If enough tracking ip are pinged skip the reset. They are not needed
anymore to mark the interface as up.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
fix Makefile chmod (644)
replace MD5SUM with HASH
add PKG_MIRROR_HASH when PKG_SOURCE_PROTO:=git
(PKG_SOURCE_PROTO:=svn tarballs are not reproducible for now)
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
ipset command line utility supports ranges of address: IP-IP, but the
dash character is also valid character in host names. If we have a
remote server ss-00.example.com, ipset may complain that
ipset v6.32: Syntax error: cannot parse ss: resolving to IPv4 address failed
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
ubox 'list' type is for validating multiple elements separated by
tabs/whitespaces in a single value. E.g. The following should not be
accepted
list src_ip_bypass '1.2.3.4 4.3.2.1'
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
======================== ========================================
features dependency
======================== ========================================
HTTPS OSX or GnuTLS or OpenSSL or Windows
SFTP libssh2
BitTorrent None. Optional: libnettle+libgmp or
libgcrypt or OpenSSL
Metalink libxml2 or Expat.
Checksum None. Optional: OSX or libnettle or
libgcrypt or OpenSSL or Windows
gzip, deflate in HTTP zlib
Async DNS C-Ares
Firefox3/Chromium cookie libsqlite3
XML-RPC libxml2 or Expat.
JSON-RPC over WebSocket libnettle or libgcrypt or OpenSSL
======================== ========================================
Add 'CONFIG_' to 'PKG_CONFIG_DEPENDS'.
Signed-off-by: Hsing-Wang Liao <kuoruan@gmail.com>
* Add aria2 user and group.
* Use procd to start service.
* Add more supported options.
Compatible with previous version.
Signed-off-by: Hsing-Wang Liao <kuoruan@gmail.com>
When building on hosts with lmdb installed, bind configure phase fails:
configure: error: found lmdb include but not library.
Solve this by disabling lmdb. Fixes#4748.
Fixes: eab56b6bee ("bind: version update to 9.11.2")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* backend/frontend: supports a Connection Limit ('trm_maxretry')
of '0', to disable this feature (unlimited retries)
Signed-off-by: Dirk Brenken <dev@brenken.org>
- New UCI options ifnames, dst_default
- UCI options src_ips_xxx now accept cidr as their values
- Export ipset names as part of the interface so that it can be
depended on and used by other programs
- Bypass only remote servers used ss-redir instances, so that it's
possible to let other servers to go through existing re-redir
instances
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Remove an improperly placed semicolon in order to solve the following
compiler error:
.../main.c:144:3: error: this 'if' clause does not guard... [-Werror=misleading-indentation]
if (execl("/bin/busybox", "/bin/busybox", "md5sum", file, NULL));
^~
.../main.c:145:4: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the 'if'
return NULL;
^~~~~~
cc1: all warnings being treated as errors
Fixes#4723.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Fixes the following bugs introduced in commit 815e83d4:
- hotplug: invalid parameter order when initial interface state is "online",
mwan3track expects initial state to be the third argument
- hotplug: missing source ip address when initial interface state is "offline"
- mwan3track: source ip address should be the fourth argument
Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
On some environments, connecting to localhost was resolving to ::1,
which didn't match the bind to the explicit 127.0.0.1.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Added many more UCI config options, particularly for bridge connections
The recently introduced username/password options for bridges are kept,
even though they have been deprecated upstream for a while. In keeping
with this, while support is kept in UCI, the generated mosquitto.conf
file will always generate the "modern" remote_username/remote_password
options preferred by mosquitto instead.
Likewise for bridge clientid and remote_clientid options.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Dynu.com already support IPV6 updates using the parameter myipv6, adding to services_ipv6 to enable support in OpenWRT/LEDE
Signed-off-by: Phil John <philjohn@gmail.com>
Define package config files to preserve
/usr/share/nlbwmon/protocols across sysupgrade
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
This is the default value taken by ss-server and ss-redir. After this
change ss_rules section can still use those ss-redir instances who do
not have mode explicitly specified.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Add new globals config section with option local_source.
With this config option the self interface generation will be done now
automatically on hotplug event. You can specify which interface (ip)
sould be used for router traffic. To replace the self intereface in the
config set local_source to "lan".
The default option is none, so it will not change default behavior if a
"self" interface is configured in the network section.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
To know how old the ubus output is, add an age parameter which indicats
how old the check informations on the interface are.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Add new interface config option "inital_state".
If interface comeing up the first time(mwan3 start, boot),
there are now two option for interface behaviour:
- online (default as is now)
Set up interface regardless wether tracking ip are reachable or not.
- offline
Set up interface first to ping tracking ip and if they are reachable set up
the interface completely.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Even though error was fixed the interface checks still fails, if last_resort
was set to blackhole or unreachable.
To fix this issue do not remove failure interface from iptables change on
down event.
Reported-by: Colby Whitney <colby.whitney@luxul.com>
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If two interface have the same prefix "wan" for example "wan" and "wan1"
pgrep returns the PID for wan1 also "pgrep -f mwan3track wan".
Before this fix "wan1" was also killed! This is not what we want.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* print only 'missing plugins support warning' if user really configured
'blacklist' or 'block_ipv6' parameter.
Signed-off-by: Dirk Brenken <dev@brenken.org>
When the strongswan service is running, `ipsec status` returns 0. Check
the return value instead of checking its output.
While at it, remove the [[ ]] bashism, use rereadall instead of
(reread)secrets, and move it inside the if statement.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
In commit 36e073d820, some checks were
added to see if the UCI config file exists and if there are any peers
configured in it. Due to these checks, if /etc/config/ipsec exists, but
contains no enabled peers, strongswan will not be started. This is not
ideal, as a user might want to experiment with the UCI config while
keeping existing connections in /etc/ipsec.conf operational.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Since the strongswan-utils package now only contains the aging ipsec
utility, rename it to strongswan-ipsec.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
We currently include the SCEP client in strongswan-utils, which is a
dependency of the strongswan-default meta-package. As it's generally not
recommended to generate keys on embedded devices due to lack of entropy,
move the SCEP client to a separate package, and only depend on it in the
strongswan-full meta-package.
While at it, add scepclient.conf to the package.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
We currently include the PKI tool in strongswan-utils, which is a
dependency of the strongswan-default meta-package. As it's generally not
recommended to generate keys on embedded devices due to lack of entropy,
move the PKI tool to a separate package, and only depend on it in the
strongswan-full meta-package.
While at it, add pki.conf to the package.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* Update nmap-suite to 7.60
* Use PKG_HASH as PKG_MD5SUM is deprecated
* Switch download URL to HTTPS
* Add zlib as dependency and link libpcre dynamically
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* Start dnscrypt-proxy from procd interface trigger rather than
immediately in init, to fix a possible race condition during boot and
get rid of rc.local restarts. You can restrict trigger interface(s) by
'procd_trigger' in new global config section.
* tab/whitespace cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
* add preliminary kresd dns backend support for turris devices,
see readme (experimental / untested!)
* use tld compression for overall list, too
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
Adds support for interface tracking using either ping, arping or
httping. This allows to track interface status on networks with filtered
ICMP traffic or simply to monitor data link layer etc.
To facilitate binding to a specified interface its IP address is passed
as a new mwan3track parameter. It's currently required by httping
and possibly by other tools that may be added in the future.
Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
0.9.1
backend:
* load procd reload trigger only in 'manual' mode
* documentation update
frontend:
* further optimized Station Overview & Scan page,
especially for mobile devices
* add a "Rescan" button in manual mode on overview page
* XHTML fixes
Signed-off-by: Dirk Brenken <dev@brenken.org>
I do not use this software any more and due to lack of time, I give the
maintenance responsibility back to the community.
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
This commit introduces nlbwmon, the lightweight NetLink BandWidth Montor.
The nlbwmon daemon gathers per-host traffic statistics by querying netlink
accounting data. Due to this approach, the executable is very small and does
not rely on libpcap and CPU intensive raw sockets to monitor traffic.
Besides raw per-host traffic counters, nlbwmon also support rudimentary
traffic classification by observing IP protocols and used port numbers.
Gathered accounting data is stored into a series of database files which
are regularily committed to persistent storage.
Refresh, commit and accounting intervals are freely configurable as well
as the layer7 protocol mapping rules and observed source subnets.
This package also bundles a cli client which can be used to dump the
gathered traffic data as JSON, CSV or plaintext data. A pull request to
add a graphical LuCI frontend for nlbwmon is pending.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The softethervpn does not actually supported CCFLAGS, or other standard
variables, so we need to override CC to include all of those to fix
build errors with external toolchains.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
- It's a common practice that assert should be ignored in release build
- Whether to enable ssp should be decided by the config of build system
This was taken from Makefile in shadowsocks/openwrt-shadowsocks.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Package version upgraded to 2.5 with patches:
- Fixed compiler warnings
- Fixed miscalculated response time
- Reduced binary size by stripping unused code
Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
Notable changes since 3.0.6
f308dde ss-server: fix a use-after-free bug
0b2dce5 ss-redir: fix a mem leak
b7bdb16 ss-local: SOCKS5 UDP associate terminates the connection prematurely
3f0d39a ss-local: use getsockname udp_fd where it applies (fixes local_port==0)
eb30a3d fix possible data loss with salsa20 cipher
0559d8c fix partial nonce data being overwritten
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
The change is mainly for keeping compatibility with old validate_data
before ubox commit ac481cdd999ee84d3f115c33a56397237e95ec64 in Sat Jul
16 14:52:36 2016 +0200. The behaviour change comes with that commit can
be seen with the following command line session
root@LEDE:/usr/bin# validate_data network interface wan 'disabled:bool:false'
network.wan.disabled is unset and defaults to bool false
disabled=0; root@LEDE:/usr/bin#
root@OpenWrt:/# validate_data network interface lan 'disabled:bool:false'
disabled='false'; root@OpenWrt:/#
This will cause shadowsocks-libev in current master branch fail on OpenWrt
15.01 though they actually should only use packages from the 15.01 branch...
Fixesopenwrt/packages#4614
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
backend:
* handle errors due to misconfigured uplinks
* various bugfixes
luci frontend:
* add a powerful wireless station manager to edit and delete existing
interfaces or scan for new uplinks
Signed-off-by: Dirk Brenken <dev@brenken.org>
New upstream release includes fixes for the following security issues:
* CVE-2017-3140: With certain RPZ configurations, a response with TTL 0 could
cause named to go into an infinite query loop
* CVE-2017-3142: An error in TSIG handling could permit unauthorized zone
transfers or zone updates.
* CVE-2017-3143: An error in TSIG handling could permit unauthorized zone
transfers or zone updates.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
afraid.org has a new update API with better IPV6 support. It needs to be
specifically enabled for each domain, so the original v1 api has been
Signed-off-by: Thomas Guyot-Sionnest <dermoth@aei.ca>
