Even it's only cosmetic and should not affect the function of regular system,
fix the name of the IPKG_INSTROOT variable.
Typo was added long ago with 8400c9a6ec.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
Since v1.4.1, Xray has introduced a new feature to transfer data via
browsers, which can disguise itself as a normal browser to cheat
network censorship.
For more details, see https://github.com/XTLS/Xray-core/pull/421.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
If you shutdown ipsec service, and it doesn't clean up
/var/ipsec/ipsec.conf, then when you start swanctl service it
might see an incompatible file on startup. Remedy is to
remove unneeded files when shutting down the service. They
can always be regenerated when the service starts again.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This commit adds a number of fixes to the OpenVPN up/down hotplug command
wrapper which currently fails to actually invoke user defined up and down
commands for uci configurations not using external native configurations.
- Use the `--setenv` to pass the user configured `up` and `down` commands
as `user_up` and `user_down` environment variables respectively
- Instead of attempting to scrape the `up` and `down` settings from the
(possibly generated) native OpenVPN configuration in
`/etc/hotplug.d/openvpn/01-user`, read them from the respective
environment variables instead
- Fix parsing of native configuration values in `get_openvpn_option()`;
first try to parse a given setting as single quoted value, then as
double quoted and finally as non-quoted, potentially white-space
escaped one. This ensures that `up '/bin/foo'` is interpreted as
`/bin/foo` and not `'/bin/foo'`
Ref: https://forum.openwrt.org/t/openvpn-up-down-configuration-ignored/91126
Supersedes: #15121, #15284
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The `tmate` tool is a fork of `tmux` which allows remote access to a
device without setting up any port forwarding. This commits adds the
backend server which handles connections.
Signed-off-by: Paul Spooren <mail@aparcar.org>
These config files are only used by the ipsec interface to charon,
and shouldn't be part of the base package.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* rework the central iptables function to significantly
reduce the code complexity and the overall number of iptables calls
* check early and only once in the chain for ctstate NEW and
return otherwise (thanks @ldir-EDB0)
* made the whitelist ordering within the chain more flexible
Signed-off-by: Dirk Brenken <dev@brenken.org>
faster to compile.
A small selection of packages was tested going from:
Executed in 696.30 secs fish external
usr time 82.98 mins 395.00 micros 82.98 mins
sys time 9.02 mins 0.00 micros 9.02 mins
to:
Executed in 592.20 secs fish external
usr time 84.84 mins 361.00 micros 84.84 mins
sys time 8.85 mins 57.00 micros 8.85 mins
Tested by running make -j 12 and wiping staging/build_dir/target_x
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Having scripts diddle user written config files seems potentially
dangerous. Plus there's really no downside to including some
empty files. Best to just make the includes be permanent.
Additional feature suggested by Luiz: if a -opkg version of the
config file was created unnecessarily, remove it as part of the
upgrade process since changes won't be happening to that file
as an artifact of the service starting. The include lines are
now permanent, which means that (1) additional configuration
synthesized by UCI won't be anywhere that opkg (or sysupgrade,
for that matter) cares about since it won't be persistent, and
(2) if changes are being made, then they're being done by a
person with an editor and they really should be distinguished.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
It seems the command name output from netstat can be truncated in weird
ways, so let's get the binary name from /proc instead and use that for
matching which listener we have.
Fixes#15071.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
* fix another IPv4/IPv6 related iptables chain creation problem
* fix counter during ipset creation
* fix regex for debug counters
* fix ipset housekeeping for local sources
Signed-off-by: Dirk Brenken <dev@brenken.org>
Reorganize Makefile for consistency between packages.
Switch to AUTORELEASE for simplicity.
Switch to building with Ninja for faster compilation.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* add a restrictive "jail mode only" variant, just point your
jail directory to your primary dns directory
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Occasionally, mostly at startup, miniupnpd reports "Another app is
currently holding the xtables lock. Perhaps you want to use the -w
option?"
Take iptables' advice and wait up to 1 second before giving up.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Tmate is a fork of tmux. It provides an instant pairing solution.
For more details, see https://tmate.io.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Neither the configure option nor configure variable to disable linking
against PCRE seem to work anymore, so simply drop both and add a
dependency on libpcre. As net-snmp is unlikely to fit on devices with
small flash anyway, the extra size requirement shouldn't be a problem.
If it is, feel free to submit a patch to fix the broken upstream
behaviour.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
If the interface goes into failure state (is disconnecting)
then with this change one hotplug.d event is generated.
The same is true for the recovery state (is connecting), when the interface
comes back from a failure state.
In both cases, a hotplug.d event for the iface is triggered. Once
with the $ACTION=disconnecting and once for the $ACTION=connecting.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* refine the new dns resolving process
* add a caching mechanism for the resolved IPs, the detached name
lookup takes place only during 'restart' or 'reload' action, 'start'
and 'refresh' actions are using an auto-generated backup instead.
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
This is a bugfix release, with minor security fixes for outgoing bridge
connections and the client library.
Full details here: https://mosquitto.org/blog/2021/03/version-2-0-9-released/
Signed-off-by: Karl Palsson <karlp@etactica.com>
Add "wg_check_interfaces" and specify a timeout in the config file.
This allows to delete not used wireguard-interfaces automatically.
For example a cronjob can be installed that calls:
. /usr/share/wginstaller/wg_functions.sh && wg_check_interfaces
Signed-off-by: Nick Hainke <vincent@systemli.org>
* black- and whitelist now supporting domain names as well - the
corresponding IPs (IPv4 & IPv6) will be resolved in a detached
background process and added to the IPsets
Signed-off-by: Dirk Brenken <dev@brenken.org>
Major change are:
ksmbd.control -s terminate ksmbd.mountd as well as kernel server.
Update configuration.txt and README.
Turn off smb2 leases by default again.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
While searching for the boost_system library in boost.m4, configure
tries to find boost_system-mt before boost_system. The presence of
boost_system-mt in the staging dir depends on
CONFIG_boost-use-name-tags. If it is not defined (default), and there
is a boost_system-mt library in the host system, it will be used, and
the build will fail.
This adds a patch to remove the host paths from the search loop,
preserving the rest of the detection logic.
Alternatively, boost_cv_lib_context_LIBS could be used to avoid library
detection code entirely, but then the mt- variant would never be used.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
The current default of hourly is too fast. Some services such as
DuckDuckGo return IPs from a pool based on the user's location instead
of a fixed IP address. This change prevents unnecessary writes to the
flash memory by only updating once per week.
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
* add adguard_tracking source (list with cname trackers)
* optimize/sort output of active sources in status
* optimize log output in EMails
Signed-off-by: Dirk Brenken <dev@brenken.org>
Switch to CMake + Ninja to fix parallel compilation.
Switched PKG_BUILD_DIR to use PKG_INSTALL_DIR for easier readability.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Wireguard has no link-local address on an interface automatically.
Add a link-local to the interface. The server has fe80::1/64 and
the client fe80::2/64.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Convert to using CMake in order to speed up compilation and to fix
compilation under glibc.
Add extra dependencies since they're now needed.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
After d18692c, we need to include nls.mk to setup correct
environment variables so that linking succeeds.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
remove AVX patches as upstream has integrated and closed
all AVX issues
compiled on : x86-64, i386 generic
tested on : x86-64 VM, i386 VM
Signed-off-by: Dirk Neukirchen <plntyk.lede@plntyk.name>
After d18692c, we need to include nls.mk to setup correct
environment variables so that linking succeeds.
Reported-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
After d18692c, we need to include nls.mk to setup correct
environment variables so that linking succeeds.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
By default, ping does a reverse DNS of the IP that you are pinging.
When you have a network issue (such as when a link has just gone down
and you haven't yet marked it down), this lookup can cause failures on
tests for links that are still good.
This option only works for iputils ping.
For busybox the option is not evaluated, but it is accepted without
throwing an error.
Fixes: #14968Fixes: #14924
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Suggested-by: David Lang <david@lang.hm>
Add a missing dependency on Lua. Otherwise the script installing the
neighbor report can't be executed in case Lua is not installed on the
system.
Signed-off-by: David Bauer <mail@david-bauer.net>
* major source changes:
* split oisd.nl in basic and full variant
* add swedish regional list
* made archive categories for shallalist and utcapitole selectable
via LuCI
* made all list variants of energized and stevenblack selectable
via LuCI
* removed dns filereset mode
Signed-off-by: Dirk Brenken <dev@brenken.org>
If used with default paths, libdaq 2.x and libdaq 3.x will overwrite
some of the other version's files. Install them in different places to
avoid trouble.
Snort is the only package that uses libdaq, so update it at the same
time to avoid creating a failing commit.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
If used with default paths, libdaq 2.x and libdaq 3.x will overwrite
some of the other version's files. Install them in different places to
avoid trouble.
Snort is the only package that uses libdaq, so update it at the same
time to avoid creating a failing commit.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Add GO111MODULE=auto to GO_PKG_BUILD_VARS to allow the package to be
built in non-module mode.
Module-aware mode will be mandatory in the next golang release.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Add GO111MODULE=auto to GO_PKG_BUILD_VARS to allow the package to be
built in non-module mode.
Module-aware mode will be mandatory in the next golang release.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Quote NEWS item
> - Building the Linux kernel module from the OVS source tree is
> deprecated
> * Support for the Linux kernel is capped at version 5.8
> * Only bug fixes for the Linux OOT kernel module will be accepted.
> * The Linux kernel module will be fully removed from the OVS source
> tree
> in OVS branch 2.18
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Fixes spurious version bump done in 5c8fb42 and reported in #14815 and
switches source proto from git to codeload.
Upstream has changed daemon binary name to `/usr/sbin/mini-snmpd`.
Package and config/init script name stays unchanged.
Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
The crude loop I wrote to come up with this changeset:
find -L package/feeds/packages/ -name patches | \
sed 's/patches$/refresh/' | sort | xargs make
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
Major changes for version 3.3.5 are:
- Rename "streams" parameter to "vfs objects = streams_xattr".
- Enable smb2 leases by default.
- Ignore ksmbd.subauth creation failure.
- Fix bugs that related to guest ok = yes.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
* fix search string/pipe preparation for the background service
* fix IPSet maxelem limitation, made it more flexible
* fix potential error during resume action
* add Cisco Talos IP blacklist
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* add scanning for suspicious nginx events
* add a log counter to track the number of the failed requests
or login repetitions of the same ip in the log before banning,
defaults are: ssh (3), luci (3), nginx (5)
* optimize the background service handling
* add 'greensnow' as a new source
* update readme and LuCI frontend regarding the new log count options
Signed-off-by: Dirk Brenken <dev@brenken.org>
As suggested by others, I would like to take care of this tool. I am
developing certain tools that rely on the library and also owipcalc.
Signed-off-by: Nick Hainke <vincent@systemli.org>
This has been observed by myself and @luizluca: ip route get is
appending uid0 to the output, as seen from:
root@OpenWrt2:~# ip route get 1.1.1.1
1.1.1.1 via 174.27.160.1 dev eth3 src 174.27.182.184 uid 0
cache
root@OpenWrt2:~#
so the fix is an anchored match, discarding all else. Also, using
ip -o means never having to do multiline matches...
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Separate owipcalc in client and lib part. Owipcalc brings a lot of nice
functionality with it, e.g. parsing and calculating prefixes.
Signed-off-by: Nick Hainke <vincent@systemli.org>
The second one was manually modified as quilt gets confused by the ***
and ends up removing the commit description.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The previous list was very out of date.
An always up-to-date v1-compatible list is available at:
https://download.dnscrypt.info/dnscrypt-resolvers/v1/
Also use different default resolvers since the previous ones don't
exist any longer.
Signed-off-by: Frank Denis <github@pureftpd.org>
Variable ICONV_DEPENDS is specified in nls.mk which can be found in
OpenWrt main repository.
This fixes issue:
/foo/build/staging_dir/toolchain-arm_cortex-a9+vfpv3-d16_gcc-8.4.0_musl_eabi/lib/gcc/arm-openwrt-linux-muslgnueabi/8.4.0/../../../../arm-openwrt-linux-muslgnueabi/bin/ld: cannot find -liconv
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Previous code was downloading file v1.3.0, which is wrong, because in
the dl folder there might be some tarballs with that naming and they are
wrong as well.
This could lead to some issues like this:
Hash of the local file v1.3.0.tar.gz does not match (file: 87cf846b02dde6328b84832287d8725d91f12f41366eecb4d59eeda1d6c7efdf, requested: b94fba0251a4a436e25b127d0b9bc0181b991631f1dc8e344b1c8e895b55375d) - deleting download.
Even though, if you tried it on SDK or minimal build when there is a
small number of packages, you most likely don't encounter it.
The correct solution is to download files with their name and version.
E.g. nebula-version.tar.gz as it is in PKG_SOURCE variable now.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Latest version of xray-core made a change to support FullCone NAT,
which would break UDP connection from v2ray-core backend server.
So added the option for v2ray-core users, to make sure UDP works
as expected.
Signed-off-by: Tianling Shen <cnsztl@project-openwrt.eu.org>
The SVN-based version has not changed in years. Many distros use this
fork as evident here: https://github.com/streambinder/vpnc/issues/14
Compile tested against GnuTLS and OpenSSL on ramips target.
Fixes#14119.
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
Add a hotplug.d-extension that automatically configures babeld for
meshing via wireguard interfaces.
It checks for "add" and "remove" of a wireguard interface with name
"wg_*". Depending on the action, it removes it from the babeld config
or adds the interface and reloads babeld.
Signed-off-by: Nick Hainke <vincent@systemli.org>
* add 'ban_extrasources' to handle banIP-unrelated sets for reporting
and queries
* add set timeouts for local sources (maclist, whitelist, blacklist)
Signed-off-by: Dirk Brenken <dev@brenken.org>
This tool can be used to automatically create wireguard tunnels. Using
rpcd a new wireguard interface is created on the server where the client
can connect to.
Wiregurad server automatically installs a user and associated ACL to use
the wireguard-installer-server features. The user is called wginstaller
and so is the password.
Get Usage:
wg-client-installer get_usage --ip 127.0.0.1 --user wginstaller
--password wginstaller
Register Interface:
wg-client-installer register --ip 127.0.0.1 --user wginstaller
--password wginstaller --bandwidth 10 --mtu 1400
Signed-off-by: Nick Hainke <vincent@systemli.org>
Not including an A record mapping will cause nsupdate to balk at
CNAME and MX records (and probably SRV as well) because the target
will be unknown at the time of parsing, until the lease gets
activated.
We need these RR's to be in place well before the servers even
come up.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Microsoft Windows, Xbox and possibly other operating systems do not
support IGDv2. With IGDv2 enabled, they send a HTTP GET request for
rootDesc.xml and WANIPCn.xml, and then nothing happens. The Microsoft
implementation probably doesn't like the WANIPCn.xml response and
decides UPnP is not available. When miniupnpd is built without IGDv2
support, after the 2 HTTP GET requests, there is a HTTP POST request to
/ctl/IPConn, and miniupnpd configures the port forward as expected.
The runtime option force_igd_desc_v1=yes (UCI: igvd1) does not solve
this problem. It's possible this was enough in earlier miniupnpd
versions, but it does not fix the problem the current version.
Since we are a modern distro, we want to support the latest and
greatest, so we should default to IGDv2 enabled. Introducing a
menuconfig option to disable IGDv2 would only help people who build
their own images, so offer a separate package variant for IGDv1.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* major rewrite
* add support for multiple chains
* add mac whitelisting
* add support for multiple ssh daemons in parallel
* add an ipset report engine
* add mail notifications
* add suspend/resume functions
* add a cron wrapper to set an ipset related auto-timer for
automatic blocklist updates
* add a list wrapper to add/remove blocklist sources
* add 19.x and Turris OS 5.x compatibility code
* sources stored in an external compressed json file
(/etc/banip/banip.sources.gz)
* change Country/ASN download sources (faster/more reliable)
* fix DHCPv6/icmpv6 issues
Signed-off-by: Dirk Brenken <dev@brenken.org>
Fix starting problem:
Starting function should be named 'start_service' instead of 'start_instance'.
Fix reloading problem:
Register reload tigger for uci config itself.
And, xray does not support reload currently, so use legacy restart as reload.
Fixes: 6c9b96352f ("xray-core: add init script")
Signed-off-by: Tianling Shen <cnsztl@project-openwrt.eu.org>
Major changes are:
add "vfs objects = acl_xattr" parameter in configuration.
fix wrong group domain name in lsarpc response.
set to SID_TYPE_UNKNOWN if there is no domain sid in server.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The iputils build system embeds git tags into the generated binaries
for use by commands like ping -V. Since openwrt packaging is done in
a different repository from the upstream repo, the tags it finds
aren't particularly meaningful, and we get confusing results like
those described at https://github.com/openwrt/packages/issues/13920
This change removes the git tag inspection in favor of the static
version string that's already known to the upstream build system.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
Drop obsolete patches
- 001-no-tests.patch
- 002-fix-cross-compilation.patch
Move several user-executable binaries from /usr/sbin to /usr/bin per
upstream.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
Current implementation of socat's init service doesn't allow to run more
complex configurations. As an example there's no possibility to execute
following command:
socat TCP-LISTEN:8080,fork,reuseaddr,bind=192.168.1.1 \
EXEC:"/sbin/ip netns exec somenetns socat STDIO TCP:10.0.0.1:80"
In such command the first line is argv[1] and the second line is
argv[2]. SocatOptions config option is a string. As as a consequence of
this each word will be passed as a separate argv element. Socat won't be
able to parse arguments correctly.
In order to mitigate this issue, we can also accept SocatOptions as a
list of strings. Following config file will work correctly:
config socat 'tunnel_8080_into_somenetns'
option enable '1'
list SocatOptions 'TCP-LISTEN:8080,fork,reuseaddr,bind=192.168.1.1'
list SocatOptions 'EXEC:"/sbin/ip netns exec somenetns socat STDIO TCP:10.0.0.1:80"'
While we're at it, pass stdout and stderr into logread.
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
* The default local-adress makes Netopeer2-server listen on ipv4 only.
We change it to :: in order to listen on ipv6 as well as ipv4.
Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
* fix for possible exploit #13758
* sanetize all external template/config inputs
* fix some shellcheck warnings
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
I checked the hostname for existing DNS A and AAAA entries and these
ones didn't have an entry.
Signed-off-by: Gerald Hansen <gerald.hansen@cloud.ionos.com>
As the default uclient-fetch doesn't support authentication header
and the ddns provider myonlineportal.net support also username and
passwort as url parameter this can be changed.
Signed-off-by: Gerald Hansen <gerald.hansen@cloud.ionos.com>
add eoip package,this can create ethernet
tunnels compatible with Mikrotik EoIP tunnel.
At current moment it is easiest way
to create stateless tunnel with Mikrotik.
Signed-off-by: Bogdan Shatik <bogdikxxx@mail.ru>
In IPv4 the default route can be written as
0.0.0.0/0
In IPv6 the default route can be written as
::/0
If u try
owipcalc 0.0.0.0/0 contains 1.1.1.1
or
owipcalc ::/0 contains ::1
owipcalc will respond with 0 meaning that the "default prefixes" do not
contain the routes.
That is why we check now for 0 prefix.
Furthermore, if the prefix is 0, i will be 16. We will access a negative
array entry in the line:
uint8_t net1 = x->s6_addr[15-i] & m;
Divide by % 16 to prevent i becoming 16:
uint8_t i = ((128 - a->prefix) / 8) % 16;
Signed-off-by: Nick Hainke <vincent@systemli.org>
This is a helpful utility, but it does not have any dependencies
in base repository. Move it to packages feed.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This is a helpful utility, but it does not have any dependencies
in base repository. Move it to packages feed.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Some users have reported that reloading dnsmasq does not always work. It
sometimes stop responding to DNS lookup requests after being reloaded.
This patch changes "safe-search-maintenance" so that it restarts dnsmasq
instead of reloading it.
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
Ensure that the best available IP is always used for all supported
safe-search providers. This is accomplished by periodically checking
DNS for the most recent list of IP addresses associated with each
provider.
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
Start after named is running.
Add support for "cname", "domain", "mxhost", and "srvhost" configs.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* update to version 1.19.6
* remove default configuration files and documentation as
they are in the package `nginx-util`.
* do not install a `/etc/nginx/nginx.conf` file.
* use the dynamic `/etc/nginx/uci.conf` if the symlink (to
`/var/lib/nginx/uci.conf`) is not dead after calling
`nginx-util init_lan` (else try `/etc/nginx/nginx.conf`)
* replace nginx package by a dummy depending on `nginx-ssl`;
the dummies will be removed after a transition period.
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
