This patch to remove PowerDNS' check for whether time_t is 64-bit is not needed anymore,
due to OpenWrt now having a more recent musl libc where time_t is 64-bit on all architectures.
Signed-off-by: Wout Bertrums <wout@wbnet.eu>
Switch to AUTORELEASE for simplicity.
Switch to normal tarballs.
Add license information.
Reorganize Makefile for consistency between packages.
Add libtool patch fixing compilation under some conditions.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Testing showed that additional syscalls are needed on ARMv7.
Add "clock_gettime64" and "statx" which seem to be used now instead
of "clock_gettime" and "stat" syscalls which are already listed.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
When Open vSwitch is configured to use a controller, but is unable to
connect to it, Open vSwitch will setup flows to allow all traffic, if
the failure mode is not configured, or set to standalone.
As this might be a security hazard, it is also possible to configure
Open vSwitch in a secure failure mode. Enabling this mode causes Open
vSwitch to drop all traffic if it is unable to connect to the
controller.
Redirect stderr of the command to /dev/null as it does not support the
--if-exists option.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Due to a copy-paste error, libopenvswitch is missing a dependency when
Open vSwitch is configured to use unbound:
Package openvswitch-libopenvswitch is missing dependencies for the following libraries:
libunbound.so.8
Use the correct config symbol to solve this.
Fixes: 45c8cc9d8a ("openvswitch: make libunbound optional")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The genhash binary is only built when IPVS is enabled, so make its
installation depend on IPVS being enabled.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Add a UCI config option to set the OpenFlow datapath description. This
allows setting a human readable description of the bridge, e.g.
"Building x, Floor y, AP z", which makes it easier to recognize the AP.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Upstream released 1.0.0, so change the package to the git tag 1.0.0
Mainly documentation and argument handling changes
Signed-off-by: Damien Mascord <tusker@tusker.org>
- Added missing conffiles
- Refreshed init srcipt to adapt the new arguments
- Renamed package name to lowercase (suggestion from upstream)
- Updated dependencies and license
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* add wpa-supplicant package dependency
* removed no longer working 'db-bahn.login' and 'wifionice.login' auto-login scripts
* added the new 'wifibahn.login' script for auto-logins to captive portals WIFI@BAHN (DE),
run tested on a single ICE (station logins are currently unsupported!)
* vodafone.login prepared to support free/time limited logins (still WIP!)
* change return code handling in login scripts and travelmate
* refine f_wifi function
* fix a few conercase issues
Signed-off-by: Dirk Brenken <dev@brenken.org>
Some versions of killall do support the `killall -SIGNAL` syntax and
have only `-s SIGNAL` which should be supported everywhere.
I see the problem with *killall (PSmisc) 23.3* on latest TurrisOS 5.2
Signed-off-by: Jan Baier <jan.baier@amagical.net>
Some versions of killall do support the `killall -SIGNAL` syntax and
have only `-s SIGNAL` which should be supported everywhere.
I see the problem with *killall (PSmisc) 23.3* on latest TurrisOS 5.2
Signed-off-by: Jan Baier <jan.baier@amagical.net>
Currently there is a problem with log spam when ipv6 network
is dropped. Fix this by backporting a patch to silence these errors
when verbose logging is not enabled.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
fail2ban v0.11.2 package version 2
Following PR #15098, add fixes to build fail2ban package:
- remove use of fail2ban-python (directly use python3 in script)
- remove link to python3 in /usr/bin (break the package build)
- remove python-tests (reduce the package size)
Signed-off-by: Kerma Gérald <gandalf@gk2.net>
To allow the script to define what it should be run with.
This let's the user use bash if it's available, or python, or perl, etc.
Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
Update PKG_VERSION to 2.10.11
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The "-s -w" flags in GO_PKG_LDFLAGS tells the Go compiler to strip the
binaries it produces. Since the default Go package build process will
strip binaries when CONFIG_USE_STRIP or CONFIG_USE_SSTRIP are selected,
these flags are unnecessary.
When CONFIG_NO_STRIP is selected, these flags override the user's
intention of building unstripped packages.
This removes these flags for all relevant packages.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This will allow the server to know more info about the client like
HWADDR, very useful for managing IoT devices.
See: https://www.mankier.com/8/openvpn#--push-peer-info
Signed-off-by: Nguyen Quang Minh <minhnq31@fpt.com.vn>
Django 1.11 (host-build) is only needed for Seahub.
And won't ever be needed for anything else (hopefully).
This change moves it to the Seahub folder.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
v2rayA is a Linux web GUI client of Project V which supports V2Ray,
Xray, Shadowsocks, ShadowsocksR, Trojan and Pingtunnel.
Wiki: https://github.com/v2rayA/v2rayA/wiki
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
* switch to unencrypted http downloads for ipdeny.com due to persistant certificate issues
* compact json generator code (tested with report files > 2MB)
* various code cleanups and optimizations
Signed-off-by: Dirk Brenken <dev@brenken.org>
It has been updated to the latest version shipped by upstream.
This has not been done since v4.2.1, hence the big diff.
Signed-off-by: Wout Bertrums <wout@wbnet.eu>
Recent versions of mosquitto have added a lot more fine grained control
of various options. Add UCI support for all of them, and fix a couple
of things that were configured as per listener, that are actually global
settings.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Maintainer: me
Build system: Arch Linux x86_64
Build tested: ipq806x/R7800
Run tested : ipq806x/R7800
Signed-off-by: Daniel Bermond <danielbermond@gmail.com>
Change the interface protocol prefix from "bonding-" to "bond-".
This allows longer custom interface names and useful for VLANs.
Signed-off-by: Vladislav Grigoryev <vg.aetera@gmail.com>
On buildbots the build fails because git isn't finding any git repo and
then AC_INIT refuses to run:
fatal: not a git repository (or any parent up to mount point /)
Stopping at filesystem boundary (GIT_DISCOVERY_ACROSS_FILESYSTEM not set).
configure.ac:5: error: AC_INIT should be called with package and version arguments
Address this by substituting the git command with $(PKG_VERSION).
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
* replaced pipe input for a while/read-loop with a here document/variable as input
(fix various subshell related bugs and oddities)
* further improve abort and re-connection handling
* prevent alleged detected connection failures (false positives) with an additional gw check,
to stabilize VPN connections in particular
Signed-off-by: Dirk Brenken <dev@brenken.org>
This fixes compilation issues with ASLR PIE enabled
We were compiling with '-g -DDEBUG'
https-dns-proxy_2021-07-29-*_arm_cortex-a9_vfpv3-d16.ipk
shrink from 19514 to 19095
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
This init script allows to start the Kea Control Agent, the DHCPv4
server, the DHCPv6 server, and the DHCP-DDNS server. It expects the
config files to be where the packages install them.
As this is a single init script that can start 4 different binaries that
are each in their own package, these files cannot be included in any of
these other package, so create a dedicated package for it.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This allows running multiple kea instances in load balancing or
hot-standby mode, minimizing risk of downtime.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* simplify the scan logic, to get rid of nifty IFS tricks
* limit the nearby scan results to process only the strongest uplinks, set 'trm_maxscan' accordingly (default '10')
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
but keep it selected by default as before
so it could be selected if nmbd and/or wssd2
should be used
Signed-off-by: Fritz D. Ansel <fdansel@yandex.ru>
On hosts that have pcapnav-config installed, there is host lib leakage.
From config.log:
LNAVLIB='-L/usr/lib64 -lpcapnav -lpcap'
LNAV_CFLAGS='-I/usr/include'
Fix this by disabling pcapnav-config, which isn't available anyway.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* support the new travelmate option 'macaddr' to use a pre-defined MAC address (per uplink)
* vpn connections are now handled separately for each uplink
* The autoadd-feature for adding open uplinks will now be limited by the 'trm_maxautoadd' option. The default is '5', '0' disables this limitation.
* more code cleanups und optimizations to reduce the repetitive connection handling workload
* bugfixes regarding multiple radio support
* refine cp detection (no longer write and parse an error file)
Signed-off-by: Dirk Brenken <dev@brenken.org>
TARGET_CXX is added, because PowerDNS now uses C++17.
pdns.conf-dist is updated to the latest version shipped by PowerDNS.
010-time_t-check.patch, which is also used in pdns-recursor and dnsdist,
is added to patch out the check for 64-bit time_t,
because OpenWrt still supports 32-bit devices.
100-pdns-disable-pdns.conf-dist.patch is refreshed.
Signed-off-by: Wout Bertrums <wout@wbnet.eu>
* supports newer shellcheck
* restore EXTRA_COMMANDS compatibility with 19.07
* move status display from various functions to status_service
* bugfix: status_service line break after output
* minor arythmetic fix in status_service
Signed-off-by: Stan Grishin <stangri@melmac.net>
Backport a pending patch in order to DSCP-mark UDP traffic. This allows for
correct binning of traffic in diffserv-capable routers.
Additionally, remove Rosen Penev from the maintainers list, as per his request.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Description: Lack of support of HTTP/2 by default starts to hurt,
for example with https-dns-proxy package, some DoH resolvers (like mullvad)
no longer support HTTP/1 and are not usable.
This enables HTTP/2 support by default (which would bring ~68Kb libnghttp).
Signed-off-by: Stan Grishin <stangri@melmac.net>
* update binary to the latest commit (2021-07-29) to fix#16222 and #16239
* add hotplug.d/iface file and update Makefile to install it
* use Cloudflare's and Google's bootstrap DNS if bootstrap DNS is missing
* minor improvements in append_bool function
* add append_counter function for verbosity setting
* add append_bootstrap function (and supporting functions) to parse/sanitize bootstrap setting
* move firewall array from 'main' instance to the first proxy instance
* delete useless 'main' instace
Signed-off-by: Stan Grishin <stangri@melmac.net>
Open vSwitch supports SSL to connect to an OpenFlow controller. This is
recommended for security. Expand the UCI ovs config section to allow
configuring SSL CA, certificate and private key.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The Open vSwitch init script does not set USE_PROCD=1. Instead, it
defines most of the functions and variables that would be set when
USE_PROCD is set to 1, but with some minor changes.
The basescript variable however, which is used when calling
procd_open_service and procd_kill, is not set. As a result, basename of
the contents of the initscript variable is used as the service name. As
the service is automatically started via its symlink in /etc/rc.d,
S15openvswitch, the service name is S15openvswitch.
Set the basescript variable so that the service name is openvswitch.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
By default, Open vSwitch will generate the OpenFlow datapath ID of a
bridge based on the MAC address of one of its ports. Due to this, it's
possible that the datapath ID changes when new ports are added. When the
datapath ID changes, Open vSwitch disconnects from the controller, as
there is no way to notify the controller that the datapath ID has
changed.
Add an option to set the datapath ID so that the above situation can be
avoided. The option takes either exactly 16 hex characters, or when
prefixed with 0x, between 1 and 16 hex characters.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The config symbol is named CONFIG_OPENVSWITCH_WITH_LIBUNBOUND, so check
for that instead of the non-existent CONFIG_OPENVSWITCH_WITH_UNBOUND.
Fixes: 45c8cc9d8a ("openvswitch: make libunbound optional")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
support for 21.02.0-rc2 and up
support for reloading a single interface on ifup/ifupdate
rename config file
updated shellcheck compatibility
remove obsolete create/remove_lock
interface processing optimizations to speed up reloads
drop dependency on curl in user scripts
uniform styling of functions
Signed-off-by: Stan Grishin <stangri@melmac.net>
Installing openvswitch on an x86/64 snapshot image pulls in a bunch of
dependencies, good for a total size of 3648406 byte. Disabling
libunbound reduces that with 559941 byte, for a total of 3088465 byte.
This is quite a big reduction for a small tradeoff: without libunbound,
hostnames can not be used to specify OpenFlow managers or controllers.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* code cleanup
* add auto login script for Julianahoeve beach resort (NL)
* add auto login script for Vodafone hotspots (DE)
* add auto login script for telekom hotspots (DE)
* enhance captive portal detection to support html redirects as well
* change default captive portal detection url to
'detectportal.firefox.com'
Signed-off-by: Dirk Brenken <dev@brenken.org>
Building without the mirror-tarballs fails to PKG_SOURCE_SUBDIR not
matching the hostapd source subdir name. Fix that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The current way to add ports to an Open vSwitch bridge does not allow
complex port configurations. Use a dedicated uci config section per port
instead of the current port:type syntax. This way we can easily support
more features like setting the VLAN tag or the OpenFlow port number.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Calling the ovs_bridge_init function when stopping the service will
result in ovs-vsctl being called after ovsdb-server has been shut down.
This causes the following error:
ovs-vsctl: unix:/var/run/openvswitch/db.sock: database connection failed (No such file or directory)
Calling the ovs_bridge_init function when requesting the service status
has no added value.
Only call ovs_bridge_init during start or restart to fix this.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
CI run fails due to dirty patches, so refresh them.
Fixes: f4f1a25e80 ("openvswitch: bump to version 2.15.0")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Include default configuration files to have something to start from.
Also include snort2lua to help convert snort2 rules to snort3 to also
help with bootstrapping the configuration.
Signed-off-by: Michal Hrusecky <michal.hrusecky@turris.com>
bugfix: domain names bypass
rename config file
update Makefile
updated README link
updated shellcheck compatibility
support for 21.02.0-rc2 and later
updated code for interface triggers
add newline to test.sh
Signed-off-by: Stan Grishin <stangri@melmac.net>
- Bump yggdrasil-go version to v0.4.0
- Update ygguci tool for compatibility with the new yggdrasil-go version
- Yggdrasil's config file is now generated in a separate command before running the daemon
Signed-off-by: George Iv <zhoreeq@users.noreply.github.com>
This matches an ipv4 change in 21f5cdd2fa and has the same rationale.
Google requires https for both ipv6 and ipv6.
Signed-off-by: Scott Lamb <slamb@slamb.org>
A simple DNS proxy server that supports all existing DNS protocols
including DNS-over-TLS, DNS-over-HTTPS, DNSCrypt, and DNS-over-QUIC.
Moreover, it can work as a DNS-over-HTTPS, DNS-over-TLS or
DNS-over-QUIC server.
For documents, see https://github.com/AdguardTeam/dnsproxy.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
A simple command line utility to make DNS lookups. Supports all known
DNS protocols: plain DNS, DoH, DoT, DoQ, DNSCrypt.
For documents, see https://github.com/ameshkov/dnslookup.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
mdio is a low-level Linux debug tool for communicating with devices attached an MDIO bus. It improves on existing tools in this space in a few important ways:
MDIO buses are directly addressable. Previous solutions relied on at least one Ethernet PHY on the bus being attached to a net device, which is typically not the case when the device is an Ethernet switch for example.
Complex operations can be performed atomically. The old API only supported a single read or write of a single register. mdio sends byte code to the mdio-netlink kernel module that can perform multiple operations, store intermediate values, loop etc. As a result, things like read/mask/write operations and accesses to paged PHYs can be performed safely.
Signed-off-by: Damien Mascord <tusker@tusker.org>
User that don't control both OpenVPN client and server
might still need LZO support, so keep it enable by default for at least
OpenSSL variant.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
The commit updating the seccomp filter didn't bump PKG_RELEASE.
Do that now.
Fixes: 1141ee1e5 ("transmission: add new syscalls to seccomp filter)"
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Testing showed that additional syscalls are needed on ARMv7.
Add "getegid32", "geteuid32", "getgid32" and "getrandom" as they are
all innocent.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
555268b ubus: filter neighbors by SSID when preparing nr
3db9607 data storage: match SSID when searching ap entry
a22f5a7 storage: ensure SSID strings are NULL-terminated
Signed-off-by: Nick Hainke <vincent@systemli.org>
Makefile changes include:
* Remove USE_UCLIBC, as uclibc is no longer supported
* Package output modules
* Move main binary (back) to /usr/sbin, as it is system administration
related and requires superuser privileges
New patches:
* 003-add-space-for-null-byte.patch - from
374cfd2cab
* 004-more-specific-library-linking.patch - from
27b57d9da3
* 005-use-c99-format-macro-constants.patch - from
https://github.com/fln/addrwatch/pull/28
Init script changes include:
* Change from explicit disable to explicit enable, so that the service
is disabled by default and on first install
* Set config option default values to default values of the main binary
* Fix command-line option names and format (from
https://forum.openwrt.org/t/cant-start-addrwatch-service/60499/3)
* Always use the --quiet command-line option, as the procd instance is
not configured to capture stdout/stderr
* Change the syslog config option to start the syslog output module
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Until now the additional tables listed in gobal 'rt_table_lookup' were
not considered for interfaces.
In order to be able to also use interface-defined routes from tables
other than main, consider also tables listed in 'rt_table_lookup'.
Update version to 2.10.10 as requested by maintainer.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* add a tcpdump option to resolve IPs in adblock reporting,
set 'adb_represolve' accordingly (disabled by default). If enabled
tcpdump will perform a reverse DNS (PTR) lookup for each IP address
* add 'stalkerware' source (provided by @astryzia)
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
This option sets the interface of the policy.
Also from Vincent Wiemann <vincent.wiemann@ironai.com>.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Use list's where appropriate for multi-value config variables.
Forbid absolute/relative paths for certificate and key files.
Get rid of last remnants of left/right naming.
Factor invariant code paths.
Drop redundant secrets.rsa.filename section.
Thanks to Vincent Wiemann <vincent.wiemann@ironai.com> for calling
out many of these improvements.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
We enable the option by default, but do not depend on the kernel modules
required for L2TP offloading to avoid wasting space when the feature is
not needed. To use offloading, kmod-l2tp-eth must be installed.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
The UMAC-based methods provide higher performance than GMAC and aren't
suspectible to timing attacks when implemented in software (which is
always the case on OpenWrt, as OpenSSL support is disabled). Disable
GMAC by default to save a few KiB.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Switch to AUTORELEASE to avoid bumping PKG_RELEASE all the time.
Run shell scripts through shfmt -w -ci -bn -sr -s in order to have a
standard style.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Give this package more love by adopting it :)
Changes since 1.4.1-4:
* change maintainer to me
* update to 1.4.3
+ add example config files sockd.conf and socks.conf
+ add service file for sockd
* update 200-fix-RTLD_NEXT.patch
- remove merged 210-deactivate-sched_setscheduler.patch
* fix Autoconf build file
Signed-off-by: David Yang <mmyangfl@gmail.com>
Add limited procd support to handle config reload
Option drop_unknown_ports can be used to ensure that only configured ports
are part of the bridge
Signed-off-by: Felix Fietkau <nbd@nbd.name>
As a daemon service, respawn is expected by default, and we have that
facility available via procd.
Suggested-in: https://github.com/openwrt/packages/pull/15272
Signed-off-by: Karl Palsson <karlp@etactica.com>
If pppoe is used for wan access. script set 'eth1' as interface for curl
call. The correct interface is however 'pppoe-wan'.
The script uses 'network_get_physdev' function to get real device for
bind_network but this is wrong. We need instead the l3_device of the the
logical interface.
In case if we don't use pppoe connection - 'l3_device' is equal to real device.
This was reported by the github user `welderpb` with P/R:
https://github.com/openwrt/packages/pull/14431
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The chrony interface hotplug script reuses the handle_allow function
from the init script to allow NTP access on interfaces specified in uci.
The function requires /lib/functions/network.sh. Include the file in the
hotplug script to make the function work as expected.
Signed-off-by: Miroslav Lichvar <mlichvar0@gmail.com>
Fix a possible security issue with OpenSSL config autoloading on Windows (CVE-2021-3606).
Include a number of small improvements and bug fixes.
remove upstreamed: 115-fix-mbedtls-without-renegotiation.patch
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
There were closing curly braces missing and it was checking for empty
strings while it should have been checking for non-empty strings.
Signed-off-by: Vincent Wiemann <vincent.wiemann@ironai.com>
Variables set in config_ipsec() need to be shared with do_postamble()
function, so change scoping to parent (prepare_env()).
Also, remove unused settings like "remote_sourceip", "reqid", and
"packet_marker".
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Link to abandoned packages PR: https://github.com/openwrt/packages-abandoned/pull/18
AppleShare products have been unused for a while now (since Mac OS 9.2.2)
around 2002.
So, there should be fewer users requiring this package.
Last update of netatalk was in December 2018. Not sure if newer updates
will be created.
It's time to cut the cord on our end and move it to the abandoned packages.
Info: https://en.wikipedia.org/wiki/AppleShare
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Support for wolfSSL has been upstreamed to the master OpenVPN branch
in f6dca235ae560597a0763f0c98fcc9130b80ccf4 so we can use wolfSSL
directly in OpenVPN. So no more needed differnt SSL engine for OpenVPN
in systems based on wolfSSL library
Compiled && tested on ramips/mt7620, ramips/mt7621
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
configure script looks for host ssh. Just pass the configure variable
directly. --with-ssh doesn't work.
Also get rid of custom Compile section. It's not needed.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* fix a small json syntax issue in adblock.sources
* add easylist addon to reg_fr source
* add switch 'adb_fetchinsecure' to allow insecure downloads
without certificate check (disabled by default)
* better explain 'adb_fetchparm' in readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
This is a security and bugfix release.
Full release notes: https://mosquitto.org/blog/2021/06/version-2-0-11-released/
Fixes a remotely triggered memory leak
Fixes broker reconnections in certain failure situations
Fixes (non-standard) qos0 queuing
Signed-off-by: Karl Palsson <karlp@etactica.com>
Isochronous round trip time tool.
Useful for measuring one-way send or recv delay between hosts,
among other things.
Signed-off-by: Marcel Vital <ralmina@tuta.io>
Remove myself as maintainer from PowerDNS Related packages and add
Peter van Dijk from PowerDNS as the new maintainer
Signed-off-by: James Taylor <james@jtaylor.id.au>
ipsec uses starter, and reads /etc/ipsec.conf (which then includes
/var/ipsec/ipsec.conf, etc). This is overly complicated, and can
be problematic if you're using both swanctl and ipsec for migration.
Running charon directly from procd via the init.d script avoid
all of this.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Seeing the following error when running 'make defconfig':
tmp/.config-package.in:69874:warning: multi-line strings not supported
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Sierra Wireless modems need the string '$GPS_START' to be sent to the
GPS tty device as only then the modem firmware starts emitting
NMEA-0183 sentences.
Add an option 'sierragpsstart' to kplex' serial driver to support that
quirk as kplex can be very useful to spread GPS data over the network
while also supplying 'ugps' using a PTY, allowing for correct system
time to be set automatically on boot up from GPS.
This patch is also PR'ed at the upstream project:
https://github.com/stripydog/kplex/pull/54
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fixes the build problem below.
Package miniupnpd is missing dependencies for the following libraries:
libmnl.so.0
libnetfilter_conntrack.so.3
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
- New upstream major release with tons of new features and LTS (see: https://www.haproxy.com/blog/announcing-haproxy-2-4/)
- Update haproxy download URL and hash
- Activate promtheus exporter support the new way (using USE_PROMEX=1)
- Cleaned up haproxy-specific CFLAGS
- Changed the halog build to make use of the new Makefile target (admin/halog/halog)
Signed-off-by: Christian Lachner <gladiac@gmail.com>
Rrsync is a perl script that is supplied as an extra with the rsync program.
It must be used in conjunction with openssh-server or openssh-server-pam
as it requires ~/.ssh/authorized_keys which is not supported by dropbear.
Rrsync allows selective access to subdirectories in either read-only, write-only or read-write,
depending on settings in authorized_keys. This allows for safe, restrictive access.
It's particularly useful for automated backup purposes.
An example usage would be this entry:
command="/usr/bin/rrsync -ro /home" <public key here>
This would allow a system connecting with this public key to be able to rsync FROM the
/home directory tree only. It could not write to this directory, nor read from any other directory.
Signed-off-by: Matt Reeve <matt@mreeve.com>
Recreate symbolic link if it's missing after a sysupgrade with a private and public key present in /etc/atlas/
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
* Create working directory when it is not present. Apparently
some recent change made adguardhome fail to start when working
directory is missing.
* Full changelog available at:
* https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.106.1
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
* fix pid file processing of the background monitor plus child
processes (bug reported in the forum)
* made the enabled/disabled switch of the background monitor functional
Signed-off-by: Dirk Brenken <dev@brenken.org>
Samplicator receives UDP datagrams on a given port and resends those
datagrams to a specified set of receivers.
Use Cases:
- replicate Flow Samples to multiple receivers
- use with conntrackd to synchronize via unicast to multiple targets
Signed-off-by: Nick Hainke <vincent@systemli.org>
In the procd refactor, support for interfaces with no tracking IPs was
inadvertentiy removed. This commit restores the previous behavior
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Fixes the following security issues:
* CVE-2021-25215 - named crashed when a DNAME record placed in the ANSWER
section during DNAME chasing turned out to be the final
answer to a client query.
* CVE-2021-25214 - Insufficient IXFR checks could result in named serving a
zone without an SOA record at the apex, leading to a
RUNTIME_CHECK assertion failure when the zone was
subsequently refreshed. This has been fixed by adding an
owner name check for all SOA records which are included
in a zone transfer.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
Using `$(INSTALL_CONF)` will cause the program has no access to
configurations file when someone enabled the selinux support.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Xray now is no longer planning to keep compatibility with original
v2ray. Remove PROVIDES before it is totally broken.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
From mosquitto 2.x, port became optional and deprecated in the config,
and it was recommended that listeners be used instead. Drop the hard
requirement in our config conversion script.
Reported in: https://github.com/openwrt/packages/issues/15506
Signed-off-by: <karlp@etactica.com>
Maintainer: @neheb / @BKPepe / @zhanhb
Compile tested: ipq806x, generic, netgear_r7800, master
Run tested: ipq806x, generic, netgear_r7800, openwrt-19.07
Description:
Squid now only support HTTPS proxy in TCP tunnel mode (e.g. `ssl_bump splice all`):
https_port 3128 ssl-bump tls-cert=/etc/squid/squid.pem generate-host-certificates=on
ssl_bump splice all
In order to operate in SSL Bump mode, we need to compile with `--enable-ssl-crtd` for following configuration:
https_port 3128 ssl-bump tls-cert=/etc/squid/squid.pem generate-host-certificates=on
sslcrtd_program /usr/lib/squid/security_file_certgen -s /car/cache/squid/ssl_db -M 4MB
ssl_bump stare all
ssl_bump bump all
This PR switch the `SQUID_enable-ssl-crtd` into `default y`, therefore default enable SSL Bump mode.
Signed-off-by: Wong Hoi Sing Edison <hswong3i@pantarei-design.com>
Staging certificates have the advantage that their retry limits are loose.
Therefore they can be obtained quickly when automatic retries are used.
Unfortunately they can not be used for deployments because their CA is not
accepted by clients. Production certificates do not have this limitation, but
their retry limits are strict. For production certificates, automatic retries
can only be performed a few times per hour. This makes automatic obtainment of
certificates tenacious.
With use_auto_staging=1, the advantages of the two certificate types are
combined. Uacme will first obtain a staging certificate. When the staging
certificate is successfully obtained, uacme will switch and obtain a production
certificate. Since the staging certificate has already been successfully
obtained, we can ensure that the production certificate is successfully
obtained in the first attempt. This means that "retries" are performed on the
staging certificate and the production certificate is obtained in the first
attempt.
In summary, this feature enables fast obtaining of production certificates when
automatic retries are used.
By default, this feature is set to use_auto_staging=0, which means that
uacme will behave as before by default.
Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
With this commit, issue_cert() can be called multiple times alternating
between staging and production certificates within a script.
Before this commit, the production state dir was stored in $STATE_DIR.
But in the case of $use_staging=1, this variable was overwritten in
issue_cert() with $STAGING_STATE_DIR. This made it impossible to call
issue_cert() with $use_staging=0 afterwards. Now the production state
dir is stored in $PRODUCTION_STATE_DIR. This way it is not overridden
anymore and issue_cert() can be called multiple times alternating with
production and staging.
Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
The get_bool() functionality was already merged to lib/functions.sh, so
it is redundant in the init script. Remove it.
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
- ignore Content-Length from backend if 101 Switching Protocols
- close HTTP/2 connection after bad password
- skip cert chain build for self-issued certs
- meson zstd fix
- ls-hpack upstream update
- discard some HTTP/2 DATA frames received after response
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
- Exit start if a probe_key is not present
- Add create_key command to generate a private_key based on the provided username in the atlas config.
- Add registration instruction in /etc/atlas
- Rework script to save probe_key on sysupgrade (the key are now adviced to be placed in the /etc/atlas dir and a link is used to make them accessible in the atlas-sw-scripts etc dir)
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
* lots of fixes for many subsystems
* new messenger group chat service
* 'abd' temporarily removed due to upstream issue
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fixes two related security vulnerabilities (CVE-2020-15078) which
under very specific circumstances allow tricking a server using delayed
authentication (plugin or management) into returning a PUSH_REPLY before
the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup. In combination with "--auth-gen-token" or
a user-specific token auth solution it can be possible to get access to
a VPN with an otherwise-invalid account.
OpenVPN 2.5.2 also includes other bug fixes and improvements.
Add CI build test script.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* add a "whitelist only" mode, this option allows to restrict Internet
access from/to a small number of secure websites/IPs, and block access
from/to the rest of the Internet.
Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is largely based on the work from Daniel Dickinson in
PR #2096 which was never merged. I tweaked it in a number of ways.
All bugs with this package are mine, not his.
Signed-off-by: Aaron Curley <accwebs@gmail.com>
* support the RPZ trigger 'RPZ-CLIENT-IP' to always allow/block certain
clients based on their IP (currently only supported by bind!)
* avoid promiscuous mode in tcpdump setup for adblock reporting
* speed up dns report preparation
* support dns report mailing (/etc/init.d/adblock report mail)
* fix bind autodetection
* update LuCI-frontend (separate PR)
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
NLS means Native Language Support and when you have it enabled (it is
not default), clamav can not be compiled as it shows following error:
Package clamav is missing dependencies for the following libraries:
libiconv.so.2
Also, it is required that package libiconv-full is compiled first/before
than clamav and then try to compile clamav.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
/etc/profile.d/50-openvpn-easy-rsa.sh was not listed as configfile
and changes were lost during upgrades.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
libseccomp can't be built on ARC, so we must disable the option here as
well. A different fix was first proposed by @zxlhhyccc in #15377.
Fixes: #15313
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Add patch fixing compilation without deprecated OpenSSL APIs.
Fix installation. This never worked as the section was misnamed.
Updated tool names.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
chacha20policy1305 is also an AEAD cipher, and hence does not
permit a hash algorithm.
Fixes issue #15397.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This patch prevents multiple cron jobs from being created to run the
safe-search-maintenance script.
To reproduce this bug, perform the following:
- Install safe-search
- Perform an OpenWRT firmware upgrade (choose to preserve user settings)
- Install safe-search again
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
The strongswan-libnttfft package should not select the strongswan
package, but should depend on it instead. Otherwise a circular
dependency is created.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Rework the bonding.sh protocol handler to accept slave interface names
encoded in uci list notation. Also replace ifconfig up/down with ip
link calls while we're at it.
Fixes: #11455
Fixes: https://github.com/openwrt/luci/issues/4473
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
MacOS ignores Bonjour services for which TXT records are not returned. This changes forces umdns service to return a TXT record (`daemon=ksmbd`) for the ksmbd service. The exact content is unimportant and to the best of my knowledge nothing reads the `daemon` tag.
Symptoms of the problem (which are also debugging steps):
* Finder refuses to open the OpenWRT "computer" in the Network list.
* Discovery.app (Bonjour Browser) lists the _ssh._tcp service, but the submenu for it doesn't unfold and no address is shown.
* `dns-sd -L OpenWrt _smb._tcp` doesn't return any address.
Signed-off-by: Kirill Nikolaev <cyril7@gmail.com>
This is a security fix, affecting 2.0.0 through to 2.0.9. Mosquitto instances
could be remotely DoS'd by authenticated clients.
Release notes at: https://github.com/eclipse/mosquitto/blob/v2.0.10/ChangeLog.txt
CVE number has not yet been assigned.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Prior to this commit, the acme service attempted to obtain certificates
once and then terminated, regardless of whether the certificate could be
obtained or not. This commit introduces a new uci option "retries" to
the "certificate" section. If this option is set to N, the acme service
will attempt to obtain the certificate up to N times before terminating.
There is a waiting pause between the retries to comply with the rate
limits of Let'sEncrypt.
The waiting pause is:
- 2 minutes for staging certificates
- 24 minutes for production certificates
The current "Failed Validation" rate limits of Let'sEncrypt are:
- staging: 60 per hour -> 1 failure every 1 minute in avg.
- production: 5 per hour -> 1 failure every 12 minutes in avg.
This means that we are within rate limits by a factor of two.
By default the option "retries" is set to "1", which means that acme
behaves as before by default. If the variable is set to "0", infinite
retries are performed.
This feature is helpful, when you already want to initiate the
certificate request, but you are still waiting for your dns server to be
configured, your network to appear or other conditions.
Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
Before this commit, issue_cert always returned 1 no matter if uacme
returned 1, 2, 3, ... With this commit, the return code of the uacme
binary is propagated. Therefore the caller of issue_cert can
differentiate between "no renew necessary" and "an error occurred".
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
With this commit, the run-acme script can be included into other scripts
by setting INLCUDE_ONLY=1.
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
Derived from the ipsec initd script, with the following changes:
(1) various code improvements, corrections (get rid of left/right
updown scripts, since there's only one), etc;
(2) add reauth and fragmentation parameters;
(3) add x.509 certificate-based authentication;
and other minor changes.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
netifyd supports a '-F' filter option in 'bpf' notation to filter
packets from its consideration.
Add support for a uci 'filter' option. eg. filter to exclude SSDP
multicasts from a particularly noisy device:
option filter 'not (udp and dst 239.255.255.250 and dst port 1900 and src 192.168.1.5)'
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Even it's only cosmetic and should not affect the function of regular system,
fix the name of the IPKG_INSTROOT variable.
Typo was added long ago with 8400c9a6ec.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
