Avoid specifying variables that are not specificy set in order to avoid breaking
drivers for which those variables do not exist. Closes: #7096.
As part of these fixes make sure we have all the variables we need. Closes: #7001.
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
Various path and permissions fixes to properly allow nut-server and nut-monitor to
start properly.
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
Serial drivers don't add much to main NUT and appear to be common,
so make it possible for users to use NUT with serial UPS drivers without
a custom build.
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
The mechanism for making sure hotplug doesn't execute during forced shutdown
was interfering with initial start of hotplug script due to checking for path
that doesn't exist at initial start. This fixes that and closes#6966.
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
Leading zeroes left in ProductId results in some UPS hardware not being matched
by the hotplug script lead to bad permissions and driver not starting.
Closes: #6966
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
This is the irssi-abi-8 branch that was not merged back to master but is
necessary for compilation. As it touches a submodule, I can't add a patch
for it. But I can backport all of the master commits.
Get rid of quasselc dependency as it's now a submodule.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* support multiple WAN interfaces in iptables rules,
set 'ban_iface' option accordingly (as space separated list)
or use the LuCI frontend
* add new "refresh" mode while triggered by fw changes (no download)
* add required ip dependency
* fix wrong 'settype' definition for firehol1 in config
Signed-off-by: Dirk Brenken <dev@brenken.org>
This is to change the init script to a procd init script
This also enable some additional parameters in the binary that
were present but not enabled:
The export file (option export_file)
The import file (option import_file)
The daylog (option daylog_file)
These are disabled by default. Also, the option to run as a daemon
is removed, as not compatible with procd.
There is no change in the binary.
Signed-off-by: Jean-Michel Lacroix <lacroix@lepine-lacroix.info>
Switch to codeload for simplicity and easier package bumping.
Added dependency on pytz on build time as django-admin requires it.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Add to ubus the missing output information "policies" which could already
be observed with the command "mwan3 status".
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The source download storage contains a 0 byte version
of the webui-aria2 sources, which breaks buildbot.
Trigger a new download by bumping the version by a date.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Using the input chain can only limit the upload rate in local network.
Since to do the limit rate on both native and remote, we have to
replace the input hook with prerouting.
Signed-off-by: Rosy Song <rosysong@rosinson.com>
(Added Makefile version bump)
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Not all interfaces may have been allocated address at nlbwmon startup so
it may not collect statistics as expected/configured.
Add interface triggers to catch dhcp events and restart as required.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
a new script based package called "banIP" to block
incoming & outgoing ip adresses/subnets via ipset.
Features:
* a shell script which uses ipset and iptables
to ban a large number of IP addresses
published in various IP blacklists (bogon, firehol etc.)
* support blocking by ASN numbers
* support blocking by iso country codes
* support local white & blacklist (IPv4, IPv6 & CIDR notation)
* auto-add unsuccessful ssh login attempts to local blacklist
* auto-add the uplink subnet to local whitelist
* per source configuration of SRC (incoming) and DST (outgoing)
* supports IPv4 & IPv6
Strong LuCI support:
* easy interface to track & change all aspects of your ipset
configuration on the fly
* integrated IPSet-Lookup
* integrated RIPE-Lookup
* Log-Viewer & online configuration of white- & blacklist
LuCI-Screenshots will follow in the second post.
Forum discussion:
https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985
Signed-off-by: Dirk Brenken <dev@brenken.org>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[correct configure flag from enable-ssl to enable-openssl]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Simple bump from 4.3 to 4.4
Changelog since 4.3:
netdb not saving to disk (#311)
Fix memory leak when parsing SNMP packet (#313)
Fix several windows build issues (#309)
Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306)
Allow compilation with minimal OpenSSL (#281)
Fixed %USER_CA_CERT_xx and %USER_CERT_xx crashes (#301)
Improve const correctness for hash_link (#300)
Bug #4893: Malformed %>ru URIs for CONNECT requests (#299)
Signed-off-by: Marko Ratkaj <marko.ratkaj@sartura.hr>
tor-fw-helper is a helper to automatically configuring port forwarding
for tor, using UPnP or NAT-PMP NAT traversal.
This is a tor-fw-helper rewrite in Go that functions as a drop in
replacement for the original C code.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This is the nftables implementation for qos on OpenWrt,
Currently, it has below features:
* Static QoS : setting limit rate for devices or global network.
* Dynamic/Auto QoS : setting limit rate according to the network
bandwidth and adjust itself automatically (hotplug event).
* Traffic Priority : this feature is like traffic shaping under tc,
it uses ingress hook to handle to packets here.
Signed-off-by: Rosy Song <rosysong@rosinson.com>
All of these are either not needed or not valid.
Added a patch to remove the OPENSSL_WITH_DEPRECATED dependency.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* proactively scan and switch to a higher prioritized uplink,
despite of an already existing connection,
this is configurable via 'trm_proactive' option
(default '1', enabled)
* fix some minor list trim issues
* optimize wlan scanning behavior
* refine debug messages
Signed-off-by: Dirk Brenken <dev@brenken.org>
A multi-year DNSSEC root key update is in progress, as described at
https://www.isc.org/downloads/bind/bind-keys/. This change refreshes the
bind.keys file, ensuring that the new key, in place as of 2018-10-11,
will be recognized and trusted.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
delv is a tool for sending DNS queries and validating the results, using the
same internal resolver and validator logic as named.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
This includes the fix for CVE-2018-5738: When recursion is enabled but the
allow-recursion and allow-query-cache ACLs are not specified, they should be
limited to local networks, but they were inadvertently set to match the default
allow-query, thus allowing remote queries.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
- fix AXFR zones to delay a potentially large download with ntp-hotplug
- fix odhcpd link script to properly delete expired lease data from DNS
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
If we set the option "local_source" in the globals mwan3 section to "none",
traffic generated by the router it self will always use the default route from
the wan interface with the lowest metric. If this interface is down
the router traffic still uses the connection with the lowest metric but
this is disconnected. Load balancing and failover from the lan site is
still possible. Only router generated traffic is not load balanced and
could not use failover.
To solve this issue with router initiated traffic add the additional
option "online_metric" to the mwan3 interface section.
If the interface is connected then this lower "online metric" is set in the
default routing table.
With this change we have at least a failover with router initiated
traffic.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
During runntime of mwan3 we could add dynamicly networks to this ipset
which would then treated as connected networks by mwan3.
This is also usefull for ipsec.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
With the list param "rt_table_lookup" in the mwan3 section globals,
it is now possible to add a additional routing table numbers which would get
also parsed and will be added to the connected network.
So mwan3 will treat them as they are directly connected to this device.
This could be usefull if we use ipsec.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The generation for reporting the policies uses the same code add a
common function to reduce duplication.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This adds a couple of patches when setting some openssl options:
* ECDSA code in openssh-compat.h and libressl-api-compat.c needs to be
be guarded by OPENSSL_HAS_ECC; otherwise, it will not build with
openssl compiled without ECC support.
* Fix openssl version number in openbsd-compat/openssl-compat.c which
failed to compile --with-ssl-engine; this option is used when
CONFIG_OPENSSL_ENGINE_CRYPTO=y
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Signed-off-by: Peter Wagner <tripolar@gmx.at>
This package forces the use of Google and Bing safe search by default.
It does this by adding hosts files for dnsmasq to use. These hosts replace the
normal IP addresses for Google and Bing with addresses that force safe
search to be turned on all the time.
Google and Bing Safe Search are suitable for most businesses, schools, and
families who wish to block adult content. This package also offers
YouTube's restricted and 'restricted moderate' via a configuration
option. The reason that this is not enabled is that it is probably more
suitable for children rather than a wide audience.
This package is designed so that other services that offer safe search can be
added easily in the future.
For more information about safe search please visit these URLs:
- https://support.google.com/websearch/answer/186669
- https://help.bing.microsoft.com/#apex/18/en-US/10003/0
- https://support.google.com/a/answer/6212415
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
Disable PCRE process searching to avoid linking against libprce, which
would cause the build to fail due to a missing dependency. With the
--without-pcre switch, build fails due to an undefined reference, so do
it via CONFIGURE_VARS instead.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[disable PCRE process searching]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
darkstat includes its own strlcat and strlcpy, making the dependency
somewhat pointless.
Fixes compilation ever since glibc dependency on libbsd was removed.
Also removed std=gnu99 as it's not needed with GCC7.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Switch to codeload for simplicity. Rearranged Makefile a bit for consistency between Makefiles.
Removed version dependency for seafile-server to avoid breaking builds.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
This commit brings UCI support to the stubby package.
o All options are documented in the README.md file.
o The README.md file has been re-written to include a short usage
manual.
o The default configuration now includes more Cloudflare addresses.
o The stubby service is (re)started using procd triggers from a
specified interface with a configurable time delay.
o Round robin use of upstream resolvers is now activated by
default.
o Client privacy is now activated by default.
o Options are added for specifying the log level of the daemon and
command line options passed to the stubby command.
Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
Get downtime information for the tracked mwan3 wan interfaces.
The information shows how long this interface is in disconnected state.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Get uptime information for the tracked mwan3 wan interfaces.
The information shows how long this interface is in connected state.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If a interface is down, call ubus will return an null message which is
used to json_load, it causes json_get_vars gets value from last load and
l3_device various is nonzero.
Signed-off-by: Kyson Lok <kysonlok@gmail.com>
Added PKG_USE_MIPS16 as it seems not to build under mipsel.
Error: opcode not supported on this processor: mips32r2 (mips32r2) `sync'
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The first is needed for 4.14 (maybe the relevant parts got packported and
the second is for when OpenWrt migrates to 4.19.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
PR includes switch to codeload tarballs and rename from netopeer2 to
Netopeer2 for better codeload integration.
Signed-off-by: Mislav Novakovic <mislav.novakovic@sartura.hr>
Currently luci-app-sqm provided by sqm-scripts depends on luci-base instead
of selecting it, this leads to an indirect circular dependency in kconfig:
tmp/.config-package.in:34646:error: recursive dependency detected!
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
tmp/.config-package.in:34646: symbol PACKAGE_iptables is selected by PACKAGE_sqm-scripts
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
tmp/.config-package.in:961: symbol PACKAGE_sqm-scripts is selected by PACKAGE_luci-app-sqm
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
tmp/.config-package.in:22421: symbol PACKAGE_luci-app-sqm depends on PACKAGE_luci-base
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
tmp/.config-package.in:21387: symbol PACKAGE_luci-base is selected by PACKAGE_luci-lib-iptparser
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
tmp/.config-package.in:22899: symbol PACKAGE_luci-lib-iptparser is selected by PACKAGE_luci-app-splash
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
tmp/.config-package.in:22402: symbol PACKAGE_luci-app-splash is selected by PACKAGE_luci-mod-freifunk-community
For a resolution refer to Documentation/kbuild/kconfig-language.txt
subsection "Kconfig recursive dependency limitations"
tmp/.config-package.in:21552: symbol PACKAGE_luci-mod-freifunk-community depends on PACKAGE_iptables
Solve the issue by turning the dependencies into selecting ones which also
matches the behaviour of other LuCI applications.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This should fix compilation as wolfSSL currently does not define
wolfTLSv1_client_method. And as the comment suggests, this is only TLS 1,
not 1.0 and above.
SSLv23 is TLS 1.1 and above as currently configured in the wolfssl package
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Add the ipvsadm command line tool to set up, maintain or inspect the virtual
server table in the Linux kernel.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Added some help to the choice of TLS library in menuconfig, taken from
the squid release notes.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
When libnl is enabled and libnl-genl is disabled, libnl-genl-3.so.200 is
installed by InstallDev, and keepalived picks it up anyway.
This causes build to fail with the following error:
Package keepalived is missing dependencies for the following libraries:
libnl-genl-3.so.200
Instead of having a conditional dependency it is better to have a
consistent build. Disable libnl to enforce this.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* with the config option 'trm_radio' you can now restrict travelmate
to a single radio (e.g. 'radio1') or change the overall
scanning order (e.g. 'radio1 radio2 radio0')
* LuCI: show QR codes now inline on the overview page
(collapsed by default)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Building against libftdi1 can't be avoided in the presence of libftdi1
headers apparently. As it might be useful for some DMX adapters and
such, depend on libftdi1 from now on.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Five commits from upstream were applied to v. 7.8-p1:
482d23bc upstream: hold our collective noses and use the openssl-1.1.x
API in
48f54b9d adapt -portable to OpenSSL 1.1x API
86e0a9f3 upstream: use only openssl-1.1.x API here too
a3fd8074 upstream: missed a bit of openssl-1.0.x API in this unittest
d64e7852 add compat header
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
* replace shell based urlencoder with an awk variant
* fix write_log function/syslog output in case of an error
* protect answer string with double quotes in update_route53
* remove bogus set/IFS options in update_route53
* clean-up update_route53 a little bit
This patchset finally fix#6977
Many thanks to @mark0n & @a-bali for testing & debugging
Signed-off-by: Dirk Brenken <dev@brenken.org>
This is a long overdue followup commit to openwrt/openwrt@5d9eeab
("build: remove obsolete references to cris and avr32")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Full changelog at https://github.com/eclipse/mosquitto/blob/v1.5.3/ChangeLog.txt
Primary change:
CVE fix for CVE-2018-12543 - prevent crash on topics that begin with $
but are not $SYS
Selected other fixes relevant to OpenWrt since 1.5.1:
- Fix retained messages not sent by bridges on outgoing topics at the first
connection. Closes#701.
- Fix duplicate clients being added to by_id hash before the old client was
removed. Closes#645.
- Fix excessive CPU usage when the number of sockets exceeds the system limit.
Closes#948.
- Fix for bridge connections when using WITH_ADNS=yes.
- Fix round_robin false behaviour. Closes#481.
- Fix segfault on HUP when bridges and security options are configured.
Closes#965.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Move setting global enabled flag from /etc/init.d/mwan3 to mwan3
command. So we could start mwan3 from the cmd mwan3 as well.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Remove the limit setting core="unlimited", since this shouldn't be needed
in production use (i.e. non-debug) and on an embedded platform, which is
why it's rarely used by any existing packages.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Add an SPKI pin for Cloudflare to help prevent MITM and downgrade attacks,
as described in RFC7858 (DNS over TLS). The setup of SPKI and the specific
SHA256 certificate hash are taken from Cloudflare's DoT configuration guide
published at https://developers.cloudflare.com/1.1.1.1/dns-over-tls/.
Note that the certificate is valid to March 25th 2020, 13:00 CET, which
provides ample time for issuance of a backup pin to support future key
rollover.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Retain the upstream value since privacy is usually the key user motivation
for using DNS-over-TLS, and simply note that those encountering sub-optimal
routing may consider disabling the setting.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
The config file /etc/stubby/stubby.yml is not registered properly and any
local changes are being overwritten on upgrade or reinstall.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
- The original copy process is to delete all routing tables first,
then add new routing table. This process is too slow and very dirty.
- We use grep to identify the changes and apply them.
- ignore ipv6 unreachable routes
- update version number
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
This adds a metapakcge for acme luci ap without uhttpd dependency and adds entities and check to stop handle nginx server and modify the certificate set automatically.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Should be faster.
Rearranged Makefile slightly for consistency with other packages.
Version 3.5.6 and above are relicensed to GPL-2.0.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Fix the init script to allow access from IPv6 subnets of the interface
specified in allow section in /etc/config/chrony.
Fixes issue #7039.
Signed-off-by: Miroslav Lichvar <mlichvar0@gmail.com>
- adjust a few UCI translations to coordinate with upstream defaults
- remove OpenSSL < 1.1.0 API log error patch which is included upstream
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
