From 9eb61fe02da9085f1c211919af38e3c504098f61 Mon Sep 17 00:00:00 2001
From: Stan Grishin
Date: Wed, 10 Apr 2024 23:56:43 +0000
Subject: [PATCH 001/106] adblock-fast: improve Makefile's prerm * improve output of Makefile's prerm routines
Signed-off-by: Stan Grishin
---
 net/adblock-fast/Makefile | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/net/adblock-fast/Makefile b/net/adblock-fast/Makefile
index c15f114e24..29aed18735 100644
--- a/net/adblock-fast/Makefile
+++ b/net/adblock-fast/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=adblock-fast
 PKG_VERSION:=1.1.1
-PKG_RELEASE:=r7
+PKG_RELEASE:=r8
 PKG_MAINTAINER:=Stan Grishin
 PKG_LICENSE:=GPL-3.0-or-later
@@ -69,10 +69,11 @@ define Package/adblock-fast/prerm
 #!/bin/sh
 # check if we are on real system
 if [ -z "$${IPKG_INSTROOT}" ]; then
- echo "Stopping service and removing rc.d symlink for adblock-fast"
- /etc/init.d/adblock-fast stop || true
- /etc/init.d/adblock-fast killcache || true
- /etc/init.d/adblock-fast disable || true
+ echo -n "Stopping adblock-fast service... "
+ { /etc/init.d/adblock-fast stop && \
+ /etc/init.d/adblock-fast killcache; } >/dev/null 2>&1 && echo "OK" || echo "FAIL"
+ echo -n "Removing rc.d symlink for adblock-fast... "
+ /etc/init.d/adblock-fast disable >/dev/null 2>&1 && echo "OK" || echo "FAIL"
 fi
 exit 0
 endef
From b31d6da0a807893893915e07e051a21af54e5761 Mon Sep 17 00:00:00 2001
From: Christian Marangi
Date: Sun, 7 Apr 2024 01:24:13 +0200
Subject: [PATCH 002/106] devel: gcc: align patches structure to openwrt toolchain GCC Align patches structure to openwrt toolchain GCC to make it easier to maintain them and reduce patch delta on GCC update.
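Review bot: In the prerm hunk of net/adblock-fast/Makefile, `killcache` is now chained to `stop` with `&&`, so a failed stop skips the cache cleanup that the removed `|| true` lines always attempted, and `>/dev/null 2>&1` throws away the only diagnostics while the script still ends in `exit 0`. A removal can then finish with the service possibly still running and (presumably) its cached lists left on disk, with nothing but "FAIL" on the console to explain why. I would run both steps unconditionally and keep stderr visible, for example `{ /etc/init.d/adblock-fast stop; rc=$$?; /etc/init.d/adblock-fast killcache && [ "$$rc" -eq 0 ]; } >/dev/null && echo "OK" || echo "FAIL"`, and drop `2>&1` from the `disable` line for the same reason. The `define Package/adblock-fast/prerm` block opens above the hunk, so this is judged from the visible lines only.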
Signed-off-by: Christian Marangi --- devel/gcc/Makefile | 3 ++- .../10.3.0 => patches-10.x}/002-case_insensitive.patch | 0 .../003-dont-choke-when-building-32bit-on-64bit.patch | 0 .../{patches/10.3.0 => patches-10.x}/010-documentation.patch | 0 .../10.3.0 => patches-10.x}/110-Fix-MIPS-PR-84790.patch | 0 .../gcc/{patches/10.3.0 => patches-10.x}/230-musl_libssp.patch | 0 .../300-mips_Os_cpu_rtx_cost_model.patch | 0 .../10.3.0 => patches-10.x}/810-arm-softfloat-libgcc.patch | 0 .../gcc/{patches/10.3.0 => patches-10.x}/820-libgcc_pic.patch | 0 .../840-armv4_pass_fix-v4bx_to_ld.patch | 0 .../10.3.0 => patches-10.x}/850-use_shared_libgcc.patch | 0 .../10.3.0 => patches-10.x}/851-libgcc_no_compat.patch | 0 .../10.3.0 => patches-10.x}/870-ppc_no_crtsavres.patch | 0 .../{patches/10.3.0 => patches-10.x}/881-no_tm_section.patch | 0 .../{patches/10.3.0 => patches-10.x}/900-bad-mips16-crt.patch | 0 .../gcc/{patches/10.3.0 => patches-10.x}/910-mbsd_multi.patch | 0 .../10.3.0 => patches-10.x}/920-specs_nonfatal_getenv.patch | 0 .../10.3.0 => patches-10.x}/930-fix-mips-noexecstack.patch | 0 .../931-libffi-fix-MIPS-softfloat-build-issue.patch | 0 ...60-gotools-fix-compilation-when-making-cross-compiler.patch | 0 .../11.3.0 => patches-11.x}/002-case_insensitive.patch | 0 .../003-dont-choke-when-building-32bit-on-64bit.patch | 0 .../{patches/11.3.0 => patches-11.x}/010-documentation.patch | 0 ...011-v12-configure-define-TARGET_LIBC_GNUSTACK-on-musl.patch | 0 .../11.3.0 => patches-11.x}/110-Fix-MIPS-PR-84790.patch | 0 .../gcc/{patches/11.3.0 => patches-11.x}/230-musl_libssp.patch | 0 .../300-mips_Os_cpu_rtx_cost_model.patch | 0 .../11.3.0 => patches-11.x}/810-arm-softfloat-libgcc.patch | 0 .../gcc/{patches/11.3.0 => patches-11.x}/820-libgcc_pic.patch | 0 .../840-armv4_pass_fix-v4bx_to_ld.patch | 0 .../11.3.0 => patches-11.x}/850-use_shared_libgcc.patch | 0 .../11.3.0 => patches-11.x}/851-libgcc_no_compat.patch | 0 .../11.3.0 => patches-11.x}/870-ppc_no_crtsavres.patch | 0 
.../{patches/11.3.0 => patches-11.x}/881-no_tm_section.patch | 0 .../{patches/11.3.0 => patches-11.x}/900-bad-mips16-crt.patch | 0 .../gcc/{patches/11.3.0 => patches-11.x}/910-mbsd_multi.patch | 0 .../11.3.0 => patches-11.x}/920-specs_nonfatal_getenv.patch | 0 .../931-libffi-fix-MIPS-softfloat-build-issue.patch | 0 ...60-gotools-fix-compilation-when-making-cross-compiler.patch | 0 .../11.3.0 => patches-11.x}/970-macos_arm64-building-fix.patch | 0 .../12.3.0 => patches-12.x}/002-case_insensitive.patch | 0 .../003-dont-choke-when-building-32bit-on-64bit.patch | 0 .../{patches/12.3.0 => patches-12.x}/010-documentation.patch | 0 .../12.3.0 => patches-12.x}/110-Fix-MIPS-PR-84790.patch | 0 .../gcc/{patches/12.3.0 => patches-12.x}/230-musl_libssp.patch | 0 .../300-mips_Os_cpu_rtx_cost_model.patch | 0 .../12.3.0 => patches-12.x}/810-arm-softfloat-libgcc.patch | 0 .../gcc/{patches/12.3.0 => patches-12.x}/820-libgcc_pic.patch | 0 .../840-armv4_pass_fix-v4bx_to_ld.patch | 0 .../12.3.0 => patches-12.x}/850-use_shared_libgcc.patch | 0 .../12.3.0 => patches-12.x}/851-libgcc_no_compat.patch | 0 .../12.3.0 => patches-12.x}/870-ppc_no_crtsavres.patch | 0 .../{patches/12.3.0 => patches-12.x}/881-no_tm_section.patch | 0 .../{patches/12.3.0 => patches-12.x}/900-bad-mips16-crt.patch | 0 .../gcc/{patches/12.3.0 => patches-12.x}/910-mbsd_multi.patch | 0 .../12.3.0 => patches-12.x}/920-specs_nonfatal_getenv.patch | 0 ...60-gotools-fix-compilation-when-making-cross-compiler.patch | 0 .../12.3.0 => patches-12.x}/970-macos_arm64-building-fix.patch | 0 .../{patches/8.4.0 => patches-8.x}/002-case_insensitive.patch | 0 .../003-dont-choke-when-building-32bit-on-64bit.patch | 0 .../gcc/{patches/8.4.0 => patches-8.x}/010-documentation.patch | 0 .../{patches/8.4.0 => patches-8.x}/110-Fix-MIPS-PR-84790.patch | 0 devel/gcc/{patches/8.4.0 => patches-8.x}/230-musl_libssp.patch | 0 .../8.4.0 => patches-8.x}/300-mips_Os_cpu_rtx_cost_model.patch | 0 .../8.4.0 => 
patches-8.x}/800-arm_v5te_no_ldrd_strd.patch | 0 .../8.4.0 => patches-8.x}/810-arm-softfloat-libgcc.patch | 0 devel/gcc/{patches/8.4.0 => patches-8.x}/820-libgcc_pic.patch | 0 .../8.4.0 => patches-8.x}/840-armv4_pass_fix-v4bx_to_ld.patch | 0 .../{patches/8.4.0 => patches-8.x}/850-use_shared_libgcc.patch | 0 .../{patches/8.4.0 => patches-8.x}/851-libgcc_no_compat.patch | 0 .../{patches/8.4.0 => patches-8.x}/870-ppc_no_crtsavres.patch | 0 .../gcc/{patches/8.4.0 => patches-8.x}/881-no_tm_section.patch | 0 .../{patches/8.4.0 => patches-8.x}/900-bad-mips16-crt.patch | 0 devel/gcc/{patches/8.4.0 => patches-8.x}/910-mbsd_multi.patch | 0 .../8.4.0 => patches-8.x}/920-specs_nonfatal_getenv.patch | 0 .../8.4.0 => patches-8.x}/930-fix-mips-noexecstack.patch | 0 .../931-libffi-fix-MIPS-softfloat-build-issue.patch | 0 ...60-gotools-fix-compilation-when-making-cross-compiler.patch | 0 78 files changed, 2 insertions(+), 1 deletion(-) rename devel/gcc/{patches/10.3.0 => patches-10.x}/002-case_insensitive.patch (100%) rename devel/gcc/{patches/10.3.0 => patches-10.x}/003-dont-choke-when-building-32bit-on-64bit.patch (100%) rename devel/gcc/{patches/10.3.0 => patches-10.x}/010-documentation.patch (100%) rename devel/gcc/{patches/10.3.0 => patches-10.x}/110-Fix-MIPS-PR-84790.patch (100%) rename devel/gcc/{patches/10.3.0 => patches-10.x}/230-musl_libssp.patch (100%) rename devel/gcc/{patches/10.3.0 => patches-10.x}/300-mips_Os_cpu_rtx_cost_model.patch (100%) rename devel/gcc/{patches/10.3.0 => patches-10.x}/810-arm-softfloat-libgcc.patch (100%) rename devel/gcc/{patches/10.3.0 => patches-10.x}/820-libgcc_pic.patch (100%) rename devel/gcc/{patches/10.3.0 => patches-10.x}/840-armv4_pass_fix-v4bx_to_ld.patch (100%) rename devel/gcc/{patches/10.3.0 => patches-10.x}/850-use_shared_libgcc.patch (100%) rename devel/gcc/{patches/10.3.0 => patches-10.x}/851-libgcc_no_compat.patch (100%) rename devel/gcc/{patches/10.3.0 => patches-10.x}/870-ppc_no_crtsavres.patch (100%) rename 
devel/gcc/{patches/10.3.0 => patches-10.x}/881-no_tm_section.patch (100%) rename devel/gcc/{patches/10.3.0 => patches-10.x}/900-bad-mips16-crt.patch (100%) rename devel/gcc/{patches/10.3.0 => patches-10.x}/910-mbsd_multi.patch (100%) rename devel/gcc/{patches/10.3.0 => patches-10.x}/920-specs_nonfatal_getenv.patch (100%) rename devel/gcc/{patches/10.3.0 => patches-10.x}/930-fix-mips-noexecstack.patch (100%) rename devel/gcc/{patches/10.3.0 => patches-10.x}/931-libffi-fix-MIPS-softfloat-build-issue.patch (100%) rename devel/gcc/{patches/10.3.0 => patches-10.x}/960-gotools-fix-compilation-when-making-cross-compiler.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/002-case_insensitive.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/003-dont-choke-when-building-32bit-on-64bit.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/010-documentation.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/011-v12-configure-define-TARGET_LIBC_GNUSTACK-on-musl.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/110-Fix-MIPS-PR-84790.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/230-musl_libssp.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/300-mips_Os_cpu_rtx_cost_model.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/810-arm-softfloat-libgcc.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/820-libgcc_pic.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/840-armv4_pass_fix-v4bx_to_ld.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/850-use_shared_libgcc.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/851-libgcc_no_compat.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/870-ppc_no_crtsavres.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/881-no_tm_section.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/900-bad-mips16-crt.patch (100%) rename devel/gcc/{patches/11.3.0 => 
patches-11.x}/910-mbsd_multi.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/920-specs_nonfatal_getenv.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/931-libffi-fix-MIPS-softfloat-build-issue.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/960-gotools-fix-compilation-when-making-cross-compiler.patch (100%) rename devel/gcc/{patches/11.3.0 => patches-11.x}/970-macos_arm64-building-fix.patch (100%) rename devel/gcc/{patches/12.3.0 => patches-12.x}/002-case_insensitive.patch (100%) rename devel/gcc/{patches/12.3.0 => patches-12.x}/003-dont-choke-when-building-32bit-on-64bit.patch (100%) rename devel/gcc/{patches/12.3.0 => patches-12.x}/010-documentation.patch (100%) rename devel/gcc/{patches/12.3.0 => patches-12.x}/110-Fix-MIPS-PR-84790.patch (100%) rename devel/gcc/{patches/12.3.0 => patches-12.x}/230-musl_libssp.patch (100%) rename devel/gcc/{patches/12.3.0 => patches-12.x}/300-mips_Os_cpu_rtx_cost_model.patch (100%) rename devel/gcc/{patches/12.3.0 => patches-12.x}/810-arm-softfloat-libgcc.patch (100%) rename devel/gcc/{patches/12.3.0 => patches-12.x}/820-libgcc_pic.patch (100%) rename devel/gcc/{patches/12.3.0 => patches-12.x}/840-armv4_pass_fix-v4bx_to_ld.patch (100%) rename devel/gcc/{patches/12.3.0 => patches-12.x}/850-use_shared_libgcc.patch (100%) rename devel/gcc/{patches/12.3.0 => patches-12.x}/851-libgcc_no_compat.patch (100%) rename devel/gcc/{patches/12.3.0 => patches-12.x}/870-ppc_no_crtsavres.patch (100%) rename devel/gcc/{patches/12.3.0 => patches-12.x}/881-no_tm_section.patch (100%) rename devel/gcc/{patches/12.3.0 => patches-12.x}/900-bad-mips16-crt.patch (100%) rename devel/gcc/{patches/12.3.0 => patches-12.x}/910-mbsd_multi.patch (100%) rename devel/gcc/{patches/12.3.0 => patches-12.x}/920-specs_nonfatal_getenv.patch (100%) rename devel/gcc/{patches/12.3.0 => patches-12.x}/960-gotools-fix-compilation-when-making-cross-compiler.patch (100%) rename devel/gcc/{patches/12.3.0 => 
patches-12.x}/970-macos_arm64-building-fix.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/002-case_insensitive.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/003-dont-choke-when-building-32bit-on-64bit.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/010-documentation.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/110-Fix-MIPS-PR-84790.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/230-musl_libssp.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/300-mips_Os_cpu_rtx_cost_model.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/800-arm_v5te_no_ldrd_strd.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/810-arm-softfloat-libgcc.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/820-libgcc_pic.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/840-armv4_pass_fix-v4bx_to_ld.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/850-use_shared_libgcc.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/851-libgcc_no_compat.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/870-ppc_no_crtsavres.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/881-no_tm_section.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/900-bad-mips16-crt.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/910-mbsd_multi.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/920-specs_nonfatal_getenv.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/930-fix-mips-noexecstack.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/931-libffi-fix-MIPS-softfloat-build-issue.patch (100%) rename devel/gcc/{patches/8.4.0 => patches-8.x}/960-gotools-fix-compilation-when-making-cross-compiler.patch (100%) diff --git a/devel/gcc/Makefile b/devel/gcc/Makefile index e45372e4f8..583ce15bc4 100644 --- a/devel/gcc/Makefile +++ b/devel/gcc/Makefile 
@@ -23,6 +23,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=gcc
 GCC_VERSION:=$(call qstrip,$(CONFIG_GCC_VERSION))
 PKG_VERSION:=$(firstword $(subst +, ,$(GCC_VERSION)))
+GCC_MAJOR_VERSION:=$(word 1,$(subst ., ,$(PKG_VERSION)))
 PKG_RELEASE:=5
 GCC_DIR:=$(PKG_NAME)-$(PKG_VERSION)
@@ -50,7 +51,7 @@ ifeq ($(PKG_VERSION),12.3.0)
 PKG_HASH:=949a5d4f99e786421a93b532b22ffab5578de7321369975b91aec97adfda8c3b
 endif
-PATCH_DIR=./patches/$(GCC_VERSION)
+PATCH_DIR:=patches-$(GCC_MAJOR_VERSION).x
 include $(INCLUDE_DIR)/package.mk
diff --git a/devel/gcc/patches/10.3.0/002-case_insensitive.patch b/devel/gcc/patches-10.x/002-case_insensitive.patch
similarity index 100%
rename from devel/gcc/patches/10.3.0/002-case_insensitive.patch
rename to devel/gcc/patches-10.x/002-case_insensitive.patch
diff --git a/devel/gcc/patches/10.3.0/003-dont-choke-when-building-32bit-on-64bit.patch b/devel/gcc/patches-10.x/003-dont-choke-when-building-32bit-on-64bit.patch
similarity index 100%
rename from devel/gcc/patches/10.3.0/003-dont-choke-when-building-32bit-on-64bit.patch
rename to devel/gcc/patches-10.x/003-dont-choke-when-building-32bit-on-64bit.patch
diff --git a/devel/gcc/patches/10.3.0/010-documentation.patch b/devel/gcc/patches-10.x/010-documentation.patch
similarity index 100%
rename from devel/gcc/patches/10.3.0/010-documentation.patch
rename to devel/gcc/patches-10.x/010-documentation.patch
diff --git a/devel/gcc/patches/10.3.0/110-Fix-MIPS-PR-84790.patch b/devel/gcc/patches-10.x/110-Fix-MIPS-PR-84790.patch
similarity index 100%
rename from devel/gcc/patches/10.3.0/110-Fix-MIPS-PR-84790.patch
rename to devel/gcc/patches-10.x/110-Fix-MIPS-PR-84790.patch
diff --git a/devel/gcc/patches/10.3.0/230-musl_libssp.patch b/devel/gcc/patches-10.x/230-musl_libssp.patch
similarity index 100%
rename from devel/gcc/patches/10.3.0/230-musl_libssp.patch
rename to devel/gcc/patches-10.x/230-musl_libssp.patch
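Review bot: Nothing checks that the directory named by `PATCH_DIR:=patches-$(GCC_MAJOR_VERSION).x` (second hunk of devel/gcc/Makefile) actually exists; when `CONFIG_GCC_VERSION` is empty or selects a major version without a renamed directory, `GCC_MAJOR_VERSION` from the first hunk becomes empty or unmatched and the path degrades to something like `patches-.x`. If the build system quietly skips a missing patch directory (the patch-application code is not on this page, so that is an assumption to confirm), GCC would be packaged without hardening-related patches such as `230-musl_libssp.patch` and `930-fix-mips-noexecstack.patch`, and the build would still succeed. A guard placed right after the assignment would surface that, e.g. `$(if $(wildcard $(PATCH_DIR)/.),,$(warning GCC patch directory '$(PATCH_DIR)' not found for version '$(PKG_VERSION)'))`. A one-line comment on `GCC_MAJOR_VERSION` stating that patch directories are keyed by major version (`patches-N.x`) would also document why a point release now inherits the existing patch set.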
diff --git a/devel/gcc/patches/10.3.0/300-mips_Os_cpu_rtx_cost_model.patch b/devel/gcc/patches-10.x/300-mips_Os_cpu_rtx_cost_model.patch similarity index 100% rename from devel/gcc/patches/10.3.0/300-mips_Os_cpu_rtx_cost_model.patch rename to devel/gcc/patches-10.x/300-mips_Os_cpu_rtx_cost_model.patch diff --git a/devel/gcc/patches/10.3.0/810-arm-softfloat-libgcc.patch b/devel/gcc/patches-10.x/810-arm-softfloat-libgcc.patch similarity index 100% rename from devel/gcc/patches/10.3.0/810-arm-softfloat-libgcc.patch rename to devel/gcc/patches-10.x/810-arm-softfloat-libgcc.patch diff --git a/devel/gcc/patches/10.3.0/820-libgcc_pic.patch b/devel/gcc/patches-10.x/820-libgcc_pic.patch similarity index 100% rename from devel/gcc/patches/10.3.0/820-libgcc_pic.patch rename to devel/gcc/patches-10.x/820-libgcc_pic.patch diff --git a/devel/gcc/patches/10.3.0/840-armv4_pass_fix-v4bx_to_ld.patch b/devel/gcc/patches-10.x/840-armv4_pass_fix-v4bx_to_ld.patch similarity index 100% rename from devel/gcc/patches/10.3.0/840-armv4_pass_fix-v4bx_to_ld.patch rename to devel/gcc/patches-10.x/840-armv4_pass_fix-v4bx_to_ld.patch diff --git a/devel/gcc/patches/10.3.0/850-use_shared_libgcc.patch b/devel/gcc/patches-10.x/850-use_shared_libgcc.patch similarity index 100% rename from devel/gcc/patches/10.3.0/850-use_shared_libgcc.patch rename to devel/gcc/patches-10.x/850-use_shared_libgcc.patch diff --git a/devel/gcc/patches/10.3.0/851-libgcc_no_compat.patch b/devel/gcc/patches-10.x/851-libgcc_no_compat.patch similarity index 100% rename from devel/gcc/patches/10.3.0/851-libgcc_no_compat.patch rename to devel/gcc/patches-10.x/851-libgcc_no_compat.patch diff --git a/devel/gcc/patches/10.3.0/870-ppc_no_crtsavres.patch b/devel/gcc/patches-10.x/870-ppc_no_crtsavres.patch similarity index 100% rename from devel/gcc/patches/10.3.0/870-ppc_no_crtsavres.patch rename to devel/gcc/patches-10.x/870-ppc_no_crtsavres.patch 
diff --git a/devel/gcc/patches/10.3.0/881-no_tm_section.patch b/devel/gcc/patches-10.x/881-no_tm_section.patch similarity index 100% rename from devel/gcc/patches/10.3.0/881-no_tm_section.patch rename to devel/gcc/patches-10.x/881-no_tm_section.patch diff --git a/devel/gcc/patches/10.3.0/900-bad-mips16-crt.patch b/devel/gcc/patches-10.x/900-bad-mips16-crt.patch similarity index 100% rename from devel/gcc/patches/10.3.0/900-bad-mips16-crt.patch rename to devel/gcc/patches-10.x/900-bad-mips16-crt.patch diff --git a/devel/gcc/patches/10.3.0/910-mbsd_multi.patch b/devel/gcc/patches-10.x/910-mbsd_multi.patch similarity index 100% rename from devel/gcc/patches/10.3.0/910-mbsd_multi.patch rename to devel/gcc/patches-10.x/910-mbsd_multi.patch diff --git a/devel/gcc/patches/10.3.0/920-specs_nonfatal_getenv.patch b/devel/gcc/patches-10.x/920-specs_nonfatal_getenv.patch similarity index 100% rename from devel/gcc/patches/10.3.0/920-specs_nonfatal_getenv.patch rename to devel/gcc/patches-10.x/920-specs_nonfatal_getenv.patch diff --git a/devel/gcc/patches/10.3.0/930-fix-mips-noexecstack.patch b/devel/gcc/patches-10.x/930-fix-mips-noexecstack.patch similarity index 100% rename from devel/gcc/patches/10.3.0/930-fix-mips-noexecstack.patch rename to devel/gcc/patches-10.x/930-fix-mips-noexecstack.patch diff --git a/devel/gcc/patches/10.3.0/931-libffi-fix-MIPS-softfloat-build-issue.patch b/devel/gcc/patches-10.x/931-libffi-fix-MIPS-softfloat-build-issue.patch similarity index 100% rename from devel/gcc/patches/10.3.0/931-libffi-fix-MIPS-softfloat-build-issue.patch rename to devel/gcc/patches-10.x/931-libffi-fix-MIPS-softfloat-build-issue.patch 
diff --git a/devel/gcc/patches/10.3.0/960-gotools-fix-compilation-when-making-cross-compiler.patch b/devel/gcc/patches-10.x/960-gotools-fix-compilation-when-making-cross-compiler.patch similarity index 100% rename from devel/gcc/patches/10.3.0/960-gotools-fix-compilation-when-making-cross-compiler.patch rename to devel/gcc/patches-10.x/960-gotools-fix-compilation-when-making-cross-compiler.patch diff --git a/devel/gcc/patches/11.3.0/002-case_insensitive.patch b/devel/gcc/patches-11.x/002-case_insensitive.patch similarity index 100% rename from devel/gcc/patches/11.3.0/002-case_insensitive.patch rename to devel/gcc/patches-11.x/002-case_insensitive.patch diff --git a/devel/gcc/patches/11.3.0/003-dont-choke-when-building-32bit-on-64bit.patch b/devel/gcc/patches-11.x/003-dont-choke-when-building-32bit-on-64bit.patch similarity index 100% rename from devel/gcc/patches/11.3.0/003-dont-choke-when-building-32bit-on-64bit.patch rename to devel/gcc/patches-11.x/003-dont-choke-when-building-32bit-on-64bit.patch diff --git a/devel/gcc/patches/11.3.0/010-documentation.patch b/devel/gcc/patches-11.x/010-documentation.patch similarity index 100% rename from devel/gcc/patches/11.3.0/010-documentation.patch rename to devel/gcc/patches-11.x/010-documentation.patch diff --git a/devel/gcc/patches/11.3.0/011-v12-configure-define-TARGET_LIBC_GNUSTACK-on-musl.patch b/devel/gcc/patches-11.x/011-v12-configure-define-TARGET_LIBC_GNUSTACK-on-musl.patch similarity index 100% rename from devel/gcc/patches/11.3.0/011-v12-configure-define-TARGET_LIBC_GNUSTACK-on-musl.patch rename to devel/gcc/patches-11.x/011-v12-configure-define-TARGET_LIBC_GNUSTACK-on-musl.patch diff --git a/devel/gcc/patches/11.3.0/110-Fix-MIPS-PR-84790.patch b/devel/gcc/patches-11.x/110-Fix-MIPS-PR-84790.patch similarity index 100% rename from devel/gcc/patches/11.3.0/110-Fix-MIPS-PR-84790.patch rename to devel/gcc/patches-11.x/110-Fix-MIPS-PR-84790.patch 
diff --git a/devel/gcc/patches/11.3.0/230-musl_libssp.patch b/devel/gcc/patches-11.x/230-musl_libssp.patch similarity index 100% rename from devel/gcc/patches/11.3.0/230-musl_libssp.patch rename to devel/gcc/patches-11.x/230-musl_libssp.patch diff --git a/devel/gcc/patches/11.3.0/300-mips_Os_cpu_rtx_cost_model.patch b/devel/gcc/patches-11.x/300-mips_Os_cpu_rtx_cost_model.patch similarity index 100% rename from devel/gcc/patches/11.3.0/300-mips_Os_cpu_rtx_cost_model.patch rename to devel/gcc/patches-11.x/300-mips_Os_cpu_rtx_cost_model.patch diff --git a/devel/gcc/patches/11.3.0/810-arm-softfloat-libgcc.patch b/devel/gcc/patches-11.x/810-arm-softfloat-libgcc.patch similarity index 100% rename from devel/gcc/patches/11.3.0/810-arm-softfloat-libgcc.patch rename to devel/gcc/patches-11.x/810-arm-softfloat-libgcc.patch diff --git a/devel/gcc/patches/11.3.0/820-libgcc_pic.patch b/devel/gcc/patches-11.x/820-libgcc_pic.patch similarity index 100% rename from devel/gcc/patches/11.3.0/820-libgcc_pic.patch rename to devel/gcc/patches-11.x/820-libgcc_pic.patch diff --git a/devel/gcc/patches/11.3.0/840-armv4_pass_fix-v4bx_to_ld.patch b/devel/gcc/patches-11.x/840-armv4_pass_fix-v4bx_to_ld.patch similarity index 100% rename from devel/gcc/patches/11.3.0/840-armv4_pass_fix-v4bx_to_ld.patch rename to devel/gcc/patches-11.x/840-armv4_pass_fix-v4bx_to_ld.patch diff --git a/devel/gcc/patches/11.3.0/850-use_shared_libgcc.patch b/devel/gcc/patches-11.x/850-use_shared_libgcc.patch similarity index 100% rename from devel/gcc/patches/11.3.0/850-use_shared_libgcc.patch rename to devel/gcc/patches-11.x/850-use_shared_libgcc.patch diff --git a/devel/gcc/patches/11.3.0/851-libgcc_no_compat.patch b/devel/gcc/patches-11.x/851-libgcc_no_compat.patch similarity index 100% rename from devel/gcc/patches/11.3.0/851-libgcc_no_compat.patch rename to devel/gcc/patches-11.x/851-libgcc_no_compat.patch 
diff --git a/devel/gcc/patches/11.3.0/870-ppc_no_crtsavres.patch b/devel/gcc/patches-11.x/870-ppc_no_crtsavres.patch similarity index 100% rename from devel/gcc/patches/11.3.0/870-ppc_no_crtsavres.patch rename to devel/gcc/patches-11.x/870-ppc_no_crtsavres.patch diff --git a/devel/gcc/patches/11.3.0/881-no_tm_section.patch b/devel/gcc/patches-11.x/881-no_tm_section.patch similarity index 100% rename from devel/gcc/patches/11.3.0/881-no_tm_section.patch rename to devel/gcc/patches-11.x/881-no_tm_section.patch diff --git a/devel/gcc/patches/11.3.0/900-bad-mips16-crt.patch b/devel/gcc/patches-11.x/900-bad-mips16-crt.patch similarity index 100% rename from devel/gcc/patches/11.3.0/900-bad-mips16-crt.patch rename to devel/gcc/patches-11.x/900-bad-mips16-crt.patch diff --git a/devel/gcc/patches/11.3.0/910-mbsd_multi.patch b/devel/gcc/patches-11.x/910-mbsd_multi.patch similarity index 100% rename from devel/gcc/patches/11.3.0/910-mbsd_multi.patch rename to devel/gcc/patches-11.x/910-mbsd_multi.patch diff --git a/devel/gcc/patches/11.3.0/920-specs_nonfatal_getenv.patch b/devel/gcc/patches-11.x/920-specs_nonfatal_getenv.patch similarity index 100% rename from devel/gcc/patches/11.3.0/920-specs_nonfatal_getenv.patch rename to devel/gcc/patches-11.x/920-specs_nonfatal_getenv.patch diff --git a/devel/gcc/patches/11.3.0/931-libffi-fix-MIPS-softfloat-build-issue.patch b/devel/gcc/patches-11.x/931-libffi-fix-MIPS-softfloat-build-issue.patch similarity index 100% rename from devel/gcc/patches/11.3.0/931-libffi-fix-MIPS-softfloat-build-issue.patch rename to devel/gcc/patches-11.x/931-libffi-fix-MIPS-softfloat-build-issue.patch 
diff --git a/devel/gcc/patches/11.3.0/960-gotools-fix-compilation-when-making-cross-compiler.patch b/devel/gcc/patches-11.x/960-gotools-fix-compilation-when-making-cross-compiler.patch similarity index 100% rename from devel/gcc/patches/11.3.0/960-gotools-fix-compilation-when-making-cross-compiler.patch rename to devel/gcc/patches-11.x/960-gotools-fix-compilation-when-making-cross-compiler.patch diff --git a/devel/gcc/patches/11.3.0/970-macos_arm64-building-fix.patch b/devel/gcc/patches-11.x/970-macos_arm64-building-fix.patch similarity index 100% rename from devel/gcc/patches/11.3.0/970-macos_arm64-building-fix.patch rename to devel/gcc/patches-11.x/970-macos_arm64-building-fix.patch diff --git a/devel/gcc/patches/12.3.0/002-case_insensitive.patch b/devel/gcc/patches-12.x/002-case_insensitive.patch similarity index 100% rename from devel/gcc/patches/12.3.0/002-case_insensitive.patch rename to devel/gcc/patches-12.x/002-case_insensitive.patch diff --git a/devel/gcc/patches/12.3.0/003-dont-choke-when-building-32bit-on-64bit.patch b/devel/gcc/patches-12.x/003-dont-choke-when-building-32bit-on-64bit.patch similarity index 100% rename from devel/gcc/patches/12.3.0/003-dont-choke-when-building-32bit-on-64bit.patch rename to devel/gcc/patches-12.x/003-dont-choke-when-building-32bit-on-64bit.patch diff --git a/devel/gcc/patches/12.3.0/010-documentation.patch b/devel/gcc/patches-12.x/010-documentation.patch similarity index 100% rename from devel/gcc/patches/12.3.0/010-documentation.patch rename to devel/gcc/patches-12.x/010-documentation.patch diff --git a/devel/gcc/patches/12.3.0/110-Fix-MIPS-PR-84790.patch b/devel/gcc/patches-12.x/110-Fix-MIPS-PR-84790.patch similarity index 100% rename from devel/gcc/patches/12.3.0/110-Fix-MIPS-PR-84790.patch rename to devel/gcc/patches-12.x/110-Fix-MIPS-PR-84790.patch 
diff --git a/devel/gcc/patches/12.3.0/230-musl_libssp.patch b/devel/gcc/patches-12.x/230-musl_libssp.patch similarity index 100% rename from devel/gcc/patches/12.3.0/230-musl_libssp.patch rename to devel/gcc/patches-12.x/230-musl_libssp.patch diff --git a/devel/gcc/patches/12.3.0/300-mips_Os_cpu_rtx_cost_model.patch b/devel/gcc/patches-12.x/300-mips_Os_cpu_rtx_cost_model.patch similarity index 100% rename from devel/gcc/patches/12.3.0/300-mips_Os_cpu_rtx_cost_model.patch rename to devel/gcc/patches-12.x/300-mips_Os_cpu_rtx_cost_model.patch diff --git a/devel/gcc/patches/12.3.0/810-arm-softfloat-libgcc.patch b/devel/gcc/patches-12.x/810-arm-softfloat-libgcc.patch similarity index 100% rename from devel/gcc/patches/12.3.0/810-arm-softfloat-libgcc.patch rename to devel/gcc/patches-12.x/810-arm-softfloat-libgcc.patch diff --git a/devel/gcc/patches/12.3.0/820-libgcc_pic.patch b/devel/gcc/patches-12.x/820-libgcc_pic.patch similarity index 100% rename from devel/gcc/patches/12.3.0/820-libgcc_pic.patch rename to devel/gcc/patches-12.x/820-libgcc_pic.patch diff --git a/devel/gcc/patches/12.3.0/840-armv4_pass_fix-v4bx_to_ld.patch b/devel/gcc/patches-12.x/840-armv4_pass_fix-v4bx_to_ld.patch similarity index 100% rename from devel/gcc/patches/12.3.0/840-armv4_pass_fix-v4bx_to_ld.patch rename to devel/gcc/patches-12.x/840-armv4_pass_fix-v4bx_to_ld.patch diff --git a/devel/gcc/patches/12.3.0/850-use_shared_libgcc.patch b/devel/gcc/patches-12.x/850-use_shared_libgcc.patch similarity index 100% rename from devel/gcc/patches/12.3.0/850-use_shared_libgcc.patch rename to devel/gcc/patches-12.x/850-use_shared_libgcc.patch diff --git a/devel/gcc/patches/12.3.0/851-libgcc_no_compat.patch b/devel/gcc/patches-12.x/851-libgcc_no_compat.patch similarity index 100% rename from devel/gcc/patches/12.3.0/851-libgcc_no_compat.patch rename to devel/gcc/patches-12.x/851-libgcc_no_compat.patch 
diff --git a/devel/gcc/patches/12.3.0/870-ppc_no_crtsavres.patch b/devel/gcc/patches-12.x/870-ppc_no_crtsavres.patch similarity index 100% rename from devel/gcc/patches/12.3.0/870-ppc_no_crtsavres.patch rename to devel/gcc/patches-12.x/870-ppc_no_crtsavres.patch diff --git a/devel/gcc/patches/12.3.0/881-no_tm_section.patch b/devel/gcc/patches-12.x/881-no_tm_section.patch similarity index 100% rename from devel/gcc/patches/12.3.0/881-no_tm_section.patch rename to devel/gcc/patches-12.x/881-no_tm_section.patch diff --git a/devel/gcc/patches/12.3.0/900-bad-mips16-crt.patch b/devel/gcc/patches-12.x/900-bad-mips16-crt.patch similarity index 100% rename from devel/gcc/patches/12.3.0/900-bad-mips16-crt.patch rename to devel/gcc/patches-12.x/900-bad-mips16-crt.patch diff --git a/devel/gcc/patches/12.3.0/910-mbsd_multi.patch b/devel/gcc/patches-12.x/910-mbsd_multi.patch similarity index 100% rename from devel/gcc/patches/12.3.0/910-mbsd_multi.patch rename to devel/gcc/patches-12.x/910-mbsd_multi.patch diff --git a/devel/gcc/patches/12.3.0/920-specs_nonfatal_getenv.patch b/devel/gcc/patches-12.x/920-specs_nonfatal_getenv.patch similarity index 100% rename from devel/gcc/patches/12.3.0/920-specs_nonfatal_getenv.patch rename to devel/gcc/patches-12.x/920-specs_nonfatal_getenv.patch diff --git a/devel/gcc/patches/12.3.0/960-gotools-fix-compilation-when-making-cross-compiler.patch b/devel/gcc/patches-12.x/960-gotools-fix-compilation-when-making-cross-compiler.patch similarity index 100% rename from devel/gcc/patches/12.3.0/960-gotools-fix-compilation-when-making-cross-compiler.patch rename to devel/gcc/patches-12.x/960-gotools-fix-compilation-when-making-cross-compiler.patch diff --git a/devel/gcc/patches/12.3.0/970-macos_arm64-building-fix.patch b/devel/gcc/patches-12.x/970-macos_arm64-building-fix.patch similarity index 100% rename from devel/gcc/patches/12.3.0/970-macos_arm64-building-fix.patch rename to devel/gcc/patches-12.x/970-macos_arm64-building-fix.patch 
diff --git a/devel/gcc/patches/8.4.0/002-case_insensitive.patch b/devel/gcc/patches-8.x/002-case_insensitive.patch similarity index 100% rename from devel/gcc/patches/8.4.0/002-case_insensitive.patch rename to devel/gcc/patches-8.x/002-case_insensitive.patch diff --git a/devel/gcc/patches/8.4.0/003-dont-choke-when-building-32bit-on-64bit.patch b/devel/gcc/patches-8.x/003-dont-choke-when-building-32bit-on-64bit.patch similarity index 100% rename from devel/gcc/patches/8.4.0/003-dont-choke-when-building-32bit-on-64bit.patch rename to devel/gcc/patches-8.x/003-dont-choke-when-building-32bit-on-64bit.patch diff --git a/devel/gcc/patches/8.4.0/010-documentation.patch b/devel/gcc/patches-8.x/010-documentation.patch similarity index 100% rename from devel/gcc/patches/8.4.0/010-documentation.patch rename to devel/gcc/patches-8.x/010-documentation.patch diff --git a/devel/gcc/patches/8.4.0/110-Fix-MIPS-PR-84790.patch b/devel/gcc/patches-8.x/110-Fix-MIPS-PR-84790.patch similarity index 100% rename from devel/gcc/patches/8.4.0/110-Fix-MIPS-PR-84790.patch rename to devel/gcc/patches-8.x/110-Fix-MIPS-PR-84790.patch diff --git a/devel/gcc/patches/8.4.0/230-musl_libssp.patch b/devel/gcc/patches-8.x/230-musl_libssp.patch similarity index 100% rename from devel/gcc/patches/8.4.0/230-musl_libssp.patch rename to devel/gcc/patches-8.x/230-musl_libssp.patch diff --git a/devel/gcc/patches/8.4.0/300-mips_Os_cpu_rtx_cost_model.patch b/devel/gcc/patches-8.x/300-mips_Os_cpu_rtx_cost_model.patch similarity index 100% rename from devel/gcc/patches/8.4.0/300-mips_Os_cpu_rtx_cost_model.patch rename to devel/gcc/patches-8.x/300-mips_Os_cpu_rtx_cost_model.patch diff --git a/devel/gcc/patches/8.4.0/800-arm_v5te_no_ldrd_strd.patch b/devel/gcc/patches-8.x/800-arm_v5te_no_ldrd_strd.patch similarity index 100% rename from devel/gcc/patches/8.4.0/800-arm_v5te_no_ldrd_strd.patch rename to devel/gcc/patches-8.x/800-arm_v5te_no_ldrd_strd.patch 
diff --git a/devel/gcc/patches/8.4.0/810-arm-softfloat-libgcc.patch b/devel/gcc/patches-8.x/810-arm-softfloat-libgcc.patch
similarity index 100%
rename from devel/gcc/patches/8.4.0/810-arm-softfloat-libgcc.patch
rename to devel/gcc/patches-8.x/810-arm-softfloat-libgcc.patch
diff --git a/devel/gcc/patches/8.4.0/820-libgcc_pic.patch b/devel/gcc/patches-8.x/820-libgcc_pic.patch
similarity index 100%
rename from devel/gcc/patches/8.4.0/820-libgcc_pic.patch
rename to devel/gcc/patches-8.x/820-libgcc_pic.patch
diff --git a/devel/gcc/patches/8.4.0/840-armv4_pass_fix-v4bx_to_ld.patch b/devel/gcc/patches-8.x/840-armv4_pass_fix-v4bx_to_ld.patch
similarity index 100%
rename from devel/gcc/patches/8.4.0/840-armv4_pass_fix-v4bx_to_ld.patch
rename to devel/gcc/patches-8.x/840-armv4_pass_fix-v4bx_to_ld.patch
diff --git a/devel/gcc/patches/8.4.0/850-use_shared_libgcc.patch b/devel/gcc/patches-8.x/850-use_shared_libgcc.patch
similarity index 100%
rename from devel/gcc/patches/8.4.0/850-use_shared_libgcc.patch
rename to devel/gcc/patches-8.x/850-use_shared_libgcc.patch
diff --git a/devel/gcc/patches/8.4.0/851-libgcc_no_compat.patch b/devel/gcc/patches-8.x/851-libgcc_no_compat.patch
similarity index 100%
rename from devel/gcc/patches/8.4.0/851-libgcc_no_compat.patch
rename to devel/gcc/patches-8.x/851-libgcc_no_compat.patch
diff --git a/devel/gcc/patches/8.4.0/870-ppc_no_crtsavres.patch b/devel/gcc/patches-8.x/870-ppc_no_crtsavres.patch
similarity index 100%
rename from devel/gcc/patches/8.4.0/870-ppc_no_crtsavres.patch
rename to devel/gcc/patches-8.x/870-ppc_no_crtsavres.patch
diff --git a/devel/gcc/patches/8.4.0/881-no_tm_section.patch b/devel/gcc/patches-8.x/881-no_tm_section.patch
similarity index 100%
rename from devel/gcc/patches/8.4.0/881-no_tm_section.patch
rename to devel/gcc/patches-8.x/881-no_tm_section.patch
diff --git a/devel/gcc/patches/8.4.0/900-bad-mips16-crt.patch b/devel/gcc/patches-8.x/900-bad-mips16-crt.patch
similarity index 100%
rename from devel/gcc/patches/8.4.0/900-bad-mips16-crt.patch
rename to devel/gcc/patches-8.x/900-bad-mips16-crt.patch
diff --git a/devel/gcc/patches/8.4.0/910-mbsd_multi.patch b/devel/gcc/patches-8.x/910-mbsd_multi.patch
similarity index 100%
rename from devel/gcc/patches/8.4.0/910-mbsd_multi.patch
rename to devel/gcc/patches-8.x/910-mbsd_multi.patch
diff --git a/devel/gcc/patches/8.4.0/920-specs_nonfatal_getenv.patch b/devel/gcc/patches-8.x/920-specs_nonfatal_getenv.patch
similarity index 100%
rename from devel/gcc/patches/8.4.0/920-specs_nonfatal_getenv.patch
rename to devel/gcc/patches-8.x/920-specs_nonfatal_getenv.patch
diff --git a/devel/gcc/patches/8.4.0/930-fix-mips-noexecstack.patch b/devel/gcc/patches-8.x/930-fix-mips-noexecstack.patch
similarity index 100%
rename from devel/gcc/patches/8.4.0/930-fix-mips-noexecstack.patch
rename to devel/gcc/patches-8.x/930-fix-mips-noexecstack.patch
diff --git a/devel/gcc/patches/8.4.0/931-libffi-fix-MIPS-softfloat-build-issue.patch b/devel/gcc/patches-8.x/931-libffi-fix-MIPS-softfloat-build-issue.patch
similarity index 100%
rename from devel/gcc/patches/8.4.0/931-libffi-fix-MIPS-softfloat-build-issue.patch
rename to devel/gcc/patches-8.x/931-libffi-fix-MIPS-softfloat-build-issue.patch
diff --git a/devel/gcc/patches/8.4.0/960-gotools-fix-compilation-when-making-cross-compiler.patch b/devel/gcc/patches-8.x/960-gotools-fix-compilation-when-making-cross-compiler.patch
similarity index 100%
rename from devel/gcc/patches/8.4.0/960-gotools-fix-compilation-when-making-cross-compiler.patch
rename to devel/gcc/patches-8.x/960-gotools-fix-compilation-when-making-cross-compiler.patch
From a6934ed64ea6554e2806d87212cf87cfb22b7e17 Mon Sep 17 00:00:00 2001
From: Christian Marangi Date: Sun, 7 Apr 2024 01:26:37 +0200 Subject: [PATCH 003/106] devel: gcc: add missing RISCV patches for GCC 12 Add missing RISCV patches for GCC 12 from openwrt toolchain GCC. Signed-off-by: Christian Marangi --- .../700-RISCV-Inline-subword-atomic-ops.patch | 2021 +++++++++++++++++ ...linux-Don-t-add-latomic-with-pthread.patch | 36 + 2 files changed, 2057 insertions(+) create mode 100644 devel/gcc/patches-12.x/700-RISCV-Inline-subword-atomic-ops.patch create mode 100644 devel/gcc/patches-12.x/701-riscv-linux-Don-t-add-latomic-with-pthread.patch
diff --git a/devel/gcc/patches-12.x/700-RISCV-Inline-subword-atomic-ops.patch b/devel/gcc/patches-12.x/700-RISCV-Inline-subword-atomic-ops.patch
new file mode 100644
index 0000000000..b164c76522
--- /dev/null
+++ b/devel/gcc/patches-12.x/700-RISCV-Inline-subword-atomic-ops.patch
@@ -0,0 +1,2021 @@ +From f797260adaf52bee0ec0e16190bbefbe1bfc3692 Mon Sep 17 00:00:00 2001 +From: Patrick O'Neill +Date: Tue, 18 Apr 2023 14:33:13 -0700 +Subject: [PATCH] RISCV: Inline subword atomic ops + +RISC-V has no support for subword atomic operations; code currently +generates libatomic library calls. + +This patch changes the default behavior to inline subword atomic calls +(using the same logic as the existing library call). +Behavior can be specified using the -minline-atomics and +-mno-inline-atomics command line flags. + +gcc/libgcc/config/riscv/atomic.c has the same logic implemented in asm. +This will need to stay for backwards compatibility and the +-mno-inline-atomics flag. + +2023-04-18 Patrick O'Neill + +gcc/ChangeLog: + PR target/104338 + * config/riscv/riscv-protos.h: Add helper function stubs. + * config/riscv/riscv.cc: Add helper functions for subword masking. + * config/riscv/riscv.opt: Add command-line flag. + * config/riscv/sync.md: Add masking logic and inline asm for fetch_and_op, + fetch_and_nand, CAS, and exchange ops. + * doc/invoke.texi: Add blurb regarding command-line flag. + +libgcc/ChangeLog: + PR target/104338 + * config/riscv/atomic.c: Add reference to duplicate logic. + +gcc/testsuite/ChangeLog: + PR target/104338 + * gcc.target/riscv/inline-atomics-1.c: New test. + * gcc.target/riscv/inline-atomics-2.c: New test. + * gcc.target/riscv/inline-atomics-3.c: New test. + * gcc.target/riscv/inline-atomics-4.c: New test. + * gcc.target/riscv/inline-atomics-5.c: New test. + * gcc.target/riscv/inline-atomics-6.c: New test. + * gcc.target/riscv/inline-atomics-7.c: New test. + * gcc.target/riscv/inline-atomics-8.c: New test. 
+ +Signed-off-by: Patrick O'Neill +Signed-off-by: Palmer Dabbelt +--- + gcc/config/riscv/riscv-protos.h | 2 + + gcc/config/riscv/riscv.cc | 49 ++ + gcc/config/riscv/riscv.opt | 4 + + gcc/config/riscv/sync.md | 301 +++++++++ + gcc/doc/invoke.texi | 10 +- + .../gcc.target/riscv/inline-atomics-1.c | 18 + + .../gcc.target/riscv/inline-atomics-2.c | 9 + + .../gcc.target/riscv/inline-atomics-3.c | 569 ++++++++++++++++++ + .../gcc.target/riscv/inline-atomics-4.c | 566 +++++++++++++++++ + .../gcc.target/riscv/inline-atomics-5.c | 87 +++ + .../gcc.target/riscv/inline-atomics-6.c | 87 +++ + .../gcc.target/riscv/inline-atomics-7.c | 69 +++ + .../gcc.target/riscv/inline-atomics-8.c | 69 +++ + libgcc/config/riscv/atomic.c | 2 + + 14 files changed, 1841 insertions(+), 1 deletion(-) + create mode 100644 gcc/testsuite/gcc.target/riscv/inline-atomics-1.c + create mode 100644 gcc/testsuite/gcc.target/riscv/inline-atomics-2.c + create mode 100644 gcc/testsuite/gcc.target/riscv/inline-atomics-3.c + create mode 100644 gcc/testsuite/gcc.target/riscv/inline-atomics-4.c + create mode 100644 gcc/testsuite/gcc.target/riscv/inline-atomics-5.c + create mode 100644 gcc/testsuite/gcc.target/riscv/inline-atomics-6.c + create mode 100644 gcc/testsuite/gcc.target/riscv/inline-atomics-7.c + create mode 100644 gcc/testsuite/gcc.target/riscv/inline-atomics-8.c + +--- a/gcc/config/riscv/riscv-protos.h ++++ b/gcc/config/riscv/riscv-protos.h +@@ -74,6 +74,8 @@ extern bool riscv_expand_block_move (rtx + extern bool riscv_store_data_bypass_p (rtx_insn *, rtx_insn *); + extern rtx riscv_gen_gpr_save_insn (struct riscv_frame_info *); + extern bool riscv_gpr_save_operation_p (rtx); ++extern void riscv_subword_address (rtx, rtx *, rtx *, rtx *, rtx *); ++extern void riscv_lshift_subword (machine_mode, rtx, rtx, rtx *); + + /* Routines implemented in riscv-c.cc. 
*/ + void riscv_cpu_cpp_builtins (cpp_reader *); +--- a/gcc/config/riscv/riscv.cc ++++ b/gcc/config/riscv/riscv.cc +@@ -5605,6 +5605,55 @@ riscv_asan_shadow_offset (void) + return TARGET_64BIT ? (HOST_WIDE_INT_1 << 29) : 0; + } + ++/* Given memory reference MEM, expand code to compute the aligned ++ memory address, shift and mask values and store them into ++ *ALIGNED_MEM, *SHIFT, *MASK and *NOT_MASK. */ ++ ++void ++riscv_subword_address (rtx mem, rtx *aligned_mem, rtx *shift, rtx *mask, ++ rtx *not_mask) ++{ ++ /* Align the memory address to a word. */ ++ rtx addr = force_reg (Pmode, XEXP (mem, 0)); ++ ++ rtx addr_mask = gen_int_mode (-4, Pmode); ++ ++ rtx aligned_addr = gen_reg_rtx (Pmode); ++ emit_move_insn (aligned_addr, gen_rtx_AND (Pmode, addr, addr_mask)); ++ ++ *aligned_mem = change_address (mem, SImode, aligned_addr); ++ ++ /* Calculate the shift amount. */ ++ emit_move_insn (*shift, gen_rtx_AND (SImode, gen_lowpart (SImode, addr), ++ gen_int_mode (3, SImode))); ++ emit_move_insn (*shift, gen_rtx_ASHIFT (SImode, *shift, ++ gen_int_mode (3, SImode))); ++ ++ /* Calculate the mask. */ ++ int unshifted_mask = GET_MODE_MASK (GET_MODE (mem)); ++ ++ emit_move_insn (*mask, gen_int_mode (unshifted_mask, SImode)); ++ ++ emit_move_insn (*mask, gen_rtx_ASHIFT (SImode, *mask, ++ gen_lowpart (QImode, *shift))); ++ ++ emit_move_insn (*not_mask, gen_rtx_NOT(SImode, *mask)); ++} ++ ++/* Leftshift a subword within an SImode register. */ ++ ++void ++riscv_lshift_subword (machine_mode mode, rtx value, rtx shift, ++ rtx *shifted_value) ++{ ++ rtx value_reg = gen_reg_rtx (SImode); ++ emit_move_insn (value_reg, simplify_gen_subreg (SImode, value, ++ mode, 0)); ++ ++ emit_move_insn(*shifted_value, gen_rtx_ASHIFT (SImode, value_reg, ++ gen_lowpart (QImode, shift))); ++} ++ + /* Initialize the GCC target structure. 
*/ + #undef TARGET_ASM_ALIGNED_HI_OP + #define TARGET_ASM_ALIGNED_HI_OP "\t.half\t" +--- a/gcc/config/riscv/riscv.opt ++++ b/gcc/config/riscv/riscv.opt +@@ -209,6 +209,10 @@ int riscv_vector_elen_flags + TargetVariable + int riscv_zvl_flags + ++minline-atomics ++Target Var(TARGET_INLINE_SUBWORD_ATOMIC) Init(1) ++Always inline subword atomic operations. ++ + Enum + Name(isa_spec_class) Type(enum riscv_isa_spec_class) + Supported ISA specs (for use with the -misa-spec= option): +--- a/gcc/config/riscv/sync.md ++++ b/gcc/config/riscv/sync.md +@@ -21,8 +21,11 @@ + + (define_c_enum "unspec" [ + UNSPEC_COMPARE_AND_SWAP ++ UNSPEC_COMPARE_AND_SWAP_SUBWORD + UNSPEC_SYNC_OLD_OP ++ UNSPEC_SYNC_OLD_OP_SUBWORD + UNSPEC_SYNC_EXCHANGE ++ UNSPEC_SYNC_EXCHANGE_SUBWORD + UNSPEC_ATOMIC_STORE + UNSPEC_MEMORY_BARRIER + ]) +@@ -92,6 +95,135 @@ + "%F3amo.%A3 %0,%z2,%1" + [(set (attr "length") (const_int 8))]) + ++(define_insn "subword_atomic_fetch_strong_" ++ [(set (match_operand:SI 0 "register_operand" "=&r") ;; old value at mem ++ (match_operand:SI 1 "memory_operand" "+A")) ;; mem location ++ (set (match_dup 1) ++ (unspec_volatile:SI ++ [(any_atomic:SI (match_dup 1) ++ (match_operand:SI 2 "register_operand" "rI")) ;; value for op ++ (match_operand:SI 3 "register_operand" "rI")] ;; mask ++ UNSPEC_SYNC_OLD_OP_SUBWORD)) ++ (match_operand:SI 4 "register_operand" "rI") ;; not_mask ++ (clobber (match_scratch:SI 5 "=&r")) ;; tmp_1 ++ (clobber (match_scratch:SI 6 "=&r"))] ;; tmp_2 ++ "TARGET_ATOMIC && TARGET_INLINE_SUBWORD_ATOMIC" ++ { ++ return "1:\;" ++ "lr.w.aq\t%0, %1\;" ++ "\t%5, %0, %2\;" ++ "and\t%5, %5, %3\;" ++ "and\t%6, %0, %4\;" ++ "or\t%6, %6, %5\;" ++ "sc.w.rl\t%5, %6, %1\;" ++ "bnez\t%5, 1b"; ++ } ++ [(set (attr "length") (const_int 28))]) ++ ++(define_expand "atomic_fetch_nand" ++ [(match_operand:SHORT 0 "register_operand") ;; old value at mem ++ (not:SHORT (and:SHORT (match_operand:SHORT 1 "memory_operand") ;; mem location ++ (match_operand:SHORT 2 "reg_or_0_operand"))) ;; 
value for op ++ (match_operand:SI 3 "const_int_operand")] ;; model ++ "TARGET_ATOMIC && TARGET_INLINE_SUBWORD_ATOMIC" ++{ ++ /* We have no QImode/HImode atomics, so form a mask, then use ++ subword_atomic_fetch_strong_nand to implement a LR/SC version of the ++ operation. */ ++ ++ /* Logic duplicated in gcc/libgcc/config/riscv/atomic.c for use when inlining ++ is disabled */ ++ ++ rtx old = gen_reg_rtx (SImode); ++ rtx mem = operands[1]; ++ rtx value = operands[2]; ++ rtx aligned_mem = gen_reg_rtx (SImode); ++ rtx shift = gen_reg_rtx (SImode); ++ rtx mask = gen_reg_rtx (SImode); ++ rtx not_mask = gen_reg_rtx (SImode); ++ ++ riscv_subword_address (mem, &aligned_mem, &shift, &mask, ¬_mask); ++ ++ rtx shifted_value = gen_reg_rtx (SImode); ++ riscv_lshift_subword (mode, value, shift, &shifted_value); ++ ++ emit_insn (gen_subword_atomic_fetch_strong_nand (old, aligned_mem, ++ shifted_value, ++ mask, not_mask)); ++ ++ emit_move_insn (old, gen_rtx_ASHIFTRT (SImode, old, ++ gen_lowpart (QImode, shift))); ++ ++ emit_move_insn (operands[0], gen_lowpart (mode, old)); ++ ++ DONE; ++}) ++ ++(define_insn "subword_atomic_fetch_strong_nand" ++ [(set (match_operand:SI 0 "register_operand" "=&r") ;; old value at mem ++ (match_operand:SI 1 "memory_operand" "+A")) ;; mem location ++ (set (match_dup 1) ++ (unspec_volatile:SI ++ [(not:SI (and:SI (match_dup 1) ++ (match_operand:SI 2 "register_operand" "rI"))) ;; value for op ++ (match_operand:SI 3 "register_operand" "rI")] ;; mask ++ UNSPEC_SYNC_OLD_OP_SUBWORD)) ++ (match_operand:SI 4 "register_operand" "rI") ;; not_mask ++ (clobber (match_scratch:SI 5 "=&r")) ;; tmp_1 ++ (clobber (match_scratch:SI 6 "=&r"))] ;; tmp_2 ++ "TARGET_ATOMIC && TARGET_INLINE_SUBWORD_ATOMIC" ++ { ++ return "1:\;" ++ "lr.w.aq\t%0, %1\;" ++ "and\t%5, %0, %2\;" ++ "not\t%5, %5\;" ++ "and\t%5, %5, %3\;" ++ "and\t%6, %0, %4\;" ++ "or\t%6, %6, %5\;" ++ "sc.w.rl\t%5, %6, %1\;" ++ "bnez\t%5, 1b"; ++ } ++ [(set (attr "length") (const_int 32))]) ++ ++(define_expand 
"atomic_fetch_" ++ [(match_operand:SHORT 0 "register_operand") ;; old value at mem ++ (any_atomic:SHORT (match_operand:SHORT 1 "memory_operand") ;; mem location ++ (match_operand:SHORT 2 "reg_or_0_operand")) ;; value for op ++ (match_operand:SI 3 "const_int_operand")] ;; model ++ "TARGET_ATOMIC && TARGET_INLINE_SUBWORD_ATOMIC" ++{ ++ /* We have no QImode/HImode atomics, so form a mask, then use ++ subword_atomic_fetch_strong_ to implement a LR/SC version of the ++ operation. */ ++ ++ /* Logic duplicated in gcc/libgcc/config/riscv/atomic.c for use when inlining ++ is disabled */ ++ ++ rtx old = gen_reg_rtx (SImode); ++ rtx mem = operands[1]; ++ rtx value = operands[2]; ++ rtx aligned_mem = gen_reg_rtx (SImode); ++ rtx shift = gen_reg_rtx (SImode); ++ rtx mask = gen_reg_rtx (SImode); ++ rtx not_mask = gen_reg_rtx (SImode); ++ ++ riscv_subword_address (mem, &aligned_mem, &shift, &mask, ¬_mask); ++ ++ rtx shifted_value = gen_reg_rtx (SImode); ++ riscv_lshift_subword (mode, value, shift, &shifted_value); ++ ++ emit_insn (gen_subword_atomic_fetch_strong_ (old, aligned_mem, ++ shifted_value, ++ mask, not_mask)); ++ ++ emit_move_insn (old, gen_rtx_ASHIFTRT (SImode, old, ++ gen_lowpart (QImode, shift))); ++ ++ emit_move_insn (operands[0], gen_lowpart (mode, old)); ++ ++ DONE; ++}) ++ + (define_insn "atomic_exchange" + [(set (match_operand:GPR 0 "register_operand" "=&r") + (unspec_volatile:GPR +@@ -104,6 +236,56 @@ + "%F3amoswap.%A3 %0,%z2,%1" + [(set (attr "length") (const_int 8))]) + ++(define_expand "atomic_exchange" ++ [(match_operand:SHORT 0 "register_operand") ;; old value at mem ++ (match_operand:SHORT 1 "memory_operand") ;; mem location ++ (match_operand:SHORT 2 "register_operand") ;; value ++ (match_operand:SI 3 "const_int_operand")] ;; model ++ "TARGET_ATOMIC && TARGET_INLINE_SUBWORD_ATOMIC" ++{ ++ rtx old = gen_reg_rtx (SImode); ++ rtx mem = operands[1]; ++ rtx value = operands[2]; ++ rtx aligned_mem = gen_reg_rtx (SImode); ++ rtx shift = gen_reg_rtx (SImode); ++ 
rtx mask = gen_reg_rtx (SImode); ++ rtx not_mask = gen_reg_rtx (SImode); ++ ++ riscv_subword_address (mem, &aligned_mem, &shift, &mask, ¬_mask); ++ ++ rtx shifted_value = gen_reg_rtx (SImode); ++ riscv_lshift_subword (mode, value, shift, &shifted_value); ++ ++ emit_insn (gen_subword_atomic_exchange_strong (old, aligned_mem, ++ shifted_value, not_mask)); ++ ++ emit_move_insn (old, gen_rtx_ASHIFTRT (SImode, old, ++ gen_lowpart (QImode, shift))); ++ ++ emit_move_insn (operands[0], gen_lowpart (mode, old)); ++ DONE; ++}) ++ ++(define_insn "subword_atomic_exchange_strong" ++ [(set (match_operand:SI 0 "register_operand" "=&r") ;; old value at mem ++ (match_operand:SI 1 "memory_operand" "+A")) ;; mem location ++ (set (match_dup 1) ++ (unspec_volatile:SI ++ [(match_operand:SI 2 "reg_or_0_operand" "rI") ;; value ++ (match_operand:SI 3 "reg_or_0_operand" "rI")] ;; not_mask ++ UNSPEC_SYNC_EXCHANGE_SUBWORD)) ++ (clobber (match_scratch:SI 4 "=&r"))] ;; tmp_1 ++ "TARGET_ATOMIC && TARGET_INLINE_SUBWORD_ATOMIC" ++ { ++ return "1:\;" ++ "lr.w.aq\t%0, %1\;" ++ "and\t%4, %0, %3\;" ++ "or\t%4, %4, %2\;" ++ "sc.w.rl\t%4, %4, %1\;" ++ "bnez\t%4, 1b"; ++ } ++ [(set (attr "length") (const_int 20))]) ++ + (define_insn "atomic_cas_value_strong" + [(set (match_operand:GPR 0 "register_operand" "=&r") + (match_operand:GPR 1 "memory_operand" "+A")) +@@ -152,6 +334,125 @@ + DONE; + }) + ++(define_expand "atomic_compare_and_swap" ++ [(match_operand:SI 0 "register_operand") ;; bool output ++ (match_operand:SHORT 1 "register_operand") ;; val output ++ (match_operand:SHORT 2 "memory_operand") ;; memory ++ (match_operand:SHORT 3 "reg_or_0_operand") ;; expected value ++ (match_operand:SHORT 4 "reg_or_0_operand") ;; desired value ++ (match_operand:SI 5 "const_int_operand") ;; is_weak ++ (match_operand:SI 6 "const_int_operand") ;; mod_s ++ (match_operand:SI 7 "const_int_operand")] ;; mod_f ++ "TARGET_ATOMIC && TARGET_INLINE_SUBWORD_ATOMIC" ++{ ++ emit_insn (gen_atomic_cas_value_strong (operands[1], 
operands[2], ++ operands[3], operands[4], ++ operands[6], operands[7])); ++ ++ rtx val = gen_reg_rtx (SImode); ++ if (operands[1] != const0_rtx) ++ emit_move_insn (val, gen_rtx_SIGN_EXTEND (SImode, operands[1])); ++ else ++ emit_move_insn (val, const0_rtx); ++ ++ rtx exp = gen_reg_rtx (SImode); ++ if (operands[3] != const0_rtx) ++ emit_move_insn (exp, gen_rtx_SIGN_EXTEND (SImode, operands[3])); ++ else ++ emit_move_insn (exp, const0_rtx); ++ ++ rtx compare = val; ++ if (exp != const0_rtx) ++ { ++ rtx difference = gen_rtx_MINUS (SImode, val, exp); ++ compare = gen_reg_rtx (SImode); ++ emit_move_insn (compare, difference); ++ } ++ ++ if (word_mode != SImode) ++ { ++ rtx reg = gen_reg_rtx (word_mode); ++ emit_move_insn (reg, gen_rtx_SIGN_EXTEND (word_mode, compare)); ++ compare = reg; ++ } ++ ++ emit_move_insn (operands[0], gen_rtx_EQ (SImode, compare, const0_rtx)); ++ DONE; ++}) ++ ++(define_expand "atomic_cas_value_strong" ++ [(match_operand:SHORT 0 "register_operand") ;; val output ++ (match_operand:SHORT 1 "memory_operand") ;; memory ++ (match_operand:SHORT 2 "reg_or_0_operand") ;; expected value ++ (match_operand:SHORT 3 "reg_or_0_operand") ;; desired value ++ (match_operand:SI 4 "const_int_operand") ;; mod_s ++ (match_operand:SI 5 "const_int_operand") ;; mod_f ++ (match_scratch:SHORT 6)] ++ "TARGET_ATOMIC && TARGET_INLINE_SUBWORD_ATOMIC" ++{ ++ /* We have no QImode/HImode atomics, so form a mask, then use ++ subword_atomic_cas_strong to implement a LR/SC version of the ++ operation. 
*/ ++ ++ /* Logic duplicated in gcc/libgcc/config/riscv/atomic.c for use when inlining ++ is disabled */ ++ ++ rtx old = gen_reg_rtx (SImode); ++ rtx mem = operands[1]; ++ rtx aligned_mem = gen_reg_rtx (SImode); ++ rtx shift = gen_reg_rtx (SImode); ++ rtx mask = gen_reg_rtx (SImode); ++ rtx not_mask = gen_reg_rtx (SImode); ++ ++ riscv_subword_address (mem, &aligned_mem, &shift, &mask, ¬_mask); ++ ++ rtx o = operands[2]; ++ rtx n = operands[3]; ++ rtx shifted_o = gen_reg_rtx (SImode); ++ rtx shifted_n = gen_reg_rtx (SImode); ++ ++ riscv_lshift_subword (mode, o, shift, &shifted_o); ++ riscv_lshift_subword (mode, n, shift, &shifted_n); ++ ++ emit_move_insn (shifted_o, gen_rtx_AND (SImode, shifted_o, mask)); ++ emit_move_insn (shifted_n, gen_rtx_AND (SImode, shifted_n, mask)); ++ ++ emit_insn (gen_subword_atomic_cas_strong (old, aligned_mem, ++ shifted_o, shifted_n, ++ mask, not_mask)); ++ ++ emit_move_insn (old, gen_rtx_ASHIFTRT (SImode, old, ++ gen_lowpart (QImode, shift))); ++ ++ emit_move_insn (operands[0], gen_lowpart (mode, old)); ++ ++ DONE; ++}) ++ ++(define_insn "subword_atomic_cas_strong" ++ [(set (match_operand:SI 0 "register_operand" "=&r") ;; old value at mem ++ (match_operand:SI 1 "memory_operand" "+A")) ;; mem location ++ (set (match_dup 1) ++ (unspec_volatile:SI [(match_operand:SI 2 "reg_or_0_operand" "rJ") ;; expected value ++ (match_operand:SI 3 "reg_or_0_operand" "rJ")] ;; desired value ++ UNSPEC_COMPARE_AND_SWAP_SUBWORD)) ++ (match_operand:SI 4 "register_operand" "rI") ;; mask ++ (match_operand:SI 5 "register_operand" "rI") ;; not_mask ++ (clobber (match_scratch:SI 6 "=&r"))] ;; tmp_1 ++ "TARGET_ATOMIC && TARGET_INLINE_SUBWORD_ATOMIC" ++ { ++ return "1:\;" ++ "lr.w.aq\t%0, %1\;" ++ "and\t%6, %0, %4\;" ++ "bne\t%6, %z2, 1f\;" ++ "and\t%6, %0, %5\;" ++ "or\t%6, %6, %3\;" ++ "sc.w.rl\t%6, %6, %1\;" ++ "bnez\t%6, 1b\;" ++ "1:"; ++ } ++ [(set (attr "length") (const_int 28))]) ++ + (define_expand "atomic_test_and_set" + [(match_operand:QI 0 
"register_operand" "") ;; bool output + (match_operand:QI 1 "memory_operand" "+A") ;; memory +--- a/gcc/doc/invoke.texi ++++ b/gcc/doc/invoke.texi +@@ -753,7 +753,8 @@ Objective-C and Objective-C++ Dialects}. + -moverride=@var{string} -mverbose-cost-dump @gol + -mstack-protector-guard=@var{guard} -mstack-protector-guard-reg=@var{sysreg} @gol + -mstack-protector-guard-offset=@var{offset} -mtrack-speculation @gol +--moutline-atomics } ++-moutline-atomics ++-minline-atomics -mno-inline-atomics} + + @emph{Adapteva Epiphany Options} + @gccoptlist{-mhalf-reg-file -mprefer-short-insn-regs @gol +@@ -28035,6 +28036,13 @@ Do or don't use smaller but slower prolo + library function calls. The default is to use fast inline prologues and + epilogues. + ++@opindex minline-atomics ++@item -minline-atomics ++@itemx -mno-inline-atomics ++Do or don't use smaller but slower subword atomic emulation code that uses ++libatomic function calls. The default is to use fast inline subword atomics ++that do not require libatomic. ++ + @item -mshorten-memrefs + @itemx -mno-shorten-memrefs + @opindex mshorten-memrefs +--- /dev/null ++++ b/gcc/testsuite/gcc.target/riscv/inline-atomics-1.c +@@ -0,0 +1,18 @@ ++/* { dg-do compile } */ ++/* { dg-options "-mno-inline-atomics" } */ ++/* { dg-message "note: '__sync_fetch_and_nand' changed semantics in GCC 4.4" "fetch_and_nand" { target *-*-* } 0 } */ ++/* { dg-final { scan-assembler "\tcall\t__sync_fetch_and_add_1" } } */ ++/* { dg-final { scan-assembler "\tcall\t__sync_fetch_and_nand_1" } } */ ++/* { dg-final { scan-assembler "\tcall\t__sync_bool_compare_and_swap_1" } } */ ++ ++char foo; ++char bar; ++char baz; ++ ++int ++main () ++{ ++ __sync_fetch_and_add(&foo, 1); ++ __sync_fetch_and_nand(&bar, 1); ++ __sync_bool_compare_and_swap (&baz, 1, 2); ++} +--- /dev/null ++++ b/gcc/testsuite/gcc.target/riscv/inline-atomics-2.c +@@ -0,0 +1,9 @@ ++/* { dg-do compile } */ ++/* Verify that subword atomics do not generate calls. 
*/ ++/* { dg-options "-minline-atomics" } */ ++/* { dg-message "note: '__sync_fetch_and_nand' changed semantics in GCC 4.4" "fetch_and_nand" { target *-*-* } 0 } */ ++/* { dg-final { scan-assembler-not "\tcall\t__sync_fetch_and_add_1" } } */ ++/* { dg-final { scan-assembler-not "\tcall\t__sync_fetch_and_nand_1" } } */ ++/* { dg-final { scan-assembler-not "\tcall\t__sync_bool_compare_and_swap_1" } } */ ++ ++#include "inline-atomics-1.c" +\ No newline at end of file +--- /dev/null ++++ b/gcc/testsuite/gcc.target/riscv/inline-atomics-3.c +@@ -0,0 +1,569 @@ ++/* Check all char alignments. */ ++/* Duplicate logic as libatomic/testsuite/libatomic.c/atomic-op-1.c */ ++/* Test __atomic routines for existence and proper execution on 1 byte ++ values with each valid memory model. */ ++/* { dg-do run } */ ++/* { dg-options "-minline-atomics -Wno-address-of-packed-member" } */ ++ ++/* Test the execution of the __atomic_*OP builtin routines for a char. */ ++ ++extern void abort(void); ++ ++char count, res; ++const char init = ~0; ++ ++struct A ++{ ++ char a; ++ char b; ++ char c; ++ char d; ++} __attribute__ ((packed)) A; ++ ++/* The fetch_op routines return the original value before the operation. 
*/ ++ ++void ++test_fetch_add (char* v) ++{ ++ *v = 0; ++ count = 1; ++ ++ if (__atomic_fetch_add (v, count, __ATOMIC_RELAXED) != 0) ++ abort (); ++ ++ if (__atomic_fetch_add (v, 1, __ATOMIC_CONSUME) != 1) ++ abort (); ++ ++ if (__atomic_fetch_add (v, count, __ATOMIC_ACQUIRE) != 2) ++ abort (); ++ ++ if (__atomic_fetch_add (v, 1, __ATOMIC_RELEASE) != 3) ++ abort (); ++ ++ if (__atomic_fetch_add (v, count, __ATOMIC_ACQ_REL) != 4) ++ abort (); ++ ++ if (__atomic_fetch_add (v, 1, __ATOMIC_SEQ_CST) != 5) ++ abort (); ++} ++ ++ ++void ++test_fetch_sub (char* v) ++{ ++ *v = res = 20; ++ count = 0; ++ ++ if (__atomic_fetch_sub (v, count + 1, __ATOMIC_RELAXED) != res--) ++ abort (); ++ ++ if (__atomic_fetch_sub (v, 1, __ATOMIC_CONSUME) != res--) ++ abort (); ++ ++ if (__atomic_fetch_sub (v, count + 1, __ATOMIC_ACQUIRE) != res--) ++ abort (); ++ ++ if (__atomic_fetch_sub (v, 1, __ATOMIC_RELEASE) != res--) ++ abort (); ++ ++ if (__atomic_fetch_sub (v, count + 1, __ATOMIC_ACQ_REL) != res--) ++ abort (); ++ ++ if (__atomic_fetch_sub (v, 1, __ATOMIC_SEQ_CST) != res--) ++ abort (); ++} ++ ++void ++test_fetch_and (char* v) ++{ ++ *v = init; ++ ++ if (__atomic_fetch_and (v, 0, __ATOMIC_RELAXED) != init) ++ abort (); ++ ++ if (__atomic_fetch_and (v, init, __ATOMIC_CONSUME) != 0) ++ abort (); ++ ++ if (__atomic_fetch_and (v, 0, __ATOMIC_ACQUIRE) != 0) ++ abort (); ++ ++ *v = ~*v; ++ if (__atomic_fetch_and (v, init, __ATOMIC_RELEASE) != init) ++ abort (); ++ ++ if (__atomic_fetch_and (v, 0, __ATOMIC_ACQ_REL) != init) ++ abort (); ++ ++ if (__atomic_fetch_and (v, 0, __ATOMIC_SEQ_CST) != 0) ++ abort (); ++} ++ ++void ++test_fetch_nand (char* v) ++{ ++ *v = init; ++ ++ if (__atomic_fetch_nand (v, 0, __ATOMIC_RELAXED) != init) ++ abort (); ++ ++ if (__atomic_fetch_nand (v, init, __ATOMIC_CONSUME) != init) ++ abort (); ++ ++ if (__atomic_fetch_nand (v, 0, __ATOMIC_ACQUIRE) != 0 ) ++ abort (); ++ ++ if (__atomic_fetch_nand (v, init, __ATOMIC_RELEASE) != init) ++ abort (); ++ ++ if 
(__atomic_fetch_nand (v, init, __ATOMIC_ACQ_REL) != 0) ++ abort (); ++ ++ if (__atomic_fetch_nand (v, 0, __ATOMIC_SEQ_CST) != init) ++ abort (); ++} ++ ++void ++test_fetch_xor (char* v) ++{ ++ *v = init; ++ count = 0; ++ ++ if (__atomic_fetch_xor (v, count, __ATOMIC_RELAXED) != init) ++ abort (); ++ ++ if (__atomic_fetch_xor (v, ~count, __ATOMIC_CONSUME) != init) ++ abort (); ++ ++ if (__atomic_fetch_xor (v, 0, __ATOMIC_ACQUIRE) != 0) ++ abort (); ++ ++ if (__atomic_fetch_xor (v, ~count, __ATOMIC_RELEASE) != 0) ++ abort (); ++ ++ if (__atomic_fetch_xor (v, 0, __ATOMIC_ACQ_REL) != init) ++ abort (); ++ ++ if (__atomic_fetch_xor (v, ~count, __ATOMIC_SEQ_CST) != init) ++ abort (); ++} ++ ++void ++test_fetch_or (char* v) ++{ ++ *v = 0; ++ count = 1; ++ ++ if (__atomic_fetch_or (v, count, __ATOMIC_RELAXED) != 0) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_fetch_or (v, 2, __ATOMIC_CONSUME) != 1) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_fetch_or (v, count, __ATOMIC_ACQUIRE) != 3) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_fetch_or (v, 8, __ATOMIC_RELEASE) != 7) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_fetch_or (v, count, __ATOMIC_ACQ_REL) != 15) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_fetch_or (v, count, __ATOMIC_SEQ_CST) != 31) ++ abort (); ++} ++ ++/* The OP_fetch routines return the new value after the operation. 
*/ ++ ++void ++test_add_fetch (char* v) ++{ ++ *v = 0; ++ count = 1; ++ ++ if (__atomic_add_fetch (v, count, __ATOMIC_RELAXED) != 1) ++ abort (); ++ ++ if (__atomic_add_fetch (v, 1, __ATOMIC_CONSUME) != 2) ++ abort (); ++ ++ if (__atomic_add_fetch (v, count, __ATOMIC_ACQUIRE) != 3) ++ abort (); ++ ++ if (__atomic_add_fetch (v, 1, __ATOMIC_RELEASE) != 4) ++ abort (); ++ ++ if (__atomic_add_fetch (v, count, __ATOMIC_ACQ_REL) != 5) ++ abort (); ++ ++ if (__atomic_add_fetch (v, count, __ATOMIC_SEQ_CST) != 6) ++ abort (); ++} ++ ++ ++void ++test_sub_fetch (char* v) ++{ ++ *v = res = 20; ++ count = 0; ++ ++ if (__atomic_sub_fetch (v, count + 1, __ATOMIC_RELAXED) != --res) ++ abort (); ++ ++ if (__atomic_sub_fetch (v, 1, __ATOMIC_CONSUME) != --res) ++ abort (); ++ ++ if (__atomic_sub_fetch (v, count + 1, __ATOMIC_ACQUIRE) != --res) ++ abort (); ++ ++ if (__atomic_sub_fetch (v, 1, __ATOMIC_RELEASE) != --res) ++ abort (); ++ ++ if (__atomic_sub_fetch (v, count + 1, __ATOMIC_ACQ_REL) != --res) ++ abort (); ++ ++ if (__atomic_sub_fetch (v, count + 1, __ATOMIC_SEQ_CST) != --res) ++ abort (); ++} ++ ++void ++test_and_fetch (char* v) ++{ ++ *v = init; ++ ++ if (__atomic_and_fetch (v, 0, __ATOMIC_RELAXED) != 0) ++ abort (); ++ ++ *v = init; ++ if (__atomic_and_fetch (v, init, __ATOMIC_CONSUME) != init) ++ abort (); ++ ++ if (__atomic_and_fetch (v, 0, __ATOMIC_ACQUIRE) != 0) ++ abort (); ++ ++ *v = ~*v; ++ if (__atomic_and_fetch (v, init, __ATOMIC_RELEASE) != init) ++ abort (); ++ ++ if (__atomic_and_fetch (v, 0, __ATOMIC_ACQ_REL) != 0) ++ abort (); ++ ++ *v = ~*v; ++ if (__atomic_and_fetch (v, 0, __ATOMIC_SEQ_CST) != 0) ++ abort (); ++} ++ ++void ++test_nand_fetch (char* v) ++{ ++ *v = init; ++ ++ if (__atomic_nand_fetch (v, 0, __ATOMIC_RELAXED) != init) ++ abort (); ++ ++ if (__atomic_nand_fetch (v, init, __ATOMIC_CONSUME) != 0) ++ abort (); ++ ++ if (__atomic_nand_fetch (v, 0, __ATOMIC_ACQUIRE) != init) ++ abort (); ++ ++ if (__atomic_nand_fetch (v, init, __ATOMIC_RELEASE) != 
0) ++ abort (); ++ ++ if (__atomic_nand_fetch (v, init, __ATOMIC_ACQ_REL) != init) ++ abort (); ++ ++ if (__atomic_nand_fetch (v, 0, __ATOMIC_SEQ_CST) != init) ++ abort (); ++} ++ ++ ++ ++void ++test_xor_fetch (char* v) ++{ ++ *v = init; ++ count = 0; ++ ++ if (__atomic_xor_fetch (v, count, __ATOMIC_RELAXED) != init) ++ abort (); ++ ++ if (__atomic_xor_fetch (v, ~count, __ATOMIC_CONSUME) != 0) ++ abort (); ++ ++ if (__atomic_xor_fetch (v, 0, __ATOMIC_ACQUIRE) != 0) ++ abort (); ++ ++ if (__atomic_xor_fetch (v, ~count, __ATOMIC_RELEASE) != init) ++ abort (); ++ ++ if (__atomic_xor_fetch (v, 0, __ATOMIC_ACQ_REL) != init) ++ abort (); ++ ++ if (__atomic_xor_fetch (v, ~count, __ATOMIC_SEQ_CST) != 0) ++ abort (); ++} ++ ++void ++test_or_fetch (char* v) ++{ ++ *v = 0; ++ count = 1; ++ ++ if (__atomic_or_fetch (v, count, __ATOMIC_RELAXED) != 1) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_or_fetch (v, 2, __ATOMIC_CONSUME) != 3) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_or_fetch (v, count, __ATOMIC_ACQUIRE) != 7) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_or_fetch (v, 8, __ATOMIC_RELEASE) != 15) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_or_fetch (v, count, __ATOMIC_ACQ_REL) != 31) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_or_fetch (v, count, __ATOMIC_SEQ_CST) != 63) ++ abort (); ++} ++ ++ ++/* Test the OP routines with a result which isn't used. Use both variations ++ within each function. 
*/ ++ ++void ++test_add (char* v) ++{ ++ *v = 0; ++ count = 1; ++ ++ __atomic_add_fetch (v, count, __ATOMIC_RELAXED); ++ if (*v != 1) ++ abort (); ++ ++ __atomic_fetch_add (v, count, __ATOMIC_CONSUME); ++ if (*v != 2) ++ abort (); ++ ++ __atomic_add_fetch (v, 1 , __ATOMIC_ACQUIRE); ++ if (*v != 3) ++ abort (); ++ ++ __atomic_fetch_add (v, 1, __ATOMIC_RELEASE); ++ if (*v != 4) ++ abort (); ++ ++ __atomic_add_fetch (v, count, __ATOMIC_ACQ_REL); ++ if (*v != 5) ++ abort (); ++ ++ __atomic_fetch_add (v, count, __ATOMIC_SEQ_CST); ++ if (*v != 6) ++ abort (); ++} ++ ++ ++void ++test_sub (char* v) ++{ ++ *v = res = 20; ++ count = 0; ++ ++ __atomic_sub_fetch (v, count + 1, __ATOMIC_RELAXED); ++ if (*v != --res) ++ abort (); ++ ++ __atomic_fetch_sub (v, count + 1, __ATOMIC_CONSUME); ++ if (*v != --res) ++ abort (); ++ ++ __atomic_sub_fetch (v, 1, __ATOMIC_ACQUIRE); ++ if (*v != --res) ++ abort (); ++ ++ __atomic_fetch_sub (v, 1, __ATOMIC_RELEASE); ++ if (*v != --res) ++ abort (); ++ ++ __atomic_sub_fetch (v, count + 1, __ATOMIC_ACQ_REL); ++ if (*v != --res) ++ abort (); ++ ++ __atomic_fetch_sub (v, count + 1, __ATOMIC_SEQ_CST); ++ if (*v != --res) ++ abort (); ++} ++ ++void ++test_and (char* v) ++{ ++ *v = init; ++ ++ __atomic_and_fetch (v, 0, __ATOMIC_RELAXED); ++ if (*v != 0) ++ abort (); ++ ++ *v = init; ++ __atomic_fetch_and (v, init, __ATOMIC_CONSUME); ++ if (*v != init) ++ abort (); ++ ++ __atomic_and_fetch (v, 0, __ATOMIC_ACQUIRE); ++ if (*v != 0) ++ abort (); ++ ++ *v = ~*v; ++ __atomic_fetch_and (v, init, __ATOMIC_RELEASE); ++ if (*v != init) ++ abort (); ++ ++ __atomic_and_fetch (v, 0, __ATOMIC_ACQ_REL); ++ if (*v != 0) ++ abort (); ++ ++ *v = ~*v; ++ __atomic_fetch_and (v, 0, __ATOMIC_SEQ_CST); ++ if (*v != 0) ++ abort (); ++} ++ ++void ++test_nand (char* v) ++{ ++ *v = init; ++ ++ __atomic_fetch_nand (v, 0, __ATOMIC_RELAXED); ++ if (*v != init) ++ abort (); ++ ++ __atomic_fetch_nand (v, init, __ATOMIC_CONSUME); ++ if (*v != 0) ++ abort (); ++ ++ 
__atomic_nand_fetch (v, 0, __ATOMIC_ACQUIRE); ++ if (*v != init) ++ abort (); ++ ++ __atomic_nand_fetch (v, init, __ATOMIC_RELEASE); ++ if (*v != 0) ++ abort (); ++ ++ __atomic_fetch_nand (v, init, __ATOMIC_ACQ_REL); ++ if (*v != init) ++ abort (); ++ ++ __atomic_nand_fetch (v, 0, __ATOMIC_SEQ_CST); ++ if (*v != init) ++ abort (); ++} ++ ++ ++ ++void ++test_xor (char* v) ++{ ++ *v = init; ++ count = 0; ++ ++ __atomic_xor_fetch (v, count, __ATOMIC_RELAXED); ++ if (*v != init) ++ abort (); ++ ++ __atomic_fetch_xor (v, ~count, __ATOMIC_CONSUME); ++ if (*v != 0) ++ abort (); ++ ++ __atomic_xor_fetch (v, 0, __ATOMIC_ACQUIRE); ++ if (*v != 0) ++ abort (); ++ ++ __atomic_fetch_xor (v, ~count, __ATOMIC_RELEASE); ++ if (*v != init) ++ abort (); ++ ++ __atomic_fetch_xor (v, 0, __ATOMIC_ACQ_REL); ++ if (*v != init) ++ abort (); ++ ++ __atomic_xor_fetch (v, ~count, __ATOMIC_SEQ_CST); ++ if (*v != 0) ++ abort (); ++} ++ ++void ++test_or (char* v) ++{ ++ *v = 0; ++ count = 1; ++ ++ __atomic_or_fetch (v, count, __ATOMIC_RELAXED); ++ if (*v != 1) ++ abort (); ++ ++ count *= 2; ++ __atomic_fetch_or (v, count, __ATOMIC_CONSUME); ++ if (*v != 3) ++ abort (); ++ ++ count *= 2; ++ __atomic_or_fetch (v, 4, __ATOMIC_ACQUIRE); ++ if (*v != 7) ++ abort (); ++ ++ count *= 2; ++ __atomic_fetch_or (v, 8, __ATOMIC_RELEASE); ++ if (*v != 15) ++ abort (); ++ ++ count *= 2; ++ __atomic_or_fetch (v, count, __ATOMIC_ACQ_REL); ++ if (*v != 31) ++ abort (); ++ ++ count *= 2; ++ __atomic_fetch_or (v, count, __ATOMIC_SEQ_CST); ++ if (*v != 63) ++ abort (); ++} ++ ++int ++main () ++{ ++ char* V[] = {&A.a, &A.b, &A.c, &A.d}; ++ ++ for (int i = 0; i < 4; i++) { ++ test_fetch_add (V[i]); ++ test_fetch_sub (V[i]); ++ test_fetch_and (V[i]); ++ test_fetch_nand (V[i]); ++ test_fetch_xor (V[i]); ++ test_fetch_or (V[i]); ++ ++ test_add_fetch (V[i]); ++ test_sub_fetch (V[i]); ++ test_and_fetch (V[i]); ++ test_nand_fetch (V[i]); ++ test_xor_fetch (V[i]); ++ test_or_fetch (V[i]); ++ ++ test_add (V[i]); ++ test_sub 
(V[i]); ++ test_and (V[i]); ++ test_nand (V[i]); ++ test_xor (V[i]); ++ test_or (V[i]); ++ } ++ ++ return 0; ++} +--- /dev/null ++++ b/gcc/testsuite/gcc.target/riscv/inline-atomics-4.c +@@ -0,0 +1,566 @@ ++/* Check all short alignments. */ ++/* Duplicate logic as libatomic/testsuite/libatomic.c/atomic-op-2.c */ ++/* Test __atomic routines for existence and proper execution on 2 byte ++ values with each valid memory model. */ ++/* { dg-do run } */ ++/* { dg-options "-minline-atomics -Wno-address-of-packed-member" } */ ++ ++/* Test the execution of the __atomic_*OP builtin routines for a short. */ ++ ++extern void abort(void); ++ ++short count, res; ++const short init = ~0; ++ ++struct A ++{ ++ short a; ++ short b; ++} __attribute__ ((packed)) A; ++ ++/* The fetch_op routines return the original value before the operation. */ ++ ++void ++test_fetch_add (short* v) ++{ ++ *v = 0; ++ count = 1; ++ ++ if (__atomic_fetch_add (v, count, __ATOMIC_RELAXED) != 0) ++ abort (); ++ ++ if (__atomic_fetch_add (v, 1, __ATOMIC_CONSUME) != 1) ++ abort (); ++ ++ if (__atomic_fetch_add (v, count, __ATOMIC_ACQUIRE) != 2) ++ abort (); ++ ++ if (__atomic_fetch_add (v, 1, __ATOMIC_RELEASE) != 3) ++ abort (); ++ ++ if (__atomic_fetch_add (v, count, __ATOMIC_ACQ_REL) != 4) ++ abort (); ++ ++ if (__atomic_fetch_add (v, 1, __ATOMIC_SEQ_CST) != 5) ++ abort (); ++} ++ ++ ++void ++test_fetch_sub (short* v) ++{ ++ *v = res = 20; ++ count = 0; ++ ++ if (__atomic_fetch_sub (v, count + 1, __ATOMIC_RELAXED) != res--) ++ abort (); ++ ++ if (__atomic_fetch_sub (v, 1, __ATOMIC_CONSUME) != res--) ++ abort (); ++ ++ if (__atomic_fetch_sub (v, count + 1, __ATOMIC_ACQUIRE) != res--) ++ abort (); ++ ++ if (__atomic_fetch_sub (v, 1, __ATOMIC_RELEASE) != res--) ++ abort (); ++ ++ if (__atomic_fetch_sub (v, count + 1, __ATOMIC_ACQ_REL) != res--) ++ abort (); ++ ++ if (__atomic_fetch_sub (v, 1, __ATOMIC_SEQ_CST) != res--) ++ abort (); ++} ++ ++void ++test_fetch_and (short* v) ++{ ++ *v = init; ++ ++ if 
(__atomic_fetch_and (v, 0, __ATOMIC_RELAXED) != init) ++ abort (); ++ ++ if (__atomic_fetch_and (v, init, __ATOMIC_CONSUME) != 0) ++ abort (); ++ ++ if (__atomic_fetch_and (v, 0, __ATOMIC_ACQUIRE) != 0) ++ abort (); ++ ++ *v = ~*v; ++ if (__atomic_fetch_and (v, init, __ATOMIC_RELEASE) != init) ++ abort (); ++ ++ if (__atomic_fetch_and (v, 0, __ATOMIC_ACQ_REL) != init) ++ abort (); ++ ++ if (__atomic_fetch_and (v, 0, __ATOMIC_SEQ_CST) != 0) ++ abort (); ++} ++ ++void ++test_fetch_nand (short* v) ++{ ++ *v = init; ++ ++ if (__atomic_fetch_nand (v, 0, __ATOMIC_RELAXED) != init) ++ abort (); ++ ++ if (__atomic_fetch_nand (v, init, __ATOMIC_CONSUME) != init) ++ abort (); ++ ++ if (__atomic_fetch_nand (v, 0, __ATOMIC_ACQUIRE) != 0 ) ++ abort (); ++ ++ if (__atomic_fetch_nand (v, init, __ATOMIC_RELEASE) != init) ++ abort (); ++ ++ if (__atomic_fetch_nand (v, init, __ATOMIC_ACQ_REL) != 0) ++ abort (); ++ ++ if (__atomic_fetch_nand (v, 0, __ATOMIC_SEQ_CST) != init) ++ abort (); ++} ++ ++void ++test_fetch_xor (short* v) ++{ ++ *v = init; ++ count = 0; ++ ++ if (__atomic_fetch_xor (v, count, __ATOMIC_RELAXED) != init) ++ abort (); ++ ++ if (__atomic_fetch_xor (v, ~count, __ATOMIC_CONSUME) != init) ++ abort (); ++ ++ if (__atomic_fetch_xor (v, 0, __ATOMIC_ACQUIRE) != 0) ++ abort (); ++ ++ if (__atomic_fetch_xor (v, ~count, __ATOMIC_RELEASE) != 0) ++ abort (); ++ ++ if (__atomic_fetch_xor (v, 0, __ATOMIC_ACQ_REL) != init) ++ abort (); ++ ++ if (__atomic_fetch_xor (v, ~count, __ATOMIC_SEQ_CST) != init) ++ abort (); ++} ++ ++void ++test_fetch_or (short* v) ++{ ++ *v = 0; ++ count = 1; ++ ++ if (__atomic_fetch_or (v, count, __ATOMIC_RELAXED) != 0) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_fetch_or (v, 2, __ATOMIC_CONSUME) != 1) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_fetch_or (v, count, __ATOMIC_ACQUIRE) != 3) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_fetch_or (v, 8, __ATOMIC_RELEASE) != 7) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_fetch_or (v, count, 
__ATOMIC_ACQ_REL) != 15) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_fetch_or (v, count, __ATOMIC_SEQ_CST) != 31) ++ abort (); ++} ++ ++/* The OP_fetch routines return the new value after the operation. */ ++ ++void ++test_add_fetch (short* v) ++{ ++ *v = 0; ++ count = 1; ++ ++ if (__atomic_add_fetch (v, count, __ATOMIC_RELAXED) != 1) ++ abort (); ++ ++ if (__atomic_add_fetch (v, 1, __ATOMIC_CONSUME) != 2) ++ abort (); ++ ++ if (__atomic_add_fetch (v, count, __ATOMIC_ACQUIRE) != 3) ++ abort (); ++ ++ if (__atomic_add_fetch (v, 1, __ATOMIC_RELEASE) != 4) ++ abort (); ++ ++ if (__atomic_add_fetch (v, count, __ATOMIC_ACQ_REL) != 5) ++ abort (); ++ ++ if (__atomic_add_fetch (v, count, __ATOMIC_SEQ_CST) != 6) ++ abort (); ++} ++ ++ ++void ++test_sub_fetch (short* v) ++{ ++ *v = res = 20; ++ count = 0; ++ ++ if (__atomic_sub_fetch (v, count + 1, __ATOMIC_RELAXED) != --res) ++ abort (); ++ ++ if (__atomic_sub_fetch (v, 1, __ATOMIC_CONSUME) != --res) ++ abort (); ++ ++ if (__atomic_sub_fetch (v, count + 1, __ATOMIC_ACQUIRE) != --res) ++ abort (); ++ ++ if (__atomic_sub_fetch (v, 1, __ATOMIC_RELEASE) != --res) ++ abort (); ++ ++ if (__atomic_sub_fetch (v, count + 1, __ATOMIC_ACQ_REL) != --res) ++ abort (); ++ ++ if (__atomic_sub_fetch (v, count + 1, __ATOMIC_SEQ_CST) != --res) ++ abort (); ++} ++ ++void ++test_and_fetch (short* v) ++{ ++ *v = init; ++ ++ if (__atomic_and_fetch (v, 0, __ATOMIC_RELAXED) != 0) ++ abort (); ++ ++ *v = init; ++ if (__atomic_and_fetch (v, init, __ATOMIC_CONSUME) != init) ++ abort (); ++ ++ if (__atomic_and_fetch (v, 0, __ATOMIC_ACQUIRE) != 0) ++ abort (); ++ ++ *v = ~*v; ++ if (__atomic_and_fetch (v, init, __ATOMIC_RELEASE) != init) ++ abort (); ++ ++ if (__atomic_and_fetch (v, 0, __ATOMIC_ACQ_REL) != 0) ++ abort (); ++ ++ *v = ~*v; ++ if (__atomic_and_fetch (v, 0, __ATOMIC_SEQ_CST) != 0) ++ abort (); ++} ++ ++void ++test_nand_fetch (short* v) ++{ ++ *v = init; ++ ++ if (__atomic_nand_fetch (v, 0, __ATOMIC_RELAXED) != init) ++ abort (); ++ ++ 
if (__atomic_nand_fetch (v, init, __ATOMIC_CONSUME) != 0) ++ abort (); ++ ++ if (__atomic_nand_fetch (v, 0, __ATOMIC_ACQUIRE) != init) ++ abort (); ++ ++ if (__atomic_nand_fetch (v, init, __ATOMIC_RELEASE) != 0) ++ abort (); ++ ++ if (__atomic_nand_fetch (v, init, __ATOMIC_ACQ_REL) != init) ++ abort (); ++ ++ if (__atomic_nand_fetch (v, 0, __ATOMIC_SEQ_CST) != init) ++ abort (); ++} ++ ++ ++ ++void ++test_xor_fetch (short* v) ++{ ++ *v = init; ++ count = 0; ++ ++ if (__atomic_xor_fetch (v, count, __ATOMIC_RELAXED) != init) ++ abort (); ++ ++ if (__atomic_xor_fetch (v, ~count, __ATOMIC_CONSUME) != 0) ++ abort (); ++ ++ if (__atomic_xor_fetch (v, 0, __ATOMIC_ACQUIRE) != 0) ++ abort (); ++ ++ if (__atomic_xor_fetch (v, ~count, __ATOMIC_RELEASE) != init) ++ abort (); ++ ++ if (__atomic_xor_fetch (v, 0, __ATOMIC_ACQ_REL) != init) ++ abort (); ++ ++ if (__atomic_xor_fetch (v, ~count, __ATOMIC_SEQ_CST) != 0) ++ abort (); ++} ++ ++void ++test_or_fetch (short* v) ++{ ++ *v = 0; ++ count = 1; ++ ++ if (__atomic_or_fetch (v, count, __ATOMIC_RELAXED) != 1) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_or_fetch (v, 2, __ATOMIC_CONSUME) != 3) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_or_fetch (v, count, __ATOMIC_ACQUIRE) != 7) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_or_fetch (v, 8, __ATOMIC_RELEASE) != 15) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_or_fetch (v, count, __ATOMIC_ACQ_REL) != 31) ++ abort (); ++ ++ count *= 2; ++ if (__atomic_or_fetch (v, count, __ATOMIC_SEQ_CST) != 63) ++ abort (); ++} ++ ++ ++/* Test the OP routines with a result which isn't used. Use both variations ++ within each function. 
*/ ++ ++void ++test_add (short* v) ++{ ++ *v = 0; ++ count = 1; ++ ++ __atomic_add_fetch (v, count, __ATOMIC_RELAXED); ++ if (*v != 1) ++ abort (); ++ ++ __atomic_fetch_add (v, count, __ATOMIC_CONSUME); ++ if (*v != 2) ++ abort (); ++ ++ __atomic_add_fetch (v, 1 , __ATOMIC_ACQUIRE); ++ if (*v != 3) ++ abort (); ++ ++ __atomic_fetch_add (v, 1, __ATOMIC_RELEASE); ++ if (*v != 4) ++ abort (); ++ ++ __atomic_add_fetch (v, count, __ATOMIC_ACQ_REL); ++ if (*v != 5) ++ abort (); ++ ++ __atomic_fetch_add (v, count, __ATOMIC_SEQ_CST); ++ if (*v != 6) ++ abort (); ++} ++ ++ ++void ++test_sub (short* v) ++{ ++ *v = res = 20; ++ count = 0; ++ ++ __atomic_sub_fetch (v, count + 1, __ATOMIC_RELAXED); ++ if (*v != --res) ++ abort (); ++ ++ __atomic_fetch_sub (v, count + 1, __ATOMIC_CONSUME); ++ if (*v != --res) ++ abort (); ++ ++ __atomic_sub_fetch (v, 1, __ATOMIC_ACQUIRE); ++ if (*v != --res) ++ abort (); ++ ++ __atomic_fetch_sub (v, 1, __ATOMIC_RELEASE); ++ if (*v != --res) ++ abort (); ++ ++ __atomic_sub_fetch (v, count + 1, __ATOMIC_ACQ_REL); ++ if (*v != --res) ++ abort (); ++ ++ __atomic_fetch_sub (v, count + 1, __ATOMIC_SEQ_CST); ++ if (*v != --res) ++ abort (); ++} ++ ++void ++test_and (short* v) ++{ ++ *v = init; ++ ++ __atomic_and_fetch (v, 0, __ATOMIC_RELAXED); ++ if (*v != 0) ++ abort (); ++ ++ *v = init; ++ __atomic_fetch_and (v, init, __ATOMIC_CONSUME); ++ if (*v != init) ++ abort (); ++ ++ __atomic_and_fetch (v, 0, __ATOMIC_ACQUIRE); ++ if (*v != 0) ++ abort (); ++ ++ *v = ~*v; ++ __atomic_fetch_and (v, init, __ATOMIC_RELEASE); ++ if (*v != init) ++ abort (); ++ ++ __atomic_and_fetch (v, 0, __ATOMIC_ACQ_REL); ++ if (*v != 0) ++ abort (); ++ ++ *v = ~*v; ++ __atomic_fetch_and (v, 0, __ATOMIC_SEQ_CST); ++ if (*v != 0) ++ abort (); ++} ++ ++void ++test_nand (short* v) ++{ ++ *v = init; ++ ++ __atomic_fetch_nand (v, 0, __ATOMIC_RELAXED); ++ if (*v != init) ++ abort (); ++ ++ __atomic_fetch_nand (v, init, __ATOMIC_CONSUME); ++ if (*v != 0) ++ abort (); ++ ++ 
__atomic_nand_fetch (v, 0, __ATOMIC_ACQUIRE); ++ if (*v != init) ++ abort (); ++ ++ __atomic_nand_fetch (v, init, __ATOMIC_RELEASE); ++ if (*v != 0) ++ abort (); ++ ++ __atomic_fetch_nand (v, init, __ATOMIC_ACQ_REL); ++ if (*v != init) ++ abort (); ++ ++ __atomic_nand_fetch (v, 0, __ATOMIC_SEQ_CST); ++ if (*v != init) ++ abort (); ++} ++ ++ ++ ++void ++test_xor (short* v) ++{ ++ *v = init; ++ count = 0; ++ ++ __atomic_xor_fetch (v, count, __ATOMIC_RELAXED); ++ if (*v != init) ++ abort (); ++ ++ __atomic_fetch_xor (v, ~count, __ATOMIC_CONSUME); ++ if (*v != 0) ++ abort (); ++ ++ __atomic_xor_fetch (v, 0, __ATOMIC_ACQUIRE); ++ if (*v != 0) ++ abort (); ++ ++ __atomic_fetch_xor (v, ~count, __ATOMIC_RELEASE); ++ if (*v != init) ++ abort (); ++ ++ __atomic_fetch_xor (v, 0, __ATOMIC_ACQ_REL); ++ if (*v != init) ++ abort (); ++ ++ __atomic_xor_fetch (v, ~count, __ATOMIC_SEQ_CST); ++ if (*v != 0) ++ abort (); ++} ++ ++void ++test_or (short* v) ++{ ++ *v = 0; ++ count = 1; ++ ++ __atomic_or_fetch (v, count, __ATOMIC_RELAXED); ++ if (*v != 1) ++ abort (); ++ ++ count *= 2; ++ __atomic_fetch_or (v, count, __ATOMIC_CONSUME); ++ if (*v != 3) ++ abort (); ++ ++ count *= 2; ++ __atomic_or_fetch (v, 4, __ATOMIC_ACQUIRE); ++ if (*v != 7) ++ abort (); ++ ++ count *= 2; ++ __atomic_fetch_or (v, 8, __ATOMIC_RELEASE); ++ if (*v != 15) ++ abort (); ++ ++ count *= 2; ++ __atomic_or_fetch (v, count, __ATOMIC_ACQ_REL); ++ if (*v != 31) ++ abort (); ++ ++ count *= 2; ++ __atomic_fetch_or (v, count, __ATOMIC_SEQ_CST); ++ if (*v != 63) ++ abort (); ++} ++ ++int ++main () { ++ short* V[] = {&A.a, &A.b}; ++ ++ for (int i = 0; i < 2; i++) { ++ test_fetch_add (V[i]); ++ test_fetch_sub (V[i]); ++ test_fetch_and (V[i]); ++ test_fetch_nand (V[i]); ++ test_fetch_xor (V[i]); ++ test_fetch_or (V[i]); ++ ++ test_add_fetch (V[i]); ++ test_sub_fetch (V[i]); ++ test_and_fetch (V[i]); ++ test_nand_fetch (V[i]); ++ test_xor_fetch (V[i]); ++ test_or_fetch (V[i]); ++ ++ test_add (V[i]); ++ test_sub (V[i]); ++ 
test_and (V[i]); ++ test_nand (V[i]); ++ test_xor (V[i]); ++ test_or (V[i]); ++ } ++ ++ return 0; ++} +--- /dev/null ++++ b/gcc/testsuite/gcc.target/riscv/inline-atomics-5.c +@@ -0,0 +1,87 @@ ++/* Test __atomic routines for existence and proper execution on 1 byte ++ values with each valid memory model. */ ++/* Duplicate logic as libatomic/testsuite/libatomic.c/atomic-compare-exchange-1.c */ ++/* { dg-do run } */ ++/* { dg-options "-minline-atomics" } */ ++ ++/* Test the execution of the __atomic_compare_exchange_n builtin for a char. */ ++ ++extern void abort(void); ++ ++char v = 0; ++char expected = 0; ++char max = ~0; ++char desired = ~0; ++char zero = 0; ++ ++#define STRONG 0 ++#define WEAK 1 ++ ++int ++main () ++{ ++ ++ if (!__atomic_compare_exchange_n (&v, &expected, max, STRONG , __ATOMIC_RELAXED, __ATOMIC_RELAXED)) ++ abort (); ++ if (expected != 0) ++ abort (); ++ ++ if (__atomic_compare_exchange_n (&v, &expected, 0, STRONG , __ATOMIC_ACQUIRE, __ATOMIC_RELAXED)) ++ abort (); ++ if (expected != max) ++ abort (); ++ ++ if (!__atomic_compare_exchange_n (&v, &expected, 0, STRONG , __ATOMIC_RELEASE, __ATOMIC_ACQUIRE)) ++ abort (); ++ if (expected != max) ++ abort (); ++ if (v != 0) ++ abort (); ++ ++ if (__atomic_compare_exchange_n (&v, &expected, desired, WEAK, __ATOMIC_ACQ_REL, __ATOMIC_ACQUIRE)) ++ abort (); ++ if (expected != 0) ++ abort (); ++ ++ if (!__atomic_compare_exchange_n (&v, &expected, desired, STRONG , __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST)) ++ abort (); ++ if (expected != 0) ++ abort (); ++ if (v != max) ++ abort (); ++ ++ /* Now test the generic version. 
*/ ++ ++ v = 0; ++ ++ if (!__atomic_compare_exchange (&v, &expected, &max, STRONG, __ATOMIC_RELAXED, __ATOMIC_RELAXED)) ++ abort (); ++ if (expected != 0) ++ abort (); ++ ++ if (__atomic_compare_exchange (&v, &expected, &zero, STRONG , __ATOMIC_ACQUIRE, __ATOMIC_RELAXED)) ++ abort (); ++ if (expected != max) ++ abort (); ++ ++ if (!__atomic_compare_exchange (&v, &expected, &zero, STRONG , __ATOMIC_RELEASE, __ATOMIC_ACQUIRE)) ++ abort (); ++ if (expected != max) ++ abort (); ++ if (v != 0) ++ abort (); ++ ++ if (__atomic_compare_exchange (&v, &expected, &desired, WEAK, __ATOMIC_ACQ_REL, __ATOMIC_ACQUIRE)) ++ abort (); ++ if (expected != 0) ++ abort (); ++ ++ if (!__atomic_compare_exchange (&v, &expected, &desired, STRONG , __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST)) ++ abort (); ++ if (expected != 0) ++ abort (); ++ if (v != max) ++ abort (); ++ ++ return 0; ++} +--- /dev/null ++++ b/gcc/testsuite/gcc.target/riscv/inline-atomics-6.c +@@ -0,0 +1,87 @@ ++/* Test __atomic routines for existence and proper execution on 2 byte ++ values with each valid memory model. */ ++/* Duplicate logic as libatomic/testsuite/libatomic.c/atomic-compare-exchange-2.c */ ++/* { dg-do run } */ ++/* { dg-options "-minline-atomics" } */ ++ ++/* Test the execution of the __atomic_compare_exchange_n builtin for a short. 
*/ ++ ++extern void abort(void); ++ ++short v = 0; ++short expected = 0; ++short max = ~0; ++short desired = ~0; ++short zero = 0; ++ ++#define STRONG 0 ++#define WEAK 1 ++ ++int ++main () ++{ ++ ++ if (!__atomic_compare_exchange_n (&v, &expected, max, STRONG , __ATOMIC_RELAXED, __ATOMIC_RELAXED)) ++ abort (); ++ if (expected != 0) ++ abort (); ++ ++ if (__atomic_compare_exchange_n (&v, &expected, 0, STRONG , __ATOMIC_ACQUIRE, __ATOMIC_RELAXED)) ++ abort (); ++ if (expected != max) ++ abort (); ++ ++ if (!__atomic_compare_exchange_n (&v, &expected, 0, STRONG , __ATOMIC_RELEASE, __ATOMIC_ACQUIRE)) ++ abort (); ++ if (expected != max) ++ abort (); ++ if (v != 0) ++ abort (); ++ ++ if (__atomic_compare_exchange_n (&v, &expected, desired, WEAK, __ATOMIC_ACQ_REL, __ATOMIC_ACQUIRE)) ++ abort (); ++ if (expected != 0) ++ abort (); ++ ++ if (!__atomic_compare_exchange_n (&v, &expected, desired, STRONG , __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST)) ++ abort (); ++ if (expected != 0) ++ abort (); ++ if (v != max) ++ abort (); ++ ++ /* Now test the generic version. 
*/ ++ ++ v = 0; ++ ++ if (!__atomic_compare_exchange (&v, &expected, &max, STRONG, __ATOMIC_RELAXED, __ATOMIC_RELAXED)) ++ abort (); ++ if (expected != 0) ++ abort (); ++ ++ if (__atomic_compare_exchange (&v, &expected, &zero, STRONG , __ATOMIC_ACQUIRE, __ATOMIC_RELAXED)) ++ abort (); ++ if (expected != max) ++ abort (); ++ ++ if (!__atomic_compare_exchange (&v, &expected, &zero, STRONG , __ATOMIC_RELEASE, __ATOMIC_ACQUIRE)) ++ abort (); ++ if (expected != max) ++ abort (); ++ if (v != 0) ++ abort (); ++ ++ if (__atomic_compare_exchange (&v, &expected, &desired, WEAK, __ATOMIC_ACQ_REL, __ATOMIC_ACQUIRE)) ++ abort (); ++ if (expected != 0) ++ abort (); ++ ++ if (!__atomic_compare_exchange (&v, &expected, &desired, STRONG , __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST)) ++ abort (); ++ if (expected != 0) ++ abort (); ++ if (v != max) ++ abort (); ++ ++ return 0; ++} +--- /dev/null ++++ b/gcc/testsuite/gcc.target/riscv/inline-atomics-7.c +@@ -0,0 +1,69 @@ ++/* Test __atomic routines for existence and proper execution on 1 byte ++ values with each valid memory model. */ ++/* Duplicate logic as libatomic/testsuite/libatomic.c/atomic-exchange-1.c */ ++/* { dg-do run } */ ++/* { dg-options "-minline-atomics" } */ ++ ++/* Test the execution of the __atomic_exchange_n builtin for a char. */ ++ ++extern void abort(void); ++ ++char v, count, ret; ++ ++int ++main () ++{ ++ v = 0; ++ count = 0; ++ ++ if (__atomic_exchange_n (&v, count + 1, __ATOMIC_RELAXED) != count) ++ abort (); ++ count++; ++ ++ if (__atomic_exchange_n (&v, count + 1, __ATOMIC_ACQUIRE) != count) ++ abort (); ++ count++; ++ ++ if (__atomic_exchange_n (&v, count + 1, __ATOMIC_RELEASE) != count) ++ abort (); ++ count++; ++ ++ if (__atomic_exchange_n (&v, count + 1, __ATOMIC_ACQ_REL) != count) ++ abort (); ++ count++; ++ ++ if (__atomic_exchange_n (&v, count + 1, __ATOMIC_SEQ_CST) != count) ++ abort (); ++ count++; ++ ++ /* Now test the generic version. 
*/ ++ ++ count++; ++ ++ __atomic_exchange (&v, &count, &ret, __ATOMIC_RELAXED); ++ if (ret != count - 1 || v != count) ++ abort (); ++ count++; ++ ++ __atomic_exchange (&v, &count, &ret, __ATOMIC_ACQUIRE); ++ if (ret != count - 1 || v != count) ++ abort (); ++ count++; ++ ++ __atomic_exchange (&v, &count, &ret, __ATOMIC_RELEASE); ++ if (ret != count - 1 || v != count) ++ abort (); ++ count++; ++ ++ __atomic_exchange (&v, &count, &ret, __ATOMIC_ACQ_REL); ++ if (ret != count - 1 || v != count) ++ abort (); ++ count++; ++ ++ __atomic_exchange (&v, &count, &ret, __ATOMIC_SEQ_CST); ++ if (ret != count - 1 || v != count) ++ abort (); ++ count++; ++ ++ return 0; ++} +--- /dev/null ++++ b/gcc/testsuite/gcc.target/riscv/inline-atomics-8.c +@@ -0,0 +1,69 @@ ++/* Test __atomic routines for existence and proper execution on 2 byte ++ values with each valid memory model. */ ++/* Duplicate logic as libatomic/testsuite/libatomic.c/atomic-exchange-2.c */ ++/* { dg-do run } */ ++/* { dg-options "-minline-atomics" } */ ++ ++/* Test the execution of the __atomic_X builtin for a short. */ ++ ++extern void abort(void); ++ ++short v, count, ret; ++ ++int ++main () ++{ ++ v = 0; ++ count = 0; ++ ++ if (__atomic_exchange_n (&v, count + 1, __ATOMIC_RELAXED) != count) ++ abort (); ++ count++; ++ ++ if (__atomic_exchange_n (&v, count + 1, __ATOMIC_ACQUIRE) != count) ++ abort (); ++ count++; ++ ++ if (__atomic_exchange_n (&v, count + 1, __ATOMIC_RELEASE) != count) ++ abort (); ++ count++; ++ ++ if (__atomic_exchange_n (&v, count + 1, __ATOMIC_ACQ_REL) != count) ++ abort (); ++ count++; ++ ++ if (__atomic_exchange_n (&v, count + 1, __ATOMIC_SEQ_CST) != count) ++ abort (); ++ count++; ++ ++ /* Now test the generic version. 
*/ ++ ++ count++; ++ ++ __atomic_exchange (&v, &count, &ret, __ATOMIC_RELAXED); ++ if (ret != count - 1 || v != count) ++ abort (); ++ count++; ++ ++ __atomic_exchange (&v, &count, &ret, __ATOMIC_ACQUIRE); ++ if (ret != count - 1 || v != count) ++ abort (); ++ count++; ++ ++ __atomic_exchange (&v, &count, &ret, __ATOMIC_RELEASE); ++ if (ret != count - 1 || v != count) ++ abort (); ++ count++; ++ ++ __atomic_exchange (&v, &count, &ret, __ATOMIC_ACQ_REL); ++ if (ret != count - 1 || v != count) ++ abort (); ++ count++; ++ ++ __atomic_exchange (&v, &count, &ret, __ATOMIC_SEQ_CST); ++ if (ret != count - 1 || v != count) ++ abort (); ++ count++; ++ ++ return 0; ++} +--- a/libgcc/config/riscv/atomic.c ++++ b/libgcc/config/riscv/atomic.c +@@ -30,6 +30,8 @@ see the files COPYING3 and COPYING.RUNTI + #define INVERT "not %[tmp1], %[tmp1]\n\t" + #define DONT_INVERT "" + ++/* Logic duplicated in gcc/gcc/config/riscv/sync.md for use when inlining is enabled */ ++ + #define GENERATE_FETCH_AND_OP(type, size, opname, insn, invert, cop) \ + type __sync_fetch_and_ ## opname ## _ ## size (type *p, type v) \ + { \ diff --git a/devel/gcc/patches-12.x/701-riscv-linux-Don-t-add-latomic-with-pthread.patch b/devel/gcc/patches-12.x/701-riscv-linux-Don-t-add-latomic-with-pthread.patch new file mode 100644 index 0000000000..328c7be9ce --- /dev/null +++ b/devel/gcc/patches-12.x/701-riscv-linux-Don-t-add-latomic-with-pthread.patch 
@@ -0,0 +1,36 @@
+From 203f3060dd363361b172f7295f42bb6bf5ac0b3b Mon Sep 17 00:00:00 2001
+From: Andreas Schwab
+Date: Sat, 23 Apr 2022 15:48:42 +0200
+Subject: [PATCH] riscv/linux: Don't add -latomic with -pthread
+
+Now that we have support for inline subword atomic operations, it is no
+longer necessary to link against libatomic. This also fixes testsuite
+failures because the framework does not properly set up the linker flags
+for finding libatomic.
+The use of atomic operations is also independent of the use of libpthread.
+
+gcc/
+ * config/riscv/linux.h (LIB_SPEC): Don't redefine.
+---
+ gcc/config/riscv/linux.h | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+--- a/gcc/config/riscv/linux.h
++++ b/gcc/config/riscv/linux.h
+@@ -35,16 +35,6 @@ along with GCC; see the file COPYING3.
+ #undef MUSL_DYNAMIC_LINKER
+ #define MUSL_DYNAMIC_LINKER "/lib/ld-musl-riscv" XLEN_SPEC MUSL_ABI_SUFFIX ".so.1"
+
+-/* Because RISC-V only has word-sized atomics, it requries libatomic where
+- others do not. So link libatomic by default, as needed. */
+-#undef LIB_SPEC
+-#ifdef LD_AS_NEEDED_OPTION
+-#define LIB_SPEC GNU_USER_TARGET_LIB_SPEC \
+- " %{pthread:" LD_AS_NEEDED_OPTION " -latomic " LD_NO_AS_NEEDED_OPTION "}"
+-#else
+-#define LIB_SPEC GNU_USER_TARGET_LIB_SPEC " -latomic "
+-#endif
+-
+ #define ICACHE_FLUSH_FUNC "__riscv_flush_icache"
+
+ #define CPP_SPEC "%{pthread:-D_REENTRANT}"
From da8303d430198dc09533920e05c3d2aa6596605e Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Sun, 7 Apr 2024 01:28:22 +0200 Subject: [PATCH 004/106] devel: gcc: add support for GCC 13 Add support for GCC 13 and take patches from openwrt main repo.
Signed-off-by: Christian Marangi --- devel/gcc/Makefile | 6 +- .../patches-13.x/002-case_insensitive.patch | 24 +++ ...t-choke-when-building-32bit-on-64bit.patch | 13 ++ .../gcc/patches-13.x/010-documentation.patch | 35 +++++ ...pe.h-after-C-standard-headers-to-avo.patch | 139 +++++++++++++++++ .../021-libcc1-fix-vector-include.patch | 65 ++++++++ .../patches-13.x/110-Fix-MIPS-PR-84790.patch | 20 +++ devel/gcc/patches-13.x/230-musl_libssp.patch | 13 ++ .../300-mips_Os_cpu_rtx_cost_model.patch | 21 +++ .../810-arm-softfloat-libgcc.patch | 33 ++++ devel/gcc/patches-13.x/820-libgcc_pic.patch | 44 ++++++ .../840-armv4_pass_fix-v4bx_to_ld.patch | 28 ++++ .../patches-13.x/850-use_shared_libgcc.patch | 54 +++++++ .../patches-13.x/851-libgcc_no_compat.patch | 22 +++ .../patches-13.x/870-ppc_no_crtsavres.patch | 11 ++ .../gcc/patches-13.x/881-no_tm_section.patch | 11 ++ .../gcc/patches-13.x/900-bad-mips16-crt.patch | 9 ++ devel/gcc/patches-13.x/910-mbsd_multi.patch | 146 ++++++++++++++++++ .../920-specs_nonfatal_getenv.patch | 22 +++ ...mpilation-when-making-cross-compiler.patch | 67 ++++++++ .../970-macos_arm64-building-fix.patch | 45 ++++++ 21 files changed, 827 insertions(+), 1 deletion(-) create mode 100644 devel/gcc/patches-13.x/002-case_insensitive.patch create mode 100644 devel/gcc/patches-13.x/003-dont-choke-when-building-32bit-on-64bit.patch create mode 100644 devel/gcc/patches-13.x/010-documentation.patch create mode 100644 devel/gcc/patches-13.x/020-Include-safe-ctype.h-after-C-standard-headers-to-avo.patch create mode 100644 devel/gcc/patches-13.x/021-libcc1-fix-vector-include.patch create mode 100644 devel/gcc/patches-13.x/110-Fix-MIPS-PR-84790.patch create mode 100644 devel/gcc/patches-13.x/230-musl_libssp.patch create mode 100644 devel/gcc/patches-13.x/300-mips_Os_cpu_rtx_cost_model.patch create mode 100644 devel/gcc/patches-13.x/810-arm-softfloat-libgcc.patch create mode 100644 devel/gcc/patches-13.x/820-libgcc_pic.patch create mode 100644 
devel/gcc/patches-13.x/840-armv4_pass_fix-v4bx_to_ld.patch create mode 100644 devel/gcc/patches-13.x/850-use_shared_libgcc.patch create mode 100644 devel/gcc/patches-13.x/851-libgcc_no_compat.patch create mode 100644 devel/gcc/patches-13.x/870-ppc_no_crtsavres.patch create mode 100644 devel/gcc/patches-13.x/881-no_tm_section.patch create mode 100644 devel/gcc/patches-13.x/900-bad-mips16-crt.patch create mode 100644 devel/gcc/patches-13.x/910-mbsd_multi.patch create mode 100644 devel/gcc/patches-13.x/920-specs_nonfatal_getenv.patch create mode 100644 devel/gcc/patches-13.x/960-gotools-fix-compilation-when-making-cross-compiler.patch create mode 100644 devel/gcc/patches-13.x/970-macos_arm64-building-fix.patch
diff --git a/devel/gcc/Makefile b/devel/gcc/Makefile
index 583ce15bc4..cf2178f2ff 100644
--- a/devel/gcc/Makefile
+++ b/devel/gcc/Makefile
@@ -24,7 +24,7 @@ PKG_NAME:=gcc
 GCC_VERSION:=$(call qstrip,$(CONFIG_GCC_VERSION))
 PKG_VERSION:=$(firstword $(subst +, ,$(GCC_VERSION)))
 GCC_MAJOR_VERSION:=$(word 1,$(subst ., ,$(PKG_VERSION)))
-PKG_RELEASE:=5
+PKG_RELEASE:=6
 GCC_DIR:=$(PKG_NAME)-$(PKG_VERSION)
 PKG_SOURCE_URL:=@GNU/gcc/gcc-$(PKG_VERSION)
@@ -51,6 +51,10 @@ ifeq ($(PKG_VERSION),12.3.0)
 PKG_HASH:=949a5d4f99e786421a93b532b22ffab5578de7321369975b91aec97adfda8c3b
 endif
+ifeq ($(PKG_VERSION),13.2.0)
+ PKG_HASH:=e275e76442a6067341a27f04c5c6b83d8613144004c0413528863dc6b5c743da
+endif
+
 PATCH_DIR:=patches-$(GCC_MAJOR_VERSION).x
 include $(INCLUDE_DIR)/package.mk
diff --git a/devel/gcc/patches-13.x/002-case_insensitive.patch b/devel/gcc/patches-13.x/002-case_insensitive.patch
new file mode 100644
index 0000000000..409497e5a3
--- /dev/null
+++ b/devel/gcc/patches-13.x/002-case_insensitive.patch
@@ -0,0 +1,24 @@
+commit 81cc26c706b2bc8c8c1eb1a322e5c5157900836e
+Author: Felix Fietkau
+Date: Sun Oct 19 21:45:51 2014 +0000
+
+ gcc: do not assume that the Mac OS X filesystem is case insensitive
+
+
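Review bot: In the `@@ -51,6 +51,10 @@` hunk of devel/gcc/Makefile, `PKG_HASH` is assigned only inside per-version `ifeq` blocks, so a `CONFIG_GCC_VERSION` that matches none of them (another 13.x point release, say) leaves it unset unless it is set somewhere outside the hunk. Whether the tarball is still integrity-checked in that case depends on build-system behaviour not shown here. I would add a guard after the last block, `ifeq ($(strip $(PKG_HASH)),)`, `$(error no PKG_HASH pinned for gcc $(PKG_VERSION))`, `endif`, or use `$(warning ...)` instead if this Makefile is also parsed when the package is not being built. The new 13.2.0 digest should also be compared with the checksum or signature published with the GNU release, since the commit does not record where the value came from. The earlier `ifeq` blocks start outside the hunk.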
Signed-off-by: Felix Fietkau + + SVN-Revision: 42973 + +--- a/include/filenames.h ++++ b/include/filenames.h +@@ -44,11 +44,6 @@ extern "C" { + # define IS_DIR_SEPARATOR(c) IS_DOS_DIR_SEPARATOR (c) + # define IS_ABSOLUTE_PATH(f) IS_DOS_ABSOLUTE_PATH (f) + #else /* not DOSish */ +-# if defined(__APPLE__) +-# ifndef HAVE_CASE_INSENSITIVE_FILE_SYSTEM +-# define HAVE_CASE_INSENSITIVE_FILE_SYSTEM 1 +-# endif +-# endif /* __APPLE__ */ + # define HAS_DRIVE_SPEC(f) (0) + # define IS_DIR_SEPARATOR(c) IS_UNIX_DIR_SEPARATOR (c) + # define IS_ABSOLUTE_PATH(f) IS_UNIX_ABSOLUTE_PATH (f) diff --git a/devel/gcc/patches-13.x/003-dont-choke-when-building-32bit-on-64bit.patch b/devel/gcc/patches-13.x/003-dont-choke-when-building-32bit-on-64bit.patch new file mode 100644 index 0000000000..c41f35e33b --- /dev/null +++ b/devel/gcc/patches-13.x/003-dont-choke-when-building-32bit-on-64bit.patch @@ -0,0 +1,13 @@ +--- a/gcc/real.h ++++ b/gcc/real.h +@@ -77,8 +77,10 @@ struct GTY(()) real_value { + + (REAL_VALUE_TYPE_SIZE%HOST_BITS_PER_WIDE_INT ? 1 : 0)) /* round up */ + + /* Verify the guess. */ ++#ifndef __LP64__ + extern char test_real_width + [sizeof (REAL_VALUE_TYPE) <= REAL_WIDTH * sizeof (HOST_WIDE_INT) ? 1 : -1]; ++#endif + + /* Calculate the format for CONST_DOUBLE. We need as many slots as + are necessary to overlay a REAL_VALUE_TYPE on them. This could be diff --git a/devel/gcc/patches-13.x/010-documentation.patch b/devel/gcc/patches-13.x/010-documentation.patch new file mode 100644 index 0000000000..9646568afe --- /dev/null +++ b/devel/gcc/patches-13.x/010-documentation.patch @@ -0,0 +1,35 @@ +commit 098bd91f5eae625c7d2ee621e10930fc4434e5e2 +Author: Luka Perkov +Date: Tue Feb 26 16:16:33 2013 +0000 + + gcc: don't build documentation + + This closes #13039. + + 
Signed-off-by: Luka Perkov + + SVN-Revision: 35807 + +--- a/gcc/Makefile.in ++++ b/gcc/Makefile.in +@@ -3397,18 +3397,10 @@ doc/gcc.info: $(TEXI_GCC_FILES) + doc/gccint.info: $(TEXI_GCCINT_FILES) + doc/cppinternals.info: $(TEXI_CPPINT_FILES) + +-doc/%.info: %.texi +- if [ x$(BUILD_INFO) = xinfo ]; then \ +- $(MAKEINFO) $(MAKEINFOFLAGS) -I . -I $(gcc_docdir) \ +- -I $(gcc_docdir)/include -o $@ $<; \ +- fi ++doc/%.info: + + # Duplicate entry to handle renaming of gccinstall.info +-doc/gccinstall.info: $(TEXI_GCCINSTALL_FILES) +- if [ x$(BUILD_INFO) = xinfo ]; then \ +- $(MAKEINFO) $(MAKEINFOFLAGS) -I $(gcc_docdir) \ +- -I $(gcc_docdir)/include -o $@ $<; \ +- fi ++doc/gccinstall.info: + + doc/cpp.dvi: $(TEXI_CPP_FILES) + doc/gcc.dvi: $(TEXI_GCC_FILES) diff --git a/devel/gcc/patches-13.x/020-Include-safe-ctype.h-after-C-standard-headers-to-avo.patch b/devel/gcc/patches-13.x/020-Include-safe-ctype.h-after-C-standard-headers-to-avo.patch new file mode 100644 index 0000000000..986d19057f --- /dev/null +++ b/devel/gcc/patches-13.x/020-Include-safe-ctype.h-after-C-standard-headers-to-avo.patch 
@@ -0,0 +1,139 @@ +From 9970b576b7e4ae337af1268395ff221348c4b34a Mon Sep 17 00:00:00 2001 +From: Francois-Xavier Coudert +Date: Thu, 7 Mar 2024 14:36:03 +0100 +Subject: [PATCH] Include safe-ctype.h after C++ standard headers, to avoid + over-poisoning + +When building gcc's C++ sources against recent libc++, the poisoning of +the ctype macros due to including safe-ctype.h before including C++ +standard headers such as , , etc, causes many compilation +errors, similar to: + + In file included from /home/dim/src/gcc/master/gcc/gensupport.cc:23: + In file included from /home/dim/src/gcc/master/gcc/system.h:233: + In file included from /usr/include/c++/v1/vector:321: + In file included from + /usr/include/c++/v1/__format/formatter_bool.h:20: + In file included from + /usr/include/c++/v1/__format/formatter_integral.h:32: + In file included from /usr/include/c++/v1/locale:202: + /usr/include/c++/v1/__locale:546:5: error: '__abi_tag__' attribute + only applies to structs, variables, functions, and namespaces + 546 | _LIBCPP_INLINE_VISIBILITY + | ^ + /usr/include/c++/v1/__config:813:37: note: expanded from macro + '_LIBCPP_INLINE_VISIBILITY' + 813 | # define _LIBCPP_INLINE_VISIBILITY _LIBCPP_HIDE_FROM_ABI + | ^ + /usr/include/c++/v1/__config:792:26: note: expanded from macro + '_LIBCPP_HIDE_FROM_ABI' + 792 | + __attribute__((__abi_tag__(_LIBCPP_TOSTRING( + _LIBCPP_VERSIONED_IDENTIFIER)))) + | ^ + In file included from /home/dim/src/gcc/master/gcc/gensupport.cc:23: + In file included from /home/dim/src/gcc/master/gcc/system.h:233: + In file included from /usr/include/c++/v1/vector:321: + In file included from + /usr/include/c++/v1/__format/formatter_bool.h:20: + In file included from + /usr/include/c++/v1/__format/formatter_integral.h:32: + In file included from /usr/include/c++/v1/locale:202: + /usr/include/c++/v1/__locale:547:37: error: expected ';' at end of + declaration list + 547 | char_type toupper(char_type __c) const + | ^ + /usr/include/c++/v1/__locale:553:48: 
error: too many arguments + provided to function-like macro invocation + 553 | const char_type* toupper(char_type* __low, const + char_type* __high) const + | ^ + /home/dim/src/gcc/master/gcc/../include/safe-ctype.h:146:9: note: + macro 'toupper' defined here + 146 | #define toupper(c) do_not_use_toupper_with_safe_ctype + | ^ + +This is because libc++ uses different transitive includes than +libstdc++, and some of those transitive includes pull in various ctype +declarations (typically via ). + +There was already a special case for including before +safe-ctype.h, so move the rest of the C++ standard header includes to +the same location, to fix the problem. + +gcc/ChangeLog: + + * system.h: Include safe-ctype.h after C++ standard headers. + +Signed-off-by: Dimitry Andric +--- + gcc/system.h | 39 ++++++++++++++++++--------------------- + 1 file changed, 18 insertions(+), 21 deletions(-) + +diff --git a/gcc/system.h b/gcc/system.h +index b0edab02885..ab29fc19776 100644 +--- a/gcc/system.h ++++ b/gcc/system.h +@@ -194,27 +194,8 @@ extern int fprintf_unlocked (FILE *, const char *, ...); + #undef fread_unlocked + #undef fwrite_unlocked + +-/* Include before "safe-ctype.h" to avoid GCC poisoning +- the ctype macros through safe-ctype.h */ +- +-#ifdef __cplusplus +-#ifdef INCLUDE_STRING +-# include +-#endif +-#endif +- +-/* There are an extraordinary number of issues with . +- The last straw is that it varies with the locale. Use libiberty's +- replacement instead. 
*/ +-#include "safe-ctype.h" +- +-#include +- +-#include +- +-#if !defined (errno) && defined (HAVE_DECL_ERRNO) && !HAVE_DECL_ERRNO +-extern int errno; +-#endif ++/* Include C++ standard headers before "safe-ctype.h" to avoid GCC ++ poisoning the ctype macros through safe-ctype.h */ + + #ifdef __cplusplus + #if defined (INCLUDE_ALGORITHM) || !defined (HAVE_SWAP_IN_UTILITY) +@@ -229,6 +210,9 @@ extern int errno; + #ifdef INCLUDE_SET + # include + #endif ++#ifdef INCLUDE_STRING ++# include ++#endif + #ifdef INCLUDE_VECTOR + # include + #endif +@@ -245,6 +229,19 @@ extern int errno; + # include + #endif + ++/* There are an extraordinary number of issues with . ++ The last straw is that it varies with the locale. Use libiberty's ++ replacement instead. */ ++#include "safe-ctype.h" ++ ++#include ++ ++#include ++ ++#if !defined (errno) && defined (HAVE_DECL_ERRNO) && !HAVE_DECL_ERRNO ++extern int errno; ++#endif ++ + /* Some of glibc's string inlines cause warnings. Plus we'd rather + rely on (and therefore test) GCC's string builtins. */ + #define __NO_STRING_INLINES +-- +2.39.3 + diff --git a/devel/gcc/patches-13.x/021-libcc1-fix-vector-include.patch b/devel/gcc/patches-13.x/021-libcc1-fix-vector-include.patch new file mode 100644 index 0000000000..b6b15cd1c6 --- /dev/null +++ b/devel/gcc/patches-13.x/021-libcc1-fix-vector-include.patch 
@@ -0,0 +1,65 @@ +From 5213047b1d50af63dfabb5e5649821a6cb157e33 Mon Sep 17 00:00:00 2001 +From: Francois-Xavier Coudert +Date: Sat, 16 Mar 2024 09:50:00 +0100 +Subject: [PATCH] libcc1: fix include + +Use INCLUDE_VECTOR before including system.h, instead of directly +including , to avoid running into poisoned identifiers. + +Signed-off-by: Dimitry Andric + +libcc1/ChangeLog: + + PR middle-end/111632 + * libcc1plugin.cc: Fix include. + * libcp1plugin.cc: Fix include. +--- + libcc1/libcc1plugin.cc | 3 +-- + libcc1/libcp1plugin.cc | 3 +-- + 2 files changed, 2 insertions(+), 4 deletions(-) + +diff --git a/libcc1/libcc1plugin.cc b/libcc1/libcc1plugin.cc +index 72d17c3b81c..e64847466f4 100644 +--- a/libcc1/libcc1plugin.cc ++++ b/libcc1/libcc1plugin.cc +@@ -32,6 +32,7 @@ + #undef PACKAGE_VERSION + + #define INCLUDE_MEMORY ++#define INCLUDE_VECTOR + #include "gcc-plugin.h" + #include "system.h" + #include "coretypes.h" +@@ -69,8 +70,6 @@ + #include "gcc-c-interface.h" + #include "context.hh" + +-#include +- + using namespace cc1_plugin; + + +diff --git a/libcc1/libcp1plugin.cc b/libcc1/libcp1plugin.cc +index 0eff7c68d29..da68c5d0ac1 100644 +--- a/libcc1/libcp1plugin.cc ++++ b/libcc1/libcp1plugin.cc +@@ -33,6 +33,7 @@ + #undef PACKAGE_VERSION + + #define INCLUDE_MEMORY ++#define INCLUDE_VECTOR + #include "gcc-plugin.h" + #include "system.h" + #include "coretypes.h" +@@ -71,8 +72,6 @@ + #include "rpc.hh" + #include "context.hh" + +-#include +- + using namespace cc1_plugin; + + +-- +2.39.3 + diff --git a/devel/gcc/patches-13.x/110-Fix-MIPS-PR-84790.patch b/devel/gcc/patches-13.x/110-Fix-MIPS-PR-84790.patch new file mode 100644 index 0000000000..856fd6a46c --- /dev/null +++ b/devel/gcc/patches-13.x/110-Fix-MIPS-PR-84790.patch 
@@ -0,0 +1,20 @@ +Fix https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84790. +MIPS16 functions have a static assembler prologue which clobbers +registers v0 and v1. Add these register clobbers to function call +instructions. + +--- a/gcc/config/mips/mips.cc ++++ b/gcc/config/mips/mips.cc +@@ -3134,6 +3134,12 @@ mips_emit_call_insn (rtx pattern, rtx or + emit_insn (gen_update_got_version ()); + } + ++ if (TARGET_MIPS16 && TARGET_USE_GOT) ++ { ++ clobber_reg (&CALL_INSN_FUNCTION_USAGE (insn), MIPS16_PIC_TEMP); ++ clobber_reg (&CALL_INSN_FUNCTION_USAGE (insn), MIPS_PROLOGUE_TEMP (word_mode)); ++ } ++ + if (TARGET_MIPS16 + && TARGET_EXPLICIT_RELOCS + && TARGET_CALL_CLOBBERED_GP) diff --git a/devel/gcc/patches-13.x/230-musl_libssp.patch b/devel/gcc/patches-13.x/230-musl_libssp.patch new file mode 100644 index 0000000000..fee068e1d6 --- /dev/null +++ b/devel/gcc/patches-13.x/230-musl_libssp.patch @@ -0,0 +1,13 @@ +--- a/gcc/gcc.cc ++++ b/gcc/gcc.cc +@@ -972,7 +972,9 @@ proper position among the other output f + #endif + + #ifndef LINK_SSP_SPEC +-#ifdef TARGET_LIBC_PROVIDES_SSP ++#if DEFAULT_LIBC == LIBC_MUSL ++#define LINK_SSP_SPEC "-lssp_nonshared" ++#elif defined(TARGET_LIBC_PROVIDES_SSP) + #define LINK_SSP_SPEC "%{fstack-protector|fstack-protector-all" \ + "|fstack-protector-strong|fstack-protector-explicit:}" + #else diff --git a/devel/gcc/patches-13.x/300-mips_Os_cpu_rtx_cost_model.patch b/devel/gcc/patches-13.x/300-mips_Os_cpu_rtx_cost_model.patch new file mode 100644 index 0000000000..ce21e0433d --- /dev/null +++ b/devel/gcc/patches-13.x/300-mips_Os_cpu_rtx_cost_model.patch 
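Review bot: 230-musl_libssp.patch carries no description, and its new `#if DEFAULT_LIBC == LIBC_MUSL` branch defines `LINK_SSP_SPEC` as a bare `"-lssp_nonshared"`, without the `%{fstack-protector|...}` condition used by the `TARGET_LIBC_PROVIDES_SSP` branch that follows it. As written, the library is requested on every link for a musl-default toolchain, whether or not stack protection was asked for, so a sysroot without libssp_nonshared.a would presumably fail at link time. A short header in the patch file should say why musl needs the library unconditionally and that it must be present in the sysroot. It should also note that `DEFAULT_LIBC` is the configured default, so the choice is fixed when the compiler is built. The `#else` branch of the conditional lies outside the hunk.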
@@ -0,0 +1,21 @@ +commit ecf7671b769fe96f7b5134be442089f8bdba55d2 +Author: Felix Fietkau +Date: Thu Aug 4 20:29:45 2016 +0200 + +gcc: add a patch to generate better code with Os on mips + +Also happens to reduce compressed code size a bit + +Signed-off-by: Felix Fietkau + +--- a/gcc/config/mips/mips.cc ++++ b/gcc/config/mips/mips.cc +@@ -20213,7 +20213,7 @@ mips_option_override (void) + flag_pcc_struct_return = 0; + + /* Decide which rtx_costs structure to use. */ +- if (optimize_size) ++ if (0 && optimize_size) + mips_cost = &mips_rtx_cost_optimize_size; + else + mips_cost = &mips_rtx_cost_data[mips_tune]; diff --git a/devel/gcc/patches-13.x/810-arm-softfloat-libgcc.patch b/devel/gcc/patches-13.x/810-arm-softfloat-libgcc.patch new file mode 100644 index 0000000000..5c9d86aead --- /dev/null +++ b/devel/gcc/patches-13.x/810-arm-softfloat-libgcc.patch @@ -0,0 +1,33 @@ +commit 8570c4be394cff7282f332f97da2ff569a927ddb +Author: Imre Kaloz +Date: Wed Feb 2 20:06:12 2011 +0000 + + fixup arm soft-float symbols + + SVN-Revision: 25325 + +--- a/libgcc/config/arm/t-linux ++++ b/libgcc/config/arm/t-linux +@@ -1,6 +1,10 @@ + LIB1ASMSRC = arm/lib1funcs.S + LIB1ASMFUNCS = _udivsi3 _divsi3 _umodsi3 _modsi3 _dvmd_lnx _clzsi2 _clzdi2 \ +- _ctzsi2 _arm_addsubdf3 _arm_addsubsf3 ++ _ctzsi2 _arm_addsubdf3 _arm_addsubsf3 \ ++ _arm_negdf2 _arm_muldivdf3 _arm_cmpdf2 _arm_unorddf2 \ ++ _arm_fixdfsi _arm_fixunsdfsi _arm_truncdfsf2 \ ++ _arm_negsf2 _arm_muldivsf3 _arm_cmpsf2 _arm_unordsf2 \ ++ _arm_fixsfsi _arm_fixunssfsi + + # Just for these, we omit the frame pointer since it makes such a big + # difference. +--- a/gcc/config/arm/linux-elf.h ++++ b/gcc/config/arm/linux-elf.h +@@ -58,8 +58,6 @@ + %{shared:-lc} \ + %{!shared:%{profile:-lc_p}%{!profile:-lc}}" + +-#define LIBGCC_SPEC "%{mfloat-abi=soft*:-lfloat} -lgcc" +- + #define GLIBC_DYNAMIC_LINKER "/lib/ld-linux.so.2" + + #define LINUX_TARGET_LINK_SPEC "%{h*} \ 
diff --git a/devel/gcc/patches-13.x/820-libgcc_pic.patch b/devel/gcc/patches-13.x/820-libgcc_pic.patch new file mode 100644 index 0000000000..7d10298190 --- /dev/null +++ b/devel/gcc/patches-13.x/820-libgcc_pic.patch @@ -0,0 +1,44 @@ +commit c96312958c0621e72c9b32da5bc224ffe2161384 +Author: Felix Fietkau +Date: Mon Oct 19 23:26:09 2009 +0000 + + gcc: create a proper libgcc_pic.a static library for relinking (4.3.3+ for now, backport will follow) + + SVN-Revision: 18086 + +--- a/libgcc/Makefile.in ++++ b/libgcc/Makefile.in +@@ -933,11 +933,12 @@ $(libgcov-driver-objects): %$(objext): $ + + # Static libraries. + libgcc.a: $(libgcc-objects) ++libgcc_pic.a: $(libgcc-s-objects) + libgcov.a: $(libgcov-objects) + libunwind.a: $(libunwind-objects) + libgcc_eh.a: $(libgcc-eh-objects) + +-libgcc.a libgcov.a libunwind.a libgcc_eh.a: ++libgcc.a libgcov.a libunwind.a libgcc_eh.a libgcc_pic.a: + -rm -f $@ + + objects="$(objects)"; \ +@@ -961,7 +962,7 @@ all: libunwind.a + endif + + ifeq ($(enable_shared),yes) +-all: libgcc_eh.a libgcc_s$(SHLIB_EXT) ++all: libgcc_eh.a libgcc_pic.a libgcc_s$(SHLIB_EXT) + ifneq ($(LIBUNWIND),) + all: libunwind$(SHLIB_EXT) + libgcc_s$(SHLIB_EXT): libunwind$(SHLIB_EXT) +@@ -1167,6 +1168,10 @@ install-shared: + chmod 644 $(DESTDIR)$(inst_libdir)/libgcc_eh.a + $(RANLIB) $(DESTDIR)$(inst_libdir)/libgcc_eh.a + ++ $(INSTALL_DATA) libgcc_pic.a $(mapfile) $(DESTDIR)$(inst_libdir)/ ++ chmod 644 $(DESTDIR)$(inst_libdir)/libgcc_pic.a ++ $(RANLIB) $(DESTDIR)$(inst_libdir)/libgcc_pic.a ++ + $(subst @multilib_dir@,$(MULTIDIR),$(subst \ + @shlib_base_name@,libgcc_s,$(subst \ + @shlib_slibdir_qual@,$(MULTIOSSUBDIR),$(SHLIB_INSTALL)))) diff --git a/devel/gcc/patches-13.x/840-armv4_pass_fix-v4bx_to_ld.patch b/devel/gcc/patches-13.x/840-armv4_pass_fix-v4bx_to_ld.patch new file mode 100644 index 0000000000..82935f3d1d --- /dev/null +++ b/devel/gcc/patches-13.x/840-armv4_pass_fix-v4bx_to_ld.patch 
@@ -0,0 +1,28 @@ +commit 7edc8ca5456d9743dd0075eb3cc5b04f4f24c8cc +Author: Imre Kaloz +Date: Wed Feb 2 19:34:36 2011 +0000 + + add armv4 fixup patches + + SVN-Revision: 25322 + + +--- a/gcc/config/arm/linux-eabi.h ++++ b/gcc/config/arm/linux-eabi.h +@@ -88,10 +88,15 @@ + #define MUSL_DYNAMIC_LINKER \ + "/lib/ld-musl-arm" MUSL_DYNAMIC_LINKER_E "%{mfloat-abi=hard:hf}%{mfdpic:-fdpic}.so.1" + ++/* For armv4 we pass --fix-v4bx to linker to support EABI */ ++#undef TARGET_FIX_V4BX_SPEC ++#define TARGET_FIX_V4BX_SPEC " %{mcpu=arm8|mcpu=arm810|mcpu=strongarm*"\ ++ "|march=armv4|mcpu=fa526|mcpu=fa626:--fix-v4bx}" ++ + /* At this point, bpabi.h will have clobbered LINK_SPEC. We want to + use the GNU/Linux version, not the generic BPABI version. */ + #undef LINK_SPEC +-#define LINK_SPEC EABI_LINK_SPEC \ ++#define LINK_SPEC EABI_LINK_SPEC TARGET_FIX_V4BX_SPEC \ + LINUX_OR_ANDROID_LD (LINUX_TARGET_LINK_SPEC, \ + LINUX_TARGET_LINK_SPEC " " ANDROID_LINK_SPEC) + diff --git a/devel/gcc/patches-13.x/850-use_shared_libgcc.patch b/devel/gcc/patches-13.x/850-use_shared_libgcc.patch new file mode 100644 index 0000000000..f4505ee70f --- /dev/null +++ b/devel/gcc/patches-13.x/850-use_shared_libgcc.patch 
@@ -0,0 +1,54 @@ +commit dcfc40358b5a3cae7320c17f8d1cebd5ad5540cd +Author: Felix Fietkau +Date: Sun Feb 12 20:25:47 2012 +0000 + + gcc 4.6: port over the missing patch 850-use_shared_libgcc.patch to prevent libgcc crap from leaking into every single binary + + SVN-Revision: 30486 +--- a/gcc/config/arm/linux-eabi.h ++++ b/gcc/config/arm/linux-eabi.h +@@ -129,10 +129,6 @@ + "%{Ofast|ffast-math|funsafe-math-optimizations:%{!shared:crtfastmath.o%s}} " \ + LINUX_OR_ANDROID_LD (GNU_USER_TARGET_ENDFILE_SPEC, ANDROID_ENDFILE_SPEC) + +-/* Use the default LIBGCC_SPEC, not the version in linux-elf.h, as we +- do not use -lfloat. */ +-#undef LIBGCC_SPEC +- + /* Clear the instruction cache from `beg' to `end'. This is + implemented in lib1funcs.S, so ensure an error if this definition + is used. */ +--- a/gcc/config/linux.h ++++ b/gcc/config/linux.h +@@ -58,6 +58,10 @@ see the files COPYING3 and COPYING.RUNTI + builtin_assert ("system=posix"); \ + } while (0) + ++#ifndef LIBGCC_SPEC ++#define LIBGCC_SPEC "%{static|static-libgcc:-lgcc}%{!static:%{!static-libgcc:-lgcc_s}}" ++#endif ++ + /* Determine which dynamic linker to use depending on whether GLIBC or + uClibc or Bionic or musl is the default C library and whether + -muclibc or -mglibc or -mbionic or -mmusl has been passed to change +--- a/libgcc/mkmap-symver.awk ++++ b/libgcc/mkmap-symver.awk +@@ -136,5 +136,5 @@ function output(lib) { + else if (inherit[lib]) + printf("} %s;\n", inherit[lib]); + else +- printf ("\n local:\n\t*;\n};\n"); ++ printf ("\n\t*;\n};\n"); + } +--- a/gcc/config/rs6000/linux.h ++++ b/gcc/config/rs6000/linux.h +@@ -67,6 +67,9 @@ + #undef CPP_OS_DEFAULT_SPEC + #define CPP_OS_DEFAULT_SPEC "%(cpp_os_linux)" + ++#undef LIBGCC_SPEC ++#define LIBGCC_SPEC "%{!static:%{!static-libgcc:-lgcc_s}} -lgcc" ++ + #undef LINK_SHLIB_SPEC + #define LINK_SHLIB_SPEC "%{shared:-shared} %{!shared: %{static:-static}} \ + %{static-pie:-static -pie --no-dynamic-linker -z text}" 
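Review bot: The `libgcc/mkmap-symver.awk` part of 850-use_shared_libgcc.patch is not covered by the patch description, which only mentions keeping libgcc out of every binary. Replacing `printf ("\n local:\n\t*;\n};\n");` with `printf ("\n\t*;\n};\n");` drops the `local:` label, so the trailing `*` wildcard appears to land in whatever section precedes it in the generated version script, and symbols that were hidden would then be exported from libgcc_s. If that wider export is intended, the header should record it, for example `mkmap-symver.awk: drop "local:" so the catch-all pattern no longer hides unversioned symbols`. The start of `output()` is outside the hunk, so the preceding section label is inferred rather than visible.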
diff --git a/devel/gcc/patches-13.x/851-libgcc_no_compat.patch b/devel/gcc/patches-13.x/851-libgcc_no_compat.patch new file mode 100644 index 0000000000..d710e40717 --- /dev/null +++ b/devel/gcc/patches-13.x/851-libgcc_no_compat.patch @@ -0,0 +1,22 @@ +commit 64661de100da1ec1061ef3e5e400285dce115e6b +Author: Felix Fietkau +Date: Sun May 10 13:16:35 2015 +0000 + + gcc: add some size optimization patches + + Signed-off-by: Felix Fietkau + + SVN-Revision: 45664 + +--- a/libgcc/config/t-libunwind ++++ b/libgcc/config/t-libunwind +@@ -2,8 +2,7 @@ + + HOST_LIBGCC2_CFLAGS += -DUSE_GAS_SYMVER + +-LIB2ADDEH = $(srcdir)/unwind-sjlj.c $(srcdir)/unwind-c.c \ +- $(srcdir)/unwind-compat.c $(srcdir)/unwind-dw2-fde-compat.c ++LIB2ADDEH = $(srcdir)/unwind-sjlj.c $(srcdir)/unwind-c.c + LIB2ADDEHSTATIC = $(srcdir)/unwind-sjlj.c $(srcdir)/unwind-c.c + + # Override the default value from t-slibgcc-elf-ver and mention -lunwind diff --git a/devel/gcc/patches-13.x/870-ppc_no_crtsavres.patch b/devel/gcc/patches-13.x/870-ppc_no_crtsavres.patch new file mode 100644 index 0000000000..0dca68899e --- /dev/null +++ b/devel/gcc/patches-13.x/870-ppc_no_crtsavres.patch @@ -0,0 +1,11 @@ +--- a/gcc/config/rs6000/rs6000-logue.cc ++++ b/gcc/config/rs6000/rs6000-logue.cc +@@ -344,7 +344,7 @@ rs6000_savres_strategy (rs6000_stack_t * + /* Define cutoff for using out-of-line functions to save registers. */ + if (DEFAULT_ABI == ABI_V4 || TARGET_ELF) + { +- if (!optimize_size) ++ if (1) + { + strategy |= SAVE_INLINE_FPRS | REST_INLINE_FPRS; + strategy |= SAVE_INLINE_GPRS | REST_INLINE_GPRS; diff --git a/devel/gcc/patches-13.x/881-no_tm_section.patch b/devel/gcc/patches-13.x/881-no_tm_section.patch new file mode 100644 index 0000000000..2029910fd0 --- /dev/null +++ b/devel/gcc/patches-13.x/881-no_tm_section.patch 
@@ -0,0 +1,11 @@ +--- a/libgcc/crtstuff.c ++++ b/libgcc/crtstuff.c +@@ -152,7 +152,7 @@ call_ ## FUNC (void) \ + #endif + + #if !defined(USE_TM_CLONE_REGISTRY) && defined(OBJECT_FORMAT_ELF) +-# define USE_TM_CLONE_REGISTRY 1 ++# define USE_TM_CLONE_REGISTRY 0 + #elif !defined(USE_TM_CLONE_REGISTRY) + # define USE_TM_CLONE_REGISTRY 0 + #endif diff --git a/devel/gcc/patches-13.x/900-bad-mips16-crt.patch b/devel/gcc/patches-13.x/900-bad-mips16-crt.patch new file mode 100644 index 0000000000..dd6e9dc889 --- /dev/null +++ b/devel/gcc/patches-13.x/900-bad-mips16-crt.patch @@ -0,0 +1,9 @@ +--- a/libgcc/config/mips/t-mips16 ++++ b/libgcc/config/mips/t-mips16 +@@ -43,3 +43,6 @@ SYNC_CFLAGS = -mno-mips16 + + # Version these symbols if building libgcc.so. + SHLIB_MAPFILES += $(srcdir)/config/mips/libgcc-mips16.ver ++ ++CRTSTUFF_T_CFLAGS += -mno-mips16 ++CRTSTUFF_T_CFLAGS_S += -mno-mips16 diff --git a/devel/gcc/patches-13.x/910-mbsd_multi.patch b/devel/gcc/patches-13.x/910-mbsd_multi.patch new file mode 100644 index 0000000000..4138e79bcc --- /dev/null +++ b/devel/gcc/patches-13.x/910-mbsd_multi.patch 
@@ -0,0 +1,146 @@ +commit 99368862e44740ff4fd33760893f04e14f9dbdf1 +Author: Felix Fietkau +Date: Tue Jul 31 00:52:27 2007 +0000 + + Port the mbsd_multi patch from freewrt, which adds -fhonour-copts. This will emit warnings in packages that don't use our target cflags properly + + SVN-Revision: 8256 + + This patch brings over a feature from MirBSD: + * -fhonour-copts + If this option is not given, it's warned (depending + on environment variables). This is to catch errors + of misbuilt packages which override CFLAGS themselves. + + This patch was authored by Thorsten Glaser + with copyright assignment to the FSF in effect. + +--- a/gcc/c-family/c-opts.cc ++++ b/gcc/c-family/c-opts.cc +@@ -104,6 +104,9 @@ static size_t include_cursor; + /* Whether any standard preincluded header has been preincluded. */ + static bool done_preinclude; + ++/* Check if a port honours COPTS. */ ++static int honour_copts = 0; ++ + static void handle_OPT_d (const char *); + static void set_std_cxx98 (int); + static void set_std_cxx11 (int); +@@ -475,6 +478,12 @@ c_common_handle_option (size_t scode, co + flag_no_builtin = !value; + break; + ++ case OPT_fhonour_copts: ++ if (c_language == clk_c) { ++ honour_copts++; ++ } ++ break; ++ + case OPT_fconstant_string_class_: + constant_string_class_name = arg; + break; +@@ -1228,6 +1237,47 @@ c_common_init (void) + return false; + } + ++ if (c_language == clk_c) { ++ char *ev = getenv ("GCC_HONOUR_COPTS"); ++ int evv; ++ if (ev == NULL) ++ evv = -1; ++ else if ((*ev == '0') || (*ev == '\0')) ++ evv = 0; ++ else if (*ev == '1') ++ evv = 1; ++ else if (*ev == '2') ++ evv = 2; ++ else if (*ev == 's') ++ evv = -1; ++ else { ++ warning (0, "unknown GCC_HONOUR_COPTS value, assuming 1"); ++ evv = 1; /* maybe depend this on something like MIRBSD_NATIVE? 
*/ ++ } ++ if (evv == 1) { ++ if (honour_copts == 0) { ++ error ("someone does not honour COPTS at all in lenient mode"); ++ return false; ++ } else if (honour_copts != 1) { ++ warning (0, "someone does not honour COPTS correctly, passed %d times", ++ honour_copts); ++ } ++ } else if (evv == 2) { ++ if (honour_copts == 0) { ++ error ("someone does not honour COPTS at all in strict mode"); ++ return false; ++ } else if (honour_copts != 1) { ++ error ("someone does not honour COPTS correctly, passed %d times", ++ honour_copts); ++ return false; ++ } ++ } else if (evv == 0) { ++ if (honour_copts != 1) ++ inform (UNKNOWN_LOCATION, "someone does not honour COPTS correctly, passed %d times", ++ honour_copts); ++ } ++ } ++ + return true; + } + +--- a/gcc/c-family/c.opt ++++ b/gcc/c-family/c.opt +@@ -1837,6 +1837,9 @@ C++ ObjC++ Optimization Alias(fexception + fhonor-std + C++ ObjC++ WarnRemoved + ++fhonour-copts ++C ObjC C++ ObjC++ RejectNegative ++ + fhosted + C ObjC + Assume normal C execution environment. +--- a/gcc/common.opt ++++ b/gcc/common.opt +@@ -1801,6 +1801,9 @@ fharden-conditional-branches + Common Var(flag_harden_conditional_branches) Optimization + Harden conditional branches by checking reversed conditions. + ++fhonour-copts ++Common RejectNegative ++ + ; Nonzero means ignore `#ident' directives. 0 means handle them. + ; Generate position-independent code for executables if possible + ; On SVR4 targets, it also controls whether or not to emit a +--- a/gcc/doc/invoke.texi ++++ b/gcc/doc/invoke.texi +@@ -10065,6 +10065,17 @@ This option is only supported for C and + @option{-Wall} and by @option{-Wpedantic}, which can be disabled with + @option{-Wno-pointer-sign}. + ++@item -fhonour-copts ++@opindex fhonour-copts ++If @env{GCC_HONOUR_COPTS} is set to 1, abort if this option is not ++given at least once, and warn if it is given more than once. ++If @env{GCC_HONOUR_COPTS} is set to 2, abort if this option is not ++given exactly once. 
++If @env{GCC_HONOUR_COPTS} is set to 0 or unset, warn if this option ++is not given exactly once. ++The warning is quelled if @env{GCC_HONOUR_COPTS} is set to @samp{s}. ++This flag and environment variable only affect the C language. ++ + @opindex Wstack-protector + @opindex Wno-stack-protector + @item -Wstack-protector +--- a/gcc/opts.cc ++++ b/gcc/opts.cc +@@ -2767,6 +2767,9 @@ common_handle_option (struct gcc_options + add_comma_separated_to_vector (&opts->x_flag_ignored_attributes, arg); + break; + ++ case OPT_fhonour_copts: ++ break; ++ + case OPT_Werror: + dc->warning_as_error_requested = value; + break; diff --git a/devel/gcc/patches-13.x/920-specs_nonfatal_getenv.patch b/devel/gcc/patches-13.x/920-specs_nonfatal_getenv.patch new file mode 100644 index 0000000000..265ca22c0c --- /dev/null +++ b/devel/gcc/patches-13.x/920-specs_nonfatal_getenv.patch @@ -0,0 +1,22 @@ +Author: Jo-Philipp Wich +Date: Sat Apr 21 03:02:39 2012 +0000 + + gcc: add patch to make the getenv() spec function nonfatal if requested environment variable is unset + + SVN-Revision: 31390 + +--- a/gcc/gcc.cc ++++ b/gcc/gcc.cc +@@ -10174,8 +10174,10 @@ getenv_spec_function (int argc, const ch + } + + if (!value) +- fatal_error (input_location, +- "environment variable %qs not defined", varname); ++ { ++ warning (input_location, "environment variable %qs not defined", varname); ++ value = ""; ++ } + + /* We have to escape every character of the environment variable so + they are not interpreted as active spec characters. A diff --git a/devel/gcc/patches-13.x/960-gotools-fix-compilation-when-making-cross-compiler.patch b/devel/gcc/patches-13.x/960-gotools-fix-compilation-when-making-cross-compiler.patch new file mode 100644 index 0000000000..b1d7576328 --- /dev/null +++ b/devel/gcc/patches-13.x/960-gotools-fix-compilation-when-making-cross-compiler.patch 
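Review bot: The `invoke.texi` text added by 910-mbsd_multi.patch does not match the code in `c_common_init`. The text says a warning is given when `GCC_HONOUR_COPTS` is "set to 0 or unset", but an unset variable (`ev == NULL`) sets `evv = -1`, the same value as `s`, and no branch acts on -1. Only an explicit `0` or an empty value reaches the `inform` call, and that emits a note rather than a warning. The documentation line could read `If @env{GCC_HONOUR_COPTS} is set to 0, a note is printed if this option is not given exactly once; if it is unset or set to @samp{s}, nothing is reported.` Only the first character of the value is tested, so `10` or `2x` are taken as 1 and 2; a comment beside the `getenv` call such as `/* only the first character of GCC_HONOUR_COPTS is examined */` would make that explicit.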
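Review bot: In 920-specs_nonfatal_getenv.patch, replacing `fatal_error` with `warning` plus `value = "";` means a spec that calls `getenv` for an unset variable now expands to an empty string and the driver carries on. If the result is used as a path prefix, as it is in upstream specs where a second argument is appended, the expansion collapses to the bare suffix, so headers or libraries could be resolved from an unintended root with only a warning in the log. The patch header should name the specs that rely on this, and a comment above the new block such as `/* OpenWrt: an unset variable expands to "" instead of aborting; specs that build paths from it must tolerate an empty prefix */` would document the contract. The rest of `getenv_spec_function` is outside the hunk, so how `value` is combined afterwards is inferred.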
@@ -0,0 +1,67 @@ +From dda6b050cd74a352670787a294596a9c56c21327 Mon Sep 17 00:00:00 2001 +From: Yousong Zhou +Date: Fri, 4 May 2018 18:20:53 +0800 +Subject: [PATCH] gotools: fix compilation when making cross compiler + +libgo is "the runtime support library for the Go programming language. +This library is intended for use with the Go frontend." + +gccgo will link target files with libgo.so which depends on libgcc_s.so.1, but +the linker will complain that it cannot find it. That's because shared libgcc +is not present in the install directory yet. libgo.so was made without problem +because gcc will emit -lgcc_s when compiled with -shared option. When gotools +were being made, it was supplied with -static-libgcc thus no link option was +provided. Check LIBGO in gcc/go/gcc-spec.c for how gccgo make a builtin spec +for linking with libgo.so + +- GccgoCrossCompilation, https://github.com/golang/go/wiki/GccgoCrossCompilation +- Cross-building instructions, http://www.eglibc.org/archives/patches/msg00078.html + +When 3-pass GCC compilation is used, shared libgcc runtime libraries will be +available after gcc pass2 completed and will meet the gotools link requirement +at gcc pass3 +--- + gotools/Makefile.am | 4 +++- + gotools/Makefile.in | 4 +++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/gotools/Makefile.am ++++ b/gotools/Makefile.am +@@ -26,6 +26,7 @@ PWD_COMMAND = $${PWDCMD-pwd} + STAMP = echo timestamp > + + libgodir = ../$(target_noncanonical)/libgo ++libgccdir = ../$(target_noncanonical)/libgcc + LIBGODEP = $(libgodir)/libgo.la + + LIBGOTOOL = $(libgodir)/libgotool.a +@@ -41,7 +42,8 @@ GOCFLAGS = $(CFLAGS_FOR_TARGET) + GOCOMPILE = $(GOCOMPILER) $(GOCFLAGS) + + AM_GOCFLAGS = -I $(libgodir) +-AM_LDFLAGS = -L $(libgodir) -L $(libgodir)/.libs ++AM_LDFLAGS = -L $(libgodir) -L $(libgodir)/.libs \ ++ -L $(libgccdir) -L $(libgccdir)/.libs -lgcc_s + GOLINK = $(GOCOMPILER) $(GOCFLAGS) $(AM_GOCFLAGS) $(LDFLAGS) $(AM_LDFLAGS) -o $@ + + libgosrcdir = 
$(srcdir)/../libgo/go +--- a/gotools/Makefile.in ++++ b/gotools/Makefile.in +@@ -337,6 +337,7 @@ mkinstalldirs = $(SHELL) $(toplevel_srcd + PWD_COMMAND = $${PWDCMD-pwd} + STAMP = echo timestamp > + libgodir = ../$(target_noncanonical)/libgo ++libgccdir = ../$(target_noncanonical)/libgcc + LIBGODEP = $(libgodir)/libgo.la + LIBGOTOOL = $(libgodir)/libgotool.a + @NATIVE_FALSE@GOCOMPILER = $(GOC) +@@ -346,7 +347,8 @@ LIBGOTOOL = $(libgodir)/libgotool.a + GOCFLAGS = $(CFLAGS_FOR_TARGET) + GOCOMPILE = $(GOCOMPILER) $(GOCFLAGS) + AM_GOCFLAGS = -I $(libgodir) +-AM_LDFLAGS = -L $(libgodir) -L $(libgodir)/.libs ++AM_LDFLAGS = -L $(libgodir) -L $(libgodir)/.libs \ ++ -L $(libgccdir) -L $(libgccdir)/.libs -lgcc_s + GOLINK = $(GOCOMPILER) $(GOCFLAGS) $(AM_GOCFLAGS) $(LDFLAGS) $(AM_LDFLAGS) -o $@ + libgosrcdir = $(srcdir)/../libgo/go + cmdsrcdir = $(libgosrcdir)/cmd diff --git a/devel/gcc/patches-13.x/970-macos_arm64-building-fix.patch b/devel/gcc/patches-13.x/970-macos_arm64-building-fix.patch new file mode 100644 index 0000000000..7844268e7e --- /dev/null +++ b/devel/gcc/patches-13.x/970-macos_arm64-building-fix.patch 
@@ -0,0 +1,45 @@ +commit 9c6e71079b46ad5433165feaa2001450f2017b56 +Author: Przemysław Buczkowski +Date: Mon Aug 16 13:16:21 2021 +0100 + + GCC: Patch for Apple Silicon compatibility + + This patch fixes a linker error occuring when compiling + the cross-compiler on macOS and ARM64 architecture. + + Adapted from: + https://github.com/richfelker/musl-cross-make/issues/116#issuecomment-823612404 + + Change-Id: Ia3ee98a163bbb62689f42e2da83a5ef36beb0913 + Reviewed-on: https://review.haiku-os.org/c/buildtools/+/4329 + Reviewed-by: John Scipione + Reviewed-by: Adrien Destugues + +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -1185,7 +1185,7 @@ extern enum aarch64_code_model aarch64_c + + /* Extra specs when building a native AArch64-hosted compiler. + Option rewriting rules based on host system. */ +-#if defined(__aarch64__) ++#if defined(__aarch64__) && ! defined(__APPLE__) + extern const char *host_detect_local_cpu (int argc, const char **argv); + #define HAVE_LOCAL_CPU_DETECT + # define EXTRA_SPEC_FUNCTIONS \ +--- a/gcc/config/host-darwin.cc ++++ b/gcc/config/host-darwin.cc +@@ -23,6 +23,8 @@ + #include "options.h" + #include "diagnostic-core.h" + #include "config/host-darwin.h" ++#include "hosthooks.h" ++#include "hosthooks-def.h" + #include + + /* For Darwin (macOS only) platforms, without ASLR (PIE) enabled on the +@@ -181,3 +183,5 @@ darwin_gt_pch_use_address (void *&addr, + + return 1; + } ++ ++const struct host_hooks host_hooks = HOST_HOOKS_INITIALIZER; From 4d9ec853bef7530cb97f23aa5b14c455e8f90d26 Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Thu, 11 Apr 2024 12:54:28 +0200 Subject: [PATCH 005/106] devel: gcc: refresh patches Refresh patches with make package/gcc/refresh by tweaking the GCC_VERSION to refresh every supported version. 
Signed-off-by: Christian Marangi --- .../003-dont-choke-when-building-32bit-on-64bit.patch | 7 +++---- devel/gcc/patches-12.x/910-mbsd_multi.patch | 2 +- ...lude-safe-ctype.h-after-C-standard-headers-to-avo.patch | 7 +------ devel/gcc/patches-13.x/021-libcc1-fix-vector-include.patch | 7 ------- .../003-dont-choke-when-building-32bit-on-64bit.patch | 7 +++---- 5 files changed, 8 insertions(+), 22 deletions(-) diff --git a/devel/gcc/patches-10.x/003-dont-choke-when-building-32bit-on-64bit.patch b/devel/gcc/patches-10.x/003-dont-choke-when-building-32bit-on-64bit.patch index 4b91f49a00..c41f35e33b 100644 --- a/devel/gcc/patches-10.x/003-dont-choke-when-building-32bit-on-64bit.patch +++ b/devel/gcc/patches-10.x/003-dont-choke-when-building-32bit-on-64bit.patch @@ -1,7 +1,6 @@ -diff -u --recursive gcc-10.3.0-vanilla/gcc/real.h gcc-10.3.0/gcc/real.h ---- gcc-10.3.0-vanilla/gcc/real.h 2021-04-08 06:56:28.561746620 -0500 -+++ gcc-10.3.0/gcc/real.h 2022-05-18 17:04:32.076412174 -0500 -@@ -77,8 +77,10 @@ +--- a/gcc/real.h ++++ b/gcc/real.h +@@ -77,8 +77,10 @@ struct GTY(()) real_value { + (REAL_VALUE_TYPE_SIZE%HOST_BITS_PER_WIDE_INT ? 1 : 0)) /* round up */ /* Verify the guess. */ diff --git a/devel/gcc/patches-12.x/910-mbsd_multi.patch b/devel/gcc/patches-12.x/910-mbsd_multi.patch index 0f75d0ce0e..9233c6a1d7 100644 --- a/devel/gcc/patches-12.x/910-mbsd_multi.patch +++ b/devel/gcc/patches-12.x/910-mbsd_multi.patch @@ -114,7 +114,7 @@ Date: Tue Jul 31 00:52:27 2007 +0000 ; On SVR4 targets, it also controls whether or not to emit a --- a/gcc/doc/invoke.texi +++ b/gcc/doc/invoke.texi -@@ -9596,6 +9596,17 @@ This option is only supported for C and +@@ -9597,6 +9597,17 @@ This option is only supported for C and @option{-Wall} and by @option{-Wpedantic}, which can be disabled with @option{-Wno-pointer-sign}. 
diff --git a/devel/gcc/patches-13.x/020-Include-safe-ctype.h-after-C-standard-headers-to-avo.patch b/devel/gcc/patches-13.x/020-Include-safe-ctype.h-after-C-standard-headers-to-avo.patch index 986d19057f..7519e31d53 100644 --- a/devel/gcc/patches-13.x/020-Include-safe-ctype.h-after-C-standard-headers-to-avo.patch +++ b/devel/gcc/patches-13.x/020-Include-safe-ctype.h-after-C-standard-headers-to-avo.patch @@ -70,11 +70,9 @@ Signed-off-by: Dimitry Andric gcc/system.h | 39 ++++++++++++++++++--------------------- 1 file changed, 18 insertions(+), 21 deletions(-) -diff --git a/gcc/system.h b/gcc/system.h -index b0edab02885..ab29fc19776 100644 --- a/gcc/system.h +++ b/gcc/system.h -@@ -194,27 +194,8 @@ extern int fprintf_unlocked (FILE *, const char *, ...); +@@ -194,27 +194,8 @@ extern int fprintf_unlocked (FILE *, con #undef fread_unlocked #undef fwrite_unlocked @@ -134,6 +132,3 @@ index b0edab02885..ab29fc19776 100644 /* Some of glibc's string inlines cause warnings. Plus we'd rather rely on (and therefore test) GCC's string builtins. */ #define __NO_STRING_INLINES --- -2.39.3 - diff --git a/devel/gcc/patches-13.x/021-libcc1-fix-vector-include.patch b/devel/gcc/patches-13.x/021-libcc1-fix-vector-include.patch index b6b15cd1c6..6d67292221 100644 --- a/devel/gcc/patches-13.x/021-libcc1-fix-vector-include.patch +++ b/devel/gcc/patches-13.x/021-libcc1-fix-vector-include.patch @@ -18,8 +18,6 @@ libcc1/ChangeLog: libcc1/libcp1plugin.cc | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) -diff --git a/libcc1/libcc1plugin.cc b/libcc1/libcc1plugin.cc -index 72d17c3b81c..e64847466f4 100644 --- a/libcc1/libcc1plugin.cc +++ b/libcc1/libcc1plugin.cc @@ -32,6 +32,7 @@ @@ -39,8 +37,6 @@ index 72d17c3b81c..e64847466f4 100644 using namespace cc1_plugin; -diff --git a/libcc1/libcp1plugin.cc b/libcc1/libcp1plugin.cc -index 0eff7c68d29..da68c5d0ac1 100644 --- a/libcc1/libcp1plugin.cc +++ b/libcc1/libcp1plugin.cc @@ -33,6 +33,7 @@ 
@@ -60,6 +56,3 @@ index 0eff7c68d29..da68c5d0ac1 100644 using namespace cc1_plugin; --- -2.39.3 - diff --git a/devel/gcc/patches-8.x/003-dont-choke-when-building-32bit-on-64bit.patch b/devel/gcc/patches-8.x/003-dont-choke-when-building-32bit-on-64bit.patch index 85b6744df7..39f06d8f9b 100644 --- a/devel/gcc/patches-8.x/003-dont-choke-when-building-32bit-on-64bit.patch +++ b/devel/gcc/patches-8.x/003-dont-choke-when-building-32bit-on-64bit.patch @@ -1,7 +1,6 @@ -diff -u --recursive gcc-8.4.0-vanilla/gcc/real.h gcc-8.4.0/gcc/real.h ---- gcc-8.4.0-vanilla/gcc/real.h 2020-03-04 02:30:01.000000000 -0600 -+++ gcc-8.4.0/gcc/real.h 2022-05-18 17:02:22.708820427 -0500 -@@ -70,8 +70,10 @@ +--- a/gcc/real.h ++++ b/gcc/real.h +@@ -70,8 +70,10 @@ struct GTY(()) real_value { + (REAL_VALUE_TYPE_SIZE%HOST_BITS_PER_WIDE_INT ? 1 : 0)) /* round up */ /* Verify the guess. */ From 80b15f0b9e6135978a7d17543d4be5fd13481b1a Mon Sep 17 00:00:00 2001 From: Rafal Macyszyn Date: Mon, 1 Apr 2024 20:50:49 +0200 Subject: [PATCH 006/106] softflowd: add '-b' option to config - add '-b' option to enable bidirectional flow probing Signed-off-by: Rafal Macyszyn --- net/softflowd/Makefile | 2 +- net/softflowd/files/softflowd.config | 1 + net/softflowd/files/softflowd.init | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/net/softflowd/Makefile b/net/softflowd/Makefile index 2a133b604a..7b4dfc10b8 100644 --- a/net/softflowd/Makefile +++ b/net/softflowd/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=softflowd PKG_VERSION:=1.1.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/irino/softflowd/tar.gz/softflowd-v$(PKG_VERSION)? diff --git a/net/softflowd/files/softflowd.config b/net/softflowd/files/softflowd.config index 87dbf1369a..ee0634634b 100644 --- a/net/softflowd/files/softflowd.config +++ b/net/softflowd/files/softflowd.config 
@@ -11,5 +11,6 @@ config softflowd option hoplimit '' option tracking_level 'full' option track_ipv6 '0' + option bidirectional '0' option sampling_rate '100' option filter '' diff --git a/net/softflowd/files/softflowd.init b/net/softflowd/files/softflowd.init index 1fdd9ae303..5becd45146 100755 --- a/net/softflowd/files/softflowd.init +++ b/net/softflowd/files/softflowd.init @@ -44,6 +44,7 @@ start_instance() { append_string "$section" 'tracking_level' '-T' append_string "$section" 'sampling_rate' '-s' append_bool "$section" track_ipv6 '-6' + append_bool "$section" bidirectional '-b' procd_open_instance procd_set_param command /usr/sbin/softflowd -d $args${pid_file:+ -p $pid_file} "$filter" From 7e54b2b3fc0ff81dbd4768fba292fa39e61e72cb Mon Sep 17 00:00:00 2001 From: krant Date: Thu, 11 Apr 2024 22:13:44 +0300 Subject: [PATCH 007/106] libdeflate: update to 1.20 Signed-off-by: krant --- libs/libdeflate/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libs/libdeflate/Makefile b/libs/libdeflate/Makefile index 5d45ae0050..f2d664d87b 100644 --- a/libs/libdeflate/Makefile +++ b/libs/libdeflate/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libdeflate -PKG_VERSION:=1.19 +PKG_VERSION:=1.20 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/ebiggers/libdeflate/releases/download/v$(PKG_VERSION) -PKG_HASH:=d9bb9bdd8cc5a8c1f7f6226fa0053dd72861e15f366e7ff7d0d191eac16d66f3 +PKG_HASH:=c52cf0239fd644d71c9e88613dd7431a5306ebee1280c5791c71ca264869250a PKG_LICENSE:=COPYING PKG_LICENSE_FILES:=MIT From 1cdbbea0ac76012a8acb5c9f765eed84ffa9c094 Mon Sep 17 00:00:00 2001 From: krant Date: Thu, 11 Apr 2024 22:17:21 +0300 Subject: [PATCH 008/106] libevdev: update to 1.13.1 Signed-off-by: krant --- libs/libevdev/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libs/libevdev/Makefile b/libs/libevdev/Makefile index 8043681faf..df923710af 100644 --- a/libs/libevdev/Makefile 
+++ b/libs/libevdev/Makefile @@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libevdev -PKG_VERSION:=1.13.0 +PKG_VERSION:=1.13.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://www.freedesktop.org/software/libevdev/ -PKG_HASH:=9edf2006cc86a5055279647c38ec923d11a821ee4dc2c3033e8d20e8ee237cd9 +PKG_HASH:=06a77bf2ac5c993305882bc1641017f5bec1592d6d1b64787bad492ab34f2f36 PKG_MAINTAINER:=Daniel Golle PKG_LICENSE:=MIT From ecc4ecb9d52a959f5c8e1451105e66f44fb0704c Mon Sep 17 00:00:00 2001 From: krant Date: Fri, 12 Apr 2024 05:54:50 +0300 Subject: [PATCH 009/106] whois: update to 5.5.22 - Don't override PKG_BUILD_DIR since tarball is now properly constructed Signed-off-by: krant --- utils/whois/Makefile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/utils/whois/Makefile b/utils/whois/Makefile index d0f850a472..f16beb20e9 100644 --- a/utils/whois/Makefile +++ b/utils/whois/Makefile @@ -1,14 +1,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=whois -PKG_VERSION:=5.5.21 +PKG_VERSION:=5.5.22 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=http://ftp.debian.org/debian/pool/main/w/whois -PKG_HASH:=760ab584beae76acdcc89c6aec2e91cff571185bccc2bee8e4412a3f8e70be77 +PKG_HASH:=03f12c27ae85870d7bcd95b14f3fb8b174532b2f2a59d8380c42ae436d0630d7 -PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME) PKG_BUILD_DEPENDS:=perl/host PKG_MAINTAINER:=Paul Spooren From a9ae9bad0650c7b584c836c204d8882256454004 Mon Sep 17 00:00:00 2001 From: krant Date: Fri, 12 Apr 2024 06:54:15 +0300 Subject: [PATCH 010/106] minicom: update to 2.9 - Refresh the patch Signed-off-by: krant --- utils/minicom/Makefile | 6 +++--- utils/minicom/patches/110-reproducible-builds.patch | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/utils/minicom/Makefile b/utils/minicom/Makefile index 3891effd0b..0184c8923a 100644 --- a/utils/minicom/Makefile +++ b/utils/minicom/Makefile 
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=minicom -PKG_VERSION:=2.8 -PKG_RELEASE:=2 +PKG_VERSION:=2.9 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=https://salsa.debian.org/minicom-team/minicom/-/archive/$(PKG_VERSION) -PKG_HASH:=38cea30913a20349326ff3f1763ee1512b7b41601c24f065f365e18e9db0beba +PKG_HASH:=9efbb6458140e5a0de445613f0e76bcf12cbf7a9892b2f53e075c2e7beaba86c PKG_MAINTAINER:=Álvaro Fernández Rojas PKG_LICENSE:=GPL-2.0-or-later diff --git a/utils/minicom/patches/110-reproducible-builds.patch b/utils/minicom/patches/110-reproducible-builds.patch index 82aaa13556..b72d783efd 100644 --- a/utils/minicom/patches/110-reproducible-builds.patch +++ b/utils/minicom/patches/110-reproducible-builds.patch @@ -1,6 +1,6 @@ --- a/src/minicom.c +++ b/src/minicom.c -@@ -1248,7 +1248,7 @@ int main(int argc, char **argv) +@@ -1323,7 +1323,7 @@ int main(int argc, char **argv) switch(c) { case 'v': printf(_("%s version %s"), PACKAGE, VERSION); @@ -9,7 +9,7 @@ printf(_(" (compiled %s)"), __DATE__); #endif printf("\n"); -@@ -1580,7 +1580,7 @@ int main(int argc, char **argv) +@@ -1659,7 +1659,7 @@ int main(int argc, char **argv) mc_wprintf(us, "\n%s %s\r\n", _("Welcome to minicom"), VERSION); mc_wprintf(us, "\n%s: %s\r\n", _("OPTIONS"), option_string); From 43e924bacc2603e6c9b8e18afb306f6c41e6a2aa Mon Sep 17 00:00:00 2001 From: Sean Khan Date: Fri, 12 Apr 2024 12:09:59 -0400 Subject: [PATCH 011/106] ngtcp2: Use APK style release number Maintainer: Stan Grishin Run tested: aarch64, Dynalink DL-WRX36, Master Branch Signed-off-by: Sean Khan --- libs/ngtcp2/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libs/ngtcp2/Makefile b/libs/ngtcp2/Makefile index 5b902ca392..43c8055556 100644 --- a/libs/ngtcp2/Makefile +++ b/libs/ngtcp2/Makefile 
@@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ngtcp2 PKG_VERSION:=1.4.0 -PKG_RELEASE:=r1 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://github.com/ngtcp2/$(PKG_NAME)/releases/download/v$(PKG_VERSION)/ From fbf350d5e10d743b226ffd4c69cccc60b49cd03e Mon Sep 17 00:00:00 2001 From: Sean Khan Date: Fri, 12 Apr 2024 12:09:59 -0400 Subject: [PATCH 012/106] nghttp3: Use APK style release number Maintainer: Stan Grishin Run tested: aarch64, Dynalink DL-WRX36, Master Branch Signed-off-by: Sean Khan --- libs/nghttp3/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libs/nghttp3/Makefile b/libs/nghttp3/Makefile index 900b9cff60..2a3e35740f 100644 --- a/libs/nghttp3/Makefile +++ b/libs/nghttp3/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nghttp3 PKG_VERSION:=1.2.0 -PKG_RELEASE:=r1 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://github.com/ngtcp2/$(PKG_NAME)/releases/download/v$(PKG_VERSION)/ From 3cbb7474c3fad4b01f8ee065b1c045c4b7fb523f Mon Sep 17 00:00:00 2001 From: Sean Khan Date: Fri, 12 Apr 2024 12:09:59 -0400 Subject: [PATCH 013/106] nebula: Use APK style release number Maintainer: Stan Grishin Run tested: aarch64, Dynalink DL-WRX36, Master Branch Signed-off-by: Sean Khan --- net/nebula/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/nebula/Makefile b/net/nebula/Makefile index e93e7ce4ae..13747b599b 100644 --- a/net/nebula/Makefile +++ b/net/nebula/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nebula PKG_VERSION:=1.8.2 -PKG_RELEASE:=r2 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/slackhq/nebula/tar.gz/v$(PKG_VERSION)? From bb5de23743b46864ba6992ed130b2d2452df72db Mon Sep 17 00:00:00 2001 
From: Stan Grishin Date: Thu, 11 Apr 2024 16:21:28 +0000 Subject: [PATCH 014/106] pbr: update to 1.1.4-r15 * delete obsolete files/etc/init.d/pbr.init * add files/etc/uci-defaults/91-pbr-iptables to help update from older OpenWrt * add files/etc/uci-defaults/91-pbr-nft to help update from older OpenWrt * update files/etc/uci-defaults/91-pbr-netifd to only add tables to supported ifaces * re-organize variants in the Makefile so that they hopefull work this time * update prerm for all variants for better user experience * update the -netifd prerm to remove leftofver entries from network and rt_tables file In the init script: * add decorations for netifd-interfaces related operations (blue ticks) * add rtTablesFile variables instead of hard-coding the rt_tables file * add function to check if the table is netifd-derived * add error messages/hints for failed interface setup and failed WAN discovery * make cleanup_rt_tables the netifd-compatible * streamline interface_process function with a clearer case statement * rename the interface_process `pre-init` option to `pre_init` to conform to the other functions options naming style Signed-off-by: Stan Grishin --- net/pbr/Makefile | 77 +- net/pbr/files/etc/init.d/pbr | 236 +- net/pbr/files/etc/init.d/pbr.init | 2528 ----------------- .../files/etc/uci-defaults/91-pbr-iptables | 27 + net/pbr/files/etc/uci-defaults/91-pbr-netifd | 38 + net/pbr/files/etc/uci-defaults/91-pbr-nft | 30 + 6 files changed, 300 insertions(+), 2636 deletions(-) delete mode 100755 net/pbr/files/etc/init.d/pbr.init create mode 100644 net/pbr/files/etc/uci-defaults/91-pbr-iptables create mode 100644 net/pbr/files/etc/uci-defaults/91-pbr-netifd create mode 100644 net/pbr/files/etc/uci-defaults/91-pbr-nft diff --git a/net/pbr/Makefile b/net/pbr/Makefile index ddc8537a7e..bbf588b489 100644 --- a/net/pbr/Makefile +++ b/net/pbr/Makefile 
@@ -5,13 +5,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=pbr PKG_VERSION:=1.1.4 -PKG_RELEASE:=r7 +PKG_RELEASE:=r15 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Stan Grishin include $(INCLUDE_DIR)/package.mk -define Package/pbr-service/Default +define Package/pbr/default SECTION:=net CATEGORY:=Network SUBMENU:=Routing and Redirection 
@@ -21,60 +21,60 @@ define Package/pbr-service/Default DEPENDS+=+!BUSYBOX_DEFAULT_AWK:gawk DEPENDS+=+!BUSYBOX_DEFAULT_GREP:grep DEPENDS+=+!BUSYBOX_DEFAULT_SED:sed - PROVIDES:=pbr-service CONFLICTS:=vpnbypass vpn-policy-routing + PROVIDES:=pbr PKGARCH:=all endef define Package/pbr -$(call Package/pbr-service/Default) +$(call Package/pbr/default) TITLE+= with nft/nft set support DEPENDS+=+kmod-nft-core +kmod-nft-nat +nftables-json - DEFAULT_VARIANT:=1 VARIANT:=nftables - PROVIDES+=pbr vpnbypass vpn-policy-routing + DEFAULT_VARIANT:=1 + PROVIDES+=vpnbypass vpn-policy-routing endef define Package/pbr-iptables -$(call Package/pbr-service/Default) +$(call Package/pbr/default) TITLE+= with iptables/ipset support DEPENDS+=+ipset +iptables +kmod-ipt-ipset +iptables-mod-ipopt VARIANT:=iptables endef define Package/pbr-netifd -$(call Package/pbr-service/Default) +$(call Package/pbr/default) TITLE+= with netifd support VARIANT:=netifd endef -define Package/pbr-service/description +define Package/pbr/default/description This service enables policy-based routing for WAN interfaces and various VPN tunnels. endef define Package/pbr/description - $(call Package/pbr-service/description) + $(call Package/pbr/default/description) This version supports OpenWrt with both firewall3/ipset/iptables and firewall4/nft. endef define Package/pbr-iptables/description - $(call Package/pbr-service/description) + $(call Package/pbr/default/description) This version supports OpenWrt with firewall3/ipset/iptables. endef define Package/pbr-netifd/description - $(call Package/pbr-service/description) + $(call Package/pbr/default/description) This version supports OpenWrt with both firewall3/ipset/iptables and firewall4/nft. This version uses OpenWrt native netifd/tables to set up interfaces. This is WIP. 
endef -define Package/pbr-service/conffiles +define Package/pbr/default/conffiles /etc/config/pbr endef -Package/pbr/conffiles = $(Package/pbr-service/conffiles) -Package/pbr-iptables/conffiles = $(Package/pbr-service/conffiles) -Package/pbr-netifd/conffiles = $(Package/pbr-service/conffiles) +Package/pbr/conffiles = $(Package/pbr/default/conffiles) +Package/pbr-iptables/conffiles = $(Package/pbr/default/conffiles) +Package/pbr-netifd/conffiles = $(Package/pbr/default/conffiles) define Build/Configure endef @@ -82,7 +82,7 @@ endef define Build/Compile endef -define Package/pbr-service/install +define Package/pbr/default/install $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/etc/init.d/pbr $(1)/etc/init.d/pbr $(SED) "s|^\(readonly PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/pbr 
@@ -98,29 +98,33 @@ endef # $(INSTALL_DATA) ./files/etc/hotplug.d/iface/70-pbr $(1)/etc/hotplug.d/iface/70-pbr define Package/pbr/install -$(call Package/pbr-service/install,$(1)) +$(call Package/pbr/default/install,$(1)) $(INSTALL_DIR) $(1)/etc/config $(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr $(INSTALL_DIR) $(1)/usr/share/pbr $(INSTALL_DATA) ./files/usr/share/pbr/firewall.include $(1)/usr/share/pbr/firewall.include $(INSTALL_DIR) $(1)/usr/share/nftables.d $(CP) ./files/usr/share/nftables.d/* $(1)/usr/share/nftables.d/ + $(INSTALL_DIR) $(1)/etc/uci-defaults + $(INSTALL_BIN) ./files/etc/uci-defaults/91-pbr-nft $(1)/etc/uci-defaults/91-pbr-nft endef define Package/pbr-iptables/install -$(call Package/pbr-service/install,$(1)) +$(call Package/pbr/default/install,$(1)) $(INSTALL_DIR) $(1)/etc/hotplug.d/firewall $(INSTALL_DATA) ./files/etc/hotplug.d/firewall/70-pbr $(1)/etc/hotplug.d/firewall/70-pbr $(INSTALL_DIR) $(1)/etc/config $(INSTALL_CONF) ./files/etc/config/pbr.iptables $(1)/etc/config/pbr + $(INSTALL_DIR) $(1)/etc/uci-defaults + $(INSTALL_BIN) ./files/etc/uci-defaults/91-pbr-iptables $(1)/etc/uci-defaults/91-pbr-iptables endef define Package/pbr-netifd/install -$(call Package/pbr-service/install,$(1)) +$(call Package/pbr/default/install,$(1)) $(INSTALL_DIR) $(1)/etc/config $(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr $(INSTALL_DIR) $(1)/etc/uci-defaults - $(INSTALL_BIN) ./files/etc/uci-defaults/91-pbr $(1)/etc/uci-defaults/91-pbr + $(INSTALL_BIN) ./files/etc/uci-defaults/91-pbr-netifd $(1)/etc/uci-defaults/91-pbr-netifd endef define Package/pbr/postinst 
@@ -141,8 +145,8 @@ define Package/pbr/prerm # check if we are on real system if [ -z "$${IPKG_INSTROOT}" ]; then uci -q delete firewall.pbr || true - echo "Stopping pbr service... " - /etc/init.d/pbr stop quiet && echo "OK" || echo "FAIL" + echo -n "Stopping pbr service... " + /etc/init.d/pbr stop quiet >/dev/null 2>&1 && echo "OK" || echo "FAIL" echo -n "Removing rc.d symlink for pbr... " /etc/init.d/pbr disable && echo "OK" || echo "FAIL" fi @@ -173,8 +177,8 @@ define Package/pbr-iptables/prerm # check if we are on real system if [ -z "$${IPKG_INSTROOT}" ]; then uci -q delete firewall.pbr || true - echo "Stopping pbr-iptables service... " - /etc/init.d/pbr stop quiet && echo "OK" || echo "FAIL" + echo -n "Stopping pbr-iptables service... " + /etc/init.d/pbr stop quiet >/dev/null 2>&1 && echo "OK" || echo "FAIL" echo -n "Removing rc.d symlink for pbr-iptables... " /etc/init.d/pbr disable && echo "OK" || echo "FAIL" fi @@ -196,10 +200,29 @@ define Package/pbr-netifd/prerm # check if we are on real system if [ -z "$${IPKG_INSTROOT}" ]; then uci -q delete firewall.pbr || true - echo "Stopping pbr-netifd service... " - /etc/init.d/pbr stop quiet && echo "OK" || echo "FAIL" + echo -n "Stopping pbr-netifd service... " + /etc/init.d/pbr stop quiet >/dev/null 2>&1 && echo "OK" || echo "FAIL" echo -n "Removing rc.d symlink for pbr... " /etc/init.d/pbr disable && echo "OK" || echo "FAIL" + echo -n "Cleaning up /etc/iproute2/rt_tables... " + if sed -i '/pbr_/d' /etc/iproute2/rt_tables; then + echo "OK" + else + echo "FAIL" + fi + echo -n "Cleaning up /etc/config/network... " + if sed -i '/ip.table.*pbr_/d' /etc/config/network; then + echo "OK" + else + echo "FAIL" + fi + echo -n "Restarting Network... " + if /etc/init.d/network restart >/dev/null 2>&1; then + echo "OK" + else + echo "FAIL" + fi + fi exit 0 endef diff --git a/net/pbr/files/etc/init.d/pbr b/net/pbr/files/etc/init.d/pbr index 067b45fe7a..84f6203ac2 100755 --- a/net/pbr/files/etc/init.d/pbr 
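Review bot: The added pbr-netifd prerm steps run `/etc/init.d/network restart` on every removal, even when neither `sed` changed anything, which needlessly interrupts connectivity for someone removing the package over SSH or LuCI. Restart only when entries were actually present, for example by wrapping the network clean-up and restart in `if grep -q 'ip.table.*pbr_' /etc/config/network; then ... fi`. The `sed -i '/pbr_/d' /etc/iproute2/rt_tables` pattern is unanchored, so it removes any line containing `pbr_`, including comments or tables registered by something else; matching the end of the name, as the init script does with `${ipTablePrefix}_${iface}\$`, is narrower. `sed -i` also exits 0 when nothing matched, so the printed OK only means the file could be rewritten.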
+++ b/net/pbr/files/etc/init.d/pbr @@ -22,8 +22,10 @@ readonly packageConfigFile="/etc/config/${packageName}" readonly packageLockFile="/var/run/${packageName}.lock" readonly dnsmasqFileDefault="/var/dnsmasq.d/${packageName}" readonly _OK_='\033[0;32m\xe2\x9c\x93\033[0m' -readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m' readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m' +readonly _OKB_='\033[1;34m\xe2\x9c\x93\033[0m' +readonly __OKB__='\033[1;34m[\xe2\x9c\x93]\033[0m' +readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m' readonly __FAIL__='\033[0;31m[\xe2\x9c\x97]\033[0m' readonly _ERROR_='\033[0;31mERROR\033[0m' readonly _WARNING_='\033[0;33mWARNING\033[0m' @@ -55,6 +57,7 @@ readonly chainsList='forward input output postrouting prerouting' readonly ssConfigFile='/etc/shadowsocks' readonly torConfigFile='/etc/tor/torrc' readonly xrayIfacePrefix='xray_' +readonly rtTablesFile='/etc/iproute2/rt_tables' # package config options procd_boot_timeout= @@ -124,6 +127,8 @@ torTrafficPort= output_ok() { output 1 "$_OK_"; output 2 "$__OK__\\n"; } output_okn() { output 1 "$_OK_\\n"; output 2 "$__OK__\\n"; } +output_okb() { output 1 "$_OKB_"; output 2 "$__OKB__\\n"; } +output_okbn() { output 1 "$_OKB_\\n"; output 2 "$__OKB__\\n"; } output_fail() { output 1 "$_FAIL_"; output 2 "$__FAIL__\\n"; } output_failn() { output 1 "$_FAIL_\\n"; output 2 "$__FAIL__\\n"; } # shellcheck disable=SC2317 
@@ -236,7 +241,8 @@ is_ipv4_netmask() { local ip="${1%/*}"; [ "$ip" != "$1" ] && is_ipv4 "$ip"; } is_lan() { local d; network_get_device d "$1"; str_contains "$d" 'br-lan'; } is_l2tp() { local p; network_get_protocol p "$1"; [ "${p:0:4}" = "l2tp" ]; } is_mac_address() { expr "$1" : '[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]$' >/dev/null; } -is_netifd_table() { local iface="$1"; [ "$(uci_get 'network' "$iface" 'ip4table')" = "${packageName}_${iface%6}" ]; } +is_netifd_table() { grep -q "ip.table.*$1" /etc/config/network; } +is_netifd_table_interface() { local iface="$1"; [ "$(uci_get 'network' "$iface" 'ip4table')" = "${packageName}_${iface%6}" ]; } is_oc() { local p; network_get_protocol p "$1"; [ "${p:0:11}" = "openconnect" ]; } is_ovpn() { local d; uci_get_device d "$1"; [ "${d:0:3}" = "tun" ] || [ "${d:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${d}/tun_flags" ]; } is_ovpn_valid() { local dev_net dev_ovpn; uci_get_device dev_net "$1"; dev_ovpn="$(uci_get 'openvpn' "$1" 'dev')"; [ -n "$dev_net" ] && [ -n "$dev_ovpn" ] && [ "$dev_net" = "$dev_ovpn" ]; } 
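Review bot: The new `is_netifd_table` puts `$1` into an unanchored pattern, so a table name that is a prefix of another (for instance `pbr_wan` against a configured `pbr_wan6`) is reported as netifd-managed. `cleanup_rt_tables`, rewritten later in this commit, then keeps a stale rt_tables entry on that basis. Matching whole words closes this: `grep -qw "ip.table.*$1" /etc/config/network`. The function also reads /etc/config/network directly, while `is_netifd_table_interface` on the next line goes through `uci_get`; a one-line comment saying why the raw file is grepped (presumably because only a table name, not an interface name, is available here) would help the next reader.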
@@ -284,9 +290,9 @@ get_tor_dns_port() { local i="$(grep -m1 DNSPort "$torConfigFile" | awk -F: '{pr # shellcheck disable=SC2155 get_tor_traffic_port() { local i="$(grep -m1 TransPort "$torConfigFile" | awk -F: '{print $2}')"; echo "${i:-9040}"; } get_xray_traffic_port() { local i="${1//$xrayIfacePrefix}"; [ "$i" = "$1" ] && unset i; echo "$i"; } -get_rt_tables_id() { local iface="$1"; grep "${ipTablePrefix}_${iface}\$" '/etc/iproute2/rt_tables' | awk '{print $1;}'; } -get_rt_tables_next_id() { echo "$(($(sort -r -n '/etc/iproute2/rt_tables' | grep -o -E -m 1 "^[0-9]+")+1))"; } -get_rt_tables_non_pbr_next_id() { echo "$(($(grep -v "${ipTablePrefix}_" '/etc/iproute2/rt_tables' | sort -r -n | grep -o -E -m 1 "^[0-9]+")+1))"; } +get_rt_tables_id() { local iface="$1"; grep "${ipTablePrefix}_${iface}\$" "$rtTablesFile" | awk '{print $1;}'; } +get_rt_tables_next_id() { echo "$(($(sort -r -n "$rtTablesFile" | grep -o -E -m 1 "^[0-9]+")+1))"; } +get_rt_tables_non_pbr_next_id() { echo "$(($(grep -v "${ipTablePrefix}_" "$rtTablesFile" | sort -r -n | grep -o -E -m 1 "^[0-9]+")+1))"; } # shellcheck disable=SC2016 resolveip_to_ipt() { resolveip "$@" | sed -n 'H;${x;s/\n/,/g;s/^,//;p;};d'; } resolveip_to_ipt4() { resolveip_to_ipt -4 "$@"; } 
@@ -386,6 +392,8 @@ get_text() { errorResolverNotSupported) r="Resolver set (${resolver_set}) is not supported on this system!";; errorServiceDisabled) r="The ${packageName} service is currently disabled!";; errorNoWanGateway) r="The ${serviceName} service failed to discover WAN gateway!";; + errorNoWanInterface) r="The %s inteface not found, you need to set the 'pbr.config.procd_wan_interface' option!";; + errorNoWanInterfaceHint) r="Refer to https://docs.openwrt.melmac.net/pbr/#procd_wan_interface.";; errorIpsetNameTooLong) r="The ipset name '%s' is longer than allowed 31 characters!";; errorNftsetNameTooLong) r="The nft set name '%s' is longer than allowed 255 characters!";; errorUnexpectedExit) r="Unexpected exit or service termination: '%s'!";; @@ -409,6 +417,7 @@ get_text() { errorPolicyProcessInsertionFailedIpv4) r="Insertion failed for IPv4 for policy '%s'!";; errorInterfaceRoutingEmptyValues) r="Received empty tid/mark or interface name when setting up routing!";; errorFailedToResolve) r="Failed to resolve '%s'!";; + errorTryFailed) r="Command failed: %s";; errorNftFileInstall) r="Failed to install fw4 nft file '%s'!";; errorDownloadUrlNoHttps) r="Failed to download '%s', HTTPS is not supported!";; errorDownloadUrl) r="Failed to download '%s'!";; @@ -630,6 +639,11 @@ is_wan_up() { load_network "$param" [ "$procd_wan_ignore_status" -eq '0' ] || return 0 [ "$param" = 'on_boot' ] || procd_boot_timeout='1' + if [ -z "$(uci_get network "$procd_wan_interface")" ]; then + state add 'errorSummary' 'errorNoWanInterface' "$procd_wan_interface" + state add 'errorSummary' 'errorNoWanInterfaceHint' + return 1 + fi while [ -z "$wanGW" ] ; do load_network "$param" if [ $((sleepCount)) -gt $((procd_boot_timeout)) ] || [ -n "$wanGW" ]; then break; fi 
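Review bot: The new `errorNoWanInterface` message misspells "interface" as "inteface", and this text is shown to the user when `is_wan_up` (last hunk on this line) cannot find the configured section. Suggested wording: `r="The %s interface not found, you need to set the 'pbr.config.procd_wan_interface' option!"`. Only the message text changes; the key and the `%s` placeholder stay as they are.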
@@ -959,7 +973,14 @@ nftset() { fi } -cleanup_rt_tables() { sed -i "/${ipTablePrefix}_/d" '/etc/iproute2/rt_tables'; sync; } +cleanup_rt_tables() { + local i +# shellcheck disable=SC2013 + for i in $(grep -oh "${ipTablePrefix}_.*" $rtTablesFile); do + ! is_netifd_table "$i" && sed -i "/${i}/d" "$rtTablesFile" + done + sync +} cleanup_main_chains() { local i @@ -1962,6 +1983,13 @@ policy_process() { fi } +try() { + if ! "$@"; then + state add 'errorSummary' 'errorTryFailed' "$*" + return 1 + fi +} + interface_routing() { local action="$1" tid="$2" mark="$3" iface="$4" gw4="$5" dev="$6" gw6="$7" dev6="$8" priority="$9" local dscp s=0 i ipv4_error=1 ipv6_error=1 @@ -1971,14 +1999,14 @@ interface_routing() { fi case "$action" in create) - if is_netifd_table "$iface"; then + if is_netifd_table_interface "$iface"; then ipv4_error=0 $ip_bin rule del table "$tid" >/dev/null 2>&1 - $ip_bin -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 + try "$ip_bin" -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 if is_nft_mode; then - nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1 - nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1 - nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} return" || ipv4_error=1 + try nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1 + try nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1 + try nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} return" || ipv4_error=1 else ipt -t mangle -N "${iptPrefix}_MARK_${mark}" || ipv4_error=1 ipt -t mangle -A "${iptPrefix}_MARK_${mark}" -j MARK --set-xmark "${mark}/${fw_mask}" || ipv4_error=1 
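Review bot: In the rewritten `cleanup_rt_tables`, `sed -i "/${i}/d"` uses the table name as an unanchored pattern, so removing `pbr_wan` also deletes the line for `pbr_wan6` or any other name that contains it, including one that `is_netifd_table` just decided to keep. Anchor it the way the delete branch of `interface_routing` does: `sed -i "/${i}\$/d" "$rtTablesFile"`. `$rtTablesFile` is unquoted in the `grep -oh` call and `"${ipTablePrefix}_.*"` captures everything to the end of the line, so a trailing comment in rt_tables would be word-split into extra loop items. `grep -oh "${ipTablePrefix}_[^[:space:]]*" "$rtTablesFile"` avoids both.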
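Review bot: `try` is added without a comment, and its contract is not obvious at the call sites: it runs its arguments as a command, and on failure records `errorTryFailed` with `$*` and returns 1 instead of the command's own status. A header line such as `# try CMD [ARGS...]: run CMD; on failure add errorTryFailed to errorSummary and return 1` would cover it. Because `"$*"` joins the arguments with spaces, the recorded text loses the quoting of multi-word arguments such as the nft rule strings passed in `interface_routing`. Most call sites also redirect the command's stderr to /dev/null, so the summary names the command but not the reason it failed.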
@@ -1986,13 +2014,13 @@ interface_routing() { fi if [ -n "$ipv6_enabled" ]; then ipv6_error=0 - $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1 + try "$ip_bin" -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1 fi else - if ! grep -q "$tid ${ipTablePrefix}_${iface}" '/etc/iproute2/rt_tables'; then - sed -i "/${ipTablePrefix}_${iface}/d" '/etc/iproute2/rt_tables' + if ! grep -q "$tid ${ipTablePrefix}_${iface}" "$rtTablesFile"; then + sed -i "/${ipTablePrefix}_${iface}/d" "$rtTablesFile" sync - echo "$tid ${ipTablePrefix}_${iface}" >> '/etc/iproute2/rt_tables' + echo "$tid ${ipTablePrefix}_${iface}" >> "$rtTablesFile" sync fi $ip_bin rule del table "$tid" >/dev/null 2>&1 @@ -2000,9 +2028,9 @@ interface_routing() { if [ -n "$gw4" ] || [ "$strict_enforcement" -ne 0 ]; then ipv4_error=0 if [ -z "$gw4" ]; then - $ip_bin -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1 + try "$ip_bin" -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1 else - $ip_bin -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1 + try "$ip_bin" -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1 fi # shellcheck disable=SC2086 while read -r i; do 
@@ -2010,16 +2038,16 @@ interface_routing() { i="$(echo "$i" | sed 's/ onlink$//')" idev="$(echo "$i" | grep -Eso 'dev [^ ]*' | awk '{print $2}')" if ! is_supported_iface_dev "$idev"; then - $ip_bin -4 route add $i table "$tid" >/dev/null 2>&1 || ipv4_error=1 + try "$ip_bin" -4 route add $i table "$tid" >/dev/null 2>&1 || ipv4_error=1 fi done << EOF $($ip_bin -4 route list table main) EOF - $ip_bin -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 + try "$ip_bin" -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 if is_nft_mode; then - nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1 - nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1 - nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} return" || ipv4_error=1 + try nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1 + try nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1 + try nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} return" || ipv4_error=1 else ipt -t mangle -N "${iptPrefix}_MARK_${mark}" || ipv4_error=1 ipt -t mangle -A "${iptPrefix}_MARK_${mark}" -j MARK --set-xmark "${mark}/${fw_mask}" || ipv4_error=1 
@@ -2030,38 +2058,38 @@ EOF ipv6_error=0 if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strict_enforcement" -ne 0 ]; then if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then - $ip_bin -6 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv6_error=1 - elif $ip_bin -6 route list table main | grep -q " dev $dev6 "; then - $ip_bin -6 route add default via "$gw6" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + try "$ip_bin" -6 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv6_error=1 + elif try "$ip_bin" -6 route list table main | grep -q " dev $dev6 "; then + try "$ip_bin" -6 route add default via "$gw6" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 while read -r i; do i="$(echo "$i" | sed 's/ linkdown$//')" i="$(echo "$i" | sed 's/ onlink$//')" # shellcheck disable=SC2086 - $ip_bin -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1 + try "$ip_bin" -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1 done << EOF $($ip_bin -6 route list table main | grep " dev $dev6 ") EOF else - $ip_bin -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 - $ip_bin -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + try "$ip_bin" -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + try "$ip_bin" -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 fi fi - $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" >/dev/null 2>&1 || ipv6_error=1 + try "$ip_bin" -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" >/dev/null 2>&1 || ipv6_error=1 fi fi if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then dscp="$(uci_get "$packageName" 'config' "${iface}_dscp")" if is_nft_mode; then if [ "${dscp:-0}" -ge 1 ] && [ "${dscp:-0}" -le 63 ]; then - nft add rule inet "$nftTable" 
"${nftPrefix}_prerouting ${nftIPv4Flag} dscp ${dscp} goto ${nftPrefix}_mark_${mark}" || s=1 + try nft add rule inet "$nftTable" "${nftPrefix}_prerouting ${nftIPv4Flag} dscp ${dscp} goto ${nftPrefix}_mark_${mark}" || s=1 if [ -n "$ipv6_enabled" ]; then - nft add rule inet "$nftTable" "${nftPrefix}_prerouting ${nftIPv6Flag} dscp ${dscp} goto ${nftPrefix}_mark_${mark}" || s=1 + try nft add rule inet "$nftTable" "${nftPrefix}_prerouting ${nftIPv6Flag} dscp ${dscp} goto ${nftPrefix}_mark_${mark}" || s=1 fi fi if [ "$iface" = "$icmp_interface" ]; then - nft add rule inet "$nftTable" "${nftPrefix}_output ${nftIPv4Flag} protocol icmp goto ${nftPrefix}_mark_${mark}" || s=1 + try nft add rule inet "$nftTable" "${nftPrefix}_output ${nftIPv4Flag} protocol icmp goto ${nftPrefix}_mark_${mark}" || s=1 if [ -n "$ipv6_enabled" ]; then - nft add rule inet "$nftTable" "${nftPrefix}_output ${nftIPv6Flag} protocol icmp goto ${nftPrefix}_mark_${mark}" || s=1 + try nft add rule inet "$nftTable" "${nftPrefix}_output ${nftIPv6Flag} protocol icmp goto ${nftPrefix}_mark_${mark}" || s=1 fi fi else 
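Review bot: In `elif try "$ip_bin" -6 route list table main | grep -q " dev $dev6 "`, `try` wraps a read-only query on the left of a pipe, where the branch is decided by `grep`, so `try` adds nothing to the test. That side of a pipeline normally runs in a subshell, so whatever `state add` records there may not reach the parent shell; this depends on how `state` stores it, which the hunk does not show. The same test in the `reload_interface` branch is left as plain `$ip_bin -6 route list table main | grep -q ...`, so keeping this one as `elif $ip_bin -6 route list table main | grep -q " dev $dev6 "; then` is also the consistent choice. `interface_routing` starts and ends outside this hunk.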
@@ -2093,46 +2121,46 @@ EOF ;; delete|destroy) $ip_bin rule del table "$tid" >/dev/null 2>&1 - if ! is_netifd_table "$iface"; then + if ! is_netifd_table_interface "$iface"; then $ip_bin route flush table "$tid" >/dev/null 2>&1 - sed -i "/${ipTablePrefix}_${iface}\$/d" '/etc/iproute2/rt_tables' + sed -i "/${ipTablePrefix}_${iface}\$/d" "$rtTablesFile" sync fi return "$s" ;; reload_interface) - is_netifd_table "$iface" && return 0; + is_netifd_table_interface "$iface" && return 0; ipv4_error=0 $ip_bin rule del table "$tid" >/dev/null 2>&1 - if ! is_netifd_table "$iface"; then + if ! is_netifd_table_interface "$iface"; then $ip_bin route flush table "$tid" >/dev/null 2>&1 fi if [ -n "$gw4" ] || [ "$strict_enforcement" -ne 0 ]; then if [ -z "$gw4" ]; then - $ip_bin -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1 + try "$ip_bin" -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1 else - $ip_bin -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1 + try "$ip_bin" -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1 fi - $ip_bin rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 + try "$ip_bin" rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 fi if [ -n "$ipv6_enabled" ]; then ipv6_error=0 if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strict_enforcement" -ne 0 ]; then if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then - $ip_bin -6 route add unreachable default table "$tid" || ipv6_error=1 + try "$ip_bin" -6 route add unreachable default table "$tid" || ipv6_error=1 elif $ip_bin -6 route list table main | grep -q " dev $dev6 "; then while read -r i; do # shellcheck disable=SC2086 - $ip_bin -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1 + try "$ip_bin" -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1 done << EOF $($ip_bin -6 route list table main | 
grep " dev $dev6 ") EOF else - $ip_bin -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 - $ip_bin -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + try "$ip_bin" -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + try "$ip_bin" -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 fi fi - $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1 + try "$ip_bin" -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1 fi if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then s=0 
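Review bot: In the `reload_interface` arm the guard `if ! is_netifd_table_interface "$iface"; then` is always true, because the arm already returns on its first line with `is_netifd_table_interface "$iface" && return 0;`. The flush can be written unconditionally as `$ip_bin route flush table "$tid" >/dev/null 2>&1`, or the early return dropped if netifd-managed tables are meant to get their rule re-added. The arm deletes the rule and flushes the table before the `try` calls re-add them, so a comment such as `# table is emptied first; a failed add below leaves it without its fwmark rule` would help the next reader. The enclosing function starts outside the hunk.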
@@ -2209,66 +2237,112 @@ interface_process() { [ -z "$ifaceMark" ] && ifaceMark="$(printf '0x%06x' "$wan_mark")" [ -z "$ifacePriority" ] && ifacePriority="$wan_ip_rules_priority" - if [ "$action" = 'pre-init' ]; then - pbr_get_gateway6 gw6 "$iface" "$dev6" - [ -n "$gw6" ] && ipv6_enabled=1 - [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_non_pbr_next_id)" - eval "pre_init_mark_${iface//-/_}"='$ifaceMark' - eval "pre_init_priority_${iface//-/_}"='$ifacePriority' - eval "pre_init_tid_${iface//-/_}"='$ifaceTableID' - ifaceMark="$(printf '0x%06x' $((ifaceMark + wan_mark)))" - ifacePriority="$((ifacePriority + 1))" - ifaceTableID="$((ifaceTableID + 1))" - return 0 - fi - -# TODO: if interfaces are started out of order the rt_tables ID may be incorrect -# use the expected_tid_${iface} ??? - ifaceTableID="$(get_rt_tables_id "$iface")" - [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)" - eval "mark_${iface//-/_}"='$ifaceMark' - eval "tid_${iface//-/_}"='$ifaceTableID' - pbr_get_gateway gw4 "$iface" "$dev" - pbr_get_gateway6 gw6 "$iface" "$dev6" - dispGw4="${gw4:-0.0.0.0}" - dispGw6="${gw6:-::/0}" - [ "$iface" != "$dev" ] && dispDev="$dev" - if is_default_dev "$dev"; then - [ "$verbosity" = '1' ] && dispStatus="$_OK_" || dispStatus="$__OK__" - fi - displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}" - case "$action" in + pre_init) + [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_non_pbr_next_id)" + eval "pre_init_mark_${iface//-/_}"='$ifaceMark' + eval "pre_init_priority_${iface//-/_}"='$ifacePriority' + eval "pre_init_tid_${iface//-/_}"='$ifaceTableID' + ifaceMark="$(printf '0x%06x' $((ifaceMark + wan_mark)))" + ifacePriority="$((ifacePriority - 1))" + ifaceTableID="$((ifaceTableID + 1))" + return 0 + ;; create) + ifaceTableID="$(get_rt_tables_id "$iface")" + [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)" + eval "mark_${iface//-/_}"='$ifaceMark' + eval "tid_${iface//-/_}"='$ifaceTableID' + 
pbr_get_gateway gw4 "$iface" "$dev" + pbr_get_gateway6 gw6 "$iface" "$dev6" + dispGw4="${gw4:-0.0.0.0}" + dispGw6="${gw6:-::/0}" + [ "$iface" != "$dev" ] && dispDev="$dev" + if is_default_dev "$dev"; then + [ "$verbosity" = '1' ] && dispStatus="$_OK_" || dispStatus="$__OK__" + fi + displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}" output 2 "Setting up routing for '$displayText' " if interface_routing 'create' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority"; then json_add_gateway 'create' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority" "$dispStatus" gatewaySummary="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n" - output_ok + if is_netifd_table_interface "$iface"; then output_okb; else output_ok; fi else state add 'errorSummary' 'errorFailedSetup' "$displayText" output_fail fi ;; create_user_set) + ifaceTableID="$(get_rt_tables_id "$iface")" + [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)" + eval "mark_${iface//-/_}"='$ifaceMark' + eval "tid_${iface//-/_}"='$ifaceTableID' + pbr_get_gateway gw4 "$iface" "$dev" + pbr_get_gateway6 gw6 "$iface" "$dev6" + dispGw4="${gw4:-0.0.0.0}" + dispGw6="${gw6:-::/0}" + [ "$iface" != "$dev" ] && dispDev="$dev" + if is_default_dev "$dev"; then + [ "$verbosity" = '1' ] && dispStatus="$_OK_" || dispStatus="$__OK__" + fi + displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}" interface_routing 'create_user_set' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority" ;; destroy) + ifaceTableID="$(get_rt_tables_id "$iface")" + [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)" + eval "mark_${iface//-/_}"='$ifaceMark' + eval "tid_${iface//-/_}"='$ifaceTableID' + pbr_get_gateway gw4 "$iface" "$dev" + pbr_get_gateway6 gw6 "$iface" "$dev6" + dispGw4="${gw4:-0.0.0.0}" + dispGw6="${gw6:-::/0}" + [ "$iface" != "$dev" ] && dispDev="$dev" + if 
is_default_dev "$dev"; then + [ "$verbosity" = '1' ] && dispStatus="$_OK_" || dispStatus="$__OK__" + fi + displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}" displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}" output 2 "Removing routing for '$displayText' " interface_routing 'destroy' "${ifaceTableID}" "${ifaceMark}" "${iface}" - output_ok + if is_netifd_table_interface "$iface"; then output_okb; else output_ok; fi ;; reload) + ifaceTableID="$(get_rt_tables_id "$iface")" + [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)" + eval "mark_${iface//-/_}"='$ifaceMark' + eval "tid_${iface//-/_}"='$ifaceTableID' + pbr_get_gateway gw4 "$iface" "$dev" + pbr_get_gateway6 gw6 "$iface" "$dev6" + dispGw4="${gw4:-0.0.0.0}" + dispGw6="${gw6:-::/0}" + [ "$iface" != "$dev" ] && dispDev="$dev" + if is_default_dev "$dev"; then + [ "$verbosity" = '1' ] && dispStatus="$_OK_" || dispStatus="$__OK__" + fi + displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}" gatewaySummary="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n" ;; reload_interface) + ifaceTableID="$(get_rt_tables_id "$iface")" + [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)" + eval "mark_${iface//-/_}"='$ifaceMark' + eval "tid_${iface//-/_}"='$ifaceTableID' + pbr_get_gateway gw4 "$iface" "$dev" + pbr_get_gateway6 gw6 "$iface" "$dev6" + dispGw4="${gw4:-0.0.0.0}" + dispGw6="${gw6:-::/0}" + [ "$iface" != "$dev" ] && dispDev="$dev" + if is_default_dev "$dev"; then + [ "$verbosity" = '1' ] && dispStatus="$_OK_" || dispStatus="$__OK__" + fi + displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}" if [ "$iface" = "$reloadedIface" ]; then output 2 "Reloading routing for '$displayText' " if interface_routing 'reload_interface' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority"; then json_add_gateway 'reload_interface' "$ifaceTableID" 
"$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority" "$dispStatus" gatewaySummary="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n" - output_ok + if is_netifd_table_interface "$iface"; then output_okb; else output_ok; fi else state add 'errorSummary' 'errorFailedReload' "$displayText" output_fail @@ -2280,7 +2354,7 @@ interface_process() { esac # ifaceTableID="$((ifaceTableID + 1))" ifaceMark="$(printf '0x%06x' $((ifaceMark + wan_mark)))" - ifacePriority="$((ifacePriority + 1))" + ifacePriority="$((ifacePriority - 1))" return $s } @@ -2351,7 +2425,7 @@ start_service() { is_wan_up "$param" || return 1 interface_process 'all' 'prepare' - config_foreach interface_process 'interface' 'pre-init' + config_foreach interface_process 'interface' 'pre_init' case "$param" in on_boot) @@ -2682,7 +2756,7 @@ status_service_nft() { # echo "$_SEPARATOR_" # ip rule list | grep "${packageName}_" echo "$_SEPARATOR_" - tableCount="$(grep -c "${packageName}_" /etc/iproute2/rt_tables)" || tableCount=0 + tableCount="$(grep -c "${packageName}_" $rtTablesFile)" || tableCount=0 wan_tid=$(($(get_rt_tables_next_id)-tableCount)) i=0; while [ $i -lt "$tableCount" ]; do echo "IPv4 table $((wan_tid + i)) route: $($ip_bin -4 route show table $((wan_tid + i)) | grep default)" @@ -2729,7 +2803,7 @@ status_service_iptables() { echo "$_SEPARATOR_" echo "Routes/IP Rules" - tableCount="$(grep -c "${packageName}_" /etc/iproute2/rt_tables)" || tableCount=0 + tableCount="$(grep -c "${packageName}_" $rtTablesFile)" || tableCount=0 if [ -n "$set_d" ]; then route; else route | grep '^default'; fi if [ -n "$set_d" ]; then ip rule list; fi wan_tid=$(($(get_rt_tables_next_id)-tableCount)) diff --git a/net/pbr/files/etc/init.d/pbr.init b/net/pbr/files/etc/init.d/pbr.init deleted file mode 100755 index b8c9c3d823..0000000000 --- a/net/pbr/files/etc/init.d/pbr.init +++ /dev/null 
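Review bot: The thirteen-line setup block (table id lookup, the two `eval` assignments, gateway discovery and `displayText`) is now pasted into five arms of the `case` in `interface_process` (`create`, `create_user_set`, `destroy`, `reload`, `reload_interface`), and the `destroy` arm already shows the cost: `displayText=` is assigned twice in a row there. I would move the block into one helper and call it from each arm, which keeps `pre_init` free of it as this change intends. The sketch below assumes `iface`, `dev`, `gw4` and the other names are `local` to `interface_process` and therefore visible to a callee under ash's dynamic scoping; that declaration is outside the hunk, so please confirm. The `eval` lines build a variable name from `$iface` with only `-` mapped to `_`, so the helper is also the one place to document which characters an interface name may contain.

```shell
# Shared per-interface setup for every action except pre_init.
# $iface becomes part of a variable name passed to eval below; only
# letters, digits, '_' and '-' (mapped to '_') are expected in it.
interface_process_setup() {
	ifaceTableID="$(get_rt_tables_id "$iface")"
	[ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)"
	eval "mark_${iface//-/_}"='$ifaceMark'
	eval "tid_${iface//-/_}"='$ifaceTableID'
	pbr_get_gateway gw4 "$iface" "$dev"
	pbr_get_gateway6 gw6 "$iface" "$dev6"
	dispGw4="${gw4:-0.0.0.0}"
	dispGw6="${gw6:-::/0}"
	[ "$iface" != "$dev" ] && dispDev="$dev"
	if is_default_dev "$dev"; then
		[ "$verbosity" = '1' ] && dispStatus="$_OK_" || dispStatus="$__OK__"
	fi
	displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}"
}

# … unchanged: pre_init arm …
		destroy)
			interface_process_setup
			output 2 "Removing routing for '$displayText' "
			# … unchanged: interface_routing 'destroy' call and status output …
		;;
# … unchanged: create, create_user_set, reload and reload_interface arms, each starting with interface_process_setup …
```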
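Review bot: `$rtTablesFile` is expanded unquoted in `tableCount="$(grep -c "${packageName}_" $rtTablesFile)"` in `status_service_nft`, and the same line is repeated in the `status_service_iptables` hunk, while the `delete|destroy` arm earlier in this patch quotes it in the `sed -i` call. An empty value would make `grep` read standard input, and a value containing spaces would be split into several file arguments, so both lines should read `tableCount="$(grep -c "${packageName}_" "$rtTablesFile")" || tableCount=0`. Both functions start and end outside their hunks.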
@@ -1,2528 +0,0 @@ -#!/bin/sh /etc/rc.common -# Copyright 2020-2022 Stan Grishin (stangri@melmac.ca) -# shellcheck disable=SC1091,SC2018,SC2019,SC3043,SC3057,SC3060 - -# sysctl net.ipv4.conf.default.rp_filter=1 -# sysctl net.ipv4.conf.all.rp_filter=1 - -# shellcheck disable=SC2034 -START=94 -# shellcheck disable=SC2034 -USE_PROCD=1 - -if type extra_command >/dev/null 2>&1; then - extra_command 'status' "Generates output required to troubleshoot routing issues - Use '-d' option for more detailed output - Use '-p' option to automatically upload data under VPR paste.ee account - WARNING: while paste.ee uploads are unlisted, they are still publicly available - List domain names after options to include their lookup in report" - extra_command 'version' 'Show version information' - extra_command 'on_firewall_reload' ' Run service on firewall reload' - extra_command 'on_interface_reload' ' Run service on indicated interface reload' -else -# shellcheck disable=SC2034 - EXTRA_COMMANDS='on_firewall_reload on_interface_reload status version' -# shellcheck disable=SC2034 - EXTRA_HELP=" status Generates output required to troubleshoot routing issues - Use '-d' option for more detailed output - Use '-p' option to automatically upload data under VPR paste.ee account - WARNING: while paste.ee uploads are unlisted, they are still publicly available - List domain names after options to include their lookup in report" -fi - -readonly PKG_VERSION='dev-test' -readonly packageName='pbr' -readonly serviceName="$packageName $PKG_VERSION" -readonly serviceTrapSignals='exit SIGHUP SIGQUIT SIGKILL' -readonly packageConfigFile="/etc/config/${packageName}" -readonly packageLockFile="/var/run/${packageName}.lock" -readonly nftTempFile="/var/run/${packageName}.nft" -#readonly nftPermFile="/etc/nftables.d/table-post/30-pbr.nft" -readonly dnsmasqFile="/var/dnsmasq.d/${packageName}" -readonly _OK_='\033[0;32m\xe2\x9c\x93\033[0m' -readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m' -readonly 
__OK__='\033[0;32m[\xe2\x9c\x93]\033[0m' -readonly __FAIL__='\033[0;31m[\xe2\x9c\x97]\033[0m' -readonly _ERROR_='\033[0;31mERROR\033[0m' -readonly _WARNING_='\033[0;33mWARNING\033[0m' -readonly ip_full='/usr/libexec/ip-full' -# shellcheck disable=SC2155 -readonly ip_bin="$(command -v ip)" -readonly ipTablePrefix='pbr' -# shellcheck disable=SC2155 -readonly iptables="$(command -v iptables)" -# shellcheck disable=SC2155 -readonly ip6tables="$(command -v ip6tables)" -# shellcheck disable=SC2155 -readonly ipset="$(command -v ipset)" -readonly ipsPrefix='pbr' -readonly iptPrefix='PBR' -# shellcheck disable=SC2155 -readonly agh="$(command -v AdGuardHome)" -readonly aghConfigFile='/etc/adguardhome.yaml' -readonly aghIpsetFile="/var/run/${packageName}.adguardhome.ipsets" -# shellcheck disable=SC2155 -readonly nft="$(command -v nft)" -readonly nftTable="fw4" -readonly nftPrefix='pbr' -readonly chainsList='forward input output postrouting prerouting' - -# package config options -boot_timeout= -enabled= -fw_mask= -icmp_interface= -ignored_interface= -ipv6_enabled= -nft_user_set_policy= -nft_user_set_counter= -procd_boot_delay= -procd_reload_delay= -resolver_set= -rule_create_option= -secure_reload= -strict_enforcement= -supported_interface= -verbosity= -wan_ip_rules_priority= -wan_mark= - -# run-time -gatewaySummary= -errorSummary= -warningSummary= -wanIface4= -wanIface6= -ifaceMark= -ifaceTableID= -ifacePriority= -ifacesAll= -ifacesSupported= -firewallWanZone= -wanGW4= -wanGW6= -serviceStartTrigger= -processPolicyError= -processPolicyWarning= -resolver_set_supported= -nftPrevParam4= -nftPrevParam6= - -get_text() { - local r - case "$1" in - errorConfigValidation) r="Config ($packageConfigFile) validation failure!";; - errorNoIpFull) r="ip-full binary cannot be found!";; - errorNoIptables) r="iptables binary cannot be found!";; - errorNoIpset) r="Resolver set support (${resolver_set}) requires ipset, but ipset binary cannot be found!";; - errorNoNft) r="Resolver set support 
(${resolver_set}) requires nftables, but nft binary cannot be found!";; - errorResolverNotSupported) r="Resolver set (${resolver_set}) is not supported on this system!";; - errorServiceDisabled) r="The ${packageName} service is currently disabled!";; - errorNoWanGateway) r="The ${serviceName} service failed to discover WAN gateway!";; - errorIpsetNameTooLong) r="The ipset name '%s' is longer than allowed 31 characters!";; - errorNftsetNameTooLong) r="The nft set name '%s' is longer than allowed 31 characters!";; - errorUnexpectedExit) r="Unexpected exit or service termination: '%s'!";; - errorPolicyNoSrcDest) r="Policy '%s' has no source/destination parameters!";; - errorPolicyNoInterface) r="Policy '%s' has no assigned interface!";; - errorPolicyUnknownInterface) r="Policy '%s' has an unknown interface!";; - errorPolicyProcessCMD) r="'%s'!";; - errorFailedSetup) r="Failed to set up '%s'!";; - errorFailedReload) r="Failed to reload '%s'!";; - errorUserFileNotFound) r="Custom user file '%s' not found or empty!";; - errorUserFileSyntax) r="Syntax error in custom user file '%s'!";; - errorUserFileRunning) r="Error running custom user file '%s'!";; - errorUserFileNoCurl) r="Use of 'curl' is detected in custom user file '%s', but 'curl' isn't installed!";; - errorNoGateways) r="Failed to set up any gateway!";; - errorResolver) r="Resolver '%s'!";; - errorPolicyProcessNoIpv6) r="Skipping IPv6 policy '%s' as IPv6 support is disabled!";; - errorPolicyProcessUnknownFwmark) r="Unknown packet mark for interface '%s'!";; - errorPolicyProcessMismatchFamily) r="Mismatched IP family between in policy '%s'!";; - errorPolicyProcessUnknownProtocol) r="Unknown protocol in policy '%s'!";; - errorPolicyProcessInsertionFailed) r="Insertion failed for both IPv4 and IPv6 for policy '%s'!";; - errorPolicyProcessInsertionFailedIpv4) r="Insertion failed for IPv4 for policy '%s'!";; - errorInterfaceRoutingEmptyValues) r="Received empty tid/mark or interface name when setting up routing!";; - 
errorFailedToResolve) r="Failed to resolve '%s'!";; - warningInvalidOVPNConfig) r="Invalid OpenVPN config for '%s' interface.";; - warningResolverNotSupported) r="Resolver set (${resolver_set}) is not supported on this system.";; - warningAGHVersionTooLow) r="Installed AdGuardHome ('%s') doesn't support 'ipset_file' option.";; - warningPolicyProcessCMD) r="'%s'";; - warningTorUnsetParams) r="Please unset 'src_addr', 'src_port' and 'dest_port' for policy '%s'.";; - warningTorUnsetProto) r="Please unset 'proto' or set 'proto' to 'all' for policy '%s'.";; - warningTorUnsetChainIpt) r="Please unset 'chain' or set 'chain' to 'PREROUTING' for policy '%s'.";; - warningTorUnsetChainNft) r="Please unset 'chain' or set 'chain' to 'prerouting' for policy '%s'.";; - warningOutdatedWebUIApp) r="The WebUI application is outdated (version %s), please update it.";; - esac - echo "$r" -} - -version() { echo "$PKG_VERSION"; } -output_ok() { output 1 "$_OK_"; output 2 "$__OK__\\n"; } -output_okn() { output 1 "$_OK_\\n"; output 2 "$__OK__\\n"; } -output_fail() { s=1; output 1 "$_FAIL_"; output 2 "$__FAIL__\\n"; } -output_failn() { output 1 "$_FAIL_\\n"; output 2 "$__FAIL__\\n"; } -# shellcheck disable=SC2317 -str_replace() { printf "%b" "$1" | sed -e "s/$(printf "%b" "$2")/$(printf "%b" "$3")/g"; } -str_replace() { echo "${1//$2/$3}"; } -str_contains() { [ -n "$1" ] && [ -n "$2" ] && [ "${1//$2}" != "$1" ]; } -is_greater() { test "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1"; } -is_greater_or_equal() { test "$(printf '%s\n' "$@" | sort -V | head -n 1)" = "$2"; } -str_contains_word() { echo "$1" | grep -q -w "$2"; } -str_to_lower() { echo "$1" | tr 'A-Z' 'a-z'; } -str_to_upper() { echo "$1" | tr 'a-z' 'A-Z'; } -str_extras_to_underscore() { echo "$1" | tr '[\. 
~`!@#$%^&*()\+/,<>?//;:]' '_'; } -str_extras_to_space() { echo "$1" | tr ';{}' ' '; } -debug() { local i j; for i in "$@"; do eval "j=\$$i"; echo "${i}: ${j} "; done; } -output() { -# Can take a single parameter (text) to be output at any verbosity -# Or target verbosity level and text to be output at specifc verbosity - local msg memmsg logmsg - local sharedMemoryOutput="/dev/shm/$packageName-output" - verbosity="${verbosity:-2}" - if [ "$#" -ne 1 ]; then - if [ $((verbosity & $1)) -gt 0 ] || [ "$verbosity" = "$1" ]; then shift; else return 0; fi - fi - [ -t 1 ] && printf "%b" "$1" - msg="${1//$serviceName /service }"; - if [ "$(printf "%b" "$msg" | wc -l)" -gt 0 ]; then - [ -s "$sharedMemoryOutput" ] && memmsg="$(cat "$sharedMemoryOutput")" - logmsg="$(printf "%b" "${memmsg}${msg}" | sed 's/\x1b\[[0-9;]*m//g')" - logger -t "${packageName:-service}" "$(printf "%b" "$logmsg")" - rm -f "$sharedMemoryOutput" - else - printf "%b" "$msg" >> "$sharedMemoryOutput" - fi -} -is_present() { command -v "$1" >/dev/null 2>&1; } -is_installed() { [ -s "/usr/lib/opkg/info/${1}.control" ]; } -is_variant_installed() { [ "$(echo /usr/lib/opkg/info/"${1}"*.control)" != "/usr/lib/opkg/info/${1}*.control" ]; } -is_nft() { [ -x "$nft" ] && ! str_contains "$resolver_set" 'ipset' && "$nft" list chains inet | grep -q "${nftPrefix}_prerouting"; } -_find_firewall_wan_zone() { [ "$(uci -q get "firewall.${1}.name")" = "wan" ] && firewallWanZone="$1"; } -_build_ifaces_all() { ifacesAll="${ifacesAll}${1} "; } -_build_ifaces_supported() { is_supported_interface "$1" && ! 
str_contains "$ifacesSupported" "$1" && ifacesSupported="${ifacesSupported}${1} "; } -pbr_find_iface() { - local iface i param="$2" - [ "$param" = 'wan6' ] || param='wan' - "network_find_${param}" iface - is_tunnel "$iface" && unset iface - if [ -z "$iface" ]; then - for i in $ifacesAll; do - if "is_${param}" "$i"; then break; else unset i; fi - done - fi - eval "$1"='${iface:-$i}' -} -pbr_get_gateway() { - local iface="$2" dev="$3" gw - network_get_gateway gw "$iface" true - if [ -z "$gw" ] || [ "$gw" = '0.0.0.0' ]; then -# gw="$(ubus call "network.interface.${iface}" status | jsonfilter -e "@.route[0].nexthop")" - gw="$($ip_bin -4 a list dev "$dev" 2>/dev/null | grep inet | awk '{print $2}' | awk -F "/" '{print $1}')" - fi - eval "$1"='$gw' -} -pbr_get_gateway6() { - local iface="$2" dev="$3" gw - network_get_gateway6 gw "$iface" true - if [ -z "$gw" ] || [ "$gw" = '::/0' ] || [ "$gw" = '::0/0' ] || [ "$gw" = '::' ]; then - gw="$($ip_bin -6 a list dev "$dev" 2>/dev/null | grep inet6 | grep 'scope global' | awk '{print $2}')" - fi - eval "$1"='$gw' -} -is_dslite() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:6}" = "dslite" ]; } -is_l2tp() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:4}" = "l2tp" ]; } -is_oc() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:11}" = "openconnect" ]; } -# is_ovpn() { local dev; network_get_device dev "$1"; [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; } -is_ovpn() { local dev; dev="$(uci -q get "network.${1}.device")"; [ -z "$dev" ] && dev="$(uci -q get "network.${1}.dev")"; [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; } -is_valid_ovpn() { local dev_net dev_ovpn; dev_net="$(uci -q get "network.${1}.device")"; [ -z "$dev_net" ] && dev_net="$(uci -q get "network.${1}.dev")"; dev_ovpn="$(uci -q get "openvpn.${1}.dev")"; [ -n "$dev_net" ] && [ -n 
"$dev_ovpn" ] && [ "$dev_net" = "$dev_ovpn" ]; } -is_pptp() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:4}" = "pptp" ]; } -is_softether() { local dev; network_get_device dev "$1"; [ "${dev:0:4}" = "vpn_" ]; } -is_tor() { [ "$(str_to_lower "$1")" = "tor" ]; } -is_tor_running() { - local ret=0 - if [ -s "/etc/tor/torrc" ]; then - json_load "$(ubus call service list "{ 'name': 'tor' }")" - json_select 'tor'; json_select 'instances'; json_select 'instance1'; - json_get_var ret 'running'; json_cleanup - fi - if [ "$ret" = "0" ]; then return 1; else return 0; fi -} -is_wg() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:9}" = "wireguard" ]; } -is_tunnel() { is_dslite "$1" || is_l2tp "$1" || is_oc "$1" || is_ovpn "$1" || is_pptp "$1" || is_softether "$1" || is_tor "$1" || is_wg "$1"; } -is_wan() { [ "$1" = "$wanIface4" ] || { [ "${1##wan}" != "$1" ] && [ "${1##wan6}" = "$1" ]; } || [ "${1%%wan}" != "$1" ]; } -is_wan6() { [ -n "$wanIface6" ] && [ "$1" = "$wanIface6" ] || [ "${1/#wan6}" != "$1" ] || [ "${1/%wan6}" != "$1" ]; } -is_ignored_interface() { str_contains_word "$ignored_interface" "$1"; } -is_supported_interface() { str_contains_word "$supported_interface" "$1" || { ! is_ignored_interface "$1" && { is_wan "$1" || is_wan6 "$1" || is_tunnel "$1"; }; } || is_ignore_target "$1"; } -is_ignore_target() { [ "$(str_to_lower "$1")" = 'ignore' ]; } -is_mac_address() { expr "$1" : '[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]$' >/dev/null; } -is_ipv4() { expr "$1" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; } -is_ipv6() { ! 
is_mac_address "$1" && str_contains "$1" ":"; } -is_family_mismatch() { ( is_netmask "${1//!}" && is_ipv6 "${2//!}" ) || ( is_ipv6 "${1//!}" && is_netmask "${2//!}" ); } -is_ipv6_link_local() { [ "${1:0:4}" = "fe80" ]; } -is_ipv6_unique_local() { [ "${1:0:2}" = "fc" ] || [ "${1:0:2}" = "fd" ]; } -is_ipv6_global() { [ "${1:0:4}" = "2001" ]; } -# is_ipv6_global() { is_ipv6 "$1" && ! is_ipv6_link_local "$1" && ! is_ipv6_link_local "$1"; } -is_list() { str_contains "$1" "," || str_contains "$1" " "; } -is_netmask() { local ip="${1%/*}"; [ "$ip" != "$1" ] && is_ipv4 "$ip"; } -is_domain() { ! is_ipv6 "$1" && str_contains "$1" '[a-zA-Z]'; } -is_phys_dev() { [ "${1:0:1}" = "@" ] && ip l show | grep -E -q "^\\d+\\W+${1:1}"; } -dnsmasq_kill() { killall -q -s HUP dnsmasq; } -dnsmasq_restart() { output 3 'Restarting dnsmasq '; if /etc/init.d/dnsmasq restart >/dev/null 2>&1; then output_okn; else output_failn; fi; } -is_default_dev() { [ "$1" = "$($ip_bin -4 r | grep -m1 'dev' | grep -Eso 'dev [^ ]*' | awk '{print $2}')" ]; } -is_supported_iface_dev() { local n dev; for n in $ifacesSupported; do network_get_device dev "$n"; [ "$1" = "$dev" ] && return 0; done; return 1; } -is_supported_protocol() { grep -o '^[^#]*' /etc/protocols | grep -w -v '0' | grep . 
| awk '{print $1}' | grep -q "$1"; } -is_service_running_iptables() { [ -x "$iptables" ] && "$iptables" -t mangle -L | grep -q "${iptPrefix}_PREROUTING" >/dev/null 2>&1; } -is_service_running_nft() { [ -x "$nft" ] && [ -n "$(get_mark_nft_chains)" ]; } -# atomic -# is_service_running_nft() { [ -x "$nft" ] && [ -s "$nftPermFile" ]; } -is_service_running() { if is_nft; then is_service_running_nft; else is_service_running_iptables; fi; } -is_netifd_table() { local iface="$1"; [ "$(uci -q get "network.${iface}.ip4table")" = "${packageName}_${iface%6}" ]; } -get_rt_tables_id() { local iface="$1"; grep "${ipTablePrefix}_${iface}\$" '/etc/iproute2/rt_tables' | awk '{print $1;}'; } -get_rt_tables_next_id() { echo "$(($(sort -r -n '/etc/iproute2/rt_tables' | grep -o -E -m 1 "^[0-9]+")+1))"; } -_check_config() { local en; config_get_bool en "$1" 'enabled' 1; [ "$en" -gt 0 ] && _cfg_enabled=0; } -is_config_enabled() { - local cfg="$1" _cfg_enabled=1 - [ -n "$1" ] || return 1 - config_load "$packageName" - config_foreach _check_config "$cfg" - return "$_cfg_enabled" -} -# shellcheck disable=SC2016 -resolveip_to_ipt() { resolveip "$@" | sed -n 'H;${x;s/\n/,/g;s/^,//;p;};d'; } -resolveip_to_ipt4() { resolveip_to_ipt -4 "$@"; } -resolveip_to_ipt6() { [ -n "$ipv6_enabled" ] && resolveip_to_ipt -6 "$@"; } -# shellcheck disable=SC2016 -resolveip_to_nftset() { resolveip "$@" | sed -n 'H;${x;s/\n/,/g;s/^,//;p;};d' | tr '\n' ' '; } -resolveip_to_nftset4() { resolveip_to_nftset -4 "$@"; } -resolveip_to_nftset6() { [ -n "$ipv6_enabled" ] && resolveip_to_nftset -6 "$@"; } -# shellcheck disable=SC2016 -ipv4_leases_to_nftset() { [ -s '/tmp/dhcp.leases' ] || return 1; grep "$1" '/tmp/dhcp.leases' | awk '{print $3}' | sed -n 'H;${x;s/\n/,/g;s/^,//;p;};d' | tr '\n' ' '; } -# shellcheck disable=SC2016 -ipv6_leases_to_nftset() { [ -s '/tmp/hosts/odhcpd' ] || return 1; grep -v '^\#' '/tmp/hosts/odhcpd' | grep "$1" | awk '{print $1}' | sed -n 'H;${x;s/\n/,/g;s/^,//;p;};d' | tr '\n' ' '; } -# 
shellcheck disable=SC3037 -ports_to_nftset() { echo -ne "$value"; } -get_mark_ipt_chains() { [ -n "$(command -v iptables-save)" ] && iptables-save | grep ":${iptPrefix}_MARK_" | awk '{ print $1 }' | sed 's/://'; } -get_mark_nft_chains() { [ -x "$nft" ] && "$nft" list table inet "$nftTable" 2>/dev/null | grep chain | grep "${nftPrefix}_mark_" | awk '{ print $2 }'; } -get_ipsets() { [ -x "$(command -v ipset)" ] && ipset list | grep "${ipsPrefix}_" | awk '{ print $2 }'; } -get_nft_sets() { [ -x "$nft" ] && "$nft" list table inet "$nftTable" 2>/dev/null | grep 'set' | grep "${nftPrefix}_" | awk '{ print $2 }'; } -is_ipset_type_supported() { ipset help hash:"$1" >/dev/null 2>&1; } -ubus_get_status() { ubus call service list "{ 'name': '$packageName' }" | jsonfilter -e "@.${packageName}.instances.main.data.status.${1}"; } -ubus_get_iface() { ubus call service list "{ 'name': '$packageName' }" | jsonfilter -e "@.${packageName}.instances.main.data.interfaces[@.name='${1}']${2:+.$2}"; } -opkg_get_version() { grep -m1 -A1 "Package: $1$" '/usr/lib/opkg/status' | grep -m1 'Version: ' | sed 's|Version: \(.*\)|\1|'; } - -load_package_config() { - config_load "$packageName" - config_get boot_timeout 'config' 'boot_timeout' '30' - config_get_bool enabled 'config' 'enabled' '0' - config_get fw_mask 'config' 'fw_mask' 'ff0000' - config_get icmp_interface 'config' 'icmp_interface' - config_get ignored_interface 'config' 'ignored_interface' - config_get_bool ipv6_enabled 'config' 'ipv6_enabled' '0' - config_get nft_user_set_policy 'config' 'nft_user_set_policy' 'memory' - config_get_bool nft_user_set_counter 'config' 'nft_user_set_counter' '0' - config_get procd_boot_delay 'config' 'procd_boot_delay' '0' - config_get resolver_set 'config' 'resolver_set' - config_get rule_create_option 'config' 'rule_create_option' 'add' - config_get_bool secure_reload 'config' 'secure_reload' '1' - config_get_bool strict_enforcement 'config' 'strict_enforcement' '0' - config_get supported_interface 
'config' 'supported_interface' - config_get verbosity 'config' 'verbosity' '2' - config_get wan_ip_rules_priority 'config' 'wan_ip_rules_priority' '30000' - config_get wan_mark 'config' 'wan_mark' '010000' - fw_mask="0x${fw_mask}" - wan_mark="0x${wan_mark}" - [ -n "$ipv6_enabled" ] && [ "$ipv6_enabled" -eq 0 ] && unset ipv6_enabled - . /lib/functions/network.sh - . /usr/share/libubox/jshn.sh - mkdir -p "${dnsmasqFile%/*}" - if is_nft; then - fw_maskXor="$(printf '%#x' "$((fw_mask ^ 0xffffffff))")" - fw_maskXor="${fw_maskXor:-0xff00ffff}" - if [ "$nft_user_set_counter" -eq '0' ]; then - unset nft_user_set_counter - fi - else - case $rule_create_option in - insert|-i|-I) rule_create_option='-I';; - add|-a|-A|*) rule_create_option='-A';; - esac - fi -} - -load_environment() { - local param="$1" validation_result="$2" - load_package_config - case "$param" in - on_start) - if [ -n "$validation_result" ] && [ "$validation_result" != '0' ]; then - output "${_ERROR_}: The $packageName config validation failed!\\n" - output "Please check if the '$packageConfigFile' contains correct values for config options.\\n" - state add 'errorSummary' 'errorConfigValidation' - return 1 - fi - if [ "$enabled" -eq 0 ]; then - state add 'errorSummary' 'errorServiceDisabled' - return 1 - fi - if [ ! -x "$ip_bin" ]; then - state add 'errorSummary' 'errorNoIpFull' - return 1 - fi - if ! is_nft; then - if [ -z "$iptables" ] || [ ! -x "$iptables" ]; then - state add 'errorSummary' 'errorNoIptables' - return 1 - fi - fi - rm -f "$packageLockFile" - resolver 'check_support' - ;; - on_stop) - touch "$packageLockFile" - ;; - esac - load_network "$param" -} - -load_network() { - local i - config_load 'network' - [ -z "$ifacesAll" ] && config_foreach _build_ifaces_all 'interface' - if [ -z "$ifacesSupported" ]; then - config_load 'firewall' - config_foreach _find_firewall_wan_zone 'zone' - for i in $(uci -q get "firewall.${firewallWanZone}.network"); do - is_supported_interface "$i" && ! 
str_contains "$ifacesSupported" "$1" && ifacesSupported="${ifacesSupported}${i} "
- done
- config_load 'network'
- config_foreach _build_ifaces_supported 'interface'
- fi
- pbr_find_iface wanIface4 'wan'
- [ -n "$ipv6_enabled" ] && pbr_find_iface wanIface6 'wan6'
- [ -n "$wanIface4" ] && network_get_gateway wanGW4 "$wanIface4"
- [ -n "$wanIface6" ] && network_get_gateway6 wanGW6 "$wanIface6"
- wanGW="${wanGW4:-$wanGW6}"
-}
-
-is_wan_up() {
- local sleepCount='1'
- load_network
- while [ -z "$wanGW" ] ; do
- load_network
- if [ $((sleepCount)) -gt $((boot_timeout)) ] || [ -n "$wanGW" ]; then break; fi
- output "$serviceName waiting for wan gateway...\\n"
- sleep 1
- network_flush_cache
- sleepCount=$((sleepCount+1))
- done
- if [ -n "$wanGW" ]; then
- return 0
- else
- state add 'errorSummary' 'errorNoWanGateway'
- return 1
- fi
-}
-
-# shellcheck disable=SC2086
-ipt4() {
- local d
- [ -x "$iptables" ] || return 1
- for d in "${*//-A/-D}" "${*//-I/-D}" "${*//-N/-F}" "${*//-N/-X}"; do
- [ "$d" != "$*" ] && "$iptables" $d >/dev/null 2>&1
- done
- d="$*"; "$iptables" $d >/dev/null 2>&1
-}
-
-# shellcheck disable=SC2086
-ipt6() {
- local d
- [ -n "$ipv6_enabled" ] || return 0
- [ -x "$ip6tables" ] || return 1
- for d in "${*//-A/-D}" "${*//-I/-D}" "${*//-N/-F}" "${*//-N/-X}"; do
- [ "$d" != "$*" ] && "$ip6tables" $d >/dev/null 2>&1
- done
- d="$*"
- "$ip6tables" $d >/dev/null 2>&1
-}
-
-# shellcheck disable=SC2086
-ipt() {
- local d failFlagIpv4=1 failFlagIpv6=1
- [ -x "$iptables" ] || return 1
- for d in "${*//-A/-D}" "${*//-I/-D}" "${*//-N/-F}" "${*//-N/-X}"; do
- if [ "$d" != "$*" ]; then
- "$iptables" $d >/dev/null 2>&1
- [ -x "$ip6tables" ] && "$ip6tables" $d >/dev/null 2>&1
- fi
- done
- d="$*"; "$iptables" $d >/dev/null 2>&1 && failFlagIpv4=0;
- if [ -n "$ipv6_enabled" ] && [ -x "$ip6tables" ]; then
- "$ip6tables" $d >/dev/null 2>&1 && failFlagIpv6=0
- fi
- [ "$failFlagIpv4" -eq 0 ] || [ "$failFlagIpv6" -eq 0 ]
-}
-
-# shellcheck disable=SC2086
-ips4() { [ -x "$ipset" ] && "$ipset" "$@" >/dev/null 2>&1; }
-ips6() { [ -x "$ipset" ] && { if [ -n "$ipv6_enabled" ] && [ -n "$*" ]; then "$ipset" "$@" >/dev/null 2>&1; else return 1; fi; }; }
-ips() {
- local command="$1" iface="$2" target="${3:-dst}" type="${4:-ip}" uid="$5" comment="$6" param="$7" mark="$7"
- local ipset4 ipset6 i
- local ipv4_error=1 ipv6_error=1
- ipset4="${ipsPrefix}${iface:+_$iface}_4${target:+_$target}${type:+_$type}${uid:+_$uid}"
- ipset6="${ipsPrefix}${iface:+_$iface}_6${target:+_$target}${type:+_$type}${uid:+_$uid}"
-
- [ -x "$ipset" ] || return 1
-
- if [ "${#ipset4}" -gt 31 ]; then
- state add 'errorSummary' 'errorIpsetNameTooLong' "$ipset4"
- return 1
- fi
-
- case "$command" in
- add)
- ips4 -q -! add "$ipset4" ["$param"] comment "$comment" && ipv4_error=0
- ips6 -q -! add "$ipset6" ["$param"] comment "$comment" && ipv6_error=0
- ;;
- add_agh_element)
- [ -n "$ipv6_enabled" ] || unset ipset6
- echo "${param}/${ipset4}${ipset6:+,$ipset6}" >> "$aghIpsetFile" && ipv4_error=0
- ;;
- add_dnsmasq_element)
- [ -n "$ipv6_enabled" ] || unset ipset6
- echo "ipset=/${param}/${ipset4}${ipset6:+,$ipset6} # $comment" >> "$dnsmasqFile" && ipv4_error=0
- ;;
- create)
- ips4 -q -! create "$ipset4" "hash:$type" comment && ipv4_error=0
- ips6 -q -! create "$ipset6" "hash:$type" comment family inet6 && ipv6_error=0
- ;;
- create_agh_set)
- ips4 -q -! create "$ipset4" "hash:$type" comment && ipv4_error=0
- ips6 -q -! create "$ipset6" "hash:$type" comment family inet6 && ipv6_error=0
- ;;
- create_dnsmasq_set)
- ips4 -q -! create "$ipset4" "hash:$type" comment && ipv4_error=0
- ips6 -q -! create "$ipset6" "hash:$type" comment family inet6 && ipv6_error=0
- ;;
- create_user_set)
- case "$type" in
- ip|net)
- ips4 -q -! create "$ipset4" "hash:$type" comment && ipv4_error=0
- ips6 -q -!
create "$ipset6" "hash:$type" comment family inet6 && ipv6_error=0
- case "$target" in
- dst)
- ipt4 -t mangle -A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" dst -g "${iptPrefix}_MARK_${mark}" && ipv4_error=0
- ipt6 -t mangle -A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" dst -g "${iptPrefix}_MARK_${mark}" && ipv6_error=0
- ;;
- src)
- ipt4 -t mangle -A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" src -g "${iptPrefix}_MARK_${mark}" && ipv4_error=0
- ipt6 -t mangle -A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" src -g "${iptPrefix}_MARK_${mark}" && ipv6_error=0
- ;;
- esac
- ;;
- mac)
- ips4 -q -! create "$ipset4" "hash:$type" comment && ipv4_error=0
- ips6 -q -! create "$ipset6" "hash:$type" comment family inet6 && ipv4_error=0
- ipt4 -t mangle -A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" src -g "${iptPrefix}_MARK_${mark}" && ipv4_error=0
- ipt6 -t mangle -A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" src -g "${iptPrefix}_MARK_${mark}" && ipv6_error=0
- ;;
- esac
- ;;
- delete|destroy)
- ips4 -q -! destroy "$ipset4" && ipv4_error=0
- ips6 -q -! destroy "$ipset6" && ipv6_error=0
- ;;
- delete_user_set)
- ips4 -q -! destroy "$ipset4" && ipv4_error=0
- ips6 -q -!
destroy "$ipset6" family inet6 && ipv6_error=0
- case "$type" in
- ip|net)
- case "$target" in
- dst)
- ipt4 -t mangle -D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" dst -g "${iptPrefix}_MARK_${mark}" && ipv4_error=0
- ipt6 -t mangle -D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" dst -g "${iptPrefix}_MARK_${mark}" && ipv6_error=0
- ;;
- src)
- ipt4 -t mangle -D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" src -g "${iptPrefix}_MARK_${mark}" && ipv4_error=0
- ipt6 -t mangle -D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" src -g "${iptPrefix}_MARK_${mark}" && ipv6_error=0
- ;;
- esac
- ;;
- mac)
- ipt4 -t mangle -D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" src -g "${iptPrefix}_MARK_${mark}" && ipv4_error=0
- ipt6 -t mangle -D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" src -g "${iptPrefix}_MARK_${mark}" && ipv6_error=0
- ;;
- esac
- ;;
- flush|flush_user_set)
- ips4 -q -! flush "$ipset4" && ipv4_error=0
- ips6 -q -! flush "$ipset6" && ipv6_error=0
- ;;
- esac
- if [ "$ipv4_error" -eq '0' ] || [ "$ipv6_error" -eq '0' ]; then
- return 0
- else
- return 1
- fi
-}
-
-# atomic
-#nfta() { echo "$@" >> "$nftTempFile"; }
-#nfta4() { echo "$@" >> "$nftTempFile"; }
-#nfta6() { [ -z "$ipv6_enabled" ] || echo "$@" >> "$nftTempFile"; }
-#nft() { nfta "$@"; [ -x "$nft" ] && "$nft" "$@" >/dev/null 2>&1; }
-#nft4() { nfta "$@"; [ -x "$nft" ] && "$nft" "$@" >/dev/null 2>&1; }
-#nft6() { nfta "$@"; [ -n "$ipv6_enabled" ] || return 0; [ -x "$nft" ] && [ -n "$*" ] && "$nft" "$@" >/dev/null 2>&1; }
-nft() { [ -x "$nft" ] && "$nft" "$@" >/dev/null 2>&1; }
-nft4() { [ -x "$nft" ] && "$nft" "$@" >/dev/null 2>&1; }
-nft6() { [ -n "$ipv6_enabled" ] || return 0; [ -x "$nft" ] && [ -n "$*" ] && "$nft" "$@" >/dev/null 2>&1; }
-nftset() {
- local command="$1" iface="$2" target="${3:-dst}" type="${4:-ip}" uid="$5" comment="$6" param="$7" mark="$7"
- local nftset4 nftset6 i param4 param6
- local ipv4_error=1 ipv6_error=1
-
nftset4="${nftPrefix}${iface:+_$iface}_4${target:+_$target}${type:+_$type}${uid:+_$uid}"
- nftset6="${nftPrefix}${iface:+_$iface}_6${target:+_$target}${type:+_$type}${uid:+_$uid}"
-
- [ -x "$nft" ] || return 1
-
- if [ "${#nftset4}" -gt 255 ]; then
- state add 'errorSummary' 'errorNftsetNameTooLong' "$nftset4"
- return 1
- fi
-
- case "$command" in
- add)
- if is_netmask "$param" || is_ipv4 "$param" || is_ipv6 "$param" \
- || is_mac_address "$param" || is_list "$param"; then
- nft4 add element inet "$nftTable" "$nftset4" "{ $param }" && ipv4_error=0
- nft6 add element inet "$nftTable" "$nftset6" "{ $param }" && ipv6_error=0
- else
- if [ "$target" = 'src' ]; then
- param4="$(ipv4_leases_to_nftset "$param")"
- param6="$(ipv6_leases_to_nftset "$param")"
- fi
- [ -z "$param4" ] && param4="$(resolveip_to_nftset4 "$param")"
- [ -z "$param6" ] && param6="$(resolveip_to_nftset6 "$param")"
- if [ -z "$param4" ] && [ -z "$param6" ]; then
- state add 'errorSummary' 'errorFailedToResolve' "$param"
- else
- nft4 add element inet "$nftTable" "$nftset4" "{ $param4 }" && ipv4_error=0
- nft6 add element inet "$nftTable" "$nftset6" "{ $param6 }" && ipv6_error=0
- fi
- fi
- ;;
- add_dnsmasq_element)
- [ -n "$ipv6_enabled" ] || unset nftset6
- echo "nftset=/${param}/4#inet#${nftTable}#${nftset4}${nftset6:+,6#inet#${nftTable}#$nftset6} # $comment" >> "$dnsmasqFile" && ipv4_error=0
- ;;
- create)
- case "$type" in
- ip|net)
- nft4 add set inet "$nftTable" "$nftset4" "{ type ipv4_addr; counter; flags interval; auto-merge; comment \"$comment\"; }" && ipv4_error=0
- nft6 add set inet "$nftTable" "$nftset6" "{ type ipv6_addr; counter; flags interval; auto-merge; comment \"$comment\"; }" && ipv6_error=0
- ;;
- mac)
- nft4 add set inet "$nftTable" "$nftset4" "{ type ether_addr; counter; flags interval; auto-merge; comment \"$comment\"; }" && ipv4_error=0
- nft6 add set inet "$nftTable" "$nftset6" "{ type ether_addr; counter; flags interval; auto-merge; comment \"$comment\"; }" &&
ipv6_error=0
- ;;
- esac
- ;;
- create_dnsmasq_set)
- nft4 add set inet "$nftTable" "$nftset4" "{ type ipv4_addr; counter; flags interval; auto-merge; comment \"$comment\"; }" && ipv4_error=0
- nft6 add set inet "$nftTable" "$nftset6" "{ type ipv6_addr; counter; flags interval; auto-merge; comment \"$comment\"; }" && ipv6_error=0
- ;;
- create_user_set)
- case "$type" in
- ip|net)
- nft4 add set inet "$nftTable" "$nftset4" "{ type ipv4_addr; ${nft_user_set_counter:+counter;} flags interval; auto-merge; policy $nft_user_set_policy; comment \"$comment\"; }" && ipv4_error=0
- nft6 add set inet "$nftTable" "$nftset6" "{ type ipv6_addr; ${nft_user_set_counter:+counter;} flags interval; auto-merge; policy $nft_user_set_policy; comment \"$comment\"; }" && ipv6_error=0
- case "$target" in
- dst)
- nft add rule inet "$nftTable" "${nftPrefix}_prerouting" ip daddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error=0
- nft add rule inet "$nftTable" "${nftPrefix}_prerouting" ip daddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" && ipv6_error=0
- ;;
- src)
- nft add rule inet "$nftTable" "${nftPrefix}_prerouting" ip saddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error=0
- nft add rule inet "$nftTable" "${nftPrefix}_prerouting" ip saddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" && ipv6_error=0
- ;;
- esac
- ;;
- mac)
- nft4 add set inet "$nftTable" "$nftset4" "{ type ether_addr; ${nft_user_set_counter:+counter;} flags interval; auto-merge; policy $nft_user_set_policy; comment \"$comment\"; }" && ipv4_error=0
- nft6 add set inet "$nftTable" "$nftset6" "{ type ether_addr; ${nft_user_set_counter:+counter;} flags interval; auto-merge; policy $nft_user_set_policy; comment \"$comment\"; }" && ipv6_error=0
- nft add rule inet "$nftTable" "${nftPrefix}_prerouting" ether saddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error=0
- nft add rule inet "$nftTable" "${nftPrefix}_prerouting" ether saddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" &&
ipv6_error=0
- ;;
- esac
- ;;
- delete|destroy)
- nft delete set inet "$nftTable" "$nftset4" && ipv4_error=0
- nft delete set inet "$nftTable" "$nftset6" && ipv6_error=0
- ;;
- delete_user_set)
- nft delete set inet "$nftTable" "$nftset4" && ipv4_error=0
- nft delete set inet "$nftTable" "$nftset6" && ipv6_error=0
- case "$type" in
- ip|net)
- case "$target" in
- dst)
- nft delete rule inet "$nftTable" "${nftPrefix}_prerouting" ip daddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error=0
- nft delete rule inet "$nftTable" "${nftPrefix}_prerouting" ip daddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" && ipv6_error=0
- ;;
- src)
- nft delete rule inet "$nftTable" "${nftPrefix}_prerouting" ip saddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error=0
- nft delete rule inet "$nftTable" "${nftPrefix}_prerouting" ip saddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" && ipv6_error=0
- ;;
- esac
- ;;
- mac)
- nft delete rule inet "$nftTable" "${nftPrefix}_prerouting" ether saddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error=0
- nft delete rule inet "$nftTable" "${nftPrefix}_prerouting" ether saddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" && ipv6_error=0
- ;;
- esac
- ;;
- flush|flush_user_set)
- nft flush set inet "$nftTable" "$nftset4" && ipv4_error=0
- nft flush set inet "$nftTable" "$nftset6" && ipv6_error=0
- ;;
- esac
-# nft6 returns true if IPv6 support is not enabled
- [ -z "$ipv6_enabled" ] && ipv6_error='1'
- if [ "$ipv4_error" -eq '0' ] || [ "$ipv6_error" -eq '0' ]; then
- return 0
- else
- return 1
- fi
-}
-
-cleanup_rt_tables() { sed -i '/pbr_/d' '/etc/iproute2/rt_tables'; sync; }
-cleanup_dnsmasq() { [ -s "$dnsmasqFile" ] && resolverStoredHash="$(md5sum $dnsmasqFile | awk '{ print $1; }')" && rm "$dnsmasqFile" >/dev/null 2>&1; }
-
-cleanup_main_chains() {
- local i
- for i in $chainsList; do
- i="$(str_to_lower "$i")"
- nft flush chain inet "$nftTable" "${nftPrefix}_${i}"
- done
- for i in $chainsList; do
-
i="$(str_to_upper "$i")" - ipt -t mangle -D "${i}" -m mark --mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}" - ipt -t mangle -F "${iptPrefix}_${i}" - ipt -t mangle -X "${iptPrefix}_${i}" - done -} - -cleanup_marking_chains() { - local i - for i in $(get_mark_nft_chains); do - nft flush chain inet "$nftTable" "$i" - nft delete chain inet "$nftTable" "$i" - done - for i in $(get_mark_ipt_chains); do - ipt -t mangle -F "$i" - ipt -t mangle -X "$i" - done -} - -cleanup_sets() { - local i - for i in $(get_nft_sets); do - nft flush set inet "$nftTable" "$i" - nft delete set inet "$nftTable" "$i" - done - for i in $(get_ipsets); do - ipset -q -! flush "$i" >/dev/null 2>&1 - ipset -q -! destroy "$i" >/dev/null 2>&1 - done -} - -state() { - local action="$1" param="$2" value="${3//#/_}" - shift 3 -# shellcheck disable=SC2124 - local extras="$@" - local line error_id error_extra label - case "$action" in - add) - line="$(eval echo "\$$param")" - eval "$param"='${line:+$line#}${value}${extras:+ $extras}' - ;; - json) - json_init - json_add_object "$packageName" - case "$param" in - errorSummary) - json_add_array 'errors';; - warningSummary) - json_add_array 'warnings';; - esac - if [ -n "$(eval echo "\$$param")" ]; then - while read -r line; do - if str_contains "$line" ' '; then - error_id="${line% *}" - error_extra="${line#* }" - else - error_id="$line" - fi - json_add_object - json_add_string 'id' "$error_id" - json_add_string 'extra' "$error_extra" - json_close_object - done </dev/null 2>&1 - rm -f "$aghIpsetFile" - rm -f "$dnsmasqFile" - return 0 - fi - - case "$resolver_set" in - ''|none) - case "$param" in - add_resolver_element) return 1;; - create_resolver_set) return 1;; - check_support) return 0;; - cleanup) return 0;; - configure) return 0;; - init) return 0;; - init_end) return 0;; - kill) return 0;; - reload) return 0;; - restart) return 0;; - compare_hash) return 0;; - store_hash) return 0;; - esac - ;; - adguardhome.ipset) - case "$param" in - 
add_resolver_element)
- [ -n "$resolver_set_supported" ] && ips 'add_agh_element' "$@";;
- create_resolver_set)
- [ -n "$resolver_set_supported" ] && ips 'create_agh_set' "$@";;
- check_support)
- if [ ! -x "$ipset" ]; then
- state add 'errorSummary' 'errorNoIpset'
- return 1
- fi
- if [ -n "$agh" ] && [ -s "$aghConfigFile" ]; then
- agh_version="$($agh --version | sed 's|AdGuard Home, version v\(.*\)|\1|' | sed 's|-.*||')"
- if is_greater_or_equal "$agh_version" '0.107.13'; then
- resolver_set_supported='true'
- return 0
- else
- state add 'warningSummary' 'warningAGHVersionTooLow' "$agh_version"
- return 1
- fi
- else
- state add 'warningSummary' 'warningResolverNotSupported'
- return 1
- fi
- ;;
- cleanup)
- [ -z "$resolver_set_supported" ] && return 0
- rm -f "$aghIpsetFile"
- sed -i "/ipset_file: ${aghIpsetFile}/d" "$aghConfigFile" >/dev/null 2>&1
- ;;
- configure)
- [ -z "$resolver_set_supported" ] && return 1
- mkdir -p "${aghIpsetFile%/*}"
- touch "$aghIpsetFile"
- sed -i '/ipset_file/d' "$aghConfigFile" >/dev/null 2>&1
- sed -i "/ ipset:/a \ \ ipset_file: $aghIpsetFile" "$aghConfigFile"
- ;;
- init) :;;
- init_end) :;;
- kill)
- [ -n "$resolver_set_supported" ] && [ -n "$agh" ] && killall -q -s HUP "$agh";;
- reload)
- [ -z "$resolver_set_supported" ] && return 1
- output 3 'Reloading adguardhome '
- if /etc/init.d/adguardhome reload >/dev/null 2>&1; then
- output_okn
- return 0
- else
- output_failn
- return 1
- fi
- ;;
- restart)
- [ -z "$resolver_set_supported" ] && return 1
- output 3 'Restarting adguardhome '
- if /etc/init.d/adguardhome restart >/dev/null 2>&1; then
- output_okn
- return 0
- else
- output_failn
- return 1
- fi
- ;;
- compare_hash)
- [ -z "$resolver_set_supported" ] && return 1
- local resolverNewHash
- if [ -s "$aghIpsetFile" ]; then
- resolverNewHash="$(md5sum $aghIpsetFile | awk '{ print $1; }')"
- fi
- [ "$resolverNewHash" != "$resolverStoredHash" ]
- ;;
- store_hash)
- [ -s "$aghIpsetFile" ] && resolverStoredHash="$(md5sum
$aghIpsetFile | awk '{ print $1; }')";;
- esac
- ;;
- dnsmasq.ipset)
- case "$param" in
- add_resolver_element)
- [ -n "$resolver_set_supported" ] && ips 'add_dnsmasq_element' "$@";;
- create_resolver_set)
- [ -n "$resolver_set_supported" ] && ips 'create_dnsmasq_set' "$@";;
- check_support)
- if [ ! -x "$ipset" ]; then
- state add 'errorSummary' 'errorNoIpset'
- return 1
- fi
- if ! dnsmasq -v 2>/dev/null | grep -q 'no-ipset' && dnsmasq -v 2>/dev/null | grep -q 'ipset'; then
- resolver_set_supported='true'
- return 0
- else
- state add 'warningSummary' 'warningResolverNotSupported'
- return 1
- fi
- ;;
- cleanup)
- [ -n "$resolver_set_supported" ] && rm -f "$dnsmasqFile";;
- configure)
- [ -n "$resolver_set_supported" ] && mkdir -p "${dnsmasqFile%/*}";;
- init) :;;
- init_end) :;;
- kill)
- [ -n "$resolver_set_supported" ] && killall -q -s HUP dnsmasq;;
- reload)
- [ -z "$resolver_set_supported" ] && return 1
- output 3 'Reloading dnsmasq '
- if /etc/init.d/dnsmasq reload >/dev/null 2>&1; then
- output_okn
- return 0
- else
- output_failn
- return 1
- fi
- ;;
- restart)
- [ -z "$resolver_set_supported" ] && return 1
- output 3 'Restarting dnsmasq '
- if /etc/init.d/dnsmasq restart >/dev/null 2>&1; then
- output_okn
- return 0
- else
- output_failn
- return 1
- fi
- ;;
- compare_hash)
- [ -z "$resolver_set_supported" ] && return 1
- local resolverNewHash
- if [ -s "$dnsmasqFile" ]; then
- resolverNewHash="$(md5sum $dnsmasqFile | awk '{ print $1; }')"
- fi
- [ "$resolverNewHash" != "$resolverStoredHash" ]
- ;;
- store_hash)
- [ -s "$dnsmasqFile" ] && resolverStoredHash="$(md5sum $dnsmasqFile | awk '{ print $1; }')";;
- esac
- ;;
- dnsmasq.nftset)
- case "$param" in
- add_resolver_element)
- [ -n "$resolver_set_supported" ] && nftset 'add_dnsmasq_element' "$@";;
- create_resolver_set)
- [ -n "$resolver_set_supported" ] && nftset 'create_dnsmasq_set' "$@";;
- check_support)
- if [ ! -x "$nft" ]; then
- state add 'errorSummary' 'errorNoNft'
- return 1
- fi
- if !
dnsmasq -v 2>/dev/null | grep -q 'no-nftset' && dnsmasq -v 2>/dev/null | grep -q 'nftset'; then
- resolver_set_supported='true'
- return 0
- else
- state add 'warningSummary' 'warningResolverNotSupported'
- return 1
- fi
- ;;
- cleanup)
- [ -n "$resolver_set_supported" ] && rm -f "$dnsmasqFile";;
- configure)
- [ -n "$resolver_set_supported" ] && mkdir -p "${dnsmasqFile%/*}";;
- init) :;;
- init_end) :;;
- kill)
- [ -n "$resolver_set_supported" ] && killall -q -s HUP dnsmasq;;
- reload)
- [ -z "$resolver_set_supported" ] && return 1
- output 3 'Reloading dnsmasq '
- if /etc/init.d/dnsmasq reload >/dev/null 2>&1; then
- output_okn
- return 0
- else
- output_failn
- return 1
- fi
- ;;
- restart)
- [ -z "$resolver_set_supported" ] && return 1
- output 3 'Restarting dnsmasq '
- if /etc/init.d/dnsmasq restart >/dev/null 2>&1; then
- output_okn
- return 0
- else
- output_failn
- return 1
- fi
- ;;
- compare_hash)
- [ -z "$resolver_set_supported" ] && return 1
- local resolverNewHash
- if [ -s "$dnsmasqFile" ]; then
- resolverNewHash="$(md5sum $dnsmasqFile | awk '{ print $1; }')"
- fi
- [ "$resolverNewHash" != "$resolverStoredHash" ]
- ;;
- store_hash)
- [ -s "$dnsmasqFile" ] && resolverStoredHash="$(md5sum $dnsmasqFile | awk '{ print $1; }')";;
- esac
- ;;
- unbound.ipset)
- case "$param" in
- add_resolver_element) :;;
- create_resolver_set) :;;
- check_support) :;;
- cleanup) :;;
- configure) :;;
- init) :;;
- init_end) :;;
- kill) :;;
- reload) :;;
- restart) :;;
- compare_hash) :;;
- store_hash) :;;
- esac
- ;;
- unbound.nftset)
- case "$param" in
- add_resolver_element) :;;
- create_resolver_set) :;;
- check_support) :;;
- cleanup) :;;
- configure) :;;
- init) :;;
- init_end) :;;
- kill) :;;
- reload) :;;
- restart) :;;
- compare_hash) :;;
- store_hash) :;;
- esac
- ;;
- esac
-}
-
-trap_process() {
- output "\\n"
- output "Unexpected exit or service termination: '${1}'!\\n"
- state add 'errorSummary' 'errorUnexpectedExit' "$1"
- traffic_killswitch 'remove'
-}
-
-traffic_killswitch() {
- local s=0
- case "$1" in
- insert)
- local lan_subnet wan_device
- [ "$secure_reload" -ne 0 ] || return 0
- for i in $serviceTrapSignals; do
-# shellcheck disable=SC2064
- trap "trap_process $i" "$i"
- done
- output 3 'Activating traffic killswitch '
- network_get_subnet lan_subnet 'lan'
- network_get_physdev wan_device 'wan'
- if is_nft; then
- nft add chain inet "$nftTable" "${nftPrefix}_killswitch" '{ type filter hook forward priority 0; policy accept; }' || s=1
- nft add rule inet "$nftTable" "${nftPrefix}_killswitch" oifname "$wan_device" ip saddr "$lan_subnet" counter reject || s=1
- else
- ipt -N "${iptPrefix}_KILLSWITCH" || s=1
- ipt -A "${iptPrefix}_KILLSWITCH" -s "$lan_subnet" -o "$wan_device" -j REJECT || s=1
- ipt -I FORWARD -j "${iptPrefix}_KILLSWITCH" || s=1
- fi
- if [ "$s" -eq 0 ]; then
- output_okn
- else
- output_failn
- fi
- ;;
- remove)
- if [ "$secure_reload" -ne 0 ]; then
- output 3 'Deactivating traffic killswitch '
- fi
- if is_nft; then
- nft flush chain inet "$nftTable" "${nftPrefix}_killswitch" || s=1
- nft delete chain inet "$nftTable" "${nftPrefix}_killswitch" || s=1
- else
- ipt -D FORWARD -j "${iptPrefix}_KILLSWITCH" || s=1
- ipt -F "${iptPrefix}_KILLSWITCH" || s=1
- ipt -X "${iptPrefix}_KILLSWITCH" || s=1
- fi
- if [ "$secure_reload" -ne 0 ]; then
- if [ "$s" -eq 0 ]; then
- output_okn
- else
- output_failn
- fi
- fi
-# shellcheck disable=SC2086
- trap - $serviceTrapSignals
- ;;
- esac
-}
-
-policy_routing_tor() { if is_nft; then policy_routing_tor_nft "$@"; else policy_routing_tor_iptables "$@"; fi; }
-policy_routing_tor_iptables() {
- local comment="$1" iface="$2" src_addr="$3" src_port="$4" dest_addr="$5" dest_port="$6" proto chain uid="$9"
- proto="$(str_to_lower "$7")"
- chain="$(str_to_upper "$8")"
- chain="${chain:-PREROUTING}"
- if [ -n "${src_addr}${src_port}${dest_port}" ]; then
- state add 'warningSummary' 'warningTorUnsetParams' "$comment"
- fi
- if [ -n "$proto" ] && [ "$proto" != "all" ]; then
- state add 'warningSummary' 'warningTorUnsetProto' "$comment"
- fi
- if [ "$chain" != "PREROUTING" ]; then
- state add 'warningSummary' 'warningTorUnsetChainIpt' "$comment"
- fi
- if ! resolver 'add_resolver_element' "$iface" 'dst' 'ip' '' "${comment}: $dest_addr" "$dest_addr"; then
- processPolicyError='true'
- state add 'errorSummary' 'errorResolver' "'add_resolver_element' '$iface' 'dst' 'ip' '${comment}: $dest_addr' '$dest_addr'"
- return 1
- fi
- return 0
-}
-policy_routing_tor_nft() {
- local comment="$1" iface="$2" src_addr="$3" src_port="$4" dest_addr="$5" dest_port="$6" proto chain uid="$9"
- proto="$(str_to_lower "$7")"
- chain="$(str_to_lower "$8")"
- chain="${chain:-prerouting}"
- if [ -n "${src_addr}${src_port}${dest_port}" ]; then
- state add 'warningSummary' 'warningTorUnsetParams' "$comment"
- fi
- if [ -n "$proto" ] && [ "$proto" != "all" ]; then
- state add 'warningSummary' 'warningTorUnsetProto' "$comment"
- fi
- if [ "$chain" != "prerouting" ]; then
- state add 'warningSummary' 'warningTorUnsetChainNft' "$comment"
- fi
- if !
resolver 'add_resolver_element' "$iface" 'dst' 'ip' '' "${comment}: $dest_addr" "$dest_addr"; then
- processPolicyError='true'
- state add 'errorSummary' 'errorResolver' "'add_resolver_element' '$iface' 'dst' 'ip' '${comment}: $dest_addr' '$dest_addr'"
- return 1
- fi
- return 0
-}
-
-policy_routing() { if is_nft; then policy_routing_nft "$@"; else policy_routing_iptables "$@"; fi; }
-policy_routing_iptables() {
- local mark param4 param6 i negation value dest ipInsertOption="-A"
- local ip4error='1' ip6error='1'
- local name="$1" iface="$2" laddr="$3" lport="$4" raddr="$5" rport="$6" proto chain uid="$9"
- proto="$(str_to_lower "$7")"
- chain="$(str_to_upper "$8")"
- chain="${chain:-PREROUTING}"
- mark=$(eval echo "\$mark_${iface//-/_}")
-
- if [ -n "$ipv6_enabled" ] && { is_ipv6 "$laddr" || is_ipv6 "$raddr"; }; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessNoIpv6' "$name"
- return 1
- fi
-
- if [ -n "$mark" ]; then
- dest="-g ${iptPrefix}_MARK_${mark}"
- elif [ "$iface" = "ignore" ]; then
- dest="-j RETURN"
- else
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessUnknownFwmark' "$iface"
- return 1
- fi
-
- if is_family_mismatch "$laddr" "$raddr"; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessMismatchFamily' "${name}: '$laddr' '$raddr'"
- return 1
- fi
-
- if [ -z "$proto" ]; then
- if [ -n "${lport}${rport}" ]; then
- proto='tcp udp'
- else
- proto='all'
- fi
- fi
-
- for i in $proto; do
- if [ "$i" = 'all' ]; then
- param4="-t mangle ${ipInsertOption} ${iptPrefix}_${chain} $dest"
- param6="-t mangle ${ipInsertOption} ${iptPrefix}_${chain} $dest"
- elif !
is_supported_protocol "$i"; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessUnknownProtocol' "${name}: '$i'"
- return 1
- else
- param4="-t mangle ${ipInsertOption} ${iptPrefix}_${chain} $dest -p $i"
- param6="-t mangle ${ipInsertOption} ${iptPrefix}_${chain} $dest -p $i"
- fi
-
- if [ -n "$laddr" ]; then
- if [ "${laddr:0:1}" = "!" ]; then
- negation='!'; value="${laddr:1}"
- else
- unset negation; value="$laddr";
- fi
- if is_phys_dev "$value"; then
- param4="$param4 $negation -m physdev --physdev-in ${value:1}"
- param6="$param6 $negation -m physdev --physdev-in ${value:1}"
- elif is_netmask "$value"; then
- local target='src' type='net'
- if ips 'create' "$iface" "$target" "$type" "$uid" "${name}: $laddr" && \
- ips 'add' "$iface" "$target" "$type" "$uid" "${name}: $laddr" "$value"; then
- param4="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
- param6="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
- else
- param4="$param4 $negation -s $value"
- param6="$param6 $negation -s $value"
- fi
- elif is_mac_address "$value"; then
- local target='src' type='mac'
- if ips 'create' "$iface" "$target" "$type" "$uid" "${name}: $laddr" && \
- ips 'add' "$iface" "$target" "$type" "$uid" "${name}: $laddr" "$value"; then
- param4="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
- param6="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
- else
- param4="$param4 -m mac $negation --mac-source $value"
- param6="$param6 -m mac $negation --mac-source $value"
- fi
- else
- local target='src' type='ip'
- if ips 'create' "$iface" "$target" "$type" "$uid" "${name}: $laddr" && \
- ips 'add' "$iface" "$target" "$type" "$uid" "${name}: $laddr" "$value"; then
- param4="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
-
param6="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
- else
- local resolvedIP4 resolvedIP6
- resolvedIP4="$(resolveip_to_ipt4 "$value")"
- resolvedIP6="$(resolveip_to_ipt6 "$value")"
- if [ -z "$resolvedIP4" ] && [ -z "$resolvedIP6" ]; then
- state add 'errorSummary' 'errorFailedToResolve' "$value"
- fi
- param4="$param4 $negation -s $resolvedIP4"
- param6="$param6 $negation -s $resolvedIP6"
- fi
- fi
- fi
-
- if [ -n "$lport" ]; then
- if [ "${lport:0:1}" = "!" ]; then
- negation='!'; value="${lport:1}"
- else
- unset negation; value="$lport";
- fi
- param4="$param4 -m multiport $negation --sport ${value//-/:}"
- param6="$param6 -m multiport $negation --sport ${value//-/:}"
- fi
-
- if [ -n "$raddr" ]; then
- if [ "${raddr:0:1}" = "!" ]; then
- negation='!'; value="${raddr:1}"
- else
- unset negation; value="$raddr";
- fi
- if is_netmask "$value"; then
- local target='dst' type='net'
- if ips 'create' "$iface" "$target" "$type" "$uid" "${name}: $raddr" && \
- ips 'add' "$iface" "$target" "$type" "$uid" "${name}: $raddr" "$value"; then
- param4="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
- param6="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
- else
- param4="$param4 $negation -d $value"
- param6="$param6 $negation -d $value"
- fi
- elif is_domain "$value"; then
- local target='dst' type='ip'
- if resolver 'create_resolver_set' "$iface" "$target" "$type" "$uid" "${name}: $raddr" && \
- resolver 'add_resolver_element' "$iface" "$target" "$type" "$uid" "${name}: $raddr" "$value"; then
- param4="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
- param6="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
- elif ips 'create' "$iface" "$target" "$type" "$uid" "${name}: $raddr" && \
- ips 'add' "$iface" "$target" "$type" "$uid" "${name}: $raddr" "$value"; then
- param4="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
- param6="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
- else
- local resolvedIP4 resolvedIP6
- resolvedIP4="$(resolveip_to_ipt4 "$value")"
- resolvedIP6="$(resolveip_to_ipt6 "$value")"
- if [ -z "$resolvedIP4" ] && [ -z "$resolvedIP6" ]; then
- state add 'errorSummary' 'errorFailedToResolve' "$value"
- fi
- param4="$param4 $negation -d $resolvedIP4"
- param6="$param6 $negation -d $resolvedIP6"
- fi
- else
- local target='dst' type='ip'
- if ips 'create' "$iface" "$target" "$type" "$uid" "${name}: $raddr" && \
- ips 'add' "$iface" "$target" "$type" "$uid" "${name}: $raddr" "$value"; then
- param4="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
- param6="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
- else
- param4="$param4 $negation -d $value"
- param6="$param6 $negation -d $value"
- fi
- fi
- fi
-
- if [ -n "$rport" ]; then
- if [ "${rport:0:1}" = "!"
]; then
- negation='!'; value="${rport:1}"
- else
- unset negation; value="$rport";
- fi
- param4="$param4 -m multiport $negation --dport ${value//-/:}"
- param6="$param6 -m multiport $negation --dport ${value//-/:}"
- fi
-
- if [ -n "$name" ]; then
- param4="$param4 -m comment --comment $(str_extras_to_underscore "$name")"
- param6="$param6 -m comment --comment $(str_extras_to_underscore "$name")"
- fi
-
- local ipv4_error='0' ipv6_error='0'
- if [ "$param4" = "$param6" ]; then
- ipt4 "$param4" || ipv4_error='1'
- else
- ipt4 "$param4" || ipv4_error='1'
- ipt6 "$param6" || ipv6_error='1'
- fi
-
- if [ -n "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessInsertionFailed' "$name"
- state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param4"
- state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param6"
- logger -t "$packageName" "ERROR: iptables $param4"
- logger -t "$packageName" "ERROR: iptables $param6"
- elif [ -z "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ]; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessInsertionFailedIpv4' "$name"
- state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param4"
- logger -t "$packageName" "ERROR: iptables $param4"
- fi
-
- done
-}
-policy_routing_nft() {
- local mark i nftInsertOption='add'
- local param4 param6 proto_i negation value dest
- local ip4Flag='ip' ip6Flag='ip6'
- local name="$1" iface="$2" laddr="$3" lport="$4" raddr="$5" rport="$6" proto chain uid="$9"
- proto="$(str_to_lower "$7")"
- chain="$(str_to_lower "$8")"
- chain="${chain:-prerouting}"
- mark=$(eval echo "\$mark_${iface//-/_}")
-
- if [ -z "$ipv6_enabled" ] && { is_ipv6 "$src_addr" || is_ipv6 "$dest_addr"; }; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessNoIpv6' "$name"
- return 1
- fi
-
- if [ -n "$mark" ]; then
- dest="goto ${nftPrefix}_mark_${mark}"
- elif [ "$iface" = "ignore" ]; then
- dest="return"
- else
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessUnknownFwmark' "$iface"
- return 1
- fi
-
- if is_family_mismatch "$src_addr" "$dest_addr"; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessMismatchFamily' "${name}: '$laddr' '$raddr'"
- return 1
- fi
-
- if [ -z "$proto" ]; then
- if [ -n "${src_port}${dest_port}" ]; then
- proto='tcp udp'
- else
- proto='all'
- fi
- fi
-
- for proto_i in $proto; do
- unset param4
- unset param6
- if [ "$proto_i" = 'all' ]; then
- unset proto_i
- elif ! is_supported_protocol "$proto_i"; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessUnknownProtocol' "${name}: '$proto_i'"
- return 1
- fi
-
- if [ -n "$src_addr" ]; then
- if [ "${src_addr:0:1}" = "!" ]; then
- negation='!='; value="${src_addr:1}"
- else
- unset negation; value="$src_addr";
- fi
- if is_phys_dev "$value"; then
- param4="$param4 iifname $negation ${value:1}"
- param6="$param6 iifname $negation ${value:1}"
- elif is_mac_address "$value"; then
- local target='src' type='mac'
- if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \
- nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then
- param4="$param4 ether saddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}"
- param6="$param6 ether saddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}"
- else
- param4="$param4 ether saddr $negation $value"
- param6="$param6 ether saddr $negation $value"
- fi
- else
- local target='src' type='ip'
- if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \
- nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then
- param4="$param4 $ip4Flag saddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}"
- param6="$param6 $ip6Flag saddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}"
- else
- param4="$param4 $ip4Flag saddr $negation $value"
- param6="$param6
$ip6Flag saddr $negation $value"
- fi
- fi
- fi
-
- if [ -n "$dest_addr" ]; then
- if [ "${dest_addr:0:1}" = "!" ]; then
- negation='!='; value="${dest_addr:1}"
- else
- unset negation; value="$dest_addr";
- fi
- if is_phys_dev "$value"; then
- param4="$param4 oifname $negation ${value:1}"
- param6="$param6 oifname $negation ${value:1}"
- elif is_domain "$value"; then
- local target='dst' type='ip'
- if resolver 'create_resolver_set' "$iface" "$target" "$type" "$uid" "$name" && \
- resolver 'add_resolver_element' "$iface" "$target" "$type" "$uid" "$name" "$value"; then
- param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}"
- param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}"
- elif nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \
- nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then
- param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}"
- param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}"
- else
- local resolvedIP4 resolvedIP6
- resolvedIP4="$(resolveip_to_nftset4 "$value")"
- resolvedIP6="$(resolveip_to_nftset6 "$value")"
- if [ -z "$resolvedIP4" ] && [ -z "$resolvedIP6" ]; then
- state add 'errorSummary' 'errorFailedToResolve' "$value"
- fi
- param4="$param4 $ip4Flag daddr $negation { $resolvedIP4 }"
- param6="$param6 $ip6Flag daddr $negation { $resolvedIP6 }"
- fi
- else
- local target='dst' type='ip'
- if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \
- nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then
- param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}"
- param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}"
- else
- param4="$param4 $ip4Flag daddr $negation $value"
- param6="$param6 $ip6Flag daddr $negation $value"
- fi
- fi
- fi
-
- if [ -n "$src_port" ];
then
- if [ "${src_port:0:1}" = "!" ]; then
- negation='!='; value="${src_port:1}"
- else
- unset negation; value="$src_port";
- fi
- param4="$param4 ${proto_i:+$proto_i }sport $negation {$(ports_to_nftset "$value")}"
- param6="$param6 ${proto_i:+$proto_i }sport $negation {$(ports_to_nftset "$value")}"
- fi
-
- if [ -n "$dest_port" ]; then
- if [ "${dest_port:0:1}" = "!" ]; then
- negation='!='; value="${dest_port:1}"
- else
- unset negation; value="$dest_port";
- fi
- param4="$param4 ${proto_i:+$proto_i }dport $negation {$(ports_to_nftset "$value")}"
- param6="$param6 ${proto_i:+$proto_i }dport $negation {$(ports_to_nftset "$value")}"
- fi
-
- param4="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} $param4 $dest comment \"$name\""
- param6="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} $param6 $dest comment \"$name\""
-
- local ipv4_error='0' ipv6_error='0'
- if [ "$nftPrevParam4" != "$param4" ]; then
- nft4 "$param4" || ipv4_error='1'
- nftPrevParam4="$param4"
- fi
- if [ "$nftPrevParam6" != "$param6" ]; then
- nft6 "$param6" || ipv6_error='1'
- nftPrevParam6="$param6"
- fi
-
- if [ -n "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessInsertionFailed' "$name"
- state add 'errorSummary' 'errorPolicyProcessCMD' "nft $param4"
- state add 'errorSummary' 'errorPolicyProcessCMD' "nft $param6"
- logger -t "$packageName" "ERROR: nft $param4"
- logger -t "$packageName" "ERROR: nft $param6"
- elif [ -z "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ]; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessInsertionFailedIpv4' "$name"
- state add 'errorSummary' 'errorPolicyProcessCMD' "nft $param4"
- logger -t "$packageName" "ERROR: nft $param4"
- fi
-
- done
-}
-
-policy_process() {
- local i j uid="$9"
- if [ -z "$uid" ]; then # first non-recursive call
- [ "$enabled" -gt 0 ] || return 0
- unset processPolicyError
-
uid="$1"
- if is_nft; then
- chain="$(str_to_lower "$chain")"
- else
- chain="$(str_to_upper "$chain")"
- fi
- proto="$(str_to_lower "$proto")"
- [ "$proto" = 'auto' ] && unset proto
- [ "$proto" = 'all' ] && unset proto
- output 2 "Routing '$name' via $interface "
- if [ -z "${src_addr}${src_port}${dest_addr}${dest_port}" ]; then
- state add 'errorSummary' 'errorPolicyNoSrcDest' "$name"
- output_fail; return 1;
- fi
- if [ -z "$interface" ]; then
- state add 'errorSummary' 'errorPolicyNoInterface' "$name"
- output_fail; return 1;
- fi
- if ! is_supported_interface "$interface"; then
- state add 'errorSummary' 'errorPolicyUnknownInterface' "$name"
- output_fail; return 1;
- fi
- src_port="${src_port// / }"; src_port="${src_port// /,}"; src_port="${src_port//,\!/ !}";
- dest_port="${dest_port// / }"; dest_port="${dest_port// /,}"; dest_port="${dest_port//,\!/ !}";
-# if is_nft; then
-# nftset 'flush' "$interface" "dst" "ip" "$uid"
-# nftset 'flush' "$interface" "src" "ip" "$uid"
-# nftset 'flush' "$interface" "src" "mac" "$uid"
-# else
-# ips 'flush' "$interface" "dst" "ip" "$uid"
-# ips 'flush' "$interface" "src" "ip" "$uid"
-# ips 'flush' "$interface" "src" "mac" "$uid"
-# fi
- policy_process "$name" "$interface" "$src_addr" "$src_port" "$dest_addr" "$dest_port" "$proto" "$chain" "$uid"
- if [ -n "$processPolicyError" ]; then
- output_fail
- else
- output_ok
- fi
- else # recursive call, get options from passed variables
- local name="$1" interface="$2" src_addr="$3" src_port="$4" dest_addr="$5" dest_port="$6" proto="$7" chain="$8"
- if str_contains "$src_addr" '[ ;\{\}]'; then
- for i in $(str_extras_to_space "$src_addr"); do [ -n "$i" ] && policy_process "$name" "$interface" "$i" "$src_port" "$dest_addr" "$dest_port" "$proto" "$chain" "$uid"; done
- elif str_contains "$src_port" '[ ;\{\}]'; then
- for i in $(str_extras_to_space "$src_port"); do [ -n "$i" ] && policy_process "$name" "$interface" "$src_addr" "$i" "$dest_addr" "$dest_port" "$proto" "$chain" "$uid";
done
- elif str_contains "$dest_addr" '[ ;\{\}]'; then
- for i in $(str_extras_to_space "$dest_addr"); do [ -n "$i" ] && policy_process "$name" "$interface" "$src_addr" "$src_port" "$i" "$dest_port" "$proto" "$chain" "$uid"; done
- elif str_contains "$dest_port" '[ ;\{\}]'; then
- for i in $(str_extras_to_space "$dest_port"); do [ -n "$i" ] && policy_process "$name" "$interface" "$src_addr" "$src_port" "$dest_addr" "$i" "$proto" "$chain" "$uid"; done
- elif str_contains "$proto" '[ ;\{\}]'; then
- for i in $(str_extras_to_space "$proto"); do [ -n "$i" ] && policy_process "$name" "$interface" "$src_addr" "$src_port" "$dest_addr" "$dest_port" "$i" "$chain" "$uid"; done
- else
- if is_tor "$interface"; then
- policy_routing_tor "$name" "$interface" "$src_addr" "$src_port" "$dest_addr" "$dest_port" "$proto" "$chain" "$uid"
- else
- policy_routing "$name" "$interface" "$src_addr" "$src_port" "$dest_addr" "$dest_port" "$proto" "$chain" "$uid"
- fi
- fi
- fi
-}
-
-interface_process_tor() { if is_nft; then interface_process_tor_nft "$@"; else interface_process_tor_iptables "$@"; fi; }
-interface_process_tor_iptables() {
- local s=0 iface="$1" action="$2"
- local displayText set_name4 set_name6
- local dnsPort trafficPort
- case "$action" in
- reload)
- displayText="${iface}/53->${dnsPort}/80,443->${trafficPort}"
- gatewaySummary="${gatewaySummary}${displayText}\\n"
- ;;
- destroy)
- for i in $chainsList; do
- i="$(str_to_upper "$i")"
- ipt -t nat -D "${i}" -m mark --mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}"
- ipt -t nat -F "${iptPrefix}_${i}"; ipt -t nat -X "${iptPrefix}_${i}";
- done
- ;;
- create)
- output 2 "Creating TOR redirects "
- dnsPort="$(grep -m1 DNSPort /etc/tor/torrc | awk -F: '{print $2}')"
- trafficPort="$(grep -m1 TransPort /etc/tor/torrc | awk -F: '{print $2}')"
- dnsPort="${dnsPort:-9053}"; trafficPort="${trafficPort:-9040}";
- for i in $chainsList; do
- i="$(str_to_upper "$i")"
- ipt -t nat -N "${iptPrefix}_${i}"
- ipt -t nat -A "$i" -m mark --mark
"0x0/${fw_mask}" -j "${iptPrefix}_${i}"
- done
- if resolver 'create_resolver_set' "$iface" 'dst' 'ip' && ips 'flush' "$iface" 'dst' 'ip'; then
- set_name4="${ipsPrefix}_${iface}_4_dst_ip"
- for i in $chainsList; do
- i="$(str_to_upper "$i")"
- ipt -t nat -I "${iptPrefix}_${i}" -p udp -m udp --dport 53 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$dnsPort" -m comment --comment "TorDNS-UDP" || s=1
- ipt -t nat -I "${iptPrefix}_${i}" -p tcp -m tcp --dport 80 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTP-TCP" || s=1
- ipt -t nat -I "${iptPrefix}_${i}" -p udp -m udp --dport 80 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTP-UDP" || s=1
- ipt -t nat -I "${iptPrefix}_${i}" -p tcp -m tcp --dport 443 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTPS-TCP" || s=1
- ipt -t nat -I "${iptPrefix}_${i}" -p udp -m udp --dport 443 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTPS-UDP" || s=1
- done
- else
- s=1
- fi
- displayText="${iface}/53->${dnsPort}/80,443->${trafficPort}"
- if [ "$s" -eq 0 ]; then
- gatewaySummary="${gatewaySummary}${displayText}\\n"
- output_ok
- else
- state add 'errorSummary' 'errorFailedSetup' "$displayText"
- output_fail
- fi
- ;;
- esac
- return $s
-}
-interface_process_tor_nft() {
- local s=0 iface="$1" action="$2"
- local displayText set_name4 set_name6
- local dnsPort trafficPort
- case "$action" in
- reload)
- displayText="${iface}/53->${dnsPort}/80,443->${trafficPort}"
- gatewaySummary="${gatewaySummary}${displayText}\\n"
- ;;
- destroy)
- ;;
- create)
- output 2 "Creating TOR redirects "
- dnsPort="$(grep -m1 DNSPort /etc/tor/torrc | awk -F: '{print $2}')"
- trafficPort="$(grep -m1 TransPort /etc/tor/torrc | awk -F: '{print $2}')"
- dnsPort="${dnsPort:-9053}"; trafficPort="${trafficPort:-9040}";
- if
resolver 'create_resolver_set' "$iface" 'dst' 'ip' && nftset 'flush' "$iface" 'dst' 'ip'; then
- set_name4="${nftPrefix}_${iface}_4_dst_ip"
- set_name6="${nftPrefix}_${iface}_6_dst_ip"
- nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" udp dport 53 counter redirect to :"$dnsPort" comment "Tor-DNS-UDP-ipv4" || s=1
- nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" tcp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-TCP-ipv4" || s=1
- nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" udp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-UDP-ipv4" || s=1
- nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" tcp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-TCP-ipv4" || s=1
- nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" udp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-UDP-ipv4" || s=1
- nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" udp dport 53 counter redirect to :"$dnsPort" comment "Tor-DNS-UDP-ipv6" || s=1
- nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" tcp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-TCP-ipv6" || s=1
- nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" udp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-UDP-ipv6" || s=1
- nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" tcp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-TCP-ipv6" || s=1
- nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" udp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-UDP-ipv6" || s=1
- else
- s=1
- fi
- displayText="${iface}/53->${dnsPort}/80,443->${trafficPort}"
- if [ "$s" -eq 0 ]; then
-
gatewaySummary="${gatewaySummary}${displayText}\\n"
- output_ok
- else
- state add 'errorSummary' 'errorFailedSetup' "$displayText"
- output_fail
- fi
- ;;
- esac
- return $s
-}
-
-interface_routing() {
- local action="$1" tid="$2" mark="$3" iface="$4" gw4="$5" dev="$6" gw6="$7" dev6="$8" priority="$9"
- local dscp s=0 i ipv4_error=1 ipv6_error=1
- if [ -z "$tid" ] || [ -z "$mark" ] || [ -z "$iface" ]; then
- state add 'errorSummary' 'errorInterfaceRoutingEmptyValues'
- return 1
- fi
- case "$action" in
- create)
- if is_netifd_table "$iface"; then
- ipv4_error=0
- $ip_bin rule del table "$tid" >/dev/null 2>&1
- $ip_bin -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
- if is_nft; then
- nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1
- nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1
- nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} return" || ipv4_error=1
- else
- ipt -t mangle -N "${iptPrefix}_MARK_${mark}" || ipv4_error=1
- ipt -t mangle -A "${iptPrefix}_MARK_${mark}" -j MARK --set-xmark "${mark}/${fw_mask}" || ipv4_error=1
- ipt -t mangle -A "${iptPrefix}_MARK_${mark}" -j RETURN || ipv4_error=1
- fi
- if [ -n "$ipv6_enabled" ]; then
- ipv6_error=0
- $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1
- fi
- else
- if !
grep -q "$tid ${ipTablePrefix}_${iface}" '/etc/iproute2/rt_tables'; then
- sed -i "/${ipTablePrefix}_${iface}/d" '/etc/iproute2/rt_tables'
- sync
- echo "$tid ${ipTablePrefix}_${iface}" >> '/etc/iproute2/rt_tables'
- sync
- fi
- $ip_bin rule del table "$tid" >/dev/null 2>&1
- $ip_bin route flush table "$tid" >/dev/null 2>&1
- if [ -n "$gw4" ] || [ "$strict_enforcement" -ne 0 ]; then
- ipv4_error=0
- if [ -z "$gw4" ]; then
- $ip_bin -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1
- else
- $ip_bin -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1
- fi
-# shellcheck disable=SC2086
- while read -r i; do
- i="$(echo "$i" | sed 's/ linkdown$//')"
- i="$(echo "$i" | sed 's/ onlink$//')"
- idev="$(echo "$i" | grep -Eso 'dev [^ ]*' | awk '{print $2}')"
- if ! is_supported_iface_dev "$idev"; then
- $ip_bin -4 route add $i table "$tid" >/dev/null 2>&1 || ipv4_error=1
- fi
- done << EOF
- $($ip_bin -4 route list table main)
-EOF
- $ip_bin -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
- if is_nft; then
- nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1
- nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1
- nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} return" || ipv4_error=1
- else
- ipt -t mangle -N "${iptPrefix}_MARK_${mark}" || ipv4_error=1
- ipt -t mangle -A "${iptPrefix}_MARK_${mark}" -j MARK --set-xmark "${mark}/${fw_mask}" || ipv4_error=1
- ipt -t mangle -A "${iptPrefix}_MARK_${mark}" -j RETURN || ipv4_error=1
- fi
- fi
- if [ -n "$ipv6_enabled" ]; then
- ipv6_error=0
- if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strict_enforcement" -ne 0 ]; then
- if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then
- $ip_bin -6 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv6_error=1
- elif $ip_bin -6 route list table main | grep -q " dev $dev6
"; then
- while read -r i; do
- i="$(echo "$i" | sed 's/ linkdown$//')"
- i="$(echo "$i" | sed 's/ onlink$//')"
- # shellcheck disable=SC2086
- $ip_bin -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1
- done << EOF
- $($ip_bin -6 route list table main | grep " dev $dev6 ")
-EOF
- else
- $ip_bin -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
- $ip_bin -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
- fi
- fi
- $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" >/dev/null 2>&1 || ipv6_error=1
- fi
- fi
- if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then
- dscp="$(uci -q get "${packageName}".config."${iface}"_dscp)"
- if is_nft; then
- if [ "${dscp:-0}" -ge 1 ] && [ "${dscp:-0}" -le 63 ]; then
- nft add rule inet "$nftTable" "${nftPrefix}_prerouting ip dscp ${dscp} goto ${nftPrefix}_mark_${mark}" || s=1
- fi
- if [ "$iface" = "$icmp_interface" ]; then
- nft add rule inet "$nftTable" "${nftPrefix}_output ip protocol icmp goto ${nftPrefix}_mark_${mark}" || s=1
- fi
- else
- if [ "${dscp:-0}" -ge 1 ] && [ "${dscp:-0}" -le 63 ]; then
- ipt -t mangle -I "${iptPrefix}_PREROUTING" -m dscp --dscp "${dscp}" -g "${iptPrefix}_MARK_${mark}" || s=1
- fi
- if [ "$iface" = "$icmp_interface" ]; then
- ipt -t mangle -I "${iptPrefix}_OUTPUT" -p icmp -g "${iptPrefix}_MARK_${mark}" || s=1
- fi
- fi
- else
- s=1
- fi
- return "$s"
- ;;
- create_user_set)
- if is_nft; then
- nftset 'create_user_set' "$iface" 'dst' 'ip' 'user' '' "$mark" || s=1
- nftset 'create_user_set' "$iface" 'src' 'ip' 'user' '' "$mark" || s=1
- nftset 'create_user_set' "$iface" 'src' 'mac' 'user' '' "$mark" || s=1
- else
- ips 'create_user_set' "$iface" 'dst' 'ip' 'user' '' "$mark" || s=1
- ips 'create_user_set' "$iface" 'src' 'ip' 'user' '' "$mark" || s=1
- ips 'create_user_set' "$iface" 'dst' 'net' 'user' '' "$mark" || s=1
- ips 'create_user_set' "$iface"
'src' 'net' 'user' '' "$mark" || s=1
- ips 'create_user_set' "$iface" 'src' 'mac' 'user' '' "$mark" || s=1
- fi
- return "$s"
- ;;
- delete|destroy)
- $ip_bin rule del table "$tid" >/dev/null 2>&1
- if ! is_netifd_table "$iface"; then
- $ip_bin route flush table "$tid" >/dev/null 2>&1
- sed -i "/${ipTablePrefix}_${iface}\$/d" '/etc/iproute2/rt_tables'
- sync
- fi
- return "$s"
- ;;
- reload_interface)
- is_netifd_table "$iface" && return 0;
- ipv4_error=0
- $ip_bin rule del table "$tid" >/dev/null 2>&1
- if ! is_netifd_table "$iface"; then
- $ip_bin route flush table "$tid" >/dev/null 2>&1
- fi
- if [ -n "$gw4" ] || [ "$strict_enforcement" -ne 0 ]; then
- if [ -z "$gw4" ]; then
- $ip_bin -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1
- else
- $ip_bin -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1
- fi
- $ip_bin rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
- fi
- if [ -n "$ipv6_enabled" ]; then
- ipv6_error=0
- if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strict_enforcement" -ne 0 ]; then
- if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then
- $ip_bin -6 route add unreachable default table "$tid" || ipv6_error=1
- elif $ip_bin -6 route list table main | grep -q " dev $dev6 "; then
- while read -r i; do
- # shellcheck disable=SC2086
- $ip_bin -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1
- done << EOF
- $($ip_bin -6 route list table main | grep " dev $dev6 ")
-EOF
- else
- $ip_bin -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
- $ip_bin -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
- fi
- fi
- $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1
- fi
- if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then
- s=0
- else
- s=1
- fi
- return "$s"
- ;;
- esac
-}
-
-json_add_gateway() {
-
local action="$1" tid="$2" mark="$3" iface="$4" gw4="$5" dev4="$6" gw6="$7" dev6="$8" priority="$9" default="${10}"
- json_add_object ''
- json_add_string name "$iface"
- json_add_string device_ipv4 "$dev4"
- json_add_string gateway_ipv4 "$gw4"
- json_add_string device_ipv6 "$dev6"
- json_add_string gateway_ipv6 "$gw6"
- if [ -n "$default" ]; then
- json_add_boolean default true
- else
- json_add_boolean default false
- fi
- json_add_string action "$action"
- json_add_string table_id "$tid"
- json_add_string mark "$mark"
- json_add_string priority "$priority"
- json_close_object
-}
-
-interface_process() {
- local gw4 gw6 dev dev6 s=0 dscp iface="$1" action="$2" reloadedIface="$3"
- local displayText dispDev dispGw4 dispGw6 dispStatus
-
- if [ "$iface" = 'all' ] && [ "$action" = 'prepare' ]; then
- config_load 'network'
- ifaceMark="$(printf '0x%06x' "$wan_mark")"
- ifacePriority="$wan_ip_rules_priority"
- return 0
- fi
-
- is_supported_interface "$iface" || return 0
- is_wan6 "$iface" && return 0
- [ $((ifaceMark)) -gt $((fw_mask)) ] && return 1
-
- if is_ovpn "$iface" && !
is_valid_ovpn "$iface"; then
- : || state add 'warningSummary' 'warningInvalidOVPNConfig' "$iface"
- fi
-
- network_get_device dev "$iface"
- [ -z "$dev" ] && network_get_physdev dev "$iface"
- if is_wan "$iface" && [ -n "$wanIface6" ] && str_contains "$wanIface6" "$iface"; then
- network_get_device dev6 "$wanIface6"
- [ -z "$dev6" ] && network_get_physdev dev6 "$wanIface6"
- fi
-
- [ -z "$dev6" ] && dev6="$dev"
- [ -z "$ifaceMark" ] && ifaceMark="$(printf '0x%06x' "$wan_mark")"
- [ -z "$ifacePriority" ] && ifacePriority="$wan_ip_rules_priority"
-
- ifaceTableID="$(get_rt_tables_id "$iface")"
- [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)"
- eval "mark_${iface//-/_}"='$ifaceMark'
- eval "tid_${iface//-/_}"='$ifaceTableID'
- pbr_get_gateway gw4 "$iface" "$dev"
- pbr_get_gateway6 gw6 "$iface" "$dev6"
- dispGw4="${gw4:-0.0.0.0}"
- dispGw6="${gw6:-::/0}"
- [ "$iface" != "$dev" ] && dispDev="$dev"
- is_default_dev "$dev" && dispStatus="${__OK__}"
- displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}"
-
- case "$action" in
- create)
- output 2 "Setting up routing for '$displayText' "
- if interface_routing 'create' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority"; then
- json_add_gateway 'create' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority" "$dispStatus"
- gatewaySummary="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n"
- output_ok
- else
- state add 'errorSummary' 'errorFailedSetup' "$displayText"
- output_fail
- fi
- ;;
- create_user_set)
- interface_routing 'create_user_set' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority"
- ;;
- destroy)
- displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}"
- output 2 "Removing routing for '$displayText' "
- interface_routing 'destroy' "${ifaceTableID}" "${ifaceMark}" "${iface}"
- output_ok
- ;;
- reload)
-
gatewaySummary="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n"
- ;;
- reload_interface)
- if [ "$iface" = "$reloadedIface" ]; then
- output 2 "Reloading routing for '$displayText' "
- if interface_routing 'reload_interface' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority"; then
- json_add_gateway 'reload_interface' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority" "$dispStatus"
- gatewaySummary="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n"
- output_ok
- else
- state add 'errorSummary' 'errorFailedReload' "$displayText"
- output_fail
- fi
- else
- gatewaySummary="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n"
- fi
- ;;
- esac
-# ifaceTableID="$((ifaceTableID + 1))"
- ifaceMark="$(printf '0x%06x' $((ifaceMark + wan_mark)))"
- ifacePriority="$((ifacePriority + 1))"
- return $s
-}
-
-user_file_process() {
- local shellBin="${SHELL:-/bin/ash}"
- [ "$enabled" -gt 0 ] || return 0
- if [ ! -s "$path" ]; then
- state add 'errorSummary' 'errorUserFileNotFound' "$path"
- output_fail
- return 1
- fi
- if ! $shellBin -n "$path"; then
- state add 'errorSummary' 'errorUserFileSyntax' "$path"
- output_fail
- return 1
- fi
- output 2 "Running $path "
-# shellcheck disable=SC1090
- if ! . "$path"; then
- state add 'errorSummary' 'errorUserFileRunning' "$path"
- if grep -q -w 'curl' "$path" && ! is_present 'curl'; then
- state add 'errorSummary' 'errorUserFileNoCurl' "$path"
- fi
- output_fail
- return 1
- else
- output_ok
- return 0
- fi
-}
-
-boot() {
- ubus -t 30 wait_for network.interface 2>/dev/null
- rc_procd start_service 'on_boot'
-}
-
-on_firewall_reload() {
- if [ -e "$packageLockFile" ]; then # service is stopped, do not start it on firewall reload
- logger -t "$packageName" "Reload on firewall action aborted: service is stopped."
- return 0
- else
- rc_procd start_service 'on_firewall_reload' "$1"
- fi
-}
-on_interface_reload() {
- if [ -e "$packageLockFile" ]; then # service is stopped, do not start it on interface change
- logger -t "$packageName" "Reload on interface change aborted: service is stopped."
- return 0
- else
- rc_procd start_service 'on_interface_reload' "$1"
- fi
-}
-
-start_service() {
- local resolverStoredHash resolverNewHash i param="$1" reloadedIface
-
- load_environment 'on_start' "$(load_validate_config)" || return 1
- is_wan_up || return 1
- rm -f "$nftTempFile"
-
- case "$param" in
- on_boot)
- serviceStartTrigger='on_start'
- ;;
- on_firewall_reload)
- serviceStartTrigger='on_start'
- ;;
- on_interface_reload)
- reloadedIface="$2"
- if is_ovpn "$reloadedIface"; then
- logger -t "$packageName" "Updated interface is an OpenVPN tunnel, restarting."
- serviceStartTrigger='on_start'
- unset reloadedIface
- else
- serviceStartTrigger='on_interface_reload'
- fi
- ;;
- on_reload)
- serviceStartTrigger='on_reload'
- ;;
- on_restart)
- serviceStartTrigger='on_start'
- ;;
- esac
-
- if [ -n "$reloadedIface" ] && ! is_supported_interface "$reloadedIface"; then
- return 0
- fi
-
- if [ -n "$(ubus_get_status error)" ] || [ -n "$(ubus_get_status warning)" ]; then
- serviceStartTrigger='on_start'
- unset reloadedIface
- elif !
is_service_running; then
- serviceStartTrigger='on_start'
- unset reloadedIface
- elif [ -z "$(ubus_get_status gateway)" ]; then
- serviceStartTrigger='on_start'
- unset reloadedIface
- elif [ "$serviceStartTrigger" = 'on_interface_reload' ] && \
- [ -z "$(ubus_get_interface "$reloadedIface" 'gateway_4')" ] && \
- [ -z "$(ubus_get_interface "$reloadedIface" 'gateway_6')" ]; then
- serviceStartTrigger='on_start'
- unset reloadedIface
- else
- serviceStartTrigger="${serviceStartTrigger:-on_start}"
- fi
-
- procd_open_instance "main"
- procd_set_param command /bin/true
- procd_set_param stdout 1
- procd_set_param stderr 1
- procd_open_data
-
- case $serviceStartTrigger in
- on_interface_reload)
- output 1 "Reloading Interface: $reloadedIface "
- json_add_array 'gateways'
- interface_process 'all' 'prepare'
- config_foreach interface_process 'interface' 'reload_interface' "$reloadedIface"
- json_close_array
- output 1 '\n'
- ;;
- on_reload)
- traffic_killswitch 'insert'
- resolver 'store_hash'
- resolver 'cleanup_all'
- resolver 'configure'
- resolver 'init'
- cleanup_main_chains
- cleanup_sets
- if !
is_nft; then
- for i in $chainsList; do
- i="$(str_to_upper "$i")"
- ipt -t mangle -N "${iptPrefix}_${i}"
- ipt -t mangle "$rule_create_option" "$i" -m mark --mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}"
- done
- fi
- json_add_array 'gateways'
- interface_process 'all' 'prepare'
- config_foreach interface_process 'interface' 'reload'
- interface_process_tor 'tor' 'destroy'
- is_tor_running && interface_process_tor 'tor' 'reload'
- json_close_array
- if is_config_enabled 'policy'; then
- output 1 'Processing policies '
- config_load "$packageName"
- config_foreach load_validate_policy 'policy' policy_process
- output 1 '\n'
- fi
- if is_config_enabled 'include'; then
- interface_process 'all' 'prepare'
- config_foreach interface_process 'interface' 'create_user_set'
- output 1 'Processing user file(s) '
- config_load "$packageName"
- config_foreach load_validate_include 'include' user_file_process
- output 1 '\n'
- fi
- resolver 'init_end'
- resolver 'compare_hash' && resolver 'restart'
- traffic_killswitch 'remove'
- ;;
- on_start|*)
- traffic_killswitch 'insert'
- resolver 'store_hash'
- resolver 'cleanup_all'
- resolver 'configure'
- resolver 'init'
- cleanup_main_chains
- cleanup_sets
- cleanup_marking_chains
- cleanup_rt_tables
- if !
is_nft; then
- for i in $chainsList; do
- i="$(str_to_upper "$i")"
- ipt -t mangle -N "${iptPrefix}_${i}"
- ipt -t mangle "$rule_create_option" "$i" -m mark --mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}"
- done
- fi
- output 1 'Processing interfaces '
- json_add_array 'gateways'
- interface_process 'all' 'prepare'
- config_foreach interface_process 'interface' 'create'
- interface_process_tor 'tor' 'destroy'
- is_tor_running && interface_process_tor 'tor' 'create'
- json_close_array
- ip route flush cache
- output 1 '\n'
- if is_config_enabled 'policy'; then
- output 1 'Processing policies '
- config_load "$packageName"
- config_foreach load_validate_policy 'policy' policy_process
- output 1 '\n'
- fi
- if is_config_enabled 'include'; then
- interface_process 'all' 'prepare'
- config_foreach interface_process 'interface' 'create_user_set'
- output 1 'Processing user file(s) '
- config_load "$packageName"
- config_foreach load_validate_include 'include' user_file_process
- output 1 '\n'
- fi
- resolver 'init_end'
- resolver 'compare_hash' && resolver 'restart'
- traffic_killswitch 'remove'
- ;;
- esac
-
- if [ -z "$gatewaySummary" ]; then
- state add 'errorSummary' 'errorNoGateways'
- fi
- json_add_object 'status'
- [ -n "$gatewaySummary" ] && json_add_string 'gateways' "$gatewaySummary"
- [ -n "$errorSummary" ] && json_add_string 'errors' "$errorSummary"
- [ -n "$warningSummary" ] && json_add_string 'warnings' "$warningSummary"
- if [ "$strict_enforcement" -ne 0 ] && str_contains "$gatewaySummary" '0.0.0.0'; then
- json_add_string 'mode' "strict"
- fi
- json_close_object
- procd_close_data
- procd_close_instance
-}
-
-service_started() {
- if is_nft; then
- [ -n "$gatewaySummary" ] && output "$serviceName (nft) started with gateways:\\n${gatewaySummary}"
- else
- [ -n "$gatewaySummary" ] && output "$serviceName (iptables) started with gateways:\\n${gatewaySummary}"
- fi
- state print 'errorSummary'
- state print 'warningSummary'
- if [ -n "$errorSummary" ]; then
-
return 2
- elif [ -n "$warningSummary" ]; then
- return 1
- else
- return 0
- fi
-}
-
-service_triggers() {
- local n
- load_environment 'on_triggers'
-# shellcheck disable=SC2034
- PROCD_RELOAD_DELAY=$(( procd_reload_delay * 1000 ))
- procd_open_validate
- load_validate_config
- load_validate_policy
- load_validate_include
- procd_close_validate
- procd_open_trigger
- procd_add_reload_trigger 'openvpn'
- procd_add_config_trigger "config.change" "${packageName}" /etc/init.d/${packageName} reload
- for n in $ifacesSupported; do
- procd_add_interface_trigger "interface.*" "$n" /etc/init.d/${packageName} on_interface_reload "$n"
- done
- procd_close_trigger
- if [ "$serviceStartTrigger" = 'on_start' ]; then
- output 3 "$serviceName monitoring interfaces: ${ifacesSupported}\\n"
- fi
-}
-
-stop_service() {
- local i
- load_environment 'on_stop'
- is_service_running || return 0
- traffic_killswitch 'insert'
- cleanup_main_chains
- cleanup_sets
- cleanup_marking_chains
- output 1 'Resetting interfaces '
- config_load 'network'
- config_foreach interface_process 'interface' 'destroy'
- interface_process_tor 'tor' 'destroy'
- cleanup_rt_tables
- output 1 "\\n"
- ip route flush cache
- unset ifaceMark
- unset ifaceTableID
- resolver 'store_hash'
- resolver 'cleanup_all'
- resolver 'compare_hash' && resolver 'restart'
- traffic_killswitch 'remove'
- if [ "$enabled" -ne 0 ]; then
- if is_nft; then
- output "$serviceName (nft) stopped "; output_okn;
- else
- output "$serviceName (iptables) stopped "; output_okn;
- fi
- fi
-}
-
-status_service() {
- local _SEPARATOR_='============================================================'
- load_environment 'on_status'
- if is_nft; then
- status_service_nft "$@"
- else
- status_service_iptables "$@"
- fi
-}
-
-status_service_nft() {
- local i dev dev6 wan_tid
-
- json_load "$(ubus call system board)"; json_select release; json_get_var dist distribution; json_get_var vers version
- if [ -n "$wanIface4" ]; then
- network_get_gateway wanGW4
"$wanIface4"
- network_get_device dev "$wanIface4"
- fi
- if [ -n "$wanIface6" ]; then
- network_get_device dev6 "$wanIface6"
- wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}')
- [ "$wanGW6" = "default" ] && wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}')
- fi
- while [ "${1:0:1}" = "-" ]; do param="${1//-/}"; eval "set_$param=1"; shift; done
- [ -e "/var/${packageName}-support" ] && rm -f "/var/${packageName}-support"
- status="$serviceName running on $dist $vers."
- [ -n "$wanIface4" ] && status="$status WAN (IPv4): ${wanIface4}/${dev}/${wanGW4:-0.0.0.0}."
- [ -n "$wanIface6" ] && status="$status WAN (IPv6): ${wanIface6}/${dev6}/${wanGW6:-::/0}."
-
- echo "$_SEPARATOR_"
- echo "$packageName - environment"
- echo "$status"
- echo "$_SEPARATOR_"
- dnsmasq --version 2>/dev/null | sed '/^$/,$d'
- echo "$_SEPARATOR_"
- echo "$packageName chains - policies"
- for i in forward input output prerouting postrouting; do
- "$nft" -a list table inet "$nftTable" | sed -n "/chain ${nftPrefix}_${i} {/,/\t}/p"
- done
- echo "$_SEPARATOR_"
- echo "$packageName chains - marking"
- for i in $(get_mark_nft_chains); do
- "$nft" -a list table inet "$nftTable" | sed -n "/chain ${i} {/,/\t}/p"
- done
- echo "$_SEPARATOR_"
- echo "$packageName nft sets"
- for i in $(get_nft_sets); do
- "$nft" -a list table inet "$nftTable" | sed -n "/set ${i} {/,/\t}/p"
- done
- if [ -s "$dnsmasqFile" ]; then
- echo "$_SEPARATOR_"
- echo "dnsmasq sets"
- cat "$dnsmasqFile"
- fi
-# echo "$_SEPARATOR_"
-# ip rule list | grep "${packageName}_"
- echo "$_SEPARATOR_"
- tableCount="$(grep -c "${packageName}_" /etc/iproute2/rt_tables)" || tableCount=0
- wan_tid=$(($(get_rt_tables_next_id)-tableCount))
- i=0; while [ $i -lt "$tableCount" ]; do
- echo "IPv4 table $((wan_tid + i)) route: $($ip_bin -4 route show table $((wan_tid + i)) | grep default)"
- echo "IPv4 table $((wan_tid + i)) rule(s):"
- $ip_bin -4 rule list table "$((wan_tid + i))"
- if [ -n
"$ipv6_enabled" ]; then
- echo "IPv6 table $((wan_tid + i)) route: $($ip_bin -6 route show table $((wan_tid + i)) | grep default)"
- echo "IPv6 table $((wan_tid + i)) rule(s):"
- $ip_bin -6 route show table $((wan_tid + i))
- fi
- i=$((i + 1))
- done
-}
-
-status_service_iptables() {
- local dist vers out id s param status set_d set_p tableCount i=0 dev dev6 j wan_tid
-
- json_load "$(ubus call system board)"; json_select release; json_get_var dist distribution; json_get_var vers version
- if [ -n "$wanIface4" ]; then
- network_get_gateway wanGW4 "$wanIface4"
- network_get_device dev "$wanIface4"
- fi
- if [ -n "$wanIface6" ]; then
- network_get_device dev6 "$wanIface6"
- wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}')
- [ "$wanGW6" = "default" ] && wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}')
- fi
- while [ "${1:0:1}" = "-" ]; do param="${1//-/}"; eval "set_$param=1"; shift; done
- [ -e "/var/${packageName}-support" ] && rm -f "/var/${packageName}-support"
- status="$serviceName running on $dist $vers."
- [ -n "$wanIface4" ] && status="$status WAN (IPv4): ${wanIface4}/${dev}/${wanGW4:-0.0.0.0}."
- [ -n "$wanIface6" ] && status="$status WAN (IPv6): ${wanIface6}/${dev6}/${wanGW6:-::/0}."
- { - echo "$status" - echo "$_SEPARATOR_" - dnsmasq --version 2>/dev/null | sed '/^$/,$d' - if [ -n "$1" ]; then - echo "$_SEPARATOR_" - echo "Resolving domains" - for i in $1; do - echo "$i: $(resolveip "$i" | tr '\n' ' ')" - done - fi - - echo "$_SEPARATOR_" - echo "Routes/IP Rules" - tableCount="$(grep -c "${packageName}_" /etc/iproute2/rt_tables)" || tableCount=0 - if [ -n "$set_d" ]; then route; else route | grep '^default'; fi - if [ -n "$set_d" ]; then ip rule list; fi - wan_tid=$(($(get_rt_tables_next_id)-tableCount)) - i=0; while [ $i -lt "$tableCount" ]; do - echo "IPv4 table $((wan_tid + i)) route: $($ip_bin -4 route show table $((wan_tid + i)) | grep default)" - echo "IPv4 table $((wan_tid + i)) rule(s):" - $ip_bin -4 rule list table "$((wan_tid + i))" - i=$((i + 1)) - done - - if [ -n "$ipv6_enabled" ]; then - i=0; while [ $i -lt "$tableCount" ]; do - $ip_bin -6 route show table $((wan_tid + i)) | while read -r param; do - echo "IPv6 Table $((wan_tid + i)): $param" - done - i=$((i + 1)) - done - fi - - for j in Mangle NAT; do - if [ -z "$set_d" ]; then - for i in $chainsList; do - i="$(str_to_upper "$i")" - if iptables -v -t "$(str_to_lower $j)" -S "${iptPrefix}_${i}" >/dev/null 2>&1; then - echo "$_SEPARATOR_" - echo "$j IP Table: $i" - iptables -v -t "$(str_to_lower $j)" -S "${iptPrefix}_${i}" - if [ -n "$ipv6_enabled" ]; then - echo "$_SEPARATOR_" - echo "$j IPv6 Table: $i" - iptables -v -t "$(str_to_lower $j)" -S "${iptPrefix}_${i}" - fi - fi - done - else - echo "$_SEPARATOR_" - echo "$j IP Table" - iptables -L -t "$(str_to_lower $j)" - if [ -n "$ipv6_enabled" ]; then - echo "$_SEPARATOR_" - echo "$j IPv6 Table" - iptables -L -t "$(str_to_lower $j)" - fi - fi - i=0; ifaceMark="$wan_mark"; - while [ $i -lt "$tableCount" ]; do - if iptables -v -t "$(str_to_lower $j)" -S "${iptPrefix}_MARK_${ifaceMark}" >/dev/null 2>&1; then - echo "$_SEPARATOR_" - echo "$j IP Table MARK Chain: ${iptPrefix}_MARK_${ifaceMark}" - iptables -v -t "$(str_to_lower $j)" -S 
"${iptPrefix}_MARK_${ifaceMark}" - ifaceMark="$(printf '0x%06x' $((ifaceMark + wan_mark)))"; - fi - i=$((i + 1)) - done - done - - echo "$_SEPARATOR_" - echo "Current ipsets" - ipset save - if [ -s "$dnsmasqFile" ]; then - echo "$_SEPARATOR_" - echo "DNSMASQ sets" - cat "$dnsmasqFile" - fi - if [ -s "$aghIpsetFile" ]; then - echo "$_SEPARATOR_" - echo "AdGuardHome sets" - cat "$aghIpsetFile" - fi - echo "$_SEPARATOR_" - } | tee -a /var/${packageName}-support - if [ -n "$set_p" ]; then - printf "%b" "Pasting to paste.ee... " - if is_present 'curl' && is_variant_installed 'libopenssl' && is_installed 'ca-bundle'; then - json_init; json_add_string "description" "${packageName}-support" - json_add_array "sections"; json_add_object '0' - json_add_string "name" "$(uci -q get system.@system[0].hostname)" - json_add_string "contents" "$(cat /var/${packageName}-support)" - json_close_object; json_close_array; payload=$(json_dump) - out=$(curl -s -k "https://api.paste.ee/v1/pastes" -X "POST" -H "Content-Type: application/json" -H "X-Auth-Token:uVOJt6pNqjcEWu7qiuUuuxWQafpHhwMvNEBviRV2B" -d "$payload") - json_load "$out"; json_get_var id id; json_get_var s success - [ "$s" = "1" ] && printf "%b" "https://paste.ee/p/$id $__OK__\\n" || printf "%b" "$__FAIL__\\n" - [ -e "/var/${packageName}-support" ] && rm -f "/var/${packageName}-support" - else - printf "%b" "${__FAIL__}\\n" - printf "%b" "${_ERROR_}: The curl, libopenssl or ca-bundle packages were not found!\\nRun 'opkg update; opkg install curl libopenssl ca-bundle' to install them.\\n" - fi - else - printf "%b" "Your support details have been logged to '/var/${packageName}-support'. 
$__OK__\\n" - fi -} - -# shellcheck disable=SC2120 -load_validate_config() { - uci_load_validate "$packageName" "$packageName" "$1" "${2}${3:+ $3}" \ - 'enabled:bool:0' \ - 'procd_boot_delay:integer:0' \ - 'strict_enforcement:bool:1' \ - 'secure_reload:bool:0' \ - 'ipv6_enabled:bool:0' \ - 'resolver_set:or("", "none", "dnsmasq.ipset", "dnsmasq.nftset")' \ - 'verbosity:range(0,2):1' \ - "wan_mark:regex('0x[A-Fa-f0-9]{8}'):0x010000" \ - "fw_mask:regex('0x[A-Fa-f0-9]{8}'):0xff0000" \ - 'icmp_interface:or("", "tor", uci("network", "@interface"))' \ - 'ignored_interface:list(or("tor", uci("network", "@interface")))' \ - 'supported_interface:list(or("tor", uci("network", "@interface")))' \ - 'boot_timeout:integer:30' \ - 'wan_ip_rules_priority:uinteger:30000' \ - 'rule_create_option:or("", "add", "insert"):add' \ - 'procd_reload_delay:integer:0' \ - 'webui_supported_protocol:list(string)' \ - 'nft_user_set_policy:or("", "memory", "performance")'\ - 'nft_user_set_counter:bool:0' -} - -# shellcheck disable=SC2120 -load_validate_policy() { - local name - local enabled - local interface - local proto - local chain - local src_addr - local src_port - local dest_addr - local dest_port - uci_load_validate "$packageName" 'policy' "$1" "${2}${3:+ $3}" \ - 'name:string:Untitled' \ - 'enabled:bool:1' \ - 'interface:or("ignore", "tor", uci("network", "@interface")):wan' \ - 'proto:or(string)' \ - 'chain:or("", "forward", "input", "output", "prerouting", "postrouting", "FORWARD", "INPUT", "OUTPUT", "PREROUTING", "POSTROUTING"):prerouting' \ - 'src_addr:list(neg(or(host,network,macaddr,string)))' \ - 'src_port:list(neg(or(portrange,string)))' \ - 'dest_addr:list(neg(or(host,network,string)))' \ - 'dest_port:list(neg(or(portrange,string)))' -} - -# shellcheck disable=SC2120 -load_validate_include() { - local path= - local enabled= - uci_load_validate "$packageName" 'include' "$1" "${2}${3:+ $3}" \ - 'path:file' \ - 'enabled:bool:0' -} 
diff --git a/net/pbr/files/etc/uci-defaults/91-pbr-iptables b/net/pbr/files/etc/uci-defaults/91-pbr-iptables
new file mode 100644
index 0000000000..3fa08e53d9
--- /dev/null
+++ b/net/pbr/files/etc/uci-defaults/91-pbr-iptables
@@ -0,0 +1,27 @@
+#!/bin/sh
+# shellcheck disable=SC2015,SC3037,SC3043
+
+readonly pbrFunctionsFile='/etc/init.d/pbr'
+if [ -s "$pbrFunctionsFile" ]; then
+# shellcheck source=../../etc/init.d/pbr
+ . "$pbrFunctionsFile"
+else
+ printf "%b: pbr init.d file (%s) not found! \n" '\033[0;31mERROR\033[0m' "$pbrFunctionsFile"
+fi
+
+# Transition resolver_set depending on dnsmasq support
+if [ "$(uci_get pbr config resolver_set)" != 'dnsmasq.ipset' ] && [ "$(uci_get pbr config resolver_set)" != 'adguardhome.ipset' ]; then
+ if check_agh_ipset; then
+ output "Setting resolver_set to 'adguardhome.ipset'... "
+ uci_set pbr config resolver_set 'adguardhome.ipset' && output_okn || output_failn
+ elif check_dnsmasq_ipset; then
+ output "Setting resolver_set to 'dnsmasq.ipset'... "
+ uci_set pbr config resolver_set 'dnsmasq.ipset' && output_okn || output_failn
+ else
+ output "Setting resolver_set to 'none'... "
+ uci_set pbr config resolver_set 'none' && output_okn || output_failn
+ fi
+ uci_commit pbr
+fi
+
+exit 0
diff --git a/net/pbr/files/etc/uci-defaults/91-pbr-netifd b/net/pbr/files/etc/uci-defaults/91-pbr-netifd
new file mode 100644
index 0000000000..bea4a353d5
--- /dev/null
+++ b/net/pbr/files/etc/uci-defaults/91-pbr-netifd
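Review bot: When `/etc/init.d/pbr` is missing or empty, the `else` branch only prints an error, and the script then carries on calling helpers that presumably come from that file (`check_agh_ipset`, `output`, `output_okn`) before reaching `exit 0`. OpenWrt removes a uci-defaults script once it returns success, so the resolver_set transition would be skipped silently and never retried. Adding `exit 1` after the `printf` in the `else` branch keeps the script in place for the next boot. The same pattern is in the 91-pbr-netifd and 91-pbr-nft hunks that follow; in 91-pbr-netifd it matters more, because `sed -i`, `uci_commit network` and `/etc/init.d/network restart` would then run with `$ipTablePrefix` and `$rtTablesFile` unset.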
@@ -0,0 +1,38 @@
+#!/bin/sh
+# shellcheck disable=SC3037,SC3043
+
+readonly pbrFunctionsFile='/etc/init.d/pbr'
+if [ -s "$pbrFunctionsFile" ]; then
+# shellcheck source=../../etc/init.d/pbr
+ . "$pbrFunctionsFile"
+else
+ printf "%b: pbr init.d file (%s) not found! \n" '\033[0;31mERROR\033[0m' "$pbrFunctionsFile"
+fi
+
+# shellcheck disable=SC2317
+pbr_iface_setup() {
+ local iface="${1}"
+ local proto
+ if is_supported_interface "${iface}"; then
+ output "Setting up ${packageName} routing tables for ${iface}... "
+ uci_set 'network' "${iface}" 'ip4table' "${ipTablePrefix}_${iface%6}"
+ uci_set 'network' "${iface}" 'ip6table' "${ipTablePrefix}_${iface%6}"
+ if ! grep -q -E -e "^[0-9]+\s+${ipTablePrefix}_${iface%6}$" "$rtTablesFile"; then
+ sed -i -e "\$a $(($(sort -r -n "$rtTablesFile" | grep -o -E -m 1 "^[0-9]+")+1))\t${ipTablePrefix}_${iface%6}" \
+ "$rtTablesFile"
+ fi
+ output_okbn
+ fi
+}
+
+sed -i "/${ipTablePrefix}_/d" "$rtTablesFile"
+sync
+config_load network
+config_foreach pbr_iface_setup interface
+uci_commit network
+sync
+output "Restarting network... "
+/etc/init.d/network restart
+output_okn
+
+exit 0
diff --git a/net/pbr/files/etc/uci-defaults/91-pbr-nft b/net/pbr/files/etc/uci-defaults/91-pbr-nft
new file mode 100644
index 0000000000..0406e2a435
--- /dev/null
+++ b/net/pbr/files/etc/uci-defaults/91-pbr-nft
@@ -0,0 +1,30 @@
+#!/bin/sh
+# shellcheck disable=SC2015,SC3037,SC3043
+
+readonly pbrFunctionsFile='/etc/init.d/pbr'
+if [ -s "$pbrFunctionsFile" ]; then
+# shellcheck source=../../etc/init.d/pbr
+ . "$pbrFunctionsFile"
+else
+ printf "%b: pbr init.d file (%s) not found! \n" '\033[0;31mERROR\033[0m' "$pbrFunctionsFile"
+fi
+
+# Transition resolver_set depending on dnsmasq support
+if [ "$(uci_get pbr config resolver_set)" != 'dnsmasq.nftset' ]; then
+ if check_dnsmasq_nftset; then
+ output "Setting resolver_set to 'dnsmasq.nftset'... "
+ uci_set pbr config resolver_set 'dnsmasq.nftset' && output_okn || output_failn
+ elif check_agh_ipset; then
+ output "Setting resolver_set to 'adguardhome.ipset'... "
+ uci_set pbr config resolver_set 'adguardhome.ipset' && output_okn || output_failn
+ elif check_dnsmasq_ipset; then
+ output "Setting resolver_set to 'dnsmasq.ipset'... "
+ uci_set pbr config resolver_set 'dnsmasq.ipset' && output_okn || output_failn
+ else
+ output "Setting resolver_set to 'none'... "
+ uci_set pbr config resolver_set 'none' && output_okn || output_failn
+ fi
+ uci_commit pbr
+fi
+
+exit 0
From a5557a2a47f57c651dd5dc97eac40de26617de91 Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Fri, 12 Apr 2024 23:06:24 -0400
Subject: [PATCH 015/106] lighttpd: update to lighttpd 1.4.76 release hash
Signed-off-by: Glenn Strauss
---
net/lighttpd/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile
index 23e5ff9dda..7c89a6d0af 100644
--- a/net/lighttpd/Makefile
+++ b/net/lighttpd/Makefile
@@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lighttpd -PKG_VERSION:=1.4.75 +PKG_VERSION:=1.4.76 PKG_RELEASE:=1 # release candidate ~rcX testing; remove for release #PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://download.lighttpd.net/lighttpd/releases-1.4.x -PKG_HASH:=8b721ca939d312afaa6ef31dcbd6afb5161ed385ac828e6fccd4c5b76be189d6 +PKG_HASH:=8cbf4296e373cfd0cedfe9d978760b5b05c58fdc4048b4e2bcaf0a61ac8f5011 PKG_MAINTAINER:=Glenn Strauss PKG_LICENSE:=BSD-3-Clause From 50810923da4373c9a6e997e2c2ce7b1d453f5ac9 Mon Sep 17 00:00:00 2001 From: Hirokazu MORIKAWA Date: Wed, 10 Apr 2024 12:55:02 +0900 Subject: [PATCH 016/106] nghttp2: fix CVE-2024-28182 update to v1.61.0 CVE-2024-28182: Reading unbounded number of HTTP/2 CONTINUATION frames to cause excessive CPU usage Signed-off-by: Hirokazu MORIKAWA --- libs/nghttp2/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libs/nghttp2/Makefile b/libs/nghttp2/Makefile index 19a4ab6c02..312835ba88 100644 --- a/libs/nghttp2/Makefile +++ b/libs/nghttp2/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nghttp2 -PKG_VERSION:=1.57.0 +PKG_VERSION:=1.61.0 PKG_RELEASE:=1 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/nghttp2/nghttp2/releases/download/v$(PKG_VERSION) -PKG_HASH:=9210b0113109f43be526ac5835d58a701411821a4d39e155c40d67c40f47a958 +PKG_HASH:=aa7594c846e56a22fbf3d6e260e472268808d3b49d5e0ed339f589e9cc9d484c PKG_MAINTAINER:=Hans Dedecker PKG_LICENSE:=MIT From 4ce2d741c6d7619cd66539668fa148bc16aa78d9 Mon Sep 17 00:00:00 2001 
From: Eric Fahlgren Date: Fri, 12 Apr 2024 14:21:15 -0700 Subject: [PATCH 017/106] snort3: fix issue caused by ucode semantics change A recent change in the ucode interpeter caused a failure when using the 'in' operator. https://github.com/jow-/ucode/commit/be767ae197babd656d4f5d9c2d5013e39ddbe656 Reported in a forum post by @graysky2. https://forum.openwrt.org/t/194218/28 Signed-off-by: Eric Fahlgren --- net/snort3/Makefile | 2 +- net/snort3/files/main.uc | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/net/snort3/Makefile b/net/snort3/Makefile index e895399efb..907154464c 100644 --- a/net/snort3/Makefile +++ b/net/snort3/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=snort3 PKG_VERSION:=3.1.82.0 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/snort3/snort3/archive/refs/tags/ diff --git a/net/snort3/files/main.uc b/net/snort3/files/main.uc index 8e33f9e5d2..33361f2b1d 100644 --- a/net/snort3/files/main.uc +++ b/net/snort3/files/main.uc @@ -76,6 +76,10 @@ function config_item(type, values, def) { wrn(`Invalid item type '${type}', must be one of "enum", "range", "path" or "str".`); return; } + if (type == "enum") { + // Convert values to strings, so 'in' works in 'contains'. + values = map(values, function(i) { return "" + i; }); + } if (type == "range" && (length(values) != 2 || values[0] > values[1])) { wrn(`A 'range' type item must have exactly 2 values in ascending order.`); return; From fa5057327c9e8406ffa69b90de2d6093eaeccb41 Mon Sep 17 00:00:00 2001 From: krant Date: Fri, 12 Apr 2024 05:41:08 +0300 Subject: [PATCH 018/106] wget: update to 1.24.5 Signed-off-by: krant --- net/wget/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/wget/Makefile b/net/wget/Makefile index aa06b4df17..afc0ba288f 100644 --- a/net/wget/Makefile +++ b/net/wget/Makefile 
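Review bot: Only `values` is stringified for `enum` items in the `main.uc` hunk; `def` is left as passed. An enum declared with numeric values and a numeric default may therefore no longer match its own value list if the default goes through the same `in`-based `contains` check. This needs confirming, since the rest of `config_item` is outside the hunk. If it does, normalising the default in the same block, e.g. `if (def != null) def = "" + def;`, would keep the two consistent. The added comment could also name the ucode change linked in the commit message, so the reason for the conversion stays visible in the file.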
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wget -PKG_VERSION:=1.21.4 +PKG_VERSION:=1.24.5 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=@GNU/$(PKG_NAME) -PKG_HASH:=81542f5cefb8faacc39bbbc6c82ded80e3e4a88505ae72ea51df27525bcde04c +PKG_HASH:=fa2dc35bab5184ecbc46a9ef83def2aaaa3f4c9f3c97d4bd19dcb07d4da637de PKG_MAINTAINER:= PKG_LICENSE:=GPL-3.0-or-later From 3efb231866ea696968772c8a8b947d1d7b6c965a Mon Sep 17 00:00:00 2001 From: krant Date: Thu, 11 Apr 2024 21:59:52 +0300 Subject: [PATCH 019/106] mpg123: update to 1.32.6 Signed-off-by: krant --- sound/mpg123/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sound/mpg123/Makefile b/sound/mpg123/Makefile index 4c899536fb..c189529b97 100644 --- a/sound/mpg123/Makefile +++ b/sound/mpg123/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mpg123 -PKG_VERSION:=1.32.5 +PKG_VERSION:=1.32.6 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=@SF/mpg123 -PKG_HASH:=af908cdf6cdb6544b97bc706a799f79894e69468af5881bf454a0ebb9171ed63 +PKG_HASH:=ccdd1d0abc31d73d8b435fc658c79049d0a905b30669b6a42a03ad169dc609e6 PKG_MAINTAINER:=Zoltan HERPAI PKG_LICENSE_FILES:=COPYING From 607e681d8d78219ac43f0f940e1cb8fcf980fc9f Mon Sep 17 00:00:00 2001 From: krant Date: Thu, 11 Apr 2024 22:21:57 +0300 Subject: [PATCH 020/106] mc: update to 4.8.31 Signed-off-by: krant --- utils/mc/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/utils/mc/Makefile b/utils/mc/Makefile index 6d2caf9654..cab07d1cff 100644 --- a/utils/mc/Makefile +++ b/utils/mc/Makefile 
@@ -6,15 +6,15 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mc -PKG_VERSION:=4.8.30 -PKG_RELEASE:=2 +PKG_VERSION:=4.8.31 +PKG_RELEASE:=1 PKG_MAINTAINER:= PKG_LICENSE:=GPL-3.0-or-later PKG_CPE_ID:=cpe:/a:midnight_commander:midnight_commander PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=http://ftp.midnight-commander.org/ -PKG_HASH:=5ebc3cb2144b970c5149fda556c4ad50b78780494696cdf2d14a53204c95c7df +PKG_HASH:=24191cf8667675b8e31fc4a9d18a0a65bdc0598c2c5c4ea092494cd13ab4ab1a PKG_BUILD_PARALLEL:=1 PKG_FIXUP:=autoreconf gettext-version PKG_BUILD_DEPENDS:=MC_VFS:libtirpc From c22110929b1fd8ee12252bc5bab90ed6d96fe6d3 Mon Sep 17 00:00:00 2001 From: krant Date: Thu, 11 Apr 2024 22:33:53 +0300 Subject: [PATCH 021/106] moreutils: update to 0.69 - Refresh patch Signed-off-by: krant --- utils/moreutils/Makefile | 4 ++-- utils/moreutils/patches/001_disable-manuals.patch | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/utils/moreutils/Makefile b/utils/moreutils/Makefile index 822e568bf3..49e3a42fbf 100644 --- a/utils/moreutils/Makefile +++ b/utils/moreutils/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=moreutils -PKG_VERSION:=0.68 +PKG_VERSION:=0.69 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://git.kitenet.net/index.cgi/moreutils.git/snapshot -PKG_HASH:=5eb14bc7bc1407743478ebdbd83772bf3b927fd949136a2fbbde96fa6000b6e7 +PKG_HASH:=0f795d25356ca61544966646fb707d5be0b9864116be0269df5433f62d4e05d1 PKG_MAINTAINER:=Nikil Mehta PKG_LICENSE:=GPL-2.0-or-later diff --git a/utils/moreutils/patches/001_disable-manuals.patch b/utils/moreutils/patches/001_disable-manuals.patch index d5181a3047..99393af5c0 100644 --- a/utils/moreutils/patches/001_disable-manuals.patch +++ b/utils/moreutils/patches/001_disable-manuals.patch 
@@ -9,7 +9,7 @@ clean: rm -f $(BINS) $(MANS) dump.c errnos.h errno.o \ -@@ -28,9 +28,6 @@ install: +@@ -33,9 +33,6 @@ install: $(INSTALL_BIN) $(BINS) $(DESTDIR)$(PREFIX)/bin install $(PERLSCRIPTS) $(DESTDIR)$(PREFIX)/bin From fbe4b5f3592a2a6b674e7b05190a62df04d63f83 Mon Sep 17 00:00:00 2001 From: krant Date: Fri, 12 Apr 2024 06:01:01 +0300 Subject: [PATCH 022/106] stress-ng: update to 0.17.07 - Refresh the patch Signed-off-by: krant --- utils/stress-ng/Makefile | 4 ++-- utils/stress-ng/patches/001-disable-extra-stressors.patch | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/utils/stress-ng/Makefile b/utils/stress-ng/Makefile index 3e4436ee3f..fac22381d9 100644 --- a/utils/stress-ng/Makefile +++ b/utils/stress-ng/Makefile @@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=stress-ng -PKG_VERSION:=0.17.05 +PKG_VERSION:=0.17.07 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/ColinIanKing/stress-ng/tar.gz/refs/tags/V$(PKG_VERSION)? -PKG_HASH:=48964a0de5838acfed5c78d78d5f4a1d86974883d5537ccc55df019a0186a1b5 +PKG_HASH:=b0bc1495adce6c7a1f82d53f363682b243d6d7e93a06be7f94c9559c0a311a6f PKG_MAINTAINER:=Alexandru Ardelean PKG_LICENSE:=GPL-2.0-only diff --git a/utils/stress-ng/patches/001-disable-extra-stressors.patch b/utils/stress-ng/patches/001-disable-extra-stressors.patch index b233fe580f..d96c5eddfb 100644 --- a/utils/stress-ng/patches/001-disable-extra-stressors.patch +++ b/utils/stress-ng/patches/001-disable-extra-stressors.patch @@ -1,6 +1,6 @@ --- a/Makefile.config +++ b/Makefile.config -@@ -327,10 +327,10 @@ clean: +@@ -351,10 +351,10 @@ clean: .PHONY: libraries libraries: \ configdir \ From 5a06e3471ba0a4a49130b22f936c823142680fe1 Mon Sep 17 00:00:00 2001 From: krant Date: Fri, 12 Apr 2024 06:10:24 +0300 Subject: [PATCH 023/106] socat: update to 1.8.0.0 Signed-off-by: krant --- net/socat/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/net/socat/Makefile b/net/socat/Makefile index 2f3ca78f4f..6da3aee467 100644 --- a/net/socat/Makefile +++ b/net/socat/Makefile @@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=socat -PKG_VERSION:=1.7.4.4 +PKG_VERSION:=1.8.0.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://www.dest-unreach.org/socat/download -PKG_HASH:=fbd42bd2f0e54a3af6d01bdf15385384ab82dbc0e4f1a5e153b3e0be1b6380ac +PKG_HASH:=e1de683dd22ee0e3a6c6bbff269abe18ab0c9d7eb650204f125155b9005faca7 PKG_MAINTAINER:=Ted Hess PKG_LICENSE:=GPL-2.0-or-later OpenSSL From ad6344d0455038e374f57a7fb15d3d1ace8d889b Mon Sep 17 00:00:00 2001 From: krant Date: Thu, 11 Apr 2024 22:27:13 +0300 Subject: [PATCH 024/106] gptfdisk: update to 1.0.10 - Delete upstreamed patch Signed-off-by: krant --- utils/gptfdisk/Makefile | 4 +-- ...10-Use-64bit-time_t-on-linux-as-well.patch | 29 ------------------- 2 files changed, 2 insertions(+), 31 deletions(-) delete mode 100644 utils/gptfdisk/patches/010-Use-64bit-time_t-on-linux-as-well.patch diff --git a/utils/gptfdisk/Makefile b/utils/gptfdisk/Makefile index 4f667166e7..7f22033838 100644 --- a/utils/gptfdisk/Makefile +++ b/utils/gptfdisk/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=gptfdisk -PKG_VERSION:=1.0.9 +PKG_VERSION:=1.0.10 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=@SF/$(PKG_NAME) -PKG_HASH:=dafead2693faeb8e8b97832b23407f6ed5b3219bc1784f482dd855774e2d50c2 +PKG_HASH:=2abed61bc6d2b9ec498973c0440b8b804b7a72d7144069b5a9209b2ad693a282 PKG_MAINTAINER:= PKG_LICENSE:=GPL-2.0-or-later diff --git a/utils/gptfdisk/patches/010-Use-64bit-time_t-on-linux-as-well.patch b/utils/gptfdisk/patches/010-Use-64bit-time_t-on-linux-as-well.patch deleted file mode 100644 index c000abc99f..0000000000 --- a/utils/gptfdisk/patches/010-Use-64bit-time_t-on-linux-as-well.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 7dfa8984f5a30f313d8675ff6097c8592d636d10 Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Mon, 12 Dec 2022 12:50:07 -0800 -Subject: [PATCH] Use 64bit time_t on linux as well - -Alias 64bit version of stat functions to original functions -we are already passing -D_FILE_OFFSET_BITS=64 in linux Makefile - -Signed-off-by: Khem Raj ---- - diskio-unix.cc | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - ---- a/diskio-unix.cc -+++ b/diskio-unix.cc -@@ -37,8 +37,12 @@ - - using namespace std; - --#ifdef __APPLE__ -+#if defined(__APPLE__) || defined(__linux__) - #define off64_t off_t -+#define stat64 stat -+#define fstat64 fstat -+#define lstat64 lstat -+#define lseek64 lseek - #endif - - // Returns the official "real" name for a shortened version of same. From 086bf6047d7efd280347922c167a13ebcf501703 Mon Sep 17 00:00:00 2001 From: Paul Spooren Date: Thu, 11 Apr 2024 15:03:43 +0200 Subject: [PATCH 025/106] macremapper: drop VERSION definition in Makefile By default Kernel modules follow the version schema from openwrt.git, which happens to be APK compatible. Instead of defining a entirely custom format, use what's already out there. This patch drops the individual VERSION definition. Right now, the version becomes 6.1.82.1.1.0-r2 Signed-off-by: Paul Spooren --- kernel/macremapper/Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/kernel/macremapper/Makefile b/kernel/macremapper/Makefile index 79b892ffa2..0889805e7e 100644 --- a/kernel/macremapper/Makefile +++ b/kernel/macremapper/Makefile @@ -25,7 +25,6 @@ include $(INCLUDE_DIR)/package.mk define KernelPackage/macremapper SUBMENU:=Network Support URL:=https://www.edgewaterwireless.com - VERSION:=$(LINUX_VERSION)-$(BOARD)-$(PKG_RELEASE) TITLE:=Dual Channel Wi-Fi macremapper Module DEPENDS:= +kmod-cfg80211 +kmod-br-netfilter FILES:=$(PKG_BUILD_DIR)/kernelmod/$(PKG_NAME).$(LINUX_KMOD_SUFFIX) From 480ca13e286a04a1ef26f402741e4522181e2ba7 Mon Sep 17 00:00:00 2001 
From: Wesley Gimenes Date: Thu, 11 Apr 2024 01:27:03 -0300 Subject: [PATCH 026/106] netbird: update to 0.27.3 Signed-off-by: Wesley Gimenes --- net/netbird/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netbird/Makefile b/net/netbird/Makefile index e97d514995..23b13cd2dc 100644 --- a/net/netbird/Makefile +++ b/net/netbird/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=netbird -PKG_VERSION:=0.26.6 +PKG_VERSION:=0.27.3 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/netbirdio/netbird/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=009656248dba9b0e9969c7658178c50ebef7866e96de75b79b9b15d8c2ba1a47 +PKG_HASH:=f172798f164b7484b231adc656eaf1090b6f7d9e7d7c3753f1e611bdf82ae738 PKG_MAINTAINER:=Oskari Rauta PKG_LICENSE:=BSD-3-Clause From 4751f66a32b154b75f191afff975d50812bd4f7a Mon Sep 17 00:00:00 2001 From: Peter van Dijk Date: Thu, 11 Apr 2024 15:56:37 +0200 Subject: [PATCH 027/106] pdns: unbreak bigendian builds Signed-off-by: Peter van Dijk --- net/pdns/Makefile | 2 +- net/pdns/patches/200-dnsproxy-endian.patch | 24 ++++++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 net/pdns/patches/200-dnsproxy-endian.patch diff --git a/net/pdns/Makefile b/net/pdns/Makefile index 90a772e197..10ffc9d2ef 100644 --- a/net/pdns/Makefile +++ b/net/pdns/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=pdns PKG_VERSION:=4.9.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=https://downloads.powerdns.com/releases/ diff --git a/net/pdns/patches/200-dnsproxy-endian.patch b/net/pdns/patches/200-dnsproxy-endian.patch new file mode 100644 index 0000000000..064a0b8ffa --- /dev/null +++ b/net/pdns/patches/200-dnsproxy-endian.patch 
@@ -0,0 +1,24 @@ +commit c6b1e59f3b413493551910a7d0a3e9206d488599 +Author: Chris Hofstaedtler +Date: Sat Apr 6 23:51:35 2024 +0200 + + auth dnsproxy: fix build on s390x + +--- a/pdns/dnsproxy.cc ++++ b/pdns/dnsproxy.cc +@@ -240,10 +240,11 @@ void DNSProxy::mainloop() + memcpy(&dHead, &buffer[0], sizeof(dHead)); + { + auto conntrack = d_conntrack.lock(); +-#if BYTE_ORDER == BIG_ENDIAN +- // this is needed because spoof ID down below does not respect the native byteorder +- d.id = (256 * (uint16_t)buffer[1]) + (uint16_t)buffer[0]; +-#endif ++ if (BYTE_ORDER == BIG_ENDIAN) { ++ // this is needed because spoof ID down below does not respect the native byteorder ++ dHead.id = (256 * (uint16_t)buffer[1]) + (uint16_t)buffer[0]; ++ } ++ + auto iter = conntrack->find(dHead.id ^ d_xor); + if (iter == conntrack->end()) { + g_log << Logger::Error << "Discarding untracked packet from recursor backend with id " << (dHead.id ^ d_xor) << ". Conntrack table size=" << conntrack->size() << endl; From 2c94c9133d2b75900c90195eed2435763811d1a8 Mon Sep 17 00:00:00 2001 From: krant Date: Fri, 12 Apr 2024 07:09:50 +0300 Subject: [PATCH 028/106] mtdev: update to 1.1.7 Signed-off-by: krant --- libs/mtdev/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libs/mtdev/Makefile b/libs/mtdev/Makefile index 3d49227cbe..586f47fa24 100644 --- a/libs/mtdev/Makefile +++ b/libs/mtdev/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mtdev -PKG_VERSION:=1.1.6 -PKG_RELEASE:=2 +PKG_VERSION:=1.1.7 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://bitmath.org/code/mtdev/ -PKG_HASH:=15d7b28da8ac71d8bc8c9287c2045fd174267bc740bec10cfda332dc1204e0e0 +PKG_HASH:=a107adad2101fecac54ac7f9f0e0a0dd155d954193da55c2340c97f2ff1d814e PKG_MAINTAINER:=Daniel Golle PKG_LICENSE:=MIT From 98aa6b8fde6a01c0a1338e7bfdf66b9fc3365a2e Mon Sep 17 00:00:00 2001 
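Review bot: The ID reassembly `dHead.id = (256 * (uint16_t)buffer[1]) + (uint16_t)buffer[0];` casts each byte straight to `uint16_t`, which sign-extends bytes of 0x80 and above if `buffer` is a plain `char` array (its declaration is outside the hunk) and `char` is signed on the target. The sign-extended low byte then corrupts the high byte of the ID, so the conntrack lookup would miss and a valid backend reply would be discarded as untracked on big-endian builds. Casting through `uint8_t` first, `(uint16_t)(uint8_t)buffer[1]` and likewise for `buffer[0]`, avoids this. As this file carries an upstream commit, the change is best raised upstream as well.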
From: krant Date: Fri, 12 Apr 2024 07:26:06 +0300 Subject: [PATCH 029/106] fontconfig: update to 2.15.0 - Use up-to-date project URLs - Remove obsoleted patch Signed-off-by: krant --- utils/fontconfig/Makefile | 10 +++---- .../001-revert-upstream-meson-commit.patch | 26 ------------------- 2 files changed, 5 insertions(+), 31 deletions(-) delete mode 100644 utils/fontconfig/patches/001-revert-upstream-meson-commit.patch diff --git a/utils/fontconfig/Makefile b/utils/fontconfig/Makefile index 54d8f0e023..ca21c419d3 100644 --- a/utils/fontconfig/Makefile +++ b/utils/fontconfig/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=fontconfig -PKG_VERSION:=2.13.94 -PKG_RELEASE:=3 +PKG_VERSION:=2.15.0 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_SOURCE_URL:=https://fontconfig.org/release/ -PKG_HASH:=a5f052cb73fd479ffb7b697980510903b563bbb55b8f7a2b001fcfb94026003c +PKG_SOURCE_URL:=https://www.freedesktop.org/software/fontconfig/release/ +PKG_HASH:=63a0658d0e06e0fa886106452b58ef04f21f58202ea02a94c39de0d3335d7c0e PKG_MAINTAINER:= PKG_LICENSE:= @@ -31,7 +31,7 @@ define Package/fontconfig SUBMENU:=Font-Utils TITLE:=fontconfig DEPENDS:=+libpthread +libexpat +libfreetype - URL:=http://fontconfig.org/ + URL:=https://www.freedesktop.org/wiki/Software/fontconfig/ endef MESON_ARGS += \ diff --git a/utils/fontconfig/patches/001-revert-upstream-meson-commit.patch b/utils/fontconfig/patches/001-revert-upstream-meson-commit.patch deleted file mode 100644 index bcd7ce8c8a..0000000000 --- a/utils/fontconfig/patches/001-revert-upstream-meson-commit.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -Revert partially the upstream commit ae9ac2a1 - - Subject: [PATCH] meson: fix cross-compilation issues with gperf header file preprocessing - - Pass c_args to the compiler when preprocessing the gperf header file, - they might contain important bits without which compilation/preprocessing - might fail (e.g. with clang on Android). cc.cmd_array() does not include - the c_args and we can't easily look them up from the meson.build file, so - we have to retrieve from the introspection info. - - This is basically the Meson equivalent to commit 57103773. - -Revert the host_cargs related part of the patch - - ---- a/src/cutout.py -+++ b/src/cutout.py -@@ -24,7 +24,7 @@ if __name__== '__main__': - break - - cpp = args[1] -- ret = subprocess.run(cpp + host_cargs + [args[0].input], stdout=subprocess.PIPE, check=True) -+ ret = subprocess.run(cpp + [args[0].input], stdout=subprocess.PIPE, check=True) - - stdout = ret.stdout.decode('utf8') - From 51e5556ea41b3970db353ca093fdb3392ddeee45 Mon Sep 17 00:00:00 2001 From: David Andreoletti Date: Fri, 12 Apr 2024 17:39:53 +0800 Subject: [PATCH 030/106] mosquitto: bump PKG_RELEASE since missing in PR #23863 Signed-off-by: David Andreoletti --- net/mosquitto/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mosquitto/Makefile b/net/mosquitto/Makefile index 62a2dd9dd7..a8bbfc7678 100644 --- a/net/mosquitto/Makefile +++ b/net/mosquitto/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mosquitto PKG_VERSION:=2.0.18 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://mosquitto.org/files/source/ From 4e770bf887b2bf2516a0891d3fef3c37eaf3612b Mon Sep 17 00:00:00 2001 
From: John Audia Date: Mon, 8 Apr 2024 11:07:09 -0400 Subject: [PATCH 031/106] rsync: update to 3.3.0 Changelog: https://download.samba.org/pub/rsync/NEWS#3.3.0 $ rsync --version rsync version 3.3.0 protocol version 31 Copyright (C) 1996-2024 by Andrew Tridgell, Wayne Davison, and others. Web site: https://rsync.samba.org/ Capabilities: 64-bit files, 64-bit inums, 64-bit timestamps, 64-bit long ints, no socketpairs, symlinks, symtimes, hardlinks, no hardlink-specials, no hardlink-symlinks, IPv6, atimes, batchfiles, inplace, append, no ACLs, no xattrs, optional secluded-args, no iconv, prealloc, stop-at, no crtimes Optimizations: no SIMD-roll, no asm-roll, no openssl-crypto, asm-MD5 Checksum list: md5 md4 none Compress list: zlibx zlib none Daemon auth list: md5 md4 Build system: x86/64 Build-tested: x86/64/AMD Cezanne Run-tested: x86/64/AMD Cezanne Signed-off-by: John Audia --- net/rsync/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/rsync/Makefile b/net/rsync/Makefile index 76a72b7dc5..e943ac8415 100644 --- a/net/rsync/Makefile +++ b/net/rsync/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=rsync -PKG_VERSION:=3.2.7 +PKG_VERSION:=3.3.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://download.samba.org/pub/$(PKG_NAME)/src -PKG_HASH:=4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb +PKG_HASH:=7399e9a6708c32d678a72a63219e96f23be0be2336e50fd1348498d07041df90 PKG_MAINTAINER:=Maxim Storchak PKG_LICENSE:=GPL-3.0-or-later From 65f6fee7c00a2afbe509247eb612f7d0c9afa16a Mon Sep 17 00:00:00 2001 
From: John Audia Date: Fri, 12 Apr 2024 07:42:34 -0400 Subject: [PATCH 032/106] snort3: update to 3.1.84.0 1. Update to latest version 2. Remove redundant section in Makefile Changelog: https://github.com/snort3/snort3/releases/tag/3.1.84.0 ,,_ -*> Snort++ <*- o" )~ Version 3.1.84.0 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. Using DAQ version 3.0.14 Using LuaJIT version 2.1.0-beta3 Using OpenSSL 3.0.13 30 Jan 2024 Using libpcap version 1.10.4 (with TPACKET_V3) Using PCRE version 8.45 2021-06-15 Using ZLIB version 1.3.1 Using Hyperscan version 5.4.2 2024-04-10 Using LZMA version 5.4.6 Build system: x86/64 Build-tested: x86/64/AMD Cezanne Run-tested: x86/64/AMD Cezanne Signed-off-by: John Audia --- net/snort3/Makefile | 11 +++-------- ...0-packet_capture-Fix-compilation-with-GCC-13.patch | 4 ++-- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/net/snort3/Makefile b/net/snort3/Makefile index 907154464c..9adb0c680b 100644 --- a/net/snort3/Makefile +++ b/net/snort3/Makefile @@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=snort3 -PKG_VERSION:=3.1.82.0 -PKG_RELEASE:=3 +PKG_VERSION:=3.1.84.0 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/snort3/snort3/archive/refs/tags/ -PKG_HASH:=64304315e1c172b80cb9fef8c27fa457357329ecf02ee27a6604a79fd6cfa10f +PKG_HASH:=dca1707a66f6ca56ddd526163b2d951cefdb168bddc162c791adc74c0d226c7f PKG_MAINTAINER:=W. Michael Petullo , John Audia PKG_LICENSE:=GPL-2.0-only @@ -44,11 +44,6 @@ define Package/snort3/description attacks. endef -# Hyperscan and gperftools only builds for x86 -ifdef CONFIG_TARGET_x86_64 - CMAKE_OPTIONS += -DHS_INCLUDE_DIRS=$(STAGING_DIR)/usr/include/hs -endif - # Hyperscan and gperftools only builds for x86 ifdef CONFIG_TARGET_x86_64 CMAKE_OPTIONS += -DHS_INCLUDE_DIRS=$(STAGING_DIR)/usr/include/hs \ 
diff --git a/net/snort3/patches/110-packet_capture-Fix-compilation-with-GCC-13.patch b/net/snort3/patches/110-packet_capture-Fix-compilation-with-GCC-13.patch index a1b4eb5832..5d6fb79e34 100644 --- a/net/snort3/patches/110-packet_capture-Fix-compilation-with-GCC-13.patch +++ b/net/snort3/patches/110-packet_capture-Fix-compilation-with-GCC-13.patch @@ -12,9 +12,9 @@ src/network_inspectors/packet_capture/packet_capture.h:25:54: error: 'int16_t' d --- a/src/network_inspectors/packet_capture/packet_capture.h +++ b/src/network_inspectors/packet_capture/packet_capture.h -@@ -21,6 +21,7 @@ - #define PACKET_CAPTURE_H +@@ -22,6 +22,7 @@ + #include #include +#include From 68a30a5b7bf9b1be9ebf9598f7d6c04660a3f63f Mon Sep 17 00:00:00 2001 From: Shi JiaYang Date: Sat, 6 Apr 2024 10:38:58 +0800 Subject: [PATCH 033/106] adguardhome: update to 0.107.48 View the release notes for more information: https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.48 Signed-off-by: Shi JiaYang --- net/adguardhome/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/adguardhome/Makefile b/net/adguardhome/Makefile index 6985133855..4e59db217b 100644 --- a/net/adguardhome/Makefile +++ b/net/adguardhome/Makefile @@ -6,13 +6,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=adguardhome -PKG_VERSION:=0.107.42 +PKG_VERSION:=0.107.48 PKG_RELEASE:=1 PKG_SOURCE_PROTO:=git PKG_SOURCE_VERSION:=v$(PKG_VERSION) PKG_SOURCE_URL:=https://github.com/AdguardTeam/AdGuardHome -PKG_MIRROR_HASH:=9bcca421f5069d73cf2b5b8b70b0f3768b8757de42dca461f9ea6f25d01b5c56 +PKG_MIRROR_HASH:=74d53a1fffeb5c24db536efadc92eeab2d8978277e513a98e630d2a3f7d142f6 PKG_LICENSE:=GPL-3.0-only PKG_LICENSE_FILES:=LICENSE.txt From 1cd17840a03c5bc8525222d365a75482fa360638 Mon Sep 17 00:00:00 2001 
From: Paul Spooren Date: Thu, 11 Apr 2024 22:29:55 +0200 Subject: [PATCH 034/106] mtd-rw: drop PKG_VERSION definition in Makefile By default Kernel modules follow the version schema from openwrt.git, which happens to be APK compatible. Instead of defining a entirely custom format, use what's already out there. This patch drops the individual PKG_VERSION definition. Right now, the version becomes 6.1.82.0~7e856206-r2. Signed-off-by: Paul Spooren --- kernel/mtd-rw/Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/kernel/mtd-rw/Makefile b/kernel/mtd-rw/Makefile index 5cf1e5f421..b18b91c221 100644 --- a/kernel/mtd-rw/Makefile +++ b/kernel/mtd-rw/Makefile @@ -9,7 +9,6 @@ include $(TOPDIR)/rules.mk include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=mtd-rw -PKG_VERSION:=git-20160214 PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz From f28c81bae20437ffb78eb161e098ac6ac4043b69 Mon Sep 17 00:00:00 2001 From: dracode Date: Wed, 3 Apr 2024 00:14:40 -0400 Subject: [PATCH 035/106] hcxdumptool: Update to 6.3.4 Version 6.3.4 has some important fixes for the OpenWrt community. This version properly supports Big-Endian systems (which are many); the previous OpenWrt packaged version crashed on such systems. Signed-off-by: dracode --- net/hcxdumptool/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/hcxdumptool/Makefile b/net/hcxdumptool/Makefile index c05bd5fda2..f29deceb9b 100644 --- a/net/hcxdumptool/Makefile +++ b/net/hcxdumptool/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=hcxdumptool -PKG_VERSION:=6.3.2 +PKG_VERSION:=6.3.4 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/zerbea/hcxdumptool/tar.gz/$(PKG_VERSION)? -PKG_HASH:=1f6fe2b4757a5f20adeb6cc469693b4d0e8c49ba290450e10a37699d9f9a2a42 +PKG_HASH:=a45140960bd5de28085d549e1a9ccf2c08af143984a138c28ac4092c6a52a5d2 PKG_MAINTAINER:=Andreas Nilsen PKG_LICENSE:=MIT 
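Review bot: In the mtd-rw hunk, removing `PKG_VERSION:=git-20160214` leaves the context line `PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz` expanding a variable that is no longer set in this Makefile. Unless an included file defines PKG_VERSION, the archive name collapses to `mtd-rw-.tar.gz`. If the package records a mirror hash for that archive (not visible in this hunk), the renamed tarball or its top-level directory may no longer match the recorded value, and the integrity check on the download would then fail. I would remove the `PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz` line in the same change, along with any other `$(PKG_VERSION)` references further down, and refresh the hash against the resulting archive.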
From 2e8da16fb4c56cc5d2adf2cb404e2b8422f84c7f Mon Sep 17 00:00:00 2001 From: krant Date: Sun, 14 Apr 2024 10:03:37 +0300 Subject: [PATCH 036/106] erlang: update to 26.2.4 Signed-off-by: krant --- lang/erlang/Makefile | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/lang/erlang/Makefile b/lang/erlang/Makefile index 73f98ebaba..5b238a7b1a 100644 --- a/lang/erlang/Makefile +++ b/lang/erlang/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=erlang -PKG_VERSION:=26.2.3 +PKG_VERSION:=26.2.4 PKG_RELEASE:=1 PKG_SOURCE:=otp_src_$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/erlang/otp/releases/download/OTP-$(PKG_VERSION) -PKG_HASH:=2c4e61b24fb1c131d9f30cfe2415320899180debdb71fb59195c72bd9a4ab625 +PKG_HASH:=b51ad69f57e2956dff4c893bcb09ad68fee23a7f8f6bba7d58449516b696de95 PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE.txt @@ -46,7 +46,7 @@ endef define Package/erlang $(call Package/erlang/Default) DEPENDS+= +libncurses +librt +zlib +libstdcpp - PROVIDES:= erlang-erts=14.2.3 erlang-kernel=9.2.2 erlang-sasl=4.2.1 erlang-stdlib=5.2.1 + PROVIDES:= erlang-erts=14.2.4 erlang-kernel=9.2.3 erlang-sasl=4.2.1 erlang-stdlib=5.2.2 endef define Package/erlang/description @@ -60,7 +60,7 @@ endef define Package/erlang-asn1 $(call Package/erlang/Default) TITLE:=Abstract Syntax Notation One (ASN.1) support - VERSION:=5.2.1 + VERSION:=5.2.2 DEPENDS+= +erlang +erlang-syntax-tools endef @@ -75,7 +75,7 @@ endef define Package/erlang-compiler $(call Package/erlang/Default) TITLE:=Byte code compiler - VERSION:=8.4.2 + VERSION:=8.4.3 DEPENDS+= +erlang endef @@ -90,7 +90,7 @@ endef define Package/erlang-crypto $(call Package/erlang/Default) TITLE:=Cryptography support - VERSION:=5.4.1 + VERSION:=5.4.2 DEPENDS+= +erlang +libopenssl endef @@ -183,7 +183,7 @@ endef define Package/erlang-ssh $(call Package/erlang/Default) TITLE:=Secure Shell (SSH) support - VERSION:=5.1.3 + VERSION:=5.1.4 DEPENDS+= +erlang +erlang-crypto endef 
@@ -198,7 +198,7 @@ endef define Package/erlang-ssl $(call Package/erlang/Default) TITLE:=Secure Sockets Layer (SSL) support - VERSION:=11.1.2 + VERSION:=11.1.3 DEPENDS+= +erlang +erlang-crypto endef From 2439e8a8d8b9d1024b99c0a4e8c37f55e8f58cc8 Mon Sep 17 00:00:00 2001 From: Tianling Shen Date: Mon, 15 Apr 2024 13:22:09 +0800 Subject: [PATCH 037/106] dnsproxy: Update to 0.69.2 Signed-off-by: Tianling Shen --- net/dnsproxy/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/dnsproxy/Makefile b/net/dnsproxy/Makefile index 6337503752..c4cd8968dc 100644 --- a/net/dnsproxy/Makefile +++ b/net/dnsproxy/Makefile @@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsproxy -PKG_VERSION:=0.66.0 +PKG_VERSION:=0.69.2 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/AdguardTeam/dnsproxy/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=6928b109fb1080fec2aadc0cad20d0c08d13b5ff5db1a7c82ecfe200eec21326 +PKG_HASH:=aa1cea0eea683bde017acbb30c09c96b24b30133e157e743666be900ad7560ea PKG_MAINTAINER:=Tianling Shen PKG_LICENSE:=Apache-2.0 From d9419aeabd74f5d170483691d8a2ab0c68620fce Mon Sep 17 00:00:00 2001 From: Tianling Shen Date: Mon, 15 Apr 2024 13:22:56 +0800 Subject: [PATCH 038/106] cloudflared: Update to 2024.4.0 Signed-off-by: Tianling Shen --- net/cloudflared/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/cloudflared/Makefile b/net/cloudflared/Makefile index 461ec42503..f65f9eaa6b 100644 --- a/net/cloudflared/Makefile +++ b/net/cloudflared/Makefile 
@@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=cloudflared -PKG_VERSION:=2024.3.0 +PKG_VERSION:=2024.4.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/cloudflare/cloudflared/tar.gz/$(PKG_VERSION)? -PKG_HASH:=6e5fda072d81b2d40208a0d244b44aaf607f26709711e157e23f44f812594e93 +PKG_HASH:=a68882beb5ec2855a17253a751295c4cc4f8f9ca3b49920ffa7e398995f85055 PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE From 6a400cce62db170fd7e06179cf5a27eca482213f Mon Sep 17 00:00:00 2001 From: krant Date: Mon, 15 Apr 2024 08:05:24 +0300 Subject: [PATCH 039/106] squid: update to 6.9 Signed-off-by: krant --- net/squid/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/squid/Makefile b/net/squid/Makefile index 560f35ff81..45e1e49172 100644 --- a/net/squid/Makefile +++ b/net/squid/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=squid -PKG_VERSION:=6.8 +PKG_VERSION:=6.9 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=http://www2.pl.squid-cache.org/Versions/v6/ \ http://www.squid-cache.org/Versions/v6/ -PKG_HASH:=11cc5650b51809d99483ccfae24744a2e51cd16199f5ff0c917e84fce695870f +PKG_HASH:=1ad72d46e1cb556e9561214f0fb181adb87c7c47927ef69bc8acd68a03f61882 PKG_MAINTAINER:=Marko Ratkaj PKG_LICENSE:=GPL-2.0-or-later From 717a800ec519bd14458c4b5de0e8705eebc6071c Mon Sep 17 00:00:00 2001 From: Stan Grishin Date: Sat, 13 Apr 2024 22:31:52 +0000 Subject: [PATCH 040/106] pbr: bugfix: fix IPv6 interface errors * update license to AGPL-3.0-or-later * rename pbr_get_gateway to pbr_get_gateway4 for better readability * improve IPv6 "gateway" detection/display on start * prevent IPv6 interface errors on start * revert release format Signed-off-by: Stan Grishin --- net/pbr/Makefile | 4 ++-- net/pbr/files/etc/init.d/pbr | 41 ++++++++++++++++++++++-------------- 2 files changed, 27 insertions(+), 18 deletions(-) 
diff --git a/net/pbr/Makefile b/net/pbr/Makefile index bbf588b489..5014894d06 100644 --- a/net/pbr/Makefile +++ b/net/pbr/Makefile @@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=pbr PKG_VERSION:=1.1.4 -PKG_RELEASE:=r15 -PKG_LICENSE:=GPL-3.0-or-later +PKG_RELEASE:=16 +PKG_LICENSE:=AGPL-3.0-or-later PKG_MAINTAINER:=Stan Grishin include $(INCLUDE_DIR)/package.mk diff --git a/net/pbr/files/etc/init.d/pbr b/net/pbr/files/etc/init.d/pbr index 84f6203ac2..ac7ad079b0 100755 --- a/net/pbr/files/etc/init.d/pbr +++ b/net/pbr/files/etc/init.d/pbr @@ -184,7 +184,7 @@ pbr_find_iface() { esac eval "$1"='${iface}' } -pbr_get_gateway() { +pbr_get_gateway4() { local iface="$2" dev="$3" gw network_get_gateway gw "$iface" true if [ -z "$gw" ] || [ "$gw" = '0.0.0.0' ]; then @@ -608,6 +608,7 @@ load_network() { _build_ifaces_supported() { is_supported_interface "$1" && ! str_contains "$ifacesSupported" "$1" && ifacesSupported="${ifacesSupported}${1} "; } _find_firewall_wan_zone() { [ "$(uci_get 'firewall' "$1" 'name')" = "wan" ] && firewallWanZone="$1"; } local i param="$1" + local dev4 dev6 if [ -z "$ifacesSupported" ]; then config_load 'firewall' config_foreach _find_firewall_wan_zone 'zone' @@ -618,11 +619,16 @@ load_network() { config_foreach _build_ifaces_supported 'interface' fi wanIface4="$procd_wan_interface" - [ -z "$wanGW4" ] && network_get_gateway wanGW4 "$wanIface4" + network_get_device dev4 "$wanIface4" + [ -z "$dev4" ] && network_get_physdev dev4 "$wanIface4" + [ -z "$wanGW4" ] && pbr_get_gateway4 wanGW4 "$wanIface4" "$dev4" if [ -n "$ipv6_enabled" ]; then wanIface6="$procd_wan6_interface" - [ -z "$wanGW6" ] && network_get_gateway6 wanGW6 "$wanIface6" + network_get_device dev6 "$wanIface6" + [ -z "$dev6" ] && network_get_physdev dev6 "$wanIface6" + [ -z "$wanGW6" ] && pbr_get_gateway6 wanGW6 "$wanIface6" "$dev6" fi + case "$param" in on_boot|on_start) [ -n "$wanIface4" ] && output 2 "Using wan interface (${param}): $wanIface4 \\n" 
@@ -2001,7 +2007,7 @@ interface_routing() { create) if is_netifd_table_interface "$iface"; then ipv4_error=0 - $ip_bin rule del table "$tid" >/dev/null 2>&1 + $ip_bin -4 rule del table "$tid" >/dev/null 2>&1 try "$ip_bin" -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1 if is_nft_mode; then try nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1 @@ -2014,7 +2020,8 @@ interface_routing() { fi if [ -n "$ipv6_enabled" ]; then ipv6_error=0 - try "$ip_bin" -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1 + $ip_bin -6 rule del table "$tid" >/dev/null 2>&1 + try "$ip_bin" -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$((priority-1))" || ipv6_error=1 fi else if ! grep -q "$tid ${ipTablePrefix}_${iface}" "$rtTablesFile"; then @@ -2023,8 +2030,8 @@ interface_routing() { echo "$tid ${ipTablePrefix}_${iface}" >> "$rtTablesFile" sync fi - $ip_bin rule del table "$tid" >/dev/null 2>&1 - $ip_bin route flush table "$tid" >/dev/null 2>&1 + $ip_bin -4 rule del table "$tid" >/dev/null 2>&1 + $ip_bin -4 route flush table "$tid" >/dev/null 2>&1 if [ -n "$gw4" ] || [ "$strict_enforcement" -ne 0 ]; then ipv4_error=0 if [ -z "$gw4" ]; then 
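Review bot: The IPv6 rule in the `@@ -2014` hunk is now added at `priority "$((priority-1))"` with no comment explaining why it differs from the IPv4 rule's `$priority`, and the same expression is repeated in the later `@@ -2074` hunk. It appears to rely on the `ifacePriority - 2` step that this commit introduces in `interface_process`, so a later change to either side could put two interfaces' rules on the same priority. A comment at the first use would keep the two in step, for example `# IPv6 rule uses priority-1; interface_process steps ifacePriority by 2 to leave room for it`. `interface_routing` starts and ends outside these hunks.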
@@ -2056,11 +2063,13 @@ EOF fi if [ -n "$ipv6_enabled" ]; then ipv6_error=0 + $ip_bin -6 rule del table "$tid" >/dev/null 2>&1 + $ip_bin -6 route flush table "$tid" >/dev/null 2>&1 if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strict_enforcement" -ne 0 ]; then if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then try "$ip_bin" -6 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv6_error=1 - elif try "$ip_bin" -6 route list table main | grep -q " dev $dev6 "; then - try "$ip_bin" -6 route add default via "$gw6" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 + elif "$ip_bin" -6 route list table main | grep -q " dev $dev6 "; then + "$ip_bin" -6 route add default via "$gw6" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 while read -r i; do i="$(echo "$i" | sed 's/ linkdown$//')" i="$(echo "$i" | sed 's/ onlink$//')" @@ -2074,7 +2083,7 @@ EOF try "$ip_bin" -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1 fi fi - try "$ip_bin" -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" >/dev/null 2>&1 || ipv6_error=1 + try "$ip_bin" -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$((priority-1))" >/dev/null 2>&1 || ipv6_error=1 fi fi if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then @@ -2253,7 +2262,7 @@ interface_process() { [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)" eval "mark_${iface//-/_}"='$ifaceMark' eval "tid_${iface//-/_}"='$ifaceTableID' - pbr_get_gateway gw4 "$iface" "$dev" + pbr_get_gateway4 gw4 "$iface" "$dev" pbr_get_gateway6 gw6 "$iface" "$dev6" dispGw4="${gw4:-0.0.0.0}" dispGw6="${gw6:-::/0}" 
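Review bot: In the `@@ -2056` hunk the `route add default via "$gw6"` line lost its `try` wrapper, while the neighbouring `route add unreachable default` and `route add default dev "$dev6"` lines still go through `try`. Dropping `try` from the `route list | grep -q` condition is reasonable, since that is a test rather than an action. For the add, however, a failure is now only recorded in `ipv6_error`, without whatever reporting `try` performs (its definition is outside the hunk). If that was not intended, keep the wrapper: `try "$ip_bin" -6 route add default via "$gw6" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1`. If it was intended, a one-line comment saying why this add may fail quietly would help the next reader.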
@@ -2277,7 +2286,7 @@ interface_process() { [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)" eval "mark_${iface//-/_}"='$ifaceMark' eval "tid_${iface//-/_}"='$ifaceTableID' - pbr_get_gateway gw4 "$iface" "$dev" + pbr_get_gateway4 gw4 "$iface" "$dev" pbr_get_gateway6 gw6 "$iface" "$dev6" dispGw4="${gw4:-0.0.0.0}" dispGw6="${gw6:-::/0}" @@ -2293,7 +2302,7 @@ interface_process() { [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)" eval "mark_${iface//-/_}"='$ifaceMark' eval "tid_${iface//-/_}"='$ifaceTableID' - pbr_get_gateway gw4 "$iface" "$dev" + pbr_get_gateway4 gw4 "$iface" "$dev" pbr_get_gateway6 gw6 "$iface" "$dev6" dispGw4="${gw4:-0.0.0.0}" dispGw6="${gw6:-::/0}" @@ -2312,7 +2321,7 @@ interface_process() { [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)" eval "mark_${iface//-/_}"='$ifaceMark' eval "tid_${iface//-/_}"='$ifaceTableID' - pbr_get_gateway gw4 "$iface" "$dev" + pbr_get_gateway4 gw4 "$iface" "$dev" pbr_get_gateway6 gw6 "$iface" "$dev6" dispGw4="${gw4:-0.0.0.0}" dispGw6="${gw6:-::/0}" @@ -2328,7 +2337,7 @@ interface_process() { [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)" eval "mark_${iface//-/_}"='$ifaceMark' eval "tid_${iface//-/_}"='$ifaceTableID' - pbr_get_gateway gw4 "$iface" "$dev" + pbr_get_gateway4 gw4 "$iface" "$dev" pbr_get_gateway6 gw6 "$iface" "$dev6" dispGw4="${gw4:-0.0.0.0}" dispGw6="${gw6:-::/0}" @@ -2354,7 +2363,7 @@ interface_process() { esac # ifaceTableID="$((ifaceTableID + 1))" ifaceMark="$(printf '0x%06x' $((ifaceMark + wan_mark)))" - ifacePriority="$((ifacePriority - 1))" + ifacePriority="$((ifacePriority - 2))" return $s } From 7889c520b7190a6d4db4d616ed94de417083848d Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Thu, 11 Apr 2024 16:18:51 +0200 Subject: [PATCH 041/106] keepalived: remove file sync handling for ucitrack The ucitrack file hanlding was converted to json. Therefore this is not needed anymore. 
Signed-off-by: Florian Eckert --- net/keepalived/Makefile | 2 +- .../files/etc/hotplug.d/keepalived/509-ucitrack | 12 ------------ 2 files changed, 1 insertion(+), 13 deletions(-) delete mode 100644 net/keepalived/files/etc/hotplug.d/keepalived/509-ucitrack diff --git a/net/keepalived/Makefile b/net/keepalived/Makefile index da44823c57..b04e45e935 100644 --- a/net/keepalived/Makefile +++ b/net/keepalived/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=keepalived PKG_VERSION:=2.2.8 -PKG_RELEASE:=5 +PKG_RELEASE:=6 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.keepalived.org/software diff --git a/net/keepalived/files/etc/hotplug.d/keepalived/509-ucitrack b/net/keepalived/files/etc/hotplug.d/keepalived/509-ucitrack deleted file mode 100644 index bacbf2597f..0000000000 --- a/net/keepalived/files/etc/hotplug.d/keepalived/509-ucitrack +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh - -# shellcheck source=/dev/null -. /lib/functions/keepalived/hotplug.sh - -set_service_name ucitrack - -set_reload_if_sync - -add_sync_file /etc/config/ucitrack - -keepalived_hotplug From 570ee10a13838fc9b19377d93e871291acceac65 Mon Sep 17 00:00:00 2001 From: Rui Salvaterra Date: Mon, 15 Apr 2024 13:45:27 +0100 Subject: [PATCH 042/106] tor: update to 0.4.8.11 stable Minor release, see the changelog [1] for what's new. [1] https://gitlab.torproject.org/tpo/core/tor/-/raw/tor-0.4.8.11/ChangeLog Signed-off-by: Rui Salvaterra --- net/tor/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/tor/Makefile b/net/tor/Makefile index b70605db70..38c2566084 100644 --- a/net/tor/Makefile +++ b/net/tor/Makefile 
@@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tor -PKG_VERSION:=0.4.8.10 +PKG_VERSION:=0.4.8.11 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://dist.torproject.org/ \ https://archive.torproject.org/tor-package-archive -PKG_HASH:=e628b4fab70edb4727715b23cf2931375a9f7685ac08f2c59ea498a178463a86 +PKG_HASH:=8f2bdf90e63380781235aa7d604e159570f283ecee674670873d8bb7052c8e07 PKG_MAINTAINER:=Hauke Mehrtens \ Peter Wagner PKG_LICENSE:=BSD-3-Clause From 1a51bd18ac05c73dd627e621a345effe544768f1 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Mon, 15 Apr 2024 19:41:54 +0300 Subject: [PATCH 043/106] django: bump to version 5.0.4 Signed-off-by: Alexandru Ardelean --- lang/python/django/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lang/python/django/Makefile b/lang/python/django/Makefile index 5f8a2923d4..f4c75ceaba 100644 --- a/lang/python/django/Makefile +++ b/lang/python/django/Makefile @@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk PKG_NAME:=django -PKG_VERSION:=5.0.3 +PKG_VERSION:=5.0.4 PKG_RELEASE:=1 PYPI_NAME:=Django -PKG_HASH:=5fb37580dcf4a262f9258c1f4373819aacca906431f505e4688e37f3a99195df +PKG_HASH:=4bd01a8c830bb77a8a3b0e7d8b25b887e536ad17a81ba2dce5476135c73312bd PKG_MAINTAINER:=Alexandru Ardelean , Peter Stadler PKG_LICENSE:=BSD-3-Clause From 0592f27d998a8fad17fedb85847a01da82c4086f Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Mon, 15 Apr 2024 19:44:02 +0300 Subject: [PATCH 044/106] django-restframework: bump to version 3.15.1 Signed-off-by: Alexandru Ardelean --- lang/python/django-restframework/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lang/python/django-restframework/Makefile b/lang/python/django-restframework/Makefile index fd53be8e37..eb40c1f5d4 100644 --- a/lang/python/django-restframework/Makefile +++ b/lang/python/django-restframework/Makefile 
@@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk PKG_NAME:=django-restframework -PKG_VERSION:=3.14.0 +PKG_VERSION:=3.15.1 PKG_RELEASE:=1 PYPI_NAME:=djangorestframework -PKG_HASH:=579a333e6256b09489cbe0a067e66abe55c6595d8926be6b99423786334350c8 +PKG_HASH:=f88fad74183dfc7144b2756d0d2ac716ea5b4c7c9840995ac3bfd8ec034333c1 PKG_MAINTAINER:=Alexandru Ardelean PKG_LICENSE:=BSD-3-Clause From fc3591802612bb16e2e384533fa1f5e0a2817d5d Mon Sep 17 00:00:00 2001 From: Anton Khazan Date: Tue, 16 Apr 2024 14:08:27 +0300 Subject: [PATCH 045/106] geoip-shell: add package Adds the geoip-shell package to OpenWrt. geoip-shell is a flexible geoip blocker for Linux with a user-friendly command-line interface. Signed-off-by: Anton Khazan --- net/geoip-shell/DETAILS.md | 147 +++++++++++++++++++++++++++ net/geoip-shell/Makefile | 162 ++++++++++++++++++++++++++++++ net/geoip-shell/NOTES.md | 108 ++++++++++++++++++++ net/geoip-shell/OpenWrt-README.md | 52 ++++++++++ net/geoip-shell/README.md | 144 ++++++++++++++++++++++++++ net/geoip-shell/SETUP.md | 67 ++++++++++++ 6 files changed, 680 insertions(+) create mode 100644 net/geoip-shell/DETAILS.md create mode 100644 net/geoip-shell/Makefile create mode 100644 net/geoip-shell/NOTES.md create mode 100644 net/geoip-shell/OpenWrt-README.md create mode 100644 net/geoip-shell/README.md create mode 100644 net/geoip-shell/SETUP.md diff --git a/net/geoip-shell/DETAILS.md b/net/geoip-shell/DETAILS.md new file mode 100644 index 0000000000..0061313e53 --- /dev/null +++ b/net/geoip-shell/DETAILS.md 
@@ -0,0 +1,147 @@ +## **Prelude** +- This document only covers scripts installed on OpenWrt systems and only options available on OpenWrt. +- geoip-shell supports a numer of different use cases, many different platforms, and 2 backend firewall utilities (nftables and iptables). For this reason I designed it to be modular rather than monolithic. In this design, the functionality is split between few main scripts. Each main script performs specific tasks and utilizes library scripts which are required for the task with the given platform and firewall utility. +- This document provides some info on the purpose and core options of the main scripts and how they work in tandem. +- The main scripts display "usage" when called with the "-h" option. You can find out about some additional options specific to each script by running it with that option. + +## **Overview** + +### Main Scripts +- geoip-shell-install.sh +- geoip-shell-uninstall.sh +- geoip-shell-manage.sh +- geoip-shell-run.sh +- geoip-shell-fetch.sh +- geoip-shell-apply.sh +- geoip-shell-backup.sh +- geoip-shell-cronsetup.sh + +### Helper Scripts +**geoip-shell-geoinit.sh** +- This script is sourced from all main scripts. It sets some essential variables, checks for compatible shell, then sources the -lib-common script, then sources the /etc/geoip-shell/geoip-shell.const file which stores some system-specific constants. + +**geoip-shell-detect-lan.sh** +This script is only used under specific conditions: +- During initial setup, with whitelist mode, and only if wan interfaces were set to 'all', and LAN subnets were not specified via command line args. geoip-shell then assumes that it is being installed on a machine belonging to a LAN, uses this script to detect the LAN subnets and offers the user to add them to the whitelist, and to enable automatic detection of LAN subnets in the future. +- At the time of creating/updating firewall rules, and only if LAN subnets automatic detection is enabled. 
geoip-shell then re-detects LAN subnets automatically. + +### Library Scripts +- lib/geoip-shell-lib-common.sh +- lib/geoip-shell-lib-setup.sh +- lib/geoip-shell-lib-ipt.sh +- lib/geoip-shell-lib-nft.sh +- lib/geoip-shell-lib-status.sh +- lib/geoip-shell-lib-arrays.sh +- lib/geoip-shell-lib-uninstall.sh + +The -lib-common script includes a large number of functions used throughout the suite, and assigns some essential variables. + +The lib-setup script implements CLI interactive and noninteractive setup and arguments parsing. It is used in the -manage script. + +The -lib-status script implements the status report which you can get by issuing the `geoip-shell status` command. + +The -ipt and -nft scripts implement support for iptables and nftables, respectively. They are sourced from other scripts which need to interact with the firewall utility directly. + + +The -lib-arrays script implements a minimal subset of functions emulating the functionality of associative arrays in POSIX-compliant shell. It is used in the -fetch script. It is a part of a larger project implementing much more of the arrays functionality. You can check my other repositories if you are interested. + +The -lib-uninstall script has some functions which are used both for uninstallation and for reset if required. + +### OpenWrt-specific scripts +- geoip-shell-lib-owrt-common.sh +- geoip-shell-init +- geoip-shell-mk-fw-include.sh +- geoip-shell-fw-include.sh +- geoip-shell-owrt-uninstall.sh + +For more information about integration with OpenWrt, read [OpenWrt-README.md](OpenWrt-README.md) + +### User interface +The scripts intended as user interface are **geoip-shell-install.sh**, **geoip-shell-uninstall.sh**, **geoip-shell-manage.sh** and **check-ip-in-source.sh**. All the other scripts are intended as a back-end. If you just want to install and move on, you only need to run the -install script. 
+After installation, the user interface is provided by running "geoip-shell", which is a symlink to the -manage script. + +## **Main scripts in detail** +**geoip-shell-manage.sh**: serves as the main user interface to configure geoip after installation. You can also call it by simply typing `geoip-shell`. As most scripts in this suite, it requires root privileges because it needs to interact with the netfilter kernel component and access the data folder which is only readable and writable by root. Since it serves as the main user interface, it contains a lot of logic to generate a report, parse, validate and initiate actions requested by the user (by calling other scripts as required), check for possible remote machine lockout and warn the user about it, check actions result, update the config and take corrective actions in case of an error. Describing all this is beyond the scope of this document but you can read the code. Sources the lib-status script when generating a status report. Sources lib-setup for some of the arguments parsing logic and interactive dialogs implementation. + +`geoip-shell [-c <"country_codes">]` : Enable or disable the geoip blocking chain (via a rule in the base geoip chain) + +`geoip-shell [-c <"country_codes">]` : +* Adds or removes the specified country codes to/from the config file. +* Calls the -run script to fetch the ip lists for specified countries and apply them to the firewall (or to remove them). + +`geoip-shell status` +* Displays information on the current state of geoip blocking +* For a list of all firewall rules in the geoip chain and for detailed count of ip ranges, run `geoip-shell status -v`. + +`geoip-shell restore` : re-fetches and re-applies geoip firewall rules and ip lists as per the config. + +`geoip-shell configure [options]` : changes geoip-shell configuration + +**Options for the `geoip-shell configure` command:** + +`-m [whitelist|blacklist]`: Change geoip blocking mode. 
+ +`-c <"country codes">`: Change which country codes are included in the whitelist/blacklist (this command replaces all country codes with newly specified ones). + +`-f `: Families (defaults to 'ipv4 ipv6'). Use double quotes for multiple families. + +`-u [ripe|ipdeny]`: Change ip lists source. + +`-i <[ifaces]|auto|all>`: Change which network interfaces geoip firewall rules are applied to. `auto` will attempt to automatically detect WAN network interfaces. `auto` works correctly in **most** cases but not in **every** case. Don't use `auto` if the machine has no direct connection to WAN. The automatic detection occurs only when manually triggered by the user via this command. + +`-l <"[lan_ips]"|auto|none>`: Specify LAN ip's or subnets to exclude from blocking (both ipv4 and ipv6). `auto` will trigger LAN subnets re-detection at every update of the ip lists. When specifying custom ip's or subnets, automatic detection is disabled. This option is only avaiable when using geoip-shell in whitelist mode. + +`-t <"[trusted_ips]|none">`: Specify trusted ip's or subnets (anywhere on the Internet) to exclude from geoip blocking (both ipv4 and ipv6). + +`-p <[tcp|udp]:[allow|block]:[all|]>`: specify ports geoip blocking will apply (or not apply) to, for tcp or udp. To specify ports for both tcp and udp, use the `-p` option twice. For more details, read [NOTES.md](NOTES.md), sections 9-11. + +`-r <[user_country_code]|none>` : Specify user's country code. Used to prevent accidental lockout of a remote machine. `none` disables this feature. + +`-s <"schedule_expression"|disable>` : enables automatic ip lists updates and configures the schedule for the periodic cron job which implements this feature. `disable` disables automatic ip lists updates. + +`-o ` : No backup. If set to 'true', geoip-shell will not create a backup of ip lists and firewall rules after applying changes, and will automatically re-fetch ip lists after each reboot. 
Default is 'true' for OpenWrt, 'false' for all other systems. + +`-a ` : Set custom path to directory where backups and the status file will be stored. Default is '/tmp/geoip-shell-data' for OpenWrt, '/var/lib/geoip-shell' for all other systems. + + +`-O `: specify optimization policy for nftables sets. By default optimizes for low memory consumption if system RAM is less than 2GiB, otherwise optimizes for performance. This option doesn't work with iptables. + +`geoip-shell showconfig` : prints the contents of the config file. + + +**geoip-shell-run.sh**: Serves as a proxy to call the -fetch, -apply and -backup scripts with arguments required for each action. Executes the requested actions, depending on the config set by the -install and -manage scripts, and the command line options, and writes to system log when starting and on action completion (or if any errors encountered). If persistence or autoupdates are enabled, the cron jobs (or on OpenWrt, the firewall include script) call this script with the necessary options. If a non-fatal error is encountered during an automatic update function, the script enters sort of a temporary daemon mode where it will re-try the action (up to a certain number of retries) with increasing time intervals. It also implements some logic to account for unexpected issues encountered during the 'restore' action which runs after system reboot to impelement persistnece, such as a missing backup, and in this situation will automatically change its action from 'restore' to 'update' and try to re-fetch and re-apply the ip lists. + +`geoip-shell-run add -l <"list_id [list_id] ... [list_id]">` : Fetches ip lists, loads them into ip sets and applies firewall rules for specified list id's. +A list id has the format of `_`. For example, ****US_ipv4** and **GB_ipv6** are valid list id's. + +`geoip-shell-run remove -l <"list_ids">` : Removes iplists and firewall rules for specified list id's. 
+ +`geoip-shell-run update` : Updates the ip sets for list id's that had been previously configured. Intended for triggering from periodic cron jobs. + +`geoip-shell-run restore` : Restore previously downloaded lists from backup (skip fetching). Used by the reboot cron job (or by the firewall include on OpenWrt) to implement persistence. + +**geoip-shell-fetch.sh** +- Fetches ip lists for given list id's from RIPE or from ipdeny. The source is selected during installation. If you want to change the default which is RIPE, install with the `-u ipdeny` option. +- Parses, validates, compiles the downloaded lists, and saves each one to a separate file. +- Implements extensive sanity checks at each stage (fetching, parsing, validating and saving) and handles errors if they occur. + +(for specifics on how to use the script, run it with the -h option) + +**geoip-shell-apply.sh**: directly interfaces with the firewall. Creates or removes ip sets and firewall rules for specified list id's. Sources the lib-apply-ipt or lib-apply-nft script which does most of the actual work. + +`geoip-shell-apply add -l <"list_ids">` : +- Loads ip list files for specified list id's into ip sets and applies firewall rules required for geoip blocking. + +List id has the format of `_`. For example, **US_ipv4** and **GB_ipv6** are valid list id's. + +`geoip-shell-apply remove -l <"list_ids">` : +- removes ip sets and geoip firewall rules for specified list id's. + +**geoip-shell-cronsetup.sh** manages all the cron-related logic and actions. Called by the -manage script. Cron jobs are created based on the settings stored in the config file. Also used to validate cron schedule provided by the user at the time of installation or later. + +**geoip-shell-backup.sh**: Creates a backup of current geoip-shell firewall rules and ip sets and current geoip-shell config, or restores them from backup. 
By default (if you didn't run the installation with the '-o' option), backup will be created after every change to ip sets in the firewall. Backups are automatically compressed and de-compressed with the best utility available to the system, in this order "bzip2, xz, gzip", or simply "cat" as a fallback if neither is available (which generally should never happen on Linux). Only one backup copy is kept. Sources the lib-backup-ipt or the lib-backup-nft script which does most of the actual work. + +`geoip-shell-backup create-backup` : Creates a backup of the current firewall state and geoip blocking config. + +`geoip-shell-backup restore` : Restores the firewall state and the config from backup. Used by the *run script to implement persistence. Can be manually used for recovery from fault conditions. + diff --git a/net/geoip-shell/Makefile b/net/geoip-shell/Makefile new file mode 100644 index 0000000000..12bc0eb6fe --- /dev/null +++ b/net/geoip-shell/Makefile 
@@ -0,0 +1,162 @@ +# Copyright 2024 friendly-bits, antonk (antonk.d3v@gmail.com) +# This is free software, licensed under the GNU General Public License v3. + +include $(TOPDIR)/rules.mk + +PKG_NAME:=geoip-shell +PKG_VERSION:=0.5 +PKG_RELEASE:=r2 +PKG_LICENSE:=GPL-3.0-or-later +PKG_MAINTAINER:=antonk +PKG_SOURCE_PROTO:=git +PKG_SOURCE_VERSION:=3b56796aea49d7ae1e5ce3de1f5ccfafd36c7f3f +PKG_SOURCE_URL:=https://github.com/friendly-bits/geoip-shell-openwrt.git +PKG_MIRROR_HASH:=2a6cb1996fc7c48f146267e193fe1812addeb228adc5fe16a55341509d4a5353 + +include $(INCLUDE_DIR)/package.mk + +define Package/geoip-shell/Default + CATEGORY:=Network + TITLE:=Flexible geoip blocker + URL:=https://github.com/friendly-bits/geoip-shell + MAINTAINER:=antonk + DEPENDS:=+ca-bundle + PROVIDES:=geoip-shell + PKGARCH:=all +endef + +define Package/geoip-shell +$(call Package/geoip-shell/Default) + TITLE+= with nftables support + DEPENDS+= +kmod-nft-core +nftables +firewall4 + DEFAULT_VARIANT:=1 + VARIANT:=nftables +endef + +define Package/geoip-shell-iptables +$(call Package/geoip-shell/Default) + TITLE+= with iptables support + DEPENDS+= +kmod-ipt-ipset +IPV6:ip6tables +iptables +ipset + VARIANT:=iptables + CONFLICTS:=geoip-shell firewall4 +endef + +define Package/geoip-shell/description/Default + Flexible geoip blocker with a user-friendly command line interface (currently no LuCi interface). 
+ For readme, please see + https://github.com/openwrt/packages/blob/master/net/geoip-shell/OpenWrt-README.md +endef + +define Package/geoip-shell/description +$(call Package/geoip-shell/description/Default) +endef + +define Package/geoip-shell-iptables/description +$(call Package/geoip-shell/description/Default) +endef + +define Package/geoip-shell/postinst/Default + #!/bin/sh + rm "/usr/bin/geoip-shell" 2>/dev/null + ln -s "/usr/bin/geoip-shell-manage.sh" "/usr/bin/geoip-shell" + [ -s "/etc/geoip-shell/geoip-shell.conf" ] && /usr/bin/geoip-shell configure -z && exit 0 + logger -s -t "geoip-shell" "Please run 'geoip-shell configure' to complete the setup." + exit 0 +endef + +define Package/geoip-shell/postinst +$(call Package/geoip-shell/postinst/Default) +endef + +define Package/geoip-shell-iptables/postinst +$(call Package/geoip-shell/postinst/Default) +endef + +define Package/geoip-shell/prerm/Default + #!/bin/sh + sh /usr/lib/geoip-shell/geoip-shell-owrt-uninstall.sh + exit 0 +endef + +define Package/geoip-shell/prerm +$(call Package/geoip-shell/prerm/Default) +endef + +define Package/geoip-shell-iptables/prerm +$(call Package/geoip-shell/prerm/Default) +endef + +define Package/geoip-shell/postrm + #!/bin/sh + sleep 1 + echo "Reloading the firewall..." + fw4 -q reload + exit 0 +endef + +define Package/geoip-shell-iptables/postrm + #!/bin/sh + sleep 1 + echo "Reloading the firewall..." 
+ fw3 -q reload + exit 0 +endef + +define Build/Configure +endef + +define Build/Compile +endef + +define Package/geoip-shell/install/Default + + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) $(PKG_BUILD_DIR)/etc/init.d/geoip-shell-init $(1)/etc/init.d + + $(INSTALL_DIR) $(1)/etc/geoip-shell + $(INSTALL_CONF) $(PKG_BUILD_DIR)/etc/geoip-shell/cca2.list $(1)/etc/geoip-shell + $(INSTALL_CONF) $(PKG_BUILD_DIR)/etc/geoip-shell/geoip-shell.const $(1)/etc/geoip-shell + + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-fetch.sh $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-fw-include.sh $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-backup.sh $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-geoinit.sh $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-run.sh $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-mk-fw-include.sh $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-manage.sh $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-apply.sh $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-detect-lan.sh $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-cronsetup.sh $(1)/usr/bin + + $(INSTALL_DIR) $(1)/usr/lib/geoip-shell + $(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-status.sh $(1)/usr/lib/geoip-shell + $(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-owrt-common.sh $(1)/usr/lib/geoip-shell + $(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-common.sh $(1)/usr/lib/geoip-shell + $(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-owrt-uninstall.sh $(1)/usr/lib/geoip-shell + $(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-arrays.sh $(1)/usr/lib/geoip-shell + $(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-setup.sh $(1)/usr/lib/geoip-shell + $(INSTALL_CONF) 
$(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-uninstall.sh $(1)/usr/lib/geoip-shell + +endef + + +define Package/geoip-shell/install +$(call Package/geoip-shell/install/Default,$(1)) + $(INSTALL_DIR) $(1)/usr/lib/geoip-shell + $(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-nft.sh $(1)/usr/lib/geoip-shell + +endef + + +define Package/geoip-shell-iptables/install +$(call Package/geoip-shell/install/Default,$(1)) + $(INSTALL_DIR) $(1)/usr/lib/geoip-shell + $(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-ipt.sh $(1)/usr/lib/geoip-shell + +endef + +$(eval $(call BuildPackage,geoip-shell)) +$(eval $(call BuildPackage,geoip-shell-iptables)) + + diff --git a/net/geoip-shell/NOTES.md b/net/geoip-shell/NOTES.md new file mode 100644 index 0000000000..6bd0ebcbf4 --- /dev/null +++ b/net/geoip-shell/NOTES.md @@ -0,0 +1,108 @@ +## **Notes** +1) On OpenWrt, geoip-shell expects that the default shell (called by the `sh` command) is _ash_, and the automatic shell detection feature implemented for other platforms is disabled on OpenWrt. + +2) Firewall rules structure created by geoip-shell: +
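Review bot: The `postinst/Default`, `prerm/Default` and both `postrm` scripts in the new net/geoip-shell/Makefile run unconditionally, with no `IPKG_INSTROOT` check. As far as I understand the OpenWrt image build, package postinst scripts are also executed on the build host with `IPKG_INSTROOT` pointing at the staged rootfs, so `rm "/usr/bin/geoip-shell"`, the `ln -s` and the `geoip-shell configure -z` call would act on the host's absolute paths rather than on the target image, and a pre-built image would presumably ship without the symlink. I would start each script body with `[ -n "$${IPKG_INSTROOT}" ] && exit 0` and create the symlink in `Package/geoip-shell/install/Default` with `$(LN) geoip-shell-manage.sh $(1)/usr/bin/geoip-shell`, so that opkg owns and removes it. A short comment above `prerm/Default` stating what `geoip-shell-owrt-uninstall.sh` removes, and whether it also runs on a package upgrade, would let a reader judge whether geoblocking rules are dropped between prerm and the next postinst.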
Read more: + + ### **iptables** + - With **iptables**, all firewall rules created by geoip-shell are in the table `mangle`. The reason to use `mangle` is that this table has a built-in chain called `PREROUTING` which is attached to the `prerouting` hook in the netfilter kernel component. Via a rule in this chain, geoip-shell creates one set of rules which applies to all ingress traffic for a given ip family, rather than having to create and maintain separate rules for chains INPUT and FORWARDING which would be possible in the default `filter` table. + - This also means that any rules you might have in the `filter` table will only see traffic which is allowed by geoip-shell rules, which may reduce the CPU load as a side-effect. + - Note that **iptables** features separate tables for ipv4 and ipv6, hence geoip-shell creates separate rules for each family (unless the user restricts geoip-shell to a certain family during installation). + - Inside the table `mangle`, geoip-shell creates the custom chain `GEOIP-SHELL` and redirects traffic to it via a rule in the `PREROUTING` chain. geoip-shell calls that rule the "enable" rule which can be removed or re-added on-demand with the commands `geoip-shell on` and `geoip-shell off`. If the "enable" rule is not present, system firewall will act as if all other geoip-shell rules (for a given ip family) are not present. + - If specific network interfaces were set during installation, the "enable" rule directs traffic to a 2nd custom chain `GEOIP-SHELL_WAN` rather than to the `GEOIP-SHELL` chain. geoip-shell creates rules in the `GEOIP-SHELL_WAN` chain which selectively direct traffic only from the specified network interfaces to the `GEOIP-SHELL` chain. + - With iptables, geoip-shell removes the "enable" rule before making any changes to the ip sets and rules, and re-adds it once the changes have been successfully made. This is a precaution measure intended to minimize any chance of potential problems. 
Typically ip list updates do not take more than a few seconds, and on reasonably fast systems less than a second, so the time when geoip blocking is not enabled is typically very brief. + + ### **nftables** + - With **nftables**, all firewall rules created by geoip-shell are in the table named `geoip-shell`, family "inet", which is a term nftables uses for tables applying to both ip families. The `geoip-shell` table includes rules for both ip families and any nftables sets geoip-shell creates. geoip-shell creates 2 chains in that table: `GEOIP-BASE` and `GEOIP-SHELL`. The base chain attaches to netfilter's `prerouting` hook and has a rule which directs traffic to the `GEOIP-SHELL` chain. That rule is the geoip-shell "enable" rule for nftables-based systems which acts exactly like the "enable" rule in the iptables-based systems, except it applies to both ip families. + - **nftables** allows for more control over which network interfaces each rule applies to, so when certain network interfaces are specified during installation, geoip-shell specifies these interfaces directly in the rules inside the `GEOIP-SHELL` chain, and so (contrary to iptables-based systems) there is no need in an additional chain. + - **nftables** features atomic rules updates, meaning that when issuing multiple nftables commands at once, if any command fails, all changes get cancelled and the system remains in the same state as before. geoip-shell utilizes this feature for fault-tolerance and to completely eliminate time when geoip blocking is disabled during an update of the sets or rules. + - **nftables** current version (up to 1.0.8 and probably 1.0.9) has some bugs related to unnecessarily high transient memory consumption when performing certain actions, including adding new sets. These bugs are known and for the most part, already have patches implemented which should eventually roll out to the distributions. This mostly matters for embedded hardware with less than 512MB of memory. 
geoip-shell works around these bugs as much as possible. One of the workarounds is to avoid using the atomic replacement feature for nftables sets. Instead, when updating sets, geoip-shell first adds new sets one by one, then atomically applies all other changes, including rules changes and removing the old sets. In case of an error during any stage of this process, all changes get cancelled, old rules and sets remain in place and geoip-shell then destroys the new sets. This is less efficient but with current versions of nftables, this actually lowers the minimum memory bar for the embedded devices. Once a new version of nftables will be rolled out to the distros, geoip-shell will adapt the algorithm accordingly. + + ### **nftables and iptables** + - With both **nftables** and **iptables**, geoip-shell goes a long way to make sure that firewall rules and ip sets are correct and matching the user-defined config. Automatic corrective mechanisms are implemented which should restore geoip-shell firewall rules in case they do not match the config (which normally should never happen). + - geoip-shell implements rules and ip sets "tagging" to distinguish between its own rules and other rules and sets. This way, geoip-shell never makes any changes to any rules or sets which geoip-shell did not create. + - When uninstalling, geoip-shell removes all its rules, chains and ip sets. + +
+ +3) geoip-shell uses RIPE as the default source for ip lists. RIPE is a regional registry, and as such, is expected to stay online and free for the foreseeable future. However, RIPE may be fairly slow in some regions. For that reason, I implemented support for fetching ip lists from ipdeny. ipdeny provides aggregated ip lists, meaning in short that there are less entries for same effective geoip blocking, so the machine which these lists are installed on has to do less work when processing incoming connection requests. All ip lists the suite fetches from ipdeny are aggregated lists. + +4) The scripts intended as user interface are: **-install**, **-uninstall**, **-manage** (also called by running '**geoip-shell**' after installation) and **check-ip-in-registry.sh**. The -manage script saves the config to a file and implements coherence checks between that file and the actual firewall state. While you can run the other scripts individually, if you make changes to firewall geoip rules, next time you run the -manage script it may insist on reverting those changes since they are not reflected in the config file. The **-backup** script can be used individually. By default, it creates a backup of geoip-shell state after every successful action involving changes to or updates of the ip lists. If you encounter issues, you can use it with the 'restore' command to restore geoip-shell to its previous state. It also restores the config, so the -manage script will not mind. + +5) How to manually check firewall rules created by geoip-shell: + - With nftables: `nft -t list table inet geoip-shell`. This will display all geoip-shell rules and sets. + - With iptables: `iptables -vL -t mangle` and `ip6tables -vL -t mangle`. This will report all geoip-shell rules. To check ipsets created by geoip-shell, use `ipset list -n | grep geoip-shell`. For a more detailed view, use this command: `ipset list -t`. + +6) The run, fetch and apply scripts write to syslog in case an error occurs. 
The run and fetch scripts also write to syslog upon success. To verify that cron jobs ran successfully, on Debian and derivatives run `cat /var/log/syslog | grep geoip-shell`. On other distributions, you may need to figure out how to access the syslog. + +7) These scripts will not run in the background consuming resources (except for a short time when triggered by the cron jobs). All the actual blocking is done by the netfilter component in the kernel. The scripts offer an easy and relatively fool-proof interface with netfilter, config persistence, automated ip lists fetching and auto-update. + +8) Sometimes ip list source servers are temporarily unavailable and if you're unlucky enough to attempt installation during that time frame, the fetch script will fail which will cause the installation to fail as well. Try again after some time or use another source. Once the installation succeeds, an occasional fetch failure during autoupdate won't cause any issues as last successfully fetched ip list will be used until the next autoupdate cycle succeeds. + +9) How to geoblock or allow specific ports (applies to the _-install_ and _-manage_ scripts). + The general syntax is: `-p <[tcp|udp]:[allow|block]:[all|]>` + Where `ports` may be any combination of comma-separated individual ports or port ranges (for example: `125-130` or `5,6` or `3,140-145,8`). 
+ You can use the `-p` option twice to cover both tcp and udp, for example: `-p tcp:allow:22,23 -p udp:block:128-256,3` + + Examples with the -install script: + + `sh geoip-shell-install -c de -m whitelist -p tcp:allow:125-135,7` - for tcp, allow incoming traffic on ports 125-135 and 7, geoblock incoming traffic on other tcp ports (doesn't affect UDP traffic) + + `sh geoip-shell-install -c de -m blacklist -p udp:allow:3,15-20,1024-2048` - for udp, allow incoming traffic on ports 15-20 and 3, geoblock all other incoming udp traffic (doesn't affect TCP traffic) + + Examples with the -manage script (also called via 'geoip-shell' after installation) : + + `geoip-shell configure -p tcp:block:all` - for tcp, geoblock all ports (default behavior) + + `geoip-shell configure -p udp:allow:all` - for udp, don't geoblock any ports (completely disables geoblocking for udp) + + `geoip-shell configure -p tcp:block:125-135,7` - for tcp, only geoblock incoming traffic on ports 125-135 and 7, allow incoming traffic on all other tcp ports + +10) How to remove specific ports assignment: + + use `-p [tcp|udp]:block:all`. + + Example: `geoip-shell configure -p tcp:block:all` will remove prior port-specific rules for the tcp protocol. All tcp packets on all ports will now go through geoip filter. + +11) How to make all packets for a specific protocol bypass geoip blocking: + + use `p [tcp|udp]:allow:all` + + Example: `geoip-shell configure -p udp:allow:all` will allow all udp packets on all ports to bypass the geoip filter. + +12) Firewall rules persistence, as well as automatic list updates, is implemented via cron jobs: a periodic job running by default on a daily schedule, and a job that runs at system reboot (after 30 seconds delay). Either or both cron jobs can be disabled (run the *install script with the -h option to find out how, or read [DETAILS.md](DETAILS.md)). On OpenWrt, persistence is implemented via an init script and a firewall include rather than via a cron job. 
+ +13) You can specify a custom schedule for the periodic cron job by passing an argument to the install script. Run it with the '-h' option for more info. + +14) If you want to change the autoumatic update schedule but you don't know the crontab expression syntax, check out https://crontab.guru/ (no affiliation). geoip-shell includes a script which validates cron expressions you request, so don't worry about making a mistake. + +15) Note that cron jobs will be run as root. + +16) If you have nftables installed but for some reason you are using iptables rules (via the nft_compat kernel module which is provided by packages like nft-iptables etc), you can and probably should install geoip-shell with the option `-w ipt` which will force it to use iptables+ipset. For example: `geoip-shell install -w ipt`. + +17) If you upgrade your system from iptables to nftables, you can either re-install geoip-shell and it will then automatically use nftables, or you can use this command without reinstalling: `geoip-shell configure -w nft`, which will remove all iptables rules and ipsets and re-create nftables rules and sets based on your existing config. If you are on OpenWrt, this does not apply: instead, you will need to install the geoip-shell package for nftables-based OpenWrt. + +18) To test before deployment: +
Read more: + + - You can run the install script with the "-N true" (N stands for noblock) option to apply all actions and create all firewall rules except the geoip-shell "enable" rule. This way you can make sure that no errors are encountered and check the resulting firewall rules before committing to actual blocking. To enable blocking later, use the command `geoip-shell on`. + - You can run the install script with the "-n true" (n stands for nopersistence) option to skip creating the reboot cron job which implements persistence and with the '-s disable' option to skip creating the autoupdate cron job. This way, a simple machine restart should undo all changes made to the firewall (unless you have some software which restores firewall settings after reboot). For example: `sh geoip-shell-install -c -m whitelist -n true -s disable`. To enable persistence and automatic updates later, reinstall without both options. + +
+ +19) How to get yourself locked out of your remote server and how to prevent this: +
Read more: + + There are 4 scenarios where you can lock yourself out of your remote server with this suite: + - install in whitelist mode without including your country in the whitelist + - install in whitelist mode and later remove your country from the whitelist + - blacklist your country (either during installation or later) + - your remote machine has no dedicated WAN interfaces (it is behind a router) and you incorrectly specified LAN subnets the machine belongs to + + As to the first 3 scenarios, the -manage script will warn you in each of these situations and wait for your input (you can press Y and do it anyway), but that depends on you correctly specifying your country code during installation. The -install script will ask you about it. If you prefer, you can skip by pressing Enter - that will disable this feature. If you do provide the -install script your country code, it will be added to the config file on your machine and the -manage script will read the value and perform the necessary checks, during installation or later when you want to make changes to the blacklist/whitelist. + + As to the 4th scenario, geoip-shell implements LAN subnets automatic detection and asks you to verify that the detected LAN subnets are correct. If you are not sure how to verify this, reading the [SETUP.md](SETUP.md) file should help. Read the documentation, follow it and you should be fine. If you specify your own LAN ip addresses or subnets (rather than using the automatically detected ones), geoip-shell validates them, meaning it makes sure that they appear to be valid by checking them with regex, and asking the kernel. This does not prevent a situation where you provide technically valid ip's/subnets which however are not actually used in the LAN your machine belongs to. So double-check. Also note that LAN subnets **may** change in the future, for example if someone changes some config in the router or replaces the router etc. 
For this reason, when installing the suite for **all** network interfaces, the -install script offers to enable automatic detection of LAN subnets at each periodic update. If for some reason you do not enable this feature, you will need to make the necessary precautions when changing LAN subnets your remote machine belongs to. + + As an additional measure, during installation you can specify trusted ip addresses anywhere on the Internet which will not be geoblocked, so in case something goes very wrong, you will be able to regain access to the remote machine. This does require to have a known static public ip address or subnet. To specify ip's, call the install script with this option: `-t <"[trusted_ips]">`. + +
diff --git a/net/geoip-shell/OpenWrt-README.md b/net/geoip-shell/OpenWrt-README.md new file mode 100644 index 0000000000..5adcd8227e --- /dev/null +++ b/net/geoip-shell/OpenWrt-README.md 
@@ -0,0 +1,52 @@ +## geoip-shell on OpenWrt + +Currently geoip-shell fully supports OpenWrt, both with firewall3 + iptables and with firewall4 + nftables, while providing the same user interface and features as on any other Linux system. So usage is the same as described in the main [README.md](README.md) file, while some parts of the backend (namely persistence implementation), some defaults and the location of the data directory are different. + +The _geoip-shell-iptables_ package is for firewall3+iptables OpenWrt systems, while the _geoip-shell_ package is for firewall4+nftables OpenWrt systems. + +A LuCi interface has not been implemented (yet). As on any other Linux system, all user interface is via a command line (but my goal is to make this an easy experience regardless). If this discourages you from using geoip-shell, please let me know. A few people asking for this feature may motivate me to prioritize it. + +## Usage after installation via ipk +After installing the ipk package, geoip-shell will be inactive until you configure it. To do so, run `geoip-shell configure` and follow the interactive setup. You can also run `geoip-shell -h` before that to find out about configuration options and then append certain options after the `configure` action, for example: `geoip-shell configure -c "de nl" -m whitelist` to configure geoip-shell in whitelist mode for countries Germany and Netherlands. The interactive setup will ask you about all the important options but some niche options are only available non-interactively (for example if you want to configure geoblocking for certain selection of ports). You can always change these settings after initial configuration via the same `geoip-shell configure` command. 
+ +## Uninstallation of geoip-shell if installed via ipk +- For nftables-based systems: `opkg remove geoip-shell` +- For iptables-based systems: `opkg remove geoip-shell-iptables` + +## Resources management on OpenWrt +Because OpenWrt typically runs on embedded devices with limited memory and very small flash storage, geoip-shell implements some techniques to conserve these resources as much as possible: +- During installation on OpenWrt, comments and the debug code are stripped from the scripts to reduce their size. +- Only the required modules are installed, depending on the system (iptables- or nftables- based). +- I've researched the most memory-efficient way for loading ip lists into nftables sets. Currently, nftables has some bugs related to this process which may cause unnecessarily high memory consumption. geoip-shell works around these bugs as much as possible. +- To avoid unnecessary flash storage wear, all filesystem-related tasks geoip-shell does which do not require permanent storage are done in the /tmp directory which in the typical OpenWrt installation is mounted on the ramdisk. +- Some defaults on OpenWrt are different to further minimize flash storage wear (read below). + +### Scripts size +Typical geoip-shell installation on an OpenWrt system currently consumes around 120kB. The distribution folder itself weighs quite a bit more (mainly because of documentation) but you can install via an ipk which doesn't remain in storage after installation, or if installing via the -install script, delete the distribution folder and free up space taken by it. geoip-shell does not install its documentation into the system. +I have some plans to reduce that size by compressing certain scripts which provide user interface and implementing automatic extraction to /tmp when the user wants to access them, but this is not yet implemented. 
+ +To view all installed geoip-shell scripts in your system and their sizes, run `ls -lh /usr/bin/geoip-shell-* /usr/lib/geoip-shell/*`. + +## Persistence on OpenWrt +- Persistence of geoip firewall rules and ip sets works differenetly on OpenWrt than on other Linuxes, since geoip-shell has an OpenWrt-specific procd init script. +- The cron job which implements persistence on other Linuxes and runs at reboot is not created on OpenWrt. +- geoip-shell integrates into firewall3 or firewall4 via what's called a "firewall include". On OpenWrt, a firewall include is a setting which tells firewall3 or firewall4 to do something specific in response to certain events. +- The only task of the init script for geoip-shell is to call the geoip-shell-mk-fw-include.sh script, which makes sure that the firewall include exists and is correct, if not then creates the include. +- The firewall include is what does the actual persistence work. geoip-shell firewall include triggers on firewall reload (which happens either at reboot or when the system decides that a reload of the firewall is necessary, or when initiated by the user). +- When triggered, the include script calls the -run script with the "restore" action. +- The -run script verifies that geoip nftables/iptables rules and ip sets exist, and if not then it restores them from backup, or (if backup doesn't exist) initiates re-fetch of the ip lists and then re-creates the rules and the ip sets. +- By default, geoip-shell does not create backups on OpenWrt because typically the permanent storage is very small and prone to wear. +- Automatic updates of ip lists on OpenWrt are triggered from a cron job like on other Linuxes. + +## Defaults for OpenWrt +Generally the defaults are the same as for other systems, except: +- the data directory which geoip-shell uses to store the status file and the backups is by default in `/tmp/geoip-shell-data`, rather than in `/var/lib/geoip-shell` as on other Linux systems. 
This is to avoid flash wear. You can change this by running the install script with the `-a ` option, or after installation via the command `geoip-shell configure -a `. +- the 'nobackup' option is set to 'true', which configures geoip-shell to not create backups of the ip lists. With this option, geoip-shell will work as usual, except after reboot (and for iptables-based systems, after firewall restart) it will re-fetch the ip lists, rather than loading them from backup. You can change this by running the -install script with the `-o false` option (`-o` stands for nobackup), or after installation via the command `geoip-shell configure -o false`. To have persistent ip list backups, you will also need to change the data directory path as explained above. +- if using geoip-shell on a router with just a few MB of embedded flash storage, consider either leaving the nobackup and datadir path defaults as is, or connecting an external storage device to your router (preferably formatted to ext4) and configuring a directory on it as your geoip-shell data directory, then enabling automatic backups. For example, if your external storage device is mounted on _/mnt/somedevice_, you can do all this via this command: `geoip-shell configure -a /mnt/somedevice/geoip-shell-data -o false`. +- the default ip lists source for OpenWrt is ipdeny (rather than ripe). While ipdeny is a 3rd party, they provide aggregated lists which consume less memory (on nftables-based systems the ip lists are automatically optimized after loading into memory, so there the source does not matter, but a smaller initial ip lists size will cause a smaller memory consumption spike while loading the ip list). + +This is about it for this document. Much more information is available in the main [README.md](README.md) and in the extra _.md_ files inside the Documentation directory. 
If you have any questions, contact me in this thread: +https://forum.openwrt.org/t/geoip-shell-flexible-geoip-blocker-for-linux-now-supports-openwrt/189611 + +If you use this project, I will be happy to hear about your experience in the above thread. If for some reason geoip-shell is not working for you, I will want to know that as well so I can improve it. + diff --git a/net/geoip-shell/README.md b/net/geoip-shell/README.md new file mode 100644 index 0000000000..a9b3410932 --- /dev/null +++ b/net/geoip-shell/README.md 
@@ -0,0 +1,144 @@ +# **geoip-shell** +Geoip blocker for Linux. Supports both **nftables** and **iptables** firewall management utilities. + +The idea of this project is making geoip blocking easy on (almost) any Linux system, no matter which hardware, including desktop, server, VPS or router, while also being reliable and providing flexible configuration options for the advanced users. + +Supports running on OpenWrt. Supports ipv4 and ipv6. + +## Table of contents +- [Main Features](#main-features) +- [Usage](#usage) +- [Pre-requisites](#pre-requisites) +- [Notes](#notes) +- [In detail](#in-detail) +- [OpenWrt](#openwrt) +- [Privacy](#privacy) + +## **Main Features** +* Core functionality is creating either a whitelist or a blacklist in the firewall using automatically downloaded ip lists for user-specified countries. + +* ip lists are fetched either from **RIPE** (regional Internet registry for Europe, the Middle East and parts of Central Asia) or from **ipdeny**. Both sources provide updated ip lists for all regions. + +* All firewall rules and ip sets required for geoip blocking to work are created automatically during installation or setup. + +* Implements optional (enabled by default) persistence of geoip blocking across system reboots and automatic updates of the ip lists. + +* After installation, a utility is provided to check geoip status and firewall rules or change country codes and geoip-related config. + +### **Reliability**: +- Downloaded ip lists go through validation which safeguards against application of corrupted or incomplete lists to the firewall. + +
Read more: + +- With nftables, utilizes nftables atomic rules replacement to make the interaction with the system firewall fault-tolerant and to completely eliminate time when geoip is disabled during an automatic update. +- All scripts perform extensive error detection and handling. +- All user input is validated to reduce the chance of accidental mistakes. +- Verifies firewall rules coherence after each action. +- Automatic backup of geoip-shell state (optional, enabled by default except on OpenWrt). +- Automatic recovery of geoip-shell firewall rules after a reboot (a.k.a persistence) or in case of unexpected errors. +- Supports specifying trusted ip addresses anywhere on the Internet which will bypass geoip blocking to make it easier to regain access to the machine if something goes wrong. +
+ +### **Efficiency**: +- Utilizes the native nftables sets (or, with iptables, the ipset utility) which allows to create efficient firewall rules with thousands of ip ranges. + +
Read more: + +- With nftables, optimizes geoip blocking for low memory consumption or for performance, depending on the RAM capacity of the machine and on user preference. With iptables, automatic optimization is implemented. +- Ip list parsing and validation are implemented through efficient regex processing which is very quick even on slow embedded CPU's. +- Implements smart update of ip lists via data timestamp checks, which avoids unnecessary downloads and reconfiguration of the firewall. +- Uses the "prerouting" hook in kernel's netfilter component which shortens the path unwanted packets travel in the system and may reduce the CPU load if any additional firewall rules process incoming traffic down the line. +- Supports the 'ipdeny' source which provides aggregated ip lists (useful for embedded devices with limited memory). +- Scripts are only active for a short time when invoked either directly by the user or by the init script/reboot cron job/update cron job. + +
+ +### **User-friendliness**: +- Good command line interface and useful console messages. + +
Read more: + +- Extensive and (usually) up-to-date documentation. +- Sane settings are applied during installation by default, but also lots of command-line options for advanced users or for special corner cases are provided. +- Provides a utility (symlinked to _'geoip-shell'_) for the user to change geoip config (turn geoip on or off, change country codes, change geoip blocking mode, change ip lists source, change the cron schedule etc). +- Provides a command _('geoip-shell status')_ to check geoip blocking status, which also reports if there are any issues. +- In case of an error or invalid user input, provides useful error messages to help with troubleshooting. +- All main scripts display detailed 'usage' info when executed with the '-h' option. +- The code should be fairly easy to read and includes a healthy amount of comments. +
+ +### **Compatibility**: +- Since the project is written in POSIX-compliant shell code, it is compatible with virtually every Linux system (as long as it has the [pre-requisites](#pre-requisites)). It even works well on simple embedded routers with 8MB of flash storage and 128MB of memory (for nftables, 256MB is recommended if using large ip lists such as the one for US until the nftables team releases a fix reducing memory consumption). + +
Read more: + +- Supports running on OpenWrt. +- The project avoids using non-common utilities by implementing their functionality in custom shell code, which makes it faster and compatible with a wider range of systems. +
+ +## **Usage** + +If you want to change geoip blocking config or check geoip blocking status, you can do that via the provided utilities. +A selection of options is given here, for additional options run `geoip-shell -h` or read [NOTES.md](NOTES.md)and [DETAILS.md](DETAILS.md). + +**To check current geoip blocking status:** `geoip-shell status`. For a list of all firewall rules in the geoip chain and for a detailed count of ip ranges in each ip list: `geoip-shell status -v`. + +**To add or remove ip lists for countries:** `geoip-shell -c <"country_codes">` + +_
Examples:_ +- example (to add ip lists for Germany and Netherlands): `geoip-shell add -c "DE NL"` +- example (to remove the ip list for Germany): `geoip-shell remove -c DE` +
+ +**To enable or disable geoip blocking:** `geoip-shell ` + +**To change ip lists source:** `geoip-shell configure -u ` + +**To change geoip blocking mode:** `geoip-shell configure -m ` + +**To have certain trusted ip addresses or subnets bypass geoip blocking:** `geoip-shell configure -t <["ip_addresses"]|none>`. `none` removes previously set trusted ip addresses. + +**To have certain LAN ip addresses or subnets bypass geoip blocking:** `geoip-shell configure -l <["ip_addresses"]|auto|none>`. `auto` will automatically detect LAN subnets (only use this if the machine has no dedicated WAN interfaces). `none` removes previously set LAN ip addresses. This is only needed when using geoip-shell in whitelist mode, and typically only if the machine has no dedicated WAN network interfaces. Otherwise you should apply geoip blocking only to those WAN interfaces, so traffic from your LAN to the machine will bypass the geoip filter. + +**To change protocols and ports geoblocking applies to:** `geoip-shell configure -p <[tcp|udp]:[allow|block]:[all|]>` + +_(for detailed description of this feature, read [NOTES.md](NOTES.md), sections 9-11)_ + +**To enable or change the automatic update schedule:** `geoip-shell configure -s <"schedule_expression">` + +_
Example_ + +`geoip-shell configure -s "1 4 * * *"` + +
+ +**To disable automatic updates of ip lists:** `geoip-shell configure -s disable` + +**To update or re-install geoip-shell:** run the -install script from the (updated) distribution directory. It will first run the -uninstall script of the older/existing version, then install the new version. + +On OpenWrt, if installed via an ipk package: `opkg uninstall ` + +## **Pre-requisites** +- **Linux**. Tested on Debian-like systems and on OPENWRT, should work on any desktop/server distribution and possibly on some other embedded distributions. +- **POSIX-compliant shell**. Works on most relatively modern shells, including **bash**, **dash**, **ksh93**, **yash** and **ash** (including Busybox **ash**). Likely works on **mksh** and **lksh**. Other flavors of **ksh** may or may not work _(please let me know if you try them)_. Does **not** work on **tcsh** and **zsh**. + +- **nftables** - firewall management utility. Supports nftables 1.0.2 and higher (may work with earlier versions but I do not test with them). +- OR **iptables** - firewall management utility. Should work with any relatively modern version. +- for **iptables**, requires the **ipset** utility - install it using your distribution's package manager +- standard Unix utilities including **tr**, **cut**, **sort**, **wc**, **awk**, **sed**, **grep**, **pgrep**, **pidof** and **logger** which are included with every server/desktop linux distribution (and with OpenWrt). Both GNU and non-GNU versions are supported, including BusyBox implementation. +- **wget** or **curl** or **uclient-fetch** (OpenWRT-specific utility). +- for the autoupdate functionality, requires the **cron** service to be enabled. + +## **Notes** +For some helpful notes about using this suite, read [NOTES.md](NOTES.md). + +## **In detail** +For specifics about each script, read [DETAILS.md](DETAILS.md). + +## **OpenWrt** +For information about OpenWrt support, read the [OpenWrt README](OpenWrt-README.md). 
+ +## **Privacy** +geoip-shell does not share your data with anyone. +If you are using the ipdeny source then note that they are a 3rd party which has its own data privacy policy. + diff --git a/net/geoip-shell/SETUP.md b/net/geoip-shell/SETUP.md new file mode 100644 index 0000000000..052f3b20d0 --- /dev/null +++ b/net/geoip-shell/SETUP.md 
@@ -0,0 +1,67 @@ +# Notes about questions asked during the initial setup + +## **'Your shell 'A' is supported by geoip-shell but a faster shell 'B' is available in this system, using it instead is recommended. Would you like to use 'B' with geoip-shell?'** + +geoip-shell will work with the shell A you ran it from, but it will work faster with a shell B which is also installed in your system. Your call - type in `y` or `n`. The recommendation is clear. If you type in `y`, geoip-shell installer will launch itself using shell B and configure geoip-shell to always use shell B. + +## **'I'm running under an unsupported/unknown shell shell 'A' but a supported shell 'B' is available in this system, using it instead is recommended. Would you like to use 'B' with geoip-shell?'** + +Whether geoip-shell will work correctly or at all with the shell A you ran it from is unknown, but a supported shell B is available in your system. You can try to run geoip-shell with A but the recommendation is clear. Generally, geoip-shell works best with shells `ash` and `dash`. If you type in `y`, geoip-shell installer will launch itself using shell B and configure geoip-shell to always use shell B. + +## **'Please enter your country code':** + +If you answer this question, the _-manage_ script will check that changes in ip lists which you request to make will not block your own country and warn you if they will. This applies both to the initial setup, and to any subsequent changes to the ip lists which you may want to make in the future. The idea behind this is to make this tool as fool-proof as possible. This information is written to the geoip-shell config file (only readable by root) on your device and geoip-shell does not send it anywhere. You can remove this config entry any time via the command `geoip-shell configure -r none`. You can skip the question by pressing Enter if you wish. + +## **'Does this machine have dedicated WAN interface(s)? 
[y|n]':** + +Answering this question is mandatory because the firewall is configured differently, depending on the answer. Answering it incorrectly may cause unexpected results, including having no geoip blocking or losing remote access to your machine. + +A machine may have dedicated WAN network interfaces if it's a router or in certain cases a VPS (virtual private server). When geoip-shell is configured to work with certain network interfaces, geoip firewall rules are applied only to traffic arriving from these interfaces, and all other traffic is left alone. + +Otherwise, geoip rules are applied to traffic arriving from all network interfaces, except the loopback interface. Besides that, when geoip-shell is installed in whitelist mode and you picked `n` in this question, additional firewall rules may be created which add LAN subnets or ip's to the whitelist in order to avoid blocking them (you can approve or configure that on the next step of the installation). This does not guarantee that your LAN subnets will not be blocked by another rule in another table, and in fact, if you prefer to block some of them then having them in whitelist will not matter. This is because while the 'drop' verdict is final, the 'accept' verdict is not. + +## **'Autodetected ipvX LAN subnets: ... [c]onfirm, c[h]ange, [s]kip or [a]bort installation?'** + +You will see this question if installing the suite in whitelist mode and you chose `n` in the previous question. The reason why under these conditions this question is asked is to avoid blocking your LAN from accessing your machine. + +If you are absolutely sure that you will not need to access the machine from the LAN then you can type in 's' to skip. +Otherwise I recommend to add LAN subnets to the whitelist. You can either confirm the automatically detected subnets, or specify any combination of ip's and subnets on your LAN which you wish to allow connections from. 
+ +The autodetection code should, in most cases, detect correct LAN subnets. However, it is up to you to verify that it's done its job correctly. + +One way to do that is by typing in 'c' to confirm and once installation completes, verifying that you can still access the machine from LAN (note that if you have an active connection to that machine, for example through SSH, it will likely continue to work until disconnection even if autodetection of LAN subnets did not work out correctly). +Of course, this is risky in cases where you do not have physical access to the machine. + +Another way to do that is by checking which ip address you need to access the machine from, and then verifying that said ip address is included in one of the autodetected subnets. For example, if your other machine's ip is `192.168.1.5` and one of the autodetected subnets is `192.168.1.0/24` then you will want to check that `192.168.1.5` is included in subnet `192.168.1.0/24`. Provided you don't know how to make this calculation manually, you can use the `grepcidr` tool this way: +`echo "192.168.1.5" | grepcidr "192.168.1.0/24"` + +The syntax to check in multiple subnets (note the double quotes): +`echo "[ip]" | grepcidr "[subnet1] [subnet2] ... [subnetN]"` + +(also works for ipv6 addresses) + +If the ip address is in range, grepcidr will print it, otherwise it will not. You may need to install grepcidr using your distribution's package manager. + +Alternatively, you can use an online service which will do the same check for you. There are multiple services providing this functionality. To find them, look up 'IP Address In CIDR Range Check' in your preferred online search engine. + +A third way to do that is by examining your network configuration (in your router) and making sure that the autodetected subnets match those in the configuration. 
+ +If you find out that the subnets were detected incorrectly, you can type in 'h' and manually enter the correct subnets or ip addresses which you want to allow connections from. + +## **'A[u]to-detect LAN subnets when updating ip lists or keep this config c[o]nstant?'** + +As the above question, you will see this one if installing the suite in whitelist mode and you answered `n` to the question about WAN interfaces. You will not see this question if you specified custom subnets or ips in the previous question. + +The rationale for this question is that network configuration may change, and if it does then previously correctly configured LAN subnets may become irrelevant. + +If you type in 'a', each time geoip firewall rules are initialized or updated, LAN subnets will be re-detected. + +If you type in 'c' then whatever subnets have been detected during installation will be kept forever (until you re-install geoip-shell). + +Generally if automatic detection worked as expected during initial setup, most likely it will work correctly every time, so it is a good idea to allow auto-detection with each update. If not then, well, not. + +## **Extra options** + +- geoip-shell supports an additional setting: trusted ip's or subnets. Currently this is only configurable by running the -install script with the option `-t <"[trusted_ips]">` (or after installation via the `geoip-shell configure -t <"[trusted_ips]">` command). You can specify trusted ip addresses or subnets anywhere on the LAN or on the Internet. To remove this setting later, run `geoip-shell configure -t none`. + +- geoip-shell supports lots of additional command-line options. You can find out more by running `sh geoip-shell-install.sh -h`, or after installation `geoip-shell -h`, or by reading [NOTES.md](NOTES.md) and [DETAILS.md](DETAILS.md). \ No newline at end of file From e3ed196f2022b1699e2f3e2f6d7544a35d4bd491 Mon Sep 17 00:00:00 2001 
From: Alexandru Ardelean Date: Tue, 16 Apr 2024 10:31:53 +0300 Subject: [PATCH 046/106] python-cython: bump to version 3.0.10 Signed-off-by: Alexandru Ardelean --- lang/python/python-cython/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lang/python/python-cython/Makefile b/lang/python/python-cython/Makefile index 6a17e6dbe4..76b22f0ada 100644 --- a/lang/python/python-cython/Makefile +++ b/lang/python/python-cython/Makefile @@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-cython -PKG_VERSION:=3.0.7 +PKG_VERSION:=3.0.10 PKG_RELEASE:=1 PYPI_NAME:=Cython -PKG_HASH:=fb299acf3a578573c190c858d49e0cf9d75f4bc49c3f24c5a63804997ef09213 +PKG_HASH:=dcc96739331fb854dcf503f94607576cfe8488066c61ca50dfd55836f132de99 PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE.txt From 2682b28cb31a30897058a466fafe242c815c590f Mon Sep 17 00:00:00 2001 From: Michael Heimpold Date: Mon, 15 Apr 2024 21:44:25 +0200 Subject: [PATCH 047/106] php8: update to 8.3.6 This fixes: - CVE-2024-1874 - CVE-2024-2756 - CVE-2024-2757 - CVE-2024-3096 Signed-off-by: Michael Heimpold --- lang/php8/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lang/php8/Makefile b/lang/php8/Makefile index 6f2188a16a..4cbf1116f0 100644 --- a/lang/php8/Makefile +++ b/lang/php8/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=php -PKG_VERSION:=8.3.4 +PKG_VERSION:=8.3.6 PKG_RELEASE:=1 PKG_MAINTAINER:=Michael Heimpold @@ -16,7 +16,7 @@ PKG_CPE_ID:=cpe:/a:php:php PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://www.php.net/distributions/ -PKG_HASH:=39a337036a546e5c28aea76cf424ac172db5156bd8a8fd85252e389409a5ba63 +PKG_HASH:=53c8386b2123af97626d3438b3e4058e0c5914cb74b048a6676c57ac647f5eae PKG_BUILD_PARALLEL:=1 PKG_BUILD_FLAGS:=no-mips16 From 4cc682c8a47172bd71f3065f0c078519529fa227 Mon Sep 17 00:00:00 2001 
From: Sean Khan Date: Fri, 12 Apr 2024 18:40:13 -0400 Subject: [PATCH 048/106] nginx: fix geoip2 dependency on mod ngx_stream Since the geoip2 package contains both `http` and `stream` versions. It requires the module `ngx_stream` be installed and loaded and produces the error: ``` 2024/04/12 18:38:18 [emerg] 4402#0: dlopen() "/usr/lib/nginx/modules/ngx_stream_geoip2_module.so" failed (Error relocating /usr/lib/nginx/modules/ngx_stream_geoip2_module.so: ngx_stream_complex_value: symbol not found) in /etc/nginx/module.d/ngx_stream_geoip2.module:1 nginx: configuration file /etc/nginx/uci.conf test failed ``` Add dependency so it's built at build time and installed automatically by `opkg` Signed-off-by: Sean Khan --- net/nginx/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/nginx/Makefile b/net/nginx/Makefile index 7478078de3..b90cef9c10 100644 --- a/net/nginx/Makefile +++ b/net/nginx/Makefile @@ -477,7 +477,7 @@ $(eval $(call BuildModule,brotli,,ngx_http_brotli_filter ngx_http_brotli_static, Add support for brotli compression module.)) $(eval $(call BuildModule,naxsi,,ngx_http_naxsi, \ Enable NAXSI module.)) -$(eval $(call BuildModule,geoip2,+@NGINX_STREAM_CORE_MODULE +libmaxminddb,ngx_http_geoip2 ngx_stream_geoip2, \ +$(eval $(call BuildModule,geoip2,+@NGINX_STREAM_CORE_MODULE +nginx-mod-stream +libmaxminddb,ngx_http_geoip2 ngx_stream_geoip2, \ Enable MaxMind GeoIP2 module.)) # TODO: remove after a transition period (together with pkg nginx-util): From caffa410ed70285a4e48333209d673759846f989 Mon Sep 17 00:00:00 2001 
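Review bot: The added `+nginx-mod-stream` dependency makes sure the stream module is installed, but nothing on the `BuildModule,geoip2` line records that load order matters too. The relocation failure quoted in the commit message (`ngx_stream_complex_value: symbol not found`) would presumably still occur if `ngx_stream_geoip2_module.so` is loaded before `ngx_stream_module.so`. I would add a comment above the call, for example `# ngx_stream_geoip2 resolves symbols from ngx_stream_module.so: keep nginx-mod-stream as a dependency and load it first`. The hunk shows only this one call, so how load order is arranged is not visible here.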
From: Sean Khan Date: Fri, 12 Apr 2024 18:05:30 -0400 Subject: [PATCH 049/106] nginx: autoload dynamic modules In current setup, dynamic modules are not autoloaded, requiring users to create and load additional config files. We should assume that if a user installs additional modules, they want them 'on' by default. This commit does the following: 1.) generates a module load config in '/etc/nginx/modules.d' with the format '${module_name}'.module (i.e. /etc/nginx/modules.d/ngx_http_geoip2.module) 2.) deletes previous module conf for 'luci' /etc/nginx/modules.d/luci.module if it exists, this will prevent 'module already loaded' errors. The following is a portion of the final output when using the default uci template `/etc/nginx/uci.conf.template` (via nginx-util): ``` nginx -T -c '/etc/nginx/uci.conf' load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; load_module /usr/lib/nginx/modules/ngx_http_dav_ext_module.so; load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so; load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so; load_module /usr/lib/nginx/modules/ngx_http_lua_module.so; load_module /usr/lib/nginx/modules/ngx_http_naxsi_module.so; load_module /usr/lib/nginx/modules/ngx_http_ts_module.so; load_module /usr/lib/nginx/modules/ngx_http_ubus_module.so; load_module /usr/lib/nginx/modules/ngx_rtmp_module.so; load_module /usr/lib/nginx/modules/ngx_stream_module.so; load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so; ``` Signed-off-by: Sean Khan --- net/nginx/Makefile | 15 +++++++++++++-- .../files-luci-support/60_nginx-luci-support | 4 ++-- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/net/nginx/Makefile b/net/nginx/Makefile index b90cef9c10..c8bfe102b6 100644 --- a/net/nginx/Makefile +++ b/net/nginx/Makefile 
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nginx PKG_VERSION:=1.25.4 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://nginx.org/download/ @@ -195,6 +195,15 @@ define Package/nginx-mod-luci/description Support file for LuCI in nginx. Include custom nginx configuration, autostart script for uwsgi. endef +define Package/nginx-mod-luci/preinst +#!/bin/sh +grep -r -l ngx_http_ubus_module.so /etc/nginx/module.d | grep -v ngx_http_ubus.module | while read file; do + echo "Removing old LuCI module load file for 'ngx_http_ubus.so' in $$file." + rm -f $$file +done +exit 0 +endef + define Package/nginx-mod-luci/install $(INSTALL_DIR) $(1)/etc/nginx/conf.d $(INSTALL_CONF) ./files-luci-support/luci.locations $(1)/etc/nginx/conf.d/ @@ -375,8 +384,10 @@ define BuildModule define Package/nginx-mod-$(1)/install $(INSTALL_DIR) $$(1)/usr/lib/nginx/modules + $(INSTALL_DIR) $$(1)/etc/nginx/module.d $(foreach m,$(3), - $(CP) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/$(m)_module.so $$(1)/usr/lib/nginx/modules + $(CP) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/$(m)_module.so $$(1)/usr/lib/nginx/modules && \ + echo "load_module /usr/lib/nginx/modules/$(m)_module.so;" > $$(1)/etc/nginx/module.d/$(m).module ) $(call Module/nginx-mod-$(1)/install,$$(1)) endef diff --git a/net/nginx/files-luci-support/60_nginx-luci-support b/net/nginx/files-luci-support/60_nginx-luci-support index 22deb97a32..4967246eeb 100644 --- a/net/nginx/files-luci-support/60_nginx-luci-support +++ b/net/nginx/files-luci-support/60_nginx-luci-support @@ -12,8 +12,8 @@ location /ubus { EOT fi - if [ ! -f "/etc/nginx/module.d/luci.module" ]; then - cat <> /etc/nginx/module.d/luci.module + if [ ! -f "/etc/nginx/module.d/ngx_http_ubus.module" ]; then + cat < /etc/nginx/module.d/ngx_http_ubus.module load_module /usr/lib/nginx/modules/ngx_http_ubus_module.so; EOT fi From 660aa8091f1551da5ee071a4f49e92cd3e73a4c4 Mon Sep 17 00:00:00 2001 
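Review bot: The new `Package/nginx-mod-luci/preinst` script greps and deletes under the absolute path `/etc/nginx/module.d` with no `IPKG_INSTROOT` check. If the script is ever executed while an image is being assembled, it would act on the build host's `/etc` rather than the target root. The usual guard is `if [ -z "$${IPKG_INSTROOT}" ]; then … fi` around the body. The loop also expands the path unquoted and reads without `-r`; `while read -r file; do … rm -f "$$file"; done` keeps a name containing spaces or backslashes intact. `grep -v ngx_http_ubus.module` is an unanchored regex matched against the whole path, so it is worth confirming it excludes only the intended file.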
From: Sean Khan Date: Fri, 12 Apr 2024 14:03:04 -0400 Subject: [PATCH 050/106] nginx: Use zst + APK style packaging for modules Generates git tarballs in the new APK style format: Note that `SOURCE_DATE` was added and need to be updated as the commit date of the commit hash Before: ``` nginx-mod-geoip2-1cabd8a1f68ea3998f94e9f3504431970f848fbf.tar.xz nginx-mod-headers-more-bea1be3bbf6af28f6aa8cf0c01c07ee1637e2bd0.tar.xz nginx-mod-brotli-25f86f0bac1101b6512135eac5f93c49c63609e3.tar.xz nginx-mod-rtmp-f0ea62342a4eca504b311cd5df910d026c3ea4cf.tar.xz nginx-mod-ts-ef2f874d95cc75747eb625a292524a702aefb0fd.tar.xz nginx-mod-naxsi-d714f1636ea49a9a9f4f06dba14aee003e970834.tar.xz nginx-mod-lua-c89469e920713d17d703a5f3736c9335edac22bf.tar.xz nginx-mod-lua-resty-core-2e2b2adaa61719972fe4275fa4c3585daa0dcd84.tar.xz nginx-mod-lua-resty-lrucache-52f5d00403c8b7aa8a4d4f3779681976b10a18c1.tar.xz nginx-mod-dav-ext-f5e30888a256136d9c550bf1ada77d6ea78a48af.tar.xz nginx-mod-ubus-b2d7260dcb428b2fb65540edb28d7538602b4a26.tar.xz ``` After: ``` nginx-mod-geoip2-2020.01.22~1cabd8a1.tar.zst nginx-mod-headers-more-2022.07.17~bea1be3b.tar.zst nginx-mod-brotli-2020.04.23~25f86f0b.tar.zst nginx-mod-rtmp-2018.12.07~f0ea6234.tar.zst nginx-mod-ts-2017.12.04~ef2f874d.tar.zst nginx-mod-naxsi-2022.09.14~d714f163.tar.zst nginx-mod-lua-2023.08.19~c89469e9.tar.zst nginx-mod-lua-resty-core-2023.09.09~2e2b2ada.tar.zst nginx-mod-lua-resty-lrucache-2023.08.06~52f5d004.tar.zst nginx-mod-dav-ext-2018.12.17~f5e30888.tar.zst nginx-mod-ubus-2020.09.06~b2d7260d.tar.zst ``` Run tested: aarch64, Dynalink DL-WRX36, Master Branch Signed-off-by: Sean Khan --- net/nginx/Makefile | 37 ++++++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/net/nginx/Makefile b/net/nginx/Makefile index c8bfe102b6..77134516db 100644 --- a/net/nginx/Makefile +++ b/net/nginx/Makefile 
@@ -212,9 +212,10 @@ define Package/nginx-mod-luci/install endef define Download/nginx-mod-geoip2 + SOURCE_DATE:=2020-01-22 VERSION:=1cabd8a1f68ea3998f94e9f3504431970f848fbf URL:=https://github.com/leev/ngx_http_geoip2_module.git - MIRROR_HASH:=b4bd8517f6595f28e9cea5370045df476e0f7fa9ca3611d71ba85c518f1a7eda + MIRROR_HASH:=f3d2a1af5c34812b5a34453457ba6a4d8093c92085aa7f76c46a1c4185c9735c PROTO:=git endef 
@@ -246,73 +247,83 @@ define Package/nginx-mod-lua-resty-core/install endef define Download/nginx-mod-headers-more + SOURCE_DATE:=2022-07-17 VERSION:=bea1be3bbf6af28f6aa8cf0c01c07ee1637e2bd0 URL:=https://github.com/openresty/headers-more-nginx-module.git - MIRROR_HASH:=3617bbf7a935208a1d8d5f86a8f9b770f6987e4d2b5663a9ab1b777217e3066b + MIRROR_HASH:=569abadc137b5b52bdcc33b00aa21f6d266cb84fb891795da2c4e101c4898abe PROTO:=git endef define Download/nginx-mod-brotli + SOURCE_DATE:=2020-04-23 VERSION:=25f86f0bac1101b6512135eac5f93c49c63609e3 URL:=https://github.com/google/ngx_brotli.git - MIRROR_HASH:=c85cdcfd76703c95aa4204ee4c2e619aa5b075cac18f428202f65552104add3b + MIRROR_HASH:=680c56be79e7327cb8df271646119333d2f6965a3472bc7043721625fa4488f5 PROTO:=git endef define Download/nginx-mod-rtmp + SOURCE_DATE:=2018-12-07 VERSION:=f0ea62342a4eca504b311cd5df910d026c3ea4cf URL:=https://github.com/ut0mt8/nginx-rtmp-module.git - MIRROR_HASH:=d3f58066f0f858ed79f7f2b0c9b89de2ccc512c94ab3d0625f6dcff3df0b72c1 + MIRROR_HASH:=9c98d886ae4ea3708bb0bca55f8df803418a407e0ffc6df56341bd76ad39cba8 PROTO:=git endef define Download/nginx-mod-ts + SOURCE_DATE:=2017-12-04 VERSION:=ef2f874d95cc75747eb625a292524a702aefb0fd URL:=https://github.com/arut/nginx-ts-module.git - MIRROR_HASH:=73938950bb286d40d9e54b0994d1a63827340c1156c72eb04d7041b25b20ec18 + MIRROR_HASH:=3f144d4615a4aaa1215435cd06ae4054ea12206d5b38306321420f7acc62aca8 PROTO:=git endef define Download/nginx-mod-naxsi + SOURCE_DATE:=2022-09-14 VERSION:=d714f1636ea49a9a9f4f06dba14aee003e970834 URL:=https://github.com/nbs-system/naxsi.git - MIRROR_HASH:=bd006686721a68d43f052f0a4f00e9ff99fb2abfbc4dcf8194a3562fe4e5c08b + MIRROR_HASH:=b0cef5fbf842f283eb5f0686ddd1afcd07d83abd7027c8cfb3e84a2223a34797 PROTO:=git endef define Download/nginx-mod-lua + SOURCE_DATE:=2023-08-19 VERSION:=c89469e920713d17d703a5f3736c9335edac22bf URL:=https://github.com/openresty/lua-nginx-module.git - 
MIRROR_HASH:=dd66465f65c094a1ddfff2035bff4da870b7c6b7e033d307a9806a6df290a1a5 + MIRROR_HASH:=c3bdf1b23f0a63991b5dcbd1f8ee150e6f893b43278e8600e4e0bb42a6572db4 PROTO:=git endef define Download/nginx-mod-lua-resty-core + SOURCE_DATE:=2023-09-09 VERSION:=2e2b2adaa61719972fe4275fa4c3585daa0dcd84 URL:=https://github.com/openresty/lua-resty-core.git - MIRROR_HASH:=4bfc267fd027161f88fcbeacce38e6bd13ba894a581c2d6dfe78ee270b1a473c + MIRROR_HASH:=c5f3df92fd72eac5b54497c039aca0f0d9ea1d87223f1e3a54365ba565991874 PROTO:=git endef define Download/nginx-mod-lua-resty-lrucache + SOURCE_DATE:=2023-08-06 VERSION:=52f5d00403c8b7aa8a4d4f3779681976b10a18c1 URL:=https://github.com/openresty/lua-resty-lrucache.git - MIRROR_HASH:=618a972574b6b1db1eebf4046d9a471ac03ec092bb825136ba975928d4af2351 + MIRROR_HASH:=0833e0114948af4edb216c5c34b3f1919f534b298f4fa29739544f7c9bb8a08d PROTO:=git endef define Download/nginx-mod-dav-ext + SOURCE_DATE:=2018-12-17 VERSION:=f5e30888a256136d9c550bf1ada77d6ea78a48af URL:=https://github.com/arut/nginx-dav-ext-module.git - MIRROR_HASH:=70bb4c3907f4b783605500ba494e907aede11f8505702e370012abb3c177dc5b + MIRROR_HASH:=c574e60ffab5f6e5d8bea18aab0799c19cd9a84f3d819b787e9af4f0e7867b52 PROTO:=git endef define Download/nginx-mod-ubus + SOURCE_DATE:=2020-09-06 VERSION:=b2d7260dcb428b2fb65540edb28d7538602b4a26 URL:=https://github.com/Ansuel/nginx-ubus-module.git - MIRROR_HASH:=472cef416d25effcac66c85417ab6596e634a7a64d45b709bb090892d567553c + MIRROR_HASH:=515bb9d355ad80916f594046a45c190a68fb6554d6795a54ca15cab8bdd12fda PROTO:=git endef @@ -320,7 +331,7 @@ define Module/Download define Download/nginx-mod-$(1) += SUBDIR:=nginx-mod-$(1) - FILE:=nginx-mod-$(1)-$$$$(VERSION).tar.xz + FILE:=nginx-mod-$(1)-$$$$(subst -,.,$$$$(SOURCE_DATE))~$$$$(call version_abbrev,$$$$(VERSION)).tar.zst endef endef $(foreach m,$(PKG_MOD_EXTRA),$(eval $(call Module/Download,$(m)))) 
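Review bot: `SOURCE_DATE` now feeds the tarball name built in `Module/Download` (`FILE:=nginx-mod-$(1)-<date>~<abbrev>.tar.zst`), but nothing in the Makefile says it must be the commit date of `VERSION`; only the commit message does. I would add a comment above the first `Download/nginx-mod-*` block, for example `# SOURCE_DATE must be the commit date of VERSION; changing either one changes FILE and MIRROR_HASH`. Every `MIRROR_HASH` from `Download/nginx-mod-geoip2` through `Download/nginx-mod-ubus` changes while the pinned `VERSION` commits stay the same. That is presumably just the repack from .tar.xz to .tar.zst, so the new values should be regenerated from a fresh checkout during review rather than accepted from the patch.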
@@ -350,7 +361,7 @@ define Module/Build/Prepare $(eval $(call Download,nginx-mod-$(1))) $(eval $(Download/nginx-mod-$(1))) mkdir -p $(PKG_BUILD_DIR)/nginx-mod-$(1) - xzcat $(DL_DIR)/$(FILE) | tar -C $(PKG_BUILD_DIR)/nginx-mod-$(1) $(TAR_OPTIONS) --strip-components 1 + zstdcat $(DL_DIR)/$(FILE) | tar -C $(PKG_BUILD_DIR)/nginx-mod-$(1) $(TAR_OPTIONS) --strip-components 1 endef define Build/Prepare From 436e462c6405e9bcbdd2756b596d32c763fcd7ee Mon Sep 17 00:00:00 2001 From: Marcus Folkesson Date: Mon, 12 Feb 2024 16:04:09 +0100 Subject: [PATCH 051/106] python-yaml: create /host target Make the python-yaml/host target available for the build environment to be used with e.g. the PKG_BUILD_DEPENDS list. This is needed for an upcoming package (libcamera). Signed-off-by: Marcus Folkesson --- lang/python/python-yaml/Makefile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lang/python/python-yaml/Makefile b/lang/python/python-yaml/Makefile index 92ac328415..8a62c7f36f 100644 --- a/lang/python/python-yaml/Makefile +++ b/lang/python/python-yaml/Makefile @@ -20,10 +20,13 @@ PKG_LICENSE_FILES:=LICENSE PKG_CPE_ID:=cpe:/a:pyyaml:pyyaml PKG_BUILD_DEPENDS:=python-cython/host +HOST_BUILD_DEPENDS:=python-cython/host include ../pypi.mk include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/host-build.mk include ../python3-package.mk +include ../python3-host-build.mk define Package/python3-yaml SECTION:=lang @@ -43,3 +46,4 @@ PYTHON3_PKG_BUILD_VARS:=PYYAML_FORCE_LIBYAML=1 $(eval $(call Py3Package,python3-yaml)) $(eval $(call BuildPackage,python3-yaml)) $(eval $(call BuildPackage,python3-yaml-src)) +$(eval $(call HostBuild)) From eb35a3be13d98f306454657b0326822cf3029b29 Mon Sep 17 00:00:00 2001 
From: Marcus Folkesson Date: Mon, 12 Feb 2024 15:57:30 +0100 Subject: [PATCH 052/106] python-jinja2: create /host target Make the python-jinja2/host target available for the build environment to be used with e.g. the PKG_BUILD_DEPENDS list. This is needed for an upcoming package (libcamera). Signed-off-by: Marcus Folkesson --- lang/python/python-jinja2/Makefile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lang/python/python-jinja2/Makefile b/lang/python/python-jinja2/Makefile index 76ebb2334d..e7514ff136 100644 --- a/lang/python/python-jinja2/Makefile +++ b/lang/python/python-jinja2/Makefile @@ -15,10 +15,13 @@ PKG_MAINTAINER:=Michal Vasilek PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE.rst PKG_CPE_ID:=cpe:/a:pocoo:jinja2 +HOST_BUILD_DEPENDS:= python-markupsafe/host include ../pypi.mk include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/host-build.mk include ../python3-package.mk +include ../python3-host-build.mk define Package/python3-jinja2 SECTION:=lang @@ -43,3 +46,4 @@ endef $(eval $(call Py3Package,python3-jinja2)) $(eval $(call BuildPackage,python3-jinja2)) $(eval $(call BuildPackage,python3-jinja2-src)) +$(eval $(call HostBuild)) From 23bd17806b7b687e6723e9239c50b4208e2bb7d6 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Thu, 18 Apr 2024 21:46:11 +0200 Subject: [PATCH 053/106] libssh: update to version 0.10.6, fix build with mbedtls 3.6 Signed-off-by: Felix Fietkau --- libs/libssh/Makefile | 6 +-- libs/libssh/patches/100-mbedtls_fix.patch | 53 +++++++++++++++++++++++ 2 files changed, 56 insertions(+), 3 deletions(-) create mode 100644 libs/libssh/patches/100-mbedtls_fix.patch diff --git a/libs/libssh/Makefile b/libs/libssh/Makefile index 7cd1bd6b67..21d03c7fec 100644 --- a/libs/libssh/Makefile +++ b/libs/libssh/Makefile 
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libssh -PKG_VERSION:=0.10.4 -PKG_RELEASE:=2 +PKG_VERSION:=0.10.6 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://www.libssh.org/files/0.10/ -PKG_HASH:=07392c54ab61476288d1c1f0a7c557b50211797ad00c34c3af2bbc4dbc4bd97d +PKG_HASH:=1861d498f5b6f1741b6abc73e608478491edcf9c9d4b6630eef6e74596de9dc1 PKG_MAINTAINER:=Mislav Novakovic PKG_LICENSE:=LGPL-2.1-or-later BSD-2-Clause diff --git a/libs/libssh/patches/100-mbedtls_fix.patch b/libs/libssh/patches/100-mbedtls_fix.patch new file mode 100644 index 0000000000..4a6309c399 --- /dev/null +++ b/libs/libssh/patches/100-mbedtls_fix.patch 
@@ -0,0 +1,53 @@ +--- a/cmake/Modules/FindMbedTLS.cmake ++++ b/cmake/Modules/FindMbedTLS.cmake +@@ -34,7 +34,7 @@ set(_MBEDTLS_ROOT_HINTS_AND_PATHS + + find_path(MBEDTLS_INCLUDE_DIR + NAMES +- mbedtls/config.h ++ mbedtls/version.h + HINTS + ${_MBEDTLS_ROOT_HINTS_AND_PATHS} + PATH_SUFFIXES +@@ -72,7 +72,13 @@ find_library(MBEDTLS_X509_LIBRARY + set(MBEDTLS_LIBRARIES ${MBEDTLS_SSL_LIBRARY} ${MBEDTLS_CRYPTO_LIBRARY} + ${MBEDTLS_X509_LIBRARY}) + +-if (MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h") ++if (MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h") ++ file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h" _mbedtls_version_str REGEX ++ "^#[\t ]*define[\t ]+MBEDTLS_VERSION_STRING[\t ]+\"[0-9]+.[0-9]+.[0-9]+\"") ++ ++ string(REGEX REPLACE "^.*MBEDTLS_VERSION_STRING.*([0-9]+.[0-9]+.[0-9]+).*" ++ "\\1" MBEDTLS_VERSION "${_mbedtls_version_str}") ++elseif (MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h") + file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h" _mbedtls_version_str REGEX + "^#[\t ]*define[\t ]+MBEDTLS_VERSION_STRING[\t ]+\"[0-9]+.[0-9]+.[0-9]+\"") + +@@ -93,7 +99,7 @@ if (MBEDTLS_VERSION) + in the system variable MBEDTLS_ROOT_DIR" + ) + else (MBEDTLS_VERSION) +- find_package_handle_standard_args(MBedTLS ++ find_package_handle_standard_args(MbedTLS + "Could NOT find mbedTLS, try to set the path to mbedLS root folder in + the system variable MBEDTLS_ROOT_DIR" + MBEDTLS_INCLUDE_DIR +--- a/src/libmbedcrypto.c ++++ b/src/libmbedcrypto.c +@@ -118,8 +118,14 @@ int hmac_update(HMACCTX c, const void *d + + int hmac_final(HMACCTX c, unsigned char *hashmacbuf, size_t *len) + { ++ const mbedtls_md_info_t *md_info; + int rc; +- *len = (unsigned int)mbedtls_md_get_size(c->md_info); ++#if MBEDTLS_VERSION_MAJOR >= 3 ++ md_info = mbedtls_md_info_from_ctx(c); ++#else ++ md_info = c->md_info; ++#endif ++ *len = (unsigned int)mbedtls_md_get_size(md_info); + rc = !mbedtls_md_hmac_finish(c, 
hashmacbuf); + mbedtls_md_free(c); + SAFE_FREE(c); From de4ef9d169a182350796afca778742bf68052af4 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Thu, 18 Apr 2024 21:58:13 +0200 Subject: [PATCH 054/106] curl: fix SSL init with mbedtls 3.6 Signed-off-by: Felix Fietkau --- ...dtls_ssl_setup-after-RNG-callback-is.patch | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 net/curl/patches/100-mbedtls-call-mbedtls_ssl_setup-after-RNG-callback-is.patch diff --git a/net/curl/patches/100-mbedtls-call-mbedtls_ssl_setup-after-RNG-callback-is.patch b/net/curl/patches/100-mbedtls-call-mbedtls_ssl_setup-after-RNG-callback-is.patch new file mode 100644 index 0000000000..5f8dd940f3 --- /dev/null +++ b/net/curl/patches/100-mbedtls-call-mbedtls_ssl_setup-after-RNG-callback-is.patch 
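Review bot: `100-mbedtls_fix.patch` is added with no header at all, so the next person refreshing patches on a libssh update cannot tell where the change came from or whether upstream already carries it. I would prepend a short header with author, a `Subject:` line, a sentence on why `FindMbedTLS.cmake` now probes `mbedtls/build_info.h` and why `hmac_final` uses `mbedtls_md_info_from_ctx()`, and the upstream submission status. In the `hmac_final` hunk the `#if MBEDTLS_VERSION_MAJOR >= 3` branch depends on the version macro already being visible in `src/libmbedcrypto.c`. The hunk does not show the includes, so that should be confirmed, because an undefined macro silently evaluates to 0 and selects the `c->md_info` branch.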
@@ -0,0 +1,45 @@ +From: Kailun Qin +Date: Mon, 8 Apr 2024 05:13:56 -0400 +Subject: [PATCH] mbedtls: call mbedtls_ssl_setup() after RNG callback is set + +Since mbedTLS v3.6.0, the RNG check added in ssl_conf_check() will fail +if no RNG is provided when calling mbedtls_ssl_setup(). + +Therefore, mbedtls_ssl_conf_rng() needs to be called before the SSL +context is passed to mbedtls_ssl_setup(). + +Ref: https://github.com/Mbed-TLS/mbedtls/commit/b422cab052b51ec84758638d6783d6ba4fc60613 + +Signed-off-by: Kailun Qin +Closes #13314 +--- + +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -602,10 +602,6 @@ mbed_connect_step1(struct Curl_cfilter * + } + + mbedtls_ssl_init(&backend->ssl); +- if(mbedtls_ssl_setup(&backend->ssl, &backend->config)) { +- failf(data, "mbedTLS: ssl_init failed"); +- return CURLE_SSL_CONNECT_ERROR; +- } + + /* new profile with RSA min key len = 1024 ... */ + mbedtls_ssl_conf_cert_profile(&backend->config, +@@ -639,6 +635,15 @@ mbed_connect_step1(struct Curl_cfilter * + + mbedtls_ssl_conf_rng(&backend->config, mbedtls_ctr_drbg_random, + &backend->ctr_drbg); ++ ++ ret = mbedtls_ssl_setup(&backend->ssl, &backend->config); ++ if(ret) { ++ mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); ++ failf(data, "ssl_setup failed - mbedTLS: (-0x%04X) %s", ++ -ret, errorbuf); ++ return CURLE_SSL_CONNECT_ERROR; ++ } ++ + mbedtls_ssl_set_bio(&backend->ssl, cf, + mbedtls_bio_cf_write, + mbedtls_bio_cf_read, From d7e63d4e24599c66ae9e4c8984398f826108c5c5 Mon Sep 17 00:00:00 2001 From: Tianling Shen Date: Mon, 15 Apr 2024 15:20:07 +0800 Subject: [PATCH 055/106] v2ray-geodata: make PKG_RELEASE numeric again According to the documentation[1] 'PKG_RELEASE' should be a number, so polulate the APK-style 'r' via 'VERSION' instead. 1. https://openwrt.org/docs/guide-developer/packages#buildpackage_variables Fixes: 30796c59485b ("v2ray-geodata: use APK compatible version schema") Reported-by: Sean Khan 
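Review bot: This commit changes how the installed curl initialises TLS, yet its diffstat lists only the new patch file, so `PKG_RELEASE` in `net/curl/Makefile` is not bumped. Without a bump, devices that already have this curl version installed will not be offered the rebuilt package, and a binary with the fix has the same version as one without it. I would add the `PKG_RELEASE` increment to this commit. The moved `mbedtls_ssl_setup()` call now reports through `ret` and `errorbuf`; both are presumably already declared in `mbed_connect_step1`, whose body starts and ends outside the hunk.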
Signed-off-by: Tianling Shen --- net/v2ray-geodata/Makefile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/v2ray-geodata/Makefile b/net/v2ray-geodata/Makefile index c10eb41cb9..7329519f10 100644 --- a/net/v2ray-geodata/Makefile +++ b/net/v2ray-geodata/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=v2ray-geodata -PKG_RELEASE:=r1 +PKG_RELEASE:=1 PKG_LICENSE_FILES:=LICENSE PKG_MAINTAINER:=Tianling Shen @@ -51,7 +51,7 @@ define Package/v2ray-geoip $(call Package/v2ray-geodata/template) TITLE:=GeoIP List for V2Ray PROVIDES:=v2ray-geodata xray-geodata xray-geoip - VERSION:=$(GEOIP_VER)-$(PKG_RELEASE) + VERSION:=$(GEOIP_VER)-r$(PKG_RELEASE) LICENSE:=CC-BY-SA-4.0 endef @@ -59,7 +59,7 @@ define Package/v2ray-geosite $(call Package/v2ray-geodata/template) TITLE:=Geosite List for V2Ray PROVIDES:=v2ray-geodata xray-geodata xray-geosite - VERSION:=$(GEOSITE_VER)-$(PKG_RELEASE) + VERSION:=$(GEOSITE_VER)-r$(PKG_RELEASE) LICENSE:=MIT endef @@ -67,7 +67,7 @@ define Package/v2ray-geosite-ir $(call Package/v2ray-geodata/template) TITLE:=Iran Geosite List for V2Ray PROVIDES:=xray-geosite-ir - VERSION:=$(GEOSITE_IRAN_VER)-$(PKG_RELEASE) + VERSION:=$(GEOSITE_IRAN_VER)-r$(PKG_RELEASE) LICENSE:=MIT endef From c1e6fbbcb06786c7f78f7a12f9bf7337e94b2160 Mon Sep 17 00:00:00 2001 From: Tianling Shen Date: Mon, 15 Apr 2024 15:18:04 +0800 Subject: [PATCH 056/106] v2ray-geodata: Update to latest version Signed-off-by: Tianling Shen --- net/v2ray-geodata/Makefile | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/net/v2ray-geodata/Makefile b/net/v2ray-geodata/Makefile index 7329519f10..c87cbc4a22 100644 --- a/net/v2ray-geodata/Makefile +++ b/net/v2ray-geodata/Makefile 
@@ -12,31 +12,31 @@ PKG_MAINTAINER:=Tianling Shen include $(INCLUDE_DIR)/package.mk -GEOIP_VER:=202404040040 +GEOIP_VER:=202404110039 GEOIP_FILE:=geoip.dat.$(GEOIP_VER) define Download/geoip URL:=https://github.com/v2fly/geoip/releases/download/$(GEOIP_VER)/ URL_FILE:=geoip.dat FILE:=$(GEOIP_FILE) - HASH:=492a0af649accb4e9ae91f80a272e295ce6444489f6d85b389cdc635234c6ddf + HASH:=d4a2e3666139dc98b76f1b0bc7db6b9dd9b35a5d2b0aecb5943e4211c1ebd026 endef -GEOSITE_VER:=20240403140129 +GEOSITE_VER:=20240410101316 GEOSITE_FILE:=dlc.dat.$(GEOSITE_VER) define Download/geosite URL:=https://github.com/v2fly/domain-list-community/releases/download/$(GEOSITE_VER)/ URL_FILE:=dlc.dat FILE:=$(GEOSITE_FILE) - HASH:=bcae4b8ff409117b8f24e6c62c0d5c8c9d4dca75d335e12f8ac3a22331a81c52 + HASH:=e74d3da9d4db57fba399f9093ffabbc6630a7cf10965ebcde07725a0f00e24d7 endef -GEOSITE_IRAN_VER:=202404010028 +GEOSITE_IRAN_VER:=202404150255 GEOSITE_IRAN_FILE:=iran.dat.$(GEOSITE_IRAN_VER) define Download/geosite-ir URL:=https://github.com/bootmortis/iran-hosted-domains/releases/download/$(GEOSITE_IRAN_VER)/ URL_FILE:=iran.dat FILE:=$(GEOSITE_IRAN_FILE) - HASH:=322d972bfb3f6bb5d960c6d7e14a732d75f0a32ad59ce609a1a9843eef51e257 + HASH:=7b29fd53c2a25c6d79eeb6f76cc4b0a0770fe00eee1ea4d7a4a9f77d49ca44ad endef define Package/v2ray-geodata/template From 8951378aece0cd33e97d975c2232e66d040582c2 Mon Sep 17 00:00:00 2001 From: Maxim Storchak Date: Sun, 14 Apr 2024 15:27:28 +0300 Subject: [PATCH 057/106] rsync: support xxhash and lz4 Signed-off-by: Maxim Storchak --- net/rsync/Config.in | 10 ++++++++++ net/rsync/Makefile | 10 +++++----- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/net/rsync/Config.in b/net/rsync/Config.in index f5e3b67b13..30e86261fc 100644 --- a/net/rsync/Config.in +++ b/net/rsync/Config.in 
@@ -17,4 +17,14 @@ if PACKAGE_rsync prompt "Enable zstd stream compression" default n + config RSYNC_lz4 + bool + prompt "Enable lz4, extremely fast compression" + default n + + config RSYNC_xxhash + bool + prompt "Enable xxhash, extremely fast hash" + default n + endif diff --git a/net/rsync/Makefile b/net/rsync/Makefile index e943ac8415..723eaa348f 100644 --- a/net/rsync/Makefile +++ b/net/rsync/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=rsync PKG_VERSION:=3.3.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://download.samba.org/pub/$(PKG_NAME)/src @@ -30,8 +30,8 @@ define Package/rsync SECTION:=net CATEGORY:=Network SUBMENU:=File Transfer - TITLE:=Fast remote file copy program (like rcp) - DEPENDS:=+libpopt +zlib +RSYNC_xattr:libattr +RSYNC_acl:libacl +RSYNC_zstd:libzstd $(ICONV_DEPENDS) + TITLE:=an open source utility that provides fast incremental file transfer + DEPENDS:=+libpopt +zlib +RSYNC_xattr:libattr +RSYNC_acl:libacl +RSYNC_zstd:libzstd +RSYNC_xxhash:libxxhash +RSYNC_lz4:liblz4 $(ICONV_DEPENDS) URL:=https://rsync.samba.org/ MENU:=1 endef @@ -47,18 +47,18 @@ CONFIGURE_ARGS += \ --without-included-zlib \ --disable-debug \ --disable-asm \ - --disable-lz4 \ --disable-locale \ --disable-md2man \ --disable-openssl \ --disable-simd \ --disable-roll-simd \ - --disable-xxhash \ --$(if $(CONFIG_BUILD_NLS),en,dis)able-iconv \ --$(if $(CONFIG_BUILD_NLS),en,dis)able-iconv-open \ --$(if $(CONFIG_RSYNC_zstd),en,dis)able-zstd \ + --$(if $(CONFIG_RSYNC_lz4),en,dis)able-lz4 \ --$(if $(CONFIG_RSYNC_xattr),en,dis)able-xattr-support \ --$(if $(CONFIG_RSYNC_acl),en,dis)able-acl-support \ + --$(if $(CONFIG_RSYNC_xxhash),en,dis)able-xxhash \ $(if $(CONFIG_IPV6),,--disable-ipv6) define Package/rsyncd From bfb5d820bf3f7e50fdde9da759e7407b5d5763a2 Mon Sep 17 00:00:00 2001 
From: Rosen Penev Date: Sun, 14 Apr 2024 16:44:08 -0700 Subject: [PATCH 058/106] ibrcommon: remove basename Can be replaced with regular C++. Signed-off-by: Rosen Penev --- libs/ibrcommon/Makefile | 2 +- .../patches/001-fix-build-with-musl.patch | 30 +++++++++++++------ 2 files changed, 22 insertions(+), 10 deletions(-) diff --git a/libs/ibrcommon/Makefile b/libs/ibrcommon/Makefile index b1adfd39fd..2b6f4c2ebe 100644 --- a/libs/ibrcommon/Makefile +++ b/libs/ibrcommon/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ibrcommon PKG_VERSION:=1.0.1 -PKG_RELEASE:=9 +PKG_RELEASE:=10 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.ibr.cs.tu-bs.de/projects/ibr-dtn/releases diff --git a/libs/ibrcommon/patches/001-fix-build-with-musl.patch b/libs/ibrcommon/patches/001-fix-build-with-musl.patch index c7b9a8c358..bee392d0d9 100644 --- a/libs/ibrcommon/patches/001-fix-build-with-musl.patch +++ b/libs/ibrcommon/patches/001-fix-build-with-musl.patch @@ -1,21 +1,33 @@ --- a/ibrcommon/data/File.cpp 
+++ b/ibrcommon/data/File.cpp -@@ -35,9 +35,7 @@ +@@ -35,10 +35,6 @@ #include #include -#if !defined(HAVE_FEATURES_H) || defined(ANDROID) - #include +-#include -#endif - +- #ifdef __WIN32__ #include -@@ -226,7 +224,7 @@ namespace ibrcommon + #define FILE_DELIMITER_CHAR '\\' +@@ -225,14 +221,11 @@ namespace ibrcommon + std::string File::getBasename() const { - #if !defined(ANDROID) && defined(HAVE_FEATURES_H) +-#if !defined(ANDROID) && defined(HAVE_FEATURES_H) - return std::string(basename(_path.c_str())); -+ return std::string(basename((char *)_path.c_str())); - #else - char path[_path.length()+1]; - ::memcpy(&path, _path.c_str(), _path.length()+1); +-#else +- char path[_path.length()+1]; +- ::memcpy(&path, _path.c_str(), _path.length()+1); +- +- return std::string(basename(path)); +-#endif ++ size_t found = _path.find_last_of('/'); ++ if (found != std::string::npos) ++ return _path.substr(found + 1); ++ else ++ return _path; + } + + File File::get(const std::string &filename) const From 2650de46866572f110c28b5a3ddff5ee86c59f45 Mon Sep 17 00:00:00 2001 From: krant Date: Fri, 19 Apr 2024 14:10:45 +0300 Subject: [PATCH 059/106] socat: fix compile error when ccache is enabled Signed-off-by: krant --- net/socat/Makefile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/socat/Makefile b/net/socat/Makefile index 6da3aee467..4afaf7e784 100644 --- a/net/socat/Makefile +++ b/net/socat/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=socat PKG_VERSION:=1.8.0.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=http://www.dest-unreach.org/socat/download @@ -58,6 +58,9 @@ CONFIGURE_ARGS += \ --disable-readline \ --enable-termios +## procan.c fails to compile when ccache is enabled +MAKE_FLAGS += CC="$(TARGET_CC_NOCACHE)" + ifneq ($(CONFIG_SOCAT_SSL),y) CONFIGURE_ARGS+= --disable-openssl endif From 8982c3e61adc4595dc9955529c993347ca78c5f5 Mon Sep 17 00:00:00 2001 
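Review bot: The replacement body of `File::getBasename()` does not behave like the `basename()` call it removes when the path ends in a separator: `_path.substr(found + 1)` returns an empty string for `"dir/"`, where `basename()` returned `"dir"`. If callers can pass directory paths with a trailing slash, trailing separators should be stripped before the search, or the behaviour change should be stated in the patch description. The search also hard-codes `'/'` although the file defines `FILE_DELIMITER_CHAR` (the `__WIN32__` definition is visible in the context lines). Assuming the macro is defined on the other branch too, `_path.find_last_of(FILE_DELIMITER_CHAR)` would stay consistent with the rest of the file.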
From: Zephyr Lykos Date: Wed, 17 Apr 2024 21:34:08 +0800 Subject: [PATCH 060/106] tailscale: Update to 1.64.1 Signed-off-by: Zephyr Lykos --- net/tailscale/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/tailscale/Makefile b/net/tailscale/Makefile index 2de831fcc5..7d73216da6 100644 --- a/net/tailscale/Makefile +++ b/net/tailscale/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tailscale -PKG_VERSION:=1.62.1 +PKG_VERSION:=1.64.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/tailscale/tailscale/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=22737fae37e971fecdf49d6b741b99988868aa3f1e683e67e14b872a2c49ca1c +PKG_HASH:=df6009abb4800a7e7681063c9d3f62da6850060e4949ca0bd1edad60781e9f03 PKG_MAINTAINER:=Jan Pavlinec PKG_LICENSE:=BSD-3-Clause From 55440f2ac7e79a24e9675ecf7d1f79b0b7bc0907 Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Sat, 13 Apr 2024 15:05:03 -0700 Subject: [PATCH 061/106] yara: update to 4.5.0 Move away from codeload for smaller and better tarballs. Signed-off-by: Rosen Penev --- utils/yara/Makefile | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/utils/yara/Makefile b/utils/yara/Makefile index 98bbc9233a..480d6f43d6 100644 --- a/utils/yara/Makefile +++ b/utils/yara/Makefile @@ -8,12 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=yara -PKG_VERSION:=4.2.0 +PKG_VERSION:=4.5.0 PKG_RELEASE:=1 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://codeload.github.com/VirusTotal/yara/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=6f567d4e4b79a210cd57a820f59f19ee69b024188ef4645b1fc11488a4660951 +PKG_SOURCE_PROTO:=git +PKG_SOURCE_VERSION:=v$(PKG_VERSION) +PKG_SOURCE_URL:=https://github.com/VirusTotal/yara +PKG_MIRROR_HASH:=1b549a5aa3320ed768398b0152cb194a7e30c24275fc054facdb4d41bf729cb4 PKG_MAINTAINER:=Marko Ratkaj PKG_LICENSE:=BSD-3-Clause 
@@ -48,6 +49,8 @@ CONFIGURE_ARGS += \ $(if $(CONFIG_YARA_module_magic),--enable,--disable)-magic \ $(if $(CONFIG_YARA_module_cuckoo),--enable,--disable)-cuckoo +TARGET_CFLAGS += -D_LARGEFILE64_SOURCE + define Package/yara/config source "$(SOURCE)/Config.in" endef From b20e69d765739c2134dae48bfc3f016c598bb8c2 Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Sun, 14 Apr 2024 16:10:31 +0200 Subject: [PATCH 062/106] rtty: Fix compilation with musl libc 1.2.5 Support POSIX basename used in musl libc 1.2.5. Signed-off-by: Hauke Mehrtens --- ...upport-POSIX-basename-from-musl-libc.patch | 91 +++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 utils/rtty/patches/0001-Support-POSIX-basename-from-musl-libc.patch diff --git a/utils/rtty/patches/0001-Support-POSIX-basename-from-musl-libc.patch b/utils/rtty/patches/0001-Support-POSIX-basename-from-musl-libc.patch new file mode 100644 index 0000000000..8493557e7c --- /dev/null +++ b/utils/rtty/patches/0001-Support-POSIX-basename-from-musl-libc.patch 
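Review bot: `TARGET_CFLAGS += -D_LARGEFILE64_SOURCE` is added with no comment, and the commit message mentions only the version update and the move away from codeload. A define like this tends to outlive its reason, so I would put a one-line comment above it naming the build failure it fixes, for example `# required for <failing symbol> with the target libc (fill in the symbol)`. Separately, `PKG_SOURCE_VERSION:=v$(PKG_VERSION)` fetches a tag rather than a commit. That is acceptable only because `PKG_MIRROR_HASH` pins the content, so that hash should be regenerated independently when reviewing.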
@@ -0,0 +1,91 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hauke Mehrtens +Date: Sun, 14 Apr 2024 16:06:15 +0200 +Subject: Support POSIX basename() from musl libc + +Musl libc 1.2.5 removed the definition of the basename() function from +string.h and only provides it in libgen.h as the POSIX standard +defines it. + +This change fixes compilation with musl libc 1.2.5. +```` +build_dir/target-mips_24kc_musl/rtty-mbedtls/rtty-8.1.1/src/file.c:156:24: error: implicit declaration of function 'basename' [-Werror=implicit-function-declaration] + 156 | const char *name = basename(path); + | ^~~~~~~~ +```` + +basename() modifies the input string, copy it first with strdup(), If +strdup() returns NULL the code will handle it. + +Signed-off-by: Hauke Mehrtens +--- + src/file.c | 8 +++++++- + src/filectl.c | 6 +++++- + 2 files changed, 12 insertions(+), 2 deletions(-) + +--- a/src/file.c ++++ b/src/file.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -153,13 +154,17 @@ static int start_upload_file(struct file + { + struct tty *tty = container_of(ctx, struct tty, file); + struct rtty *rtty = tty->rtty; +- const char *name = basename(path); ++ const char *name; + struct stat st; + int fd; ++ char *dirc; + ++ dirc = strdup(path); ++ name = basename(dirc); + fd = open(path, O_RDONLY); + if (fd < 0) { + log_err("open '%s' fail: %s\n", path, strerror(errno)); ++ free(dirc); + return -1; + } + +@@ -177,6 +182,7 @@ static int start_upload_file(struct file + ctx->remain_size = st.st_size; + + log_info("upload file: %s, size: %" PRIu64 "\n", path, (uint64_t)st.st_size); ++ free(dirc); + + return 0; + } +--- a/src/filectl.c ++++ b/src/filectl.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + #include "utils.h" + #include "file.h" +@@ -75,6 +76,7 @@ static void handle_file_control_msg(int + { + struct file_control_msg msg; + struct buffer b = {}; ++ char *dirc; + + while (true) { 
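Review bot: In `start_upload_file` the result of `strdup(path)` is passed straight to `basename()` without a NULL check. The patch description says a NULL return is handled, but POSIX `basename(NULL)` returns `"."`, so on allocation failure the upload would go ahead under the name `.` instead of failing. I would add `if (!dirc) return -1;` right after the `strdup()`. Moving the `strdup()` below the successful `open()` would also make the extra `free(dirc)` in the open-failure branch unnecessary. The function continues between the two hunks, so any other early return there needs a `free(dirc)` too. The same unchecked pattern is in `handle_file_control_msg` in `src/filectl.c` and in `___log` in the lua-eco `log/log.c` patch that follows. There it only affects printed text, but `___log` now allocates on every log call; `strrchr(filename, '/')` would avoid both the allocation and the NULL case.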
+ if (buffer_put_fd(&b, fd, -1, NULL) < 0) +@@ -90,7 +92,9 @@ static void handle_file_control_msg(int + if (sfd > -1) { + close(sfd); + gettimeofday(&start_time, NULL); +- printf("Transferring '%s'...Press Ctrl+C to cancel\n", basename(path)); ++ dirc = strdup(path); ++ printf("Transferring '%s'...Press Ctrl+C to cancel\n", basename(dirc)); ++ free(dirc); + + if (total_size == 0) { + printf(" 100%% 0 B 0s\n"); From 577259cfb94079a9962a8abec68a54626bdac5e5 Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Sun, 14 Apr 2024 16:10:31 +0200 Subject: [PATCH 063/106] lua-eco: Fix compilation with musl libc 1.2.5 Support POSIX basename used in musl libc 1.2.5. Signed-off-by: Hauke Mehrtens --- ...upport-POSIX-basename-from-musl-libc.patch | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 lang/lua-eco/patches/0001-Support-POSIX-basename-from-musl-libc.patch diff --git a/lang/lua-eco/patches/0001-Support-POSIX-basename-from-musl-libc.patch b/lang/lua-eco/patches/0001-Support-POSIX-basename-from-musl-libc.patch new file mode 100644 index 0000000000..5c9b7bb967 --- /dev/null +++ b/lang/lua-eco/patches/0001-Support-POSIX-basename-from-musl-libc.patch 
@@ -0,0 +1,62 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hauke Mehrtens +Date: Sun, 14 Apr 2024 17:13:17 +0200 +Subject: Support POSIX basename() from musl libc + +Musl libc 1.2.5 removed the definition of the basename() function from +string.h and only provides it in libgen.h as the POSIX standard +defines it. + +This change fixes compilation with musl libc 1.2.5. +```` +/build_dir/target-mips_24kc_musl/lua-eco-3.3.0/log/log.c: In function '___log': +/build_dir/target-mips_24kc_musl/lua-eco-3.3.0/log/log.c:76:24: error: implicit declaration of function 'basename' [-Werror=implicit-function-declaration] + 76 | filename = basename(filename); + | ^~~~~~~~ +/build_dir/target-mips_24kc_musl/lua-eco-3.3.0/log/log.c:76:22: error: assignment to 'const char *' from 'int' makes pointer from integer without a cast [-Werror=int-conversion] + 76 | filename = basename(filename); + | ^ +```` + +basename() modifies the input string, copy it first with strdup(), If +strdup() returns NULL the code will handle it. + +Signed-off-by: Hauke Mehrtens +--- + log/log.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/log/log.c ++++ b/log/log.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + + #include "log.h" + +@@ -65,6 +66,7 @@ void ___log(const char *filename, int li + { + char new_fmt[256]; + va_list ap; ++ char *dirc = NULL; + + priority = LOG_PRI(priority); + +@@ -72,9 +74,13 @@ void ___log(const char *filename, int li + return; + + if (__log_flags__ & LOG_FLAG_FILE || __log_flags__ & LOG_FLAG_PATH) { +- if (!(__log_flags__ & LOG_FLAG_PATH)) +- filename = basename(filename); ++ if (!(__log_flags__ & LOG_FLAG_PATH)) { ++ dirc = strdup(filename); ++ filename = basename(dirc); ++ } + snprintf(new_fmt, sizeof(new_fmt), "(%s:%3d) %s", filename, line, fmt); ++ if (!(__log_flags__ & LOG_FLAG_PATH)) ++ free(dirc); + } else { + snprintf(new_fmt, sizeof(new_fmt), "%s", fmt); + } 
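Review bot: ___log now performs a strdup()/free() pair for every message that prints a bare file name, and when the allocation fails the name is rendered as "." because basename(NULL) returns "." under POSIX, so the log line loses its origin exactly when memory is short. A non-allocating form avoids both problems and the libgen.h include: `const char *slash = strrchr(filename, '/');` followed by `if (slash) filename = slash + 1;`. This differs from basename() only for paths with a trailing slash, which presumably never occur for source file names passed to this function. The guard around `free(dirc)` is also unnecessary, since dirc starts as NULL and free(NULL) is a no-op.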
From 1bac5b386d0155ab9211cd710cded034b5dae988 Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Sat, 13 Apr 2024 14:44:40 -0700 Subject: [PATCH 064/106] udpspeeder: use local tarballs Simpler, smaller, and avoids PKG_UNPACK. Signed-off-by: Rosen Penev --- net/udpspeeder/Makefile | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/net/udpspeeder/Makefile b/net/udpspeeder/Makefile index cfa6a7f19e..77b329146c 100644 --- a/net/udpspeeder/Makefile +++ b/net/udpspeeder/Makefile @@ -9,11 +9,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=UDPspeeder PKG_VERSION:=20230206.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://codeload.github.com/wangyu-/$(PKG_NAME)/tar.gz/$(PKG_VERSION)? -PKG_HASH:=c6b0c45e971360b25cd49be0369e94b2fb12f649d39c7e60c172c14a9e3a4e0d +PKG_SOURCE_PROTO:=git +PKG_SOURCE_VERSION:=$(PKG_VERSION) +PKG_SOURCE_URL:=https://github.com/wangyu-/UDPspeeder +PKG_MIRROR_HASH:=8196a07089112a164ea07cc95806f79075bd1b12cc7af5316e2793421bb2cfbf PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE @@ -38,11 +39,10 @@ endef MAKE_FLAGS += cross define Build/Prepare - $(PKG_UNPACK) + $(Build/Prepare/Default) sed -i 's/cc_cross=.*/cc_cross=$(TARGET_CXX)/g' $(PKG_BUILD_DIR)/makefile sed -i '/\gitversion/d' $(PKG_BUILD_DIR)/makefile echo 'const char * const gitversion = "$(PKG_VERSION)";' > $(PKG_BUILD_DIR)/git_version.h - $(Build/Patch) endef define Package/UDPspeeder/install From b2742ed05d5404d1c2cada7c51607126d19fa3f6 Mon Sep 17 00:00:00 2001 From: Paul Donald Date: Fri, 1 Mar 2024 21:49:30 +0100 Subject: [PATCH 065/106] ntpd: update to version 4.2.8p17 Also some spell fixes for README.md Drop patch-0001 - ntpd >= 4.2.8p16 patched this behaviour. See: https://bugs.ntp.org/show_bug.cgi?id=3741 (and the linked diff there) https://git.nwtime.org/websites/ntpwww/commit/d2a7faef2fea5f10b28cc2ee1d842e4b241f414f 
Signed-off-by: Paul Donald --- net/ntpd/Makefile | 6 ++--- net/ntpd/README.md | 8 +++--- ...o-not-use-PTHREAD_STACK_MIN-on-glibc.patch | 27 ------------------- 3 files changed, 7 insertions(+), 34 deletions(-) delete mode 100644 net/ntpd/patches/0001-libntp-Do-not-use-PTHREAD_STACK_MIN-on-glibc.patch diff --git a/net/ntpd/Makefile b/net/ntpd/Makefile index 44cdb25e8b..51a78403b8 100644 --- a/net/ntpd/Makefile +++ b/net/ntpd/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ntp -PKG_VERSION:=4.2.8p15 -PKG_RELEASE:=4 +PKG_VERSION:=4.2.8p17 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ -PKG_HASH:=f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19 +PKG_HASH:=103dd272e6a66c5b8df07dce5e9a02555fcd6f1397bdfb782237328e89d3a866 PKG_LICENSE:=NTP PKG_LICENSE_FILES:=COPYRIGHT html/copyright.html diff --git a/net/ntpd/README.md b/net/ntpd/README.md index 70e11a6e3e..40ef733197 100644 --- a/net/ntpd/README.md +++ b/net/ntpd/README.md @@ -36,7 +36,7 @@ The parameter(s) `server` enumerate a list of servers to be used for reference NTP servers by the local daemon. At least one is required, and two or more are recommended (unless you have an extremely available local server). They should be picked to be geographically divergent, -and preferrably reachable via different network carriers to protect +and preferably reachable via different network carriers to protect against network partitions, etc. They should also be high-quality time providers (i.e. having stable, accurate clock sources). 
@@ -71,10 +71,10 @@ As a result, the NTP servers that your ISP may point you at are often of unknown/unverified quality, and you use them at your own risk. -Early millenial versions of Windows (2000, XP, etc) used NTP only +Early millennial versions of Windows (2000, XP, etc) used NTP only to _initially set_ the clock to approximately 100ms accuracy (and -not maintain sychronization), so the bar wasn't set very high. -Since then, requirements for higher-qualty timekeeping have +not maintain synchronization), so the bar wasn't set very high. +Since then, requirements for higher-quality timekeeping have arisen (e.g. multi-master SQL database replication), but most ISPs have not kept up with the needs of their users. diff --git a/net/ntpd/patches/0001-libntp-Do-not-use-PTHREAD_STACK_MIN-on-glibc.patch b/net/ntpd/patches/0001-libntp-Do-not-use-PTHREAD_STACK_MIN-on-glibc.patch deleted file mode 100644 index 7db6eefcfb..0000000000 --- a/net/ntpd/patches/0001-libntp-Do-not-use-PTHREAD_STACK_MIN-on-glibc.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 082a504cfcc046c3d8adaae1164268bc94e5108a Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Sat, 31 Jul 2021 10:51:41 -0700 -Subject: [PATCH] libntp: Do not use PTHREAD_STACK_MIN on glibc - -In glibc 2.34+ PTHREAD_STACK_MIN is not a compile-time constant which -could mean different stack sizes at runtime on different architectures -and it also causes compile failure. Default glibc thread stack size -or 64Kb set by ntp should be good in glibc these days. - -Upstream-Status: Pending -Signed-off-by: Khem Raj ---- - libntp/work_thread.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/libntp/work_thread.c -+++ b/libntp/work_thread.c -@@ -41,7 +41,7 @@ - #ifndef THREAD_MINSTACKSIZE - # define THREAD_MINSTACKSIZE (64U * 1024) - #endif --#ifndef __sun -+#if !defined(__sun) && !defined(__GLIBC__) - #if defined(PTHREAD_STACK_MIN) && THREAD_MINSTACKSIZE < PTHREAD_STACK_MIN - # undef THREAD_MINSTACKSIZE - # define THREAD_MINSTACKSIZE PTHREAD_STACK_MIN From afae2776e99fb00c4b113a0ecbcd8a28d1a9bdd0 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Sat, 20 Apr 2024 07:41:20 +0200 Subject: [PATCH 066/106] curl: fix/bump PKG_RELEASE, remove maintainer * make PKG_RELEASE numeric again * made a release bump due to a newly added patch (see https://github.com/openwrt/packages/commit/de4ef9d169a182350796afca778742bf68052af4 for details) * remove maintainer (as requested in #23890 Signed-off-by: Dirk Brenken --- net/curl/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/curl/Makefile b/net/curl/Makefile index 5ad13c4c5c..5174e6c44e 100644 --- a/net/curl/Makefile +++ b/net/curl/Makefile @@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/nls.mk PKG_NAME:=curl PKG_VERSION:=8.7.1 -PKG_RELEASE:=r1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=https://github.com/curl/curl/releases/download/curl-$(subst .,_,$(PKG_VERSION))/ \ 
@@ -81,7 +81,7 @@ define Package/curl/Default SECTION:=net CATEGORY:=Network URL:=http://curl.se/ - MAINTAINER:=Stan Grishin + MAINTAINER:= endef define Package/curl From 767b3f2ea8d2d0fccab222c55750422b1de237cb Mon Sep 17 00:00:00 2001 From: Hannu Nyman Date: Sat, 20 Apr 2024 09:21:07 +0300 Subject: [PATCH 067/106] geoip-shell: remove extra r from PKG_RELEASE Remove the unnecessary 'r' from PKG_RELEASE as it is added automatically by the build system to the final versioning. (Current version leads into 'geoip-shell_0.5-rr2_all.ipk') Signed-off-by: Hannu Nyman --- net/geoip-shell/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/geoip-shell/Makefile b/net/geoip-shell/Makefile index 12bc0eb6fe..494ef9fdf4 100644 --- a/net/geoip-shell/Makefile +++ b/net/geoip-shell/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=geoip-shell PKG_VERSION:=0.5 -PKG_RELEASE:=r2 +PKG_RELEASE:=2 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=antonk PKG_SOURCE_PROTO:=git From fa80fefe22d0c7ca1c1e34deb52683b54af1ed17 Mon Sep 17 00:00:00 2001 
From: Dirk Brenken Date: Fri, 19 Apr 2024 22:09:29 +0200 Subject: [PATCH 068/106] banip: release 0.9.5-1 * added a DDoS protection rules in a new pre-routing chain to prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets, flood tresholds are configured via 'ban_icmplimit' (default 10/s), 'ban_synlimit' (default 10/s) and 'ban_udplimit' (default 100/s) * the new pre-routing rules are tracked via named nft counters and are part of the standard reporting, set 'ban_logprerouting' accordingly * block countries dynamically by Regional Internet Registry (RIR)/regions, e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE, set 'ban_region' accordingly * it's now possible to always allow certain protocols/destination ports in wan-input and wan-forward chains, set 'ban_allowflag' accordingly - e.g. ' tcp 80 443-445' * filter/convert possible windows line endings of external feeds during processing * the cpu core autodetection is now limited to max. 16 cores in parallel, set 'ban_cores' manually to overrule this limitation * set the default nft priority to -100 for banIP input/forward chains (pre-routing is set to -150) * update readme * a couple of bugfixes & performance improvements * removed abandoned feeds: darklist, ipblackhole * added new feeds: becyber, ipsum, pallebone, debl (changed URL) * requires a LuCI frontend update as well (separate PR/commit) Signed-off-by: Dirk Brenken --- net/banip/Makefile | 4 +- net/banip/files/README.md | 113 ++++--- net/banip/files/banip-functions.sh | 293 ++++++++++------- net/banip/files/banip-service.sh | 15 +- net/banip/files/banip.countries | 498 ++++++++++++++--------------- net/banip/files/banip.feeds | 55 ++-- 6 files changed, 534 insertions(+), 444 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index 64426e5907..e8ba7edc19 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile 
@@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=0.9.4 -PKG_RELEASE:=3 +PKG_VERSION:=0.9.5 +PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/README.md b/net/banip/files/README.md index 9b21ba5189..a28067e84e 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md @@ -17,12 +17,12 @@ IP address blocking is commonly used to protect against brute force attacks, pre | antipopads | antipopads IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | asn | ASN segments | | | x | tcp: 80, 443 | [Link](https://asn.ipinfo.app) | | backscatterer | backscatterer IPs | x | x | | | [Link](https://www.uceprotect.net/en/index.php) | +| becyber | malicious attacker IPs | x | x | | | [Link](https://github.com/duggytuxy/malicious_ip_addresses) | | binarydefense | binary defense banlist | x | x | | | [Link](https://iplists.firehol.org/?ipset=bds_atif) | | bogon | bogon prefixes | x | x | | | [Link](https://team-cymru.com) | | bruteforceblock | bruteforceblocker IPs | x | x | | | [Link](https://danger.rulez.sk/index.php/bruteforceblocker/) | | country | country blocks | x | x | | | [Link](https://www.ipdeny.com/ipblocks) | | cinsscore | suspicious attacker IPs | x | x | | | [Link](https://cinsscore.com/#list) | -| darklist | blocks suspicious attacker IPs | x | x | | | [Link](https://darklist.de) | | debl | fail2ban IP blacklist | x | x | | | [Link](https://www.blocklist.de) | | doh | public DoH-Provider | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/DoH-IP-blocklists) | | drop | spamhaus drop compilation | x | x | | | [Link](https://www.spamhaus.org) | 
@@ -37,14 +37,15 @@ IP address blocking is commonly used to protect against brute force attacks, pre | greensnow | suspicious server IPs | x | x | | | [Link](https://greensnow.co) | | iblockads | Advertising IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) | | iblockspy | Malicious spyware IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) | -| ipblackhole | blackhole IPs | x | x | | | [Link](https://ip.blackhole.monster) | +| ipsum | malicious IPs | x | x | | | [Link](https://github.com/stamparm/ipsum) | | ipthreat | hacker and botnet TPs | x | x | | | [Link](https://ipthreat.net) | | myip | real-time IP blocklist | x | x | | | [Link](https://myip.ms) | | nixspam | iX spam protection | x | x | | | [Link](http://www.nixspam.org) | | oisdbig | OISD-big IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | oisdnsfw | OISD-nsfw IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | oisdsmall | OISD-small IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| proxy | open proxies | x | | | | [Link](https://iplists.firehol.org/?ipset=proxylists) | +| pallebone | curated IP blocklist | x | x | | | [Link](https://github.com/pallebone/StrictBlockPAllebone) | +| proxy | open proxies | x | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) | | ssbl | SSL botnet IPs | x | x | | | [Link](https://sslbl.abuse.ch) | | stevenblack | stevenblack IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | talos | talos IPs | x | x | | | [Link](https://talosintelligence.com/reputation_center) | 
@@ -66,10 +67,12 @@ IP address blocking is commonly used to protect against brute force attacks, pre * Full IPv4 and IPv6 support * Supports nft atomic Set loading * Supports blocking by ASN numbers and by iso country codes +* Block countries dynamically by Regional Internet Registry (RIR), e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE * Supports local allow- and blocklist with MAC/IPv4/IPv6 addresses or domain names * Supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments * All local input types support ranges in CIDR notation * Auto-add the uplink subnet or uplink IP to the local allowlist +* Prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets (DDoS attacks) in an additional prerouting chain * Provides a small background log monitor to ban unsuccessful login attempts in real-time (like fail2ban, crowdsec etc.) * Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist * Auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP @@ -80,6 +83,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre * Provides HTTP ETag support to download only ressources that have been updated on the server side, to speed up banIP reloads and to save bandwith * Supports an 'allowlist only' mode, this option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments * Supports external allowlist URLs to reference additional IPv4/IPv6 feeds +* Optionally always allow certain protocols/destination ports in wan-input and wan-forward chains * Deduplicate IPs accross all Sets (single IPs only, no intervals) * Provides comprehensive runtime information * Provides a detailed Set report 
@@ -149,14 +153,19 @@ Available commands: | ban_logreadfile | option | /var/log/messages | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread | | ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets | | ban_debug | option | 0 | enable banIP related debug logging | -| ban_loginput | option | 1 | log drops in the wan-input chain | -| ban_logforwardwan | option | 1 | log drops in the wan-forward chain | -| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain | +| ban_icmplimit | option | 10 | treshold in number of packets to detect icmp DDoS in prerouting chain | +| ban_synlimit | option | 10 | treshold in number of packets to detect syn DDoS in prerouting chain | +| ban_udplimit | option | 100 | treshold in number of packets to detect udp DDoS in prerouting chain | +| ban_logprerouting | option | 0 | log supsicious packets in the prerouting chain | +| ban_loginput | option | 0 | log supsicious packets in the wan-input chain | +| ban_logforwardwan | option | 0 | log supsicious packets in the wan-forward chain | +| ban_logforwardlan | option | 0 | log supsicious packets in the lan-forward chain | | ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) | | ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) | | ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP | | ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all | | ban_allowlistonly | option | 0 | skip all blocklists and restrict the internet access only to specific, explicitly allowed IP segments | +| ban_allowflag | option | - | always allow certain protocols(tcp or udp) plus destination ports or 
port ranges, e.g.: 'tcp 80 443-445' | | ban_allowurl | list | - | external allowlist feed URLs, one or more references to simple remote IP lists | | ban_basedir | option | /tmp | base working directory while banIP processing | | ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files | @@ -174,11 +183,12 @@ Available commands: | ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) | | ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) | | ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug | -| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) | +| ban_nftpriority | option | -100 | nft priority for the banIP table (the prerouting table is fixed to priority -150) | | ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance | | ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' | | ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) | | ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' | +| ban_region | list | - | Regional Internet Registry (RIR) country selection. Supported regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE | | ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' | | ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' | | ban_blocktype | option | drop | 'drop' packets silently on input and forwardwan chains or actively 'reject' the traffic | 
@@ -206,39 +216,46 @@ Available commands: ::: ::: banIP Set Statistics ::: - Timestamp: 2024-03-02 07:38:28 + Timestamp: 2024-04-17 23:02:15 ------------------------------ - auto-added to allowlist today: 0 - auto-added to blocklist today: 0 + blocked syn-flood packets in prerouting : 5 + blocked udp-flood packets in prerouting : 11 + blocked icmp-flood packets in prerouting : 6 + blocked invalid ct packets in prerouting : 277 + blocked invalid tcp packets in prerouting: 0 + ---------- + auto-added IPs to allowlist today: 0 + auto-added IPs to blocklist today: 0 Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets) | Port/Protocol Limit ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------ - allowlistv4MAC | 0 | - | - | OK: 0 | - - allowlistv6MAC | 0 | - | - | OK: 0 | - - allowlistv4 | 1 | OK: 0 | OK: 0 | OK: 0 | - - allowlistv6 | 2 | OK: 0 | OK: 0 | OK: 0 | - - adguardtrackersv6 | 74 | - | - | OK: 0 | tcp: 80, 443 - adguardtrackersv4 | 883 | - | - | OK: 0 | tcp: 80, 443 - cinsscorev4 | 12053 | OK: 25 | OK: 0 | - | - - countryv4 | 37026 | OK: 14 | OK: 0 | - | - - deblv4 | 13592 | OK: 0 | OK: 0 | - | - - countryv6 | 38139 | OK: 0 | OK: 0 | - | - - deblv6 | 82 | OK: 0 | OK: 0 | - | - - dohv6 | 837 | - | - | OK: 0 | tcp: 80, 443 - dohv4 | 1240 | - | - | OK: 0 | tcp: 80, 443 - dropv6 | 51 | OK: 0 | OK: 0 | - | - - dropv4 | 592 | OK: 0 | OK: 0 | - | - - firehol1v4 | 906 | OK: 1 | OK: 0 | - | - - firehol2v4 | 2105 | OK: 0 | OK: 0 | OK: 0 | - - threatv4 | 55 | OK: 0 | OK: 0 | - | - - ipthreatv4 | 2042 | OK: 0 | OK: 0 | - | - - turrisv4 | 6433 | OK: 0 | OK: 0 | - | - - blocklistv4MAC | 0 | - | - | OK: 0 | - - blocklistv6MAC | 0 | - | - | OK: 0 | - - blocklistv4 | 0 | OK: 0 | OK: 0 | OK: 0 | - - blocklistv6 | 0 | OK: 0 | OK: 0 | OK: 0 | - + allowlistv4MAC | 0 | - | - | ON: 0 | - + allowlistv6MAC | 0 | - | - | ON: 0 | - + allowlistv4 | 1 | ON: 0 | ON: 0 | ON: 0 | - 
+ allowlistv6 | 2 | ON: 0 | ON: 0 | ON: 0 | - + adguardtrackersv6 | 105 | - | - | ON: 0 | tcp: 80, 443 + adguardtrackersv4 | 816 | - | - | ON: 0 | tcp: 80, 443 + becyberv4 | 229006 | ON: 2254 | ON: 0 | - | - + cinsscorev4 | 7135 | ON: 1630 | ON: 2 | - | - + deblv4 | 10191 | ON: 23 | ON: 0 | - | - + countryv6 | 38233 | ON: 7 | ON: 0 | - | - + countryv4 | 37169 | ON: 2323 | ON: 0 | - | - + deblv6 | 65 | ON: 0 | ON: 0 | - | - + dropv6 | 66 | ON: 0 | ON: 0 | - | - + dohv4 | 1219 | - | - | ON: 0 | tcp: 80, 443 + dropv4 | 895 | ON: 75 | ON: 0 | - | - + dohv6 | 832 | - | - | ON: 0 | tcp: 80, 443 + threatv4 | 20 | ON: 0 | ON: 0 | - | - + firehol1v4 | 753 | ON: 1 | ON: 0 | - | - + ipthreatv4 | 1369 | ON: 20 | ON: 0 | - | - + firehol2v4 | 2216 | ON: 1 | ON: 0 | - | - + turrisv4 | 5613 | ON: 179 | ON: 0 | - | - + blocklistv4MAC | 0 | - | - | ON: 0 | - + blocklistv6MAC | 0 | - | - | ON: 0 | - + blocklistv4 | 0 | ON: 0 | ON: 0 | ON: 0 | - + blocklistv6 | 0 | ON: 0 | ON: 0 | ON: 0 | - ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------ - 24 | 116113 | 16 (40) | 16 (0) | 13 (0) + 25 | 335706 | 17 (6513) | 17 (2) | 12 (0) ``` **banIP runtime information** 
@@ -246,16 +263,16 @@ Available commands: ~# /etc/init.d/banip status ::: banIP runtime information + status : active (nft: ✔, monitor: ✔) - + version : 0.9.4-1 - + element_count : 116113 - + active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, adguardtrackersv6, adguardtrackersv4, cinsscorev4, countryv4, deblv4, countryv6, deblv6, dohv6, dohv4, dropv6, dropv4, firehol1v4, firehol2v4, threatv4, ipthreatv4, turrisv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6 + + version : 0.9.5-r1 + + element_count : 335706 + + active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, adguardtrackersv6, adguardtrackersv4, becyberv4, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dropv6, dohv4, dropv4, dohv6, threatv4, firehol1v4, ipthreatv4, firehol2v4, turrisv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6 + active_devices : wan: pppoe-wan / wan-if: wan, wan_6 / vlan-allow: - / vlan-block: - - + active_uplink : 217.89.211.113, fe80::2c35:fb80:e78c:cf71, 2003:ed:b5ff:2338:2c15:fb80:e78c:cf71 - + nft_info : priority: -200, policy: performance, loglevel: warn, expiry: 2h + + active_uplink : 217.83.205.130, fe80::9cd6:12e9:c4df:75d3, 2003:ed:b5ff:43bd:9cd5:12e7:c3ef:75d8 + + nft_info : priority: 0, policy: performance, loglevel: warn, expiry: 2h + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report - + run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘ - + last_run : action: reload, log: logread, fetch: curl, duration: 0m 50s, date: 2024-03-02 07:35:01 - + system_info : cores: 4, memory: 1685, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r25356-09be63de70 + + run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/inp/fwd/lan): ✔/✘/✘/✘, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘ + + last_run : action: reload, log: logread, fetch: curl, duration: 2m 33s, date: 2024-04-17 05:57:56 + + system_info : 
cores: 4, memory: 1573, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r25932-338b463e1e ``` **banIP search information** @@ -315,11 +332,14 @@ Both local lists also accept domain names as input to allow IP filtering based o banIP supports an "allowlist only" mode. This option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments - and block access to the rest of the internet. All IPs which are _not_ listed in the allowlist (plus the external Allowlist URLs) are blocked. **MAC/IP-binding** -banIP supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. Following notations in the local allow and block lists are allowed: +banIP supports concatenation of local MAC addresses/ranges with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. Following notations in the local allow and block lists are allowed: ``` MAC-address only: C8:C2:9B:F7:80:12 => this will be populated to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0 +MAC-address range: +C8:C2:9B:F7:80:12/24 => this populate the MAC-range C8:C2:9B:00:00:00", "C8:C2:9B:FF:FF:FF to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0 + MAC-address with IPv4 concatenation: C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated only to v4MAC-Set with the certain IP, no entry in the v6MAC-Set @@ -334,6 +354,7 @@ MAC-address with IPv4 and IPv6 wildcard concatenation: C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP C8:C2:9B:F7:80:12 => this will be populated to v6MAC-Set with the IP-wildcard ::/0 ``` + **enable the cgi interface to receive remote logging events** banIP ships a basic cgi interface in '/www/cgi-bin/banip' to receive remote logging events (disabled by default). The cgi interface evaluates logging events via GET or POST request (see examples below). To enable the cgi interface set the following options: 
@@ -407,12 +428,12 @@ A valid JSON source object contains the following information, e.g.: "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", "descr": "tor exit nodes", - "flag": "80-89 443 tcp" + "flag": "tcp 80-89 443" }, [...] ``` Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed. -Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, port numbers (plus ranges) for destination port limitations with 'tcp' (default) or 'udp' as protocol variants. +Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations. ## Support Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 5de6501716..1498c8cb0a 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -16,6 +16,7 @@ ban_basedir="/tmp" ban_backupdir="/tmp/banIP-backup" ban_reportdir="/tmp/banIP-report" ban_feedfile="/etc/banip/banip.feeds" +ban_countryfile="/etc/banip/banip.countries" ban_customfeedfile="/etc/banip/banip.custom.feeds" ban_allowlist="/etc/banip/banip.allowlist" ban_blocklist="/etc/banip/banip.blocklist" 
@@ -36,18 +37,24 @@ ban_reportelements="1" ban_remotelog="0" ban_remotetoken="" ban_nftloglevel="warn" -ban_nftpriority="-200" +ban_nftpriority="-100" ban_nftpolicy="memory" ban_nftexpiry="" ban_loglimit="100" +ban_icmplimit="10" +ban_synlimit="10" +ban_udplimit="100" ban_logcount="1" ban_logterm="" +ban_region="" ban_country="" ban_asn="" -ban_loginput="1" -ban_logforwardwan="1" +ban_logprerouting="0" +ban_loginput="0" +ban_logforwardwan="0" ban_logforwardlan="0" ban_allowurl="" +ban_allowflag="" ban_allowlistonly="0" ban_autoallowlist="1" ban_autoallowuplink="subnet" @@ -104,6 +111,7 @@ f_system() { [ "${cpu}" = "0" ] && cpu="1" [ "${core}" = "0" ] && core="1" ban_cores="$((cpu * core))" + [ "${ban_cores}" -gt "16" ] && ban_cores="16" fi } @@ -211,8 +219,7 @@ f_rmpid() { kill -INT "${pid}" >/dev/null 2>&1 done fi - : >"${ban_rdapfile}" - : >"${ban_pidfile}" + : >"${ban_rdapfile}" >"${ban_pidfile}" } # write log messages @@ -247,7 +254,9 @@ f_log() { # load config # f_conf() { - unset ban_dev ban_vlanallow ban_vlanblock ban_ifv4 ban_ifv6 ban_feed ban_allowurl ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn + local rir ccode region country + + unset ban_dev ban_vlanallow ban_vlanblock ban_ifv4 ban_ifv6 ban_feed ban_allowurl ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_region ban_country ban_asn config_cb() { option_cb() { local option="${1}" @@ -294,6 +303,9 @@ f_conf() { "ban_logterm") eval "${option}=\"$(printf "%s" "${ban_logterm}")${value}\\|\"" ;; + "ban_region") + eval "${option}=\"$(printf "%s" "${ban_region}")${value} \"" + ;; "ban_country") eval "${option}=\"$(printf "%s" "${ban_country}")${value} \"" ;; 
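Review bot: The defaults block flips `ban_loginput` and `ban_logforwardwan` from "1" to "0" and adds `ban_logprerouting="0"`, so an install that never set these options stops logging wan-input and wan-forward drops after the upgrade, and the commit description does not mention the change. For anyone who relies on those log lines for monitoring, that is a silent loss of visibility. A comment above the four log defaults would make the intent clear, for example `# packet logging is disabled by default, enable ban_logprerouting/ban_loginput/ban_logforwardwan/ban_logforwardlan explicitly`, and the release notes should state it as well.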
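Review bot: The new `"ban_region"` branch in the option callback of f_conf builds its assignment with `eval` and interpolates `${value}` from the UCI config without validation, copying the pattern of the neighbouring `ban_country` branch. Because only five values are supported, the branch can check the value and assign directly: `case "${value}" in AFRINIC|ARIN|APNIC|LACNIC|RIPE) ban_region="${ban_region}${value} " ;; esac`. That removes the eval for this option and rejects misspelt regions early; it assumes the region column of banip.countries uses the same upper-case names the README lists. The config is presumably writable only by root and the LuCI frontend, so this is hardening rather than a fix for a reachable flaw. The callback's body starts outside the hunk.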
@@ -305,6 +317,14 @@ f_conf() { } config_load banip [ -f "${ban_logreadfile}" ] && ban_logreadcmd="$(command -v tail)" || ban_logreadcmd="$(command -v logread)" + + for rir in ${ban_region}; do + while read -r ccode region country; do + if [ "${rir}" = "${region}" ] && ! printf "%s" "${ban_country}" | "${ban_grepcmd}" -qw "${ccode}"; then + ban_country="${ban_country} ${ccode}" + fi + done < "${ban_countryfile}" + done } # get nft/monitor actuals 
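Review bot: The region loop added at the end of f_conf reads `${ban_countryfile}` without checking that the file is readable, so a missing or unreadable file produces one redirection error per configured region and leaves `ban_country` unchanged, which means the requested region block is simply not applied. A region name that matches no line in the file fails the same silent way. A guard before the loop, such as `[ -r "${ban_countryfile}" ] || f_log "info" "country file '${ban_countryfile}' not readable, ban_region ignored"`, would surface the first case. In the duplicate check, `"${ban_grepcmd}" -qwF "${ccode}"` would match the code as a fixed string instead of a regular expression.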
@@ -575,12 +595,33 @@ f_etag() { # build initial nft file with base table, chains and rules # f_nftinit() { - local wan_dev vlan_allow vlan_block feed_log feed_rc file="${1}" + local wan_dev vlan_allow vlan_block log_ct log_icmp log_syn log_udp log_tcp feed_log feed_rc allow_proto allow_dport flag file="${1}" wan_dev="$(printf "%s" "${ban_dev}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')" [ -n "${ban_vlanallow}" ] && vlan_allow="$(printf "%s" "${ban_vlanallow%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')" [ -n "${ban_vlanblock}" ] && vlan_block="$(printf "%s" "${ban_vlanblock%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')" + for flag in ${ban_allowflag}; do + if [ -z "${allow_proto}" ] && { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; }; then + allow_proto="${flag}" + elif [ -n "${allow_proto}" ] && [ -n "${flag//[![:digit]-]/}" ] && ! printf "%s" "${allow_dport}" | "${ban_grepcmd}" -qw "${flag}"; then + if [ -z "${allow_dport}" ]; then + allow_dport="${flag}" + else + allow_dport="${allow_dport}, ${flag}" + fi + fi + done + [ -n "${allow_dport}" ] && allow_dport="${allow_proto} dport { ${allow_dport} }" + + if [ "${ban_logprerouting}" = "1" ]; then + log_icmp="log level ${ban_nftloglevel} prefix \"banIP/pre-icmp/drop: \"" + log_syn="log level ${ban_nftloglevel} prefix \"banIP/pre-syn/drop: \"" + log_udp="log level ${ban_nftloglevel} prefix \"banIP/pre-udp/drop: \"" + log_tcp="log level ${ban_nftloglevel} prefix \"banIP/pre-tcp/drop: \"" + log_ct="log level ${ban_nftloglevel} prefix \"banIP/pre-ct/drop: \"" + fi + { # nft header (tables and chains) # 
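Review bot: In the `ban_allowflag` loop of f_nftinit the port test `[ -n "${flag//[![:digit]-]/}" ]` writes `[:digit]` without the closing colon, so the bracket expression is not the digit class and, as far as I can tell, practically every token after the protocol passes the test, including a second `tcp` or `udp`. Even with `[:digit:]` the test only requires that at least one digit or hyphen is present, so a token like `80abc` would still be copied into the `dport { … }` set and written to the nft file. Requiring the token to consist solely of digits and hyphens closes both gaps: use `[ -z "${flag//[0-9-]/}" ]` in place of the `-n` test. An invalid token would presumably make the ruleset load fail and leave the banIP chains unloaded, so it is better filtered here. f_nftinit's body continues outside the hunk.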
@@ -589,36 +630,55 @@ f_nftinit() { printf "%s\n" "delete table inet banIP" fi printf "%s\n" "add table inet banIP" + printf "%s\n" "add counter inet banIP cnt-icmpflood" + printf "%s\n" "add counter inet banIP cnt-udpflood" + printf "%s\n" "add counter inet banIP cnt-synflood" + printf "%s\n" "add counter inet banIP cnt-tcpinvalid" + printf "%s\n" "add counter inet banIP cnt-ctinvalid" + printf "%s\n" "add chain inet banIP pre-routing { type filter hook prerouting priority -150; policy accept; }" printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }" printf "%s\n" "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }" printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }" printf "%s\n" "add chain inet banIP reject-chain" - # default reject rules + # default reject chain rules # printf "%s\n" "add rule inet banIP reject-chain meta l4proto tcp reject with tcp reset" printf "%s\n" "add rule inet banIP reject-chain reject" + # default pre-routing rules + # + printf "%s\n" "add rule inet banIP pre-routing iifname != { ${wan_dev} } counter accept" + printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct} counter name cnt-ctinvalid drop" + printf "%s\n" "add rule inet banIP pre-routing ip protocol icmp limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop" + printf "%s\n" "add rule inet banIP pre-routing ip6 nexthdr icmpv6 limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop" + printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt-udpflood drop" + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt-synflood drop" + printf "%s\n" 
"add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp} counter name cnt-tcpinvalid drop" + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp} counter name cnt-tcpinvalid drop" + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp} counter name cnt-tcpinvalid drop" + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) ${log_tcp} counter name cnt-tcpinvalid drop" + # default wan-input rules # - printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept" printf "%s\n" "add rule inet banIP wan-input iifname != { ${wan_dev} } counter accept" + printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept" printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 udp sport 67-68 udp dport 67-68 counter accept" printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept" - printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 icmp type { echo-request } limit rate 1000/second counter accept" - printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { echo-request } limit rate 1000/second counter accept" - printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 1 counter accept" - printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 255 counter accept" + printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 1 counter accept" + printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, 
nd-router-advert} ip6 hoplimit 255 counter accept" + [ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-input ${allow_dport} counter accept" # default wan-forward rules # - printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept" printf "%s\n" "add rule inet banIP wan-forward iifname != { ${wan_dev} } counter accept" + printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept" + [ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-forward ${allow_dport} counter accept" # default lan-forward rules # - printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept" printf "%s\n" "add rule inet banIP lan-forward oifname != { ${wan_dev} } counter accept" + printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept" [ -n "${vlan_allow}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_allow} } counter accept" [ -n "${vlan_block}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_block} } counter goto reject-chain" } >"${file}" @@ -628,7 +688,8 @@ f_nftinit() { feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)" feed_rc="${?}" - f_log "debug" "f_nftinit ::: wan_dev: ${wan_dev}, vlan_allow: ${vlan_allow:-"-"}, vlan_block: ${vlan_block:-"-"}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" + f_log "debug" "f_nftinit ::: wan_dev: ${wan_dev}, vlan_allow: ${vlan_allow:-"-"}, vlan_block: ${vlan_block:-"-"}, allowed_dports: ${allow_dport:-"-"}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" + : >"${file}" return "${feed_rc}" } 
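Review bot: The ICMPv6 limiter `ip6 nexthdr icmpv6 limit rate over ${ban_icmplimit}/second ... drop` in the new pre-routing block only matches packets whose first next-header is ICMPv6, so ICMPv6 carried behind an extension header is not counted; `meta l4proto icmpv6` matches on the final protocol instead. The rule also covers every ICMPv6 type arriving on the WAN devices, including the neighbor-discovery and router-advert messages that wan-input accepts further down, which previously had their own accept rules. All of the `limit rate over` rules are global rather than per source, so once the rate is exceeded, legitimate traffic of that class is dropped together with the flood. I would state that trade-off in the `# default pre-routing rules` comment and consider exempting the ND types from the limiter. The defaults of `ban_icmplimit`, `ban_udplimit` and `ban_synlimit` are not visible here; if any can be empty, the generated file will not load.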
@@ -636,7 +697,7 @@ f_nftinit() { # f_down() { local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file ruleset_raw handle rc etag_rc - local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_proto feed_dport flag + local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_proto feed_dport feed_target local feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}" start_ts="$(date +%s)" @@ -653,6 +714,14 @@ f_down() { [ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/${ban_blocktype}/${feed}: \"" [ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_nftloglevel} prefix \"banIP/fwd-lan/reject/${feed}: \"" + # set feed target + # + if [ "${ban_blocktype}" = "reject" ]; then + feed_target="goto reject-chain" + else + feed_target="drop" + fi + # set feed block direction # if [ "${ban_blockpolicy}" = "input" ]; then @@ -689,9 +758,9 @@ f_down() { for flag in ${feed_flag}; do if [ "${flag}" = "gz" ] && ! printf "%s" "${feed_comp}" | "${ban_grepcmd}" -qw "${flag}"; then feed_comp="${flag}" - elif { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; } && ! printf "%s" "${feed_proto}" | "${ban_grepcmd}" -qw "${flag}"; then + elif [ -z "${feed_proto}" ] && { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; }; then feed_proto="${flag}" - elif [ -n "${flag//[![:digit]]/}" ] && ! printf "%s" "${feed_dport}" | "${ban_grepcmd}" -qw "${flag}"; then + elif [ -n "${feed_proto}" ] && [ -n "${flag//[![:digit]-]/}" ] && ! printf "%s" "${feed_dport}" | "${ban_grepcmd}" -qw "${flag}"; then if [ -z "${feed_dport}" ]; then feed_dport="${flag}" else @@ -699,7 +768,7 @@ f_down() { fi fi done - [ -n "${feed_dport}" ] && feed_dport="${feed_proto:-"tcp"} dport { ${feed_dport} }" + [ -n "${feed_dport}" ] && feed_dport="${feed_proto} dport { ${feed_dport} }" # chain/rule maintenance # 
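Review bot: `flag` is dropped from the second `local` line of f_down, but the `for flag in ${feed_flag}` loop in the -689/+758 hunk still assigns it, so it is no longer function-local, while f_nftinit gains its own `local ... flag` in this same commit. I would keep it declared by appending `flag` after `feed_target` on that `local` line. Separately, with the new `[ -z "${feed_proto}" ]` / `[ -n "${feed_proto}" ]` ordering, a port given before the protocol (or with no protocol) is skipped silently and the feed then applies to all ports, where the old code defaulted to tcp; an `f_log "info"` line for the ignored flag would make that visible. f_down starts and ends outside these hunks.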
@@ -732,7 +801,7 @@ f_down() { done elif [ "${feed%v*}" = "asn" ]; then for asn in ${ban_asn}; do - f_etag "${feed}" "${feed_url}AS${asn}" ".{asn}" + f_etag "${feed}" "${feed_url}AS${asn}" ".${asn}" rc="${?}" [ "${rc}" = "4" ] && break etag_rc="$((etag_rc + rc))" @@ -768,6 +837,7 @@ f_down() { break fi done + if [ "${feed_rc}" = "0" ]; then f_backup "allowlist" "${tmp_allow}" elif [ -z "${restore_rc}" ] && [ "${feed_rc}" != "0" ]; then @@ -795,22 +865,14 @@ f_down() { printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" if [ -z "${feed_direction##*input*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then - if [ "${ban_blocktype}" = "reject" ]; then - printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter goto reject-chain" - else - printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter drop" - fi + printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter ${feed_target}" else printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} counter accept" fi fi if [ -z "${feed_direction##*forwardwan*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then - if [ "${ban_blocktype}" = "reject" ]; then - printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter goto reject-chain" - else - printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter drop" - fi + printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter ${feed_target}" else printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} counter accept" fi 
@@ -828,35 +890,28 @@ f_down() { printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" if [ -z "${feed_direction##*input*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then - if [ "${ban_blocktype}" = "reject" ]; then - printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter goto reject-chain" - else - printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter drop" - fi + printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter ${feed_target}" else printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} counter accept" fi fi if [ -z "${feed_direction##*forwardwan*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then - if [ "${ban_blocktype}" = "reject" ]; then - printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter goto reject-chain" - else - printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter drop" - fi + printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter ${feed_target}" else printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} counter accept" fi fi if [ -z "${feed_direction##*forwardlan*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then - printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter goto reject-chain" + printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter ${feed_target}" else printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} counter accept" fi fi fi } >"${tmp_nft}" + : >"${tmp_flush}" >"${tmp_raw}" >"${tmp_file}" feed_rc="0" elif [ "${feed%v*}" = "blocklist" ]; then { 
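Review bot: In the allowlist-only branch the IPv6 rule `lan-forward ip6 daddr != @${feed} ${log_forwardlan}` now ends in `counter ${feed_target}`, while the blocklist and external-feed lan-forward rules elsewhere in this commit keep `counter goto reject-chain`. `log_forwardlan` still carries the fixed prefix `banIP/fwd-lan/reject/${feed}`, so with `ban_blocktype` set to drop, LAN clients would be dropped without a response but logged as rejected. The IPv4 lan-forward counterpart lies outside this hunk and may behave differently. If the change is intended, the prefix should use `${ban_blocktype}` as the wan prefixes do; if not, restore `counter goto reject-chain` on that line.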
@@ -881,13 +936,8 @@ f_down() { fi "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" - if [ "${ban_blocktype}" = "reject" ]; then - [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter goto reject-chain" - [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter goto reject-chain" - else - [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop" - [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop" - fi + [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter ${feed_target}" + [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter ${feed_target}" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter goto reject-chain" elif [ "${proto}" = "6" ]; then if [ "${ban_deduplicate}" = "1" ]; then 
@@ -902,16 +952,12 @@ f_down() { fi "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" - if [ "${ban_blocktype}" = "reject" ]; then - [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter goto reject-chain" - [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter goto reject-chain" - else - [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop" - [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop" - fi + [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter ${feed_target}" + [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter ${feed_target}" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain" fi } >"${tmp_nft}" + : >"${tmp_flush}" >"${tmp_raw}" >"${tmp_file}" feed_rc="0" # handle external feeds @@ -925,7 +971,7 @@ f_down() { feed_rc="${?}" [ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}" done - rm -f "${tmp_raw}" + : >"${tmp_raw}" # handle asn downloads # @@ -935,7 +981,7 @@ f_down() { feed_rc="${?}" [ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}" done - rm -f "${tmp_raw}" + : >"${tmp_raw}" # handle compressed downloads # 
@@ -943,7 +989,7 @@ f_down() { feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>&1)" feed_rc="${?}" [ "${feed_rc}" = "0" ] && "${ban_zcatcmd}" "${tmp_raw}" 2>/dev/null >"${tmp_load}" - rm -f "${tmp_raw}" + : >"${tmp_raw}" # handle normal downloads # @@ -970,27 +1016,28 @@ f_down() { # deduplicate Sets # if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then - "${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_raw}" + "${ban_awkcmd}" '{sub("\r$", ""); print}' "${tmp_load}" 2>/dev/null | "${ban_awkcmd}" "${feed_rule}" 2>/dev/null >"${tmp_raw}" "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null | tee -a "${ban_tmpfile}.deduplicate" >"${tmp_split}" else - "${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_split}" + "${ban_awkcmd}" '{sub("\r$", ""); print}' "${tmp_load}" 2>/dev/null | "${ban_awkcmd}" "${feed_rule}" 2>/dev/null >"${tmp_split}" fi feed_rc="${?}" # split Sets # if [ "${feed_rc}" = "0" ]; then - if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "0" ]; then + if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "512" ]; then if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then - rm -f "${tmp_file}".* f_log "info" "can't split Set '${feed}' to size '${ban_splitsize//[![:digit]]/}'" + rm -f "${tmp_file}".* fi else "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1" fi feed_rc="${?}" fi - rm -f "${tmp_raw}" "${tmp_load}" + : >"${tmp_raw}" >"${tmp_load}" + if [ "${feed_rc}" = "0" ] && [ "${proto}" = "4" ]; then { # nft header (IPv4 Set) 
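Review bot: `feed_rc` does not capture failures in the -970/+1016 hunk. After the new `"${ban_awkcmd}" '{sub("\r$", ""); print}' ... | "${ban_awkcmd}" "${feed_rule}"` pipelines, `${?}` is the status of the last stage only. After the split branch `if ! ...; then f_log ...; rm -f "${tmp_file}".*; fi` it is the status of `rm -f`, so a failed split is recorded as success with no element files left. For a block feed that means the Set can end up empty while the run reports rc 0. I would set the code explicitly inside the failure branch (for example `feed_rc="1"` after the `rm -f`) and take `${?}` only in the non-split `else` branch. f_down continues outside the hunk.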
@@ -1001,13 +1048,8 @@ f_down() { # input and forward rules # - if [ "${ban_blocktype}" = "reject" ]; then - [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter goto reject-chain" - [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter goto reject-chain" - else - [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter drop" - [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter drop" - fi + [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter ${feed_target}" + [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter ${feed_target}" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip daddr @${feed} ${log_forwardlan} counter goto reject-chain" } >"${tmp_nft}" elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then 
@@ -1020,16 +1062,12 @@ f_down() { # input and forward rules # - if [ "${ban_blocktype}" = "reject" ]; then - [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter goto reject-chain" - [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter goto reject-chain" - else - [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter drop" - [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter drop" - fi + [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter ${feed_target}" + [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter ${feed_target}" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain" } >"${tmp_nft}" fi + : >"${tmp_flush}" >"${tmp_file}.1" fi # load generated nft file in banIP table @@ -1039,6 +1077,7 @@ f_down() { cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_allow}" 2>/dev/null)" else cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_split}" 2>/dev/null)" + : >"${tmp_split}" fi if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed_url}" = "local" ] || [ "${feed%v*}" = "allowlist" ] || [ "${feed%v*}" = "blocklist" ]; then feed_log="$("${ban_nftcmd}" -f "${tmp_nft}" 2>&1)" 
@@ -1048,15 +1087,13 @@ f_down() { # if [ "${feed_rc}" = "0" ]; then for split_file in "${tmp_file}".*; do - [ ! -f "${split_file}" ] && break - if [ "${split_file##*.}" = "1" ]; then - rm -f "${split_file}" - continue - fi - if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $("${ban_catcmd}" "${split_file}") }" >/dev/null 2>&1; then + [ ! -s "${split_file}" ] && continue + "${ban_sedcmd}" -i "1 i #!/usr/sbin/nft -f\nadd element inet banIP "${feed}" { " "${split_file}" + printf "%s\n" "}" >> "${split_file}" + if ! "${ban_nftcmd}" -f "${split_file}" >/dev/null 2>&1; then f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'" fi - rm -f "${split_file}" + : >"${split_file}" done if [ "${ban_debug}" = "1" ] && [ "${ban_reportelements}" = "1" ]; then cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" @@ -1066,7 +1103,7 @@ f_down() { f_log "info" "skip empty feed '${feed}'" fi fi - rm -f "${tmp_split}" "${tmp_nft}" + : >"${tmp_nft}" end_ts="$(date +%s)" f_log "debug" "f_down ::: feed: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" @@ -1110,7 +1147,7 @@ f_rmset() { json_get_keys feedlist tmp_del="${ban_tmpfile}.final.delete" ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)" - table_sets="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')" + table_sets="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')" { printf "%s\n\n" "#!/usr/sbin/nft -f" for item in ${table_sets}; do @@ -1137,7 +1174,7 @@ f_rmset() { feed_log="$("${ban_nftcmd}" -f "${tmp_del}" 2>&1)" feed_rc="${?}" fi - rm -f "${tmp_del}" + : >"${tmp_del}" f_log "debug" "f_rmset ::: sets: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" } 
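Review bot: In the new `"${ban_sedcmd}" -i "1 i #!/usr/sbin/nft -f\nadd element inet banIP "${feed}" { " "${split_file}"` line the inner double quotes end and reopen the shell string, so `${feed}` is expanded unquoted and pasted into the sed script as-is. The exit status of the sed call is not checked either; if it fails, the split file has no `add element` header and the only trace is the generic "can't add split file" message. Building the input as a stream avoids both the in-place edit and the quoting: `{ printf "%s\n" "add element inet banIP ${feed} { "; "${ban_catcmd}" "${split_file}"; printf "%s\n" "}"; } | "${ban_nftcmd}" -f - >/dev/null 2>&1`. f_down starts outside this hunk.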
@@ -1153,7 +1190,7 @@ f_genstatus() { end_time="$(date "+%s")" duration="$(((end_time - ban_starttime) / 60))m $(((end_time - ban_starttime) % 60))s" fi - table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')" + table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')" if [ "${ban_reportelements}" = "1" ]; then for object in ${table_sets}; do cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${object}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))" @@ -1202,7 +1239,7 @@ f_genstatus() { json_close_array json_add_string "nft_info" "priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, expiry: ${ban_nftexpiry:-"-"}" json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}" - json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), custom feed: $(f_char ${custom_feed}), allowed only: $(f_char ${ban_allowlistonly})" + json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (pre/inp/fwd/lan): $(f_char ${ban_logprerouting})/$(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), custom feed: $(f_char ${custom_feed}), allowed only: $(f_char ${ban_allowlistonly})" json_add_string "last_run" "${runtime:-"-"}" json_add_string "system_info" "cores: ${ban_cores}, memory: ${ban_memory}, device: ${ban_sysver}" json_dump >"${ban_rtfile}" 
@@ -1284,12 +1321,12 @@ f_lookup() { cnt_domain="$((cnt_domain + 1))" done if [ -n "${elementsv4}" ]; then - if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" "{ ${elementsv4} }" >/dev/null 2>&1; then + if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" { ${elementsv4} } >/dev/null 2>&1; then f_log "info" "can't add lookup file to Set '${feed}v4'" fi fi if [ -n "${elementsv6}" ]; then - if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" "{ ${elementsv6} }" >/dev/null 2>&1; then + if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" { ${elementsv6} } >/dev/null 2>&1; then f_log "info" "can't add lookup file to Set '${feed}v6'" fi fi @@ -1303,8 +1340,8 @@ f_lookup() { # f_report() { local report_jsn report_txt tmp_val ruleset_raw item table_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan set_proto set_dport set_details - local expr detail jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan output="${1}" - + local expr detail jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan + local sum_synflood sum_udpflood sum_icmpflood sum_ctinvalid sum_tcpinvalid output="${1}" [ -z "${ban_dev}" ] && f_conf f_mkdir "${ban_reportdir}" report_jsn="${ban_reportdir}/ban_report.jsn" @@ -1313,7 +1350,7 @@ f_report() { # json output preparation # ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)" - table_sets="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')" + table_sets="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')" sum_sets="0" sum_setinput="0" sum_setforwardwan="0" 
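Review bot: Removing the quotes in `"${ban_nftcmd}" add element inet banIP "${feed}v4" { ${elementsv4} }` (and the v6 line) leaves `${elementsv4}` open to field splitting and pathname expansion by the shell. The list appears to be built from lookup results earlier in f_lookup, outside this hunk. nft joins its arguments into one command string, so the quoted form `"{ ${elementsv4} }"` is equivalent for nft and keeps the shell from touching the data. The same unquoting is applied to the two `blocklist${proto}` calls in the f_monitor hunk at -1609/+1667; I would keep the quoted form in all four places.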
@@ -1322,6 +1359,11 @@ f_report() { sum_cntinput="0" sum_cntforwardwan="0" sum_cntforwardlan="0" + sum_synflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-synflood"].*.packets')" + sum_udpflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-udpflood"].*.packets')" + sum_icmpflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-icmpflood"].*.packets')" + sum_ctinvalid="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-ctinvalid"].*.packets')" + sum_tcpinvalid="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-tcpinvalid"].*.packets')" timestamp="$(date "+%Y-%m-%d %H:%M:%S")" : >"${report_jsn}" { @@ -1344,12 +1386,6 @@ f_report() { [ "${expr}" = "1" ] && [ -z "${set_dport}" ] && set_dport="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.right.set")" [ "${expr}" = "1" ] && [ -z "${set_proto}" ] && set_proto="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.left.payload.protocol")" done - if [ -n "${set_dport}" ]; then - set_dport="${set_dport//[\{\}\":]/}" - set_dport="${set_dport#\[ *}" - set_dport="${set_dport%* \]}" - set_dport="${set_proto}: $(f_trim "${set_dport}")" - fi if [ "${ban_reportelements}" = "1" ]; then set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" sum_setelements="$((sum_setelements + set_cnt))" 
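Review bot: The five new counter queries in f_report select by name only, e.g. `@.nftables[@.counter.name="cnt-synflood"].*.packets`, while the set queries in this commit are narrowed to `@.set.table="banIP"&&@.set.family="inet"`. A counter with the same name in another table would make the result multi-line, and that value is later written unescaped into `"sum_synflood": "..."` in the report JSON. Scoping the filter the same way, `@.nftables[@.counter.table="banIP"&&@.counter.name="cnt-synflood"].*.packets`, ties the report to banIP's own counters. f_report continues outside these hunks.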
@@ -1357,8 +1393,14 @@ f_report() { set_cnt="" sum_setelements="n/a" fi + if [ -n "${set_dport}" ]; then + set_dport="${set_dport//[\{\}\":]/}" + set_dport="${set_dport#\[ *}" + set_dport="${set_dport%* \]}" + set_dport="${set_proto}: $(f_trim "${set_dport}")" + fi if [ -n "${set_cntinput}" ]; then - set_input="OK" + set_input="ON" sum_setinput="$((sum_setinput + 1))" sum_cntinput="$((sum_cntinput + set_cntinput))" else @@ -1366,7 +1408,7 @@ f_report() { set_cntinput="" fi if [ -n "${set_cntforwardwan}" ]; then - set_forwardwan="OK" + set_forwardwan="ON" sum_setforwardwan="$((sum_setforwardwan + 1))" sum_cntforwardwan="$((sum_cntforwardwan + set_cntforwardwan))" else @@ -1374,7 +1416,7 @@ f_report() { set_cntforwardwan="" fi if [ -n "${set_cntforwardlan}" ]; then - set_forwardlan="OK" + set_forwardlan="ON" sum_setforwardlan="$((sum_setforwardlan + 1))" sum_cntforwardlan="$((sum_cntforwardlan + set_cntforwardlan))" else @@ -1398,6 +1440,11 @@ f_report() { printf "\t%s\n" "\"timestamp\": \"${timestamp}\"," printf "\t%s\n" "\"autoadd_allow\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_allowlist}")\"," printf "\t%s\n" "\"autoadd_block\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_blocklist}")\"," + printf "\t%s\n" "\"sum_synflood\": \"${sum_synflood}\"," + printf "\t%s\n" "\"sum_udpflood\": \"${sum_udpflood}\"," + printf "\t%s\n" "\"sum_icmpflood\": \"${sum_icmpflood}\"," + printf "\t%s\n" "\"sum_ctinvalid\": \"${sum_ctinvalid}\"," + printf "\t%s\n" "\"sum_tcpinvalid\": \"${sum_tcpinvalid}\"," printf "\t%s\n" "\"sum_sets\": \"${sum_sets}\"," printf "\t%s\n" "\"sum_setinput\": \"${sum_setinput}\"," printf "\t%s\n" "\"sum_setforwardwan\": \"${sum_setforwardwan}\"," 
@@ -1418,6 +1465,11 @@ f_report() { json_get_var timestamp "timestamp" >/dev/null 2>&1 json_get_var autoadd_allow "autoadd_allow" >/dev/null 2>&1 json_get_var autoadd_block "autoadd_block" >/dev/null 2>&1 + json_get_var sum_synflood "sum_synflood" >/dev/null 2>&1 + json_get_var sum_udpflood "sum_udpflood" >/dev/null 2>&1 + json_get_var sum_icmpflood "sum_icmpflood" >/dev/null 2>&1 + json_get_var sum_ctinvalid "sum_ctinvalid" >/dev/null 2>&1 + json_get_var sum_tcpinvalid "sum_tcpinvalid" >/dev/null 2>&1 json_get_var sum_sets "sum_sets" >/dev/null 2>&1 json_get_var sum_setinput "sum_setinput" >/dev/null 2>&1 json_get_var sum_setforwardwan "sum_setforwardwan" >/dev/null 2>&1 @@ -1430,8 +1482,14 @@ f_report() { printf "%s\n%s\n%s\n" ":::" "::: banIP Set Statistics" ":::" printf "%s\n" " Timestamp: ${timestamp}" printf "%s\n" " ------------------------------" - printf "%s\n" " auto-added to allowlist today: ${autoadd_allow}" - printf "%s\n\n" " auto-added to blocklist today: ${autoadd_block}" + printf "%s\n" " blocked syn-flood packets : ${sum_synflood}" + printf "%s\n" " blocked udp-flood packets : ${sum_udpflood}" + printf "%s\n" " blocked icmp-flood packets : ${sum_icmpflood}" + printf "%s\n" " blocked invalid ct packets : ${sum_ctinvalid}" + printf "%s\n" " blocked invalid tcp packets: ${sum_tcpinvalid}" + printf "%s\n" " ----------" + printf "%s\n" " auto-added IPs to allowlist: ${autoadd_allow}" + printf "%s\n\n" " auto-added IPs to blocklist: ${autoadd_block}" json_select "sets" >/dev/null 2>&1 json_get_keys table_sets >/dev/null 2>&1 if [ -n "${table_sets}" ]; then 
@@ -1488,10 +1546,10 @@ f_search() { local item table_sets ip proto hold cnt result_flag="/var/run/banIP.search" input="${1}" if [ -n "${input}" ]; then - ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?[[:space:]]*$)"}{printf "%s",RT}')" + ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?[[:space:]]*$)"}{printf "%s",RT}')" [ -n "${ip}" ] && proto="v4" if [ -z "${proto}" ]; then - ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)"}{printf "%s",RT}')" + ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)"}{printf "%s",RT}')" [ -n "${ip}" ] && proto="v6" fi fi @@ -1564,7 +1622,7 @@ f_mail() { # log monitor # f_monitor() { - local daemon logread_cmd loglimit_cmd nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_elements rdap_info + local daemon logread_cmd loglimit_cmd nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_prefix rdap_length rdap_info if [ -f "${ban_logreadfile}" ]; then logread_cmd="${ban_logreadcmd} -qf ${ban_logreadfile} 2>/dev/null | ${ban_grepcmd} -e \"${ban_logterm%%??}\" 2>/dev/null" 
@@ -1609,19 +1667,22 @@ f_monitor() { rdap_log="$("${ban_fetchcmd}" ${ban_rdapparm} "${ban_rdapfile}" "${ban_rdapurl}${ip}" 2>&1)" rdap_rc="${?}" if [ "${rdap_rc}" = "0" ] && [ -s "${ban_rdapfile}" ]; then - rdap_elements="$(jsonfilter -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*' | awk 'BEGIN{FS="[\" ]"}{printf "%s/%s, ",$6,$11}')" - rdap_info="$(jsonfilter -i "${ban_rdapfile}" -qe '@.country' -qe '@.notices[@.title="Source"].description[1]' | awk 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')" - if [ -n "${rdap_elements//\/*/}" ]; then - if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${rdap_elements%%??} ${nft_expiry} }" >/dev/null 2>&1; then - f_log "info" "add IP range '${rdap_elements%%??}' (source: ${rdap_info:-"-"} ::: expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set" + [ "${proto}" = "v4" ] && rdap_prefix="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*.v4prefix')" + [ "${proto}" = "v6" ] && rdap_prefix="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*.v6prefix')" + rdap_length="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*.length')" + rdap_info="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.country' -qe '@.notices[@.title="Source"].description[1]' | awk 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')" + [ -z "${rdap_info}" ] && rdap_info="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.notices[0].links[0].value' | awk 'BEGIN{FS="[/.]"}{printf"%s, %s","n/a",toupper($4)}')" + if [ -n "${rdap_prefix}" ] && [ -n "${rdap_length}" ]; then + if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" { ${rdap_prefix}/${rdap_length} ${nft_expiry} } >/dev/null 2>&1; then + f_log "info" "add IP range '${rdap_prefix}/${rdap_length}' (source: ${rdap_info:-"n/a"} ::: expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set" fi fi else f_log "info" "rdap request failed (rc: ${rdap_rc:-"-"}/log: ${rdap_log})" fi fi - if [ "${ban_autoblocksubnet}" = "0" ] || [ "${rdap_rc}" != "0" ] || [ ! 
-s "${ban_rdapfile}" ] || [ -z "${rdap_elements//\/*/}" ]; then - if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then + if [ "${ban_autoblocksubnet}" = "0" ] || [ "${rdap_rc}" != "0" ] || [ ! -s "${ban_rdapfile}" ] || [ -z "${rdap_prefix}" ] || [ -z "${rdap_length}" ]; then + if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" { ${ip} ${nft_expiry} } >/dev/null 2>&1; then f_log "info" "add IP '${ip}' (expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set" fi fi diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh index 3a40ab8696..fac3f15f4a 100755 --- a/net/banip/files/banip-service.sh +++ b/net/banip/files/banip-service.sh @@ -1,6 +1,6 @@ #!/bin/sh # banIP main service script - ban incoming and outgoing IPs via named nftables Sets -# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) +# Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. # (s)hellcheck exceptions @@ -24,8 +24,8 @@ f_getif f_getdev f_getuplink f_mkdir "${ban_backupdir}" -f_mkfile "${ban_blocklist}" f_mkfile "${ban_allowlist}" +f_mkfile "${ban_blocklist}" # firewall check # @@ -44,13 +44,13 @@ if [ "${ban_action}" != "reload" ]; then fi fi -# init nft namespace +# init banIP nftables namespace # if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list set inet banIP allowlistv4MAC >/dev/null 2>&1; then if f_nftinit "${ban_tmpfile}".init.nft; then - f_log "info" "initialize nft namespace" + f_log "info" "initialize banIP nftables namespace" else - f_log "err" "can't initialize nft namespace" + f_log "err" "can't initialize banIP nftables namespace" fi fi 
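Review bot: The RDAP-derived range reaches nft without any check on its shape or size in the new `add element inet banIP "blocklist${proto}" { ${rdap_prefix}/${rdap_length} ${nft_expiry} }` call of f_monitor. Both values come from the body returned by `${ban_rdapurl}`, and with the braces now unquoted they undergo word splitting and pathname expansion; a response carrying a very short prefix length would also block far more than the one offending IP. I would reject non-numeric or too-short lengths first, e.g. `case "${rdap_length}" in ''|*[!0-9]*) rdap_length="" ;; esac` plus a minimum accepted length, and keep the element quoted as in the removed line. The `-l1` lookups also take the first `length` and the first `v4prefix`/`v6prefix` independently, so they may come from different `cidr0_cidrs` entries if the array mixes address families; that is inferred from the expressions, not confirmed. f_monitor starts and ends outside the hunk.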
@@ -99,7 +99,7 @@ for feed in allowlist ${ban_feed} blocklist; do continue fi - # handle IPv4/IPv6 feeds with the same/single download URL + # handle IPv4/IPv6 feeds with a single download URL # if [ "${feed_url_4}" = "${feed_url_6}" ]; then if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then @@ -115,7 +115,8 @@ for feed in allowlist ${ban_feed} blocklist; do fi continue fi - # handle IPv4/IPv6 feeds with separated download URLs + + # handle IPv4/IPv6 feeds with separate download URLs # if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then (f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") & diff --git a/net/banip/files/banip.countries b/net/banip/files/banip.countries index 4238763029..5c0aa00b86 100644 --- a/net/banip/files/banip.countries +++ b/net/banip/files/banip.countries 
@@ -1,249 +1,249 @@ -af;Afghanistan -ax;Åland Islands -al;Albania -dz;Algeria -as;American Samoa -ad;Andorra -ao;Angola -ai;Anguilla -aq;Antarctica -ag;Antigua & Barbuda -ar;Argentina -am;Armenia -aw;Aruba -au;Australia -at;Austria -az;Azerbaijan -bs;Bahamas -bh;Bahrain -bd;Bangladesh -bb;Barbados -by;Belarus -be;Belgium -bz;Belize -bj;Benin -bm;Bermuda -bt;Bhutan -bo;Bolivia -ba;Bosnia -bw;Botswana -bv;Bouvet Island -br;Brazil -io;British Indian Ocean Territory -vg;British Virgin Islands -bn;Brunei -bg;Bulgaria -bf;Burkina Faso -bi;Burundi -kh;Cambodia -cm;Cameroon -ca;Canada -cv;Cape Verde -bq;Caribbean Netherlands -ky;Cayman Islands -cf;Central African Republic -td;Chad -cl;Chile -cn;China -cx;Christmas Island -cc;Cocos (Keeling) Islands -co;Colombia -km;Comoros -cg;Congo - Brazzaville -cd;Congo - Kinshasa -ck;Cook Islands -cr;Costa Rica -ci;Côte d’Ivoire -hr;Croatia -cu;Cuba -cw;Curaçao -cy;Cyprus -cz;Czechia -dk;Denmark -dj;Djibouti -dm;Dominica -do;Dominican Republic -ec;Ecuador -eg;Egypt -sv;El Salvador -gq;Equatorial Guinea -er;Eritrea -ee;Estonia -sz;Eswatini -et;Ethiopia -fk;Falkland Islands -fo;Faroe Islands -fj;Fiji -fi;Finland -fr;France -gf;French Guiana -pf;French Polynesia -tf;French Southern Territories -ga;Gabon -gm;Gambia -ge;Georgia -de;Germany -gh;Ghana -gi;Gibraltar -gr;Greece -gl;Greenland -gd;Grenada -gp;Guadeloupe -gu;Guam -gt;Guatemala -gg;Guernsey -gn;Guinea -gw;Guinea-Bissau -gy;Guyana -ht;Haiti -hm;Heard & McDonald Islands -hn;Honduras -hk;Hong Kong -hu;Hungary -is;Iceland -in;India -id;Indonesia -ir;Iran -iq;Iraq -ie;Ireland -im;Isle of Man -il;Israel -it;Italy -jm;Jamaica -jp;Japan -je;Jersey -jo;Jordan -kz;Kazakhstan -ke;Kenya -ki;Kiribati -kw;Kuwait -kg;Kyrgyzstan -la;Laos -lv;Latvia -lb;Lebanon -ls;Lesotho -lr;Liberia -ly;Libya -li;Liechtenstein -lt;Lithuania -lu;Luxembourg -mo;Macau -mg;Madagascar -mw;Malawi -my;Malaysia -mv;Maldives -ml;Mali -mt;Malta -mh;Marshall Islands -mq;Martinique -mr;Mauritania -mu;Mauritius -yt;Mayotte 
-mx;Mexico -fm;Micronesia -md;Moldova -mc;Monaco -mn;Mongolia -me;Montenegro -ms;Montserrat -ma;Morocco -mz;Mozambique -mm;Myanmar -na;Namibia -nr;Nauru -np;Nepal -nl;Netherlands -nc;New Caledonia -nz;New Zealand -ni;Nicaragua -ne;Niger -ng;Nigeria -nu;Niue -nf;Norfolk Island -mp;Northern Mariana Islands -kp;North Korea -mk;North Macedonia -no;Norway -om;Oman -pk;Pakistan -pw;Palau -ps;Palestine -pa;Panama -pg;Papua New Guinea -py;Paraguay -pe;Peru -ph;Philippines -pn;Pitcairn Islands -pl;Poland -pt;Portugal -pr;Puerto Rico -qa;Qatar -re;Réunion -ro;Romania -ru;Russia -rw;Rwanda -ws;Samoa -sm;San Marino -st;São Tomé & Príncipe -sa;Saudi Arabia -sn;Senegal -rs;Serbia -sc;Seychelles -sl;Sierra Leone -sg;Singapore -sx;Sint Maarten -sk;Slovakia -si;Slovenia -sb;Solomon Islands -so;Somalia -za;South Africa -gs;South Georgia & South Sandwich Islands -kr;South Korea -ss;South Sudan -es;Spain -lk;Sri Lanka -bl;St. Barthélemy -sh;St. Helena -kn;St. Kitts & Nevis -lc;St. Lucia -mf;St. Martin -pm;St. Pierre & Miquelon -vc;St. Vincent & Grenadines -sd;Sudan -sr;Suriname -sj;Svalbard & Jan Mayen -se;Sweden -ch;Switzerland -sy;Syria -tw;Taiwan -tj;Tajikistan -tz;Tanzania -th;Thailand -tl;Timor-Leste -tg;Togo -tk;Tokelau -to;Tonga -tt;Trinidad & Tobago -tn;Tunisia -tr;Turkey -tm;Turkmenistan -tc;Turks & Caicos Islands -tv;Tuvalu -ug;Uganda -ua;Ukraine -ae;United Arab Emirates -gb;United Kingdom -us;United States -uy;Uruguay -um;U.S. Outlying Islands -vi;U.S. 
Virgin Islands -uz;Uzbekistan -vu;Vanuatu -va;Vatican City -ve;Venezuela -vn;Vietnam -wf;Wallis & Futuna -eh;Western Sahara -ye;Yemen -zm;Zambia -zw;Zimbabwe +af APNIC Afghanistan +ax RIPE Åland Islands +al RIPE Albania +dz AFRINIC Algeria +as APNIC American Samoa +ad RIPE Andorra +ao AFRINIC Angola +ai ARIN Anguilla +aq ARIN Antarctica +ag ARIN Antigua & Barbuda +ar LACNIC Argentina +am RIPE Armenia +aw LACNIC Aruba +au APNIC Australia +at RIPE Austria +az RIPE Azerbaijan +bs ARIN Bahamas +bh RIPE Bahrain +bd APNIC Bangladesh +bb ARIN Barbados +by RIPE Belarus +be RIPE Belgium +bz LACNIC Belize +bj AFRINIC Benin +bm ARIN Bermuda +bt APNIC Bhutan +bo LACNIC Bolivia +bq LACNIC Bonaire +ba RIPE Bosnia & Herzegowina +bw AFRINIC Botswana +bv ARIN Bouvet Island +br LACNIC Brazil +io APNIC British Indian Ocean Territory +bn APNIC Brunei +bg RIPE Bulgaria +bf AFRINIC Burkina Faso +bi AFRINIC Burundi +kh APNIC Cambodia +cm AFRINIC Cameroon +ca ARIN Canada +cv AFRINIC Cape Verde +ky ARIN Cayman Islands +cf AFRINIC Central African Republic +td AFRINIC Chad +cl LACNIC Chile +cn APNIC China +cx APNIC Christmas Island +cc APNIC Cocos Islands +co LACNIC Colombia +km AFRINIC Comoros +cg AFRINIC Congo - Brazzaville +cd AFRINIC Congo - Kinshasa +ck APNIC Cook Islands +cr LACNIC Costa Rica +ci AFRINIC Côte D'ivoire +hr RIPE Croatia +cu LACNIC Cuba +cw LACNIC Curaçao +cy RIPE Cyprus +cz RIPE Czechia +dk RIPE Denmark +dj AFRINIC Djibouti +dm ARIN Dominica +do LACNIC Dominican Republic +ec LACNIC Ecuador +eg AFRINIC Egypt +sv LACNIC El Salvador +gq AFRINIC Equatorial Guinea +er AFRINIC Eritrea +ee RIPE Estonia +sz AFRINIC Eswatini +et AFRINIC Ethiopia +fk LACNIC Falkland Islands +fo RIPE Faroe Islands +fj APNIC Fiji +fi RIPE Finland +fr RIPE France +gf LACNIC French Guiana +pf APNIC French Polynesia +tf APNIC French Southern Territories +ga AFRINIC Gabon +gm AFRINIC Gambia +ge RIPE Georgia +de RIPE Germany +gh AFRINIC Ghana +gi RIPE Gibraltar +gr RIPE Greece +gl RIPE Greenland +gd ARIN 
Grenada +gp ARIN Guadeloupe +gu APNIC Guam +gt LACNIC Guatemala +gg RIPE Guernsey +gn AFRINIC Guinea +gw AFRINIC Guinea-Bissau +gy LACNIC Guyana +ht LACNIC Haiti +hm ARIN Heard & McDonald Islands +hn LACNIC Honduras +hk APNIC Hong Kong +hu RIPE Hungary +is RIPE Iceland +in APNIC India +id APNIC Indonesia +ir RIPE Iran +iq RIPE Iraq +ie RIPE Ireland +im RIPE Isle of Man +il RIPE Israel +it RIPE Italy +jm ARIN Jamaica +jp APNIC Japan +je RIPE Jersey +jo RIPE Jordan +kz RIPE Kazakhstan +ke AFRINIC Kenya +ki APNIC Kiribati +kw RIPE Kuwait +kg RIPE Kyrgyzstan +la APNIC Lao +lv RIPE Latvia +lb RIPE Lebanon +ls AFRINIC Lesotho +lr AFRINIC Liberia +ly AFRINIC Libya +li RIPE Liechtenstein +lt RIPE Lithuania +lu RIPE Luxembourg +mo APNIC Macao +mg AFRINIC Madagascar +mw AFRINIC Malawi +my APNIC Malaysia +mv APNIC Maldives +ml AFRINIC Mali +mt RIPE Malta +mh APNIC Marshall Islands +ma AFRINIC Marocco +mq ARIN Martinique +mr AFRINIC Mauritania +mu AFRINIC Mauritius +yt AFRINIC Mayotte +mx LACNIC Mexico +fm APNIC Micronesia +md RIPE Moldova +mc RIPE Monaco +mn APNIC Mongolia +me RIPE Montenegro +ms ARIN Montserrat +mz AFRINIC Mozambique +mm APNIC Myanmar +na AFRINIC Namibia +nr APNIC Nauru +np APNIC Nepal +nl RIPE Netherlands +nc APNIC New Caledonia +nz APNIC New Zealand +ni LACNIC Nicaragua +ne AFRINIC Niger +ng AFRINIC Nigeria +nu APNIC Niue +nf APNIC Norfolk Island +kp APNIC North Korea +mk RIPE North Macedonia +mp APNIC Northern Mariana Islands +no RIPE Norway +om RIPE Oman +pk APNIC Pakistan +pw APNIC Palau +ps RIPE Palestine +pa LACNIC Panama +pg APNIC Papua New Guinea +py LACNIC Paraguay +pe LACNIC Peru +ph APNIC Philippines +pn APNIC Pitcairn +pl RIPE Poland +pt RIPE Portugal +pr ARIN Puerto Rico +qa RIPE Qatar +re AFRINIC Reunion +ro RIPE Romania +ru RIPE Russian Federation +rw AFRINIC Rwanda +sh ARIN Saint Helena +bl ARIN Saint Barthélemy +kn ARIN Saint Kitts & Nevis +lc ARIN Saint Lucia +mf ARIN Saint Martin +pm ARIN Saint Pierre & Miquelon +vc ARIN Saint Vincent & 
the Grenadines +ws APNIC Samoa +sm RIPE San Marino +st AFRINIC Sao Tome & Principe +sa RIPE Saudi Arabia +sn AFRINIC Senegal +rs RIPE Serbia +sc AFRINIC Seychelles +sl AFRINIC Sierra Leone +sg APNIC Singapore +sx LACNIC Sint Maarten +sk RIPE Slovakia +si RIPE Slovenia +sb APNIC Solomon Islands +so AFRINIC Somalia +za AFRINIC South Africa +gs LACNIC South Georgia +kr APNIC South Korea +ss AFRINIC South Sudan +es RIPE Spain +lk APNIC Sri Lanka +sd AFRINIC Sudan +sr LACNIC Suriname +sj RIPE Svalbard & Jan Mayen Islands +se RIPE Sweden +ch RIPE Switzerland +sy RIPE Syrian +tw APNIC Taiwan +tj RIPE Tajikistan +tz AFRINIC Tanzania +th APNIC Thailand +tl APNIC Timor-Leste +tg AFRINIC Togo +tk APNIC Tokelau +to APNIC Tonga +tt LACNIC Trinidad & Tobago +tn AFRINIC Tunisia +tr RIPE Türkey +tm RIPE Turkmenistan +tc ARIN Turks & Caicos Islands +tv APNIC Tuvalu +ug AFRINIC Uganda +ua RIPE Ukraine +ae RIPE United Arab Emirates +gb RIPE United Kingdom +us ARIN United States +um ARIN United States Minor Outlying Islands +uy LACNIC Uruguay +uz RIPE Uzbekistan +vu APNIC Vanuatu +va RIPE Vatikan City +ve LACNIC Venezuela +vn APNIC Vietnam +vg ARIN Virgin Islands (British) +vi ARIN Virgin Islands (U.S.) +wf APNIC Wallis & Futuna Islands +eh AFRINIC Western Sahara +ye RIPE Yemen +zm AFRINIC Zambia +zw AFRINIC Zimbabwe diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds index 325fc660e5..e5f817371a 100644 --- a/net/banip/files/banip.feeds +++ b/net/banip/files/banip.feeds @@ -5,7 +5,7 @@ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "adaway IPs", - "flag": "80 443" + "flag": "tcp 80 443" }, "adguard":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv4.txt", 
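Review bot: Several names on the added lines of banip.countries are misspelled: `Marocco`, `Türkey`, `Vatikan City` and `Bosnia & Herzegowina`, and `Syrian` looks truncated. If these strings are shown to users or matched against anything, the standard English spellings (`Morocco`, `Turkey` or `Türkiye`, `Vatican City`, `Bosnia & Herzegovina`, `Syria`) would be safer. The separator between code, registry and name is not recoverable from this rendering; since names contain spaces, whatever reads the file has to treat everything after the second field as the name, which is worth confirming against the reader.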
@@ -13,7 +13,7 @@ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "adguard IPs", - "flag": "80 443" + "flag": "tcp 80 443" }, "adguardtrackers":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv4.txt", @@ -21,7 +21,7 @@ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "adguardtracker IPs", - "flag": "80 443" + "flag": "tcp 80 443" }, "antipopads":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv4.txt", @@ -29,7 +29,7 @@ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "antipopads IPs", - "flag": "80 443" + "flag": "tcp 80 443" }, "asn":{ "url_4": "https://asn.ipinfo.app/api/text/list/", @@ -37,7 +37,7 @@ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", "descr": "ASN IP segments", - "flag": "80 443" + "flag": "tcp 80 443" }, "backscatterer":{ "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz", 
@@ -45,6 +45,13 @@ "descr": "backscatterer IPs", "flag": "gz" }, + "becyber":{ + "url_4": "https://raw.githubusercontent.com/duggytuxy/malicious_ip_addresses/main/botnets_zombies_scanner_spam_ips.txt", + "url_6": "https://raw.githubusercontent.com/duggytuxy/malicious_ip_addresses/main/botnets_zombies_scanner_spam_ips_ipv6.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", + "descr": "malicious attacker IPs" + }, "binarydefense":{ "url_4": "https://iplists.firehol.org/files/bds_atif.ipset", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", @@ -74,14 +81,9 @@ "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", "descr": "country blocks" }, - "darklist":{ - "url_4": "https://darklist.de/raw.php", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", - "descr": "suspicious attacker IPs" - }, "debl":{ - "url_4": "https://www.blocklist.de/downloads/export-ips_all.txt", - "url_6": "https://www.blocklist.de/downloads/export-ips_all.txt", + "url_4": "https://lists.blocklist.de/lists/all.txt", + "url_6": "https://lists.blocklist.de/lists/all.txt", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", "descr": "fail2ban IP blocklist" 
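Review bot: The new `becyber` feed is fetched from the `main` branch of a personal GitHub repository, and its lines go into firewall sets after only the format check in `rule_4`/`rule_6`. Whoever controls that branch decides what gets blocked, so a mistaken or hijacked list can cut off legitimate destinations; the same holds for the `ipsum` and `pallebone` feeds added in later hunks of this file, both of which track `master`. JSON leaves no room for a comment here, so I would record in the package documentation who maintains each newly added list and that allowlist entries are (presumably, precedence is not visible in this patch) the safeguard for addresses that must stay reachable.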
@@ -92,7 +94,7 @@ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "public DoH-Provider", - "flag": "80 443" + "flag": "tcp 80 443" }, "drop":{ "url_4": "https://www.spamhaus.org/drop/drop.txt", @@ -150,18 +152,18 @@ "url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "advertising IPs", - "flag": "gz 80 443" + "flag": "gz tcp 80 443" }, "iblockspy":{ "url_4": "https://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "descr": "malicious spyware IPs", - "flag": "gz 80 443" + "flag": "gz tcp 80 443" }, - "ipblackhole":{ - "url_4": "https://ip.blackhole.monster/blackhole-today", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", - "descr": "blackhole IP blocklist" + "ipsum":{ + "url_4": "https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[-[:space:]]?/{printf \"%s,\\n\",$1}", + "descr": "malicious IPs" }, "ipthreat":{ "url_4": "https://lists.ipthreat.net/file/ipthreat-lists/threat/threat-30.txt.gz", 
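Review bot: In the new `ipsum` entry the terminator `[-[:space:]]?` is optional, so `rule_4` matches any line that merely begins with something IPv4-shaped, and `$1` then prints the whole first field, including anything glued to the address. Every other rule in this file requires `[[:space:]]` or `$` after the address. Unless the `-` is there for a reason not visible here, `([[:space:]]|$)` in place of `[-[:space:]]?` would keep malformed lines out of the generated set file.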
@@ -188,7 +190,7 @@ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "OISD-big IPs", - "flag": "80 443" + "flag": "tcp 80 443" }, "oisdnsfw":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv4.txt", @@ -196,7 +198,7 @@ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "OISD-nsfw IPs", - "flag": "80 443" + "flag": "tcp 80 443" }, "oisdsmall":{ "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv4.txt", @@ -204,7 +206,12 @@ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "OISD-small IPs", - "flag": "80 443" + "flag": "tcp 80 443" + }, + "pallebone":{ + "url_4": "https://raw.githubusercontent.com/pallebone/StrictBlockPAllebone/master/BlockIP.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "descr": "curated IP blocklist" }, "proxy":{ "url_4": "https://iplists.firehol.org/files/proxylists.ipset", 
@@ -222,7 +229,7 @@ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "stevenblack IPs", - "flag": "80 443" + "flag": "tcp 80 443" }, "talos":{ "url_4": "https://www.talosintelligence.com/documents/ip-blacklist", @@ -295,6 +302,6 @@ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "descr": "yoyo IPs", - "flag": "80 443" + "flag": "tcp 80 443" } } From 116bbd93596a2837f37eb2b32b11ef0deab98dad Mon Sep 17 00:00:00 2001 From: krant Date: Sun, 21 Apr 2024 00:17:23 +0300 Subject: [PATCH 069/106] libwebp: update to 1.4.0 Signed-off-by: krant --- libs/libwebp/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libs/libwebp/Makefile b/libs/libwebp/Makefile index 7d413c1f18..a3f075558b 100644 --- a/libs/libwebp/Makefile +++ b/libs/libwebp/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libwebp -PKG_VERSION:=1.3.2 +PKG_VERSION:=1.4.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://storage.googleapis.com/downloads.webmproject.org/releases/webp -PKG_HASH:=2a499607df669e40258e53d0ade8035ba4ec0175244869d1025d460562aa09b4 +PKG_HASH:=61f873ec69e3be1b99535634340d5bde750b2e4447caa1db9f61be3fd49ab1e5 PKG_MAINTAINER:=Alexandru Ardelean PKG_LICENSE:=BSD-3-Clause From ddd379416ed01b541101644d3880dd9ece3de4d3 Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Sun, 14 Apr 2024 15:43:23 +0200 Subject: [PATCH 070/106] tini: Fix compilation with musl libc 1.2.5 Support POSIX basename used in musl libc 1.2.5. This fixes compilation with musl libc 1.2.5. 
Signed-off-by: Hauke Mehrtens --- ...upport-POSIX-basename-from-musl-libc.patch | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 utils/tini/patches/002-Support-POSIX-basename-from-musl-libc.patch diff --git a/utils/tini/patches/002-Support-POSIX-basename-from-musl-libc.patch b/utils/tini/patches/002-Support-POSIX-basename-from-musl-libc.patch new file mode 100644 index 0000000000..3fce314a85 --- /dev/null +++ b/utils/tini/patches/002-Support-POSIX-basename-from-musl-libc.patch 
@@ -0,0 +1,72 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Hauke Mehrtens +Date: Sun, 14 Apr 2024 15:33:51 +0200 +Subject: Support POSIX basename() from musl libc + +Musl libc 1.2.5 removed the definition of the basename() function from +string.h and only provides it in libgen.h as the POSIX standard +defines it. + +This change fixes compilation with musl libc 1.2.5. +```` +build_dir/target-mips_24kc_musl/tini-0.19.0/src/tini.c:227:36: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration] + 227 | fprintf(file, "%s (%s)\n", basename(name), TINI_VERSION_STRING); +build_dir/target-mips_24kc_musl/tini-0.19.0/src/tini.c:227:25: error: format '%s' expects argument of type 'char *', but argument 3 has type 'int' [-Werror=format=] + 227 | fprintf(file, "%s (%s)\n", basename(name), TINI_VERSION_STRING); + | ~^ ~~~~~~~~~~~~~~ + | | | + | char * int + | %d + +```` + +basename() modifies the input string, copy it first with strdup(), If +strdup() returns NULL the code will handle it. 
+ +Signed-off-by: Hauke Mehrtens +--- + src/tini.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/src/tini.c ++++ b/src/tini.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + + #include "tiniConfig.h" + #include "tiniLicense.h" +@@ -224,14 +225,19 @@ int spawn(const signal_configuration_t* + } + + void print_usage(char* const name, FILE* const file) { +- fprintf(file, "%s (%s)\n", basename(name), TINI_VERSION_STRING); ++ char *dirc, *bname; ++ ++ dirc = strdup(name); ++ bname = basename(dirc); ++ ++ fprintf(file, "%s (%s)\n", bname, TINI_VERSION_STRING); + + #if TINI_MINIMAL +- fprintf(file, "Usage: %s PROGRAM [ARGS] | --version\n\n", basename(name)); ++ fprintf(file, "Usage: %s PROGRAM [ARGS] | --version\n\n", bname); + #else +- fprintf(file, "Usage: %s [OPTIONS] PROGRAM -- [ARGS] | --version\n\n", basename(name)); ++ fprintf(file, "Usage: %s [OPTIONS] PROGRAM -- [ARGS] | --version\n\n", bname); + #endif +- fprintf(file, "Execute a program under the supervision of a valid init process (%s)\n\n", basename(name)); ++ fprintf(file, "Execute a program under the supervision of a valid init process (%s)\n\n", bname); + + fprintf(file, "Command line options:\n\n"); + +@@ -261,6 +267,7 @@ void print_usage(char* const name, FILE* + fprintf(file, " %s: Send signals to the child's process group.\n", KILL_PROCESS_GROUP_GROUP_ENV_VAR); + + fprintf(file, "\n"); ++ free(dirc); + } + + void print_license(FILE* const file) { From db07f86c35f5a1ee6a441262119d0443ac40ee9b Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Sat, 13 Apr 2024 14:33:22 -0700 Subject: [PATCH 071/106] xxhash: switch to local git tarballs Smaller and avoids having to use PKG_UNPACK. Signed-off-by: Rosen Penev --- utils/xxhash/Makefile | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/utils/xxhash/Makefile b/utils/xxhash/Makefile index 4b5598f413..510193338a 100644 --- a/utils/xxhash/Makefile +++ b/utils/xxhash/Makefile 
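Review bot: The result of `strdup(name)` is passed to `basename()` unchecked in print_usage, and the only explanation is the commit message's remark that the code "will handle it". POSIX defines `basename(NULL)` as returning ".", and `free(NULL)` is a no-op, so an allocation failure only changes the printed program name, but nothing in the source says so. A one-line comment above `bname = basename(dirc);`, e.g. `/* basename(NULL) yields "." per POSIX, so a failed strdup() is harmless */`, would stop the next reader from having to re-derive that. The libmraa backport later in this series relies on the same behaviour in `mraa_count_iio_devices`.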
@@ -12,11 +12,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=xxhash PKG_VERSION:=0.8.2 -PKG_RELEASE:=1 +PKG_RELEASE:=2 -PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://github.com/Cyan4973/xxHash/archive/v$(PKG_VERSION) -PKG_HASH:=baee0c6afd4f03165de7a4e67988d16f0f2b257b51d0e3cb91909302a26a79c4 +PKG_SOURCE_PROTO:=git +PKG_SOURCE_VERSION:=v$(PKG_VERSION) +PKG_SOURCE_URL:=https://github.com/Cyan4973/xxHash +PKG_MIRROR_HASH:=0602a12e9ecd009f97a2a845fb5e46af69a60f96547952e5b00228f33bed5cdd # The source for the library (xxhash.c and xxhash.h) is BSD # The source for the command line tool (xxhsum.c) is GPLv2+ @@ -28,8 +29,6 @@ PKG_INSTALL:=1 include $(INCLUDE_DIR)/package.mk -PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)" - define Package/xxhash/Default TITLE:=Extremely fast hash algorithm URL:=https://xxhash.com/ From 72a6e17d49f07ae697d2fa33a08c02fee502f948 Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Sat, 13 Apr 2024 14:35:46 -0700 Subject: [PATCH 072/106] xxhash: build with cmake Faster. Signed-off-by: Rosen Penev --- utils/xxhash/Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/utils/xxhash/Makefile b/utils/xxhash/Makefile index 510193338a..36f23732d7 100644 --- a/utils/xxhash/Makefile +++ b/utils/xxhash/Makefile @@ -25,9 +25,10 @@ PKG_LICENSE:=BSD-2-Clause GPL-2.0-or-later PKG_LICENSE_FILES:=LICENSE cli/COPYING PKG_MAINTAINER:=Julien Malik -PKG_INSTALL:=1 +CMAKE_SOURCE_SUBDIR:=cmake_unofficial include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/cmake.mk define Package/xxhash/Default TITLE:=Extremely fast hash algorithm 
@@ -73,7 +74,7 @@ define Build/InstallDev $(INSTALL_DIR) $(1)/usr/include $(CP) $(PKG_INSTALL_DIR)/usr/include/*.h $(1)/usr/include/ $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxxhash.{a,so*} $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxxhash.so* $(1)/usr/lib/ $(INSTALL_DIR) $(1)/usr/lib/pkgconfig $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libxxhash.pc $(1)/usr/lib/pkgconfig/ endef From 9447654b6be3e65abac62735c1e66401c1c36cca Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Sun, 14 Apr 2024 15:43:23 +0200 Subject: [PATCH 073/106] libmraa: Fix compilation with musl libc 1.2.5 Support POSIX basename used in musl libc 1.2.5. This backports a patch from upstream git. Signed-off-by: Hauke Mehrtens --- .../patches/001-mraa-Use-posix-basename.patch | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 libs/libmraa/patches/001-mraa-Use-posix-basename.patch diff --git a/libs/libmraa/patches/001-mraa-Use-posix-basename.patch b/libs/libmraa/patches/001-mraa-Use-posix-basename.patch new file mode 100644 index 0000000000..97af1565ec --- /dev/null +++ b/libs/libmraa/patches/001-mraa-Use-posix-basename.patch 
@@ -0,0 +1,40 @@ +From 47c3850cddd63cebd9dc48e411963314449118f1 Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Sun, 31 Dec 2023 19:16:35 -0800 +Subject: [PATCH] mraa: Use posix basename + +Musl has removed the declaration from string.h [1] which exposes the +problem especially with clang-17+ compiler where implicit function +declaration is flagged as error. Use posix basename and make a copy of +string to operate on to emulate GNU basename behaviour. + +[1] https://git.musl-libc.org/cgit/musl/commit/?id=725e17ed6dff4d0cd22487bb64470881e86a92e7 + +Signed-off-by: Khem Raj +--- + src/mraa.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/src/mraa.c ++++ b/src/mraa.c +@@ -12,6 +12,7 @@ + #endif + + #include ++#include + #include + #include + #include +@@ -338,9 +339,11 @@ static int + mraa_count_iio_devices(const char* path, const struct stat* sb, int flag, struct FTW* ftwb) + { + // we are only interested in files with specific names +- if (fnmatch(IIO_DEVICE_WILDCARD, basename(path), 0) == 0) { ++ char* tmp = strdup(path); ++ if (fnmatch(IIO_DEVICE_WILDCARD, basename(tmp), 0) == 0) { + num_iio_devices++; + } ++ free(tmp); + return 0; + } + From bf1b907d125e191984fb7bcf10107580878d81e1 Mon Sep 17 00:00:00 2001 From: Jonas Jelonek Date: Sat, 20 Apr 2024 18:10:46 +0200 Subject: [PATCH 074/106] eza: update to 0.18.11 changelogs: 0.18.10: https://github.com/eza-community/eza/releases/tag/v0.18.10 0.18.11: https://github.com/eza-community/eza/releases/tag/v0.18.11 Signed-off-by: Jonas Jelonek --- utils/eza/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utils/eza/Makefile b/utils/eza/Makefile index 9595e4fd11..e26e3e5de4 100644 --- a/utils/eza/Makefile +++ b/utils/eza/Makefile 
@@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=eza -PKG_VERSION:=0.18.9 +PKG_VERSION:=0.18.11 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/eza-community/eza/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=917736591429813ef4cfce47bb2d3d87e9f1e142b2a6ebf74a345c3a15894918 +PKG_HASH:=92d810c36ac67038e2ed3c421087de8793eb0b9de332c9239096df9d52eb30e3 PKG_MAINTAINER:=Jonas Jelonek PKG_LICENSE:=MIT From 75f971407d61c622f975605eacbc8b8d6e86232e Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Fri, 19 Apr 2024 14:36:01 -0700 Subject: [PATCH 075/106] gost_engine: switch to local tarballs Avoids PKG_UNPACK hacks. Added PKG_LICENSE_FILES. Reordered variables for consistency between packages. Signed-off-by: Rosen Penev --- libs/gost_engine/Makefile | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/libs/gost_engine/Makefile b/libs/gost_engine/Makefile index aac842a283..308b7e45b4 100644 --- a/libs/gost_engine/Makefile +++ b/libs/gost_engine/Makefile @@ -3,21 +3,20 @@ include $(INCLUDE_DIR)/openssl-module.mk PKG_NAME:=gost_engine PKG_VERSION:=3.0.3 -PKG_HASH:=8cf888333d08b8bbcc12e4e8c0d8b258c74dbd67941286ffbcc648c6d3d66735 -PKG_LICENSE:=Apache-2.0 -PKG_RELEASE:=9 +PKG_RELEASE:=10 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://github.com/gost-engine/engine/archive/v$(PKG_VERSION) +PKG_SOURCE_PROTO:=git +PKG_SOURCE_VERSION:=v$(PKG_VERSION) +PKG_SOURCE_URL:=https://github.com/gost-engine/engine +PKG_MIRROR_HASH:=ad88b0bc4ede265bc91757f0bb9777a381f8e271faa43992a054ddd5f435ad88 PKG_MAINTAINER:=Artur Petrov +PKG_LICENSE:=Apache-2.0 +PKG_LICENSE_FILES:=LICENSE include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/cmake.mk -PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)" -PKG_INSTALL:= - define Package/gost_engine/Default $(call Package/openssl/engine/Default) TITLE:=GOST engine for OpenSSL 
@@ -49,7 +48,7 @@ define Package/gost_engine-util $(call Package/gost_engine/Default) SECTION:=utils CATEGORY:=Utilities - DEPENDS:=libopenssl-gost_engine + DEPENDS:=+libopenssl-gost_engine TITLE+= (utilities) endef @@ -61,15 +60,17 @@ endef CMAKE_OPTIONS += -DOPENSSL_ENGINES_DIR=/usr/lib/$(ENGINES_DIR) define Package/libopenssl-gost_engine/install - $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) $(1)/etc/ssl/engines.cnf.d - $(INSTALL_DATA) $(PKG_BUILD_DIR)/bin/gost.so \ + $(INSTALL_DIR) $(1)/usr/lib $(1)/usr/lib/$(ENGINES_DIR) $(1)/etc/ssl/engines.cnf.d + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libgost.so \ + $(1)/usr/lib/ + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/gost.so \ $(1)/usr/lib/$(ENGINES_DIR)/ $(INSTALL_DATA) ./files/gost.cnf $(1)/etc/ssl/engines.cnf.d/ endef define Package/gost_engine-util/install $(INSTALL_DIR) $(1)/usr/bin - $(INSTALL_BIN) $(PKG_BUILD_DIR)/bin/{gost12sum,gostsum} \ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/{gost12sum,gostsum} \ $(1)/usr/bin/ endef From 474587a1f44db8b66caca8bdde9c2dd64b480638 Mon Sep 17 00:00:00 2001 From: Stan Grishin Date: Sun, 21 Apr 2024 14:06:52 +0000 Subject: [PATCH 076/106] adblock-fast: bugfix: unbound-related fixes * include `server:` directive at the top of unbound file * update unbound-related outputGzip variable to include full path * return always_nxdomain for blocked domains * also update copyright stamp/license Signed-off-by: Stan Grishin --- net/adblock-fast/Makefile | 10 ++++---- .../files/etc/init.d/adblock-fast | 23 +++++++++++-------- 2 files changed, 19 insertions(+), 14 deletions(-) diff --git a/net/adblock-fast/Makefile b/net/adblock-fast/Makefile index 29aed18735..9a9e5d6339 100644 --- a/net/adblock-fast/Makefile +++ b/net/adblock-fast/Makefile 
@@ -1,14 +1,14 @@ -# Copyright 2023 MOSSDeF, Stan Grishin (stangri@melmac.ca) -# TLD optimization written by Dirk Brenken (dev@brenken.org) -# This is free software, licensed under the GNU General Public License v3. +# Copyright 2023-2024 MOSSDeF, Stan Grishin (stangri@melmac.ca). +# TLD optimization written by Dirk Brenken (dev@brenken.org). +# This is free software, licensed under AGPL-3.0-or-later. include $(TOPDIR)/rules.mk PKG_NAME:=adblock-fast PKG_VERSION:=1.1.1 -PKG_RELEASE:=r8 +PKG_RELEASE:=11 PKG_MAINTAINER:=Stan Grishin -PKG_LICENSE:=GPL-3.0-or-later +PKG_LICENSE:=AGPL-3.0-or-later include $(INCLUDE_DIR)/package.mk diff --git a/net/adblock-fast/files/etc/init.d/adblock-fast b/net/adblock-fast/files/etc/init.d/adblock-fast index 61fc43a8d5..ccef67683b 100755 --- a/net/adblock-fast/files/etc/init.d/adblock-fast +++ b/net/adblock-fast/files/etc/init.d/adblock-fast @@ -52,7 +52,7 @@ readonly smartdnsNftsetFilter=';' readonly unboundFile="/var/lib/unbound/adb_list.${packageName}" readonly unboundCache="/var/run/${packageName}/unbound.cache" readonly unboundGzip="${packageName}.unbound.gz" -readonly unboundFilter='s|^|local-zone: "|;s|$|" static|' +readonly unboundFilter='s|^|local-zone: "|;s|$|." always_nxdomain|' readonly A_TMP="/var/${packageName}.a.tmp" readonly B_TMP="/var/${packageName}.b.tmp" readonly SED_TMP="/var/${packageName}.sed.tmp" @@ -267,7 +267,7 @@ dns_set_output_values() { outputFilter="$unboundFilter" outputFile="$unboundFile" outputCache="$unboundCache" - outputGzip="$unboundGzip" + outputGzip="${compressed_cache_dir}/${unboundGzip}" ;; esac } 
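Review bot: `PKG_RELEASE` changes from `r8` to `11` in the Makefile hunk while `PKG_VERSION` stays at 1.1.1, and under dpkg-style version ordering (which opkg appears to follow) a revision starting with a letter sorts after one starting with a digit. If that holds, `1.1.1-11` compares as older than `1.1.1-r8`, so devices on r8 would not be offered this bugfix build as an upgrade. Either keep the existing scheme (`PKG_RELEASE:=r9`) or bump `PKG_VERSION` in the same commit so the new build sorts higher. The relicensing from GPL-3.0-or-later to AGPL-3.0-or-later in the same hunk is a separate concern from the unbound fixes and would be easier to audit as its own commit.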
@@ -757,7 +757,7 @@ load_environment() { [ "$dns" = 'smartdns.domainset' ] || rm -f "$smartdnsDomainSetFile" "$smartdnsDomainSetCache" "${compressed_cache_dir}/${smartdnsDomainSetGzip}" "$smartdnsDomainSetConfig" [ "$dns" = 'smartdns.ipset' ] || rm -f "$smartdnsIpsetFile" "$smartdnsIpsetCache" "${compressed_cache_dir}/${smartdnsIpsetGzip}" "$smartdnsIpsetConfig" [ "$dns" = 'smartdns.nftset' ] || rm -f "$smartdnsNftsetFile" "$smartdnsNftsetCache" "${compressed_cache_dir}/${smartdnsNftsetGzip}" "$smartdnsNftsetConfig" - [ "$dns" = 'unbound.adb_list' ] || rm -f "$unboundFile" "$unboundCache" "$unboundGzip" + [ "$dns" = 'unbound.adb_list' ] || rm -f "$unboundFile" "$unboundCache" "${compressed_cache_dir}/${unboundGzip}" for i in "$runningConfigFile" "$runningErrorFile" "$runningStatusFile" "$outputFile" "$outputCache" "$outputGzip" "$outputConfig"; do [ -n "$i" ] || continue @@ -892,7 +892,7 @@ resolver() { rm -f "$smartdnsDomainSetFile" "$smartdnsDomainSetCache" "${compressed_cache_dir}/${smartdnsDomainSetGzip}" "$smartdnsDomainSetConfig" rm -f "$smartdnsIpsetFile" "$smartdnsIpsetCache" "${compressed_cache_dir}/${smartdnsIpsetGzip}" "$smartdnsIpsetConfig" rm -f "$smartdnsNftsetFile" "$smartdnsNftsetCache" "${compressed_cache_dir}/${smartdnsNftsetGzip}" "$smartdnsNftsetConfig" - rm -f "$unboundFile" "$unboundCache" "$unboundGzip" + rm -f "$unboundFile" "$unboundCache" "${compressed_cache_dir}/${unboundGzip}" if [ -s "/etc/config/dhcp" ]; then config_load 'dhcp' config_foreach _dnsmasq_instance_config 'dnsmasq' 'cleanup' 
@@ -932,19 +932,19 @@ resolver() { case "$dns" in dnsmasq.*) chmod 660 "$outputFile" - chown root:dnsmasq "$outputFile" + chown root:dnsmasq "$outputFile" >/dev/null 2>/dev/null param='dnsmasq_restart' output_text='Restarting dnsmasq' ;; smartdns.*) chmod 660 "$outputFile" "$outputConfig" - chown root:root "$outputFile" "$outputConfig" + chown root:root "$outputFile" "$outputConfig" >/dev/null 2>/dev/null param='smartdns_restart' output_text='Restarting SmartDNS' ;; unbound.*) chmod 660 "$outputFile" - chown root:unbound "$outputFile" + chown root:unbound "$outputFile" >/dev/null 2>/dev/null param='unbound_restart' output_text='Restarting Unbound' ;; @@ -1036,7 +1036,7 @@ cache() { return $? ;; test_gzip) - [ -s "$outputGzip" ] && gzip -t -c "$outputGzip" + [ -s "$outputGzip" ] && gzip -t -c "$outputGzip" >/dev/null 2>/dev/null return $? ;; create_gzip) @@ -1412,6 +1412,11 @@ $(sed '/^[[:space:]]*$/d' "$A_TMP")" output_failn json add error 'errorMovingDataFile' fi + case "$dns" in + unbound.adb_list) + sed -i '1 i\server:' "$outputFile" + ;; + esac if [ "$compressed_cache" -gt 0 ]; then output 2 'Creating compressed cache ' json set message "$(get_text 'statusProcessing'): creating compressed cache" @@ -1596,7 +1601,7 @@ adb_check() { smartdns.*) grep "$string" "$outputFile";; unbound.adb_list) - grep "$string" "$outputFile" | sed 's|^local-zone: "||;s|" static$||;';; + grep "$string" "$outputFile" | sed 's|^local-zone: "||;s|." always_nxdomain$||;';; esac fi else From a9371952c916423876d3d380837b7b47ef08eb69 Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Sun, 21 Apr 2024 17:38:24 +0200 Subject: [PATCH 077/106] uwsgi: bump to latest 2.0.25.1 release Bump to latest 2.0.25.1 release Drop upstream PCRE2 patch and alarm memory leak fix. Rework and refresh patch due to release bump. 
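Review bot: The three `chown` calls in the `case "$dns"` block now discard both output and exit status, right after `chmod 660` has removed world-read access. If the target group does not exist or the chown fails for another reason, the list presumably stays `root:root 0660` and a resolver running as an unprivileged user cannot read it, so blocking stops with nothing logged. Check the result instead of hiding it, for example by appending `|| chown_failed=1` and reporting that through the script's existing error output. If the suppression is deliberate, say why in a comment such as `# group may be absent on this system; file then stays root:root 0660`. `resolver()` starts and ends outside this hunk.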
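Review bot: In the hunk at -1412, the new `sed -i '1 i\server:' "$outputFile"` sits after the `fi` that closes the move-failure branch, so it appears to run even when moving the data file just failed and `errorMovingDataFile` was recorded. In that case it would edit a missing or stale file, and its own exit status is not checked either. I would prepend the header to the temporary file before the move, or guard the block so it only runs when the move succeeded and add `|| json add error ...` using whichever error key the script defines for this. The enclosing function is not fully visible in the hunk, so the exact control flow should be confirmed there.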
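Review bot: In the `adb_check` hunk at -1601, the `.` in `s|." always_nxdomain$||` is an unescaped regex metacharacter and matches any character before the closing quote. It happens to work because the filter always writes a literal dot there, but `s|\." always_nxdomain$||` states the intent and cannot strip the last character of a name if the file format drifts. Separately, now that the file begins with a `server:` line, `grep "$string"` can return that header for a matching query. Anchoring the grep to `^local-zone: ` would keep non-domain lines out of the result. The rest of `adb_check` is outside the hunk.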
Signed-off-by: Christian Marangi --- net/uwsgi/Makefile | 4 +- .../patches/001-dont-hardcode-zlib.patch | 2 +- ...dont-override-toolchain-optimization.patch | 13 +- ...03-hard-code-Linux-as-compilation-os.patch | 2 +- .../004-core-alarm_fix_memory_leak.patch | 20 - .../patches/005-ssl-option-can_t-be-set.patch | 2 +- net/uwsgi/patches/010-uclibc-ng.patch | 2 +- net/uwsgi/patches/020-add-pcre2-support.patch | 887 ------------------ 8 files changed, 12 insertions(+), 920 deletions(-) delete mode 100644 net/uwsgi/patches/004-core-alarm_fix_memory_leak.patch delete mode 100644 net/uwsgi/patches/020-add-pcre2-support.patch diff --git a/net/uwsgi/Makefile b/net/uwsgi/Makefile index 3938221c70..a5fbc59ba9 100644 --- a/net/uwsgi/Makefile +++ b/net/uwsgi/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=uwsgi -PKG_VERSION:=2.0.22 +PKG_VERSION:=2.0.25.1 PKG_RELEASE:=1 PYPI_NAME:=uWSGI PYPI_SOURCE_NAME:=uwsgi -PKG_HASH:=4cc4727258671ac5fa17ab422155e9aaef8a2008ebb86e4404b66deaae965db2 +PKG_HASH:=d653d2d804c194c8cbe2585fa56efa2650313ae75c686a9d7931374d4dfbfc6e PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE_FILES:=LICENSE diff --git a/net/uwsgi/patches/001-dont-hardcode-zlib.patch b/net/uwsgi/patches/001-dont-hardcode-zlib.patch index 38a42c0453..37a81e3baf 100644 --- a/net/uwsgi/patches/001-dont-hardcode-zlib.patch +++ b/net/uwsgi/patches/001-dont-hardcode-zlib.patch @@ -1,6 +1,6 @@ --- a/uwsgiconfig.py +++ b/uwsgiconfig.py -@@ -859,11 +859,11 @@ class uConf(object): +@@ -863,11 +863,11 @@ class uConf(object): self.cflags.append('-DUWSGI_HAS_EXECINFO') report['execinfo'] = True diff --git a/net/uwsgi/patches/002-dont-override-toolchain-optimization.patch b/net/uwsgi/patches/002-dont-override-toolchain-optimization.patch index a6c71e143e..55578a52ee 100644 --- a/net/uwsgi/patches/002-dont-override-toolchain-optimization.patch +++ b/net/uwsgi/patches/002-dont-override-toolchain-optimization.patch @@ -1,11 +1,10 @@ --- a/uwsgiconfig.py 
+++ b/uwsgiconfig.py -@@ -688,7 +688,7 @@ class uConf(object): +@@ -684,7 +684,6 @@ class uConf(object): self.include_path += os.environ['UWSGI_INCLUDES'].split(',') - -- self.cflags = ['-O2', '-I.', '-Wall', '-D_LARGEFILE_SOURCE', '-D_FILE_OFFSET_BITS=64'] + os.environ.get("CFLAGS", "").split() + self.get('cflags','').split() -+ self.cflags = ['-I.', '-Wall', '-D_LARGEFILE_SOURCE', '-D_FILE_OFFSET_BITS=64'] + os.environ.get("CFLAGS", "").split() + self.get('cflags','').split() - - report['kernel'] = uwsgi_os - + cflags = [ +- '-O2', + '-I.', + '-Wall', + '-D_LARGEFILE_SOURCE', diff --git a/net/uwsgi/patches/003-hard-code-Linux-as-compilation-os.patch b/net/uwsgi/patches/003-hard-code-Linux-as-compilation-os.patch index 02a5f3bdc0..4e18674d78 100644 --- a/net/uwsgi/patches/003-hard-code-Linux-as-compilation-os.patch +++ b/net/uwsgi/patches/003-hard-code-Linux-as-compilation-os.patch @@ -1,6 +1,6 @@ --- a/uwsgiconfig.py +++ b/uwsgiconfig.py -@@ -5,9 +5,9 @@ uwsgi_version = '2.0.22' +@@ -5,9 +5,9 @@ uwsgi_version = '2.0.25.1' import os import re import time diff --git a/net/uwsgi/patches/004-core-alarm_fix_memory_leak.patch b/net/uwsgi/patches/004-core-alarm_fix_memory_leak.patch deleted file mode 100644 index 990c7e6aac..0000000000 --- a/net/uwsgi/patches/004-core-alarm_fix_memory_leak.patch +++ /dev/null @@ -1,20 +0,0 @@ -From bad0edfc10a80de908a3d83c7f075eff8df3a691 Mon Sep 17 00:00:00 2001 -From: Riccardo Magliocchetti -Date: Wed, 14 Jan 2015 21:19:24 +0100 -Subject: [PATCH] core/alarm: fix memory leak - -Reported by Coverity as CID #971006 ---- - core/alarm.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/core/alarm.c -+++ b/core/alarm.c -@@ -171,6 +171,7 @@ static int uwsgi_alarm_log_add(char *ala - - ual = uwsgi_calloc(sizeof(struct uwsgi_alarm_log)); - if (uwsgi_regexp_build(regexp, &ual->pattern, &ual->pattern_extra)) { -+ free(ual); - return -1; - } - ual->negate = negate; 
diff --git a/net/uwsgi/patches/005-ssl-option-can_t-be-set.patch b/net/uwsgi/patches/005-ssl-option-can_t-be-set.patch index 4a478af52a..efdbd47e67 100644 --- a/net/uwsgi/patches/005-ssl-option-can_t-be-set.patch +++ b/net/uwsgi/patches/005-ssl-option-can_t-be-set.patch @@ -18,6 +18,6 @@ Given the changeset which introduced this option with the ssl-enable3 option whi {"ssl-enable-tlsv1", no_argument, 0, "enable TLSv1 (insecure)", uwsgi_opt_true, &uwsgi.tlsv1, 0}, - {"ssl-option", no_argument, 0, "set a raw ssl option (numeric value)", uwsgi_opt_add_string_list, &uwsgi.ssl_options, 0}, + {"ssl-option", required_argument, 0, "set a raw ssl option (numeric value)", uwsgi_opt_add_string_list, &uwsgi.ssl_options, 0}, - #ifdef UWSGI_PCRE + #if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) {"sni-regexp", required_argument, 0, "add an SNI-governed SSL context (the key is a regexp)", uwsgi_opt_sni, NULL, 0}, #endif diff --git a/net/uwsgi/patches/010-uclibc-ng.patch b/net/uwsgi/patches/010-uclibc-ng.patch index b3f1a66420..e98bab3e03 100644 --- a/net/uwsgi/patches/010-uclibc-ng.patch +++ b/net/uwsgi/patches/010-uclibc-ng.patch @@ -1,6 +1,6 @@ --- a/core/uwsgi.c +++ b/core/uwsgi.c -@@ -1825,7 +1825,7 @@ void uwsgi_plugins_atexit(void) { +@@ -1794,7 +1794,7 @@ void uwsgi_plugins_atexit(void) { void uwsgi_backtrace(int depth) { diff --git a/net/uwsgi/patches/020-add-pcre2-support.patch b/net/uwsgi/patches/020-add-pcre2-support.patch deleted file mode 100644 index 2f6db9f4c2..0000000000 --- a/net/uwsgi/patches/020-add-pcre2-support.patch +++ /dev/null 
@@ -1,887 +0,0 @@ -From 7835662f76831a76e4cc04791fcf2ee1ea725931 Mon Sep 17 00:00:00 2001 -From: Riccardo Magliocchetti -Date: Tue, 25 Jul 2023 16:17:52 +0200 -Subject: [PATCH 01/12] uwsgiconfig: prepare for pcre2 - ---- - uwsgiconfig.py | 45 ++++++++++++++++++++++----------------------- - 1 file changed, 22 insertions(+), 23 deletions(-) - ---- a/uwsgiconfig.py -+++ b/uwsgiconfig.py -@@ -1079,30 +1079,29 @@ class uConf(object): - - has_pcre = False - -- # re-enable after pcre fix -- if self.get('pcre'): -- if self.get('pcre') == 'auto': -- pcreconf = spcall('pcre-config --libs') -- if pcreconf: -- self.libs.append(pcreconf) -- pcreconf = spcall("pcre-config --cflags") -- self.cflags.append(pcreconf) -- self.gcc_list.append('core/regexp') -- self.cflags.append("-DUWSGI_PCRE") -- has_pcre = True -- -+ required_pcre = self.get('pcre') -+ if required_pcre: -+ pcre_libs = spcall('pcre2-config --libs8') -+ if pcre_libs: -+ pcre_cflags = spcall("pcre2-config --cflags") -+ pcre_define = "-DUWSGI_PCRE2" - else: -- pcreconf = spcall('pcre-config --libs') -- if pcreconf is None: -- print("*** libpcre headers unavailable. uWSGI build is interrupted. You have to install pcre development package or disable pcre") -- sys.exit(1) -- else: -- self.libs.append(pcreconf) -- pcreconf = spcall("pcre-config --cflags") -- self.cflags.append(pcreconf) -- self.gcc_list.append('core/regexp') -- self.cflags.append("-DUWSGI_PCRE") -- has_pcre = True -+ pcre_libs = spcall('pcre-config --libs') -+ pcre_cflags = spcall("pcre-config --cflags") -+ pcre_define = "-DUWSGI_PCRE" -+ else: -+ pcre_libs = None -+ -+ if required_pcre: -+ if required_pcre != 'auto' and pcre_libs is None: -+ print("*** libpcre headers unavailable. uWSGI build is interrupted. 
You have to install pcre development package or disable pcre") -+ sys.exit(1) -+ -+ self.libs.append(pcre_libs) -+ self.cflags.append(pcre_cflags) -+ self.gcc_list.append('core/regexp') -+ self.cflags.append(pcre_define) -+ has_pcre = True - - if has_pcre: - report['pcre'] = True ---- a/core/alarm.c -+++ b/core/alarm.c -@@ -160,7 +160,7 @@ static struct uwsgi_alarm_instance *uwsg - } - - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - static int uwsgi_alarm_log_add(char *alarms, char *regexp, int negate) { - - struct uwsgi_alarm_log *old_ual = NULL, *ual = uwsgi.alarm_logs; -@@ -170,7 +170,7 @@ static int uwsgi_alarm_log_add(char *ala - } - - ual = uwsgi_calloc(sizeof(struct uwsgi_alarm_log)); -- if (uwsgi_regexp_build(regexp, &ual->pattern, &ual->pattern_extra)) { -+ if (uwsgi_regexp_build(regexp, &ual->pattern)) { - free(ual); - return -1; - } -@@ -331,7 +331,7 @@ void uwsgi_alarms_init() { - usl = usl->next; - } - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - // then map log-alarm - usl = uwsgi.alarm_logs_list; - while (usl) { -@@ -377,14 +377,14 @@ void uwsgi_alarm_trigger_uai(struct uwsg - } - } - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - // check if a log should raise an alarm - void uwsgi_alarm_log_check(char *msg, size_t len) { - if (!uwsgi_strncmp(msg, len, "[uwsgi-alarm", 12)) - return; - struct uwsgi_alarm_log *ual = uwsgi.alarm_logs; - while (ual) { -- if (uwsgi_regexp_match(ual->pattern, ual->pattern_extra, msg, len) >= 0) { -+ if (uwsgi_regexp_match(ual->pattern, msg, len) >= 0) { - if (!ual->negate) { - struct uwsgi_alarm_ll *uall = ual->alarms; - while (uall) { ---- a/core/logging.c -+++ b/core/logging.c -@@ -414,7 +414,7 @@ void uwsgi_setup_log_master(void) { - usl = usl->next; - } - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - // set logger by its id - struct uwsgi_regexp_list *url = uwsgi.log_route; - while (url) { -@@ -1398,11 +1398,11 @@ 
int uwsgi_master_log(void) { - - ssize_t rlen = read(uwsgi.shared->worker_log_pipe[0], uwsgi.log_master_buf, uwsgi.log_master_bufsize); - if (rlen > 0) { --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - uwsgi_alarm_log_check(uwsgi.log_master_buf, rlen); - struct uwsgi_regexp_list *url = uwsgi.log_drain_rules; - while (url) { -- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, uwsgi.log_master_buf, rlen) >= 0) { -+ if (uwsgi_regexp_match(url->pattern, uwsgi.log_master_buf, rlen) >= 0) { - return 0; - } - url = url->next; -@@ -1411,7 +1411,7 @@ int uwsgi_master_log(void) { - int show = 0; - url = uwsgi.log_filter_rules; - while (url) { -- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, uwsgi.log_master_buf, rlen) >= 0) { -+ if (uwsgi_regexp_match(url->pattern, uwsgi.log_master_buf, rlen) >= 0) { - show = 1; - break; - } -@@ -1424,7 +1424,7 @@ int uwsgi_master_log(void) { - url = uwsgi.log_route; - int finish = 0; - while (url) { -- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, uwsgi.log_master_buf, rlen) >= 0) { -+ if (uwsgi_regexp_match(url->pattern, uwsgi.log_master_buf, rlen) >= 0) { - struct uwsgi_logger *ul_route = (struct uwsgi_logger *) url->custom_ptr; - if (ul_route) { - uwsgi_log_func_do(uwsgi.requested_log_encoders, ul_route, uwsgi.log_master_buf, rlen); -@@ -1464,11 +1464,11 @@ int uwsgi_master_req_log(void) { - - ssize_t rlen = read(uwsgi.shared->worker_req_log_pipe[0], uwsgi.log_master_buf, uwsgi.log_master_bufsize); - if (rlen > 0) { --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - struct uwsgi_regexp_list *url = uwsgi.log_req_route; - int finish = 0; - while (url) { -- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, uwsgi.log_master_buf, rlen) >= 0) { -+ if (uwsgi_regexp_match(url->pattern, uwsgi.log_master_buf, rlen) >= 0) { - struct uwsgi_logger *ul_route = (struct uwsgi_logger *) url->custom_ptr; - if (ul_route) { - uwsgi_log_func_do(uwsgi.requested_log_req_encoders, 
ul_route, uwsgi.log_master_buf, rlen); ---- a/core/regexp.c -+++ b/core/regexp.c -@@ -1,4 +1,4 @@ --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - #include "uwsgi.h" - - extern struct uwsgi_server uwsgi; -@@ -13,48 +13,110 @@ void uwsgi_opt_pcre_jit(char *opt, char - #endif - } - --int uwsgi_regexp_build(char *re, pcre ** pattern, pcre_extra ** pattern_extra) { -+int uwsgi_regexp_build(char *re, uwsgi_pcre ** pattern) { - -+#ifdef UWSGI_PCRE2 -+ int errnbr; -+ long unsigned int erroff; -+ -+ *pattern = pcre2_compile((const unsigned char *) re, PCRE2_ZERO_TERMINATED, 0, &errnbr, &erroff, NULL); -+#else - const char *errstr; - int erroff; - -- *pattern = pcre_compile((const char *) re, 0, &errstr, &erroff, NULL); -- if (!*pattern) { -+ *pattern = uwsgi_malloc(sizeof(uwsgi_pcre)); -+ (*pattern)->p = pcre_compile((const char *) re, 0, &errstr, &erroff, NULL); -+#endif -+#ifdef UWSGI_PCRE2 -+ if (!(*pattern)) { -+ uwsgi_log("pcre error: code %d at offset %d\n", errnbr, erroff); -+#else -+ if (!((*pattern)->p)) { - uwsgi_log("pcre error: %s at offset %d\n", errstr, erroff); -+#endif - return -1; - } - -+#ifdef UWSGI_PCRE2 -+ if (uwsgi.pcre_jit) { -+ errnbr = pcre2_jit_compile(*pattern, PCRE2_JIT_COMPLETE); -+ if (errnbr) { -+ pcre2_code_free(*pattern); -+ uwsgi_log("pcre JIT compile error code %d\n", errnbr); -+ return -1; -+ } -+#else - int opt = uwsgi.pcre_jit; - -- *pattern_extra = (pcre_extra *) pcre_study((const pcre *) *pattern, opt, &errstr); -- if (*pattern_extra == NULL && errstr != NULL) { -- pcre_free(*pattern); -+ (*pattern)->extra = (pcre_extra *) pcre_study((const pcre *) (*pattern)->p, opt, &errstr); -+ if ((*pattern)->extra == NULL && errstr != NULL) { -+ pcre_free((*pattern)->p); -+ free(*pattern); - uwsgi_log("pcre (study) error: %s\n", errstr); - return -1; -+#endif - } - - return 0; - - } - --int uwsgi_regexp_match(pcre * pattern, pcre_extra * pattern_extra, char *subject, int length) { -- -- return pcre_exec((const pcre *) 
pattern, (const pcre_extra *) pattern_extra, subject, length, 0, 0, NULL, 0); -+int uwsgi_regexp_match(uwsgi_pcre *pattern, const char *subject, int length) { -+#ifdef UWSGI_PCRE2 -+ return pcre2_match(pattern, (const unsigned char *)subject, length, 0, 0, NULL, NULL); -+#else -+ return pcre_exec((const pcre *) pattern->p, (const pcre_extra *) pattern->extra, subject, length, 0, 0, NULL, 0); -+#endif - } - --int uwsgi_regexp_match_ovec(pcre * pattern, pcre_extra * pattern_extra, char *subject, int length, int *ovec, int n) { -+int uwsgi_regexp_match_ovec(uwsgi_pcre *pattern, const char *subject, int length, int *ovec, int n) { -+ -+#ifdef UWSGI_PCRE2 -+ int rc; -+ int i; -+ pcre2_match_data *match_data; -+ size_t *pcre2_ovec; -+ -+ match_data = pcre2_match_data_create_from_pattern(pattern, NULL); -+ rc = pcre2_match(pattern, (const unsigned char *)subject, length, 0, 0, match_data, NULL); - -+ /* -+ * Quoting PCRE{,2} spec, "The first pair of integers, ovector[0] -+ * and ovector[1], identify the portion of the subject string matched -+ * by the entire pattern. The next pair is used for the first capturing -+ * subpattern, and so on." Therefore, the ovector size is the number of -+ * capturing subpatterns (INFO_CAPTURECOUNT), from uwsgi_regexp_ovector(), -+ * as matching pairs, plus room for the first pair. 
-+ */ - if (n > 0) { -- return pcre_exec((const pcre *) pattern, (const pcre_extra *) pattern_extra, subject, length, 0, 0, ovec, (n + 1) * 3); -+ // copy pcre2 output vector to uwsgi output vector -+ pcre2_ovec = pcre2_get_ovector_pointer(match_data); -+ for (i=0;i<(n+1)*2;i++) { -+ ovec[i] = pcre2_ovec[i]; -+ } -+#else -+ if (n > 0) { -+ return pcre_exec((const pcre *) pattern->p, (const pcre_extra *) pattern->extra, subject, length, 0, 0, ovec, PCRE_OVECTOR_BYTESIZE(n)); -+#endif - } -- return pcre_exec((const pcre *) pattern, (const pcre_extra *) pattern_extra, subject, length, 0, 0, NULL, 0); -+ -+#ifdef UWSGI_PCRE2 -+ pcre2_match_data_free(match_data); -+ -+ return rc; -+#else -+ return pcre_exec((const pcre *) pattern->p, (const pcre_extra *) pattern->extra, subject, length, 0, 0, NULL, 0); -+#endif - } - --int uwsgi_regexp_ovector(pcre * pattern, pcre_extra * pattern_extra) { -+int uwsgi_regexp_ovector(const uwsgi_pcre *pattern) { - - int n; -- -- if (pcre_fullinfo((const pcre *) pattern, (const pcre_extra *) pattern_extra, PCRE_INFO_CAPTURECOUNT, &n)) -+#ifdef UWSGI_PCRE2 -+ if (pcre2_pattern_info(pattern, PCRE2_INFO_CAPTURECOUNT, &n)) -+#else -+ if (pcre_fullinfo((const pcre *) pattern->p, (const pcre_extra *) pattern->extra, PCRE_INFO_CAPTURECOUNT, &n)) -+#endif - return 0; - - return n; -@@ -66,7 +128,7 @@ char *uwsgi_regexp_apply_ovec(char *src, - int dollar = 0; - - size_t dollars = n; -- -+ - for(i=0;ipattern, routes->pattern_extra, subject, subject_len, routes->ovector[wsgi_req->async_id], routes->ovn[wsgi_req->async_id]); -+ n = uwsgi_regexp_match_ovec(routes->pattern, subject, subject_len, routes->ovector[wsgi_req->async_id], routes->ovn[wsgi_req->async_id]); - } - else { - int ret = routes->if_func(wsgi_req, routes); -@@ -506,15 +506,15 @@ void uwsgi_fixup_routes(struct uwsgi_rou - - // fill them if needed... 
(this is an optimization for route with a static subject) - if (ur->subject && ur->subject_len) { -- if (uwsgi_regexp_build(ur->orig_route, &ur->pattern, &ur->pattern_extra)) { -+ if (uwsgi_regexp_build(ur->orig_route, &ur->pattern)) { - exit(1); - } - - int i; - for(i=0;iovn[i] = uwsgi_regexp_ovector(ur->pattern, ur->pattern_extra); -+ ur->ovn[i] = uwsgi_regexp_ovector(ur->pattern); - if (ur->ovn[i] > 0) { -- ur->ovector[i] = uwsgi_calloc(sizeof(int) * (3 * (ur->ovn[i] + 1))); -+ ur->ovector[i] = uwsgi_calloc(sizeof(int) * PCRE_OVECTOR_BYTESIZE(ur->ovn[i])); - } - } - } -@@ -1484,38 +1484,47 @@ static int uwsgi_route_condition_regexp( - ur->condition_ub[wsgi_req->async_id] = uwsgi_routing_translate(wsgi_req, ur, NULL, 0, ur->subject_str, semicolon - ur->subject_str); - if (!ur->condition_ub[wsgi_req->async_id]) return -1; - -- pcre *pattern; -- pcre_extra *pattern_extra; -+ uwsgi_pcre *pattern; - char *re = uwsgi_concat2n(semicolon+1, ur->subject_str_len - ((semicolon+1) - ur->subject_str), "", 0); -- if (uwsgi_regexp_build(re, &pattern, &pattern_extra)) { -+ if (uwsgi_regexp_build(re, &pattern)) { - free(re); - return -1; - } - free(re); - - // a condition has no initialized vectors, let's create them -- ur->ovn[wsgi_req->async_id] = uwsgi_regexp_ovector(pattern, pattern_extra); -+ ur->ovn[wsgi_req->async_id] = uwsgi_regexp_ovector(pattern); - if (ur->ovn[wsgi_req->async_id] > 0) { - ur->ovector[wsgi_req->async_id] = uwsgi_calloc(sizeof(int) * (3 * (ur->ovn[wsgi_req->async_id] + 1))); - } - -- if (uwsgi_regexp_match_ovec(pattern, pattern_extra, ur->condition_ub[wsgi_req->async_id]->buf, ur->condition_ub[wsgi_req->async_id]->pos, ur->ovector[wsgi_req->async_id], ur->ovn[wsgi_req->async_id] ) >= 0) { -- pcre_free(pattern); -+ if (uwsgi_regexp_match_ovec(pattern, ur->condition_ub[wsgi_req->async_id]->buf, ur->condition_ub[wsgi_req->async_id]->pos, ur->ovector[wsgi_req->async_id], ur->ovn[wsgi_req->async_id] ) >= 0) { -+#ifdef UWSGI_PCRE2 -+ pcre2_code_free(pattern); 
-+#else -+ pcre_free(pattern->p); - #ifdef PCRE_STUDY_JIT_COMPILE -- pcre_free_study(pattern_extra); -+ pcre_free_study(pattern->extra); - #else -- pcre_free(pattern_extra); -+ pcre_free(pattern->extra); -+#endif -+ free(pattern); - #endif - return 1; - } - -- pcre_free(pattern); -+#ifdef UWSGI_PCRE2 -+ pcre2_code_free(pattern); -+#else -+ pcre_free(pattern->p); - #ifdef PCRE_STUDY_JIT_COMPILE -- pcre_free_study(pattern_extra); -+ pcre_free_study(pattern->extra); - #else -- pcre_free(pattern_extra); -+ pcre_free(pattern->extra); - #endif -- return 0; -+ free(pattern); -+#endif -+ return 0; - } - - static int uwsgi_route_condition_empty(struct wsgi_request *wsgi_req, struct uwsgi_route *ur) { ---- a/core/ssl.c -+++ b/core/ssl.c -@@ -145,10 +145,10 @@ static int uwsgi_sni_cb(SSL *ssl, int *a - - if (uwsgi.subscription_dotsplit) goto end; - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - struct uwsgi_regexp_list *url = uwsgi.sni_regexp; - while(url) { -- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, (char *)servername, servername_len) >= 0) { -+ if (uwsgi_regexp_match(url->pattern, (char *)servername, servername_len) >= 0) { - SSL_set_SSL_CTX(ssl, url->custom_ptr); - return SSL_TLSEXT_ERR_OK; - } -@@ -621,7 +621,7 @@ void uwsgi_opt_sni(char *opt, char *valu - return; - } - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - if (!strcmp(opt, "sni-regexp")) { - struct uwsgi_regexp_list *url = uwsgi_regexp_new_list(&uwsgi.sni_regexp, v); - url->custom_ptr = ctx; -@@ -630,7 +630,7 @@ void uwsgi_opt_sni(char *opt, char *valu - #endif - struct uwsgi_string_list *usl = uwsgi_string_new_list(&uwsgi.sni, v); - usl->custom_ptr = ctx; --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - } - #endif - ---- a/core/static.c -+++ b/core/static.c -@@ -35,11 +35,11 @@ int uwsgi_static_want_gzip(struct wsgi_r - usl = usl->next; - } - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - // check 
for regexp - struct uwsgi_regexp_list *url = uwsgi.static_gzip; - while(url) { -- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, filename, *filename_len) >= 0) { -+ if (uwsgi_regexp_match(url->pattern, filename, *filename_len) >= 0) { - goto gzip; - } - url = url->next; -@@ -216,7 +216,7 @@ int uwsgi_add_expires_type(struct wsgi_r - return 0; - } - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - int uwsgi_add_expires(struct wsgi_request *wsgi_req, char *filename, int filename_len, struct stat *st) { - - struct uwsgi_dyn_dict *udd = uwsgi.static_expires; -@@ -225,7 +225,7 @@ int uwsgi_add_expires(struct wsgi_reques - char expires[31]; - - while (udd) { -- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, filename, filename_len) >= 0) { -+ if (uwsgi_regexp_match(udd->pattern, filename, filename_len) >= 0) { - int delta = uwsgi_str_num(udd->value, udd->vallen); - int size = uwsgi_http_date(now + delta, expires); - if (size > 0) { -@@ -238,7 +238,7 @@ int uwsgi_add_expires(struct wsgi_reques - - udd = uwsgi.static_expires_mtime; - while (udd) { -- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, filename, filename_len) >= 0) { -+ if (uwsgi_regexp_match(udd->pattern, filename, filename_len) >= 0) { - int delta = uwsgi_str_num(udd->value, udd->vallen); - int size = uwsgi_http_date(st->st_mtime + delta, expires); - if (size > 0) { -@@ -260,7 +260,7 @@ int uwsgi_add_expires_path_info(struct w - char expires[31]; - - while (udd) { -- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, wsgi_req->path_info, wsgi_req->path_info_len) >= 0) { -+ if (uwsgi_regexp_match(udd->pattern, wsgi_req->path_info, wsgi_req->path_info_len) >= 0) { - int delta = uwsgi_str_num(udd->value, udd->vallen); - int size = uwsgi_http_date(now + delta, expires); - if (size > 0) { -@@ -273,7 +273,7 @@ int uwsgi_add_expires_path_info(struct w - - udd = uwsgi.static_expires_path_info_mtime; - while (udd) { -- if (uwsgi_regexp_match(udd->pattern, 
udd->pattern_extra, wsgi_req->path_info, wsgi_req->path_info_len) >= 0) { -+ if (uwsgi_regexp_match(udd->pattern, wsgi_req->path_info, wsgi_req->path_info_len) >= 0) { - int delta = uwsgi_str_num(udd->value, udd->vallen); - int size = uwsgi_http_date(st->st_mtime + delta, expires); - if (size > 0) { -@@ -295,7 +295,7 @@ int uwsgi_add_expires_uri(struct wsgi_re - char expires[31]; - - while (udd) { -- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, wsgi_req->uri, wsgi_req->uri_len) >= 0) { -+ if (uwsgi_regexp_match(udd->pattern, wsgi_req->uri, wsgi_req->uri_len) >= 0) { - int delta = uwsgi_str_num(udd->value, udd->vallen); - int size = uwsgi_http_date(now + delta, expires); - if (size > 0) { -@@ -308,7 +308,7 @@ int uwsgi_add_expires_uri(struct wsgi_re - - udd = uwsgi.static_expires_uri_mtime; - while (udd) { -- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, wsgi_req->uri, wsgi_req->uri_len) >= 0) { -+ if (uwsgi_regexp_match(udd->pattern, wsgi_req->uri, wsgi_req->uri_len) >= 0) { - int delta = uwsgi_str_num(udd->value, udd->vallen); - int size = uwsgi_http_date(st->st_mtime + delta, expires); - if (size > 0) { -@@ -507,7 +507,7 @@ int uwsgi_real_file_serve(struct wsgi_re - if (uwsgi_response_prepare_headers(wsgi_req, "200 OK", 6)) return -1; - } - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - uwsgi_add_expires(wsgi_req, real_filename, real_filename_len, st); - uwsgi_add_expires_path_info(wsgi_req, st); - uwsgi_add_expires_uri(wsgi_req, st); ---- a/core/utils.c -+++ b/core/utils.c -@@ -2301,7 +2301,7 @@ struct uwsgi_string_list *uwsgi_string_n - return uwsgi_string; - } - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - struct uwsgi_regexp_list *uwsgi_regexp_custom_new_list(struct uwsgi_regexp_list **list, char *value, char *custom) { - - struct uwsgi_regexp_list *url = *list, *old_url; -@@ -2320,7 +2320,7 @@ struct uwsgi_regexp_list *uwsgi_regexp_c - old_url->next = url; - } - -- if 
(uwsgi_regexp_build(value, &url->pattern, &url->pattern_extra)) { -+ if (uwsgi_regexp_build(value, &url->pattern)) { - exit(1); - } - url->next = NULL; -@@ -2333,14 +2333,13 @@ struct uwsgi_regexp_list *uwsgi_regexp_c - - int uwsgi_regexp_match_pattern(char *pattern, char *str) { - -- pcre *regexp; -- pcre_extra *regexp_extra; -+ uwsgi_pcre *regexp; - -- if (uwsgi_regexp_build(pattern, ®exp, ®exp_extra)) -+ if (uwsgi_regexp_build(pattern, ®exp)) - return 1; -- return !uwsgi_regexp_match(regexp, regexp_extra, str, strlen(str)); --} - -+ return !uwsgi_regexp_match(regexp, str, strlen(str)); -+} - - #endif - ---- a/core/uwsgi.c -+++ b/core/uwsgi.c -@@ -130,7 +130,7 @@ static struct uwsgi_option uwsgi_base_op - {"if-hostname", required_argument, 0, "(opt logic) check for hostname", uwsgi_opt_logic, (void *) uwsgi_logic_opt_if_hostname, UWSGI_OPT_IMMEDIATE}, - {"if-not-hostname", required_argument, 0, "(opt logic) check for hostname", uwsgi_opt_logic, (void *) uwsgi_logic_opt_if_not_hostname, UWSGI_OPT_IMMEDIATE}, - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - {"if-hostname-match", required_argument, 0, "(opt logic) try to match hostname against a regular expression", uwsgi_opt_logic, (void *) uwsgi_logic_opt_if_hostname_match, UWSGI_OPT_IMMEDIATE}, - {"if-not-hostname-match", required_argument, 0, "(opt logic) try to match hostname against a regular expression", uwsgi_opt_logic, (void *) uwsgi_logic_opt_if_not_hostname_match, UWSGI_OPT_IMMEDIATE}, - #endif -@@ -548,7 +548,7 @@ static struct uwsgi_option uwsgi_base_op - {"ksm", optional_argument, 0, "enable Linux KSM", uwsgi_opt_set_int, &uwsgi.linux_ksm, 0}, - #endif - #endif --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - {"pcre-jit", no_argument, 0, "enable pcre jit (if available)", uwsgi_opt_pcre_jit, NULL, UWSGI_OPT_IMMEDIATE}, - #endif - {"never-swap", no_argument, 0, "lock all memory pages avoiding swapping", uwsgi_opt_true, &uwsgi.never_swap, 0}, -@@ -679,7 
+679,7 @@ static struct uwsgi_option uwsgi_base_op - {"ssl-enable-sslv3", no_argument, 0, "enable SSLv3 (insecure)", uwsgi_opt_true, &uwsgi.sslv3, 0}, - {"ssl-enable-tlsv1", no_argument, 0, "enable TLSv1 (insecure)", uwsgi_opt_true, &uwsgi.tlsv1, 0}, - {"ssl-option", required_argument, 0, "set a raw ssl option (numeric value)", uwsgi_opt_add_string_list, &uwsgi.ssl_options, 0}, --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - {"sni-regexp", required_argument, 0, "add an SNI-governed SSL context (the key is a regexp)", uwsgi_opt_sni, NULL, 0}, - #endif - {"ssl-tmp-dir", required_argument, 0, "store ssl-related temp files in the specified directory", uwsgi_opt_set_str, &uwsgi.ssl_tmp_dir, 0}, -@@ -715,7 +715,7 @@ static struct uwsgi_option uwsgi_base_op - {"log-req-encoder", required_argument, 0, "add an item in the log req encoder chain", uwsgi_opt_add_string_list, &uwsgi.requested_log_req_encoders, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER}, - - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - {"log-drain", required_argument, 0, "drain (do not show) log lines matching the specified regexp", uwsgi_opt_add_regexp_list, &uwsgi.log_drain_rules, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER}, - {"log-filter", required_argument, 0, "show only log lines matching the specified regexp", uwsgi_opt_add_regexp_list, &uwsgi.log_filter_rules, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER}, - {"log-route", required_argument, 0, "log to the specified named logger if regexp applied on logline matches", uwsgi_opt_add_regexp_custom_list, &uwsgi.log_route, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER}, -@@ -736,7 +736,7 @@ static struct uwsgi_option uwsgi_base_op - {"alarm-lq", required_argument, 0, "raise the specified alarm when the socket backlog queue is full", uwsgi_opt_add_string_list, &uwsgi.alarm_backlog, UWSGI_OPT_MASTER}, - {"alarm-listen-queue", required_argument, 0, "raise the specified alarm when the socket backlog queue is full", 
uwsgi_opt_add_string_list, &uwsgi.alarm_backlog, UWSGI_OPT_MASTER}, - {"listen-queue-alarm", required_argument, 0, "raise the specified alarm when the socket backlog queue is full", uwsgi_opt_add_string_list, &uwsgi.alarm_backlog, UWSGI_OPT_MASTER}, --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - {"log-alarm", required_argument, 0, "raise the specified alarm when a log line matches the specified regexp, syntax: [,alarm...] ", uwsgi_opt_add_string_list, &uwsgi.alarm_logs_list, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER}, - {"alarm-log", required_argument, 0, "raise the specified alarm when a log line matches the specified regexp, syntax: [,alarm...] ", uwsgi_opt_add_string_list, &uwsgi.alarm_logs_list, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER}, - {"not-log-alarm", required_argument, 0, "skip the specified alarm when a log line matches the specified regexp, syntax: [,alarm...] ", uwsgi_opt_add_string_list_custom, &uwsgi.alarm_logs_list, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER}, -@@ -915,7 +915,7 @@ static struct uwsgi_option uwsgi_base_op - {"static-expires-type", required_argument, 0, "set the Expires header based on content type", uwsgi_opt_add_dyn_dict, &uwsgi.static_expires_type, UWSGI_OPT_MIME}, - {"static-expires-type-mtime", required_argument, 0, "set the Expires header based on content type and file mtime", uwsgi_opt_add_dyn_dict, &uwsgi.static_expires_type_mtime, UWSGI_OPT_MIME}, - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - {"static-expires", required_argument, 0, "set the Expires header based on filename regexp", uwsgi_opt_add_regexp_dyn_dict, &uwsgi.static_expires, UWSGI_OPT_MIME}, - {"static-expires-mtime", required_argument, 0, "set the Expires header based on filename regexp and file mtime", uwsgi_opt_add_regexp_dyn_dict, &uwsgi.static_expires_mtime, UWSGI_OPT_MIME}, - -@@ -2424,7 +2424,7 @@ void uwsgi_setup(int argc, char *argv[], - } - - uwsgi_log_initial("clock source: %s\n", uwsgi.clock->name); 
--#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - if (uwsgi.pcre_jit) { - uwsgi_log_initial("pcre jit enabled\n"); - } -@@ -4186,7 +4186,7 @@ void uwsgi_opt_add_string_list_custom(ch - usl->custom = 1; - } - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - void uwsgi_opt_add_regexp_list(char *opt, char *value, void *list) { - struct uwsgi_regexp_list **ptr = (struct uwsgi_regexp_list **) list; - uwsgi_regexp_new_list(ptr, value); -@@ -4452,7 +4452,7 @@ void uwsgi_opt_add_dyn_dict(char *opt, c - - } - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - void uwsgi_opt_add_regexp_dyn_dict(char *opt, char *value, void *dict) { - - char *space = strchr(value, ' '); -@@ -4467,7 +4467,7 @@ void uwsgi_opt_add_regexp_dyn_dict(char - - char *regexp = uwsgi_concat2n(value, space - value, "", 0); - -- if (uwsgi_regexp_build(regexp, &new_udd->pattern, &new_udd->pattern_extra)) { -+ if (uwsgi_regexp_build(regexp, &new_udd->pattern)) { - exit(1); - } - ---- a/uwsgi.h -+++ b/uwsgi.h -@@ -438,8 +438,26 @@ struct uwsgi_lock_ops { - #define uwsgi_wait_read_req(x) uwsgi.wait_read_hook(x->fd, uwsgi.socket_timeout) ; x->switches++ - #define uwsgi_wait_write_req(x) uwsgi.wait_write_hook(x->fd, uwsgi.socket_timeout) ; x->switches++ - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) -+#ifdef UWSGI_PCRE2 -+ -+#define PCRE2_CODE_UNIT_WIDTH 8 -+#include -+#define PCRE_OVECTOR_BYTESIZE(n) (n+1)*2 -+ -+typedef pcre2_code uwsgi_pcre; -+ -+#else -+ - #include -+#define PCRE_OVECTOR_BYTESIZE(n) (n+1)*3 -+ -+typedef struct { -+ pcre *p; -+ pcre_extra *extra; -+} uwsgi_pcre; -+ -+#endif - #endif - - struct uwsgi_dyn_dict { -@@ -455,9 +473,8 @@ struct uwsgi_dyn_dict { - struct uwsgi_dyn_dict *prev; - struct uwsgi_dyn_dict *next; - --#ifdef UWSGI_PCRE -- pcre *pattern; -- pcre_extra *pattern_extra; -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) -+ uwsgi_pcre *pattern; - #endif - - }; -@@ -468,11 +485,10 @@ struct 
uwsgi_hook { - struct uwsgi_hook *next; - }; - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - struct uwsgi_regexp_list { - -- pcre *pattern; -- pcre_extra *pattern_extra; -+ uwsgi_pcre *pattern; - - uint64_t custom; - char *custom_str; -@@ -1089,11 +1105,11 @@ struct uwsgi_plugin { - void (*post_uwsgi_fork) (int); - }; - --#ifdef UWSGI_PCRE --int uwsgi_regexp_build(char *, pcre **, pcre_extra **); --int uwsgi_regexp_match(pcre *, pcre_extra *, char *, int); --int uwsgi_regexp_match_ovec(pcre *, pcre_extra *, char *, int, int *, int); --int uwsgi_regexp_ovector(pcre *, pcre_extra *); -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) -+int uwsgi_regexp_build(char *, uwsgi_pcre **); -+int uwsgi_regexp_match(uwsgi_pcre *, const char *, int); -+int uwsgi_regexp_match_ovec(uwsgi_pcre *, const char *, int, int *, int); -+int uwsgi_regexp_ovector(const uwsgi_pcre *); - char *uwsgi_regexp_apply_ovec(char *, int, char *, int, int *, int); - - int uwsgi_regexp_match_pattern(char *pattern, char *str); -@@ -1182,8 +1198,7 @@ struct uwsgi_spooler { - - struct uwsgi_route { - -- pcre *pattern; -- pcre_extra *pattern_extra; -+ uwsgi_pcre *pattern; - - char *orig_route; - -@@ -1292,15 +1307,14 @@ struct uwsgi_alarm_fd { - - struct uwsgi_alarm_fd *uwsgi_add_alarm_fd(int, char *, size_t, char *, size_t); - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - struct uwsgi_alarm_ll { - struct uwsgi_alarm_instance *alarm; - struct uwsgi_alarm_ll *next; - }; - - struct uwsgi_alarm_log { -- pcre *pattern; -- pcre_extra *pattern_extra; -+ uwsgi_pcre *pattern; - int negate; - struct uwsgi_alarm_ll *alarms; - struct uwsgi_alarm_log *next; -@@ -2234,7 +2248,7 @@ struct uwsgi_server { - struct uwsgi_string_list *requested_log_encoders; - struct uwsgi_string_list *requested_log_req_encoders; - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - int pcre_jit; - struct uwsgi_regexp_list *log_drain_rules; - struct uwsgi_regexp_list 
*log_filter_rules; -@@ -2316,7 +2330,7 @@ struct uwsgi_server { - int static_gzip_all; - struct uwsgi_string_list *static_gzip_dir; - struct uwsgi_string_list *static_gzip_ext; --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - struct uwsgi_regexp_list *static_gzip; - #endif - -@@ -2715,7 +2729,7 @@ struct uwsgi_server { - int ssl_sessions_timeout; - struct uwsgi_cache *ssl_sessions_cache; - char *ssl_tmp_dir; --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - struct uwsgi_regexp_list *sni_regexp; - #endif - struct uwsgi_string_list *sni; -@@ -3584,7 +3598,7 @@ void uwsgi_shutdown_all_sockets(void); - void uwsgi_close_all_unshared_sockets(void); - - struct uwsgi_string_list *uwsgi_string_new_list(struct uwsgi_string_list **, char *); --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - struct uwsgi_regexp_list *uwsgi_regexp_custom_new_list(struct uwsgi_regexp_list **, char *, char *); - #define uwsgi_regexp_new_list(x, y) uwsgi_regexp_custom_new_list(x, y, NULL); - #endif -@@ -3838,7 +3852,7 @@ void uwsgi_opt_add_addr_list(char *, cha - void uwsgi_opt_add_string_list_custom(char *, char *, void *); - void uwsgi_opt_add_dyn_dict(char *, char *, void *); - void uwsgi_opt_binary_append_data(char *, char *, void *); --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - void uwsgi_opt_pcre_jit(char *, char *, void *); - void uwsgi_opt_add_regexp_dyn_dict(char *, char *, void *); - void uwsgi_opt_add_regexp_list(char *, char *, void *); ---- a/.github/workflows/compile-test.yml -+++ b/.github/workflows/compile-test.yml -@@ -9,6 +9,10 @@ on: - jobs: - build: - -+ strategy: -+ matrix: -+ libpcre: [libpcre3-dev, libpcre2-dev] -+ - runs-on: ubuntu-20.04 - - steps: -@@ -20,7 +24,7 @@ jobs: - run: | - sudo apt update -qq - sudo apt install --no-install-recommends -qqyf python3.8-dev \ -- libxml2-dev libpcre3-dev libcap2-dev \ -+ libxml2-dev ${{ matrix.libpcre }} libcap2-dev \ - libargon2-0-dev 
libsodium-dev \ - php7.4-dev libphp7.4-embed \ - liblua5.1-0-dev ruby2.7-dev \ ---- a/.github/workflows/test.yml -+++ b/.github/workflows/test.yml -@@ -21,7 +21,7 @@ jobs: - run: | - sudo apt update -qq - sudo apt install --no-install-recommends -qqyf python${{ matrix.python-version }}-dev \ -- libpcre3-dev libjansson-dev libcap2-dev \ -+ libpcre2-dev libjansson-dev libcap2-dev \ - curl check - - name: Install distutils - if: contains(fromJson('["3.6","3.7","3.8","3.9","3.10","3.11"]'), matrix.python-version) ---- a/plugins/php/php_plugin.c -+++ b/plugins/php/php_plugin.c -@@ -16,7 +16,7 @@ struct uwsgi_php { - struct uwsgi_string_list *index; - struct uwsgi_string_list *set; - struct uwsgi_string_list *append_config; --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - struct uwsgi_regexp_list *app_bypass; - #endif - struct uwsgi_string_list *vars; -@@ -63,7 +63,7 @@ struct uwsgi_option uwsgi_php_options[] - {"php-fallback", required_argument, 0, "run the specified php script when the requested one does not exist", uwsgi_opt_set_str, &uphp.fallback, 0}, - {"php-fallback2", required_argument, 0, "run the specified php script relative to the document root when the requested one does not exist", uwsgi_opt_set_str, &uphp.fallback2, 0}, - {"php-fallback-qs", required_argument, 0, "php-fallback with QUERY_STRING set", uwsgi_opt_set_str, &uphp.fallback_qs, 0}, --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - {"php-app-bypass", required_argument, 0, "if the regexp matches the uri the --php-app is bypassed", uwsgi_opt_add_regexp_list, &uphp.app_bypass, 0}, - #endif - {"php-var", required_argument, 0, "add/overwrite a CGI variable at each request", uwsgi_opt_add_string_list, &uphp.vars, 0}, -@@ -810,10 +810,14 @@ int uwsgi_php_request(struct wsgi_reques - wsgi_req->document_root_len = strlen(wsgi_req->document_root); - - if (uphp.app) { --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - struct uwsgi_regexp_list 
*bypass = uphp.app_bypass; - while (bypass) { -+#ifdef UWSGI_PCRE2 -+ if (uwsgi_regexp_match(bypass->pattern, wsgi_req->uri, wsgi_req->uri_len) >= 0) { -+#else - if (uwsgi_regexp_match(bypass->pattern, bypass->pattern_extra, wsgi_req->uri, wsgi_req->uri_len) >= 0) { -+#endif - goto oldstyle; - } - bypass = bypass->next; -@@ -849,7 +853,7 @@ appready: - goto secure2; - } - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - oldstyle: - #endif - ---- a/core/config.c -+++ b/core/config.c -@@ -314,7 +314,7 @@ int uwsgi_logic_opt_if_not_hostname(char - return 0; - } - --#ifdef UWSGI_PCRE -+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2) - int uwsgi_logic_opt_if_hostname_match(char *key, char *value) { - if (uwsgi_regexp_match_pattern(uwsgi.logic_opt_data, uwsgi.hostname)) { - add_exported_option(key, uwsgi_substitute(value, "%(_)", uwsgi.logic_opt_data), 0); From fbb7ad4d106e25b1482e4c657ae8038da6788ff0 Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Sun, 21 Apr 2024 17:39:49 +0200 Subject: [PATCH 078/106] uwsgi: update Maintainer name Update maintainer name with real name for Christian Marangi. Signed-off-by: Christian Marangi --- net/uwsgi/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/uwsgi/Makefile b/net/uwsgi/Makefile index a5fbc59ba9..b2b54dd238 100644 --- a/net/uwsgi/Makefile +++ b/net/uwsgi/Makefile @@ -10,7 +10,7 @@ PKG_HASH:=d653d2d804c194c8cbe2585fa56efa2650313ae75c686a9d7931374d4dfbfc6e PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE_FILES:=LICENSE -PKG_MAINTAINER:=Ansuel Smith +PKG_MAINTAINER:=Christian Marangi PKG_BUILD_DEPENDS:=python3/host PYTHON3_PKG_BUILD:=0 From 2750b16b4747f0af03dafb7b1320fa4abc55e91f Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Sun, 21 Apr 2024 17:47:59 +0200 Subject: [PATCH 079/106] nginx: bump to 1.25.5 release Bump nginx to 1.25.5 release. Patch automatically refreshed with make package/nginx/refresh. 
Signed-off-by: Christian Marangi --- net/nginx/Makefile | 6 +++--- net/nginx/patches/nginx/201-ignore-invalid-options.patch | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/nginx/Makefile b/net/nginx/Makefile index 77134516db..9c7c36b8c4 100644 --- a/net/nginx/Makefile +++ b/net/nginx/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nginx -PKG_VERSION:=1.25.4 -PKG_RELEASE:=3 +PKG_VERSION:=1.25.5 +PKG_RELEASE:=1 PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://nginx.org/download/ -PKG_HASH:=760729901acbaa517996e681ee6ea259032985e37c2768beef80df3a877deed9 +PKG_HASH:=2fe2294f8af4144e7e842eaea884182a84ee7970e11046ba98194400902bbec0 PKG_MAINTAINER:=Thomas Heil \ Christian Marangi diff --git a/net/nginx/patches/nginx/201-ignore-invalid-options.patch b/net/nginx/patches/nginx/201-ignore-invalid-options.patch index af2bab15ed..8556ce5bf8 100644 --- a/net/nginx/patches/nginx/201-ignore-invalid-options.patch +++ b/net/nginx/patches/nginx/201-ignore-invalid-options.patch @@ -1,6 +1,6 @@ --- a/auto/options +++ b/auto/options -@@ -411,8 +411,7 @@ $0: warning: the \"--with-sha1-asm\" opt +@@ -413,8 +413,7 @@ $0: warning: the \"--with-sha1-asm\" opt --test-build-solaris-sendfilev) NGX_TEST_BUILD_SOLARIS_SENDFILEV=YES ;; *) From ad755e0c4ddb63f8b8ed2204043ce750a4d4b928 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Sun, 21 Apr 2024 21:57:17 +0200 Subject: [PATCH 080/106] banip: update 0.9.5-2 * fixed possible Set search race condition (initiated from LuCI frontend) * fixed the "no result" Set search problem in LuCI * removed abandoned feeds: spamhaus edrop (was merged with spamhaus drop) Signed-off-by: Dirk Brenken --- net/banip/Makefile | 2 +- net/banip/files/banip-functions.sh | 15 +++++++++++---- net/banip/files/banip.feeds | 5 ----- net/banip/files/banip.init | 7 ++++--- 4 files changed, 16 insertions(+), 13 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index e8ba7edc19..14636f1b81 100644 
--- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip PKG_VERSION:=0.9.5 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 1498c8cb0a..50e805b5a4 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -1559,14 +1559,14 @@ f_search() { printf "%s\n%s\n%s\n" ":::" "::: no valid search input" ":::" return fi - printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::" - printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")" - printf " %s\n" "---" cnt="1" for item in ${table_sets}; do [ -f "${result_flag}" ] && break ( if "${ban_nftcmd}" get element inet banIP "${item}" "{ ${ip} }" >/dev/null 2>&1; then + printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::" + printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")" + printf " %s\n" "---" printf " %s\n" "IP found in Set '${item}'" : >"${result_flag}" fi @@ -1576,7 +1576,14 @@ f_search() { cnt="$((cnt + 1))" done wait - [ -f "${result_flag}" ] && rm -f "${result_flag}" || printf " %s\n" "IP not found" + if [ -f "${result_flag}" ]; then + rm -f "${result_flag}" + else + printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::" + printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")" + printf " %s\n" "---" + printf " %s\n" "IP not found" + fi } # Set survey diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds index e5f817371a..36982654ba 100644 --- a/net/banip/files/banip.feeds +++ b/net/banip/files/banip.feeds 
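Review bot: The result header is now printed inside each background subshell of `f_search`, so when the IP is a member of more than one Set looked up in the same batch, the three header lines and the "IP found" line can be emitted several times or interleaved. The `[ -f "${result_flag}" ] && break` test only stops further lookups from being launched. The same three `printf` lines are repeated in the not-found branch of the second hunk (@@ -1576). I would have the subshell record only the match, `printf "%s\n" "${item}" >>"${result_flag}"`, and print the header and the recorded Sets once after `wait`. The loop's job-control lines sit between the two hunks and `f_search` starts outside them, so the batching is inferred from the visible `wait`.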
@@ -108,11 +108,6 @@ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s/%s,\\n\",$1,$3}", "descr": "dshield IP blocklist" }, - "edrop":{ - "url_4": "https://www.spamhaus.org/drop/edrop.txt", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", - "descr": "spamhaus edrop compilation" - }, "etcompromised":{ "url_4": "https://iplists.firehol.org/files/et_compromised.ipset", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", diff --git a/net/banip/files/banip.init b/net/banip/files/banip.init index 0aae3befab..2b6a526c88 100755 --- a/net/banip/files/banip.init +++ b/net/banip/files/banip.init 
@@ -23,10 +23,10 @@ ban_lock="/var/run/banip.lock" [ "${action}" = "boot" ] && "${ban_init}" running && exit 0 { [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ]; } && ! "${ban_init}" running && exit 0 [ ! -r "${ban_funlib}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && exit 1 -[ -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && exit 1 -[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && mkdir -p "${ban_lock}" +[ -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && exit 1 +[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && mkdir -p "${ban_lock}" { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && . "${ban_funlib}" -[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && exit 1 +[ ! 
-d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && exit 1 boot() { : >"${ban_pidfile}" @@ -81,6 +81,7 @@ report() { search() { f_search "${1}" + rm -rf "${ban_lock}" } survey() { From 66c237a78fe1b8ad84c232ce050bedddd622e51b Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Sat, 20 Apr 2024 19:32:43 -0700 Subject: [PATCH 081/106] mtd-rw: update version to latest master Remove local patch as upstream has a different solution applied. Use PKG_SOURCE_DATE to get rid of weird apk version. Remove various variables that are default anyway. Signed-off-by: Rosen Penev --- kernel/mtd-rw/Makefile | 11 ++++----- kernel/mtd-rw/patches/0001-mtd-disabled.patch | 24 ------------------- 2 files changed, 5 insertions(+), 30 deletions(-) delete mode 100644 kernel/mtd-rw/patches/0001-mtd-disabled.patch diff --git a/kernel/mtd-rw/Makefile b/kernel/mtd-rw/Makefile index b18b91c221..433f679e82 100644 --- a/kernel/mtd-rw/Makefile +++ b/kernel/mtd-rw/Makefile @@ -9,14 +9,13 @@ include $(TOPDIR)/rules.mk include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=mtd-rw -PKG_RELEASE:=2 +PKG_RELEASE:=1 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_MIRROR_HASH:=c44db17c3e05079116a1704f277642c9ce6f5ca4fa380c60f7e6d44509dc16be -PKG_SOURCE_URL:=https://github.com/jclehner/mtd-rw.git PKG_SOURCE_PROTO:=git -PKG_SOURCE_SUBDIR=$(PKG_NAME)-$(PKG_VERSION) -PKG_SOURCE_VERSION:=7e8562067d6a366c8cbaa8084396c33b7e12986b +PKG_SOURCE_URL:=https://github.com/jclehner/mtd-rw +PKG_SOURCE_DATE:=2021-02-28 +PKG_SOURCE_VERSION:=e87767395a6d27380196702f5f7bf98e92774f3f +PKG_MIRROR_HASH:=984218d7a8e1252419c45ef313f23fb6e5edfa83088f68a4a356b795444ab381 PKG_MAINTAINER:=Joseph C. Lehner PKG_LICENSE=GPL-2.0 diff --git a/kernel/mtd-rw/patches/0001-mtd-disabled.patch b/kernel/mtd-rw/patches/0001-mtd-disabled.patch deleted file mode 100644 index b21d9562f8..0000000000 
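Review bot: The lock is still taken with a separate test and create, `[ -d "${ban_lock}" ] && { … } && exit 1` followed by `[ ! -d "${ban_lock}" ] && { … } && mkdir -p "${ban_lock}"`, and `mkdir -p` succeeds when the directory already exists. Two invocations started together, for example two searches from the frontend, can therefore both pass the test and both continue. Since this hunk adds `search` to the lock in order to close a race, one atomic step under the same action test would fit better: `mkdir "${ban_lock}" 2>/dev/null || exit 1`, replacing both lines. The later `[ ! -d "${ban_lock}" ] … && exit 1` line then only covers a failed mkdir.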
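Review bot: `rm -rf "${ban_lock}"` in `search()` runs only when `f_search` returns, so an interrupted search leaves the lock directory behind. With the checks added in the first hunk, later start, reload, lookup and search calls then exit 1 until the directory is removed. Whether another path clears a stale lock is not visible in this hunk. A comment such as `# release the lock taken at script entry for "search"` would also help, because the matching `mkdir` is at the top of the script and far from this function.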
--- a/kernel/mtd-rw/patches/0001-mtd-disabled.patch +++ /dev/null @@ -1,24 +0,0 @@ ---- a/mtd-rw.c -+++ b/mtd-rw.c -@@ -54,7 +54,11 @@ MODULE_PARM_DESC(i_want_a_brick, "Make a - - static int set_writeable(unsigned n, bool w) - { -+#ifndef CONFIG_MTD -+ struct mtd_info *mtd = -ENOSYS; -+#else - struct mtd_info *mtd = get_mtd_device(NULL, n); -+#endif - int err; - - if (IS_ERR(mtd)) { -@@ -76,7 +80,9 @@ static int set_writeable(unsigned n, boo - err = 0; - } - -+#ifdef CONFIG_MTD - put_mtd_device(mtd); -+#endif - return err; - } - From a0c4d8a6fb975d00f3325ef22e1822682ee6bd17 Mon Sep 17 00:00:00 2001 From: Georgi Valkov Date: Sun, 21 Apr 2024 02:12:49 +0300 Subject: [PATCH 082/106] usbmuxd: fix tethering not working after iPhone restart If the iPhone restarts while the USB cable is still connected, tethering does not work. This can be fixed by reconnecting. Fix: if the hotplug.d script detects that carrier is disabled (no communication), the USB link is reset, and then the usbmuxd service is restarted. Tethering starts even before the iPhone is unlocked. As a side effect, if tethering is not enabled, the iPhone will ding a second time after 5 seconds. Add dependency on usbutils for usbreset, remove dependency on librt. [1] https://github.com/libimobiledevice/usbmuxd/issues/218 [2] https://github.com/openwrt/openwrt/issues/12566#issuecomment-2066305622 Signed-off-by: Georgi Valkov --- utils/usbmuxd/Makefile | 6 ++++-- utils/usbmuxd/files/usbmuxd.hotplug | 24 ++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 2 deletions(-) create mode 100644 utils/usbmuxd/files/usbmuxd.hotplug diff --git a/utils/usbmuxd/Makefile b/utils/usbmuxd/Makefile index 32fbc6857f..e584d9106c 100644 --- a/utils/usbmuxd/Makefile +++ b/utils/usbmuxd/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=usbmuxd PKG_VERSION:=1.1.1 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=https://www.libimobiledevice.org/downloads 
@@ -31,7 +31,7 @@ define Package/usbmuxd SUBMENU:=libimobiledevice TITLE:=USB multiplexing daemon URL:=https://www.libimobiledevice.org/ - DEPENDS:=+librt +libusb-1.0 +libusbmuxd +libopenssl +libimobiledevice + DEPENDS:=+libusb-1.0 +libusbmuxd +libopenssl +libimobiledevice +usbutils endef define Package/usbmuxd/description @@ -50,7 +50,9 @@ endef CONFIGURE_ARGS += --with-systemd define Package/usbmuxd/install + $(INSTALL_DIR) $(1)/etc/hotplug.d/usb $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/usbmuxd.hotplug $(1)/etc/hotplug.d/usb/40-usbmuxd $(INSTALL_BIN) ./files/usbmuxd.init $(1)/etc/init.d/usbmuxd $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/usbmuxd $(1)/usr/sbin/ diff --git a/utils/usbmuxd/files/usbmuxd.hotplug b/utils/usbmuxd/files/usbmuxd.hotplug new file mode 100644 index 0000000000..84986cc968 --- /dev/null +++ b/utils/usbmuxd/files/usbmuxd.hotplug @@ -0,0 +1,24 @@ +case "$ACTION" in + bind) + dev=/sys$DEVPATH + + [ ! -f /tmp/iPhone.lock ] && [ -d ${dev}/net ] && + { + readlink ${dev}/driver | grep -q ipheth && + { + sleep 5 + carrier_path=${dev}/net/*/carrier + carrier=`cat ${carrier_path}` + + [ "${carrier}" = "0" ] && + { + touch /tmp/iPhone.lock + logger -p daemon.error -t iPhone ${carrier_path} = ${carrier} + logger -p daemon.error -t iPhone `/usr/bin/usbreset iPhone` + /etc/init.d/usbmuxd restart + sleep 5 && rm -f /tmp/iPhone.lock & + } + } + } + ;; +esac From f5f0a4e8683fcf49319bd7172f0069417d71601d Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Mon, 15 Apr 2024 19:42:43 +0300 Subject: [PATCH 083/106] python-lxml: bump to version 5.2.1 Also added python-cython/host as a build dependency. Signed-off-by: Alexandru Ardelean --- lang/python/python-lxml/Makefile | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lang/python/python-lxml/Makefile b/lang/python/python-lxml/Makefile index fd79396481..f15dcc481e 100644 --- a/lang/python/python-lxml/Makefile 
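Review bot: In the new `usbmuxd.hotplug`, `/tmp/iPhone.lock` is tested at the top of the `bind` branch but only created with `touch` after `sleep 5` and the carrier check, so the test and the create are neither atomic nor adjacent. If more than one bind event for the device arrives inside that window (how often hotplug fires is not visible here), each of them can reach `usbreset` and the `usbmuxd restart`. `$DEVPATH` and `${dev}` are also expanded unquoted in the `[ -d … ]` and `readlink` tests. I would take the lock with `mkdir`, which either creates it or fails, before the sleep, and release it on both outcomes, as sketched below.

```shell
		dev="/sys${DEVPATH}"
		lock=/tmp/iPhone.lock

		# mkdir creates the lock or fails, so only one bind event gets past it
		[ -d "${dev}/net" ] && readlink "${dev}/driver" | grep -q ipheth &&
		mkdir "${lock}" 2>/dev/null &&
		{
			sleep 5
			# … unchanged: carrier_path and carrier assignments …
			if [ "${carrier}" = "0" ]; then
				# … unchanged: logger calls and usbmuxd restart …
				sleep 5 && rmdir "${lock}" &
			else
				rmdir "${lock}"
			fi
		}
```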
+++ b/lang/python/python-lxml/Makefile @@ -8,17 +8,19 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-lxml -PKG_VERSION:=5.1.0 +PKG_VERSION:=5.2.1 PKG_RELEASE:=1 PYPI_NAME:=lxml -PKG_HASH:=3eea6ed6e6c918e468e693c41ef07f3c3acc310b70ddd9cc72d9ef84bc9564ca +PKG_HASH:=3f7765e69bbce0906a7c74d5fe46d2c7a7596147318dbc08e4a2431f3060e306 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSES.txt PKG_MAINTAINER:=Alexandru Ardelean PKG_CPE_ID:=cpe:/a:lxml:lxml +PKG_BUILD_DEPENDS:=python-cython/host + include ../pypi.mk include $(INCLUDE_DIR)/package.mk include ../python3-package.mk From 8b100c8dd188081cc34f0f13d93a86adf4479d9c Mon Sep 17 00:00:00 2001 From: Zephyr Lykos Date: Sun, 21 Apr 2024 22:06:12 +0800 Subject: [PATCH 084/106] tailscale: Update to 1.64.2 Signed-off-by: Zephyr Lykos --- net/tailscale/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/tailscale/Makefile b/net/tailscale/Makefile index 7d73216da6..52076fe288 100644 --- a/net/tailscale/Makefile +++ b/net/tailscale/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tailscale -PKG_VERSION:=1.64.1 +PKG_VERSION:=1.64.2 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/tailscale/tailscale/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=df6009abb4800a7e7681063c9d3f62da6850060e4949ca0bd1edad60781e9f03 +PKG_HASH:=e5e46f6b6b716b2c4696dce0b92dc2e36f02b06b7ad9f055042a820ad61b2a47 PKG_MAINTAINER:=Jan Pavlinec PKG_LICENSE:=BSD-3-Clause From ebed42fcb0e7e9bffee3c47b93244494377595ee Mon Sep 17 00:00:00 2001 From: Tianling Shen Date: Mon, 22 Apr 2024 15:26:22 +0800 Subject: [PATCH 085/106] v2ray-core: Update to 5.15.3 Signed-off-by: Tianling Shen --- net/v2ray-core/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/v2ray-core/Makefile b/net/v2ray-core/Makefile index 20c9f7e0ed..1694e721c7 100644 --- a/net/v2ray-core/Makefile +++ b/net/v2ray-core/Makefile 
@@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=v2ray-core -PKG_VERSION:=5.15.1 +PKG_VERSION:=5.15.3 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/v2fly/v2ray-core/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=461a65a1675f17ad95a2a5ddf0b016247a34aa376ed1738c143e7c6603ab4abd +PKG_HASH:=32b325e54ee93fb3563c33d3c097592aa857370055d8ef1c50fd2387678843df PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE From e4e861e08d33dbba59af952dfb4e827db5caa989 Mon Sep 17 00:00:00 2001 From: Tianling Shen Date: Mon, 22 Apr 2024 15:26:30 +0800 Subject: [PATCH 086/106] dnsproxy: Update to 0.70.0 Signed-off-by: Tianling Shen --- net/dnsproxy/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/dnsproxy/Makefile b/net/dnsproxy/Makefile index c4cd8968dc..cf5b46fcde 100644 --- a/net/dnsproxy/Makefile +++ b/net/dnsproxy/Makefile @@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsproxy -PKG_VERSION:=0.69.2 +PKG_VERSION:=0.70.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/AdguardTeam/dnsproxy/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=aa1cea0eea683bde017acbb30c09c96b24b30133e157e743666be900ad7560ea +PKG_HASH:=a78ce398f2019e7a3a57e7ffcb06ecfb6d08e36e0a07c58ada4ac4871cecd677 PKG_MAINTAINER:=Tianling Shen PKG_LICENSE:=Apache-2.0 From 99bc6b2782cfff591b8f3651c799976b7dc99b34 Mon Sep 17 00:00:00 2001 From: Jianhui Zhao Date: Mon, 22 Apr 2024 09:18:26 +0800 Subject: [PATCH 087/106] lua-eco: update to 3.4.0 Signed-off-by: Jianhui Zhao --- lang/lua-eco/Makefile | 4 +- ...upport-POSIX-basename-from-musl-libc.patch | 62 ------------------- 2 files changed, 2 insertions(+), 64 deletions(-) delete mode 100644 lang/lua-eco/patches/0001-Support-POSIX-basename-from-musl-libc.patch diff --git a/lang/lua-eco/Makefile b/lang/lua-eco/Makefile index 6e4ca4a846..c5a6d9b215 100644 --- a/lang/lua-eco/Makefile +++ b/lang/lua-eco/Makefile 
@@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lua-eco -PKG_VERSION:=3.3.0 +PKG_VERSION:=3.4.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL=https://github.com/zhaojh329/lua-eco/releases/download/v$(PKG_VERSION) -PKG_HASH:=597c3edbb20c35f638b26b4fa7a02638c48f96f0330758a7ac1c44079b2170a3 +PKG_HASH:=c45c21c4531f6205f775865da1587fb6185705308b67834ac6f7990e83f482ec PKG_MAINTAINER:=Jianhui Zhao PKG_LICENSE:=MIT diff --git a/lang/lua-eco/patches/0001-Support-POSIX-basename-from-musl-libc.patch b/lang/lua-eco/patches/0001-Support-POSIX-basename-from-musl-libc.patch deleted file mode 100644 index 5c9b7bb967..0000000000 --- a/lang/lua-eco/patches/0001-Support-POSIX-basename-from-musl-libc.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Hauke Mehrtens -Date: Sun, 14 Apr 2024 17:13:17 +0200 -Subject: Support POSIX basename() from musl libc - -Musl libc 1.2.5 removed the definition of the basename() function from -string.h and only provides it in libgen.h as the POSIX standard -defines it. - -This change fixes compilation with musl libc 1.2.5. -```` -/build_dir/target-mips_24kc_musl/lua-eco-3.3.0/log/log.c: In function '___log': -/build_dir/target-mips_24kc_musl/lua-eco-3.3.0/log/log.c:76:24: error: implicit declaration of function 'basename' [-Werror=implicit-function-declaration] - 76 | filename = basename(filename); - | ^~~~~~~~ -/build_dir/target-mips_24kc_musl/lua-eco-3.3.0/log/log.c:76:22: error: assignment to 'const char *' from 'int' makes pointer from integer without a cast [-Werror=int-conversion] - 76 | filename = basename(filename); - | ^ -```` - -basename() modifies the input string, copy it first with strdup(), If -strdup() returns NULL the code will handle it. - -Signed-off-by: Hauke Mehrtens ---- - log/log.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - ---- a/log/log.c -+++ b/log/log.c -@@ -9,6 +9,7 @@ - #include - #include - #include -+#include - - #include "log.h" - -@@ -65,6 +66,7 @@ void ___log(const char *filename, int li - { - char new_fmt[256]; - va_list ap; -+ char *dirc = NULL; - - priority = LOG_PRI(priority); - -@@ -72,9 +74,13 @@ void ___log(const char *filename, int li - return; - - if (__log_flags__ & LOG_FLAG_FILE || __log_flags__ & LOG_FLAG_PATH) { -- if (!(__log_flags__ & LOG_FLAG_PATH)) -- filename = basename(filename); -+ if (!(__log_flags__ & LOG_FLAG_PATH)) { -+ dirc = strdup(filename); -+ filename = basename(dirc); -+ } - snprintf(new_fmt, sizeof(new_fmt), "(%s:%3d) %s", filename, line, fmt); -+ if (!(__log_flags__ & LOG_FLAG_PATH)) -+ free(dirc); - } else { - snprintf(new_fmt, sizeof(new_fmt), "%s", fmt); - } 
From 459fa7625cbc1c00c13d06e4414c88d4942db9be Mon Sep 17 00:00:00 2001 From: David Andreoletti Date: Sat, 9 Mar 2024 15:19:59 +0800 Subject: [PATCH 088/106] shairport-sync: support before/after entering active state, unfixable error detected, volume set events in UCI config - Add before/after active state event callbacks in UCI config. - Add volume change event callbacks in UCI config. - Add unfixable error event callbacks in UCI config. As of the current shairport-sync release, all event callbacks have been mapped to UCI config. Signed-off-by: David Andreoletti --- sound/shairport-sync/Makefile | 2 +- sound/shairport-sync/files/shairport-sync.config | 4 ++++ sound/shairport-sync/files/shairport-sync.init | 4 ++++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/sound/shairport-sync/Makefile b/sound/shairport-sync/Makefile index 4850713927..c176f01039 100644 --- a/sound/shairport-sync/Makefile +++ b/sound/shairport-sync/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=shairport-sync PKG_VERSION:=4.3.2 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/mikebrady/shairport-sync/tar.gz/$(PKG_VERSION)? diff --git a/sound/shairport-sync/files/shairport-sync.config b/sound/shairport-sync/files/shairport-sync.config index fa1a8dddc4..bb5423501a 100644 --- a/sound/shairport-sync/files/shairport-sync.config +++ b/sound/shairport-sync/files/shairport-sync.config 
@@ -37,6 +37,10 @@ config shairport-sync 'shairport_sync'
 # Session Control
 option sesctl_run_before_play_begins '' # /etc/shairport-sync-start.sh
 option sesctl_run_after_play_ends '' # /etc/shairport-sync-stop.sh
+ option sesctl_run_before_entering_active_state '' # /path/to/script.sh
+ option sesctl_run_after_exiting_active_state '' # /path/to/script.sh
+ option sesctl_run_if_an_unfixable_error_is_detected '' # /path/to/script.sh
+ option sesctl_run_when_volume_is_set '' # /path/to/script.sh
 option sesctl_wait_for_completion '' # no/yes
 option sesctl_session_interruption '' # no/yes
 option sesctl_session_timeout '' # 120
diff --git a/sound/shairport-sync/files/shairport-sync.init b/sound/shairport-sync/files/shairport-sync.init
index 1f0877535e..f4e7f4464a 100644
--- a/sound/shairport-sync/files/shairport-sync.init
+++ b/sound/shairport-sync/files/shairport-sync.init
@@ -83,6 +83,10 @@ start_instance() {
 printf "{\n"
 append_str "$cfg" sesctl_run_before_play_begins "run_this_before_play_begins"
 append_str "$cfg" sesctl_run_after_play_ends "run_this_after_play_ends"
+ append_str "$cfg" sesctl_run_before_entering_active_state "run_this_before_entering_active_state"
+ append_str "$cfg" sesctl_run_after_exiting_active_state "run_this_after_exiting_active_state"
+ append_str "$cfg" sesctl_run_if_an_unfixable_error_is_detected "run_this_if_an_unfixable_error_is_detected"
+ append_str "$cfg" sesctl_run_when_volume_is_set "run_this_when_volume_is_set"
 append_str "$cfg" sesctl_wait_for_completion "wait_for_completion"
 append_str "$cfg" sesctl_session_interruption "allow_session_interruption"
 append_num "$cfg" sesctl_session_timeout "session_timeout"
From 38560743c487b55b1319afcd2f41ecaf12ed749a Mon Sep 17 00:00:00 2001 From: krant Date: Mon, 22 Apr 2024 09:01:34 +0300 Subject: [PATCH 089/106] imagemagick: update to 7.1.1.31 Signed-off-by: krant --- multimedia/imagemagick/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
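Review bot: The four added `sesctl_run_*` options in shairport-sync.config carry only `# /path/to/script.sh` as a hint, which does not say that each value is a command line the daemon executes with its own privileges. I would extend the hint on the new options, for example `# /path/to/script.sh (executed by shairport-sync; keep it root-owned and not writable by other users)`. For `sesctl_run_when_volume_is_set`, upstream's sample configuration, as far as I know, appends the AirPlay volume to the end of the command line, so a hint such as `# /path/to/script.sh (volume is appended as an argument)` would help anyone writing that script; please confirm this against the packaged version.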
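Review bot: The four new `append_str` calls in `start_instance()` copy free-form UCI strings into the generated configuration, where they become commands the daemon runs, and nothing in this hunk shows whether `append_str` escapes `"` or `\` in the value. The helper is defined outside the hunk, so this is unverified; if it writes the value between double quotes without escaping, a value containing a quote would end the string early and change how the rest of the generated file is parsed. The two existing `run_this_*` options share the same path, so one check of the helper covers all six. `start_instance()` begins and ends outside the hunk.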
diff --git a/multimedia/imagemagick/Makefile b/multimedia/imagemagick/Makefile index 0740a211ec..fbedaa8c26 100644 --- a/multimedia/imagemagick/Makefile +++ b/multimedia/imagemagick/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=imagemagick -PKG_VERSION:=7.1.1.30 +PKG_VERSION:=7.1.1.31 PKG_RELEASE:=1 PKG_MAINTAINER:=Aleksey Vasilenko @@ -15,7 +15,7 @@ _PKGREV:=$(_PKGVER)-$(subst .,,$(suffix $(PKG_VERSION))) PKG_SOURCE:=ImageMagick-$(_PKGREV).tar.xz PKG_SOURCE_URL:=https://imagemagick.org/archive -PKG_HASH:=ec192780d09da7d7b1e7a374a19f97d69cceb4e5e83057515cd595eda233a891 +PKG_HASH:=7e5c8db53dd90a0cfc5cc7ca6d34728ed86054b4bc86e9787902285fec1107a8 PKG_BUILD_DIR:=$(BUILD_DIR)/ImageMagick-$(_PKGREV) PKG_FIXUP:=autoreconf From 466ed55d599c47a4f72cf6f96907fdfa5e9dcc79 Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Thu, 19 Oct 2023 15:29:05 +0200 Subject: [PATCH 090/106] xtables-addons: fix broken compile with external Toolchain Fix broken compile with external Toolchain. Commit 32aaaaa7d379 ("xtables-addons: pass correct flags to compile and install") simplified and dropped the custom Compile/Install in favor of the default one. Problem is that it dropped DESTDIR resulting in the package having problem on finishing install. The commit then was reworked with c83b8787a5f8 ("xtables-addons: adapt build to EXTERNAL_TOOLCHAIN" that reintroduced DESTDIR and also introduced a useless custom flag to fix wrong ARCH. ARCH is fixed by kernel.mk and doesn't depend on external Toolchain or not. For ARCH that require fixing, kernel.mk should be fixed instead of adding custom function to packages Makefile. Drop the custom ARCH handling and use Compile/Install everytime. Fixes: 32aaaaa7d379 ("xtables-addons: pass correct flags to compile and install") Fixes: c83b8787a5f8 ("xtables-addons: adapt build to EXTERNAL_TOOLCHAIN") Signed-off-by: Christian Marangi --- net/xtables-addons/Makefile | 10 ---------- 1 file changed, 10 deletions(-) 
diff --git a/net/xtables-addons/Makefile b/net/xtables-addons/Makefile index 272e95917c..cc14794802 100644 --- a/net/xtables-addons/Makefile +++ b/net/xtables-addons/Makefile @@ -41,15 +41,6 @@ CONFIGURE_ARGS+= \ --with-kbuild="$(LINUX_DIR)" \ --with-xtlibdir="/usr/lib/iptables" -ifdef CONFIG_EXTERNAL_TOOLCHAIN -MAKE_FLAGS:= \ - $(patsubst ARCH=%,ARCH=$(LINUX_KARCH),$(MAKE_FLAGS)) \ - DEPMOD="/bin/true" - -MAKE_INSTALL_FLAGS:= \ - $(patsubst ARCH=%,ARCH=$(LINUX_KARCH),$(MAKE_FLAGS)) \ - DEPMOD="/bin/true" -else define Build/Compile +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ $(KERNEL_MAKE_FLAGS) \ @@ -65,7 +56,6 @@ define Build/Install DEPMOD="/bin/true" \ install endef -endif # 1: extension/module suffix used in package name # 2: extension/module display name used in package title/description From 199bd03b332bfb47fd44fc1762d941875d99d4f2 Mon Sep 17 00:00:00 2001 
From: Anton Khazan Date: Tue, 23 Apr 2024 09:19:24 +0300 Subject: [PATCH 091/106] geoip-shell: update to v0.5.2 Changes since v0.5: Bugfixes: - bugfix: 'geoip-shell on' command errors out on iptables-based systems - bugfix: when changing the update cron schedule, old cron job does not get removed - bugfix: in some edge cases, the update cron job may not be created - bugfix: incorrect mask bits used when creating a rule allowing ipv6 link-local connections (/8 instead of /10) - bugfix: geoip-shell-fetch.sh: fix running without root permissions Improvements: - nftables variant: attach the base chain to the prerouting netfilter hook with priority -141 (rather than -150) to make rules processing deterministic when other rules exist which have priority 'mangle' (-150), making it easier to create custom rules which will be processed before geoip-shell rules - include information on currently used firewall backend utility (nftables or iptables) in the status report - avoid unnecessary re-fetching of ip lists when running 'geoip-shell configure' - randomize the default update schedule's minute between 10 and 20 (previously was always 15) - randomize the automatic update second between 0 and 59 - improve console messages and the status report - update and improve the general documentation - improve OpenWrt-specific documentation Signed-off-by: Anton Khazan --- net/geoip-shell/DETAILS.md | 70 ++++++++++++++++++++++++-------------- net/geoip-shell/Makefile | 8 ++--- net/geoip-shell/NOTES.md | 4 +-- net/geoip-shell/SETUP.md | 21 ++++-------- 4 files changed, 57 insertions(+), 46 deletions(-) diff --git a/net/geoip-shell/DETAILS.md b/net/geoip-shell/DETAILS.md index 0061313e53..b57fc5bf89 100644 --- a/net/geoip-shell/DETAILS.md +++ b/net/geoip-shell/DETAILS.md @@ -7,8 +7,6 @@ ## **Overview** ### Main Scripts -- geoip-shell-install.sh -- geoip-shell-uninstall.sh - geoip-shell-manage.sh - geoip-shell-run.sh - geoip-shell-fetch.sh 
@@ -22,7 +20,7 @@ **geoip-shell-detect-lan.sh** This script is only used under specific conditions: -- During initial setup, with whitelist mode, and only if wan interfaces were set to 'all', and LAN subnets were not specified via command line args. geoip-shell then assumes that it is being installed on a machine belonging to a LAN, uses this script to detect the LAN subnets and offers the user to add them to the whitelist, and to enable automatic detection of LAN subnets in the future. +- During initial setup, with whitelist mode, and only if wan interfaces were set to 'all', and LAN subnets were not specified via command line args. geoip-shell then assumes that it is being configured on a host behind a router and firewall, uses this script to detect the LAN subnets and offers the user to add them to the whitelist, and to enable automatic detection of LAN subnets in the future. - At the time of creating/updating firewall rules, and only if LAN subnets automatic detection is enabled. geoip-shell then re-detects LAN subnets automatically. ### Library Scripts 
@@ -57,13 +55,12 @@ The -lib-uninstall script has some functions which are used both for uninstallat For more information about integration with OpenWrt, read [OpenWrt-README.md](OpenWrt-README.md) ### User interface -The scripts intended as user interface are **geoip-shell-install.sh**, **geoip-shell-uninstall.sh**, **geoip-shell-manage.sh** and **check-ip-in-source.sh**. All the other scripts are intended as a back-end. If you just want to install and move on, you only need to run the -install script. After installation, the user interface is provided by running "geoip-shell", which is a symlink to the -manage script. ## **Main scripts in detail** **geoip-shell-manage.sh**: serves as the main user interface to configure geoip after installation. You can also call it by simply typing `geoip-shell`. As most scripts in this suite, it requires root privileges because it needs to interact with the netfilter kernel component and access the data folder which is only readable and writable by root. Since it serves as the main user interface, it contains a lot of logic to generate a report, parse, validate and initiate actions requested by the user (by calling other scripts as required), check for possible remote machine lockout and warn the user about it, check actions result, update the config and take corrective actions in case of an error. Describing all this is beyond the scope of this document but you can read the code. Sources the lib-status script when generating a status report. Sources lib-setup for some of the arguments parsing logic and interactive dialogs implementation. -`geoip-shell [-c <"country_codes">]` : Enable or disable the geoip blocking chain (via a rule in the base geoip chain) +`geoip-shell ` : Enable or disable the geoip blocking chain (via a rule in the base geoip chain) `geoip-shell [-c <"country_codes">]` : * Adds or removes the specified country codes to/from the config file. 
@@ -75,7 +72,11 @@ After installation, the user interface is provided by running "geoip-shell", whi `geoip-shell restore` : re-fetches and re-applies geoip firewall rules and ip lists as per the config. -`geoip-shell configure [options]` : changes geoip-shell configuration +`geoip-shell showconfig` : prints the contents of the config file. + +`geoip-shell configure [options]` : changes geoip-shell configuration. + +Initial configuration is possible either fully interactively (the -manage script gathers all important config via dialog with the user), partially interactively (you provide some command line arguments, the -manage script processes them and if needed, asks you additional questions), or completely non-interactively by calling the -manage script with the `-z` option which will force setup to fail if any required options are missing or invalid. Any sensible combination of the following options is allowed in one command. **Options for the `geoip-shell configure` command:** 
@@ -87,61 +88,78 @@ After installation, the user interface is provided by running "geoip-shell", whi `-u [ripe|ipdeny]`: Change ip lists source. -`-i <[ifaces]|auto|all>`: Change which network interfaces geoip firewall rules are applied to. `auto` will attempt to automatically detect WAN network interfaces. `auto` works correctly in **most** cases but not in **every** case. Don't use `auto` if the machine has no direct connection to WAN. The automatic detection occurs only when manually triggered by the user via this command. +`-i <[ifaces]|auto|all>`: Change which network interfaces geoip firewall rules are applied to. `auto` will attempt to automatically detect WAN network interfaces. `auto` works correctly in **most** cases but not in **every** case. Don't use `auto` if the machine has no dedicated WAN network interfaces. The automatic detection occurs only when manually triggered by the user via this command. `-l <"[lan_ips]"|auto|none>`: Specify LAN ip's or subnets to exclude from blocking (both ipv4 and ipv6). `auto` will trigger LAN subnets re-detection at every update of the ip lists. When specifying custom ip's or subnets, automatic detection is disabled. This option is only avaiable when using geoip-shell in whitelist mode. `-t <"[trusted_ips]|none">`: Specify trusted ip's or subnets (anywhere on the Internet) to exclude from geoip blocking (both ipv4 and ipv6). -`-p <[tcp|udp]:[allow|block]:[all|]>`: specify ports geoip blocking will apply (or not apply) to, for tcp or udp. To specify ports for both tcp and udp, use the `-p` option twice. For more details, read [NOTES.md](NOTES.md), sections 9-11. +`-p <[tcp|udp]:[allow|block]:[all|]>`: Specify ports geoip blocking will apply (or not apply) to, for tcp or udp. To specify ports for both tcp and udp, use the `-p` option twice. For more details, read [NOTES.md](NOTES.md), sections 9-11. `-r <[user_country_code]|none>` : Specify user's country code. Used to prevent accidental lockout of a remote machine. 
`none` disables this feature. -`-s <"schedule_expression"|disable>` : enables automatic ip lists updates and configures the schedule for the periodic cron job which implements this feature. `disable` disables automatic ip lists updates. +`-s <"schedule_expression"|disable>` : Enables automatic ip lists updates and configures the schedule for the periodic cron job which implements this feature. `disable` disables automatic ip lists updates. `-o ` : No backup. If set to 'true', geoip-shell will not create a backup of ip lists and firewall rules after applying changes, and will automatically re-fetch ip lists after each reboot. Default is 'true' for OpenWrt, 'false' for all other systems. `-a ` : Set custom path to directory where backups and the status file will be stored. Default is '/tmp/geoip-shell-data' for OpenWrt, '/var/lib/geoip-shell' for all other systems. -`-O `: specify optimization policy for nftables sets. By default optimizes for low memory consumption if system RAM is less than 2GiB, otherwise optimizes for performance. This option doesn't work with iptables. +`-O `: Specify optimization policy for nftables sets. By default optimizes for low memory consumption if system RAM is less than 2GiB, otherwise optimizes for performance. This option doesn't work with iptables. -`geoip-shell showconfig` : prints the contents of the config file. +`-z`: Non-interactive setup. -**geoip-shell-run.sh**: Serves as a proxy to call the -fetch, -apply and -backup scripts with arguments required for each action. Executes the requested actions, depending on the config set by the -install and -manage scripts, and the command line options, and writes to system log when starting and on action completion (or if any errors encountered). If persistence or autoupdates are enabled, the cron jobs (or on OpenWrt, the firewall include script) call this script with the necessary options. 
If a non-fatal error is encountered during an automatic update function, the script enters sort of a temporary daemon mode where it will re-try the action (up to a certain number of retries) with increasing time intervals. It also implements some logic to account for unexpected issues encountered during the 'restore' action which runs after system reboot to impelement persistnece, such as a missing backup, and in this situation will automatically change its action from 'restore' to 'update' and try to re-fetch and re-apply the ip lists. +**geoip-shell-run.sh**: Serves as a proxy to call the -fetch, -apply and -backup scripts with arguments required for each action. Executes the requested actions, depending on the config and the command line options, and writes to system log when starting and on action completion (or if any errors encountered). If persistence or autoupdates are enabled, the cron jobs (or on OpenWrt, the firewall include script) call this script with the necessary options. If a non-fatal error is encountered during an automatic update function, the script enters sort of a temporary daemon mode where it will re-try the action (up to a certain number of retries) with increasing time intervals. It also implements some logic to account for unexpected issues encountered during the 'restore' action which runs after system reboot to impelement persistnece, such as a missing backup, and in this situation will automatically change its action from 'restore' to 'update' and try to re-fetch and re-apply the ip lists. -`geoip-shell-run add -l <"list_id [list_id] ... [list_id]">` : Fetches ip lists, loads them into ip sets and applies firewall rules for specified list id's. -A list id has the format of `_`. For example, ****US_ipv4** and **GB_ipv6** are valid list id's. +`geoip-shell-run.sh add -l <"list_id [list_id] ... [list_id]">` : Fetches ip lists, loads them into ip sets and applies firewall rules for specified list id's. +A list id has the format of `_`. 
For example, **US_ipv4** and **GB_ipv6** are valid list id's. -`geoip-shell-run remove -l <"list_ids">` : Removes iplists and firewall rules for specified list id's. +`geoip-shell-run.sh remove -l <"list_ids">` : Removes iplists and firewall rules for specified list id's. -`geoip-shell-run update` : Updates the ip sets for list id's that had been previously configured. Intended for triggering from periodic cron jobs. +`geoip-shell-run.sh update` : Updates the ip sets for list id's that had been previously configured. Intended for triggering from periodic cron jobs. -`geoip-shell-run restore` : Restore previously downloaded lists from backup (skip fetching). Used by the reboot cron job (or by the firewall include on OpenWrt) to implement persistence. +`geoip-shell-run.sh restore` : Restore previously downloaded lists from backup (skip fetching). Used by the reboot cron job (or by the firewall include on OpenWrt) to implement persistence. **geoip-shell-fetch.sh** -- Fetches ip lists for given list id's from RIPE or from ipdeny. The source is selected during installation. If you want to change the default which is RIPE, install with the `-u ipdeny` option. +- Fetches ip lists for given list id's from RIPE or from ipdeny. - Parses, validates, compiles the downloaded lists, and saves each one to a separate file. - Implements extensive sanity checks at each stage (fetching, parsing, validating and saving) and handles errors if they occur. -(for specifics on how to use the script, run it with the -h option) +Options: -**geoip-shell-apply.sh**: directly interfaces with the firewall. Creates or removes ip sets and firewall rules for specified list id's. Sources the lib-apply-ipt or lib-apply-nft script which does most of the actual work. +`-l <"list_ids">` : ip list id's in the format _ (if specifying multiple list id's, use double quotes) -`geoip-shell-apply add -l <"list_ids">` : +`-p ` : Path to directory where downloaded and compiled subnet lists will be stored. 
+ +`-o ` : Path to output file where fetched list will be stored. + +`-s ` : Path to a status file to register fetch results in. + +`-u ` : Use this ip list source for download. Supported sources: ripe, ipdeny. + +Extra options: + +`-r` : Raw mode (outputs newline-delimited ip lists rather than nftables-ready ones). + +`-f` : Force using fetched lists even if list timestamp didn't change compared to existing list. + + +**geoip-shell-apply.sh**: directly interfaces with the firewall. Creates or removes ip sets and firewall rules for specified list id's. Sources the lib-ipt or lib-nft library script. + +`geoip-shell-apply.sh add -l <"list_ids">` : - Loads ip list files for specified list id's into ip sets and applies firewall rules required for geoip blocking. List id has the format of `_`. For example, **US_ipv4** and **GB_ipv6** are valid list id's. -`geoip-shell-apply remove -l <"list_ids">` : +`geoip-shell-apply.sh remove -l <"list_ids">` : - removes ip sets and geoip firewall rules for specified list id's. -**geoip-shell-cronsetup.sh** manages all the cron-related logic and actions. Called by the -manage script. Cron jobs are created based on the settings stored in the config file. Also used to validate cron schedule provided by the user at the time of installation or later. +**geoip-shell-cronsetup.sh** manages all the cron-related logic and actions. Called by the -manage script. Cron jobs are created based on the settings stored in the config file. Also used to validate cron schedule specified by the user. -**geoip-shell-backup.sh**: Creates a backup of current geoip-shell firewall rules and ip sets and current geoip-shell config, or restores them from backup. By default (if you didn't run the installation with the '-o' option), backup will be created after every change to ip sets in the firewall. 
Backups are automatically compressed and de-compressed with the best utility available to the system, in this order "bzip2, xz, gzip", or simply "cat" as a fallback if neither is available (which generally should never happen on Linux). Only one backup copy is kept. Sources the lib-backup-ipt or the lib-backup-nft script which does most of the actual work. +**geoip-shell-backup.sh**: Creates backup of current geoip-shell firewall rules and ip sets and current geoip-shell config, or restores them from backup. By default (if you didn't configure geoip-shell with the '-o' option), backup will be created after every change to ip sets in the firewall. Backups are automatically compressed and de-compressed with the best utility available to the system, in this order "bzip2, xz, gzip", or simply "cat" as a fallback if neither is available (which generally should never happen on Linux). Only one backup copy is kept. Sources the lib-ipt or the lib-nft library script. -`geoip-shell-backup create-backup` : Creates a backup of the current firewall state and geoip blocking config. +`geoip-shell-backup.sh create-backup` : Creates backup of geoip-shell ip sets and config. -`geoip-shell-backup restore` : Restores the firewall state and the config from backup. Used by the *run script to implement persistence. Can be manually used for recovery from fault conditions. +`geoip-shell-backup.sh restore` : Restores geoip-shell state and config from backup. Used by the *run script to implement persistence. Can be manually used for recovery from fault conditions. If run with option `-n`, does not restore the config and the status files. diff --git a/net/geoip-shell/Makefile b/net/geoip-shell/Makefile index 494ef9fdf4..c4385da8d7 100644 --- a/net/geoip-shell/Makefile +++ b/net/geoip-shell/Makefile 
@@ -4,14 +4,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=geoip-shell -PKG_VERSION:=0.5 -PKG_RELEASE:=2 +PKG_VERSION:=0.5.2 +PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=antonk PKG_SOURCE_PROTO:=git -PKG_SOURCE_VERSION:=3b56796aea49d7ae1e5ce3de1f5ccfafd36c7f3f +PKG_SOURCE_VERSION:=db8bbf4ce04094843beea1b1aa4fbceb0d35688d PKG_SOURCE_URL:=https://github.com/friendly-bits/geoip-shell-openwrt.git -PKG_MIRROR_HASH:=2a6cb1996fc7c48f146267e193fe1812addeb228adc5fe16a55341509d4a5353 +PKG_MIRROR_HASH:=4b0b90a936b8e9b476a0b85bd2100fcc4d1da25cd6929c0bcc282ae7ff137e9f include $(INCLUDE_DIR)/package.mk diff --git a/net/geoip-shell/NOTES.md b/net/geoip-shell/NOTES.md index 6bd0ebcbf4..e6f2c5cc32 100644 --- a/net/geoip-shell/NOTES.md +++ b/net/geoip-shell/NOTES.md 
@@ -14,7 +14,7 @@ ### **nftables** - With **nftables**, all firewall rules created by geoip-shell are in the table named `geoip-shell`, family "inet", which is a term nftables uses for tables applying to both ip families. The `geoip-shell` table includes rules for both ip families and any nftables sets geoip-shell creates. geoip-shell creates 2 chains in that table: `GEOIP-BASE` and `GEOIP-SHELL`. The base chain attaches to netfilter's `prerouting` hook and has a rule which directs traffic to the `GEOIP-SHELL` chain. That rule is the geoip-shell "enable" rule for nftables-based systems which acts exactly like the "enable" rule in the iptables-based systems, except it applies to both ip families. - - **nftables** allows for more control over which network interfaces each rule applies to, so when certain network interfaces are specified during installation, geoip-shell specifies these interfaces directly in the rules inside the `GEOIP-SHELL` chain, and so (contrary to iptables-based systems) there is no need in an additional chain. + - **nftables** allows for more control over which network interfaces each rule applies to, so when certain network interfaces are specified during initial setup, geoip-shell specifies these interfaces directly in the rules inside the `GEOIP-SHELL` chain, and so (contrary to iptables-based systems) there is no need in an additional chain. - **nftables** features atomic rules updates, meaning that when issuing multiple nftables commands at once, if any command fails, all changes get cancelled and the system remains in the same state as before. geoip-shell utilizes this feature for fault-tolerance and to completely eliminate time when geoip blocking is disabled during an update of the sets or rules. - **nftables** current version (up to 1.0.8 and probably 1.0.9) has some bugs related to unnecessarily high transient memory consumption when performing certain actions, including adding new sets. 
These bugs are known and for the most part, already have patches implemented which should eventually roll out to the distributions. This mostly matters for embedded hardware with less than 512MB of memory. geoip-shell works around these bugs as much as possible. One of the workarounds is to avoid using the atomic replacement feature for nftables sets. Instead, when updating sets, geoip-shell first adds new sets one by one, then atomically applies all other changes, including rules changes and removing the old sets. In case of an error during any stage of this process, all changes get cancelled, old rules and sets remain in place and geoip-shell then destroys the new sets. This is less efficient but with current versions of nftables, this actually lowers the minimum memory bar for the embedded devices. Once a new version of nftables will be rolled out to the distros, geoip-shell will adapt the algorithm accordingly. 
@@ -27,7 +27,7 @@ 3) geoip-shell uses RIPE as the default source for ip lists. RIPE is a regional registry, and as such, is expected to stay online and free for the foreseeable future. However, RIPE may be fairly slow in some regions. For that reason, I implemented support for fetching ip lists from ipdeny. ipdeny provides aggregated ip lists, meaning in short that there are less entries for same effective geoip blocking, so the machine which these lists are installed on has to do less work when processing incoming connection requests. All ip lists the suite fetches from ipdeny are aggregated lists. -4) The scripts intended as user interface are: **-install**, **-uninstall**, **-manage** (also called by running '**geoip-shell**' after installation) and **check-ip-in-registry.sh**. The -manage script saves the config to a file and implements coherence checks between that file and the actual firewall state. While you can run the other scripts individually, if you make changes to firewall geoip rules, next time you run the -manage script it may insist on reverting those changes since they are not reflected in the config file. The **-backup** script can be used individually. By default, it creates a backup of geoip-shell state after every successful action involving changes to or updates of the ip lists. If you encounter issues, you can use it with the 'restore' command to restore geoip-shell to its previous state. It also restores the config, so the -manage script will not mind. +4) The script intended as user interface is **geoip-shell-manage.sh** (also called by running **geoip-shell**). 5) How to manually check firewall rules created by geoip-shell: - With nftables: `nft -t list table inet geoip-shell`. This will display all geoip-shell rules and sets. diff --git a/net/geoip-shell/SETUP.md b/net/geoip-shell/SETUP.md index 052f3b20d0..20d37c5add 100644 --- a/net/geoip-shell/SETUP.md +++ b/net/geoip-shell/SETUP.md 
@@ -1,18 +1,11 @@ -# Notes about questions asked during the initial setup +## Notes about questions asked during the initial setup -## **'Your shell 'A' is supported by geoip-shell but a faster shell 'B' is available in this system, using it instead is recommended. Would you like to use 'B' with geoip-shell?'** -geoip-shell will work with the shell A you ran it from, but it will work faster with a shell B which is also installed in your system. Your call - type in `y` or `n`. The recommendation is clear. If you type in `y`, geoip-shell installer will launch itself using shell B and configure geoip-shell to always use shell B. - -## **'I'm running under an unsupported/unknown shell shell 'A' but a supported shell 'B' is available in this system, using it instead is recommended. Would you like to use 'B' with geoip-shell?'** - -Whether geoip-shell will work correctly or at all with the shell A you ran it from is unknown, but a supported shell B is available in your system. You can try to run geoip-shell with A but the recommendation is clear. Generally, geoip-shell works best with shells `ash` and `dash`. If you type in `y`, geoip-shell installer will launch itself using shell B and configure geoip-shell to always use shell B. - -## **'Please enter your country code':** +### **'Please enter your country code':** If you answer this question, the _-manage_ script will check that changes in ip lists which you request to make will not block your own country and warn you if they will. This applies both to the initial setup, and to any subsequent changes to the ip lists which you may want to make in the future. The idea behind this is to make this tool as fool-proof as possible. This information is written to the geoip-shell config file (only readable by root) on your device and geoip-shell does not send it anywhere. You can remove this config entry any time via the command `geoip-shell configure -r none`. You can skip the question by pressing Enter if you wish. 
-## **'Does this machine have dedicated WAN interface(s)? [y|n]':** +### **'Does this machine have dedicated WAN interface(s)? [y|n]':** Answering this question is mandatory because the firewall is configured differently, depending on the answer. Answering it incorrectly may cause unexpected results, including having no geoip blocking or losing remote access to your machine. @@ -20,7 +13,7 @@ A machine may have dedicated WAN network interfaces if it's a router or in certa Otherwise, geoip rules are applied to traffic arriving from all network interfaces, except the loopback interface. Besides that, when geoip-shell is installed in whitelist mode and you picked `n` in this question, additional firewall rules may be created which add LAN subnets or ip's to the whitelist in order to avoid blocking them (you can approve or configure that on the next step of the installation). This does not guarantee that your LAN subnets will not be blocked by another rule in another table, and in fact, if you prefer to block some of them then having them in whitelist will not matter. This is because while the 'drop' verdict is final, the 'accept' verdict is not. -## **'Autodetected ipvX LAN subnets: ... [c]onfirm, c[h]ange, [s]kip or [a]bort installation?'** +### **'Autodetected ipvX LAN subnets: ... [c]onfirm, c[h]ange, [s]kip or [a]bort?'** You will see this question if installing the suite in whitelist mode and you chose `n` in the previous question. The reason why under these conditions this question is asked is to avoid blocking your LAN from accessing your machine. 
@@ -48,7 +41,7 @@ A third way to do that is by examining your network configuration (in your route If you find out that the subnets were detected incorrectly, you can type in 'h' and manually enter the correct subnets or ip addresses which you want to allow connections from. -## **'A[u]to-detect LAN subnets when updating ip lists or keep this config c[o]nstant?'** +### **'A[u]to-detect LAN subnets when updating ip lists or keep this config c[o]nstant?'** As the above question, you will see this one if installing the suite in whitelist mode and you answered `n` to the question about WAN interfaces. You will not see this question if you specified custom subnets or ips in the previous question. @@ -60,8 +53,8 @@ If you type in 'c' then whatever subnets have been detected during installation Generally if automatic detection worked as expected during initial setup, most likely it will work correctly every time, so it is a good idea to allow auto-detection with each update. If not then, well, not. -## **Extra options** +### **Extra options** - geoip-shell supports an additional setting: trusted ip's or subnets. Currently this is only configurable by running the -install script with the option `-t <"[trusted_ips]">` (or after installation via the `geoip-shell configure -t <"[trusted_ips]">` command). You can specify trusted ip addresses or subnets anywhere on the LAN or on the Internet. To remove this setting later, run `geoip-shell configure -t none`. -- geoip-shell supports lots of additional command-line options. You can find out more by running `sh geoip-shell-install.sh -h`, or after installation `geoip-shell -h`, or by reading [NOTES.md](NOTES.md) and [DETAILS.md](DETAILS.md). \ No newline at end of file +- geoip-shell supports lots of additional command-line options. You can find out more by running `geoip-shell -h`, or by reading [NOTES.md](NOTES.md) and [DETAILS.md](DETAILS.md). \ No newline at end of file 
From 22f8fd5c5b2e366ac7ee203181100fe1bb2fa157 Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Mon, 22 Apr 2024 10:26:15 +0200 Subject: [PATCH 092/106] modemmanager: add missing PKG_VERSION for APK The 'PKG_VERSION' string was missing and only 'PKG_SOURCE_VERSION' string was used. Signed-off-by: Florian Eckert --- net/modemmanager/Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/modemmanager/Makefile b/net/modemmanager/Makefile index e4466aae9a..ec21b37f36 100644 --- a/net/modemmanager/Makefile +++ b/net/modemmanager/Makefile @@ -8,11 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=modemmanager -PKG_SOURCE_VERSION:=1.22.0 -PKG_RELEASE:=12 +PKG_VERSION:=1.22.0 +PKG_RELEASE:=13 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/ModemManager.git +PKG_SOURCE_VERSION:=$(PKG_VERSION) PKG_MIRROR_HASH:=cd67d0833481146cc630299ffd2e7afdedb2c90f9d8ce3cc348af1fffacc87de PKG_MAINTAINER:=Nicholas Smith From 4f09c95ee2562ef21e3da7c9a61ac3635d875614 Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Sun, 21 Apr 2024 13:42:56 -0700 Subject: [PATCH 093/106] luaexpat: use local tarballs Smaller and avoids badly named tarball with just the version. Signed-off-by: Rosen Penev --- lang/luaexpat/Makefile | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lang/luaexpat/Makefile b/lang/luaexpat/Makefile index 1a7b077dfc..d6d616a359 100644 --- a/lang/luaexpat/Makefile +++ b/lang/luaexpat/Makefile @@ -11,9 +11,10 @@ PKG_NAME:=luaexpat PKG_VERSION:=1.5.1 PKG_RELEASE:=1 -PKG_SOURCE:=$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://github.com/lunarmodules/luaexpat/archive/refs/tags -PKG_HASH:=7d455f154de59eb0b073c3620bc8b873f7f697b3f21a112e6ff8dc9fca6d0826 +PKG_SOURCE_PROTO:=git +PKG_SOURCE_VERSION:=$(PKG_VERSION) +PKG_SOURCE_URL:=https://github.com/lunarmodules/luaexpat +PKG_MIRROR_HASH:=7e370d47e947a1acfeb4d00df012f47116fe7971f5b12033e92666e37a9312a1 PKG_CPE_ID:=cpe:/a:matthewwild:luaexpat 
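Review bot: In the luaexpat hunk, `PKG_SOURCE_VERSION:=$(PKG_VERSION)` resolves to a tag name, and upstream can re-point a tag after it is published. `PKG_MIRROR_HASH` still makes the download fail if the fetched tree no longer matches, so integrity is kept, but the failure gives no hint which commit was originally packaged. A comment next to `PKG_SOURCE_VERSION`, such as `# tag 1.5.1 -> commit <commit-sha-placeholder>`, would record that for whoever has to triage a mismatch. The luasocket, snort3, cni-plugins and cni-plugins-nft hunks later in this series make the same switch.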
From 2fa8485ed8a549b2e25739ef93b599d2833cd5df Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Sun, 21 Apr 2024 13:48:53 -0700 Subject: [PATCH 094/106] luasocket: switch to local tarballs Signed-off-by: Rosen Penev --- lang/luasocket/Makefile | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lang/luasocket/Makefile b/lang/luasocket/Makefile index 7125f78c1b..f5d458c28c 100644 --- a/lang/luasocket/Makefile +++ b/lang/luasocket/Makefile @@ -11,9 +11,10 @@ PKG_NAME:=luasocket PKG_VERSION:=3.1.0 PKG_RELEASE:=1 -PKG_SOURCE:=v$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://github.com/lunarmodules/luasocket/archive/refs/tags -PKG_HASH:=bf033aeb9e62bcaa8d007df68c119c966418e8c9ef7e4f2d7e96bddeca9cca6e +PKG_SOURCE_PROTO:=git +PKG_SOURCE_VERSION:=v$(PKG_VERSION) +PKG_SOURCE_URL:=https://github.com/lunarmodules/luasocket +PKG_MIRROR_HASH:=1ee81f1f5a63d0d14c8c8571e8940604cbf1443c3b18ee7d3d1bac6791f853fc PKG_MAINTAINER:=W. Michael Petullo PKG_LICENSE:=MIT From 7ee33e792ed9ab6e384b70ed529519d762443eee Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Tue, 23 Apr 2024 15:21:23 -0700 Subject: [PATCH 095/106] treewide: exclude mips64 These packages exclude mips but forget to exclude mips64. Signed-off-by: Rosen Penev --- libs/gperftools/Makefile | 4 ++-- utils/dockerd/Makefile | 2 +- utils/mstflint/Makefile | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/libs/gperftools/Makefile b/libs/gperftools/Makefile index 522b571e83..989efd4005 100644 --- a/libs/gperftools/Makefile +++ b/libs/gperftools/Makefile @@ -26,7 +26,7 @@ define Package/gperftools-headers SECTION:=libs TITLE:=Gperftools Headers URL:=https://github.com/gperftools/gperftools - DEPENDS:= @!mips @!mipsel @!powerpc + DEPENDS:= @!(mips||mips64||mipsel||powerpc) endef define Package/gperftools-runtime 
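Review bot: `mips64el` is still selectable after this change, because the new expression `@!(mips||mips64||mipsel||powerpc)` in Package/gperftools-headers lists the big-endian 64-bit symbol but not its little-endian counterpart. The commit message suggests the exclusion is meant for every MIPS variant, though the hunk does not show the reason. If so, the line would read `DEPENDS:= @!(mips||mips64||mips64el||mipsel||powerpc)`. The same applies to the gperftools-runtime, dockerd and mstflint hunks of this commit.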
@@ -34,7 +34,7 @@ define Package/gperftools-runtime CATEGORY:=Libraries TITLE:=Gperftools Runtime URL:=https://github.com/gperftools/gperftools - DEPENDS:= +libunwind +libstdcpp @!mips @!mipsel @!powerpc + DEPENDS:= +libunwind +libstdcpp @!(mips||mips64||mipsel||powerpc) endef define Package/gperftools-headers/description diff --git a/utils/dockerd/Makefile b/utils/dockerd/Makefile index 5c2d545e9d..a41b2195e7 100644 --- a/utils/dockerd/Makefile +++ b/utils/dockerd/Makefile @@ -47,7 +47,7 @@ define Package/dockerd +kmod-veth \ +tini \ +uci-firewall \ - @!(mips||mipsel) + @!(mips||mips64||mipsel) USERID:=docker:docker MENU:=1 endef diff --git a/utils/mstflint/Makefile b/utils/mstflint/Makefile index af1611270c..e27aa9553e 100644 --- a/utils/mstflint/Makefile +++ b/utils/mstflint/Makefile @@ -31,7 +31,7 @@ define Package/mstflint CATEGORY:=Utilities TITLE:=Mellanox Firmware Burning and Diagnostics Tools URL:=https://github.com/Mellanox/mstflint - DEPENDS:=@!(mips||mipsel) \ + DEPENDS:=@!(mips||mips64||mipsel) \ +libcurl +liblzma +libopenssl +libsqlite3 \ +libstdcpp +libxml2 +python3-ctypes \ +python3-urllib +python3-xml +zlib From 47d91a4c0907c76d4df53d8a860c2b68dba3ae39 Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Sun, 21 Apr 2024 13:54:45 -0700 Subject: [PATCH 096/106] snort3: use local tarballs Avoids having a bad tarball name with just the version. Signed-off-by: Rosen Penev --- net/snort3/Makefile | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/net/snort3/Makefile b/net/snort3/Makefile index 9adb0c680b..b9c85922b0 100644 --- a/net/snort3/Makefile +++ b/net/snort3/Makefile 
@@ -9,9 +9,10 @@ PKG_NAME:=snort3 PKG_VERSION:=3.1.84.0 PKG_RELEASE:=1 -PKG_SOURCE:=$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://github.com/snort3/snort3/archive/refs/tags/ -PKG_HASH:=dca1707a66f6ca56ddd526163b2d951cefdb168bddc162c791adc74c0d226c7f +PKG_SOURCE_PROTO:=git +PKG_SOURCE_VERSION:=$(PKG_VERSION) +PKG_SOURCE_URL:=https://github.com/snort3/snort3 +PKG_MIRROR_HASH:=ffa69fdd95c55a943ab4dd782923caf31937dd8ad29e202d7fe781373ed84444 PKG_MAINTAINER:=W. Michael Petullo , John Audia PKG_LICENSE:=GPL-2.0-only From ed50df97f70aba037018bfa54b3c678437c1d305 Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Fri, 19 Apr 2024 16:17:56 -0700 Subject: [PATCH 097/106] cni-plugins: use local tarballs Avoids having to override PKG_UNPACK. Signed-off-by: Rosen Penev --- utils/cni-plugins/Makefile | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/utils/cni-plugins/Makefile b/utils/cni-plugins/Makefile index 3615de5f4e..b7e6d315fb 100644 --- a/utils/cni-plugins/Makefile +++ b/utils/cni-plugins/Makefile @@ -2,15 +2,16 @@ include $(TOPDIR)/rules.mk PKG_NAME:=cni-plugins PKG_VERSION:=1.1.1 -PKG_RELEASE:=1 -PKG_LICENSE:=Apache-2.0 -PKG_LICENSE_FILES:=LICENSE +PKG_RELEASE:=2 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://github.com/containernetworking/plugins/archive/v$(PKG_VERSION) -PKG_HASH:=c86c44877c47f69cd23611e22029ab26b613f620195b76b3ec20f589367a7962 +PKG_SOURCE_PROTO:=git +PKG_SOURCE_VERSION:=v$(PKG_VERSION) +PKG_SOURCE_URL:=https://github.com/containernetworking/plugins +PKG_MIRROR_HASH:=4372700fa1fb159235586432800f228d92246d13571f5a29aa9bc58291eac6d9 PKG_MAINTAINER:=Daniel Golle , Paul Spooren +PKG_LICENSE:=Apache-2.0 +PKG_LICENSE_FILES:=LICENSE PKG_BUILD_DEPENDS:=golang/host PKG_BUILD_PARALLEL:=1 
@@ -24,8 +25,6 @@ GO_PKG_BUILD_PKG:=github.com/containernetworking/plugins/plugins/main/... \ include $(INCLUDE_DIR)/package.mk include ../../lang/golang/golang-package.mk -PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)" - define Package/cni-plugins SECTION:=utils CATEGORY:=Utilities From 70a44730fdff32fc902ce5b6ba279cad5011a811 Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Fri, 19 Apr 2024 16:13:45 -0700 Subject: [PATCH 098/106] cni-plugins-nft: use local tarballs Avoids having to override PKG_UNPACK. Signed-off-by: Rosen Penev --- utils/cni-plugins-nft/Makefile | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/utils/cni-plugins-nft/Makefile b/utils/cni-plugins-nft/Makefile index 771f728e8a..e34af737fd 100644 --- a/utils/cni-plugins-nft/Makefile +++ b/utils/cni-plugins-nft/Makefile @@ -2,11 +2,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=cni-plugins-nft PKG_VERSION:=1.0.12 -PKG_RELEASE:=1 +PKG_RELEASE:=2 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://github.com/greenpau/cni-plugins/archive/v$(PKG_VERSION) -PKG_HASH:=51c4b41c61f46c7dfc691d52dba301e7d8189589e1a625772f761ea3ae804fb3 +PKG_SOURCE_PROTO:=git +PKG_SOURCE_VERSION:=v$(PKG_VERSION) +PKG_SOURCE_URL:=https://github.com/greenpau/cni-plugins +PKG_MIRROR_HASH:=3bb778c8f48261eaaee8b14b9219f1730967ef16158b5b540d45da54ef580e53 PKG_MAINTAINER:=Oskari Rauta PKG_LICENSE:=Apache-2.0 @@ -23,8 +24,6 @@ GO_PKG_BUILD_PKG:=github.com/greenpau/cni-plugins/cmd/cni-nftables-portmap \ include $(INCLUDE_DIR)/package.mk include ../../lang/golang/golang-package.mk -PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)" - define Package/cni-plugins-nft SECTION:=utils CATEGORY:=Utilities From 847a535a3be1df80c528931dfdaf4c4107a0b21d Mon Sep 17 00:00:00 2001 
From: Georgi Valkov Date: Sat, 20 Apr 2024 18:46:18 +0300 Subject: [PATCH 099/106] perl: fix not a Mach-O file on macOS Reverts [1] to resolve the following build error on macOS: /Volumes/wrt3200/openwrt/staging_dir/hostpkg/usr/bin/perl installperl --destdir=/Volumes/wrt3200/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/perl/perl-5.38.2/ipkg-install WARNING: You've never run 'make test' or some tests failed! (Installing anyway.) /usr/bin/perl5.38.2 error: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/install_name_tool: input file: /Volumes/wrt3200/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/perl/perl-5.38.2/ipkg-install/usr/bin/perl5.38.2 is not a Mach-O file [1] https://github.com/Perl/perl5/commit/88efce38149481334db7ddb932f9b74eaaa9765b Signed-off-by: Georgi Valkov --- lang/perl/Makefile | 2 +- ...06-adjust-dependency-paths-on-instal.patch | 114 ++++++++++++++++++ 2 files changed, 115 insertions(+), 1 deletion(-) create mode 100644 lang/perl/patches/920-Revert-perl-127606-adjust-dependency-paths-on-instal.patch diff --git a/lang/perl/Makefile b/lang/perl/Makefile index afd82997fe..6b748019bc 100644 --- a/lang/perl/Makefile +++ b/lang/perl/Makefile @@ -11,7 +11,7 @@ include perlver.mk PKG_NAME:=perl PKG_VERSION:=$(PERL_VERSION) -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE_URL:=https://www.cpan.org/src/5.0 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz diff --git a/lang/perl/patches/920-Revert-perl-127606-adjust-dependency-paths-on-instal.patch b/lang/perl/patches/920-Revert-perl-127606-adjust-dependency-paths-on-instal.patch new file mode 100644 index 0000000000..cff268c3c0 --- /dev/null +++ b/lang/perl/patches/920-Revert-perl-127606-adjust-dependency-paths-on-instal.patch 
@@ -0,0 +1,114 @@ +From 002d6666a3ed5bc9c360c1f91116ebbf0c5ef57c Mon Sep 17 00:00:00 2001 +From: Georgi Valkov +Date: Sat, 20 Apr 2024 16:18:37 +0300 +Subject: [PATCH] revert 88efce38149481334db7ddb932f9b74eaaa9765b + +Signed-off-by: Georgi Valkov +--- + Makefile.SH | 35 ++--------------------------------- + installperl | 25 ------------------------- + 2 files changed, 2 insertions(+), 58 deletions(-) + +--- a/Makefile.SH ++++ b/Makefile.SH +@@ -61,16 +61,8 @@ true) + -compatibility_version \ + ${api_revision}.${api_version}.${api_subversion} \ + -current_version \ +- ${revision}.${patchlevel}.${subversion}" +- case "$osvers" in +- 1[5-9]*|[2-9]*) +- shrpldflags="$shrpldflags -install_name `pwd`/\$@ -Xlinker -headerpad_max_install_names" +- exeldflags="-Xlinker -headerpad_max_install_names" +- ;; +- *) +- shrpldflags="$shrpldflags -install_name \$(shrpdir)/\$@" +- ;; +- esac ++ ${revision}.${patchlevel}.${subversion} \ ++ -install_name \$(shrpdir)/\$@" + ;; + cygwin*) + shrpldflags="$shrpldflags -Wl,--out-implib=libperl.dll.a" +@@ -353,14 +345,6 @@ MANIFEST_SRT = MANIFEST.srt + + !GROK!THIS! + +-case "$useshrplib$osname" in +-truedarwin) +- $spitshell >>$Makefile <>$Makefile <>$Makefile <<'!NO!SUBS!' +- $(SHRPENV) $(CC) -o perl $(PERL_EXE_LDFLAGS) $(CLDFLAGS) $(CCDLFLAGS) $(perlmain_objs) $(static_ext) $(LLIBPERL) `cat ext.libs` $(libs) +-!NO!SUBS! +- ;; +- *) $spitshell >>$Makefile <<'!NO!SUBS!' +- $(SHRPENV) $(CC) -o perl $(CLDFLAGS) $(CCDLFLAGS) $(perlmain_objs) $(static_ext) $(LLIBPERL) `cat ext.libs` $(libs) +-!NO!SUBS! +- ;; +- esac +- ;; +- + *) $spitshell >>$Makefile <<'!NO!SUBS!' + $(SHRPENV) $(CC) -o perl $(CLDFLAGS) $(CCDLFLAGS) $(perlmain_objs) $(static_ext) $(LLIBPERL) `cat ext.libs` $(libs) + !NO!SUBS! 
+--- a/installperl ++++ b/installperl +@@ -282,7 +282,6 @@ else { + safe_unlink("$installbin/$perl_verbase$ver$exe_ext"); + copy("perl$exe_ext", "$installbin/$perl_verbase$ver$exe_ext"); + strip("$installbin/$perl_verbase$ver$exe_ext"); +- fix_dep_names("$installbin/$perl_verbase$ver$exe_ext"); + chmod(0755, "$installbin/$perl_verbase$ver$exe_ext"); + `chtag -r "$installbin/$perl_verbase$ver$exe_ext"` if ($^O eq 'os390'); + } +@@ -350,7 +349,6 @@ foreach my $file (@corefiles) { + if (copy_if_diff($file,"$installarchlib/CORE/$file")) { + if ($file =~ /\.(\Q$so\E|\Q$dlext\E)$/) { + strip("-S", "$installarchlib/CORE/$file") if $^O eq 'darwin'; +- fix_dep_names("$installarchlib/CORE/$file"); + chmod($SO_MODE, "$installarchlib/CORE/$file"); + } else { + chmod($NON_SO_MODE, "$installarchlib/CORE/$file"); +@@ -749,27 +747,4 @@ sub strip + } + } + +-sub fix_dep_names { +- my $file = shift; +- +- $^O eq "darwin" && $Config{osvers} =~ /^(1[5-9]|[2-9])/ +- && $Config{useshrplib} +- or return; +- +- my @opts; +- my $so = $Config{so}; +- my $libperl = "$Config{archlibexp}/CORE/libperl.$Config{so}"; +- if ($file =~ /\blibperl.\Q$Config{so}\E$/a) { +- push @opts, -id => $libperl; +- } +- else { +- push @opts, -change => getcwd . "/libperl.$so", $libperl; +- } +- push @opts, $file; +- +- $opts{verbose} and print " install_name_tool @opts\n"; +- system "install_name_tool", @opts +- and die "Cannot update $file dependency paths\n"; +-} +- + # ex: set ts=8 sts=4 sw=4 et: From de361e98d0565ae00ac75eec3b864c3cde433c19 Mon Sep 17 00:00:00 2001 From: Hirokazu MORIKAWA Date: Wed, 24 Apr 2024 10:38:27 +0900 Subject: [PATCH 100/106] node: bump to v20.12.2 This is a security release. Notable Changes * CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows Signed-off-by: Hirokazu MORIKAWA --- lang/node/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/lang/node/Makefile b/lang/node/Makefile index 369f3bbe86..2f091a62fa 100644 --- a/lang/node/Makefile +++ b/lang/node/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=node -PKG_VERSION:=v20.12.1 +PKG_VERSION:=v20.12.2 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://nodejs.org/dist/$(PKG_VERSION) -PKG_HASH:=b9bef0314e12773ef004368ee56a2db509a948d4170b9efb07441bac1f1407a0 +PKG_HASH:=bc57ee721a12cc8be55bb90b4a9a2f598aed5581d5199ec3bd171a4781bfecda PKG_MAINTAINER:=Hirokazu MORIKAWA , Adrian Panella PKG_LICENSE:=MIT From 5abbd3bcb2362963a2cc49c0a9de78dd5c5af185 Mon Sep 17 00:00:00 2001 From: Ray Wang Date: Sat, 20 Apr 2024 22:53:03 +0800 Subject: [PATCH 101/106] natmap: add log_std{out,err} options Introduce `log_stdout` and `log_stderr` options for managing logging output. Signed-off-by: Ray Wang --- net/natmap/Makefile | 2 +- net/natmap/files/natmap.config | 2 ++ net/natmap/files/natmap.init | 8 +++++--- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/net/natmap/Makefile b/net/natmap/Makefile index 6e43a8f4e5..47809d46e1 100644 --- a/net/natmap/Makefile +++ b/net/natmap/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=natmap PKG_VERSION:=20240303 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/heiher/natmap/releases/download/$(PKG_VERSION) diff --git a/net/natmap/files/natmap.config b/net/natmap/files/natmap.config index 6e8862b334..c003fc59de 100644 --- a/net/natmap/files/natmap.config +++ b/net/natmap/files/natmap.config @@ -10,4 +10,6 @@ config natmap option forward_target '' option forward_port '' option notify_script '' + option log_stdout '1' + option log_stderr '1' diff --git a/net/natmap/files/natmap.init b/net/natmap/files/natmap.init index a0ec4b26df..bfead56f93 100644 --- a/net/natmap/files/natmap.init +++ b/net/natmap/files/natmap.init 
@@ -27,7 +27,9 @@ validate_section_natmap() { 'port:port' \ 'forward_target:host' \ 'forward_port:port' \ - 'notify_script:file' + 'notify_script:file' \ + 'log_stdout:bool:1' \ + 'log_stderr:bool:1' } natmap_instance() { @@ -63,8 +65,8 @@ natmap_instance() { procd_append_param command -e /usr/lib/natmap/update.sh procd_set_param respawn - procd_set_param stdout 1 - procd_set_param stderr 1 + procd_set_param stdout "${log_stdout}" + procd_set_param stderr "${log_stderr}" procd_close_instance } From 13bcb5287099fd77d844856bd8957be81ba5cf28 Mon Sep 17 00:00:00 2001 From: David Andreoletti Date: Sat, 9 Mar 2024 23:08:04 +0800 Subject: [PATCH 102/106] shairport-sync: support mqtt based remote control Enable MQTT support to control shairport-sync remotely Signed-off-by: David Andreoletti --- sound/shairport-sync/Makefile | 5 +++-- sound/shairport-sync/files/shairport-sync.config | 11 +++++++++++ sound/shairport-sync/files/shairport-sync.init | 15 +++++++++++++++ 3 files changed, 29 insertions(+), 2 deletions(-) diff --git a/sound/shairport-sync/Makefile b/sound/shairport-sync/Makefile index c176f01039..4106f5ad2f 100644 --- a/sound/shairport-sync/Makefile +++ b/sound/shairport-sync/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=shairport-sync PKG_VERSION:=4.3.2 -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/mikebrady/shairport-sync/tar.gz/$(PKG_VERSION)? @@ -29,7 +29,7 @@ define Package/shairport-sync/default SECTION:=sound CATEGORY:=Sound TITLE:=AirPlay compatible audio player - DEPENDS:=@AUDIO_SUPPORT +libpthread +alsa-lib +libconfig +libdaemon +libpopt +libplist +libsodium +libgcrypt +libffmpeg-full +libuuid +nqptp + DEPENDS:=@AUDIO_SUPPORT +libpthread +alsa-lib +libconfig +libdaemon +libpopt +libplist +libsodium +libgcrypt +libffmpeg-full +libuuid +nqptp +libmosquitto PROVIDES:=shairport-sync URL:=https://github.com/mikebrady/shairport-sync endef 
@@ -80,6 +80,7 @@ CONFIGURE_ARGS += \ --with-libdaemon \ --with-airplay-2 \ --with-pipe \ + --with-mqtt-client \ --with-metadata ifeq ($(BUILD_VARIANT),openssl) diff --git a/sound/shairport-sync/files/shairport-sync.config b/sound/shairport-sync/files/shairport-sync.config index bb5423501a..42a4acf1d7 100644 --- a/sound/shairport-sync/files/shairport-sync.config +++ b/sound/shairport-sync/files/shairport-sync.config @@ -60,6 +60,17 @@ config shairport-sync 'shairport_sync' # Stdout option stdout_latency_offset '' # 0 option stdout_buffer_length '' # 44100 + # MQTT: https://github.com/mikebrady/shairport-sync/blob/master/MQTT.md + option mqtt_enabled 'no' + option mqtt_hostname '127.0.0.1' + option mqtt_port '1883' + option mqtt_username '' # empty = no authentication + option mqtt_password '' # empty = no authentication + option mqtt_topic 'shairport' + option mqtt_publish_raw 'no' + option mqtt_publish_parsed 'no' + option mqtt_publish_cover 'no' + option mqtt_enable_remote 'no' # AO option ao_latency_offset '' # 0 option ao_buffer_length '' # 44100 diff --git a/sound/shairport-sync/files/shairport-sync.init b/sound/shairport-sync/files/shairport-sync.init index f4e7f4464a..1533970405 100644 --- a/sound/shairport-sync/files/shairport-sync.init +++ b/sound/shairport-sync/files/shairport-sync.init 
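Review bot: In the shairport-sync.config hunk, `mqtt_username` and `mqtt_password` sit beside a default `mqtt_port '1883'`, the conventional unencrypted MQTT port, and none of the ten new options configures TLS. As far as this hunk shows, pointing `mqtt_hostname` at a broker other than the loopback default would send those credentials, and any commands accepted through `mqtt_enable_remote`, over the network in clear text. The shipped defaults (`mqtt_enabled 'no'`, `127.0.0.1`, `mqtt_enable_remote 'no'`) are safe; what is missing is a hint for the user who changes them. I would add a comment line above the block: `# MQTT traffic, including username/password, is not encrypted; keep the broker on localhost or a trusted network`.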
@@ -120,6 +120,21 @@ start_instance() { append_num "$cfg" stdout_buffer_length "audio_backend_buffer_desired_length" printf "};\n\n" + # MQTT + printf "mqtt =\n" + printf "{\n" + append_str "$cfg" mqtt_enabled "enabled" + append_str "$cfg" mqtt_hostname "hostname" + append_num "$cfg" mqtt_port "port" + append_str "$cfg" mqtt_username "username" + append_str "$cfg" mqtt_password "password" + append_str "$cfg" mqtt_topic "topic" + append_str "$cfg" mqtt_publish_raw "publish_raw" + append_str "$cfg" mqtt_publish_parsed "publish_parsed" + append_str "$cfg" mqtt_publish_cover "publish_cover" + append_str "$cfg" mqtt_enable_remote "enable_remote" + printf "};\n\n" + # AO audio back end printf "ao =\n" printf "{\n" From e35b92835ed034ab1309c94b0602f64e4fb8ec67 Mon Sep 17 00:00:00 2001 From: Jianhui Zhao Date: Wed, 24 Apr 2024 17:55:40 +0800 Subject: [PATCH 103/106] lua-eco: update to 3.4.1 Signed-off-by: Jianhui Zhao --- lang/lua-eco/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lang/lua-eco/Makefile b/lang/lua-eco/Makefile index c5a6d9b215..078d48839b 100644 --- a/lang/lua-eco/Makefile +++ b/lang/lua-eco/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lua-eco -PKG_VERSION:=3.4.0 +PKG_VERSION:=3.4.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL=https://github.com/zhaojh329/lua-eco/releases/download/v$(PKG_VERSION) -PKG_HASH:=c45c21c4531f6205f775865da1587fb6185705308b67834ac6f7990e83f482ec +PKG_HASH:=6b28cf832d7427dd5106750814de65b2d9796669e6efacdfa14277c85fcb3b01 PKG_MAINTAINER:=Jianhui Zhao PKG_LICENSE:=MIT From 6efdaecf5b0b7aa2cd7828d5f8f4f96e1c903cf4 Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Thu, 25 Apr 2024 16:35:01 +0200 Subject: [PATCH 104/106] libmbim: add missing PKG_VERSION for APK The 'PKG_VERSION' string was missing and only 'PKG_SOURCE_VERSION' string was used. Signed-off-by: Florian Eckert --- libs/libmbim/Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
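Review bot: `append_str "$cfg" mqtt_password "password"` writes the broker password into the generated shairport-sync configuration, and the code that creates that file is outside this hunk, so its mode is not visible here. If the file is created under a typical default umask it would be readable by other local users; it should be written owner-only, for example with `umask 077` set in start_instance before the configuration is emitted. It is also worth confirming that `append_str`, which is defined outside the hunk, escapes `"` and `\` in the value, since the password is free-form text that presumably ends up inside a quoted string.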
diff --git a/libs/libmbim/Makefile b/libs/libmbim/Makefile index 8165bf8f85..dcbb4c36b4 100644 --- a/libs/libmbim/Makefile +++ b/libs/libmbim/Makefile @@ -8,11 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libmbim -PKG_SOURCE_VERSION:=1.30.0 -PKG_RELEASE:=1 +PKG_VERSION:=1.30.0 +PKG_RELEASE:=2 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/libmbim.git +PKG_SOURCE_VERSION:=$(PKG_VERSION) PKG_MIRROR_HASH:=792c2310290ac3a2ee690e25eda7c79c1e982aa41b3bff2be7454f3505a09827 PKG_BUILD_FLAGS:=gc-sections From cb9fcdab8a30c4abcbc51b7a26dbc91df047e224 Mon Sep 17 00:00:00 2001 From: Florian Eckert Date: Thu, 25 Apr 2024 16:35:33 +0200 Subject: [PATCH 105/106] libqmi: add missing PKG_VERSION for APK The 'PKG_VERSION' string was missing and only 'PKG_SOURCE_VERSION' string was used. Signed-off-by: Florian Eckert --- libs/libqmi/Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libs/libqmi/Makefile b/libs/libqmi/Makefile index cd7e5e2be6..4e9af31dfa 100644 --- a/libs/libqmi/Makefile +++ b/libs/libqmi/Makefile @@ -8,11 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libqmi -PKG_SOURCE_VERSION:=1.34.0 -PKG_RELEASE:=1 +PKG_VERSION:=1.34.0 +PKG_RELEASE:=2 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/libqmi.git +PKG_SOURCE_VERSION:=$(PKG_VERSION) PKG_MIRROR_HASH:=05211a43de53b7bf967fe29ca62dbe8332f42748dbfc8d32880cda765d00020c PKG_BUILD_FLAGS:=gc-sections From bb5e6e15ef9d285b6232ae25cd3736f829d4482e Mon Sep 17 00:00:00 2001 From: Javier Marcet Date: Thu, 25 Apr 2024 19:25:35 +0200 Subject: [PATCH 106/106] docker-compose: Update to version 2.27.0 Release notes: https://github.com/docker/compose/releases/tag/v2.27.0 Signed-off-by: Javier Marcet --- utils/docker-compose/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/utils/docker-compose/Makefile b/utils/docker-compose/Makefile index 621a6134a2..d14dc8fe89 100644 --- a/utils/docker-compose/Makefile 
+++ b/utils/docker-compose/Makefile @@ -1,14 +1,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=compose -PKG_VERSION:=2.26.1 -PKG_RELEASE:=2 +PKG_VERSION:=2.27.0 +PKG_RELEASE:=1 PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE PKG_SOURCE:=$(PKG_NAME)-v$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/docker/compose/tar.gz/v${PKG_VERSION}? -PKG_HASH:=081ad40241f8e144cad088a65e6fd0ec588e3d36931e5baabb3dc5ab068ceb60 +PKG_HASH:=29b2232d1609dff03db74188a7944c85ba8b612f47a7e39938a43db8fb7d7067 PKG_MAINTAINER:=Javier Marcet