Security release. From the changelog:
- In some circumstances, Mosquitto could leak memory when handling PUBLISH
messages. This is limited to incoming QoS 2 messages, and is related
to the combination of the broker having persistence enabled, a clean
session=false client, which was connected prior to the broker restarting,
then has reconnected and has now sent messages at a sufficiently high rate
that the incoming queue at the broker has filled up and hence messages are
being dropped. This is more likely to have an effect where
max_queued_messages is a small value. This has now been fixed. Closes
https://github.com/eclipse/mosquitto/issues/1793
Changelog: https://mosquitto.org/blog/2020/08/version-1-6-12-released/
Signed-off-by: Karl Palsson <karlp@etactica.com>
This patch makes it possible to configure and limit per-client internet
speed based on MAC address and it can work with SQM.
This feature is what OpenWRT currently lacks. This patch is largely based
on static.sh and the configuration file is similar to original nft-qos.
New configuration options and examples are listed below
config default 'default'
option limit_mac_enable '1'
config client
option drunit 'kbytes'
option urunit 'kbytes'
option hostname 'tv-box'
option macaddr 'AB:CD:EF:01:23:45'
option drate '1000'
option urate '50'
config client
option drunit 'kbytes'
option urunit 'kbytes'
option hostname 'my-pc'
option macaddr 'AB:CD:EF:01:23:46'
option drate '3000'
option urate '2000'
limit_mac_enable - enable rate limit based on MAC address
drunit - download rate unit
urunit - upload rate unit
macaddr - client MAC address
drate - download rate
urate - upload rate
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
improve startup and runtime performance by
1) moving common startup procedures out of hotplug script when called
from mwan3 start
2) reducing calls to iptables to check status of rules
3) consolidating iptables updates and updating with iptables-restore
4) do not wait for kill if nothing was killed
5) running interface hotplug scripts in parallel
6) eliminate operations in hotplug script that check status on every
single interface unnecessarily
7) consolidate how mwan3track makes hotplug calls
8) do not restart mwan3track on connected events
This is a significant refactor, but should not result in any breaking
changes or require users to update their configurations.
version bump to 2.9.0
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
In hash-checking mode[1], pip will verify downloaded package archives
(source tarballs in our case) against known SHA256 hashes before
installing the packages.
As a consequence, this requires the use of requirements files[2] and
pinning packages to known versions.
The syntax for package Makefiles has changed slightly;
HOST_PYTHON3_PACKAGE_BUILD_DEPENDS no longer accepts requirement
specifiers like "foo>=1.0", only requirements file names (which are the
same as package names in the most common case).
This also updates affected packages, in particular:
* python-zipp: "setuptools_scm[toml]" has been split into
"setuptools-scm toml" to reuse the requirements file for
setuptools-scm (the extra depends installed by "setuptools_scm[toml]"
is toml).
* python-pycparser: This previously used ply 3.10, whereas the
requirements file will now install 3.11.
[1]: https://pip.pypa.io/en/stable/reference/pip_install/#hash-checking-mode
[2]: https://pip.pypa.io/en/stable/user_guide/#requirements-files
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Setup user database if non-existent, configure uhttpd .php interpreter
and patch php scripts to work out-of-the-box.
Also ship Hotspot 2.0 SPP and OMA DM XML schema/DTD files needed at
run-time for both client and server.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
use only committed uci changes for updating routing table
use functions.sh functions rather than uci command line tool
to find interfaces for routing table.
consolidate rtmon_ipv4 and rtmon_ipv6 functions into a single function
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Add hs20-server and hs20-client packages correspoding to the
hs20/client and hs20/server folder in hostap.git.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* remove 'dshield' and 'sysctl' (discontinued)
* switch 'malwaredomains', 'shallalist' and 'winhelp' to https
* add a second regional list for poland (provided by matx1002)
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Signed-off-by: Dirk Brenken <dev@brenken.org>
Fix shellcheck SC2230
> which is non-standard. Use builtin 'command -v' instead.
Once applied to everything concerning OpenWrt we can disable the busybox
feature `which` and save 3.8kB.
Signed-off-by: Paul Spooren <mail@aparcar.org>
GCC10 defaults to -fno-common, which breaks compilation when there are
multiple definitions of implicit "extern" variables. Remove the extra
definitions.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
From CHANGES_2.4:
SECURITY: CVE-2020-11984 (cve.mitre.org)
mod_proxy_uwsgi: Malicious request may result in information disclosure
or RCE of existing file on the server running under a malicious process
environment. [Yann Ylavic]
SECURITY: CVE-2020-11993 (cve.mitre.org)
mod_http2: when throttling connection requests, log statements
where possibly made that result in concurrent, unsafe use of
a memory pool. [Stefan Eissing]
SECURITY:
mod_http2: a specially crafted value for the 'Cache-Digest' header
request would result in a crash when the server actually tries
to HTTP/2 PUSH a resource afterwards.
[Stefan Eissing, Eric Covener, Christophe Jaillet]
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
test_storage: fix compilation with musl 1.2.0
datastorage/test: improve scalability and performance
datastorage: fixed use of wrong client search
general: add memory auditing
memory auditing: bug fixes to memory auditing and hearing map
datastorage: fixes to linked list handling
tcpsocket: fix read callback function and arbitrary memory allocations
tcpsocket: leave loop if we read 0 byte
Furthermore, you can now dump the memory usage by sending a SIGHUP to
dawn process.
Signed-off-by: Nick Hainke <vincent@systemli.org>
This fixes misleading errors in the status file, and increases buffer
sizes to match the python implementation.
Signed-off-by: Karl Palsson <karlp@etactica.com>
At the moment ss-server seems to be the only component using these two
options. It also accepts "local_address" of either ip4 or ip6 address,
but the meaning is different from that of ss-local, ss-tunnel etc.
where it is for listen bind
With this commit, we start deprecation process of uci option
"bind_address". The name was replaced with "local_addr" in upstream
project commit 5fa98a66 ("Fix #1911") and available as json config
option "local_address". This upstream change was released in 3.2.0
Link: 4a42da641b
Link: https://github.com/openwrt/packages/issues/12931
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Config files
/etc/freeradius3/policy.d/accounting
/etc/freeradius3/policy.d/filter
/etc/freeradius3/proxy.conf
/etc/freeradius3/sites-available/default
and link
/etc/freeradius3/sites-enabled/default
are in the freeradius3 package and are mentioned in the main config file
/etc/freeradius3/radiusd.conf
Thus, they must be explicitly specified in the Makefile.
File
/etc/freeradius3/sites/default
is not included in the package, is not created during installation,
is not mentioned in the main config file and should therefore be excluded
from the Makefile.
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
netifd is clever enough to handle the peerdns and default route
arguments, so we can just let them get passed along, and when
ppp-up invokes proto_send_update, netifd will only apply what
is needed
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Do not manually overwrite the paths of gdbus-codegen or glib-mkenums
in the ModemManager package build, as modifying the configure.ac ends
up requiring a full autoreconf.
Since MM 1.14, git builds or autoreconf-ed source package builds
require autoconf-archive installed in the build system, and so the
build would fail if this happens.
The update to overwrite the paths was to force using the gdbus-codegen
and glib-mkenums provided by the "host" glib2 package instead of the
"target" glib2 package (see fa8ad6e69c),
but these tools are really the same in both as they're python
programs, arch independent.
Tested in a local build where the setup detects and uses the correct
glib tool paths from the target:
/home/user/openwrt/staging_dir/target-mips_24kc_musl/usr/bin/gdbus-codegen
/home/user/openwrt/staging_dir/target-mips_24kc_musl/usr/bin/glib-mkenums
Fixes https://github.com/openwrt/packages/issues/12958
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
This is to make explicit the conditional select of libunwind is only
needed for libopenvswitch. If we spill it over other packages, the
generated kconfig will have recursive dependency issue. 2 new patches
were made for this goal
The other thing is that "+libunwind" will cause it to be built if any of the
packages defined in this Makefile is enabled (y or m). This is at the moment
by-design of the build system.
Libunwind does not support architectures like arc. Use conditional select To
avoid (libunwind) build failures like the following,
checking for ELF helper width... configure: error: Unknown ELF target: arc
make[3]: *** [Makefile:65: /data/openwrt/build_dir/target-arc_arc700_uClibc/
libunwind-1.3.1/.configured_68b329da9893e34099c7d8ad5cb9c940] Error 1
Things like "+PACKAGE_openvswitch-libopenvswitch:libunwind" will also result in
recursive deps error for chains of 3 nodes. Kconfig construct like the
following will be made
config A
tristate
select B
depends on !(C) || (x)
config B
tristate
select C
config C
tristate
config x
bool
Other changes include
- Shared use of variable ovs__common_depends was removed
- Ovn doc build was patched out
Link: https://github.com/openwrt/packages/pull/12959#issuecomment-665021413
Reported-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Simplified Makefile as a result of meson transition.
Fixed license information.
Updated URL.
Added patch to fix linking issue.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
If two openfortivpn scripts are started at the same time, a race
condition can occur where the conditional evaluates to true, but the
symlink exists by the time the other script tries to create it
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Block restart of the interface if the openfortivpn fails to authenticate.
Without this check, with a bad password, netifd will continually
hit the VPN endpoint with connection attempts
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Add a hotplug script to reload nlbwmon's config after interface
ifup actions.
That should improve the detection of the IPv6 LAN address
that can get enabled a bit later in the boot process.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
This reverts commit cde2a77ed3.
Applying this change has shown that it is even quicker to provoke the
race condtition on simultan mwan3 commands execution.
By reversing the change we have the same behaviour as before.
But the race condition on mwan3 execute at the same time still exists.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This adjustment of the locks fixes the race condition when a mwan3
hotplug script and a mwan3 command are running at the same time.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This new config section in package openvswitch
supports creating a named bridge, and setting
its' OpenFlow controller end-point.
An example config is included in /rom/etc/config/openvswitch
Signed-off-by: Simon Kinane <skinane@fb.com>
- New major version (LTS release)
- Update haproxy download URL and hash
- Remove obsolete dladdr1-dependency-patch as it has been upstreamed
- USE_REGPARM is obsolete and therefore removed from our Makefile
Signed-off-by: Christian Lachner <gladiac@gmail.com>
Make the plain nginx version the same as nginx-ssl.
In a further change we will replace nginx by a dummy package,
depending on +nginx-ssl instead. This allows a smooth upgrade.
For nginx-util leave the ssl and the ssl-nopcre versions only.
For nginx-mod-luci remove the duplicate ssl version.
Replace the removed packages by dummies for a smooth upgrade.
The dummy packages will be removed after a transition period.
Additionally, enable the http2 module for nginx-ssl by default
and cleanup the nginx.init file.
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
- Fixes CVEs:
CVE-2019-12519
CVE-2019-12520
CVE-2019-12521
CVE-2019-12523
CVE-2019-12524
CVE-2019-12525
CVE-2019-12526
CVE-2019-12527
CVE-2019-12528
CVE-2019-12529
CVE-2019-12824
CVE-2019-12854
CVE-2019-13345
CVE-2019-18676
CVE-2019-18677
CVE-2019-18678
CVE-2019-18679
CVE-2020-8449
CVE-2020-8450
CVE-2020-11945
CVE-2020-14058
CVE-2020-15049
- Remove patch for cross-compilation
The patch should not be included in the OpenWrt at all without any
commit message/description.
Is not needed and there should be used HOST variables instead of BUILD variables (e.g.
HOSTCXX)
However, the BUILDCXX is set in Makefile to HOSTCXX
- Renumber glibc patch and refresh it
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
If the uci option family is not set in the interface section, then there
is no default value set as in the `config_load / config_get` API.
The problem here is that if the family is not set, the default value ipv4
is normaly assumed. But the comparison fails here because the value is empty
and therefore the dedicated routing table for this interface is not compared
with the other routes from the main table and so not updated.
To fix this set the default value for this config option which is`false`
for enabled and `ipv4` for family.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This fixes routing handling. Introduced with the last version update.
The following message disappears on the shell
when mwan3 is called with 'mwna3 restart`.
`Error: Invalid gateway address.`
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[aaronjg@stanford.edu: fully unset variable and handle ipv4 as well]
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
default rule only applied to ipv4 with dest_ip 0.0.0.0/0
and error was hidden when trying to apply it in ip6table
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
allow use of curl rather than ping to test if a host
is up since a host may not respond to ping, but an
https request is part of the openfortivpn connection,
so this is a more reliable test
also clean up overly verbose logging
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Split musl patch into multiple small ones. Much easier to reason about.
Removed stack protector patch. This is not an issue anymore.
Removed NLS support. There seems to be a linking issue as
libiconv-stub does not have a shared library component.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Changed URL to new upstream.
Use PKG_INSTALL for consistency between packages.
Use PKG_BUILD_PARALLEL for faster compilation.
Remove outdated patch.
Minor cleanups.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
- prevent rapid overlap in DHCP script updates
- check and allow localhost forwards with specific applications
- add option for rate limiting inbound queries
- change UCI list to table format with Unbound conf references
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
Includes:
- dawn_uci: no need uci_alloc_context on each uci_set_network call
- test_storage: extend test harness; datastorage: two bug fixes
- tcpsocket: free con after ustream write error and make list each safe
list_each is not safe against removal of list entry
Signed-off-by: Nick Hainke <vincent@systemli.org>
Simplifies the Makefile and allows faster compilation with Ninja.
Added patch to fix libmariadb dependency.
Added extra modules.
Speed Before:
time make package/lighttpd/compile -j 12
Executed in 47.91 secs fish external
usr time 41.83 secs 384.00 micros 41.83 secs
sys time 10.79 secs 37.00 micros 10.79 secs
Speed After:
time make package/lighttpd/compile -j 12
Executed in 19.67 secs fish external
usr time 42.79 secs 377.00 micros 42.79 secs
sys time 8.56 secs 37.00 micros 8.56 secs
Tested with fish shell.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Since we use now procd for xinetd, we have to start the service with the
option `-dontfork` to make procd happy.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
It seems even modern stuff doesn't support v2 correctly. The miniupnp
suite does but other stacks seem to lack support. Default to v1 to
avoid the headache.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
