Linking conserver with FreeIPMI enables it to manage
serial-over-LAN (SOL) consoles in addition to the already
supported tty and tcp/telnet consoles.
The FreeIPMI library is huge. Adding a separate package
variant for this feature.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
This reverts commit 7fdb92b59a.
Now that the actual issue has been found and fixed, this is incorrect
so revert it.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Currently, we are using Download recipes to download the various modules,
however we are using them with PROTO:=git but SOURCE_VERSION is not set,
only the VERSION variable, so the dl_github_archive.py script gets called
with --version="" instead of actually being passed the desired commit hash
and thus the git head is actually fetched.
This explains why currently buildbots are failing with
nginx-mod-njs/104-endianness_fix.patch failing to apply since buildbots
are using prepackaged tarballs which are different than what we get when
manually building.
So, let's set SOURCE_VERSION to make sure we actually fetch the desired
git commit hash.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Add "option tcp_ip '0.0.0.0'" to config.
Changelog:
62688e4 tcpsocket: add option to bind to specific ip
be63ed4 ubus: actually deny association when no probe entry is found
6361df6 datastorage: fix debug message regarding client kick condition
af593cc ci: fix and improve ci
Signed-off-by: Nick Hainke <vincent@systemli.org>
Script will exit when an error occurred.
Modify write_log 14 to write_log 4,
write_log 14 and write_log 4 can also print the same message,
but write_log 14 will exit the script when printed.
Signed-off-by: Lehua Zhang <sxlehua@qq.com>
* optimized uci config processing (list options)
* optimized icmp rules in pre-routing (thanks @brada)
* set inbound marker in pre-routing only if inbound logging is enabled (fixes #26044)
* fix cornercase in Set removal function
* print chain-, set- and rules-counter in the banIP status
* clean up logging and download queue handling
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Currently, the 104-endianness_fix.patch does not apply, so let's manually
refresh it to apply and thus fix buildbot nginx builds.
Signed-off-by: Robert Marko <robimarko@gmail.com>
This change introduces an optional configuration
of the netifd integration in the ModemManager package.
When disabled, it removes the NETIFD dependency and
other unwanted components from the root filesystem
during the build phase.
Additionally, in the modemmanager.common the netifd-proto.sh
inclusion line can be safely removed as there is no usage
of it in its functions.
Signed-off-by: Gilles Lenaerts <gilles.lenaerts_ext@softathome.com>
* add memory measurements:
- free memory in MB (MemAvailable from /proc/meminfo)
- script run max. used RAM in MB (VmHWM from /proc/$$/status)
* removed the obsolete (domain) lookup command in init script
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
arp-scan v1.10.0 relocated mac-vendor.txt to $(sysconfdir)/$(PACKAGE)
which is /etc/arp-scan. This has been causing a file not found error.
Fixes: https://github.com/openwrt/packages/issues/26014
Signed-off-by: Chris Swan <chris@atsign.com>
This redirects the debug output to stderr, allowing `mwan3 use` to be used in
scripts without polluting stdout.
Before:
mwan3 use wan curl -fsSL https://ifconfig.co/json | jq -er '.country_iso'
jq: parse error: Invalid numeric literal at line 1, column 8
curl: (23) Failure writing output to destination, passed 389 returned 0
After:
mwan3 use wan curl -fsSL https://ifconfig.co/json | jq -er '.country_iso'
Running 'curl -fsSL https://ifconfig.co/json' with DEVICE=eth2 SRCIP=192.168.0.1 FWMARK=0x3f00 FAMILY=ipv4
DE
Signed-off-by: Philipp Schmitt <philipp@schmitt.co>
Updated and removed upstreamed patch.
Highlights relating to security:
* Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1
(inclusive) contained a logic error that allowed an on-path
attacker (a.k.a MITM) to impersonate any server when the
VerifyHostKeyDNS option is enabled. This option is off by default.
* Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
(inclusive) is vulnerable to a memory/CPU denial-of-service related
to the handling of SSH2_MSG_PING packets. This condition may be
mitigated using the existing PerSourcePenalties feature.
Both vulnerabilities were discovered and demonstrated to be exploitable
by the Qualys Security Advisory team. We thank them for their detailed
review of OpenSSH.
Full release notes: https://www.openssh.com/txt/release-9.9p2
Signed-off-by: John Audia <therealgraysky@proton.me>
This propagates the exit code of the command wrapped by `mwan3 use` and
allows for example to use `mwan3 use` in monitoring scripts.
Before change:
shell command:
mwan3 use wan false >/dev/null && echo ok || echo fail
result:
ok
After change:
shell command:
mwan3 use wan false >/dev/null && echo ok || echo fail
result:
fail
Signed-off-by: Philipp Schmitt <philipp@schmitt.co>
* No more `/sbin/uci: Invalid argument output` when set to not update
dnsmasq instances (thanks @tmcqueen-materials for investigation!)
* Do not wait for interface.up on boot, hopefully this resolves the
boot-up start for everyone
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Move working directory from `/var/adguardhome` to
`/var/lib/adguardhome`, according to Linux FHS.
Add option to store PID file, defaulting to `/run/adguardhome.pid`.
Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
* properly handle forced DNS ports <> 53,
no longer make bogus local redirects, reject them instead (fixed #25897)
* support the jail mode for smartdns
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
* optimized the f_nftload function
* reduced the prerouting priority to -175
* optimized the output of the f_survey function
* removed a needless fw4 call/check
* no longer skips regular blocklist feeds in "allowlist only" mode
* optimized init checks
* turris feed: enable IPv6 parsing, too (provided by @curbengh)
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
If an interface that is being used (or tracked) by a VRRP instance goes to
down state, the VRRP instance(s) will, by default, immediately transition to
FAULT state, and when all relevant interfaces are back up again the VRRP
instance(s) will immediately transition to BACKUP state.
This can cause problems if interfaces are bouncing, and so delays can be
specified between the interface state change and the transition to
FAULT/BACKUP state. If the interface returns to its original state before
the delay expires, no associated VRRP instance state transition will occur.
New uci section 'interface_up_down_delay':
    config interface_up_down_delays
        option device <device>
        option down_delay <number in seconds>
        option up_delay <number in seconds>
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* Improve verbose output on start
* Allow to not create ip rule for WG server
* Improve boot up start (take 2)
* Improve verbose output when setting triggers
* Override DNS hijack with DNS policies from pbr
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* bugfix: working start on boot when interfaces are up
(thanks @tmcqueen-materials and @b1ackbeat)
* improvement: better output when setting triggers on start
Signed-off-by: Stan Grishin <stangri@melmac.ca>
If the modem loses the connection, an attempt is made to re-establish the
connection via the report-down script.
Until now, the modem was disabled when the modem processed the teardown of
the modemmanager protohandler. The immediate up events of netifd re-enable
the modem right away. This takes time, which is not necessary.
This commit changes the behavior so that the modem is not disabled when
the modemmanager is disconnected via the report-down script.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
v0.23.0 (tagged as v0.23.1)
- Add GNUNET_CONFIGURATION_set_value_float
- util: Float configuration values are no longer locale-dependent, but instead must always be in LC_NUMERIC=C format
- GNUNET_DISK_internal_file_handle_ changed to always return int
- Reworked ProjectData handling; Now required as input for various API calls.
v0.22.2:
- GNUNET_STRINGS_get_utf8_args removed.
- Removed unsafe and unused functions for 2d/3d array allocation.
v0.22.1:
- Update HELLO files for new bootstrap peer
- Fix regression in DHT Bloom filter
- Fix long-standing regression in HELLO URI expirations
v0.22.0:
- New logging API to print/parse hex bytes
- Added RFC9180 HPKE and associated KEMs
- Replace oneshot PKE and KEM APIs with HPKE
- New Elligator KEM
- Namestore API allows multiple records to be inserted in a single transaction (if plugin supports this)
- New ECDH API that uses KDFs instead of hash
- Renamed GNUNET_CRYPTO_hkdf to GNUNET_CRYPTO_hkdf_gnunet
- Added new standard SHA256-based HKDF APIs
- New hostlist bootstrap domain https://bootstrap.gnunet.org
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Updated hashmap version.
In the code, almost all the url words have been replaced with domain.
Fixed a bug in the service of getting gateway from VPN name.
Signed-off-by: Khachatryan Karen <karen0734@gmail.com>
This commit adds support for folder synchronization.
An example is in the 810-files file where it is explained how to
synchronize all hotplug files of keepalived.
Signed-off-by: Francesco Benini <francy.benini@gmail.com>
DigitalOcean API requires a "type" JSON field to update a DNS
record. This adds that while checking for IPv6 to change which
record type to use. Without it, the API call fails, making
the script unable to update the DNS records for DigitalOcean.
Signed-off-by: Adam Beck <subcursion@gmail.com>
The hotplug scripts are called with every state change. When called, the
scripts are processed under '/etc/hotplug.d/keepalived'. This change adds
the functionality that the last state change of the keepalived can be
queried via the ubus.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* fixed the incomplete rule maintenance during banIP reloads
* fixed the Set query function (if the Set counters are disabled)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Small version includes only AFP file sharing to minimize size.
Base version adds AppleTalk. This matches the contents of the
existing package.
Full version includes everything that OpenWrt can support and
configuration option for build system (menuconfig).
Signed-off-by: Antonio Pastor <antonio.pastor@gmail.com>
Changelog: https://github.com/snort3/snort3/releases/tag/3.6.2.0
% snort --version
,,_ -*> Snort++ <*-
o" )~ Version 3.6.2.0
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.18
Using Hyperscan version 5.4.2 2025-01-28
Using libpcap version 1.10.5 (with TPACKET_V3)
Using LuaJIT version 2.1.0-beta3
Using LZMA version 5.6.2
Using OpenSSL 3.0.15 3 Sep 2024
Using PCRE2 version 10.42 2022-12-11
Using ZLIB version 1.3.1
Signed-off-by: John Audia <therealgraysky@proton.me>
* improvement: Makefile: prepend `r` to PKG_RELEASE in binary and init script versions to match package version
* bugfix: init script: more reliable/robust start on boot
* improvement: init script: more compact output()
* improvement: init script: better DNS Hijack login
* improvement: init script: fold some dnsmasq-related functions into dhcp_backup()
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* support smartdns as dns backend
* support top level domains in local white- and blacklist,
e.g. a 'de' in the blacklist blocks all domains with a German tld
and the tld compression removes all subdomains from the final blocklist
Signed-off-by: Dirk Brenken <dev@brenken.org>
The -r option is not required here but should also not hurt,
since it was already tested, that $key is a file.
However, to express the intent of the command more clearly,
let's drop it.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Imitate dropbear init.d-script and make sure we
don't end up with corrupt keys.
This can happen if we use a caching filesystem,
like 'ubifs', and the DUT is powered off during
boot-up.
Signed-off-by: Markus Gothe <markus.gothe@genexis.eu>
If pppoe is used for wan access, the script sets 'eth1' as interface for curl
call. The correct interface is however 'pppoe-wan'.
These scripts use 'network_get_physdev' function to get real device for
bind_network but this is wrong. We need instead the l3_device of the
logical interface.
In case we don't use pppoe connection - 'l3_device' is equal to real device.
Follow P/R:
#14431
Signed-off-by: Coia Prant <coiaprant@gmail.com>
If PKG_FORTIFY_SOURCE is not 0 and lto is enabled for package git, it
will fail to compile with the following example error:
/openwrt/staging_dir/toolchain-aarch64_generic_gcc-14.1.0_musl/include/stdio.h: In function 'process_curl_messages':
/openwrt/staging_dir/toolchain-aarch64_generic_gcc-14.1.0_musl/include/stdio.h:90:8: error: inlining failed in call to 'always_inline' 'fwrite': function body can be overwritten at link time
90 | size_t fwrite(const void *__restrict, size_t, size_t, FILE *__restrict);
| ^
http.c:355:33: note: called from here
355 | fprintf(stderr, "Received DONE message for unknown request!\n");
| ^
A related issue is #13016.
This commit sets PKG_FORTIFY_SOURCE to 0 if CONFIG_USE_LTO is y.
Close #24366
Link: https://lore.kernel.org/git/CAHfWF5mjquES-nocQaK+CAEsqWgdy-_OYdGtN82heYs0eJP3eQ@mail.gmail.com/T/#t
Link: https://github.com/openwrt/openwrt/issues/13016
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110834
Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
* I had wrongly used config_get_bool for the option, so fixed it
* this also fixes the issue of /etc/init.d/vsftpd stop not working
Signed-off-by: Mohd Husaam Mehdi <husaam.mehdi@iopsys.eu>
Summary of three PRs regarding new adblock sources with minor changes/additions:
- add new source reg_lithuania, PR provided by @Myginas
- add new source certpl, PR provided by @jkostorz
- add new source oisd_nsfw_small, PR provided by @Turjoy9
Signed-off-by: Dirk Brenken <dev@brenken.org>
AntiBlock program proxies DNS requests.
The IP addresses of the specified domains are added to
the routing table for routing through the specified interface.
Signed-off-by: Khachatryan Karen <karen0734@gmail.com>
* change the chain structure: only two regular chains contain the generated banIP sets.
"_inbound" covers the base chains WAN-Input and WAN-Forward, "_outbound" covers the base chain LAN-Forward.
* pre-configure the default chains for every feed in the banip.feeds json file, no longer blocks
selected feeds in all chains by default
* it's now possible to split country and asn Sets by country or asn (disabled by default)
* support Set counters to report easily suspicious IPs per Set (disabled by default)
* make it possible, to opt out certain chains from the deduplication process
* the element search now returns all matches (and not only the first one)
* the report engine now includes statistics about the Inbound & Outbound chains and the Set counters (optional)
* save the temp. files of possible nft loading errors in "/tmp/banIP-errors" by default for easier debugging
* various code improvements
* remove ssbl feed (deprecated)
* add two new vpn feeds
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Feature changes:
- on non-windows clients (MacOS, Linux, Unix) send "release" string from uname() call as IV_PLAT_VER to server
- Windows: protect cached username, password and token in client memory
- Windows: use new API to get dco-win driver version from driver
- Linux: pass --timeout=0 argument to systemd-ask-password, to avoid default timeout of 90 seconds
Security fixes:
- improve server-side handling of clients sending usernames or passwords longer than USER_PASS_LEN
Notable bug fixes:
- FreeBSD DCO: fix memory leaks in nvlist handling
- purge proxy authentication credentials from memory after use
For details refer to https://github.com/OpenVPN/openvpn/blob/v2.6.13/Changes.rst
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Using the PUT method recreates the DNS record with and only with
the newly provided data. This seems unnecessary. In particular,
we don't need to hardcode a TTL of 120. Any existing comment
would be lost too.
The only detail we need to change is the IP address. Leave everything
else as it was.
Signed-off-by: Gedalya Nie <gedalya@gedalya.net>
Have no idea why such dependency was added.
No documentation from transmission that they need
such dependency on build time. On the other hand
saves a vast amount of time during build
Signed-off-by: Serhii Ivanov <icegood1980@gmail.com>
* update UCI to use the traditional vsftpd.conf so
that people migrating from non-uci version do not face problems
* if secure_chroot_dir is not provided specifically, then create
an empty directory where vsftpd usually expects it
Signed-off-by: Mohd Husaam Mehdi <husaam.mehdi@iopsys.eu>
* update init script to validate and process UCI
* the option conf_file can be used to pass a conf file
instead of using UCI
Signed-off-by: Mohd Husaam Mehdi <husaam.mehdi@iopsys.eu>
Fsh helps you access local shell and TCP services behind a NAT or firewall.
More details: https://github.com/heiher/hev-fsh
Signed-off-by: Ray Wang <r@hev.cc>