1. Switched to use prebuilt web files to get rid of massive Node.js.
2. Increased nofile limitation to avoid "too many open files" error.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
mdio-tools have a app dedicated to reading Marvell Link Street switch
properties which is really usefull to not have to manually do it via
MDIO.
So, install the mvls binary as well.
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Update the mdio-netlink kmod and userspace mdio-tools to version 1.1.1.
mdio-tools required a musl time64 compatibility fix that I have an PR
open for already.
Changelog:
[v1.1.1] - 2022-05-23
---------------------
Tiny bugfix release.
- mdio: The bench operation is now much more reliable when stacked on
other devices than regular PHYs (e.g. paged PHYs or Marvell
switches).
- mvls: The STU can now be dumped chips from the Peridot generation.
[v1.1.0] - 2022-05-04
---------------------
A sprawling release, adding various mvls related introspection
features. mvls also gains a JSON output format.
- mvls: The STU can now be dumped (requires Linux 5.17 or later). This
is useful now that mv88e6xxx supports offloading of MST states
- mvls: Output can now be formatted as JSON for easier scripting
- mdio: mvls: A subset of MIB counters can now be dumped. This let's
you get at counters for DSA ports, which are not reachable from
ethtool
- mdio: mvls: The LAG mask and LAG map tables can now be dumped
- mdio: Improve usage message by including the examples from the
manual
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
This fixes "too many open files" error caused by max-file limitation
when xray processes large traffic.
Reported-by: Terry Ding <terryding77@gmail.com>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Major changes are:
Add support for Heimdal as the Kerberos 5 implementation.
Add smbd max io size parameter.
Accept global share options.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Previously it was using killall with procd respand enabled
This was causing yggdrasil to restart after being killed
root@r3test-hap:/# service yggdrasil stop ; echo $? ; sleep 10s ; ps | grep yggdrasil
Terminated
143
6701 root 653m S /usr/sbin/yggdrasil -useconffile /tmp/yggdrasil.conf
6748 root 1308 S grep yggdrasil
Now it's just using whatever procd is using and see there, it actually stops
root@r3test-hap:/# service yggdrasil stop ; echo $? ; sleep 10s ; ps | grep yggdrasil
0
6802 root 1308 S grep yggdrasil
I assume there was some procd bug that kept it from being used properly
Signed-off-by: Maciej Krüger <mkg20001@gmail.com>
According to David Woodhouse, OpenConnect has no issues reconnecting on any
interface. Make the host dependency optional, as it can cause issues in multiple
WAN scenarios.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
The --juniper switch has been deprecated in favour of --protocol=nc. Fix the
proto script thusly, while keeping compatibility with existing configurations.
Note that, as far as UCI is concerned, if both options juniper and vpn_protocol
are specified, the latter takes precedence.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Using resolveip is more robust and predictable than depending on nslookup and
awk.
This reverts commit 131ec7b3bd.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
banIP 0.7.x is not compatible with new nft firewall (default in master and 22.03).
Mark the package as BROKEN for now.
Signed-off-by: Dirk Brenken <dev@brenken.org>
Force restart stubby if any of the trigger interfaces goes up or down.
Avoids DoT DNS lookup timeouts when default route changes, in case of multiple
upstream interfaces.
Signed-off-by: Aleksandr V. Piskunov <aleksandr.v.piskunov@gmail.com>
This commit fixes two issues on macos:
1. Added a patch to fix 'echo -n' issue with MacOS shell
(backported from upstream)
2. Redefined sys.platform='linux' for target build if build host is
MacOS (otherwise, build script tries to use MacOS logic for
OpenWrt(Linux) target build)
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
Use nft instead of iptables to open port 80 in the firewall when getting a
cert. Since nft doesn't allow deleting a rule by its contents, capture and
save the handle when creating the rule, and use that to delete.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Backport a patch in order to allow building OpenConnect against OpenSSL 1.1.x
without the need for deprecated API (further fixes will be required for OpenSSL
3.x, though).
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
On systems using seccomp, the hostapd socket files will be owned by the
'network' user/group ([source][0]). In this case, if wifi-presence is
run as root/root, then it does not have permissions to open the
hostapd socket files. This was discussed in awilliams/wifi-presence#3.
This change allows the process user/group to be specified in
/etc/config/wifi-presence. If no explicit user/group is set, then the
init script will use the owner of the socket files in /var/run/hostapd/
to determine the appropriate process user/group.
[0]: ec6293febc/package/network/services/hostapd/files/wpad.init (L35-L36)
Signed-off-by: Adam Williams <pwnfactory@gmail.com>
softflowd can filter the traffic with an optional bpf program,
specified on the command-line as a BPF expression
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
1. Fixed init script would kill itself when trying to stop a service.
2. Upgrade privoxy release to 3.0.33
3. Set PKG_RELEASE to AUTORELEASE
Signed-off-by: He Xian <hexian000@outlook.com>
at least driver apcsmart-old (maybe more) allow for specifying the
type of cable used. My old UPS does will not function when cable type
is not specified.
This will add support for configuration option 'cable'
Signed-off-by: Rob J. Epping <epping@renf.us>
Now with basic support for the Array Networks SSL VPN protocol.
Also fix the OpenSSL build. OpenConnect requires support for deprecated APIs,
for the time being, so select them if compiling against OpenSSL.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
This adds support for the child SA to be rekeyed through the byte/packet
threshold. The default is blank (which disables the byte/packet thresholds).
Signed-off-by: Joel Low <joel@joelsplace.sg>
Otherwise it will fail as follows:
failed to find a module named mdio-netlink
ERROR: mdio-netlink module not detected, and could not be loaded.
Run-tested on: ramips/mt7621
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
To fix the errors:
Sun Apr 10 14:19:41 2022 daemon.err transmission-daemon[29831]: [2022-04-10 14:19:41.098] watchdir Failed to open directory "/mnt/sda1/openwrt/transmission/watch" (2): No such file or directory (watchdir.c:358)
and
Sun Apr 10 14:20:18 2022 daemon.err transmission-daemon[30175]: [2022-04-10 14:20:18.641] Couldn't create "/mnt/sda1/openwrt/transmission/incomplete": Permission denied (file-posix.c:243)
References:
- https://github.com/openwrt/packages/issues/17674
Signed-off-by: Alexander Egorenkov <egorenar-dev@posteo.net>
* add new 'hblock' compilation source (XL, see https://hblock.molinero.dev for reference)
* print runtime/date information in ISO-8601 standard format
* minor cleanups
Signed-off-by: Dirk Brenken <dev@brenken.org>
The dependency has a PACKAGE_uacme-ualpn condition so that libev won't
be unnecessarily built if uacme-ualpn is not selected.
Remove PKG_USE_MIPS16:=0, as it is not necessary when not using the
libev that is bundled with uacme.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
The default firewall is the fw4, which uses nft. In order to not
install the legacy implementation when installing strongswan, the build
system should decide which firewall backend to use.
While we are at it, I have also added the dependency packages for IPV6.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The host build is used to build kea-msg-compiler, which is only needed
when there are changes to .mes files. Since we're not making any changes
to such files, we do not need this.
As host build fails for Kea 2.0.2, and the git history for kea doesn't
contain any reasoning for enabling it, let's just drop it.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Using https://gitlab.freedesktop.org/mobile-broadband/ModemManager.git to download the source code.
Added compile option to compile qrtr support.
Enabled lto and additional gcc flags for perfomance and less size.
Modified to use meson as upstream has abandoned autotools.
Removed BUILD_PARALLEL options. These are default with ninja/meson.
Signed-off-by: Maxim Anisimov <maxim.anisimov.ua@gmail.com>
Adding libsctp adds IPV6 dependency to gensio, so this patch is
an attempt at working around that with the goal of getting rid of
the circular dependency error.
Signed-off-by: Nita Vesa <werecatf@outlook.com>
The updated version requires libgensio, libyaml and libpthread,
so those have been added accordingly to dependencies.
Also added arguments for the configure-script to always attempt
to build ser2net with the same settings, instead of leaving it
to guess, for consistency.
Signed-off-by: Nita Vesa <werecatf@outlook.com>
Let's move the iptables IPsec dependencies out of the strongswan package
and into the plugin package that actually depends on it,
strongswan-mod-updown. As the default updown script calls the iptables
binary, also add a dependency on the iptables-legacy package.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Change notes:
Updated Makefile package version and hash.
Added libpcre2 dependency
Removed USELIBPCRE make flag (no longer optional within sslh)
Updated patch 001 to work with new sslh Makefile
Signed-off-by: Martin Moreno <fett3270@yahoo.com>
Make sure /etc/gnunet and all its files and sub-directories are owned
by gnunet:gnunet. This is somehow necessary as file ownership otherwise
doesn't survive sysupgrade.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Enable AUTORELEASE in a separate commit so that the next commit can be
reverted without having to manually re-introduce it.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Only notable change since 0.14.0 is that pthread_mutexattr_setkind_np()
is now no longer used.
pthread_mutexattr_setkind_np() is deprecated and non-standard.
The standard version is called pthread_mutexattr_settype()
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This is a bugfix release for gnunet 0.16.1.
Noteworthy changes in 0.16.2 (since 0.16.1)
DHT: Fix path signature handling.
GNS: Fix BOX handling in zone apex.
NAMESTORE: Prevent storing under invalid labels.
Buildsystem: Fix build on *BSD and Guix.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fixes multiple security issues:
* CVE-2022-0667 -- An assertion could occur in resume_dslookup() if the
fetch had been shut down earlier
* CVE-2022-0635 -- Lookups involving a DNAME could trigger an INSIST when
"synth-from-dnssec" was enabled
* CVE-2022-0396 -- A synchronous call to closehandle_cb() caused
isc__nm_process_sock_buffer() to be called recursively,
which in turn left TCP connections hanging in the CLOSE_WAIT
state blocking indefinitely when out-of-order processing was
disabled.
* CVE-2021-25220 -- The rules for acceptance of records into the cache
have been tightened to prevent the possibility of
poisoning if forwarders send records outside the
configured bailiwick
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
As per the discussion in PR #18047, split the MTR package into
two, one with jansson enabled for JSON output, and one without.
This commit also bumps the version to 0.95. Since the MTR project
website does not seem to be updated with builds any longer, switch
to GitHub Codeload instead.
Also enable PKG_FIXUP:=autoreconf so that MTRs bootstrap.sh process
is executed properly.
Signed-off-by: Marc Egerton <marc@malloc.me>
* remove upstreamed gcc10 and cerrno patches
* disable SSO and OIDC as it needs Rust/Cargo support
Signed-off-by: Moritz Warning <moritzwarning@web.de>
Enable AUTORELEASE in a separate commit so that the next commit can be
reverted without having to manually re-introduce it.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Note that on 32-bit ARM with MUSL we don't have Unwind_GetIP() so
we need to disable backtraces.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Unless we're using "mktemp -u ..." (not recommended), it will
create the temp file as part of its safety checking. Thus you
should only create the name (file) if you're going to use it,
and always remove it if you have created it.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
If named is configured to not listen on any IPv6 interfaces,
then we should run 'nsupdate' with the '-4' argument.
Also:
* cleanup RFC-1918 address detection;
* don't generate PTR records for domain entries that aren't
RFC-1918 addresses or these will generate NOTAUTH failures;
We're assuming that we're doing DNS split-horizon and that
internal addresses aren't routable.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
To allow using gnunet on systems with firewall4, add replace direct
dependency on 'firewall' with 'uci-firewall' which is satisfied by
either 'firewall' or 'firewall4'.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
It turns out that under high system load, ipsets cannot be deleted. This
is because there is still a reference in iptables. A short sleep should
give the system time to clean this up.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Nft does not directly support ipsets, nft sets must be used instead.
The mwan3 uses ipsets for certain tasks. They can be combinded. So called
an ipset of ipsets. This list type is not available in nft. So that
mwan3 could be ported to nft in the feature, the ipset handling should be
split. So we have for each ipset an iptables rule.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
ddns-confgen is a useful tool for generating partial zones for
transfer/update in dynamic DNS (ddns) scenarios.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* OPUS and Pulse can be configured nicely by default now, no longer
need a local patch for that
* mysql version checks fail when cross-compiling, add patch to remove
them and always assume MySQL >8.0.
* Package new services, communicators, ...
This is a new major release. It breaks protocol compatibility with the
0.15.x versions. Please be aware that Git master is thus henceforth
(and has been for a while) INCOMPATIBLE with the 0.15.x GNUnet network,
and interactions between old and new peers will result in issues.
0.15.x peers will be able to communicate with Git master or 0.16.x
peers, but some services - in particular GNS - will not be compatible.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
There is no reason for the kmod to depend on the binary package
itself, neither for building nor for installing.
That dependency prevents phase1 from building the kmod even though
support is enabled in the binary.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
It was leftover from the previous rewrite of ss-rules. The built
package has no ref to it so no need to update PKG_RELEASE
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
I believe these packages should be removed (and imported into the
abandoned packages repo[1]) as Seafile Server and Seahub have been
marked as broken for some time, and I do not believe I will have time to
fix or update these packages in the foreseeable future.
[1]: https://github.com/openwrt/packages-abandoned/pull/22
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Both packages provide the same packages and should conflict to each
other.
Fixes:
```
Packages 'haproxy' and 'haproxy-nossl' do not conflict while providing same file: /usr/sbin/haproxy
Packages 'haproxy' and 'haproxy-nossl' do not conflict while providing same file: /etc/haproxy.cfg
Packages 'haproxy' and 'haproxy-nossl' do not conflict while providing same file: /etc/init.d/haproxy
```
They should not be installed side by side.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
- There should be shorter TITLE in Package/haproxy/Default
otherwise it is not shown
- No need to call Build/Prepare/Default
- Remove twice TITLE in non-SSL variant
- Make conffiles more clear
- Remove empty menu for halog
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Both packages provide the same files:
/usr/bin/chronyc
/usr/sbin/chronyd
/etc/chrony/chrony.conf
/etc/hotplug.d/iface/20-chrony
/etc/init.d/chronyd
They should not be installed side by side.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Both packages provides the same files:
- /usr/bin/u2boat
- /usr/bin/u2spewfoo
- /usr/bin/snort
- /etc/init.d/snort
- /etc/config/snort
So they should be in conflict.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Fix the following build failures by adding the missing dependencies:
Package strongswan-mod-connmark is missing dependencies for the following libraries:
libip4tc.so.2
Package strongswan-mod-forecast is missing dependencies for the following libraries:
libip4tc.so.2
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Following recent dependency rework, we can switch
between iptables-legacy and iptables-nft, and they both
PROVIDES iptables. Make it easier for user that want/need to
stick to firewall3/iptables-legacy to do so.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
It will be mostly implemented with ucode templates installed at
/usr/share/ss-rules and called from init script. The generated nftables
rules will be stored at /etc/nftables.d/
Incompatible changes were introduced as described in the README.md file
- Netfilter ipset was replaced with nftables sets
- UCI options ipt_args and dst_forward_recentrst of section ss_rules
are now deprecated. The former does not apply to nftables. The
later not yet implemented with nftables.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
ss-rules with iptables needs presence of netfilter nat table to work.
ss-rules works before without explicitly requesting it as a dependency
because it's present by default on a pre-firewall4/nftables OpenWrt
install. We request it explicitly now to make life easier in case
people would like to try ss-rules/iptables on firewall4/nftables enabled
OpenWrt system
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
shorewall-core macos build fails due to:
1. MacOS bash is too old (3.x), but shorewall-core requires bash>4
This patch uses OpenWrt tools/bash built for macos (bash 5.x)
2. install.sh detects Darwin using uname and changes install logic,
but it fails in case of cross-platform build
This patch uses fakeuname/host tool to avoid Darwin detection
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
shorewall macos build fails due to:
1. MacOS bash is too old (3.x), but shorewall requires bash>4
This patch uses OpenWrt tools/bash built for macos (bash 5.x)
2. install.sh detects Darwin using uname and changes install logic,
but it fails in case of cross-platform build
This patch uses fakeuname/host tool to avoid Darwin detection
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
shorewall6-lite macos build fails due to:
1. MacOS bash is too old (3.x), but shorewall6-lite requires bash>4
This patch uses OpenWrt tools/bash built for macos (bash 5.x)
2. install.sh detects Darwin using uname and changes install logic,
but it fails in case of cross-platform build
This patch uses fakeuname/host tool to avoid Darwin detection
3. fakeuname does not work in install.sh because install.sh
redefines PATH.
This patch removes PATH=... from install.sh on macos
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
shorewall6 macos build fails due to:
1. MacOS bash is too old (3.x), but shorewall6 requires bash>4
This patch uses OpenWrt tools/bash built for macos (bash 5.x)
2. install.sh detects Darwin using uname and changes install logic,
but it fails in case of cross-platform build
This patch uses fakeuname/host tool to avoid Darwin detection
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
shorewall-lite macos build fails due to:
1. MacOS bash is too old (3.x), but shorewall-lite requires bash>4
This patch uses OpenWrt tools/bash built for macos (bash 5.x)
2. install.sh detects Darwin using uname and changes install logic,
but it fails in case of cross-platform build
This patch uses fakeuname/host tool to avoid Darwin detection
3. fakeuname does not work in install.sh because install.sh
redefines PATH.
This patch removes PATH=... from install.sh on macos
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
The FreeBSD project stopped publishing HTTP date headers and seeks to
limit further resource taxing by distributed htpdate clients using the
www.freebsd.org host as default time source.
Fixes: #17924
Reported-by: Allan Jude <allanjude@freebsd.org>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* include gnunet-service-zonemaster-monitor in gnunet-gns package
* rename namestore-heap back to namestore-flat
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The "build" script was replacing a ~DATE~ with current date.
Now it uses $(SOURCE_DATE_EPOCH).
Fixes#17848
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
ipvsadm build fails on macos due to libipvs Makefiles uses system
`ar` that is not compatible with the objectes generated by OpenWrt
GCC Toolchain.
This commit adds patch to allow ar redefining
This commit modifes an old patch (removing CC=gcc is not required
due to it is redefinable)
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
In the build environment the autotools finds the `passwd` binary in
/usr/bin. But in the target image it is available under /bin instead.
Manually set the path to `passwd` binary to `/bin/passwd`
Signed-off-by: Rucke Teg <rucketeg@protonmail.com>
There is no need to remove root password from /etc/shadow as the
password in the file is blank anyway in the failsafe mode.
Signed-off-by: Rucke Teg <rucketeg@protonmail.com>
DoH is enabled by default, but disabling it removes the need to link
against libnghttp2, which may be desirable more constrained
environments.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
* consolidate dnsmasq config manipulation into one function
* more elegant code for PROCD data processing (Thanks @jow-!)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Manually added new env variable `XDG_DATA_HOME` which won't be passed
by procd by default.
Removed upstreamed patch.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
This a virtual package that is satisfied by either
strongswan-mod-socket-default or strongswan-mod-socket-dynamic, and is
required by the charon daemon. When neither of these packages is
installed, charon will not function.
Closes#16261, #16263 and #16367.
Signed-off-by: Noel Kuntze <noel.kuntze@thermi.consulting>
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
There's only one of the shaper scripts (simple.qos) that uses iptables, and
it should be fine with iptables-nft for compatibility with the new default
nft-based firewall. Confusingly, we still need the iptables-mod-ipopt
package to get the DSCP match module; we never used CONNMARK, though, so
drop the iptables-mod-conntrack-extra dependency while we're at it.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
With commit 385200443554 ("babeld: add add_interface function") babeld
has a new ubus function allowing to dynamically add an interface.
Before the add_interface function, we were required to reload babeld.
The reload influenced the babeld routing. However, the remove part is
still missing and will be added at a later stage.
Signed-off-by: Nick Hainke <vincent@systemli.org>
