Adds failsafe support to the openssh package.
Roughly based on an earlier patch.
Ref: https://github.com/openwrt/openwrt/pull/865
Signed-off-by: Jeff Kletsky <git-commits@allycomm.com>
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
Removed patch as upstream fixed libtirpc support differently.
Switched to normal tarballs for simplicity.
Fixed license information.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Full changelog: https://mosquitto.org/blog/2020/12/version-2-0-2-released/
* Enables DHE ciphers
* Improved response time with http_dir and websockets
Drops a patch no longer required due to upstream fixes.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Along with the accompanying change to gpgme to install gpgme-config,
since libfko is what is actually linked to gpgme, and not
fwknop/fwknopd, an explicit dependency must be added to that package.
menuconfig now allows enabling gpg support if only fwknop is selected
without also selecting fwknopd.
Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
Enable the control port on named that rncd uses to talk to it. Use
rndc to allow for lightweight reloads of some (per-zone) or all of
the database without an interruption of service.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Commit ef388ff1f3 removed 'CMAKE_INSTALL:=1', and this makes the
development files to be not installed anymore on 'staging_dir'.
Being such, packages that needs to link against libminiupnpc fails
to build, because it cannot find the headers and the library.
Adding an InstallDev fixes this.
Build-tested on: ipq806x (R7800)
Run-tested on: ipq806x (R7800)
Signed-off-by: Daniel Bermond <danielbermond@gmail.com>
Some VPN providers require username and password for client to connect.
This commit adds an option to specify username, password and
cert_password directly in uci config which then gets expanded during
start of openpvn client.
Signed-off-by: Michal Hrusecky <michal.hrusecky@turris.com>
New easyrsa will look for missing vars and x509-types where easyrsa
is located (following symlink). /usr/bin/easyrsa is now a link
to /usr/lib/easyrsa/easyrsa and /usr/lib/easyrsa/{vars,x509-types} a
link to /etc/easyrsa/{vars,x509-types}. This keeps the same previous
OpenWrt easyrsa behavior which tries to use $PWD/pki and
/etc/easyrsa/{vars,x509-types}, but without patching it.
Easyrsa can also use env vars to set pki root path (instead of
/usr/lib/easyrsa), pki path (instead of $PWD/pki) and vars path.
Those variables are commented in /etc/profile.d/50-openvpn-easy-rsa.sh
as an example of how to make easyrsa run independent of $PWD. That
scriptlet also sets $EASYRSA_TEMP_DIR from $EASYRSA_PKI/tmp to /tmp
in order to avoid writing to persistent media (normally flash). However,
as a profile scriptlet, it will only be used after session is restarted.
The "build" tgz was replaced by the "source" tar. "build" version has a
different file structure, making any patch backports too complex.
I'm also putting myself as maintainer.
Closesopenwrt/openwrt#2926, since it moved to openwrt/packages.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Fix the prefix instead.
Replace custom Compile section with PKG_INSTALL.
Minor cleanups for consistency between packages.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Remove several configure options. apr-(utils) has been fixed, which
makes them useless. Also removed PKG_BUILD_DEPENDS for that reason.
Simplify NLS with autoreconf_bool.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved
Signed-off-by: Simon Day <email@simonday.info>
Added a patch to remove BUILDCXXFLAGS. For some reason, TARGET_CXXFLAGS
are leaking.
Removed custom Build/Compile section. There's already PKG_INSTALL.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Updating the system image or the package should not obliterate
the downloaded/unpacked geolocation database. If you use xt_geoip
in /etc/firewall.user you don't want the database disappearing
when sysupgrade runs and then reboots your system as you'll be
left exposed.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
specified for montioring
eg allows ipv4 and ipv6 forwarded traffic to be monitored from
both main network and dmz in single graph
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved
Signed-off-by: Simon Day <email@simonday.info>
specified for montioring
eg allows ipv4 and ipv6 forwarded traffic to be monitored from
both main network and dmz in single graph
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved
Signed-off-by: Simon Day <email@simonday.info>
Major change for version 3.3.1 are:
* Fix a segfault issue in ksmbd.mountd.
* Reorganize ndr write functions.
Major changes for version 3.3.0 are:
* Add samr and lsarpc RPC support.
* Generate subauth values for domain.
* Add Kerberos support.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Unlike ipv4, this option is supposed to be an IP address, otherwise, an
error occurs on startup:
can't parse "br-lan" as valid IPv6 listening address
Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
OpenVPN recommends disabling compression, as it may weaken the security
of the connection. For users who need compression, we build with LZ4
support by default. LZO in OpenVPN pulls in liblzo at approx. 32 kB.
OpenWrt users will no longer be able to connect to OpenVPN peers that
require LZO compression, unless they build the OpenVPN package themselves.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
New features:
* Per client tls-crypt keys
* ChaCha20-Poly1305 can be used to encrypt the data channel
* Routes are added/removed via Netlink instead of ifconfig/route
(unless iproute2 support is enabled).
* VLAN support when using a TAP device
Significant changes:
* Server support can no longer be disabled.
* Crypto support can no longer be disabled, remove nossl variant.
* Blowfish (BF-CBC) is no longer implicitly the default cipher.
OpenVPN peers prior to 2.4, or peers with data cipher negotiation
disabled, will not be able to connect to a 2.5 peer unless
option data_fallback_ciphers is set on the 2.5 peer and it contains a
cipher supported by the client.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
reload_server() gracefully with SIGUSR1 to lighttpd
relog() to reopen log files with SIGHUP to lighttpd
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
* update upstream version to lighttpd-1.4.56
* depend on Nettle for MD5, SHA1, SHA256
* multiple TLS options: gnutls, mbedtls, nss, openssl, wolfssl
* new module mod_authn_dbi
* mod_authn_* depend on mod_auth
* mod_authn_file is included if mod_auth is selected in build
* mod_vhostdb_* depend on mod_vhostdb
* mod_deflate subsumes mod_compress
* remove from Makefile the include of nls.mk (no longer needed)
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
**tl;dr:** The functions `{add,del}_ssl` modify a server
section of the UCI config if there is no `.conf` file with
the same name in `/etc/nginx/conf.d/`.
Then `init_lan` creates `/var/lib/nginx/uci.conf` files by
copying the `/etc/nginx/uci.conf.template` and standard
options from the UCI config; additionally the special path
`logd` can be used in `{access,error}_log`.
The init does not change the configuration beside
re-creating self-signed certificates when needed. This is
also the only purpose of the new `check_ssl`, which is
installed as yearly cron job.
**Initialization:**
Invoking `nginx-util init_lan` parses the UCI configuration
for package `nginx`. It creates a server part in
`/var/lib/nginx/uci.conf` for each `section server '$name'`
by copying all UCI options but the following:
* `option uci_manage_ssl` is skipped. It is set to
'self-signed' by `nginx-util add_ssl $name`, removed by
`nginx-util del_ssl $name` and used by
`nginx-util check_ssl` (see below).
* `logd` as path in `error_log` or `access_log` writes them
to STDERR respective STDOUT, which are fowarded by Nginx's
init to the log daemon. Specifically:
`option error_log 'logd'` becomes `error_log stderr;` and
`option access_log 'logd openwrt'` becomes
`access_log /proc/self/fd/1 openwrt;`
Other `[option|list] key 'value'` entries just become
`key value;` directives.
The init.d calls internally also `check_ssl` for rebuilding
self-signed SSL certificates if needed (see below). And it
still sets up `/var/lib/nginx/lan{,_ssl}.listen` files as
it is doing in the current version (so they stay available).
**Defaults:**
The package installs the file `/etc/nginx/restrict_locally`
containing allow/deny directives for restricting the access
to LAN addresses by including it into a server part. The
default server '_lan' includes this file and listens on all
IPs (instead of only the local IPs as it did before; other
servers do not need to listen explicitly on the local IPs
anymore). The default server is contained together with a
server that redirects HTTP requests for inexistent URLs to
HTTPS in the UCI configuration file `/etc/config/nginx`.
Furthermore, the packages installs a
`/etc/nginx/uci.conf.template` containing the current setup
and a marker, which will be replaced by the created UCI
servers when calling `init_lan`.
**Other:**
If there is a file named `/etc/nginx/conf.d/$name.conf` the
functions `init_lan`, `add_ssl $name` and `del_ssl $name`
will use that file instead of a UCI server section (this is
similar to the current version).
Else it selects the UCI `section server $name`, or, when
there is no such section, it searches for the first one
having `option server_name '… $name …'`. For this section:
* `nginx-util add_ssl $name` will add to it:
`option uci_manage_ssl 'self-signed'`
`option ssl_certificate '/etc/nginx/conf.d/$name.crt'`
`option ssl_certificate_key '/etc/nginx/conf.d/$name.key'`
`option ssl_session_cache 'shared:SSL:32k'`
`option ssl_session_timeout '64m'`
If these options are already present, they will stay the
same; just the first option `uci_manage_ssl` will always be
changed to 'self-signed'. The command also changes all
`listen` list items to use port 443 and ssl instead of port
80 (without ssl). If they stated another port than 80
before, they are kept the same. Furthermore, it creates a
self-signed SSL certificate if necessary, i.e., if there is
no *valid* certificate and key at the locations given by
the options `ssl_certificate` and `ssl_certificate_key`.
* `nginx-util del_ssl $name` checks if `uci_manage_ssl` is
set 'self-signed' in the corresponding UCI section. Only
then it removes all of the above options regardless of the
value looking just at the key name. Then, it also changes
all `listen` list items to use port 80 (without ssl)
instead of port 443 with ssl. If stating another port than
443, they are kept the same. Furthermore, it removes the
SSL certificate and key that were indicated by
`ssl_certificate{,_key}`.
* `nginx-util check_ssl` looks through all server sections
of the UCI config for `uci_manage_ssl 'self-signed'`. On
every hit it checks if the SSL certificate-key-pair
indicated by the options `ssl_certificate{,_key}` is
expired. Then it re-creates a self-signed certificate.
If there exists at least one `section server` with
`uci_manage_ssl 'self-signed'`, it will try to install
itself as cron job. If there are no such sections, it
removes that cron job if possible.
For installing a ssl certificate and key managed by
another app, you can call:
`nginx-util add_ssl $name $manager $crtpath $keypath`
Hereby `$name` is as above, `$manager` is an arbitrary
string, and the the ssl certificate and its key are
indicated by their absolute path. If you want to remove
the directives again, then you can use:
`nginx-util del_ssl $name $manager`
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
It's useful to be able to dump sections of the database by country
for scripting or just plain sanity checking.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Snort 3.0.3-1 requires libdaq 3.0.0-beta1, but this version is no longer
compatible with Snort 2. Thus OpenWrt now provides both a libdaq and
libdaq3 package. This modifies the snort3 package to require the latter.
Signed-off-by: W. Michael Petullo <mike@flyn.org>
procd-seccomp switched to OCI-compliant seccomp parser instead of our
(legacy, OpenWrt-specific) format. Convert ruleset to new format.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
iputils upstream changed build params with version s20200821
Latest OpenWRT iputils ping now appears to report the openwrt
version tag, rather than iputils date tag
This commit sends a test ping to localhost to evaluate the
capabilities of iputils ping.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Allow `mwan3 interfaces` to get uptime via an internal function and
thus remove the dependency on rpcd for `mwan3 interface` calls.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Upstream commit 90884c62 ("xl2tpd-control refactoring") introduced in
1.3.16 changed command names
The l2tp protocol handler part was from @danvd in pull request
openwrt/packages#13866
Fixes f07319d6 ("xl2tpd: bump to version 1.3.16")
Ref: https://github.com/openwrt/packages/pull/13866
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Maintainer: @codemarauder
Compile tested: Yes
Run tested: x86_64 PCEngines APU
Description:
A Tunnel which Improves your Network Quality on a High-latency Lossy Link by using Forward Error Correction,for All Traffics(TCP/UDP/ICMP)
It does it by sending redundant packets and re-arranging them to account for packet loss over the link. It uses Reed–Solomon code.
Signed-off-by: Nishant Sharma <codemarauder@gmail.com>
Signed-off-by: Andrew Mackintosh <amackint@waikato.ac.nz>
Maintainer: me / @null-cipher
Compile tested: Raspberry Pi 3 / brcm2708-bcm2710, OpenWrt 19.07.4
Hyper-V VM / x86_64, OpenWrt 19.07.4
Run tested: Raspberry Pi 3 / brcm2708-bcm2710, OpenWrt 19.07.4
Hyper-V VM / x86_64, OpenWrt 19.07.4
Description:
The NetStinky IDS is a component of the NetStinky suite of tools. It
monitors the traffic on the LAN interfaces of your router for
Indications of Compromise (IoCs), drawn from an auto-updating list of
definitions. IoCs are subsequently reported to the NetStinky smartphone
applications.
In recent commits, there were removed Transmission SSL variants and
there is just used one variant of transmission-daemon. Let's adjust it here as well.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
It was somewhat opaque how the variable a is questioned. To show this
better the variable is now a string and not a boolean. So you can see
directly what should happen. With a boolean you always have to think
about what it means when 0 or 1 is used.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Replace locks on /var/run/mwan3.lock with locks via procd.
This fixes a deadlock issue where mwan3 stop would have a procd
lock, but a hotplug script would have the /var/run/mwan3.lock
Locking can be removed from mwan3rtmon since:
1) procd will have sent the KILL signal to the process during
shutdown, so it will not add routes to already removed interfaces on
mwan3 shutdown and
2) mwan3rtmon checks if an interface is active based on the
mwan3_iface_in_<IFACE> entry in iptables, and the hotplug script
always adds this before creating the route table and removes it
before deleting the route table
Fixes github issue #13704
(https://github.com/openwrt/packages/issues/13704)
when the network procd service restarts, it flushes the ip rules. We
need to add these rules back. Since hotplug events are triggered when
the networks come back online, adding this call to the hotplug script
is the most convenient place to refresh the rules.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
he line is too long. For the future it is better to split it into
several lines and make it more clearly arranged. In case of a future
change, not the whole line will be marked as a change.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Will only run when no events are pending.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
[ Update description and split into own commit ]
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Initialize TRACK_OUTPUT has been set after INTERFACE variable initialization.
Move definition into main fixes this issue.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
In a recent commit, there was a fixed typo in config file of rp-ppoe
package. As there was no increased version in PKG_VERSION/PKG_RELEASE,
it means that fixed typo will be applied for users, who install
rp-pppoe now. Existing users will not be aware that there is an updated
package with fixed typo. They will need to do force overwrite/reinstall via opkg.
It makes a little bit complicated as we are fixing typo in conffile, but
this change will be applied to users who do not touch it. In any case,
there should be a bumped version.
Fixes: fe709078ff ("rp-pppoe: fix typo")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
DNS flag day 2020, software should reflect the minimum EDNS 1232 bytes.
Added iface_wan and iface_lan to control internal DNS assignemnts and
to control what is local service ACL. Interface wild cards are not
explicitly set so that they can be customized in extended conf.
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
* since openwrt master has merged the depending P/R, the old
extra_help/extra_commands syntax is no longer working, see #13798 for
reference
* removed test.sh script from package
Signed-off-by: Dirk Brenken <dev@brenken.org>
* since openwrt master has merged the depending P/R, the old
extra_help/extra_commands syntax is no longer working, see #13798 for
reference
* removed logd dependency, see #13820 for reference
Signed-off-by: Dirk Brenken <dev@brenken.org>
* since openwrt master has merged the depending P/R, the old
extra_help/extra_commands syntax is no longer working, see #13798 for
reference
Signed-off-by: Dirk Brenken <dev@brenken.org>
libudev-zero as well as libudev-fbsd have PROVIDES:=libudev . These
packages have nothing specific that requires one or the other.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
If procd relaunches the ModemManager daemon after e.g. a crash, we
also want it to notify all cached hotplug events, or otherwise we
would end up leaving the daemon running without the full initial
processing done.
This change modifies the init script to include all the required init
commands as part of the procd instance command, so that procd launches
all of them on every respawn.
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Boost headers try to include experimental/string_view when std is less
than c++17. This does not work ith libcxx where this header is not
present.
Refreshed patches.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
- DNS Flag Day 2020
(default EDNS buffer size changed from 4096 to 1232 bytes)
-- Added patch, which should be part of the next release
It fixes an issue while cross-compilation (I linked it in the commit
message with issue link)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
When the ModemManager daemon is started by the init script, we're
explicitly calling mm_report_events_from_cache() so that all the
hotplug events that happened before that moment are properly notified
to the newly launched daemon.
This initial reporting of events does a wait for the ModemManager
process to be available in DBus, and if the daemon isn't registered in
the bus in a given time, the process is considered failed:
Sun Sep 6 16:20:02 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:02 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:03 2020 [2180]: <info> ModemManager (version 1.14.6) starting in system bus...
Sun Sep 6 16:20:03 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:04 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:05 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:05 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:06 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:06 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:07 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:07 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:08 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:08 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:09 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:09 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:10 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:10 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:11 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:11 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:12 2020 ModemManager: hotplug: checking if ModemManager is available...
Sun Sep 6 16:20:12 2020 ModemManager: hotplug: ModemManager not yet available
Sun Sep 6 16:20:12 2020 ModemManager: hotplug: error: couldn't report initial kernel events: ModemManager not running
Update the default wait time for this initial event notification from
10s to 60s, because there are cases where the daemon is slower to
boot, e.g. during the first boot after a sysupgrade.
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Extend configuration of NTP sources in UCI:
- Add nts option to enable NTS
- Add disabled option to allow inactive sources
Add nts section to UCI with:
- rtccheck option to disable certificate time checks on systems that
don't have an RTC to avoid the chicken-and-egg problem (it is less
secure, but still should be better than no NTS at all)
- systemcerts option to disable system certificates
- trustedcerts option to specify path to trusted certificates
Save NTS keys and cookies by default to avoid unnecessary NTS-KE
sessions when restarted or switching back to an already used NTS source.
Also, save the drift to stabilize the clock after chronyd restart.
Signed-off-by: Miroslav Lichvar <mlichvar0@gmail.com>
- Use the chronyc onoffline command to update state of all sources
per current routing configuration
- Don't ignore the "ifupdate" action
- Add NTP servers from DHCP for the interface that went up instead of
the wan4+wan6 interfaces
- Save the servers to files loaded by the sourcedir directive to not
lose them when chronyd is restarted, and remove them when the
interface goes down
Signed-off-by: Miroslav Lichvar <mlichvar0@gmail.com>
Instead of loading /etc/chrony/chrony.conf from the file generated from
the chrony UCI configuration, use the confdir directive in the main
config to load the generated file. This should make it obvious that
chrony is configured in UCI and it can also be easily disabled.
Signed-off-by: Miroslav Lichvar <mlichvar0@gmail.com>
If relay/bridge support isn't required, this variant is about 300 kiB smaller
than the full tor daemon.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Extracted from:
http://deb.debian.org/debian/pool/main/i/ifstat/ifstat_1.1-8.1.diff.gz
Note that I also created a new git repository with these fixes:
https://github.com/matttbe/ifstat/
The original author of these modification is:
Goswin von Brederlow <goswin-v-b@web.de>
ChangeLog:
* snmp.c: fix 2 pointer targets differ in signedness warnings
* Adding upport for 64bit /proc/net/dev counters.
* Clean up compiler warnings.
More modifications are available in the patch from the Debian project
but mostly related to the "debian" dir, man page and debug mode. Here I
only took the modifications related to the .c and .h files.
The most important fix is related to the support for 64bit counters in
/proc/net/dev instead of displaying 0 after a while.
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
- support trailing route space from iproute2
- add routes even when iface is down
- fix source_routing argument check
- add quotes in logging to better detect issues with trailing spaces
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Contains following list of changes:
ab4c3471b261 tests: add cram based unit tests
7b4e3241e1bd tests: add cgi-io built with clang sanitizers
21831f45d16d Disable session ACLs during unit testing
2f525417b5df Add initial GitLab CI support
57f1c4f18cb6 Add .gitignore
09f9ac5066ee Fix off-by-one in postdecode_fields
ed8ce0d5d28b Add fuzzing of utility functions
a61581819800 Add fuzzing of multipart_parser
6b0615b728ed Refactor utility functions into static library
a0ed2c9a7a72 Fix clang compiler errors
232659da19a4 Fix possible NULL dereference
8e5719b37a67 Fix warnings reported by clang-10 static analyzer
b99aa8a64cca Remove Makefile
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Allows the Makefile to be cleaned up and to have fewer dependencies.
There's no need for multiple TLS libraries to be installed.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
openconnect v8.10 supports 4 VPN protocols
--protocol=anyconnect Compatible with Cisco AnyConnect SSL VPN, as well as ocserv (default)
--protocol=nc Compatible with Juniper Network Connect
--protocol=gp Compatible with Palo Alto Networks (PAN) GlobalProtect SSL VPN
--protocol=pulse Compatible with Pulse Connect Secure SSL VPN
This patch allows user to specify protocol use the new "vpn_protocol"
option and deprecate the old option "juniper" which seems to be missing in
the current openconnect client.
Signed-off-by: Mengyang Li <mayli.he@gmail.com>
version 8.2.6 (October 19, 2020):
- try and address license concerns with LICENSE.md
- replace usleep with nanosleep (Rosen Penev <rosenp@gmail.com>)
- console: Add 'k' option to exit on console-down (Mylène Josserand <mylene.josserand@collabora.com>)
- Fix#48 - apply ipv4 CIDR access list when compiled with ipv6 support
Signed-off-by: Bjørn Mork <bjorn@mork.no>
The additional directory is created and can be used e.g. for configurations
which are created e.g. dynamically from an uci config.
Signed-off-by: Helge Mader <ma@dev.tdt.de>
For applications writing their own xinetd configuration to the /etc/xinetd.d
directory it would be necessary to save them (e.g. a user edits them manually)
Signed-off-by: Helge Mader <ma@dev.tdt.de>
When the interface section was changed, the changed configuration
options were not applied.
This commit adds the service reload handling again.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* switch all safesearch providers to dynamic ips (derived from cname)
* made the new safesearch approach compatible with bind-nslookup
* removed 3.x config compatibility code
Signed-off-by: Dirk Brenken <dev@brenken.org>
Django 3.1 supports relative paths for static_url.
Use it to make it more flexible.
Minor fixes for upgrade:
* ignore-fail-on-non-empty for rmdir /usr/share/etesync-server/etesync_server
* do not stop service (it is stopped already and init file is removed)
Signed-off-by: Peter Stadler <peter.stadler@student.uibk.ac.at>
The underlying `acme.sh` allows custom ACME server URLs (using `--server`). Adding the necessary field to specify a custom ACME server URL from UCI.
Signed-off-by: Jannis Pinter <jannis+openwrt@pinterjann.is>
Use "mwan3 use" to wrap a command with interface bindings so that you can
avoid the mwan3 rules and test behavior on a specific interface.
eg "mwan3 use wan ping -c1 1.1.1.1"
Additional binding arguments to the command will have their system
calls intercepted and ignored.
eg "mwan3 use wan ping -c1 -I tun0 1.1.1.1" will use the
device associated with "wan", rather than "tun0".
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Rather than using a special mwan3 user to manage mwan3track's tracking
packets, this commit implements a small helper library to bind to
device and to set a fwmark so that the tracking packets can be routed
out of the correct interface.
This provides a consistent method for binding to a device rather than
relying on various packages potentially buggy implementations. For
example: #8139 and #12836
This helper issue also allows for more tracking methods to be added
even if they do not have a command line option to bind to device,
such as iperf3 (eg #13050).
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
start all mwan3mon and mwan3track instances on mwan3 start
if an interface is down when mwan3track starts, it waits
for a signal from the hotplug script to start
procd can then handle stopping all of the scripts when mwan3
is halted
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
correctly terminate interface status checks with new lines so that
interface status does not get confused when one interface is a prefix
of another interface.
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
handle creation of routing tables in mwan3rtmon to avoid race
conditions and potentially missing routes
handle ipv6 routes that have expiry
update directly connected ipset when routes are added or deleted
add fall through rules so that the default routing table is not
used if no rule in the interface-specific routing table matches
add option to comply with mwan3 source based routing
get default route parameters from main routing table
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Remove paxctl stuff. pax is not packaged in OpenWrt.
Add reload support.
Install lua cfg file as 644. It's needed to be readable as prosody user
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* Change KEY/HMAC_KEY to __CHANGEME__, which is rejected by fwknopd
during start-up. The value CHANGEME is used only by LuCI package
luci-app-fwknopd - pull request for generating keys directly from
LuCI has been created already.
* Add sensible defaults for ENABLE_IPT_FORWARDING and ENABLE_NAT_DNS,
which both are/were set by luci-app-fwknopd. Move the defaults here.
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
The substring "release_" does not reflect the version number.
In addition, package names will be shorter.
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
mbedcrypto should be searched, not mbedtls. Also, there is no pkgconfig
file with mbedtls. Fixed that as well. Removed Makefile hacks.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
No functional changes, just moved the sources into out of tree
project[1] so it's going to be easier to do CI with unit testing,
fuzzing etc.
1. https://git.openwrt.org/?p=project/cgi-io.git;a=shortlog
Signed-off-by: Petr Štetiar <ynezz@true.cz>
AdGuardHome is a network-wide ads and trackers blocking DNS server.
After installing it with opkg, start it like every service:
/etc/init.d/adguardhome start
In order to complete the installation vist http://{YOUR_ROUTERS_IP}:3000.
Then you can setup dnsmasq to forward DNS traffic to AdGuardHome:
uci -q delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server=127.0.0.1#{PORT_SET_DURING_INSTALL}
uci set dhcp.@dnsmasq[0].noresolv=1
uci commit dhcp
/etc/init.d/dnsmasq restart
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
If lighttpd loads mod-auth, it also automatically tries to load
mod-authn_file, and fails if it's not available. That is a compatibility
feature of lighttpd after the funtionality was split into modules.
Signed-off-by: Jan Kardell <jan.kardell@telliq.com>
* fix a vpn/iptables race condition
* remove needless dnsmasq dependency
* synchronize code-base of all auto-login scripts, due to
COVID-19 restrictions all of them are still untested/WIP
* various small cleanups
Signed-off-by: Dirk Brenken <dev@brenken.org>
This meta-package contains only dependencies for modules needed in
FreeRADIUS default configuration.
This commit adds missing description and install sections.
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
The provider could also be read from the custom directory. To get always
the latest version of the provider config json file, we read first the custom
directory and after that we also check the default directory, if we could not
find the provider file
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Since we can also install custom ddns services, the name for the default
services is not optimally chosen. To emphasize this the folder with the
standard services for the package feed will be renamed to default.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If we install ddns-scripts we also install the default
ddns-scripts-services package. So the behabviour for the user does not
change.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This package does not currently compile.
This is needed to do so that it compiles:
- fix emptying CXX variable in configure script
- fix automake not generating Makefile (remove doxygen definitions)
- force gnu++11 by patch, does not work with configure variable
Also because of changed API in libmicrohttpd:
- fix HttpServer
Moreover this package does not support --disable-slp configure option
anymore, remove it.
Signed-off-by: Marek Behún <kabel@blackhole.sk>
Note:
Fixes CVE-2020-1472 in case smb.conf
contains 'server schannel = no' or 'server schannel = auto'
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
Since we no longer need to edit the service and serive_ipv6 files during
installation, the preinst and postinst script can be removed. They are
not neede anymore.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
From my point of view there are several reasons why this uci default
script should be deleted.
- This script is no longer maintained and there was no significant
change since the old stable release openwrt-18.06.
- The script is installed with every additional package. Which is kind
of funny. It would be better to maintain a separate uci default upgrade
script for each package. So uci default tasks that are no longer needed
can simply be deleted without having to watch and test the whole scirpt.
- The script is also not so easy to maintain, because the code is not
easy to read.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Stan Grishin <stangri@melmac.net>
shellchecked
Signed-off-by: Stan Grishin <stangri@melmac.net>
shellchecked
Signed-off-by: Stan Grishin <stangri@melmac.net>
- new package dependency: curl (plus one of the wpad variants)
- optional package dependencies:
- 'msmtp' for email notification support
- 'wireguard' or 'openvpn' for vpn support
- removed WEP support, only WPA/WPA2/WPA3 are supported!
- new, more robust setup wizard (CLI and LuCI)
- more robust captive portal detection
- randomize mac addresses with every uplnk connect
- automatic vpn handling during uplink switch (only classic/simple
client-setups for wireguard or openvpn are supported)
- email notifications after successful uplink connections
- automatically disable uplinks after n minutes, e.g. for timed
connections
- automatically (re-)enable uplinks after n minutes, e.g. after failed
login attempts
- complete LuCI rewrite - migrated to client side JS (separate PR)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Don't build the sntp binary and libevent2-pthread dependency unless
ntp-utils is selected.
Re-add ntp-keygen dependency libevent2-core.
Fixes openwrt#10307
Signed-off-by: Kenneth J. Miller <ken@miller.ec>
With openwrt/openwrt@51ec51871f one can
now use user/group names instead of numeric uid/gid in FILE_MODES.
Make use of that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Apart from adapting to upstream changes also switch to use FILE_MODES
instead of chown/chmod in init-script.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* update to 4.12.6
* fix optional modules not included on module build (vfs_btrfs, vfs_linux_xfs_sgid)
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
Change URL to codeload. It redirects to it anyway. I was getting a 404
error with the original. I couldn't figure it out.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
- remove patch that has been included upstream
- remove dependence on resolveip
- remove hotplug script that is handled by "proto_add_host_dependency"
- use openfortivpn default tunnel ip if none specified
- add status checking with uclient-fetch
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
If a daemon listens on multiple addresses at once, it'll show up multiple
times in get_listeners() which will clobber the config for uhttpd. Fix this
by skipping subsequent handlings of the same daemon binary.
Fixes#13325.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Update to 40.89.244.237 which is the new IP address that duckduckgo.com is using for safe-search.
Signed-off-by: Greg Dietsche <gregory.dietsche@cuw.edu>
The creation of the dummy package nginx creates some problem with dependency detection for the all-module variant. Reorganize the dependency and compile nginx before the the sub-variant.
Fixes#13275
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Canonical radtest start results in an error:
$ radtest bob hello localhost 0 testing123
/usr/bin/radtest: line 1: hostname: not found
(0) Error parsing "stdin": Failed to get value
hostname command is not present in OpenWrt.
Instead, hostname can be obtained from file /proc/sys/kernel/hostname.
added: 004-get-hostname-from-proc-in-radtest.patch
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
