This is not supported by letsencrypt, so issuing the certificate will fail.
Instead, add 3072 bits as an intermediate option.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
As pointed out by @andersk, acme.sh already supports ECC certificates, and
they can be set manually in the uci file, just not in Luci. Fix this by
changing the key size selector into a listbox, and adding ECC certs as
options.
Fixes#7825.
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Under certain circumstances nutshutdown was causing a forced
shutdown of the UPS even though killpower was not indicated.
Prevent that. Also clarify the logic for powering off server
by avoiding && || chains.
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
Fix a crashloop under procd when attempting to bind
to any address when no interfaces are yet available.
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
It hasn't been maintained for years and doesn't have recent features such as AEAD crypto and IPv6.
(The "recent" update is fix compilation without deprecated OpenSSL APIs, which is made by Rosen Penev)
It has been superseded by shadowsocks-libev, which is recently maintained by community and has LuCI frontend.
Despite its smaller size, it depends on OpenSSL, which is way larger than MbedTLS, the one shadowsocks-libev used. Thus, it doesn't really fit in space-constrained devices.
Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
The configure script checks for the existence of OpenSSL by checking a
deprecated function. This works around it. The other changes have been done
previously
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Now that the library has been updated, we can also update this.
Switched to codeload as we don't need the submodule anymore.
Various other Makefile consistency updates.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* add automatic blocklist backup & restore, they will be used
in case of download errors or during startup in backup mode
* add a 'backup mode' to re-use blocklist backups during startup,
get fresh lists via reload or restart action
* procd interface trigger now supports multiple WAN interfaces
* change URL for abuse.ch/feodo list source in default config
* small fixes
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
This package install both server client and bridge app... This is useless if someone needs to run only the server on the device. Split the package in 3 subpackage and a base package that contains file needed by all 3. This also upgrade the package to latest release to fix some bug and memory leak.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Update to 1.15.8. Also use HTTPS
PKG_VERSION (nginx version) in 3rd-party modules tarball filename is dispensable and can be dropped to avoid unnecessary downloading
Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
PKG_SOURCE_DIR and PKG_BUILD_DIR are just the default, so remove them
from the gitolite Makefile
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
This is a new package to add tooling for IPv6 Neighbor Discovery
Protocol, ndptool. Builds libndp and ndptool.
Signed-off-by: Thomas Guyot-Sionnest <dermoth@aei.ca>
I am no longer able to support maintaining the stubby daemon for openwrt. I suggest Jonathan Underwood <jonathan.underwood@gmail.com> as a replacement.
* report engine supports multiple listening ports, set
'adb_replisten' to a space separated list of ports,
default '53'
* report engine supports multiple interfaces, set 'adb_repiface'
to 'any'
* small fixes
Signed-off-by: Dirk Brenken <dev@brenken.org>
There have been a couple of point releases, so pull in those changes.
Also codeload seems to be preferred to git tarballs when using github, so
switch to codeload.
Finally, fix a typo in project URL.
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
One local removal was missed in last push of this fix, so
in certain circumstances upsd would run as root even when
it shouldn't.
Fixes f48b060fa7 ("nut: Fix upsd runs as root")
Closes: #6697 (properly)
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
Update the commented out settings in /etc/config/nut_server that
shows the available sections with their default settings.
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
There was a cut & paste error in the handling of 'other'
variables (i.e. driver variables not specifically known
to the package but which some users may require to be add).
There was also a logic error from not switching sufficient
after cut & paste.
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
Handling of driver variable defaults, overrides, and additional
(other) variables changed and left behind some extraneous
config reads (config_get and config_list_foreach). Remove those.
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
The build system allows changing uclibc++ to libstdcpp globally. This
avoids an unnecessary depends in the case of libstdcpp usage.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* add adblock dns query reporting via tcpdump (see readme for details)
* fix tld compression on low memory systems (< 64 MB)
* fix various small issues
Signed-off-by: Dirk Brenken <dev@brenken.org>
Remove hack to avoid readline host dependency, now that readline is
being host/built.
Pass on HOST_CFLAGS, HOST_CPPFLAGS, & HOST_LDFLAGS, to fix buildbots
host-compile errors about not finding openssl headers.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
If safe search is built directly into an image, the /etc/config/dhcp
file will have multiple entries added to it after using sysupgrade
for the nth time (2 or more sysupgrade cycles).
In /etc/config/dhcp, this bug creates duplicate entries like this:
config dnsmasq
list addnhosts '/etc/safe-search/enabled'
list addnhosts '/etc/safe-search/enabled'
This patch ensures that safe search only registers itself one time.
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
The original configure file mixed tab and space
characters as indentation, so use 4 spaces as the
default indentation character.
Add /etc/nginx/conf.d/*.conf as nginx additional configure
files. Then we can add individual conf file for other http
applications without modify the main nginx configure file.
Signed-off-by: James Qian <sotux82@gmail.com>
Changelog prepared by upstream maintainer. It's mostly about code cleanup and
doc amendment
v1.3.13 (December 3, 2018)
* Specify email address for reporting security vulnerabilities [Samir Hussain]
* Fix compile warning with USE_KERNEL in xl2tpd.c [Samir Hussain]
* Applying patch that reduces compile warnings and fixes warnings from gcc and clang. [Gareth Ansell]
* Fix compiler warnings in network.c [Gareth Ansell]
* Add a make command for packaging's prep work [Samir Hussain]
* Add Makefile directive for getting version [Samir Hussain]
* Add a preproc for Watchguard firewall (Github issue #136) [daniel1111]
* Convert from ISO-8859 to UTF-8 [Simon Deziel]
* Update README to provide latest info on xl2tpd + Linux kernel 4.15+ [Samir Hussain]
* Use dh_auto_build in order to allow cross compiles [Helmut Grohne]
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* remove "torify" script
- "torify" script is just a wrapper around torsocks,
but torsocks is not currently present in packages.
* tor-geoip: fix "install" recipe:
- use $(INSTALL_DATA) instead of $(CP) as a proper way
of installing files
* drop deprecated configure option:
"--with-ssl-dir" is considered deprecated and obsolete,
while "--with-openssl-dir" is already present.
* build in parallel
* build with -ffunction-sections, -fdata-sections,
--gc-sections and -flto
* remove "--disable-largefile" in CONFIGURE_ARGS
* remove "-std=gnu99" in EXTRA_CFLAGS
* use $(FPIC) in EXTRA_CFLAGS
* remove trailing whitespace
Compile- and run-tested on ar71xx/generic,
TP-Link Archer C7 v2 (world-wide version).
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
This bumps nginx to latest release, adds support for STREAM MODULE and bump rtmp version to fix a compilation error
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
libevent2 bundled with netatalk is not compatible with openssl 1.1.x.
The binary that links to it, netatalk, is not included in the final
package, so there's no dependency to add.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Patch that changes the order of some include files in ngx_rtp_cenc.c
that caused a compilation failure. Patch submitted upstream (#13).
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
When using serial-port based UPSes with NUT, it is handy to be able to
configure a USB serial port to have be set tot the NUT runas user, so
that NUT can access the serial port automagically.
Closes#6997
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
Closes#6997 - Allows upsd to runas a non-privileged user.
If any driver is running as non-privileged user, the last driver's
user will be used as the server non-privileged user, otherwise the
user specified in config upsd, otherwise nut. Previously the
localisation of RUNAS variable was in the wrong locations.
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
Ptunnel-NG is a bugfixed and refactored version of Ptunnel.
Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
A short while after 3.2.2 was tagged, it was superseded by 3.2.3 with a
minor fix for aligned memory allocation for 32-bit arch
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* remove the "--spider" download option from captive portal
detection to make the heartbeat function more robust.
Keep the uplink connection 'alive' with all sorts of portals.
Signed-off-by: Dirk Brenken <dev@brenken.org>
Adds support for acl_plugin, and acl_opt_* options.
acl_opt_* requires some care as it relies on the internal behaviour of
cfg_load setting environment variables in a certain form. However,
given that _all_ of the cfg_load infrastructure relies on that, we can
be pretty sure that it won't change in a way that will hurt us.
Originally reported as: https://github.com/openwrt/packages/pull/7434
Signed-off-by: Karl Palsson <karlp@etactica.com>
This is to correct the variable name CONFIGSTR in the export_bool
sub-routine: the variable in line 26 was written CONFIGSTRING instead
of CONFIGSTR.
Signed-off-by: Jean-Michel Lacroix <lacroix@lepine-lacroix.info>
Fixes compilation without deprecated OpenSSL APIs
Switched to codeload for simplicity and to fix package upgrades.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
This prevents updates from failing if multiple instances of the
script are running in parallel. This fixes#7492.
Signed-off-by: Martin Konrad <info@martin-konrad.net>
Avoid specifying variables that are not specificy set in order to avoid breaking
drivers for which those variables do not exist. Closes: #7096.
As part of these fixes make sure we have all the variables we need. Closes: #7001.
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
Various path and permissions fixes to properly allow nut-server and nut-monitor to
start properly.
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
Serial drivers don't add much to main NUT and appear to be common,
so make it possible for users to use NUT with serial UPS drivers without
a custom build.
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
The mechanism for making sure hotplug doesn't execute during forced shutdown
was interfering with initial start of hotplug script due to checking for path
that doesn't exist at initial start. This fixes that and closes#6966.
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
Leading zeroes left in ProductId results in some UPS hardware not being matched
by the hotplug script lead to bad permissions and driver not starting.
Closes: #6966
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
This is the irssi-abi-8 branch that was not merged back to master but is
necessary for compilation. As it touches a submodule, I can't add a patch
for it. But I can backport all of the master commits.
Get rid of quasselc dependency as it's now a submodule.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* support multiple WAN interfaces in iptables rules,
set 'ban_iface' option accordingly (as space separated list)
or use the LuCI frontend
* add new "refresh" mode while triggered by fw changes (no download)
* add required ip dependency
* fix wrong 'settype' definition for firehol1 in config
Signed-off-by: Dirk Brenken <dev@brenken.org>
This is to change the init script to a procd init script
This also enable some additional parameters in the binary that
were present but not enabled:
The export file (option export_file)
The import file (option import_file)
The daylog (option daylog_file)
These are disabled by default. Also, the option to run as a daemon
is removed, as not compatible with procd.
There is no change in the binary.
Signed-off-by: Jean-Michel Lacroix <lacroix@lepine-lacroix.info>
Switch to codeload for simplicity and easier package bumping.
Added dependency on pytz on build time as django-admin requires it.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Add to ubus the missing output information "policies" which could already
be observed with the command "mwan3 status".
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The source download storage contains a 0 byte version
of the webui-aria2 sources, which breaks buildbot.
Trigger a new download by bumping the version by a date.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Using the input chain can only limit the upload rate in local network.
Since to do the limit rate on both native and remote, we have to
replace the input hook with prerouting.
Signed-off-by: Rosy Song <rosysong@rosinson.com>
(Added Makefile version bump)
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Not all interfaces may have been allocated address at nlbwmon startup so
it may not collect statistics as expected/configured.
Add interface triggers to catch dhcp events and restart as required.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
a new script based package called "banIP" to block
incoming & outgoing ip adresses/subnets via ipset.
Features:
* a shell script which uses ipset and iptables
to ban a large number of IP addresses
published in various IP blacklists (bogon, firehol etc.)
* support blocking by ASN numbers
* support blocking by iso country codes
* support local white & blacklist (IPv4, IPv6 & CIDR notation)
* auto-add unsuccessful ssh login attempts to local blacklist
* auto-add the uplink subnet to local whitelist
* per source configuration of SRC (incoming) and DST (outgoing)
* supports IPv4 & IPv6
Strong LuCI support:
* easy interface to track & change all aspects of your ipset
configuration on the fly
* integrated IPSet-Lookup
* integrated RIPE-Lookup
* Log-Viewer & online configuration of white- & blacklist
LuCI-Screenshots will follow in the second post.
Forum discussion:
https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985
Signed-off-by: Dirk Brenken <dev@brenken.org>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[correct configure flag from enable-ssl to enable-openssl]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Simple bump from 4.3 to 4.4
Changelog since 4.3:
netdb not saving to disk (#311)
Fix memory leak when parsing SNMP packet (#313)
Fix several windows build issues (#309)
Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306)
Allow compilation with minimal OpenSSL (#281)
Fixed %USER_CA_CERT_xx and %USER_CERT_xx crashes (#301)
Improve const correctness for hash_link (#300)
Bug #4893: Malformed %>ru URIs for CONNECT requests (#299)
Signed-off-by: Marko Ratkaj <marko.ratkaj@sartura.hr>
tor-fw-helper is a helper to automatically configuring port forwarding
for tor, using UPnP or NAT-PMP NAT traversal.
This is a tor-fw-helper rewrite in Go that functions as a drop in
replacement for the original C code.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This is the nftables implementation for qos on OpenWrt,
Currently, it has below features:
* Static QoS : setting limit rate for devices or global network.
* Dynamic/Auto QoS : setting limit rate according to the network
bandwidth and adjust itself automatically (hotplug event).
* Traffic Priority : this feature is like traffic shaping under tc,
it uses ingress hook to handle to packets here.
Signed-off-by: Rosy Song <rosysong@rosinson.com>
All of these are either not needed or not valid.
Added a patch to remove the OPENSSL_WITH_DEPRECATED dependency.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* proactively scan and switch to a higher prioritized uplink,
despite of an already existing connection,
this is configurable via 'trm_proactive' option
(default '1', enabled)
* fix some minor list trim issues
* optimize wlan scanning behavior
* refine debug messages
Signed-off-by: Dirk Brenken <dev@brenken.org>
A multi-year DNSSEC root key update is in progress, as described at
https://www.isc.org/downloads/bind/bind-keys/. This change refreshes the
bind.keys file, ensuring that the new key, in place as of 2018-10-11,
will be recognized and trusted.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
delv is a tool for sending DNS queries and validating the results, using the
same internal resolver and validator logic as named.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
This includes the fix for CVE-2018-5738: When recursion is enabled but the
allow-recursion and allow-query-cache ACLs are not specified, they should be
limited to local networks, but they were inadvertently set to match the default
allow-query, thus allowing remote queries.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
- fix AXFR zones to delay a potentially large download with ntp-hotplug
- fix odhcpd link script to properly delete expired lease data from DNS
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
If we set the option "local_source" in the globals mwan3 section to "none",
traffic generated by the router it self will always use the default route from
the wan interface with the lowest metric. If this interface is down
the router traffic still uses the connection with the lowest metric but
this is disconnected. Load balancing and failover from the lan site is
still possible. Only router generated traffic is not load balanced and
could not use failover.
To solve this issue with router initiated traffic add the additional
option "online_metric" to the mwan3 interface section.
If the interface is connected then this lower "online metric" is set in the
default routing table.
With this change we have at least a failover with router initiated
traffic.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
During runntime of mwan3 we could add dynamicly networks to this ipset
which would then treated as connected networks by mwan3.
This is also usefull for ipsec.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
With the list param "rt_table_lookup" in the mwan3 section globals,
it is now possible to add a additional routing table numbers which would get
also parsed and will be added to the connected network.
So mwan3 will treat them as they are directly connected to this device.
This could be usefull if we use ipsec.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The generation for reporting the policies uses the same code add a
common function to reduce duplication.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This adds a couple of patches when setting some openssl options:
* ECDSA code in openssh-compat.h and libressl-api-compat.c needs to be
be guarded by OPENSSL_HAS_ECC; otherwise, it will not build with
openssl compiled without ECC support.
* Fix openssl version number in openbsd-compat/openssl-compat.c which
failed to compile --with-ssl-engine; this option is used when
CONFIG_OPENSSL_ENGINE_CRYPTO=y
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Signed-off-by: Peter Wagner <tripolar@gmx.at>
This package forces the use of Google and Bing safe search by default.
It does this by adding hosts files for dnsmasq to use. These hosts replace the
normal IP addresses for Google and Bing with addresses that force safe
search to be turned on all the time.
Google and Bing Safe Search are suitable for most businesses, schools, and
families who wish to block adult content. This package also offers
YouTube's restricted and 'restricted moderate' via a configuration
option. The reason that this is not enabled is that it is probably more
suitable for children rather than a wide audience.
This package is designed so that other services that offer safe search can be
added easily in the future.
For more information about safe search please visit these URLs:
- https://support.google.com/websearch/answer/186669
- https://help.bing.microsoft.com/#apex/18/en-US/10003/0
- https://support.google.com/a/answer/6212415
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
Disable PCRE process searching to avoid linking against libprce, which
would cause the build to fail due to a missing dependency. With the
--without-pcre switch, build fails due to an undefined reference, so do
it via CONFIGURE_VARS instead.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[disable PCRE process searching]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
darkstat includes its own strlcat and strlcpy, making the dependency
somewhat pointless.
Fixes compilation ever since glibc dependency on libbsd was removed.
Also removed std=gnu99 as it's not needed with GCC7.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Switch to codeload for simplicity. Rearranged Makefile a bit for consistency between Makefiles.
Removed version dependency for seafile-server to avoid breaking builds.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
This commit brings UCI support to the stubby package.
o All options are documented in the README.md file.
o The README.md file has been re-written to include a short usage
manual.
o The default configuration now includes more Cloudflare addresses.
o The stubby service is (re)started using procd triggers from a
specified interface with a configurable time delay.
o Round robin use of upstream resolvers is now activated by
default.
o Client privacy is now activated by default.
o Options are added for specifying the log level of the daemon and
command line options passed to the stubby command.
Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
