* made DNS restart conditional (compare list hash values),
to prevent needless restarts of the DNS backend
Signed-off-by: Dirk Brenken <dev@brenken.org>
Apparently, even if you don't select the `openvswitch-python` package,
Python still gets built (for the target build).
But, if the python dependencies are conditional on the
`PACKAGE_openvswitch-python` symbol then they aren't build.
This should improve build times, if you only want to build the
`openvswitch` package.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Seems it was not failing for me because it was probably
using my host Python, which may have the `six` package
available.
This patch enforces the use of the packaged Python.
That way, it's more consistent that the python-six
package is available.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
The most important change is local redirects being disabled by default.
There is an option called cgi.local-redir that allows enabling this
optimization manually back if needed.
Local redirects were initially introduced in 1.4.40 but caused many
problems for *some* web services.
One of problems is breaking Post/Redirect/Get design pattern. With
redirects handled on server side there is no browser redirection making
it "lose" the POST data.
Another possible issue are HTML forms with action="". With CGI local
redirects browser may be sending form data to the wrong URL (the one
that was supposed to redirect the browser).
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
From upstream's changelog:
* main: annotate init/exit functions to save memory
* selftest: remove antique siphash self test
* haskell: re-add updated haskell example
* socket: use ip_rt_put instead of dst_release
* device: avoid double icmp send on routing loop
* compat: clean up cruft
* global: cleanup IP header checking
* compat: do not export symbols unnecessarily
Various cleanups and updates.
* device: netdevice destruction logic change for 4.12
When Linux 4.12 is released next week, we're good to go.
* device: only use one sleep notifier
Rather than have a separate sleep notification for every interface, we now
have a single notifier for every interface. This improves performance,
especially when creating many interfaces at once.
* device: remove icmp conntrack hacks
We're moving hacks upstream the proper way, and then backporting them to
compat.
* receive: extend rate limiting to 1 second after under load detection
After we determine that we're under load, we now wait 1 second before not
being under load again, a timer which is global across all interfaces on a
given system.
* curve25519: satisfy sparse and use short types
* curve25519: keep certain sandy2x functions in C
Certain functions have been made into C, which should improve stack frames and
reliability.
* ratelimiter: rewrite from scratch
This is a big change. We no longer rely on x_tables or xt_hashlimit, instead
using a super minimal and sleek token bucket ratelimiter. This works much
better than the old cruft and should allow us to run more places. It also has
the benefit of being global, so that it's possible to have thousands of
interfaces without killing the system with separate GCs and vmallocs, which is
what happened prior.
* socket: verify saddr belongs to interface
We now more quickly react to changes of the v4 routing table, by ensuring that
the sticky source address is actually still valid.
* wg-quick: properly match IPv6 endpoint
wg-quick now works better with IPv6.
* wg-quick: use printf -v instead of namerefs for bash 4.2
This adds support for old bash, which means wg-quick should be generically
"bash 4 and up". I'm not happy about this but EL7 uses old bash, so we're
stuck with it.
* compat: support EL7.3
Support for RHEL, CentOS, ScientificLinux, and so forth.
* compat: support Ubuntu 14.04
An old crufty Ubuntu is now supported, since it's LTS.
* add bind support (see readme)
* export all blocked domains in one central file (adb_list.overall)
* prerequisite for proper bind support
* much faster sort operation with less memory consumption
* backups are still handled per source separately,
to be more flexible in adding/removing block list sources
* add additional 'wan6' interface trigger in default configuration
* various small fixes & optimizations
Signed-off-by: Dirk Brenken <dev@brenken.org>
If more then one interface get up/down at once mwan3 could be in a
undefined state, because more then one mwan3 hotplug script are running
and editing the iptables.
Lock the critical section should solve this issue.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
A lot of autoconf-based scripts expect --with-foo-dir=$(STAGING_DIR)/usr
and break if they can't find bin/foo-config as a child of that path.
Putting things in $(STAGING_DIR)/host/bin seems to be suboptimal; I
could change the install path but there's no saying what that would
break.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
With this patch the unbound init routines manage resolv.conf if and only if
when unbound will listen on 127.0.0.1#53 and dnsmasq is not.
Also logs some cases where config values are overriden with sane defaults.
Fixes (partially) LEDE FS#785
Fixesopenwrt/packages#4487
Signed-off-by: Paul Oranje <por@xs4all.nl>
luci2-io-helper: bugfix buckup script read timeout
Reading files from stdin will block for ever. The uhttpd is killing the
backup process after script_timeout.
Switching read to non blocking mode and add a waitpid for the slave
process does not end in a script_timeout anymore.
Signed-off-by: Florian Eckert <Eckert.Florian@googlemail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* use iwinfo instead iw for wlan scanning,
scanning now works on radio-level
* enhance multiple radio support:
* support STA-only radio configurations,
e.g first radio with local AP, second radio
with a bunch of STAs (without APs)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Add config support which allow snmpd to take a more active role by sending
traps.
Following config options are supported which map directly on snmpd directives:
-trapcommunity
-trapsink
-trap2sink
-informsink
-authtrapenable
-v1trapaddress
-trapsess
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
- use exec directly to eliminate a level in the process tree
- use "$@" instead of "$*" to pass arguments to openconnect
According to openconnect(8), openconnect will call vpnc-script to
cleanup before quit when it received SIGINT(2) and will quit immediately
when it received SIGTERM (the default signal by kill command)
Before and after the change, openconnect process will be killed first
with SIGINT sent from netifd. This was decided by the
'proto_kill_command "$config" 2' notify call in the proto script.
SIGKILL is the only other signal that can be sent from netifd when the
process did not quit on SIGINT on time. There should be no need to trap
on signal 1 3 6 9 (HUP QUIT ABRT KILL)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Fixes build errors with external toolchains:
[ 33%] Building C object CMakeFiles/cgi-io.dir/main.c.o
/home/florian/dev/openwrt/trunk/build_dir/target-mipsel-unknown-linux-gnu_glibc/cgi-io/main.c:30:21:
fatal error: libubus.h: No such file or directory
#include <libubus.h>
^
compilation terminated.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
According to openconnect --help output:
-m, --mtu=MTU Request MTU from server
--base-mtu=MTU Indicate path MTU to/from server
Fixes#2099 by allowing setting tunnel mtu
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
It was introduced with 41f8d5465 ("openconnect: fix a couple of minor
things and add an interface option") and not needed since 4083de9d7
("openconnect: use proto_add_host_dependency")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
We would not be able to search for pcap.h because CFLAGS are not passed
from src/Makefile down to src/wps/Makefile:
make[4]: Entering directory
'/home/florian/dev/openwrt/trunk/build_dir/target-mipsel-unknown-linux-gnu_glibc/reaver-1.4/src/wps'
mipsel-linux-gnu-gcc -I../utils -I ../ wps_attr_build.c -c
mipsel-linux-gnu-gcc -I../utils -I ../ wps_attr_parse.c -c
mipsel-linux-gnu-gcc -I../utils -I ../ wps_attr_process.c -c
mipsel-linux-gnu-gcc -I../utils -I ../ wps.c -c
mipsel-linux-gnu-gcc -I../utils -I ../ wps_common.c -c
mipsel-linux-gnu-gcc -I../utils -I ../ wps_dev_attr.c -c
mipsel-linux-gnu-gcc -I../utils -I ../ wps_enrollee.c -c
mipsel-linux-gnu-gcc -I../utils -I ../ wps_registrar.c -c
In file included from ../misc.h:41:0,
from wps_registrar.c:27:
../defs.h:43:18: fatal error: pcap.h: No such file or directory
#include <pcap.h>
^
compilation terminated.
Makefile:28: recipe for target 'wps_registrar.o' failed
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
There are no other "echo" debug lines in this file, and it seems
clear that this one was accidentally left as a debugging line,
since it misspelled "dependency". So, we just remove this line.
We don't bump the package version, though, because this is
pretty inconsequential.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
From upstream's changelog:
* timers: queue up killing ephemerals only if not already
We fix up a small detail in the timer logic that changed during the last
snapshot.
* receive: trim incoming packets to IP header length
Packets are now trimmed to their actual length, not their length+padding,
before handing to the rest of the network subsystem, so that packets look
pretty in tcpdump. This doesn't actually affect what userspace sees, since the
kernel trims it at a later stage, but it does make pcaps a bit nicer to use.
* curve25519: use more standard label convention in asm
This ensures that perf(1) shows the function name instead of the label name.
* compat: remove padata hotplug code
Fixes building on kernels that have HOTPLUG enabled but no PADATA support.
* config: add new line for style
* device: do-while assignment style
* peer: explicitly initialize atomic
Style.
* noise: fix race when replacing handshake
Handle a situation in which three peers, all running on the same system, begin
a handshake with all three of each other, at exactly the same time, on a
multi-CPU system.
* random: wait for random bytes when generating nonces and ephemerals
We've been working with upstream to add a new API to the kernel for ensuring
that the RNG actually is seeded. Until they merge it for 4.13, we provide a
poly-fill to the compat code. This means that WireGuard will block during
handshakes until the RNG has enough entropy, so that it's never in a
circumstance in which ephemeral keys are generated from bad randomness.
* go test: properly pad message
* go test: correct tai64n and formatting
* external-tests: add keepalive packet
* go test: use x/crypto for blake2s now that we have 128-bit mac
* external-tests: trim the fat
Improvements for the external tests.
* wg-quick: make sure we have empty table for both v6 and v4
* wg-quick: match ipv6 default route more broadly
Tiny nits with wg-quick, one of which should now allow multiple v6-only
wg-quick instances running at the same time.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
backend:
* cosmetics
frontend:
* "Save & Reply" now distinguish between normal and manual/backup mode
and triggers an appropriate reload or a start action
Signed-off-by: Dirk Brenken <dev@brenken.org>
Script priority adjusted.
Custom memory management turned off to save some memory on low-end device.
Signed-off-by: Antonio Paunovic <antonio.paunovic@sartura.hr>
backend:
* add new 'manual mode' to re-use blocklist backups during startup,
get fresh lists only via manual reload or restart action
* additional free memory check during dns restart to prevent OOM errors
* removed palevo tracker from default config,
this tracker has been discontinued
* cosmetics
LuCI frontend (see luci repo):
* add new 'manual mode' under extra options
Signed-off-by: Dirk Brenken <dev@brenken.org>
The smartsnmpd SConstruct file only accepts setting CFLAGS and does not
use CPPFLAGS, so pass both down using CFLAGS.
This fixes build errors with external toolchains that don't
automatically search for headers in $(STAGING_DIR).
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Make sure we pass down TARGET_CPPFLAGS and TARGET_LDFLAGS to fix build
with external toolchains that don't automatically search for headers and
libraries in $(STAGING_DIR).
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
This was removed in LEDE commit 0b7ed65cec8084bb98ae0e2758b7aca6c447cd4b
("kernel: remove out of tree direct-io disable hack")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
After checking in the ipkg-install dir of netatalk,
it seems that the permissions it sets to the conf-files
are 644.
# ls -la lede/build_dir/target-mips_24kc_musl/netatalk-3.1.11/ipkg-install/etc
-rw-r--r-- 1 sandu sandu 226 iun 5 20:53 afp.conf
-rw-r--r-- 1 sandu sandu 1948 iun 5 20:53 dbus-session.conf
-rw-r--r-- 1 sandu sandu 25037 iun 5 20:53 extmap.conf
While the Package/netatalk/install build rule overrides
them to 600.
According to
* https://github.com/openwrt/packages/issues/4318
* https://forum.lede-project.org/t/help-with-apple-filesharing-protocol-for-time-machine/3259/5
this is a problem in some setups.
So, this patch changes them to what the netatalk
package creators intended initially (i.e. 644).
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
The earlier commit ea119211b2 removed 'dsa' as one of the ssh_host_*_key
types that got generated. Problem was that it didn't remove that key
as one of the paths that the server looks for by default. As a
consequence, your log file might fill up with messages like:
2017-06-01T15:43:07-06:00 openwrt sshd[31929]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
The patch is forunately trivial. Don't set the path for the dsa
key file in the server configuration.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The author (@pprindeville) of the original commit noted that the wrong
commit was picked, see
325b7d2cd2 (commitcomment-22387528)
"Err... looks like the wrong fix got committed. I was hoping that this
commit d902e5d would have gone in instead."
This reverts commit 325b7d2cd2.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fixes the following build error with an external toolchain:
./bld/sqlite3.o: In function `fts5Bm25Function':
sqlite3.c:(.text+0x27234): undefined reference to `log'
./bld/piechart.o: In function `piechart_render':
piechart_.c:(.text+0x430): undefined reference to `sincos'
piechart_.c:(.text+0x47c): undefined reference to `sincos'
piechart_.c:(.text+0x548): undefined reference to `sincos'
collect2: error: ld returned 1 exit status
src/main.mk:526: recipe for target 'fossil' failed
make[3]: *** [fossil] Error 1
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
This backports a patch that has been accepted upstream in linuxptp:
8b61aa2c3f3103db1d4ca1d1e49bb4f8831c1abf ("udp: Avoid including
netdb.h") to fix build errors with external glibc toolchains that
provide rpc/types.h.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Conserver is an application that allows multiple users to use
serial consoles at the same time, with logging. It has a client-
server design which makes it easy to manage a distributed set
of serial consoles. Logging makes post-crash analyses easier.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Standard assignment is immediate expansion without any extraneous spacing, RFC822 compliant email addresses and consistent section assignments
Signed-off-by: Stephen Walker <stephendwalker+github@gmail.com>
types that got generated. Problem was that it didn't remove that key
as one of the paths that the server looks for by default. As a
consequence, your log file might fill up with messages like:
2017-06-01T15:43:07-06:00 openwrt sshd[31929]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
The patch is forunately trivial. Don't set the path for the dsa
key file in the server configuration.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Peter Wagner <tripolar@gmx.at>
From upstreams changelog:
This rather large snapshot touches quite a few sensitive areas, so I'm
releasing it now rather than later to receive feedback on any possible issues.
It also contains fixes, so everybody should upgrade.
* man: fix psk mention in wg-quick man page
* man: update wg-quick(8) to show Debian resolvconf braindamage
Documentation cleanups.
* wg-quick: use src routing for default routes in v6
ip-rule(8) doesn't do the right thing with source addresses, unless we
explicitly set it inside the route. This fixes wg-quick on IPv6 systems.
* curve25519: actually, do some things on heap sometimes
* curve25519: align the basepoint to 32 bytes
* curve25519: add NEON versions for ARM
* data: enable BH during parallel crypto on ARM/NEON
* chacha20poly1305: move constants to rodata
* chacha20poly1305: add NEON versions for ARM and ARM64
We now have faster primitives on ARM and ARM64 processors, which should
improve performance.
* handshake: process in parallel
Handshakes are now processed in parallel using all cores, which should improve
throughput during a storm.
* noise: no need to store ephemeral public key
* noise: precompute static-static ECDH operation
We can precompute the ECDH(s, s) calculation, which improves handshake
initiation message performance by double.
* style: spaces after for loops
* peer: use iterator macro instead of callback
The most unreadable C ever produced. It might be wise to find a sexier-looking
alternative at some point.
* compat: remove warning for < 4.1
* compat: ship padata if kernel doesn't have it
The usual array of annoying compat things.
* rust test: convert screech test to snow
* rust test: add icmp ping
We now use Jake's snow library for Noise in the test, which we've expanded to
complete a ping.
* config: do not error out when getting if no peers
* tools: allow creating device with no peers
Fixing some small things in the tool/config interaction.
* device: keep going when share_check fails
* routingtable: remove unnecessary check in node_placement()
* config: it's faster to memcpy than strncpy
* timers: fix typo in comment
Nits.
* debug: print interface name in dmesg
For those who compile with `make debug`, you'll be happy to see a bit better
information in dmesg.
* timers: rework handshake reply control flow
* timers: the completion of a handshake also is on key confirmation
* timers: reset retry-attempt counter when not retrying
Tightening up our timer implementation, which is quite important.
Signed-off-by: Dan Luedtke <mail@danrl.com>
Since we're using the kernel's module, this is
un-necessary.
Should speed up the build a bit.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Admittedly I never used those Python libs.
And the setup I was trying it on, did not have
the Python interpreter packaged, so these build failures
went un-noticed.
That's my fault for not trying it out properly on
a full LEDE repo, with all packages.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Add UCI section general which holds the uci parameter network defining on
which interface(s) the snmp agent is reachable for inbound snmp requests
in case the firewall zone does not allow INPUT traffic by default.
For the different zones to which the different interfaces belong firewall
procd input rules are created making the snmp agent reachable on udp port
161.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Base LEDE/OpenWrt UCI for dnsmasq provides for DNS override in
/etc/config/dhcp. It is desired to be able to use dnsmasq and
Unbound as transparently as possible. Option 'add_extra_dns'
will pull 'domain', 'mxhost', 'srvhost, and 'cname' from base.
netifd/procd have an interaction with DHCPv6/RA on WAN (FS#713).
Minor IP6 parameter updates can cause Unbound reload events every
few minutes. List option 'trigger' selects which interfaces may
cause reload. For example 'lan', 'wan' but not 'wan6'.
Squash other cosmetics.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Below are changes in the packaging method
- Use tarball provided by the upstream project maintainer instead of
cloning the whole git-repo
- Drop openssl variant as it was deprecated then removed by the
upstream project
- Add dependency on libev, libsodium, libudns as they are not bundled
with the source code anymore
Addresses issue #4191
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Convert init-script to procd and allow to configure
isc-dhcp-server via UCI. Allow most by-network and by-host options
supported by dnsmasq.
User-defined dhcp-options are not supported yet, neither are tags.
Existing configurations with use-edited /etc/dhcpd.conf are still
respected, hence to enjoy the new features you have to migrate
your configuration to UCI and delete /etc/dhcpd.conf.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* made wget default parms compatible with older program versions
* shift dns detection routine to simplify dns override,
just set 'adb_dnslist' to force a particular backend priority
(default: 'dnsmasq unbound')
* reduce ubus polling during dns detection
Signed-off-by: Dirk Brenken <dev@brenken.org>
* always update the connection status, even in case of an error
* merge multiple ubus network calls in central check routine
Signed-off-by: Dirk Brenken <dev@brenken.org>
* Update to 1.9.5
* Use PKG_HASH instead of PKG_MD5SUM
* Add dnscrypt-proxy github link in PKG_SOURCE_URL
Signed-off-by: Damiano Renfer <damiano.renfer@gmail.com>
If mwan3track will not stop immediately after sending the kill signal,
the clean_up handler will delete the pid file later while the new mwan3track is
already running.
This could result in a situation that mwan3track is running
more then once because the old mwan3track service could not be killed,
because the pid file is missing.
Using pgrep to kill all mwan3track for the tracked interface and not using
pid file should fix this issue.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This change includes fixes for several security issues:
* CVE-2017-3138: rndc "" could trigger an assertion failure in named.
* CVE-2017-3137: Some chaining (i.e., type CNAME or DNAME) responses to
upstream queries could trigger assertion failures.
* CVE-2017-3136: dns64 with break-dnssec yes; can result in an assertion
failure.
* CVE-2017-3135: If a server is configured with a response policy zone
(RPZ) that rewrites an answer with local data, and is also configured
for DNS64 address mapping, a NULL pointer can be read triggering a
server crash.
* CVE-2016-9444: named could mishandle authority sections with missing
RRSIGs, triggering an assertion failure.
* CVE-2016-9131: named mishandled some responses where covering RRSIG
records were returned without the requested data, resulting in an
assertion failure.
* CVE-2016-9131: named incorrectly tried to cache TKEY records which could
trigger an assertion failure when there was a class mismatch.
* CVE-2016-8864: It was possible to trigger assertions when processing
responses containing answers of type DNAME.
* CVE-2016-6170: Added the ability to specify the maximum number of
records permitted in a zone (max-records #;). This provides a mechanism
to block overly large zone transfers, which is a potential risk with
slave zones from other parties.
* CVE-2016-2776: It was possible to trigger an assertion when rendering a
message using a specially crafted request.
* CVE-2016-2775: Calling getrrsetbyname() with a non absolute name could
trigger an infinite recursion bug in lwresd or named with lwres
configured if, when combined with a search list entry from resolv.conf,
the resulting name is too long.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
fixes webroot to be defined as
_currentRoot='/www'
instead of being interpreted as
_currentRoot='"/www"'
Signed-off-by: Aleksei Nosachev <nos1609@hotmail.com>
* create /etc/vsftpd directory for extra config files
like userlist, certificate and key
* modify config file to use that directory
* include that directory in conffiles for backup
* use PKG_HASH
* update URL
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
backend:
* various small fixes & optimizations
LuCI frontend (see luci repo):
* Limit Blacklist/Whitelist Online editing to max. 512 KB, approx.
20.000 domains per list
* Automatically refresh the overview page after button onclick event,
e.g. 'Suspend/Resume' or 'Save & Apply'
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
Notes:
- drop un-needed patches
- bump kernel support up to 4.9
- switch from git repo to release tarball
- use OVS intree kernel module ; seems that using the kernel module
from the package has certain issues due to the glue/backport code
that tries to adapt to many kernel versions and has a potential
to mess up ; not to mention, the glue code makes the kmod
a few times larger than it should be
- tested on x86_64 VM
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Full changelog available at:
https://mosquitto.org/2017/02/version-1-4-11-released/
Mostly ipv6 and websockets fixes, but requires a patch (submitted
upstream) to work around an accidental glibc dependency upstream.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Adds the "notifications" option which is important when connecting
mosquitto to rabbitmq for instance.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Earlier, PROVIDES handling was clarified for the broker and the library.
Use the same style to properly provide the -client-ssl and -client-nossl
packages.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Added a new config entry udp_port to split UDP port from TCP. This is
useful when particular port is blocked by the ISP.
udp_port falls back to port if not set to be compatible with current
config file.
Also fixed an ifname typo from the last commit.
Signed-off-by: Qian Sheng <billsq@billsq.me>
If netifd set an interface up/down which is not tracked by mwan3 the
connected network of that interface should regardless be added/removed to the
mwan3_connected ipset.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
For configurations where another web server is running on port 80, running
acme.sh in standalone mode fails. Try to detect this and refuse to run; and
allow the user to configure a webroot directory to use the running webserver for
certificate verification.
This also updates acme.sh to the latest version.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
- Moves /etc/freeradius3/sites-{enabled,available}/inner-tunnel to be part of
the freeradius3-mod-eap package. This prevents conflicts between
freeradius3-mod-eap-peap and freeradius3-mod-eap-ttls which both included the
file before. This fixes LEDE bug FS#678.
- Change the demo cert validity to be 1 year instead of 60 days. Should keep the
cert valid for the duration of the LEDE release cycle (with some slack). This
fixes#4239.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
* add "adb_forcedns" to redirect all dns requests
to local resolver (disabled by default)
* add "adb_forcesrt" to enable overall sort / duplicate removal
on low memory devices with less than 64 MB RAM (disabled by default)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* no longer misuse ubus/procd service object for travelmate runtime
information, now save all required information directly
in a JSON file/format
* new 'status' init command to print runtime information
* add a configurable interface trigger timeout for
nested & slow modem/router setups, set 'trm_triggerdelay' accordingly
* change start priority & refine reload timings
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
* change start priority to get all interface trigger events, even on
fast hardware
* made default trigger delay more conservative to fix possible start up
issues
Signed-off-by: Dirk Brenken <dev@brenken.org>
As reported by @thornley-touchstar, there are some issues in the
showshortport and showport commands on the monitoring channel.
After short dicussion with upstream, the following patches were merged
upstream to fix the issue(s).
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
darkstat's configure script searches for libbsd for different routines,
so if it manages to pick it up, make sure the dependency is reflected.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Use newest acme.sh release (2.6.8).
Remove dependency on ca-certificates and add dependency on ca-bundle.
Update environment variable.
Signed-off-by: Daniel Halmschlager <da@halms.at>
* no longer misuse ubus/procd service object for adblock runtime
information, now save all required information directly
in a JSON file/format (/tmp/adb_runtime.json)
* new 'status' init command to print runtime information
* add a configurable interface trigger timeout for
nested or slow modem/router setups,
set 'adb_triggerdelay' accordingly (default 1 second)
* add support for pure http download utilities like wget-nossl
or uclient-fetch without libustream-ssl (http donwloads only!)
* fix stop action
* fix enabled/disabled action
* fix country code in regional list for china
* LuCI update to reflect all changes
Signed-off-by: Dirk Brenken <dev@brenken.org>
If interface is getting down by netifd (unplug ethernet cable)
mwan3track will not recognize this change. It will also generate an
additional down event when he notice does his tracking interface is offline.
Mwan3track will now be informed by a signal (trap) USR1 during down event
that the interface is already down. An additional down event will not be
generated.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Changelog:
* Fixed a regression of 1.6.4 which caused a crash in modperl/modpython
(not packaged)
* Fixed the behavior of verbose command in the sasl module.
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
This commit fixes bugs, cleans and enhances init.d script:
1. The first disk and interface was passed to mini_snmpd with extra
leading space.
This bug caused the first monitored disk and interface to be
inaccessible by SNMP daemon.
2. Automatically reload deamon if one of monitored interfaces goes
up/down.
Since mini_snmpd reads interface list only at startup, it won't
detect any interface which appeared after the daemon was started.
Fortunately we can use procd interface triggers to automatically
restart the daemon.
3. Replace hand-written direct ubus calls and json data filtering with
standard network functions.
Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
* re-order all regional lists in adblocklist/easylist format
* add polish blocklist
* add chinese blocklist
* lists called now 'reg_<ch|pl|ro|ru>'
* changed interface trigger default in config to 'wan' only
* update / sync LuCI frontend (see luci repo for details)
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
[RELEASE] Released version 1.7.5 due to bug in compression
Released version 1.7.5 with the following main changes :
- BUG/MEDIUM: peers: fix buffer overflow control in intdecode.
- BUG/MEDIUM: buffers: Fix how input/output data are injected into buffers
- BUG/MEDIUM: http: Fix blocked HTTP/1.0 responses when compression is enabled
- BUG/MINOR: filters: Don't force the stream's wakeup when we wait in flt_end_analyze
- DOC: fix parenthesis and add missing "Example" tags
- DOC: update the contributing file
- DOC: log-format/tcplog/httplog update
- MINOR: config parsing: add warning when log-format/tcplog/httplog is overriden in "defaults" sections
Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
haproxy's Makefile already happens include/ after specifying PCRE_DIR
which would result in the following build errors on an external
toolchain that does not automatically search for headers in
$(STAGING_DIR):
mipsel-linux-gnu-gcc -Iinclude -Iebtree -Wall -O2 -g
-fno-strict-aliasing -Wdeclaration-after-statement -DBUFSIZE=16384
-DMAXREWRITE=1030 -DSYSTEM_MAXCONN=165530 -DCONFIG_HAP_LINUX_SPLICE
-DTPROXY -DCONFIG_HAP_LINUX_TPROXY -DCONFIG_HAP_CRYPT -DUSE_ZLIB
-DENABLE_POLL -DENABLE_EPOLL -DUSE_CPU_AFFINITY -DASSUME_SPLICE_WORKS
-DUSE_ACCEPT4 -DNETFILTER -DUSE_GETSOCKNAME -DCONFIG_REGPARM=3
-DUSE_OPENSSL -DUSE_SYSCALL_FUTEX -DUSE_LUA
-I/home/florian/dev/openwrt/trunk/staging_dir/target-mipsel-unknown-linux-gnu_glibc/lua-5.3.3/include
-DUSE_PCRE
-I/home/florian/dev/openwrt/trunk/staging_dir/target-mipsel-unknown-linux-gnu_glibc/usr/include/include
-DUSE_PCRE_JIT -DCONFIG_HAPROXY_VERSION=\"1.7.4-patch02\"
-DCONFIG_HAPROXY_DATE=\"2017/04/01\" \
-DBUILD_TARGET='"linux2628"' \
-DBUILD_ARCH='""' \
-DBUILD_CPU='"generic"' \
-DBUILD_CC='"mipsel-linux-gnu-gcc"' \
-DBUILD_CFLAGS='"-O2 -g -fno-strict-aliasing
-Wdeclaration-after-statement -DBUFSIZE=16384 -DMAXREWRITE=1030
-DSYSTEM_MAXCONN=165530"' \
-DBUILD_OPTIONS='"USE_LINUX_SPLICE=1 USE_LINUX_TPROXY=1
USE_ZLIB=yes USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1
USE_PCRE_JIT=1"' \
-c -o src/haproxy.o src/haproxy.c
In file included from include/types/proxy.h:33:0,
from include/proto/log.h:32,
from include/common/cfgparse.h:29,
from src/haproxy.c:65:
include/common/regex.h:31:18: fatal error: pcre.h: No such file or
directory
#include <pcre.h>
Fix this by stripping the additional include/ being added.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Some external toolchaind don't automatically search for headers in
$(STAGING_DIR), make sure we do pass TARGET_CPPFLAGS as appropriate.
This fixes build errors such as:
mipsel-linux-gnu-gcc -O2 -Wall -Wextra -DLUA_COMPAT_5_2 -DLUA_USE_LINUX
-c -o lua.o lua.c
lua.c:80:31: fatal error: readline/readline.h: No such file or directory
#include <readline/readline.h>
^
compilation terminated.
<builtin>: recipe for target 'lua.o' failed
make[6]: *** [lua.o] Error 1
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Fixes build errors with toolchains that don't automatically search for
headers in STAGING_DIR (such as external toolchains) resulting in the
following build failures:
mipsel-linux-gnu-gcc -Os -pipe -mno-branch-likely -mips32r2 -mtune=24kc
-fno-caller-saves -Wno-unused-result -D_FORTIFY_SOURCE=1 -Wl,-z,now
-Wl,-z,relro -DUSE_SSL_CRYPTO -c options.c
In file included from options.c:62:0:
auth_algo.h:53:26: fatal error: openssl/hmac.h: No such file or
directory
#include <openssl/hmac.h>
^
compilation terminated.
Makefile:95: recipe for target 'options.o' failed
make[4]: *** [options.o] Error 1
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
* rework automatic mode (active scan/re-connection handling):
* much more procd & resource friendly
* now enabled by default
* save runtime information in ubus service (data section)
* final backend preparation for new LuCI-GUI (still WIP!)
* documentation update
Signed-off-by: Dirk Brenken <dev@brenken.org>
Use CFLAGS_DEBUG which is already used for TARGET_CFLAGS to also pass
TARGET_CPPFLAGS.
This fixes build issues with toolchains that don't automatically search
for header files (e.g: sys/capability.h), such as stbgcc-4.8-1.5
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
This allows users to use an external config file if required (for
example matching packets based on SNI hostname or REGEX patterns).
Signed-off-by: Jonathan McCrohan <jmccrohan@gmail.com>
Signed-off-by: Mircea Horea IONICĂ <mionica@gmail.com>
[RELEASE] Released version 1.7.4
Released version 1.7.4 with the following main changes :
- MINOR: config: warn when some HTTP rules are used in a TCP proxy
- BUG/MINOR: spoe: Fix soft stop handler using a specific id for spoe filters
- BUG/MINOR: spoe: Fix parsing of arguments in spoe-message section
- BUG/MEDIUM: ssl: Clear OpenSSL error stack after trying to parse OCSP file
- BUG/MEDIUM: cli: Prevent double free in CLI ACL lookup
- BUG/MINOR: Fix "get map <map> <value>" CLI command
- BUG/MAJOR: connection: update CO_FL_CONNECTED before calling the data layer
- BUG/MEDIUM: ssl: switchctx should not return SSL_TLSEXT_ERR_ALERT_WARNING
- BUG/MINOR: checks: attempt clean shutw for SSL check
- CONTRIB: tcploop: add limits.h to fix build issue with some compilers
- CONTRIB: tcploop: make it build on FreeBSD
- CONTRIB: tcploop: fix time format to silence build warnings
- CONTRIB: tcploop: report action 'K' (kill) in usage message
- CONTRIB: tcploop: fix connect's address length
- CONTRIB: tcploop: use the trash instead of NULL for recv()
- BUG/MEDIUM: listener: do not try to rebind another process' socket
- BUG/MEDIUM: filters: Fix channels synchronization in flt_end_analyze
- BUG/MAJOR: stream-int: do not depend on connection flags to detect connection
- BUG/MEDIUM: connection: ensure to always report the end of handshakes
- BUG: payload: fix payload not retrieving arbitrary lengths
- BUG/MAJOR: http: fix typo in http_apply_redirect_rule
- MINOR: doc: 2.4. Examples should be 2.5. Examples
- BUG/MEDIUM: stream: fix client-fin/server-fin handling
- MINOR: fd: add a new flag HAP_POLL_F_RDHUP to struct poller
- BUG/MINOR: raw_sock: always perfom the last recv if RDHUP is not available
- DOC/MINOR: Fix typos in proxy protocol doc
- DOC: Protocol doc: add checksum, TLV type ranges
- DOC: Protocol doc: add SSL TLVs, rename CHECKSUM
- DOC: Protocol doc: add noop TLV
- MEDIUM: global: add a 'hard-stop-after' option to cap the soft-stop time
- BUG/MINOR: cfgparse: loop in tracked servers lists not detected by check_config_validity().
- MINOR: server: irrelevant error message with 'default-server' config file keyword.
- MINOR: doc: fix use-server example (imap vs mail)
- BUG/MEDIUM: tcp: don't require privileges to bind to device
- BUILD: make the release script use shortlog for the final changelog
- BUILD: scripts: fix typo in announce-release error message
Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
Update vnStat to 1.17 which fixes database issue.
Remove unecessary patch
Based on:
commit 79b6e9dc61 by
Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
If mwan3track detects a failure the interval check will change to
"failure_interval" value until this interface is declared "offline".
After interface gets "offline" normal "interval" value is used again.
If interface ping is successful again "recovery_interval" value is used until
interface is declared "online" again.
Using the different intervals will accelerate the wan line detections on
failure and recovery.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
procd interface triggers may be busy. Unbound hard restarts will
flush the cache. This might happen frequently depending on how
interface triggers occur.
Change the procd trigger to reduce occurences. Load this trigger
prior to netifd (START=20), but only truly start Unbound from
the trigger rather than immediately in init. Clean up log entries
in scripts after Unbound, NTP, and DNSSEC are established.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
* revamp LuCI GUI (see luci repo for details)
* integrated runtime statistics in normal adblock ubus service instance
(see readme)
* simplified boot/init
* no longer use raw interface trigger
* use only network interface trigger, pre-configured for
'wan/wwan/lan' interfaces (see readme)
* fixed a reload issue
* removed switch to disable tld compression (seems to be pretty stable)
* muted awk parser if source list contains incorrect records
* raise dns backend timeout to 20 seconds
* documentation update
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
The init script already supports four plugins: dns cache, dns/ip blocking,
ipv6 blocking and dns logging. If enabled this option installs these four
plugins and also adds libldns as a dependency. If enabled the total size
increase is around 125 kB.
Signed-off-by: Terry Stockert <stockert@inkblotadmirer.me>
On interfaces with interface proto "qmi|ncm" and option dhcp
enabled the interface will be changed to $iface_4 | $iface_6. The
interface mapping in mwan3 will not recognize this interface. To fix
this issue an ubus call will check if an upper interface exists.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
User scripts conversion from luci-app-wan3 will be simplified if the variables
are passed by env instead of arguments.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This commit modifies the dnscrypt-proxy plugin's `dnscrypt-proxy.init`
script to allow specifying a custom dnscrypt resolver. Prior to this
commit users of the dnscrypt-proxy plugin are only able to choose from
a dnscrypt resolver that is present in the packaged `ResolversList` CSV
file.
To specify a custom resolver three new configuration parameters are
required[0]: `ProviderName`, `ProviderKey` and `ResolverAddress`.
The `dnscrypt-proxy.init` script now maps `providername`, `providerkey`,
and `resolveraddress` values (if present) from a `dnscrypt-proxy.config`
file into the generated DNSCrypt configuration file.
`PKG_RELEASE` is increased from 1 to 2 to reflect the new functionality.
[0]: 9eee474770/dnscrypt-proxy.conf (L28):L32
Signed-off-by: Daniel McCarney <daniel@binaryparadox.net>
Unbound is configured to restart on hotplug/iface but this can result
in numerous restarts at boot. Unbound also has a restart for NTP.
This was observed to generate trouble and even with procd robustness
too many crashes might occur (rare). Unbound would not be running.
Give more care to /var/lib/unbound/root.key during restarts. Use procd
for iface restarts. Check pidof() to wait one more second for Unbound.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
The checks in the incdefs.sh script do not fully work when cross
compiling. It probably checks the hosts libc. Just provide the settings
manually, as our musl at least supports all these features.
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
On dynamic interface proto (dhcp/pppoe) the hotplug will not execude (exit 9)
because the gateway is already released. The check will now only be made
on a ifup ACTION event.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Fortified headers don't seem to like _GNU_SOURCE in this case,
but we can remove that define since it's not needed. Add a patch
for LEDE until a new horst version is released.
Signed-off-by: Bruno Randolf <br1@einfach.org>
simple-adblock: version 1.5 introduces background processing of downloaded list while the next list is being downloaded
Signed-off-by: Stan Grishin <stangri@melmac.net>
remove answer checking for dnsexit as their API allows for too many return codes to handle them all.
Signed-off-by: Xavier Douville <zorxd@users.noreply.github.com>
options 'add_local_fqdn' and 'add_wan_fqdn' can be affected
by race conditions when they are at level 4. Interface name
may not be returned by network tools. The conf file has bad
record formats and Unbound just will not load. Detect this
and fall back to only the host FQDN (level 3).
squash: improve documentation wording and format codes.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Read UNBOUND_TXT_DOMAIN from main unbound configuration.
This prevents records to be added into Unbound in the default 'lan' zone.
Signed-off-by: Audric Schiltknecht <storm+github@chemicalstorm.org>
For consistency, use full name instead of $(PKG_NAME) in define and eval
lines for all packages.
I've seen reviews that asked to do this before, and I am asking the same
during reviews now. To avoid this in the future, fix this treewide so
when people use existing packages as example, we will not have to
request this change anymore.
This makes all packages consistent with both LEDE and OpenWrt base
repositories.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* optimized connection handling -
removed needless timeouts & wireless commits
* set the pre-configured reload timeout to
a more conservative/realistic value of 30 seconds
* further logging tweaks
Signed-off-by: Dirk Brenken <dev@brenken.org>
includes switch to new CADET implementation.
rps hasn't been ported yet, hence marked as @BROKEN for now.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
vpnbypass: No longer depends on hardcoded WAN interface name).
vpnbypass: Table ID, IPSET name and FW_MARK as well as FW_MASK can be defined in config file.
vpnbypass: Uses iptables, not ip rules for handling local IPs/ranges.
vpnbypass: More reliable creation/destruction of VPNBYPASS iptables chain.
vpnbypass: Updated Web UI enables/start and stops/disables service.
vpnbypass: Beautified output.
Signed-off-by: Stan Grishin <stangri@melmac.net>
* add an "active mode", where travelmate will be restarted
every n seconds (default 60) and checks existing uplink connection
regardless of ifdown event trigger (disabled by default)
* enhance multiple radio support
* fix the ap detection
* respect different radios during scanning & connection handling
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
The lack of LDAP support was one of the things which prevented users
from migrating from freeradius2 to freeradius3.
Enable LDAP in freeradius3 so we can finally burry freeradius2.
Reported-by: Martin Mueller <mm@sig21.net>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Unbound UCI tries to protect embedded flash from excess
use. Unbound RFC5011 KSK tracking can rewrite root.key
every few minutes to an hour. It also writes and destroys
files in the same directory during the process.
Recommended UCI delays for copying busy work in /var/
back to /etc/ may be too conservative. These are all
changed from 28 to 9 days.
The RFC5011 KSK results were also destroyed by an
init.d restart, even if /var/ is mounted on persistent
storage like USB drive. /var/lib/unbound/root.key is
now preserved during this process, unless a newer key
is installed in /etc/ manually or package update.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
* add tld compression,
this new "top level domain compression" removes up to 40 thousand
needless host entries from the block lists and
lowers the memory footprint for the dns backends by 8-10 MByte
* optimize restart behavior in case of an error
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
Adds support for the fwmark option.
FwMark is a 32-bit fwmark for outgoing packets.
If set to 0 or "off", this option is disabled.
Signed-off-by: Dan Luedtke <mail@danrl.com>
Unbound 1.6.1 has a few bug fixes for resource leaks,
configuration robustness, compile environment interaction,
and maintaining the trust anchor. The 2017 trust anchor
(DS) is built into unbound and unbound-anchor.
File /etc/unbound/root.key holds 2010/2017 DS record until 2018
https://www.icann.org/resources/pages/ksk-rolloverhttps://www.iana.org/domains/root
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
To have service working nicely with procd it should be running in the
foreground. Otherwise it's not possible to e.g. stop it with the init.d
script. Luckily for us pptpd has a simple switch that allows it.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Fixes: 15e7f611af ("pptpd: convert init script to procd")
This fixes upstream regression introduced in 1.4.40. It was reported &
debugged in https://redmine.lighttpd.net/issues/2793
This fix is queued for 1.4.46 in the personal/gstrauss/master upstream
branch.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* optimize memory consumption &
enable overall sort only on devices with > 64MB RAM,
this prevents sort related kernel dumps
Signed-off-by: Dirk Brenken <dev@brenken.org>
Update to 1.4.42 introduced a problem with starting lighttpd as
OpenWrt/LEDE service. It was stopping whole init process at sth like:
783 root 1124 S {S50lighttpd} /bin/sh /etc/rc.common /etc/rc.d/S50lighttpd boot
799 root 1164 S /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
It was hanging until getting random pool:
[ 176.340007] random: nonblocking pool is initialized
and then immediately the rest of init process followed:
[ 176.423475] jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
[ 176.430754] jffs2_build_filesystem(): unlocking the mtd device... done.
[ 176.437615] jffs2_build_filesystem(): erasing all blocks after the end marker... done.
This was fixed in 1.4.44, but bump directly to 1.4.45 while at it.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* add 'enabled' check in init script
* support multiple radios (see online doc)
* fix race condition in ap check
Signed-off-by: Dirk Brenken <dev@brenken.org>
* various optimizations & corner case fixes
* removed no longer needed debug information
* polished up for forthcoming LEDE release ;-)
Signed-off-by: Dirk Brenken <dev@brenken.org>
This is a long-needed clean-up.
These applications are not gone! They live in the
luci repo now, where all their friends already are.
Signed-off-by: Dan Luedtke <mail@danrl.com>
Makefile had sed commands in "prepare" step that modified the
source files directly. That lead to feed update failure at the
buildbot.
Remove those commands as the first aid.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
According to the snmpd.conf man page, the engineID of an snmp agent
should be consistent through time. However, it seems that the engineID
changes every reboot. Add options to configure how the engineID is
generated. The default setting generates it based on the MAC address of
the eth0 interface.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
When for example 'package/net/adblock' and DNSSEC vs NTP robustness
is enabled, significant restart thrashing can occur at boot up. DHCP
lease triggers may be occuring at the same time. Unbounds DNS-DHCP
may be incomplete until new DHCP solicit events. Solve this by
leaving a passive but complete host conf file during lease trigger.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
This reverts commit 79b6e9dc61.
Undo the recent vnstat update due to upstream bugs preventing database
restoration.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Bug fix dhcp4_slaac6 option was adding to all IP6 routes.
Filtering was added to this process to only include addresses
served from "this dhcp interface."
adblock 2.3.0 file output is now detected and automatically
integrated into Unbound local-zones. adblock deposites its
block site zone-files into /var/lib/unbound. If this is not
desired, then disable adblock or reconfigure to avoid Unbound.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
* automatically selects dnsmasq or unbound as dns backend
* add the new 'adguard' source, a combined/quite effective block list
* remove needless dns backend restarts
* optimize adblock restart behavior
* optimize block list processing on inotify enabled filesystems
* better return code checking on block list download
* fix boot function/startup on Chaos Calmer
* fix a bug in blocklist removal function
* add more (optional) debug output
* move backup options to global config
* documentation update
Signed-off-by: Dirk Brenken <dev@brenken.org>
fixed: stop function used to kill the hotplug file
fixed: despite ubus wait_for network.interface.wan and WAN-IF hotplug, sometimes we'd get no WAN ip on start
Signed-off-by: Stan Grishin <stangri@melmac.net>
Update nginx to version 1.10.3.
Add new configuration options to enable the following optional
modules (disabled by default):
- http_auth_request_module
- http_v2_module
- http_realip_module
- http_secure_link_module
Signed-off-by: Val Kulkov <val.kulkov@gmail.com>
The needed shaper modules are now in kmod-sched-core, so we don't need
to depend on the full kmod-sched anymore.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
samba.org has apparently started to enforce https-only downloads,
so update the download links for rsync and cifs-utils.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Stan Grishin <stangri@melmac.net>
vpnbypass: fixed renamed option in stop_service
Signed-off-by: Stan Grishin <stangri@melmac.net>
vpnbypass: fixed typo in makefile, switch FW_MARK to 0x010000 to play nice with SQM/mwan (thanks Hannu)
Signed-off-by: Stan Grishin <stangri@melmac.net>
vpnbypass: proper masking in setting mark
Signed-off-by: Stan Grishin <stangri@melmac.net>
vpnbypass: separating luci-app-vpnbypass into different tree
Signed-off-by: Stan Grishin <stangri@melmac.net>
vpnbypass: fixed incorrect use of procd_add_reload_interface_trigger according to http://wiki.prplfoundation.org/wiki/Procd_reference
Signed-off-by: Stan Grishin <stangri@melmac.net>
Unbound+DHCP (server of your choice) should be able to replicate
a lot of what dnsmasq provides. With this change set Unbound
still works with dnsmasq, but also it can work with a plain
DHCP server. Features have been added within the UCI itself
to act like dnsmasq.
- alone: name each interface relative to router hostname
- alone: prevent upstream leakage of your domain and '.local'
- dnsmasq: use dnsmasq UCI to configure forwarding clauses
- dhcp: work with odhcpd as example of companion DHCP-DNS
- dhcp: convert DHCPv4 leases into EUI64 SLAAC for DNS records
- all: enable encrypted remote unbound-control using splice conf
- all: allow user spliced conf-files for hybrid UCI and manual conf
-- 'unbound_srv.conf' will be spliced into the 'server:' clause
-- 'unbound_ext.conf' will add clauses to the end, example 'forward:'
README HOW TO for dnsmasq-in-serial, dnsmasq-in-parallel, and
unbound-with-odhcpd have better/added UCI starters. HOW TO for
including unbound_srv.conf and unbound_ext.conf are added.
Document new UCI: add_local_fqdn, add_wan_fqdn, dhcp4_slaac6,
dhcp_link, domain, and domain_type
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
This is bare minimum change in 'unbound.sh' and
'dnsmasq.sh' to migrate the UCI option set for
more flexibility. The boolean(s) to link to
dnsmasq are being changed to a state to include
odhcpd. It is executable but a small step for
clear change management.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
The UCI for Unbound already links to dnsmasq, but what
if with Unbound, we want to configure a plain dhcp server.
Most servers can call a script for lease events. That
script can then formulate DNS records and load them
with unbound-control (dependency).
The files added here work with OpenWRT/LEDE odhcpd, such
that it can be run alone. They can be used as examples
for any dhcp server. 'odhcpd.sh' is to be called by
odhcpd when a lease event occurs. 'odhcpd.awk' is called
internal to the shell script. The awk script handles
any tricky reformating that may be required.
/etc/config/dhcp
config odhcpd 'odhcpd'
option leasetrigger '/usr/lib/unbound/odhcpd.sh'
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
If Unbound was disabled and at later time enabled, then it
would operate in DNSSEC less-secure mode. When NTP hotplug
was called, the timestamp file was not updated. This was
found testing Unbound vs other tools (bind, dnsmasq).
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
The virtual package declared by PROVIDES must not have the same name as the
variant declaring it, otherwise buildroot will fail with errors like:
cp: '.../pkginfo/mosquitto.provides' and '.../pkginfo/mosquitto.provides' are the same file
In order to fix the above error, rename the existing "mosquitto" and
"libmosquitto" packages into "mosquitto-ssl" and "libmosquitto-ssl"
respectively.
Also substitute use of $(PKG_NAME) with literal "mosquitto" in
Package/* defines to improve readability of the Makefile.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Compile tested: LEDE HEAD
If unixodbc package is present in the environment, subversion
fails to compile due to missing dependencies.
Fixes the dependency on unixodbc if unixodbc package is selected.
Signed-off-by: Val Kulkov <val.kulkov@gmail.com>
Update the pen package to upstream release v0.34.0 in order to fix the
following build error reported by the buildbot:
ssl.o: In function `ssl_create_context':
ssl.c:(.text+0x9c): undefined reference to `SSLv3_method'
collect2: error: ld returned 1 exit status
Also switch from PKG_MD5SUM to PKG_HASH with SHA256 while we're at it.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The buildbots fail to build socat due to the following error:
nestlex.c:14:7: error: unknown type name 'ptrdiff_t'
It appears that certain source files do not include all required headers,
depending on the configure options passed to socat.
Work around the error by passing `-include stddef.h` via `TARGET_CFLAGS` to
forcibly inject this header file into all compilation units.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Adding PROVIDES to both the daemon and library and -nossl variants allow
downstream packages to simply declare a single dependency.
mosquitto-client however, still needs to explicitly depend on the ssl or
nossl variant however.
Signed-off-by: Karl Palsson <karlp@etactica.com>
use ntpq to check the status of the ntp server as all other status scripts included in the ntp tarball are
based on perl which would dramatically increase the footprint of ntpd
Signed-off-by: Peter Wagner <tripolar@gmx.at>
Wondershaper has been superseded by both qos-scripts and sqm-scripts, it's time to retire it for good.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Mark the directories containing the keys for hidden services as
conffiles to preserve them over sysupgrade.
Fixes: #2247
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
In addition update some configure options and use EXTRA_CFLAGS.
Setting RunAsDaemon to 1 will be overwritten by the init script option
"--runasdaemon 0" anyway and we want it in foreground for procd.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Adds configuration option for NFQ capture, moves often written
configuration files to /var/etc.
Signed-off-by: Jonathan Bennett <JBennett@incomsystems.biz>
Released version 1.7.2 with the following main changes :
- BUG/MEDIUM: lua: In some case, the return of sample-fetches is ignored (2)
- SCRIPTS: git-show-backports: fix a harmless typo
- SCRIPTS: git-show-backports: add -H to use the hash of the commit message
- BUG/MINOR: stream-int: automatically release SI_FL_WAIT_DATA on SHUTW_NOW
- DOC: lua: documentation about time parser functions
- DOC: lua: section declared twice
- BUG/MINOR: lua/cli: bad error message
- DOC: fix small typo in fe_id (backend instead of frontend)
- BUG/MINOR: Fix the sending function in Lua's cosocket
- BUG/MINOR: lua: memory leak executing tasks
- BUG/MINOR: lua: bad return code
- BUG/MEDIUM: ssl: properly reset the reused_sess during a forced handshake
- BUG/MEDIUM: ssl: avoid double free when releasing bind_confs
- BUG/MINOR: stats: fix be/sessions/current out in typed stats
- BUG/MINOR: backend: nbsrv() should return 0 if backend is disabled
- BUG/MEDIUM: ssl: for a handshake when server-side SNI changes
- BUG/MINOR: systemd: potential zombie processes
- DOC: Add timings events schemas
- BUILD: lua: build failed on FreeBSD.
- BUG/MINOR: option prefer-last-server must be ignored in some case
- MINOR: stats: Support "select all" for backend actions
- BUG/MINOR: sample-fetches/stick-tables: bad type for the sample fetches sc*_get_gpt0
- BUG/MAJOR: channel: Fix the definition order of channel analyzers
- BUG/MINOR: http: report real parser state in error captures
- BUILD: scripts: automatically update the branch in version.h when releasing
- BUG/MAJOR: http: fix risk of getting invalid reports of bad requests
- MINOR: http: custom status reason.
- MINOR: connection: add sample fetch "fc_rcvd_proxy"
- BUG/MINOR: config: emit a warning if http-reuse is enabled with incompatible options
- BUG/MINOR: tools: fix off-by-one in port size check
- BUG/MEDIUM: server: consider AF_UNSPEC as a valid address family
- MEDIUM: server: split the address and the port into two different fields
- MINOR: tools: make str2sa_range() return the port in a separate argument
- MINOR: server: take the destination port from the port field, not the addr
- MEDIUM: server: disable protocol validations when the server doesn't resolve
- BUG/MEDIUM: tools: do not force an unresolved address to AF_INET:0.0.0.0
- BUG/MINOR: ssl: EVP_PKEY must be freed after X509_get_pubkey usage
- MINOR: proto_http.c 502 error txt typo.
- DOC: add deprecation notice to "block"
- BUG/MINOR: Reset errno variable before calling strtol(3)
Signed-off-by: heil <heil@terminal-consulting.de>
We believe snmpd-static isn't useful, but download stats show it's still
being downloaded. Instead of dropping it, make it a dummy package that
depends on snmpd.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Jo-Philipp Wich <jo@mein.io>
This fixes a bug when mosquitto is crosscompiled in LEDE on OS X.
UNAME is explicitly executed on the host, when we want it to be treated
as a regular linux build.
This patch passes the proper UNAME=Linux variable to the mosquitto
make file in order to respect linux as cross-compiler.
Signed-off-by: Thomas Huehn <thomas@net.t-labs.tu-berlin.de>
Reviewed-by: Karl Palsson <karlp@tweak.net.au>
This change fixes multiple denial-of-service vulnerabilities:
* CVE-2016-9131: A malformed response to an ANY query can cause an
assertion failure during recursion
* CVE-2016-9147: An error handling a query response containing
inconsistent DNSSEC information could cause an assertion failure
* CVE-2016-9444: An unusually-formed DS record response could cause
an assertion failure
* CVE-2016-9778: An error handling certain queries using the
nxdomain-redirect feature could cause a REQUIRE assertion failure
in db.c
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
Per user request ship the sample upsset.conf file so that
upsset functionality can be used with nut-cgi
Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
Current maintainer (Martin Rowe) offered to hand over
maintership because I'm interested in doing more with
the package than he requires for his own use, so he
felt it made sense for me to maintain the package.
I accepted, hence this commit.
Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
Use /var/run/nut as statepath and set appropriate owner
and permissions on /var/run/nut in order to avoid pidfile
for nut being world-readable.
Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
It looks like serial support was accidentally dropped due to missing
pieces on Config.in and Makefile. Add back serial support by fixing
that.
Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
With a LuCI app (of which I have one written) ucification makes
sense (and is in fact needed), so ucify the initscripts.
Also, rather than making selection of things to include an image
a matter of selecting compile-time config options, make optional
things into seperate packages that are built in default builds,
and leave selection of what to include or not up to the user
(e.g. using ImageBuilder, or adding packages via opkg).
Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
- fix ip extraction if knot host is used together with glue records
- fix ip extraction from nslookup if reverse dns record has ip with dot reported at http://forum.lede-project.org/t/ddns-scripts-error/909
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
Add a few mirrors in-front of main site for offloading
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Signed-off-by: Peter Wagner <tripolar@gmx.at>
As both LEDE and OpenWrt have STAGING_DIR_HOSTPKG now, we can start to rely
on it. See 73b7f55424 for more information on
STAGING_DIR_HOSTPKG.
STAGING_DIR_HOSTPKG won't actually be changed before the first LEDE release
(it is equivalent to $(STAGING_DIR)/host), so this simple search/replace
cleanup is safe to apply. Doing this cleanup now will be useful for the
Gluon project (an OpenWrt/LEDE based firmware framework) for experimenting
with modifying STAGING_DIR_HOSTPKG before doing this in the LEDE upstream.
Also fixes a typo in the dbus Makefile ("STAGIND_DIR").
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Before this change logging was always activated and then IoTivity wrote
a lot of debug messages. Make it now configurable.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Install the header files needed to build something against IoTivity.
This will have it easier to build an application using IoTivity library.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
These patches are making it possible to provide the compiler settings
from the environment so LEDE can change them. This replaces the old
patches with the versions send for upstream inclusion.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This does the following changes:
* update to version 1.2.1
* add iotivity-resource-directory-lib, this is needed by most
applications now
* do not activate security support by default, this caused some
problems and needs some more settings to setup.
* use sqlite version from normal package feed instead of using an own
version
* build against LEDE version of mbedtls
* update example security configuration
* remove some patches that went upstream
* add some new patches fixing problems observed in my environment, most
of them are on their way upstream.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
- cloudflare v1 change syntax of option domain to "host.sub@example.com" like already cloudflare v4 and godaddy to prepare logterm remove of public_suffix_list.dat from package
- change Makefile to be backportable to CC15.05 and working on DD
- change ddns.defaults to prepare future releases of ddns-scripts
- minor fixes
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
Talked it over with Ben (@scrpi).
He said he'd be fine with taking over maintainership of this.
@scrpi: please confirm this on PR.
Signed-off-by: Ben Kelly <ben@benjii.net>
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Copy mime.conf to temporary directory so squid process can properly read the file. Without it squid cannot access mime.conf and throws a warning during startup.
Signed-off by: Adam Gensler <openwrt@a.gnslr.us>
HTTP header content-disposition isn't honored resulting in source tarball name only containing version number.
Switch to GIT repo as workaround to avoid clashing filenames.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Version bumped to 4.3.5. Separated out compile/install steps since
compiling with $DESTDIR yields bogus results. Removed rfc-3527 patch
as something similar (better) is now upstream (well, more complete
error checking anyway). Change relay scripts from '-l ifname' to
'-U ifname' to correspond to upstream changes.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Instead of causing nondeterministing conditional compilation depending on
whether libnl-core happens to be present or not, fixup the net-snmp package
to link against libnl-tiny which is present by default on the majority of
systems.
In order to successfully build against libnl-tiny, a number of things had
to be fixed in both the upstream configure and the outer Makefile:
- Add a patch which fixes the upstream configure macros to properly handle
cases where the cache variables for nl_connect() and netlink.h tests are
predefined. Without this patch, all subsequent link tests in configure
will fail, causing the build system to assume functions like opendir() or
readdir() to be missing, leading to build failures later on due to
conflicting redefinitions of structures and function prototypes
- In the same patch, stop probing the host systems /usr/include/libnl-3 if
ac_cv_header_netlink_netlink_h is given. This brings the proprietary
configure bits in line with the behaviour expected from autoconfig in a
cross compile setting
- Explicitely request nl support by passing the --with-nl flag to configure
- Pass the required cache variables to skip the broken tests for
nl_connect() and netlink.h
- Amend TARGET_CPPFLAGS to let net-snmp's build system discover nl-tiny's
netlink/netlink.h and netlink/socket.h
- Enable the autoreconf fixup to regenerate the broken shipped configure
from patched macros
- Adjust the depends to unconditionally require libnl-tiny
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Add support to configure strongswan via uci.
uci support is based on the following sections
-ipsec : Global config items belonging in the strongswan.conf file
-remote : Defines the remote peer(s)
-tunnel : Defines the IPSec connections in tunnel mode
-transport : Defines the IPSec connections in transport mode
-crypto_proposal : Defines the different crypto proposals
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
Signed-off-by: Gino Peeters <peeters.gino@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Commit e73964fa8f incorrectly dropped the
patch 101-update-struct-msghdr.patch. Add it again, and while add it
also add the follow-up patch that was added upstream.
Fixes#3757.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
When libnl-core is enabled, but libnl isn't, build fails because of a
missing dependency on libnl-3.so.200. Depending on libnl-core seems to
work for both cases.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Update to 5.7.3 by refreshing patches; remove 800-format-security
as upstream integrated.
Add libnl dependency in the package Makefile as net-snmp will check
if libnl is enabled in config_os_libs2.
Remove unneeded PKG_FIXUP build variable.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
this installs the default MIBS-files under /usr/share/snmp/mibs .
Also aligns the defines to the same sorting-scheme.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
change download link from git:// to https:// .
Git links are less safe (not encrypted) and, more importantly, they are blocked by company firewalls.
Https links do not have either issue.
Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
Move git hash to PKG_VERSION instead of PKG_RELEASE
Use xz git tarball instead of gz
Add dependency to ustream-mbedtls as mbed TLS 1.3 is deprecated.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
