Besides updating the package to 1.20.1, this commit removed two patches
that the new release made unnecessary.
Signed-off-by: W. Michael Petullo <mike@flyn.org>
* Use Boolean true for enable inline mode which is more intuitive that older ''
* Add skeleton section for openappid since it has been merged[1]
1. 2d4e7d5fd3
Signed-off-by: John Audia <therealgraysky@proton.me>
Use UCI to add temporary incoming firewall rule to accept http traffic for
challenge verification.
This should make uacme compatible with OpenWrt's fw3/4 implementation.
Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
This prevents a forwarding server named like ::1@5453 from being added
to unbound.conf as a forward-host instead of the correct forward-addr.
forward-host requires the name to be resolved, which is impossible in
the absence of another nameserver. Thus, forwarding-only configurations
referencing only the IPv6 loopback address with a port number were
broken.
Signed-off-by: Mark Mentovai <mark@mentovai.com>
This is a fix for the the following change:
3d824ea288
Before the change, it was only possible to execute a shell script. To
remove this restriction, a binary or other script language can now also
be used for 'mwan3.user'. Unfortunately, the old shell script was not
executable for older mwan3 version. During a sysupgrade with config transfer,
this 'mwan3.user' script could not be executed for newer mwan3 versions.
To fix this, the calling script checks whether the 'mwan3.user' is executable,
and if not, this executable bit is now set.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Quoting the changelog:
Changes in version 0.4.7.12 - 2022-12-06
This version contains a major change that is a new key for moria1. Also, new
metrics are exported on the MetricsPort for the congestion control
subsystem.
o Directory authority changes (moria1):
- Rotate the relay identity key and v3 identity key for moria1. They
have been online for more than a decade and refreshing keys
periodically is good practice. Advertise new ports too, to avoid
confusion. Closes ticket 40722.
o Minor feature (Congestion control metrics):
- Add additional metricsport relay metrics for congestion control.
Closes ticket 40724.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on December 06, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/12/06.
o Minor bugfixes (cpuworker, relay):
- Fix an off by one overload calculation on the number of CPUs being
used by our thread pool. Fixes bug 40719; bugfix on 0.3.5.1-alpha.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Quoting the changelog:
Changes in version 0.4.7.11 - 2022-11-10
This version contains several major fixes aimed at helping defend against
network denial of service. It is also extending drastically the MetricsPort
for relays to help us gather more internal data to investigate performance
and attacks.
We strongly recommend to upgrade to this version especially for Exit relays
in order to help the network defend against this ongoing DDoS.
o Directory authority changes (dizum, Faravahar):
- Change dizum IP address. Closes ticket 40687.
- Remove Faravahar until its operator, Sina, set it back up online
outside of Team Cymru network. Closes ticket 40688.
o Major bugfixes (geoip data):
- IPFire informed us on August 12th that databases generated after
(including) August 10th did not have proper ARIN network
allocations. We are updating the database to use the one generated
on August 9th, 2022. Fixes bug 40658; bugfix on 0.4.5.13.
o Major bugfixes (onion service):
- Set a much higher circuit build timeout for opened client rendezvous
circuit. Before this, tor would time them out very quickly leading to
unnecessary retries meaning more load on the network. Fixes bug 40694;
bugfix on 0.3.5.1-alpha.
o Major bugfixes (OSX):
- Fix coarse-time computation on Apple platforms (like Mac M1) where
the Mach absolute time ticks do not correspond directly to
nanoseconds. Previously, we computed our shift value wrong, which
led us to give incorrect timing results. Fixes bug 40684; bugfix
on 0.3.3.1-alpha.
o Major bugfixes (relay):
- Improve security of our DNS cache by randomly clipping the TTL
value. TROVE-2021-009. Fixes bug 40674; bugfix on 0.3.5.1-alpha.
o Minor feature (Mac and iOS build):
- Change how combine_libs works on Darwin like platforms to make
sure we don't include any `__.SYMDEF` and `__.SYMDEF SORTED`
symbols on the archive before we repack and run ${RANLIB} on the
archive. This fixes a build issue with recent Xcode versions on
Mac Silicon and iOS. Closes ticket 40683.
o Minor feature (metrics):
- Add various congestion control counters to the MetricsPort. Closes
ticket 40708.
o Minor feature (performance):
- Bump the maximum amount of CPU that can be used from 16 to 128. Note
that NumCPUs torrc option overrides this hardcoded maximum. Fixes bug
40703; bugfix on 0.3.5.1-alpha.
o Minor feature (relay):
- Make an hardcoded value for the maximum of per CPU tasks into a
consensus parameter.
- Two new consensus parameters are added to control the wait time in
queue of the onionskins. One of them is the torrc
MaxOnionQueueDelay options which supersedes the consensus
parameter. Closes ticket 40704.
o Minor feature (relay, DoS):
- Apply circuit creation anti-DoS defenses if the outbound circuit
max cell queue size is reached too many times. This introduces two
new consensus parameters to control the queue size limit and
number of times allowed to go over that limit. Closes ticket 40680.
o Minor feature (relay, metrics):
- Add DoS defenses counter to MetricsPort.
- Add congestion control RTT reset counter to MetricsPort.
- Add counters to the MetricsPort how many connections, per type,
are currently opened and how many were created.
- Add relay flags from the consensus to the MetricsPort.
- Add total number of opened circuits to MetricsPort.
- Add total number of streams seen by an Exit to the MetricsPort.
- Add traffic stats as in number of read/written bytes in total.
- Related to ticket 40194.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on November 10, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/11/10.
o Minor bugfixes (authorities, sandbox):
- Allow to write file my-consensus-<flavor-name> to disk when
sandbox is activated. Fixes bug 40663; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (dirauth):
- Directory authorities stop voting a consensus "Measured" weight
for relays with the Authority flag. Now these relays will be
considered unmeasured, which should reserve their bandwidth for
their dir auth role and minimize distractions from other roles. In
place of the "Measured" weight, they now include a
"MeasuredButAuthority" weight (not used by anything) so the
bandwidth authority's opinion on this relay can be recorded for
posterity. Lastly, remove the AuthDirDontVoteOnDirAuthBandwidth
torrc option which never worked right. Fixes bugs 40698 and 40700;
bugfix on 0.4.7.2-alpha.
o Minor bugfixes (onion service client):
- A collapsing onion service circuit should be seen as an
"unreachable" error so it can be retried. Fixes bug 40692; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (onion service):
- Make the service retry a rendezvous if the circuit is being
repurposed for measurements. Fixes bug 40696; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (relay overload statistics):
- Count total create cells vs dropped create cells properly, when
assessing if our fraction of dropped cells is too high. We only
count non-client circuits in the denominator, but we would include
client circuits in the numerator, leading to surprising log lines
claiming that we had dropped more than 100% of incoming create
cells. Fixes bug 40673; bugfix on 0.4.7.1-alpha.
o Code simplification and refactoring (bridges):
- Remove unused code related to ExtPort connection ID. Fixes bug
40648; bugfix on 0.3.5.1-alpha.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Now that we're packaging flent itself, there's no reason to have a
completely separate flent-tools package. So integrate the flent-tools
package specification into the main flent package so it's always kept in
sync.
Also add a dependency from flent itself on flent-tools, as the shell
versions of those utilities that Flent uses when running tests doesn't work
on the busybox shell included with openwrt.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Update the Flent package and move it to net/, renaming it to just 'flent'
instead of python3-flent (it's not a library, having the python3- prefix
makes no sense). Also add python3-defusedxml as a dependency to protect
against XML bombs if using the one of the backends that use XML-RPC, and
trim the dependencies to those used directly by Flent.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Traditionally, Snort rules are based upon packet analysis. OpenAppID
enables detection of applications/cloud applications on the network.
This package provides OpenAppID and signature files used by OpenAppID to detect
network traffic from certain applications can be used to identify rogue
application use, detect malicious applications and implement various
application policies, such as application blacklisting, limiting application
usage, and enforcing conditional controls.
To use, for example, edit /etc/snort/local.lua and add the following section
at a minimum:
appid = {
app_detector_dir = '/usr/lib/openappid',
log_stats = true,
app_stats_period = 60,
}
Signed-off-by: John Audia <therealgraysky@proton.me>
The haproxy hotplug script creates a 'combined' certificate bundle that
contains both the certificate chain and the private key. However, having a
daemon hotplug script write into CERT_DIR is not great; so let's provide
the bundle as part of the main acme framework, keeping it in $domain_dir
and just linking it into CERT_DIR. That way we can keep CERT_DIR as just a
collection of links for everything, that no consumers should need to write
into.
Also make sure to set the umask correctly so the combined file is not
world-readable (since it contains the private key).
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
The acme-acmesh package hardcoded the certificate path in its hook script.
Now that we export it as a variable we can avoid hard-coding and use the
variable version instead. Also factor out the linking of certificates into
a function so it's not repeated.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
The contract between the acme-common framework and consumers and hook
scripts is that certificates can be consumed from /etc/ssl/acme and that
web challenges are stored in /var/run/acme/challenge. Make this explicit by
exporting $CERT_DIR and $CHALLENGE_DIR as environment variables as well,
instead of having knowledge of those paths depend on out-of-band
information. We already exported $challenge_dir, but let's change it to
upper-case to make it clear that it's not a user configuration variable.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
state_dir is actually a hardcoded value in conffiles. Allowing users to
customize it could result in losing certificates after upgrading if they
don't also specify the dir as being preserved. We shouldn't default to
this dangerous behavior.
With the new ACME package, certificates live in the standard location
/etc/ssl/acme, users who need to do certificate customizations should
look for them in that dir instead.
Signed-off-by: Glen Huang <i@glenhuang.com>
