Use UCI to add temporary incoming firewall rule to accept http traffic for
challenge verification.
This should make uacme compatible with OpenWrt's fw3/4 implementation.
Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
This prevents a forwarding server named like ::1@5453 from being added
to unbound.conf as a forward-host instead of the correct forward-addr.
forward-host requires the name to be resolved, which is impossible in
the absence of another nameserver. Thus, forwarding-only configurations
referencing only the IPv6 loopback address with a port number were
broken.
Signed-off-by: Mark Mentovai <mark@mentovai.com>
This is a fix for the the following change:
3d824ea288
Before the change, it was only possible to execute a shell script. To
remove this restriction, a binary or other script language can now also
be used for 'mwan3.user'. Unfortunately, the old shell script was not
executable for older mwan3 version. During a sysupgrade with config transfer,
this 'mwan3.user' script could not be executed for newer mwan3 versions.
To fix this, the calling script checks whether the 'mwan3.user' is executable,
and if not, this executable bit is now set.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Quoting the changelog:
Changes in version 0.4.7.12 - 2022-12-06
This version contains a major change that is a new key for moria1. Also, new
metrics are exported on the MetricsPort for the congestion control
subsystem.
o Directory authority changes (moria1):
- Rotate the relay identity key and v3 identity key for moria1. They
have been online for more than a decade and refreshing keys
periodically is good practice. Advertise new ports too, to avoid
confusion. Closes ticket 40722.
o Minor feature (Congestion control metrics):
- Add additional metricsport relay metrics for congestion control.
Closes ticket 40724.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on December 06, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/12/06.
o Minor bugfixes (cpuworker, relay):
- Fix an off by one overload calculation on the number of CPUs being
used by our thread pool. Fixes bug 40719; bugfix on 0.3.5.1-alpha.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Quoting the changelog:
Changes in version 0.4.7.11 - 2022-11-10
This version contains several major fixes aimed at helping defend against
network denial of service. It is also extending drastically the MetricsPort
for relays to help us gather more internal data to investigate performance
and attacks.
We strongly recommend to upgrade to this version especially for Exit relays
in order to help the network defend against this ongoing DDoS.
o Directory authority changes (dizum, Faravahar):
- Change dizum IP address. Closes ticket 40687.
- Remove Faravahar until its operator, Sina, set it back up online
outside of Team Cymru network. Closes ticket 40688.
o Major bugfixes (geoip data):
- IPFire informed us on August 12th that databases generated after
(including) August 10th did not have proper ARIN network
allocations. We are updating the database to use the one generated
on August 9th, 2022. Fixes bug 40658; bugfix on 0.4.5.13.
o Major bugfixes (onion service):
- Set a much higher circuit build timeout for opened client rendezvous
circuit. Before this, tor would time them out very quickly leading to
unnecessary retries meaning more load on the network. Fixes bug 40694;
bugfix on 0.3.5.1-alpha.
o Major bugfixes (OSX):
- Fix coarse-time computation on Apple platforms (like Mac M1) where
the Mach absolute time ticks do not correspond directly to
nanoseconds. Previously, we computed our shift value wrong, which
led us to give incorrect timing results. Fixes bug 40684; bugfix
on 0.3.3.1-alpha.
o Major bugfixes (relay):
- Improve security of our DNS cache by randomly clipping the TTL
value. TROVE-2021-009. Fixes bug 40674; bugfix on 0.3.5.1-alpha.
o Minor feature (Mac and iOS build):
- Change how combine_libs works on Darwin like platforms to make
sure we don't include any `__.SYMDEF` and `__.SYMDEF SORTED`
symbols on the archive before we repack and run ${RANLIB} on the
archive. This fixes a build issue with recent Xcode versions on
Mac Silicon and iOS. Closes ticket 40683.
o Minor feature (metrics):
- Add various congestion control counters to the MetricsPort. Closes
ticket 40708.
o Minor feature (performance):
- Bump the maximum amount of CPU that can be used from 16 to 128. Note
that NumCPUs torrc option overrides this hardcoded maximum. Fixes bug
40703; bugfix on 0.3.5.1-alpha.
o Minor feature (relay):
- Make an hardcoded value for the maximum of per CPU tasks into a
consensus parameter.
- Two new consensus parameters are added to control the wait time in
queue of the onionskins. One of them is the torrc
MaxOnionQueueDelay options which supersedes the consensus
parameter. Closes ticket 40704.
o Minor feature (relay, DoS):
- Apply circuit creation anti-DoS defenses if the outbound circuit
max cell queue size is reached too many times. This introduces two
new consensus parameters to control the queue size limit and
number of times allowed to go over that limit. Closes ticket 40680.
o Minor feature (relay, metrics):
- Add DoS defenses counter to MetricsPort.
- Add congestion control RTT reset counter to MetricsPort.
- Add counters to the MetricsPort how many connections, per type,
are currently opened and how many were created.
- Add relay flags from the consensus to the MetricsPort.
- Add total number of opened circuits to MetricsPort.
- Add total number of streams seen by an Exit to the MetricsPort.
- Add traffic stats as in number of read/written bytes in total.
- Related to ticket 40194.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on November 10, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/11/10.
o Minor bugfixes (authorities, sandbox):
- Allow to write file my-consensus-<flavor-name> to disk when
sandbox is activated. Fixes bug 40663; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (dirauth):
- Directory authorities stop voting a consensus "Measured" weight
for relays with the Authority flag. Now these relays will be
considered unmeasured, which should reserve their bandwidth for
their dir auth role and minimize distractions from other roles. In
place of the "Measured" weight, they now include a
"MeasuredButAuthority" weight (not used by anything) so the
bandwidth authority's opinion on this relay can be recorded for
posterity. Lastly, remove the AuthDirDontVoteOnDirAuthBandwidth
torrc option which never worked right. Fixes bugs 40698 and 40700;
bugfix on 0.4.7.2-alpha.
o Minor bugfixes (onion service client):
- A collapsing onion service circuit should be seen as an
"unreachable" error so it can be retried. Fixes bug 40692; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (onion service):
- Make the service retry a rendezvous if the circuit is being
repurposed for measurements. Fixes bug 40696; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (relay overload statistics):
- Count total create cells vs dropped create cells properly, when
assessing if our fraction of dropped cells is too high. We only
count non-client circuits in the denominator, but we would include
client circuits in the numerator, leading to surprising log lines
claiming that we had dropped more than 100% of incoming create
cells. Fixes bug 40673; bugfix on 0.4.7.1-alpha.
o Code simplification and refactoring (bridges):
- Remove unused code related to ExtPort connection ID. Fixes bug
40648; bugfix on 0.3.5.1-alpha.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Now that we're packaging flent itself, there's no reason to have a
completely separate flent-tools package. So integrate the flent-tools
package specification into the main flent package so it's always kept in
sync.
Also add a dependency from flent itself on flent-tools, as the shell
versions of those utilities that Flent uses when running tests doesn't work
on the busybox shell included with openwrt.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Update the Flent package and move it to net/, renaming it to just 'flent'
instead of python3-flent (it's not a library, having the python3- prefix
makes no sense). Also add python3-defusedxml as a dependency to protect
against XML bombs if using the one of the backends that use XML-RPC, and
trim the dependencies to those used directly by Flent.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Traditionally, Snort rules are based upon packet analysis. OpenAppID
enables detection of applications/cloud applications on the network.
This package provides OpenAppID and signature files used by OpenAppID to detect
network traffic from certain applications can be used to identify rogue
application use, detect malicious applications and implement various
application policies, such as application blacklisting, limiting application
usage, and enforcing conditional controls.
To use, for example, edit /etc/snort/local.lua and add the following section
at a minimum:
appid = {
app_detector_dir = '/usr/lib/openappid',
log_stats = true,
app_stats_period = 60,
}
Signed-off-by: John Audia <therealgraysky@proton.me>
The haproxy hotplug script creates a 'combined' certificate bundle that
contains both the certificate chain and the private key. However, having a
daemon hotplug script write into CERT_DIR is not great; so let's provide
the bundle as part of the main acme framework, keeping it in $domain_dir
and just linking it into CERT_DIR. That way we can keep CERT_DIR as just a
collection of links for everything, that no consumers should need to write
into.
Also make sure to set the umask correctly so the combined file is not
world-readable (since it contains the private key).
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
The acme-acmesh package hardcoded the certificate path in its hook script.
Now that we export it as a variable we can avoid hard-coding and use the
variable version instead. Also factor out the linking of certificates into
a function so it's not repeated.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
The contract between the acme-common framework and consumers and hook
scripts is that certificates can be consumed from /etc/ssl/acme and that
web challenges are stored in /var/run/acme/challenge. Make this explicit by
exporting $CERT_DIR and $CHALLENGE_DIR as environment variables as well,
instead of having knowledge of those paths depend on out-of-band
information. We already exported $challenge_dir, but let's change it to
upper-case to make it clear that it's not a user configuration variable.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
state_dir is actually a hardcoded value in conffiles. Allowing users to
customize it could result in losing certificates after upgrading if they
don't also specify the dir as being preserved. We shouldn't default to
this dangerous behavior.
With the new ACME package, certificates live in the standard location
/etc/ssl/acme, users who need to do certificate customizations should
look for them in that dir instead.
Signed-off-by: Glen Huang <i@glenhuang.com>
Replace my own patch with the upstream solution, which they issued
in response to my bug report.
(Two patches as they overlooked something on the first try.
Reference to https://savannah.gnu.org/bugs/index.php?63431 )
The nettle lib evaluation is now conditional to not having "--disable-ntlm".
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
- Improved logging
- Log the executed curl command to be able to rerun and test it manually
- Log the curl exit status
- Added 30 second timeout timeout for clear-cut detection of flaky connections.
Signed-off-by: Pyry Kontio <pyry.kontio@drasa.eu>
The implementation uses a GCP service account. The user is expected to
create and secure a service account and generate a private key. The
"password" field can contain the key inline or be a file path pointing
to the key file on the router.
The GCP project name and Cloud DNS ManagedZone must also be provided.
These are taken as form-urlencoded key-value pairs in param_enc. The TTL
can optionally be supplied in param_opt.
Signed-off-by: Chris Barrick <chrisbarrick@google.com>
Fix the indentation of the preinst/postinst scripts for the privoxy
package.
Because these scripts didn't start with `#!/bin/sh`
(they instead started with the TAB character), `/bin/sh` was not used
to start them.
On x86_64 and i386_pentium-mmx, this seems to be fine, but on
arm_cortex-a15_neon-vfpv4 and aarch64_cortex-a53, running these
scripts fails with a:
```
Installing privoxy (3.0.33-3) to root...
Collected errors:
* pkg_run_script: package "privoxy" preinst script returned status 1.
* preinst_configure: Aborting installation of privoxy.
* opkg_install_cmd: Cannot install package privoxy.
```
Reported-by: Marius Dinu <m95d+git@psihoexpert.ro>
Signed-off-by: Alois Klink <alois@aloisklink.com>
* add mdns records for started instances
* Makefile: use $(PKG_VERSION) as a value for PKG_SOURCE_DATE instead of
hard-coding it
Signed-off-by: Stan Grishin <stangri@melmac.ca>
This commit adds /etc/snort/local.lua and /etc/snort/homenet.lua for user
defined config options which is more simplistic than modifying upstream
files directly. That can be tedious and decisive to maintain in sync with
upstream changes. The init script has been adjusted accordingly.
Acknowledgment to amish who maintains the Arch Linux snort-nfqueue package[1]
for these ideas and initial code.
Another modification is dropping the following args in the call to
/usr/bin/snort by the init system as these options are provided in
/etc/snort/local.lua:
* --daq-dir /usr/lib/daq/
* -A "$alert_module"
Instructions to configure snort3:
1. Edit /etc/snort/homenet.lua and redefine HOME_NET and EXTERNAL_NET, for example:
HOME_NET = [[ 10.9.8.0/24 192.168.1.0/24 ]]
EXTERNAL_NET = "!$HOME_NET"
2. Edit /etc/snort/local.lua to setup options unique to your use case of snort.
The default ones I included should be sane for the role of IDS (alert only),
but users may easily uncomment some options therein to use IPS (drop) mode.
3. Install or symlink rules to /etc/snort/rules/snort.rules and optionally
edit /etc/snort/local.lua to define extra rules files if not using a unified
'snort.rules'
References:
1. https://aur.archlinux.org/packages/snort-nfqueue
Signed-off-by: John Audia <therealgraysky@proton.me>
The original idea of the extra namespace variable was to set up
bpfcountd from other daemons etc. independent of what a user configured
in /etc/config/bpfcountd for instance. Like:
$ UCI_CONFIG_DIR=/var/run/bpfcountd/gluon-config \
/etc/init.d/bpfcountd start "" gluon
However there are still issues with this approach:
1) Instance specific stop calls like:
$ /etc/init.d/bpfcountd stop <instance-name> <namespace>"
will not stop the according namespaced instance, as the stop() in
/etc/rc.common will call procd_kill() without the namespace prefix.
And we can't overwrite that behaviour. And asking a user to use
"... start <in> <ns>" and "... stop <ns>.<in>" is confusing.
(and currently "... stop <ns>.<in>" would not remove the correct
unix socket).
2) A stop call without an instance/config name would always stop all
instances. So the namespace variable would be ignored.
While start without an instance "works", but:
3) It would stop any process that is not in the currently selected
UCI_CONFIG_DIR.
As all this is not easily fixable without changing OpenWrt internals,
just remove the whole namespace idea for now.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Had to add a patch to allow builds of targets containing '+' in their dir name
Build system: x86_64
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B
Signed-off-by: John Audia <therealgraysky@proton.me>
NATMap is a program for opening port behind full cone NAT (NAT-1),
without the need for using UPnP or another port forward settings.
More details can be found at original repo: https://github.com/heiher/natmap
Signed-off-by: Richard Yu <yurichard3839@gmail.com>
Changes in version v2.4.1 - 2022-12-01
- Issue 40224: Bug fix in utls roundtripper
Changes in version v2.4.0 - 2022-11-29
- Fix proxy command line help output
- Issue 40123: Reduce multicast DNS candidates
- Add ICE ephemeral ports range setting
- Reformat using Go 1.19
- Update CI tests to include latest and minimum Go versions
- Issue 40184: Use fixed unit for bandwidth logging
- Update gorilla/websocket to v1.5.0
- Issue 40175: Server performance improvements
- Issue 40183: Change snowflake proxy log verbosity
- Issue 40117: Display proxy NAT type in logs
- Issue 40198: Add a `orport-srcaddr` server transport option
- Add gofmt output to CI test
- Issue 40185: Change bandwidth type from int to int64 to prevent overflow
- Add version output support to snowflake
- Issue 40229: Change regexes for ipv6 addresses to catch url-encoded addresses
- Issue 40220: Close stale connections in standalone proxy
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* The makefile produces the nft and iptables capable `pbr` package
and the `pbr-iptables` package for legacy setups
* This replaces `vpnbypass` and `vpn-policy-routing` packages
* I'm soliciting feedback on this package and my intention is to
update the version to 1.0.0 before this is merged, but I need the
feedback on this and luci-app-pbr before then.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
bpfcountd was created to obtain packet statistics in larger networks
without stressing the cpu resources. bpfcountd will count the amount
of packages and bytes over time (for each defined rule). The rules
are defined using the tcpdump filter syntax (bpf). The collected
data is provided on a unix socket in plaintext.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Maintainer: @neheb (find it by checking history of the package Makefile)
Compile tested: aarch64/ipq8074
Run tested: aarch64/ipq8074
Description: stubby: bump to latest 0.4.2
Signed-off-by: Rudy Andram <rmandrad@gmail.com>
* store all error/warning messages with the error text id so that
they can be made localizable for the luci app
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Update wget to 1.21.3
* Remove patch 100-fix-hsts-time.patch as upstream has issued
its own version on the fixes
* Add a hack (and fixup autoreconf) to fix an upstream bug that
forces the nettle library into nossl even if NTLM is disabled.
Upstream bug filed: https://savannah.gnu.org/bugs/?63431
* Remove old maintainer who has not been active
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
* instead of doing stop/start which involves restarting dnsmasq twice,
kill the existing service instances on restart instead
Signed-off-by: Stan Grishin <stangri@melmac.ca>
It may take a long time waiting for a new tag, so backport these
important bug fixes for now.
While at it, added 3 new options provided by upstream, and deprecated
the usage of `$(AUTORELEASE)`.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
The github repository has been archived; the project is now hosted on
Codeberg. Update the PKG_SOURCE_URL accordingly.
Gitea doesn't seem to add a version suffix to the directory in the
tarball, so use a custom PKG_BUILD_DIR.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* introduce the new curl_max_file_size option
* prevent warnings/errors to be displayed each time the load_environment
is invoked
* better organize dl_command appendixes
* implement support for downloading/using external dnsmasq config file
* refactor adb_check and adb_allow for better readability
* update default values for some options in the uci_load_validate call
* update reload trigger to include curl options
Signed-off-by: Stan Grishin <stangri@melmac.ca>
This adds the missing protocol (e.g. /tcp and /udp) to the entry in
/etc/services. If the entry already exists, it will add the /tcp to it.
Otherwise, it will look and add the tcp and udp entries if either is
missing.
fixes: openwrt#19665
Signed-off-by: Josh Powers <powersj@fastmail.com>
Switch to git tarball as the meson files did not get added to the
official one.
Backport busybox style binaries. Saves on size.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* update default config file to list options alphabetically
* rearrange some of the init script code to support transition
of WebUI to javascript
* rename wan6_trigger to procd_trigger_wan6 for readability
Signed-off-by: Stan Grishin <stangri@melmac.ca>
In some situations you need to set the compress param without an
algorithm. Compression will be turned off, but the packet framing for
compression will still be enabled, allowing a different setting to be
pushed later.
As it is not possible to have options with optional values at the
moment, I've introduced a pseudo value "frames_only" which will be
removed in the init script.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* update to 7.86.0: https://curl.se/changes.html#7_86_0
* remove 300-curl-wolfssl.m4-error-out-if-wolfSSL-is-not-usable.patch as
it was fixed upstream: https://github.com/curl/curl/pull/9682
* update configure options for OpenSSL as --without-ssl is breaking build
* remove --without-libidn configure arg as it's no longer recognized
Signed-off-by: Stan Grishin <stangri@melmac.ca>
The newest master branch has important fixes. However, no new release is
published [0]. Switch to git and update to latest master commit.
This introduces new version scheme by using YYYY-MM-DD of the commit.
In addition, add necessary "PKG_FIXUP" and "PKG_REMOVE_FILES" to allow
compile the new version. Also add enable "PKG_BUILD_PARALLEL".
Further, use a pidfile and remove outdated patches.
https://github.com/sleinen/samplicator/issues/73
Signed-off-by: Nick Hainke <vincent@systemli.org>
* rename wan6_trigger to procd_trigger_wan6
* rename update_dnsmasq_config to dnsmasq_config_update
* add the uci-defaults file to run sed on config file
* update Makefile to include uci-defaults file
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Changes to time_t cause SIGSEGV error on 32bit system and cause ripe
atlas malfunction. (registration successful but no traffic)
Also introduce minor patch to fix some compilation warning.
While at it move PKG_RELEASE to AUTORELEASE macro.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* add patches/020-cmakelists-add-version.patch (thanks @baranyaib90)
to add version information to the binary and fix https://github.com/aarond10/https_dns_proxy/issues/149
* modify Makefile to add version information for the binary
* rename patches/010-fix-cmakelists.patch for better readability
* revert back to service restart in WAN/WAN6 trigger
* update test.sh to test both init script and binary versions
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* bugfix: properly restore empty server config for dnsmasq (to
address issue brought up in https://github.com/stangri/source.openwrt.melmac.net/pull/162)
* better handling of non-existant wan/wan6 interface for triggers
* add resolver url to ubus data for future-proofing WebUI js move
Signed-off-by: Stan Grishin <stangri@melmac.ca>
acme.sh by default use public DNS resolvers to check if TXT record was
correctly added when using DNS-01. This can be undesirable in a private
environment where the DNS server is not publicly accessible.
This option allows bypassing such check and simply waiting for a
specific length of time for the TXT record to take effect.
Signed-off-by: Glen Huang <i@glenhuang.com>
Directly calling `/etc/init.d/<service> reload` in a hotplug script can
inadvertently start a stopped service.
Signed-off-by: Glen Huang <i@glenhuang.com>
iputils-ping6 was a subpackage of the iputils package providing the
ping4 and ping6 command before iputils was moved from core to packages.
Currently ping4 and ping6 are replaced by ping -4/-6 and compatibility
symlinks are only installed when explicitly told so with an option, but
the functionality is always provided by iputils-ping.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
* When $wan/$wan6 are empty but double-quoted, it leads to creation
of an interface trigger with empty interface
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* fixed broken/blocked oisd download links (switched to the official github mirror)
* made sure that curl error out on http errors as well
* removed obsolete compatibility stuff from init script
Signed-off-by: Dirk Brenken <dev@brenken.org>
* bugfix: canary domains persistence (as described in
https://forum.openwrt.org/t/https-dns-proxy-canary-domain-persistance/139967)
* minor: remove global variables and make them local in
service_start/service_stop/service_triggers
* minor: split DEFAULT_BOOTSTRAP into BOOTSTRAP_CF and BOOTSTRAP_GOOGLE for
better code readability
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Exit directly will result procd service inactive and uci
configuration changes are no longer monitored.
Reported-by: Lvc Revincx <revincx233@gmail.com>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
So that the busybox configuration does not have to be adapted, the
dependency has been changed to coreutils-timeout, which provides the
same functionality.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* made the reporting/top statistics flexible, see "top_count" parm in CLI or in LuCI (default 10), fixes#19622
* added the new blocklist source cpbl (provided by PascalCoffeeLake@gmail.com)
* added/separated Easylist/Easyprivacy blocklist sources (provided by PascalCoffeeLake@gmail.com)
* added reg_jp blocklist_source (provided by PascalCoffeeLake@gmail.com)
* removed the easylist addons from the other regional lists
* removed the second/obsolete pl regional list and renamed the first one to "reg_pl"
* updated the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* make PKG_VERSION of the init script readonly to remove shellcheck
exception
* replace exit with return in the the procd scripts per:
https://github.com/openwrt/packages/pull/19617
* remove custom boot() function as it prevented creation of procd
firewall object on start on boot
* improve performance of allowing domains code
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Up to now on every interface down event a mwan3 disconnected event was
send. This is wrong because if the interface was never connected, then a
disconnected event should not get generated. This commit fixes this bug.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* upstream bugfix: Add a forgotten 'NULL' initialize for ca_info
if not manually set
* make init script PKG_VERSION variable readonly so that a
shellcheck excettion can be removed
* add procd interface trigger to 'wan6' if IPv6 wan interface name
cannot be obtained on start
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Adding perlbase-json-pp to samba4-libs dependencies was the wrong approach and caused
samba packages not to be offered by menuconfig. AFAIK perlbase-json-pp is a perl helper
to building samba4 and seems to be already included in perl/host so use that instead to
fix the menuconfig issues.
Signed-off-by: Andrew Sim <andrewsimz@gmail.com>
With the newer wget version, wget-nossl can not be compiled due to
missing library, so let's revert it.
Package wget-nossl is missing dependencies for the following libraries:
libnettle.so.8
This reverts commit 5075f5b701.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
This commit contains the following:
* Update binary to version 1.6.1
* Update README URLs in the Makefile to link OpenWrt-specific info
* Separate the binary, the init script and netifd script into 3 packages:
nebula, nebula-service and nebula-proto accordingly
* implement yml parser for init script to fetch variables from it
* add the netifd script for nebula protocol
* update test file to address all built packages
* make the PKG_VERSION variable of init/proto scripts readonly
Signed-off-by: Stan Grishin <stangri@melmac.ca>
add new package keepalived-sync to synchronize files and data
between master and backup node. The master node uses SSH over rsync
to send and the backup node will use inotifywatch to watch received files.
The master node can track rsync.sh script to send configuration file on
a backup node based on the vrrp_script configuration of the same script.
The backup node will have a keepalived-inotify service, which would watch
for newly received files and it would call hotplug event. Each service
can keep its respective script under the keepalived hotplug directory and
executes commands to stop, start service or update any config in real-time.
Whenever a switchover will happen, the backup node would have the latest
config and data files from the master node.
Hotplug events can be used to apply config when files are received.
Signed-off-by: Jaymin Patel <jem.patel@gmail.com>
tailscale version, tailscaled -version and the web UI reported the wrong
version number which doesn't cause any issues, but it can be confusing.
This is fixed by specifying the version in go ldflags similar to how
it's done in many other go packages and the official tailscale Dockerfile.
version.Long version can not be specified in GO_PKG_LDFLAGS_X because it
contains a space and GO_PKG_LDFLAGS_X is always split at a space.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
* ddns-scripts-services: provide ddns-scripts_service
* ddns-scripts-cloudflare: provide ddns-scripts_digitalocean.com-v2
* ddns-scripts-freedns: provide ddns-scripts_freedns_42_pl
* ddns-scripts-godaddy: provide ddns-scripts_godaddy.com-v1
* ddns-scripts-noip: provide ddns-scripts_no-ip_com
* ddns-scripts-nsupdate: provide ddns-scripts_nsupdate
* ddns-scripts-route53: provide ddns-scripts_route53-v1
* ddns-scripts-cnkuai: provide ddns-scripts_cnkuai_cn
https://github.com/openwrt/packages/pull/13509 renamed many ddns-scripts
packages, but didn't include a PROVIDES for the old package names to
make updates work well.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
When we explicitly declare, that we would like to have curl built with
wolfSSL support using `--with-wolfssl` configure option, then we should
make sure, that we either endup with curl having that support, or it
shouldn't be available at all, otherwise we risk, that we end up with
regressions like following:
configure:25299: checking for wolfSSL_Init in -lwolfssl
configure:25321: x86_64-openwrt-linux-musl-gcc -o conftest [snip]
In file included from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/dsa.h:33,
from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/asn_public.h:35,
from target-x86_64_musl/usr/include/wolfssl/ssl.h:35,
from conftest.c:47:
target-x86_64_musl/usr/include/wolfssl/wolfcrypt/integer.h:37:14: fatal error: wolfssl/wolfcrypt/sp_int.h: No such file or directory
#include <wolfssl/wolfcrypt/sp_int.h>
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
and in the end thus produce curl without https support:
curl: (1) Protocol "https" not supported or disabled in libcurl
So fix it, by making the working wolfSSL mandatory and error out in
configure step when that's not the case:
checking for wolfSSL_Init in -lwolfssl... no
configure: error: --with-wolfssl but wolfSSL was not found or doesn't work
References: #19005, #19547
Upstream-Status: Accepted [https://github.com/curl/curl/pull/9682]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
* update to upstream version 2022-08-12
* add ca_certs_file option for CA certs file for curl
* add procd_add_interface_trigger for wan6 (hopefully fixes
https://github.com/openwrt/packages/issues/19531)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
There are many places in the packages' install recipes whith multiple
commands being executed in the same shell invocation, separated with a
semicolon (;). The return status will depend only on the last command
being run. The same thing happens in loops, where only the last file
will determine the result of the command.
Change the ';' to '&&', and exit the loop if any operation fails.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
There are six places pointing to files that do not exist any more:
- gns-import.sh in package gnunet-gns (dropped in v0.11.0)
- libgnunetdnsstub.so* in gnunet-vpn (integrated into util in v0.11.0)
- libgnunettun.so* in gnunet-vpn (integrated into util in v0.11.0)
- gnunet-service-ats-new in package gnunet (dropped in v0.12.0)
- libgnunetreclaimattribute.so.* (integrated into reclaim in v0.13.0)
- libgnunetabe.so.* in gnunet-reclaim (dropped in v0.17.2)
They were not noticed because their failing copy commands were part of
loops in which only the last operation had its exit status checked.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
According to the package's configure.ac, reclaimID OpenID Connect plugin
depends on jose. It is installed by the gnunet-rest plugin package:
libgnunnetrest_openid_connect.so.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* add setting to enable/disable blocking access to iCloud Private Relay resolvers
* add setting to enable/disable blocking access to Mozilla resolvers
* rename variables loaded from config in the init script
Signed-off-by: Stan Grishin <stangri@melmac.ca>
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.
So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages
using wolfSSL library.
Same bump has been done in buildroot in commit f1b7e1434f66 ("treewide:
fix security issues by bumping all packages using libwolfssl").
Signed-off-by: Petr Štetiar <ynezz@true.cz>
* fix bug in download_lists and adb_allow to prevent unintended exclisions from
the block-lists of domains containing allowed domain. Fixes issue:
https://github.com/stangri/source.openwrt.melmac.net/issues/160
* add support for returning NXDOMAIN/blocking iCloud & Mozilla canary domains,
disabled by default
Signed-off-by: Stan Grishin <stangri@melmac.ca>
It was a bit confusing to use *verbosity* level for Dry Run mode. Add
explicity switch for it and designed DRY_RUN variable to make code
easier to understand.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rename variable to make code easier to understand. This variable
specifies how many times in row ddns script tried to update IP without a
success.
Previous name ("ERR_UPDATE") didn't suggest it was for counting
anything. It also didn't specify was error was it related to.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Local suggests something related to the local network or available
locally only. All that code related to the "local" IP was actually
dealing with *current* device external IP address. Using name "current"
should make code a bit easier to understand.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rename variable to make code easier to understand. This variable
specifies how many times ddns script should try to send a request.
Previous name ("retry_count") suggested it was for *counting* attempts.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Section 'Persistence' in 'luci-app-mosquitto' is unusable without 'persistence'
section in config file.
Signed-off-by: Ptilopsis Leucotis <PtilopsisLeucotis@yandex.com>
* remove obsolete block-lists from config
* add removal of obsolete lists to config-update
* add AdGuard team's block-list to config
* improve allow command
* improve nftset support
* move config load to uci_load_validate, which required some code refactoring which
looks dramatic, but isn't
* always use dnsmasq_restart instead of dnsmasq_hup for all dns resolution options
for dnsmasq
Signed-off-by: Stan Grishin <stangri@melmac.ca>
snowflake-proxy doesn't write any files
=> run in read-only rootfs environment
the process needs to read SSL certs but no other files
=> only exposed path is /etc/ssl/certificates (read-only)
running as unpriviledged user with no additional capabilities
=> set no-new-privs bit
By default procd-ujail also isolates the process by executing it in
a separate new IPC and PID namespace.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Package Tor's Snowflake system components so users can offer e.g.
a standalone Snowflake proxy on their routers or other devices.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Gatling is a high-performance webserver from fefe. It gives a
fairly decent feature-set at really small size. And its fast.
Co-authored-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Signed-off-by: Martin Hübner <martin.hubner@web.de>
mausezahn is a multicast traffic generator which is part of the
netsniff-ng sources. This utility is needed for the upcoming
kernel-selftests-net-forwarding package. Add a new package for it.
netsniff-ng will automatically detect all installed dependencies and
build only the utilities whose dependencies are installed (meaning:
mausezahn is not build when for example libcli is not installed and
other tools are not build if for example zlib is missing). Depending
on the selected packages (netsniff-ng or mausezahn) the OpenWrt build
system has to trigger netsniff-ng's configure script, which will then
pick up and automatically build the programs (mausezahn, netsniff-ng,
trafgen, ...) for which all dependencies are installed.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
The new package would help measuring one-way delays using ICMP type 13
packets. This is important for various scripts that automatically adjust
CAKE shaper bandwidth based on the observed bufferbloat. They need to
understand whether the delay is on the way up or on the way down, so
that they can adjust the bandwidth of the proper part of the shaper.
https://forum.openwrt.org/t/cake-w-adaptive-bandwidth-historic/108848https://forum.openwrt.org/t/cake-w-adaptive-bandwidth/135379
V2: refreshed patches
Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
Fixes multiple security issues:
CVE-2022-38178 - Fix memory leak in EdDSA verify processing
CVE-2022-3080 - Fix serve-stale crash that could happen when
stale-answer-client-timeout was set to 0 and there was
a stale CNAME in the cache for an incoming query
CVE-2022-2906 - Fix memory leaks in the DH code when using OpenSSL 3.0.0
and later versions. The openssldh_compare(),
openssldh_paramcompare(), and openssldh_todns()
functions were affected
CVE-2022-2881 - When an HTTP connection was reused to get
statistics from the stats channel, and zlib
compression was in use, each successive
response sent larger and larger blocks of memory,
potentially reading past the end of the allocated
buffer
CVE-2022-2795 - Prevent excessive resource use while processing large
delegations
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
This version better decodes SSID names which contain emoji, control
characters, and other non-ascii characters.
https://github.com/awilliams/wifi-presence/pull/8
Signed-off-by: Adam Williams <pwnfactory@gmail.com>
Update the mdio-netlink kmod and userspace mdio-tools to version 1.2.0.
This allows dropping the time64 musl patch which was upstreamed.
[v1.2.0] - 2022-09-15
---------------------
- mdio: A new addressing mode "mmd-c22": Used to access MMDs attached
to MDIO controllers without Clause 45 support by using registers 13
and 14 in the device's Clause 22 register space
- mdio: Pretty print gigabit link capability information from a PHY's
extended status register
- mdio: Pretty print lots of status information from MMDs (C45 PHYs)
- mvls: Decode priority override information of ATU entries
- mvls: Table listings now always prints out the device information,
even on single chip systems.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Use an upstream commit to ensure time_t is defined in upsclient.h,
fixing a compile failure in collectd.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Add --without-linux-i2c to configure arguments to avoid using i2c if
found in the staging dir.
Switch to AUTORELEASE.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
- enable json by default to generate json stats
- add rpc to generate json status
- add kmod-nf-ipvs dependencies for virtual servers
- set default vip labels on virtual interfaces
- set process name for keepalived child processes
Signed-off-by: Jaymin Patel <jem.patel@gmail.com>
In the Makefile the library installation was accidentally called
"Package/iperf3/install" and not "Package/libiperf3/install". Fix this
typo. Thanks to Hartmut spotting this.
Also the iperf3-ssl does not need to depend on libiperf3.
Fixes ae48be8e21 ("iperf3: add shared libiperf library and link iperf3 dynamically")
Signed-off-by: Nick Hainke <vincent@systemli.org>
The metrics and weight need to be the same. A 50% balanced would be
require member policies of the same metric and weight value.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Add library for creating own functions with iperf3 functionality.
Example: https://github.com/esnet/iperf/blob/master/examples/mis.c
This library is needed by python3-iperf3.
Build iperf3 binary with dynamically linked libiperf3. However, still
build iperf3-ssl as static binary due to a lack of shipping two libiperf
versions.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Re-mount '$config_file' inside the '$config_dir' will cause aria2 process unable to start.
Signed-off-by: Naraku J <74468372+Narakuku@users.noreply.github.com>
* some more cleanups, forgotten with the last update
* optimized unbound syntax ('always_nxdomain' & 'always_transparent')
* optimized oisd download sources (use wilcard variants which are much smaller)
* removed superfluous version information/function
Signed-off-by: Dirk Brenken <dev@brenken.org>
-- Release Message Snippet https://networkupstools.org/ --
After a long and windy trip since the last official release v2.7.4 half
a dozen years ago ... NUT v2.8.0! ... the new release includes numerous
new drivers, sub-drivers, protocols and bug-fixes, with many companies
and individuals chipping in with contributions of code. ...
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
* dnsmasq upstream has changed the code for domain handling
and recommends the 'local' syntax for large blocklists
* remove pipefail command, see #19043 for reference
* removed the unused 'adb_dnsinotify' parameter
* removed the 'adb_maxqueue' parameter,
the queue size will be automatically set by the number of cpu cores
* various cleanups, mostly shellcheck related
Signed-off-by: Dirk Brenken <dev@brenken.org>
This package uses the macro
AC_PROG_LEX(yywrap)
which in new versions of GNU Autoconf
specifically looks for the yywrap function in the libraries,
and considers lex/flex not present if the function is not found.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Project V is a set of network tools that help you to build your own computer network.
It secures your network connections and thus protects your privacy.
For more details, see https://www.v2fly.org/en_US/guide/faq.html
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Beware that switching to the new major version 0.17.x results in
incompatibility with clients still running 0.16.x.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(LoRa) Basicstation is an implementation of a LoRa packet forwarder and is
intended to be run on the host of a LoRa-based gateway. Basicstation forwards
RF packets recieved by a concentrator to a LoRaWAN network server (LNS).
It also transmits RF packets received from the LNS to one or multiple LoRa
end devices. Further information: https://lora-developers.semtech.com/build/
software/lora-basics/lora-basics-for-gateways
Signed-off-by: Marcus Schref <mschref@web.de>
- Bump to the latest Git version in order to increase the package version
for simpler opkg upgrade of the broken version
- (Re-)Introduce PKG_RELEASE into the package, omitting it may lead to
opkg segmentation faults under certain circumstances
- Utilize automatic include hooks to drop the isolated miniupnpd table
in favor to chains within the main inet fw4 table, otherwise PCP is
unreliable as the upnp table might accept traffic which is later
rejected by fw4
- Install a fw4 script hook to restart miniupnpd on fw4 restarts and
reloads in order to repopulate the upnp chains with forward rules
- Register the used miniupnpd configuration file and the firewall uci
configuration as change sources, otherwise `/etc/init.d/miniupnpd reload`
has no effect if the firewall or upnpd config was changed
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default
is to disable engine support as engine support is deprecated. For ath79 architecture
build with autodetection engine support fails, so explicitly set off for now.
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Update the package to a commit that fixes an issue with removing PCP
mappings from nftables.
This also allows us to fix the nftables miniupnpd implementation on
openwrt.
In this new implementation, a table is created at the start of miniupnpd
and it is dedicated to miniupnpd with a priority above the firewall4
table. This allows miniupnpd to go ahead of the drop rules of firewall4
and forward traffic as needed. There was the possibility of adding a
chain inside the firewall4 table, but this would raise an issue where
if firewall4 was reloaded the port forwardings would be lost and
miniupnpd could be out of sync. When miniupnpd is stopped the table is
deleted, taking the port forwardings with it.
Some of this commit is based of msylgj's work, mainly the logic of the
init/hotplug scripts and the makefile build parameters.
Signed-off-by: ZiMing Mo <msylgj@immortalwrt.org>
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
Always use pthread_mutexattr_settype() the
pthread_mutexattr_setkind_np() function is not available in the
glibc and musl version used by OpenWrt.
This fixes the following compile error:
arc-openwrt-linux-gnu/bin/ld: gnunet_fuse-mutex.o: in function `GNUNET_mutex_create':
mutex.c:(.text+0x14): undefined reference to `pthread_mutexattr_setkind_np'
arc-openwrt-linux-gnu/bin/ld: mutex.c:(.text+0x14): undefined reference to `pthread_mutexattr_setkind_np'
arc-openwrt-linux-gnu/bin/ld: mutex.c:(.text+0x76): undefined reference to `pthread_mutexattr_setkind_np'
arc-openwrt-linux-gnu/bin/ld: mutex.c:(.text+0x76): undefined reference to `pthread_mutexattr_setkind_np'
collect2: error: ld returned 1 exit status
This patch was taken from:
https://aur.archlinux.org/cgit/aur.git/plain/pthread_mutexattr_settype.patch?h=gnunet-fuse
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Add a patch which removes a call in Libxml2Parser.cc to 'xmlSetFeature'.
This function belongs to the 'depreciated' API part and is not
available in OpenWrt builds.
According to my understanding, this call can be removed safely since
it disables the feature "substitute entities" which is disabled by default.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
The _init() function collides with a _init() function in crti.o.
This results in the following error in OpenWrt:
arc-openwrt-linux-gnu/bin/ld: libxt_coova.o: in function `_init':
/lib/gcc/arc-openwrt-linux-gnu/11.3.0/crti.o:(.init+0x4): first defined here
collect2: error: ld returned 1 exit status
make[7]: *** [Makefile:22: libxt_coova.so] Error 1
Fix this by suing a constructor attribute instead. This function will
still be called after the shared library was loaded.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* vpn support can be disabled (enabled by default), fixes#19107 (see trm_vpn option)
* vpn support can be limited to certain interfaces (see trm_vpnifacelist list option)
* openvpn support works now per instance (same as wireguard today)
* add an auto-login script for tplink-omada hotspots provided by Sebastian Muszynski <basti@linkt.de>
* remove pipefail command, see #19043 for reference
Signed-off-by: Dirk Brenken <dev@brenken.org>
* Update maintainer's email address
* Style Make and init file to OpenWrt standard
* Rename dnsmasq and unbound-related variables to better reflect
their use
* New 'allow' CLI parameter to quickly unblock domain(s)
* Switch to uci wrappers
* Beautify the output of the 'check' CLI parameter
* Better handling of output files directory creation error
* Support for (upcoming) dnsmasq nftsets
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Enabling fast sampling to support four digit (e.g., 1.0000) precision in reports' timestamps. Useful for sub-millisecond sampling.
Changelog: https://sourceforge.net/p/iperf2/code/ci/2-1-8/tree/README
Signed-off-by: Alberto Martinez-Alvarez <amteza@gmail.com>
Maintainer: @nbd168
Compile tested: ath79, ramips, bcm27xx
The original PR for this change is #16373, where it's cleary stated it
doesn't work. This should have never been merged. It causes the
following recursive dependency:
tmp/.config-package.in:122354:error: recursive dependency detected!
tmp/.config-package.in:122354: symbol PACKAGE_strongswan-default depends on PACKAGE_strongswan-mod-socket-default
tmp/.config-package.in:123534: symbol PACKAGE_strongswan-mod-socket-default is selected by PACKAGE_strongswan-default
This reverts commit 603f70e96b.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
With the new OW release approaching, it might be better to get an officially
tagged upstream release in as PR#19087 just contained a fix for CVE-2022-29154
which itself introduced a few bugs.
Signed-off-by: John Audia <therealgraysky@proton.me>
The rsync package is vulnerable to CVE-2022-29154[1], which is not yet in a
non-preview release. This commit applies the upstream commit to fix it and
several subsequent commits needed to fix bugs the initial fix introduced[2].
1. https://rsync.samba.org/ftp/rsync/NEWS#SECURITY_FIXES-3.2.5
2. https://bugs.archlinux.org/task/75558
Signed-off-by: John Audia <therealgraysky@proton.me>
One of common use cases for SMB3 server in routers is sharing hotplugged
drives. Users make many attempts setting that up which often are not
optimal.
This script handles it in the cleanest way by using:
1. hotplug.d mount subsystem
2. runtime config in the /var/run/config/
It provides a working basic solution that can be later adjusted by
modifying provided hotplug script.
A pretty much idential solution was part of the samba36 package. It was
added in the OpenWrt commit ef1efa756e0d0 ("samba36: add package with
hotplug.d script for auto sharing") as an answer for feature required by
the Rosinson company.
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Dynamically created shares shouldn't be stored in the /etc/config/
because of:
1. Flash wearing
2. Risk of inconsistent state on reboots
With this change all automation/hotplug.d scripts can store runtime in
the /var/run/config/samba. It's useful e.g. for USB drives that user
wants to be automatically shared.
Also: automated scripts should never call "uci [foo] commit" as that
could flush incomplete config. This problem also gets solved.
Identical feature was added to samba36 in the OpenWrt commit
5a59e2c059866 ("samba36: append config from /var/run/config/ for runtime
shares") but wasn't ported to ksmbd until now.
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Remove nft rules file generated by ss-rules if ss-rules was or should be
turned off for by configuration. Use "fw4 restart" instead of "fw4
reload" to force the runtime rule reloading
Ref: https://github.com/openwrt/packages/pull/17937#issuecomment-1207357037
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Allow connection via a proxy server (required on some sites where
direct outbound HTTP(S) access is not permitted).
Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>
- add package apinger-rrd for RRD graphs
- add RPC to get an overview and update graphs
- fix interface hotplug to restart apinger instance
- add patch to split alarms list in the status
Signed-off-by: Jaymin Patel <jem.patel@gmail.com>
The decision to switch the default to wolfSSL was taken because of
hostapd back from when curl was in base. Unfortunately, not only is
wolfSSL bigger but it has also been causing issues recently. There's
also no relation between hostapd and curl.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
bb362db datastorage: fix ap_array_unlink_entry always returns NULL
47e98ef network: ping pong keepalive for tcp connections
eba0354 network: add timeout for client connections
In the dawn config the con_timeout needs to be added:
option con_timeout '60'
Signed-off-by: Nick Hainke <vincent@systemli.org>
The update fixes GCC-10 (or newer) builds. Remove 010-uclibc.patch as it
has been applied upstream in this new version.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Global Socket allows two workstations on different private networks to
communicate with each other. Through firewalls and through NAT - like
there is no firewall.
The TCP connection is secured with AES-256 and using OpenSSL's SRP
protocol (RFC 5054). It does not require a PKI and has forward
secrecy and (optional) TOR support.
The gsocket tools derive temporary session keys and IDs and connect
two TCP pipes through the Global Socket Relay Network (GSRN). This is
done regardless and independent of the local IP Address or geographical
location.
The session keys (secrets) never leave the workstation. The GSRN sees only
the encrypted traffic.
The workhorse is 'gs-netcat' which opens a ssh-like interactive PTY
command shell to a remote workstation (which resides on a private and
remote network and/or behind a firewall).
Also added test.sh file to run test it inside containeer
Signed-off-by: Ralf Kaiser <skyper@thc.org>
- convert apinger into procd instances
- generate instance specific apinger.conf from uci
- hotplug handling for apinger alarms
- restart apinger interface instance on ifup action of interface
- don't exit on packet count mismatch, allows to use apinger as monitor
for multiple targets handling
- add srcip option to target configuration, allows specifying source ip
used to monitor target
- allow creating status file in script parseable format
Patches are ported against latest version of apinger and referenced from
https://git.pld-linux.org/?p=packages/apinger.git;a=summary
Signed-off-by: Jaymin Patel <jem.patel@gmail.com>
Usually, no other local service depends on the start of ser2net, so
let's start it later in the boot process.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
A network restart where netifd is cleanly restarted involves bringing
the network interfaces down. The 'modemmanager' protocol handler will
run a mmcli --simple-disconnect in this case, but only if there are
bearer objects found.
If the network restart happened *during* the connection attempt
procedure, while the modem is e.g. being registered in the network, no
bearer objects exist yet, and so, we would skip doing anything during
the interface teardown operation. This would lead to the original
connection attempt succeeding, so leaving the modem in ModemManager
in connected state, while the associated interface in netifd is
reported down.
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Kea expects /var/run/kea to exist. Without it, errors occur:
Mon Jun 13 10:31:45 2022 daemon.err kea-dhcp6[2977]: Unable to use interprocess sync lockfile (No such file or directory): /var/run/kea/logger_lockfile
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
From the changelog…
o Major bugfixes (congestion control, TROVE-2022-001):
- Fix a scenario where RTT estimation can become wedged, seriously
degrading congestion control performance on all circuits. This
impacts clients, onion services, and relays, and can be triggered
remotely by a malicious endpoint. Tracked as CVE-2022-33903. Fixes
bug 40626; bugfix on 0.4.7.5-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on June 17, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/06/17.
o Minor bugfixes (linux seccomp2 sandbox):
- Allow the rseq system call in the sandbox. This solves a crash
issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
40601; bugfix on 0.3.5.11.
o Minor bugfixes (logging):
- Demote a harmless warn log message about finding a second hop to
from warn level to info level, if we do not have enough
descriptors yet. Leave it at notice level for other cases. Fixes
bug 40603; bugfix on 0.4.7.1-alpha.
- Demote a notice log message about "Unexpected path length" to info
level. These cases seem to happen arbitrarily, and we likely will
never find all of them before the switch to arti. Fixes bug 40612;
bugfix on 0.4.7.5-alpha.
o Minor bugfixes (relay, logging):
- Demote a harmless XOFF log message to from notice level to info
level. Fixes bug 40620; bugfix on 0.4.7.5-alpha.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
- convert autossh into procd instances
- add new uci config options to handle local and remote
port forwarding
- remove hotplug down actions causing service to stop on
any interface down event
Signed-off-by: Jaymin Patel <jem.patel@gmail.com>
Remove upstreamed patches:
- 100-fix-setstacksize-for-glibc-2.34.patch
Refresh patches:
- 200-logdest-on-foreground.patch
Changes:
Misc:
- OpenSSL 3.0 compatibility
Bug Fixes:
- Fix refused startup with openssl <1.1
- Fix compiler issue for Fedora 33 on s390x
- Fix small memory leak in config parser
- Fix lazy certificate check when connecting to TLS servers
- Fix connect is aborted if first host in list has invalid certificate
- Fix setstacksize for glibc 2.34
- Fix system defaults/settings for TLS version not honored
Signed-off-by: Nick Hainke <vincent@systemli.org>
Maintainer: Tom Stöveken <tom@naaa.de>, Markus Weippert handed over, see: https://github.com/openwrt/packages/pull/18715#issuecomment-1153567619
Compile tested: SDK for OpenWrt 21.02.3
Run tested: x86/64, J&W Technologies I1171D001 Intel(R) Celeron(R) CPU N3160 @ 1.60GHz, OpenWrt 21.02.3
Description:
Updated to version 0.11.0
Added new configuration parameters
Signed-off-by: Tom Stöveken <tom@naaa.de>
luajit provides higher performance for requests handled in Lua hooks.
It also enables access to dnsdist functionality only exposed via FFI,
and allows configurations/hooks to call functions in any C library
without providing separate bindings.
Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>
- New major LTS release (https://www.mail-archive.com/haproxy@formilux.org/msg42371.html)
- Sadly, no QUIC/H3 support for now because the QuicTLS library - which is a fork of OpenSSL - would be needed. However, we do not have a package for that and I currently do not want to build and statically link it into the haproxy package
- Update haproxy download URL and hash
Signed-off-by: Christian Lachner <gladiac@gmail.com>
89d5d2e091 only patched importing
MutableMapping from collections, but importing Mapping has to be patched
too
Closes: #18681
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
1. Switched to use prebuilt web files to get rid of massive Node.js.
2. Increased nofile limitation to avoid "too many open files" error.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
mdio-tools have a app dedicated to reading Marvell Link Street switch
properties which is really usefull to not have to manually do it via
MDIO.
So, install the mvls binary as well.
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Update the mdio-netlink kmod and userspace mdio-tools to version 1.1.1.
mdio-tools required a musl time64 compatibility fix that I have an PR
open for already.
Changelog:
[v1.1.1] - 2022-05-23
---------------------
Tiny bugfix release.
- mdio: The bench operation is now much more reliable when stacked on
other devices than regular PHYs (e.g. paged PHYs or Marvell
switches).
- mvls: The STU can now be dumped chips from the Peridot generation.
[v1.1.0] - 2022-05-04
---------------------
A sprawling release, adding various mvls related introspection
features. mvls also gains a JSON output format.
- mvls: The STU can now be dumped (requires Linux 5.17 or later). This
is useful now that mv88e6xxx supports offloading of MST states
- mvls: Output can now be formatted as JSON for easier scripting
- mdio: mvls: A subset of MIB counters can now be dumped. This let's
you get at counters for DSA ports, which are not reachable from
ethtool
- mdio: mvls: The LAG mask and LAG map tables can now be dumped
- mdio: Improve usage message by including the examples from the
manual
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
This fixes "too many open files" error caused by max-file limitation
when xray processes large traffic.
Reported-by: Terry Ding <terryding77@gmail.com>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Major changes are:
Add support for Heimdal as the Kerberos 5 implementation.
Add smbd max io size parameter.
Accept global share options.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Previously it was using killall with procd respand enabled
This was causing yggdrasil to restart after being killed
root@r3test-hap:/# service yggdrasil stop ; echo $? ; sleep 10s ; ps | grep yggdrasil
Terminated
143
6701 root 653m S /usr/sbin/yggdrasil -useconffile /tmp/yggdrasil.conf
6748 root 1308 S grep yggdrasil
Now it's just using whatever procd is using and see there, it actually stops
root@r3test-hap:/# service yggdrasil stop ; echo $? ; sleep 10s ; ps | grep yggdrasil
0
6802 root 1308 S grep yggdrasil
I assume there was some procd bug that kept it from being used properly
Signed-off-by: Maciej Krüger <mkg20001@gmail.com>
According to David Woodhouse, OpenConnect has no issues reconnecting on any
interface. Make the host dependency optional, as it can cause issues in multiple
WAN scenarios.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
The --juniper switch has been deprecated in favour of --protocol=nc. Fix the
proto script thusly, while keeping compatibility with existing configurations.
Note that, as far as UCI is concerned, if both options juniper and vpn_protocol
are specified, the latter takes precedence.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Using resolveip is more robust and predictable than depending on nslookup and
awk.
This reverts commit 131ec7b3bd.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
banIP 0.7.x is not compatible with new nft firewall (default in master and 22.03).
Mark the package as BROKEN for now.
Signed-off-by: Dirk Brenken <dev@brenken.org>
Force restart stubby if any of the trigger interfaces goes up or down.
Avoids DoT DNS lookup timeouts when default route changes, in case of multiple
upstream interfaces.
Signed-off-by: Aleksandr V. Piskunov <aleksandr.v.piskunov@gmail.com>
This commit fixes two issues on macos:
1. Added a patch to fix 'echo -n' issue with MacOS shell
(backported from upstream)
2. Redefined sys.platform='linux' for target build if build host is
MacOS (otherwise, build script tries to use MacOS logic for
OpenWrt(Linux) target build)
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
Use nft instead of iptables to open port 80 in the firewall when getting a
cert. Since nft doesn't allow deleting a rule by its contents, capture and
save the handle when creating the rule, and use that to delete.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Backport a patch in order to allow building OpenConnect against OpenSSL 1.1.x
without the need for deprecated API (further fixes will be required for OpenSSL
3.x, though).
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
On systems using seccomp, the hostapd socket files will be owned by the
'network' user/group ([source][0]). In this case, if wifi-presence is
run as root/root, then it does not have permissions to open the
hostapd socket files. This was discussed in awilliams/wifi-presence#3.
This change allows the process user/group to be specified in
/etc/config/wifi-presence. If no explicit user/group is set, then the
init script will use the owner of the socket files in /var/run/hostapd/
to determine the appropriate process user/group.
[0]: ec6293febc/package/network/services/hostapd/files/wpad.init (L35-L36)
Signed-off-by: Adam Williams <pwnfactory@gmail.com>
softflowd can filter the traffic with an optional bpf program,
specified on the command-line as a BPF expression
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
1. Fixed init script would kill itself when trying to stop a service.
2. Upgrade privoxy release to 3.0.33
3. Set PKG_RELEASE to AUTORELEASE
Signed-off-by: He Xian <hexian000@outlook.com>
at least driver apcsmart-old (maybe more) allow for specifying the
type of cable used. My old UPS does will not function when cable type
is not specified.
This will add support for configuration option 'cable'
Signed-off-by: Rob J. Epping <epping@renf.us>
Now with basic support for the Array Networks SSL VPN protocol.
Also fix the OpenSSL build. OpenConnect requires support for deprecated APIs,
for the time being, so select them if compiling against OpenSSL.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
This adds support for the child SA to be rekeyed through the byte/packet
threshold. The default is blank (which disables the byte/packet thresholds).
Signed-off-by: Joel Low <joel@joelsplace.sg>
Otherwise it will fail as follows:
failed to find a module named mdio-netlink
ERROR: mdio-netlink module not detected, and could not be loaded.
Run-tested on: ramips/mt7621
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
To fix the errors:
Sun Apr 10 14:19:41 2022 daemon.err transmission-daemon[29831]: [2022-04-10 14:19:41.098] watchdir Failed to open directory "/mnt/sda1/openwrt/transmission/watch" (2): No such file or directory (watchdir.c:358)
and
Sun Apr 10 14:20:18 2022 daemon.err transmission-daemon[30175]: [2022-04-10 14:20:18.641] Couldn't create "/mnt/sda1/openwrt/transmission/incomplete": Permission denied (file-posix.c:243)
References:
- https://github.com/openwrt/packages/issues/17674
Signed-off-by: Alexander Egorenkov <egorenar-dev@posteo.net>
* add new 'hblock' compilation source (XL, see https://hblock.molinero.dev for reference)
* print runtime/date information in ISO-8601 standard format
* minor cleanups
Signed-off-by: Dirk Brenken <dev@brenken.org>
The dependency has a PACKAGE_uacme-ualpn condition so that libev won't
be unnecessarily built if uacme-ualpn is not selected.
Remove PKG_USE_MIPS16:=0, as it is not necessary when not using the
libev that is bundled with uacme.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
The default firewall is the fw4, which uses nft. In order to not
install the legacy implementation when installing strongswan, the build
system should decide which firewall backend to use.
While we are at it, I have also added the dependency packages for IPV6.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The host build is used to build kea-msg-compiler, which is only needed
when there are changes to .mes files. Since we're not making any changes
to such files, we do not need this.
As host build fails for Kea 2.0.2, and the git history for kea doesn't
contain any reasoning for enabling it, let's just drop it.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Using https://gitlab.freedesktop.org/mobile-broadband/ModemManager.git to download the source code.
Added compile option to compile qrtr support.
Enabled lto and additional gcc flags for perfomance and less size.
Modified to use meson as upstream has abandoned autotools.
Removed BUILD_PARALLEL options. These are default with ninja/meson.
Signed-off-by: Maxim Anisimov <maxim.anisimov.ua@gmail.com>
Adding libsctp adds IPV6 dependency to gensio, so this patch is
an attempt at working around that with the goal of getting rid of
the circular dependency error.
Signed-off-by: Nita Vesa <werecatf@outlook.com>
The updated version requires libgensio, libyaml and libpthread,
so those have been added accordingly to dependencies.
Also added arguments for the configure-script to always attempt
to build ser2net with the same settings, instead of leaving it
to guess, for consistency.
Signed-off-by: Nita Vesa <werecatf@outlook.com>
Let's move the iptables IPsec dependencies out of the strongswan package
and into the plugin package that actually depends on it,
strongswan-mod-updown. As the default updown script calls the iptables
binary, also add a dependency on the iptables-legacy package.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Change notes:
Updated Makefile package version and hash.
Added libpcre2 dependency
Removed USELIBPCRE make flag (no longer optional within sslh)
Updated patch 001 to work with new sslh Makefile
Signed-off-by: Martin Moreno <fett3270@yahoo.com>
Make sure /etc/gnunet and all its files and sub-directories are owned
by gnunet:gnunet. This is somehow necessary as file ownership otherwise
doesn't survive sysupgrade.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Enable AUTORELEASE in a separate commit so that the next commit can be
reverted without having to manually re-introduce it.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Only notable change since 0.14.0 is that pthread_mutexattr_setkind_np()
is now no longer used.
pthread_mutexattr_setkind_np() is deprecated and non-standard.
The standard version is called pthread_mutexattr_settype()
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This is a bugfix release for gnunet 0.16.1.
Noteworthy changes in 0.16.2 (since 0.16.1)
DHT: Fix path signature handling.
GNS: Fix BOX handling in zone apex.
NAMESTORE: Prevent storing under invalid labels.
Buildsystem: Fix build on *BSD and Guix.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fixes multiple security issues:
* CVE-2022-0667 -- An assertion could occur in resume_dslookup() if the
fetch had been shut down earlier
* CVE-2022-0635 -- Lookups involving a DNAME could trigger an INSIST when
"synth-from-dnssec" was enabled
* CVE-2022-0396 -- A synchronous call to closehandle_cb() caused
isc__nm_process_sock_buffer() to be called recursively,
which in turn left TCP connections hanging in the CLOSE_WAIT
state blocking indefinitely when out-of-order processing was
disabled.
* CVE-2021-25220 -- The rules for acceptance of records into the cache
have been tightened to prevent the possibility of
poisoning if forwarders send records outside the
configured bailiwick
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
As per the discussion in PR #18047, split the MTR package into
two, one with jansson enabled for JSON output, and one without.
This commit also bumps the version to 0.95. Since the MTR project
website does not seem to be updated with builds any longer, switch
to GitHub Codeload instead.
Also enable PKG_FIXUP:=autoreconf so that MTRs bootstrap.sh process
is executed properly.
Signed-off-by: Marc Egerton <marc@malloc.me>
* remove upstreamed gcc10 and cerrno patches
* disable SSO and OIDC as it needs Rust/Cargo support
Signed-off-by: Moritz Warning <moritzwarning@web.de>
Enable AUTORELEASE in a separate commit so that the next commit can be
reverted without having to manually re-introduce it.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Note that on 32-bit ARM with MUSL we don't have Unwind_GetIP() so
we need to disable backtraces.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Unless we're using "mktemp -u ..." (not recommended), it will
create the temp file as part of its safety checking. Thus you
should only create the name (file) if you're going to use it,
and always remove it if you have created it.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
If named is configured to not listen on any IPv6 interfaces,
then we should run 'nsupdate' with the '-4' argument.
Also:
* cleanup RFC-1918 address detection;
* don't generate PTR records for domain entries that aren't
RFC-1918 addresses or these will generate NOTAUTH failures;
We're assuming that we're doing DNS split-horizon and that
internal addresses aren't routable.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
To allow using gnunet on systems with firewall4, add replace direct
dependency on 'firewall' with 'uci-firewall' which is satisfied by
either 'firewall' or 'firewall4'.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
It turns out that under high system load, ipsets cannot be deleted. This
is because there is still a reference in iptables. A short sleep should
give the system time to clean this up.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Nft does not directly support ipsets, nft sets must be used instead.
The mwan3 uses ipsets for certain tasks. They can be combinded. So called
an ipset of ipsets. This list type is not available in nft. So that
mwan3 could be ported to nft in the feature, the ipset handling should be
split. So we have for each ipset an iptables rule.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
ddns-confgen is a useful tool for generating partial zones for
transfer/update in dynamic DNS (ddns) scenarios.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* OPUS and Pulse can be configured nicely by default now, no longer
need a local patch for that
* mysql version checks fail when cross-compiling, add patch to remove
them and always assume MySQL >8.0.
* Package new services, communicators, ...
This is a new major release. It breaks protocol compatibility with the
0.15.x versions. Please be aware that Git master is thus henceforth
(and has been for a while) INCOMPATIBLE with the 0.15.x GNUnet network,
and interactions between old and new peers will result in issues.
0.15.x peers will be able to communicate with Git master or 0.16.x
peers, but some services - in particular GNS - will not be compatible.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
There is no reason for the kmod to depend on the binary package
itself, neither for building nor for installing.
That dependency prevents phase1 from building the kmod even though
support is enabled in the binary.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
It was leftover from the previous rewrite of ss-rules. The built
package has no ref to it so no need to update PKG_RELEASE
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
I believe these packages should be removed (and imported into the
abandoned packages repo[1]) as Seafile Server and Seahub have been
marked as broken for some time, and I do not believe I will have time to
fix or update these packages in the foreseeable future.
[1]: https://github.com/openwrt/packages-abandoned/pull/22
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Both packages provide the same packages and should conflict to each
other.
Fixes:
```
Packages 'haproxy' and 'haproxy-nossl' do not conflict while providing same file: /usr/sbin/haproxy
Packages 'haproxy' and 'haproxy-nossl' do not conflict while providing same file: /etc/haproxy.cfg
Packages 'haproxy' and 'haproxy-nossl' do not conflict while providing same file: /etc/init.d/haproxy
```
They should not be installed side by side.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
- There should be shorter TITLE in Package/haproxy/Default
otherwise it is not shown
- No need to call Build/Prepare/Default
- Remove twice TITLE in non-SSL variant
- Make conffiles more clear
- Remove empty menu for halog
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Both packages provide the same files:
/usr/bin/chronyc
/usr/sbin/chronyd
/etc/chrony/chrony.conf
/etc/hotplug.d/iface/20-chrony
/etc/init.d/chronyd
They should not be installed side by side.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Both packages provides the same files:
- /usr/bin/u2boat
- /usr/bin/u2spewfoo
- /usr/bin/snort
- /etc/init.d/snort
- /etc/config/snort
So they should be in conflict.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Fix the following build failures by adding the missing dependencies:
Package strongswan-mod-connmark is missing dependencies for the following libraries:
libip4tc.so.2
Package strongswan-mod-forecast is missing dependencies for the following libraries:
libip4tc.so.2
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Following recent dependency rework, we can switch
between iptables-legacy and iptables-nft, and they both
PROVIDES iptables. Make it easier for user that want/need to
stick to firewall3/iptables-legacy to do so.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
It will be mostly implemented with ucode templates installed at
/usr/share/ss-rules and called from init script. The generated nftables
rules will be stored at /etc/nftables.d/
Incompatible changes were introduced as described in the README.md file
- Netfilter ipset was replaced with nftables sets
- UCI options ipt_args and dst_forward_recentrst of section ss_rules
are now deprecated. The former does not apply to nftables. The
later not yet implemented with nftables.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
ss-rules with iptables needs presence of netfilter nat table to work.
ss-rules works before without explicitly requesting it as a dependency
because it's present by default on a pre-firewall4/nftables OpenWrt
install. We request it explicitly now to make life easier in case
people would like to try ss-rules/iptables on firewall4/nftables enabled
OpenWrt system
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
shorewall-core macos build fails due to:
1. MacOS bash is too old (3.x), but shorewall-core requires bash>4
This patch uses OpenWrt tools/bash built for macos (bash 5.x)
2. install.sh detects Darwin using uname and changes install logic,
but it fails in case of cross-platform build
This patch uses fakeuname/host tool to avoid Darwin detection
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
shorewall macos build fails due to:
1. MacOS bash is too old (3.x), but shorewall requires bash>4
This patch uses OpenWrt tools/bash built for macos (bash 5.x)
2. install.sh detects Darwin using uname and changes install logic,
but it fails in case of cross-platform build
This patch uses fakeuname/host tool to avoid Darwin detection
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
shorewall6-lite macos build fails due to:
1. MacOS bash is too old (3.x), but shorewall6-lite requires bash>4
This patch uses OpenWrt tools/bash built for macos (bash 5.x)
2. install.sh detects Darwin using uname and changes install logic,
but it fails in case of cross-platform build
This patch uses fakeuname/host tool to avoid Darwin detection
3. fakeuname does not work in install.sh because install.sh
redefines PATH.
This patch removes PATH=... from install.sh on macos
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
shorewall6 macos build fails due to:
1. MacOS bash is too old (3.x), but shorewall6 requires bash>4
This patch uses OpenWrt tools/bash built for macos (bash 5.x)
2. install.sh detects Darwin using uname and changes install logic,
but it fails in case of cross-platform build
This patch uses fakeuname/host tool to avoid Darwin detection
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
shorewall-lite macos build fails due to:
1. MacOS bash is too old (3.x), but shorewall-lite requires bash>4
This patch uses OpenWrt tools/bash built for macos (bash 5.x)
2. install.sh detects Darwin using uname and changes install logic,
but it fails in case of cross-platform build
This patch uses fakeuname/host tool to avoid Darwin detection
3. fakeuname does not work in install.sh because install.sh
redefines PATH.
This patch removes PATH=... from install.sh on macos
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
The FreeBSD project stopped publishing HTTP date headers and seeks to
limit further resource taxing by distributed htpdate clients using the
www.freebsd.org host as default time source.
Fixes: #17924
Reported-by: Allan Jude <allanjude@freebsd.org>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* include gnunet-service-zonemaster-monitor in gnunet-gns package
* rename namestore-heap back to namestore-flat
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The "build" script was replacing a ~DATE~ with current date.
Now it uses $(SOURCE_DATE_EPOCH).
Fixes#17848
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
ipvsadm build fails on macos due to libipvs Makefiles uses system
`ar` that is not compatible with the objectes generated by OpenWrt
GCC Toolchain.
This commit adds patch to allow ar redefining
This commit modifes an old patch (removing CC=gcc is not required
due to it is redefinable)
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
In the build environment the autotools finds the `passwd` binary in
/usr/bin. But in the target image it is available under /bin instead.
Manually set the path to `passwd` binary to `/bin/passwd`
Signed-off-by: Rucke Teg <rucketeg@protonmail.com>
There is no need to remove root password from /etc/shadow as the
password in the file is blank anyway in the failsafe mode.
Signed-off-by: Rucke Teg <rucketeg@protonmail.com>
DoH is enabled by default, but disabling it removes the need to link
against libnghttp2, which may be desirable more constrained
environments.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
* consolidate dnsmasq config manipulation into one function
* more elegant code for PROCD data processing (Thanks @jow-!)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Manually added new env variable `XDG_DATA_HOME` which won't be passed
by procd by default.
Removed upstreamed patch.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
This a virtual package that is satisfied by either
strongswan-mod-socket-default or strongswan-mod-socket-dynamic, and is
required by the charon daemon. When neither of these packages is
installed, charon will not function.
Closes#16261, #16263 and #16367.
Signed-off-by: Noel Kuntze <noel.kuntze@thermi.consulting>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
There's only one of the shaper scripts (simple.qos) that uses iptables, and
it should be fine with iptables-nft for compatibility with the new default
nft-based firewall. Confusingly, we still need the iptables-mod-ipopt
package to get the DSCP match module; we never used CONNMARK, though, so
drop the iptables-mod-conntrack-extra dependency while we're at it.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
With commit 385200443554 ("babeld: add add_interface function") babeld
has a new ubus function allowing to dynamically add an interface.
Before the add_interface function, we were required to reload babeld.
The reload influenced the babeld routing. However, the remove part is
still missing and will be added at a later stage.
Signed-off-by: Nick Hainke <vincent@systemli.org>
chaosvpn Makefile detects Darwin (macos) and changes compilation
flags for macos target, but OpenWrt is always Linux so build fails.
This patch redefines OS=Linux to use Linux compilation flags.
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
nut build fails on macos due to:
1. configure script can not use AR env var due to OpenWrt build
system provides only executable name (e.g. aarch64-openwrt-linux-musl-gcc-ar)
but configure script checks if AR has '/'. As a result, configure
script ignores AR env var and uses system `ar` but macos `ar` is
not compatible with the objects generated by OpenWrt GCC toolchain.
This commit explicitly sets ac_cv_path_AR=$(TARGET_AR) to use
OpenWrt toolchain AR.
2. configure script detects if build host is macos and adds
macosx_ups driver as a build target, but this driver can not be
build with OpenWrt toolchain because OpenWrt is Linux.
This commit explicitly disables macosx_ups driver using configure
flag --without-macosx_ups
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
host-compile fails on macos due to several reasons:
1. host-compile Makefile always selected for linux
2. macos host cc (clang) fails due to implicit-function-declaration
3. ar and ranlib tools are hardcoded in softethervpn Makefiles
All three issues are fixed by this patch
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
knxd compilation fails on macos due to clang does not support
exit() builtin function that is used to detect build cc
This commit adds a patch to fix this issue (replaces `exit 0` by
`return 0` in conftest.c)
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
This intends to replace the hotplug script. It still hardcodes "wan"
interface name (as several other packages do) for lack of a deterministic
way to detect the actual wan iface before it is brought up, but at least
it is fully integrated with procd and will not start a disabled service.
The interface trigger forcefully restarts chilli as a simple reload may
not be sufficient to recover from wan changes.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This hotplug trigger unconditionaly restarts coova-chilli when the "wan"
interface sees action "ifup", without checking whether or not the
service is disabled or the upstream interface is actually called "wan".
This hotplug could be replaced by a suitable service trigger instead.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Coova Chilli creates "undo" firewall scripts that are intended to be run
when the daemon is shut down. Failure to do so results in leftover
entries in firewall and duplicated ones if chilli is subsequently
restarted.
Execute these scripts when the service stops.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Coova Chilli will fail to start if e.g. it cannot resolve names in its
configuration (like uamserver, radiusserver, etc) which is typically the
case when wan is unavailable. Prevent this situation by delaying startup
if wan is not available.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
isc-dhcp uses system ar tool so build fails on Darwin build host.
Embedded bind lib uses system ar and ranlib tools and fails on Darwin
This patch explicitly specifies ar and ranlib tools for target build
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
Backported upstream pending pull request to fix following error:
CMake Error at /foo/staging_dir/host/share/cmake-3.19/Modules/FindPackageHandleStandardArgs.cmake:218 (message):
Could NOT find CURSES (missing: CURSES_LIBRARY)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Declare the nftables variant as the DEFAULT_VARIANT
as nftables firewall4 is the now default in OpenWrt.
Additionally,
* toggle CONFLICTS placement to avoid circular dependency warning
* use AUTORELEASE
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Maintainer: me
Build system: Arch Linux x86_64
Build tested: ipq806x/R7800
Run tested : ipq806x/R7800
Signed-off-by: Daniel Bermond <danielbermond@gmail.com>
Add flag "--lookup-default-namespace" to signal that wg-installer should
look already established wireguard sessions in the default namespace.
Signed-off-by: Nick Hainke <vincent@systemli.org>
This commit removes iptables backend support and leaves only the
netfilter backend support. This means that:
- iptables and nftables firewall based systems (firewall3 and firewall
4) are supported trough the netfilter instance mode
- the iptables/xtables mode support is disabled
For more information on the modes and how to use the new netfilter
instance checkout https://www.jool.mx/en/intro-jool.html
This move is made out of the commit upstream that sets firewall4 as the
default for new default buils and based on the conversation in #16818
and was decided that the netfilter interface is the priority since
iptables support will be dropped in the foreseeable future.
While at it update the templates provided.
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
libreswan makefile detects macos (darwin) and changes build logic
but OpenWrt is always Linux so it is required to specify linux as
target platfrom
This patch specifies Linux as a target platfrom
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
crowdsec rename the binary from crowdsec-firewall-bouncer to cs-firewall-bouncer
the initd need the correct binary name to start the process
the link for github source need also to be fixed (only the information one)
fix the BuildDate
updated copyright
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
Check if a peer is already existing with a given public key. Introduce a
response code for signaling why the server rejected the request.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Use shellcheck to rework the code. Use "export" to return variables from
a function call. Further, fix typos.
Signed-off-by: Nick Hainke <vincent@systemli.org>
* bump to 4.7.0
* enable DNS over TLS (uses libssl which was already a dependency)
* add libcurl dependency for new zone-to-cache feature.
Co-Authored-By: wout@wbnet.eu
Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>
Latest Apple clang (v13) defines __cplusplus=199711 by default, but
protobuf requires at least 201103 (c++11)
Backported patch to fix c++ detection:
30fe936a88
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
Version 1.0.1 brought the following changes:
[v1.0.1] - 2021-11-26
Primarily fixes a few issues in the kernel module that were found
during a quick review from Russell King:
https://lore.kernel.org/netdev/YYPThd7aX+TBWslz@shell.armlinux.org.uk/https://lore.kernel.org/netdev/YYPU1gOvUPa00JWg@shell.armlinux.org.uk/
- mdio: The mvls subcommand now supports flushing the ATU
- mdio-netlink: Plug some glaring holes around integer overflows of
the PC.
- mdio-netlink: Release reference to MDIO bus after a transaction
completes.
So, update to the latest version and switch the kernel module back
to fetching tarballs like the userspace tool does.
Signed-off-by: Robert Marko <robimarko@gmail.com>
* Updating i2pd package to 2.40.0
* Rewrite Makefile
* Remove usage of PKG_INSTALL (package's make install)
* Rewrite init.rc configuration and script
* Remove '--service' option from init, which only sets datadir to /var/lib/i2pd
* Use '--datadir' option in init, otherwise datadir changing via uci is not works
* Update patch for i2pd.conf
Signed-off-by: R4SAS I2P <r4sas@i2pmail.org>
When ModemManager is started on boot we may end up with hotplug events
reported directly to the daemon, plus some others already cached in
the cache file before the daemon was started.
If the cached events correspond to the same device that is still
notifying ports directly, we may end up with a modem object created
before the cached events have been emitted, so the modem may not
handle all control/data ports it should.
E.g.:
- modem detected
- hotplug event for wwan0 port, cached as MM not running
- hotplug event for cdc-wdm0 port, cached as MM not running
- hotplug event for ttyUSB0, cached as MM not running
- MM starts
- hotplug event for ttyUSB1, directly processed as MM is running
- hotplug event for ttyUSB2, directly processed as MM is running
- modem object created with ttyUSB1 and ttyUSB2
- 2s after MM starts, cached events for wwan0, cdc-wdm0 and ttyUSB0
happen, but are ignored because the modem object has already been
created
MM expects that ports of the same device are reported with less than
1500ms in between ports. In other words, if ports are reported more
than 1500ms after the last reported port, they may get ignored.
If we remove the 2s timeout, the report of the cached events will
happen as soon as MM starts, which makes it much more likely to happen
in the timeslot that MM expects for ports of the same device reported.
The logic is still not perfect, and we may also need to increase that
1500ms timeout inside MM, but removing the 2s timeout right away here
makes sense.
This 2s timeout was introduced along with the new wrapper launcher for
the daemon, it didn't exist before.
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
This commit adds support for starting and running jool through init
scripts, with default config files as examples.
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
Add checks not to overwrite defaultnotify options in the nut-sendmail-notify fashion.
Use lists for defaultnotify instead of option.
Add check not to overwrite notifycmd if already defined.
upssched-cmd script must not be called directly, it is called by the upssched binary with needed arguments.
Signed-off-by: Pascal Coudurier <coudu@wanadoo.fr>
Convert notifyflags options to lists as supported by the init script, so multiple options can be chosen.
Add SYSLOG default option to individuals notifyflags instead of deprecated flag 1|0.
Add comment for defaultnotify and individuals notifyflags about possible values.
Signed-off-by: Pascal Coudurier <coudu@wanadoo.fr>
lynx uses host C-compiler to build internal utility that is used to
generate files required for target build. On MacOS it uses internal
clang with MacOS system headers so host build fails due to MacOS is
not Linux
Forced to use OpenWrt host C compiler using --with-build-*
./configure flags
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
This backports a patch from upstream radsecproxy to fix compilation with glibc 2.34.
It fixes the following build problem:
radsecproxy.h:35:5: error: missing binary operator before token "("
35 | #if PTHREAD_STACK_MIN > PTHREAD_STACK_SIZE
| ^~~~~~~~~~~~~~~~~
make[5]: *** [Makefile:623: dtls.o] Error 1
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
davfs2 username and password information is typically stored in
/etc/davfs2/secrets. This information should be kept across sysupgrades.
Signed-off-by: Matthew Hagan <mnhagan88@gmail.com>
Although undocumented, there's a way to explicitly disable static linking in
Stubby, setting the CMake build option ENABLE_GETDNS_STATIC_LINK to OFF (ON by
default). Make it so.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Drop the tftpd binary, which is no longer provided upstream. Users
should switch to the atftp server as a replacement.
Avoid executing runtime tests, which are not supported in cross-build
environments.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
When zone id is explicitly provided, there is no need for the API token to have read permission. Inspired by acme.sh's cloudflare logic.
Signed-off-by: Glen Huang <heyhgl@gmail.com>
Update crowdsec-firewall-bouncer to latest upstream release version 0.0.21
Makefile rework
- use tagged version for download
Fixes
- set API_KEY in firewall bouncer config file
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
backport of upstream commit
3c66c1fec7
Original author: Nikhil Benesch <nikhil.benesch@gmail.com>
Remove unnecessary flag in macOS build
The configuration logic for adding the `-search_paths_first` linker
flag on Darwin does not correctly handle cross compilation. It should
check the value of $krb5_cv_host rather than `uname -s` to detect when
the compilation target is Darwin, rather than the build machine.
It turns out `-search_paths_first` has been the default behavior of ld
on macOS since XCode 4. So just remove that bit of logic entirely.
(The flag was added in commit acd27af0e845f8b93de2e226cc2ec9ac8af52077
in 2004; XCode 4 was released in 2010.)
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
With procd-ujail enabled, it is not possible to use HTTPS URLs, for
example when either for downloading torrent files or blocklists. The
followig example occurs when downloading a URL from the "Upload Torrent
Files" dialogue box:
Error adding
"https://releases.ubuntu.com/21.10/ubuntu-21.10-desktop-amd64.iso.torrent":
gotMetadataFromURL: http error 0: No Response
syslog will also hint that no CA_BUNDLE is being used:
transmission-daemon[6683]: [2021-12-30 20:01:30.990] web will verify
tracker certs using envvar CURL_CA_BUNDLE: none (web.c:455)
This patch rectifies this issue by adding a ca_bundle configurable,
enabled by default. This explicitly fixes the ca_bundle file location
to /etc/ssl/certs/ca-certificates.crt and adds this file to the procd
jail. On subsequent testing, HTTPS URL download functionality is
restored.
Signed-off-by: Matthew Hagan <mnhagan88@gmail.com>
The delete variable was misspelled leading to devices always being
removed although they had connected neighbors.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Update crowdsec to latest upstream release version 1.2.2
Makefile rework
- use tagged version for download
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
Issue: 2to3 support has been removed in setuptools since version 58.0.0.
Fix: openwrt/packages#17311
Requirements: 2to3/host openwrt/packages#17429
Add upstream patch: 196c55e931
To install/build for python3 from source, it is necessary to convert to py3
codebase before setup (invoke 2to3 or ./fail2ban-2to3 firstly).
> ./fail2ban-2to3
> python3 setup.py build
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
The next OpenWrt stable release aims to use firewall4 by default. As
this uses nftables as backend, miniupnpd will no longer work. Create an
iptables and nftables variant of the miniupnpd package so that miniupnpd
can be used with either firewall variant.
See #16818 for more info.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Since version 2.2.3, miniupnpd will detect MS clients and force IGDv1.
This reverts commit 7f5534ac7a.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Removed patches:
001-fix-stime-glibc-remove.patch - it is included in upstream
003-Fix-compilation-with-gcc11.patch - no longer necessary
Updated patches:
002-Avoid-problems-with-64-bit-time_t.patch
Refreshed patches:
004-Comment-out-librt-testing.patch
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
These cmake modules are actually never referenced. Stubby itself doesn't link to
libidn or libunbound, only getdns does. They're most likely leftovers from when
stubby was split from getdns to its own repository.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Full changelog available at: https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.0
packr has been removed from build dependencies, per
c6888326b0 (diff-2873f79a86c0d8b3335cd7731b0ecf7dd4301eb19a82ef7a1cba7589b5252261L2)
Also added the ability to configure working directory location and moved
the directory to /var. On most setups this should not change anything,
as /var is symlinked to /tmp. The move mostly benefits setups where /var
is configured to be persistent.
The working directory is used by AdGuard to store persistent data like
query logs, filter lists, etc.
Data stored in this directory can get really huge, as such allowing
this directory to be moved elsewhere (ie. an USB drive) is very
beneficial.
Co-authored-by: Dobroslaw Kijowski <dobo90@gmail.com>
Co-authored-by: Jeffery To <jeffery.to@gmail.com>
Signed-off-by: Hiếu Lê <leorize+oss@disroot.org>
Add MaxMind's geoipupdate utility. mmdb files are downloaded to /var/GeoIP
by default. The user should update /etc/GeoIP.conf with their API key and
DB choice, currently set to country only. So as not to exceed MaxMind's
download limitations, the user should manually run the utility or set up a
cron job.
Signed-off-by: Matthew Hagan <mnhagan88@gmail.com>
Remove un-necessary crowdsec package dependency, to be able to use
crowdsec-firewall-bouncer independently from crowdsec local installation.
(with remote API)
Fix issue: https://github.com/openwrt/packages/issues/17406
Description:
using crowdsec-firewall-bouncer on many OpenWRT devices connected
with my domain LAPI server (which collect many crowdsec machines,
mostly nginx), it works great. Actually, crowdsec package is not
mandatory for that usage, it would be great if it was not a dependency.
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
Maintainer: me / @mkrkn
Compile tested: ramips/mt7620 TP-Link Archer C50 v1, ramips/mt7621 Xiaomi Mi router 3 Pro, ath79/generic TP-Link WDR-3500
Run tested: ramips/mt7620 TP-Link Archer C50 v1, ramips/mt7621 Xiaomi Mi router 3 Pro, ath79/generic TP-Link WDR-3500
openvpn: update to 2.5.5
use of CFG Spectre-mitigations in MSVC builds
bring back OpenSSL config loading to Windows builds
several build fixes, refer to https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Fixes: f88485f572 ("nft-qos: silence buildsystem errors")
Prefixing IPKG_INSTROOT to sourced includes is ineffective for this
package.
Source includes only when empty to avoid image make errors.
Signed-off-by: Imran Khan <gururug@gmail.com>
The kmod-sched-cake package already depends on kmod-sched-core, there's no need
for explicitly stating the dependency.
While at it, change PKG_RELEASE to $(AUTORELEASE).
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Enabling OPENVSWITCH in the kernel config selects MPLS. This exposes the
MPLS_ROUTING symbol, which is missing if kmod-mpls is not enabled. On
kernel 5.4 this problem doesn't show up, as the Open vSwitch package
uses the in-tree kernel modules rather than the upstream ones.
Restore the kmod-mpls dependency when using the upstream kernel modules
to fix build.
Reported-by: Matthew Hagan <mnhagan88@gmail.com>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The ifeq check for CONFIG_OPENVSWITCH_WITH_LIBUNBOUND does not evaluate
correctly within the menuconfig, resulting in libunbound not being
selected, resulting in a failing libunbound.so.8 dependency.
Instead add this condition:dependency in the manner defined in the
OpenWrt developer guide.
Signed-off-by: Matthew Hagan <mathagan@fb.com>
ovs_libovsdb_depends and ovs_libofproto_depends append the libatomic
dependency. However in these cases these variables were not previously
defined and thus a reader may search the Makefile for the definition.
Therefore change the operator to explicitly define these dependency
variables, rather than append. In addition add a space after operator to
improve readability and conform to other dependency definitions in the
Makefile.
Signed-off-by: Matthew Hagan <mathagan@fb.com>
Rather than defining dependencies, then appending the libatomic
dependency on the following line, merge all into one definition.
Simultaneously, sort by alphabetical order.
Signed-off-by: Matthew Hagan <mathagan@fb.com>
The output of the hotplug is very chatty and floods the log with
messages that are not necessary in functioning operation.
So that the log can be filtered. A log level was added to each message
as the first opiton on mm_log function call.
In addition, the facility of the hotplug script has been set to daemon,
which in my view fits better than user.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
1. prctl() check is not required for host-compile on any OS due to prctl
is not used in rpcgen which is only one is compiled during host-compile
phase. prctl() check is disabled via HOST_CONFIGURE_VARS in OpenWrt makefile
2. __DARWIN_ONLY_64_BIT_INO_T is true on macos arm64 so struct stat64
and stat64() are not available. This patch defines stat64 as stat if
__DARWIN_ONLY_64_BIT_INO_T is true
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
Breaking changes:
The database has been replaced with boltdb to try to solve the problem
of database corruption.
Note that the data will not be migrated, but the previous data will be
retained. If you need the previous data, just downgrade v2rayA (v1.5.4).
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
depend on libpcre2 instead of libpcre
also remove patches incorporated upstream into lighttpd 1.4.62
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
route-override IPAM works as meta CNI plugin to override IP route given by previous CNI plugins. It is useful in a case with network-attachment-definition.
Currently route-override verified its feature with podman and crio(with Kubernetes).
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
The way the init script is written now, we get a bad output when calling
the ubus service backend.
ubus call service list "{'verbose':true,'name':'modemmanager'}"
>{
> "modemmanager": {
> "instances": {
> "instance1": {
> "running": true,
> "pid": 20511,
> "command": [
> "sh",
> "-c",
> ".
>/usr/share/ModemManager/modemmanager.common; \t
>mkdir -m 0755 -p /var/run/modemmanager; \t
>mm_cleanup_interfaces; \t
>( mm_report_events_from_cache ) >/dev/null 2>&1 & \t
>/usr/sbin/ModemManager"
> ],
> "term_timeout": 5,
> "respawn": {
> "threshold": 3600,
> "timeout": 5,
> "retry": 5
> },
> "pidfile":"/var/run/modemmanager/modemmanager.pid"
> }
> }
> }
>}"
I also get the output in the log that the PID file cannot be created.
> daemon.err procd: Failed to remove pidfile: :No such file or directory
The changes in this commit fixes this issues, by moving startup into a
wrapper script.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
SpeedTest++
Yet another unofficial speedtest.net client cli interface
For users who instead of python based speedtest client want
to use something that was written in c++...
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Currently banip matches nginx log entries starting with
nginx[number]:...
I am running a containerized nginx with alpine as base, which
ends up adding log entries without [number] part..
like this:
nginx:...
This patch updates regex for nginx log entry search to include
both versions.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
The configuration for the ksmbd service is auto-generated when
the OpenWRT configuration changes, and also during startup,
hence ksmbd.init has to reload the kernel module. It does that by
calling kill_server, which does not perform cleanup. This results
in ksmbd being killed but not restarted properly during boot.
This patch resolves the issue by using stop_service, which performs
proper cleanup.
https://forum.openwrt.org/t/ksmbd-samba3-4-alternative-ex-cifsd-smbd-package-support-thread/51695/68
Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
Django 1.x is not compatible with python 3.10.
Mark the package as BROKEN. Since its dependent packages will also
select it, they will need to be marked BROKEN as well to avoid recursive
dependencies--packages not marked as BROKEN will be able to select the
broken package.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
- Update haproxy download URL and hash
- Switched over to using USE_LIBATOMIC in favor of -latomic
- Added a patch which fixes nossl builds
Signed-off-by: Christian Lachner <gladiac@gmail.com>
7bf79a2 ubus: set scan duration to roam scan interval
b4eb49e policy: only select nodes with better signal when roaming
5d5a0be ubus: don't request measurement from unsupported STAs
abc6fe0 local-node: update STA RRM capabilites
5ec713b node: determine roamability when selecting neighbors
d0cd65b node: save created time for node
a5c21ae ubus: prioritize neighbor reports on bss transition
532a48d local-node: prioritize neighbor candidates
4862080 node: keep track of roam-sources and roam-destinations
6a20591 sta-info: add last_connected field
Signed-off-by: David Bauer <mail@david-bauer.net>
Commit 1038ac1235 ("openvswitch: add support for definining bridge ports...")
added two new options:
- drop_unknown_ports
- ports
They are missing from the README, so add them.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Fixes 'transmission-web' for users which didn't manually configure the
'web_home' option.
Assume transmission's default in case 'web_home' isn't defined and
mount the directory so it can be accessed from inside the jail.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Add missing "inotify_add_watch", "inotify_init1" and "inotify_rm_watch"
syscalls to seccomp filter which are needed in case watch_dir feature
of transmission is used.
Fixes#16972
Reported-by: @siwind
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
As written in the commit message:
Depending on your conntrackd configuration, events might get lost,
leaving stuck entries in the cache forever. Skip checking the conntrack
ID to allow for lazy cleanup by when a new entry that is represented by
the same tuple is added.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Open vSwitch does not bring up ports automatically. This is not a
problem for wireless ports, or for ports configured in
/etc/config/network, but other ports will be down, and require manual
interaction to be brought up. Configuring them with proto none will
cause netifd to do some actions on them, which might cause undefined
results, and will also bloat the UCI config file.
The cleanest solution is to bring all member ports up as part of the
init script.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
statd currently fails to start due to missing /run which doesn't exist
on OpenWrt.
Add a patch moving /run to /tmp/run as the path is hardcoded in several
places and cannot be configured neither at buildtime nor at runtime.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
`time_t` on musl 1.2 is 64bit, while `long` is 32 bit. we will always get zero time with the original source on mips big endian.
Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
The PCIe physdev path lookup relies on the 'vendor' and 'device'
attribute files, instead of the 'idVendor' and 'idProduct' ones, which
are USB specific.
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
OVN doesn't require Python Six, since about commit
338a6ddb5e
Maybe even earlier than that.
There are some left-over installations of six in their CI, but no usage in
any Python source code.
Refreshed patches.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Python six was required to build the OVS Python libs during the time when
they were supporting both Python 2 & 3.
Python 3 is a minimum requirement for OVS Python's libs since commits:
1ca0323e7cbd90524550
and Six is no longer required since commit
0c4d144a98
The end-goal here is to get rid of the Python Six host-build.
OVS is the only user.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Release notes:
1.8.0
- Upgrade json.hpp dependency to version 3.10.2
- Check if DNS servers need to be applied on macOS
- Set MAC address before bringing up Linux TAP link
- Stop binding to temporary IPv6 addresses
- Fix for mistakenly using v6 source addresses for v4 routes on some platforms
- Fix for MacOS MTU capping issue on feth devices
- Implement a workaround for one potential source of a "coma" bug, which can occur if buggy NATs/routers stop allowing the service to communicate on a given port. ZeroTier now reassigns a new secondary port if it's offline for a while unless a secondary port is manually specified in local.conf. Working around crummy buggy routers is an ongoing effort.
- A completely rewritten desktop UI for Mac and Windows!
1.8.1
- Fix an issue that could cause clobbering of MacOS IP route settings on restart.
- Added additional hardening against address impersonation on networks (also in 1.6.6).
- MacOS IPv6 no longer binds to temporary addresses as these can cause interruptions if they expire.
- Remove support for REALLY ancient 1.1.6 or earlier network controllers.
- Fix numerous UI issues from 1.8.0 (never fully released).
Changed to git as source and added $(AUTORELEASE)
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Client and server software to query DNS over HTTPS, using Google DNS-over-HTTPS protocol and IETF DNS-over-HTTPS (RFC 8484). https://github.com/m13253/dns-over-https
Signed-off-by: Martin Schneider <martschneider@google.com>
Side-effect of dropping capabilities(7) with last commit is now we
need the `/var/run/named/` directory created for us at startup.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Reasons to drop this package:
a) this package depends on luci-app-rosy-file-server
Unfortunately, it was marked as broken as it is unmaintained.
See: 34b682afac
b) maintainer is inactive
c) rosinson website does not seem to be working
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Update to the newest versions and switch to $(AUTORELEASE) for the python3 packages (where I am the maintainer).
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
Currently when the connection times out, the interface will disconnect.
Add capability to add persistent option to re-establish connectivity.
Signed-off-by: Matthew Hagan <mnhagan88@gmail.com>
* adopt pypi name and line numbers in patches
* remove custom tar command and patch for using python3 (changed upstream)
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
It never works... And Xray-core needs root access to work.
Bump geodata to latest version while at it.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
The following CVE updates are included:
* CVE-2021-25219: The "lame-ttl" option is now forcibly set to 0. This
effectively disables the lame server cache, as it could previously be
abused by an attacker to significantly degrade resolver performance.
* CVE-2021-25218: An assertion failure occurred when named attempted
to send a UDP packet that exceeded the MTU size, if Response Rate
Limiting (RRL) was enabled.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Reload the service when interfaces flap; note that libcap support
is required to open new sockets on interfaces coming up during
a reload, otherwise a full restart would be needed.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Use newly introduced procd_add_reload_mount_trigger to reload nfsd
when a mountpoint covering an exported filesystem is added by blockd.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fix uci-defaults for PostgreSQL backends
Add user 'gnunet' to 'postgres' group
Always build with sqlite3 as configure fails when --without-sqlite
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
If an interface doesn't exist yet when vnStat is started, it won't be
monitored, as only existing interfaces can be added to the database via
the vnstat command.
This adds a hotplug script which adds any configured interfaces to the
vnStat database when it goes up.
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
By default, vnstatd adds all available interfaces on startup when its
database is empty. The --noadd option prevents this, but it breaks
import of legacy databases, and causes vnstatd to exit immediately
after startup, which breaks reloading.
This changes the init script to add the --noadd option when no legacy
databases need to be imported, and patches vnstatd to keep running
even when no interfaces are configured.
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
This has been replaced with the "trust-anchors" keyword, per
section 8.21.1 New Features of the Bind 9 Administrator Reference
Manual:
• In order to clarify the configuration of DNSSEC keys, the trusted-keys and managed-keys statements have been deprecated, and the new trust-anchors statement should now be used for both types of key.
When used with the keyword initial-key, trust-anchors has the same behavior as managed-keys, i.e., it configures a trust anchor that is to be maintained via RFC 5011.
When used with the new keyword static-key, trust-anchors has the same behavior as trusted-keys, i.e., it configures a permanent trust anchor that will not automatically be updated. (This usage is not recommended for the root key.) [GL #6]
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
apxs is used to get information about the apache installation when
building external modules. Currently there are issues:
1.
./staging_dir/target-mips_24kc_musl/usr/bin/apxs -q TARGET
apache2
apxs:Error: ./staging_dir/target-mips_24kc_musl/home/sk/tmp/openwrt/staging_dir/target-mips_24kc_musl/usr/bin/apr-1-config not found!.
This error is fixed by sed script #2.
2.
./staging_dir/target-mips_24kc_musl/usr/bin/apxs -q TARGET
cannot open ./staging_dir/target-mips_24kc_musl/home/sk/tmp/openwrt/staging_dir/target-mips_24kc_musl/usr/share/apache2/build/config_vars.mk: No such file or directory at ./staging_dir/target-mips_24kc_musl/usr/bin/apxs line 213.
This error is fixed by sed scipt #1.
Both sed scripts taken from buildroot (see [1]).
[1] https://github.com/buildroot/buildroot/blob/master/package/apache/apache.mk
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This commits adds the new usteer package to the packages feed.
usteer is a daemon for steering wireless clients across frequency
bands as well as between multiple access points on a network.
Signed-off-by: David Bauer <mail@david-bauer.net>
ospf running in instance mod will keep cpu to 100% so revert offending commit
if daemon is disabled in the file while running also close that daemon
also add the pythontools to support reload
Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
Some users report that DAWN sometimes crashes after a while. Mostly
this happens after the new update has been rolled out.
Since I would not like to go back to the older version, I add as
a workaround for now that DAWN automatically respawned.
Workaround for:
https://github.com/berlin-open-wireless-lab/DAWN/issues/151
Signed-off-by: Nick Hainke <vincent@systemli.org>
WWAN devices may now be exposed in the new 'wwan' subsystem in the
kernel (since 5.13), initially applicable to devices exposed in PCIe
(no USB), but at some point may also apply to USB devices that until
now were exposed via other subsystems (e.g. usbmisc, tty).
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
* bugfix: change killall param from -HUP to -s HUP
* bugfix: change tmpfs param from status to gateway
Signed-off-by: Stan Grishin <stangri@melmac.net>
* there are reports that 0.3.5-x versions do not work on some configs
* the development of the new features moved to the new package (pbr)
* revert to the last known good version of vpn-policy-routing
Signed-off-by: Stan Grishin <stangri@melmac.net>
* refresh patches
* disabling kres_gen_test is not required anymore for cross compilation, it was fixed upstream with the 5.4.1 release
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
This uses some definitions from <sys/cdefs.h> in gcc 8.4.0, not present
in musl or gcc11.
Also use clock_gettime() instead of syscall(__NR_clock_gettime,...),
which is not currently defined.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* update to [2021-09-27](da2501f542)
* fixes https://github.com/aarond10/https_dns_proxy/issues/125
* restart instead of reload on interface hotplug
* fixes https://github.com/openwrt/packages/issues/16794
* produce output and log entries on service start/stop
* prevent unnecessary dnsmasq restarts if service has previously updated dnsmasq settings
* allow both named and typed dnsmasq instance settings to be updated
* update 010-fix-cmakelists patch file
Signed-off-by: Stan Grishin <stangri@melmac.net>
Default to letsencrypt because the upstream default may change.
Passing --staging is no longer needed, since --serever will
select a staging server if needed.
Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
Tested-by: Georgi Valkov <gvalkov@abv.bg>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
/net/crowdsec-firewall-bouncer/
crowdsec-firewall-bouncer will fetch new and old decisions from
a CrowdSec API to add them in a blocklist used by supported firewalls.
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
/net/crowdsec/
Crowdsec - An open-source, lightweight agent to detect
and respond to bad behaviours.
It also automatically benefits from a global community-wide
IP reputation database.
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
* c70773a - datastorage: use signal strength as a metric
* 14e0f83 - Don't display debugging output with DAWN_NO_OUTPUT
* 97e5de1 - uci: add neighbor list priority options
* 2b1a53c - dawn_uci: set default values
* 6eb747b - Use separate configs for 802.11g & 802.11a bands
* 1e34357 - Verify compatibility before parsing config message
* a7a8309 - List all neighbors with same score when kicking
* 3ba0fa4 - Change beacon request fields to appropriate values
* 009aab9 - Change mode config parameter from int to string
Signed-off-by: Nick Hainke <vincent@systemli.org>
Update to GNUnet release 0.15.3.
Note that GNUnet 0.15.x is incompatible with the previous 0.14.x
wire format.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
- Update haproxy download URL and hash
- Make build-target and parameters dependant on configured c-library
- Removed duplicate build-parameters
Signed-off-by: Christian Lachner <gladiac@gmail.com>
This commit fixes an issue where the `AUTOSSH_GATETIME` is not available in the `procd` environment which gets overwritten by the second `procd_set_param env` call.
It now calls the `procd_set_param env` once with the two variables, instead of twice.
Signed-off-by: Leo Soares <leo@hyper.ag>
Switch to AUTORELEASE for simplicity.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[remove irrelevant part from commit message after splitting changes]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Currently `travelmate` only support `<meta` tag
if it contains `"`. This updates `travelmate.sh` to support
`'` as well.
```html
<meta...content='1; url=
```
Signed-off-by: Kamil Trzciński <ayufan@ayufan.eu>
This patch to remove PowerDNS' check for whether time_t is 64-bit is not needed anymore,
due to OpenWrt now having a more recent musl libc where time_t is 64-bit on all architectures.
Signed-off-by: Wout Bertrums <wout@wbnet.eu>
Switch to AUTORELEASE for simplicity.
Switch to normal tarballs.
Add license information.
Reorganize Makefile for consistency between packages.
Add libtool patch fixing compilation under some conditions.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Testing showed that additional syscalls are needed on ARMv7.
Add "clock_gettime64" and "statx" which seem to be used now instead
of "clock_gettime" and "stat" syscalls which are already listed.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
When Open vSwitch is configured to use a controller, but is unable to
connect to it, Open vSwitch will setup flows to allow all traffic, if
the failure mode is not configured, or set to standalone.
As this might be a security hazard, it is also possible to configure
Open vSwitch in a secure failure mode. Enabling this mode causes Open
vSwitch to drop all traffic if it is unable to connect to the
controller.
Redirect stderr of the command to /dev/null as it does not support the
--if-exists option.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Due to a copy-paste error, libopenvswitch is missing a dependency when
Open vSwitch is configured to use unbound:
Package openvswitch-libopenvswitch is missing dependencies for the following libraries:
libunbound.so.8
Use the correct config symbol to solve this.
Fixes: 45c8cc9d8a ("openvswitch: make libunbound optional")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The genhash binary is only built when IPVS is enabled, so make its
installation depend on IPVS being enabled.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Add a UCI config option to set the OpenFlow datapath description. This
allows setting a human readable description of the bridge, e.g.
"Building x, Floor y, AP z", which makes it easier to recognize the AP.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Upstream released 1.0.0, so change the package to the git tag 1.0.0
Mainly documentation and argument handling changes
Signed-off-by: Damien Mascord <tusker@tusker.org>
- Added missing conffiles
- Refreshed init srcipt to adapt the new arguments
- Renamed package name to lowercase (suggestion from upstream)
- Updated dependencies and license
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* add wpa-supplicant package dependency
* removed no longer working 'db-bahn.login' and 'wifionice.login' auto-login scripts
* added the new 'wifibahn.login' script for auto-logins to captive portals WIFI@BAHN (DE),
run tested on a single ICE (station logins are currently unsupported!)
* vodafone.login prepared to support free/time limited logins (still WIP!)
* change return code handling in login scripts and travelmate
* refine f_wifi function
* fix a few conercase issues
Signed-off-by: Dirk Brenken <dev@brenken.org>
Some versions of killall do support the `killall -SIGNAL` syntax and
have only `-s SIGNAL` which should be supported everywhere.
I see the problem with *killall (PSmisc) 23.3* on latest TurrisOS 5.2
Signed-off-by: Jan Baier <jan.baier@amagical.net>
Some versions of killall do support the `killall -SIGNAL` syntax and
have only `-s SIGNAL` which should be supported everywhere.
I see the problem with *killall (PSmisc) 23.3* on latest TurrisOS 5.2
Signed-off-by: Jan Baier <jan.baier@amagical.net>
Currently there is a problem with log spam when ipv6 network
is dropped. Fix this by backporting a patch to silence these errors
when verbose logging is not enabled.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
