Maintainer: @neheb / @BKPepe / @zhanhb
Compile tested: ipq806x, generic, netgear_r7800, master
Run tested: ipq806x, generic, netgear_r7800, openwrt-19.07
Description:
Squid now only support HTTPS proxy in TCP tunnel mode (e.g. `ssl_bump splice all`):
https_port 3128 ssl-bump tls-cert=/etc/squid/squid.pem generate-host-certificates=on
ssl_bump splice all
In order to operate in SSL Bump mode, we need to compile with `--enable-ssl-crtd` for following configuration:
https_port 3128 ssl-bump tls-cert=/etc/squid/squid.pem generate-host-certificates=on
sslcrtd_program /usr/lib/squid/security_file_certgen -s /car/cache/squid/ssl_db -M 4MB
ssl_bump stare all
ssl_bump bump all
This PR switch the `SQUID_enable-ssl-crtd` into `default y`, therefore default enable SSL Bump mode.
Signed-off-by: Wong Hoi Sing Edison <hswong3i@pantarei-design.com>
(cherry picked from commit dbda77686d)
From mosquitto 2.x, port became optional and deprecated in the config,
and it was recommended that listeners be used instead. Drop the hard
requirement in our config conversion script.
Reported in: https://github.com/openwrt/packages/issues/15506
Signed-off-by: <karlp@etactica.com>
- ignore Content-Length from backend if 101 Switching Protocols
- close HTTP/2 connection after bad password
- skip cert chain build for self-issued certs
- meson zstd fix
- ls-hpack upstream update
- discard some HTTP/2 DATA frames received after response
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
(cherry picked from commit 52f85a0e1f)
* fix whitelist housekeeping if you switch between normal- and
'whitelist only' mode
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 7cfb0f4657)
Fixes two related security vulnerabilities (CVE-2020-15078) which
under very specific circumstances allow tricking a server using delayed
authentication (plugin or management) into returning a PUSH_REPLY before
the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup. In combination with "--auth-gen-token" or
a user-specific token auth solution it can be possible to get access to
a VPN with an otherwise-invalid account.
OpenVPN 2.5.2 also includes other bug fixes and improvements.
Add CI build test script.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry-picked from 6186fe732b)
* add a "whitelist only" mode, this option allows to restrict Internet
access from/to a small number of secure websites/IPs, and block access
from/to the rest of the Internet.
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 515397b009)
* support the RPZ trigger 'RPZ-CLIENT-IP' to always allow/block certain
clients based on their IP (currently only supported by bind!)
* avoid promiscuous mode in tcpdump setup for adblock reporting
* speed up dns report preparation
* support dns report mailing (/etc/init.d/adblock report mail)
* fix bind autodetection
* update LuCI-frontend (separate PR)
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit c531b6daea)
NLS means Native Language Support and when you have it enabled (it is
not default), clamav can not be compiled as it shows following error:
Package clamav is missing dependencies for the following libraries:
libiconv.so.2
Also, it is required that package libiconv-full is compiled first/before
than clamav and then try to compile clamav.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 87be6ffe60)
/etc/profile.d/50-openvpn-easy-rsa.sh was not listed as configfile
and changes were lost during upgrades.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
(cherry picked from commit b0663e2959ff9dc37d0273aa3240a2ef0ed3c611)
Rework the bonding.sh protocol handler to accept slave interface names
encoded in uci list notation. Also replace ifconfig up/down with ip
link calls while we're at it.
Fixes: #11455
Fixes: https://github.com/openwrt/luci/issues/4473
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 57a77386de)
This patch prevents multiple cron jobs from being created to run the
safe-search-maintenance script.
To reproduce this bug, perform the following:
- Install safe-search
- Perform an OpenWRT firmware upgrade (choose to preserve user settings)
- Install safe-search again
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
(cherry picked from commit 49535edffd)
The current default of hourly is too fast. Some services such as
DuckDuckGo return IPs from a pool based on the user's location instead
of a fixed IP address. This change prevents unnecessary writes to the
flash memory by only updating once per week.
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
(cherry picked from commit 7164ccf155)
This commit adds a number of fixes to the OpenVPN up/down hotplug command
wrapper which currently fails to actually invoke user defined up and down
commands for uci configurations not using external native configurations.
- Use the `--setenv` to pass the user configured `up` and `down` commands
as `user_up` and `user_down` environment variables respectively
- Instead of attempting to scrape the `up` and `down` settings from the
(possibly generated) native OpenVPN configuration in
`/etc/hotplug.d/openvpn/01-user`, read them from the respective
environment variables instead
- Fix parsing of native configuration values in `get_openvpn_option()`;
first try to parse a given setting as single quoted value, then as
double quoted and finally as non-quoted, potentially white-space
escaped one. This ensures that `up '/bin/foo'` is interpreted as
`/bin/foo` and not `'/bin/foo'`
Ref: https://forum.openwrt.org/t/openvpn-up-down-configuration-ignored/91126
Supersedes: #15121, #15284
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry-picked from commit 7f065a94bb)
MacOS ignores Bonjour services for which TXT records are not returned. This changes forces umdns service to return a TXT record (`daemon=ksmbd`) for the ksmbd service. The exact content is unimportant and to the best of my knowledge nothing reads the `daemon` tag.
Symptoms of the problem (which are also debugging steps):
* Finder refuses to open the OpenWRT "computer" in the Network list.
* Discovery.app (Bonjour Browser) lists the _ssh._tcp service, but the submenu for it doesn't unfold and no address is shown.
* `dns-sd -L OpenWrt _smb._tcp` doesn't return any address.
Signed-off-by: Kirill Nikolaev <cyril7@gmail.com>
(cherry picked from commit 272b0a5c18)
Avoid "file not found"-error when embedding via Imagebuilder.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
(cherry picked from commit bdab7e6bfe)
Derived from the ipsec initd script, with the following changes:
(1) various code improvements, corrections (get rid of left/right
updown scripts, since there's only one), etc;
(2) add reauth and fragmentation parameters;
(3) add x.509 certificate-based authentication;
and other minor changes.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
(cherry picked from commit f9d91f1f47)
If you shutdown ipsec service, and it doesn't clean up
/var/ipsec/ipsec.conf, then when you start swanctl service it
might see an incompatible file on startup. Remedy is to
remove unneeded files when shutting down the service. They
can always be regenerated when the service starts again.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
(cherry picked from commit baa38a1420)
These config files are only used by the ipsec interface to charon,
and shouldn't be part of the base package.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
(cherry picked from commit e626255b37)
Having scripts diddle user written config files seems potentially
dangerous. Plus there's really no downside to including some
empty files. Best to just make the includes be permanent.
Additional feature suggested by Luiz: if a -opkg version of the
config file was created unnecessarily, remove it as part of the
upgrade process since changes won't be happening to that file
as an artifact of the service starting. The include lines are
now permanent, which means that (1) additional configuration
synthesized by UCI won't be anywhere that opkg (or sysupgrade,
for that matter) cares about since it won't be persistent, and
(2) if changes are being made, then they're being done by a
person with an editor and they really should be distinguished.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
(cherry picked from commit 643df01275)
This has been observed by myself and @luizluca: ip route get is
appending uid0 to the output, as seen from:
root@OpenWrt2:~# ip route get 1.1.1.1
1.1.1.1 via 174.27.160.1 dev eth3 src 174.27.182.184 uid 0
cache
root@OpenWrt2:~#
so the fix is an anchored match, discarding all else. Also, using
ip -o means never having to do multiline matches...
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
(cherry picked from commit ec72d3a9e4)
Convert to using CMake in order to speed up compilation and to fix
compilation under glibc.
Add extra dependencies since they're now needed.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 7cd687cb7e)
Even it's only cosmetic and should not affect the function of regular system,
fix the name of the IPKG_INSTROOT variable.
Typo was added long ago with 8400c9a6ec.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
(cherry picked from commit f25f49a8b7)
This is a security fix, affecting 2.0.0 through to 2.0.9. Mosquitto instances
could be remotely DoS'd by authenticated clients.
Release notes at: https://github.com/eclipse/mosquitto/blob/v2.0.10/ChangeLog.txt
CVE number has not yet been assigned.
Signed-off-by: Karl Palsson <karlp@etactica.com>
