Unbound is configured to restart on hotplug/iface but this can result
in numerous restarts at boot. Unbound also has a restart for NTP.
This was observed to generate trouble and even with procd robustness
too many crashes might occur (rare). Unbound would not be running.
Give more care to /var/lib/unbound/root.key during restarts. Use procd
for iface restarts. Check pidof() to wait one more second for Unbound.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
The checks in the incdefs.sh script do not fully work when cross
compiling. It probably checks the hosts libc. Just provide the settings
manually, as our musl at least supports all these features.
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
On dynamic interface proto (dhcp/pppoe) the hotplug will not execude (exit 9)
because the gateway is already released. The check will now only be made
on a ifup ACTION event.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Fortified headers don't seem to like _GNU_SOURCE in this case,
but we can remove that define since it's not needed. Add a patch
for LEDE until a new horst version is released.
Signed-off-by: Bruno Randolf <br1@einfach.org>
simple-adblock: version 1.5 introduces background processing of downloaded list while the next list is being downloaded
Signed-off-by: Stan Grishin <stangri@melmac.net>
remove answer checking for dnsexit as their API allows for too many return codes to handle them all.
Signed-off-by: Xavier Douville <zorxd@users.noreply.github.com>
options 'add_local_fqdn' and 'add_wan_fqdn' can be affected
by race conditions when they are at level 4. Interface name
may not be returned by network tools. The conf file has bad
record formats and Unbound just will not load. Detect this
and fall back to only the host FQDN (level 3).
squash: improve documentation wording and format codes.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Read UNBOUND_TXT_DOMAIN from main unbound configuration.
This prevents records to be added into Unbound in the default 'lan' zone.
Signed-off-by: Audric Schiltknecht <storm+github@chemicalstorm.org>
For consistency, use full name instead of $(PKG_NAME) in define and eval
lines for all packages.
I've seen reviews that asked to do this before, and I am asking the same
during reviews now. To avoid this in the future, fix this treewide so
when people use existing packages as example, we will not have to
request this change anymore.
This makes all packages consistent with both LEDE and OpenWrt base
repositories.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* optimized connection handling -
removed needless timeouts & wireless commits
* set the pre-configured reload timeout to
a more conservative/realistic value of 30 seconds
* further logging tweaks
Signed-off-by: Dirk Brenken <dev@brenken.org>
includes switch to new CADET implementation.
rps hasn't been ported yet, hence marked as @BROKEN for now.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
vpnbypass: No longer depends on hardcoded WAN interface name).
vpnbypass: Table ID, IPSET name and FW_MARK as well as FW_MASK can be defined in config file.
vpnbypass: Uses iptables, not ip rules for handling local IPs/ranges.
vpnbypass: More reliable creation/destruction of VPNBYPASS iptables chain.
vpnbypass: Updated Web UI enables/start and stops/disables service.
vpnbypass: Beautified output.
Signed-off-by: Stan Grishin <stangri@melmac.net>
* add an "active mode", where travelmate will be restarted
every n seconds (default 60) and checks existing uplink connection
regardless of ifdown event trigger (disabled by default)
* enhance multiple radio support
* fix the ap detection
* respect different radios during scanning & connection handling
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
Unbound UCI tries to protect embedded flash from excess
use. Unbound RFC5011 KSK tracking can rewrite root.key
every few minutes to an hour. It also writes and destroys
files in the same directory during the process.
Recommended UCI delays for copying busy work in /var/
back to /etc/ may be too conservative. These are all
changed from 28 to 9 days.
The RFC5011 KSK results were also destroyed by an
init.d restart, even if /var/ is mounted on persistent
storage like USB drive. /var/lib/unbound/root.key is
now preserved during this process, unless a newer key
is installed in /etc/ manually or package update.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
* add tld compression,
this new "top level domain compression" removes up to 40 thousand
needless host entries from the block lists and
lowers the memory footprint for the dns backends by 8-10 MByte
* optimize restart behavior in case of an error
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
Adds support for the fwmark option.
FwMark is a 32-bit fwmark for outgoing packets.
If set to 0 or "off", this option is disabled.
Signed-off-by: Dan Luedtke <mail@danrl.com>
Unbound 1.6.1 has a few bug fixes for resource leaks,
configuration robustness, compile environment interaction,
and maintaining the trust anchor. The 2017 trust anchor
(DS) is built into unbound and unbound-anchor.
File /etc/unbound/root.key holds 2010/2017 DS record until 2018
https://www.icann.org/resources/pages/ksk-rolloverhttps://www.iana.org/domains/root
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
To have service working nicely with procd it should be running in the
foreground. Otherwise it's not possible to e.g. stop it with the init.d
script. Luckily for us pptpd has a simple switch that allows it.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Fixes: 15e7f611af ("pptpd: convert init script to procd")
This fixes upstream regression introduced in 1.4.40. It was reported &
debugged in https://redmine.lighttpd.net/issues/2793
This fix is queued for 1.4.46 in the personal/gstrauss/master upstream
branch.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* optimize memory consumption &
enable overall sort only on devices with > 64MB RAM,
this prevents sort related kernel dumps
Signed-off-by: Dirk Brenken <dev@brenken.org>
Update to 1.4.42 introduced a problem with starting lighttpd as
OpenWrt/LEDE service. It was stopping whole init process at sth like:
783 root 1124 S {S50lighttpd} /bin/sh /etc/rc.common /etc/rc.d/S50lighttpd boot
799 root 1164 S /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
It was hanging until getting random pool:
[ 176.340007] random: nonblocking pool is initialized
and then immediately the rest of init process followed:
[ 176.423475] jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
[ 176.430754] jffs2_build_filesystem(): unlocking the mtd device... done.
[ 176.437615] jffs2_build_filesystem(): erasing all blocks after the end marker... done.
This was fixed in 1.4.44, but bump directly to 1.4.45 while at it.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* add 'enabled' check in init script
* support multiple radios (see online doc)
* fix race condition in ap check
Signed-off-by: Dirk Brenken <dev@brenken.org>
* various optimizations & corner case fixes
* removed no longer needed debug information
* polished up for forthcoming LEDE release ;-)
Signed-off-by: Dirk Brenken <dev@brenken.org>
This is a long-needed clean-up.
These applications are not gone! They live in the
luci repo now, where all their friends already are.
Signed-off-by: Dan Luedtke <mail@danrl.com>
Makefile had sed commands in "prepare" step that modified the
source files directly. That lead to feed update failure at the
buildbot.
Remove those commands as the first aid.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
According to the snmpd.conf man page, the engineID of an snmp agent
should be consistent through time. However, it seems that the engineID
changes every reboot. Add options to configure how the engineID is
generated. The default setting generates it based on the MAC address of
the eth0 interface.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
When for example 'package/net/adblock' and DNSSEC vs NTP robustness
is enabled, significant restart thrashing can occur at boot up. DHCP
lease triggers may be occuring at the same time. Unbounds DNS-DHCP
may be incomplete until new DHCP solicit events. Solve this by
leaving a passive but complete host conf file during lease trigger.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
This reverts commit 79b6e9dc61.
Undo the recent vnstat update due to upstream bugs preventing database
restoration.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Bug fix dhcp4_slaac6 option was adding to all IP6 routes.
Filtering was added to this process to only include addresses
served from "this dhcp interface."
adblock 2.3.0 file output is now detected and automatically
integrated into Unbound local-zones. adblock deposites its
block site zone-files into /var/lib/unbound. If this is not
desired, then disable adblock or reconfigure to avoid Unbound.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
* automatically selects dnsmasq or unbound as dns backend
* add the new 'adguard' source, a combined/quite effective block list
* remove needless dns backend restarts
* optimize adblock restart behavior
* optimize block list processing on inotify enabled filesystems
* better return code checking on block list download
* fix boot function/startup on Chaos Calmer
* fix a bug in blocklist removal function
* add more (optional) debug output
* move backup options to global config
* documentation update
Signed-off-by: Dirk Brenken <dev@brenken.org>
fixed: stop function used to kill the hotplug file
fixed: despite ubus wait_for network.interface.wan and WAN-IF hotplug, sometimes we'd get no WAN ip on start
Signed-off-by: Stan Grishin <stangri@melmac.net>
Update nginx to version 1.10.3.
Add new configuration options to enable the following optional
modules (disabled by default):
- http_auth_request_module
- http_v2_module
- http_realip_module
- http_secure_link_module
Signed-off-by: Val Kulkov <val.kulkov@gmail.com>
The needed shaper modules are now in kmod-sched-core, so we don't need
to depend on the full kmod-sched anymore.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
samba.org has apparently started to enforce https-only downloads,
so update the download links for rsync and cifs-utils.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Stan Grishin <stangri@melmac.net>
vpnbypass: fixed renamed option in stop_service
Signed-off-by: Stan Grishin <stangri@melmac.net>
vpnbypass: fixed typo in makefile, switch FW_MARK to 0x010000 to play nice with SQM/mwan (thanks Hannu)
Signed-off-by: Stan Grishin <stangri@melmac.net>
vpnbypass: proper masking in setting mark
Signed-off-by: Stan Grishin <stangri@melmac.net>
vpnbypass: separating luci-app-vpnbypass into different tree
Signed-off-by: Stan Grishin <stangri@melmac.net>
vpnbypass: fixed incorrect use of procd_add_reload_interface_trigger according to http://wiki.prplfoundation.org/wiki/Procd_reference
Signed-off-by: Stan Grishin <stangri@melmac.net>
Unbound+DHCP (server of your choice) should be able to replicate
a lot of what dnsmasq provides. With this change set Unbound
still works with dnsmasq, but also it can work with a plain
DHCP server. Features have been added within the UCI itself
to act like dnsmasq.
- alone: name each interface relative to router hostname
- alone: prevent upstream leakage of your domain and '.local'
- dnsmasq: use dnsmasq UCI to configure forwarding clauses
- dhcp: work with odhcpd as example of companion DHCP-DNS
- dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records
- all: enable encrypted remote unbound-control using splice conf
- all: allow user spliced conf-files for hybrid UCI and manual conf
-- 'unbound_srv.conf' will be spliced into the 'server:' clause
-- 'unbound_ext.conf' will add clauses to the end, example 'forward:'
README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and
unbound-with-odhcpd have better/added UCI starters. HOW TO for
including unbound_srv.conf and unbound_ext.conf are added.
Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6,
dhcp_link, domain, and domain_type
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
This is bare minimum change in 'unbound.sh' and
'dnsmasq.sh' to migrate the UCI option set for
more flexibility. The boolean(s) to link to
dnsmasq are being changed to a state to include
odhcpd. It is executable but a small step for
clear change management.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
The UCI for Unbound already links to dnsmasq, but what
if with Unbound, we want to configure a plain dhcp server.
Most servers can call a script for lease events. That
script can then formulate DNS records and load them
with unbound-control (dependency).
The files added here work with OpenWRT/LEDE odhcpd, such
that it can be run alone. They can be used as examples
for any dhcp server. 'odhcpd.sh' is to be called by
odhcpd when a lease event occurs. 'odhcpd.awk' is called
internal to the shell script. The awk script handles
any tricky reformating that may be required.
/etc/config/dhcp
config odhcpd 'odhcpd'
option leasetrigger '/usr/lib/unbound/odhcpd.sh'
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
If Unbound was disabled and at later time enabled, then it
would operate in DNSSEC less-secure mode. When NTP hotplug
was called, the timestamp file was not updated. This was
found testing Unbound vs other tools (bind, dnsmasq).
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
The virtual package declared by PROVIDES must not have the same name as the
variant declaring it, otherwise buildroot will fail with errors like:
cp: '.../pkginfo/mosquitto.provides' and '.../pkginfo/mosquitto.provides' are the same file
In order to fix the above error, rename the existing "mosquitto" and
"libmosquitto" packages into "mosquitto-ssl" and "libmosquitto-ssl"
respectively.
Also substitute use of $(PKG_NAME) with literal "mosquitto" in
Package/* defines to improve readability of the Makefile.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Compile tested: LEDE HEAD
If unixodbc package is present in the environment, subversion
fails to compile due to missing dependencies.
Fixes the dependency on unixodbc if unixodbc package is selected.
Signed-off-by: Val Kulkov <val.kulkov@gmail.com>
Update the pen package to upstream release v0.34.0 in order to fix the
following build error reported by the buildbot:
ssl.o: In function `ssl_create_context':
ssl.c:(.text+0x9c): undefined reference to `SSLv3_method'
collect2: error: ld returned 1 exit status
Also switch from PKG_MD5SUM to PKG_HASH with SHA256 while we're at it.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The buildbots fail to build socat due to the following error:
nestlex.c:14:7: error: unknown type name 'ptrdiff_t'
It appears that certain source files do not include all required headers,
depending on the configure options passed to socat.
Work around the error by passing `-include stddef.h` via `TARGET_CFLAGS` to
forcibly inject this header file into all compilation units.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Adding PROVIDES to both the daemon and library and -nossl variants allow
downstream packages to simply declare a single dependency.
mosquitto-client however, still needs to explicitly depend on the ssl or
nossl variant however.
Signed-off-by: Karl Palsson <karlp@etactica.com>
use ntpq to check the status of the ntp server as all other status scripts included in the ntp tarball are
based on perl which would dramatically increase the footprint of ntpd
Signed-off-by: Peter Wagner <tripolar@gmx.at>
Wondershaper has been superseded by both qos-scripts and sqm-scripts, it's time to retire it for good.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Mark the directories containing the keys for hidden services as
conffiles to preserve them over sysupgrade.
Fixes: #2247
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
In addition update some configure options and use EXTRA_CFLAGS.
Setting RunAsDaemon to 1 will be overwritten by the init script option
"--runasdaemon 0" anyway and we want it in foreground for procd.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Adds configuration option for NFQ capture, moves often written
configuration files to /var/etc.
Signed-off-by: Jonathan Bennett <JBennett@incomsystems.biz>
Released version 1.7.2 with the following main changes :
- BUG/MEDIUM: lua: In some case, the return of sample-fetches is ignored (2)
- SCRIPTS: git-show-backports: fix a harmless typo
- SCRIPTS: git-show-backports: add -H to use the hash of the commit message
- BUG/MINOR: stream-int: automatically release SI_FL_WAIT_DATA on SHUTW_NOW
- DOC: lua: documentation about time parser functions
- DOC: lua: section declared twice
- BUG/MINOR: lua/cli: bad error message
- DOC: fix small typo in fe_id (backend instead of frontend)
- BUG/MINOR: Fix the sending function in Lua's cosocket
- BUG/MINOR: lua: memory leak executing tasks
- BUG/MINOR: lua: bad return code
- BUG/MEDIUM: ssl: properly reset the reused_sess during a forced handshake
- BUG/MEDIUM: ssl: avoid double free when releasing bind_confs
- BUG/MINOR: stats: fix be/sessions/current out in typed stats
- BUG/MINOR: backend: nbsrv() should return 0 if backend is disabled
- BUG/MEDIUM: ssl: for a handshake when server-side SNI changes
- BUG/MINOR: systemd: potential zombie processes
- DOC: Add timings events schemas
- BUILD: lua: build failed on FreeBSD.
- BUG/MINOR: option prefer-last-server must be ignored in some case
- MINOR: stats: Support "select all" for backend actions
- BUG/MINOR: sample-fetches/stick-tables: bad type for the sample fetches sc*_get_gpt0
- BUG/MAJOR: channel: Fix the definition order of channel analyzers
- BUG/MINOR: http: report real parser state in error captures
- BUILD: scripts: automatically update the branch in version.h when releasing
- BUG/MAJOR: http: fix risk of getting invalid reports of bad requests
- MINOR: http: custom status reason.
- MINOR: connection: add sample fetch "fc_rcvd_proxy"
- BUG/MINOR: config: emit a warning if http-reuse is enabled with incompatible options
- BUG/MINOR: tools: fix off-by-one in port size check
- BUG/MEDIUM: server: consider AF_UNSPEC as a valid address family
- MEDIUM: server: split the address and the port into two different fields
- MINOR: tools: make str2sa_range() return the port in a separate argument
- MINOR: server: take the destination port from the port field, not the addr
- MEDIUM: server: disable protocol validations when the server doesn't resolve
- BUG/MEDIUM: tools: do not force an unresolved address to AF_INET:0.0.0.0
- BUG/MINOR: ssl: EVP_PKEY must be freed after X509_get_pubkey usage
- MINOR: proto_http.c 502 error txt typo.
- DOC: add deprecation notice to "block"
- BUG/MINOR: Reset errno variable before calling strtol(3)
Signed-off-by: heil <heil@terminal-consulting.de>
We believe snmpd-static isn't useful, but download stats show it's still
being downloaded. Instead of dropping it, make it a dummy package that
depends on snmpd.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Jo-Philipp Wich <jo@mein.io>
This fixes a bug when mosquitto is crosscompiled in LEDE on OS X.
UNAME is explicitly executed on the host, when we want it to be treated
as a regular linux build.
This patch passes the proper UNAME=Linux variable to the mosquitto
make file in order to respect linux as cross-compiler.
Signed-off-by: Thomas Huehn <thomas@net.t-labs.tu-berlin.de>
Reviewed-by: Karl Palsson <karlp@tweak.net.au>
This change fixes multiple denial-of-service vulnerabilities:
* CVE-2016-9131: A malformed response to an ANY query can cause an
assertion failure during recursion
* CVE-2016-9147: An error handling a query response containing
inconsistent DNSSEC information could cause an assertion failure
* CVE-2016-9444: An unusually-formed DS record response could cause
an assertion failure
* CVE-2016-9778: An error handling certain queries using the
nxdomain-redirect feature could cause a REQUIRE assertion failure
in db.c
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
Per user request ship the sample upsset.conf file so that
upsset functionality can be used with nut-cgi
Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
Current maintainer (Martin Rowe) offered to hand over
maintership because I'm interested in doing more with
the package than he requires for his own use, so he
felt it made sense for me to maintain the package.
I accepted, hence this commit.
Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
Use /var/run/nut as statepath and set appropriate owner
and permissions on /var/run/nut in order to avoid pidfile
for nut being world-readable.
Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
It looks like serial support was accidentally dropped due to missing
pieces on Config.in and Makefile. Add back serial support by fixing
that.
Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
With a LuCI app (of which I have one written) ucification makes
sense (and is in fact needed), so ucify the initscripts.
Also, rather than making selection of things to include an image
a matter of selecting compile-time config options, make optional
things into seperate packages that are built in default builds,
and leave selection of what to include or not up to the user
(e.g. using ImageBuilder, or adding packages via opkg).
Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
- fix ip extraction if knot host is used together with glue records
- fix ip extraction from nslookup if reverse dns record has ip with dot reported at http://forum.lede-project.org/t/ddns-scripts-error/909
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
Add a few mirrors in-front of main site for offloading
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Signed-off-by: Peter Wagner <tripolar@gmx.at>
As both LEDE and OpenWrt have STAGING_DIR_HOSTPKG now, we can start to rely
on it. See 73b7f55424 for more information on
STAGING_DIR_HOSTPKG.
STAGING_DIR_HOSTPKG won't actually be changed before the first LEDE release
(it is equivalent to $(STAGING_DIR)/host), so this simple search/replace
cleanup is safe to apply. Doing this cleanup now will be useful for the
Gluon project (an OpenWrt/LEDE based firmware framework) for experimenting
with modifying STAGING_DIR_HOSTPKG before doing this in the LEDE upstream.
Also fixes a typo in the dbus Makefile ("STAGIND_DIR").
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Before this change logging was always activated and then IoTivity wrote
a lot of debug messages. Make it now configurable.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Install the header files needed to build something against IoTivity.
This will have it easier to build an application using IoTivity library.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
These patches are making it possible to provide the compiler settings
from the environment so LEDE can change them. This replaces the old
patches with the versions send for upstream inclusion.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This does the following changes:
* update to version 1.2.1
* add iotivity-resource-directory-lib, this is needed by most
applications now
* do not activate security support by default, this caused some
problems and needs some more settings to setup.
* use sqlite version from normal package feed instead of using an own
version
* build against LEDE version of mbedtls
* update example security configuration
* remove some patches that went upstream
* add some new patches fixing problems observed in my environment, most
of them are on their way upstream.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
