Until now unbound was always running as root by default. A DNS resolver can
easily run under a non-privileged user.
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
The commands aliased by $(INSTALL_BIN) and $(INSTALL_DATA) set good
permissions, unlike a raw file copy.
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
The custom list of DNS root servers provided with the package is not necessary.
Unbound ships with a built-in list.
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
* rework download/backup/restore handling
* rework firewall handling
* refine whitelist parsing
* changed default null-ip to 198.18.0.1 to prevent conflicts with bcp38
* spread traffic from ad servers (port 80/443) on two uhttpd instances,
this fixes timeouts on sites with many ssl ad server connections, i.e.
youtube.com
* provide statistics & last runtime for LuCI interface
* documentation update
Signed-off-by: Dirk Brenken <dev@brenken.org>
Enabling BCP38 causes an iptables rule to be inserted before this rule:
ACCEPT all -- anywhere anywhere ID:66773300 ctstate RELATED,ESTABLISHED
This makes all forwarded packets go through the BCP38 ipset match, which slows
down download speed from 440 Mbit/s to 340 Mbit/s.
Only apply BCP38 match rules if state is NEW.
Bump package version.
Signed-off-by: Török Edwin <edwin@skylable.com>
Bring back Subversion from oldpackages and update to the latest version.
Create prerm script to stop subversion server and remove init script
on uninstall.
Signed-off-by: Donald Rumata <donald.rumata@gmail.com>
Install more development files as those might be used by other software
depending on knot libraries. They are used for example by knot-resolver.
Signed-off-by: Michal Hrusecky <Michal.Hrusecky@nic.cz>
Introduce package for additional experimental scripts for sqm-scripts.
The target is to provide an opportunity to test QoS scripts and qdiscs
still under development. E.g. cake related scripts can be placed here
for testing.
sqm-scripts and luci-app-sqm will pick up the new scripts automatically.
Initially the package contains five cake-related scripts.
The package depends on the main sqm-scripts package.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
* new config option 'adb_restricted' to disable updates of the adblock
config during runtime (no flash writes, disabled by default)
* new update function, to apply latest configuration changes if needed
(/etc/init.d/adblock cfgup)
* fix dns redirect rule
* various optimizations
Signed-off-by: Dirk Brenken <dev@brenken.org>
If libuv is present within the build environment, aria2 will fail to build
with the following error:
LibuvEventPoll.cc: In member function 'virtual void aria2::LibuvEventPoll::poll(const timeval&)':
LibuvEventPoll.cc:144:59: error: invalid conversion from 'void (*)(uv_timer_t*, int) {aka void (*)(uv_timer_s*, int)}' to 'uv_timer_cb {aka void (*)(uv_timer_s*)}' [-fpermissive]
uv_timer_start(timer, timer_callback, timeout, timeout);
^
In file included from LibuvEventPoll.h:43:0,
from LibuvEventPoll.cc:44:
.../staging_dir/target-arm_xscale_musl-1.1.14_eabi/usr/include/uv.h:770:44: note: initializing argument 2 of 'int uv_timer_start(uv_timer_t*, uv_timer_cb, uint64_t, uint64_t)'
UV_EXTERN int uv_timer_start(uv_timer_t* handle,
^
Makefile:2271: recipe for target 'LibuvEventPoll.lo' failed
make[6]: *** [LibuvEventPoll.lo] Error 1
Explicitely disable the libuv support in `configure` to avoid picking up this
unwanted dependency.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Patch modified to resolve conflict caused by #2804
This closes#2776
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Assuming the following dns zone configuration for kresin.me:
. 1800 IN NS ns.inwx.de.
home.kresin.me. 1800 IN NS gw.home.kresin.me.
gw.home.kresin.me. 60 IN A 198.51.100.1
Using the example, gw.home.kresin.me is a glue record and used as DDNS
record as well. gw.home.kresin.me points to the OpenWrt installation
where the ddns-scripts are running.
Since ns.inwx.de isn't the authoritative server for home.kresin.me,
a query for the the A record of gw.home.kresin.me will be "forwarded"
to and replied by the authoritative server 198.51.100.1. If the
authoritative server can't be reached, the query times out without any
address returned.
The only way to get the A record of the glue record is to use bind
host in verbose output mode, query ns.inwx.de for gw.home.kresin.me and
evaluate the additional section of the response.
To my knowledge, only bind host in verbose output mode shows the
additional section of the response. Therefore, this features depends on
bind host.
It is not possible to use the bind host verbose mode for all queries.
In verbose mode the "has address" line isn't returned. Grepping for the
hostname might fail if the hostname is CNAME. Grepping for the first
occurrence of an ip-address is way to error prone, since it could
return the ip address of a different record type.
Signed-off-by: Mathias Kresin <dev@kresin.me>
ktutil_funcs.c: In function 'ktutil_delete':
ktutil_funcs.c:75:28: error: 'prev' may be used uninitialized in this function [-Werror=maybe-uninitialized]
Signed-off-by: John Crispin <john@phrozen.org>
If the liblz4 library exists within the build environment, the openconnect
configure will pick it up and start depending on it, leading to the following
build error:
Package openconnect is missing dependencies for the following libraries:
liblz4.so.1
Disable LZ4 support in configure in order to avoid this implicit,
nondeterministic dependency.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Mark the usbip package nonshared so that is built along with the target
specific binaries and not within the SDK environment.
This is needed since the usbip package draws its source files directly
from the kernel tree which is unavailable within the SDK.
Fixes the following build error encountered by the LEDE buildbots:
http://downloads.lede-project.org/snapshots/faillogs/mipsel_1004kc_dsp/packages/usbip/compile.txt
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The most recent developer of netdiscover had self-hosted downloads
but also put the project on SourceForge. The self-hosted site went
down but SourceForge is much more reliable so I have moved the
download URI to SourceForge (md5sum is the same).
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
- add DNS lookup support for "drill" and "khost" (Knot DNS) #2637
- new service nsupdate.info (IPv4 and IPv6) #2433
- new services dyndnss.net, dyns.net (IPv4 only)
- new services dnshome.de, goip.de, myonlineportal.net (IPv4 and IPv6)
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
* push gnurl, gnutls and libmicrohttpd dependencies down to modules
* use standard UID/GID for gnunet (958/958)
* use GID adjecent (452) to dnsmasq (453) for gnunetdns to allow
using the owner match with a range of GIDs (452-452)
* package new gnunet-social pub/sub CLI tool
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fixes the following CVEs:
Bug 3020 / CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering
Reported by Matt Street and others of Cisco ASIG
Bug 3012 / CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY
Reported by Matthew Van Gundy of Cisco ASIG
Bug 3011 / CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch
Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
Bug 3010 / CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated
Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
Bug 3009 / CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
Bug 3008 / CVE-2016-2519: ctl_getitem() return value not always checked
Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
Bug 3007 / CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos
Reported by Stephen Gray and Matthew Van Gundy of Cisco ASIG
Bug 2978 / CVE-2016-1548: Interleave-pivot - MITIGATION ONLY
Reported by Miroslav Lichvar of RedHat and separately by Jonathan Gardner of Cisco ASIG
Bug 2952 / CVE-2015-7704: KoD fix: peer associations were broken by the fix for NtpBug2901, AKA: Symmetric active/passive mode is broken
Reported by Michael Tatarinov, NTP Project Developer Volunteer
Bug 2945 / Bug 2901 / CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks
Reported by Jonathan Gardner of Cisco ASIG
Bug 2879 / CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing
Reported independently by Loganaden Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
Signed-off-by: Peter Wagner <tripolar@gmx.at>
OpenWrt offers a special 'prelocal' routing table at priority 0.
Use it, so local-to-local DNS traffic also gets redirected properly.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
fwknop Makefile had two conffiles sections. Combine them.
Remove also the whitespace from conffiles section (see #2652)
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
The conffiles definition in Makefile should not contain leading whitespace.
Remove whitespace from Makefile of motion, dnscrypt-proxy and sstp-client.
Reference to discussion at #2652
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
* support more router modes, as long as the firewall and the DNS server
are enabled
* new source sites can be added & changed via awk ruleset in uci config
* source domain count, last update time & overall count will be stored
in uci config
* added 3 new source sites:
ransomware tracker
rolist/easylist
winspy
* switch to minimal inline base64 encoded 1×1 GIF for pixel server
(separate png image no longer needed)
* simplified uci parser
* source download & domain sort optimization
* add whitelist parser with wildcard support
* reduced code size & various cleanups
* updated documentation
Signed-off-by: Dirk Brenken <openwrt@brenken.org>
Create directory which was accidentally left-out during the previous
commit adding the proto handler.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
fixes bug in resolver logic which was exposed by recent fixes in
various C Standard libraries including musl.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
TARGET_CFLAGS was pointing to /usr/include/libnl3 instead
of $(STAGING_DIR)/usr/include/libnl3
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
Signed-off-by: Jonathan McCrohan <jmccrohan@gmail.com>
[RELEASE] Released version 1.5.16
Released version 1.5.16 with the following main changes :
- BUG/BUILD: replace haproxy-systemd-wrapper with $(EXTRA) in install-bin.
- BUG/MINOR: acl: don't use record layer in req_ssl_ver
- BUG: http: do not abort keep-alive connections on server timeout
- BUG/MEDIUM: http: switch the request channel to no-delay once done.
- MINOR: config: extend the default max hostname length to 64 and beyond
- BUG/MEDIUM: http: don't enable auto-close on the response side
- BUG/MEDIUM: stream: fix half-closed timeout handling
- BUG/MEDIUM: cli: changing compression rate-limiting must require admin level
- BUILD: freebsd: double declaration
- BUG/MEDIUM: sample: urlp can't match an empty value
- BUG/MEDIUM: peers: table entries learned from a remote are pushed to others after a random delay.
- BUG/MEDIUM: peers: old stick table updates could be repushed.
- CLEANUP: haproxy: using _GNU_SOURCE instead of __USE_GNU macro.
- BUG/MINOR: chunk: make chunk_dup() always check and set dst->size
- MINOR: chunks: ensure that chunk_strcpy() adds a trailing zero
- MINOR: chunks: add chunk_strcat() and chunk_newstr()
- MINOR: chunk: make chunk_initstr() take a const string
- BUG/MEDIUM: config: Adding validation to stick-table expire value.
- BUG/MEDIUM: sample: http_date() doesn't provide the right day of the week
- BUG/MEDIUM: channel: fix miscalculation of available buffer space.
- BUG/MINOR: stream: don't force retries if the server is DOWN
- MINOR: unix: don't mention free ports on EAGAIN
- BUG/CLEANUP: CLI: report the proper field states in "show sess"
- MINOR: stats: send content-length with the redirect to allow keep-alive
- BUG: stream_interface: Reuse connection even if the output channel is empty
- DOC: remove old tunnel mode assumptions
- DOC: add server name at rate-limit sessions example
- BUG/MEDIUM: ssl: fix off-by-one in ALPN list allocation
- BUG/MEDIUM: ssl: fix off-by-one in NPN list allocation
- BUG/MEDIUM: stats: stats bind-process doesn't propagate the process mask correctly
- BUG/MINOR: http: Be sure to process all the data received from a server
- BUG/MEDIUM: chunks: always reject negative-length chunks
- BUG/MINOR: systemd: ensure we don't miss signals
- BUG/MINOR: systemd: report the correct signal in debug message output
- BUG/MINOR: systemd: propagate the correct signal to haproxy
- MINOR: systemd: ensure a reload doesn't mask a stop
- CLEANUP: stats: Avoid computation with uninitialized bits.
- CLEANUP: pattern: Ignore unknown samples in pat_match_ip().
- CLEANUP: map: Avoid memory leak in out-of-memory condition.
- BUG/MINOR: tcpcheck: conf parsing error when no port configured on server and last rule is a CONNECT with no port
- BUG/MINOR: tcpcheck: fix incorrect list usage resulting in failure to load certain configs
- MINOR: cfgparse: warn when uid parameter is not a number
- MINOR: cfgparse: warn when gid parameter is not a number
- BUG/MINOR: standard: Avoid free of non-allocated pointer
- BUG/MINOR: pattern: Avoid memory leak on out-of-memory condition
- CLEANUP: http: fix a build warning introduced by a recent fix
- BUG/MINOR: log: GMT offset not updated when entering/leaving DST
Signed-off-by: heil <heil@terminal-consulting.de>
On some systems too many retries with authentication failure results
in IP or username being locked out, so add option to prevent retries
in the event of authentication failure
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
The contents of the file "db.root" is very old (12 years).
Here's a new version downloaded from ftp://ftp.internic.net/domain/
Signed-off-by: DonkZZ <donk@evhr.net>
This adds one patch from the upcoming 0.10.2 release to exclude Avahi/DNS-SD from build time
detection and properly adds liblo as a dependency.
Signed-off-by: Christian Beier <dontmind@freeshell.org>
The "internal pure-C" tor-fw-helper was removed in 0.2.7.5. This removes
the tor-fw-helper package and references to its dependencies.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
$(CP) was defined as `cp -fpR' since the very begining of OpenWrt build
system (2006-06-22). The -R option should be enough and base packages
use only $(CP) for the same purposes just fine and BSD manual of cp also
discourages the use of `-r' option. So let's just tidy up the usage now.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* add sysctl.org as new adblock source
* add main debug switch (by default all stderr outputs are going to
/dev/null)
* small cleanups
* first 'stable' release! ;-)
Signed-off-by: Dirk Brenken <openwrt@brenken.org>
This should always have been available in the mosquitto package itself.
This file needs to exist in basic form to allow the init scripts to even check whether it exists.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Instead of manually copying files and renaming on install, use the nice
clean "files/<mirror>" structure and just $(CP) them into place.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Change the git repository url to use https. Because it's found that in
some network environments http doesn't work.
Signed-off-by: Zhao, Gang <gang.zhao.42@gmail.com>
