It never works... And Xray-core needs root access to work.
Bump geodata to latest version while at it.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit ab540e6990)
The following CVE updates are included:
* CVE-2021-25219: The "lame-ttl" option is now forcibly set to 0. This
effectively disables the lame server cache, as it could previously be
abused by an attacker to significantly degrade resolver performance.
* CVE-2021-25218: An assertion failure occurred when named attempted
to send a UDP packet that exceeded the MTU size, if Response Rate
Limiting (RRL) was enabled.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
(cherry-picked from commit c2de702cbd)
User mpeleshenko reported that symm encryption breaks hearing map.
Set the default to 0.
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 8b7fb614dd)
This uses some definitions from <sys/cdefs.h> in gcc 8.4.0, not present
in musl or gcc11.
Also use clock_gettime() instead of syscall(__NR_clock_gettime,...),
which is not currently defined.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 281df4bcf5)
* refresh patches
* disabling kres_gen_test is not required anymore for cross compilation, it was fixed upstream with the 5.4.1 release
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
(cherry picked from commit 2b3b2ffe42)
ddc007e32ced ubus: avoid use after free in handle_probe_req()
e1275713c057 github: fix workflow
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 2e02deb5a9)
Some users report that DAWN sometimes crashes after a while. Mostly
this happens after the new update has been rolled out.
Since I would not like to go back to the older version, I add as
a workaround for now that DAWN automatically respawned.
Workaround for:
https://github.com/berlin-open-wireless-lab/DAWN/issues/151
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit c1490175d3)
* c70773a - datastorage: use signal strength as a metric
* 14e0f83 - Don't display debugging output with DAWN_NO_OUTPUT
* 97e5de1 - uci: add neighbor list priority options
* 2b1a53c - dawn_uci: set default values
* 6eb747b - Use separate configs for 802.11g & 802.11a bands
* 1e34357 - Verify compatibility before parsing config message
* a7a8309 - List all neighbors with same score when kicking
* 3ba0fa4 - Change beacon request fields to appropriate values
* 009aab9 - Change mode config parameter from int to string
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 2039e3fce0)
* bugfix: change killall param from -HUP to -s HUP
* bugfix: change tmpfs param from status to gateway
Signed-off-by: Stan Grishin <stangri@melmac.net>
(cherry picked from commit 2b6c8d8273)
* there are reports that 0.3.5-x versions do not work on some configs
* the development of the new features moved to the new package (pbr)
* revert to the last known good version of vpn-policy-routing
Signed-off-by: Stan Grishin <stangri@melmac.net>
(cherry picked from commit 77514c10a7)
/net/crowdsec-firewall-bouncer/
crowdsec-firewall-bouncer will fetch new and old decisions from
a CrowdSec API to add them in a blocklist used by supported firewalls.
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
(cherry picked from commit 676a621647)
/net/crowdsec/
Crowdsec - An open-source, lightweight agent to detect
and respond to bad behaviours.
It also automatically benefits from a global community-wide
IP reputation database.
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
(cherry picked from commit 8903d1b7ca)
* update to [2021-09-27](da2501f542)
* fixes https://github.com/aarond10/https_dns_proxy/issues/125
* restart instead of reload on interface hotplug
* fixes https://github.com/openwrt/packages/issues/16794
* produce output and log entries on service start/stop
* prevent unnecessary dnsmasq restarts if service has previously updated dnsmasq settings
* allow both named and typed dnsmasq instance settings to be updated
* update 010-fix-cmakelists patch file
Signed-off-by: Stan Grishin <stangri@melmac.net>
(cherry picked from commit f8d16338da)
On September the 29th, the certificate for R3, the intermediate
CA of Let's Encrypt expired, followed by the root CA expiration
on September the 30th. Update the acme client to 3.0.1,
to make sure newly generated certificates are using the new CA.
This is a backport of 468fc5fca4.
https://github.com/openwrt/packages/pull/16801
Default to letsencrypt because the upstream default may change.
Passing --staging is no longer needed, since --serever will
select a staging server if needed.
Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
Tested-by: Georgi Valkov <gvalkov@abv.bg>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
This commit fixes an issue where the `AUTOSSH_GATETIME` is not available in the `procd` environment which gets overwritten by the second `procd_set_param env` call.
It now calls the `procd_set_param env` once with the two variables, instead of twice.
Signed-off-by: Leo Soares <leo@hyper.ag>
(cherry picked from commit 9c4d79519c)
configure script looks for host ssh. Just pass the configure variable
directly. --with-ssh doesn't work.
Also get rid of custom Compile section. It's not needed.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 63b7febf5f)
Currently `travelmate` only support `<meta` tag
if it contains `"`. This updates `travelmate.sh` to support
`'` as well.
```html
<meta...content='1; url=
```
Signed-off-by: Kamil Trzciński <ayufan@ayufan.eu>
(cherry picked from commit 2cbd9a2eb1)
* removed the newly introduced wpa-supplicant dependency as it makes trouble with a circular dependency
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 40f1071a39)
* Create working directory when it is not present. Apparently
some recent change made adguardhome fail to start when working
directory is missing.
* Full changelog available at:
* https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.106.1
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
(cherry picked from commit 350ba8cbbd)
* add wpa-supplicant package dependency
* removed no longer working 'db-bahn.login' and 'wifionice.login' auto-login scripts
* added the new 'wifibahn.login' script for auto-logins to captive portals WIFI@BAHN (DE),
run tested on a single ICE (station logins are currently unsupported!)
* vodafone.login prepared to support free/time limited logins (still WIP!)
* change return code handling in login scripts and travelmate
* refine f_wifi function
* fix a few conercase issues
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 3167e00aff)
Avoid restarting fail2ban by hotplug when the service is disabled.
Related issue: https://github.com/openwrt/packages/issues/16601
Signed-off-by: Vladislav Grigoryev <vg.aetera@gmail.com>
(cherry picked from commit 57aab9f1d1)
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
fail2ban v0.11.2 package version 2
Following PR #15098, add fixes to build fail2ban package:
- remove use of fail2ban-python (directly use python3 in script)
- remove link to python3 in /usr/bin (break the package build)
- remove python-tests (reduce the package size)
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
(cherry picked from commit 56a084d3922c84e936ef660a67a2156439223393)
python3-pyinotify: initial package version 0.9.6 of pyinotify for python3
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
(cherry picked from commit bcb8775e48eb8f99a76b05a8539a0140513e4158)
Currently there is a problem with log spam when ipv6 network
is dropped. Fix this by backporting a patch to silence these errors
when verbose logging is not enabled.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
(cherry picked from commit f2f05088a5a12bf9963b83d9613bb96335a27e66)
To allow the script to define what it should be run with.
This let's the user use bash if it's available, or python, or perl, etc.
Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
Update PKG_VERSION to 2.10.12
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 3d824ea288)
The "-s -w" flags in GO_PKG_LDFLAGS tells the Go compiler to strip the
binaries it produces. Since the default Go package build process will
strip binaries when CONFIG_USE_STRIP or CONFIG_USE_SSTRIP are selected,
these flags are unnecessary.
When CONFIG_NO_STRIP is selected, these flags override the user's
intention of building unstripped packages.
This removes these flags for all relevant packages.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This will allow the server to know more info about the client like
HWADDR, very useful for managing IoT devices.
See: https://www.mankier.com/8/openvpn#--push-peer-info
Signed-off-by: Nguyen Quang Minh <minhnq31@fpt.com.vn>
Recent versions of mosquitto have added a lot more fine grained control
of various options. Add UCI support for all of them, and fix a couple
of things that were configured as per listener, that are actually global
settings.
Signed-off-by: Karl Palsson <karlp@etactica.com>
26bd876 Switch from ifname to device
d8d3d5f Fix blog post link
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit ac2b796704e02a1332c468c9dd9354426142ab7d)
* replaced pipe input for a while/read-loop with a here document/variable as input
(fix various subshell related bugs and oddities)
* further improve abort and re-connection handling
* prevent alleged detected connection failures (false positives) with an additional gw check,
to stabilize VPN connections in particular
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 1c0fcbd28b)
* simplify the scan logic, to get rid of nifty IFS tricks
* limit the nearby scan results to process only the strongest uplinks, set 'trm_maxscan' accordingly (default '10')
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 58a3cf1f01)
This fixes compilation issues with ASLR PIE enabled
We were compiling with '-g -DDEBUG'
https-dns-proxy_2021-07-29-*_arm_cortex-a9_vfpv3-d16.ipk
shrink from 19514 to 19095
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 374e1dd56e)
There's no good way to get rid of these, so just delete the cmake files.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 4ebc879855)
* scan for open uplinks even if no other station has been added/configured
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit e6e3c9481d)
* support the new travelmate option 'macaddr' to use a pre-defined MAC address (per uplink)
* vpn connections are now handled separately for each uplink
* The autoadd-feature for adding open uplinks will now be limited by the 'trm_maxautoadd' option. The default is '5', '0' disables this limitation.
* more code cleanups und optimizations to reduce the repetitive connection handling workload
* bugfixes regarding multiple radio support
* refine cp detection (no longer write and parse an error file)
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit c6328bad6c)
- Fix copypaste error for PUB_KEY link creation
- Clean tmp dir on exit to clear any remaining data
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
(cherry picked from commit 842a9d399f)
* supports newer shellcheck
* restore EXTRA_COMMANDS compatibility with 19.07
* move status display from various functions to status_service
* bugfix: status_service line break after output
* minor arythmetic fix in status_service
Signed-off-by: Stan Grishin <stangri@melmac.net>
Description: Lack of support of HTTP/2 by default starts to hurt,
for example with https-dns-proxy package, some DoH resolvers (like mullvad)
no longer support HTTP/1 and are not usable.
This enables HTTP/2 support by default (which would bring ~68Kb libnghttp).
Signed-off-by: Stan Grishin <stangri@melmac.net>
* update binary to the latest commit (2021-07-29) to fix#16222 and #16239
* add hotplug.d/iface file and update Makefile to install it
* use Cloudflare's and Google's bootstrap DNS if bootstrap DNS is missing
* minor improvements in append_bool function
* add append_counter function for verbosity setting
* add append_bootstrap function (and supporting functions) to parse/sanitize bootstrap setting
* move firewall array from 'main' instance to the first proxy instance
* delete useless 'main' instace
Signed-off-by: Stan Grishin <stangri@melmac.net>
* code cleanup
* add auto login script for Julianahoeve beach resort (NL)
* add auto login script for Vodafone hotspots (DE)
* add auto login script for telekom hotspots (DE)
* enhance captive portal detection to support html redirects as well
* change default captive portal detection url to
'detectportal.firefox.com'
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 380a5110b4)
Include default configuration files to have something to start from.
Also include snort2lua to help convert snort2 rules to snort3 to also
help with bootstrapping the configuration.
Signed-off-by: Michal Hrusecky <michal.hrusecky@turris.com>
This matches an ipv4 change in 21f5cdd2fa and has the same rationale.
Google requires https for both ipv6 and ipv6.
Signed-off-by: Scott Lamb <slamb@slamb.org>
(cherry picked from commit e5f45b94c0)
- Bump yggdrasil-go version to v0.4.0
- Update ygguci tool for compatibility with the new yggdrasil-go version
- Yggdrasil's config file is now generated in a separate command before running the daemon
Signed-off-by: George Iv <zhoreeq@users.noreply.github.com>
(cherry picked from commit e135c4c867)
bugfix: domain names bypass
rename config file
update Makefile
updated README link
updated shellcheck compatibility
support for 21.02.0-rc2 and later
updated code for interface triggers
add newline to test.sh
Signed-off-by: Stan Grishin <stangri@melmac.net>
support for 21.02.0-rc2 and up
support for reloading a single interface on ifup/ifupdate
rename config file
updated shellcheck compatibility
remove obsolete create/remove_lock
interface processing optimizations to speed up reloads
drop dependency on curl in user scripts
uniform styling of functions
Signed-off-by: Stan Grishin <stangri@melmac.net>
ec9a3a9 fix GCC11 compilation
Thanks to neheb and cotequeiroz.
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit ee4616fb43b489003cab957e3a2d6f5f14c6fb97)
555268b ubus: filter neighbors by SSID when preparing nr
3db9607 data storage: match SSID when searching ap entry
a22f5a7 storage: ensure SSID strings are NULL-terminated
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 163ccbf0236824b29fd2158d3a287dda5e427b00)
Makefile changes include:
* Remove USE_UCLIBC, as uclibc is no longer supported
* Package output modules
* Move main binary (back) to /usr/sbin, as it is system administration
related and requires superuser privileges
New patches:
* 003-add-space-for-null-byte.patch - from
374cfd2cab
* 004-more-specific-library-linking.patch - from
27b57d9da3
* 005-use-c99-format-macro-constants.patch - from
https://github.com/fln/addrwatch/pull/28
Init script changes include:
* Change from explicit disable to explicit enable, so that the service
is disabled by default and on first install
* Set config option default values to default values of the main binary
* Fix command-line option names and format (from
https://forum.openwrt.org/t/cant-start-addrwatch-service/60499/3)
* Always use the --quiet command-line option, as the procd instance is
not configured to capture stdout/stderr
* Change the syslog config option to start the syslog output module
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit 31ae85bca9)
User that don't control both OpenVPN client and server
might still need LZO support, so keep it enable by default for at least
OpenSSL variant.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 03c3c92496)
Testing showed that additional syscalls are needed on ARMv7.
Add "getegid32", "geteuid32", "getgid32" and "getrandom" as they are
all innocent.
Bump PKG_RELEASE.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 1141ee1e51
and commit a78e527012)
Until now the additional tables listed in gobal 'rt_table_lookup' were
not considered for interfaces.
In order to be able to also use interface-defined routes from tables
other than main, consider also tables listed in 'rt_table_lookup'.
Update version to 2.10.10 as requested by maintainer.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit cb02b42007)
* add a tcpdump option to resolve IPs in adblock reporting,
set 'adb_represolve' accordingly (disabled by default). If enabled
tcpdump will perform a reverse DNS (PTR) lookup for each IP address
* add 'stalkerware' source (provided by @astryzia)
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit e5fd19d2e0)
* fix a possible race condition during boot
* use the new "device" syntax in the network wizard
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit e407566cce)
If pppoe is used for wan access. script set 'eth1' as interface for curl
call. The correct interface is however 'pppoe-wan'.
The script uses 'network_get_physdev' function to get real device for
bind_network but this is wrong. We need instead the l3_device of the the
logical interface.
In case if we don't use pppoe connection - 'l3_device' is equal to real device.
This was reported by the github user `welderpb` with P/R:
https://github.com/openwrt/packages/pull/14431
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 036079b308)
The chrony interface hotplug script reuses the handle_allow function
from the init script to allow NTP access on interfaces specified in uci.
The function requires /lib/functions/network.sh. Include the file in the
hotplug script to make the function work as expected.
Signed-off-by: Miroslav Lichvar <mlichvar0@gmail.com>
This should prevent some resolving issues by other router app.
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
(cherry picked from commit 1d1eca32db)
* fix issue with nginx search pattern reported in forum support thread
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 0c16840e26)
* fix a small json syntax issue in adblock.sources
* add easylist addon to reg_fr source
* add switch 'adb_fetchinsecure' to allow insecure downloads
without certificate check (disabled by default)
* better explain 'adb_fetchparm' in readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 74dec65b61)
This is a security and bugfix release.
Full release notes: https://mosquitto.org/blog/2021/06/version-2-0-11-released/
Fixes a remotely triggered memory leak
Fixes broker reconnections in certain failure situations
Fixes (non-standard) qos0 queuing
Signed-off-by: Karl Palsson <karlp@etactica.com>
Samplicator receives UDP datagrams on a given port and resends those
datagrams to a specified set of receivers.
Use Cases:
- replicate Flow Samples to multiple receivers
- use with conntrackd to synchronize via unicast to multiple targets
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 41534e5a19)
Rrsync is a perl script that is supplied as an extra with the rsync program.
It must be used in conjunction with openssh-server or openssh-server-pam
as it requires ~/.ssh/authorized_keys which is not supported by dropbear.
Rrsync allows selective access to subdirectories in either read-only, write-only or read-write mode,
depending on settings in authorized_keys. This allows for safer, restrictive access.
It's particularly useful for automated backup purposes.
An example usage would be this entry:
command="/usr/bin/rrsync -ro /home" <public key here>
This would allow a system connecting with this public key to be able to rsync FROM the
/home directory tree only. It could not write to this directory, nor read from any other directory.
Signed-off-by: Matt Reeve <matt@mreeve.com>
(cherry picked from commit 081229aa09)
Switch to CMake + Ninja to fix parallel compilation.
Switched PKG_BUILD_DIR to use PKG_INSTALL_DIR for easier readability.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit b92f2c2bee)
Recreate symbolic link if it's missing after a sysupgrade with a private and public key present in /etc/atlas/
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
(cherry picked from commit 6031330749)
- Exit start if a probe_key is not present
- Add create_key command to generate a private_key based on the provided username in the atlas config.
- Add registration instruction in /etc/atlas
- Rework script to save probe_key on sysupgrade (the key are now adviced to be placed in the /etc/atlas dir and a link is used to make them accessible in the atlas-sw-scripts etc dir)
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
(cherry picked from commit 0afe371bab)
