We need the host build of swig only.
And the binding uses libgensiocpp - not the plain
C library, so fix the dependency.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
zerotier as default has executable stack.
[ 11.343143] process '/usr/bin/zerotier-one' started with executable stack
executable stacks are not recommend, possibly provide a threat and there
seems to be no advantage of executable stack with zerotier-one - so let's
build it without instead.
Stack is executable on x86_64, but not on all archs, such as ramips.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
- changed Config.in to enable unix sockets support by default
- release number bumped
Description:
socket support is very handy when communicating with
various REST APIs.
Size increases are very small, nearly unnoticiable.
Tested-by: Stan Grishin <stangri@melmac.ca>
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
* move network.sh and jshn.sh includes into load_validate_config function
to prevent errors when adding the package to image with the Image Builder
* add @bongochong compressed domains block-list to the config
Signed-off-by: Stan Grishin <stangri@melmac.ca>
- Explicitly request the C++11 standard (codebase is not C++17 compliant).
- Removed categories.json from conffiles -- it's not a configuration
file.
- Removed commented-out convenience git hash place-holder -- for some
reason it irritates people.
- Added radix header file to devel files.
- Removed redundant call to Build/Configure (not needed).
Co-authored-by: Tianling Shen <cnsztl@gmail.com>
Signed-off-by: Darryl Sokoloski <darryl@sokoloski.ca>
* fix the auto-detection for pppoe and 6in4 tunnel interfaces
* add the new 'ban_nftpolicy' option to expose the nft set policy, values: memory (default), performance
* add the new 'ban_nftlogevel' option to expose the nft syslog level, values: emerg, alert, crit, err, warn (default),
notice, info, debug, audit
* status optimizations
* logging optimizations
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Added `cgroupsns` to jail, otherwise you get this failure:
```
Mon Mar 6 14:46:05 2023 user.err : jail: Not using namespaces, capabilities or seccomp !!!
```
Error is here, seems to indicate that we're running a jail without using any capability.
https://lxr.openwrt.org/source/procd/jail/jail.c#L2847
Decided to use minimal effort approach
Signed-off-by: BackSlasher <nitz.raz@gmail.com>
simple protocol support script for netifd.
netifd protocol support for cni networks makes
defining network for podman and other similar
systems using cni networking much easier and simpler.
with cni protocol support, on a cni network, where firewall
and portmapper is disabled, you may control firewalling
with openwrt's standard firewall configuration.
for example, create a container that hosts web content on
port 80 with static ip on your cni network, if your
network is 10.88.0.0/16, use for eg. 10.88.0.101 as
your containers static ip address. Create a zone, cni
to your firewall and add your interface to it.
Now you can easily set up redirectiong to 10.88.0.101:80
to expose it's port 80 to wan for serving your website.
Protocol has only one setting: device, on podman this
often is cni-podman0. This protocol may also be used
on other equillavents, such as netavark (cni replacement
in podman), where device as default is podman0.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
* update to 4.17.5
* changelog: https://www.samba.org/samba/history/samba-4.17.5
* refresh patch
* CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against integer overflows when parsing a PAC on a 32-bit system, which allowed an attacker with a forged PAC to corrupt the heap.
https://www.samba.org/samba/security/CVE-2022-42898.html
* CVE-2022-37966: This is the Samba CVE for the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.
A Samba Active Directory DC will issue weak rc4-hmac session keys for use between modern clients and servers despite all modern Kerberos implementations supporting the aes256-cts-hmac-sha1-96 cipher.
On Samba Active Directory DCs and members 'kerberos encryption types = legacy' would force rc4-hmac as a client even if the server supports aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
https://www.samba.org/samba/security/CVE-2022-37966.html
* CVE-2022-37967: This is the Samba CVE for the Windows Kerberos Elevation of Privilege Vulnerability disclosed by Microsoft on Nov 8 2022.
A service account with the special constrained delegation permission could forge a more powerful ticket than the one it was presented with.
https://www.samba.org/samba/security/CVE-2022-37967.html
* CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the same algorithms as rc4-hmac cryptography in Kerberos, and so must also be assumed to be weak.
https://www.samba.org/samba/security/CVE-2022-38023.html
* BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
This resolves errors logged during macOS TimeMachine backups.
https://bugzilla.samba.org/show_bug.cgi?id=15210
Signed-off-by: Michael Peleshenko <mpeleshenko@gmail.com>
* major performance improvements: clean-up/optimize all nft calls
* add a new "ban_reportelements" option,
to disable the (time consuming) Set element count in the report (enabled by default)
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Currently compilation fails because of:
```
opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
library: 'digital envelope routines',
reason: 'unsupported',
code: 'ERR_OSSL_EVP_UNSUPPORTED'
```
What's interesting package gets built but when trying to access UI there's
`404: page not found` error.
It has been reported in multiple places:
* https://github.com/AdguardTeam/AdGuardHome/issues/5559
* https://github.com/AdguardTeam/AdGuardHome/issues/4595
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
Backport a pending PR to add nftables support.
Upstream PR: https://github.com/v2rayA/v2rayA/pull/805
As nftables merged ipv4/ipv6 support into a single command, so simply
enable ipv6 support by default.
While at it, backport a upstreamed fix for simple-obfs plugin.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* finalized the LuCI frontend preparation (this is the minmal version to use the forthcoming LuCI frontend)
* added a Set survey, to list all elements of a certain set
* changed the default logterm for asterisk
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Netbird is similar vpn service as tailscale and zerotier.
Description:
NetBird is an open-source VPN management platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.
It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
These patches should not be backported to OpenWrt, otherwise tproxy
won't work for devices connected to br-lan (bypassed by the fw rules).
We have introduced a new compile-time flag for new version (which
is not released yet), but it's unnecessray to backport redudant
patches as here is still at the old version.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Also added patch that is from alpine's same package to assist building on musl.
Hostpkg build on musl also kept failing, so I added few more overrides, which
made it work perfectly.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
* add oisdbig as new feed
* LuCI frontend preparation:
- the json feed file points always to /etc/banip/banip.feeds (and is no longer compressed)
- supply country list in /etc/banip/banip.countries
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
easydns.com has supported IPv6 for awhile now using
the same update URL as IPv4. This duplicates the IPv4
entry for IPv6 to enable support for it.
Signed-off-by: James Buren <braewoods+mgh@braewoods.net>
* fix a potential race condition during initial startup (after flash) which leads to a "disabled" service
Signed-off-by: Dirk Brenken <dev@brenken.org
Signed-off-by: Dirk Brenken <dev@brenken.org>
add lighttpd-mod-webdav_min package alternative to lighttpd-mod-webdav
lighttpd-mod-webdav_min is more minimal than full lighttpd-mod-webdav.
lighttpd-mod-webdav_min does not support PROPPATCH, LOCK, UNLOCK, and
by not supporting those methods, removes dependencies on libxml2,
libsqlite3, and libuuid.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
- complete rewrite of banIP to support nftables
- all sets are handled in a separate nft table/namespace 'banIP'
- for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook
- full IPv4 and IPv6 support
- supports nft atomic set loading
- supports blocking by ASN numbers and by iso country codes
- 42 preconfigured external feeds are available, plus local allow- and blocklist
- supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
- auto-add the uplink subnet to the local allowlist
- provides a small background log monitor to ban unsuccessful login attempts in real-time
- the logterms for the log monitor service can be freely defined via regex
- auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
- fast feed processing as they are handled in parallel as background jobs
- per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
- automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
- automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
- supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
- provides comprehensive runtime information
- provides a detailed set report
- provides a set search engine for certain IPs
- feed parsing by fast & flexible regex rulesets
- minimal status & error logging to syslog, enable debug logging to receive more output
- procd based init system support (start/stop/restart/reload/status/report/search)
- procd network interface trigger support
- ability to add new banIP feeds on your own
- add a readme with all available options/feeds to customize your installation to your needs
- a new LuCI frontend will be available in due course
Signed-off-by: Dirk Brenken <dev@brenken.org>
* update default config for new oisd.nl lists
* conf.update file to migrate oisd.nl lists to the new format
* introduce AdBlockPlus lists support (new oisd.nl format)
* longer wait for WAN up/gateway detection
* make load_environemnt only execute once to suppress duplicate
warnings/errors
PS. While I was testing this, oisd.nl has brought back the old domains
lists as well, so this version supports both as I'm unclear as to
why the "big" ABPlus list is only 6.2Mb where as the "big" domains
list is whopping 19.9Mb.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
This version adds compatibility with OpenSSL 3.0.
There's a patch, submitted upstream, to fix building without SSL.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
The tranmission UCI config options
- `config_overwrite`
- `incomplete_dir_enabled`
- `watch_dir_enabled`
are all booleans, so we have to retrieve them using `config_get_bool` in order
to make sure they are properly interpreted in case the user sets them to a
keyword (`true`/`false`, `on`/`off` etc.) and not an integer (`0`/`1`).
Signed-off-by: Salim B <git@salim.space>
Samba4 running as Active Directory Domain Controller with the internal
DNS backend requires the nsupdate binary with GSSAPI support.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* add boot() function which waits for network.interface to come up
* switch oisd.nl hosts entry to domains
* remove erroneous oisd substitution from config-update file
Signed-off-by: Stan Grishin <stangri@melmac.ca>
- Update tailscale to version 1.36.0
- Patch iptables support
Tailscale does not (yet) support nftables.
Tailscale allows running with --netfilter=off allowing
end-user to create his own firewall rules, but this
affects only tailscale cli, not tailscaled daemon, so
connection cannot be made without error telling that
tailscaled was unable to determine execute iptables
for determining it's version.
There is a work-around for those who do not want
nft-iptables compatibility package; they can create
a script to /usr/bin/iptables which responds to
--version argument and echos fake version string
and on any other arguments or no arguments, just exits.
After this procedure and starting tailscale cli with
netfilter off- it works. Openwrt has moved on to
nftables, so iptables manipulation seems unnecessary.
Especially for other reasons, on Openwrt, firewall
should be configured on it's own, because firewall
rules made by other software, such as tailscale,
loose their firewalling rules when firewall restarts.
So I patched it to allow "fake" iptables pointing
to executable /bin/false and ignoring version
request. And I also set cli to default to
netfilter off setting.
If still end-user wants to use iptables, this
patch does not make it impossible; just install
iptables, or nft-iptables, and run tailscale
with argument --netfilter=on and it works out
as it did before, tailscaled daemon still
matches with iptables if it is found in $PATH.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Update crowdsec-firewall-bouncer to latest upstream release version 0.0.25
Signed-off-by: S. Brusch <ne20002@gmx.ch>
Maintainer: Kerma Gérald <gandalf@gk2.net>
Run tested: ipq40xx/generic, Fritzbox 4040, Openwrt 22.03.3
Rework:
- now based on uci config file
- create nftables tables and chains in initd script
Fixes CVEs:
- CVE-2022-3924: Fix serve-stale crash when recursive clients
soft quota is reached.
- CVE-2022-3736: Handle RRSIG lookups when serve-stale is
active.
- CVE-2022-3094: An UPDATE message flood could cause named to
exhaust all available memory. This flaw was addressed by adding
a new "update-quota" statement that controls the number of
simultaneous UPDATE messages that can be processed or
forwarded. The default is 100. A stats counter has been added to
record events when the update quota is exceeded, and the XML and
JSON statistics version numbers have been updated.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
Changes in version v2.4.3 - 2023-01-16
- Fix version number in version.go
(Changes for v2.5.1 are missing)
Signed-off-by: Nick Hainke <vincent@systemli.org>
They were added in these commits [1] [2] and if they are not included,
the RIPE Atlas SW Probe does not work correctly.
This should also prevent this from happening in the future as it now. We include all
files with .sh extension file type.
[1] 70ced29fc3
[2] 71a4ff0e68
Fixes: https://github.com/openwrt/packages/issues/20338
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
When CC is set to e.g. "ccache mips-openwrt-linux-musl-gcc" it needs
to be quoted to avoid word splitting on substitution.
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
