* fix a processing race condition
* it's now possible to disable the icmp/syn/udp safeguards in pre-routing - set the threshold to '0'.
Signed-off-by: Dirk Brenken <dev@brenken.org>
This should solve the issue found on the buildbots:
-snip-
...
checking consistency of all components of python development environment... yes
./configure: line 24172: test: =: unary operator expected
checking for pam_start in -lpam... (cached) no
...
-snap-
For a still unknown reason, AX_PYTHON_DEVEL from the included
m4 file is not used, which would set the variable the correct way.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
This is a Command Line Interface (CLI) and pure Go API to
test internet speed using speedtest.net. Its upstream is
https://github.com/showwin/speedtest-go
Signed-off-by: TeleostNaCl Dai <teleostnacl@gmail.com>
This commit adds the following features:
1. UCI support for local DNS over HTTPS/TLS/QUIC server.
2. UCI support for using private reverse DNS.
3. procd jail with CAP_NET_BIND_SERVICE, allowing
dnsproxy to serve on standard ports directly.
Signed-off-by: Emily H. <battery_tag708@simplelogin.com>
- Remove patch 010-Build-based-on-OpenSSL-version.patch
since it was backported and now it is included in 7.95 release
- Patch 030-ncat-drop-ca-bundle.patch was refreshed
Release notes:
https://nmap.org/changelog.html#7.95
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Use git as source and bump version to PCRE2 support commit.
Move nmap to PCRE2 library as PCRE is EOL and won't receive any security
update in the future.
Patch 001-Use-correct-HAVE_-macros-for-Lua-5.4.-Fixes-2648.patch has
been merged upstream and can be dropped.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Bump to version 7.94.
Nmap now requires lua 5.4.
Patch 020-Python3-port-of-ndiff.patch has been merged upstream and can
be dropped.
Patch 001-Use-correct-HAVE_-macros-for-Lua-5.4.-Fixes-2648.patch is now
required to fix a problem with header inclusion for lua 5.4.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
- Parameter not set in two places:
/usr/bin/snort-mgr: eval: line 125: options: parameter not set
Reported-by: @klingon888
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
Add experimental patch and move package to PCRE2 as PCRE is EOL and
won't receive any security updates anymore.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This swaps the order of the lines in the description so that when LuCI displays only the first line, it still offers some helpful information.
Signed-off-by: Nathan Friedly <nathan@nfriedly.com>
* corrected the documentation links for upstream
* fixed style to be correctly rendered
* add reference to OpenWrt tutorial
Signed-off-by: Goetz Goerisch <ggoerisch@gmail.com>
Changes since v0.5:
Bugfixes:
- bugfix: 'geoip-shell on' command errors out on iptables-based systems
- bugfix: when changing the update cron schedule, old cron job does not get removed
- bugfix: in some edge cases, the update cron job may not be created
- bugfix: incorrect mask bits used when creating a rule allowing ipv6 link-local connections (/8 instead of /10)
- bugfix: geoip-shell-fetch.sh: fix running without root permissions
Improvements:
- nftables variant: attach the base chain to the prerouting netfilter hook with priority -141 (rather than -150) to make rules processing deterministic when other rules exist which have priority 'mangle' (-150), making it easier to create custom rules which will be processed before geoip-shell rules
- include information on currently used firewall backend utility (nftables or iptables) in the status report
- avoid unnecessary re-fetching of ip lists when running 'geoip-shell configure'
- randomize the default update schedule's minute between 10 and 20 (previously was always 15)
- randomize the automatic update second between 0 and 59
- improve console messages and the status report
- update and improve the general documentation
- improve OpenWrt-specific documentation
Signed-off-by: Anton Khazan <antonk.d3v@gmail.com>
Fix broken compile with external Toolchain.
Commit 32aaaaa7d3 ("xtables-addons: pass correct flags to
compile and install") simplified and dropped the custom Compile/Install
in favor of the default one. Problem is that it dropped DESTDIR
resulting in the package having problem on finishing install.
The commit then was reworked with c83b8787a5 ("xtables-addons: adapt
build to EXTERNAL_TOOLCHAIN") that reintroduced DESTDIR and also
introduced a useless custom flag to fix wrong ARCH.
ARCH is fixed by kernel.mk and doesn't depend on whether an external Toolchain
is used or not. For ARCHes that require fixing, kernel.mk should be fixed instead of
adding a custom function to the package's Makefile.
Drop the custom ARCH handling and use Compile/Install every time.
Fixes: 32aaaaa7d3 ("xtables-addons: pass correct flags to compile and install")
Fixes: c83b8787a5 ("xtables-addons: adapt build to EXTERNAL_TOOLCHAIN")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* fixed possible Set search race condition (initiated from LuCI frontend)
* fixed the "no result" Set search problem in LuCI
* removed abandoned feeds: spamhaus edrop (was merged with spamhaus drop)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Bump to latest 2.0.25.1 release
Drop upstream PCRE2 patch and alarm memory leak fix.
Rework and refresh patch due to release bump.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* include `server:` directive at the top of unbound file
* update unbound-related outputGzip variable to include full path
* return always_nxdomain for blocked domains
* also update copyright stamp/license
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* adblock-fast can generate the compatible adb_list-file, but it's
only pulled if net/adblock installed, this patch also pulls in the
adb_list file if net/adblock-fast is installed.
* also bump PKG_RELEASE
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* added DDoS protection rules in a new pre-routing chain to prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets; flood thresholds are configured via 'ban_icmplimit' (default 10/s), 'ban_synlimit' (default 10/s) and 'ban_udplimit' (default 100/s)
* the new pre-routing rules are tracked via named nft counters and are part of the standard reporting, set 'ban_logprerouting' accordingly
* block countries dynamically by Regional Internet Registry (RIR)/regions, e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE, set 'ban_region' accordingly
* it's now possible to always allow certain protocols/destination ports in wan-input and wan-forward chains, set 'ban_allowflag' accordingly - e.g. ' tcp 80 443-445'
* filter/convert possible windows line endings of external feeds during processing
* the cpu core autodetection is now limited to max. 16 cores in parallel, set 'ban_cores' manually to overrule this limitation
* set the default nft priority to -100 for banIP input/forward chains (pre-routing is set to -150)
* update readme
* a couple of bugfixes & performance improvements
* removed abandoned feeds: darklist, ipblackhole
* added new feeds: becyber, ipsum, pallebone, debl (changed URL)
* requires a LuCI frontend update as well (separate PR/commit)
Signed-off-by: Dirk Brenken <dev@brenken.org>
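The pre-routing flood safeguards described in the banIP changelog above, together with the later note that a threshold of '0' disables a safeguard, can be illustrated with a small rule renderer. This is an added example, not banIP's own code: it turns the three threshold settings into nftables rule lines in the shape the commit describes (rate-limit drops plus unconditional drops of invalid conntrack state and bogus tcp flag combinations), emitting no rate-limit rule when the threshold is 0. The rule text uses anonymous `counter` statements rather than banIP's named counters, and the chain/set names are not part of this snippet.

```shell
#!/bin/sh
# Added example (not banIP's own code): render pre-routing flood-protection
# rules from the ban_icmplimit / ban_synlimit / ban_udplimit settings.
# A threshold of 0 means "safeguard disabled", so no rule is printed for it.
ban_prerouting_rules() {
    icmplimit="${1:-10}"   # ban_icmplimit, packets per second (default 10/s)
    synlimit="${2:-10}"    # ban_synlimit, packets per second (default 10/s)
    udplimit="${3:-100}"   # ban_udplimit, packets per second (default 100/s)

    # Invalid conntrack packets are always dropped, independent of thresholds.
    printf 'ct state invalid counter drop\n'
    # Bogus flag combinations (e.g. fin and syn set together) never occur in
    # legitimate TCP traffic and are dropped unconditionally as well.
    printf 'tcp flags & (fin|syn) == (fin|syn) counter drop\n'

    # ICMP flood: drop ICMP above the configured packet rate.
    if [ "$icmplimit" -gt 0 ]; then
        printf 'meta l4proto icmp limit rate over %s/second counter drop\n' "$icmplimit"
    fi
    # SYN flood: drop TCP packets carrying the syn flag above the rate.
    if [ "$synlimit" -gt 0 ]; then
        printf 'tcp flags syn limit rate over %s/second counter drop\n' "$synlimit"
    fi
    # UDP flood: drop UDP above the rate.
    if [ "$udplimit" -gt 0 ]; then
        printf 'meta l4proto udp limit rate over %s/second counter drop\n' "$udplimit"
    fi
    return 0
}

# Count how many rules a given threshold triple produces; handy for
# checking that '0' really switches a safeguard off.
ban_prerouting_rule_count() {
    ban_prerouting_rules "$@" | wc -l | tr -d ' '
}

# Usage: ban_prerouting_rules 10 10 100   (defaults)
#        ban_prerouting_rules 0 10 100    (ICMP safeguard disabled)
```

Each printed line is one rule body that would be added to a prerouting base chain; the limit is a per-rule token bucket, so dropping only kicks in once the rate is exceeded, which is why this is a flood safeguard rather than a blanket block.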
Remove the unnecessary 'r' from PKG_RELEASE as it is
added automatically by the build system to the final versioning.
(Current version leads into 'geoip-shell_0.5-rr2_all.ipk')
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
* make PKG_RELEASE numeric again
* made a release bump due to a newly added patch (see de4ef9d169 for details)
* remove maintainer (as requested in #23890)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Also some spell fixes for README.md
Drop patch-0001 - ntpd >= 4.2.8p16 patched this behaviour. See:
https://bugs.ntp.org/show_bug.cgi?id=3741 (and the linked diff there)
d2a7faef2f
Signed-off-by: Paul Donald <newtwen@gmail.com>
According to the documentation[1] 'PKG_RELEASE' should be a number,
so populate the APK-style 'r' via 'VERSION' instead.
1. https://openwrt.org/docs/guide-developer/packages#buildpackage_variables
Fixes: 30796c5948 ("v2ray-geodata: use APK compatible version schema")
Reported-by: Sean Khan <datapronix@protonmail.com>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Generates git tarballs in the new APK style format:
Note that `SOURCE_DATE` was added and needs to be updated
as the commit date of the commit hash
Before:
```
nginx-mod-geoip2-1cabd8a1f68ea3998f94e9f3504431970f848fbf.tar.xz
nginx-mod-headers-more-bea1be3bbf6af28f6aa8cf0c01c07ee1637e2bd0.tar.xz
nginx-mod-brotli-25f86f0bac1101b6512135eac5f93c49c63609e3.tar.xz
nginx-mod-rtmp-f0ea62342a4eca504b311cd5df910d026c3ea4cf.tar.xz
nginx-mod-ts-ef2f874d95cc75747eb625a292524a702aefb0fd.tar.xz
nginx-mod-naxsi-d714f1636ea49a9a9f4f06dba14aee003e970834.tar.xz
nginx-mod-lua-c89469e920713d17d703a5f3736c9335edac22bf.tar.xz
nginx-mod-lua-resty-core-2e2b2adaa61719972fe4275fa4c3585daa0dcd84.tar.xz
nginx-mod-lua-resty-lrucache-52f5d00403c8b7aa8a4d4f3779681976b10a18c1.tar.xz
nginx-mod-dav-ext-f5e30888a256136d9c550bf1ada77d6ea78a48af.tar.xz
nginx-mod-ubus-b2d7260dcb428b2fb65540edb28d7538602b4a26.tar.xz
```
After:
```
nginx-mod-geoip2-2020.01.22~1cabd8a1.tar.zst
nginx-mod-headers-more-2022.07.17~bea1be3b.tar.zst
nginx-mod-brotli-2020.04.23~25f86f0b.tar.zst
nginx-mod-rtmp-2018.12.07~f0ea6234.tar.zst
nginx-mod-ts-2017.12.04~ef2f874d.tar.zst
nginx-mod-naxsi-2022.09.14~d714f163.tar.zst
nginx-mod-lua-2023.08.19~c89469e9.tar.zst
nginx-mod-lua-resty-core-2023.09.09~2e2b2ada.tar.zst
nginx-mod-lua-resty-lrucache-2023.08.06~52f5d004.tar.zst
nginx-mod-dav-ext-2018.12.17~f5e30888.tar.zst
nginx-mod-ubus-2020.09.06~b2d7260d.tar.zst
```
Run tested: aarch64, Dynalink DL-WRX36, Master Branch
Signed-off-by: Sean Khan <datapronix@protonmail.com>
In the current setup, dynamic modules are not autoloaded, requiring users
to create and load additional config files.
We should assume that if a user installs additional modules, they want
them 'on' by default.
This commit does the following:
1.) generates a module load config in '/etc/nginx/modules.d' with the
format '${module_name}'.module
(i.e. /etc/nginx/modules.d/ngx_http_geoip2.module)
2.) deletes previous module conf for 'luci'
/etc/nginx/modules.d/luci.module if it exists, this will prevent
'module already loaded' errors.
The following is a portion of the final output when using the
default uci template `/etc/nginx/uci.conf.template` (via nginx-util):
```
nginx -T -c '/etc/nginx/uci.conf'
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
load_module /usr/lib/nginx/modules/ngx_http_dav_ext_module.so;
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
load_module /usr/lib/nginx/modules/ngx_http_naxsi_module.so;
load_module /usr/lib/nginx/modules/ngx_http_ts_module.so;
load_module /usr/lib/nginx/modules/ngx_http_ubus_module.so;
load_module /usr/lib/nginx/modules/ngx_rtmp_module.so;
load_module /usr/lib/nginx/modules/ngx_stream_module.so;
load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
```
Signed-off-by: Sean Khan <datapronix@protonmail.com>
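The two steps above (one `${module_name}.module` file per installed module under `/etc/nginx/modules.d`, and removal of a stale `luci.module` so nothing is loaded twice) can be expressed as a small shell function. This is an added example, not the nginx package's own postinstall script: it takes the modules directory and the modules.d directory as parameters so it can be exercised against a scratch tree, and it derives the module name by stripping the `_module.so` suffix from each shared object, so that `ngx_http_geoip2_module.so` yields `ngx_http_geoip2.module`.

```shell
#!/bin/sh
# Added example (not the nginx package's own code): generate per-module
# load configs in the style described in the commit message above.
#   $1 - directory holding the module shared objects (e.g. /usr/lib/nginx/modules)
#   $2 - directory receiving the ${module_name}.module files (e.g. /etc/nginx/modules.d)
nginx_gen_module_confs() {
    modules_dir="$1"
    confs_dir="$2"
    mkdir -p "$confs_dir"

    # A leftover luci.module from the old layout would load_module the same
    # objects again and trigger 'module already loaded' errors, so drop it.
    rm -f "$confs_dir/luci.module"

    for so in "$modules_dir"/*_module.so; do
        # The glob stays literal when the directory holds no modules.
        [ -e "$so" ] || continue
        base="$(basename "$so" .so)"   # ngx_http_geoip2_module
        name="${base%_module}"         # ngx_http_geoip2
        printf 'load_module %s;\n' "$so" > "$confs_dir/$name.module"
    done
}

# Return the number of generated .module files so the result can be checked.
nginx_module_conf_count() {
    ls "$1"/*.module 2>/dev/null | wc -l | tr -d ' '
}

# Usage: nginx_gen_module_confs /usr/lib/nginx/modules /etc/nginx/modules.d
```

Because the file name is derived from the shared object name, adding a module package later only requires re-running the function; nothing has to be hand-edited in `uci.conf`.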
Since the geoip2 package contains both `http` and `stream` versions, it
requires the module `ngx_stream` to be installed and loaded and otherwise produces
the error:
```
2024/04/12 18:38:18 [emerg] 4402#0: dlopen()
"/usr/lib/nginx/modules/ngx_stream_geoip2_module.so" failed (Error
relocating /usr/lib/nginx/modules/ngx_stream_geoip2_module.so:
ngx_stream_complex_value: symbol not found) in
/etc/nginx/module.d/ngx_stream_geoip2.module:1 nginx: configuration file
/etc/nginx/uci.conf test failed
```
Add dependency so it's built at build time and installed automatically
by `opkg`
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Adds the geoip-shell package to OpenWrt.
geoip-shell is a flexible geoip blocker for Linux with a user-friendly command-line interface.
Signed-off-by: Anton Khazan <antonk.d3v@gmail.com>
* update license to AGPL-3.0-or-later
* rename pbr_get_gateway to pbr_get_gateway4 for better readability
* improve IPv6 "gateway" detection/display on start
* prevent IPv6 interface errors on start
* revert release format
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Version 6.3.4 has some important fixes for the OpenWrt community.
This version properly supports Big-Endian systems (which are many); the previous OpenWrt packaged version crashed on such systems.
Signed-off-by: dracode <github@dragonbyte.org>
1. Update to latest version
2. Remove redundant section in Makefile
Changelog: https://github.com/snort3/snort3/releases/tag/3.1.84.0
,,_ -*> Snort++ <*-
o" )~ Version 3.1.84.0
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.14
Using LuaJIT version 2.1.0-beta3
Using OpenSSL 3.0.13 30 Jan 2024
Using libpcap version 1.10.4 (with TPACKET_V3)
Using PCRE version 8.45 2021-06-15
Using ZLIB version 1.3.1
Using Hyperscan version 5.4.2 2024-04-10
Using LZMA version 5.4.6
Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne
Signed-off-by: John Audia <therealgraysky@proton.me>
A recent change in the ucode interpreter caused a failure when using
the 'in' operator.
be767ae197
Reported in a forum post by @graysky2.
https://forum.openwrt.org/t/194218/28
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
* delete obsolete files/etc/init.d/pbr.init
* add files/etc/uci-defaults/91-pbr-iptables to help update from older OpenWrt
* add files/etc/uci-defaults/91-pbr-nft to help update from older OpenWrt
* update files/etc/uci-defaults/91-pbr-netifd to only add tables to supported ifaces
* re-organize variants in the Makefile so that they hopefully work this time
* update prerm for all variants for better user experience
* update the -netifd prerm to remove leftover entries from network and rt_tables file
In the init script:
* add decorations for netifd-interfaces related operations (blue ticks)
* add rtTablesFile variables instead of hard-coding the rt_tables file
* add function to check if the table is netifd-derived
* add error messages/hints for failed interface setup and failed WAN discovery
* make cleanup_rt_tables netifd-compatible
* streamline interface_process function with a clearer case statement
* rename the interface_process `pre-init` option to `pre_init` to conform to the other
functions options naming style
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Maintainer: Stan Grishin <stangri@melmac.ca>
Run tested: aarch64, Dynalink DL-WRX36, Master Branch
Signed-off-by: Sean Khan <datapronix@protonmail.com>
This can be useful for things like making the interface on the peer side
fixed with value like `ifname xx`
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Use local tarballs instead of codeload. Smaller size.
Patch ola.m4 to support statically linked protobuf. Avoids rpath hacks.
Remove upstream backport.
Signed-off-by: Rosen Penev <rosenp@gmail.com>