* update default config file to list options alphabetically
* rearrange some of the init script code to support transition
of WebUI to javascript
* rename wan6_trigger to procd_trigger_wan6 for readability
Signed-off-by: Stan Grishin <stangri@melmac.ca>
In some situations you need to set the compress param without an
algorithm. Compression will be turned off, but the packet framing for
compression will still be enabled, allowing a different setting to be
pushed later.
As it is not possible to have options with optional values at the
moment, I've introduced a pseudo value "frames_only" which will be
removed in the init script.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* update to 7.86.0: https://curl.se/changes.html#7_86_0
* remove 300-curl-wolfssl.m4-error-out-if-wolfSSL-is-not-usable.patch as
it was fixed upstream: https://github.com/curl/curl/pull/9682
* update configure options for OpenSSL as --without-ssl is breaking build
* remove --without-libidn configure arg as it's no longer recognized
Signed-off-by: Stan Grishin <stangri@melmac.ca>
The newest master branch has important fixes. However, no new release is
published [0]. Switch to git and update to latest master commit.
This introduces new version scheme by using YYYY-MM-DD of the commit.
In addition, add necessary "PKG_FIXUP" and "PKG_REMOVE_FILES" to allow
compile the new version. Also add enable "PKG_BUILD_PARALLEL".
Further, use a pidfile and remove outdated patches.
https://github.com/sleinen/samplicator/issues/73
Signed-off-by: Nick Hainke <vincent@systemli.org>
* rename wan6_trigger to procd_trigger_wan6
* rename update_dnsmasq_config to dnsmasq_config_update
* add the uci-defaults file to run sed on config file
* update Makefile to include uci-defaults file
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Changes to time_t cause SIGSEGV error on 32bit system and cause ripe
atlas malfunction. (registration successful but no traffic)
Also introduce minor patch to fix some compilation warning.
While at it move PKG_RELEASE to AUTORELEASE macro.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* add patches/020-cmakelists-add-version.patch (thanks @baranyaib90)
to add version information to the binary and fix https://github.com/aarond10/https_dns_proxy/issues/149
* modify Makefile to add version information for the binary
* rename patches/010-fix-cmakelists.patch for better readability
* revert back to service restart in WAN/WAN6 trigger
* update test.sh to test both init script and binary versions
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* bugfix: properly restore empty server config for dnsmasq (to
address issue brought up in https://github.com/stangri/source.openwrt.melmac.net/pull/162)
* better handling of non-existant wan/wan6 interface for triggers
* add resolver url to ubus data for future-proofing WebUI js move
Signed-off-by: Stan Grishin <stangri@melmac.ca>
acme.sh by default use public DNS resolvers to check if TXT record was
correctly added when using DNS-01. This can be undesirable in a private
environment where the DNS server is not publicly accessible.
This option allows bypassing such check and simply waiting for a
specific length of time for the TXT record to take effect.
Signed-off-by: Glen Huang <i@glenhuang.com>
Directly calling `/etc/init.d/<service> reload` in a hotplug script can
inadvertently start a stopped service.
Signed-off-by: Glen Huang <i@glenhuang.com>
iputils-ping6 was a subpackage of the iputils package providing the
ping4 and ping6 command before iputils was moved from core to packages.
Currently ping4 and ping6 are replaced by ping -4/-6 and compatibility
symlinks are only installed when explicitly told so with an option, but
the functionality is always provided by iputils-ping.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
* When $wan/$wan6 are empty but double-quoted, it leads to creation
of an interface trigger with empty interface
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* fixed broken/blocked oisd download links (switched to the official github mirror)
* made sure that curl error out on http errors as well
* removed obsolete compatibility stuff from init script
Signed-off-by: Dirk Brenken <dev@brenken.org>
* bugfix: canary domains persistence (as described in
https://forum.openwrt.org/t/https-dns-proxy-canary-domain-persistance/139967)
* minor: remove global variables and make them local in
service_start/service_stop/service_triggers
* minor: split DEFAULT_BOOTSTRAP into BOOTSTRAP_CF and BOOTSTRAP_GOOGLE for
better code readability
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Exit directly will result procd service inactive and uci
configuration changes are no longer monitored.
Reported-by: Lvc Revincx <revincx233@gmail.com>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
So that the busybox configuration does not have to be adapted, the
dependency has been changed to coreutils-timeout, which provides the
same functionality.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* made the reporting/top statistics flexible, see "top_count" parm in CLI or in LuCI (default 10), fixes#19622
* added the new blocklist source cpbl (provided by PascalCoffeeLake@gmail.com)
* added/separated Easylist/Easyprivacy blocklist sources (provided by PascalCoffeeLake@gmail.com)
* added reg_jp blocklist_source (provided by PascalCoffeeLake@gmail.com)
* removed the easylist addons from the other regional lists
* removed the second/obsolete pl regional list and renamed the first one to "reg_pl"
* updated the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* make PKG_VERSION of the init script readonly to remove shellcheck
exception
* replace exit with return in the the procd scripts per:
https://github.com/openwrt/packages/pull/19617
* remove custom boot() function as it prevented creation of procd
firewall object on start on boot
* improve performance of allowing domains code
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Up to now on every interface down event a mwan3 disconnected event was
send. This is wrong because if the interface was never connected, then a
disconnected event should not get generated. This commit fixes this bug.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* upstream bugfix: Add a forgotten 'NULL' initialize for ca_info
if not manually set
* make init script PKG_VERSION variable readonly so that a
shellcheck excettion can be removed
* add procd interface trigger to 'wan6' if IPv6 wan interface name
cannot be obtained on start
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Adding perlbase-json-pp to samba4-libs dependencies was the wrong approach and caused
samba packages not to be offered by menuconfig. AFAIK perlbase-json-pp is a perl helper
to building samba4 and seems to be already included in perl/host so use that instead to
fix the menuconfig issues.
Signed-off-by: Andrew Sim <andrewsimz@gmail.com>
With the newer wget version, wget-nossl can not be compiled due to
missing library, so let's revert it.
Package wget-nossl is missing dependencies for the following libraries:
libnettle.so.8
This reverts commit 5075f5b701.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
This commit contains the following:
* Update binary to version 1.6.1
* Update README URLs in the Makefile to link OpenWrt-specific info
* Separate the binary, the init script and netifd script into 3 packages:
nebula, nebula-service and nebula-proto accordingly
* implement yml parser for init script to fetch variables from it
* add the netifd script for nebula protocol
* update test file to address all built packages
* make the PKG_VERSION variable of init/proto scripts readonly
Signed-off-by: Stan Grishin <stangri@melmac.ca>
add new package keepalived-sync to synchronize files and data
between master and backup node. The master node uses SSH over rsync
to send and the backup node will use inotifywatch to watch received files.
The master node can track rsync.sh script to send configuration file on
a backup node based on the vrrp_script configuration of the same script.
The backup node will have a keepalived-inotify service, which would watch
for newly received files and it would call hotplug event. Each service
can keep its respective script under the keepalived hotplug directory and
executes commands to stop, start service or update any config in real-time.
Whenever a switchover will happen, the backup node would have the latest
config and data files from the master node.
Hotplug events can be used to apply config when files are received.
Signed-off-by: Jaymin Patel <jem.patel@gmail.com>
tailscale version, tailscaled -version and the web UI reported the wrong
version number which doesn't cause any issues, but it can be confusing.
This is fixed by specifying the version in go ldflags similar to how
it's done in many other go packages and the official tailscale Dockerfile.
version.Long version can not be specified in GO_PKG_LDFLAGS_X because it
contains a space and GO_PKG_LDFLAGS_X is always split at a space.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
* ddns-scripts-services: provide ddns-scripts_service
* ddns-scripts-cloudflare: provide ddns-scripts_digitalocean.com-v2
* ddns-scripts-freedns: provide ddns-scripts_freedns_42_pl
* ddns-scripts-godaddy: provide ddns-scripts_godaddy.com-v1
* ddns-scripts-noip: provide ddns-scripts_no-ip_com
* ddns-scripts-nsupdate: provide ddns-scripts_nsupdate
* ddns-scripts-route53: provide ddns-scripts_route53-v1
* ddns-scripts-cnkuai: provide ddns-scripts_cnkuai_cn
https://github.com/openwrt/packages/pull/13509 renamed many ddns-scripts
packages, but didn't include a PROVIDES for the old package names to
make updates work well.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
When we explicitly declare, that we would like to have curl built with
wolfSSL support using `--with-wolfssl` configure option, then we should
make sure, that we either endup with curl having that support, or it
shouldn't be available at all, otherwise we risk, that we end up with
regressions like following:
configure:25299: checking for wolfSSL_Init in -lwolfssl
configure:25321: x86_64-openwrt-linux-musl-gcc -o conftest [snip]
In file included from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/dsa.h:33,
from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/asn_public.h:35,
from target-x86_64_musl/usr/include/wolfssl/ssl.h:35,
from conftest.c:47:
target-x86_64_musl/usr/include/wolfssl/wolfcrypt/integer.h:37:14: fatal error: wolfssl/wolfcrypt/sp_int.h: No such file or directory
#include <wolfssl/wolfcrypt/sp_int.h>
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
and in the end thus produce curl without https support:
curl: (1) Protocol "https" not supported or disabled in libcurl
So fix it, by making the working wolfSSL mandatory and error out in
configure step when that's not the case:
checking for wolfSSL_Init in -lwolfssl... no
configure: error: --with-wolfssl but wolfSSL was not found or doesn't work
References: #19005, #19547
Upstream-Status: Accepted [https://github.com/curl/curl/pull/9682]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
* update to upstream version 2022-08-12
* add ca_certs_file option for CA certs file for curl
* add procd_add_interface_trigger for wan6 (hopefully fixes
https://github.com/openwrt/packages/issues/19531)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
There are many places in the packages' install recipes whith multiple
commands being executed in the same shell invocation, separated with a
semicolon (;). The return status will depend only on the last command
being run. The same thing happens in loops, where only the last file
will determine the result of the command.
Change the ';' to '&&', and exit the loop if any operation fails.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
There are six places pointing to files that do not exist any more:
- gns-import.sh in package gnunet-gns (dropped in v0.11.0)
- libgnunetdnsstub.so* in gnunet-vpn (integrated into util in v0.11.0)
- libgnunettun.so* in gnunet-vpn (integrated into util in v0.11.0)
- gnunet-service-ats-new in package gnunet (dropped in v0.12.0)
- libgnunetreclaimattribute.so.* (integrated into reclaim in v0.13.0)
- libgnunetabe.so.* in gnunet-reclaim (dropped in v0.17.2)
They were not noticed because their failing copy commands were part of
loops in which only the last operation had its exit status checked.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
According to the package's configure.ac, reclaimID OpenID Connect plugin
depends on jose. It is installed by the gnunet-rest plugin package:
libgnunnetrest_openid_connect.so.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* add setting to enable/disable blocking access to iCloud Private Relay resolvers
* add setting to enable/disable blocking access to Mozilla resolvers
* rename variables loaded from config in the init script
Signed-off-by: Stan Grishin <stangri@melmac.ca>
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.
So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages
using wolfSSL library.
Same bump has been done in buildroot in commit f1b7e1434f66 ("treewide:
fix security issues by bumping all packages using libwolfssl").
Signed-off-by: Petr Štetiar <ynezz@true.cz>
* fix bug in download_lists and adb_allow to prevent unintended exclisions from
the block-lists of domains containing allowed domain. Fixes issue:
https://github.com/stangri/source.openwrt.melmac.net/issues/160
* add support for returning NXDOMAIN/blocking iCloud & Mozilla canary domains,
disabled by default
Signed-off-by: Stan Grishin <stangri@melmac.ca>
It was a bit confusing to use *verbosity* level for Dry Run mode. Add
explicity switch for it and designed DRY_RUN variable to make code
easier to understand.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rename variable to make code easier to understand. This variable
specifies how many times in row ddns script tried to update IP without a
success.
Previous name ("ERR_UPDATE") didn't suggest it was for counting
anything. It also didn't specify was error was it related to.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Local suggests something related to the local network or available
locally only. All that code related to the "local" IP was actually
dealing with *current* device external IP address. Using name "current"
should make code a bit easier to understand.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Rename variable to make code easier to understand. This variable
specifies how many times ddns script should try to send a request.
Previous name ("retry_count") suggested it was for *counting* attempts.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Section 'Persistence' in 'luci-app-mosquitto' is unusable without 'persistence'
section in config file.
Signed-off-by: Ptilopsis Leucotis <PtilopsisLeucotis@yandex.com>
* remove obsolete block-lists from config
* add removal of obsolete lists to config-update
* add AdGuard team's block-list to config
* improve allow command
* improve nftset support
* move config load to uci_load_validate, which required some code refactoring which
looks dramatic, but isn't
* always use dnsmasq_restart instead of dnsmasq_hup for all dns resolution options
for dnsmasq
Signed-off-by: Stan Grishin <stangri@melmac.ca>
snowflake-proxy doesn't write any files
=> run in read-only rootfs environment
the process needs to read SSL certs but no other files
=> only exposed path is /etc/ssl/certificates (read-only)
running as unpriviledged user with no additional capabilities
=> set no-new-privs bit
By default procd-ujail also isolates the process by executing it in
a separate new IPC and PID namespace.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Package Tor's Snowflake system components so users can offer e.g.
a standalone Snowflake proxy on their routers or other devices.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Gatling is a high-performance webserver from fefe. It gives a
fairly decent feature-set at really small size. And its fast.
Co-authored-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Signed-off-by: Martin Hübner <martin.hubner@web.de>
mausezahn is a multicast traffic generator which is part of the
netsniff-ng sources. This utility is needed for the upcoming
kernel-selftests-net-forwarding package. Add a new package for it.
netsniff-ng will automatically detect all installed dependencies and
build only the utilities whose dependencies are installed (meaning:
mausezahn is not build when for example libcli is not installed and
other tools are not build if for example zlib is missing). Depending
on the selected packages (netsniff-ng or mausezahn) the OpenWrt build
system has to trigger netsniff-ng's configure script, which will then
pick up and automatically build the programs (mausezahn, netsniff-ng,
trafgen, ...) for which all dependencies are installed.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
The new package would help measuring one-way delays using ICMP type 13
packets. This is important for various scripts that automatically adjust
CAKE shaper bandwidth based on the observed bufferbloat. They need to
understand whether the delay is on the way up or on the way down, so
that they can adjust the bandwidth of the proper part of the shaper.
https://forum.openwrt.org/t/cake-w-adaptive-bandwidth-historic/108848https://forum.openwrt.org/t/cake-w-adaptive-bandwidth/135379
V2: refreshed patches
Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
Fixes multiple security issues:
CVE-2022-38178 - Fix memory leak in EdDSA verify processing
CVE-2022-3080 - Fix serve-stale crash that could happen when
stale-answer-client-timeout was set to 0 and there was
a stale CNAME in the cache for an incoming query
CVE-2022-2906 - Fix memory leaks in the DH code when using OpenSSL 3.0.0
and later versions. The openssldh_compare(),
openssldh_paramcompare(), and openssldh_todns()
functions were affected
CVE-2022-2881 - When an HTTP connection was reused to get
statistics from the stats channel, and zlib
compression was in use, each successive
response sent larger and larger blocks of memory,
potentially reading past the end of the allocated
buffer
CVE-2022-2795 - Prevent excessive resource use while processing large
delegations
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
This version better decodes SSID names which contain emoji, control
characters, and other non-ascii characters.
https://github.com/awilliams/wifi-presence/pull/8
Signed-off-by: Adam Williams <pwnfactory@gmail.com>
Update the mdio-netlink kmod and userspace mdio-tools to version 1.2.0.
This allows dropping the time64 musl patch which was upstreamed.
[v1.2.0] - 2022-09-15
---------------------
- mdio: A new addressing mode "mmd-c22": Used to access MMDs attached
to MDIO controllers without Clause 45 support by using registers 13
and 14 in the device's Clause 22 register space
- mdio: Pretty print gigabit link capability information from a PHY's
extended status register
- mdio: Pretty print lots of status information from MMDs (C45 PHYs)
- mvls: Decode priority override information of ATU entries
- mvls: Table listings now always prints out the device information,
even on single chip systems.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Use an upstream commit to ensure time_t is defined in upsclient.h,
fixing a compile failure in collectd.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Add --without-linux-i2c to configure arguments to avoid using i2c if
found in the staging dir.
Switch to AUTORELEASE.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
- enable json by default to generate json stats
- add rpc to generate json status
- add kmod-nf-ipvs dependencies for virtual servers
- set default vip labels on virtual interfaces
- set process name for keepalived child processes
Signed-off-by: Jaymin Patel <jem.patel@gmail.com>
In the Makefile the library installation was accidentally called
"Package/iperf3/install" and not "Package/libiperf3/install". Fix this
typo. Thanks to Hartmut spotting this.
Also the iperf3-ssl does not need to depend on libiperf3.
Fixes ae48be8e21 ("iperf3: add shared libiperf library and link iperf3 dynamically")
Signed-off-by: Nick Hainke <vincent@systemli.org>
The metrics and weight need to be the same. A 50% balanced would be
require member policies of the same metric and weight value.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Add library for creating own functions with iperf3 functionality.
Example: https://github.com/esnet/iperf/blob/master/examples/mis.c
This library is needed by python3-iperf3.
Build iperf3 binary with dynamically linked libiperf3. However, still
build iperf3-ssl as static binary due to a lack of shipping two libiperf
versions.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Re-mount '$config_file' inside the '$config_dir' will cause aria2 process unable to start.
Signed-off-by: Naraku J <74468372+Narakuku@users.noreply.github.com>
* some more cleanups, forgotten with the last update
* optimized unbound syntax ('always_nxdomain' & 'always_transparent')
* optimized oisd download sources (use wilcard variants which are much smaller)
* removed superfluous version information/function
Signed-off-by: Dirk Brenken <dev@brenken.org>
-- Release Message Snippet https://networkupstools.org/ --
After a long and windy trip since the last official release v2.7.4 half
a dozen years ago ... NUT v2.8.0! ... the new release includes numerous
new drivers, sub-drivers, protocols and bug-fixes, with many companies
and individuals chipping in with contributions of code. ...
Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
* dnsmasq upstream has changed the code for domain handling
and recommends the 'local' syntax for large blocklists
* remove pipefail command, see #19043 for reference
* removed the unused 'adb_dnsinotify' parameter
* removed the 'adb_maxqueue' parameter,
the queue size will be automatically set by the number of cpu cores
* various cleanups, mostly shellcheck related
Signed-off-by: Dirk Brenken <dev@brenken.org>
This package uses the macro
AC_PROG_LEX(yywrap)
which in new versions of GNU Autoconf
specifically looks for the yywrap function in the libraries,
and considers lex/flex not present if the function is not found.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
