/etc/profile.d/50-openvpn-easy-rsa.sh was not listed as configfile
and changes were lost during upgrades.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
libseccomp can't be built on ARC, so we must disable the option here as
well. A different fix was first proposed by @zxlhhyccc in #15377.
Fixes: #15313
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Add patch fixing compilation without deprecated OpenSSL APIs.
Fix installation. This never worked as the section was misnamed.
Updated tool names.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
chacha20poly1305 is also an AEAD cipher, and hence does not
permit a hash algorithm.
Fixes issue #15397.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This patch prevents multiple cron jobs from being created to run the
safe-search-maintenance script.
To reproduce this bug, perform the following:
- Install safe-search
- Perform an OpenWRT firmware upgrade (choose to preserve user settings)
- Install safe-search again
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
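One way to avoid the duplicate cron job described above is to make the install step idempotent: append the entry only if an identical line is not already present. The following is an added example and not the safe-search package's own script; the crontab path is a parameter and the job line is constructed.

```shell
#!/bin/sh
# Added example, not the safe-search package's own install script: add a cron
# entry only if an identical line is not already there, so reinstalling the
# package after a sysupgrade that preserved the crontab does not duplicate it.

# cron_add_once FILE LINE: append LINE to FILE unless FILE already contains it
# as a whole line (-x) matched literally (-F). Returns 0 if added, 1 if present.
cron_add_once() {
    file="$1"
    line="$2"
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
    return 0
}

# cron_count FILE LINE: number of exact copies of LINE in FILE (0 if none)
cron_count() {
    grep -cxF -- "$2" "$1" || true
}

# Constructed job line for demonstration; the real schedule and path belong to
# the package, not to this example.
SAMPLE_JOB='0 3 * * * /usr/bin/safe-search-maintenance'
```

Calling `cron_add_once /etc/crontabs/root "$SAMPLE_JOB"` twice leaves exactly one copy; the return code tells the caller whether a cron reload is needed.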
The strongswan-libnttfft package should not select the strongswan
package, but should depend on it instead. Otherwise a circular
dependency is created.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Rework the bonding.sh protocol handler to accept slave interface names
encoded in uci list notation. Also replace ifconfig up/down with ip
link calls while we're at it.
Fixes: #11455
Fixes: https://github.com/openwrt/luci/issues/4473
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
MacOS ignores Bonjour services for which TXT records are not returned. This change forces the umdns service to return a TXT record (`daemon=ksmbd`) for the ksmbd service. The exact content is unimportant and to the best of my knowledge nothing reads the `daemon` tag.
Symptoms of the problem (which are also debugging steps):
* Finder refuses to open the OpenWRT "computer" in the Network list.
* Discovery.app (Bonjour Browser) lists the _ssh._tcp service, but the submenu for it doesn't unfold and no address is shown.
* `dns-sd -L OpenWrt _smb._tcp` doesn't return any address.
Signed-off-by: Kirill Nikolaev <cyril7@gmail.com>
This is a security fix, affecting 2.0.0 through to 2.0.9. Mosquitto instances
could be remotely DoS'd by authenticated clients.
Release notes at: https://github.com/eclipse/mosquitto/blob/v2.0.10/ChangeLog.txt
CVE number has not yet been assigned.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Prior to this commit, the acme service attempted to obtain certificates
once and then terminated, regardless of whether the certificate could be
obtained or not. This commit introduces a new uci option "retries" to
the "certificate" section. If this option is set to N, the acme service
will attempt to obtain the certificate up to N times before terminating.
There is a waiting pause between the retries to comply with the rate
limits of Let's Encrypt.
The waiting pause is:
- 2 minutes for staging certificates
- 24 minutes for production certificates
The current "Failed Validation" rate limits of Let's Encrypt are:
- staging: 60 per hour -> 1 failure every 1 minute on average.
- production: 5 per hour -> 1 failure every 12 minutes on average.
This means that we are within rate limits by a factor of two.
By default the option "retries" is set to "1", which means that acme
behaves as before by default. If the variable is set to "0", infinite
retries are performed.
This feature is helpful when you already want to initiate the
certificate request but are still waiting for your dns server to be
configured, your network to appear or other conditions.
Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
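The retry semantics above (1 = single attempt, 0 = retry forever, N = up to N attempts, with a 2 or 24 minute pause between attempts) can be written as a small shell loop. This is an added example and not the acme package's own run script; the attempt is any command passed as arguments, and `SLEEP_CMD` is an assumed hook so the loop can be exercised without waiting.

```shell
#!/bin/sh
# Added example, not the acme package's own run script: a retry loop with the
# pauses described in the commit message (2 min staging, 24 min production).
# Assumed interface: the attempt is any command passed as arguments; SLEEP_CMD
# can be overridden (e.g. SLEEP_CMD=:) so the loop can be exercised instantly.
SLEEP_CMD="${SLEEP_CMD:-sleep}"

# Pause between attempts in seconds, chosen so that the worst-case failure
# rate stays at half of the Let's Encrypt "Failed Validation" limit.
retry_pause() {
    if [ "$1" = "1" ]; then
        echo 120     # staging: limit is 60 failures/hour, we allow 30
    else
        echo 1440    # production: limit is 5 failures/hour, we allow 2.5
    fi
}

# issue_with_retries RETRIES STAGING CMD [ARGS...]
#   RETRIES  1 = single attempt (previous behaviour), 0 = retry forever,
#            N = give up after N failed attempts
#   STAGING  1 for the staging CA, 0 for production
# Returns 0 on the first successful attempt, otherwise the exit code of the
# last failed attempt, so callers can tell success from exhaustion.
issue_with_retries() {
    retries="$1"
    staging="$2"
    shift 2
    attempt=0
    while :; do
        attempt=$((attempt + 1))
        if "$@"; then
            return 0
        else
            rc=$?
        fi
        if [ "$retries" -ne 0 ] && [ "$attempt" -ge "$retries" ]; then
            return "$rc"
        fi
        "$SLEEP_CMD" "$(retry_pause "$staging")"
    done
}

# Constructed stand-in for the real certificate request: fails FAIL_COUNT
# times, then succeeds, and counts calls in ATTEMPTS so the loop can be checked.
ATTEMPTS=0
FAIL_COUNT=0
fake_issue_cert() {
    ATTEMPTS=$((ATTEMPTS + 1))
    [ "$ATTEMPTS" -gt "$FAIL_COUNT" ]
}
```

Running `SLEEP_CMD=: FAIL_COUNT=2; issue_with_retries 3 1 fake_issue_cert` succeeds on the third call, while `issue_with_retries 1 1 fake_issue_cert` gives up after one, matching the old behaviour.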
Before this commit, issue_cert always returned 1 no matter if uacme
returned 1, 2, 3, ... With this commit, the return code of the uacme
binary is propagated. Therefore the caller of issue_cert can
differentiate between "no renew necessary" and "an error occurred".
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
With this commit, the run-acme script can be included into other scripts
by setting INCLUDE_ONLY=1.
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
Derived from the ipsec initd script, with the following changes:
(1) various code improvements, corrections (get rid of left/right
updown scripts, since there's only one), etc;
(2) add reauth and fragmentation parameters;
(3) add x.509 certificate-based authentication;
and other minor changes.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
netifyd supports a '-F' filter option in 'bpf' notation to filter
packets from its consideration.
Add support for a uci 'filter' option. eg. filter to exclude SSDP
multicasts from a particularly noisy device:
option filter 'not (udp and dst 239.255.255.250 and dst port 1900 and src 192.168.1.5)'
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Even though it's only cosmetic and should not affect the function of a regular system,
fix the name of the IPKG_INSTROOT variable.
Typo was added long ago with 8400c9a6ec.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
Since v1.4.1, Xray has introduced a new feature to transfer data via
browsers, which can disguise itself as a normal browser to cheat
network censorship.
For more details, see https://github.com/XTLS/Xray-core/pull/421.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
If you shut down the ipsec service, and it doesn't clean up
/var/ipsec/ipsec.conf, then when you start the swanctl service it
might see an incompatible file on startup. Remedy is to
remove unneeded files when shutting down the service. They
can always be regenerated when the service starts again.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This commit adds a number of fixes to the OpenVPN up/down hotplug command
wrapper which currently fails to actually invoke user defined up and down
commands for uci configurations not using external native configurations.
- Use the `--setenv` to pass the user configured `up` and `down` commands
as `user_up` and `user_down` environment variables respectively
- Instead of attempting to scrape the `up` and `down` settings from the
(possibly generated) native OpenVPN configuration in
`/etc/hotplug.d/openvpn/01-user`, read them from the respective
environment variables instead
- Fix parsing of native configuration values in `get_openvpn_option()`;
first try to parse a given setting as single quoted value, then as
double quoted and finally as non-quoted, potentially white-space
escaped one. This ensures that `up '/bin/foo'` is interpreted as
`/bin/foo` and not `'/bin/foo'`
Ref: https://forum.openwrt.org/t/openvpn-up-down-configuration-ignored/91126
Supersedes: #15121, #15284
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
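The three-step parsing order described in the last bullet (single quoted, then double quoted, then bare with backslash-escaped whitespace) is shown below as an added example; it is not the OpenWrt openvpn package's own hotplug code. The function name and the sample config are assumptions of this example, and the config is read from stdin.

```shell
#!/bin/sh
# Added example, not the OpenWrt openvpn package's own hotplug code: an option
# reader that tries a single-quoted value, then a double-quoted one, then a
# bare (possibly backslash-escaped) value, so that "up '/bin/foo'" yields
# /bin/foo rather than '/bin/foo'. The function reads the config on stdin.

# get_openvpn_option OPTION < config
# Prints the first value of OPTION with quoting resolved; prints nothing if
# the option is absent. Comment lines (# or ;) are skipped.
get_openvpn_option() {
    awk -v opt="$1" -v sq="'" -v dq='"' '
        /^[ \t]*[#;]/ { next }
        $1 == opt {
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", line)          # drop the option name
            sub(/[ \t]+$/, "", line)                       # drop trailing blanks
            if (line ~ ("^" sq "[^" sq "]*" sq "$"))       # 1. single quoted
                line = substr(line, 2, length(line) - 2)
            else if (line ~ ("^" dq "[^" dq "]*" dq "$"))  # 2. double quoted
                line = substr(line, 2, length(line) - 2)
            else
                gsub(/\\ /, " ", line)                     # 3. bare, unescape "\ "
            print line
            exit
        }'
}

# Constructed sample of a generated native OpenVPN config (not from the page).
sample_config() {
    cat <<'EOF'
# constructed example config
client
dev tun
up '/bin/foo'
down "/etc/openvpn/down script.sh"
route-up /usr/lib/openvpn/route\ up.sh
script-security 2
EOF
}
```

With this, `sample_config | get_openvpn_option up` prints `/bin/foo`, and the backslash-escaped `route-up` path comes back with a real space in it.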
The `tmate` tool is a fork of `tmux` which allows remote access to a
device without setting up any port forwarding. This commit adds the
backend server which handles connections.
Signed-off-by: Paul Spooren <mail@aparcar.org>
These config files are only used by the ipsec interface to charon,
and shouldn't be part of the base package.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* rework the central iptables function to significantly
reduce the code complexity and the overall number of iptables calls
* check early and only once in the chain for ctstate NEW and
return otherwise (thanks @ldir-EDB0)
* made the whitelist ordering within the chain more flexible
Signed-off-by: Dirk Brenken <dev@brenken.org>
faster to compile.
A small selection of packages was tested going from:
Executed in 696.30 secs fish external
usr time 82.98 mins 395.00 micros 82.98 mins
sys time 9.02 mins 0.00 micros 9.02 mins
to:
Executed in 592.20 secs fish external
usr time 84.84 mins 361.00 micros 84.84 mins
sys time 8.85 mins 57.00 micros 8.85 mins
Tested by running make -j 12 and wiping staging/build_dir/target_x
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Having scripts diddle user written config files seems potentially
dangerous. Plus there's really no downside to including some
empty files. Best to just make the includes be permanent.
Additional feature suggested by Luiz: if a -opkg version of the
config file was created unnecessarily, remove it as part of the
upgrade process since changes won't be happening to that file
as an artifact of the service starting. The include lines are
now permanent, which means that (1) additional configuration
synthesized by UCI won't be anywhere that opkg (or sysupgrade,
for that matter) cares about since it won't be persistent, and
(2) if changes are being made, then they're being done by a
person with an editor and they really should be distinguished.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
It seems the command name output from netstat can be truncated in weird
ways, so let's get the binary name from /proc instead and use that for
matching which listener we have.
Fixes #15071.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
* fix another IPv4/IPv6 related iptables chain creation problem
* fix counter during ipset creation
* fix regex for debug counters
* fix ipset housekeeping for local sources
Signed-off-by: Dirk Brenken <dev@brenken.org>
Reorganize Makefile for consistency between packages.
Switch to AUTORELEASE for simplicity.
Switch to building with Ninja for faster compilation.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* add a restrictive "jail mode only" variant, just point your
jail directory to your primary dns directory
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Occasionally, mostly at startup, miniupnpd reports "Another app is
currently holding the xtables lock. Perhaps you want to use the -w
option?"
Take iptables' advice and wait up to 1 second before giving up.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Tmate is a fork of tmux. It provides an instant pairing solution.
For more details, see https://tmate.io.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Neither the configure option nor configure variable to disable linking
against PCRE seem to work anymore, so simply drop both and add a
dependency on libpcre. As net-snmp is unlikely to fit on devices with
small flash anyway, the extra size requirement shouldn't be a problem.
If it is, feel free to submit a patch to fix the broken upstream
behaviour.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
If the interface goes into failure state (is disconnecting)
then with this change one hotplug.d event is generated.
The same is true for the recovery state (is connecting), when the interface
comes back from a failure state.
In both cases, a hotplug.d event for the iface is triggered. Once
with the $ACTION=disconnecting and once for the $ACTION=connecting.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* refine the new dns resolving process
* add a caching mechanism for the resolved IPs, the detached name
lookup takes place only during 'restart' or 'reload' action, 'start'
and 'refresh' actions are using an auto-generated backup instead.
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
This is a bugfix release, with minor security fixes for outgoing bridge
connections and the client library.
Full details here: https://mosquitto.org/blog/2021/03/version-2-0-9-released/
Signed-off-by: Karl Palsson <karlp@etactica.com>
Add "wg_check_interfaces" and specify a timeout in the config file.
This allows unused wireguard-interfaces to be deleted automatically.
For example a cronjob can be installed that calls:
. /usr/share/wginstaller/wg_functions.sh && wg_check_interfaces
Signed-off-by: Nick Hainke <vincent@systemli.org>
* black- and whitelist now supporting domain names as well - the
corresponding IPs (IPv4 & IPv6) will be resolved in a detached
background process and added to the IPsets
Signed-off-by: Dirk Brenken <dev@brenken.org>
Major changes are:
ksmbd.control -s terminate ksmbd.mountd as well as kernel server.
Update configuration.txt and README.
Turn off smb2 leases by default again.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
While searching for the boost_system library in boost.m4, configure
tries to find boost_system-mt before boost_system. The presence of
boost_system-mt in the staging dir depends on
CONFIG_boost-use-name-tags. If it is not defined (default), and there
is a boost_system-mt library in the host system, it will be used, and
the build will fail.
This adds a patch to remove the host paths from the search loop,
preserving the rest of the detection logic.
Alternatively, boost_cv_lib_context_LIBS could be used to avoid library
detection code entirely, but then the mt- variant would never be used.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
The current default of hourly is too fast. Some services such as
DuckDuckGo return IPs from a pool based on the user's location instead
of a fixed IP address. This change prevents unnecessary writes to the
flash memory by only updating once per week.
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
* add adguard_tracking source (list with cname trackers)
* optimize/sort output of active sources in status
* optimize log output in EMails
Signed-off-by: Dirk Brenken <dev@brenken.org>
Switch to CMake + Ninja to fix parallel compilation.
Switched PKG_BUILD_DIR to use PKG_INSTALL_DIR for easier readability.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Wireguard has no link-local address on an interface automatically.
Add a link-local to the interface. The server has fe80::1/64 and
the client fe80::2/64.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Convert to using CMake in order to speed up compilation and to fix
compilation under glibc.
Add extra dependencies since they're now needed.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
After d18692c, we need to include nls.mk to setup correct
environment variables so that linking succeeds.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
remove AVX patches as upstream has integrated and closed
all AVX issues
compiled on : x86-64, i386 generic
tested on : x86-64 VM, i386 VM
Signed-off-by: Dirk Neukirchen <plntyk.lede@plntyk.name>
After d18692c, we need to include nls.mk to setup correct
environment variables so that linking succeeds.
Reported-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
After d18692c, we need to include nls.mk to setup correct
environment variables so that linking succeeds.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
By default, ping does a reverse DNS of the IP that you are pinging.
When you have a network issue (such as when a link has just gone down
and you haven't yet marked it down), this lookup can cause failures on
tests for links that are still good.
This option only works for iputils ping.
For busybox the option is not evaluated, but it is accepted without
throwing an error.
Fixes: #14968
Fixes: #14924
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Suggested-by: David Lang <david@lang.hm>
Add a missing dependency on Lua. Otherwise the script installing the
neighbor report can't be executed in case Lua is not installed on the
system.
Signed-off-by: David Bauer <mail@david-bauer.net>
* major source changes:
* split oisd.nl in basic and full variant
* add swedish regional list
* made archive categories for shallalist and utcapitole selectable
via LuCI
* made all list variants of energized and stevenblack selectable
via LuCI
* removed dns filereset mode
Signed-off-by: Dirk Brenken <dev@brenken.org>
If used with default paths, libdaq 2.x and libdaq 3.x will overwrite
some of the other version's files. Install them in different places to
avoid trouble.
Snort is the only package that uses libdaq, so update it at the same
time to avoid creating a failing commit.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
If used with default paths, libdaq 2.x and libdaq 3.x will overwrite
some of the other version's files. Install them in different places to
avoid trouble.
Snort is the only package that uses libdaq, so update it at the same
time to avoid creating a failing commit.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Add GO111MODULE=auto to GO_PKG_BUILD_VARS to allow the package to be
built in non-module mode.
Module-aware mode will be mandatory in the next golang release.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Add GO111MODULE=auto to GO_PKG_BUILD_VARS to allow the package to be
built in non-module mode.
Module-aware mode will be mandatory in the next golang release.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Quote NEWS item
> - Building the Linux kernel module from the OVS source tree is
> deprecated
> * Support for the Linux kernel is capped at version 5.8
> * Only bug fixes for the Linux OOT kernel module will be accepted.
> * The Linux kernel module will be fully removed from the OVS source
> tree
> in OVS branch 2.18
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Fixes spurious version bump done in 5c8fb42 and reported in #14815 and
switches source proto from git to codeload.
Upstream has changed daemon binary name to `/usr/sbin/mini-snmpd`.
Package and config/init script name stays unchanged.
Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
The crude loop I wrote to come up with this changeset:
find -L package/feeds/packages/ -name patches | \
sed 's/patches$/refresh/' | sort | xargs make
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
Major changes for version 3.3.5 are:
- Rename "streams" parameter to "vfs objects = streams_xattr".
- Enable smb2 leases by default.
- Ignore ksmbd.subauth creation failure.
- Fix bugs that related to guest ok = yes.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
* fix search string/pipe preparation for the background service
* fix IPSet maxelem limitation, made it more flexible
* fix potential error during resume action
* add Cisco Talos IP blacklist
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* add scanning for suspicious nginx events
* add a log counter to track the number of the failed requests
or login repetitions of the same ip in the log before banning,
defaults are: ssh (3), luci (3), nginx (5)
* optimize the background service handling
* add 'greensnow' as a new source
* update readme and LuCI frontend regarding the new log count options
Signed-off-by: Dirk Brenken <dev@brenken.org>
As suggested by others, I would like to take care of this tool. I am
developing certain tools that rely on the library and also owipcalc.
Signed-off-by: Nick Hainke <vincent@systemli.org>
This has been observed by myself and @luizluca: ip route get is
appending uid0 to the output, as seen from:
root@OpenWrt2:~# ip route get 1.1.1.1
1.1.1.1 via 174.27.160.1 dev eth3 src 174.27.182.184 uid 0
cache
root@OpenWrt2:~#
so the fix is an anchored match, discarding all else. Also, using
ip -o means never having to do multiline matches...
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
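The anchored-match idea above can be seen in a small parser for `ip -o route get` output. This is an added example, not the script the commit modifies; the sample lines are constructed from the output quoted in the commit (one without and one with the trailing `uid 0`), plus a constructed directly-connected route.

```shell
#!/bin/sh
# Added example, not the script the commit modifies: parse `ip -o route get`
# output with a pattern anchored on the destination/gateway/device/source
# fields and indifferent to whatever iproute2 appends afterwards ("uid 0").
# The sample lines are constructed from the output quoted in the commit.

ROUTE_OLD='1.1.1.1 via 174.27.160.1 dev eth3 src 174.27.182.184 \    cache '
ROUTE_NEW='1.1.1.1 via 174.27.160.1 dev eth3 src 174.27.182.184 uid 0 \    cache '
ROUTE_DIRECT='192.168.1.5 dev br-lan src 192.168.1.1 uid 0 \    cache '   # constructed, no gateway

# route_parse LINE: print "dst=... gw=... dev=... src=..." or nothing if the
# line does not look like a unicast route. The BRE is anchored at ^ and walks
# the fields in order; the final \( .*\)\{0,1\}$ swallows any trailer, so
# old and new iproute2 output parse identically.
route_parse() {
    printf '%s\n' "$1" | sed -n \
        's/^\([0-9.]\{1,\}\)\( via \([0-9.]\{1,\}\)\)\{0,1\} dev \([^ ]\{1,\}\) src \([0-9.]\{1,\}\)\( .*\)\{0,1\}$/dst=\1 gw=\3 dev=\4 src=\5/p'
}

# Single-field helpers built on route_parse
route_src() { route_parse "$1" | sed -n 's/.* src=\([^ ]*\)$/\1/p'; }
route_dev() { route_parse "$1" | sed -n 's/.* dev=\([^ ]*\) .*/\1/p'; }
```

Because nothing after the `src` address takes part in the match, a future iproute2 trailer will not break the extraction either; a line that is not a route (an RTNETLINK error, for instance) produces no output.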
Separate owipcalc in client and lib part. Owipcalc brings a lot of nice
functionality with it, e.g. parsing and calculating prefixes.
Signed-off-by: Nick Hainke <vincent@systemli.org>
The second one was manually modified as quilt gets confused by the ***
and ends up removing the commit description.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The previous list was very out of date.
An always up-to-date v1-compatible list is available at:
https://download.dnscrypt.info/dnscrypt-resolvers/v1/
Also use different default resolvers since the previous ones don't
exist any longer.
Signed-off-by: Frank Denis <github@pureftpd.org>
Variable ICONV_DEPENDS is specified in nls.mk which can be found in
OpenWrt main repository.
This fixes issue:
/foo/build/staging_dir/toolchain-arm_cortex-a9+vfpv3-d16_gcc-8.4.0_musl_eabi/lib/gcc/arm-openwrt-linux-muslgnueabi/8.4.0/../../../../arm-openwrt-linux-muslgnueabi/bin/ld: cannot find -liconv
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
The previous code was downloading the file v1.3.0, which is wrong, because in
the dl folder there might be some tarballs with that naming and they are
wrong as well.
This could lead to some issues like this:
Hash of the local file v1.3.0.tar.gz does not match (file: 87cf846b02dde6328b84832287d8725d91f12f41366eecb4d59eeda1d6c7efdf, requested: b94fba0251a4a436e25b127d0b9bc0181b991631f1dc8e344b1c8e895b55375d) - deleting download.
However, if you tried it on the SDK or a minimal build with a
small number of packages, you most likely wouldn't encounter it.
The correct solution is to download files with their name and version.
E.g. nebula-version.tar.gz as it is in PKG_SOURCE variable now.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
The latest version of xray-core made a change to support FullCone NAT,
which would break UDP connections from the v2ray-core backend server.
So add the option for v2ray-core users, to make sure UDP works
as expected.
Signed-off-by: Tianling Shen <cnsztl@project-openwrt.eu.org>
The SVN-based version has not changed in years. Many distros use this
fork as evident here: https://github.com/streambinder/vpnc/issues/14
Compile tested against GnuTLS and OpenSSL on ramips target.
Fixes #14119.
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
Add a hotplug.d-extension that automatically configures babeld for
meshing via wireguard interfaces.
It checks for "add" and "remove" of a wireguard interface with name
"wg_*". Depending on the action, it removes it from the babeld config
or adds the interface and reloads babeld.
Signed-off-by: Nick Hainke <vincent@systemli.org>