The line to generate the argument list for 'simple connect' is quite
long and is not maintainable. To improve the handling a function
'append_param' was added for appending the 'simple connect' options.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Francisco Jose Alvarez <francisco.alvarez@galgus.net>
* Update commit head
* Rebase patch to the latest changes
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If on teardown the 'proto_notify_error' is set to 'MM_TEARDOWN_IN_PROGRESS',
then an error which is set on 'setup' is not visible in the ubus
network.interface.<iface> status output.
{
"up": false,
"pending": false,
"available": true,
"autostart": false,
"dynamic": false,
"proto": "modemmanager",
"data": {
},
"errors": [
{
"subsystem": "dualsim",
"code": "MM_TEARDOWN_IN_PROGRESS"
}
]
}
It alway shows the code 'MM_TEARDWON_IN_PROGRESS'!
By removing the line 'proto_notify_error "${interface}" MM_TEARDOWN_IN_PROGRESS'
in teardown, the last error is show in the proto stack from setup.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The tag is now prefixed with v; update PKG_SOURCE_URL and PKG_BUILD_DIR
to reflect this.
Drop upstreamed patches. Refresh leftover patch.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* fix permission to dnsmasq files for ad-blocking
* add pause function to pause the ad-blocking temporarily
* introduce pause_timeout option to control default pause time
* update default config and config-update file
* use $param instead of $1 in adb_start()
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Tor projects tries to migrate away from git.torproject.org [0,1]. We
need to adjust PKG_SOURCE and GO_PKG name. Further, we need to backport
patches to fix compiling on riscv64, so add:
- 0001-Bump-minimum-required-version-of-go.patch
- 0002-Update-dependencies.patch
Changelog:
2fa8fd9188
[0] - https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/86
[1] - 82cc0f38f7
Signed-off-by: Nick Hainke <vincent@systemli.org>
* supports allowing / blocking of certain VLAN forwards in segregated network environments,
set 'ban_vlanallow', ''ban_vlanblock' accordingly
* simplified the code/JSON to generate/parse the banIP status
* enclose nft related devices in quotation marks , e.g. to handle devices which starts with a number '10g-1'
* made the new vlan options available to LuCI (separate commit)
Signed-off-by: Dirk Brenken <dev@brenken.org>
This version includes support for Go 1.20 (specifically 1.20.5).
This also:
* Adds a workaround for musl 1.2.4 compatibility in mattn/go-sqlite3[1]
* Sets GO_PKG_BUILD_PKG to build the main binary (ooniprobe) only
* Updates the package license; the project was relicensed in 3.13.0[2]
[1]: https://github.com/mattn/go-sqlite3/issues/1164
[2]: https://github.com/ooni/probe-cli/pull/446
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* prevent superflous etag function calls during start action (on start backups will be used anyway)
* changed the ipthreat feed download URL (load a compressed file variant to save bandwidth)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* added HTTP ETag or entity tag support to download only ressources that have been updated on the server side,
to save bandwith and speed up banIP reloads
* added 4 new feeds: binarydefense, bruteforceblock, etcompromised, ipblackhole (see readme)
* updated the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Add new package to debug multicast setups. This is required to use
kselftests script for network testing.
net-mtools is used instead of mtools as it does conflicts with another
package that is also called mtools.
Some additional patch from Vladimir Oltean are added to make the tool
works on kernel selftests scripts.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
We currently have a more or less circular dependency with nginx ssl and
full variant.
FULL variant depends on every nginx module. Every nginx module depends
on nginx-ssl.
Since nginx-full depends on an nginx module, nginx-ssl is installed as
module depends on it and then the installation fails as nginx-full
conflicts with nginx-ssl.
nginx-full in it's meaning is nginx built with every config selected and
it should not have module as dependency. In fact an user should always
install them separetly as while other things, local modification to the
nginx config file are required to include the just installed module.
To fix this circular dependency problem, drop the dependency of every
nginx module for FULL variant.
Fixes: #21300
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This commit adds support for http/3. This is an experimental version
and isn't fully supported because nginx is being built with the regular
OpenSSL and the regular one doesn't support quic.
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
Update nginx to 1.25.1.
*) Feature: the "http2" directive, which enables HTTP/2 on a per-server
basis; the "http2" parameter of the "listen" directive is now
deprecated.
*) Change: HTTP/2 server push support has been removed.
*) Change: the deprecated "ssl" directive is not supported anymore.
*) Bugfix: in HTTP/3 when using OpenSSL.
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
[ improve commit title and add nginx changelog ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Backport a patch from upstream fixing wrong args handling with musl.
Before this patch non args must be passed at the end of the command due
to a musl limitation.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* update binaries to 1.7.2
* move sharedMemoryOutput variable declaration into output function as it doesn't
need to be global
* rename parse_yaml function to yaml_parse
* add TODOs for future development
* update copyright datestamps
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Fixes CVEs:
- CVE-2023-2828: The overmem cleaning process has been improved, to
prevent the cache from significantly exceeding the configured
max-cache-size limit.
- CVE-2023-2911: A query that prioritizes stale data over lookup
triggers a fetch to refresh the stale data in cache. If the fetch is
aborted for exceeding the recursion quota, it was possible for named
to enter an infinite callback loop and crash due to stack overflow.
The complete list of changes is available in the upstream release
notes at
https://ftp.isc.org/isc/bind9/cur/9.18/doc/arm/html/notes.html#notes-for-bind-9-18-16
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
* process local lists in strict sequential order to prevent possible race conditions
* support ranges in the IP search, too
* fix some minor search issues
Signed-off-by: Dirk Brenken <dev@brenken.org>
musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so
just having _GNU_SOURCE defined is not enough anymore.
Manually pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
`dnsdist-full` has all optional features enabled, but is a big package
in term of both flash and memory footprint.
`dnsdist` only keeps the features that make the most sense
on embeded devices, but can also be customised to match the
user's needs, up to the point where it matches `dnsdist-full`.
Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>
Major changes since version 3.1.1:
* Officially supports the 2019 version of IEEE 1588
* Improved unicast messaging
* Enhanced G.8275.2 profile
* More flexible Pulse Per Second (PPS) handling
* Virtual clock support
* Power profile support
* VLAN over bond support.
* Parallel Redundancy Protocol (PRP) trailer handling.
* Non-privileged read-only monitoring port.
* New statistics reporting.
[V2]
* reset package release
* adapt license name to the new format
Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@westermo.com>
* Support MAC-/IPv4/IPv6 ranges in CIDR notation
* Support concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments (see readme)
* small fixes & cosmetics
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
OpenELP is an open source EchoLink proxy for Linux and Windows. It aims
to be efficient and maintain a small footprint, while still implementing
all of the features present in the official EchoLink proxy.
Signed-off-by: Scott K Logan <logans@cottsay.net>
If an alias name is used for the modem, then a check if the device exists
in sysfs does not work. To fix this remove the check if the sysfs device
exists. The protocoll handler already checks if the modem is responsible
for this device on the next line.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
On small systems with many virtual devices, the modem manager sometimes
could not start because it took too long until all devices for the modem
were recognised. This is because all system events that are stored in
the file events.cache have to be processed. To speed up the processing,
all devices under /sys/devices/virtual are now filtered out so that they
do not have to be processed.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Fix a bug on installation of nginx-mod-luci where module.d directory
is not found and luci.module creation fails.
Correctly create empty directory for module.d include for dynamic module
loading by placing file in this directory.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
When using both ipv4 and ipv6 entries on the same host, ddns is clearing A
(or AAAA) record depending on the connection (ipv4 or ipv6).
see https://desec.readthedocs.io/en/latest/dyndns/update-api.html#determine-ip-addresses
Signed-off-by: Baptiste Fouques <bateast@duck.com>
Update comment and bump PKG_RELEASE number.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
In mesh communities, tunneldigger is widely used to create L2TPv3 tunnels
and mesh via them. Since the broker is typically installed on other
distributions, the openwrt broker package has not received any
maintenance in recent years [0]. I take now care of the further maintaince
of this package. Furthermore, I consulted with the maintainers to ensure
that they were comfortable with the change [1].
This PR is just a refactoring of the already existing opkg package from
wlanslovenija. It fixes config parsing and in general the config, adapts
to the new python syntax and fixes dependency handling.
- [0] https://github.com/wlanslovenija/firmware-packages-opkg/tree/master/net/tunneldigger-broker
- [1] https://github.com/wlanslovenija/firmware-packages-opkg/issues/24
Signed-off-by: Nick Hainke <vincent@systemli.org>
netavark v1.6.0 was released, so instead of using
git version, use release. Does not contain very
much of changes, but list is available from netavark's
commit log.
Software now comes with additional tool named
netavark-dhcp-proxy-client which is now included
in package.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Fix compilation error on kernel 6.1.
Fix compilation error:
In file included from /mnt/Data/Sources/openwrt/x-wrt/build_dir/target-aarch64_cortex-a72_musl/linux-bcm27xx_bcm2711/xtables-addons-3.24/extensions/LUA/controller.h:24,
from /mnt/Data/Sources/openwrt/x-wrt/build_dir/target-aarch64_cortex-a72_musl/linux-bcm27xx_bcm2711/xtables-addons-3.24/extensions/LUA/xt_LUA_target.c:27:
/mnt/Data/Sources/openwrt/x-wrt/build_dir/target-aarch64_cortex-a72_musl/linux-bcm27xx_bcm2711/xtables-addons-3.24/extensions/LUA/lua/lua.h:12:10: fatal error: stddef.h: No such file or directory
12 | #include <stddef.h>
| ^~~~~~~~~~
compilation terminated.
The error is caused by commit 04e85bbf71c9 ("isystem: delete global
-isystem compile option") present upstream from kernel 5.16. This
commit dropped the inclusion of system headers by default and caused
error on LUA module.
Following what is done in the commit for the required code, modify the
LUA Kbuild to include these header and restore correct compilation of
the LUA module.
Fixes: #21294
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
aardvark-dns v1.6.0 was released,
so instead of using git version, use release -
similarly like netavark.
Very much hasn't changed but list of changes
is in git commit log of aardvark-dns.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Bump nginx to new 1.25.0 release.
Changes:
*) Feature: experimental HTTP/3 support.
Every patch automatically refreshed.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Fix some problem with migration of uci conf template and include of
module.d directive.
Fix 2 case:
- uci.conf.template not versioned but with the include module.d
resulting in double include module.d
- uci.conf.template version 1.1 with the include module.d at the end
of the config. This is problematic for nginx as modules must be
included before any http directive.
Handle this 2 case to restore a working uci.conf.template configuration
on migrated config.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Bump uci conf template version to 1.2 to sync with nginx version
handling some migration problem.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
It's not possible to configure custom Transmission web home as corresponding
env var gets overwritten by the command that sets CA bundle env var.
Signed-off-by: Leonid Bogdanov <leonidbogdanov86@gmail.com>
In f8a8b71e26 openvpn introduced new hotplug events.
For server config, ipchange hotplug event produces an error.
So, make ipchange hotplug event for client only
Fixes https://github.com/openwrt/packages/issues/21200
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Update crowdsec to latest upstream release version 1.5.2
Signed-off-by: S. Brusch <ne20002@gmx.ch>
Maintainer: Kerma Gérald <gandalf@gk2.net>
Run tested: ipq40xx/generic, Fritzbox 4040, Openwrt 22.03.5
Description: update to latest version of upstream
* Optionally auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the
monitored suspicious IP, set 'ban_autoblocksubnet' accordingly (disabled by default).
For more information regarding RDAP see
https://www.ripe.net/manage-ips-and-asns/db/registration-data-access-protocol-rdap for reference.
* small fixes & cosmetics
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
speedtestcpp is a fork of Taganaka's speedtest, rewritten.
It has some improvements such as
- interactive result show
- use server recommended profiles, which makes it faster (can be disabled)
- and more..
It also provides it's functions in shared and static libraries
and offers development headers for integrating speedtest to
features to another projects.
This commit replaces speedtestpp since this fork has
all the same features + more.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Make modules follow a naming convention, which enables:
1. Inline ADDITIONAL_MODULES into CONFIGURE_ARGS
2. Consolidate some parts of Quilt and Download for each module into
BuildModule
Signed-off-by: Glen Huang <me@glenhuang.com>
[ fix conflict error ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
OpenWrt core has a package called ustp which is an OpenWrt adaptation (from
mstpd) for OpenWrt (using libubox, libubus, etc).
No sense in keeping mstpd anymore.
We can just update ustp.
Also, if mstpd has any updates, they can be ported over to ustp too.
Abandoned PR:
https://github.com/openwrt/packages-abandoned/pull/30
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
* update to a new upstream commit, fixes#19366
* update patches/010-cmakelists-remove-cflags.patch as upstream file was update
* remove patches/020-cmakelists-add-version.patch as version is now set elsewhere
* add patches/020-src-options.c-add-version.patch to set the version information
* adjust PROCD START time to 95
Signed-off-by: Stan Grishin <stangri@melmac.ca>
This version includes support for Python 3.11.
This also:
* Updates Build/Compile to only build selected subpackages.
* Removes the submenu in menuconfig; there are too few subpackages to
justify the extra complexity.
Fixes: https://github.com/openwrt/packages/issues/21163
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
and also fix build error:
Package ocserv is missing dependencies for the following libraries:
liboath.so.0
Signed-off-by: Thlv Alivs <zgmzzzz18@gmail.com>
Without it, nginx could complain about incompatible dynamic modules
Signed-off-by: Glen Huang <me@glenhuang.com>
[ fix conflict error on cherry-pick ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Introduce support for migration of old uci conf template to new version.
Uci conf template are saved in config backup. This cause problem on config
restore as old config template might have compatibility problem with new
nginx implementation.
Add logic to migrate the template script at runtime to correctly align
to latest change from nginx and nginx-util.
Fixes: 65a676ed56 ("nginx: introduce support for dynamic modules")
Fixes: #20904
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Add versioning to UCI conf template as a commented version.
This permits the introduction of migration script since the template is
saved and restored config restore. The migration script are handled by
nginx init.d script.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
OpenVPN supports more hooks than just 'up' and 'down'. Especially
reacting to 'route-up' and 'route-pre-down' events could be important.
When routing table changes, it can make sense to adapt firewall, run
some tests or change even more routes. This change passes those events
to hotplug, so it is easy to react to them without changing
configuration files provided by VPN provider.
Signed-off-by: Michal Hrusecky <michal.hrusecky@turris.com>
Allows user to provide a token for Cloudflare tunnel.
When provided along with credentials, this will take precedence.
Signed-off-by: Scott McKenzie <scott@noizyland.net>
If the build host has the Go compiler installed, then configure will
detect this and will try to compile gensio's Go support, leading to a
build failure.
This disables Go support entirely to fix this build failure.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Update crowdsec to latest upstream release version 1.5.1
Signed-off-by: S. Brusch <ne20002@gmx.ch>
Maintainer: Kerma Gérald <gandalf@gk2.net>
Run tested: ipq40xx/generic, Fritzbox 4040, Openwrt 22.03.5
Description: update to latest version of upstream
musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so
just having _GNU_SOURCE defined is not enough anymore.
Manually pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
keylength, being an acme.sh value type, uses pure numbers for rsa keys.
This can be disorienting for other acme clients. This change introduces
a new option "key_type" that aims to remove this ambiguity, and makes
all key type names follow the same pattern, making acme-common more
client agnostic.
Signed-off-by: Glen Huang <me@glenhuang.com>
_LARGEFILE64_SOURCE has to be defined in the source, or CFLAGS can be used
to pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions.
Fixes errors in the form of:
Building targets
github.com/mattn/go-sqlite3
sqlite3-binding.c:35901:42: error: 'pread64' undeclared here (not in a function); did you mean 'pread'?
35901 | { "pread64", (sqlite3_syscall_ptr)pread64, 0 },
| ^~~~~~~
| pread
sqlite3-binding.c:35919:42: error: 'pwrite64' undeclared here (not in a function); did you mean 'pwrite'?
35919 | { "pwrite64", (sqlite3_syscall_ptr)pwrite64, 0 },
| ^~~~~~~~
| pwrite
sqlite3-binding.c: In function 'seekAndRead':
sqlite3-binding.c:35905:49: error: unknown type name 'off64_t'; did you mean 'off_t'?
35905 | #define osPread64 ((ssize_t(*)(int,void*,size_t,off64_t))aSyscall[10].pCurrent)
| ^~~~~~~
sqlite3-binding.c:38767:11: note: in expansion of macro 'osPread64'
38767 | got = osPread64(id->h, pBuf, cnt, offset);
| ^~~~~~~~~
sqlite3-binding.c:35905:58: error: expected ')' before 'aSyscall'
35905 | #define osPread64 ((ssize_t(*)(int,void*,size_t,off64_t))aSyscall[10].pCurrent)
| ~ ^~~~~~~~
sqlite3-binding.c:38767:11: note: in expansion of macro 'osPread64'
38767 | got = osPread64(id->h, pBuf, cnt, offset);
| ^~~~~~~~~
sqlite3-binding.c: In function 'seekAndWriteFd':
sqlite3-binding.c:35923:57: error: unknown type name 'off64_t'; did you mean 'off_t'?
35923 | #define osPwrite64 ((ssize_t(*)(int,const void*,size_t,off64_t))\
| ^~~~~~~
sqlite3-binding.c:38896:17: note: in expansion of macro 'osPwrite64'
38896 | do{ rc = (int)osPwrite64(fd, pBuf, nBuf, iOff);}while( rc<0 && errno==EINTR);
| ^~~~~~~~~~
sqlite3-binding.c:35924:21: error: expected ')' before 'aSyscall'
35924 | aSyscall[13].pCurrent)
| ^~~~~~~~
sqlite3-binding.c:38896:17: note: in expansion of macro 'osPwrite64'
38896 | do{ rc = (int)osPwrite64(fd, pBuf, nBuf, iOff);}while( rc<0 && errno==EINTR);
| ^~~~~~~~~~
sqlite3-binding.c:35923:21: note: to match this '('
35923 | #define osPwrite64 ((ssize_t(*)(int,const void*,size_t,off64_t))\
| ^
sqlite3-binding.c:38896:17: note: in expansion of macro 'osPwrite64'
38896 | do{ rc = (int)osPwrite64(fd, pBuf, nBuf, iOff);}while( rc<0 && errno==EINTR);
| ^~~~~~~~~~
make[2]: *** [Makefile:153: /home/nick/openwrt/build_dir/target-aarch64_cortex-a53_musl/crowdsec-1.4.6/.built] Error 1
make[2]: Leaving directory '/home/nick/openwrt/feeds/packages/net/crowdsec'
Signed-off-by: Nick Hainke <vincent@systemli.org>
ACME clients shouldn't deal with deprecated values. They should be
processed by acme-common.
Reformatting is done by shfmt.
Signed-off-by: Glen Huang <me@glenhuang.com>
musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so
just having _GNU_SOURCE defined is not enough anymore.
Manually pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
OpenSSH 9.1p1 removed remaining dependencies and stopped linking sftp,
sftp-server and scp against libcrypto or libz. This change moves those
package dependencies from the default to those that still need them.
In particular, this will allow sftp-server to be installed for use with
Dropbear without needing to install zlib or openssl.
Signed-off-by: Darren Tucker <dtucker@dtucker.net>
fa35c29 Xtables-addons 3.24
9db4d8d DHCPMAC: resolve cppcheck warnings
4599c30 ipv4options: resolve cppcheck warnings
5a714b6 geoip: set autoflush on stdout
f16ed5c geoip: Use stdout for output and stderr for errors/diag
a711985 build: resolve compiler warnings with gcc-13
97181e3 doc, src: improve spelling
30ddb4f doc, src: improve spelling
f3f8155 xt_geoip: bump number of territories per rule
e426ad9 Xtables-addons 3.23
51761c3 build: support for Linux 6.2
409cb5a build: replace `AC_DISABLE_STATIC` macro with an argument to `LT_INIT`
0454ff6 build: replace obsolete `AC_PROG_LIBTOOL` macro with `LT_INIT`
5b3fae8 Xtables-addons 3.22
71396f9 build: support for Linux 6.1
7ad55ad build: eliminate geoip/ make recursion
b950dae build: fix failure to recurse into asn/
cd77880 xt_asn: new module
Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
[ add changelog from 3.21 to 3.24 ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Use kcalloc and remove conflicting #include <stdarg.h> to fix
the following build warnings treated as errors since b2d1eb7:
error: ISO C90 forbids variable length array 'buf' [-Werror=vla]
error: "va_start" redefined [-Werror]
error: "va_arg" redefined [-Werror]
error: "va_copy" redefined [-Werror]
getstr(s)==NULL is always false
/home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/byte_array.c: In function 'byte_array_to_string':
/home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/byte_array.c:110:9: error: ISO C90 forbids variable length array 'buf' [-Werror=vla]
110 | uint8_t buf[(array->length * 3) + 255];
| ^~~~~~~
/home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/byte_array.c:112:9: error: ISO C90 forbids variable length array 'res' [-Werror=vla]
112 | char res[255 + (array->length * 3)]; /* make sure the buffer is big enough*/
| ^~~~
cc1: all warnings being treated as errors
In file included from ./include/linux/string.h:9,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/include/string.h:1,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/ldebug.c:10:
./include/linux/stdarg.h:6: error: "va_start" redefined [-Werror]
6 | #define va_start(v, l) __builtin_va_start(v, l)
|
CC [M] /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lstrlib.o
In file included from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/ldebug.c:8:
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:47: note: this is the location of the previous definition
47 | #define va_start(v,l) __builtin_va_start(v,l)
|
./include/linux/stdarg.h:8: error: "va_arg" redefined [-Werror]
8 | #define va_arg(v, T) __builtin_va_arg(v, T)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:49: note: this is the location of the previous definition
49 | #define va_arg(v,l) __builtin_va_arg(v,l)
|
./include/linux/stdarg.h:9: error: "va_copy" redefined [-Werror]
9 | #define va_copy(d, s) __builtin_va_copy(d, s)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:52: note: this is the location of the previous definition
52 | #define va_copy(d,s) __builtin_va_copy(d,s)
|
CC [M] /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/ltable.o
In file included from ./include/linux/kernel.h:5,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/luaconf.h:16,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:15,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/ldump.c:12:
./include/linux/stdarg.h:6: error: "va_start" redefined [-Werror]
6 | #define va_start(v, l) __builtin_va_start(v, l)
|
In file included from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:12:
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:47: note: this is the location of the previous definition
47 | #define va_start(v,l) __builtin_va_start(v,l)
|
./include/linux/stdarg.h:8: error: "va_arg" redefined [-Werror]
8 | #define va_arg(v, T) __builtin_va_arg(v, T)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:49: note: this is the location of the previous definition
49 | #define va_arg(v,l) __builtin_va_arg(v,l)
|
./include/linux/stdarg.h:9: error: "va_copy" redefined [-Werror]
9 | #define va_copy(d, s) __builtin_va_copy(d, s)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:52: note: this is the location of the previous definition
52 | #define va_copy(d,s) __builtin_va_copy(d,s)
|
In file included from ./include/linux/kernel.h:5,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/luaconf.h:16,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:15,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lfunc.c:13:
./include/linux/stdarg.h:6: error: "va_start" redefined [-Werror]
6 | #define va_start(v, l) __builtin_va_start(v, l)
|
In file included from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:12:
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:47: note: this is the location of the previous definition
47 | #define va_start(v,l) __builtin_va_start(v,l)
|
./include/linux/stdarg.h:8: error: "va_arg" redefined [-Werror]
8 | #define va_arg(v, T) __builtin_va_arg(v, T)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:49: note: this is the location of the previous definition
49 | #define va_arg(v,l) __builtin_va_arg(v,l)
|
./include/linux/stdarg.h:9: error: "va_copy" redefined [-Werror]
9 | #define va_copy(d, s) __builtin_va_copy(d, s)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:52: note: this is the location of the previous definition
52 | #define va_copy(d,s) __builtin_va_copy(d,s)
|
In file included from ./include/linux/kernel.h:5,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/luaconf.h:16,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:15,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lmem.c:13:
./include/linux/stdarg.h:6: error: "va_start" redefined [-Werror]
6 | #define va_start(v, l) __builtin_va_start(v, l)
|
In file included from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:12:
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:47: note: this is the location of the previous definition
47 | #define va_start(v,l) __builtin_va_start(v,l)
|
./include/linux/stdarg.h:8: error: "va_arg" redefined [-Werror]
8 | #define va_arg(v, T) __builtin_va_arg(v, T)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:49: note: this is the location of the previous definition
49 | #define va_arg(v,l) __builtin_va_arg(v,l)
|
./include/linux/stdarg.h:9: error: "va_copy" redefined [-Werror]
9 | #define va_copy(d, s) __builtin_va_copy(d, s)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:52: note: this is the location of the previous definition
52 | #define va_copy(d,s) __builtin_va_copy(d,s)
|
In file included from ./include/linux/kernel.h:5,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/include/stdio.h:1,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lobject.c:10:
./include/linux/stdarg.h:6: error: "va_start" redefined [-Werror]
6 | #define va_start(v, l) __builtin_va_start(v, l)
|
In file included from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lobject.c:7:
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:47: note: this is the location of the previous definition
47 | #define va_start(v,l) __builtin_va_start(v,l)
|
./include/linux/stdarg.h:8: error: "va_arg" redefined [-Werror]
8 | #define va_arg(v, T) __builtin_va_arg(v, T)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:49: note: this is the location of the previous definition
49 | #define va_arg(v,l) __builtin_va_arg(v,l)
|
./include/linux/stdarg.h:9: error: "va_copy" redefined [-Werror]
9 | #define va_copy(d, s) __builtin_va_copy(d, s)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:52: note: this is the location of the previous definition
52 | #define va_copy(d,s) __builtin_va_copy(d,s)
|
In file included from ./include/linux/kernel.h:5,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/luaconf.h:16,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:15,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/llimits.h:12,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lopcodes.h:10,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lopcodes.c:11:
./include/linux/stdarg.h:6: error: "va_start" redefined [-Werror]
6 | #define va_start(v, l) __builtin_va_start(v, l)
|
In file included from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:12:
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:47: note: this is the location of the previous definition
47 | #define va_start(v,l) __builtin_va_start(v,l)
|
./include/linux/stdarg.h:8: error: "va_arg" redefined [-Werror]
8 | #define va_arg(v, T) __builtin_va_arg(v, T)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:49: note: this is the location of the previous definition
49 | #define va_arg(v,l) __builtin_va_arg(v,l)
|
./include/linux/stdarg.h:9: error: "va_copy" redefined [-Werror]
9 | #define va_copy(d, s) __builtin_va_copy(d, s)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:52: note: this is the location of the previous definition
52 | #define va_copy(d,s) __builtin_va_copy(d,s)
|
In file included from ./include/linux/kernel.h:5,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/luaconf.h:16,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:15,
from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lstate.c:13:
./include/linux/stdarg.h:6: error: "va_start" redefined [-Werror]
6 | #define va_start(v, l) __builtin_va_start(v, l)
|
In file included from /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/lua.h:12:
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:47: note: this is the location of the previous definition
47 | #define va_start(v,l) __builtin_va_start(v,l)
|
./include/linux/stdarg.h:8: error: "va_arg" redefined [-Werror]
8 | #define va_arg(v, T) __builtin_va_arg(v, T)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:49: note: this is the location of the previous definition
49 | #define va_arg(v,l) __builtin_va_arg(v,l)
|
./include/linux/stdarg.h:9: error: "va_copy" redefined [-Werror]
9 | #define va_copy(d, s) __builtin_va_copy(d, s)
|
/home/ansuel/openwrt-ansuel/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.2.0_musl/lib/gcc/aarch64-openwrt-linux-musl/12.2.0/include/stdarg.h:52: note: this is the location of the previous definition
52 | #define va_copy(d,s) __builtin_va_copy(d,s)
|
/home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/ldump.c: In function 'DumpString':
/home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/xtables-addons-3.21/extensions/LUA/lua/ldump.c:63:26: error: the comparison will always evaluate as 'false' for the pointer operand in 's + 24' must not be NULL [-Werror=address]
63 | if (s==NULL || getstr(s)==NULL)
| ^~
cc1: all warnings being treated as errors
Fixes: #20993Fixes: #21006
Co-developed-by: Chen Minqiang <ptpt52@gmail.com>
Co-developed-by: Christian Marangi <ansuelsmth@gmail.com>
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
aardvark-dns is companion for netavark, recent cni replacement on podman
git version used instead of release, to maintain maximal compatibility
with netavark, also using git version.
Description:
Aardvark-dns is an authoritative dns server for A/AAAA container records.
It can forward other requests to configured resolvers.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
podman is moving from cni to netavark. Netavark supports currently
only iptables, so I was in touch some time ago with mainstream
maintainer and provided a "none" firewall driver - to make it possible
to use netavark without firewalling features. Driver cannot be selected
at this time without environment variable that selects it, so I made
a config file for openwrt and a wrapper script that takes advantage of
it.
Available options are iptables, nftables and none - but selecting
nftables just tells user that nftables isn't yet supported.
firewall "none" driver is not yet included in release, so that's why
we use git version instead. I chose latest commit instead of commit
with none driver.
Description:
Netavark is a rust based network stack for containers.
It is being designed to work with Podman but is also applicable for other OCI container management applications.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Fix compilation warning for stack limit and variable length array.
Fix compilation warning:
CC [M] /home/ansuel/openwrt-ansuel/openwrt/build_dir/target-aarch64_cortex-a53_musl/linux-ipq807x_generic/siit-1.2/siit.o
../siit-1.2/siit.c: In function 'ip4_fragment':
../siit-1.2/siit.c:988:9: error: ISO C90 forbids variable length array 'buff' [-Werror=vla]
988 | char buff[FRAG_BUFF_SIZE+hdr_len]; /* buffer to form new fragment packet */
| ^~~~
../siit-1.2/siit.c: In function 'siit_xmit':
../siit-1.2/siit.c:1359:1: error: the frame size of 2144 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
1359 | }
| ^
cc1: all warnings being treated as errors
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
wolfssl has been the base TLS library in openwrt since 21.02
mbedtls will once again be the base TLS library in openwrt 23.??
Default to mbedtls for digest functions in lighttpd
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
The next version of lighttpd will move HTTP/2 support from the lighttpd
base executable into a separate module: mod_h2
Include patch to do so now, and update packaging to handle it.
HTTP/2 support is enabled by default since lighttpd 1.4.59, but if
HTTP/2 support is explicitly disabled in the configuration, then mod_h2
will not be loaded, thereby reducing lighttpd memory use.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
wolfssl has been a base TLS library in openwrt since 21.02
Default to wolfssl instead of Nettle for digest functions in lighttpd
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
* made the fetch utility function/autodetection more bullet proof
* no longer add suspicious IPs to the local blocklist when the nft set timeout has been set
* restructure internal functions & small fixes
Signed-off-by: Dirk Brenken <dev@brenken.org>
* add missing space in str_contains
* unquote variable to make sure IPv6 rotues are added
* add IPv6 routes display to status output in nft mode
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Function start_service() is called whenever service may need reloading.
If SMB server is not running it could be simply because it has been
stopped. Reloading service in such case is not an error so:
1. Don't log error as it isn't one
2. Don't exit with error code as it was confusing procd
This change fixes scenario like:
/etc/init.d/ksmbd stop
/etc/init.d/wsdd2 reload
(previously above wasn't stopping wsdd2)
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Set the score value to the maximum value when the connected function is
called. The same happens with a disconnected event, the score value is
there set to zero.
Suggested-by: Anna Tikhomirova <vamp@vampik.ru>
Suggested-by: Maxim Mikityanskiy <maxtram95@gmail.com>
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Refactoring the score handling, so that only one action could take place
during run. The behaviour should be more comprehensible, since several
score actions are not processed at the same time.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* use shared memory to store output data
* add family option to firewall json objects, due to reports that IPv6 hijacking
doesn't work without explicit family declaration
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* add support for external allowlist URLs to reference additional IPv4/IPv6 feeds, set 'ban_allowurl' accordingly
* make download retries in case of an error configurable, set 'ban_fetchretry' accordingly (default 5)
* small fixes
* readme update
* LuCI update (separate commit)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Fix compilation error for stream module not converted to use the PACKAGE
config flag and a missing required dependency for the DAV ext module.
Drop additional config for STREAM module since they are now included and
built by default.
Fixes: 65a676ed56 ("nginx: introduce support for dynamic modules")
Fixes: #20906
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* suppress RTNETLINK errors when inserting ipv6 routes
* only display global scope IPv6 gateways in status/WebUI
* stop and disable vpn-policy-routing when migrating
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* add housekeeping to the autoallow function, only the current uplink will be held
* fix small issues
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
Addition of routes to mwan3_connected ipset is broken. The ipset name was
changed from mwan3_connected_v4/6 to mwan3_connected_ipv4/6, but this
change was not reflected in mwan3rtmon.
Signed-off-by: Anna Tikhomirova <vamp@vampik.ru>
* Update commit message
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Addition of iptables rules for mwan3 sticky rules is broken, resulting
in non-working sticky rules. The required parameters for the function
'mwan3_set_sticky_iptables' were passed in the wrong order.
Signed-off-by: Anna Tikhomirova <vamp@vampik.ru>
* Update commit message
* Quoting function arguments
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* add the option 'ban_autoallowuplink' to limit the uplink autoallow function: 'subnet' (default), 'ip' or 'disable'
Signed-off-by: Dirk Brenken <dev@brenken.org>
*** MAKEFILE ***
* remove libubus dependency as it was causing issues
https://forum.openwrt.org/t/policy-based-routing-pbr-package-discussion/140639/318
* move firewall hotplug directory/file creation out of default section into
pbr and pbr-iptables packages sections in preparation for dropping it from pbr
* fix no new line after output when uninstalling packages
*** UCI-DEFAULTS ***
* only add firewall include to firewall config if the include file exists
* add shellcheck exception to netifd uci-defaults file
*** SCRIPTS ***
* more informative logging for firewall and iface hotplug scripts
* more informative logging for firewall include script
*** SERVICE ***
* introduce lock-file to prevent package starting on external events if it hasn't
been auto- or manually started before
* use the `ip`, not `ip-full` command to prevent errors on OpenWrt 21.02
* parse firewall WAN zone to append list of interfaces
* append error and warning "arrays" with new messages
* used shared memory to store the service output/logging messages
* improve is_ovpn function to filter out false positives when interface names started
with `tun`
* introduce is_valid_ovpn to find OpenVPN tunnels where the device name in OpenVPN config
matches the device name in network config
* introduce opkg_get_version to compare versions of principal and luci packages
* better code to obtain AdGuardHome version with betas installed
* optimize code and add better logging for errors when inserting policies with iptables
* optimize code and add better logging for errors when inserting policies with nft
* bugfix: insert policies in all specified protocols
* bugfix: support using physical devices in policies in nft mode
* bugfix: use iptPrefix, not nftPrefix in iptables commands
* implement Tor support in nft mode
* bugfix: fix spelling for User File Syntax error
* restart service fully (instead of quick reload) for OpenVPN interface events, as
the order/number of supported interfaces
* more verbose output (showing handles) of status in nft mode
* improve `icmp_interface`, `ignored_interface`, `supported_interface` validation
regexes
* improve `interface`, validation regex
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Rename nginx-all-module to nginx-full to follow pattern used by other
package and other projects.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Update lua module to latest openrestry version. Additional config are
required to correctly use it.
Switch it to luajit from liblua as this is what is currently supported
for the module since plain lua support was dropped from the module.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Start building sub package that provide dynamic modules.
Each module needs to be loaded using load_modules.
Refer to nginx documentation on how to use this.
This should result in lower memory usage as only used module are loaded.
Also fix the uci-default scripts to add the required ubus module for
luci module.
-fvisibility=hidden is needed to be dropped to correctly support loading
dynamic modules.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Add support for loading dynamic module in uci template by adding .module
file in module.d directory.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
opkg runs uci-defaults if a package installs one, in acme-common's case
that's identical to postinst.
prerm shouldn't be run a image builder, so it's unnecessary to check
IPKG_INSTROOT
Signed-off-by: Glen Huang <me@glenhuang.com>
This fixes "permission denied" error when access files as a normal user.
Reported-by: Anya Lin <hukk1996@gmail.com>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
The root user is usually the user that clients ssh into with, so in most
cases its authorized_keys determines what clients are allowed to ssh
into this device. Without preserving this file, they could potentially
be locked out after upgrading.
Signed-off-by: Glen Huang <me@glenhuang.com>
Without these charon will warn with messages like:
plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available
plugin 'drbg': failed to load - drbg_plugin_create not found and no plugin file available
Signed-off-by: Glen Huang <me@glenhuang.com>
This package requires poetry to build using the new Python build process
but poetry is not available, so force the old build process for now.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This package isn't compatible with the new Python build process yet, so
force the old build process for now.
This also adds a call to Py3Build/Install, for when the new build
process can be used.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Without nonce, charon won't start, so it's not an optional plugin. I
asked one of the strongSwan maintainers (ecdsa), and he confirmed this:
> It definitely has to be enabled unconditionally. The only other
> provider for the NONCE_GEN plugin feature is in charon-tkm, so
> completely irrelevant on OpenWrt
Signed-off-by: Glen Huang <me@glenhuang.com>
* add support for a custom feeds file (/etc/banip/banip.custom.feeds). Add new or edit existing banIP feeds on your own with the integrated custom feed editor (LuCI-component
* add a new option 'ban_blockpolicy' to overrule the default bblock policy (block all chains), see readme for details
* change the feed file format and add a new ipthreat feed, see readme
* refine (debug) logging
* multiple small fixes and improvements
* readme update
* luci update (separate commit)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Automatically compute and substitute current values for all
$(AUTORELEASE) instances as this feature is deprecated and shouldn't be
used.
The following temporary change was made to the core:
diff --git a/rules.mk b/rules.mk
index 57d7995d4fa8..f16367de87a8 100644
--- a/rules.mk
+++ b/rules.mk
@@ -429,7 +429,7 @@ endef
abi_version_str = $(subst -,,$(subst _,,$(subst .,,$(1))))
COMMITCOUNT = $(if $(DUMP),0,$(call commitcount))
-AUTORELEASE = $(if $(DUMP),0,$(call commitcount,1))
+AUTORELEASE = $(if $(DUMP),0,$(shell sed -i "s/\$$(AUTORELEASE)/$(call commitcount,1)/" $(CURDIR)/Makefile))
all:
FORCE: ;
And this command used to fix affected packages:
for i in $(cd feeds/packages; git grep -l PKG_RELEASE:=.*AUTORELEASE | \
sed 's^.*/\([^/]*\)/Makefile^\1^';);
do
make package/$i/download
done
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
Split DAV_EXT from standard nginx DAV config as additional WebDAV
methods are provided by an external module.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Add push external module. This is very useful for an IRC Bounder as this
module permits to register various services and receive a push
notification on the registered service.
One example is attaching a telegram bot and receive notification on your
phone when an user tags you in one of the connected channels.
Bump and drop AUTORELEASE from PKG_RELEASE since we are adding a new
module.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
We currently inclde the playback external module with a separate patch.
This is ugly and can be better handled.
Add required changes to download the external module from his own github
repository. Then create a link in the znc modules to reference the cpp
source.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
See commit 07730ff3 "treewide: add support for "lto" in PKG_BUILD_FLAGS"
on the main repository.
Note: Some packages only added `-flto` to CFLAGS and not LDFLAGS. This
fixes it and properly enables LTO.
Signed-off-by: Andre Heider <a.heider@gmail.com>
See commit da370098 "treewide: add support for "gc-sections" in
PKG_BUILD_FLAGS" on the main repository.
Note: This only touches packages which use all three parts
(-ffunction-sections, -fdata-sections and -Wl,--gc-sections) enabled by
this build flag. Some packages only use a subset, and these are left
unchanged for now.
Signed-off-by: Andre Heider <a.heider@gmail.com>
See commit 5c545bdb "treewide: replace PKG_USE_MIPS16:=0 with
PKG_BUILD_FLAGS:=no-mips16" on the main repository.
Signed-off-by: Andre Heider <a.heider@gmail.com>
* add the new init command 'lookup', to lookup the IPs of domain names in the local lists and update them
* significant acceleration of the domain lookup function
* multiple small fixes and improvements
* readme update
* luci update (separate commit)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* curl_additional_param: to pass additional parameters (like proxy) to curl
* compressed_cache_dir: where to store compressed cache in non-volitile memory
Signed-off-by: Stan Grishin <stangri@melmac.ca>
This adds the respondd package, a protocol used primarily with Freifunk
and the Gluon mesh-framework for collecting statistics.
For more information, see the project readme.
Ref: https://github.com/freifunk-gluon/respondd/
Tested: mpc85xx-p1020 / mediatek-filogic
Signed-off-by: David Bauer <mail@david-bauer.net>
The host build replaces the use of the host pip requirements file. This
also updates the dependants of setuptools-scm to depend on the host
build.
This also removes the toml host pip requirements file as toml is not
used by any other package.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* fixed missing version number when installed as separate package (not in build)
* fixed cornercase init and mailing issues
* sorted Country list by country names ascending
* fixed some shellcheck findings
Signed-off-by: Dirk Brenken <dev@brenken.org>
The commands in the function 'stop_service' do not stop the service.
Rather, they are commands that are to be executed when the service has
already been stopped. By renaming the function, the commands are now
executed after the service has been stopped.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Release Notes
Management
- Introduce a new ACL engine based on Rego (Open Policy Agent) for firewall control
- Personal access tokens generation as a first iteration toward public API release
- Add Keycloak support as an IDP manager
Agent
- Introduce a Firewall interface to apply granular access control (e.g., connection direction, port, or protocol level)
- Make the agent run on Android (mobile support)
Changelog
- Feat rego default policy
- Don't drop Rules from file storage after migration to Policies
- Add version info command to signal server
- Feat firewall controller interface
- Adding Personal Access Token generation
- Exchange proxy mode via signal
- Fix connstate indication
- Mobile
- PAT persistence
- Add Keycloak Idp Manager
- Adjustments for the change server flow
- Disable peer expiration of peers added with setup keys
- Add JWT middleware validation failure log
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
- Update haproxy PKG_VERSION and PKG_HASH
- This release includes a fix for an OOB write. The official notes
do not list a CVE entry but I guess there is a chance for
security implications
- See changes: http://git.haproxy.org/?p=haproxy-2.6.git;a=shortlog
Signed-off-by: Christian Lachner <gladiac@gmail.com>
* raise max. timeouts from 10 to 30 seconds to stabilize the autodetection on slow hardware
* made interface trigger action configurable, set 'ban_triggeraction' accordingly (default: 'start')
* made E-Mail notifications configurable to receive status E-Mais with every banIP run,
set 'ban_mailnotification' accordingly (default: disabled)
* small fixes & optimizations
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fix cornercase issue with duplicate entries in black- and whitelist
* change cpbl source URL
* firewall redirects now blocks IPv4 and IPv6 (set family to "any")
Signed-off-by: Dirk Brenken <dev@brenken.org>
We need the host build of swig only.
And the binding uses libgensiocpp - not the plain
C library, so fix the dependency.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
zerotier as default has executable stack.
[ 11.343143] process '/usr/bin/zerotier-one' started with executable stack
executable stacks are not recommend, possibly provide a threat and there
seems to be no advantage of executable stack with zerotier-one - so let's
build it without instead.
Stack is executable on x86_64, but not on all archs, such as ramips.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
- changed Config.in to enable unix sockets support by default
- release number bumped
Description:
socket support is very handy when communicating with
various REST APIs.
Size increases are very small, nearly unnoticiable.
Tested-by: Stan Grishin <stangri@melmac.ca>
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
* move network.sh and jshn.sh includes into load_validate_config function
to prevent errors when adding the package to image with the Image Builder
* add @bongochong compressed domains block-list to the config
Signed-off-by: Stan Grishin <stangri@melmac.ca>
- Explicitly request the C++11 standard (codebase is not C++17 compliant).
- Removed categories.json from conffiles -- it's not a configuration
file.
- Removed commented-out convenience git hash place-holder -- for some
reason it irritates people.
- Added radix header file to devel files.
- Removed redundant call to Build/Configure (not needed).
Co-authored-by: Tianling Shen <cnsztl@gmail.com>
Signed-off-by: Darryl Sokoloski <darryl@sokoloski.ca>
* fix the auto-detection for pppoe and 6in4 tunnel interfaces
* add the new 'ban_nftpolicy' option to expose the nft set policy, values: memory (default), performance
* add the new 'ban_nftlogevel' option to expose the nft syslog level, values: emerg, alert, crit, err, warn (default),
notice, info, debug, audit
* status optimizations
* logging optimizations
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Added `cgroupsns` to jail, otherwise you get this failure:
```
Mon Mar 6 14:46:05 2023 user.err : jail: Not using namespaces, capabilities or seccomp !!!
```
Error is here, seems to indicate that we're running a jail without using any capability.
https://lxr.openwrt.org/source/procd/jail/jail.c#L2847
Decided to use minimal effort approach
Signed-off-by: BackSlasher <nitz.raz@gmail.com>
simple protocol support script for netifd.
netifd protocol support for cni networks makes
defining network for podman and other similar
systems using cni networking much easier and simpler.
with cni protocol support, on a cni network, where firewall
and portmapper is disabled, you may control firewalling
with openwrt's standard firewall configuration.
for example, create a container that hosts web content on
port 80 with static ip on your cni network, if your
network is 10.88.0.0/16, use for eg. 10.88.0.101 as
your containers static ip address. Create a zone, cni
to your firewall and add your interface to it.
Now you can easily set up redirectiong to 10.88.0.101:80
to expose it's port 80 to wan for serving your website.
Protocol has only one setting: device, on podman this
often is cni-podman0. This protocol may also be used
on other equillavents, such as netavark (cni replacement
in podman), where device as default is podman0.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
* update to 4.17.5
* changelog: https://www.samba.org/samba/history/samba-4.17.5
* refresh patch
* CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against integer overflows when parsing a PAC on a 32-bit system, which allowed an attacker with a forged PAC to corrupt the heap.
https://www.samba.org/samba/security/CVE-2022-42898.html
* CVE-2022-37966: This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.
A Samba Active Directory DC will issue weak rc4-hmac session keys for use between modern clients and servers despite all modern Kerberos implementations supporting the aes256-cts-hmac-sha1-96 cipher.
On Samba Active Directory DCs and members 'kerberos encryption types = legacy' would force rc4-hmac as a client even if the server supports aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
https://www.samba.org/samba/security/CVE-2022-37966.html
* CVE-2022-37967: This is the Samba CVE for the Windows Kerberos Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.
A service account with the special constrained delegation permission could forge a more powerful ticket than the one it was presented with.
https://www.samba.org/samba/security/CVE-2022-37967.html
* CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the same algorithms as rc4-hmac cryptography in Kerberos, and so must also be assumed to be weak.
https://www.samba.org/samba/security/CVE-2022-38023.html
* BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
This resolves errors logged during macOS TimeMachine backups.
https://bugzilla.samba.org/show_bug.cgi?id=15210
Signed-off-by: Michael Peleshenko <mpeleshenko@gmail.com>
* major performance improvements: clean-up/optimize all nft calls
* add a new "ban_reportelements" option,
to disable the (time consuming) Set element count in the report (enabled by default)
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Currently compilation fails because of:
```
opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
library: 'digital envelope routines',
reason: 'unsupported',
code: 'ERR_OSSL_EVP_UNSUPPORTED'
```
What's interesting package gets built but when trying to access UI there's
`404: page not found` error.
It has been reported in multiple places:
* https://github.com/AdguardTeam/AdGuardHome/issues/5559
* https://github.com/AdguardTeam/AdGuardHome/issues/4595
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
Backport a pending PR to add nftables support.
Upstream PR: https://github.com/v2rayA/v2rayA/pull/805
As nftables merged ipv4/ipv6 support into a single command, so simply
enable ipv6 support by default.
While at it, backport a upstreamed fix for simple-obfs plugin.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* finalized the LuCI frontend preparation (this is the minmal version to use the forthcoming LuCI frontend)
* added a Set survey, to list all elements of a certain set
* changed the default logterm for asterisk
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Netbird is similar vpn service as tailscale and zerotier.
Description:
NetBird is an open-source VPN management platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.
It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
These patches should not be backported to OpenWrt, otherwise tproxy
won't work for devices connected to br-lan (bypassed by the fw rules).
We have introduced a new compile-time flag for new version (which
is not released yet), but it's unnecessray to backport redudant
patches as here is still at the old version.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Also added patch that is from alpine's same package to assist building on musl.
Hostpkg build on musl also kept failing, so I added few more overrides, which
made it work perfectly.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
* add oisdbig as new feed
* LuCI frontend preparation:
- the json feed file points always to /etc/banip/banip.feeds (and is no longer compressed)
- supply country list in /etc/banip/banip.countries
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
easydns.com has supported IPv6 for awhile now using
the same update URL as IPv4. This duplicates the IPv4
entry for IPv6 to enable support for it.
Signed-off-by: James Buren <braewoods+mgh@braewoods.net>
* fix a potential race condition during initial startup (after flash) which leads to a "disabled" service
Signed-off-by: Dirk Brenken <dev@brenken.org
Signed-off-by: Dirk Brenken <dev@brenken.org>
add lighttpd-mod-webdav_min package alternative to lighttpd-mod-webdav
lighttpd-mod-webdav_min is more minimal than full lighttpd-mod-webdav.
lighttpd-mod-webdav_min does not support PROPPATCH, LOCK, UNLOCK, and
by not supporting those methods, removes dependencies on libxml2,
libsqlite3, and libuuid.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
- complete rewrite of banIP to support nftables
- all sets are handled in a separate nft table/namespace 'banIP'
- for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook
- full IPv4 and IPv6 support
- supports nft atomic set loading
- supports blocking by ASN numbers and by iso country codes
- 42 preconfigured external feeds are available, plus local allow- and blocklist
- supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
- auto-add the uplink subnet to the local allowlist
- provides a small background log monitor to ban unsuccessful login attempts in real-time
- the logterms for the log monitor service can be freely defined via regex
- auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
- fast feed processing as they are handled in parallel as background jobs
- per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
- automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
- automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
- supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
- provides comprehensive runtime information
- provides a detailed set report
- provides a set search engine for certain IPs
- feed parsing by fast & flexible regex rulesets
- minimal status & error logging to syslog, enable debug logging to receive more output
- procd based init system support (start/stop/restart/reload/status/report/search)
- procd network interface trigger support
- ability to add new banIP feeds on your own
- add a readme with all available options/feeds to customize your installation to your needs
- a new LuCI frontend will be available in due course
Signed-off-by: Dirk Brenken <dev@brenken.org>
* update default config for new oisd.nl lists
* conf.update file to migrate oisd.nl lists to the new format
* introduce AdBlockPlus lists support (new oisd.nl format)
* longer wait for WAN up/gateway detection
* make load_environemnt only execute once to suppress duplicate
warnings/errors
PS. While I was testing this, oisd.nl has brought back the old domains
lists as well, so this version supports both as I'm unclear as to
why the "big" ABPlus list is only 6.2Mb where as the "big" domains
list is whopping 19.9Mb.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
This version adds compatibility with OpenSSL 3.0.
There's a patch, submitted upstream, to fix building without SSL.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
The tranmission UCI config options
- `config_overwrite`
- `incomplete_dir_enabled`
- `watch_dir_enabled`
are all booleans, so we have to retrieve them using `config_get_bool` in order
to make sure they are properly interpreted in case the user sets them to a
keyword (`true`/`false`, `on`/`off` etc.) and not an integer (`0`/`1`).
Signed-off-by: Salim B <git@salim.space>
Samba4 running as Active Directory Domain Controller with the internal
DNS backend requires the nsupdate binary with GSSAPI support.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* add boot() function which waits for network.interface to come up
* switch oisd.nl hosts entry to domains
* remove erroneous oisd substitution from config-update file
Signed-off-by: Stan Grishin <stangri@melmac.ca>
- Update tailscale to version 1.36.0
- Patch iptables support
Tailscale does not (yet) support nftables.
Tailscale allows running with --netfilter=off allowing
end-user to create his own firewall rules, but this
affects only tailscale cli, not tailscaled daemon, so
connection cannot be made without error telling that
tailscaled was unable to determine execute iptables
for determining it's version.
There is a work-around for those who do not want
nft-iptables compatibility package; they can create
a script to /usr/bin/iptables which responds to
--version argument and echos fake version string
and on any other arguments or no arguments, just exits.
After this procedure and starting tailscale cli with
netfilter off- it works. Openwrt has moved on to
nftables, so iptables manipulation seems unnecessary.
Especially for other reasons, on Openwrt, firewall
should be configured on it's own, because firewall
rules made by other software, such as tailscale,
loose their firewalling rules when firewall restarts.
So I patched it to allow "fake" iptables pointing
to executable /bin/false and ignoring version
request. And I also set cli to default to
netfilter off setting.
If still end-user wants to use iptables, this
patch does not make it impossible; just install
iptables, or nft-iptables, and run tailscale
with argument --netfilter=on and it works out
as it did before, tailscaled daemon still
matches with iptables if it is found in $PATH.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Update crowdsec-firewall-bouncer to latest upstream release version 0.0.25
Signed-off-by: S. Brusch <ne20002@gmx.ch>
Maintainer: Kerma Gérald <gandalf@gk2.net>
Run tested: ipq40xx/generic, Fritzbox 4040, Openwrt 22.03.3
Rework:
- now based on uci config file
- create nftables tables and chains in initd script
Fixes CVEs:
- CVE-2022-3924: Fix serve-stale crash when recursive clients
soft quota is reached.
- CVE-2022-3736: Handle RRSIG lookups when serve-stale is
active.
- CVE-2022-3094: An UPDATE message flood could cause named to
exhaust all available memory. This flaw was addressed by adding
a new "update-quota" statement that controls the number of
simultaneous UPDATE messages that can be processed or
forwarded. The default is 100. A stats counter has been added to
record events when the update quota is exceeded, and the XML and
JSON statistics version numbers have been updated.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
Changes in version v2.4.3 - 2023-01-16
- Fix version number in version.go
(Changes for v2.5.1 are missing)
Signed-off-by: Nick Hainke <vincent@systemli.org>
They were added in these commits [1] [2] and if they are not included,
the RIPE Atlas SW Probe does not work correctly.
This should also prevent this from happening in the future as it now. We include all
files with .sh extension file type.
[1] 70ced29fc3
[2] 71a4ff0e68
Fixes: https://github.com/openwrt/packages/issues/20338
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
When CC is set to e.g. "ccache mips-openwrt-linux-musl-gcc" it needs
to be quoted to avoid word splitting on substitution.
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
Add hosting.de provider. To use dynamic DNS you have to create a DDNS
host with a separate DDNS user.
Note: As of 2023-01-17 hosting.de does not work with wget which will
fail with `400: Bad Request` (it will work with `--auth-no-challenge`).
You should use curl instead. I have reported that to the provider.
Signed-off-by: Benjamin Drung <bdrung@bdrung.de>
Bugfixes:
* better error information for empty tid/mark and failure to resolve domains
* better handling of entries in /etc/iproute2/rt_tables
* update packages definitions and descriptions
* remove firewall4 from dependencies to prevent dependency recursion
Updates:
* introduce nft_user_set_policy and nft_user_set_counter to control options for
user nft sets this service creares
* use counters in internal nft sets
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Changes in version v2.4.2 - 2023-01-13
- Issue 40208: Enhance help info for capacity flag
- Issue 40232: Update README and fix help output
- Issue 40173: Increase clientIDAddrMapCapacity
- Issue 40177: Manually unlock mutex in ClientMap.SendQueue
- Issue 40177: Have SnowflakeClientConn implement io.WriterTo
- Issue 40179: Reduce turbotunnel queueSize from 2048 to 512
- Issue 40187/40199: Take ownership of buffer in QueuePacketConn QueueIncoming/WriteTo
- Add more tests for URL encoded IPs (safelog)
- Fix server flag name
- Issue 40200: Use multiple parallel KCP state machines in the server
- Add a num-turbotunnel server transport option
- Issue: 40241: Switch default proxy STUN server to stun.l.google.com
Signed-off-by: Nick Hainke <vincent@systemli.org>
ChangeLog file excert:
Fri Dec 30 12:51:11 AM CET 2022
Releasing gnunet-fuse 0.19.1: fix build for GNUnet 0.19.0+.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The gnURL-fork of cURL is no longer maintained as cURL finally supports
probing and selecting the TLS implementation at run-time.
Hence just build a gnuTLS-backed variant of libcurl, use patchelf to
change the shared object name, call the result libcurl-gnutls and be
done. Other distributions have opted for similar solutions.
In future we could convert the curl package to provide build-variants
for each TLS implementation; however, this is out of the scope of the
needs of GNUnet which used to be only user of libgnurl.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The safe-search package creates symlinks in a configured additional
hosts directory. The link targets are inside another directory which
has to be made available to dnsmasq as well.
Now that support for adding additional paths to dnsmasq was added by
commit openwrt/openwrt@aa12a0fdd1
implement adding this path using the existing uci-defaults script.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Libreswan will set DEFAULT_DNSSEC_ROOTKEY_FILE from the LINUX_VARIANT
variable, which is taken from the ID field in /etc/os-release. This
points to the host file, which is wrong.
Set both variables when calling make.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
ztDNS is a dedicated DNS server for a ZeroTier virtual network.
ztdns is alternative to zerotier's own zeronds.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Disable libmaxminddb detection to fix a build error
due to missing dependency.
(the libmaxminddb library is now detected, but is unncessary.)
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Disable libmaxminddb detection to fix a build error due to
missing dependency.
(the libmaxminddb library is now detected, but is unncessary.)
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
modify build command for meson type: feature options
remove -Dwith_libev=disabled (option no longer has any effect)
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Besides updating the package to 1.20.1, this commit removed two patches
that the new release made unnecessary.
Signed-off-by: W. Michael Petullo <mike@flyn.org>
* Use Boolean true for enable inline mode which is more intuitive that older ''
* Add skeleton section for openappid since it has been merged[1]
1. 2d4e7d5fd3
Signed-off-by: John Audia <therealgraysky@proton.me>
Use UCI to add temporary incoming firewall rule to accept http traffic for
challenge verification.
This should make uacme compatible with OpenWrt's fw3/4 implementation.
Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
This prevents a forwarding server named like ::1@5453 from being added
to unbound.conf as a forward-host instead of the correct forward-addr.
forward-host requires the name to be resolved, which is impossible in
the absence of another nameserver. Thus, forwarding-only configurations
referencing only the IPv6 loopback address with a port number were
broken.
Signed-off-by: Mark Mentovai <mark@mentovai.com>
This is a fix for the the following change:
3d824ea288
Before the change, it was only possible to execute a shell script. To
remove this restriction, a binary or other script language can now also
be used for 'mwan3.user'. Unfortunately, the old shell script was not
executable for older mwan3 version. During a sysupgrade with config transfer,
this 'mwan3.user' script could not be executed for newer mwan3 versions.
To fix this, the calling script checks whether the 'mwan3.user' is executable,
and if not, this executable bit is now set.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Quoting the changelog:
Changes in version 0.4.7.12 - 2022-12-06
This version contains a major change that is a new key for moria1. Also, new
metrics are exported on the MetricsPort for the congestion control
subsystem.
o Directory authority changes (moria1):
- Rotate the relay identity key and v3 identity key for moria1. They
have been online for more than a decade and refreshing keys
periodically is good practice. Advertise new ports too, to avoid
confusion. Closes ticket 40722.
o Minor feature (Congestion control metrics):
- Add additional metricsport relay metrics for congestion control.
Closes ticket 40724.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on December 06, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/12/06.
o Minor bugfixes (cpuworker, relay):
- Fix an off by one overload calculation on the number of CPUs being
used by our thread pool. Fixes bug 40719; bugfix on 0.3.5.1-alpha.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Quoting the changelog:
Changes in version 0.4.7.11 - 2022-11-10
This version contains several major fixes aimed at helping defend against
network denial of service. It is also extending drastically the MetricsPort
for relays to help us gather more internal data to investigate performance
and attacks.
We strongly recommend to upgrade to this version especially for Exit relays
in order to help the network defend against this ongoing DDoS.
o Directory authority changes (dizum, Faravahar):
- Change dizum IP address. Closes ticket 40687.
- Remove Faravahar until its operator, Sina, set it back up online
outside of Team Cymru network. Closes ticket 40688.
o Major bugfixes (geoip data):
- IPFire informed us on August 12th that databases generated after
(including) August 10th did not have proper ARIN network
allocations. We are updating the database to use the one generated
on August 9th, 2022. Fixes bug 40658; bugfix on 0.4.5.13.
o Major bugfixes (onion service):
- Set a much higher circuit build timeout for opened client rendezvous
circuit. Before this, tor would time them out very quickly leading to
unnecessary retries meaning more load on the network. Fixes bug 40694;
bugfix on 0.3.5.1-alpha.
o Major bugfixes (OSX):
- Fix coarse-time computation on Apple platforms (like Mac M1) where
the Mach absolute time ticks do not correspond directly to
nanoseconds. Previously, we computed our shift value wrong, which
led us to give incorrect timing results. Fixes bug 40684; bugfix
on 0.3.3.1-alpha.
o Major bugfixes (relay):
- Improve security of our DNS cache by randomly clipping the TTL
value. TROVE-2021-009. Fixes bug 40674; bugfix on 0.3.5.1-alpha.
o Minor feature (Mac and iOS build):
- Change how combine_libs works on Darwin like platforms to make
sure we don't include any `__.SYMDEF` and `__.SYMDEF SORTED`
symbols on the archive before we repack and run ${RANLIB} on the
archive. This fixes a build issue with recent Xcode versions on
Mac Silicon and iOS. Closes ticket 40683.
o Minor feature (metrics):
- Add various congestion control counters to the MetricsPort. Closes
ticket 40708.
o Minor feature (performance):
- Bump the maximum amount of CPU that can be used from 16 to 128. Note
that NumCPUs torrc option overrides this hardcoded maximum. Fixes bug
40703; bugfix on 0.3.5.1-alpha.
o Minor feature (relay):
- Make an hardcoded value for the maximum of per CPU tasks into a
consensus parameter.
- Two new consensus parameters are added to control the wait time in
queue of the onionskins. One of them is the torrc
MaxOnionQueueDelay options which supersedes the consensus
parameter. Closes ticket 40704.
o Minor feature (relay, DoS):
- Apply circuit creation anti-DoS defenses if the outbound circuit
max cell queue size is reached too many times. This introduces two
new consensus parameters to control the queue size limit and
number of times allowed to go over that limit. Closes ticket 40680.
o Minor feature (relay, metrics):
- Add DoS defenses counter to MetricsPort.
- Add congestion control RTT reset counter to MetricsPort.
- Add counters to the MetricsPort how many connections, per type,
are currently opened and how many were created.
- Add relay flags from the consensus to the MetricsPort.
- Add total number of opened circuits to MetricsPort.
- Add total number of streams seen by an Exit to the MetricsPort.
- Add traffic stats as in number of read/written bytes in total.
- Related to ticket 40194.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on November 10, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/11/10.
o Minor bugfixes (authorities, sandbox):
- Allow to write file my-consensus-<flavor-name> to disk when
sandbox is activated. Fixes bug 40663; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (dirauth):
- Directory authorities stop voting a consensus "Measured" weight
for relays with the Authority flag. Now these relays will be
considered unmeasured, which should reserve their bandwidth for
their dir auth role and minimize distractions from other roles. In
place of the "Measured" weight, they now include a
"MeasuredButAuthority" weight (not used by anything) so the
bandwidth authority's opinion on this relay can be recorded for
posterity. Lastly, remove the AuthDirDontVoteOnDirAuthBandwidth
torrc option which never worked right. Fixes bugs 40698 and 40700;
bugfix on 0.4.7.2-alpha.
o Minor bugfixes (onion service client):
- A collapsing onion service circuit should be seen as an
"unreachable" error so it can be retried. Fixes bug 40692; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (onion service):
- Make the service retry a rendezvous if the circuit is being
repurposed for measurements. Fixes bug 40696; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (relay overload statistics):
- Count total create cells vs dropped create cells properly, when
assessing if our fraction of dropped cells is too high. We only
count non-client circuits in the denominator, but we would include
client circuits in the numerator, leading to surprising log lines
claiming that we had dropped more than 100% of incoming create
cells. Fixes bug 40673; bugfix on 0.4.7.1-alpha.
o Code simplification and refactoring (bridges):
- Remove unused code related to ExtPort connection ID. Fixes bug
40648; bugfix on 0.3.5.1-alpha.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Now that we're packaging flent itself, there's no reason to have a
completely separate flent-tools package. So integrate the flent-tools
package specification into the main flent package so it's always kept in
sync.
Also add a dependency from flent itself on flent-tools, as the shell
versions of those utilities that Flent uses when running tests doesn't work
on the busybox shell included with openwrt.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Update the Flent package and move it to net/, renaming it to just 'flent'
instead of python3-flent (it's not a library, having the python3- prefix
makes no sense). Also add python3-defusedxml as a dependency to protect
against XML bombs if using the one of the backends that use XML-RPC, and
trim the dependencies to those used directly by Flent.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Traditionally, Snort rules are based upon packet analysis. OpenAppID
enables detection of applications/cloud applications on the network.
This package provides OpenAppID and signature files used by OpenAppID to detect
network traffic from certain applications can be used to identify rogue
application use, detect malicious applications and implement various
application policies, such as application blacklisting, limiting application
usage, and enforcing conditional controls.
To use, for example, edit /etc/snort/local.lua and add the following section
at a minimum:
appid = {
app_detector_dir = '/usr/lib/openappid',
log_stats = true,
app_stats_period = 60,
}
Signed-off-by: John Audia <therealgraysky@proton.me>
The haproxy hotplug script creates a 'combined' certificate bundle that
contains both the certificate chain and the private key. However, having a
daemon hotplug script write into CERT_DIR is not great; so let's provide
the bundle as part of the main acme framework, keeping it in $domain_dir
and just linking it into CERT_DIR. That way we can keep CERT_DIR as just a
collection of links for everything, that no consumers should need to write
into.
Also make sure to set the umask correctly so the combined file is not
world-readable (since it contains the private key).
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
The acme-acmesh package hardcoded the certificate path in its hook script.
Now that we export it as a variable we can avoid hard-coding and use the
variable version instead. Also factor out the linking of certificates into
a function so it's not repeated.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
The contract between the acme-common framework and consumers and hook
scripts is that certificates can be consumed from /etc/ssl/acme and that
web challenges are stored in /var/run/acme/challenge. Make this explicit by
exporting $CERT_DIR and $CHALLENGE_DIR as environment variables as well,
instead of having knowledge of those paths depend on out-of-band
information. We already exported $challenge_dir, but let's change it to
upper-case to make it clear that it's not a user configuration variable.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
state_dir is actually a hardcoded value in conffiles. Allowing users to
customize it could result in losing certificates after upgrading if they
don't also specify the dir as being preserved. We shouldn't default to
this dangerous behavior.
With the new ACME package, certificates live in the standard location
/etc/ssl/acme, users who need to do certificate customizations should
look for them in that dir instead.
Signed-off-by: Glen Huang <i@glenhuang.com>
Replace my own patch with the upstream solution, which they issued
in response to my bug report.
(Two patches as they overlooked something on the first try.
Reference to https://savannah.gnu.org/bugs/index.php?63431 )
The nettle lib evaluation is now conditional to not having "--disable-ntlm".
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
- Improved logging
- Log the executed curl command to be able to rerun and test it manually
- Log the curl exit status
- Added 30 second timeout timeout for clear-cut detection of flaky connections.
Signed-off-by: Pyry Kontio <pyry.kontio@drasa.eu>
The implementation uses a GCP service account. The user is expected to
create and secure a service account and generate a private key. The
"password" field can contain the key inline or be a file path pointing
to the key file on the router.
The GCP project name and Cloud DNS ManagedZone must also be provided.
These are taken as form-urlencoded key-value pairs in param_enc. The TTL
can optionally be supplied in param_opt.
Signed-off-by: Chris Barrick <chrisbarrick@google.com>
Fix the indentation of the preinst/postinst scripts for the privoxy
package.
Because these scripts didn't start with `#!/bin/sh`
(they instead started with the TAB character), `/bin/sh` was not used
to start them.
On x86_64 and i386_pentium-mmx, this seems to be fine, but on
arm_cortex-a15_neon-vfpv4 and aarch64_cortex-a53, running these
scripts fails with a:
```
Installing privoxy (3.0.33-3) to root...
Collected errors:
* pkg_run_script: package "privoxy" preinst script returned status 1.
* preinst_configure: Aborting installation of privoxy.
* opkg_install_cmd: Cannot install package privoxy.
```
Reported-by: Marius Dinu <m95d+git@psihoexpert.ro>
Signed-off-by: Alois Klink <alois@aloisklink.com>
* add mdns records for started instances
* Makefile: use $(PKG_VERSION) as a value for PKG_SOURCE_DATE instead of
hard-coding it
Signed-off-by: Stan Grishin <stangri@melmac.ca>
This commit adds /etc/snort/local.lua and /etc/snort/homenet.lua for user
defined config options which is more simplistic than modifying upstream
files directly. That can be tedious and decisive to maintain in sync with
upstream changes. The init script has been adjusted accordingly.
Acknowledgment to amish who maintains the Arch Linux snort-nfqueue package[1]
for these ideas and initial code.
Another modification is dropping the following args in the call to
/usr/bin/snort by the init system as these options are provided in
/etc/snort/local.lua:
* --daq-dir /usr/lib/daq/
* -A "$alert_module"
Instructions to configure snort3:
1. Edit /etc/snort/homenet.lua and redefine HOME_NET and EXTERNAL_NET, for example:
HOME_NET = [[ 10.9.8.0/24 192.168.1.0/24 ]]
EXTERNAL_NET = "!$HOME_NET"
2. Edit /etc/snort/local.lua to setup options unique to your use case of snort.
The default ones I included should be sane for the role of IDS (alert only),
but users may easily uncomment some options therein to use IPS (drop) mode.
3. Install or symlink rules to /etc/snort/rules/snort.rules and optionally
edit /etc/snort/local.lua to define extra rules files if not using a unified
'snort.rules'
References:
1. https://aur.archlinux.org/packages/snort-nfqueue
Signed-off-by: John Audia <therealgraysky@proton.me>
The original idea of the extra namespace variable was to set up
bpfcountd from other daemons etc. independent of what a user configured
in /etc/config/bpfcountd for instance. Like:
$ UCI_CONFIG_DIR=/var/run/bpfcountd/gluon-config \
/etc/init.d/bpfcountd start "" gluon
However there are still issues with this approach:
1) Instance specific stop calls like:
$ /etc/init.d/bpfcountd stop <instance-name> <namespace>"
will not stop the according namespaced instance, as the stop() in
/etc/rc.common will call procd_kill() without the namespace prefix.
And we can't overwrite that behaviour. And asking a user to use
"... start <in> <ns>" and "... stop <ns>.<in>" is confusing.
(and currently "... stop <ns>.<in>" would not remove the correct
unix socket).
2) A stop call without an instance/config name would always stop all
instances. So the namespace variable would be ignored.
While start without an instance "works", but:
3) It would stop any process that is not in the currently selected
UCI_CONFIG_DIR.
As all this is not easily fixable without changing OpenWrt internals,
just remove the whole namespace idea for now.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
