Besides updating the package to 1.20.1, this commit removed two patches
that the new release made unnecessary.
Signed-off-by: W. Michael Petullo <mike@flyn.org>
* Use Boolean true to enable inline mode, which is more intuitive than the older ''
* Add skeleton section for openappid since it has been merged[1]
1. 2d4e7d5fd3
Signed-off-by: John Audia <therealgraysky@proton.me>
Use UCI to add temporary incoming firewall rule to accept http traffic for
challenge verification.
This should make uacme compatible with OpenWrt's fw3/4 implementation.
Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
This prevents a forwarding server named like ::1@5453 from being added
to unbound.conf as a forward-host instead of the correct forward-addr.
forward-host requires the name to be resolved, which is impossible in
the absence of another nameserver. Thus, forwarding-only configurations
referencing only the IPv6 loopback address with a port number were
broken.
Signed-off-by: Mark Mentovai <mark@mentovai.com>
This is a fix for the following change:
3d824ea288
Before the change, it was only possible to execute a shell script. To
remove this restriction, a binary or other script language can now also
be used for 'mwan3.user'. Unfortunately, the old shell script was not
executable for older mwan3 version. During a sysupgrade with config transfer,
this 'mwan3.user' script could not be executed for newer mwan3 versions.
To fix this, the calling script checks whether the 'mwan3.user' is executable,
and if not, this executable bit is now set.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Quoting the changelog:
Changes in version 0.4.7.12 - 2022-12-06
This version contains a major change that is a new key for moria1. Also, new
metrics are exported on the MetricsPort for the congestion control
subsystem.
o Directory authority changes (moria1):
- Rotate the relay identity key and v3 identity key for moria1. They
have been online for more than a decade and refreshing keys
periodically is good practice. Advertise new ports too, to avoid
confusion. Closes ticket 40722.
o Minor feature (Congestion control metrics):
- Add additional metricsport relay metrics for congestion control.
Closes ticket 40724.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on December 06, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/12/06.
o Minor bugfixes (cpuworker, relay):
- Fix an off by one overload calculation on the number of CPUs being
used by our thread pool. Fixes bug 40719; bugfix on 0.3.5.1-alpha.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Quoting the changelog:
Changes in version 0.4.7.11 - 2022-11-10
This version contains several major fixes aimed at helping defend against
network denial of service. It is also extending drastically the MetricsPort
for relays to help us gather more internal data to investigate performance
and attacks.
We strongly recommend upgrading to this version, especially for Exit relays
in order to help the network defend against this ongoing DDoS.
o Directory authority changes (dizum, Faravahar):
- Change dizum IP address. Closes ticket 40687.
- Remove Faravahar until its operator, Sina, set it back up online
outside of Team Cymru network. Closes ticket 40688.
o Major bugfixes (geoip data):
- IPFire informed us on August 12th that databases generated after
(including) August 10th did not have proper ARIN network
allocations. We are updating the database to use the one generated
on August 9th, 2022. Fixes bug 40658; bugfix on 0.4.5.13.
o Major bugfixes (onion service):
- Set a much higher circuit build timeout for opened client rendezvous
circuit. Before this, tor would time them out very quickly leading to
unnecessary retries meaning more load on the network. Fixes bug 40694;
bugfix on 0.3.5.1-alpha.
o Major bugfixes (OSX):
- Fix coarse-time computation on Apple platforms (like Mac M1) where
the Mach absolute time ticks do not correspond directly to
nanoseconds. Previously, we computed our shift value wrong, which
led us to give incorrect timing results. Fixes bug 40684; bugfix
on 0.3.3.1-alpha.
o Major bugfixes (relay):
- Improve security of our DNS cache by randomly clipping the TTL
value. TROVE-2021-009. Fixes bug 40674; bugfix on 0.3.5.1-alpha.
o Minor feature (Mac and iOS build):
- Change how combine_libs works on Darwin like platforms to make
sure we don't include any `__.SYMDEF` and `__.SYMDEF SORTED`
symbols on the archive before we repack and run ${RANLIB} on the
archive. This fixes a build issue with recent Xcode versions on
Mac Silicon and iOS. Closes ticket 40683.
o Minor feature (metrics):
- Add various congestion control counters to the MetricsPort. Closes
ticket 40708.
o Minor feature (performance):
- Bump the maximum amount of CPU that can be used from 16 to 128. Note
that NumCPUs torrc option overrides this hardcoded maximum. Fixes bug
40703; bugfix on 0.3.5.1-alpha.
o Minor feature (relay):
- Make a hardcoded value for the maximum of per CPU tasks into a
consensus parameter.
- Two new consensus parameters are added to control the wait time in
queue of the onionskins. One of them is the torrc
MaxOnionQueueDelay options which supersedes the consensus
parameter. Closes ticket 40704.
o Minor feature (relay, DoS):
- Apply circuit creation anti-DoS defenses if the outbound circuit
max cell queue size is reached too many times. This introduces two
new consensus parameters to control the queue size limit and
number of times allowed to go over that limit. Closes ticket 40680.
o Minor feature (relay, metrics):
- Add DoS defenses counter to MetricsPort.
- Add congestion control RTT reset counter to MetricsPort.
- Add counters to the MetricsPort how many connections, per type,
are currently opened and how many were created.
- Add relay flags from the consensus to the MetricsPort.
- Add total number of opened circuits to MetricsPort.
- Add total number of streams seen by an Exit to the MetricsPort.
- Add traffic stats as in number of read/written bytes in total.
- Related to ticket 40194.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on November 10, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/11/10.
o Minor bugfixes (authorities, sandbox):
- Allow to write file my-consensus-<flavor-name> to disk when
sandbox is activated. Fixes bug 40663; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (dirauth):
- Directory authorities stop voting a consensus "Measured" weight
for relays with the Authority flag. Now these relays will be
considered unmeasured, which should reserve their bandwidth for
their dir auth role and minimize distractions from other roles. In
place of the "Measured" weight, they now include a
"MeasuredButAuthority" weight (not used by anything) so the
bandwidth authority's opinion on this relay can be recorded for
posterity. Lastly, remove the AuthDirDontVoteOnDirAuthBandwidth
torrc option which never worked right. Fixes bugs 40698 and 40700;
bugfix on 0.4.7.2-alpha.
o Minor bugfixes (onion service client):
- A collapsing onion service circuit should be seen as an
"unreachable" error so it can be retried. Fixes bug 40692; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (onion service):
- Make the service retry a rendezvous if the circuit is being
repurposed for measurements. Fixes bug 40696; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (relay overload statistics):
- Count total create cells vs dropped create cells properly, when
assessing if our fraction of dropped cells is too high. We only
count non-client circuits in the denominator, but we would include
client circuits in the numerator, leading to surprising log lines
claiming that we had dropped more than 100% of incoming create
cells. Fixes bug 40673; bugfix on 0.4.7.1-alpha.
o Code simplification and refactoring (bridges):
- Remove unused code related to ExtPort connection ID. Fixes bug
40648; bugfix on 0.3.5.1-alpha.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Now that we're packaging flent itself, there's no reason to have a
completely separate flent-tools package. So integrate the flent-tools
package specification into the main flent package so it's always kept in
sync.
Also add a dependency from flent itself on flent-tools, as the shell
versions of those utilities that Flent uses when running tests don't work
on the busybox shell included with openwrt.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Update the Flent package and move it to net/, renaming it to just 'flent'
instead of python3-flent (it's not a library, having the python3- prefix
makes no sense). Also add python3-defusedxml as a dependency to protect
against XML bombs if using one of the backends that use XML-RPC, and
trim the dependencies to those used directly by Flent.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Traditionally, Snort rules are based upon packet analysis. OpenAppID
enables detection of applications/cloud applications on the network.
This package provides OpenAppID and the signature files used by OpenAppID to
detect network traffic from certain applications. It can be used to identify
rogue application use, detect malicious applications and implement various
application policies, such as application blacklisting, limiting application
usage, and enforcing conditional controls.
To use, for example, edit /etc/snort/local.lua and add the following section
at a minimum:
```
appid = {
    app_detector_dir = '/usr/lib/openappid',
    log_stats = true,
    app_stats_period = 60,
}
```
Signed-off-by: John Audia <therealgraysky@proton.me>
The haproxy hotplug script creates a 'combined' certificate bundle that
contains both the certificate chain and the private key. However, having a
daemon hotplug script write into CERT_DIR is not great; so let's provide
the bundle as part of the main acme framework, keeping it in $domain_dir
and just linking it into CERT_DIR. That way we can keep CERT_DIR as just a
collection of links for everything, that no consumers should need to write
into.
Also make sure to set the umask correctly so the combined file is not
world-readable (since it contains the private key).
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
The acme-acmesh package hardcoded the certificate path in its hook script.
Now that we export it as a variable we can avoid hard-coding and use the
variable version instead. Also factor out the linking of certificates into
a function so it's not repeated.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
The contract between the acme-common framework and consumers and hook
scripts is that certificates can be consumed from /etc/ssl/acme and that
web challenges are stored in /var/run/acme/challenge. Make this explicit by
exporting $CERT_DIR and $CHALLENGE_DIR as environment variables as well,
instead of having knowledge of those paths depend on out-of-band
information. We already exported $challenge_dir, but let's change it to
upper-case to make it clear that it's not a user configuration variable.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
state_dir is actually a hardcoded value in conffiles. Allowing users to
customize it could result in losing certificates after upgrading if they
don't also specify the dir as being preserved. We shouldn't default to
this dangerous behavior.
With the new ACME package, certificates live in the standard location
/etc/ssl/acme, users who need to do certificate customizations should
look for them in that dir instead.
Signed-off-by: Glen Huang <i@glenhuang.com>
Replace my own patch with the upstream solution, which they issued
in response to my bug report.
(Two patches as they overlooked something on the first try.
Reference to https://savannah.gnu.org/bugs/index.php?63431 )
The nettle lib evaluation is now conditional to not having "--disable-ntlm".
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
- Improved logging
- Log the executed curl command to be able to rerun and test it manually
- Log the curl exit status
- Added 30 second timeout for clear-cut detection of flaky connections.
Signed-off-by: Pyry Kontio <pyry.kontio@drasa.eu>
The implementation uses a GCP service account. The user is expected to
create and secure a service account and generate a private key. The
"password" field can contain the key inline or be a file path pointing
to the key file on the router.
The GCP project name and Cloud DNS ManagedZone must also be provided.
These are taken as form-urlencoded key-value pairs in param_enc. The TTL
can optionally be supplied in param_opt.
Signed-off-by: Chris Barrick <chrisbarrick@google.com>
Fix the indentation of the preinst/postinst scripts for the privoxy
package.
Because these scripts didn't start with `#!/bin/sh`
(they instead started with the TAB character), `/bin/sh` was not used
to start them.
On x86_64 and i386_pentium-mmx, this seems to be fine, but on
arm_cortex-a15_neon-vfpv4 and aarch64_cortex-a53, running these
scripts fails with a:
```
Installing privoxy (3.0.33-3) to root...
Collected errors:
* pkg_run_script: package "privoxy" preinst script returned status 1.
* preinst_configure: Aborting installation of privoxy.
* opkg_install_cmd: Cannot install package privoxy.
```
Reported-by: Marius Dinu <m95d+git@psihoexpert.ro>
Signed-off-by: Alois Klink <alois@aloisklink.com>
* add mdns records for started instances
* Makefile: use $(PKG_VERSION) as a value for PKG_SOURCE_DATE instead of
hard-coding it
Signed-off-by: Stan Grishin <stangri@melmac.ca>
This commit adds /etc/snort/local.lua and /etc/snort/homenet.lua for user
defined config options which is more simplistic than modifying upstream
files directly. That can be tedious and decisive to maintain in sync with
upstream changes. The init script has been adjusted accordingly.
Acknowledgment to amish who maintains the Arch Linux snort-nfqueue package[1]
for these ideas and initial code.
Another modification is dropping the following args in the call to
/usr/bin/snort by the init system as these options are provided in
/etc/snort/local.lua:
* --daq-dir /usr/lib/daq/
* -A "$alert_module"
Instructions to configure snort3:
1. Edit /etc/snort/homenet.lua and redefine HOME_NET and EXTERNAL_NET, for example:
```
HOME_NET = [[ 10.9.8.0/24 192.168.1.0/24 ]]
EXTERNAL_NET = "!$HOME_NET"
```
2. Edit /etc/snort/local.lua to setup options unique to your use case of snort.
The default ones I included should be sane for the role of IDS (alert only),
but users may easily uncomment some options therein to use IPS (drop) mode.
3. Install or symlink rules to /etc/snort/rules/snort.rules and optionally
edit /etc/snort/local.lua to define extra rules files if not using a unified
'snort.rules'
References:
1. https://aur.archlinux.org/packages/snort-nfqueue
Signed-off-by: John Audia <therealgraysky@proton.me>
The original idea of the extra namespace variable was to set up
bpfcountd from other daemons etc. independent of what a user configured
in /etc/config/bpfcountd for instance. Like:
```
$ UCI_CONFIG_DIR=/var/run/bpfcountd/gluon-config \
  /etc/init.d/bpfcountd start "" gluon
```
However there are still issues with this approach:
1) Instance specific stop calls like:
```
$ /etc/init.d/bpfcountd stop <instance-name> <namespace>
```
will not stop the according namespaced instance, as the stop() in
/etc/rc.common will call procd_kill() without the namespace prefix.
And we can't overwrite that behaviour. And asking a user to use
"... start <in> <ns>" and "... stop <ns>.<in>" is confusing.
(and currently "... stop <ns>.<in>" would not remove the correct
unix socket).
2) A stop call without an instance/config name would always stop all
instances. So the namespace variable would be ignored.
While start without an instance "works", but:
3) It would stop any process that is not in the currently selected
UCI_CONFIG_DIR.
As all this is not easily fixable without changing OpenWrt internals,
just remove the whole namespace idea for now.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Had to add a patch to allow builds of targets containing '+' in their dir name
Build system: x86_64
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B
Signed-off-by: John Audia <therealgraysky@proton.me>
NATMap is a program for opening a port behind full cone NAT (NAT-1),
without the need for UPnP or other port forward settings.
More details can be found at original repo: https://github.com/heiher/natmap
Signed-off-by: Richard Yu <yurichard3839@gmail.com>
Changes in version v2.4.1 - 2022-12-01
- Issue 40224: Bug fix in utls roundtripper
Changes in version v2.4.0 - 2022-11-29
- Fix proxy command line help output
- Issue 40123: Reduce multicast DNS candidates
- Add ICE ephemeral ports range setting
- Reformat using Go 1.19
- Update CI tests to include latest and minimum Go versions
- Issue 40184: Use fixed unit for bandwidth logging
- Update gorilla/websocket to v1.5.0
- Issue 40175: Server performance improvements
- Issue 40183: Change snowflake proxy log verbosity
- Issue 40117: Display proxy NAT type in logs
- Issue 40198: Add a `orport-srcaddr` server transport option
- Add gofmt output to CI test
- Issue 40185: Change bandwidth type from int to int64 to prevent overflow
- Add version output support to snowflake
- Issue 40229: Change regexes for ipv6 addresses to catch url-encoded addresses
- Issue 40220: Close stale connections in standalone proxy
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* The makefile produces the nft and iptables capable `pbr` package
and the `pbr-iptables` package for legacy setups
* This replaces `vpnbypass` and `vpn-policy-routing` packages
* I'm soliciting feedback on this package and my intention is to
update the version to 1.0.0 before this is merged, but I need the
feedback on this and luci-app-pbr before then.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
bpfcountd was created to obtain packet statistics in larger networks
without stressing the cpu resources. bpfcountd will count the amount
of packages and bytes over time (for each defined rule). The rules
are defined using the tcpdump filter syntax (bpf). The collected
data is provided on a unix socket in plaintext.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Maintainer: @neheb (find it by checking history of the package Makefile)
Compile tested: aarch64/ipq8074
Run tested: aarch64/ipq8074
Description: stubby: bump to latest 0.4.2
Signed-off-by: Rudy Andram <rmandrad@gmail.com>
* store all error/warning messages with the error text id so that
they can be made localizable for the luci app
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Update wget to 1.21.3
* Remove patch 100-fix-hsts-time.patch as upstream has issued
its own version on the fixes
* Add a hack (and fixup autoreconf) to fix an upstream bug that
forces the nettle library into nossl even if NTLM is disabled.
Upstream bug filed: https://savannah.gnu.org/bugs/?63431
* Remove old maintainer who has not been active
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
* instead of doing stop/start which involves restarting dnsmasq twice,
kill the existing service instances on restart instead
Signed-off-by: Stan Grishin <stangri@melmac.ca>
It may take a long time waiting for a new tag, so backport these
important bug fixes for now.
While at it, added 3 new options provided by upstream, and deprecated
the usage of `$(AUTORELEASE)`.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
The github repository has been archived; the project is now hosted on
Codeberg. Update the PKG_SOURCE_URL accordingly.
Gitea doesn't seem to add a version suffix to the directory in the
tarball, so use a custom PKG_BUILD_DIR.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* introduce the new curl_max_file_size option
* prevent warnings/errors to be displayed each time the load_environment
is invoked
* better organize dl_command appendixes
* implement support for downloading/using external dnsmasq config file
* refactor adb_check and adb_allow for better readability
* update default values for some options in the uci_load_validate call
* update reload trigger to include curl options
Signed-off-by: Stan Grishin <stangri@melmac.ca>
This adds the missing protocol (e.g. /tcp and /udp) to the entry in
/etc/services. If the entry already exists, it will add the /tcp to it.
Otherwise, it will look and add the tcp and udp entries if either is
missing.
fixes: openwrt#19665
Signed-off-by: Josh Powers <powersj@fastmail.com>
Switch to git tarball as the meson files did not get added to the
official one.
Backport busybox style binaries. Saves on size.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* update default config file to list options alphabetically
* rearrange some of the init script code to support transition
of WebUI to javascript
* rename wan6_trigger to procd_trigger_wan6 for readability
Signed-off-by: Stan Grishin <stangri@melmac.ca>
In some situations you need to set the compress param without an
algorithm. Compression will be turned off, but the packet framing for
compression will still be enabled, allowing a different setting to be
pushed later.
As it is not possible to have options with optional values at the
moment, I've introduced a pseudo value "frames_only" which will be
removed in the init script.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* update to 7.86.0: https://curl.se/changes.html#7_86_0
* remove 300-curl-wolfssl.m4-error-out-if-wolfSSL-is-not-usable.patch as
it was fixed upstream: https://github.com/curl/curl/pull/9682
* update configure options for OpenSSL as --without-ssl is breaking build
* remove --without-libidn configure arg as it's no longer recognized
Signed-off-by: Stan Grishin <stangri@melmac.ca>
The newest master branch has important fixes. However, no new release is
published [0]. Switch to git and update to latest master commit.
This introduces a new version scheme using the YYYY-MM-DD of the commit.
In addition, add the necessary "PKG_FIXUP" and "PKG_REMOVE_FILES" to allow
compiling the new version. Also enable "PKG_BUILD_PARALLEL".
Further, use a pidfile and remove outdated patches.
https://github.com/sleinen/samplicator/issues/73
Signed-off-by: Nick Hainke <vincent@systemli.org>
* rename wan6_trigger to procd_trigger_wan6
* rename update_dnsmasq_config to dnsmasq_config_update
* add the uci-defaults file to run sed on config file
* update Makefile to include uci-defaults file
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Changes to time_t cause SIGSEGV error on 32bit system and cause ripe
atlas malfunction. (registration successful but no traffic)
Also introduce minor patch to fix some compilation warning.
While at it move PKG_RELEASE to AUTORELEASE macro.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* add patches/020-cmakelists-add-version.patch (thanks @baranyaib90)
to add version information to the binary and fix https://github.com/aarond10/https_dns_proxy/issues/149
* modify Makefile to add version information for the binary
* rename patches/010-fix-cmakelists.patch for better readability
* revert back to service restart in WAN/WAN6 trigger
* update test.sh to test both init script and binary versions
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* bugfix: properly restore empty server config for dnsmasq (to
address issue brought up in https://github.com/stangri/source.openwrt.melmac.net/pull/162)
* better handling of non-existent wan/wan6 interface for triggers
* add resolver url to ubus data for future-proofing WebUI js move
Signed-off-by: Stan Grishin <stangri@melmac.ca>
acme.sh by default uses public DNS resolvers to check if the TXT record was
correctly added when using DNS-01. This can be undesirable in a private
environment where the DNS server is not publicly accessible.
This option allows bypassing such check and simply waiting for a
specific length of time for the TXT record to take effect.
Signed-off-by: Glen Huang <i@glenhuang.com>
Directly calling `/etc/init.d/<service> reload` in a hotplug script can
inadvertently start a stopped service.
Signed-off-by: Glen Huang <i@glenhuang.com>
iputils-ping6 was a subpackage of the iputils package providing the
ping4 and ping6 command before iputils was moved from core to packages.
Currently ping4 and ping6 are replaced by ping -4/-6 and compatibility
symlinks are only installed when explicitly told so with an option, but
the functionality is always provided by iputils-ping.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
* When $wan/$wan6 are empty but double-quoted, it leads to creation
of an interface trigger with empty interface
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* fixed broken/blocked oisd download links (switched to the official github mirror)
* made sure that curl errors out on http errors as well
* removed obsolete compatibility stuff from init script
Signed-off-by: Dirk Brenken <dev@brenken.org>
* bugfix: canary domains persistence (as described in
https://forum.openwrt.org/t/https-dns-proxy-canary-domain-persistance/139967)
* minor: remove global variables and make them local in
service_start/service_stop/service_triggers
* minor: split DEFAULT_BOOTSTRAP into BOOTSTRAP_CF and BOOTSTRAP_GOOGLE for
better code readability
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Exiting directly will result in the procd service being inactive and uci
configuration changes no longer being monitored.
Reported-by: Lvc Revincx <revincx233@gmail.com>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
So that the busybox configuration does not have to be adapted, the
dependency has been changed to coreutils-timeout, which provides the
same functionality.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* made the reporting/top statistics flexible, see "top_count" parm in CLI or in LuCI (default 10), fixes#19622
* added the new blocklist source cpbl (provided by PascalCoffeeLake@gmail.com)
* added/separated Easylist/Easyprivacy blocklist sources (provided by PascalCoffeeLake@gmail.com)
* added reg_jp blocklist_source (provided by PascalCoffeeLake@gmail.com)
* removed the easylist addons from the other regional lists
* removed the second/obsolete pl regional list and renamed the first one to "reg_pl"
* updated the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* make PKG_VERSION of the init script readonly to remove shellcheck
exception
* replace exit with return in the the procd scripts per:
https://github.com/openwrt/packages/pull/19617
* remove custom boot() function as it prevented creation of procd
firewall object on start on boot
* improve performance of allowing domains code
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Up to now on every interface down event a mwan3 disconnected event was
sent. This is wrong because if the interface was never connected, then a
disconnected event should not get generated. This commit fixes this bug.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* upstream bugfix: Add a forgotten 'NULL' initialize for ca_info
if not manually set
* make init script PKG_VERSION variable readonly so that a
shellcheck exception can be removed
* add procd interface trigger to 'wan6' if IPv6 wan interface name
cannot be obtained on start
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Adding perlbase-json-pp to samba4-libs dependencies was the wrong approach and caused
samba packages not to be offered by menuconfig. AFAIK perlbase-json-pp is a perl helper
for building samba4 and seems to be already included in perl/host, so use that instead to
fix the menuconfig issues.
Signed-off-by: Andrew Sim <andrewsimz@gmail.com>
With the newer wget version, wget-nossl can not be compiled due to
missing library, so let's revert it.
Package wget-nossl is missing dependencies for the following libraries:
libnettle.so.8
This reverts commit 5075f5b701.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
This commit contains the following:
* Update binary to version 1.6.1
* Update README URLs in the Makefile to link OpenWrt-specific info
* Separate the binary, the init script and netifd script into 3 packages:
nebula, nebula-service and nebula-proto accordingly
* implement yml parser for init script to fetch variables from it
* add the netifd script for nebula protocol
* update test file to address all built packages
* make the PKG_VERSION variable of init/proto scripts readonly
Signed-off-by: Stan Grishin <stangri@melmac.ca>
add new package keepalived-sync to synchronize files and data
between master and backup node. The master node uses SSH over rsync
to send and the backup node will use inotifywatch to watch received files.
The master node can track rsync.sh script to send configuration file on
a backup node based on the vrrp_script configuration of the same script.
The backup node will have a keepalived-inotify service, which would watch
for newly received files and it would call hotplug event. Each service
can keep its respective script under the keepalived hotplug directory and
execute commands to stop or start the service or update any config in real-time.
Whenever a switchover will happen, the backup node would have the latest
config and data files from the master node.
Hotplug events can be used to apply config when files are received.
Signed-off-by: Jaymin Patel <jem.patel@gmail.com>
tailscale version, tailscaled -version and the web UI reported the wrong
version number which doesn't cause any issues, but it can be confusing.
This is fixed by specifying the version in go ldflags similar to how
it's done in many other go packages and the official tailscale Dockerfile.
version.Long version can not be specified in GO_PKG_LDFLAGS_X because it
contains a space and GO_PKG_LDFLAGS_X is always split at a space.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
* ddns-scripts-services: provide ddns-scripts_service
* ddns-scripts-cloudflare: provide ddns-scripts_digitalocean.com-v2
* ddns-scripts-freedns: provide ddns-scripts_freedns_42_pl
* ddns-scripts-godaddy: provide ddns-scripts_godaddy.com-v1
* ddns-scripts-noip: provide ddns-scripts_no-ip_com
* ddns-scripts-nsupdate: provide ddns-scripts_nsupdate
* ddns-scripts-route53: provide ddns-scripts_route53-v1
* ddns-scripts-cnkuai: provide ddns-scripts_cnkuai_cn
https://github.com/openwrt/packages/pull/13509 renamed many ddns-scripts
packages, but didn't include a PROVIDES for the old package names to
make updates work well.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
When we explicitly declare, that we would like to have curl built with
wolfSSL support using `--with-wolfssl` configure option, then we should
make sure, that we either end up with curl having that support, or it
shouldn't be available at all, otherwise we risk, that we end up with
regressions like the following:
```
configure:25299: checking for wolfSSL_Init in -lwolfssl
configure:25321: x86_64-openwrt-linux-musl-gcc -o conftest [snip]
In file included from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/dsa.h:33,
                 from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/asn_public.h:35,
                 from target-x86_64_musl/usr/include/wolfssl/ssl.h:35,
                 from conftest.c:47:
target-x86_64_musl/usr/include/wolfssl/wolfcrypt/integer.h:37:14: fatal error: wolfssl/wolfcrypt/sp_int.h: No such file or directory
   37 | #include <wolfssl/wolfcrypt/sp_int.h>
      |              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
```
and in the end thus produce curl without https support:
```
curl: (1) Protocol "https" not supported or disabled in libcurl
```
So fix it, by making the working wolfSSL mandatory and error out in
configure step when that's not the case:
```
checking for wolfSSL_Init in -lwolfssl... no
configure: error: --with-wolfssl but wolfSSL was not found or doesn't work
```
References: #19005, #19547
Upstream-Status: Accepted [https://github.com/curl/curl/pull/9682]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
* update to upstream version 2022-08-12
* add ca_certs_file option for CA certs file for curl
* add procd_add_interface_trigger for wan6 (hopefully fixes
https://github.com/openwrt/packages/issues/19531)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
There are many places in the packages' install recipes with multiple
commands being executed in the same shell invocation, separated with a
semicolon (;). The return status will depend only on the last command
being run. The same thing happens in loops, where only the last file
will determine the result of the command.
Change the ';' to '&&', and exit the loop if any operation fails.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
There are six places pointing to files that do not exist any more:
- gns-import.sh in package gnunet-gns (dropped in v0.11.0)
- libgnunetdnsstub.so* in gnunet-vpn (integrated into util in v0.11.0)
- libgnunettun.so* in gnunet-vpn (integrated into util in v0.11.0)
- gnunet-service-ats-new in package gnunet (dropped in v0.12.0)
- libgnunetreclaimattribute.so.* (integrated into reclaim in v0.13.0)
- libgnunetabe.so.* in gnunet-reclaim (dropped in v0.17.2)
They were not noticed because their failing copy commands were part of
loops in which only the last operation had its exit status checked.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
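The two commits above (the ';'-to-'&&' change and the gnunet copy loops that hid missing files) rest on the same shell semantics: the status of a ';' list and of a for-loop is the status of the last command that ran, so an earlier failed cp is invisible to make. The following shell script is an added example, not code from the OpenWrt packages feed or the gnunet package; the function names, the temporary staging tree and the file names (borrowed from the gnunet message, with libgnunettun.so intentionally absent) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the OpenWrt packages feed: shows why commands
# joined with ';' (or an unchecked for-loop) in an install recipe report
# success even when an earlier cp failed, and how '&&' and '|| exit 1'
# make the failure visible. File names are constructed; libgnunettun.so is
# deliberately missing to mimic a file dropped upstream.

# Build a throwaway staging tree: two files present, one absent.
setup_fixture() {
	root=$(mktemp -d)
	mkdir -p "$root/src" "$root/dst"
	echo util > "$root/src/libgnunetutil.so"
	echo arm  > "$root/src/gnunet-arm"
	# "$root/src/libgnunettun.so" is intentionally not created
	printf '%s\n' "$root"
}

# Before: ';'-separated commands. The status of the list is the status of
# the last command only, so the failed first cp is silently ignored.
install_with_semicolons() {
	root=$1
	( cd "$root" ; cp src/libgnunettun.so dst/ ; cp src/libgnunetutil.so dst/ )
}

# Before: loop without a check. A for-loop's status is that of its last
# iteration, so a failure on an earlier file is lost.
install_loop_unchecked() {
	root=$1
	( for f in libgnunettun.so libgnunetutil.so gnunet-arm; do
		cp "$root/src/$f" "$root/dst/"
	done )
}

# After: '&&' stops at the first failing command and returns its status.
install_chained() {
	root=$1
	( cd "$root" && cp src/libgnunettun.so dst/ && cp src/libgnunetutil.so dst/ )
}

# After: '|| exit 1' leaves the loop (and, in a Makefile recipe, the
# recipe's shell) on the first failure instead of continuing.
install_loop_checked() {
	root=$1
	( for f in libgnunettun.so libgnunetutil.so gnunet-arm; do
		cp "$root/src/$f" "$root/dst/" || exit 1
	done )
}

# Run all four against the same fixture and print their exit status:
# the two "before" forms print 0, the two "after" forms print non-zero.
demo() {
	root=$(setup_fixture)
	for fn in install_with_semicolons install_loop_unchecked \
	          install_chained install_loop_checked; do
		"$fn" "$root" 2>/dev/null
		echo "$fn -> exit status $?"
	done
	rm -rf "$root"
}

demo
```

Run it with plain sh. The two "before" functions return 0 although libgnunettun.so was never copied; the two "after" functions return cp's error status. Inside a Makefile recipe the same `|| exit 1` terminates the recipe's shell, so make reports the failure and stops the build. Note that the unchecked loop would only have caught the problem if the missing file happened to be the last item, which is why the six stale gnunet entries went unnoticed.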
According to the package's configure.ac, the reclaimID OpenID Connect plugin
depends on jose. It is installed by the gnunet-rest plugin package:
libgnunnetrest_openid_connect.so.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* add setting to enable/disable blocking access to iCloud Private Relay resolvers
* add setting to enable/disable blocking access to Mozilla resolvers
* rename variables loaded from config in the init script
Signed-off-by: Stan Grishin <stangri@melmac.ca>
As wolfSSL is having a hard time maintaining ABI compatibility between
releases, we need to manually force a rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise, due to the ABI
handling, we would end up with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.
So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages
using wolfSSL library.
Same bump has been done in buildroot in commit f1b7e1434f66 ("treewide:
fix security issues by bumping all packages using libwolfssl").
Signed-off-by: Petr Štetiar <ynezz@true.cz>
* fix bug in download_lists and adb_allow to prevent unintended exclusions from
the block-lists of domains containing an allowed domain. Fixes issue:
https://github.com/stangri/source.openwrt.melmac.net/issues/160
* add support for returning NXDOMAIN/blocking iCloud & Mozilla canary domains,
disabled by default
Signed-off-by: Stan Grishin <stangri@melmac.ca>
It was a bit confusing to use the *verbosity* level for Dry Run mode. Add
an explicit switch for it and a dedicated DRY_RUN variable to make the code
easier to understand.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rename variable to make code easier to understand. This variable
specifies how many times in a row the ddns script tried to update the IP
without success.
Previous name ("ERR_UPDATE") didn't suggest it was for counting
anything. It also didn't specify what error it was related to.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
"Local" suggests something related to the local network or available
locally only. All that code related to the "local" IP was actually
dealing with the *current* external IP address of the device. Using the
name "current" should make the code a bit easier to understand.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rename variable to make code easier to understand. This variable
specifies how many times the ddns script should try to send a request.
Previous name ("retry_count") suggested it was for *counting* attempts.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Section 'Persistence' in 'luci-app-mosquitto' is unusable without a 'persistence'
section in the config file.
Signed-off-by: Ptilopsis Leucotis <PtilopsisLeucotis@yandex.com>
* remove obsolete block-lists from config
* add removal of obsolete lists to config-update
* add AdGuard team's block-list to config
* improve allow command
* improve nftset support
* move config load to uci_load_validate, which required some code refactoring which
looks dramatic, but isn't
* always use dnsmasq_restart instead of dnsmasq_hup for all dns resolution options
for dnsmasq
Signed-off-by: Stan Grishin <stangri@melmac.ca>
snowflake-proxy doesn't write any files
=> run in a read-only rootfs environment
the process needs to read SSL certs but no other files
=> only exposed path is /etc/ssl/certificates (read-only)
running as an unprivileged user with no additional capabilities
=> set no-new-privs bit
By default procd-ujail also isolates the process by executing it in
a separate new IPC and PID namespace.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Package Tor's Snowflake system components so users can offer e.g.
a standalone Snowflake proxy on their routers or other devices.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Gatling is a high-performance webserver from fefe. It gives a
fairly decent feature-set at a really small size. And it's fast.
Co-authored-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Signed-off-by: Martin Hübner <martin.hubner@web.de>
mausezahn is a multicast traffic generator which is part of the
netsniff-ng sources. This utility is needed for the upcoming
kernel-selftests-net-forwarding package. Add a new package for it.
netsniff-ng will automatically detect all installed dependencies and
build only the utilities whose dependencies are installed (meaning:
mausezahn is not built when, for example, libcli is not installed, and
other tools are not built if, for example, zlib is missing). Depending
on the selected packages (netsniff-ng or mausezahn) the OpenWrt build
system has to trigger netsniff-ng's configure script, which will then
pick up and automatically build the programs (mausezahn, netsniff-ng,
trafgen, ...) for which all dependencies are installed.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
The new package would help with measuring one-way delays using ICMP type 13
packets. This is important for various scripts that automatically adjust
CAKE shaper bandwidth based on the observed bufferbloat. They need to
understand whether the delay is on the way up or on the way down, so
that they can adjust the bandwidth of the proper part of the shaper.
https://forum.openwrt.org/t/cake-w-adaptive-bandwidth-historic/108848
https://forum.openwrt.org/t/cake-w-adaptive-bandwidth/135379
V2: refreshed patches
Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
Fixes multiple security issues:
CVE-2022-38178 - Fix memory leak in EdDSA verify processing
CVE-2022-3080  - Fix serve-stale crash that could happen when
                 stale-answer-client-timeout was set to 0 and there was
                 a stale CNAME in the cache for an incoming query
CVE-2022-2906  - Fix memory leaks in the DH code when using OpenSSL 3.0.0
                 and later versions. The openssldh_compare(),
                 openssldh_paramcompare(), and openssldh_todns()
                 functions were affected
CVE-2022-2881  - When an HTTP connection was reused to get
                 statistics from the stats channel, and zlib
                 compression was in use, each successive
                 response sent larger and larger blocks of memory,
                 potentially reading past the end of the allocated
                 buffer
CVE-2022-2795  - Prevent excessive resource use while processing large
                 delegations
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
This version better decodes SSID names which contain emoji, control
characters, and other non-ASCII characters.
https://github.com/awilliams/wifi-presence/pull/8
Signed-off-by: Adam Williams <pwnfactory@gmail.com>
Update the mdio-netlink kmod and userspace mdio-tools to version 1.2.0.
This allows dropping the time64 musl patch which was upstreamed.
[v1.2.0] - 2022-09-15
---------------------
- mdio: A new addressing mode "mmd-c22": Used to access MMDs attached
to MDIO controllers without Clause 45 support by using registers 13
and 14 in the device's Clause 22 register space
- mdio: Pretty print gigabit link capability information from a PHY's
extended status register
- mdio: Pretty print lots of status information from MMDs (C45 PHYs)
- mvls: Decode priority override information of ATU entries
- mvls: Table listings now always print out the device information,
even on single chip systems.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Use an upstream commit to ensure time_t is defined in upsclient.h,
fixing a compile failure in collectd.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Add --without-linux-i2c to configure arguments to avoid using i2c if
found in the staging dir.
Switch to AUTORELEASE.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
- enable json by default to generate json stats
- add rpc to generate json status
- add kmod-nf-ipvs dependencies for virtual servers
- set default vip labels on virtual interfaces
- set process name for keepalived child processes
Signed-off-by: Jaymin Patel <jem.patel@gmail.com>
In the Makefile the library installation was accidentally called
"Package/iperf3/install" and not "Package/libiperf3/install". Fix this
typo. Thanks to Hartmut for spotting this.
Also, iperf3-ssl does not need to depend on libiperf3.
Fixes ae48be8e21 ("iperf3: add shared libiperf library and link iperf3 dynamically")
Signed-off-by: Nick Hainke <vincent@systemli.org>
The metrics and weight need to be the same. A 50% balance would
require member policies of the same metric and weight value.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>