2022-3736: Handle RRSIG lookups when serve-stale is
active.
- CVE-2022-3094: An UPDATE message flood could cause named to
exhaust all available memory. This flaw was addressed by adding
a new "update-quota" statement that controls the number of
simultaneous UPDATE messages that can be processed or
forwarded. The default is 100. A stats counter has been added to
record events when the update quota is exceeded, and the XML and
JSON statistics version numbers have been updated.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
Changes in version v2.4.3 - 2023-01-16
- Fix version number in version.go
(Changes for v2.5.1 are missing)
Signed-off-by: Nick Hainke <vincent@systemli.org>
They were added in these commits [1] [2] and if they are not included,
the RIPE Atlas SW Probe does not work correctly.
This should also prevent this from happening in the future as it now. We include all
files with .sh extension file type.
[1] 70ced29fc3
[2] 71a4ff0e68
Fixes: https://github.com/openwrt/packages/issues/20338
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
When CC is set to e.g. "ccache mips-openwrt-linux-musl-gcc" it needs
to be quoted to avoid word splitting on substitution.
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
Add hosting.de provider. To use dynamic DNS you have to create a DDNS
host with a separate DDNS user.
Note: As of 2023-01-17 hosting.de does not work with wget which will
fail with `400: Bad Request` (it will work with `--auth-no-challenge`).
You should use curl instead. I have reported that to the provider.
Signed-off-by: Benjamin Drung <bdrung@bdrung.de>
Bugfixes:
* better error information for empty tid/mark and failure to resolve domains
* better handling of entries in /etc/iproute2/rt_tables
* update packages definitions and descriptions
* remove firewall4 from dependencies to prevent dependency recursion
Updates:
* introduce nft_user_set_policy and nft_user_set_counter to control options for
user nft sets this service creares
* use counters in internal nft sets
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Changes in version v2.4.2 - 2023-01-13
- Issue 40208: Enhance help info for capacity flag
- Issue 40232: Update README and fix help output
- Issue 40173: Increase clientIDAddrMapCapacity
- Issue 40177: Manually unlock mutex in ClientMap.SendQueue
- Issue 40177: Have SnowflakeClientConn implement io.WriterTo
- Issue 40179: Reduce turbotunnel queueSize from 2048 to 512
- Issue 40187/40199: Take ownership of buffer in QueuePacketConn QueueIncoming/WriteTo
- Add more tests for URL encoded IPs (safelog)
- Fix server flag name
- Issue 40200: Use multiple parallel KCP state machines in the server
- Add a num-turbotunnel server transport option
- Issue: 40241: Switch default proxy STUN server to stun.l.google.com
Signed-off-by: Nick Hainke <vincent@systemli.org>
ChangeLog file excert:
Fri Dec 30 12:51:11 AM CET 2022
Releasing gnunet-fuse 0.19.1: fix build for GNUnet 0.19.0+.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The gnURL-fork of cURL is no longer maintained as cURL finally supports
probing and selecting the TLS implementation at run-time.
Hence just build a gnuTLS-backed variant of libcurl, use patchelf to
change the shared object name, call the result libcurl-gnutls and be
done. Other distributions have opted for similar solutions.
In future we could convert the curl package to provide build-variants
for each TLS implementation; however, this is out of the scope of the
needs of GNUnet which used to be only user of libgnurl.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The safe-search package creates symlinks in a configured additional
hosts directory. The link targets are inside another directory which
has to be made available to dnsmasq as well.
Now that support for adding additional paths to dnsmasq was added by
commit openwrt/openwrt@aa12a0fdd1
implement adding this path using the existing uci-defaults script.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Libreswan will set DEFAULT_DNSSEC_ROOTKEY_FILE from the LINUX_VARIANT
variable, which is taken from the ID field in /etc/os-release. This
points to the host file, which is wrong.
Set both variables when calling make.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
ztDNS is a dedicated DNS server for a ZeroTier virtual network.
ztdns is alternative to zerotier's own zeronds.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
