Update the Flent package and move it to net/, renaming it to just 'flent'
instead of python3-flent (it's not a library, having the python3- prefix
makes no sense). Also add python3-defusedxml as a dependency to protect
against XML bombs if using one of the backends that use XML-RPC, and
trim the dependencies to those used directly by Flent.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Traditionally, Snort rules are based upon packet analysis. OpenAppID
enables detection of applications/cloud applications on the network.
This package provides OpenAppID and the signature files used by OpenAppID to detect
network traffic from certain applications. It can be used to identify rogue
application use, detect malicious applications and implement various
application policies, such as application blacklisting, limiting application
usage, and enforcing conditional controls.
To use, for example, edit /etc/snort/local.lua and add the following section
at a minimum:
```
appid = {
    app_detector_dir = '/usr/lib/openappid',
    log_stats = true,
    app_stats_period = 60,
}
```
Signed-off-by: John Audia <therealgraysky@proton.me>
The haproxy hotplug script creates a 'combined' certificate bundle that
contains both the certificate chain and the private key. However, having a
daemon hotplug script write into CERT_DIR is not great; so let's provide
the bundle as part of the main acme framework, keeping it in $domain_dir
and just linking it into CERT_DIR. That way we can keep CERT_DIR as just a
collection of links for everything, that no consumers should need to write
into.
Also make sure to set the umask correctly so the combined file is not
world-readable (since it contains the private key).
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
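As an added example, not the acme-common framework's or the haproxy hotplug script's own code, the POSIX shell sketch below shows the pattern the commit describes: the combined chain+key bundle is written inside the per-domain directory under a restrictive umask, the CERT_DIR-like directory only receives a symlink, and a check confirms the bundle carries no group/other permission bits. The directory layout, file names and PEM contents are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the acme-common project's own code.
# Assumed layout: $domain_dir holds fullchain.pem and key.pem;
# $cert_dir is a CERT_DIR-like directory that should contain links only.

# Write <domain_dir>/<name> = chain + key with mode 0600, then link it
# from <cert_dir>. The umask is restored afterwards so other files
# created by the caller keep their usual permissions.
make_combined_bundle() {
    domain_dir="$1"
    cert_dir="$2"
    name="$3"

    old_umask=$(umask)
    umask 077                       # new file gets 0600, never world-readable
    rm -f "$domain_dir/$name"       # umask does not tighten an existing file
    cat "$domain_dir/fullchain.pem" "$domain_dir/key.pem" > "$domain_dir/$name"
    umask "$old_umask"

    mkdir -p "$cert_dir"
    ln -sf "$domain_dir/$name" "$cert_dir/$name"   # CERT_DIR stays a link collection
}

# Return 0 if the file has no group/other permission bits
# (columns 5-10 of `ls -l` read "------").
bundle_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample data so the example runs stand-alone.
setup_sample() {
    mkdir -p "$1/example.org"
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n' \
        > "$1/example.org/fullchain.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n' \
        > "$1/example.org/key.pem"
}

tmp=$(mktemp -d)
setup_sample "$tmp"
make_combined_bundle "$tmp/example.org" "$tmp/certs" example.org.combined.pem
if bundle_is_private "$tmp/example.org/example.org.combined.pem"; then
    echo "bundle is private: $(ls -l "$tmp/certs/example.org.combined.pem")"
else
    echo "bundle is world-readable!" >&2
fi
rm -rf "$tmp"
```

The `rm -f` before the `cat` matters: a umask only constrains files being created, so a bundle left over from an earlier run with looser permissions would otherwise keep them.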
The acme-acmesh package hardcoded the certificate path in its hook script.
Now that we export it as a variable we can avoid hard-coding and use the
variable version instead. Also factor out the linking of certificates into
a function so it's not repeated.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
The contract between the acme-common framework and consumers and hook
scripts is that certificates can be consumed from /etc/ssl/acme and that
web challenges are stored in /var/run/acme/challenge. Make this explicit by
exporting $CERT_DIR and $CHALLENGE_DIR as environment variables as well,
instead of having knowledge of those paths depend on out-of-band
information. We already exported $challenge_dir, but let's change it to
upper-case to make it clear that it's not a user configuration variable.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
state_dir is actually a hardcoded value in conffiles. Allowing users to
customize it could result in losing certificates after upgrading if they
don't also specify the dir as being preserved. We shouldn't default to
this dangerous behavior.
With the new ACME package, certificates live in the standard location
/etc/ssl/acme, users who need to do certificate customizations should
look for them in that dir instead.
Signed-off-by: Glen Huang <i@glenhuang.com>
Replace my own patch with the upstream solution, which they issued
in response to my bug report.
(Two patches as they overlooked something on the first try.
Reference to https://savannah.gnu.org/bugs/index.php?63431)
The nettle lib evaluation is now conditional on not having "--disable-ntlm".
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
- Improved logging
- Log the executed curl command to be able to rerun and test it manually
- Log the curl exit status
- Added a 30-second timeout for clear-cut detection of flaky connections.
Signed-off-by: Pyry Kontio <pyry.kontio@drasa.eu>
The implementation uses a GCP service account. The user is expected to
create and secure a service account and generate a private key. The
"password" field can contain the key inline or be a file path pointing
to the key file on the router.
The GCP project name and Cloud DNS ManagedZone must also be provided.
These are taken as form-urlencoded key-value pairs in param_enc. The TTL
can optionally be supplied in param_opt.
Signed-off-by: Chris Barrick <chrisbarrick@google.com>
Fix the indentation of the preinst/postinst scripts for the privoxy
package.
Because these scripts didn't start with `#!/bin/sh`
(they instead started with the TAB character), `/bin/sh` was not used
to start them.
On x86_64 and i386_pentium-mmx, this seems to be fine, but on
arm_cortex-a15_neon-vfpv4 and aarch64_cortex-a53, running these
scripts fails with a:
```
Installing privoxy (3.0.33-3) to root...
Collected errors:
* pkg_run_script: package "privoxy" preinst script returned status 1.
* preinst_configure: Aborting installation of privoxy.
* opkg_install_cmd: Cannot install package privoxy.
```
Reported-by: Marius Dinu <m95d+git@psihoexpert.ro>
Signed-off-by: Alois Klink <alois@aloisklink.com>
* add mdns records for started instances
* Makefile: use $(PKG_VERSION) as a value for PKG_SOURCE_DATE instead of
hard-coding it
Signed-off-by: Stan Grishin <stangri@melmac.ca>
This commit adds /etc/snort/local.lua and /etc/snort/homenet.lua for user
defined config options which is more simplistic than modifying upstream
files directly. That can be tedious and decisive to maintain in sync with
upstream changes. The init script has been adjusted accordingly.
Acknowledgment to amish who maintains the Arch Linux snort-nfqueue package[1]
for these ideas and initial code.
Another modification is dropping the following args in the call to
/usr/bin/snort by the init system as these options are provided in
/etc/snort/local.lua:
* --daq-dir /usr/lib/daq/
* -A "$alert_module"
Instructions to configure snort3:
1. Edit /etc/snort/homenet.lua and redefine HOME_NET and EXTERNAL_NET, for example:
HOME_NET = [[ 10.9.8.0/24 192.168.1.0/24 ]]
EXTERNAL_NET = "!$HOME_NET"
2. Edit /etc/snort/local.lua to set up options unique to your use case of snort.
The default ones I included should be sane for the role of IDS (alert only),
but users may easily uncomment some options therein to use IPS (drop) mode.
3. Install or symlink rules to /etc/snort/rules/snort.rules and optionally
edit /etc/snort/local.lua to define extra rules files if not using a unified
'snort.rules'
References:
1. https://aur.archlinux.org/packages/snort-nfqueue
Signed-off-by: John Audia <therealgraysky@proton.me>
The original idea of the extra namespace variable was to set up
bpfcountd from other daemons etc. independent of what a user configured
in /etc/config/bpfcountd for instance. Like:
$ UCI_CONFIG_DIR=/var/run/bpfcountd/gluon-config \
/etc/init.d/bpfcountd start "" gluon
However there are still issues with this approach:
1) Instance specific stop calls like:
$ /etc/init.d/bpfcountd stop <instance-name> <namespace>
will not stop the corresponding namespaced instance, as the stop() in
/etc/rc.common will call procd_kill() without the namespace prefix.
And we can't overwrite that behaviour. And asking a user to use
"... start <in> <ns>" and "... stop <ns>.<in>" is confusing.
(and currently "... stop <ns>.<in>" would not remove the correct
unix socket).
2) A stop call without an instance/config name would always stop all
instances. So the namespace variable would be ignored.
While start without an instance "works", but:
3) It would stop any process that is not in the currently selected
UCI_CONFIG_DIR.
As all this is not easily fixable without changing OpenWrt internals,
just remove the whole namespace idea for now.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Had to add a patch to allow builds of targets containing '+' in their dir name
Build system: x86_64
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B
Signed-off-by: John Audia <therealgraysky@proton.me>
NATMap is a program for opening a port behind a full-cone NAT (NAT-1),
without the need for UPnP or other port-forwarding settings.
More details can be found at original repo: https://github.com/heiher/natmap
Signed-off-by: Richard Yu <yurichard3839@gmail.com>
Changes in version v2.4.1 - 2022-12-01
- Issue 40224: Bug fix in utls roundtripper
Changes in version v2.4.0 - 2022-11-29
- Fix proxy command line help output
- Issue 40123: Reduce multicast DNS candidates
- Add ICE ephemeral ports range setting
- Reformat using Go 1.19
- Update CI tests to include latest and minimum Go versions
- Issue 40184: Use fixed unit for bandwidth logging
- Update gorilla/websocket to v1.5.0
- Issue 40175: Server performance improvements
- Issue 40183: Change snowflake proxy log verbosity
- Issue 40117: Display proxy NAT type in logs
- Issue 40198: Add an `orport-srcaddr` server transport option
- Add gofmt output to CI test
- Issue 40185: Change bandwidth type from int to int64 to prevent overflow
- Add version output support to snowflake
- Issue 40229: Change regexes for ipv6 addresses to catch url-encoded addresses
- Issue 40220: Close stale connections in standalone proxy
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* The makefile produces the nft and iptables capable `pbr` package
and the `pbr-iptables` package for legacy setups
* This replaces `vpnbypass` and `vpn-policy-routing` packages
* I'm soliciting feedback on this package and my intention is to
update the version to 1.0.0 before this is merged, but I need the
feedback on this and luci-app-pbr before then.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
bpfcountd was created to obtain packet statistics in larger networks
without stressing the cpu resources. bpfcountd will count the number
of packets and bytes over time (for each defined rule). The rules
are defined using the tcpdump filter syntax (bpf). The collected
data is provided on a unix socket in plaintext.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Maintainer: @neheb (find it by checking history of the package Makefile)
Compile tested: aarch64/ipq8074
Run tested: aarch64/ipq8074
Description: stubby: bump to latest 0.4.2
Signed-off-by: Rudy Andram <rmandrad@gmail.com>
* store all error/warning messages with the error text id so that
they can be made localizable for the luci app
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Update wget to 1.21.3
* Remove patch 100-fix-hsts-time.patch as upstream has issued
its own version of the fixes
* Add a hack (and fixup autoreconf) to fix an upstream bug that
forces the nettle library into nossl even if NTLM is disabled.
Upstream bug filed: https://savannah.gnu.org/bugs/?63431
* Remove old maintainer who has not been active
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
* instead of doing stop/start which involves restarting dnsmasq twice,
kill the existing service instances on restart instead
Signed-off-by: Stan Grishin <stangri@melmac.ca>
It may take a long time waiting for a new tag, so backport these
important bug fixes for now.
While at it, added 3 new options provided by upstream, and deprecated
the usage of `$(AUTORELEASE)`.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
The github repository has been archived; the project is now hosted on
Codeberg. Update the PKG_SOURCE_URL accordingly.
Gitea doesn't seem to add a version suffix to the directory in the
tarball, so use a custom PKG_BUILD_DIR.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* introduce the new curl_max_file_size option
* prevent warnings/errors from being displayed each time the load_environment
is invoked
* better organize dl_command appendixes
* implement support for downloading/using external dnsmasq config file
* refactor adb_check and adb_allow for better readability
* update default values for some options in the uci_load_validate call
* update reload trigger to include curl options
Signed-off-by: Stan Grishin <stangri@melmac.ca>
This adds the missing protocol (e.g. /tcp and /udp) to the entry in
/etc/services. If the entry already exists, it will add the /tcp to it.
Otherwise, it will look and add the tcp and udp entries if either is
missing.
fixes: openwrt#19665
Signed-off-by: Josh Powers <powersj@fastmail.com>
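An added example (not the package's own preinst/postinst script) of the repair logic the commit describes, as a POSIX shell function working on a copy of /etc/services: a bare `name port` line is rewritten to `port/tcp`, and whichever of the tcp and udp entries is then still missing is appended. The service names, ports and sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not the package's own preinst/postinst code.

# ensure_service_entry FILE NAME PORT
# 1. A line "NAME PORT" with no /proto suffix is rewritten to "NAME PORT/tcp".
# 2. "NAME PORT/tcp" and "NAME PORT/udp" are appended if either is missing.
# The file is rewritten through a temp file, so there is no sed -i dependency.
ensure_service_entry() {
    file="$1" name="$2" port="$3"

    awk -v n="$name" -v p="$port" '
        $1 == n && $2 == p { $2 = p "/tcp" }   # bare port: tag it as tcp
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"

    for proto in tcp udp; do
        awk -v n="$name" -v e="$port/$proto" \
            '$1 == n && $2 == e { found = 1 } END { exit !found }' "$file" \
            || printf '%s\t%s/%s\n' "$name" "$port" "$proto" >> "$file"
    done
}

# count_entries NAME FILE: number of non-comment lines whose first field is NAME.
count_entries() {
    awk -v n="$1" '$1 == n { c++ } END { print c + 0 }' "$2"
}

# Constructed sample: one tcp-only entry, one bare entry, one udp-only entry.
write_sample() {
    printf '# constructed /etc/services excerpt\nssh\t22/tcp\nexample\t9999\nfoo\t8888/udp\n' > "$1"
}

f=$(mktemp)
write_sample "$f"
ensure_service_entry "$f" example 9999   # bare -> 9999/tcp, then 9999/udp appended
ensure_service_entry "$f" foo 8888       # udp present, 8888/tcp appended
ensure_service_entry "$f" ssh 22         # tcp present, 22/udp appended
cat "$f"
rm -f "$f"
```

The function is idempotent: a second run finds both protocol entries and changes nothing, which is what a preinst/postinst script needs across reinstalls and upgrades.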
Switch to git tarball as the meson files did not get added to the
official one.
Backport busybox style binaries. Saves on size.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* update default config file to list options alphabetically
* rearrange some of the init script code to support transition
of WebUI to javascript
* rename wan6_trigger to procd_trigger_wan6 for readability
Signed-off-by: Stan Grishin <stangri@melmac.ca>
In some situations you need to set the compress param without an
algorithm. Compression will be turned off, but the packet framing for
compression will still be enabled, allowing a different setting to be
pushed later.
As it is not possible to have options with optional values at the
moment, I've introduced a pseudo value "frames_only" which will be
removed in the init script.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* update to 7.86.0: https://curl.se/changes.html#7_86_0
* remove 300-curl-wolfssl.m4-error-out-if-wolfSSL-is-not-usable.patch as
it was fixed upstream: https://github.com/curl/curl/pull/9682
* update configure options for OpenSSL as --without-ssl is breaking the build
* remove --without-libidn configure arg as it's no longer recognized
Signed-off-by: Stan Grishin <stangri@melmac.ca>