Without it, using uci to manipulate ipsec config can result in errors,
making it much difficult to use in uci-defaults for example.
Signed-off-by: Glen Huang <me@glenhuang.com>
Increases snort's IPS fast pattern matching by 2x (compared to
the ac_full engine) and 3x (compared to ac_bfna). This is most
noticeable for users of large rules sets and when doing deep flow
inspection.
For more see: https://blog.snort.org/2020/09/snort-3-hyperscan-.html
Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne
Signed-off-by: John Audia <therealgraysky@proton.me>
The recent upgrade of apr included a change with should fix the subversion build.
Unfortunately, this fix resulted in a build regression of apache-mod-php8.
The new approach is to pass the locations of the apr config helpers
to configure via parameter.
Fixes: 68dd7b7cf6 ("apr: update to 1.7.4")
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
changelog:
- Fix some FD leaks (#334, thanks to @giuseppe)
As package belongs to network category, I moved it from utils to network folder
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Fixes CVEs:
- CVE-2023-50387: Validating DNS messages containing a lot of DNSSEC signatures
could cause excessive CPU load, leading to a denial-of-service condition.
- CVE-2023-50868: Preparing an NSEC3 closest encloser proof could cause
excessive CPU load, leading to a denial-of-service condition.
- CVE-2023-4408: Parsing DNS messages with many different names could cause
excessive CPU load.
- CVE-2023-5517: Specific queries could cause named to crash with an assertion
failure when nxdomain-redirect was enabled.
- CVE-2023-5679: A bad interaction between DNS64 and serve-stale could cause
named to crash with an assertion failure, when both of these features were
enabled.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
changelogs: https://github.com/containers/netavark/releases
wrapper script and config file removed as they have become obsolete,
firewall driver is now configured in containers.conf
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Retry when resolveip fails as it seems to be causing issues
on startup depending on various unpredictable parameters.
Resolves: #23185
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
softethervpn5: The softethervpn5 package is due for an update from recent source. This PR implements a Makefile update to pull December 2023 release, which includes fixes for recently-disclosed vulnerabilities. The build patches are also updated accordingly.
Signed-off-by: Thomas Winkler <tewinkler86@gmail.com>
Harmless to carry this fix until procd.sh adds the param
This parameter will mean umdns advertises not just "OpenWrt" but a more
appropriate string:
"Apple LaserWriter Pro 630"
Signed-off-by: Paul Donald <newtwen@gmail.com>
Commit driver_home defaults before continuing
Fix missing path for serial number acquisition
Store current device if no previously configured device had one.
Also set CHAR_DEV so the printer can get its driver sent on first run.
Signed-off-by: Paul Donald <newtwen@gmail.com>
The spec https://developer.apple.com/bonjour/printing-specification/bonjourprinting-1.2.1.pdf
notes:
... if the meaning of any of the TXT record keys is changed, the txtvers value
will be incremented. The current value of this key is “1”, and if this key does not exist in
the TXT record, the default value of “1” is assumed. The txtvers SHOULD be the first
key/value pair in the TXT record.
Signed-off-by: Paul Donald <newtwen@gmail.com>
Don't run procd with a name of p9100d or p9101d etc.
Use the original binary name: p910nd.
This way, all supplied parameters should be visible via e.g.:
ps
xargs -0 < /proc/{procid}/cmdline
Revise all p910nd strings to the variable DAEMON_NAME or CONFIG where
appropriate.
Signed-off-by: Paul Donald <newtwen@gmail.com>
Adjust patches for current version changes
Module "disk" renamed to "disk_hw"
Internal type "unknown" changed to "u_int32_t"
Add patch with removing macro syntax checking for successful build
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
- previously localport option was required, which broke older configs
- now in-config forwarding is only optional
- ssh option still can be used for forwarding as in sample config
Signed-off-by: kkubicki <krzysiek.kubicki@gmail.com>
- Enable missing variable checking by default
- Explicitly check variables are defined in all 'rm' commands
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
- Use git for sources since no proper tarball is available
- Switch package URL to HTTPS
- Refresh the patch
Signed-off-by: krant <aleksey.vasilenko@gmail.com>
This updates mwan3 to use network_get_preferred_ipaddr6 instead of
network_get_ipaddr6 if possible to determine a source ip for the
connectivity checks. This avoids issues where the first ip address
that is returned from network_get_ipaddr6 does not work anymore while
the preferred one returned from network_get_preferred_ipaddr6 works.
Signed-off-by: Jonas Lochmann <git@inkompetenz.org>
Reporting
- Use json alert data for 10x speed improvement in report generation
- Include both gid and sid, plus packet direction in report output
- Add by-date incident filtering
- Add verbose mode which displays actual rules triggered and their source
- Attempt to look up host names from IPs in verbose mode
- Clean up display of port number involved in incidents
Rules
- Complete downloader for subscription rules using oinkcode (only tested
with snort.org's "free" tier subscription)
- Auto-detect multiple rules files and include them in lua 'ips.rules'
- Add '--backup' option to copy out current rules before installing new
- Add '--persistent' option to 'snort-rules', storing in persistent location
CLI interface
- Completely rework command line option parsing in all user scripts
- Allow options and commands to be in any order on command line
- Add long-form names for all options ('--help' for '-h' and so on)
- Detect errors properly in options, enhance help pages
Bug fixes
- Use 'mkdir -p' on all directory creation
- Use proper tmp directory from 'snort.snort.temp_dir' everywhere
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
This version includes several new features that allow to simplify the
package significantly: The noexit patch and hotplug script are no longer
needed, and the init script doesn't have to check for legacy databases
anymore.
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Update crowdsec to latest upstream release version 1.6.0
Signed-off-by: S. Brusch <ne20002@gmx.ch>
Maintainer: Kerma Gérald <gandalf@gk2.net>
Package tested: not able to test run due to limited space (package is big)
Description: update to latest version of upstream
The config.yml is an example of a tunnel local configuration.
But the cloudlfared treat it as a real config and fails to start.
So to avoid problems let's comment all the statements.
The `url: http://localhost:8000` is not a valid config option.
Additionally add a smale of configuring ingres rules.
The cloudflared.config has missing option token.
Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
The following fixes have been applied to Makefile:
* fix the nebula license type
* add PKG_CPE_ID
* remove unneeded call to Build/Compile
* add leading spaces to descriptions
* add Package/nebula/conffiles definition
* remove unneeded /lib/upgrade/keep.d files
* no longer install actual license file
* add the README file
Kudos to @BKPepe and @1715173329 for feedback which lead to these fixes
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Maintainer: @mkrkn @neheb
Compile tested: armv7, cortexA15, OpenWRT 23.05
Run tested: Linksys EA8500
Compile tested: armv8, cortexA53, OpenWRT main
Run tested: Dynalink DL-WRX36
Description:
Script-security is always 2 and cannot be changed from the openvpn config file due to a missing rule in openvpn.init.
This is discussed in issue #23014
This patch adds the missing rule in openvpn.init to parse script-security from the openvpn config file.
Signed-off-by: Erik Conijn <egc112@msn.com>
also fix license variable
Co-authored-by: Tianling Shen <cnsztl@gmail.com>
Signed-off-by: Otto Moerbeek <otto@drijf.net>
Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>
Upstream bump
,,_ -*> Snort++ <*-
o" )~ Version 3.1.78.0
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.14
Using LuaJIT version 2.1.0-beta3
Using OpenSSL 3.0.12 24 Oct 2023
Using libpcap version 1.10.4 (with TPACKET_V3)
Using PCRE version 8.45 2021-06-15
Using ZLIB version 1.3
Using Hyperscan version 5.4.2 2024-01-15
Using LZMA version 5.4.4
Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne
Signed-off-by: John Audia <therealgraysky@proton.me>
The log is filled with 'debug' messages. This is not necessary and is
only normaly needed during development. To suppress this message, check
whether the level is 'debug' and if so, suppress it. If this message is
required again, the message can be generated by commenting out this line.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Before this change, the status of the sysfs paths from the kernel events
was cached with a cache file. This is necessary to mark configured modems
as available for the netifd.
Using the new monitor service via the mmcli command 'mmcli -M' simplifies
the whole process. There is no need to start sub shells in the background
anymore that monitors whether the modem has already been added to the
ModemManager.
For this purpose, a new service was added that reacts on add and remove
events for modems in the ModemManager and, if necessary, marks the logical
netifd interface as available.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
These moved functions are general functions. This is a preparatory
commit so that these moved functions can also be used in other
ModemManager scripts.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The modem saves the permitted technology configuration in the modem
itself. If the technology configuration is deleted in the uci, this is
not passed on to the modem. This means that the previously saved
technology configuration is remains in the modem and is therefore still
active. By setting the technology to 'any', if no option is set, all
technologies are allowed again.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Modify Makefile to combine tailscale and tailscaled according to
Tailscale documentatio (https://tailscale.com/kb/1207/small-tailscale)
This resulted for x86_64 in an exec of 31MB + the symlink. Before it
was 29MB (tailscaled) and 10MB (tailscale).
Signed-off-by: Thomas Kupper <thomas.kupper@gmail.com>
0cffba9458d3 treewide: add support for RADIUS Reply-Message
c9fb744fdee8 treewide: add support for 'lang=' & ChilliSpot-Lang
584a162cb19a handler-uam: ensure that 'seconds_remaining' is always set
bd1f7c5de1ae Makefile: align with packages feed one
0ea6ad3c4e54 Makefile: mark uspot-www and uspotfilter "PKGARCH:=all"
e6a286ccfdbf uspot/uspotfilter: use 'logger -t'
427ed16cfde5 uspot: expose ratelimits in client data
4ba1dd9c5135 uspot: don't send NAS-Port-Type
78a37ef49b85 templates: add id="replymsg" to reply msg header
e3f4e179fd17 templates: show remaining time in "connected"
398762dff711 radius-client: correctly use str_to_hex()
730ef800d9da templates: simplify HTML
6bb39282fd8f Documentation update
b6c802adac19 portal: handle_request() logic refactoring
1aa1a5eb28d7 uspotfilter: implement peer_lookup()
ba5547ec61f1 portal: speedup peer lookup by leveraging spotfilter
d551376c29bb templates: added html5 time tag to timeleft output
154c98e0b77b uspotfilter: mark client as active when set()
8dcb03a37a77 uspotfilter: rework neigh management
cfb2ce7909da uspotfilter: use client_remove() where applicable
8411314dbf90 Documentation update
8dacf3df9935 uspot: use a single operation for client removal
297b7857c1e0 uspotfilter: fix DELNEIGH processing
76003917c205 uspotfilter: client_set() only clear idle when allowing
f46a855c5085 uspotfilter: remove botched IPv6 "support"
4ff31cbf0e2b uspot: client_remove(): stay in sync with spotfilter
edc9ad7e60a3 uspot/uspotfilter: use ucode-mod-log for logging
52e24aecf2db uspotfilter: use ucode '??=' syntax
c4b6f2f0bb1e Update README
Update the package Makefile to reflect the changes from the following
above-listed commits:
0ea6ad3c4e54 Makefile: mark uspot-www and uspotfilter "PKGARCH:=all"
edc9ad7e60a3 uspot/uspotfilter: use ucode-mod-log for logging
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
New features for v1.8.0:
1. Migrate cache file from Clash API to independent options
2. Introducing Rule Set
3. Add `sing-box geoip`, `sing-box geosite` and `sing-box rule-set` commands
4. Allow nested logical rules
5. Independent `source_ip_is_private` and `ip_is_private` rules
6. Add context to JSON decode error message
7. Reject internal fake-ip queries
8. Add GSO support for TUN and WireGuard system interface
9. The legacy LWIP stack has been deprecated and removed
10. Add `idle_timeout` for URLTest outbound
11. Added some new uTLS fingerprints
...
Release notes: https://github.com/SagerNet/sing-box/releases/tag/v1.8.0
The new version has some breaking changes and may stop working after upgrading if use the original config.
Please see the migration manual to migrate the config: https://sing-box.sagernet.org/migration/
Signed-off-by: Anya Lin <hukk1996@gmail.com>
* fix a station scanning issue on single radio units (mainly a LuCI/JS issue) reported in the forum by multiple users
Signed-off-by: Dirk Brenken <dev@brenken.org>
Fixes: e0d7181a6Closes: #22973Closes: #22988
1. Make the new `startup()` function in `/usr/bin/wifi_schedule.sh`
respect the global `enabled` config flag; in particular, make no
changes to `/etc/config/wireless` when wifi_schedule is disabled.
2. Make the new `/etc/init.d/wifi_schedule` service script executable.
Signed-off-by: Rani Hod <rani.hod@gmail.com>
Allow use of rules as-defined, and don't override their actions. This
is generally the best way to use the ruleset, and overriding their
actions should only be undertaken when you fully understand how it
affects their use.
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
This PR adds the ability of snort to process rules that target
swf and pdf files requiring lzma decompression to look for
malicious payloads therein. This change only increases the size
of the snort3 executable by a fraction of a KB and the added
dependency of liblzma (based on currently offered 5.4.4-1) is
only a 169 KB shared object. Based on CPU requirements of snort,
x86 users likely represent the majority user-base and space their
rootfs is not an issue as it may be for lower-powered SoCs.
Size of snort3-3.1.76.0-2: 7354403 bytes
Size of snort3-3.1.76.0-3: 7354435 bytes
Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne
Signed-off-by: John Audia <therealgraysky@proton.me>
Maintainer: @mkrkn @neheb
Compile tested: aarch64, cortex-a53, OpenWRT Master
Run tested: Dynalink DL-WRX36
Description:
[A previous commit](f8a8b71e26) has added more script event options.
However it looked like that commit was not complete as it stops the use of the script events route-up, route-pre-down, and ipchange when those are placed in the openvpn config file.
This PR fixes a regression that makes it problematic to specify certain event options in the OpenVPN configuration file.
Discussion in [this thread](https://forum.openwrt.org/t/openvpn-custom-route-up-script-in-23-05-rc2/167105/13) and [here](https://forum.openwrt.org/t/openvpn-route-up-and-route-pre-down-broken-in-23-05/176568)
Please have a look and consider implementing or make it possible to use all script event options in the openvpn config file in another way.
Pull request has been discussed and improved with the help of @AuthorReflex, see: https://github.com/openwrt/packages/pull/21732
Signed-off-by: Erik Conijn <egc112@msn.com>
* rework the device/interface auto-detection (only layer-3 network devices will be detetcted correctly), disable the auto-detection e.g. for special tunnel interfaces
* supports now full gawk (preferred, if installed) and busybox awk
* raise the default boot timeout to 20 seconds (if 'ban_triggerdelay' is not set)
* various small fixes and improvements
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
Remove append_params and use shell expressions instead e.g. ${port:+-p $port}.
Note that we can't do that with ProxyCommand because it has to be quoted.
The order of options was changed from more important like hostname to just static -nN.
The CompressionLevel option is removed from SSH2.
Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
The ProxyCommand may have spaces so it must be quoted.
So we must use the procd_append_param.
Currently the option is not supported by Dropbear.
But it has -J instead which in OpenSSH means ProxyJump.
So we can't use it to avoid conflict.
Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
Changelog: https://github.com/snort3/snort3/releases/tag/3.1.77.0
,,_ -*> Snort++ <*-
o" )~ Version 3.1.77.0
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2023 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.13
Using LuaJIT version 2.1.0-beta3
Using OpenSSL 3.0.12 24 Oct 2023
Using libpcap version 1.10.4 (with TPACKET_V3)
Using PCRE version 8.45 2021-06-15
Using ZLIB version 1.3
Using Hyperscan version 5.4.2 2023-12-20
Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne
Signed-off-by: John Audia <therealgraysky@proton.me>
v0.20.0:
- GNUNET_TESTING_get_testname_from_underscore renamed to GNUNET_STRINGS_get_suffix_from_binary_name and moved from libgnunettesting to libgnuneutil
- Move GNUNET_s into libgnunetutil.
- re-introduce compiler annotation for array size in signature
- function-signature adjustment due to compiler error
- GNUNET_PQ_get_oid removed, GNUNET_PQ_get_oid_by_name improved
- Added GNUNET_PQ_get_oid_by_name
- added GNUNET_PQ_get_oid()
- Added new CCA-secure KEM and use in IDENTITY encryption
- Add KEM API to avoid ephemeral private key management
- Add new GNUNET_PQ_event_do_poll() API to gnunet_pq_lib.h
- Added API to support arrays in query results
- Improve PQ API documentation.
- API for array types extended for times
- API extended for array query types
- relevant array-types in queries (not results) in postgresql added
- just style fixes, int to enum
- initial steps towards support of array-types in posgresql
- adds GNUNET_JSON_spec_object_const() and GNUNET_JSON_spec_array_const()
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Update the mdio-netlink kmod and userspace mdio-tools to version 1.3.1.
[v1.3.1] - 2023-12-02
---------------------
Fixes mvls to work with kernels 6.2 and onwards.
- mdio: Multiple registers can now be dumped at once, via the generic
dump operation.
- mvls: Relax the driver matching to accept the strings used in
kernels 6.2 and newer.
Signed-off-by: Robert Marko <robimarko@gmail.com>
OpenVPN configurations that have a uci entry, the enable/enabled option can
be used to control whether the OpenVPN connection should be started at
system startup or not.
OpenVPN configurations that are located under '/etc/openvpn/' are always
started at system boot. To ensure that these connections can also be
started later, they must 'not' be started automatically during system boot.
This can be prevented with the following entry in the OpenVPN configuration.
config globals 'globals'
option autostart '0'
These OpenVPN configurations can then be started later with the command.
'/etc/init.d/openvpn start <name>'
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This commit adds the possibility that an OpenVPN instance located under
'/etc/openvpn' can also be started with the command.
'/etc/init.d/openvpn start <name>'
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
https://curl.se/changes.html#8_5_0
Pick upstream patch to fix build with gnuTLS and verbose strings removed.
The patch should be removed with the next version bump.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
When the service is started, wait for the clock to be synchronized for
up to 5 minutes and provide the stratum action once for ntp hotplug
scripts.
Signed-off-by: Miroslav Lichvar <mlichvar0@gmail.com>
Fixes#20848
Add interface triggers if interfaces to listen to are specified in
`/etc/config/ipsec`. This fixes the "running with no instances" scenario
after rebooting a router.
Signed-off-by: Joel Low <joel@joelsplace.sg>
- Delete legacy configuration files homenet.lua and local.lua
- Add snort config 'include' to allow user customizations in the lua
- Enhance 'check' to test generated nftables file
- Suppress inclusion of rules file when doing silent config check
- Suppress warnings on configuration check unless '-v'erbose
- Replace text logging with json logging to reduce footprint and make reports easier
- Fix some typos in the snort.uc template
- Fix up some error messages suggesting solutions
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
* move reload/restart logic from json() to config_cache()
* improve fw4 restart decision logic
* no longer store reload/restart info in ubus/status json file
* rename variables pointing to run-time information
* create dns_set_output_values to reuse code in principal all and luci app
* improve append_url to store collected URLs in an alternative variable
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Recent version of WolfSSL dropped CyaSSL shims and made the package not
compilable. Converting it to the WolfSSL library is simple enough as the
API used are very basic and can be converted directly. Add patch that
fully convert the package to WolfSSL and doesn't use the compat shim
anymore.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Glen Huang