The default 'timeout' value is 30 seconds when calling an mmcli action. That
is too long. For this reason, the mmcli 'timeout' option is specified for
calls and the value is set to 10 seconds.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* fixed a JSON reporting issue (when the map and NFT counters are disabled)
* optimized the getfetch function call within the reporting function
* removed the stale IPv6 links in the becyber feed
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
* added a geoIP Map to show home IPs and potential attacker IPs on a leafletjs based map
* significantly improved the reporting performance on multicore hardware
* removed aria2 support (it doesn't support post data requests)
* removed the following outbound feeds due to too many false positives:
adaway, adguard, adguardtrackers, antipopads, oisdbig, oisdnsfw, oisdsmall, stevenblack and yoyo
* renamed the banIP command "survey" to "content"
* various other small tweaks
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
This requires backporting two upstream commits to avoid a segfault
due to the /etc/iproute2/rt_addrprotos.d and
/usr/share/iproute2/rt_addrprotos.d directories not existing on OpenWrt,
and the following compile error:
In file included from /home/stijn/Development/OpenWrt/openwrt/staging_dir/toolchain-powerpc64_e5500_gcc-13.3.0_musl/include/net/ethernet.h:10,
from vrrp.c:44:
/home/stijn/Development/OpenWrt/openwrt/staging_dir/toolchain-powerpc64_e5500_gcc-13.3.0_musl/include/netinet/if_ether.h:115:8: error: redefinition of 'struct ethhdr'
115 | struct ethhdr {
| ^~~~~~
In file included from vrrp.c:43:
/home/stijn/Development/OpenWrt/openwrt/staging_dir/toolchain-powerpc64_e5500_gcc-13.3.0_musl/include/linux/if_ether.h:173:8: note: originally defined here
173 | struct ethhdr {
| ^~~~~~
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
1) Fixed a bug that not all routers were deleted.
2) Log updated.
3) The "output" option has been removed from the service, it is now /tmp/antiblock
Signed-off-by: Khachatryan Karen <karen0734@gmail.com>
Verbatim copy from upstream's release notes:
Notes for BIND 9.20.7
- New Features
- Implement the min-transfer-rate-in configuration option.
- A new option min-transfer-rate-in has been added to the view and zone configurations. It can abort incoming zone transfers that run very slowly due to network-related issues, for example. The default value is 10240 bytes in five minutes. [GL #3914]
- Add HTTPS record query to host command line tool.
- The host command was extended to also query for the HTTPS RR type by default.
- Implement sig0key-checks-limit and sig0message-checks-limit.
- Previously, a hard-coded limitation of a maximum of two key or message verification checks was introduced when checking a message’s SIG(0) signature, to protect against possible DoS attacks. Two as a maximum was chosen so that more than a single key should only be required during key rotations, and in that case two keys are enough. It later became apparent that there are other use cases where even more keys are required; see the related GitLab issue for examples.
- This change introduces two new configuration options for the views: sig0key-checks-limit and sig0message-checks-limit. They define how many keys can be checked to find a matching key, and how many message verifications are allowed to take place once a matching key has been found. The former provides slightly less “expensive” key parsing operations and defaults to 16. The latter protects against expensive cryptographic operations when there are keys with colliding tags and algorithm numbers; the default is 2. [GL #5050]
- Bug Fixes
- Fix dual-stack-servers configuration option.
- The dual-stack-servers configuration option was not working as expected; the specified servers were not being used when they should have been, leading to resolution failures. This has been fixed. [GL #5019]
- Fix a data race causing a permanent active client increase.
- Previously, a data race could cause a newly created fetch context for a new client to be used before it had been fully initialized, which would cause the query to become stuck; queries for the same data would be either paused indefinitely or dropped because of the clients-per-query limit. This has been fixed. [GL #5053]
- Fix deferred validation of unsigned DS and DNSKEY records.
- When processing a query with the “checking disabled” bit set (CD=1), named stores the invalidated result in the cache, marked “pending”. When the same query is sent with CD=0, the cached data is validated and either accepted as an answer, or ejected from the cache as invalid. This deferred validation was not attempted for DS and DNSKEY records if they had no cached signatures, causing spurious validation failures. The deferred validation is now completed in this scenario.
- Also, if deferred validation fails, the data is now re-queried to find out whether the zone has been corrected since the invalid data was cached. [GL #5066]
- Fix RPZ race condition during a reconfiguration.
- With RPZ in use, named could terminate unexpectedly because of a race condition when a reconfiguration command was received using rndc. This has been fixed. [GL #5146]
- “CNAME and other data check” not applied to all types.
- An incorrect optimization caused “CNAME and other data” errors not to be detected if certain types were at the same node as a CNAME. This has been fixed. [GL #5150]
- Relax private DNSKEY and RRSIG constraints.
- DNSKEY, KEY, RRSIG, and SIG constraints have been relaxed to allow empty key and signature material after the algorithm identifier for PRIVATEOID and PRIVATEDNS. It is arguable whether this falls within the expected use of these types, as no key material is shared and the signatures are ineffective, but these are private algorithms and they can be totally insecure. [GL #5167]
- Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse().
- Previously, when parsing responses, named incorrectly rejected responses without matching RRSIG records for NSEC/DS/NSEC3 records in the authority section. This rejection, if appropriate, should have been left for the validator to determine and has been fixed. [GL #5185]
- Fix TTL issue with ANY queries processed through RPZ “passthru”.
- Answers to an “ANY” query which were processed by the RPZ “passthru” policy had the response-policy’s max-policy-ttl value unexpectedly applied. This has been fixed. [GL #5187]
- dnssec-signzone needs to check for a NULL key when setting offline.
- dnssec-signzone could dereference a NULL key pointer when resigning a zone. This has been fixed. [GL #5192]
- Fix a bug in the statistics channel when querying zone transfer information.
- When querying zone transfer information from the statistics channel, there was a rare possibility that named could terminate unexpectedly if a zone transfer was in a state when transferring from all the available primary servers had failed earlier. This has been fixed. [GL #5198]
- Fix assertion failure when dumping recursing clients.
- Previously, if a new counter was added to the hash table while dumping recursing clients via the rndc recursing command, and fetches-per-zone was enabled, an assertion failure could occur. This has been fixed. [GL #5200]
- Dump the active resolver fetches from dns_resolver_dumpfetches()
- Previously, active resolver fetches were only dumped when the fetches-per-zone configuration option was enabled. Now, active resolver fetches are dumped along with the number of clients-per-query counters per resolver fetch.
Notes for BIND 9.20.6
- New Features
- Adds support for EDE code 1 and 2.
- Support was added for EDE codes 1 and 2, which might occur during DNSSEC validation in the case of an unsupported RRSIG algorithm or DNSKEY digest. [GL #2715]
- Add an rndc command to toggle jemalloc profiling.
- The new command is rndc memprof; the memory profiling status is also reported inside rndc status. The status shows whether named can toggle memory profiling, and whether the server is built with jemalloc. [GL #4759]
- Add support for multiple extended DNS errors.
- The Extended DNS Error (EDE) mechanism may raise errors during a DNS resolution. named is now able to add up to three EDE codes in a DNS response. If there are duplicate error codes, only the first one is part of the DNS response. [GL #5085]
- Print the expiration time of stale records.
- BIND now prints the expiration time of any stale RRsets in the cache dump.
- Bug Fixes
- Recently expired records could be returned with a timestamp in future.
- Under rare circumstances, an RRSet that expired at the time of the query could be returned with a TTL in the future. This has been fixed.
- As a side effect, the expiration time of expired RRSets is no longer returned in a cache dump. [GL #5094]
- YAML string not terminated in negative response in delv.
- [GL #5098]
- Fix a bug in dnssec-signzone related to keys being offline.
- When dnssec-signzone was called on an already-signed zone and the private key file was unavailable, a signature that needed to be refreshed was dropped without being able to generate a replacement. This has been fixed. [GL #5126]
- Apply the memory limit only to ADB database items.
- Under heavy load, a resolver could exhaust the memory available for storing the information in the Address Database (ADB), effectively discarding previously stored information in the ADB. The memory used to retrieve and provide information from the ADB is no longer subject to the same memory limits that are applied to the Address Database. [GL #5127]
- Avoid unnecessary locking in the zone/cache database.
- Lock contention among many worker threads referring to the same database node at the same time is now prevented. This improves zone and cache database performance for any heavily contended database nodes. [GL #5130]
- Fix reporting of Extended DNS Error 22 (No Reachable Authority).
- This error code was previously not reported in some applicable situations. This has been fixed. [GL #5137]
Compile tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09
Compile tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09
Compile tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09
Run tested: x86/64, QEMU Standard PC (Q35 + ICH9, 2009), r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: ath79/generic, TP-Link Archer C7 v4, r29064-696ad7b1aa09, booted and used for 7h without issues
Run tested: realtek/rtl838x, Netgear GS108T v3, r29064-696ad7b1aa09, booted and used for 7h without issues
Signed-off-by: Pascal Ernster <git@hardfalcon.net>
1) Added the ability to route different domains through different gateways, up to 32 routes.
2) The program has been switched from proxying mode to sniffer mode.
3) Blacklist has been added so that the specified subnets are not added to the routing table.
Signed-off-by: Khachatryan Karen <karen0734@gmail.com>
The '--enable-http-auth' compile option in cURL is used to enable support
for HTTP authentication methods. This option allows cURL to handle various
authentication schemes, such as Basic, Digest, NTLM, and others, which
are commonly used in HTTP requests to secure access to resources.
This cURL compile option is default disabled. This should at least be enabled
as a compile option in OpenWrt so that it can be switched on if needed.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If you run the arp-scan tool cyclically, the kernel messages for
promiscuous mode are very annoying.
This backports an upstream patch to disable the unnecessary promiscuous
mode in arp-scan.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* fix a race condition in the process scheduler
* sync the banIP country file with ipdeny feed
* refine etag handling with country/asn feeds
* refine logging with country/asn feeds
* refine the banIP status output (incl. LuCI changes)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fix an out of bound error reported in the forum
* set always a default for "adb_dnsdir" to prevent cornercase issues
Signed-off-by: Dirk Brenken <dev@brenken.org>
Linking conserver with FreeIPMI enables it to manage
serial-over-LAN (SOL) consoles in addition to the already
supported tty and tcp/telnet consoles.
The FreeIPMI library is huge. Adding a separate package
variant for this feature.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
This reverts commit 7fdb92b59a.
Now that the actual issue has been found and fixed, this is incorrect
so revert it.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Currently, we are using Download recipes to download the various modules,
however we are using then with PROTO:=git but SOURCE_VERSION is not set,
only VERSION variable so thus the dl_github_archive.py scripts gets called
with --version="" instead of being actually passed the desired commit hash
and thus actually the git head is fetched.
This explains why currently buildbots are failling with
nginx-mod-njs/104-endianness_fix.patch failling to apply since buildbots
are using prepackaged tarballs which are different than what we get when
manually building.
So, lets set SOURCE_VERSION to make sure we actually fetch the desired
git commit hash.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Add "option tcp_ip '0.0.0.0'" to config.
Changelog:
62688e4 tcpsocket: add option to bind to specific ip
be63ed4 ubus: actually deny association when no probe entry is found
6361df6 datastorage: fix debug message regarding client kick condition
af593cc ci: fix and improve ci
Signed-off-by: Nick Hainke <vincent@systemli.org>
Script will exit when an error occurred.
Modify write_log 14 to write_log 4,
write_log 14 and write_log 4 can also print the same message,
but write_log 14 will exist script when printed.
Signed-off-by: Lehua Zhang <sxlehua@qq.com>
* optimized uci config processing (list options)
* optimized icmp rules in pre-routing (thanks @brada)
* set inbound marker in pre-routing only if inbound logging is enabled (fixes#26044)
* fix cornercase in Set removal function
* print chain-, set- and rules-counter in the banIP status
* clean up logging und download queue handling
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Currently, the 104-endianness_fix.patch does not apply, so lets manually
refresh it to apply and thus fix buildbot nginx builds.
Signed-off-by: Robert Marko <robimarko@gmail.com>
This change introduces an optional configuration
of the netifd integration in the ModemManager package.
When disabled, it removes the NETIFD dependency and
other unwanted components from the root filesystem
during the build phase.
Additionally, in the modemmanager.common the netifd-proto.sh
inclusion line can be savely removed as there is no usage
of it in its functions.
Signed-off-by: Gilles Lenaerts <gilles.lenaerts_ext@softathome.com>
* add memory measurements:
- free memory in MB (MemAvailable from /proc/meminfo)
- script run max. used RAM in MB (VmHWM from /proc/$$/status)
* removed the obsolete (domain) lookup command in init script
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
arp-scan v1.10.0 relocated mac-vendor.txt to $(sysconfdir)/$(PACKAGE)
which is /etc/arp-scan. This has been causing a file not found error.
Fixes: https://github.com/openwrt/packages/issues/26014
Signed-off-by: Chris Swan <chris@atsign.com>
This redirects the debug output to stderr, allowing `mwan3 use` to be used in
scripts without polluting stdout.
Before:
mwan3 use wan curl -fsSL https://ifconfig.co/json | jq -er '.country_iso'
jq: parse error: Invalid numeric literal at line 1, column 8
curl: (23) Failure writing output to destination, passed 389 returned 0
After:
mwan3 use wan curl -fsSL https://ifconfig.co/json | jq -er '.country_iso'
Running 'curl -fsSL https://ifconfig.co/json' with DEVICE=eth2 SRCIP=192.168.0.1 FWMARK=0x3f00 FAMILY=ipv4
DE
Signed-off-by: Philipp Schmitt <philipp@schmitt.co>
Updated and removed upstreamed patch.
Highlights relating to security:
* Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1
(inclusive) contained a logic error that allowed an on-path
attacker (a.k.a MITM) to impersonate any server when the
VerifyHostKeyDNS option is enabled. This option is off by default.
* Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
(inclusive) is vulnerable to a memory/CPU denial-of-service related
to the handling of SSH2_MSG_PING packets. This condition may be
mitigated using the existing PerSourcePenalties feature.
Both vulnerabilities were discovered and demonstrated to be exploitable
by the Qualys Security Advisory team. We thank them for their detailed
review of OpenSSH.
Full release notes: https://www.openssh.com/txt/release-9.9p2
Signed-off-by: John Audia <therealgraysky@proton.me>
This propagates the exit code of the command wrapped by `mwan3 use` and
allows for example to use `mwan3 use` in monitoring scripts.
Before change:
shell command:
mwan3 use wan false >/dev/null && echo ok || echo fail
result:
ok
After change:
shell command:
mwan3 use wan false >/dev/null && echo ok || echo fail
result:
fail
Signed-off-by: Philipp Schmitt <philipp@schmitt.co>
* No more `/sbin/uci: Invalid argument output` when set to not update
dnsmasq instances (thanks @tmcqueen-materials for investigation!)
* Do not wait for interface.up on boot, hopefully this resolves the
boot-up start for everyone
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Move working directory from `/var/adguardhome` to
`/var/lib/adguardhome`, according to Linux FHS.
Add option to store PID file, defaulting to `/run/adguardhome.pid`.
Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
* properly handle forced DNS ports <> 53,
no longer make bogus local redirects, reject them instead (fixed#25897)
* support the jail mode for smartdns
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
* optimized the f_nftload function
* reduced the prerouting priority to -175
* optimized the output of the f_survey function
* removed a needless fw4 call/check
* no longer skips regular blocklist feeds in "allowlist only" mode
* optimized init checks
* turris feed: enable IPv6 parsing, too (prvided by @curbengh)
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
If an interface that is being used (or tracked) by a VRRP instance goes to
down state, the VRRP instance(s) will, by default, immediately transition to
FAULT state, and when all relevant interfaces are back up again the VRRP
instance(s) will immediately transition to BACKUP state.
This can cause problems if interfaces are bouncing, and so delays can be
specified between the interface state change and the transition to
FAULT/BACKUP state. If the interface returns to its original state before
the delay expires, no associated VRRP instance state transition will occur.
New uci section 'interface_up_down_delay':
config interface_up_down_delays
option device <device>
option down_delay <number in seconds>
option up_delay <number in seconds>
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Florian Eckert