Since we no longer need to edit the service and serive_ipv6 files during
installation, the preinst and postinst script can be removed. They are
not needed anymore.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
From my point of view there are several reasons why this uci default
script should be deleted.
- This script is no longer maintained and there was no significant
change since the old stable release openwrt-18.06.
- The script is installed with every additional package. Which is kind
of funny. It would be better to maintain a separate uci default upgrade
script for each package. So uci default tasks that are no longer needed
can simply be deleted without having to watch and test the whole script.
- The script is also not so easy to maintain, because the code is not
easy to read.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Stan Grishin <stangri@melmac.net>
shellchecked
Signed-off-by: Stan Grishin <stangri@melmac.net>
shellchecked
Signed-off-by: Stan Grishin <stangri@melmac.net>
- new package dependency: curl (plus one of the wpad variants)
- optional package dependencies:
- 'msmtp' for email notification support
- 'wireguard' or 'openvpn' for vpn support
- removed WEP support, only WPA/WPA2/WPA3 are supported!
- new, more robust setup wizard (CLI and LuCI)
- more robust captive portal detection
- randomize mac addresses with every uplink connect
- automatic vpn handling during uplink switch (only classic/simple
client-setups for wireguard or openvpn are supported)
- email notifications after successful uplink connections
- automatically disable uplinks after n minutes, e.g. for timed
connections
- automatically (re-)enable uplinks after n minutes, e.g. after failed
login attempts
- complete LuCI rewrite - migrated to client side JS (separate PR)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Don't build the sntp binary and libevent2-pthread dependency unless
ntp-utils is selected.
Re-add ntp-keygen dependency libevent2-core.
Fixes openwrt#10307
Signed-off-by: Kenneth J. Miller <ken@miller.ec>
With openwrt/openwrt@51ec51871f one can
now use user/group names instead of numeric uid/gid in FILE_MODES.
Make use of that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Apart from adapting to upstream changes also switch to use FILE_MODES
instead of chown/chmod in init-script.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* update to 4.12.6
* fix optional modules not included on module build (vfs_btrfs, vfs_linux_xfs_sgid)
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
Change URL to codeload. It redirects to it anyway. I was getting a 404
error with the original. I couldn't figure it out.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
- remove patch that has been included upstream
- remove dependence on resolveip
- remove hotplug script that is handled by "proto_add_host_dependency"
- use openfortivpn default tunnel ip if none specified
- add status checking with uclient-fetch
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
If a daemon listens on multiple addresses at once, it'll show up multiple
times in get_listeners() which will clobber the config for uhttpd. Fix this
by skipping subsequent handlings of the same daemon binary.
Fixes #13325.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Update to 40.89.244.237 which is the new IP address that duckduckgo.com is using for safe-search.
Signed-off-by: Greg Dietsche <gregory.dietsche@cuw.edu>
The creation of the dummy package nginx creates some problem with dependency detection for the all-module variant. Reorganize the dependency and compile nginx before the sub-variant.
Fixes #13275
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Canonical radtest start results in an error:
$ radtest bob hello localhost 0 testing123
/usr/bin/radtest: line 1: hostname: not found
(0) Error parsing "stdin": Failed to get value
hostname command is not present in OpenWrt.
Instead, hostname can be obtained from file /proc/sys/kernel/hostname.
added: 004-get-hostname-from-proc-in-radtest.patch
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
radtest utility is used in many manuals to check the operation of
radius server.
At the moment all parameters must be specified at startup, for example:
$ radtest bob hello localhost 0 testing123 0 localhost
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
Support for kernel 4.14 has been removed in main repo, so drop the
dependencies here as well (and those for even older 4.9).
Also drop a patch that is required only for 4.14 and lower.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Since support for kernel 4.14 has been removed, kmod-sched-cake-oot
is gone, and the kmod-sched-cake-virtual package is not needed
anymore.
This effectively reverts 9114244fbd ("sqm-scripts: Switch sch_cake
dependency to new virtual package")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This also removes PKG_BUILD_PARALLEL:=0 that was added for packages that
use HOST_PYTHON3_PACKAGE_BUILD_DEPENDS.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This commit allows for UCI configuration of the "left=" and the
"mark=" values in a StrongSwan IPSec connection. This improves
VTI support and allows certain stricter connection scenarios.
Signed-off-by: Michael C. Bazarewsky <github@bazstuff.com>
openconnect may emit following error logs every minute when negotiating
with deployments forbidding usage of dtls
Thu Aug 27 04:11:59 2020 daemon.notice openconnect[12024]: DTLS handshake failed: Error in the push function.
Thu Aug 27 04:11:59 2020 daemon.notice openconnect[12024]: (Is a firewall preventing you from sending UDP packets?)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Required by ovn-ctl for stopping ovn ovsdb instances
This utility was introduced since 20.03.0 after the project was
maintained in its own repo
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Package libcurl is missing dependencies for the following libraries:
libzstd.so.1
Previous patch by Hans Dedecker <dedeckeh@gmail.com> took the easy way
out :)
Suggested-by: Syrone Wong <wong.syrone@gmail.com>
Signed-off-by: Tony Butler <spudz76@gmail.com>
[fixed title]
Signed-off-by: Paul Spooren <mail@aparcar.org>
Instead of using mbedtls by default use wolfssl. We now integrate
wolfssl in the default build so use it also as default ssl library for
curl.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Backport a commit from upstream curl to fix a problem in configure with
wolfssl.
checking size of time_t... configure: error: cannot determine a size for time_t
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Move package over from openwrt.git based on the Hamburg 2019 decision
that non essential packages should be maintained in packages.git
Signed-off-by: Paul Spooren <mail@aparcar.org>
Several security issues are addressed:
- CVE-2020-8620 It was possible to trigger an assertion failure by sending
a specially crafted large TCP DNS message.
- CVE-2020-8621 named could crash after failing an assertion check in
certain query resolution scenarios where QNAME minimization and
forwarding were both enabled. To prevent such crashes, QNAME minimization is
now always disabled for a given query resolution process, if forwarders are
used at any point.
- CVE-2020-8622 It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
- CVE-2020-8623 When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code determining the
number of bits in the PKCS#11 RSA public key with a specially crafted
packet.
- CVE-2020-8624 update-policy rules of type subdomain were incorrectly
treated as zonesub rules, which allowed keys used in subdomain rules to
update names outside of the specified subdomains. The problem was fixed by
making sure subdomain rules are again processed as described in the ARM.
Full release notes are available at
https://ftp.isc.org/isc/bind9/9.16.6/doc/arm/html/notes.html#notes-for-bind-9-16-6
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
Drops pid files, no longer needed with procd management.
Now properly reloads on reload_config after UCI changes.
Signed-off-by: Karl Palsson <karlp@etactica.com>
[ Fixed two shellcheck warnings and bump PKG_RELEASE ]
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
The openfortivpn routes are a bit different than the standard ppp
routes so we need to handle them with a custom ppp-up script.
Gateway should not be set, and src should be set to the PPP local ip
address.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
fakepop is a fake pop3 daemon. It returns always the same messages to all users, it does not care about usernames and passwords. All user/pass combinations are accepted.
Signed-off-by: Marc Egerton <foxtrot@realloc.me>
Includes:
- dawn_uci: fix crashing when uci config is received
- tcpsocket: add option to add server ip
A new config option allows to add a server ip
    option server_ip '10.0.0.2'
However, this server does not send anything back. Therefore it is not
possible to change the node configuration. This will probably be added
soon. The main goal of this commit is to allow monitoring of all nodes
in a network with DAWN, e.g. clients, channel utilization, ...
Also a network option (3) has been added which allows to use TCP but
not to announce your daemon in the broadcast domain. This allows you to
create a monitor-only node that holds only the local information and
forwards it to the central server.
A monitor-only node could be configured like
    option server_ip '10.0.0.1'
    option tcp_port '1026'
    option network_option '3'
Another possible config is
    option server_ip '10.0.0.1'
    option tcp_port '1026'
    option network_option '2'
Here, the node shares information with a central server, which can be
located outside the broadcast domain. Nevertheless, it also shares
information within its broadcast domain and can therefore perform
client steering.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Security release. From the changelog:
- In some circumstances, Mosquitto could leak memory when handling PUBLISH
messages. This is limited to incoming QoS 2 messages, and is related
to the combination of the broker having persistence enabled, a clean
session=false client, which was connected prior to the broker restarting,
then has reconnected and has now sent messages at a sufficiently high rate
that the incoming queue at the broker has filled up and hence messages are
being dropped. This is more likely to have an effect where
max_queued_messages is a small value. This has now been fixed. Closes
https://github.com/eclipse/mosquitto/issues/1793
Changelog: https://mosquitto.org/blog/2020/08/version-1-6-12-released/
Signed-off-by: Karl Palsson <karlp@etactica.com>
This patch makes it possible to configure and limit per-client internet
speed based on MAC address and it can work with SQM.
This feature is what OpenWRT currently lacks. This patch is largely based
on static.sh and the configuration file is similar to original nft-qos.
New configuration options and examples are listed below
config default 'default'
    option limit_mac_enable '1'
config client
    option drunit 'kbytes'
    option urunit 'kbytes'
    option hostname 'tv-box'
    option macaddr 'AB:CD:EF:01:23:45'
    option drate '1000'
    option urate '50'
config client
    option drunit 'kbytes'
    option urunit 'kbytes'
    option hostname 'my-pc'
    option macaddr 'AB:CD:EF:01:23:46'
    option drate '3000'
    option urate '2000'
limit_mac_enable - enable rate limit based on MAC address
drunit - download rate unit
urunit - upload rate unit
macaddr - client MAC address
drate - download rate
urate - upload rate
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
improve startup and runtime performance by
1) moving common startup procedures out of hotplug script when called
from mwan3 start
2) reducing calls to iptables to check status of rules
3) consolidating iptables updates and updating with iptables-restore
4) do not wait for kill if nothing was killed
5) running interface hotplug scripts in parallel
6) eliminate operations in hotplug script that check status on every
single interface unnecessarily
7) consolidate how mwan3track makes hotplug calls
8) do not restart mwan3track on connected events
This is a significant refactor, but should not result in any breaking
changes or require users to update their configurations.
version bump to 2.9.0
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
In hash-checking mode[1], pip will verify downloaded package archives
(source tarballs in our case) against known SHA256 hashes before
installing the packages.
As a consequence, this requires the use of requirements files[2] and
pinning packages to known versions.
The syntax for package Makefiles has changed slightly;
HOST_PYTHON3_PACKAGE_BUILD_DEPENDS no longer accepts requirement
specifiers like "foo>=1.0", only requirements file names (which are the
same as package names in the most common case).
This also updates affected packages, in particular:
* python-zipp: "setuptools_scm[toml]" has been split into
"setuptools-scm toml" to reuse the requirements file for
setuptools-scm (the extra depends installed by "setuptools_scm[toml]"
is toml).
* python-pycparser: This previously used ply 3.10, whereas the
requirements file will now install 3.11.
[1]: https://pip.pypa.io/en/stable/reference/pip_install/#hash-checking-mode
[2]: https://pip.pypa.io/en/stable/user_guide/#requirements-files
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
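
The constraint this commit message describes (every requirement pinned with `==` and carrying a SHA256 hash, archives checked before install) can be sketched as follows. This is an added example, not code from pip or from the OpenWrt packages repository; the parser is a simplified stand-in that only understands `name==version` lines with `--hash=sha256:` options, and the archive bytes, hash and file content are constructed for the illustration.

```python
import hashlib
import re

# Constructed bytes standing in for a downloaded source tarball.
SAMPLE_ARCHIVE = b"constructed sdist bytes for ply 3.11"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()

# Constructed requirements file in the shape hash-checking mode expects.
SAMPLE_REQUIREMENTS = f"""\
# ply requirements (constructed)
ply==3.11 \\
    --hash=sha256:{SAMPLE_SHA256}
"""

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)$")
HASH_RE = re.compile(r"^--hash=sha256:([0-9a-f]{64})$")


def parse_requirements(text):
    """Return {name: (version, {sha256, ...})}.

    Raises ValueError for entries that hash-checking mode would refuse:
    anything not pinned with '==' (e.g. "foo>=1.0") or lacking a hash.
    """
    joined = re.sub(r"\\\s*\n", " ", text)  # join backslash continuations
    pinned = {}
    for raw in joined.splitlines():
        line = raw.split(" #")[0].strip()
        if not line or line.startswith("#"):
            continue
        spec, *options = line.split()
        pin = PIN_RE.match(spec)
        if not pin:
            raise ValueError(f"not pinned with ==: {spec!r}")
        hashes = set()
        for opt in options:
            found = HASH_RE.match(opt)
            if not found:
                raise ValueError(f"unsupported option: {opt!r}")
            hashes.add(found.group(1))
        if not hashes:
            raise ValueError(f"no sha256 hash for {spec!r}")
        pinned[pin.group(1).lower()] = (pin.group(2), hashes)
    return pinned


def archive_is_trusted(pinned, name, version, archive_bytes):
    """True only if name==version is pinned and the archive digest matches."""
    entry = pinned.get(name.lower())
    if entry is None or entry[0] != version:
        return False
    return hashlib.sha256(archive_bytes).hexdigest() in entry[1]
```
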
Setup user database if non-existent, configure uhttpd .php interpreter
and patch php scripts to work out-of-the-box.
Also ship Hotspot 2.0 SPP and OMA DM XML schema/DTD files needed at
run-time for both client and server.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
use only committed uci changes for updating routing table
use functions.sh functions rather than uci command line tool
to find interfaces for routing table.
consolidate rtmon_ipv4 and rtmon_ipv6 functions into a single function
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Add hs20-server and hs20-client packages corresponding to the
hs20/client and hs20/server folder in hostap.git.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* remove 'dshield' and 'sysctl' (discontinued)
* switch 'malwaredomains', 'shallalist' and 'winhelp' to https
* add a second regional list for poland (provided by matx1002)
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Signed-off-by: Dirk Brenken <dev@brenken.org>
Fix shellcheck SC2230
> which is non-standard. Use builtin 'command -v' instead.
Once applied to everything concerning OpenWrt we can disable the busybox
feature `which` and save 3.8kB.
Signed-off-by: Paul Spooren <mail@aparcar.org>
GCC10 defaults to -fno-common, which breaks compilation when there are
multiple definitions of implicit "extern" variables. Remove the extra
definitions.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
From CHANGES_2.4:
SECURITY: CVE-2020-11984 (cve.mitre.org)
mod_proxy_uwsgi: Malicious request may result in information disclosure
or RCE of existing file on the server running under a malicious process
environment. [Yann Ylavic]
SECURITY: CVE-2020-11993 (cve.mitre.org)
mod_http2: when throttling connection requests, log statements
were possibly made that result in concurrent, unsafe use of
a memory pool. [Stefan Eissing]
SECURITY:
mod_http2: a specially crafted value for the 'Cache-Digest' header
request would result in a crash when the server actually tries
to HTTP/2 PUSH a resource afterwards.
[Stefan Eissing, Eric Covener, Christophe Jaillet]
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
test_storage: fix compilation with musl 1.2.0
datastorage/test: improve scalability and performance
datastorage: fixed use of wrong client search
general: add memory auditing
memory auditing: bug fixes to memory auditing and hearing map
datastorage: fixes to linked list handling
tcpsocket: fix read callback function and arbitrary memory allocations
tcpsocket: leave loop if we read 0 byte
Furthermore, you can now dump the memory usage by sending a SIGHUP to
dawn process.
Signed-off-by: Nick Hainke <vincent@systemli.org>
This fixes misleading errors in the status file, and increases buffer
sizes to match the python implementation.
Signed-off-by: Karl Palsson <karlp@etactica.com>
At the moment ss-server seems to be the only component using these two
options. It also accepts "local_address" of either ip4 or ip6 address,
but the meaning is different from that of ss-local, ss-tunnel etc.
where it is for listen bind
With this commit, we start deprecation process of uci option
"bind_address". The name was replaced with "local_addr" in upstream
project commit 5fa98a66 ("Fix #1911") and available as json config
option "local_address". This upstream change was released in 3.2.0
Link: 4a42da641b
Link: https://github.com/openwrt/packages/issues/12931
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Config files
/etc/freeradius3/policy.d/accounting
/etc/freeradius3/policy.d/filter
/etc/freeradius3/proxy.conf
/etc/freeradius3/sites-available/default
and link
/etc/freeradius3/sites-enabled/default
are in the freeradius3 package and are mentioned in the main config file
/etc/freeradius3/radiusd.conf
Thus, they must be explicitly specified in the Makefile.
File
/etc/freeradius3/sites/default
is not included in the package, is not created during installation,
is not mentioned in the main config file and should therefore be excluded
from the Makefile.
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
netifd is clever enough to handle the peerdns and default route
arguments, so we can just let them get passed along, and when
ppp-up invokes proto_send_update, netifd will only apply what
is needed
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Do not manually overwrite the paths of gdbus-codegen or glib-mkenums
in the ModemManager package build, as modifying the configure.ac ends
up requiring a full autoreconf.
Since MM 1.14, git builds or autoreconf-ed source package builds
require autoconf-archive installed in the build system, and so the
build would fail if this happens.
The update to overwrite the paths was to force using the gdbus-codegen
and glib-mkenums provided by the "host" glib2 package instead of the
"target" glib2 package (see fa8ad6e69c),
but these tools are really the same in both as they're python
programs, arch independent.
Tested in a local build where the setup detects and uses the correct
glib tool paths from the target:
/home/user/openwrt/staging_dir/target-mips_24kc_musl/usr/bin/gdbus-codegen
/home/user/openwrt/staging_dir/target-mips_24kc_musl/usr/bin/glib-mkenums
Fixes https://github.com/openwrt/packages/issues/12958
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>