Drops pid files, no longer needed with procd management.
Now properly reloads on reload_config after UCI changes.
Signed-off-by: Karl Palsson <karlp@etactica.com>
[ Fixed two shellcheck warnings and bump PKG_RELEASE ]
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Canonical radtest start results in an error:
$ radtest bob hello localhost 0 testing123
/usr/bin/radtest: line 1: hostname: not found
(0) Error parsing "stdin": Failed to get value
hostname command is not present in OpenWrt.
Instead, hostname can be obtained from file /proc/sys/kernel/hostname.
added: 005-get-hostname-from-proc-in-radtest.patch
(backported from commit 8b2792a)
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
The radtest utility is used in many manuals to check the operation of
the RADIUS server.
At the moment all parameters must be specified at startup, for example:
$ radtest bob hello localhost 0 testing123 0 localhost
(backported from commit 6480acd)
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
* update to 4.11.12
* fix optional modules not included on module build (vfs_btrfs, vfs_linux_xfs_sgid)
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
Several security issues are addressed:
- CVE-2020-8620 It was possible to trigger an assertion failure by sending
a specially crafted large TCP DNS message.
- CVE-2020-8621 named could crash after failing an assertion check in
certain query resolution scenarios where QNAME minimization and
forwarding were both enabled. To prevent such crashes, QNAME minimization is
now always disabled for a given query resolution process, if forwarders are
used at any point.
- CVE-2020-8622 It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
- CVE-2020-8623 When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code determining the
number of bits in the PKCS#11 RSA public key with a specially crafted
packet.
- CVE-2020-8624 update-policy rules of type subdomain were incorrectly
treated as zonesub rules, which allowed keys used in subdomain rules to
update names outside of the specified subdomains. The problem was fixed by
making sure subdomain rules are again processed as described in the ARM.
Full release notes are available at
https://ftp.isc.org/isc/bind9/9.16.6/doc/arm/html/notes.html#notes-for-bind-9-16-6
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
(cherry picked from commit cf61f7f8ef)
Security release. From the changelog:
- In some circumstances, Mosquitto could leak memory when handling PUBLISH
messages. This is limited to incoming QoS 2 messages, and is related
to the combination of the broker having persistence enabled, a clean
session=false client, which was connected prior to the broker restarting,
then has reconnected and has now sent messages at a sufficiently high rate
that the incoming queue at the broker has filled up and hence messages are
being dropped. This is more likely to have an effect where
max_queued_messages is a small value. This has now been fixed. Closes
https://github.com/eclipse/mosquitto/issues/1793
Changelog: https://mosquitto.org/blog/2020/08/version-1-6-12-released/
Signed-off-by: Karl Palsson <karlp@etactica.com>
* remove 'dshield' and 'sysctl' (discontinued)
* switch 'malwaredomains', 'shallalist' and 'winhelp' to https
* add a second regional list for poland (provided by matx1002)
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 5ba498f7c8)
Add a hotplug script to reload nlbwmon's config after interface
ifup actions.
That should improve the detection of the IPv6 LAN address
that can get enabled a bit later in the boot process.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
(cherry picked from commit 25dfa20780)
Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
Adapted from treewide commit 0ec746ccb6 for just nlbwmon.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Config files
/etc/freeradius3/policy.d/accounting
/etc/freeradius3/policy.d/filter
/etc/freeradius3/proxy.conf
/etc/freeradius3/sites-available/default
and link
/etc/freeradius3/sites-enabled/default
are in the freeradius3 package and are mentioned in the main config file
/etc/freeradius3/radiusd.conf
Thus, they must be explicitly specified in the Makefile.
File
/etc/freeradius3/sites/default
is not included in the package, is not created during installation,
is not mentioned in the main config file and should therefore be excluded
from the Makefile.
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
(cherry picked from commit f6974b8f3c)
From CHANGES_2.4:
SECURITY: CVE-2020-11984 (cve.mitre.org)
mod_proxy_uwsgi: Malicious request may result in information disclosure
or RCE of existing file on the server running under a malicious process
environment. [Yann Ylavic]
SECURITY: CVE-2020-11993 (cve.mitre.org)
mod_http2: when throttling connection requests, log statements
were possibly made that result in concurrent, unsafe use of
a memory pool. [Stefan Eissing]
SECURITY:
mod_http2: a specially crafted value for the 'Cache-Digest' header
request would result in a crash when the server actually tries
to HTTP/2 PUSH a resource afterwards.
[Stefan Eissing, Eric Covener, Christophe Jaillet]
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
When adding suEXEC to the apache package, Alpine's package [1] served as
a template. Not enough attention was paid to the details.
Alpine uses a different layout. So for OpenWrt to use /var/www as
DocumentRoot does not make sense. /var is also volatile on OpenWrt. This
commit removes the configure argument. The default is htdocsdir.
This also does away with uidmin/gidmin 99. The default is 100, which is
fine.
Finally, the suexec binary is moved from /usr/sbin to
/usr/lib/apache2/suexec_dir. Upstream recommends installing suexec with
"4750" (see [2]) and the group set to the user's group. While that would
be possible, it would cause a few headaches on OpenWrt. The group would
need to be changed first in a post-install script and a call to chmod
would need to be made afterward, to make the binary SUID again.
It's easier to hide the SUID binary away from others in a directory.
This way we don't need to use chmod in the post-install script.
[1] https://github.com/alpinelinux/aports/tree/master/main/apache2
[2] https://httpd.apache.org/docs/2.4/suexec.html
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
- prevent rapid overlap in DHCP script updates
- check and allow localhost forwards with specific applications
- add option for rate limiting inbound queries
- change UCI list to table format with Unbound conf references
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
This fixes misleading errors in the status file, and increases buffer
sizes to match the python implementation.
Signed-off-by: Karl Palsson <karlp@etactica.com>
This reverts commit cde2a77ed3.
Applying this change has shown that it is even quicker to provoke the
race condition on simultaneous mwan3 command execution.
By reversing the change we have the same behaviour as before.
But the race condition on mwan3 execute at the same time still exists.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit b5bd6d757b)
This adjustment of the locks fixes the race condition when a mwan3
hotplug script and a mwan3 command are running at the same time.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 2dac1bcdc9)
Also add the online time value and the uptime value from netifd to the
detail output view.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit b0acbf057e)
If the uci option family is not set in the interface section, then there
is no default value set as in the `config_load / config_get` API.
The problem here is that if the family is not set, the default value ipv4
is normally assumed. But the comparison fails here because the value is empty,
and therefore the dedicated routing table for this interface is not compared
with the other routes from the main table and so is not updated.
To fix this, set the default value for this config option, which is `false`
for enabled and `ipv4` for family.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit bcd13ba95c)
This fixes routing handling. Introduced with the last version update.
The following message disappears on the shell
when mwan3 is called with `mwan3 restart`.
`Error: Invalid gateway address.`
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[aaronjg@stanford.edu: fully unset variable and handle ipv4 as well]
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
(cherry picked from commit 8e3e6f8dde)
The default rule was only applied to ipv4 with dest_ip 0.0.0.0/0,
and the error was hidden when trying to apply it in ip6tables.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
(cherry picked from commit 2a5e9be83e)
Add double quote to prevent globbing and word splitting where there is
no regression.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit feae9e5742)
This suppresses the following output on `mwan3 restart`:
> Dump terminated
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit facf8ea299)
All the computationally expensive stuff is in the libraries, not the
package itself.
Saves several kilobytes.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit a5e7d0a904)
- Fixes CVEs:
CVE-2019-12519
CVE-2019-12520
CVE-2019-12521
CVE-2019-12523
CVE-2019-12524
CVE-2019-12525
CVE-2019-12526
CVE-2019-12527
CVE-2019-12528
CVE-2019-12529
CVE-2019-12824
CVE-2019-12854
CVE-2019-13345
CVE-2019-18676
CVE-2019-18677
CVE-2019-18678
CVE-2019-18679
CVE-2020-8449
CVE-2020-8450
CVE-2020-11945
CVE-2020-14058
CVE-2020-15049
- Remove patch for cross-compilation
The patch should not be included in OpenWrt at all without any
commit message/description.
It is not needed, and HOST variables should be used instead of BUILD variables (e.g.
HOSTCXX).
However, BUILDCXX is set in the Makefile to HOSTCXX.
- Renumber glibc patch and refresh it
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 3401e29aa7)
Two patches were backported to fix issue openwrt/packages#12737
0002-compat-Fix-ipv6_dst_lookup-build-error.patch
0003-compat-Backport-ipv6_stub-change.patch
One was deleted as it is now part of 2.11.3
0005-datapath-conntrack-fix-include-for-IP6_DEFRAG_CONNTR.patch
Other patches refreshed
Reported-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
If the status file is not found, then return the value unknown.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit e30f16beef)
Add an option for adding rules based on source interface.
The default 0.0.0.0/0 src and destination ip addresses have been removed. It is unclear
how the 'any' family of rules would have worked, as it appears each rule always required an
ipv4 or ipv6 address src and destination address. With this change, the any family will work
again.
I also cleaned up a bunch of repeated code around adding the iptables rules for
ipv4/ipv6/any in making the change.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
(cherry picked from commit 5147dfc73a)
An interface can have both a /64 and a /128 from a provider.
In such a case, use the address from the /64 to do the ping check, not
the /128.
Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
(cherry picked from commit 49cf5eac5c)
Add alternative to busybox nslookup. Busybox throws an error when
the host does not have an AAAA record.
Signed-off-by: Ian Cooper <iancooper@hotmail.com>
(cherry picked from commit 4cb5aa57fd)
As miniupnpd is running as root, libcap can be used to limit its
capabilities.
libcap is very small, so this isn't a problem.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit ba49c96808)
(switched to use libcap as -ng is not available)
Use the newly introduced configure script.
Use PKG_INSTALL for consistency between packages.
Use PKG_BUILD_PARALLEL for faster compilation.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 2b5028458e)
If miniupnpd is installed but disabled or not running, the hotplug
script will query uci for keys that don't exist and grep a temporary
config file that doesn't exist, resulting in the following errors:
uci: Entry not found
grep: /var/etc/miniupnd.conf: No such file or directory
These would arise when an interface is brought up or down, and are
more confusing than helpful, especially when miniupnpd is disabled.
Suppress these errors.
Signed-off-by: David Ehrmann <ehrmann@gmail.com>
(cherry picked from commit 6ef2b5400b)
The existing interface selection/detection code was incomprehensible at
worst and convoluted at best. The uci config file suggested it
understood an external ipv6 interface but in reality the init script
took no notice. Re-work it so it is at least comprehensible and takes
notice of ipv6 interface details if specified.
Update the hotplug script to use the same interface selection/detection
code as the init script and take note of ipv6 interface selection, only
restarting miniupnpd on interface up events and only if that interface
isn't already known (for that ip class) by miniupnpd.
For me this has solved numerous 'flaky' startup problems, especially
with regard to ipv6.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 295d77943c)
Error was:
The domain 'example.com' seems to have a ECC cert already, please add '--ecc' parameter if you want to use that cert.
Signed-off-by: David Yang <mmyangfl@gmail.com>
* update to git 2020-05-06
* run init script through shellcheck
* fix infinite loop when BI_PARM is never set
* Fix '-b' option parsing
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
Unbound has a quirk and may reply on a different device address.
When Unbound answers with a from-address different from the one it
received queries on, it may cause trouble for select VPN and
firewall configurations. Ensure Unbound replies with the same
address by changing this default.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
* add anti_ad blocklist source
* made SafeSearch provider configurable, you can limit
SafeSearch to certain providers
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit e5ab2de1ff)
* add regional list source for czech/slovak
* add regional list source for korea
* adapt oisd_nl changes, switch to adb-syntax domains
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 0a5e61ecb6)
Removed patch
`03-configure-allow-to-manually-disable-POSIX-capabiliti.patch` that has been backported into release.
Signed-off-by: Jan Hak <jan.hak@nic.cz>
(cherry picked from commit 9d81b6e4ca)
Recently, libcap-ng was added to the OpenWrt packages feed,
which is optional for Knot DNS. It enables POSIX 1003.1e capabilities.
This can restrict root permissions (by default it runs as root) and
might cause harm, and as there isn't systemd on OpenWrt it can interfere.
There is an added patch, which introduced an option to disable libcap-ng.
This will be part of the next release.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 41957d6967)
Build is failing because HWTSTAMP_TX_ONESTEP_P2P is defined anymore on
linux net_tstamp.h.
Moreover, the usual way of building linuxptp is to look for system includes
unless the user defines otherwise. An attempt was also made to fix that.
PKG_RELEASE bumped to 3.
Signed-off-by: Paulo Machado <pffmachado@yahoo.com>
(cherry picked from commit 5f64b2d1e4)
Upstream will drop support for the ssl option in the next future version.
Signed-off-by: Gabor Seljan <sgabe@users.noreply.github.com>
(cherry picked from commit 46c253dfca)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[package bump]
This exposes the interface-auto option to UCI.
By default, interface-auto is disabled.
This leads to the DNS reply possibly originating from
a different address than the request was sent to.
Devices with a packet filter might not receive the reply in this case.
Enabling interface-auto ensures the reply is sent with the
source-address the request was sent to.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit da76aeb24c)
The configure script confusingly sets CXXFLAGS to gnu++11 but does
not use that to check the important stuff. Fix that.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 8f7687833e)
* remove dumb list cache
* start adblock processing after adding/removing
list sources via CLI
* add regional list source for france
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit ab44d8146a)
Refactor the package so init script is installed from the binary instead
of an init script embedded in the package.
Signed-off-by: Olivier Poitrey <rs@nextdns.io>
This updates the include paths for python(3)-package.mk to be relative
to the package Makefile. If not, in certain cases this will print errors
like the following one:
ERROR: please fix feeds/openwrt/net/freeradius3/Makefile
- see logs/feeds/openwrt/net/freeradius3/dump.txt for details
In the dump.txt there is the following:
Makefile:42: /mylocalpath/feeds/packages/lang/python/python3-package.mk: No such file or directory
make[1]: *** No rule to make target '/mylocalpath/feeds/packages/lang/python/python3-package.mk'. Stop.
The relative path is used already in 19.07 for most of the packages, and
has been updated for the packages at hand in master as well:
302f4d17e3 ("libmraa,libupm: Disable default Python package build recipe")
1bc2f4f3c6 ("treewide: Remove Python variants for non-Python packages")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
OpenSSL is already built as part of tools (LibreSSL actually) and can be
used instead for the host build.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit c037c8d988)
Remove boost-python3 dependency and reduce file size of the compiled
kea-libs
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
(cherry picked from commit 74603fe5ea)
Fix kea-admin dependency where if procps-ng-ps wasn't available busybox
would output an error because it doesn't support showing a process's PID.
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
(cherry picked from commit 9314a96765)
Fix an issue where the Makefile wouldn't allow kea to show up in the
menuconfig. Also added some description to the packages.
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
(cherry picked from commit 95307f2a4b)
STAGING_DIR_HOST is for packages under tools/ , not host packages.
Reorganized Makefile for consistency between packages.
Added PKG/HOST_BUILD_PARALLEL for faster compilation.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit d93fd61d62)
The host build is not used by anything.
Added PKG_INSTALL for consistency between packages.
Added PKG_BUILD_PARALLEL for faster compilation.
Added missing protobuf/host build dependency. This was previously
specified as a host dependency, which is wrong.
Removed pointless std parameter. It's only useful for old G++ versions.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 63107fa8c0)
Needed for the new protobuf update.
Cleaned up Makefile.
Got rid of HOST_BUILD_DEPENDS. This package does not have a host build.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 4c42eb0b45)
* limit domain name length to max. 63 chars
to fix issues with energized sources
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 0b6ea12560)
To use eap tls, 'tmpdir' must be created before server starts.
This 'tmpdir' is used to store and verify client certificate,
and therefore radiusd does 'chmod go-rwx'.
If 'tmpdir' does NOT exist, the server fails to start, and the default
'tmpdir' is '/tmp/radiusd'. So the init script MUST create the default
'tmpdir' like the other directories.
Signed-off-by: Eiji MATSUMOTO <toudaiman@gmail.com>
hotplug scripts are sourced not exec'd so #!/bin/sh /etc/rc.common
doesn't pull in the functions defined in /etc/rc.common thus since
'enabled' isn't defined the following sequence always fails:
enabled miniupnpd || exit 0
Unfortunately sourcing /etc/rc.common doesn't appear to work so come up
with some alternatives.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
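The situation described in the commit above (a hotplug script cannot use rc.common's `enabled` because hotplug scripts are sourced, not exec'd) can be handled with a small self-contained check. This is an added example, not the commit's own fix; it mirrors what rc.common's `enabled` does, which is to look for an executable S??<name> start link in /etc/rc.d, and takes the rc.d directory as an assumed extra parameter so it can be exercised against a constructed tree.

```shell
# Added example (not the commit's code): decide whether a service is
# enabled without sourcing /etc/rc.common. rc.common's `enabled` checks
# for an executable start link /etc/rc.d/S??<name>; this does the same.
#
# is_service_enabled <name> [rcdir]   -> exit 0 if enabled, 1 otherwise
# The rcdir parameter is an assumption added so the check can be tested
# against a temporary directory instead of the live system.
is_service_enabled() {
    name="$1"
    rcdir="${2:-/etc/rc.d}"
    # The S?? part is a glob (two digits of start order), the name is literal.
    for link in "$rcdir"/S??"$name"; do
        [ -x "$link" ] && return 0
    done
    return 1
}

# Demo against a constructed rc.d tree (not a real system):
demo_tmp=$(mktemp -d)
mkdir -p "$demo_tmp/rc.d"
printf '#!/bin/sh\n' > "$demo_tmp/rc.d/S95miniupnpd"
chmod +x "$demo_tmp/rc.d/S95miniupnpd"
if is_service_enabled miniupnpd "$demo_tmp/rc.d"; then
    echo "miniupnpd enabled: hotplug handler would continue"
else
    echo "miniupnpd disabled: hotplug handler would exit 0"
fi
rm -rf "$demo_tmp"
```

In a real hotplug script the call would be `is_service_enabled miniupnpd || exit 0` with the default /etc/rc.d, replacing the `enabled miniupnpd || exit 0` line that silently fails when rc.common is not sourced.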
As wifidog-ng builds a kernel module, it must use a PKG_BUILD_DIR in
KERNEL_BUILD_DIR instead of BUILD_DIR, otherwise old build artifacts may
be incorrectly reused when switching between different targets of same
architecture without a full clean.
Instead of fixing up the override, just remove it and instead move the
kernel.mk include above package.mk, so PKG_BUILD_DIR is set up correctly
by default.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 25babf817f)
Related commit: 0080bb4b
Use `\s*` instead of ` \?` to match 0 or multiple spaces.
Signed-off-by: Zheng Luo <cherrotluo@gmail.com>
(cherry picked from commit 88b03577c4)
JSON response now has spaces between parameters. Accept this new format and the old one.
Signed-off-by: Michael Gray <michael.gray@lantisproject.com>
(cherry picked from commit 0080bb4bba)
Fixes issue #11282, this patch was provided by PaulFertser on the #openwrt
IRC.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit bf68826897)
HTTPS support is not provided by default.
Also fixed a mistakenly added ].
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit fdfe5a7607)