Maintainer: Florian Eckert @feckert
Compile tested: not needed
Run tested: x86_64
Description:
Only two of the four IPs defined for wan are found in wanb, adding it so it is the same.
Signed-off-by: Daniel A. Maierhofer <git@damadmai.at>
(cherry picked from commit 1e97156adc)
Sometimes the return value of `ubus -S call network.interface.wan status`
cause `json_load` to return `Failed to parse message data` error.
To avoid this, the JSON data always should be quoted with double quotes.
Signed-off-by: Evren Yurtesen <eyurtese@abo.fi>
Removed quoatation marks from commit heading
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Update the version string from 2.8.1 (master) to 2.7.15 (openwrt-19.07)
(cherry picked from commit 94e0c78826)
Add required libevent2-pthreads dependency for all ntpd
subpackages.
Remove keygen-specific libevent2-core support as it is
automatically selected by the libevent2-pthreads dependency.
nptd: Bump PKG_RELEASE
Fixes: openwrt/packages#10307
Signed-off-by: Kenneth J. Miller <ken@miller.ec>
(cherry picked from commit ded6468744)
* limit firewall hotplug trigger to certain wan 'INTERFACE' as well,
to prevent possible race conditions during boot
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 0dee2a92de)
Change deprecated options to a new one:
DetectBrokenExecutables to AlertBrokenExecutables
ArchiveBlockEncrypted to AlertEncrypted
Fixes: CVE-2019-12900 and CVE-2019-12625
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
- Migrated init-script to procd.
- Removed the old hotplug script as it is unnecessary and
caused long boot-times for r7800 and possibly others.
Signed-off-by: Christian Lachner <gladiac@gmail.com>
* fix a logical glitch in the hotplug event handler
* properly handle fatal iptables errors - even in subshells
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 49b43b81e8)
* more startup tweaks
* re-use f_log function in helper scripts
* small fixes / polish up for forthcoming 19.07 release
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 72fba3a17b)
* fix race condition in download utility detection during boot
* fix multiple possible bugs in ipset creation
* prevent parallel service starts
* refine service trigger handling
* add ssh daemon auto detection
* print to stdout if 'logger' is not available
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit fcea2f75c3)
* print to stdout if 'logger' is not available
* add support to set the service nice level (default is 0)
* small fixes / polish up for forthcoming 19.07 release
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 0d406b2a42)
* more startup tweaks
* re-use f_log function in helper scripts
* small fixes / polish up for forthcoming 19.07 release
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 2c3cb6f1d1)
This looks like something was not cherry-picked, or was cherry-picked
incorrectly. Those packages don't exist.
Warnings are:
```
WARNING: Makefile 'package/feeds/packages/seafile-seahub/Makefile' has a dependency on 'django-simple-captcha', which does not exist
WARNING: Makefile 'package/feeds/packages/seafile-seahub/Makefile' has a dependency on 'django-statici18n', which does not exist
WARNING: Makefile 'package/feeds/packages/seafile-seahub/Makefile' has a dependency on 'django-webpack-loader', which does not exist
```
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
- The old hotplug script caused long boot-times for r7800 and
possibly others. The new script is now only triggered by iface
changes for wan and lan interfaces.
Signed-off-by: Christian Lachner <gladiac@gmail.com>
This change also updates the maintainer email to cotequeiroz@gmail.com, as
requested on a different change.
Also, changing here is the download URL to github's codeload, since that
one offers .tar.gz archives.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry-picked from commit 545cff8b63)
The pillow package has been updated to the Python[3] packaging format, and
now the package names are `python-pillow` & `python3-pillow`.
This change updates seafile-seahub to use it.
Not updating other packages as they will be converted to Python[3]
packaging format.
And not bumping PKG_RELEASE here as it will be done in the last commit that
updates deps for seafile-seahub.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry-picked from commit cc33edc138)
This also updates all dependencies to use the new `python-django` package.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry-picked from commit f026dba26e)
seafile-seahub's build is a mess.
It hijacks some OpenWrt mk files into the build.
This can be avoided by provided some of the required parameters via
env-vars and patching the env-vars into the build.
Which is what this patch does.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry-picked from commit cf99755444)
The change is mostly organizational.
More packages will be moved to have python- or python3- prefixes.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
(cherry-picked from commit 1c5f5b61d3)
rtorrent is the only user of libtorrent. Statically link to save space.
Added usleep patch.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry-picked from 358495f118)
argp-standalone is only needed for non GLIBC targets.
Added PKG_BUILD_PARALLEL for faster compilation.
Removed unnecessary C/LDFLAGS.
Remove libstdcpp depends. It's included with libfmt.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry-picked from 5a7ac1d83b)
Fixes following errors:
main.c:458:37: error: comparison of integer expressions of different signedness: ‘int’ and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
main.c:463:17: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
main.c:518:35: error: comparison of integer expressions of different signedness: ‘ssize_t’ {aka ‘long int’} and ‘size_t’ {aka ‘long unsigned int’} [-Werror=sign-compare]
main.c:157:3: error: ignoring return value of ‘read’, declared with attribute warn_unused_result [-Werror=unused-result]
main.c:763:3: error: ignoring return value of ‘chdir’, declared with attribute warn_unused_result [-Werror=unused-result]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit bb6cdb804c)
Currently cgi-io try to read data after the data ended.
- Adds "-" to whitelist char
- In main_upload is tried to consume the buffer while it's already readed by the while loop before
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
(cherry picked from commit 535b2b6bd8)
Instead of always replying with a generic 500 internal server error code,
use more appropriate codes such as 403 to indicate denied permissions.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 8c22db6531)
Add a new `cgi-download` applet which allows to retrieve the contents
of regular files or block devices.
In order to initiate a transfer, a POST request in x-www-form-urlencoded
format must be sent to the applet, with one field "sessionid" holding
the login session and another field "path" containing the file path to
download.
Further optional fields are "filename" which - if present - will cause
the download applet to set a Content-Dispostition header and "mimetype"
which allows to let the applet respond with a specific type instead of
the default "application/octet-stream".
Below is an example for the required acl rules to grant download access
to files or block devices:
ubus call session grant '{
"ubus_rpc_session": "...",
"scope": "cgi-io",
"objects": [
[ "download", "read" ]
]
}'
ubus call session grant '{
"ubus_rpc_session": "...",
"scope": "file",
"objects": [
[ "/etc/config/*", "read" ],
[ "/dev/mtdblock*", "read" ]
]
}'
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit ab2a2b080d)
Use the `cgi-io` scope to check for permission to execute the requested
command (`upload`, `backup`) and the `file` scope to check path
permissions.
The reasoning of this change is that `cgi-io` is usually used in
conjunction with `rpcd-mod-file` to transfer large file data out
of band and `rpcd-mod-file` already uses the `file` scope to manage
file path access permissions. After this change, both `rpc-mod-file`
and `cgi-io` can share the same path acl rules.
Write access to a path can be granted by using an ubus call in the
following form:
ubus call session grant '{
"ubus_rpc_session": "...",
"scope": "file",
"objects": [
[ "/var/lib/uploads/*", "write" ]
]
}'
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit c8a86c8c8e)
Introduce further ACL checks to verify that the request-supplied
upload location may be written to. This prevents overwriting things
like /bin/busybox and allows to confine uploads to specific directories.
To setup the required ACLs, the following ubus command may be used
on the command line:
ubus call session grant '{
"ubus_rpc_session": "d41d8cd98f00b204e9800998ecf8427e",
"scope": "cgi-io",
"objects": [
[ "/etc/certificates/*", "write" ],
[ "/var/uploads/*", "write" ]
]
}'
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 22be9a1c01)
* the WAN auto detection now supports multiple interfaces, too
* no longer filter out possible LAN devices
* add a new DoH (DNS over HTTPS) blocklist source with public
DoH DNS server addresses, to effectively block client side DoH
communication, e.g. via Firefox or Chrome
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 70ab67649b)
* new 'ca-bundle' dependency as all https connections
are now validated by default
* automatically select the download utility: 'aria2', 'curl',
'uclient-fetch' with libustream-* or wget are supported
* track & ban failed LuCI login attempts as well
* add a small log/banIP background monitor to block
SSH/LuCI brute force attacks in realtime (disabled by default)
* add a config version check (please update your default config!)
* made the automatic wan detection more stable
* fix the IPv6 logfile parser
* fix the service status message
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit ff8b853a6d)
Add code blocks for easier reading and change "dns" to "DNS".
Signed-off-by: Claudius Ellsel <claudius.ellsel@live.de>
(cherry picked from commit 088a14e5ce)
This can be helpful for example in hotels where you need to
enter a new user/password combination every week.
Signed-off-by: Johannes Rothe <mail@johannes-rothe.de>
(cherry picked from commit a7f87f939d)
The double quote thells the shell that the list returned from `pidof` is a
single argument, therefore, `renice` will cry about a malformed input.
With this commit, `renice` will be applied correctly to all the returned PIDs
from `pidof`.
The output of `renice` for the quoted list is as follows:
`renice: invalid number '6592 6587 6586 6574'`
`renice` does not show and does apply the nice value if the list is unquoted.
Signed-off-by: Oever González <notengobattery@gmail.com>
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
(cherry-picked from c45974d0a3)
* revert to 4.9.x series (4.10 needs too many unofficial patches and has weird waf bugs)
* cleanup patches
* enable AD_DC build option again
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
(cherry-picked from 2f2a4bccd9)
The CONTRIBUTING.md requests an (or multiple) SPDX identifier for GPL
licenses. But a lot of packages did use a different, non-SPDX style with a
"+" at the end instead of "-or-later".
Signed-off-by: Sven Eckelmann <sven@narfation.org>
(cherry-picked from bbb1ea7345)
Fixes issue where CFLAGS were not being passed. This was breaking ASLR
builds.
Added PKG_BUILD_PARALLEL for faster compilation.
Added PKG_INSTALL. Changed install paths based on PKG_INSTALL paths.
Added --disable-debug to make sure debug code is disabled.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry-picked from 946dfed856)
On a Debian system without python3-distutils install, uwsgi-cgi was
failing to build because it couldn't import sysconfig from distutils.
OpenWrt packages should be using the OpenWrt python not the system
python. In addition we need to use python3 not python2, even when
both are available.
(cherry-pick c387d0923c from master)
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
We add the necessary Makefile, hotplug, config, and init bits
so that p910nd daemon runs as user:group p910nd:lp by default.
This eliminates an unnecessary root daemon.
The hotplug script sets the permissions of the USB lp
device(s) to read-write owner and group and no access to
anyone else, and sets owner root, group lp.
This is allows sufficient privileges to p910nd
to do it's job.
(cherry-pick 932c76fa74)
Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
* remove 'http-only' mode, all sources are now fetched from https sites
* the backup mode is now mandatory ('/tmp' is the default backup
directory), always create and re-use backups if available.
To force a re-download take the 'reload' action.
* support 'sshd' in addition to 'dropbear' for logfile parsing
to detect break-in events
* always update the black-/whitelist with logfile parsing results
in 'refresh' mode (no new downloads)
* rework the return code handling
* tweak procd trigger
* various small fixes
* (s)hellsheck cosmetics
* Change .*GPL.*+ licenses to SPDX compatible identifier
Signed-off-by: Dirk Brenken <dev@brenken.org>
* use raw procd interface trigger as last resort, if the
adblock config is not available during startup
* fix selective subdomain whitelisting for dnsmasq
* fix a kresd restart issue with 'DNS File Reset'
* fix a suspend/resume cornercase
* disable the tld compression, if the number of blocked domains
is greater than 'adb_maxtld' (default: 100000)
* made the fw portlist configurable (default '53 853 5353')
* preliminary support for inotify-like autoload features
of dns backends like kresd in future Turris OS. If 'adb_dnsinotify'
is set to 'true', all adblock related restarts and the
'DNS File Reset' will be disabled
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 45cb0e1023)
- Correct SPDX License Identifier
- Move MAINTAINER, SUBMENU to more appropriate place
- Use HTTPS in URL
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry-picked from commit e06086c4c)
* automatically add open uplinks to your wireless config,
e.g. hotel captive portals (disabled by default)
* shift net status check in a separate function
* (s)hellcheck cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 1d90509b03)
* fix the 'adb_sysver' output
* pass the adblock version information to the helper scripts correctly
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 161597f2fa)
* fix a dns restart issue if 'flush dns cache' is set
* fix a suspend/resume issue, the status wasn't properly updated
* fix a long standing query issue
* rework return code handling, mostly for debugging
* various cleanups & cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 95189994e7)
* background service: no longer miss "signal" events for the
dns backend (to trigger adblock)
* fix a dns backend reload issue during switch between
different blocking modes
* domain query: report found domains only once in
"null" blocking mode with IPv4 & IPv6 list entries
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 806f5ca9d8)
* fix a possible race condition during DNS file reset on slow hardware
* optimize DNS restart behaviour in 'null' blocking mode
* mute useless warnings
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 866878aa78)
* add support for 'DNS File Reset', where the final DNS blockfile
will be purged after DNS backend loading (save storage space).
A small background service will be started to trace/handle
dns backend reloads/restarts
* add support for the 'null' blocking variant in dnsmasq
(via addn-hosts), which may provide better response times
in dnsmasq
* enhance the report & search engine to support
the new blocking variants. Search now includes
backups & black-/whitelist as well
* compressed source list backups are now mandatory (default to '/tmp')
* speed up TLD compression
* E-Mail notification setup is now integrated in UCI/LuCI
* update the LuCI frontend to reflect all changes (separate PR)
* drop preliminary dnscrypt-proxy-support (use dnsmasq instead)
* drop additional 'dnsjail' blocklist support (not used by anyone)
* procd cleanups in init
* various shellcheck cleanups
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 504412ccdb)
This avoids copying /usr/include, unversioned *.so files, pkgconfig,
/usr/lib/*.la, and the build-time libs/cflags configuration utility
clamav-config.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry-picked from 815e05e38e)
If libxml2 is installed in the host, then the host library is used and
compilation fails.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry-picked from 199ccc9475)
