The "build" script was replacing a ~DATE~ with current date.
Now it uses $(SOURCE_DATE_EPOCH).
Fixes #17848
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
ipvsadm build fails on macos because the libipvs Makefiles use the system
`ar`, which is not compatible with the objects generated by the OpenWrt
GCC toolchain.
This commit adds a patch to allow redefining ar.
This commit modifies an old patch (removing CC=gcc is not required
because it is redefinable).
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
In the build environment autotools finds the `passwd` binary in
/usr/bin. But in the target image it is available under /bin instead.
Manually set the path to the `passwd` binary to `/bin/passwd`.
Signed-off-by: Rucke Teg <rucketeg@protonmail.com>
There is no need to remove root password from /etc/shadow as the
password in the file is blank anyway in the failsafe mode.
Signed-off-by: Rucke Teg <rucketeg@protonmail.com>
DoH is enabled by default, but disabling it removes the need to link
against libnghttp2, which may be desirable in more constrained
environments.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
* consolidate dnsmasq config manipulation into one function
* more elegant code for PROCD data processing (Thanks @jow-!)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Manually added new env variable `XDG_DATA_HOME` which won't be passed
by procd by default.
Removed upstreamed patch.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
This is a virtual package that is satisfied by either
strongswan-mod-socket-default or strongswan-mod-socket-dynamic, and is
required by the charon daemon. When neither of these packages is
installed, charon will not function.
Closes #16261, #16263 and #16367.
Signed-off-by: Noel Kuntze <noel.kuntze@thermi.consulting>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
There's only one of the shaper scripts (simple.qos) that uses iptables, and
it should be fine with iptables-nft for compatibility with the new default
nft-based firewall. Confusingly, we still need the iptables-mod-ipopt
package to get the DSCP match module; we never used CONNMARK, though, so
drop the iptables-mod-conntrack-extra dependency while we're at it.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
With commit 385200443554 ("babeld: add add_interface function") babeld
has a new ubus function allowing to dynamically add an interface.
Before the add_interface function, we were required to reload babeld.
The reload influenced the babeld routing. However, the remove part is
still missing and will be added at a later stage.
Signed-off-by: Nick Hainke <vincent@systemli.org>
The chaosvpn Makefile detects Darwin (macos) and changes compilation
flags for the macos target, but OpenWrt is always Linux, so the build fails.
This patch redefines OS=Linux to use the Linux compilation flags.
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
nut build fails on macos due to:
1. The configure script can not use the AR env var because the OpenWrt build
system provides only the executable name (e.g. aarch64-openwrt-linux-musl-gcc-ar)
but the configure script checks if AR contains '/'. As a result, the configure
script ignores the AR env var and uses the system `ar`, but macos `ar` is
not compatible with the objects generated by the OpenWrt GCC toolchain.
This commit explicitly sets ac_cv_path_AR=$(TARGET_AR) to use the
OpenWrt toolchain AR.
2. The configure script detects if the build host is macos and adds the
macosx_ups driver as a build target, but this driver can not be
built with the OpenWrt toolchain because OpenWrt is Linux.
This commit explicitly disables the macosx_ups driver using the configure
flag --without-macosx_ups.
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
host-compile fails on macos for several reasons:
1. The host-compile Makefile is always selected for Linux
2. The macos host cc (clang) fails due to implicit-function-declaration
3. The ar and ranlib tools are hardcoded in the softethervpn Makefiles
All three issues are fixed by this patch.
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
knxd compilation fails on macos because clang does not support the
exit() builtin function that is used to detect the build cc.
This commit adds a patch to fix this issue (replaces `exit 0` by
`return 0` in conftest.c).
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
This intends to replace the hotplug script. It still hardcodes "wan"
interface name (as several other packages do) for lack of a deterministic
way to detect the actual wan iface before it is brought up, but at least
it is fully integrated with procd and will not start a disabled service.
The interface trigger forcefully restarts chilli as a simple reload may
not be sufficient to recover from wan changes.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This hotplug trigger unconditionally restarts coova-chilli when the "wan"
interface sees action "ifup", without checking whether or not the
service is disabled or the upstream interface is actually called "wan".
This hotplug could be replaced by a suitable service trigger instead.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Coova Chilli creates "undo" firewall scripts that are intended to be run
when the daemon is shut down. Failure to do so results in leftover
entries in firewall and duplicated ones if chilli is subsequently
restarted.
Execute these scripts when the service stops.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Coova Chilli will fail to start if e.g. it cannot resolve names in its
configuration (like uamserver, radiusserver, etc) which is typically the
case when wan is unavailable. Prevent this situation by delaying startup
if wan is not available.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
isc-dhcp uses the system ar tool, so the build fails on a Darwin build host.
The embedded bind lib uses the system ar and ranlib tools and fails on Darwin.
This patch explicitly specifies the ar and ranlib tools for the target build.
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
Backported upstream pending pull request to fix the following error:
CMake Error at /foo/staging_dir/host/share/cmake-3.19/Modules/FindPackageHandleStandardArgs.cmake:218 (message):
Could NOT find CURSES (missing: CURSES_LIBRARY)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Declare the nftables variant as the DEFAULT_VARIANT
as the nftables-based firewall4 is now the default in OpenWrt.
Additionally,
* toggle CONFLICTS placement to avoid circular dependency warning
* use AUTORELEASE
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Maintainer: me
Build system: Arch Linux x86_64
Build tested: ipq806x/R7800
Run tested : ipq806x/R7800
Signed-off-by: Daniel Bermond <danielbermond@gmail.com>
Add flag "--lookup-default-namespace" to signal that wg-installer should
look for already established wireguard sessions in the default namespace.
Signed-off-by: Nick Hainke <vincent@systemli.org>
This commit removes iptables backend support and leaves only the
netfilter backend support. This means that:
- iptables and nftables firewall based systems (firewall3 and firewall
4) are supported through the netfilter instance mode
- the iptables/xtables mode support is disabled
For more information on the modes and how to use the new netfilter
instance check out https://www.jool.mx/en/intro-jool.html
This move is made because of the upstream commit that sets firewall4 as the
default for new default builds, and based on the conversation in #16818
it was decided that the netfilter interface is the priority since
iptables support will be dropped in the foreseeable future.
While at it, update the templates provided.
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
The libreswan makefile detects macos (darwin) and changes the build logic,
but OpenWrt is always Linux, so it is required to specify linux as the
target platform.
This patch specifies Linux as the target platform.
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
crowdsec renamed the binary from crowdsec-firewall-bouncer to cs-firewall-bouncer;
the initd needs the correct binary name to start the process.
The link for the github source also needs to be fixed (only the information one).
Fix the BuildDate.
Updated copyright.
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
Check if a peer is already existing with a given public key. Introduce a
response code for signaling why the server rejected the request.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Use shellcheck to rework the code. Use "export" to return variables from
a function call. Further, fix typos.
Signed-off-by: Nick Hainke <vincent@systemli.org>
* bump to 4.7.0
* enable DNS over TLS (uses libssl which was already a dependency)
* add libcurl dependency for new zone-to-cache feature.
Co-Authored-By: wout@wbnet.eu
Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>
Latest Apple clang (v13) defines __cplusplus=199711 by default, but
protobuf requires at least 201103 (c++11).
Backported patch to fix c++ detection:
30fe936a88
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
Version 1.0.1 brought the following changes:
[v1.0.1] - 2021-11-26
Primarily fixes a few issues in the kernel module that were found
during a quick review from Russell King:
https://lore.kernel.org/netdev/YYPThd7aX+TBWslz@shell.armlinux.org.uk/
https://lore.kernel.org/netdev/YYPU1gOvUPa00JWg@shell.armlinux.org.uk/
- mdio: The mvls subcommand now supports flushing the ATU
- mdio-netlink: Plug some glaring holes around integer overflows of
the PC.
- mdio-netlink: Release reference to MDIO bus after a transaction
completes.
So, update to the latest version and switch the kernel module back
to fetching tarballs like the userspace tool does.
Signed-off-by: Robert Marko <robimarko@gmail.com>
* Updating i2pd package to 2.40.0
* Rewrite Makefile
* Remove usage of PKG_INSTALL (package's make install)
* Rewrite init.rc configuration and script
* Remove '--service' option from init, which only sets datadir to /var/lib/i2pd
* Use '--datadir' option in init, otherwise changing datadir via uci does not work
* Update patch for i2pd.conf
Signed-off-by: R4SAS I2P <r4sas@i2pmail.org>
When ModemManager is started on boot we may end up with hotplug events
reported directly to the daemon, plus some others already cached in
the cache file before the daemon was started.
If the cached events correspond to the same device that is still
notifying ports directly, we may end up with a modem object created
before the cached events have been emitted, so the modem may not
handle all control/data ports it should.
E.g.:
- modem detected
- hotplug event for wwan0 port, cached as MM not running
- hotplug event for cdc-wdm0 port, cached as MM not running
- hotplug event for ttyUSB0, cached as MM not running
- MM starts
- hotplug event for ttyUSB1, directly processed as MM is running
- hotplug event for ttyUSB2, directly processed as MM is running
- modem object created with ttyUSB1 and ttyUSB2
- 2s after MM starts, cached events for wwan0, cdc-wdm0 and ttyUSB0
happen, but are ignored because the modem object has already been
created
MM expects that ports of the same device are reported with less than
1500ms in between ports. In other words, if ports are reported more
than 1500ms after the last reported port, they may get ignored.
If we remove the 2s timeout, the report of the cached events will
happen as soon as MM starts, which makes it much more likely to happen
in the timeslot that MM expects for ports of the same device reported.
The logic is still not perfect, and we may also need to increase that
1500ms timeout inside MM, but removing the 2s timeout right away here
makes sense.
This 2s timeout was introduced along with the new wrapper launcher for
the daemon, it didn't exist before.
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
This commit adds support for starting and running jool through init
scripts, with default config files as examples.
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
Add checks not to overwrite defaultnotify options in the nut-sendmail-notify fashion.
Use lists for defaultnotify instead of option.
Add check not to overwrite notifycmd if already defined.
upssched-cmd script must not be called directly, it is called by the upssched binary with needed arguments.
Signed-off-by: Pascal Coudurier <coudu@wanadoo.fr>
Convert notifyflags options to lists as supported by the init script, so multiple options can be chosen.
Add SYSLOG default option to individual notifyflags instead of the deprecated flag 1|0.
Add comment for defaultnotify and individual notifyflags about possible values.
Signed-off-by: Pascal Coudurier <coudu@wanadoo.fr>
lynx uses the host C compiler to build an internal utility that is used to
generate files required for the target build. On MacOS it uses the internal
clang with MacOS system headers, so the host build fails because MacOS is
not Linux.
Force the use of the OpenWrt host C compiler via the --with-build-*
./configure flags.
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
This backports a patch from upstream radsecproxy to fix compilation with glibc 2.34.
It fixes the following build problem:
radsecproxy.h:35:5: error: missing binary operator before token "("
35 | #if PTHREAD_STACK_MIN > PTHREAD_STACK_SIZE
| ^~~~~~~~~~~~~~~~~
make[5]: *** [Makefile:623: dtls.o] Error 1
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
davfs2 username and password information is typically stored in
/etc/davfs2/secrets. This information should be kept across sysupgrades.
Signed-off-by: Matthew Hagan <mnhagan88@gmail.com>
Although undocumented, there's a way to explicitly disable static linking in
Stubby, setting the CMake build option ENABLE_GETDNS_STATIC_LINK to OFF (ON by
default). Make it so.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Drop the tftpd binary, which is no longer provided upstream. Users
should switch to the atftp server as a replacement.
Avoid executing runtime tests, which are not supported in cross-build
environments.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
When zone id is explicitly provided, there is no need for the API token to have read permission. Inspired by acme.sh's cloudflare logic.
Signed-off-by: Glen Huang <heyhgl@gmail.com>
Update crowdsec-firewall-bouncer to latest upstream release version 0.0.21
Makefile rework
- use tagged version for download
Fixes
- set API_KEY in firewall bouncer config file
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
backport of upstream commit
3c66c1fec7
Original author: Nikhil Benesch <nikhil.benesch@gmail.com>
Remove unnecessary flag in macOS build
The configuration logic for adding the `-search_paths_first` linker
flag on Darwin does not correctly handle cross compilation. It should
check the value of $krb5_cv_host rather than `uname -s` to detect when
the compilation target is Darwin, rather than the build machine.
It turns out `-search_paths_first` has been the default behavior of ld
on macOS since XCode 4. So just remove that bit of logic entirely.
(The flag was added in commit acd27af0e845f8b93de2e226cc2ec9ac8af52077
in 2004; XCode 4 was released in 2010.)
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
With procd-ujail enabled, it is not possible to use HTTPS URLs, for
example when downloading torrent files or blocklists. The
following example occurs when downloading a URL from the "Upload Torrent
Files" dialogue box:
Error adding
"https://releases.ubuntu.com/21.10/ubuntu-21.10-desktop-amd64.iso.torrent":
gotMetadataFromURL: http error 0: No Response
syslog will also hint that no CA_BUNDLE is being used:
transmission-daemon[6683]: [2021-12-30 20:01:30.990] web will verify
tracker certs using envvar CURL_CA_BUNDLE: none (web.c:455)
This patch rectifies this issue by adding a ca_bundle configurable,
enabled by default. This explicitly fixes the ca_bundle file location
to /etc/ssl/certs/ca-certificates.crt and adds this file to the procd
jail. On subsequent testing, HTTPS URL download functionality is
restored.
Signed-off-by: Matthew Hagan <mnhagan88@gmail.com>
The delete variable was misspelled leading to devices always being
removed although they had connected neighbors.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Update crowdsec to latest upstream release version 1.2.2
Makefile rework
- use tagged version for download
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
Issue: 2to3 support has been removed in setuptools since version 58.0.0.
Fix: openwrt/packages#17311
Requirements: 2to3/host openwrt/packages#17429
Add upstream patch: 196c55e931
To install/build for python3 from source, it is necessary to convert the
codebase to py3 before setup (invoke 2to3 or ./fail2ban-2to3 first).
> ./fail2ban-2to3
> python3 setup.py build
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
The next OpenWrt stable release aims to use firewall4 by default. As
this uses nftables as backend, miniupnpd will no longer work. Create an
iptables and nftables variant of the miniupnpd package so that miniupnpd
can be used with either firewall variant.
See #16818 for more info.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Since version 2.2.3, miniupnpd will detect MS clients and force IGDv1.
This reverts commit 7f5534ac7a.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Removed patches:
001-fix-stime-glibc-remove.patch - it is included in upstream
003-Fix-compilation-with-gcc11.patch - no longer necessary
Updated patches:
002-Avoid-problems-with-64-bit-time_t.patch
Refreshed patches:
004-Comment-out-librt-testing.patch
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
These cmake modules are actually never referenced. Stubby itself doesn't link to
libidn or libunbound, only getdns does. They're most likely leftovers from when
stubby was split from getdns to its own repository.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Full changelog available at: https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.0
packr has been removed from build dependencies, per
c6888326b0 (diff-2873f79a86c0d8b3335cd7731b0ecf7dd4301eb19a82ef7a1cba7589b5252261L2)
Also added the ability to configure working directory location and moved
the directory to /var. On most setups this should not change anything,
as /var is symlinked to /tmp. The move mostly benefits setups where /var
is configured to be persistent.
The working directory is used by AdGuard to store persistent data like
query logs, filter lists, etc.
Data stored in this directory can get really huge, so allowing
this directory to be moved elsewhere (i.e. a USB drive) is very
beneficial.
Co-authored-by: Dobroslaw Kijowski <dobo90@gmail.com>
Co-authored-by: Jeffery To <jeffery.to@gmail.com>
Signed-off-by: Hiếu Lê <leorize+oss@disroot.org>
Add MaxMind's geoipupdate utility. mmdb files are downloaded to /var/GeoIP
by default. The user should update /etc/GeoIP.conf with their API key and
DB choice, currently set to country only. So as not to exceed MaxMind's
download limitations, the user should manually run the utility or set up a
cron job.
Signed-off-by: Matthew Hagan <mnhagan88@gmail.com>
Remove unnecessary crowdsec package dependency, to be able to use
crowdsec-firewall-bouncer independently from a crowdsec local installation
(with remote API).
Fix issue: https://github.com/openwrt/packages/issues/17406
Description:
using crowdsec-firewall-bouncer on many OpenWRT devices connected
with my domain LAPI server (which collects many crowdsec machines,
mostly nginx), it works great. Actually, the crowdsec package is not
mandatory for that usage; it would be great if it was not a dependency.
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
Maintainer: me / @mkrkn
Compile tested: ramips/mt7620 TP-Link Archer C50 v1, ramips/mt7621 Xiaomi Mi router 3 Pro, ath79/generic TP-Link WDR-3500
Run tested: ramips/mt7620 TP-Link Archer C50 v1, ramips/mt7621 Xiaomi Mi router 3 Pro, ath79/generic TP-Link WDR-3500
openvpn: update to 2.5.5
use of CFG Spectre-mitigations in MSVC builds
bring back OpenSSL config loading to Windows builds
several build fixes, refer to https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Fixes: f88485f572 ("nft-qos: silence buildsystem errors")
Prefixing IPKG_INSTROOT to sourced includes is ineffective for this
package.
Source includes only when empty to avoid image make errors.
Signed-off-by: Imran Khan <gururug@gmail.com>
The kmod-sched-cake package already depends on kmod-sched-core, there's no need
for explicitly stating the dependency.
While at it, change PKG_RELEASE to $(AUTORELEASE).
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Enabling OPENVSWITCH in the kernel config selects MPLS. This exposes the
MPLS_ROUTING symbol, which is missing if kmod-mpls is not enabled. On
kernel 5.4 this problem doesn't show up, as the Open vSwitch package
uses the in-tree kernel modules rather than the upstream ones.
Restore the kmod-mpls dependency when using the upstream kernel modules
to fix build.
Reported-by: Matthew Hagan <mnhagan88@gmail.com>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The ifeq check for CONFIG_OPENVSWITCH_WITH_LIBUNBOUND does not evaluate
correctly within the menuconfig, resulting in libunbound not being
selected, resulting in a failing libunbound.so.8 dependency.
Instead add this condition:dependency in the manner defined in the
OpenWrt developer guide.
Signed-off-by: Matthew Hagan <mathagan@fb.com>
ovs_libovsdb_depends and ovs_libofproto_depends append the libatomic
dependency. However in these cases these variables were not previously
defined and thus a reader may search the Makefile for the definition.
Therefore change the operator to explicitly define these dependency
variables, rather than append. In addition add a space after operator to
improve readability and conform to other dependency definitions in the
Makefile.
Signed-off-by: Matthew Hagan <mathagan@fb.com>
Rather than defining dependencies, then appending the libatomic
dependency on the following line, merge all into one definition.
Simultaneously, sort by alphabetical order.
Signed-off-by: Matthew Hagan <mathagan@fb.com>
The output of the hotplug script is very chatty and floods the log with
messages that are not necessary in normal operation.
So that the log can be filtered, a log level was added to each message
as the first option of the mm_log function call.
In addition, the facility of the hotplug script has been set to daemon,
which in my view fits better than user.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
1. The prctl() check is not required for host-compile on any OS because prctl
is not used in rpcgen, which is the only thing compiled during the host-compile
phase. The prctl() check is disabled via HOST_CONFIGURE_VARS in the OpenWrt makefile.
2. __DARWIN_ONLY_64_BIT_INO_T is true on macos arm64, so struct stat64
and stat64() are not available. This patch defines stat64 as stat if
__DARWIN_ONLY_64_BIT_INO_T is true.
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
Breaking changes:
The database has been replaced with boltdb to try to solve the problem
of database corruption.
Note that the data will not be migrated, but the previous data will be
retained. If you need the previous data, just downgrade v2rayA (v1.5.4).
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
depend on libpcre2 instead of libpcre
also remove patches incorporated upstream into lighttpd 1.4.62
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
route-override IPAM works as a meta CNI plugin to override the IP route given by previous CNI plugins. It is useful in a case with a network-attachment-definition.
Currently route-override has verified its features with podman and crio (with Kubernetes).
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
The way the init script is written now, we get bad output when calling
the ubus service backend.
ubus call service list "{'verbose':true,'name':'modemmanager'}"
>{
> "modemmanager": {
> "instances": {
> "instance1": {
> "running": true,
> "pid": 20511,
> "command": [
> "sh",
> "-c",
> ".
>/usr/share/ModemManager/modemmanager.common; \t
>mkdir -m 0755 -p /var/run/modemmanager; \t
>mm_cleanup_interfaces; \t
>( mm_report_events_from_cache ) >/dev/null 2>&1 & \t
>/usr/sbin/ModemManager"
> ],
> "term_timeout": 5,
> "respawn": {
> "threshold": 3600,
> "timeout": 5,
> "retry": 5
> },
> "pidfile":"/var/run/modemmanager/modemmanager.pid"
> }
> }
> }
>}"
I also get the output in the log that the PID file cannot be created.
> daemon.err procd: Failed to remove pidfile: :No such file or directory
The changes in this commit fix these issues by moving startup into a
wrapper script.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
SpeedTest++
Yet another unofficial speedtest.net client cli interface
For users who instead of python based speedtest client want
to use something that was written in c++...
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Currently banip matches nginx log entries starting with
nginx[number]:...
I am running a containerized nginx with alpine as base, which
ends up adding log entries without the [number] part,
like this:
nginx:...
This patch updates the regex for the nginx log entry search to include
both versions.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
The configuration for the ksmbd service is auto-generated when
the OpenWRT configuration changes, and also during startup,
hence ksmbd.init has to reload the kernel module. It does that by
calling kill_server, which does not perform cleanup. This results
in ksmbd being killed but not restarted properly during boot.
This patch resolves the issue by using stop_service, which performs
proper cleanup.
https://forum.openwrt.org/t/ksmbd-samba3-4-alternative-ex-cifsd-smbd-package-support-thread/51695/68
Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
Django 1.x is not compatible with python 3.10.
Mark the package as BROKEN. Since its dependent packages will also
select it, they will need to be marked BROKEN as well to avoid recursive
dependencies--packages not marked as BROKEN will be able to select the
broken package.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
- Update haproxy download URL and hash
- Switched over to using USE_LIBATOMIC in favor of -latomic
- Added a patch which fixes nossl builds
Signed-off-by: Christian Lachner <gladiac@gmail.com>
7bf79a2 ubus: set scan duration to roam scan interval
b4eb49e policy: only select nodes with better signal when roaming
5d5a0be ubus: don't request measurement from unsupported STAs
abc6fe0 local-node: update STA RRM capabilites
5ec713b node: determine roamability when selecting neighbors
d0cd65b node: save created time for node
a5c21ae ubus: prioritize neighbor reports on bss transition
532a48d local-node: prioritize neighbor candidates
4862080 node: keep track of roam-sources and roam-destinations
6a20591 sta-info: add last_connected field
Signed-off-by: David Bauer <mail@david-bauer.net>
Commit 1038ac1235 ("openvswitch: add support for definining bridge ports...")
added two new options:
- drop_unknown_ports
- ports
They are missing from the README, so add them.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Fixes 'transmission-web' for users who didn't manually configure the
'web_home' option.
Assume transmission's default in case 'web_home' isn't defined and
mount the directory so it can be accessed from inside the jail.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Add missing "inotify_add_watch", "inotify_init1" and "inotify_rm_watch"
syscalls to seccomp filter which are needed in case watch_dir feature
of transmission is used.
Fixes #16972
Reported-by: @siwind
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
As written in the commit message:
Depending on your conntrackd configuration, events might get lost,
leaving stuck entries in the cache forever. Skip checking the conntrack
ID to allow for lazy cleanup by when a new entry that is represented by
the same tuple is added.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Open vSwitch does not bring up ports automatically. This is not a
problem for wireless ports, or for ports configured in
/etc/config/network, but other ports will be down, and require manual
interaction to be brought up. Configuring them with proto none will
cause netifd to do some actions on them, which might cause undefined
results, and will also bloat the UCI config file.
The cleanest solution is to bring all member ports up as part of the
init script.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
statd currently fails to start due to missing /run which doesn't exist
on OpenWrt.
Add a patch moving /run to /tmp/run as the path is hardcoded in several
places and can be configured neither at build time nor at runtime.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
`time_t` on musl 1.2 is 64-bit, while `long` is 32-bit. We will always get zero time with the original source on mips big endian.
Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
The PCIe physdev path lookup relies on the 'vendor' and 'device'
attribute files, instead of the 'idVendor' and 'idProduct' ones, which
are USB specific.
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
OVN doesn't require Python Six, since about commit
338a6ddb5e
Maybe even earlier than that.
There are some left-over installations of six in their CI, but no usage in
any Python source code.
Refreshed patches.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Python six was required to build the OVS Python libs during the time when
they were supporting both Python 2 & 3.
Python 3 is a minimum requirement for OVS Python's libs since commits:
1ca0323e7cbd90524550
and Six is no longer required since commit
0c4d144a98
The end-goal here is to get rid of the Python Six host-build.
OVS is the only user.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Release notes:
1.8.0
- Upgrade json.hpp dependency to version 3.10.2
- Check if DNS servers need to be applied on macOS
- Set MAC address before bringing up Linux TAP link
- Stop binding to temporary IPv6 addresses
- Fix for mistakenly using v6 source addresses for v4 routes on some platforms
- Fix for MacOS MTU capping issue on feth devices
- Implement a workaround for one potential source of a "coma" bug, which can occur if buggy NATs/routers stop allowing the service to communicate on a given port. ZeroTier now reassigns a new secondary port if it's offline for a while unless a secondary port is manually specified in local.conf. Working around crummy buggy routers is an ongoing effort.
- A completely rewritten desktop UI for Mac and Windows!
1.8.1
- Fix an issue that could cause clobbering of MacOS IP route settings on restart.
- Added additional hardening against address impersonation on networks (also in 1.6.6).
- MacOS IPv6 no longer binds to temporary addresses as these can cause interruptions if they expire.
- Remove support for REALLY ancient 1.1.6 or earlier network controllers.
- Fix numerous UI issues from 1.8.0 (never fully released).
Changed to git as source and added $(AUTORELEASE)
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Client and server software to query DNS over HTTPS, using Google DNS-over-HTTPS protocol and IETF DNS-over-HTTPS (RFC 8484). https://github.com/m13253/dns-over-https
Signed-off-by: Martin Schneider <martschneider@google.com>
Side-effect of dropping capabilities(7) with last commit is now we
need the `/var/run/named/` directory created for us at startup.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Reasons to drop this package:
a) this package depends on luci-app-rosy-file-server
Unfortunately, it was marked as broken as it is unmaintained.
See: 34b682afac
b) maintainer is inactive
c) rosinson website does not seem to be working
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Update to the newest versions and switch to $(AUTORELEASE) for the python3 packages (where I am the maintainer).
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
Currently when the connection times out, the interface will disconnect.
Add capability to add persistent option to re-establish connectivity.
Signed-off-by: Matthew Hagan <mnhagan88@gmail.com>
* adopt pypi name and line numbers in patches
* remove custom tar command and patch for using python3 (changed upstream)
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
It never works... And Xray-core needs root access to work.
Bump geodata to latest version while at it.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
The following CVE updates are included:
* CVE-2021-25219: The "lame-ttl" option is now forcibly set to 0. This
effectively disables the lame server cache, as it could previously be
abused by an attacker to significantly degrade resolver performance.
* CVE-2021-25218: An assertion failure occurred when named attempted
to send a UDP packet that exceeded the MTU size, if Response Rate
Limiting (RRL) was enabled.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Reload the service when interfaces flap; note that libcap support
is required to open new sockets on interfaces coming up during
a reload, otherwise a full restart would be needed.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Use newly introduced procd_add_reload_mount_trigger to reload nfsd
when a mountpoint covering an exported filesystem is added by blockd.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fix uci-defaults for PostgreSQL backends
Add user 'gnunet' to 'postgres' group
Always build with sqlite3 as configure fails when --without-sqlite
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
If an interface doesn't exist yet when vnStat is started, it won't be
monitored, as only existing interfaces can be added to the database via
the vnstat command.
This adds a hotplug script which adds any configured interfaces to the
vnStat database when it goes up.
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
By default, vnstatd adds all available interfaces on startup when its
database is empty. The --noadd option prevents this, but it breaks
import of legacy databases, and causes vnstatd to exit immediately
after startup, which breaks reloading.
This changes the init script to add the --noadd option when no legacy
databases need to be imported, and patches vnstatd to keep running
even when no interfaces are configured.
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
This has been replaced with the "trust-anchors" keyword, per
section 8.21.1 New Features of the Bind 9 Administrator Reference
Manual:
• In order to clarify the configuration of DNSSEC keys, the trusted-keys and managed-keys statements have been deprecated, and the new trust-anchors statement should now be used for both types of key.
When used with the keyword initial-key, trust-anchors has the same behavior as managed-keys, i.e., it configures a trust anchor that is to be maintained via RFC 5011.
When used with the new keyword static-key, trust-anchors has the same behavior as trusted-keys, i.e., it configures a permanent trust anchor that will not automatically be updated. (This usage is not recommended for the root key.) [GL #6]
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
apxs is used to get information about the apache installation when
building external modules. Currently there are issues:
1.
./staging_dir/target-mips_24kc_musl/usr/bin/apxs -q TARGET
apache2
apxs:Error: ./staging_dir/target-mips_24kc_musl/home/sk/tmp/openwrt/staging_dir/target-mips_24kc_musl/usr/bin/apr-1-config not found!.
This error is fixed by sed script #2.
2.
./staging_dir/target-mips_24kc_musl/usr/bin/apxs -q TARGET
cannot open ./staging_dir/target-mips_24kc_musl/home/sk/tmp/openwrt/staging_dir/target-mips_24kc_musl/usr/share/apache2/build/config_vars.mk: No such file or directory at ./staging_dir/target-mips_24kc_musl/usr/bin/apxs line 213.
This error is fixed by sed scipt #1.
Both sed scripts taken from buildroot (see [1]).
[1] https://github.com/buildroot/buildroot/blob/master/package/apache/apache.mk
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This commits adds the new usteer package to the packages feed.
usteer is a daemon for steering wireless clients across frequency
bands as well as between multiple access points on a network.
Signed-off-by: David Bauer <mail@david-bauer.net>
ospf running in instance mode will keep the CPU at 100%, so revert the offending commit.
If a daemon is disabled in the file while running, also close that daemon.
Also add the pythontools to support reload.
Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
Some users report that DAWN sometimes crashes after a while. Mostly
this happens after the new update has been rolled out.
Since I would not like to go back to the older version, I add as
a workaround for now that DAWN is automatically respawned.
Workaround for:
https://github.com/berlin-open-wireless-lab/DAWN/issues/151
Signed-off-by: Nick Hainke <vincent@systemli.org>
WWAN devices may now be exposed in the new 'wwan' subsystem in the
kernel (since 5.13), initially applicable to devices exposed in PCIe
(no USB), but at some point may also apply to USB devices that until
now were exposed via other subsystems (e.g. usbmisc, tty).
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
* bugfix: change killall param from -HUP to -s HUP
* bugfix: change tmpfs param from status to gateway
Signed-off-by: Stan Grishin <stangri@melmac.net>
* there are reports that 0.3.5-x versions do not work on some configs
* the development of the new features moved to the new package (pbr)
* revert to the last known good version of vpn-policy-routing
Signed-off-by: Stan Grishin <stangri@melmac.net>
* refresh patches
* disabling kres_gen_test is not required anymore for cross compilation, it was fixed upstream with the 5.4.1 release
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
This uses some definitions from <sys/cdefs.h> in gcc 8.4.0, not present
in musl or gcc11.
Also use clock_gettime() instead of syscall(__NR_clock_gettime,...),
which is not currently defined.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* update to [2021-09-27](da2501f542)
* fixes https://github.com/aarond10/https_dns_proxy/issues/125
* restart instead of reload on interface hotplug
* fixes https://github.com/openwrt/packages/issues/16794
* produce output and log entries on service start/stop
* prevent unnecessary dnsmasq restarts if service has previously updated dnsmasq settings
* allow both named and typed dnsmasq instance settings to be updated
* update 010-fix-cmakelists patch file
Signed-off-by: Stan Grishin <stangri@melmac.net>
Default to letsencrypt because the upstream default may change.
Passing --staging is no longer needed, since --server will
select a staging server if needed.
Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
Tested-by: Georgi Valkov <gvalkov@abv.bg>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
/net/crowdsec-firewall-bouncer/
crowdsec-firewall-bouncer will fetch new and old decisions from
a CrowdSec API to add them in a blocklist used by supported firewalls.
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
/net/crowdsec/
Crowdsec - An open-source, lightweight agent to detect
and respond to bad behaviours.
It also automatically benefits from a global community-wide
IP reputation database.
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
* c70773a - datastorage: use signal strength as a metric
* 14e0f83 - Don't display debugging output with DAWN_NO_OUTPUT
* 97e5de1 - uci: add neighbor list priority options
* 2b1a53c - dawn_uci: set default values
* 6eb747b - Use separate configs for 802.11g & 802.11a bands
* 1e34357 - Verify compatibility before parsing config message
* a7a8309 - List all neighbors with same score when kicking
* 3ba0fa4 - Change beacon request fields to appropriate values
* 009aab9 - Change mode config parameter from int to string
Signed-off-by: Nick Hainke <vincent@systemli.org>
Update to GNUnet release 0.15.3.
Note that GNUnet 0.15.x is incompatible with the previous 0.14.x
wire format.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
- Update haproxy download URL and hash
- Make build-target and parameters dependant on configured c-library
- Removed duplicate build-parameters
Signed-off-by: Christian Lachner <gladiac@gmail.com>
This commit fixes an issue where the `AUTOSSH_GATETIME` is not available in the `procd` environment which gets overwritten by the second `procd_set_param env` call.
It now calls the `procd_set_param env` once with the two variables, instead of twice.
Signed-off-by: Leo Soares <leo@hyper.ag>
Switch to AUTORELEASE for simplicity.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[remove irrelevant part from commit message after splitting changes]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Currently `travelmate` only supports the `<meta` tag
if it contains `"`. This updates `travelmate.sh` to support
`'` as well.
```html
<meta...content='1; url=
```
Signed-off-by: Kamil Trzciński <ayufan@ayufan.eu>
This patch to remove PowerDNS' check for whether time_t is 64-bit is not needed anymore,
due to OpenWrt now having a more recent musl libc where time_t is 64-bit on all architectures.
Signed-off-by: Wout Bertrums <wout@wbnet.eu>
Switch to AUTORELEASE for simplicity.
Switch to normal tarballs.
Add license information.
Reorganize Makefile for consistency between packages.
Add libtool patch fixing compilation under some conditions.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Testing showed that additional syscalls are needed on ARMv7.
Add "clock_gettime64" and "statx" which seem to be used now instead
of "clock_gettime" and "stat" syscalls which are already listed.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
When Open vSwitch is configured to use a controller, but is unable to
connect to it, Open vSwitch will setup flows to allow all traffic, if
the failure mode is not configured, or set to standalone.
As this might be a security hazard, it is also possible to configure
Open vSwitch in a secure failure mode. Enabling this mode causes Open
vSwitch to drop all traffic if it is unable to connect to the
controller.
Redirect stderr of the command to /dev/null as it does not support the
--if-exists option.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Due to a copy-paste error, libopenvswitch is missing a dependency when
Open vSwitch is configured to use unbound:
Package openvswitch-libopenvswitch is missing dependencies for the following libraries:
libunbound.so.8
Use the correct config symbol to solve this.
Fixes: 45c8cc9d8a ("openvswitch: make libunbound optional")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The genhash binary is only built when IPVS is enabled, so make its
installation depend on IPVS being enabled.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Add a UCI config option to set the OpenFlow datapath description. This
allows setting a human readable description of the bridge, e.g.
"Building x, Floor y, AP z", which makes it easier to recognize the AP.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Upstream released 1.0.0, so change the package to the git tag 1.0.0
Mainly documentation and argument handling changes
Signed-off-by: Damien Mascord <tusker@tusker.org>
- Added missing conffiles
- Refreshed init script to adapt to the new arguments
- Renamed package name to lowercase (suggestion from upstream)
- Updated dependencies and license
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* add wpa-supplicant package dependency
* removed no longer working 'db-bahn.login' and 'wifionice.login' auto-login scripts
* added the new 'wifibahn.login' script for auto-logins to captive portals WIFI@BAHN (DE),
run tested on a single ICE (station logins are currently unsupported!)
* vodafone.login prepared to support free/time limited logins (still WIP!)
* change return code handling in login scripts and travelmate
* refine f_wifi function
* fix a few corner-case issues
Signed-off-by: Dirk Brenken <dev@brenken.org>
Some versions of killall do support the `killall -SIGNAL` syntax and
have only `-s SIGNAL` which should be supported everywhere.
I see the problem with *killall (PSmisc) 23.3* on latest TurrisOS 5.2
Signed-off-by: Jan Baier <jan.baier@amagical.net>
Some versions of killall do support the `killall -SIGNAL` syntax and
have only `-s SIGNAL` which should be supported everywhere.
I see the problem with *killall (PSmisc) 23.3* on latest TurrisOS 5.2
Signed-off-by: Jan Baier <jan.baier@amagical.net>
Currently there is a problem with log spam when ipv6 network
is dropped. Fix this by backporting a patch to silence these errors
when verbose logging is not enabled.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
fail2ban v0.11.2 package version 2
Following PR #15098, add fixes to build fail2ban package:
- remove use of fail2ban-python (directly use python3 in script)
- remove link to python3 in /usr/bin (break the package build)
- remove python-tests (reduce the package size)
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
To allow the script to define what it should be run with.
This lets the user use bash if it's available, or python, or perl, etc.
Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
Update PKG_VERSION to 2.10.11
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The "-s -w" flags in GO_PKG_LDFLAGS tells the Go compiler to strip the
binaries it produces. Since the default Go package build process will
strip binaries when CONFIG_USE_STRIP or CONFIG_USE_SSTRIP are selected,
these flags are unnecessary.
When CONFIG_NO_STRIP is selected, these flags override the user's
intention of building unstripped packages.
This removes these flags for all relevant packages.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This will allow the server to know more info about the client like
HWADDR, very useful for managing IoT devices.
See: https://www.mankier.com/8/openvpn#--push-peer-info
Signed-off-by: Nguyen Quang Minh <minhnq31@fpt.com.vn>
Django 1.11 (host-build) is only needed for Seahub.
And won't ever be needed for anything else (hopefully).
This change moves it to the Seahub folder.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
v2rayA is a Linux web GUI client of Project V which supports V2Ray,
Xray, Shadowsocks, ShadowsocksR, Trojan and Pingtunnel.
Wiki: https://github.com/v2rayA/v2rayA/wiki
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* switch to unencrypted http downloads for ipdeny.com due to persistent certificate issues
* compact json generator code (tested with report files > 2MB)
* various code cleanups and optimizations
Signed-off-by: Dirk Brenken <dev@brenken.org>
It has been updated to the latest version shipped by upstream.
This has not been done since v4.2.1, hence the big diff.
Signed-off-by: Wout Bertrums <wout@wbnet.eu>
Recent versions of mosquitto have added a lot more fine grained control
of various options. Add UCI support for all of them, and fix a couple
of things that were configured as per listener, that are actually global
settings.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Maintainer: me
Build system: Arch Linux x86_64
Build tested: ipq806x/R7800
Run tested : ipq806x/R7800
Signed-off-by: Daniel Bermond <danielbermond@gmail.com>
Change the interface protocol prefix from "bonding-" to "bond-".
This allows longer custom interface names and is useful for VLANs.
Signed-off-by: Vladislav Grigoryev <vg.aetera@gmail.com>
On buildbots the build fails because git isn't finding any git repo and
then AC_INIT refuses to run:
fatal: not a git repository (or any parent up to mount point /)
Stopping at filesystem boundary (GIT_DISCOVERY_ACROSS_FILESYSTEM not set).
configure.ac:5: error: AC_INIT should be called with package and version arguments
Address this by substituting the git command with $(PKG_VERSION).
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
* replaced pipe input for a while/read-loop with a here document/variable as input
(fix various subshell related bugs and oddities)
* further improve abort and re-connection handling
* prevent alleged detected connection failures (false positives) with an additional gw check,
to stabilize VPN connections in particular
Signed-off-by: Dirk Brenken <dev@brenken.org>
This fixes compilation issues with ASLR PIE enabled
We were compiling with '-g -DDEBUG'
https-dns-proxy_2021-07-29-*_arm_cortex-a9_vfpv3-d16.ipk
shrink from 19514 to 19095
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
This init script allows to start the Kea Control Agent, the DHCPv4
server, the DHCPv6 server, and the DHCP-DDNS server. It expects the
config files to be where the packages install them.
As this is a single init script that can start 4 different binaries that
are each in their own package, these files cannot be included in any of
these other package, so create a dedicated package for it.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This allows running multiple kea instances in load balancing or
hot-standby mode, minimizing risk of downtime.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* simplify the scan logic, to get rid of nifty IFS tricks
* limit the nearby scan results to process only the strongest uplinks, set 'trm_maxscan' accordingly (default '10')
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
but keep it selected by default as before
so it could be selected if nmbd and/or wssd2
should be used
Signed-off-by: Fritz D. Ansel <fdansel@yandex.ru>
On hosts that have pcapnav-config installed, there is host lib leakage.
From config.log:
LNAVLIB='-L/usr/lib64 -lpcapnav -lpcap'
LNAV_CFLAGS='-I/usr/include'
Fix this by disabling pcapnav-config, which isn't available anyway.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* support the new travelmate option 'macaddr' to use a pre-defined MAC address (per uplink)
* vpn connections are now handled separately for each uplink
* The autoadd-feature for adding open uplinks will now be limited by the 'trm_maxautoadd' option. The default is '5', '0' disables this limitation.
* more code cleanups and optimizations to reduce the repetitive connection handling workload
* bugfixes regarding multiple radio support
* refine cp detection (no longer write and parse an error file)
Signed-off-by: Dirk Brenken <dev@brenken.org>
TARGET_CXX is added, because PowerDNS now uses C++17.
pdns.conf-dist is updated to the latest version shipped by PowerDNS.
010-time_t-check.patch, which is also used in pdns-recursor and dnsdist,
is added to patch out the check for 64-bit time_t,
because OpenWrt still supports 32-bit devices.
100-pdns-disable-pdns.conf-dist.patch is refreshed.
Signed-off-by: Wout Bertrums <wout@wbnet.eu>
* supports newer shellcheck
* restore EXTRA_COMMANDS compatibility with 19.07
* move status display from various functions to status_service
* bugfix: status_service line break after output
* minor arithmetic fix in status_service
Signed-off-by: Stan Grishin <stangri@melmac.net>
Backport a pending patch in order to DSCP-mark UDP traffic. This allows for
correct binning of traffic in diffserv-capable routers.
Additionally, remove Rosen Penev from the maintainers list, as per his request.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Description: Lack of support of HTTP/2 by default starts to hurt,
for example with https-dns-proxy package, some DoH resolvers (like mullvad)
no longer support HTTP/1 and are not usable.
This enables HTTP/2 support by default (which would bring ~68Kb libnghttp).
Signed-off-by: Stan Grishin <stangri@melmac.net>
* update binary to the latest commit (2021-07-29) to fix#16222 and #16239
* add hotplug.d/iface file and update Makefile to install it
* use Cloudflare's and Google's bootstrap DNS if bootstrap DNS is missing
* minor improvements in append_bool function
* add append_counter function for verbosity setting
* add append_bootstrap function (and supporting functions) to parse/sanitize bootstrap setting
* move firewall array from 'main' instance to the first proxy instance
* delete useless 'main' instance
Signed-off-by: Stan Grishin <stangri@melmac.net>
Open vSwitch supports SSL to connect to an OpenFlow controller. This is
recommended for security. Expand the UCI ovs config section to allow
configuring SSL CA, certificate and private key.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The Open vSwitch init script does not set USE_PROCD=1. Instead, it
defines most of the functions and variables that would be set when
USE_PROCD is set to 1, but with some minor changes.
The basescript variable however, which is used when calling
procd_open_service and procd_kill, is not set. As a result, basename of
the contents of the initscript variable is used as the service name. As
the service is automatically started via its symlink in /etc/rc.d,
S15openvswitch, the service name is S15openvswitch.
Set the basescript variable so that the service name is openvswitch.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
By default, Open vSwitch will generate the OpenFlow datapath ID of a
bridge based on the MAC address of one of its ports. Due to this, it's
possible that the datapath ID changes when new ports are added. When the
datapath ID changes, Open vSwitch disconnects from the controller, as
there is no way to notify the controller that the datapath ID has
changed.
Add an option to set the datapath ID so that the above situation can be
avoided. The option takes either exactly 16 hex characters, or when
prefixed with 0x, between 1 and 16 hex characters.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
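As an added example (not code from the openvswitch package or its init script), the shell function below checks a datapath ID against the format rule stated in the commit above, exactly 16 hex characters or "0x" followed by 1 to 16 hex characters, and a second helper (an addition here, assumed useful for comparing IDs) reduces accepted values to a zero-padded lowercase form:

```shell
#!/bin/sh
# Added example, not from the OpenWrt openvswitch package.
# Validate an OpenFlow datapath ID as the commit message specifies it:
# either exactly 16 hex characters, or "0x" followed by 1 to 16 hex
# characters. Returns 0 when the string is acceptable, 1 otherwise.
ovs_datapath_id_valid() {
    local id="$1" hex
    case "$id" in
        0x*)
            # prefixed form: 1 to 16 hex digits after "0x"
            hex="${id#0x}"
            [ -n "$hex" ] && [ "${#hex}" -le 16 ] || return 1
            ;;
        *)
            # bare form: exactly 16 hex digits
            hex="$id"
            [ "${#hex}" -eq 16 ] || return 1
            ;;
    esac
    # reject anything that is not a hex digit
    case "$hex" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Canonical form for comparison (an assumption added here, not something the
# commit describes): strip the "0x" prefix, left-pad with zeros to 16 digits
# and lowercase, so that "0x1" and "0000000000000001" compare equal.
ovs_datapath_id_normalize() {
    local hex
    ovs_datapath_id_valid "$1" || return 1
    hex="${1#0x}"
    while [ "${#hex}" -lt 16 ]; do
        hex="0$hex"
    done
    printf '%s\n' "$hex" | tr 'A-F' 'a-f'
}

# Constructed sample values (not from the page) exercising the accepted and
# rejected cases: bare 16 digits, short and long prefixed forms, an empty
# prefixed form, a too-long prefixed form, a short bare form, a non-hex digit.
for sample in 0123456789abcdef 0x1 0xDEADBEEF 0x 0x0123456789abcdef0 12345 g123456789abcdef; do
    if ovs_datapath_id_valid "$sample"; then
        echo "$sample -> valid, canonical $(ovs_datapath_id_normalize "$sample")"
    else
        echo "$sample -> rejected"
    fi
done
```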
The config symbol is named CONFIG_OPENVSWITCH_WITH_LIBUNBOUND, so check
for that instead of the non-existent CONFIG_OPENVSWITCH_WITH_UNBOUND.
Fixes: 45c8cc9d8a ("openvswitch: make libunbound optional")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
support for 21.02.0-rc2 and up
support for reloading a single interface on ifup/ifupdate
rename config file
updated shellcheck compatibility
remove obsolete create/remove_lock
interface processing optimizations to speed up reloads
drop dependency on curl in user scripts
uniform styling of functions
Signed-off-by: Stan Grishin <stangri@melmac.net>
Installing openvswitch on an x86/64 snapshot image pulls in a bunch of
dependencies, good for a total size of 3648406 byte. Disabling
libunbound reduces that with 559941 byte, for a total of 3088465 byte.
This is quite a big reduction for a small tradeoff: without libunbound,
hostnames can not be used to specify OpenFlow managers or controllers.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* code cleanup
* add auto login script for Julianahoeve beach resort (NL)
* add auto login script for Vodafone hotspots (DE)
* add auto login script for telekom hotspots (DE)
* enhance captive portal detection to support html redirects as well
* change default captive portal detection url to
'detectportal.firefox.com'
Signed-off-by: Dirk Brenken <dev@brenken.org>
Building without the mirror-tarballs fails due to PKG_SOURCE_SUBDIR not
matching the hostapd source subdir name. Fix that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The current way to add ports to an Open vSwitch bridge does not allow
complex port configurations. Use a dedicated uci config section per port
instead of the current port:type syntax. This way we can easily support
more features like setting the VLAN tag or the OpenFlow port number.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Calling the ovs_bridge_init function when stopping the service will
result in ovs-vsctl being called after ovsdb-server has been shut down.
This causes the following error:
ovs-vsctl: unix:/var/run/openvswitch/db.sock: database connection failed (No such file or directory)
Calling the ovs_bridge_init function when requesting the service status
has no added value.
Only call ovs_bridge_init during start or restart to fix this.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
CI run fails due to dirty patches, so refresh them.
Fixes: f4f1a25e80 ("openvswitch: bump to version 2.15.0")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Include default configuration files to have something to start from.
Also include snort2lua to help convert snort2 rules to snort3 to also
help with bootstrapping the configuration.
Signed-off-by: Michal Hrusecky <michal.hrusecky@turris.com>
bugfix: domain names bypass
rename config file
update Makefile
updated README link
updated shellcheck compatibility
support for 21.02.0-rc2 and later
updated code for interface triggers
add newline to test.sh
Signed-off-by: Stan Grishin <stangri@melmac.net>
- Bump yggdrasil-go version to v0.4.0
- Update ygguci tool for compatibility with the new yggdrasil-go version
- Yggdrasil's config file is now generated in a separate command before running the daemon
Signed-off-by: George Iv <zhoreeq@users.noreply.github.com>
This matches an ipv4 change in 21f5cdd2fa and has the same rationale.
Google requires https for both ipv4 and ipv6.
Signed-off-by: Scott Lamb <slamb@slamb.org>
A simple DNS proxy server that supports all existing DNS protocols
including DNS-over-TLS, DNS-over-HTTPS, DNSCrypt, and DNS-over-QUIC.
Moreover, it can work as a DNS-over-HTTPS, DNS-over-TLS or
DNS-over-QUIC server.
For documents, see https://github.com/AdguardTeam/dnsproxy.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
A simple command line utility to make DNS lookups. Supports all known
DNS protocols: plain DNS, DoH, DoT, DoQ, DNSCrypt.
For documents, see https://github.com/ameshkov/dnslookup.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
mdio is a low-level Linux debug tool for communicating with devices attached to an MDIO bus. It improves on existing tools in this space in a few important ways:
MDIO buses are directly addressable. Previous solutions relied on at least one Ethernet PHY on the bus being attached to a net device, which is typically not the case when the device is an Ethernet switch for example.
Complex operations can be performed atomically. The old API only supported a single read or write of a single register. mdio sends byte code to the mdio-netlink kernel module that can perform multiple operations, store intermediate values, loop etc. As a result, things like read/mask/write operations and accesses to paged PHYs can be performed safely.
Signed-off-by: Damien Mascord <tusker@tusker.org>
Users that don't control both OpenVPN client and server
might still need LZO support, so keep it enabled by default for at least
the OpenSSL variant.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
The commit updating the seccomp filter didn't bump PKG_RELEASE.
Do that now.
Fixes: 1141ee1e5 ("transmission: add new syscalls to seccomp filter")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Testing showed that additional syscalls are needed on ARMv7.
Add "getegid32", "geteuid32", "getgid32" and "getrandom" as they are
all innocent.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
555268b ubus: filter neighbors by SSID when preparing nr
3db9607 data storage: match SSID when searching ap entry
a22f5a7 storage: ensure SSID strings are NULL-terminated
Signed-off-by: Nick Hainke <vincent@systemli.org>
Makefile changes include:
* Remove USE_UCLIBC, as uclibc is no longer supported
* Package output modules
* Move main binary (back) to /usr/sbin, as it is system administration
related and requires superuser privileges
New patches:
* 003-add-space-for-null-byte.patch - from
374cfd2cab
* 004-more-specific-library-linking.patch - from
27b57d9da3
* 005-use-c99-format-macro-constants.patch - from
https://github.com/fln/addrwatch/pull/28
Init script changes include:
* Change from explicit disable to explicit enable, so that the service
is disabled by default and on first install
* Set config option default values to default values of the main binary
* Fix command-line option names and format (from
https://forum.openwrt.org/t/cant-start-addrwatch-service/60499/3)
* Always use the --quiet command-line option, as the procd instance is
not configured to capture stdout/stderr
* Change the syslog config option to start the syslog output module
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Until now the additional tables listed in global 'rt_table_lookup' were
not considered for interfaces.
In order to be able to also use interface-defined routes from tables
other than main, consider also tables listed in 'rt_table_lookup'.
Update version to 2.10.10 as requested by maintainer.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* add a tcpdump option to resolve IPs in adblock reporting,
set 'adb_represolve' accordingly (disabled by default). If enabled
tcpdump will perform a reverse DNS (PTR) lookup for each IP address
* add 'stalkerware' source (provided by @astryzia)
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
This option sets the interface of the policy.
Also from Vincent Wiemann <vincent.wiemann@ironai.com>.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Use list's where appropriate for multi-value config variables.
Forbid absolute/relative paths for certificate and key files.
Get rid of last remnants of left/right naming.
Factor invariant code paths.
Drop redundant secrets.rsa.filename section.
Thanks to Vincent Wiemann <vincent.wiemann@ironai.com> for calling
out many of these improvements.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
We enable the option by default, but do not depend on the kernel modules
required for L2TP offloading to avoid wasting space when the feature is
not needed. To use offloading, kmod-l2tp-eth must be installed.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
The UMAC-based methods provide higher performance than GMAC and aren't
susceptible to timing attacks when implemented in software (which is
always the case on OpenWrt, as OpenSSL support is disabled). Disable
GMAC by default to save a few KiB.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time.
Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a
standard style.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Give this package more love by adopting it :)
Changes since 1.4.1-4:
* change maintainer to me
* update to 1.4.3
+ add example config files sockd.conf and socks.conf
+ add service file for sockd
* update 200-fix-RTLD_NEXT.patch
- remove merged 210-deactivate-sched_setscheduler.patch
* fix Autoconf build file
Signed-off-by: David Yang <mmyangfl@gmail.com>
Add limited procd support to handle config reload
Option drop_unknown_ports can be used to ensure that only configured ports
are part of the bridge
Signed-off-by: Felix Fietkau <nbd@nbd.name>
As a daemon service, respawn is expected by default, and we have that
facility available via procd.
Suggested-in: https://github.com/openwrt/packages/pull/15272
Signed-off-by: Karl Palsson <karlp@etactica.com>
If pppoe is used for wan access, the script sets 'eth1' as the interface for the curl
call. The correct interface is however 'pppoe-wan'.
The script uses the 'network_get_physdev' function to get the real device for
bind_network, but this is wrong. We need instead the l3_device of the
logical interface.
In case we don't use a pppoe connection, 'l3_device' is equal to the real device.
This was reported by the github user `welderpb` with P/R:
https://github.com/openwrt/packages/pull/14431
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The chrony interface hotplug script reuses the handle_allow function
from the init script to allow NTP access on interfaces specified in uci.
The function requires /lib/functions/network.sh. Include the file in the
hotplug script to make the function work as expected.
Signed-off-by: Miroslav Lichvar <mlichvar0@gmail.com>
Fix a possible security issue with OpenSSL config autoloading on Windows (CVE-2021-3606).
Include a number of small improvements and bug fixes.
remove upstreamed: 115-fix-mbedtls-without-renegotiation.patch
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
There were closing curly braces missing and it was checking for empty
strings while it should have been checking for non-empty strings.
Signed-off-by: Vincent Wiemann <vincent.wiemann@ironai.com>
Variables set in config_ipsec() need to be shared with do_postamble()
function, so change scoping to parent (prepare_env()).
Also, remove unused settings like "remote_sourceip", "reqid", and
"packet_marker".
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Link to abandoned packages PR: https://github.com/openwrt/packages-abandoned/pull/18
AppleShare products have been unused for a while now (since Mac OS 9.2.2)
around 2002.
So, there should be fewer users requiring this package.
Last update of netatalk was in December 2018. Not sure if newer updates
will be created.
It's time to cut the cord on our end and move it to the abandoned packages.
Info: https://en.wikipedia.org/wiki/AppleShare
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Support for wolfSSL has been upstreamed to the master OpenVPN branch
in f6dca235ae560597a0763f0c98fcc9130b80ccf4 so we can use wolfSSL
directly in OpenVPN. So a different SSL engine is no longer needed for OpenVPN
on systems based on the wolfSSL library.
Compiled && tested on ramips/mt7620, ramips/mt7621
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
configure script looks for host ssh. Just pass the configure variable
directly. --with-ssh doesn't work.
Also get rid of custom Compile section. It's not needed.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* fix a small json syntax issue in adblock.sources
* add easylist addon to reg_fr source
* add switch 'adb_fetchinsecure' to allow insecure downloads
without certificate check (disabled by default)
* better explain 'adb_fetchparm' in readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
This is a security and bugfix release.
Full release notes: https://mosquitto.org/blog/2021/06/version-2-0-11-released/
Fixes a remotely triggered memory leak
Fixes broker reconnections in certain failure situations
Fixes (non-standard) qos0 queuing
Signed-off-by: Karl Palsson <karlp@etactica.com>
Isochronous round trip time tool.
Useful for measuring one-way send or recv delay between hosts,
among other things.
Signed-off-by: Marcel Vital <ralmina@tuta.io>
Remove myself as maintainer from PowerDNS Related packages and add
Peter van Dijk from PowerDNS as the new maintainer
Signed-off-by: James Taylor <james@jtaylor.id.au>
ipsec uses starter, and reads /etc/ipsec.conf (which then includes
/var/ipsec/ipsec.conf, etc). This is overly complicated, and can
be problematic if you're using both swanctl and ipsec for migration.
Running charon directly from procd via the init.d script avoids
all of this.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Seeing the following error when running 'make defconfig':
tmp/.config-package.in:69874:warning: multi-line strings not supported
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Sierra Wireless modems need the string '$GPS_START' to be sent to the
GPS tty device as only then the modem firmware starts emitting
NMEA-0183 sentences.
Add an option 'sierragpsstart' to kplex' serial driver to support that
quirk as kplex can be very useful to spread GPS data over the network
while also supplying 'ugps' using a PTY, allowing for correct system
time to be set automatically on boot up from GPS.
This patch is also PR'ed at the upstream project:
https://github.com/stripydog/kplex/pull/54
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fixes the build problem below.
Package miniupnpd is missing dependencies for the following libraries:
libmnl.so.0
libnetfilter_conntrack.so.3
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
- New upstream major release with tons of new features and LTS (see: https://www.haproxy.com/blog/announcing-haproxy-2-4/)
- Update haproxy download URL and hash
- Activate Prometheus exporter support the new way (using USE_PROMEX=1)
- Cleaned up haproxy-specific CFLAGS
- Changed the halog build to make use of the new Makefile target (admin/halog/halog)
Signed-off-by: Christian Lachner <gladiac@gmail.com>
Rrsync is a perl script that is supplied as an extra with the rsync program.
It must be used in conjunction with openssh-server or openssh-server-pam
as it requires ~/.ssh/authorized_keys which is not supported by dropbear.
Rrsync allows selective access to subdirectories in either read-only, write-only or read-write,
depending on settings in authorized_keys. This allows for safe, restrictive access.
It's particularly useful for automated backup purposes.
An example usage would be this entry:
command="/usr/bin/rrsync -ro /home" <public key here>
This would allow a system connecting with this public key to be able to rsync FROM the
/home directory tree only. It could not write to this directory, nor read from any other directory.
Signed-off-by: Matt Reeve <matt@mreeve.com>
Recreate symbolic link if it's missing after a sysupgrade with a private and public key present in /etc/atlas/
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
* Create working directory when it is not present. Apparently
some recent change made adguardhome fail to start when working
directory is missing.
* Full changelog available at:
* https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.106.1
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
* fix pid file processing of the background monitor plus child
processes (bug reported in the forum)
* made the enabled/disabled switch of the background monitor functional
Signed-off-by: Dirk Brenken <dev@brenken.org>
Samplicator receives UDP datagrams on a given port and resends those
datagrams to a specified set of receivers.
Use Cases:
- replicate Flow Samples to multiple receivers
- use with conntrackd to synchronize via unicast to multiple targets
Signed-off-by: Nick Hainke <vincent@systemli.org>
In the procd refactor, support for interfaces with no tracking IPs was
inadvertently removed. This commit restores the previous behavior.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Fixes the following security issues:
* CVE-2021-25215 - named crashed when a DNAME record placed in the ANSWER
section during DNAME chasing turned out to be the final
answer to a client query.
* CVE-2021-25214 - Insufficient IXFR checks could result in named serving a
zone without an SOA record at the apex, leading to a
RUNTIME_CHECK assertion failure when the zone was
subsequently refreshed. This has been fixed by adding an
owner name check for all SOA records which are included
in a zone transfer.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
Using `$(INSTALL_CONF)` will cause the program to have no access to the
configuration file when someone has enabled SELinux support.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Xray is no longer planning to keep compatibility with the original
v2ray. Remove PROVIDES before it is totally broken.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
From mosquitto 2.x, port became optional and deprecated in the config,
and it was recommended that listeners be used instead. Drop the hard
requirement in our config conversion script.
Reported in: https://github.com/openwrt/packages/issues/15506
Signed-off-by: <karlp@etactica.com>
Maintainer: @neheb / @BKPepe / @zhanhb
Compile tested: ipq806x, generic, netgear_r7800, master
Run tested: ipq806x, generic, netgear_r7800, openwrt-19.07
Description:
Squid now only supports HTTPS proxy in TCP tunnel mode (e.g. `ssl_bump splice all`):
https_port 3128 ssl-bump tls-cert=/etc/squid/squid.pem generate-host-certificates=on
ssl_bump splice all
In order to operate in SSL Bump mode, we need to compile with `--enable-ssl-crtd` for the following configuration:
https_port 3128 ssl-bump tls-cert=/etc/squid/squid.pem generate-host-certificates=on
sslcrtd_program /usr/lib/squid/security_file_certgen -s /car/cache/squid/ssl_db -M 4MB
ssl_bump stare all
ssl_bump bump all
This PR switches `SQUID_enable-ssl-crtd` to `default y`, therefore enabling SSL Bump mode by default.
Signed-off-by: Wong Hoi Sing Edison <hswong3i@pantarei-design.com>
Staging certificates have the advantage that their retry limits are loose.
Therefore they can be obtained quickly when automatic retries are used.
Unfortunately they can not be used for deployments because their CA is not
accepted by clients. Production certificates do not have this limitation, but
their retry limits are strict. For production certificates, automatic retries
can only be performed a few times per hour. This makes automatic obtainment of
certificates tenacious.
With use_auto_staging=1, the advantages of the two certificate types are
combined. Uacme will first obtain a staging certificate. When the staging
certificate is successfully obtained, uacme will switch and obtain a production
certificate. Since the staging certificate has already been successfully
obtained, we can ensure that the production certificate is successfully
obtained in the first attempt. This means that "retries" are performed on the
staging certificate and the production certificate is obtained in the first
attempt.
In summary, this feature enables fast obtaining of production certificates when
automatic retries are used.
By default, this feature is set to use_auto_staging=0, which means that
uacme will behave as before by default.
Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
With this commit, issue_cert() can be called multiple times alternating
between staging and production certificates within a script.
Before this commit, the production state dir was stored in $STATE_DIR.
But in the case of $use_staging=1, this variable was overwritten in
issue_cert() with $STAGING_STATE_DIR. This made it impossible to call
issue_cert() with $use_staging=0 afterwards. Now the production state
dir is stored in $PRODUCTION_STATE_DIR. This way it is not overridden
anymore and issue_cert() can be called multiple times alternating with
production and staging.
Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
The get_bool() functionality was already merged to lib/functions.sh, so
it is redundant in the init script. Remove it.
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
- ignore Content-Length from backend if 101 Switching Protocols
- close HTTP/2 connection after bad password
- skip cert chain build for self-issued certs
- meson zstd fix
- ls-hpack upstream update
- discard some HTTP/2 DATA frames received after response
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
- Exit start if a probe_key is not present
- Add create_key command to generate a private_key based on the provided username in the atlas config.
- Add registration instruction in /etc/atlas
- Rework script to save probe_key on sysupgrade (the keys are now advised to be placed in the /etc/atlas dir and a link is used to make them accessible in the atlas-sw-scripts etc dir)
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
* lots of fixes for many subsystems
* new messenger group chat service
* 'abd' temporarily removed due to upstream issue
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fixes two related security vulnerabilities (CVE-2020-15078) which
under very specific circumstances allow tricking a server using delayed
authentication (plugin or management) into returning a PUSH_REPLY before
the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup. In combination with "--auth-gen-token" or
a user-specific token auth solution it can be possible to get access to
a VPN with an otherwise-invalid account.
OpenVPN 2.5.2 also includes other bug fixes and improvements.
Add CI build test script.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* add a "whitelist only" mode, this option allows restricting Internet
access from/to a small number of secure websites/IPs, and blocking access
from/to the rest of the Internet.
Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is largely based on the work from Daniel Dickinson in
PR #2096 which was never merged. I tweaked it in a number of ways.
All bugs with this package are mine, not his.
Signed-off-by: Aaron Curley <accwebs@gmail.com>
* support the RPZ trigger 'RPZ-CLIENT-IP' to always allow/block certain
clients based on their IP (currently only supported by bind!)
* avoid promiscuous mode in tcpdump setup for adblock reporting
* speed up dns report preparation
* support dns report mailing (/etc/init.d/adblock report mail)
* fix bind autodetection
* update LuCI-frontend (separate PR)
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
NLS means Native Language Support and when you have it enabled (it is
not default), clamav cannot be compiled as it shows the following error:
Package clamav is missing dependencies for the following libraries:
libiconv.so.2
Also, it is required that the package libiconv-full is compiled before
clamav, and only then clamav can be compiled.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
/etc/profile.d/50-openvpn-easy-rsa.sh was not listed as configfile
and changes were lost during upgrades.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
libseccomp can't be built on ARC, so we must disable the option here as
well. A different fix was first proposed by @zxlhhyccc in #15377.
Fixes: #15313
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Add patch fixing compilation without deprecated OpenSSL APIs.
Fix installation. This never worked as the section was misnamed.
Updated tool names.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
chacha20poly1305 is also an AEAD cipher, and hence does not
permit a hash algorithm.
Fixes issue #15397.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This patch prevents multiple cron jobs from being created to run the
safe-search-maintenance script.
To reproduce this bug, perform the following:
- Install safe-search
- Perform an OpenWRT firmware upgrade (choose to preserve user settings)
- Install safe-search again
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
The strongswan-libnttfft package should not select the strongswan
package, but should depend on it instead. Otherwise a circular
dependency is created.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Rework the bonding.sh protocol handler to accept slave interface names
encoded in uci list notation. Also replace ifconfig up/down with ip
link calls while we're at it.
Fixes: #11455
Fixes: https://github.com/openwrt/luci/issues/4473
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
MacOS ignores Bonjour services for which TXT records are not returned. This change forces the umdns service to return a TXT record (`daemon=ksmbd`) for the ksmbd service. The exact content is unimportant and to the best of my knowledge nothing reads the `daemon` tag.
Symptoms of the problem (which are also debugging steps):
* Finder refuses to open the OpenWRT "computer" in the Network list.
* Discovery.app (Bonjour Browser) lists the _ssh._tcp service, but the submenu for it doesn't unfold and no address is shown.
* `dns-sd -L OpenWrt _smb._tcp` doesn't return any address.
Signed-off-by: Kirill Nikolaev <cyril7@gmail.com>
This is a security fix, affecting 2.0.0 through to 2.0.9. Mosquitto instances
could be remotely DoS'd by authenticated clients.
Release notes at: https://github.com/eclipse/mosquitto/blob/v2.0.10/ChangeLog.txt
CVE number has not yet been assigned.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Prior to this commit, the acme service attempted to obtain certificates
once and then terminated, regardless of whether the certificate could be
obtained or not. This commit introduces a new uci option "retries" to
the "certificate" section. If this option is set to N, the acme service
will attempt to obtain the certificate up to N times before terminating.
There is a waiting pause between the retries to comply with the rate
limits of Let's Encrypt.
The waiting pause is:
- 2 minutes for staging certificates
- 24 minutes for production certificates
The current "Failed Validation" rate limits of Let's Encrypt are:
- staging: 60 per hour -> 1 failure every 1 minute in avg.
- production: 5 per hour -> 1 failure every 12 minutes in avg.
This means that we are within rate limits by a factor of two.
By default the option "retries" is set to "1", which means that acme
behaves as before by default. If the variable is set to "0", infinite
retries are performed.
This feature is helpful, when you already want to initiate the
certificate request, but you are still waiting for your dns server to be
configured, your network to appear or other conditions.
Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
Before this commit, issue_cert always returned 1 no matter if uacme
returned 1, 2, 3, ... With this commit, the return code of the uacme
binary is propagated. Therefore the caller of issue_cert can
differentiate between "no renew necessary" and "an error occurred".
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
With this commit, the run-acme script can be included into other scripts
by setting INLCUDE_ONLY=1.
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
Derived from the ipsec initd script, with the following changes:
(1) various code improvements, corrections (get rid of left/right
updown scripts, since there's only one), etc;
(2) add reauth and fragmentation parameters;
(3) add x.509 certificate-based authentication;
and other minor changes.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
netifyd supports a '-F' filter option in 'bpf' notation to filter
packets from its consideration.
Add support for a uci 'filter' option. eg. filter to exclude SSDP
multicasts from a particularly noisy device:
option filter 'not (udp and dst 239.255.255.250 and dst port 1900 and src 192.168.1.5)'
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Even though it's only cosmetic and should not affect the function of a regular system,
fix the name of the IPKG_INSTROOT variable.
Typo was added long ago with 8400c9a6ec.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
Since v1.4.1, Xray has introduced a new feature to transfer data via
browsers, which can disguise itself as a normal browser to cheat
network censorship.
For more details, see https://github.com/XTLS/Xray-core/pull/421.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
If you shutdown ipsec service, and it doesn't clean up
/var/ipsec/ipsec.conf, then when you start swanctl service it
might see an incompatible file on startup. Remedy is to
remove unneeded files when shutting down the service. They
can always be regenerated when the service starts again.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This commit adds a number of fixes to the OpenVPN up/down hotplug command
wrapper which currently fails to actually invoke user defined up and down
commands for uci configurations not using external native configurations.
- Use the `--setenv` to pass the user configured `up` and `down` commands
as `user_up` and `user_down` environment variables respectively
- Instead of attempting to scrape the `up` and `down` settings from the
(possibly generated) native OpenVPN configuration in
`/etc/hotplug.d/openvpn/01-user`, read them from the respective
environment variables instead
- Fix parsing of native configuration values in `get_openvpn_option()`;
first try to parse a given setting as single quoted value, then as
double quoted and finally as non-quoted, potentially white-space
escaped one. This ensures that `up '/bin/foo'` is interpreted as
`/bin/foo` and not `'/bin/foo'`
Ref: https://forum.openwrt.org/t/openvpn-up-down-configuration-ignored/91126
Supersedes: #15121, #15284
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
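The three-step value parsing described for `get_openvpn_option()` above, written out as an added shell example that is not the page's or the OpenVPN package's own hotplug code: the sample config is constructed, and `naive_get_openvpn_option` is included only to show the `'/bin/foo'` result the fix removes.

```shell
#!/bin/sh
# Constructed sample of a native OpenVPN config (not a real file from the page);
# it covers the three value forms the wrapper has to handle.
sample_conf() {
	cat <<'EOF'
dev tun
up '/bin/foo'
down "/usr/lib/openvpn/down helper.sh"
route-up /etc/openvpn/route\ up.sh
script-security 2
EOF
}

# Naive variant: second whitespace-separated field of the directive line.
# For "up '/bin/foo'" it yields '/bin/foo' with the quotes still attached,
# which is the behaviour the fix removes. Reads the config on stdin.
naive_get_openvpn_option() {
	awk -v opt="$1" '$1 == opt { print $2; exit }'
}

# get_openvpn_option NAME: reads a native config on stdin and prints the value
# of the first NAME directive, trying single quoted, then double quoted, then
# unquoted form (where backslash-escaped whitespace is part of the value).
# Returns 1 when the directive is absent.
get_openvpn_option() {
	_opt="$1"
	# First line that starts with the directive name followed by whitespace.
	_line=$(sed -n "/^[[:space:]]*$_opt[[:space:]]/{p;q;}")
	[ -n "$_line" ] || return 1
	# Strip the directive name and the whitespace after it.
	_rest=$(printf '%s\n' "$_line" | sed "s/^[[:space:]]*$_opt[[:space:]]*//")
	case "$_rest" in
		\'*\'*)  # single quoted: everything between the first pair of single quotes
			printf '%s\n' "$_rest" | sed "s/^'\([^']*\)'.*/\1/" ;;
		\"*\"*)  # double quoted: everything between the first pair of double quotes
			printf '%s\n' "$_rest" | sed 's/^"\([^"]*\)".*/\1/' ;;
		*)       # unquoted: cut at the first unescaped whitespace, then drop the escapes
			printf '%s\n' "$_rest" | sed 's/\([^\\]\)[[:space:]].*$/\1/; s/\\\([[:space:]]\)/\1/g' ;;
	esac
}

# Stand-alone demo: show the parsed value for each directive in the sample.
for _o in up down route-up script-security; do
	printf '%-16s -> [%s]\n' "$_o" "$(sample_conf | get_openvpn_option "$_o")"
done
```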
The `tmate` tool is a fork of `tmux` which allows remote access to a
device without setting up any port forwarding. This commit adds the
backend server which handles connections.
Signed-off-by: Paul Spooren <mail@aparcar.org>
These config files are only used by the ipsec interface to charon,
and shouldn't be part of the base package.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* rework the central iptables function to significantly
reduce the code complexity and the overall number of iptables calls
* check early and only once in the chain for ctstate NEW and
return otherwise (thanks @ldir-EDB0)
* made the whitelist ordering within the chain more flexible
Signed-off-by: Dirk Brenken <dev@brenken.org>
faster to compile.
A small selection of packages was tested going from:
Executed in 696.30 secs fish external
usr time 82.98 mins 395.00 micros 82.98 mins
sys time 9.02 mins 0.00 micros 9.02 mins
to:
Executed in 592.20 secs fish external
usr time 84.84 mins 361.00 micros 84.84 mins
sys time 8.85 mins 57.00 micros 8.85 mins
Tested by running make -j 12 and wiping staging/build_dir/target_x
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Having scripts diddle user written config files seems potentially
dangerous. Plus there's really no downside to including some
empty files. Best to just make the includes be permanent.
Additional feature suggested by Luiz: if a -opkg version of the
config file was created unnecessarily, remove it as part of the
upgrade process since changes won't be happening to that file
as an artifact of the service starting. The include lines are
now permanent, which means that (1) additional configuration
synthesized by UCI won't be anywhere that opkg (or sysupgrade,
for that matter) cares about since it won't be persistent, and
(2) if changes are being made, then they're being done by a
person with an editor and they really should be distinguished.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
It seems the command name output from netstat can be truncated in weird
ways, so let's get the binary name from /proc instead and use that for
matching which listener we have.
Fixes #15071.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
* fix another IPv4/IPv6 related iptables chain creation problem
* fix counter during ipset creation
* fix regex for debug counters
* fix ipset housekeeping for local sources
Signed-off-by: Dirk Brenken <dev@brenken.org>
Reorganize Makefile for consistency between packages.
Switch to AUTORELEASE for simplicity.
Switch to building with Ninja for faster compilation.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* add a restrictive "jail mode only" variant, just point your
jail directory to your primary dns directory
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Occasionally, mostly at startup, miniupnpd reports "Another app is
currently holding the xtables lock. Perhaps you want to use the -w
option?"
Take iptables' advice and wait up to 1 second before giving up.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Tmate is a fork of tmux. It provides an instant pairing solution.
For more details, see https://tmate.io.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Neither the configure option nor configure variable to disable linking
against PCRE seem to work anymore, so simply drop both and add a
dependency on libpcre. As net-snmp is unlikely to fit on devices with
small flash anyway, the extra size requirement shouldn't be a problem.
If it is, feel free to submit a patch to fix the broken upstream
behaviour.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
If the interface goes into failure state (is disconnecting)
then with this change one hotplug.d event is generated.
The same is true for the recovery state (is connecting), when the interface
comes back from a failure state.
In both cases, a hotplug.d event for the iface is triggered. Once
with the $ACTION=disconnecting and once for the $ACTION=connecting.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* refine the new dns resolving process
* add a caching mechanism for the resolved IPs, the detached name
lookup takes place only during 'restart' or 'reload' action, 'start'
and 'refresh' actions are using an auto-generated backup instead.
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
This is a bugfix release, with minor security fixes for outgoing bridge
connections and the client library.
Full details here: https://mosquitto.org/blog/2021/03/version-2-0-9-released/
Signed-off-by: Karl Palsson <karlp@etactica.com>
Add "wg_check_interfaces" and specify a timeout in the config file.
This allows unused wireguard interfaces to be deleted automatically.
For example a cronjob can be installed that calls:
. /usr/share/wginstaller/wg_functions.sh && wg_check_interfaces
Signed-off-by: Nick Hainke <vincent@systemli.org>
* black- and whitelist now supporting domain names as well - the
corresponding IPs (IPv4 & IPv6) will be resolved in a detached
background process and added to the IPsets
Signed-off-by: Dirk Brenken <dev@brenken.org>
Major changes are:
ksmbd.control -s terminates ksmbd.mountd as well as the kernel server.
Update configuration.txt and README.
Turn off smb2 leases by default again.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
While searching for the boost_system library in boost.m4, configure
tries to find boost_system-mt before boost_system. The presence of
boost_system-mt in the staging dir depends on
CONFIG_boost-use-name-tags. If it is not defined (default), and there
is a boost_system-mt library in the host system, it will be used, and
the build will fail.
This adds a patch to remove the host paths from the search loop,
preserving the rest of the detection logic.
Alternatively, boost_cv_lib_context_LIBS could be used to avoid library
detection code entirely, but then the mt- variant would never be used.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
The current default of hourly is too fast. Some services such as
DuckDuckGo return IPs from a pool based on the user's location instead
of a fixed IP address. This change prevents unnecessary writes to the
flash memory by only updating once per week.
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
* add adguard_tracking source (list with cname trackers)
* optimize/sort output of active sources in status
* optimize log output in EMails
Signed-off-by: Dirk Brenken <dev@brenken.org>
Switch to CMake + Ninja to fix parallel compilation.
Switched PKG_BUILD_DIR to use PKG_INSTALL_DIR for easier readability.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Wireguard has no link-local address on an interface automatically.
Add a link-local to the interface. The server has fe80::1/64 and
the client fe80::2/64.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Convert to using CMake in order to speed up compilation and to fix
compilation under glibc.
Add extra dependencies since they're now needed.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
After d18692c, we need to include nls.mk to setup correct
environment variables so that linking succeeds.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
remove AVX patches as upstream has integrated and closed
all AVX issues
compiled on : x86-64, i386 generic
tested on : x86-64 VM, i386 VM
Signed-off-by: Dirk Neukirchen <plntyk.lede@plntyk.name>
After d18692c, we need to include nls.mk to setup correct
environment variables so that linking succeeds.
Reported-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
After d18692c, we need to include nls.mk to setup correct
environment variables so that linking succeeds.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
By default, ping does a reverse DNS of the IP that you are pinging.
When you have a network issue (such as when a link has just gone down
and you haven't yet marked it down), this lookup can cause failures on
tests for links that are still good.
This option only works for iputils ping.
For busybox the option is not evaluated, but it is accepted without
throwing an error.
Fixes: #14968
Fixes: #14924
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Suggested-by: David Lang <david@lang.hm>
Add a missing dependency on Lua. Otherwise the script installing the
neighbor report can't be executed in case Lua is not installed on the
system.
Signed-off-by: David Bauer <mail@david-bauer.net>
* major source changes:
* split oisd.nl in basic and full variant
* add swedish regional list
* made archive categories for shallalist and utcapitole selectable
via LuCI
* made all list variants of energized and stevenblack selectable
via LuCI
* removed dns filereset mode
Signed-off-by: Dirk Brenken <dev@brenken.org>
If used with default paths, libdaq 2.x and libdaq 3.x will overwrite
some of the other version's files. Install them in different places to
avoid trouble.
Snort is the only package that uses libdaq, so update it at the same
time to avoid creating a failing commit.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
If used with default paths, libdaq 2.x and libdaq 3.x will overwrite
some of the other version's files. Install them in different places to
avoid trouble.
Snort is the only package that uses libdaq, so update it at the same
time to avoid creating a failing commit.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Add GO111MODULE=auto to GO_PKG_BUILD_VARS to allow the package to be
built in non-module mode.
Module-aware mode will be mandatory in the next golang release.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Add GO111MODULE=auto to GO_PKG_BUILD_VARS to allow the package to be
built in non-module mode.
Module-aware mode will be mandatory in the next golang release.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Quote NEWS item
> - Building the Linux kernel module from the OVS source tree is
> deprecated
> * Support for the Linux kernel is capped at version 5.8
> * Only bug fixes for the Linux OOT kernel module will be accepted.
> * The Linux kernel module will be fully removed from the OVS source
> tree
> in OVS branch 2.18
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Fixes spurious version bump done in 5c8fb42 and reported in #14815 and
switches source proto from git to codeload.
Upstream has changed daemon binary name to `/usr/sbin/mini-snmpd`.
Package and config/init script name stays unchanged.
Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
The crude loop I wrote to come up with this changeset:
find -L package/feeds/packages/ -name patches | \
sed 's/patches$/refresh/' | sort | xargs make
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
Major changes for version 3.3.5 are:
- Rename "streams" parameter to "vfs objects = streams_xattr".
- Enable smb2 leases by default.
- Ignore ksmbd.subauth creation failure.
- Fix bugs that related to guest ok = yes.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
* fix search string/pipe preparation for the background service
* fix IPSet maxelem limitation, made it more flexible
* fix potential error during resume action
* add Cisco Talos IP blacklist
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* add scanning for suspicious nginx events
* add a log counter to track the number of the failed requests
or login repetitions of the same ip in the log before banning,
defaults are: ssh (3), luci (3), nginx (5)
* optimize the background service handling
* add 'greensnow' as a new source
* update readme and LuCI frontend regarding the new log count options
Signed-off-by: Dirk Brenken <dev@brenken.org>
As suggested by others, I would like to take care of this tool. I am
developing certain tools that rely on the library and also owipcalc.
Signed-off-by: Nick Hainke <vincent@systemli.org>
This has been observed by myself and @luizluca: ip route get is
appending uid 0 to the output, as seen from:
root@OpenWrt2:~# ip route get 1.1.1.1
1.1.1.1 via 174.27.160.1 dev eth3 src 174.27.182.184 uid 0
cache
root@OpenWrt2:~#
so the fix is an anchored match, discarding all else. Also, using
ip -o means never having to do multiline matches...
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Separate owipcalc in client and lib part. Owipcalc brings a lot of nice
functionality with it, e.g. parsing and calculating prefixes.
Signed-off-by: Nick Hainke <vincent@systemli.org>
The second one was manually modified as quilt gets confused by the ***
and ends up removing the commit description.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The previous list was very out of date.
An always up-to-date v1-compatible list is available at:
https://download.dnscrypt.info/dnscrypt-resolvers/v1/
Also use different default resolvers since the previous ones don't
exist any longer.
Signed-off-by: Frank Denis <github@pureftpd.org>
Variable ICONV_DEPENDS is specified in nls.mk which can be found in
OpenWrt main repository.
This fixes issue:
/foo/build/staging_dir/toolchain-arm_cortex-a9+vfpv3-d16_gcc-8.4.0_musl_eabi/lib/gcc/arm-openwrt-linux-muslgnueabi/8.4.0/../../../../arm-openwrt-linux-muslgnueabi/bin/ld: cannot find -liconv
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Previous code was downloading file v1.3.0, which is wrong, because in
the dl folder there might be some tarballs with that naming and they are
wrong as well.
This could lead to some issues like this:
Hash of the local file v1.3.0.tar.gz does not match (file: 87cf846b02dde6328b84832287d8725d91f12f41366eecb4d59eeda1d6c7efdf, requested: b94fba0251a4a436e25b127d0b9bc0181b991631f1dc8e344b1c8e895b55375d) - deleting download.
Even so, if you tried it on the SDK or a minimal build where there is a
small number of packages, you most likely won't encounter it.
The correct solution is to download files with their name and version.
E.g. nebula-version.tar.gz as it is in PKG_SOURCE variable now.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Latest version of xray-core made a change to support FullCone NAT,
which would break UDP connection from v2ray-core backend server.
So added the option for v2ray-core users, to make sure UDP works
as expected.
Signed-off-by: Tianling Shen <cnsztl@project-openwrt.eu.org>
The SVN-based version has not changed in years. Many distros use this
fork as evident here: https://github.com/streambinder/vpnc/issues/14
Compile tested against GnuTLS and OpenSSL on ramips target.
Fixes#14119.
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
Add a hotplug.d-extension that automatically configures babeld for
meshing via wireguard interfaces.
It checks for "add" and "remove" of a wireguard interface with name
"wg_*". Depending on the action, it removes it from the babeld config
or adds the interface and reloads babeld.
Signed-off-by: Nick Hainke <vincent@systemli.org>
* add 'ban_extrasources' to handle banIP-unrelated sets for reporting
and queries
* add set timeouts for local sources (maclist, whitelist, blacklist)
Signed-off-by: Dirk Brenken <dev@brenken.org>
This tool can be used to automatically create wireguard tunnels. Using
rpcd a new wireguard interface is created on the server where the client
can connect to.
Wireguard server automatically installs a user and associated ACL to use
the wireguard-installer-server features. The user is called wginstaller
and so is the password.
Get Usage:
wg-client-installer get_usage --ip 127.0.0.1 --user wginstaller
--password wginstaller
Register Interface:
wg-client-installer register --ip 127.0.0.1 --user wginstaller
--password wginstaller --bandwidth 10 --mtu 1400
Signed-off-by: Nick Hainke <vincent@systemli.org>
Not including an A record mapping will cause nsupdate to balk at
CNAME and MX records (and probably SRV as well) because the target
will be unknown at the time of parsing, until the lease gets
activated.
We need these RR's to be in place well before the servers even
come up.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Microsoft Windows, Xbox and possibly other operating systems do not
support IGDv2. With IGDv2 enabled, they send a HTTP GET request for
rootDesc.xml and WANIPCn.xml, and then nothing happens. The Microsoft
implementation probably doesn't like the WANIPCn.xml response and
decides UPnP is not available. When miniupnpd is built without IGDv2
support, after the 2 HTTP GET requests, there is a HTTP POST request to
/ctl/IPConn, and miniupnpd configures the port forward as expected.
The runtime option force_igd_desc_v1=yes (UCI: igvd1) does not solve
this problem. It's possible this was enough in earlier miniupnpd
versions, but it does not fix the problem in the current version.
Since we are a modern distro, we want to support the latest and
greatest, so we should default to IGDv2 enabled. Introducing a
menuconfig option to disable IGDv2 would only help people who build
their own images, so offer a separate package variant for IGDv1.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* major rewrite
* add support for multiple chains
* add mac whitelisting
* add support for multiple ssh daemons in parallel
* add an ipset report engine
* add mail notifications
* add suspend/resume functions
* add a cron wrapper to set an ipset related auto-timer for
automatic blocklist updates
* add a list wrapper to add/remove blocklist sources
* add 19.x and Turris OS 5.x compatibility code
* sources stored in an external compressed json file
(/etc/banip/banip.sources.gz)
* change Country/ASN download sources (faster/more reliable)
* fix DHCPv6/icmpv6 issues
Signed-off-by: Dirk Brenken <dev@brenken.org>
Fix starting problem:
Starting function should be named 'start_service' instead of 'start_instance'.
Fix reloading problem:
Register reload trigger for uci config itself.
And, xray does not support reload currently, so use legacy restart as reload.
Fixes: 6c9b96352f ("xray-core: add init script")
Signed-off-by: Tianling Shen <cnsztl@project-openwrt.eu.org>
Major changes are:
add "vfs objects = acl_xattr" parameter in configuration.
fix wrong group domain name in lsarpc response.
set to SID_TYPE_UNKNOWN if there is no domain sid in server.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The iputils build system embeds git tags into the generated binaries
for use by commands like ping -V. Since openwrt packaging is done in
a different repository from the upstream repo, the tags it finds
aren't particularly meaningful, and we get confusing results like
those described at https://github.com/openwrt/packages/issues/13920
This change removes the git tag inspection in favor of the static
version string that's already known to the upstream build system.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
Drop obsolete patches
- 001-no-tests.patch
- 002-fix-cross-compilation.patch
Move several user-executable binaries from /usr/sbin to /usr/bin per
upstream.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
The current implementation of socat's init service doesn't allow running more
complex configurations. As an example, there's no possibility to execute the
following command:
socat TCP-LISTEN:8080,fork,reuseaddr,bind=192.168.1.1 \
EXEC:"/sbin/ip netns exec somenetns socat STDIO TCP:10.0.0.1:80"
In such command the first line is argv[1] and the second line is
argv[2]. The SocatOptions config option is a string. As a consequence of
this, each word will be passed as a separate argv element. Socat won't be
able to parse arguments correctly.
In order to mitigate this issue, we can also accept SocatOptions as a
list of strings. The following config file will work correctly:
config socat 'tunnel_8080_into_somenetns'
option enable '1'
list SocatOptions 'TCP-LISTEN:8080,fork,reuseaddr,bind=192.168.1.1'
list SocatOptions 'EXEC:"/sbin/ip netns exec somenetns socat STDIO TCP:10.0.0.1:80"'
While we're at it, pass stdout and stderr into logread.
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
* The default local-adress makes Netopeer2-server listen on ipv4 only.
We change it to :: in order to listen on ipv6 as well as ipv4.
Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
* fix for possible exploit #13758
* sanitize all external template/config inputs
* fix some shellcheck warnings
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
I checked the hostname for existing DNS A and AAAA entries and these
ones didn't have an entry.
Signed-off-by: Gerald Hansen <gerald.hansen@cloud.ionos.com>
As the default uclient-fetch doesn't support the authentication header
and the ddns provider myonlineportal.net also supports username and
password as url parameters, this can be changed.
Signed-off-by: Gerald Hansen <gerald.hansen@cloud.ionos.com>
Add eoip package; this can create ethernet
tunnels compatible with the Mikrotik EoIP tunnel.
At the moment it is the easiest way
to create a stateless tunnel with Mikrotik.
Signed-off-by: Bogdan Shatik <bogdikxxx@mail.ru>
In IPv4 the default route can be written as
0.0.0.0/0
In IPv6 the default route can be written as
::/0
If you try
owipcalc 0.0.0.0/0 contains 1.1.1.1
or
owipcalc ::/0 contains ::1
owipcalc will respond with 0 meaning that the "default prefixes" do not
contain the routes.
That is why we check now for 0 prefix.
Furthermore, if the prefix is 0, i will be 16. We will access a negative
array entry in the line:
uint8_t net1 = x->s6_addr[15-i] & m;
Divide by % 16 to prevent i becoming 16:
uint8_t i = ((128 - a->prefix) / 8) % 16;
Signed-off-by: Nick Hainke <vincent@systemli.org>
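The two fixes described in the commit above, as an added example that is not owipcalc's own code: a minimal `contains` check that treats a /0 prefix as containing every address and reduces the byte index `i` modulo the address length so it can never reach the byte before the start of the array (`s6_addr[15-16]` in the original). The parser, the `struct cidr` layout and the `cidr_contains_str` wrapper are assumptions made for this example; the same routine handles both IPv4 (4 bytes) and IPv6 (16 bytes), which goes beyond the IPv6-only line quoted in the message.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not owipcalc's code. One routine serves both
 * address families: len is 4 for IPv4 and 16 for IPv6. */
struct cidr {
    int af;             /* AF_INET or AF_INET6 */
    uint8_t addr[16];   /* network byte order, first len bytes used */
    uint8_t len;        /* 4 or 16 */
    uint8_t prefix;     /* 0 .. 8*len */
};

/* Parse "addr" or "addr/prefix"; a missing prefix means a host route.
 * Helper name and behaviour are assumptions of this example. */
bool cidr_parse(const char *s, struct cidr *c)
{
    char buf[64];
    if (strlen(s) >= sizeof(buf))
        return false;
    strcpy(buf, s);

    char *slash = strchr(buf, '/');
    long prefix = -1;
    if (slash) {
        *slash = '\0';
        char *end;
        prefix = strtol(slash + 1, &end, 10);
        if (*end != '\0' || prefix < 0)
            return false;
    }

    if (inet_pton(AF_INET, buf, c->addr) == 1) {
        c->af = AF_INET;
        c->len = 4;
    } else if (inet_pton(AF_INET6, buf, c->addr) == 1) {
        c->af = AF_INET6;
        c->len = 16;
    } else {
        return false;
    }

    if (prefix < 0)
        prefix = 8 * c->len;
    if (prefix > 8 * c->len)
        return false;
    c->prefix = (uint8_t)prefix;
    return true;
}

/* true when every address of b lies inside prefix a */
bool cidr_contains(const struct cidr *a, const struct cidr *b)
{
    if (a->af != b->af)
        return false;

    /* Fix 1: the default prefix (0.0.0.0/0 or ::/0) contains everything. */
    if (a->prefix == 0)
        return true;

    /* A longer prefix can never contain a shorter one. */
    if (a->prefix > b->prefix)
        return false;

    unsigned host = 8u * a->len - a->prefix;   /* host bits, counted from the right */
    /* Fix 2: reduce modulo len, so i stays below len even for a /0 prefix
     * (without it, i would be 16 for IPv6 and index addr[15-16]). */
    uint8_t i = (uint8_t)((host / 8) % a->len);
    /* Mask keeping only the network bits of the byte at the prefix boundary. */
    uint8_t m = (uint8_t)~((1u << (host % 8)) - 1u);
    size_t last = a->len - 1 - i;               /* index of the boundary byte */

    uint8_t net1 = a->addr[last] & m;
    uint8_t net2 = b->addr[last] & m;

    /* All whole network bytes before the boundary must match, plus the masked one. */
    return net1 == net2 && memcmp(a->addr, b->addr, last) == 0;
}

/* String front-end: 1 = contains, 0 = does not, -1 = parse error. */
int cidr_contains_str(const char *net, const char *addr)
{
    struct cidr a, b;
    if (!cidr_parse(net, &a) || !cidr_parse(addr, &b))
        return -1;
    return cidr_contains(&a, &b) ? 1 : 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s NET/PREFIX ADDR[/PREFIX]\n", argv[0]);
        return 2;
    }
    int r = cidr_contains_str(argv[1], argv[2]);
    if (r < 0) {
        fprintf(stderr, "parse error\n");
        return 2;
    }
    printf("%d\n", r);   /* same 0/1 answer convention as owipcalc's contains */
    return 0;
}
```

Run as `./a.out ::/0 ::1` or `./a.out 0.0.0.0/0 1.1.1.1`; both print 1, which is the behaviour the commit restores for default prefixes.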
This is a helpful utility, but it does not have any dependencies
in base repository. Move it to packages feed.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This is a helpful utility, but it does not have any dependencies
in base repository. Move it to packages feed.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Some users have reported that reloading dnsmasq does not always work. It
sometimes stops responding to DNS lookup requests after being reloaded.
This patch changes "safe-search-maintenance" so that it restarts dnsmasq
instead of reloading it.
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
Ensure that the best available IP is always used for all supported
safe-search providers. This is accomplished by periodically checking
DNS for the most recent list of IP addresses associated with each
provider.
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
Start after named is running.
Add support for "cname", "domain", "mxhost", and "srvhost" configs.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* update to version 1.19.6
* remove default configuration files and documentation as
they are in the package `nginx-util`.
* do not install a `/etc/nginx/nginx.conf` file.
* use the dynamic `/etc/nginx/uci.conf` if the symlink (to
`/var/lib/nginx/uci.conf`) is not dead after calling
`nginx-util init_lan` (else try `/etc/nginx/nginx.conf`)
* replace nginx package by a dummy depending on `nginx-ssl`;
the dummies will be removed after a transition period.
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
On Arch Linux, tcpreplay is picking up the host dnet-config and adding
OS paths, thereby breaking compilation. The easiest solution is to add
libdnet support as the previous commit fixes dnet-config on OpenWrt.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Something having to do with passing a file descriptor over spamd's
Unix socket causes the ClamAV milter to fail. The milter says "ERROR:
Unknown reply from clamd," and running strace on spamd reveals "No file
descriptor received. ERROR."
Some work by others can be found on the Internet that suggests using
a TCP socket for the communication between the milter and spamd fixes
this. Lucian Cristian confirmed this on OpenWrt.
I am not sure why the Unix socket does not work. I suspect it is something
related to musl, but I have not yet found evidence of this.
This merge request adds the option to configure spamd to use a TCP
socket, and it uses this as the default. The merge request also adds an
init script for clamav-milter.
Signed-off-by: W. Michael Petullo <mike@flyn.org>
* update to 4.13.3
* enable vfs io_uring module by default, if kernel supports it
* fix for possible exploit openwrt/packages#13758
* sanitize all external template/config inputs
* fix some shellcheck warnings
* remove old aio modules/deps
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
Version 8.2[0] added support for two new key types: "ecdsa-sk" and
"ed25519-sk". These two type enable the usage of hardware tokens that
implement the FIDO (or FIDO2) standard, as an authentication method for
SSH.
Since we're already on version 8.4 all we need to do is to explicitly enable
the support for hardware keys when compiling OpenSSH and add all the
missing dependencies OpenSSH requires.
OpenSSH depends on libfido2[1], to communicate with the FIDO devices
over USB. In turn, libfido2 depends on libcbor, a C implementation of
the CBOR protocol[2] and OpenSSL.
[0]: https://lwn.net/Articles/812537/
[1]: https://github.com/Yubico/libfido2
[2]: tools.ietf.org/html/rfc7049
Signed-off-by: Linos Giannopoulos <linosgian00@gmail.com>
Add fadvise64_64 and fchmod syscalls needed on PowerPC platforms to
seccomp rules of transmission-daemon.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
When specifying a secondary password script, the output should be appended to the temporary password file and shouldn't overwrite it. If you refer to the case where there is a static secondary password, you can see that the secondary password is appended. Without this fix, only the secondary password is passed to the `openconnect` session.
Signed-off-by: Frederick Morlock <FrederickGeek8@gmail.com>
There's some kind of crash internally in wolfSSL. It doesn't seem like
anyone knows how to fix it. Just disable it for now.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Remove uClibc-ng patch as it's not in the tree anymore.
Also remove the _GNU_SOURCE CFLAG for the same reason.
Refreshed patches.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
This package has been completely broken on several levels since
commit eadd5abe40 ("smartsnmpd: Update to 2015-02-22 version")
The update changed the configuration file syntax without fixing
the scripts generating this file. The OpenWrt package would
therefore fail to run.
Worse than that, the last upstream version is completely broken and
is unable to generate proper snmp replies even if the
configuration file is fixed. This has been tested and verified
on both OpenWrt/realtek and Debian/amd64.
I considered fixing the package, but dropped it for the following
reasons
1) upstream has abandoned the project
2) the upstream fork "smithsnmp" continues to make arbitrary
changes to configuration files and other packaging challenges
3) the package is tied to the lua5.1 C API, and further upgrades
will be non-trivial
4) there are several other snmp daemons available in OpenWrt,
without any of these issues
5) no one is interested in this package
The last point is proven by the lack of testing and feedback.
The last update was not even tested by the person preparing and
committing the update.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
It tries to link to host libraries for some reason. Add autoreconf to
fix. Also remove redundant prefixes.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The idea behind this is to prevent confusion between "virtual" package
wget and real one. Wget is provided by not just wget packages but also
by uclient-fetch so technically it is better to treat wget as a virtual
package.
Signed-off-by: Karel Kočí <karel.koci@nic.cz>
* update device description framework to v1.3
* setup methods in database
* setup uhttpd to use hs20 cert
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
pass CC to configure. host CC flags can leak in the build system,
preventing compilation.
Deleted upstream backports.
Refreshed patches.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
It turns out that the Makefile of mdnsresponder links to absolute paths
instead of relative ones. This is an issue when compiling.
Fix for InstallDev as well.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
For some reason, the build ones do not get generated when compiling in
parallel. PKG_INSTALL_DIR is the correct solution anyway.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Start named before dhcpd so that dhcpd can prime the local zones at startup.
Restore the empty domain zone for rfc1918 addresses that previously existed.
Create an additional subsidiary named.conf.local file (initially empty)
in /tmp/bind/ that can be seeded with dynamic zones and primed with
"rndc reload", and add it to the watched list of config files for procd.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Adds failsafe support to the openssh package.
Roughly based on an earlier patch.
Ref: https://github.com/openwrt/openwrt/pull/865
Signed-off-by: Jeff Kletsky <git-commits@allycomm.com>
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
Removed patch as upstream fixed libtirpc support differently.
Switched to normal tarballs for simplicity.
Fixed license information.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Full changelog: https://mosquitto.org/blog/2020/12/version-2-0-2-released/
* Enables DHE ciphers
* Improved response time with http_dir and websockets
Drops a patch no longer required due to upstream fixes.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Along with the accompanying change to gpgme to install gpgme-config,
since libfko is what is actually linked to gpgme, and not
fwknop/fwknopd, an explicit dependency must be added to that package.
menuconfig now allows enabling gpg support if only fwknop is selected
without also selecting fwknopd.
Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
Enable the control port on named that rndc uses to talk to it. Use
rndc to allow for lightweight reloads of some (per-zone) or all of
the database without an interruption of service.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Commit ef388ff1f3 removed 'CMAKE_INSTALL:=1', and this makes the
development files not be installed anymore on 'staging_dir'.
Being such, packages that need to link against libminiupnpc fail
to build, because they cannot find the headers and the library.
Adding an InstallDev fixes this.
Build-tested on: ipq806x (R7800)
Run-tested on: ipq806x (R7800)
Signed-off-by: Daniel Bermond <danielbermond@gmail.com>
Some VPN providers require username and password for client to connect.
This commit adds an option to specify username, password and
cert_password directly in uci config which then gets expanded during
start of openvpn client.
Signed-off-by: Michal Hrusecky <michal.hrusecky@turris.com>
New easyrsa will look for missing vars and x509-types where easyrsa
is located (following symlink). /usr/bin/easyrsa is now a link
to /usr/lib/easyrsa/easyrsa and /usr/lib/easyrsa/{vars,x509-types} a
link to /etc/easyrsa/{vars,x509-types}. This keeps the same previous
OpenWrt easyrsa behavior which tries to use $PWD/pki and
/etc/easyrsa/{vars,x509-types}, but without patching it.
Easyrsa can also use env vars to set pki root path (instead of
/usr/lib/easyrsa), pki path (instead of $PWD/pki) and vars path.
Those variables are commented in /etc/profile.d/50-openvpn-easy-rsa.sh
as an example of how to make easyrsa run independent of $PWD. That
scriptlet also sets $EASYRSA_TEMP_DIR from $EASYRSA_PKI/tmp to /tmp
in order to avoid writing to persistent media (normally flash). However,
as a profile scriptlet, it will only be used after session is restarted.
The "build" tgz was replaced by the "source" tar. "build" version has a
different file structure, making any patch backports too complex.
I'm also putting myself as maintainer.
Closes openwrt/openwrt#2926, since it moved to openwrt/packages.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Fix the prefix instead.
Replace custom Compile section with PKG_INSTALL.
Minor cleanups for consistency between packages.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Remove several configure options. apr-(utils) has been fixed, which
makes them useless. Also removed PKG_BUILD_DEPENDS for that reason.
Simplify NLS with autoreconf_bool.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved
Signed-off-by: Simon Day <email@simonday.info>
Added a patch to remove BUILDCXXFLAGS. For some reason, TARGET_CXXFLAGS
are leaking.
Removed custom Build/Compile section. There's already PKG_INSTALL.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Updating the system image or the package should not obliterate
the downloaded/unpacked geolocation database. If you use xt_geoip
in /etc/firewall.user you don't want the database disappearing
when sysupgrade runs and then reboots your system as you'll be
left exposed.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
specified for monitoring
eg allows ipv4 and ipv6 forwarded traffic to be monitored from
both main network and dmz in single graph
Signed-off-by: Simon Day <email@simonday.info>
specified for monitoring
eg allows ipv4 and ipv6 forwarded traffic to be monitored from
both main network and dmz in single graph
Signed-off-by: Simon Day <email@simonday.info>
Major changes for version 3.3.1 are:
* Fix a segfault issue in ksmbd.mountd.
* Reorganize ndr write functions.
Major changes for version 3.3.0 are:
* Add samr and lsarpc RPC support.
* Generate subauth values for domain.
* Add Kerberos support.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Unlike ipv4, this option is supposed to be an IP address, otherwise, an
error occurs on startup:
can't parse "br-lan" as valid IPv6 listening address
Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
OpenVPN recommends disabling compression, as it may weaken the security
of the connection. For users who need compression, we build with LZ4
support by default. LZO in OpenVPN pulls in liblzo at approx. 32 kB.
OpenWrt users will no longer be able to connect to OpenVPN peers that
require LZO compression, unless they build the OpenVPN package themselves.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
New features:
* Per client tls-crypt keys
* ChaCha20-Poly1305 can be used to encrypt the data channel
* Routes are added/removed via Netlink instead of ifconfig/route
(unless iproute2 support is enabled).
* VLAN support when using a TAP device
Significant changes:
* Server support can no longer be disabled.
* Crypto support can no longer be disabled, remove nossl variant.
* Blowfish (BF-CBC) is no longer implicitly the default cipher.
OpenVPN peers prior to 2.4, or peers with data cipher negotiation
disabled, will not be able to connect to a 2.5 peer unless
option data_fallback_ciphers is set on the 2.5 peer and it contains a
cipher supported by the client.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
reload_server() gracefully with SIGUSR1 to lighttpd
relog() to reopen log files with SIGHUP to lighttpd
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
* update upstream version to lighttpd-1.4.56
* depend on Nettle for MD5, SHA1, SHA256
* multiple TLS options: gnutls, mbedtls, nss, openssl, wolfssl
* new module mod_authn_dbi
* mod_authn_* depend on mod_auth
* mod_authn_file is included if mod_auth is selected in build
* mod_vhostdb_* depend on mod_vhostdb
* mod_deflate subsumes mod_compress
* remove from Makefile the include of nls.mk (no longer needed)
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
**tl;dr:** The functions `{add,del}_ssl` modify a server
section of the UCI config if there is no `.conf` file with
the same name in `/etc/nginx/conf.d/`.
Then `init_lan` creates `/var/lib/nginx/uci.conf` files by
copying the `/etc/nginx/uci.conf.template` and standard
options from the UCI config; additionally the special path
`logd` can be used in `{access,error}_log`.
The init does not change the configuration beside
re-creating self-signed certificates when needed. This is
also the only purpose of the new `check_ssl`, which is
installed as yearly cron job.
**Initialization:**
Invoking `nginx-util init_lan` parses the UCI configuration
for package `nginx`. It creates a server part in
`/var/lib/nginx/uci.conf` for each `section server '$name'`
by copying all UCI options but the following:
* `option uci_manage_ssl` is skipped. It is set to
'self-signed' by `nginx-util add_ssl $name`, removed by
`nginx-util del_ssl $name` and used by
`nginx-util check_ssl` (see below).
* `logd` as path in `error_log` or `access_log` writes them
to STDERR respective STDOUT, which are forwarded by Nginx's
init to the log daemon. Specifically:
`option error_log 'logd'` becomes `error_log stderr;` and
`option access_log 'logd openwrt'` becomes
`access_log /proc/self/fd/1 openwrt;`
Other `[option|list] key 'value'` entries just become
`key value;` directives.
The init.d calls internally also `check_ssl` for rebuilding
self-signed SSL certificates if needed (see below). And it
still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as
it is doing in the current version (so they stay available).
**Defaults:**
The package installs the file `/etc/nginx/restrict_locally`
containing allow/deny directives for restricting the access
to LAN addresses by including it into a server part. The
default server '_lan' includes this file and listens on all
IPs (instead of only the local IPs as it did before; other
servers do not need to listen explicitly on the local IPs
anymore). The default server is contained together with a
server that redirects HTTP requests for nonexistent URLs to
HTTPS in the UCI configuration file `/etc/config/nginx`.
Furthermore, the package installs a
`/etc/nginx/uci.conf.template` containing the current setup
and a marker, which will be replaced by the created UCI
servers when calling `init_lan`.
**Other:**
If there is a file named `/etc/nginx/conf.d/$name.conf` the
functions `init_lan`, `add_ssl $name` and `del_ssl $name`
will use that file instead of a UCI server section (this is
similar to the current version).
Else it selects the UCI `section server $name`, or, when
there is no such section, it searches for the first one
having `option server_name '… $name …'`. For this section:
* `nginx-util add_ssl $name` will add to it:
`option uci_manage_ssl 'self-signed'`
`option ssl_certificate '/etc/nginx/conf.d/$name.crt'`
`option ssl_certificate_key '/etc/nginx/conf.d/$name.key'`
`option ssl_session_cache 'shared:SSL:32k'`
`option ssl_session_timeout '64m'`
If these options are already present, they will stay the
same; just the first option `uci_manage_ssl` will always be
changed to 'self-signed'. The command also changes all
`listen` list items to use port 443 and ssl instead of port
80 (without ssl). If they stated another port than 80
before, they are kept the same. Furthermore, it creates a
self-signed SSL certificate if necessary, i.e., if there is
no *valid* certificate and key at the locations given by
the options `ssl_certificate` and `ssl_certificate_key`.
* `nginx-util del_ssl $name` checks if `uci_manage_ssl` is
set 'self-signed' in the corresponding UCI section. Only
then does it remove all of the above options, regardless of their
value, looking just at the key name. Then, it also changes
all `listen` list items to use port 80 (without ssl)
instead of port 443 with ssl. If stating another port than
443, they are kept the same. Furthermore, it removes the
SSL certificate and key that were indicated by
`ssl_certificate{,_key}`.
* `nginx-util check_ssl` looks through all server sections
of the UCI config for `uci_manage_ssl 'self-signed'`. On
every hit it checks if the SSL certificate-key-pair
indicated by the options `ssl_certificate{,_key}` is
expired. Then it re-creates a self-signed certificate.
If there exists at least one `section server` with
`uci_manage_ssl 'self-signed'`, it will try to install
itself as cron job. If there are no such sections, it
removes that cron job if possible.
For installing a ssl certificate and key managed by
another app, you can call:
`nginx-util add_ssl $name $manager $crtpath $keypath`
Hereby `$name` is as above, `$manager` is an arbitrary
string, and the ssl certificate and its key are
indicated by their absolute path. If you want to remove
the directives again, then you can use:
`nginx-util del_ssl $name $manager`
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
It's useful to be able to dump sections of the database by country
for scripting or just plain sanity checking.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Snort 3.0.3-1 requires libdaq 3.0.0-beta1, but this version is no longer
compatible with Snort 2. Thus OpenWrt now provides both a libdaq and
libdaq3 package. This modifies the snort3 package to require the latter.
Signed-off-by: W. Michael Petullo <mike@flyn.org>
procd-seccomp switched to OCI-compliant seccomp parser instead of our
(legacy, OpenWrt-specific) format. Convert ruleset to new format.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
iputils upstream changed build params with version s20200821
Latest OpenWRT iputils ping now appears to report the openwrt
version tag, rather than iputils date tag
This commit sends a test ping to localhost to evaluate the
capabilities of iputils ping.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Allow `mwan3 interfaces` to get uptime via an internal function and
thus remove the dependency on rpcd for `mwan3 interface` calls.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Upstream commit 90884c62 ("xl2tpd-control refactoring") introduced in
1.3.16 changed command names
The l2tp protocol handler part was from @danvd in pull request
openwrt/packages#13866
Fixes f07319d6 ("xl2tpd: bump to version 1.3.16")
Ref: https://github.com/openwrt/packages/pull/13866
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Maintainer: @codemarauder
Compile tested: Yes
Run tested: x86_64 PCEngines APU
Description:
A Tunnel which Improves your Network Quality on a High-latency Lossy Link by using Forward Error Correction, for all traffic (TCP/UDP/ICMP).
It does it by sending redundant packets and re-arranging them to account for packet loss over the link. It uses Reed–Solomon code.
Signed-off-by: Nishant Sharma <codemarauder@gmail.com>
Signed-off-by: Andrew Mackintosh <amackint@waikato.ac.nz>
Maintainer: me / @null-cipher
Compile tested: Raspberry Pi 3 / brcm2708-bcm2710, OpenWrt 19.07.4
Hyper-V VM / x86_64, OpenWrt 19.07.4
Run tested: Raspberry Pi 3 / brcm2708-bcm2710, OpenWrt 19.07.4
Hyper-V VM / x86_64, OpenWrt 19.07.4
Description:
The NetStinky IDS is a component of the NetStinky suite of tools. It
monitors the traffic on the LAN interfaces of your router for
Indications of Compromise (IoCs), drawn from an auto-updating list of
definitions. IoCs are subsequently reported to the NetStinky smartphone
applications.
In recent commits, the Transmission SSL variants were removed and only
one variant of transmission-daemon is used now. Let's adjust it here as well.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
It was somewhat opaque how the variable is queried. To show this
better, the variable is now a string and not a boolean, so you can see
directly what should happen. With a boolean you always have to think
about what it means when 0 or 1 is used.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Replace locks on /var/run/mwan3.lock with locks via procd.
This fixes a deadlock issue where mwan3 stop would have a procd
lock, but a hotplug script would have the /var/run/mwan3.lock
Locking can be removed from mwan3rtmon since:
1) procd will have sent the KILL signal to the process during
shutdown, so it will not add routes to already removed interfaces on
mwan3 shutdown and
2) mwan3rtmon checks if an interface is active based on the
mwan3_iface_in_<IFACE> entry in iptables, and the hotplug script
always adds this before creating the route table and removes it
before deleting the route table
Fixes github issue #13704
(https://github.com/openwrt/packages/issues/13704)
when the network procd service restarts, it flushes the ip rules. We
need to add these rules back. Since hotplug events are triggered when
the networks come back online, adding this call to the hotplug script
is the most convenient place to refresh the rules.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
The line is too long. For the future it is better to split it into
several lines and make it more clearly arranged. In case of a future
change, not the whole line will be marked as changed.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Will only run when no events are pending.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
[ Update description and split into own commit ]
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
TRACK_OUTPUT was initialized after the INTERFACE variable.
Moving the definition into main fixes this issue.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
In a recent commit, a typo was fixed in the config file of the rp-pppoe
package. As PKG_VERSION/PKG_RELEASE was not increased, the fixed typo
will only be applied for users who install rp-pppoe now. Existing users
will not be aware that there is an updated package with the fixed typo.
They will need to do a force overwrite/reinstall via opkg.
It is a little bit complicated as we are fixing a typo in a conffile, but
this change will be applied to users who do not touch it. In any case,
there should be a bumped version.
Fixes: fe709078ff ("rp-pppoe: fix typo")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
DNS flag day 2020, software should reflect the minimum EDNS 1232 bytes.
Added iface_wan and iface_lan to control internal DNS assignments and
to control what is the local service ACL. Interface wild cards are not
explicitly set so that they can be customized in extended conf.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
* since openwrt master has merged the depending P/R, the old
extra_help/extra_commands syntax is no longer working, see #13798 for
reference
* removed test.sh script from package
Signed-off-by: Dirk Brenken <dev@brenken.org>
* since openwrt master has merged the depending P/R, the old
extra_help/extra_commands syntax is no longer working, see #13798 for
reference
* removed logd dependency, see #13820 for reference
Signed-off-by: Dirk Brenken <dev@brenken.org>
* since openwrt master has merged the depending P/R, the old
extra_help/extra_commands syntax is no longer working, see #13798 for
reference
Signed-off-by: Dirk Brenken <dev@brenken.org>
libudev-zero as well as libudev-fbsd have PROVIDES:=libudev . These
packages have nothing specific that requires one or the other.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
If procd relaunches the ModemManager daemon after e.g. a crash, we
also want it to notify all cached hotplug events, or otherwise we
would end up leaving the daemon running without the full initial
processing done.
This change modifies the init script to include all the required init
commands as part of the procd instance command, so that procd launches
all of them on every respawn.
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Boost headers try to include experimental/string_view when std is less
than c++17. This does not work with libcxx where this header is not
present.
Refreshed patches.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
- DNS Flag Day 2020
(default EDNS buffer size changed from 4096 to 1232 bytes)
-- Added patch, which should be part of the next release
It fixes an issue during cross-compilation (I linked it in the commit
message with the issue link)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
When the ModemManager daemon is started by the init script, we're
explicitly calling mm_report_events_from_cache() so that all the
hotplug events that happened before that moment are properly notified
to the newly launched daemon.
This initial reporting of events does a wait for the ModemManager
process to be available in DBus, and if the daemon isn't registered in
the bus in a given time, the process is considered failed:
Sun Sep 6 16:20:02 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:02 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:03 2020 [2180]: <info> ModemManager (version 1.14.6) starting in system bus...
Sun Sep 6 16:20:03 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:04 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:05 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:05 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:06 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:06 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:07 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:07 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:08 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:08 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:09 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:09 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:10 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:10 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:11 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:11 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:12 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:12 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:12 2020 ModemManager: hotplug: error: couldn't report initial kernel events: ModemManager not running
Update the default wait time for this initial event notification from
10s to 60s, because there are cases where the daemon is slower to
boot, e.g. during the first boot after a sysupgrade.
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Extend configuration of NTP sources in UCI:
- Add nts option to enable NTS
- Add disabled option to allow inactive sources
Add nts section to UCI with:
- rtccheck option to disable certificate time checks on systems that
don't have an RTC to avoid the chicken-and-egg problem (it is less
secure, but still should be better than no NTS at all)
- systemcerts option to disable system certificates
- trustedcerts option to specify path to trusted certificates
Save NTS keys and cookies by default to avoid unnecessary NTS-KE
sessions when restarted or switching back to an already used NTS source.
Also, save the drift to stabilize the clock after chronyd restart.
Signed-off-by: Miroslav Lichvar <mlichvar0@gmail.com>
- Use the chronyc onoffline command to update state of all sources
per current routing configuration
- Don't ignore the "ifupdate" action
- Add NTP servers from DHCP for the interface that went up instead of
the wan4+wan6 interfaces
- Save the servers to files loaded by the sourcedir directive to not
lose them when chronyd is restarted, and remove them when the
interface goes down
Signed-off-by: Miroslav Lichvar <mlichvar0@gmail.com>
Instead of loading /etc/chrony/chrony.conf from the file generated from
the chrony UCI configuration, use the confdir directive in the main
config to load the generated file. This should make it obvious that
chrony is configured in UCI and it can also be easily disabled.
Signed-off-by: Miroslav Lichvar <mlichvar0@gmail.com>
If relay/bridge support isn't required, this variant is about 300 kiB smaller
than the full tor daemon.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Extracted from:
http://deb.debian.org/debian/pool/main/i/ifstat/ifstat_1.1-8.1.diff.gz
Note that I also created a new git repository with these fixes:
https://github.com/matttbe/ifstat/
The original author of these modification is:
Goswin von Brederlow <goswin-v-b@web.de>
ChangeLog:
* snmp.c: fix 2 pointer targets differ in signedness warnings
* Adding support for 64bit /proc/net/dev counters.
* Clean up compiler warnings.
More modifications are available in the patch from the Debian project
but mostly related to the "debian" dir, man page and debug mode. Here I
only took the modifications related to the .c and .h files.
The most important fix is related to the support for 64bit counters in
/proc/net/dev instead of displaying 0 after a while.
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
- support trailing route space from iproute2
- add routes even when iface is down
- fix source_routing argument check
- add quotes in logging to better detect issues with trailing spaces
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Contains following list of changes:
ab4c3471b261 tests: add cram based unit tests
7b4e3241e1bd tests: add cgi-io built with clang sanitizers
21831f45d16d Disable session ACLs during unit testing
2f525417b5df Add initial GitLab CI support
57f1c4f18cb6 Add .gitignore
09f9ac5066ee Fix off-by-one in postdecode_fields
ed8ce0d5d28b Add fuzzing of utility functions
a61581819800 Add fuzzing of multipart_parser
6b0615b728ed Refactor utility functions into static library
a0ed2c9a7a72 Fix clang compiler errors
232659da19a4 Fix possible NULL dereference
8e5719b37a67 Fix warnings reported by clang-10 static analyzer
b99aa8a64cca Remove Makefile
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Allows the Makefile to be cleaned up and to have fewer dependencies.
There's no need for multiple TLS libraries to be installed.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
openconnect v8.10 supports 4 VPN protocols
--protocol=anyconnect Compatible with Cisco AnyConnect SSL VPN, as well as ocserv (default)
--protocol=nc Compatible with Juniper Network Connect
--protocol=gp Compatible with Palo Alto Networks (PAN) GlobalProtect SSL VPN
--protocol=pulse Compatible with Pulse Connect Secure SSL VPN
This patch allows user to specify protocol use the new "vpn_protocol"
option and deprecate the old option "juniper" which seems to be missing in
the current openconnect client.
Signed-off-by: Mengyang Li <mayli.he@gmail.com>
version 8.2.6 (October 19, 2020):
- try and address license concerns with LICENSE.md
- replace usleep with nanosleep (Rosen Penev <rosenp@gmail.com>)
- console: Add 'k' option to exit on console-down (Mylène Josserand <mylene.josserand@collabora.com>)
- Fix#48 - apply ipv4 CIDR access list when compiled with ipv6 support
Signed-off-by: Bjørn Mork <bjorn@mork.no>
The additional directory is created and can be used e.g. for configurations
which are created e.g. dynamically from an uci config.
Signed-off-by: Helge Mader <ma@dev.tdt.de>
For applications writing their own xinetd configuration to the /etc/xinetd.d
directory it would be necessary to save them (e.g. a user edits them manually)
Signed-off-by: Helge Mader <ma@dev.tdt.de>
When the interface section was changed, the changed configuration
options were not applied.
This commit adds the service reload handling again.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* switch all safesearch providers to dynamic ips (derived from cname)
* made the new safesearch approach compatible with bind-nslookup
* removed 3.x config compatibility code
Signed-off-by: Dirk Brenken <dev@brenken.org>
Django 3.1 supports relative paths for static_url.
Use it to make it more flexible.
Minor fixes for upgrade:
* ignore-fail-on-non-empty for rmdir /usr/share/etesync-server/etesync_server
* do not stop service (it is stopped already and init file is removed)
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
The underlying `acme.sh` allows custom ACME server URLs (using `--server`). Adding the necessary field to specify a custom ACME server URL from UCI.
Signed-off-by: Jannis Pinter <jannis+openwrt@pinterjann.is>
Use "mwan3 use" to wrap a command with interface bindings so that you can
avoid the mwan3 rules and test behavior on a specific interface.
eg "mwan3 use wan ping -c1 1.1.1.1"
Additional binding arguments to the command will have their system
calls intercepted and ignored.
eg "mwan3 use wan ping -c1 -I tun0 1.1.1.1" will use the
device associated with "wan", rather than "tun0".
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Rather than using a special mwan3 user to manage mwan3track's tracking
packets, this commit implements a small helper library to bind to
device and to set a fwmark so that the tracking packets can be routed
out of the correct interface.
This provides a consistent method for binding to a device rather than
relying on various packages potentially buggy implementations. For
example: #8139 and #12836
This helper also allows for more tracking methods to be added
even if they do not have a command line option to bind to device,
such as iperf3 (eg #13050).
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
start all mwan3mon and mwan3track instances on mwan3 start
if an interface is down when mwan3track starts, it waits
for a signal from the hotplug script to start
procd can then handle stopping all of the scripts when mwan3
is halted
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
correctly terminate interface status checks with new lines so that
interface status does not get confused when one interface is a prefix
of another interface.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
handle creation of routing tables in mwan3rtmon to avoid race
conditions and potentially missing routes
handle ipv6 routes that have expiry
update directly connected ipset when routes are added or deleted
add fall through rules so that the default routing table is not
used if no rule in the interface-specific routing table matches
add option to comply with mwan3 source based routing
get default route parameters from main routing table
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Remove paxctl stuff. pax is not packaged in OpenWrt.
Add reload support.
Install lua cfg file as 644. It's needed to be readable as prosody user
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* Change KEY/HMAC_KEY to __CHANGEME__, which is rejected by fwknopd
during start-up. The value CHANGEME is used only by LuCI package
luci-app-fwknopd - pull request for generating keys directly from
LuCI has been created already.
* Add sensible defaults for ENABLE_IPT_FORWARDING and ENABLE_NAT_DNS,
which both are/were set by luci-app-fwknopd. Move the defaults here.
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
The substring "release_" does not reflect the version number.
In addition, package names will be shorter.
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
mbedcrypto should be searched, not mbedtls. Also, there is no pkgconfig
file with mbedtls. Fixed that as well. Removed Makefile hacks.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
No functional changes, just moved the sources into an out-of-tree
project[1] so it's going to be easier to do CI with unit testing,
fuzzing etc.
1. https://git.openwrt.org/?p=project/cgi-io.git;a=shortlog
Signed-off-by: Petr Štetiar <ynezz@true.cz>
AdGuardHome is a network-wide ads and trackers blocking DNS server.
After installing it with opkg, start it like every service:
/etc/init.d/adguardhome start
In order to complete the installation visit http://{YOUR_ROUTERS_IP}:3000.
Then you can setup dnsmasq to forward DNS traffic to AdGuardHome:
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server=127.0.0.1#{PORT_SET_DURING_INSTALL}
uci set dhcp.@dnsmasq[0].noresolv=1
uci commit dhcp
/etc/init.d/dnsmasq restart
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
If lighttpd loads mod-auth, it also automatically tries to load
mod-authn_file, and fails if it's not available. That is a compatibility
feature of lighttpd after the functionality was split into modules.
Signed-off-by: Jan Kardell <jan.kardell@telliq.com>
* fix a vpn/iptables race condition
* remove needless dnsmasq dependency
* synchronize code-base of all auto-login scripts, due to
COVID-19 restrictions all of them are still untested/WIP
* various small cleanups
Signed-off-by: Dirk Brenken <dev@brenken.org>
This meta-package contains only dependencies for modules needed in
FreeRADIUS default configuration.
This commit adds missing description and install sections.
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
The provider could also be read from the custom directory. To always get
the latest version of the provider config json file, we read the custom
directory first and, if the provider file is not found there, check the
default directory afterwards.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Since we can also install custom ddns services, the name for the default
services is not optimally chosen. To emphasize this the folder with the
standard services for the package feed will be renamed to default.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If we install ddns-scripts we also install the default
ddns-scripts-services package. So the behaviour for the user does not
change.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This package does not currently compile.
This is needed to do so that it compiles:
- fix emptying CXX variable in configure script
- fix automake not generating Makefile (remove doxygen definitions)
- force gnu++11 by patch, does not work with configure variable
Also because of changed API in libmicrohttpd:
- fix HttpServer
Moreover this package does not support --disable-slp configure option
anymore, remove it.
Signed-off-by: Marek Behún <kabel@blackhole.sk>
Note:
Fixes CVE-2020-1472 in case smb.conf
contains 'server schannel = no' or 'server schannel = auto'
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
Since we no longer need to edit the service and service_ipv6 files during
installation, the preinst and postinst scripts can be removed. They are
not needed anymore.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
From my point of view there are several reasons why this uci default
script should be deleted.
- This script is no longer maintained and there was no significant
change since the old stable release openwrt-18.06.
- The script is installed with every additional package. Which is kind
of funny. It would be better to maintain a separate uci default upgrade
script for each package. So uci default tasks that are no longer needed
can simply be deleted without having to watch and test the whole script.
- The script is also not so easy to maintain, because the code is not
easy to read.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Stan Grishin <stangri@melmac.net>
shellchecked
Signed-off-by: Stan Grishin <stangri@melmac.net>
shellchecked
Signed-off-by: Stan Grishin <stangri@melmac.net>
- new package dependency: curl (plus one of the wpad variants)
- optional package dependencies:
- 'msmtp' for email notification support
- 'wireguard' or 'openvpn' for vpn support
- removed WEP support, only WPA/WPA2/WPA3 are supported!
- new, more robust setup wizard (CLI and LuCI)
- more robust captive portal detection
- randomize mac addresses with every uplink connect
- automatic vpn handling during uplink switch (only classic/simple
client-setups for wireguard or openvpn are supported)
- email notifications after successful uplink connections
- automatically disable uplinks after n minutes, e.g. for timed
connections
- automatically (re-)enable uplinks after n minutes, e.g. after failed
login attempts
- complete LuCI rewrite - migrated to client side JS (separate PR)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Don't build the sntp binary and libevent2-pthread dependency unless
ntp-utils is selected.
Re-add ntp-keygen dependency libevent2-core.
Fixes openwrt#10307
Signed-off-by: Kenneth J. Miller <ken@miller.ec>
With openwrt/openwrt@51ec51871f one can
now use user/group names instead of numeric uid/gid in FILE_MODES.
Make use of that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Apart from adapting to upstream changes also switch to use FILE_MODES
instead of chown/chmod in init-script.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* update to 4.12.6
* fix optional modules not included on module build (vfs_btrfs, vfs_linux_xfs_sgid)
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
Change URL to codeload. It redirects to it anyway. I was getting a 404
error with the original. I couldn't figure it out.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
- remove patch that has been included upstream
- remove dependence on resolveip
- remove hotplug script that is handled by "proto_add_host_dependency"
- use openfortivpn default tunnel ip if none specified
- add status checking with uclient-fetch
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
If a daemon listens on multiple addresses at once, it'll show up multiple
times in get_listeners() which will clobber the config for uhttpd. Fix this
by skipping subsequent handlings of the same daemon binary.
Fixes#13325.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Update to 40.89.244.237 which is the new IP address that duckduckgo.com is using for safe-search.
Signed-off-by: Greg Dietsche <gregory.dietsche@cuw.edu>
The creation of the dummy package nginx creates some problem with dependency detection for the all-module variant. Reorganize the dependency and compile nginx before the sub-variant.
Fixes#13275
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Canonical radtest start results in an error:
$ radtest bob hello localhost 0 testing123
/usr/bin/radtest: line 1: hostname: not found
(0) Error parsing "stdin": Failed to get value
hostname command is not present in OpenWrt.
Instead, hostname can be obtained from file /proc/sys/kernel/hostname.
added: 004-get-hostname-from-proc-in-radtest.patch
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
radtest utility is used in many manuals to check the operation of
radius server.
At the moment all parameters must be specified at startup, for example:
$ radtest bob hello localhost 0 testing123 0 localhost
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
Support for kernel 4.14 has been removed in main repo, so drop the
dependencies here as well (and those for even older 4.9).
Also drop a patch that is required only for 4.14 and lower.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Since support for kernel 4.14 has been removed, kmod-sched-cake-oot
is gone, and the kmod-sched-cake-virtual package is not needed
anymore.
This effectively reverts 9114244fbd ("sqm-scripts: Switch sch_cake
dependency to new virtual package")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This also removes PKG_BUILD_PARALLEL:=0 that was added for packages that
use HOST_PYTHON3_PACKAGE_BUILD_DEPENDS.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This commit allows for UCI configuration of the "left=" and the
"mark=" values in a StrongSwan IPSec connection. This improves
VTI support and allows certain stricter connection scenarios.
Signed-off-by: Michael C. Bazarewsky <github@bazstuff.com>
openconnect may emit the following error logs every minute when negotiating
with deployments forbidding the usage of DTLS
Thu Aug 27 04:11:59 2020 daemon.notice openconnect[12024]: DTLS handshake failed: Error in the push function.
Thu Aug 27 04:11:59 2020 daemon.notice openconnect[12024]: (Is a firewall preventing you from sending UDP packets?)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Required by ovn-ctl for stopping ovn ovsdb instances
This utility was introduced in 20.03.0, after the project started to be
maintained in its own repo
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Package libcurl is missing dependencies for the following libraries:
libzstd.so.1
Previous patch by Hans Dedecker <dedeckeh@gmail.com> took the easy way
out :)
Suggested-by: Syrone Wong <wong.syrone@gmail.com>
Signed-off-by: Tony Butler <spudz76@gmail.com>
[fixed title]
Signed-off-by: Paul Spooren <mail@aparcar.org>
Instead of using mbedtls by default use wolfssl. We now integrate
wolfssl in the default build so use it also as default ssl library for
curl.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Backport a commit from upstream curl to fix a problem in configure with
wolfssl.
checking size of time_t... configure: error: cannot determine a size for time_t
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Move package over from openwrt.git based on the Hamburg 2019 decision
that non essential packages should be maintained in packages.git
Signed-off-by: Paul Spooren <mail@aparcar.org>
Several security issues are addressed:
- CVE-2020-8620 It was possible to trigger an assertion failure by sending
a specially crafted large TCP DNS message.
- CVE-2020-8621 named could crash after failing an assertion check in
certain query resolution scenarios where QNAME minimization and
forwarding were both enabled. To prevent such crashes, QNAME minimization is
now always disabled for a given query resolution process, if forwarders are
used at any point.
- CVE-2020-8622 It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
- CVE-2020-8623 When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code determining the
number of bits in the PKCS#11 RSA public key with a specially crafted
packet.
- CVE-2020-8624 update-policy rules of type subdomain were incorrectly
treated as zonesub rules, which allowed keys used in subdomain rules to
update names outside of the specified subdomains. The problem was fixed by
making sure subdomain rules are again processed as described in the ARM.
Full release notes are available at
https://ftp.isc.org/isc/bind9/9.16.6/doc/arm/html/notes.html#notes-for-bind-9-16-6
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
Drops pid files, no longer needed with procd management.
Now properly reloads on reload_config after UCI changes.
Signed-off-by: Karl Palsson <karlp@etactica.com>
[ Fixed two shellcheck warnings and bump PKG_RELEASE ]
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
The openfortivpn routes are a bit different than the standard ppp
routes so we need to handle them with a custom ppp-up script.
Gateway should not be set, and src should be set to the PPP local ip
address.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
fakepop is a fake pop3 daemon. It returns always the same messages to all users, it does not care about usernames and passwords. All user/pass combinations are accepted.
Signed-off-by: Marc Egerton <foxtrot@realloc.me>
Includes:
- dawn_uci: fix crashing when uci config is received
- tcpsocket: add option to add server ip
A new config option allows to add a server ip
option server_ip '10.0.0.2'
However, this server does not send anything back. Therefore it is not
possible to change the node configuration. This will probably be added
soon. The main goal of this commit is to allow monitoring of all nodes
in a network with DAWN, e.g. clients, channel utilization, ...
Also a network option (3) has been added which allows to use TCP but
not to announce your daemon in the broadcast domain. This allows you to
create a monitor-only node that holds only the local information and
forwards it to the central server.
A monitor-only node could be configured like
option server_ip '10.0.0.1'
option tcp_port '1026'
option network_option '3'
Another possible config is
option server_ip '10.0.0.1'
option tcp_port '1026'
option network_option '2'
Here, the node shares information with a central server, which can be
located outside the broadcast domain. Nevertheless, it also shares
information within its broadcast domain and can therefore perform
client steering.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Security release. From the changelog:
- In some circumstances, Mosquitto could leak memory when handling PUBLISH
messages. This is limited to incoming QoS 2 messages, and is related
to the combination of the broker having persistence enabled, a clean
session=false client, which was connected prior to the broker restarting,
then has reconnected and has now sent messages at a sufficiently high rate
that the incoming queue at the broker has filled up and hence messages are
being dropped. This is more likely to have an effect where
max_queued_messages is a small value. This has now been fixed. Closes
https://github.com/eclipse/mosquitto/issues/1793
Changelog: https://mosquitto.org/blog/2020/08/version-1-6-12-released/
Signed-off-by: Karl Palsson <karlp@etactica.com>
This patch makes it possible to configure and limit per-client internet
speed based on MAC address and it can work with SQM.
This feature is what OpenWRT currently lacks. This patch is largely based
on static.sh and the configuration file is similar to original nft-qos.
New configuration options and examples are listed below
config default 'default'
	option limit_mac_enable '1'

config client
	option drunit 'kbytes'
	option urunit 'kbytes'
	option hostname 'tv-box'
	option macaddr 'AB:CD:EF:01:23:45'
	option drate '1000'
	option urate '50'

config client
	option drunit 'kbytes'
	option urunit 'kbytes'
	option hostname 'my-pc'
	option macaddr 'AB:CD:EF:01:23:46'
	option drate '3000'
	option urate '2000'
limit_mac_enable - enable rate limit based on MAC address
drunit - download rate unit
urunit - upload rate unit
macaddr - client MAC address
drate - download rate
urate - upload rate
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
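A stanza like the ones above is easy to get subtly wrong (a five-octet MAC, a unit nftables does not accept, a zero rate), and a mistake there means a client is either unlimited or cut off. The following lint function is an added example and is not part of the nft-qos package or this patch; it assumes the accepted units are the byte units nftables understands for rate limits (bytes, kbytes, mbytes), that rates are positive integers, and that only `config client` sections carry per-client options. The config text it runs on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the nft-qos package: lint "config client"
# stanzas before they are fed to the firewall. Accepted units are assumed
# to be the byte units nftables understands for rate limits (bytes, kbytes,
# mbytes); rates must be positive integers; macaddr must be six
# colon-separated hex pairs. Problems go to stderr; the return value is
# the number of problems (0 means clean). Reads the config on stdin.
lint_qos_config() {
    errors=0
    section=""
    while IFS= read -r line; do
        # tokenize on whitespace; leading tabs/spaces disappear here
        set -- $line
        [ $# -gt 0 ] || continue
        case "$1" in
            config) section=$2 ;;
            option)
                [ "$section" = client ] || continue
                key=$2
                value=$3
                value=${value#\'}; value=${value%\'}   # strip uci quotes
                case "$key" in
                    macaddr)
                        printf '%s\n' "$value" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' ||
                            { echo "bad macaddr '$value'" >&2; errors=$((errors + 1)); }
                        ;;
                    drunit|urunit)
                        case "$value" in
                            bytes|kbytes|mbytes) ;;
                            *) echo "bad $key '$value' (use bytes, kbytes or mbytes)" >&2
                               errors=$((errors + 1)) ;;
                        esac
                        ;;
                    drate|urate)
                        printf '%s\n' "$value" | grep -Eq '^[1-9][0-9]*$' ||
                            { echo "bad $key '$value' (positive integer expected)" >&2
                              errors=$((errors + 1)); }
                        ;;
                esac
                ;;
        esac
    done
    return $errors
}

# Demonstration on a constructed config with one deliberate mistake (urunit).
lint_qos_config <<'EOF'
config default 'default'
    option limit_mac_enable '1'

config client
    option drunit 'kbytes'
    option urunit 'kbits'
    option hostname 'tv-box'
    option macaddr 'AB:CD:EF:01:23:45'
    option drate '1000'
    option urate '50'
EOF
echo "problems found: $?"
```

Run it as `lint_qos_config < /etc/config/nft-qos` from an init script or a pre-commit hook; a non-zero return is the signal to refuse the reload rather than apply half-valid rules.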
improve startup and runtime performance by
1) moving common startup procedures out of hotplug script when called
from mwan3 start
2) reducing calls to iptables to check status of rules
3) consolidating iptables updates and updating with iptables-restore
4) do not wait for kill if nothing was killed
5) running interface hotplug scripts in parallel
6) eliminate operations in hotplug script that check status on every
single interface unnecessarily
7) consolidate how mwan3track makes hotplug calls
8) do not restart mwan3track on connected events
This is a significant refactor, but should not result in any breaking
changes or require users to update their configurations.
version bump to 2.9.0
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
In hash-checking mode[1], pip will verify downloaded package archives
(source tarballs in our case) against known SHA256 hashes before
installing the packages.
As a consequence, this requires the use of requirements files[2] and
pinning packages to known versions.
The syntax for package Makefiles has changed slightly;
HOST_PYTHON3_PACKAGE_BUILD_DEPENDS no longer accepts requirement
specifiers like "foo>=1.0", only requirements file names (which are the
same as package names in the most common case).
This also updates affected packages, in particular:
* python-zipp: "setuptools_scm[toml]" has been split into
"setuptools-scm toml" to reuse the requirements file for
setuptools-scm (the extra depends installed by "setuptools_scm[toml]"
is toml).
* python-pycparser: This previously used ply 3.10, whereas the
requirements file will now install 3.11.
[1]: https://pip.pypa.io/en/stable/reference/pip_install/#hash-checking-mode
[2]: https://pip.pypa.io/en/stable/user_guide/#requirements-files
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
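To make the pinning concrete: a hash-checked requirements line carries the package, an exact version and a `--hash=sha256:` value, and pip refuses to install an archive whose digest differs. The script below is an added example, not code from this change or from pip; it uses `sha256sum` (or `shasum` where that is what is installed) as a stand-in for pip's own check so that it runs offline, and the archive it pins is constructed, not a real sdist.

```shell
#!/bin/sh
# Added example, not from the packages feed: pin a source archive by SHA256
# the way a pip requirements file does, and check an archive against that
# pin. sha256sum/shasum stand in for pip's own verification so this runs
# offline; the archive in demo() is constructed, not a real sdist.

# SHA256 of a file as a bare hex string. Uses "command -v" rather than
# "which" to pick the available tool (GNU coreutils or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Emit a requirements line in pip's hash-checking syntax:
#   NAME==VERSION --hash=sha256:<hex>
# Usage: pin_requirement NAME VERSION ARCHIVE
pin_requirement() {
    printf '%s==%s --hash=sha256:%s\n' "$1" "$2" "$(sha256_of "$3")"
}

# Check ARCHIVE against a requirements line. Returns 0 on a match and 1
# otherwise, which is the point at which pip would refuse to install.
# Usage: verify_requirement ARCHIVE REQ_LINE
verify_requirement() {
    expected=${2##*--hash=sha256:}   # drop everything up to the digest
    expected=${expected%% *}         # drop any options that follow it
    [ "$expected" = "$(sha256_of "$1")" ]
}

# Demonstration on a constructed archive: pin it, verify, then tamper.
demo() {
    dir=$(mktemp -d)
    archive="$dir/example-1.0.tar.gz"
    printf 'constructed stand-in for a source tarball\n' > "$archive"
    req=$(pin_requirement example 1.0 "$archive")
    echo "$req"
    verify_requirement "$archive" "$req" && echo "hash matches, install allowed"
    printf 'extra bytes\n' >> "$archive"
    verify_requirement "$archive" "$req" || echo "hash mismatch, install refused"
    rm -rf "$dir"
}
demo
```

With real packages the equivalent steps are `pip hash foo-1.0.tar.gz`, which prints the `--hash=sha256:...` fragment for the file you downloaded, and `pip install --require-hashes -r requirements.txt` to enforce it; pip also switches to hash-checking mode on its own as soon as any requirement in the file carries a `--hash`, which is why every pinned package then needs one.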
Setup user database if non-existent, configure uhttpd .php interpreter
and patch php scripts to work out-of-the-box.
Also ship Hotspot 2.0 SPP and OMA DM XML schema/DTD files needed at
run-time for both client and server.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
use only committed uci changes for updating routing table
use functions.sh functions rather than uci command line tool
to find interfaces for routing table.
consolidate rtmon_ipv4 and rtmon_ipv6 functions into a single function
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Add hs20-server and hs20-client packages corresponding to the
hs20/client and hs20/server folders in hostap.git.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* remove 'dshield' and 'sysctl' (discontinued)
* switch 'malwaredomains', 'shallalist' and 'winhelp' to https
* add a second regional list for poland (provided by matx1002)
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Signed-off-by: Dirk Brenken <dev@brenken.org>
Added signal refresh rate option
modemmanager: update readme.md
Added description for added proto options.
Added compile option to compile --with-at-command-via-dbus for allowing
AT commands to modem without --debug flag
Changes to be committed:
modified: net/modemmanager/Config.in
modified: net/modemmanager/Makefile
modified: net/modemmanager/files/modemmanager.init
modified: net/modemmanager/files/modemmanager.proto
modified: README.md
Signed-off-by: Valtteri Holopainen <valtsu@gmail.com>
Fix shellcheck SC2230
> which is non-standard. Use builtin 'command -v' instead.
Once applied to everything concerning OpenWrt, we can disable the busybox
feature `which` and save 3.8kB.
Signed-off-by: Paul Spooren <mail@aparcar.org>
GCC10 defaults to -fno-common, which breaks compilation when there are
multiple definitions of implicit "extern" variables. Remove the extra
definitions.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
From CHANGES_2.4:
SECURITY: CVE-2020-11984 (cve.mitre.org)
mod_proxy_uwsgi: Malicious request may result in information disclosure
or RCE of existing file on the server running under a malicious process
environment. [Yann Ylavic]
SECURITY: CVE-2020-11993 (cve.mitre.org)
mod_http2: when throttling connection requests, log statements
were possibly made that result in concurrent, unsafe use of
a memory pool. [Stefan Eissing]
SECURITY:
mod_http2: a specially crafted value for the 'Cache-Digest' header
request would result in a crash when the server actually tries
to HTTP/2 PUSH a resource afterwards.
[Stefan Eissing, Eric Covener, Christophe Jaillet]
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
test_storage: fix compilation with musl 1.2.0
datastorage/test: improve scalability and performance
datastorage: fixed use of wrong client search
general: add memory auditing
memory auditing: bug fixes to memory auditing and hearing map
datastorage: fixes to linked list handling
tcpsocket: fix read callback function and arbitrary memory allocations
tcpsocket: leave loop if we read 0 bytes
Furthermore, you can now dump the memory usage by sending a SIGHUP to
the dawn process.
Signed-off-by: Nick Hainke <vincent@systemli.org>
This fixes misleading errors in the status file, and increases buffer
sizes to match the python implementation.
Signed-off-by: Karl Palsson <karlp@etactica.com>
At the moment ss-server seems to be the only component using these two
options. It also accepts "local_address" of either ip4 or ip6 address,
but the meaning is different from that of ss-local, ss-tunnel etc.,
where it is for listen bind.
With this commit, we start the deprecation process of uci option
"bind_address". The name was replaced with "local_addr" in upstream
project commit 5fa98a66 ("Fix #1911") and is available as json config
option "local_address". This upstream change was released in 3.2.0.
Link: 4a42da641b
Link: https://github.com/openwrt/packages/issues/12931
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Config files
/etc/freeradius3/policy.d/accounting
/etc/freeradius3/policy.d/filter
/etc/freeradius3/proxy.conf
/etc/freeradius3/sites-available/default
and link
/etc/freeradius3/sites-enabled/default
are in the freeradius3 package and are mentioned in the main config file
/etc/freeradius3/radiusd.conf
Thus, they must be explicitly specified in the Makefile.
File
/etc/freeradius3/sites/default
is not included in the package, is not created during installation,
is not mentioned in the main config file and should therefore be excluded
from the Makefile.
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>