Compare commits


89 Commits

Author SHA1 Message Date
Marius Dinu 81adfd9ec3
Merge e87d89da2e into 2c6d5adac0 2024-04-27 03:26:54 +08:00
Dirk Brenken 2c6d5adac0
banip: update 0.9.5-3
* allow multiple protocol/port definitions per feed, e.g. 'tcp udp 80 443 50000'
* removed the default protocol/port limitation from asn feed

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-04-26 17:03:33 +02:00
Josef Schlehofer 9d49df0dab syslog-ng: update to version 4.7.1
Release notes:
- https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.7.0
- https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.7.1

Also bump version in the config file to avoid warning

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2024-04-26 13:41:49 +02:00
Josef Schlehofer 6d5e404a0c
Merge pull request #13619 from aparcar/no-circle
CI: remove CircleCI for now
2024-04-26 10:47:43 +02:00
Paul Spooren 26c101edc3 CI: remove CircleCI for now
The GitHub CI currently offers more architectures and the Signed-off-by
test is covered via the DOC CI test. In case GitHub ever changes
policies, we can simply switch back.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2024-04-26 10:44:21 +02:00
Goetz Goerisch 8b08b29271 jool: update documentation
* corrected the documentation links for upstream
* fixed style to be correctly rendered
* add reference to OpenWrt tutorial

Signed-off-by: Goetz Goerisch <ggoerisch@gmail.com>
2024-04-26 15:46:37 +08:00
Stan Grishin f471b6b459
Merge pull request #23984 from stangri/master-adblock-fast
adblock-fast: bugfix: unbound-related fixes
2024-04-25 14:33:57 -07:00
Javier Marcet bb5e6e15ef docker-compose: Update to version 2.27.0
Release notes:
https://github.com/docker/compose/releases/tag/v2.27.0

Signed-off-by: Javier Marcet <javier@marcet.info>
2024-04-26 01:57:33 +08:00
Dirk Brenken 1721f4fb79
Merge pull request #23991 from friendly-bits/master-geoip-shell
geoip-shell: update to v0.5.2
2024-04-25 19:20:47 +02:00
Florian Eckert cb9fcdab8a libqmi: add missing PKG_VERSION for APK
The 'PKG_VERSION' string was missing and only 'PKG_SOURCE_VERSION' string
was used.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2024-04-25 16:35:39 +02:00
Florian Eckert 6efdaecf5b libmbim: add missing PKG_VERSION for APK
The 'PKG_VERSION' string was missing and only 'PKG_SOURCE_VERSION' string
was used.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2024-04-25 16:35:03 +02:00
Jianhui Zhao e35b92835e lua-eco: update to 3.4.1
Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
2024-04-24 19:23:21 -07:00
Stan Grishin 74ce7e5707
Merge pull request #23911 from qosmio/nebula-fix-release-number
nebula: Use APK style release number
2024-04-24 17:04:42 -07:00
Stan Grishin 22094a65b6
Merge pull request #23907 from qosmio/nghttp3-fix-release-number
nghttp3: Use APK style release number
2024-04-24 17:01:09 -07:00
Stan Grishin 988a533153
Merge pull request #23908 from qosmio/ngtcp2-fix-release-number
ngtcp2: Use APK style release number
2024-04-24 17:00:56 -07:00
David Andreoletti 13bcb52870 shairport-sync: support mqtt based remote control
Enable MQTT support to control shairport-sync remotely

Signed-off-by: David Andreoletti <david@andreoletti.net>
2024-04-24 12:23:38 -07:00
Ray Wang 5abbd3bcb2 natmap: add log_std{out,err} options
Introduce `log_stdout` and `log_stderr` options for managing logging output.

Signed-off-by: Ray Wang <r@hev.cc>
2024-04-24 17:54:03 +08:00
Hirokazu MORIKAWA de361e98d0 node: bump to v20.12.2
This is a security release.

Notable Changes
* CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
2024-04-24 17:53:22 +08:00
Georgi Valkov 847a535a3b perl: fix not a Mach-O file on macOS
Reverts [1] to resolve the following build error on macOS:

/Volumes/wrt3200/openwrt/staging_dir/hostpkg/usr/bin/perl installperl --destdir=/Volumes/wrt3200/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/perl/perl-5.38.2/ipkg-install
WARNING: You've never run 'make test' or some tests failed! (Installing anyway.)
  /usr/bin/perl5.38.2
error: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/install_name_tool: input file: /Volumes/wrt3200/openwrt/build_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/perl/perl-5.38.2/ipkg-install/usr/bin/perl5.38.2 is not a Mach-O file

[1] 88efce3814

Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
2024-04-23 19:00:11 -07:00
Rosen Penev 70a44730fd cni-plugins-nft: use local tarballs
Avoids having to override PKG_UNPACK.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-04-23 18:59:51 -07:00
Rosen Penev ed50df97f7 cni-plugins: use local tarballs
Avoids having to override PKG_UNPACK.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-04-23 18:59:37 -07:00
Rosen Penev 47d91a4c09 snort3: use local tarballs
Avoids having a bad tarball name with just the version.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-04-23 18:59:19 -07:00
Rosen Penev 7ee33e792e treewide: exclude mips64
These packages exclude mips but forget to exclude mips64.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-04-23 18:59:04 -07:00
Rosen Penev 2fa8485ed8 luasocket: switch to local tarballs
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-04-23 18:58:49 -07:00
Rosen Penev 4f09c95ee2 luaexpat: use local tarballs
Smaller and avoids a badly named tarball with just the version.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-04-23 18:58:31 -07:00
Florian Eckert 22f8fd5c5b modemmanager: add missing PKG_VERSION for APK
The 'PKG_VERSION' string was missing and only 'PKG_SOURCE_VERSION' string
was used.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2024-04-23 09:39:32 +02:00
Anton Khazan 199bd03b33 geoip-shell: update to v0.5.2
Changes since v0.5:

Bugfixes:
- bugfix: 'geoip-shell on' command errors out on iptables-based systems
- bugfix: when changing the update cron schedule, old cron job does not get removed
- bugfix: in some edge cases, the update cron job may not be created
- bugfix: incorrect mask bits used when creating a rule allowing ipv6 link-local connections (/8 instead of /10)
- bugfix: geoip-shell-fetch.sh: fix running without root permissions

Improvements:
- nftables variant: attach the base chain to the prerouting netfilter hook with priority -141 (rather than -150) to make rules processing deterministic when other rules exist which have priority 'mangle' (-150), making it easier to create custom rules which will be processed before geoip-shell rules
- include information on currently used firewall backend utility (nftables or iptables) in the status report
- avoid unnecessary re-fetching of ip lists when running 'geoip-shell configure'
- randomize the default update schedule's minute between 10 and 20 (previously was always 15)
- randomize the automatic update second between 0 and 59
- improve console messages and the status report
- update and improve the general documentation
- improve OpenWrt-specific documentation

Signed-off-by: Anton Khazan <antonk.d3v@gmail.com>
2024-04-23 09:19:24 +03:00
Christian Marangi 466ed55d59 xtables-addons: fix broken compile with external Toolchain
Fix broken compile with external Toolchain.

Commit 32aaaaa7d3 ("xtables-addons: pass correct flags to
compile and install") simplified and dropped the custom Compile/Install
in favor of the default one. The problem is that it dropped DESTDIR,
resulting in the package having problems finishing install.

The commit was then reworked with c83b8787a5 ("xtables-addons: adapt
build to EXTERNAL_TOOLCHAIN"), which reintroduced DESTDIR and also
introduced a useless custom flag to fix the wrong ARCH.

ARCH is fixed by kernel.mk and doesn't depend on whether an external
Toolchain is used or not. For ARCHs that require fixing, kernel.mk should
be fixed instead of adding a custom function to the package's Makefile.

Drop the custom ARCH handling and use Compile/Install every time.

Fixes: 32aaaaa7d3 ("xtables-addons: pass correct flags to compile and install")
Fixes: c83b8787a5 ("xtables-addons: adapt build to EXTERNAL_TOOLCHAIN")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-04-22 22:13:33 +02:00
krant 38560743c4 imagemagick: update to 7.1.1.31
Signed-off-by: krant <aleksey.vasilenko@gmail.com>
2024-04-22 06:00:26 -07:00
David Andreoletti 459fa7625c shairport-sync: support before/after entering active state, unfixable error detected, volume set events in UCI config
- Add before/after active state event callbacks in UCI config.
- Add volume change event callbacks in UCI config.
- Add unfixable error event callbacks in UCI config.

As of the current shairport-sync release, all event callbacks have been
mapped to UCI config.

Signed-off-by: David Andreoletti <david@andreoletti.net>
2024-04-22 05:32:28 -07:00
Jianhui Zhao 99bc6b2782 lua-eco: update to 3.4.0
Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
2024-04-22 15:30:06 +08:00
Tianling Shen e4e861e08d
dnsproxy: Update to 0.70.0
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2024-04-22 15:26:30 +08:00
Tianling Shen ebed42fcb0
v2ray-core: Update to 5.15.3
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2024-04-22 15:26:22 +08:00
Alexandru Ardelean 2dc22d4a0c
Merge pull request #23975 from krant/libwebp
libwebp: update to 1.4.0
2024-04-22 10:11:45 +03:00
Zephyr Lykos 8b100c8dd1 tailscale: Update to 1.64.2
<https://github.com/tailscale/tailscale/releases/v1.64.2>

Signed-off-by: Zephyr Lykos <git@mochaa.ws>
2024-04-21 21:31:23 -07:00
Eneas U de Queiroz df6d6a4284
Merge pull request #23978 from neheb/o
gost_engine: switch to local tarballs
2024-04-21 22:44:20 -03:00
Alexandru Ardelean f5f0a4e868 python-lxml: bump to version 5.2.1
Also added python-cython/host as a build dependency.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2024-04-21 13:46:24 -07:00
Georgi Valkov a0c4d8a6fb usbmuxd: fix tethering not working after iPhone restart
If the iPhone restarts while the USB cable is still connected,
tethering does not work. This can be fixed by reconnecting.

Fix: if the hotplug.d script detects that carrier is disabled
(no communication), the USB link is reset, and then the
usbmuxd service is restarted. Tethering starts even before
the iPhone is unlocked. As a side effect, if tethering is not
enabled, the iPhone will ding a second time after 5 seconds.

Add dependency on usbutils for usbreset, remove dependency on librt.

[1] https://github.com/libimobiledevice/usbmuxd/issues/218
[2] https://github.com/openwrt/openwrt/issues/12566#issuecomment-2066305622

Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
2024-04-21 13:45:57 -07:00
Rosen Penev 66c237a78f mtd-rw: update version to latest master
Remove local patch as upstream has a different solution applied.

Use PKG_SOURCE_DATE to get rid of weird apk version.

Remove various variables that are default anyway.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-04-21 13:44:49 -07:00
Dirk Brenken ad755e0c4d
banip: update 0.9.5-2
* fixed possible Set search race condition (initiated from LuCI frontend)
* fixed the "no result" Set search problem in LuCI
* removed abandoned feeds: spamhaus edrop (was merged with spamhaus drop)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-04-21 21:58:32 +02:00
Christian Marangi 2750b16b47
nginx: bump to 1.25.5 release
Bump nginx to 1.25.5 release.

Patch automatically refreshed with make package/nginx/refresh.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-04-21 17:47:59 +02:00
Christian Marangi fbb7ad4d10
uwsgi: update Maintainer name
Update maintainer name with real name for Christian Marangi.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-04-21 17:40:28 +02:00
Christian Marangi a9371952c9
uwsgi: bump to latest 2.0.25.1 release
Bump to latest 2.0.25.1 release

Drop upstream PCRE2 patch and alarm memory leak fix.
Rework and refresh patch due to release bump.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-04-21 17:38:24 +02:00
Stan Grishin 474587a1f4 adblock-fast: bugfix: unbound-related fixes
* include `server:` directive at the top of unbound file
* update unbound-related outputGzip variable to include full path
* return always_nxdomain for blocked domains
* also update copyright stamp/license

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2024-04-21 14:06:58 +00:00
Rosen Penev 75f971407d gost_engine: switch to local tarballs
Avoids PKG_UNPACK hacks.

Added PKG_LICENSE_FILES.

Reordered variables for consistency between packages.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-04-20 19:47:54 -07:00
Jonas Jelonek bf1b907d12 eza: update to 0.18.11
changelogs:
0.18.10: https://github.com/eza-community/eza/releases/tag/v0.18.10
0.18.11: https://github.com/eza-community/eza/releases/tag/v0.18.11

Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2024-04-20 18:09:45 -07:00
Hauke Mehrtens 9447654b6b libmraa: Fix compilation with musl libc 1.2.5
Support POSIX basename used in musl libc 1.2.5.

This backports a patch from upstream git.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-04-20 18:07:19 -07:00
Rosen Penev 72a6e17d49 xxhash: build with cmake
Faster.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-04-20 18:06:21 -07:00
Rosen Penev db07f86c35 xxhash: switch to local git tarballs
Smaller and avoids having to use PKG_UNPACK.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-04-20 18:06:21 -07:00
Hauke Mehrtens ddd379416e tini: Fix compilation with musl libc 1.2.5
Support POSIX basename used in musl libc 1.2.5.

This fixes compilation with musl libc 1.2.5.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-04-20 18:05:14 -07:00
krant 116bbd9359 libwebp: update to 1.4.0
Signed-off-by: krant <aleksey.vasilenko@gmail.com>
2024-04-21 00:17:23 +03:00
Josef Schlehofer 46c8b621b0
Merge pull request #23969 from dibdot/curl
curl: fix/bump PKG_RELEASE, remove maintainer
2024-04-20 19:03:20 +02:00
Dirk Brenken d5a13478eb
Merge pull request #23963 from dibdot/banIP
banip: release 0.9.5-1
2024-04-20 13:05:05 +02:00
Dirk Brenken fa80fefe22
banip: release 0.9.5-1
* added DDoS protection rules in a new pre-routing chain to prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets, flood thresholds are configured via 'ban_icmplimit' (default 10/s), 'ban_synlimit' (default 10/s) and 'ban_udplimit' (default 100/s)
* the new pre-routing rules are tracked via named nft counters and are part of the standard reporting, set 'ban_logprerouting' accordingly
* block countries dynamically by Regional Internet Registry (RIR)/regions, e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE, set 'ban_region' accordingly
* it's now possible to always allow certain protocols/destination ports in wan-input and wan-forward chains, set 'ban_allowflag' accordingly - e.g. ' tcp 80 443-445'
* filter/convert possible windows line endings of external feeds during processing
* the cpu core autodetection is now limited to max. 16 cores in parallel, set 'ban_cores' manually to overrule this limitation
* set the default nft priority to -100 for banIP input/forward chains (pre-routing is set to -150)
* update readme
* a couple of bugfixes & performance improvements
* removed abandoned feeds: darklist, ipblackhole
* added new feeds: becyber, ipsum, pallebone, debl (changed URL)
* requires a LuCI frontend update as well (separate PR/commit)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-04-20 12:43:37 +02:00
Hannu Nyman 767b3f2ea8 geoip-shell: remove extra r from PKG_RELEASE
Remove the unnecessary 'r' from PKG_RELEASE as it is
added automatically by the build system to the final versioning.

(The current version leads to 'geoip-shell_0.5-rr2_all.ipk')

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2024-04-20 09:21:07 +03:00
Dirk Brenken afae2776e9
curl: fix/bump PKG_RELEASE, remove maintainer
* make PKG_RELEASE numeric again
* made a release bump due to a newly added patch (see de4ef9d169 for details)
* remove maintainer (as requested in #23890)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-04-20 07:41:20 +02:00
Paul Donald b2742ed05d ntpd: update to version 4.2.8p17
Also some spell fixes for README.md

Drop patch-0001 - ntpd >= 4.2.8p16 patched this behaviour. See:

https://bugs.ntp.org/show_bug.cgi?id=3741 (and the linked diff there)
d2a7faef2f

Signed-off-by: Paul Donald <newtwen@gmail.com>
2024-04-20 11:15:11 +08:00
Rosen Penev 1bac5b386d udpspeeder: use local tarballs
Simpler, smaller, and avoids PKG_UNPACK.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-04-19 15:54:27 -07:00
Hauke Mehrtens 577259cfb9 lua-eco: Fix compilation with musl libc 1.2.5
Support POSIX basename used in musl libc 1.2.5.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-04-19 14:24:43 -07:00
Hauke Mehrtens b20e69d765 rtty: Fix compilation with musl libc 1.2.5
Support POSIX basename used in musl libc 1.2.5.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-04-19 14:23:51 -07:00
Rosen Penev 55440f2ac7 yara: update to 4.5.0
Move away from codeload for smaller and better tarballs.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-04-19 14:20:13 -07:00
Zephyr Lykos 8982c3e61a tailscale: Update to 1.64.1
<https://github.com/tailscale/tailscale/releases/v1.64.1>

Signed-off-by: Zephyr Lykos <git@mochaa.ws>
2024-04-19 14:19:47 -07:00
krant 2650de4686 socat: fix compile error when ccache is enabled
Signed-off-by: krant <aleksey.vasilenko@gmail.com>
2024-04-19 14:19:25 -07:00
Rosen Penev bfb5d820bf ibrcommon: remove basename
Can be replaced with regular C++.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-04-19 14:18:45 -07:00
Maxim Storchak 8951378aec rsync: support xxhash and lz4
Signed-off-by: Maxim Storchak <m.storchak@gmail.com>
2024-04-19 21:51:40 +08:00
Rui Salvaterra a7172aec50
Merge pull request #23943 from rsalvaterra/tor-bump
tor: update to 0.4.8.11 stable
2024-04-19 12:36:32 +01:00
Jo-Philipp Wich 3d99f1d2f1
Merge pull request #23821 from friendly-bits/add_geoip-shell
geoip-shell: add package
2024-04-19 13:16:39 +02:00
Alexandru Ardelean c789bcefb1
Merge pull request #23939 from commodo/python-updates1
django,django-restframework: bump versions
2024-04-19 12:32:13 +03:00
Michael Heimpold b459d2e798
Merge pull request #23955 from mhei/php8-update-to-8.3.6
php8: update to 8.3.6
2024-04-19 06:27:36 +02:00
Tianling Shen c1e6fbbcb0 v2ray-geodata: Update to latest version
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2024-04-19 10:56:03 +08:00
Tianling Shen d7e63d4e24 v2ray-geodata: make PKG_RELEASE numeric again
According to the documentation[1] 'PKG_RELEASE' should be a number,
so populate the APK-style 'r' via 'VERSION' instead.

1. https://openwrt.org/docs/guide-developer/packages#buildpackage_variables

Fixes: 30796c5948 ("v2ray-geodata: use APK compatible version schema")
Reported-by: Sean Khan <datapronix@protonmail.com>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2024-04-19 10:56:03 +08:00
Felix Fietkau de4ef9d169 curl: fix SSL init with mbedtls 3.6
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-18 21:58:13 +02:00
Felix Fietkau 23bd17806b libssh: update to version 0.10.6, fix build with mbedtls 3.6
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-18 21:46:20 +02:00
Josef Schlehofer 4e20600abf
Merge pull request #23953 from commodo/cython-update1
python-cython: bump to version 3.0.10
2024-04-18 19:38:19 +02:00
Marcus Folkesson eb35a3be13 python-jinja2: create /host target
Make the python-jinja2/host target available for the build environment
to be used with e.g. the PKG_BUILD_DEPENDS list.

This is needed for an upcoming package (libcamera).

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2024-04-18 16:29:34 +02:00
Marcus Folkesson 436e462c64 python-yaml: create /host target
Make the python-yaml/host target available for the build environment
to be used with e.g. the PKG_BUILD_DEPENDS list.

This is needed for an upcoming package (libcamera).

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2024-04-18 16:28:59 +02:00
Sean Khan 660aa8091f nginx: Use zst + APK style packaging for modules
Generates git tarballs in the new APK style format:

Note that `SOURCE_DATE` was added and needs to be updated
to the commit date of the commit hash.

Before:
```
nginx-mod-geoip2-1cabd8a1f68ea3998f94e9f3504431970f848fbf.tar.xz
nginx-mod-headers-more-bea1be3bbf6af28f6aa8cf0c01c07ee1637e2bd0.tar.xz
nginx-mod-brotli-25f86f0bac1101b6512135eac5f93c49c63609e3.tar.xz
nginx-mod-rtmp-f0ea62342a4eca504b311cd5df910d026c3ea4cf.tar.xz
nginx-mod-ts-ef2f874d95cc75747eb625a292524a702aefb0fd.tar.xz
nginx-mod-naxsi-d714f1636ea49a9a9f4f06dba14aee003e970834.tar.xz
nginx-mod-lua-c89469e920713d17d703a5f3736c9335edac22bf.tar.xz
nginx-mod-lua-resty-core-2e2b2adaa61719972fe4275fa4c3585daa0dcd84.tar.xz
nginx-mod-lua-resty-lrucache-52f5d00403c8b7aa8a4d4f3779681976b10a18c1.tar.xz
nginx-mod-dav-ext-f5e30888a256136d9c550bf1ada77d6ea78a48af.tar.xz
nginx-mod-ubus-b2d7260dcb428b2fb65540edb28d7538602b4a26.tar.xz
```

After:
```
nginx-mod-geoip2-2020.01.22~1cabd8a1.tar.zst
nginx-mod-headers-more-2022.07.17~bea1be3b.tar.zst
nginx-mod-brotli-2020.04.23~25f86f0b.tar.zst
nginx-mod-rtmp-2018.12.07~f0ea6234.tar.zst
nginx-mod-ts-2017.12.04~ef2f874d.tar.zst
nginx-mod-naxsi-2022.09.14~d714f163.tar.zst
nginx-mod-lua-2023.08.19~c89469e9.tar.zst
nginx-mod-lua-resty-core-2023.09.09~2e2b2ada.tar.zst
nginx-mod-lua-resty-lrucache-2023.08.06~52f5d004.tar.zst
nginx-mod-dav-ext-2018.12.17~f5e30888.tar.zst
nginx-mod-ubus-2020.09.06~b2d7260d.tar.zst
```

Run tested: aarch64, Dynalink DL-WRX36, Master Branch

Signed-off-by: Sean Khan <datapronix@protonmail.com>
2024-04-18 13:11:31 +02:00
Sean Khan caffa410ed nginx: autoload dynamic modules
In the current setup, dynamic modules are not autoloaded, requiring users
to create and load additional config files.

We should assume that if a user installs additional modules, they want
them 'on' by default.

This commit does the following:

1.) generates a module load config in '/etc/nginx/modules.d' with the
    format '${module_name}'.module
    (i.e. /etc/nginx/modules.d/ngx_http_geoip2.module)
2.) deletes the previous module conf for 'luci',
    /etc/nginx/modules.d/luci.module, if it exists; this prevents
    'module already loaded' errors.

The following is a portion of the final output when using the
default uci template `/etc/nginx/uci.conf.template` (via nginx-util):

```
nginx -T -c '/etc/nginx/uci.conf'

load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;

load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;

load_module /usr/lib/nginx/modules/ngx_http_dav_ext_module.so;

load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;

load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;

load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;

load_module /usr/lib/nginx/modules/ngx_http_naxsi_module.so;

load_module /usr/lib/nginx/modules/ngx_http_ts_module.so;

load_module /usr/lib/nginx/modules/ngx_http_ubus_module.so;

load_module /usr/lib/nginx/modules/ngx_rtmp_module.so;

load_module /usr/lib/nginx/modules/ngx_stream_module.so;

load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
```

Signed-off-by: Sean Khan <datapronix@protonmail.com>
2024-04-18 13:02:42 +02:00
Sean Khan 4cc682c8a4 nginx: fix geoip2 dependency on mod ngx_stream
Since the geoip2 package contains both `http` and `stream` versions, it
requires the module `ngx_stream` to be installed and loaded, and produces
the error:

```
2024/04/12 18:38:18 [emerg] 4402#0: dlopen()
"/usr/lib/nginx/modules/ngx_stream_geoip2_module.so" failed (Error
relocating /usr/lib/nginx/modules/ngx_stream_geoip2_module.so:
ngx_stream_complex_value: symbol not found) in
/etc/nginx/module.d/ngx_stream_geoip2.module:1 nginx: configuration file
/etc/nginx/uci.conf test failed
```

Add the dependency so it's built at build time and installed automatically
by `opkg`.

Signed-off-by: Sean Khan <datapronix@protonmail.com>
2024-04-18 13:00:20 +02:00
Michael Heimpold 2682b28cb3 php8: update to 8.3.6
This fixes:
    - CVE-2024-1874
    - CVE-2024-2756
    - CVE-2024-2757
    - CVE-2024-3096

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
2024-04-17 20:56:55 +02:00
Alexandru Ardelean e3ed196f20 python-cython: bump to version 3.0.10
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2024-04-17 11:31:26 +03:00
Anton Khazan fc35918026 geoip-shell: add package
Adds the geoip-shell package to OpenWrt.
geoip-shell is a flexible geoip blocker for Linux with a user-friendly command-line interface.

Signed-off-by: Anton Khazan <antonk.d3v@gmail.com>
2024-04-16 13:45:05 +02:00
Alexandru Ardelean 0592f27d99 django-restframework: bump to version 3.15.1
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2024-04-16 14:13:23 +03:00
Alexandru Ardelean 1a51bd18ac django: bump to version 5.0.4
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2024-04-16 14:12:52 +03:00
Rui Salvaterra 570ee10a13 tor: update to 0.4.8.11 stable
Minor release, see the changelog [1] for what's new.

[1] https://gitlab.torproject.org/tpo/core/tor/-/raw/tor-0.4.8.11/ChangeLog

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2024-04-16 09:28:27 +01:00
Sean Khan 3cbb7474c3 nebula: Use APK style release number
Maintainer: Stan Grishin <stangri@melmac.ca>

Run tested: aarch64, Dynalink DL-WRX36, Master Branch

Signed-off-by: Sean Khan <datapronix@protonmail.com>
2024-04-12 12:09:59 -04:00
Sean Khan fbf350d5e1 nghttp3: Use APK style release number
Maintainer: Stan Grishin <stangri@melmac.ca>

Run tested: aarch64, Dynalink DL-WRX36, Master Branch

Signed-off-by: Sean Khan <datapronix@protonmail.com>
2024-04-12 12:09:59 -04:00
Sean Khan 43e924bacc ngtcp2: Use APK style release number
Maintainer: Stan Grishin <stangri@melmac.ca>

Run tested: aarch64, Dynalink DL-WRX36, Master Branch

Signed-off-by: Sean Khan <datapronix@protonmail.com>
2024-04-12 12:09:59 -04:00
Marius Dinu e87d89da2e audit: move from packages to openwrt
This package is joined with libaudit from openwrt base packages.

Signed-off-by: Marius Dinu <m95d+git@psihoexpert.ro>
2024-04-12 12:23:46 +03:00
101 changed files with 2033 additions and 2286 deletions

@ -1,93 +0,0 @@
FROM debian:10
# Configuration version history
# v1.0 - Initial version by Etienne Champetier
# v1.0.1 - Run as non-root, add unzip, xz-utils
# v1.0.2 - Add bzr
# v1.0.3 - Verify usign signatures
# v1.0.4 - Add support for Python3
# v1.0.5 - Add 19.07 public keys, verify keys
# v1.0.6 - Add 21.02 public keys, update Debian image to version 10, add rsync
# v1.0.7 - Add 22.03 public keys, 18.06 v2 gpg key, 18.06 usign key
RUN apt update && apt install -y \
build-essential \
bzr \
curl \
jq \
gawk \
gettext \
git \
libncurses5-dev \
libssl-dev \
python \
python3 \
signify-openbsd \
subversion \
rsync \
time \
unzip \
wget \
xz-utils \
zlib1g-dev \
&& rm -rf /var/lib/apt/lists/*
RUN useradd -c "OpenWrt Builder" -m -d /home/build -s /bin/bash build
USER build
ENV HOME /home/build
# OpenWrt Build System (PGP key for unattended snapshot builds)
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/626471F1.asc' | gpg --import \
&& gpg --fingerprint --with-colons '<pgpsign-snapshots@openwrt.org>' | grep '^fpr:::::::::54CC74307A2C6DC9CE618269CD84BCED626471F1:$' \
&& echo '54CC74307A2C6DC9CE618269CD84BCED626471F1:6:' | gpg --import-ownertrust
# OpenWrt Build System (PGP key for 17.01 "Reboot" release builds)
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/D52BBB6B.asc' | gpg --import \
&& gpg --fingerprint --with-colons '<pgpsign-17.01@openwrt.org>' | grep '^fpr:::::::::B09BE781AE8A0CD4702FDCD3833C6010D52BBB6B:$' \
&& echo 'B09BE781AE8A0CD4702FDCD3833C6010D52BBB6B:6:' | gpg --import-ownertrust
# OpenWrt Release Builder (18.06 Signing Key)
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/17E1CE16.asc' | gpg --import \
&& gpg --fingerprint --with-colons '<openwrt-devel@lists.openwrt.org>' | grep '^fpr:::::::::6768C55E79B032D77A28DA5F0F20257417E1CE16:$' \
&& echo '6768C55E79B032D77A28DA5F0F20257417E1CE16:6:' | gpg --import-ownertrust
# OpenWrt Build System (PGP key for 18.06 release builds)
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/15807931.asc' | gpg --import \
&& gpg --fingerprint --with-colons '<pgpsign-18.06@openwrt.org>' | grep '^fpr:::::::::AD0507363D2BCE9C9E36CEC4FBCB78F015807931:$' \
&& echo 'AD0507363D2BCE9C9E36CEC4FBCB78F015807931:6:' | gpg --import-ownertrust
# OpenWrt Build System (PGP key for 19.07 release builds)
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/2074BE7A.asc' | gpg --import \
&& gpg --fingerprint --with-colons '<pgpsign-19.07@openwrt.org>' | grep '^fpr:::::::::D9C6901F45C9B86858687DFF28A39BC32074BE7A:$' \
&& echo 'D9C6901F45C9B86858687DFF28A39BC32074BE7A:6:' | gpg --import-ownertrust
# OpenWrt Build System (PGP key for 21.02 release builds)
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/88CA59E8.asc' | gpg --import \
&& gpg --fingerprint --with-colons '<pgpsign-21.02@openwrt.org>' | grep '^fpr:::::::::667205E379BAF348863A5C6688CA59E88F681580:$' \
&& echo '667205E379BAF348863A5C6688CA59E88F681580:6:' | gpg --import-ownertrust
# OpenWrt Build System (GnuPGP key for 22.03 release builds)
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/CD54E82DADB3684D.asc' | gpg --import \
&& gpg --fingerprint --with-colons '<pgpsign-22.03@openwrt.org>' | grep '^fpr:::::::::BF856781A01293C8409ABE72CD54E82DADB3684D:$' \
&& echo 'BF856781A01293C8409ABE72CD54E82DADB3684D:6:' | gpg --import-ownertrust
# untrusted comment: Public usign key for unattended snapshot builds
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/b5043e70f9a75cde' --create-dirs -o /home/build/usign/b5043e70f9a75cde \
&& echo 'd7ac10f9ed1b38033855f3d27c9327d558444fca804c685b17d9dcfb0648228f */home/build/usign/b5043e70f9a75cde' | sha256sum --check
# untrusted comment: Public usign key for 18.06 release builds
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/1035ac73cc4e59e3' --create-dirs -o /home/build/usign/1035ac73cc4e59e3 \
&& echo '8dc2e7f5c4e634437e6641f4df77a18bf59f0c8e9016c8ba4be5d4a0111e68c2 */home/build/usign/1035ac73cc4e59e3' | sha256sum --check
# untrusted comment: Public usign key for 19.07 release builds
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/f94b9dd6febac963' --create-dirs -o /home/build/usign/f94b9dd6febac963 \
&& echo 'b1d09457cfbc36fccfe18382d65c54a2ade3e7fd3902da490a53aa517b512755 */home/build/usign/f94b9dd6febac963' | sha256sum --check
# untrusted comment: Public usign key for 21.02 release builds
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/2f8b0b98e08306bf' --create-dirs -o /home/build/usign/2f8b0b98e08306bf \
&& echo 'd102bdd75421c62490b97f520f9db06aadb44ad408b244755d26e96ea5cd3b7f */home/build/usign/2f8b0b98e08306bf' | sha256sum --check
# untrusted comment: Public usign key for 22.03 release builds
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/4d017e6f1ed5d616' --create-dirs -o /home/build/usign/4d017e6f1ed5d616 \
&& echo 'f3c5fdf447d7c2743442e68077d60acc7c3e91754849e1f4b6be837b4204b7e2 */home/build/usign/4d017e6f1ed5d616' | sha256sum --check
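Review bot: deleting this Dockerfile also removes the pinned OpenWrt release signing material it carried, namely the gpg fingerprints checked after every `gpg --import` (e.g. `54CC74307A2C6DC9CE618269CD84BCED626471F1`) and the sha256sums pinned for the usign public keys stored under /home/build/usign, which the config.yml "Download the SDK" step relied on to verify the SDK's sha256sums signature. The commit message only states that the Signed-off-by test is covered by the DOC CI; please confirm the GitHub workflow performs an equivalent signature check on the SDK it downloads, or say in the message that this verification is intentionally dropped.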

@ -1,6 +0,0 @@
# Build/update the docker image
docker pull debian:10
docker build --rm -t docker.io/openwrtorg/packages-cci:latest .
docker tag <IMAGE ID> docker.io/openwrtorg/packages-cci:<VERSION-TAG>
docker push docker.io/openwrtorg/packages-cci
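Review bot: with these build instructions gone, nothing documents that the published `docker.io/openwrtorg/packages-cci` image is no longer maintained from this repository; the `:latest` and `<VERSION-TAG>` tags pushed by these commands remain on Docker Hub with whatever keys were baked into the last build (the Dockerfile history above stops at the 22.03 keys). Suggest a line in the commit message, or a deprecation note in the repository docs, so nobody keeps pinning that image for signature verification after its keys go stale.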

@ -1,182 +0,0 @@
version: 2.0
jobs:
build:
docker:
- image: docker.io/openwrtorg/packages-cci:v1.0.7
environment:
- SDK_HOST: "downloads.openwrt.org"
- SDK_PATH: "snapshots/targets/ath79/generic"
- SDK_FILE: "openwrt-sdk-ath79-generic_*.Linux-x86_64.tar.xz"
- BRANCH: "master"
steps:
- checkout:
path: ~/openwrt_packages
- run:
name: Check changes / verify commits
working_directory: ~/openwrt_packages
command: |
cat >> $BASH_ENV <<EOF
echo_red() { printf "\033[1;31m\$*\033[m\n"; }
echo_green() { printf "\033[1;32m\$*\033[m\n"; }
echo_blue() { printf "\033[1;34m\$*\033[m\n"; }
EOF
source $BASH_ENV
RET=0
for commit in $(git rev-list HEAD ^origin/$BRANCH); do
echo_blue "=== Checking commit '$commit'"
if git show --format='%P' -s $commit | grep -qF ' '; then
echo_red "Pull request should not include merge commits"
RET=1
fi
author="$(git show -s --format=%aN $commit)"
if echo $author | grep -q '\S\+\s\+\S\+'; then
echo_green "Author name ($author) seems ok"
else
echo_red "Author name ($author) need to be your real name 'firstname lastname'"
RET=1
fi
subject="$(git show -s --format=%s $commit)"
if echo "$subject" | grep -q -e '^[0-9A-Za-z,+/_-]\+: ' -e '^Revert '; then
echo_green "Commit subject line seems ok ($subject)"
else
echo_red "Commit subject line MUST start with '<package name>: ' ($subject)"
RET=1
fi
body="$(git show -s --format=%b $commit)"
sob="$(git show -s --format='Signed-off-by: %aN <%aE>' $commit)"
if echo "$body" | grep -qF "$sob"; then
echo_green "Signed-off-by match author"
else
echo_red "Signed-off-by is missing or doesn't match author (should be '$sob')"
RET=1
fi
done
exit $RET
- run:
name: Download the SDK
working_directory: ~/sdk
command: |
curl "https://$SDK_HOST/$SDK_PATH/sha256sums" -sS -o sha256sums
curl "https://$SDK_HOST/$SDK_PATH/sha256sums.asc" -fs -o sha256sums.asc || true
curl "https://$SDK_HOST/$SDK_PATH/sha256sums.sig" -fs -o sha256sums.sig || true
if [ ! -f sha256sums.asc ] && [ ! -f sha256sums.sig ]; then
echo_red "Missing sha256sums signature files"
exit 1
fi
[ ! -f sha256sums.asc ] || gpg --with-fingerprint --verify sha256sums.asc sha256sums
if [ -f sha256sums.sig ]; then
VERIFIED=
for KEY in ~/usign/*; do
echo "Trying $KEY..."
if signify-openbsd -V -q -p "$KEY" -x sha256sums.sig -m sha256sums; then
echo "...verified"
VERIFIED=1
break
fi
done
if [ -z "$VERIFIED" ]; then
echo_red "Could not verify usign signature"
exit 1
fi
fi
rsync -av "$SDK_HOST::downloads/$SDK_PATH/$SDK_FILE" .
sha256sum -c --ignore-missing sha256sums
- run:
name: Prepare build_dir
working_directory: ~/build_dir
command: |
tar Jxf ~/sdk/$SDK_FILE --strip=1
touch .config
make prepare-tmpinfo scripts/config/conf
./scripts/config/conf --defconfig=.config Config.in
make prereq
rm .config
cat > feeds.conf <<EOF
src-git base https://github.com/openwrt/openwrt.git;$BRANCH
src-link packages $HOME/openwrt_packages
src-git luci https://github.com/openwrt/luci.git;$BRANCH
EOF
cat feeds.conf
./scripts/feeds update -a > /dev/null
make defconfig > /dev/null
# enable BUILD_LOG
sed -i 's/# CONFIG_BUILD_LOG is not set/CONFIG_BUILD_LOG=y/' .config
- run:
name: Install & download source, check package, compile
working_directory: ~/build_dir
command: |
set +o pipefail
PKGS=$(cd ~/openwrt_packages; git diff --diff-filter=d --name-only "origin/$BRANCH..." | grep 'Makefile$' | grep -Ev '/files/|/src/' | awk -F/ '{ print $(NF-1) }')
if [ -z "$PKGS" ] ; then
echo_blue "WARNING: No new or modified packages found!"
exit 0
fi
echo_blue "=== Found new/modified packages: $PKGS"
for PKG in $PKGS ; do
echo_blue "===+ Install: $PKG"
./scripts/feeds install "$PKG"
echo_blue "===+ Download: $PKG"
make "package/$PKG/download" V=s
echo_blue "===+ Check package: $PKG"
make "package/$PKG/check" V=s 2>&1 | tee logtmp
RET=${PIPESTATUS[0]}
if [ $RET -ne 0 ]; then
echo_red "=> Package check failed: $RET)"
exit $RET
fi
badhash_msg="HASH does not match "
badhash_msg+="|HASH uses deprecated hash,"
badhash_msg+="|HASH is missing,"
if grep -qE "$badhash_msg" logtmp; then
echo_red "=> Package HASH check failed"
exit 1
fi
echo_green "=> Package check OK"
done
make \
-f .config \
-f tmp/.packagedeps \
-f <(echo '$(info $(sort $(package-y) $(package-m)))'; echo -en 'a:\n\t@:') \
| tr ' ' '\n' >enabled-package-subdirs.txt
for PKG in $PKGS ; do
if ! grep -m1 -qE "(^|/)$PKG$" enabled-package-subdirs.txt; then
echo_red "===+ Building: $PKG skipped. It cannot be enabled with $SDK_FILE"
continue
fi
echo_blue "===+ Building: $PKG"
make "package/$PKG/compile" -j3 V=s || {
RET=$?
echo_red "===+ Building: $PKG failed, rebuilding with -j1 for human readable error log"
make "package/$PKG/compile" -j1 V=s; exit $RET
}
done
- store_artifacts:
path: ~/build_dir/logs
- store_artifacts:
path: ~/build_dir/bin
workflows:
version: 2
buildpr:
jobs:
- build:
filters:
branches:
ignore: master
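Review bot: this deleted job did more than the Signed-off-by check the commit message says is covered elsewhere: it rejected merge commits and subjects not starting with `<package name>: `, and in the 'Download the SDK' step it refused to continue unless sha256sums carried a gpg or usign signature that verified (the `exit 1` branches) before `sha256sum -c --ignore-missing`. The commit message should state which of these the GitHub workflows still perform, or a follow-up should be filed for the ones they do not.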

View File

@ -1,8 +1,8 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=syslog-ng
PKG_VERSION:=4.6.0
PKG_RELEASE:=2
PKG_VERSION:=4.7.1
PKG_RELEASE:=1
PKG_MAINTAINER:=Josef Schlehofer <pepe.schlehofer@gmail.com>
PKG_LICENSE:=LGPL-2.1-or-later GPL-2.0-or-later
@ -11,7 +11,7 @@ PKG_CPE_ID:=cpe:/a:balabit:syslog-ng
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/syslog-ng/syslog-ng/releases/download/$(PKG_NAME)-$(PKG_VERSION)/
PKG_HASH:=b69e3360dfb96a754a4e1cbead4daef37128b1152a23572356db4ab64a475d4f
PKG_HASH:=5477189a2d12325aa4faebfcf59f5bdd9084234732f0c3ec16dd253847dacf1c
PKG_BUILD_PARALLEL:=1
PKG_INSTALL:=1

View File

@ -1,7 +1,7 @@
# Collect all local logs into a single file /var/log/messages.
# See https://www.syslog-ng.com/technical-documents/list/syslog-ng-open-source-edition
@version: 4.6
@version: 4.7
@include "scl.conf"
options {

View File

@ -9,14 +9,13 @@ include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=mtd-rw
PKG_RELEASE:=2
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_MIRROR_HASH:=c44db17c3e05079116a1704f277642c9ce6f5ca4fa380c60f7e6d44509dc16be
PKG_SOURCE_URL:=https://github.com/jclehner/mtd-rw.git
PKG_SOURCE_PROTO:=git
PKG_SOURCE_SUBDIR=$(PKG_NAME)-$(PKG_VERSION)
PKG_SOURCE_VERSION:=7e8562067d6a366c8cbaa8084396c33b7e12986b
PKG_SOURCE_URL:=https://github.com/jclehner/mtd-rw
PKG_SOURCE_DATE:=2021-02-28
PKG_SOURCE_VERSION:=e87767395a6d27380196702f5f7bf98e92774f3f
PKG_MIRROR_HASH:=984218d7a8e1252419c45ef313f23fb6e5edfa83088f68a4a356b795444ab381
PKG_MAINTAINER:=Joseph C. Lehner <joseph.c.lehner@gmail.com>
PKG_LICENSE=GPL-2.0
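Review bot: `PKG_SOURCE_SUBDIR=` and `PKG_LICENSE=` use plain `=` while every other assignment in the hunk uses `:=`; since the hunk is being rewritten anyway, make them consistent. Resetting PKG_RELEASE from 2 to 1 is only correct if PKG_VERSION (outside this hunk) changed together with the new PKG_SOURCE_VERSION and PKG_SOURCE_DATE.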

View File

@ -1,24 +0,0 @@
--- a/mtd-rw.c
+++ b/mtd-rw.c
@@ -54,7 +54,11 @@ MODULE_PARM_DESC(i_want_a_brick, "Make a
static int set_writeable(unsigned n, bool w)
{
+#ifndef CONFIG_MTD
+ struct mtd_info *mtd = -ENOSYS;
+#else
struct mtd_info *mtd = get_mtd_device(NULL, n);
+#endif
int err;
if (IS_ERR(mtd)) {
@@ -76,7 +80,9 @@ static int set_writeable(unsigned n, boo
err = 0;
}
+#ifdef CONFIG_MTD
put_mtd_device(mtd);
+#endif
return err;
}
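Review bot: dropping this patch is fine provided the new upstream revision e87767395a6d27380196702f5f7bf98e92774f3f handles the !CONFIG_MTD case itself, which the commit message should say. The removed version should not be reintroduced as-is in any case: `struct mtd_info *mtd = -ENOSYS;` assigns an int to a pointer, which newer compilers reject, and the kernel idiom for feeding `IS_ERR()` is `ERR_PTR(-ENOSYS)`.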

View File

@ -1,12 +1,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=lua-eco
PKG_VERSION:=3.3.0
PKG_VERSION:=3.4.1
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL=https://github.com/zhaojh329/lua-eco/releases/download/v$(PKG_VERSION)
PKG_HASH:=597c3edbb20c35f638b26b4fa7a02638c48f96f0330758a7ac1c44079b2170a3
PKG_HASH:=6b28cf832d7427dd5106750814de65b2d9796669e6efacdfa14277c85fcb3b01
PKG_MAINTAINER:=Jianhui Zhao <zhaojh329@gmail.com>
PKG_LICENSE:=MIT

View File

@ -11,9 +11,10 @@ PKG_NAME:=luaexpat
PKG_VERSION:=1.5.1
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/lunarmodules/luaexpat/archive/refs/tags
PKG_HASH:=7d455f154de59eb0b073c3620bc8b873f7f697b3f21a112e6ff8dc9fca6d0826
PKG_SOURCE_PROTO:=git
PKG_SOURCE_VERSION:=$(PKG_VERSION)
PKG_SOURCE_URL:=https://github.com/lunarmodules/luaexpat
PKG_MIRROR_HASH:=7e370d47e947a1acfeb4d00df012f47116fe7971f5b12033e92666e37a9312a1
PKG_CPE_ID:=cpe:/a:matthewwild:luaexpat
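Review bot: switching from a release tarball with PKG_HASH to PKG_SOURCE_PROTO:=git pins the source to the tag `$(PKG_VERSION)` rather than to a commit; tags are mutable, and PKG_MIRROR_HASH only covers the tarball served by the OpenWrt mirror, so a build that fetches from GitHub directly has no integrity check. Pin PKG_SOURCE_VERSION to the commit hash the tag points to, as the mtd-rw Makefile in this same change does.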

View File

@ -11,9 +11,10 @@ PKG_NAME:=luasocket
PKG_VERSION:=3.1.0
PKG_RELEASE:=1
PKG_SOURCE:=v$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/lunarmodules/luasocket/archive/refs/tags
PKG_HASH:=bf033aeb9e62bcaa8d007df68c119c966418e8c9ef7e4f2d7e96bddeca9cca6e
PKG_SOURCE_PROTO:=git
PKG_SOURCE_VERSION:=v$(PKG_VERSION)
PKG_SOURCE_URL:=https://github.com/lunarmodules/luasocket
PKG_MIRROR_HASH:=1ee81f1f5a63d0d14c8c8571e8940604cbf1443c3b18ee7d3d1bac6791f853fc
PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org>
PKG_LICENSE:=MIT
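Review bot: `PKG_SOURCE_VERSION:=v$(PKG_VERSION)` pins a git tag, not a commit, so only the mirror tarball (PKG_MIRROR_HASH) is integrity-checked while a direct git fetch is not; prefer the commit hash behind the tag, or keep the release tarball with PKG_HASH if the tarball route is acceptable.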

View File

@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=node
PKG_VERSION:=v20.12.1
PKG_VERSION:=v20.12.2
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://nodejs.org/dist/$(PKG_VERSION)
PKG_HASH:=b9bef0314e12773ef004368ee56a2db509a948d4170b9efb07441bac1f1407a0
PKG_HASH:=bc57ee721a12cc8be55bb90b4a9a2f598aed5581d5199ec3bd171a4781bfecda
PKG_MAINTAINER:=Hirokazu MORIKAWA <morikw2@gmail.com>, Adrian Panella <ianchi74@outlook.com>
PKG_LICENSE:=MIT

View File

@ -11,7 +11,7 @@ include perlver.mk
PKG_NAME:=perl
PKG_VERSION:=$(PERL_VERSION)
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE_URL:=https://www.cpan.org/src/5.0
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz

View File

@ -0,0 +1,114 @@
From 002d6666a3ed5bc9c360c1f91116ebbf0c5ef57c Mon Sep 17 00:00:00 2001
From: Georgi Valkov <gvalkov@gmail.com>
Date: Sat, 20 Apr 2024 16:18:37 +0300
Subject: [PATCH] revert 88efce38149481334db7ddb932f9b74eaaa9765b
Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
---
Makefile.SH | 35 ++---------------------------------
installperl | 25 -------------------------
2 files changed, 2 insertions(+), 58 deletions(-)
--- a/Makefile.SH
+++ b/Makefile.SH
@@ -61,16 +61,8 @@ true)
-compatibility_version \
${api_revision}.${api_version}.${api_subversion} \
-current_version \
- ${revision}.${patchlevel}.${subversion}"
- case "$osvers" in
- 1[5-9]*|[2-9]*)
- shrpldflags="$shrpldflags -install_name `pwd`/\$@ -Xlinker -headerpad_max_install_names"
- exeldflags="-Xlinker -headerpad_max_install_names"
- ;;
- *)
- shrpldflags="$shrpldflags -install_name \$(shrpdir)/\$@"
- ;;
- esac
+ ${revision}.${patchlevel}.${subversion} \
+ -install_name \$(shrpdir)/\$@"
;;
cygwin*)
shrpldflags="$shrpldflags -Wl,--out-implib=libperl.dll.a"
@@ -353,14 +345,6 @@ MANIFEST_SRT = MANIFEST.srt
!GROK!THIS!
-case "$useshrplib$osname" in
-truedarwin)
- $spitshell >>$Makefile <<!GROK!THIS!
-PERL_EXE_LDFLAGS=$exeldflags
-!GROK!THIS!
- ;;
-esac
-
$spitshell >>$Makefile <<!GROK!THIS!
# Macros to invoke a copy of our fully operational perl during the build.
PERL_EXE = perl\$(EXE_EXT)
@@ -1040,20 +1024,6 @@ $(PERL_EXE): $& $(perlmain_dep) $(LIBPER
$(SHRPENV) $(CC) -o perl $(CLDFLAGS) $(CCDLFLAGS) $(perlmain_objs) $(LLIBPERL) $(static_ext) `cat ext.libs` $(libs)
!NO!SUBS!
;;
-
- darwin)
- case "$useshrplib$osvers" in
- true1[5-9]*|true[2-9]*) $spitshell >>$Makefile <<'!NO!SUBS!'
- $(SHRPENV) $(CC) -o perl $(PERL_EXE_LDFLAGS) $(CLDFLAGS) $(CCDLFLAGS) $(perlmain_objs) $(static_ext) $(LLIBPERL) `cat ext.libs` $(libs)
-!NO!SUBS!
- ;;
- *) $spitshell >>$Makefile <<'!NO!SUBS!'
- $(SHRPENV) $(CC) -o perl $(CLDFLAGS) $(CCDLFLAGS) $(perlmain_objs) $(static_ext) $(LLIBPERL) `cat ext.libs` $(libs)
-!NO!SUBS!
- ;;
- esac
- ;;
-
*) $spitshell >>$Makefile <<'!NO!SUBS!'
$(SHRPENV) $(CC) -o perl $(CLDFLAGS) $(CCDLFLAGS) $(perlmain_objs) $(static_ext) $(LLIBPERL) `cat ext.libs` $(libs)
!NO!SUBS!
--- a/installperl
+++ b/installperl
@@ -282,7 +282,6 @@ else {
safe_unlink("$installbin/$perl_verbase$ver$exe_ext");
copy("perl$exe_ext", "$installbin/$perl_verbase$ver$exe_ext");
strip("$installbin/$perl_verbase$ver$exe_ext");
- fix_dep_names("$installbin/$perl_verbase$ver$exe_ext");
chmod(0755, "$installbin/$perl_verbase$ver$exe_ext");
`chtag -r "$installbin/$perl_verbase$ver$exe_ext"` if ($^O eq 'os390');
}
@@ -350,7 +349,6 @@ foreach my $file (@corefiles) {
if (copy_if_diff($file,"$installarchlib/CORE/$file")) {
if ($file =~ /\.(\Q$so\E|\Q$dlext\E)$/) {
strip("-S", "$installarchlib/CORE/$file") if $^O eq 'darwin';
- fix_dep_names("$installarchlib/CORE/$file");
chmod($SO_MODE, "$installarchlib/CORE/$file");
} else {
chmod($NON_SO_MODE, "$installarchlib/CORE/$file");
@@ -749,27 +747,4 @@ sub strip
}
}
-sub fix_dep_names {
- my $file = shift;
-
- $^O eq "darwin" && $Config{osvers} =~ /^(1[5-9]|[2-9])/
- && $Config{useshrplib}
- or return;
-
- my @opts;
- my $so = $Config{so};
- my $libperl = "$Config{archlibexp}/CORE/libperl.$Config{so}";
- if ($file =~ /\blibperl.\Q$Config{so}\E$/a) {
- push @opts, -id => $libperl;
- }
- else {
- push @opts, -change => getcwd . "/libperl.$so", $libperl;
- }
- push @opts, $file;
-
- $opts{verbose} and print " install_name_tool @opts\n";
- system "install_name_tool", @opts
- and die "Cannot update $file dependency paths\n";
-}
-
# ex: set ts=8 sts=4 sw=4 et:
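Review bot: the patch header says nothing beyond `revert 88efce38149481334db7ddb932f9b74eaaa9765b`; since the revert removes the darwin `install_name_tool` post-processing (`fix_dep_names`) and the `-headerpad_max_install_names` link flags, a sentence on how that upstream change breaks the OpenWrt build (host build on macOS, cross build, or both) would let the next maintainer judge when the patch can be dropped.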

View File

@ -6,7 +6,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=php
PKG_VERSION:=8.3.4
PKG_VERSION:=8.3.6
PKG_RELEASE:=1
PKG_MAINTAINER:=Michael Heimpold <mhei@heimpold.de>
@ -16,7 +16,7 @@ PKG_CPE_ID:=cpe:/a:php:php
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://www.php.net/distributions/
PKG_HASH:=39a337036a546e5c28aea76cf424ac172db5156bd8a8fd85252e389409a5ba63
PKG_HASH:=53c8386b2123af97626d3438b3e4058e0c5914cb74b048a6676c57ac647f5eae
PKG_BUILD_PARALLEL:=1
PKG_BUILD_FLAGS:=no-mips16

View File

@ -8,11 +8,11 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=django-restframework
PKG_VERSION:=3.14.0
PKG_VERSION:=3.15.1
PKG_RELEASE:=1
PYPI_NAME:=djangorestframework
PKG_HASH:=579a333e6256b09489cbe0a067e66abe55c6595d8926be6b99423786334350c8
PKG_HASH:=f88fad74183dfc7144b2756d0d2ac716ea5b4c7c9840995ac3bfd8ec034333c1
PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>
PKG_LICENSE:=BSD-3-Clause

View File

@ -8,11 +8,11 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=django
PKG_VERSION:=5.0.3
PKG_VERSION:=5.0.4
PKG_RELEASE:=1
PYPI_NAME:=Django
PKG_HASH:=5fb37580dcf4a262f9258c1f4373819aacca906431f505e4688e37f3a99195df
PKG_HASH:=4bd01a8c830bb77a8a3b0e7d8b25b887e536ad17a81ba2dce5476135c73312bd
PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>, Peter Stadler <peter.stadler@student.uibk.ac.at>
PKG_LICENSE:=BSD-3-Clause

View File

@ -8,11 +8,11 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=python-cython
PKG_VERSION:=3.0.7
PKG_VERSION:=3.0.10
PKG_RELEASE:=1
PYPI_NAME:=Cython
PKG_HASH:=fb299acf3a578573c190c858d49e0cf9d75f4bc49c3f24c5a63804997ef09213
PKG_HASH:=dcc96739331fb854dcf503f94607576cfe8488066c61ca50dfd55836f132de99
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE.txt

View File

@ -15,10 +15,13 @@ PKG_MAINTAINER:=Michal Vasilek <michal.vasilek@nic.cz>
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE.rst
PKG_CPE_ID:=cpe:/a:pocoo:jinja2
HOST_BUILD_DEPENDS:= python-markupsafe/host
include ../pypi.mk
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/host-build.mk
include ../python3-package.mk
include ../python3-host-build.mk
define Package/python3-jinja2
SECTION:=lang
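Review bot: `HOST_BUILD_DEPENDS:= python-markupsafe/host` has a stray space after `:=`; the python-yaml Makefile in this same change writes `HOST_BUILD_DEPENDS:=python-cython/host` without it, so drop the space for consistency.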
@ -43,3 +46,4 @@ endef
$(eval $(call Py3Package,python3-jinja2))
$(eval $(call BuildPackage,python3-jinja2))
$(eval $(call BuildPackage,python3-jinja2-src))
$(eval $(call HostBuild))

View File

@ -8,17 +8,19 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=python-lxml
PKG_VERSION:=5.1.0
PKG_VERSION:=5.2.1
PKG_RELEASE:=1
PYPI_NAME:=lxml
PKG_HASH:=3eea6ed6e6c918e468e693c41ef07f3c3acc310b70ddd9cc72d9ef84bc9564ca
PKG_HASH:=3f7765e69bbce0906a7c74d5fe46d2c7a7596147318dbc08e4a2431f3060e306
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSES.txt
PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>
PKG_CPE_ID:=cpe:/a:lxml:lxml
PKG_BUILD_DEPENDS:=python-cython/host
include ../pypi.mk
include $(INCLUDE_DIR)/package.mk
include ../python3-package.mk

View File

@ -20,10 +20,13 @@ PKG_LICENSE_FILES:=LICENSE
PKG_CPE_ID:=cpe:/a:pyyaml:pyyaml
PKG_BUILD_DEPENDS:=python-cython/host
HOST_BUILD_DEPENDS:=python-cython/host
include ../pypi.mk
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/host-build.mk
include ../python3-package.mk
include ../python3-host-build.mk
define Package/python3-yaml
SECTION:=lang
@ -43,3 +46,4 @@ PYTHON3_PKG_BUILD_VARS:=PYYAML_FORCE_LIBYAML=1
$(eval $(call Py3Package,python3-yaml))
$(eval $(call BuildPackage,python3-yaml))
$(eval $(call BuildPackage,python3-yaml-src))
$(eval $(call HostBuild))

View File

@ -3,21 +3,20 @@ include $(INCLUDE_DIR)/openssl-module.mk
PKG_NAME:=gost_engine
PKG_VERSION:=3.0.3
PKG_HASH:=8cf888333d08b8bbcc12e4e8c0d8b258c74dbd67941286ffbcc648c6d3d66735
PKG_LICENSE:=Apache-2.0
PKG_RELEASE:=9
PKG_RELEASE:=10
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/gost-engine/engine/archive/v$(PKG_VERSION)
PKG_SOURCE_PROTO:=git
PKG_SOURCE_VERSION:=v$(PKG_VERSION)
PKG_SOURCE_URL:=https://github.com/gost-engine/engine
PKG_MIRROR_HASH:=ad88b0bc4ede265bc91757f0bb9777a381f8e271faa43992a054ddd5f435ad88
PKG_MAINTAINER:=Artur Petrov <github@phpchain.ru>
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/cmake.mk
PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)"
PKG_INSTALL:=
define Package/gost_engine/Default
$(call Package/openssl/engine/Default)
TITLE:=GOST engine for OpenSSL
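Review bot: `PKG_SOURCE_VERSION:=v$(PKG_VERSION)` pins a mutable tag rather than a commit, so a direct git fetch is not covered by PKG_MIRROR_HASH; pin the commit hash. Removing the explicit `PKG_INSTALL:=` and the custom PKG_UNPACK is consistent with the install recipes below now reading from $(PKG_INSTALL_DIR), but that relies on the cmake include enabling PKG_INSTALL, so a test build should confirm that libgost.so and gost.so actually land under $(PKG_INSTALL_DIR)/usr/lib.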
@ -49,7 +48,7 @@ define Package/gost_engine-util
$(call Package/gost_engine/Default)
SECTION:=utils
CATEGORY:=Utilities
DEPENDS:=libopenssl-gost_engine
DEPENDS:=+libopenssl-gost_engine
TITLE+= (utilities)
endef
@ -61,15 +60,17 @@ endef
CMAKE_OPTIONS += -DOPENSSL_ENGINES_DIR=/usr/lib/$(ENGINES_DIR)
define Package/libopenssl-gost_engine/install
$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) $(1)/etc/ssl/engines.cnf.d
$(INSTALL_DATA) $(PKG_BUILD_DIR)/bin/gost.so \
$(INSTALL_DIR) $(1)/usr/lib $(1)/usr/lib/$(ENGINES_DIR) $(1)/etc/ssl/engines.cnf.d
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libgost.so \
$(1)/usr/lib/
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/gost.so \
$(1)/usr/lib/$(ENGINES_DIR)/
$(INSTALL_DATA) ./files/gost.cnf $(1)/etc/ssl/engines.cnf.d/
endef
define Package/gost_engine-util/install
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/bin/{gost12sum,gostsum} \
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/{gost12sum,gostsum} \
$(1)/usr/bin/
endef

View File

@ -26,7 +26,7 @@ define Package/gperftools-headers
SECTION:=libs
TITLE:=Gperftools Headers
URL:=https://github.com/gperftools/gperftools
DEPENDS:= @!mips @!mipsel @!powerpc
DEPENDS:= @!(mips||mips64||mipsel||powerpc)
endef
define Package/gperftools-runtime
@ -34,7 +34,7 @@ define Package/gperftools-runtime
CATEGORY:=Libraries
TITLE:=Gperftools Runtime
URL:=https://github.com/gperftools/gperftools
DEPENDS:= +libunwind +libstdcpp @!mips @!mipsel @!powerpc
DEPENDS:= +libunwind +libstdcpp @!(mips||mips64||mipsel||powerpc)
endef
define Package/gperftools-headers/description

View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=ibrcommon
PKG_VERSION:=1.0.1
PKG_RELEASE:=9
PKG_RELEASE:=10
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.ibr.cs.tu-bs.de/projects/ibr-dtn/releases

View File

@ -1,21 +1,33 @@
--- a/ibrcommon/data/File.cpp
+++ b/ibrcommon/data/File.cpp
@@ -35,9 +35,7 @@
@@ -35,10 +35,6 @@
#include <cerrno>
#include <fstream>
-#if !defined(HAVE_FEATURES_H) || defined(ANDROID)
#include <libgen.h>
-#include <libgen.h>
-#endif
-
#ifdef __WIN32__
#include <io.h>
@@ -226,7 +224,7 @@ namespace ibrcommon
#define FILE_DELIMITER_CHAR '\\'
@@ -225,14 +221,11 @@ namespace ibrcommon
std::string File::getBasename() const
{
#if !defined(ANDROID) && defined(HAVE_FEATURES_H)
-#if !defined(ANDROID) && defined(HAVE_FEATURES_H)
- return std::string(basename(_path.c_str()));
+ return std::string(basename((char *)_path.c_str()));
#else
char path[_path.length()+1];
::memcpy(&path, _path.c_str(), _path.length()+1);
-#else
- char path[_path.length()+1];
- ::memcpy(&path, _path.c_str(), _path.length()+1);
-
- return std::string(basename(path));
-#endif
+ size_t found = _path.find_last_of('/');
+ if (found != std::string::npos)
+ return _path.substr(found + 1);
+ else
+ return _path;
}
File File::get(const std::string &filename) const
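Review bot: the rewritten getBasename() loses two basename(3) behaviours visible from the context: a path with a trailing slash (`/a/b/`) now returns an empty string where basename returns `b`, and only '/' is searched although this file defines FILE_DELIMITER_CHAR '\\' for __WIN32__ (context above the second inner hunk). If those cases matter, strip trailing delimiters before find_last_of and search for FILE_DELIMITER_CHAR; otherwise a comment marking the simplification as intentional would help. Replacing the basename() call itself, rather than casting away const on `_path.c_str()`, is the right fix for musl.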

View File

@ -8,11 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=libmbim
PKG_SOURCE_VERSION:=1.30.0
PKG_RELEASE:=1
PKG_VERSION:=1.30.0
PKG_RELEASE:=2
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/libmbim.git
PKG_SOURCE_VERSION:=$(PKG_VERSION)
PKG_MIRROR_HASH:=792c2310290ac3a2ee690e25eda7c79c1e982aa41b3bff2be7454f3505a09827
PKG_BUILD_FLAGS:=gc-sections

View File

@ -0,0 +1,40 @@
From 47c3850cddd63cebd9dc48e411963314449118f1 Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Sun, 31 Dec 2023 19:16:35 -0800
Subject: [PATCH] mraa: Use posix basename
Musl has removed the declaration from string.h [1] which exposes the
problem especially with clang-17+ compiler where implicit function
declaration is flagged as error. Use posix basename and make a copy of
string to operate on to emulate GNU basename behaviour.
[1] https://git.musl-libc.org/cgit/musl/commit/?id=725e17ed6dff4d0cd22487bb64470881e86a92e7
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
src/mraa.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/src/mraa.c
+++ b/src/mraa.c
@@ -12,6 +12,7 @@
#endif
#include <dlfcn.h>
+#include <libgen.h>
#include <pwd.h>
#include <sched.h>
#include <stddef.h>
@@ -338,9 +339,11 @@ static int
mraa_count_iio_devices(const char* path, const struct stat* sb, int flag, struct FTW* ftwb)
{
// we are only interested in files with specific names
- if (fnmatch(IIO_DEVICE_WILDCARD, basename(path), 0) == 0) {
+ char* tmp = strdup(path);
+ if (fnmatch(IIO_DEVICE_WILDCARD, basename(tmp), 0) == 0) {
num_iio_devices++;
}
+ free(tmp);
return 0;
}
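Review bot: `strdup(path)` can return NULL and the result goes straight into basename(tmp); add a NULL check before the fnmatch() call (treat it as "not a match" and return 0, or propagate an error). Only <libgen.h> is added here, so also confirm mraa.c already includes <stdlib.h> and <string.h> for strdup()/free().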

View File

@ -8,11 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=libqmi
PKG_SOURCE_VERSION:=1.34.0
PKG_RELEASE:=1
PKG_VERSION:=1.34.0
PKG_RELEASE:=2
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/libqmi.git
PKG_SOURCE_VERSION:=$(PKG_VERSION)
PKG_MIRROR_HASH:=05211a43de53b7bf967fe29ca62dbe8332f42748dbfc8d32880cda765d00020c
PKG_BUILD_FLAGS:=gc-sections

View File

@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=libssh
PKG_VERSION:=0.10.4
PKG_RELEASE:=2
PKG_VERSION:=0.10.6
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://www.libssh.org/files/0.10/
PKG_HASH:=07392c54ab61476288d1c1f0a7c557b50211797ad00c34c3af2bbc4dbc4bd97d
PKG_HASH:=1861d498f5b6f1741b6abc73e608478491edcf9c9d4b6630eef6e74596de9dc1
PKG_MAINTAINER:=Mislav Novakovic <mislav.novakovic@sartura.hr>
PKG_LICENSE:=LGPL-2.1-or-later BSD-2-Clause

View File

@ -0,0 +1,53 @@
--- a/cmake/Modules/FindMbedTLS.cmake
+++ b/cmake/Modules/FindMbedTLS.cmake
@@ -34,7 +34,7 @@ set(_MBEDTLS_ROOT_HINTS_AND_PATHS
find_path(MBEDTLS_INCLUDE_DIR
NAMES
- mbedtls/config.h
+ mbedtls/version.h
HINTS
${_MBEDTLS_ROOT_HINTS_AND_PATHS}
PATH_SUFFIXES
@@ -72,7 +72,13 @@ find_library(MBEDTLS_X509_LIBRARY
set(MBEDTLS_LIBRARIES ${MBEDTLS_SSL_LIBRARY} ${MBEDTLS_CRYPTO_LIBRARY}
${MBEDTLS_X509_LIBRARY})
-if (MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h")
+if (MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h")
+ file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h" _mbedtls_version_str REGEX
+ "^#[\t ]*define[\t ]+MBEDTLS_VERSION_STRING[\t ]+\"[0-9]+.[0-9]+.[0-9]+\"")
+
+ string(REGEX REPLACE "^.*MBEDTLS_VERSION_STRING.*([0-9]+.[0-9]+.[0-9]+).*"
+ "\\1" MBEDTLS_VERSION "${_mbedtls_version_str}")
+elseif (MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h")
file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h" _mbedtls_version_str REGEX
"^#[\t ]*define[\t ]+MBEDTLS_VERSION_STRING[\t ]+\"[0-9]+.[0-9]+.[0-9]+\"")
@@ -93,7 +99,7 @@ if (MBEDTLS_VERSION)
in the system variable MBEDTLS_ROOT_DIR"
)
else (MBEDTLS_VERSION)
- find_package_handle_standard_args(MBedTLS
+ find_package_handle_standard_args(MbedTLS
"Could NOT find mbedTLS, try to set the path to mbedLS root folder in
the system variable MBEDTLS_ROOT_DIR"
MBEDTLS_INCLUDE_DIR
--- a/src/libmbedcrypto.c
+++ b/src/libmbedcrypto.c
@@ -118,8 +118,14 @@ int hmac_update(HMACCTX c, const void *d
int hmac_final(HMACCTX c, unsigned char *hashmacbuf, size_t *len)
{
+ const mbedtls_md_info_t *md_info;
int rc;
- *len = (unsigned int)mbedtls_md_get_size(c->md_info);
+#if MBEDTLS_VERSION_MAJOR >= 3
+ md_info = mbedtls_md_info_from_ctx(c);
+#else
+ md_info = c->md_info;
+#endif
+ *len = (unsigned int)mbedtls_md_get_size(md_info);
rc = !mbedtls_md_hmac_finish(c, hashmacbuf);
mbedtls_md_free(c);
SAFE_FREE(c);
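Review bot: unlike the perl and mraa patches in this set, this one carries no header (origin, upstream commit, author), so record where the mbedtls 3 compatibility change comes from so it can be dropped once libssh ships it. In hmac_final(), the `MBEDTLS_VERSION_MAJOR >= 3` guard assumes mbedtls_md_info_from_ctx() exists in every 3.x release; if the minimum 3.x this feed builds against predates that function, gate on MBEDTLS_VERSION_NUMBER instead.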

View File

@ -1,12 +1,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=libwebp
PKG_VERSION:=1.3.2
PKG_VERSION:=1.4.0
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://storage.googleapis.com/downloads.webmproject.org/releases/webp
PKG_HASH:=2a499607df669e40258e53d0ade8035ba4ec0175244869d1025d460562aa09b4
PKG_HASH:=61f873ec69e3be1b99535634340d5bde750b2e4447caa1db9f61be3fd49ab1e5
PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>
PKG_LICENSE:=BSD-3-Clause

View File

@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=nghttp3
PKG_VERSION:=1.2.0
PKG_RELEASE:=r1
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://github.com/ngtcp2/$(PKG_NAME)/releases/download/v$(PKG_VERSION)/

View File

@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=ngtcp2
PKG_VERSION:=1.4.0
PKG_RELEASE:=r1
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://github.com/ngtcp2/$(PKG_NAME)/releases/download/v$(PKG_VERSION)/

View File

@ -6,7 +6,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=imagemagick
PKG_VERSION:=7.1.1.30
PKG_VERSION:=7.1.1.31
PKG_RELEASE:=1
PKG_MAINTAINER:=Aleksey Vasilenko <aleksey.vasilenko@gmail.com>
@ -15,7 +15,7 @@ _PKGREV:=$(_PKGVER)-$(subst .,,$(suffix $(PKG_VERSION)))
PKG_SOURCE:=ImageMagick-$(_PKGREV).tar.xz
PKG_SOURCE_URL:=https://imagemagick.org/archive
PKG_HASH:=ec192780d09da7d7b1e7a374a19f97d69cceb4e5e83057515cd595eda233a891
PKG_HASH:=7e5c8db53dd90a0cfc5cc7ca6d34728ed86054b4bc86e9787902285fec1107a8
PKG_BUILD_DIR:=$(BUILD_DIR)/ImageMagick-$(_PKGREV)
PKG_FIXUP:=autoreconf

View File

@ -1,14 +1,14 @@
# Copyright 2023 MOSSDeF, Stan Grishin (stangri@melmac.ca)
# TLD optimization written by Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# Copyright 2023-2024 MOSSDeF, Stan Grishin (stangri@melmac.ca).
# TLD optimization written by Dirk Brenken (dev@brenken.org).
# This is free software, licensed under AGPL-3.0-or-later.
include $(TOPDIR)/rules.mk
PKG_NAME:=adblock-fast
PKG_VERSION:=1.1.1
PKG_RELEASE:=r8
PKG_RELEASE:=11
PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
PKG_LICENSE:=GPL-3.0-or-later
PKG_LICENSE:=AGPL-3.0-or-later
include $(INCLUDE_DIR)/package.mk
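Review bot: the switch from GPL-3.0-or-later to AGPL-3.0-or-later is a substantive change bundled into a PR described as unbound bugfixes; it should be called out in the commit message, and ideally be its own commit, since downstream consumers track PKG_LICENSE.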

View File

@ -52,7 +52,7 @@ readonly smartdnsNftsetFilter=';'
readonly unboundFile="/var/lib/unbound/adb_list.${packageName}"
readonly unboundCache="/var/run/${packageName}/unbound.cache"
readonly unboundGzip="${packageName}.unbound.gz"
readonly unboundFilter='s|^|local-zone: "|;s|$|" static|'
readonly unboundFilter='s|^|local-zone: "|;s|$|." always_nxdomain|'
readonly A_TMP="/var/${packageName}.a.tmp"
readonly B_TMP="/var/${packageName}.b.tmp"
readonly SED_TMP="/var/${packageName}.sed.tmp"
@ -267,7 +267,7 @@ dns_set_output_values() {
outputFilter="$unboundFilter"
outputFile="$unboundFile"
outputCache="$unboundCache"
outputGzip="$unboundGzip"
outputGzip="${compressed_cache_dir}/${unboundGzip}"
;;
esac
}
@ -757,7 +757,7 @@ load_environment() {
[ "$dns" = 'smartdns.domainset' ] || rm -f "$smartdnsDomainSetFile" "$smartdnsDomainSetCache" "${compressed_cache_dir}/${smartdnsDomainSetGzip}" "$smartdnsDomainSetConfig"
[ "$dns" = 'smartdns.ipset' ] || rm -f "$smartdnsIpsetFile" "$smartdnsIpsetCache" "${compressed_cache_dir}/${smartdnsIpsetGzip}" "$smartdnsIpsetConfig"
[ "$dns" = 'smartdns.nftset' ] || rm -f "$smartdnsNftsetFile" "$smartdnsNftsetCache" "${compressed_cache_dir}/${smartdnsNftsetGzip}" "$smartdnsNftsetConfig"
[ "$dns" = 'unbound.adb_list' ] || rm -f "$unboundFile" "$unboundCache" "$unboundGzip"
[ "$dns" = 'unbound.adb_list' ] || rm -f "$unboundFile" "$unboundCache" "${compressed_cache_dir}/${unboundGzip}"
for i in "$runningConfigFile" "$runningErrorFile" "$runningStatusFile" "$outputFile" "$outputCache" "$outputGzip" "$outputConfig"; do
[ -n "$i" ] || continue
@ -892,7 +892,7 @@ resolver() {
rm -f "$smartdnsDomainSetFile" "$smartdnsDomainSetCache" "${compressed_cache_dir}/${smartdnsDomainSetGzip}" "$smartdnsDomainSetConfig"
rm -f "$smartdnsIpsetFile" "$smartdnsIpsetCache" "${compressed_cache_dir}/${smartdnsIpsetGzip}" "$smartdnsIpsetConfig"
rm -f "$smartdnsNftsetFile" "$smartdnsNftsetCache" "${compressed_cache_dir}/${smartdnsNftsetGzip}" "$smartdnsNftsetConfig"
rm -f "$unboundFile" "$unboundCache" "$unboundGzip"
rm -f "$unboundFile" "$unboundCache" "${compressed_cache_dir}/${unboundGzip}"
if [ -s "/etc/config/dhcp" ]; then
config_load 'dhcp'
config_foreach _dnsmasq_instance_config 'dnsmasq' 'cleanup'
@ -932,19 +932,19 @@ resolver() {
case "$dns" in
dnsmasq.*)
chmod 660 "$outputFile"
chown root:dnsmasq "$outputFile"
chown root:dnsmasq "$outputFile" >/dev/null 2>/dev/null
param='dnsmasq_restart'
output_text='Restarting dnsmasq'
;;
smartdns.*)
chmod 660 "$outputFile" "$outputConfig"
chown root:root "$outputFile" "$outputConfig"
chown root:root "$outputFile" "$outputConfig" >/dev/null 2>/dev/null
param='smartdns_restart'
output_text='Restarting SmartDNS'
;;
unbound.*)
chmod 660 "$outputFile"
chown root:unbound "$outputFile"
chown root:unbound "$outputFile" >/dev/null 2>/dev/null
param='unbound_restart'
output_text='Restarting Unbound'
;;
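Review bot: sending both streams of `chown` to /dev/null hides the case where the dnsmasq or unbound group does not exist or the chown otherwise fails, leaving the blocklist with ownership the resolver may not be able to read; if the intent is to tolerate a missing group, test the exit status and log a warning rather than discarding it. `>/dev/null 2>&1` is also the usual idiom instead of two separate redirects.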
@ -1036,7 +1036,7 @@ cache() {
return $?
;;
test_gzip)
[ -s "$outputGzip" ] && gzip -t -c "$outputGzip"
[ -s "$outputGzip" ] && gzip -t -c "$outputGzip" >/dev/null 2>/dev/null
return $?
;;
create_gzip)
@ -1412,6 +1412,11 @@ $(sed '/^[[:space:]]*$/d' "$A_TMP")"
output_failn
json add error 'errorMovingDataFile'
fi
case "$dns" in
unbound.adb_list)
sed -i '1 i\server:' "$outputFile"
;;
esac
if [ "$compressed_cache" -gt 0 ]; then
output 2 'Creating compressed cache '
json set message "$(get_text 'statusProcessing'): creating compressed cache"
@ -1596,7 +1601,7 @@ adb_check() {
smartdns.*)
grep "$string" "$outputFile";;
unbound.adb_list)
grep "$string" "$outputFile" | sed 's|^local-zone: "||;s|" static$||;';;
grep "$string" "$outputFile" | sed 's|^local-zone: "||;s|." always_nxdomain$||;';;
esac
fi
else
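Review bot: the new unbound filter appends a literal trailing dot (`s|$|." always_nxdomain|`), but the reverse substitution here uses an unescaped `.` that matches any character; `s|\." always_nxdomain$||` strips exactly what the filter added and avoids a false match if the record format changes again.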

View File

@ -5,7 +5,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=0.9.4
PKG_VERSION:=0.9.5
PKG_RELEASE:=3
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>

View File

@ -15,14 +15,14 @@ IP address blocking is commonly used to protect against brute force attacks, pre
| adguard | adguard IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| adguardtrackers | adguardtracker IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| antipopads | antipopads IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| asn | ASN segments | | | x | tcp: 80, 443 | [Link](https://asn.ipinfo.app) |
| asn | ASN segments | x | x | x | | [Link](https://asn.ipinfo.app) |
| backscatterer | backscatterer IPs | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
| becyber | malicious attacker IPs | x | x | | | [Link](https://github.com/duggytuxy/malicious_ip_addresses) |
| binarydefense | binary defense banlist | x | x | | | [Link](https://iplists.firehol.org/?ipset=bds_atif) |
| bogon | bogon prefixes | x | x | | | [Link](https://team-cymru.com) |
| bruteforceblock | bruteforceblocker IPs | x | x | | | [Link](https://danger.rulez.sk/index.php/bruteforceblocker/) |
| country | country blocks | x | x | | | [Link](https://www.ipdeny.com/ipblocks) |
| cinsscore | suspicious attacker IPs | x | x | | | [Link](https://cinsscore.com/#list) |
| darklist | blocks suspicious attacker IPs | x | x | | | [Link](https://darklist.de) |
| debl | fail2ban IP blacklist | x | x | | | [Link](https://www.blocklist.de) |
| doh | public DoH-Provider | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
| drop | spamhaus drop compilation | x | x | | | [Link](https://www.spamhaus.org) |
@ -37,14 +37,15 @@ IP address blocking is commonly used to protect against brute force attacks, pre
| greensnow | suspicious server IPs | x | x | | | [Link](https://greensnow.co) |
| iblockads | Advertising IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
| iblockspy | Malicious spyware IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
| ipblackhole | blackhole IPs | x | x | | | [Link](https://ip.blackhole.monster) |
| ipsum | malicious IPs | x | x | | | [Link](https://github.com/stamparm/ipsum) |
| ipthreat | hacker and botnet TPs | x | x | | | [Link](https://ipthreat.net) |
| myip | real-time IP blocklist | x | x | | | [Link](https://myip.ms) |
| nixspam | iX spam protection | x | x | | | [Link](http://www.nixspam.org) |
| oisdbig | OISD-big IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| oisdnsfw | OISD-nsfw IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| oisdsmall | OISD-small IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| proxy | open proxies | x | | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
| pallebone | curated IP blocklist | x | x | | | [Link](https://github.com/pallebone/StrictBlockPAllebone) |
| proxy | open proxies | x | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
| ssbl | SSL botnet IPs | x | x | | | [Link](https://sslbl.abuse.ch) |
| stevenblack | stevenblack IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| talos | talos IPs | x | x | | | [Link](https://talosintelligence.com/reputation_center) |
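Review bot: the context row `| ipthreat | hacker and botnet TPs | ...` carries a typo, 'TPs' should read 'IPs'; since this hunk already rewrites the neighbouring rows, fixing it here is cheap. The `proxy` row silently gains a wan-forward tick in the same edit that adds `pallebone`; both are user-visible feed changes and belong in the changelog.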
@ -66,10 +67,12 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* Full IPv4 and IPv6 support
* Supports nft atomic Set loading
* Supports blocking by ASN numbers and by iso country codes
* Block countries dynamically by Regional Internet Registry (RIR), e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE
* Supports local allow- and blocklist with MAC/IPv4/IPv6 addresses or domain names
* Supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments
* All local input types support ranges in CIDR notation
* Auto-add the uplink subnet or uplink IP to the local allowlist
* Prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets (DDoS attacks) in an additional prerouting chain
* Provides a small background log monitor to ban unsuccessful login attempts in real-time (like fail2ban, crowdsec etc.)
* Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
* Auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP
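Review bot: the new bullet about ICMP, UDP and SYN flood prevention should state that the thresholds are aggregate rates for the whole WAN device, not per-source limits; the prerouting rules added in f_nftinit (`limit rate over ${ban_icmplimit}/second` and friends) carry no per-address meter, so one noisy peer consumes the budget for everyone. Suggested wording: "Rate-limit ICMP, new UDP and SYN packets arriving on the WAN device (aggregate thresholds, see ban_icmplimit/ban_synlimit/ban_udplimit) and drop invalid tcp flag combinations and invalid conntrack packets in an additional prerouting chain".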
@ -80,6 +83,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* Provides HTTP ETag support to download only ressources that have been updated on the server side, to speed up banIP reloads and to save bandwith
* Supports an 'allowlist only' mode, this option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments
* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
* Optionally always allow certain protocols/destination ports in wan-input and wan-forward chains
* Deduplicate IPs accross all Sets (single IPs only, no intervals)
* Provides comprehensive runtime information
* Provides a detailed Set report
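Review bot: three typos in this hunk's context lines are worth sweeping while the list is being edited: 'ressources' (resources), 'bandwith' (bandwidth) and 'accross' (across).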
@ -110,7 +114,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu
* If you're using a complex network setup, e.g. special tunnel interfaces, than untick the 'Auto Detection' option under the 'General Settings' tab and set the required options manually
* Start the service with '/etc/init.d/banip start' and check everything is working by running '/etc/init.d/banip status' and also check the 'Firewall Log' and 'Processing Log' tabs
* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs (see the options reference below)
* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs, see the options reference table below
## banIP CLI interface
* All important banIP functions are accessible via CLI.
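Review bot: in the context line about complex network setups, 'than untick' should read 'then untick'; the rewritten CLI bullet is fine, but 'check everything is working' in the line above it reads better as 'check that everything is working'.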
@ -149,14 +153,19 @@ Available commands:
| ban_logreadfile | option | /var/log/messages | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread |
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
| ban_debug | option | 0 | enable banIP related debug logging |
| ban_loginput | option | 1 | log drops in the wan-input chain |
| ban_logforwardwan | option | 1 | log drops in the wan-forward chain |
| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain |
| ban_icmplimit | option | 10 | treshold in number of packets to detect icmp DDoS in prerouting chain |
| ban_synlimit | option | 10 | treshold in number of packets to detect syn DDoS in prerouting chain |
| ban_udplimit | option | 100 | treshold in number of packets to detect udp DDoS in prerouting chain |
| ban_logprerouting | option | 0 | log supsicious packets in the prerouting chain |
| ban_loginput | option | 0 | log supsicious packets in the wan-input chain |
| ban_logforwardwan | option | 0 | log supsicious packets in the wan-forward chain |
| ban_logforwardlan | option | 0 | log supsicious packets in the lan-forward chain |
| ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) |
| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
| ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP |
| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
| ban_allowlistonly | option | 0 | skip all blocklists and restrict the internet access only to specific, explicitly allowed IP segments |
| ban_allowflag | option | - | always allow certain protocols(tcp or udp) plus destination ports or port ranges, e.g.: 'tcp 80 443-445' |
| ban_allowurl | list | - | external allowlist feed URLs, one or more references to simple remote IP lists |
| ban_basedir | option | /tmp | base working directory while banIP processing |
| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |
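Review bot: the new rows spell 'treshold' (threshold) three times and 'supsicious' (suspicious) four times, and the ban_allowflag description lacks a space in 'protocols(tcp or udp)'. Since lan-forward only ever rejects (the ban_blocktype row says drop/reject apply to input and forwardwan), the old 'log rejects in the lan-forward chain' was the more precise description for ban_logforwardlan; consider keeping it.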
@ -174,11 +183,12 @@ Available commands:
| ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) |
| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug |
| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) |
| ban_nftpriority | option | -100 | nft priority for the banIP table (the prerouting table is fixed to priority -150) |
| ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance |
| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
| ban_region | list | - | Regional Internet Registry (RIR) country selection. Supported regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE |
| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
| ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' |
| ban_blocktype | option | drop | 'drop' packets silently on input and forwardwan chains or actively 'reject' the traffic |
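Review bot: the ban_nftpriority description says 'the prerouting table is fixed to priority -150', but what f_nftinit creates is a chain (`add chain inet banIP pre-routing { type filter hook prerouting priority -150; ... }`) inside the single banIP table; say 'the pre-routing chain is fixed at priority -150' so readers do not look for a second table.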
@ -206,39 +216,46 @@ Available commands:
:::
::: banIP Set Statistics
:::
Timestamp: 2024-03-02 07:38:28
Timestamp: 2024-04-17 23:02:15
------------------------------
auto-added to allowlist today: 0
auto-added to blocklist today: 0
blocked syn-flood packets in prerouting : 5
blocked udp-flood packets in prerouting : 11
blocked icmp-flood packets in prerouting : 6
blocked invalid ct packets in prerouting : 277
blocked invalid tcp packets in prerouting: 0
----------
auto-added IPs to allowlist today: 0
auto-added IPs to blocklist today: 0
Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets) | Port/Protocol Limit
---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
allowlistv4MAC | 0 | - | - | OK: 0 | -
allowlistv6MAC | 0 | - | - | OK: 0 | -
allowlistv4 | 1 | OK: 0 | OK: 0 | OK: 0 | -
allowlistv6 | 2 | OK: 0 | OK: 0 | OK: 0 | -
adguardtrackersv6 | 74 | - | - | OK: 0 | tcp: 80, 443
adguardtrackersv4 | 883 | - | - | OK: 0 | tcp: 80, 443
cinsscorev4 | 12053 | OK: 25 | OK: 0 | - | -
countryv4 | 37026 | OK: 14 | OK: 0 | - | -
deblv4 | 13592 | OK: 0 | OK: 0 | - | -
countryv6 | 38139 | OK: 0 | OK: 0 | - | -
deblv6 | 82 | OK: 0 | OK: 0 | - | -
dohv6 | 837 | - | - | OK: 0 | tcp: 80, 443
dohv4 | 1240 | - | - | OK: 0 | tcp: 80, 443
dropv6 | 51 | OK: 0 | OK: 0 | - | -
dropv4 | 592 | OK: 0 | OK: 0 | - | -
firehol1v4 | 906 | OK: 1 | OK: 0 | - | -
firehol2v4 | 2105 | OK: 0 | OK: 0 | OK: 0 | -
threatv4 | 55 | OK: 0 | OK: 0 | - | -
ipthreatv4 | 2042 | OK: 0 | OK: 0 | - | -
turrisv4 | 6433 | OK: 0 | OK: 0 | - | -
blocklistv4MAC | 0 | - | - | OK: 0 | -
blocklistv6MAC | 0 | - | - | OK: 0 | -
blocklistv4 | 0 | OK: 0 | OK: 0 | OK: 0 | -
blocklistv6 | 0 | OK: 0 | OK: 0 | OK: 0 | -
allowlistv4MAC | 0 | - | - | ON: 0 | -
allowlistv6MAC | 0 | - | - | ON: 0 | -
allowlistv4 | 1 | ON: 0 | ON: 0 | ON: 0 | -
allowlistv6 | 2 | ON: 0 | ON: 0 | ON: 0 | -
adguardtrackersv6 | 105 | - | - | ON: 0 | tcp: 80, 443
adguardtrackersv4 | 816 | - | - | ON: 0 | tcp: 80, 443
becyberv4 | 229006 | ON: 2254 | ON: 0 | - | -
cinsscorev4 | 7135 | ON: 1630 | ON: 2 | - | -
deblv4 | 10191 | ON: 23 | ON: 0 | - | -
countryv6 | 38233 | ON: 7 | ON: 0 | - | -
countryv4 | 37169 | ON: 2323 | ON: 0 | - | -
deblv6 | 65 | ON: 0 | ON: 0 | - | -
dropv6 | 66 | ON: 0 | ON: 0 | - | -
dohv4 | 1219 | - | - | ON: 0 | tcp: 80, 443
dropv4 | 895 | ON: 75 | ON: 0 | - | -
dohv6 | 832 | - | - | ON: 0 | tcp: 80, 443
threatv4 | 20 | ON: 0 | ON: 0 | - | -
firehol1v4 | 753 | ON: 1 | ON: 0 | - | -
ipthreatv4 | 1369 | ON: 20 | ON: 0 | - | -
firehol2v4 | 2216 | ON: 1 | ON: 0 | - | -
turrisv4 | 5613 | ON: 179 | ON: 0 | - | -
blocklistv4MAC | 0 | - | - | ON: 0 | -
blocklistv6MAC | 0 | - | - | ON: 0 | -
blocklistv4 | 0 | ON: 0 | ON: 0 | ON: 0 | -
blocklistv6 | 0 | ON: 0 | ON: 0 | ON: 0 | -
---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
24 | 116113 | 16 (40) | 16 (0) | 13 (0)
25 | 335706 | 17 (6513) | 17 (2) | 12 (0)
```
**banIP runtime information**
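Review bot: the five new 'blocked ... in prerouting' lines are inconsistently aligned (four have a space before the colon, 'blocked invalid tcp packets in prerouting:' has none); align them. The relabelling of the chain columns from 'OK' to 'ON' is not explained anywhere in the README; a one-line legend under the table ('ON: rule active in that chain, number: matched packets, -: not applied') would make the report self-describing.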
@ -246,16 +263,16 @@ Available commands:
~# /etc/init.d/banip status
::: banIP runtime information
+ status : active (nft: ✔, monitor: ✔)
+ version : 0.9.4-1
+ element_count : 116113
+ active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, adguardtrackersv6, adguardtrackersv4, cinsscorev4, countryv4, deblv4, countryv6, deblv6, dohv6, dohv4, dropv6, dropv4, firehol1v4, firehol2v4, threatv4, ipthreatv4, turrisv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
+ version : 0.9.5-r1
+ element_count : 335706
+ active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, adguardtrackersv6, adguardtrackersv4, becyberv4, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dropv6, dohv4, dropv4, dohv6, threatv4, firehol1v4, ipthreatv4, firehol2v4, turrisv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
+ active_devices : wan: pppoe-wan / wan-if: wan, wan_6 / vlan-allow: - / vlan-block: -
+ active_uplink : 217.89.211.113, fe80::2c35:fb80:e78c:cf71, 2003:ed:b5ff:2338:2c15:fb80:e78c:cf71
+ nft_info : priority: -200, policy: performance, loglevel: warn, expiry: 2h
+ active_uplink : 217.83.205.130, fe80::9cd6:12e9:c4df:75d3, 2003:ed:b5ff:43bd:9cd5:12e7:c3ef:75d8
+ nft_info : priority: 0, policy: performance, loglevel: warn, expiry: 2h
+ run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report
+ run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘
+ last_run : action: reload, log: logread, fetch: curl, duration: 0m 50s, date: 2024-03-02 07:35:01
+ system_info : cores: 4, memory: 1685, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r25356-09be63de70
+ run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/inp/fwd/lan): ✔/✘/✘/✘, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘
+ last_run : action: reload, log: logread, fetch: curl, duration: 2m 33s, date: 2024-04-17 05:57:56
+ system_info : cores: 4, memory: 1573, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r25932-338b463e1e
```
**banIP search information**
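Review bot: the sample output reports `version : 0.9.5-r1` while the Makefile in this change ships 0.9.5 with PKG_RELEASE 3, and `nft_info : priority: 0` contradicts the new documented default of -100 in the options table above. Real-box output is fine, but users compare their status against these examples; either regenerate them on a default configuration or add a remark that the box uses a custom priority.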
@ -315,11 +332,14 @@ Both local lists also accept domain names as input to allow IP filtering based o
banIP supports an "allowlist only" mode. This option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments - and block access to the rest of the internet. All IPs which are _not_ listed in the allowlist (plus the external Allowlist URLs) are blocked.
**MAC/IP-binding**
banIP supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. Following notations in the local allow and block lists are allowed:
banIP supports concatenation of local MAC addresses/ranges with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. Following notations in the local allow and block lists are allowed:
```
MAC-address only:
C8:C2:9B:F7:80:12 => this will be populated to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0
MAC-address range:
C8:C2:9B:F7:80:12/24 => this populate the MAC-range C8:C2:9B:00:00:00", "C8:C2:9B:FF:FF:FF to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0
MAC-address with IPv4 concatenation:
C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated only to v4MAC-Set with the certain IP, no entry in the v6MAC-Set
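Review bot: the new MAC-range example line has stray quote characters, `C8:C2:9B:00:00:00", "C8:C2:9B:FF:FF:FF` should read `C8:C2:9B:00:00:00 - C8:C2:9B:FF:FF:FF`, and 'this populate the MAC-range' should be 'this populates the MAC range'. It would also help to state that the prefix length counts bits of the 48-bit address, so /24 covers exactly the OUI.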
@ -334,6 +354,7 @@ MAC-address with IPv4 and IPv6 wildcard concatenation:
C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP
C8:C2:9B:F7:80:12 => this will be populated to v6MAC-Set with the IP-wildcard ::/0
```
**enable the cgi interface to receive remote logging events**
banIP ships a basic cgi interface in '/www/cgi-bin/banip' to receive remote logging events (disabled by default). The cgi interface evaluates logging events via GET or POST request (see examples below). To enable the cgi interface set the following options:
@ -407,12 +428,12 @@ A valid JSON source object contains the following information, e.g.:
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"descr": "tor exit nodes",
"flag": "80-89 443 tcp"
"flag": "gz tcp 80-88 udp 50000"
},
[...]
```
Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed.
Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, port numbers (plus ranges) for destination port limitations with 'tcp' (default) or 'udp' as protocol variants.
Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations - multiple definitions are possible.
## Support
Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
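Review bot: the new example flag `gz tcp 80-88 udp 50000` reads as two protocol/port pairs, but the rewritten flag loop in f_down collects protocols and ports into two independent nft sets (`meta l4proto { tcp, udp } th dport { 80-88, 50000 }`), so udp/80-88 and tcp/50000 are matched as well. Either describe the flag as 'a set of protocols and a set of ports, combined' in the 'multiple definitions are possible' sentence, or change the parser to keep ports per protocol. Also 'an unique feed name' should be 'a unique feed name' and 'space separated' should be hyphenated.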


@ -16,6 +16,7 @@ ban_basedir="/tmp"
ban_backupdir="/tmp/banIP-backup"
ban_reportdir="/tmp/banIP-report"
ban_feedfile="/etc/banip/banip.feeds"
ban_countryfile="/etc/banip/banip.countries"
ban_customfeedfile="/etc/banip/banip.custom.feeds"
ban_allowlist="/etc/banip/banip.allowlist"
ban_blocklist="/etc/banip/banip.blocklist"
@ -36,18 +37,24 @@ ban_reportelements="1"
ban_remotelog="0"
ban_remotetoken=""
ban_nftloglevel="warn"
ban_nftpriority="-200"
ban_nftpriority="-100"
ban_nftpolicy="memory"
ban_nftexpiry=""
ban_loglimit="100"
ban_icmplimit="10"
ban_synlimit="10"
ban_udplimit="100"
ban_logcount="1"
ban_logterm=""
ban_region=""
ban_country=""
ban_asn=""
ban_loginput="1"
ban_logforwardwan="1"
ban_logprerouting="0"
ban_loginput="0"
ban_logforwardwan="0"
ban_logforwardlan="0"
ban_allowurl=""
ban_allowflag=""
ban_allowlistonly="0"
ban_autoallowlist="1"
ban_autoallowuplink="subnet"
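Review bot: ban_loginput and ban_logforwardwan flip from "1" to "0" here, so existing installations that upgrade will stop logging wan-input and wan-forward drops unless they opt back in; the README's setup bullet still tells users to verify the installation via the 'Firewall Log' tab, which will now be empty by default. Call the changed defaults out in the release notes and consider mentioning it in that README bullet.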
@ -104,6 +111,7 @@ f_system() {
[ "${cpu}" = "0" ] && cpu="1"
[ "${core}" = "0" ] && core="1"
ban_cores="$((cpu * core))"
[ "${ban_cores}" -gt "16" ] && ban_cores="16"
fi
}
@ -211,8 +219,7 @@ f_rmpid() {
kill -INT "${pid}" >/dev/null 2>&1
done
fi
: >"${ban_rdapfile}"
: >"${ban_pidfile}"
: >"${ban_rdapfile}" >"${ban_pidfile}"
}
# write log messages
@ -247,7 +254,9 @@ f_log() {
# load config
#
f_conf() {
unset ban_dev ban_vlanallow ban_vlanblock ban_ifv4 ban_ifv6 ban_feed ban_allowurl ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn
local rir ccode region country
unset ban_dev ban_vlanallow ban_vlanblock ban_ifv4 ban_ifv6 ban_feed ban_allowurl ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_region ban_country ban_asn
config_cb() {
option_cb() {
local option="${1}"
@ -294,6 +303,9 @@ f_conf() {
"ban_logterm")
eval "${option}=\"$(printf "%s" "${ban_logterm}")${value}\\|\""
;;
"ban_region")
eval "${option}=\"$(printf "%s" "${ban_region}")${value} \""
;;
"ban_country")
eval "${option}=\"$(printf "%s" "${ban_country}")${value} \""
;;
@ -305,6 +317,14 @@ f_conf() {
}
config_load banip
[ -f "${ban_logreadfile}" ] && ban_logreadcmd="$(command -v tail)" || ban_logreadcmd="$(command -v logread)"
for rir in ${ban_region}; do
while read -r ccode region country; do
if [ "${rir}" = "${region}" ] && ! printf "%s" "${ban_country}" | "${ban_grepcmd}" -qw "${ccode}"; then
ban_country="${ban_country} ${ccode}"
fi
done < "${ban_countryfile}"
done
}
# get nft/monitor actuals
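Review bot: the `done < "${ban_countryfile}"` redirection has no guard for a missing or unreadable file, so with ban_region set on a system without /etc/banip/banip.countries the shell prints a redirection error and the country list is silently left unexpanded. Suggest `[ -r "${ban_countryfile}" ] || f_log "err" "country file '${ban_countryfile}' not found"` before the loop (returning early if the expansion is mandatory). Minor: the file is re-read once per RIR entry; a single pass that matches `${region}` against the whole `${ban_region}` list would do.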
@ -575,12 +595,39 @@ f_etag() {
# build initial nft file with base table, chains and rules
#
f_nftinit() {
local wan_dev vlan_allow vlan_block feed_log feed_rc file="${1}"
local wan_dev vlan_allow vlan_block log_ct log_icmp log_syn log_udp log_tcp feed_log feed_rc flag tmp_proto tmp_port allow_dport file="${1}"
wan_dev="$(printf "%s" "${ban_dev}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
[ -n "${ban_vlanallow}" ] && vlan_allow="$(printf "%s" "${ban_vlanallow%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
[ -n "${ban_vlanblock}" ] && vlan_block="$(printf "%s" "${ban_vlanblock%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
for flag in ${ban_allowflag}; do
if [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; then
if [ -z "${tmp_proto}" ]; then
tmp_proto="${flag}"
elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then
tmp_proto="${tmp_proto}, ${flag}"
fi
elif [ -n "${flag//[![:digit]-]/}" ]; then
if [ -z "${tmp_port}" ]; then
tmp_port="${flag}"
elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then
tmp_port="${tmp_port}, ${flag}"
fi
fi
done
if [ -n "${tmp_proto}" ] && [ -n "${tmp_port}" ]; then
allow_dport="meta l4proto { ${tmp_proto} } th dport { ${tmp_port} }"
fi
if [ "${ban_logprerouting}" = "1" ]; then
log_icmp="log level ${ban_nftloglevel} prefix \"banIP/pre-icmp/drop: \""
log_syn="log level ${ban_nftloglevel} prefix \"banIP/pre-syn/drop: \""
log_udp="log level ${ban_nftloglevel} prefix \"banIP/pre-udp/drop: \""
log_tcp="log level ${ban_nftloglevel} prefix \"banIP/pre-tcp/drop: \""
log_ct="log level ${ban_nftloglevel} prefix \"banIP/pre-ct/drop: \""
fi
{
# nft header (tables and chains)
#
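Review bot: the port token test `[ -n "${flag//[![:digit]-]/}" ]` only checks that the token contains at least one digit or hyphen, not that it consists of nothing else, so a typo such as `8o80` or a lone `-` passes into `th dport { ... }`, `nft -f` rejects the whole file and f_nftinit returns a non-zero rc for the entire base ruleset. Use a positive pattern instead, e.g. `case "${flag}" in *[!0-9-]*) f_log "info" "ignored allowflag token '${flag}'" ;; *) ... ;; esac`, and log (rather than silently skip) the case where tmp_proto is set but tmp_port is empty. This parsing block is duplicated verbatim in f_down; factor it into one helper that returns the `meta l4proto { } th dport { }` expression.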
@ -589,36 +636,55 @@ f_nftinit() {
printf "%s\n" "delete table inet banIP"
fi
printf "%s\n" "add table inet banIP"
printf "%s\n" "add counter inet banIP cnt-icmpflood"
printf "%s\n" "add counter inet banIP cnt-udpflood"
printf "%s\n" "add counter inet banIP cnt-synflood"
printf "%s\n" "add counter inet banIP cnt-tcpinvalid"
printf "%s\n" "add counter inet banIP cnt-ctinvalid"
printf "%s\n" "add chain inet banIP pre-routing { type filter hook prerouting priority -150; policy accept; }"
printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }"
printf "%s\n" "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
printf "%s\n" "add chain inet banIP reject-chain"
# default reject rules
# default reject chain rules
#
printf "%s\n" "add rule inet banIP reject-chain meta l4proto tcp reject with tcp reset"
printf "%s\n" "add rule inet banIP reject-chain reject"
# default pre-routing rules
#
printf "%s\n" "add rule inet banIP pre-routing iifname != { ${wan_dev} } counter accept"
printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct} counter name cnt-ctinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing ip protocol icmp limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
printf "%s\n" "add rule inet banIP pre-routing ip6 nexthdr icmpv6 limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt-udpflood drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt-synflood drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp} counter name cnt-tcpinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp} counter name cnt-tcpinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp} counter name cnt-tcpinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) ${log_tcp} counter name cnt-tcpinvalid drop"
# default wan-input rules
#
printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept"
printf "%s\n" "add rule inet banIP wan-input iifname != { ${wan_dev} } counter accept"
printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 udp sport 67-68 udp dport 67-68 counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 icmp type { echo-request } limit rate 1000/second counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { echo-request } limit rate 1000/second counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 1 counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 255 counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 1 counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 255 counter accept"
[ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-input ${allow_dport} counter accept"
# default wan-forward rules
#
printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept"
printf "%s\n" "add rule inet banIP wan-forward iifname != { ${wan_dev} } counter accept"
printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept"
[ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-forward ${allow_dport} counter accept"
# default lan-forward rules
#
printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept"
printf "%s\n" "add rule inet banIP lan-forward oifname != { ${wan_dev} } counter accept"
printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept"
[ -n "${vlan_allow}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_allow} } counter accept"
[ -n "${vlan_block}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_block} } counter goto reject-chain"
} >"${file}"
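Review bot: the new pre-routing flood rules are global rate limits (`limit rate over ${ban_synlimit}/second` etc. with no per-source meter), so with the shipped default of 10 SYN/s any router that forwards or serves TCP on the WAN side starts losing legitimate SYNs once aggregate new connections exceed 10/s, and a single flooder can starve every other peer. Consider a per-source dynamic set (`add set inet banIP synflood { type ipv4_addr; flags dynamic; }` plus `update @synflood { ip saddr limit rate over ${ban_synlimit}/second }`) or higher defaults, and document that these rules always `drop` regardless of ban_blocktype. The icmp rule also caps ICMPv6 as a whole, which includes 'packet too big' and neighbour discovery on the WAN link; 10/s is tight there.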
@ -628,7 +694,8 @@ f_nftinit() {
feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)"
feed_rc="${?}"
f_log "debug" "f_nftinit ::: wan_dev: ${wan_dev}, vlan_allow: ${vlan_allow:-"-"}, vlan_block: ${vlan_block:-"-"}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
f_log "debug" "f_nftinit ::: wan_dev: ${wan_dev}, vlan_allow: ${vlan_allow:-"-"}, vlan_block: ${vlan_block:-"-"}, allowed_dports: ${allow_dport:-"-"}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
: >"${file}"
return "${feed_rc}"
}
@ -636,7 +703,7 @@ f_nftinit() {
#
f_down() {
local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file ruleset_raw handle rc etag_rc
local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_proto feed_dport flag
local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_target feed_dport tmp_proto tmp_port flag
local feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}"
start_ts="$(date +%s)"
@ -653,6 +720,14 @@ f_down() {
[ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/${ban_blocktype}/${feed}: \""
[ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_nftloglevel} prefix \"banIP/fwd-lan/reject/${feed}: \""
# set feed target
#
if [ "${ban_blocktype}" = "reject" ]; then
feed_target="goto reject-chain"
else
feed_target="drop"
fi
# set feed block direction
#
if [ "${ban_blockpolicy}" = "input" ]; then
@ -687,19 +762,25 @@ f_down() {
# prepare feed flags
#
for flag in ${feed_flag}; do
if [ "${flag}" = "gz" ] && ! printf "%s" "${feed_comp}" | "${ban_grepcmd}" -qw "${flag}"; then
if [ "${flag}" = "gz" ]; then
feed_comp="${flag}"
elif { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; } && ! printf "%s" "${feed_proto}" | "${ban_grepcmd}" -qw "${flag}"; then
feed_proto="${flag}"
elif [ -n "${flag//[![:digit]]/}" ] && ! printf "%s" "${feed_dport}" | "${ban_grepcmd}" -qw "${flag}"; then
if [ -z "${feed_dport}" ]; then
feed_dport="${flag}"
else
feed_dport="${feed_dport}, ${flag}"
elif [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; then
if [ -z "${tmp_proto}" ]; then
tmp_proto="${flag}"
elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then
tmp_proto="${tmp_proto}, ${flag}"
fi
elif [ -n "${flag//[![:digit]-]/}" ]; then
if [ -z "${tmp_port}" ]; then
tmp_port="${flag}"
elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then
tmp_port="${tmp_port}, ${flag}"
fi
fi
done
[ -n "${feed_dport}" ] && feed_dport="${feed_proto:-"tcp"} dport { ${feed_dport} }"
if [ -n "${tmp_proto}" ] && [ -n "${tmp_port}" ]; then
feed_dport="meta l4proto { ${tmp_proto} } th dport { ${tmp_port} }"
fi
# chain/rule maintenance
#
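Review bot: the rewritten loop decouples protocols from ports, so `tcp 80-88 udp 50000` yields `meta l4proto { tcp, udp } th dport { 80-88, 50000 }`, the cross product, and udp/80-88 plus tcp/50000 are matched too. If per-protocol port lists are the intent (the README example reads that way), emit one `${proto} dport { ... }` expression per protocol and one rule per expression; if the cross product is intended, document it. The digit/hyphen test has the same looseness as in f_nftinit (a token only needs to contain a digit or hyphen to be accepted), and the block is a verbatim copy of the one there; a shared helper would fix both places at once.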
@ -732,7 +813,7 @@ f_down() {
done
elif [ "${feed%v*}" = "asn" ]; then
for asn in ${ban_asn}; do
f_etag "${feed}" "${feed_url}AS${asn}" ".{asn}"
f_etag "${feed}" "${feed_url}AS${asn}" ".${asn}"
rc="${?}"
[ "${rc}" = "4" ] && break
etag_rc="$((etag_rc + rc))"
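Review bot: `".{asn}"` to `".${asn}"` is a genuine bug fix hidden among the feature work: the old literal passed the same suffix `.{asn}` to f_etag for every ASN, so all ASN downloads shared one ETag record instead of one per ASN. Give it its own line in the changelog so users relying on per-ASN change detection know why behaviour improved.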
@ -768,6 +849,7 @@ f_down() {
break
fi
done
if [ "${feed_rc}" = "0" ]; then
f_backup "allowlist" "${tmp_allow}"
elif [ -z "${restore_rc}" ] && [ "${feed_rc}" != "0" ]; then
@ -795,22 +877,14 @@ f_down() {
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
if [ -z "${feed_direction##*input*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
if [ "${ban_blocktype}" = "reject" ]; then
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter goto reject-chain"
else
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter drop"
fi
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter ${feed_target}"
else
printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} counter accept"
fi
fi
if [ -z "${feed_direction##*forwardwan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
if [ "${ban_blocktype}" = "reject" ]; then
printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter goto reject-chain"
else
printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter drop"
fi
printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter ${feed_target}"
else
printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} counter accept"
fi
@ -828,35 +902,28 @@ f_down() {
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
if [ -z "${feed_direction##*input*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
if [ "${ban_blocktype}" = "reject" ]; then
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter goto reject-chain"
else
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter drop"
fi
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter ${feed_target}"
else
printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} counter accept"
fi
fi
if [ -z "${feed_direction##*forwardwan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
if [ "${ban_blocktype}" = "reject" ]; then
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter goto reject-chain"
else
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter drop"
fi
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter ${feed_target}"
else
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} counter accept"
fi
fi
if [ -z "${feed_direction##*forwardlan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter goto reject-chain"
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter ${feed_target}"
else
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} counter accept"
fi
fi
fi
} >"${tmp_nft}"
: >"${tmp_flush}" >"${tmp_raw}" >"${tmp_file}"
feed_rc="0"
elif [ "${feed%v*}" = "blocklist" ]; then
{
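Review bot: in allowlist-only mode the `lan-forward` rule now follows `${feed_target}` (`add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter ${feed_target}`), while every blocklist `lan-forward` rule in this patch keeps a hard-coded `goto reject-chain`. If the intent is that LAN clients always receive a reject so their connections fail fast, the allowlist-only path should keep `goto reject-chain` too; if the intent is that `ban_blocktype` governs all directions, the blocklist rules should be switched as well. Whichever it is, the option's documentation should state which directions `ban_blocktype` affects.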
@ -881,13 +948,8 @@ f_down() {
fi
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
if [ "${ban_blocktype}" = "reject" ]; then
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter goto reject-chain"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter goto reject-chain"
else
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
fi
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter ${feed_target}"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter ${feed_target}"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter goto reject-chain"
elif [ "${proto}" = "6" ]; then
if [ "${ban_deduplicate}" = "1" ]; then
@ -902,16 +964,12 @@ f_down() {
fi
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
if [ "${ban_blocktype}" = "reject" ]; then
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter goto reject-chain"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter goto reject-chain"
else
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
fi
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter ${feed_target}"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter ${feed_target}"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain"
fi
} >"${tmp_nft}"
: >"${tmp_flush}" >"${tmp_raw}" >"${tmp_file}"
feed_rc="0"
# handle external feeds
@ -925,7 +983,7 @@ f_down() {
feed_rc="${?}"
[ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
done
rm -f "${tmp_raw}"
: >"${tmp_raw}"
# handle asn downloads
#
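Review bot: replacing `rm -f "${tmp_raw}"` with `: >"${tmp_raw}"` keeps the file in place between the download loops, so later checks see an existing empty file instead of no file. That is fine as long as every consumer tests for size (`-s`) rather than existence (`-f`); please grep the remaining `-f` tests on these temp files. Also confirm the final cleanup path still unlinks them, since truncation alone leaves the files in the temp directory after the run.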
@ -935,7 +993,7 @@ f_down() {
feed_rc="${?}"
[ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
done
rm -f "${tmp_raw}"
: >"${tmp_raw}"
# handle compressed downloads
#
@ -943,7 +1001,7 @@ f_down() {
feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>&1)"
feed_rc="${?}"
[ "${feed_rc}" = "0" ] && "${ban_zcatcmd}" "${tmp_raw}" 2>/dev/null >"${tmp_load}"
rm -f "${tmp_raw}"
: >"${tmp_raw}"
# handle normal downloads
#
@ -970,27 +1028,28 @@ f_down() {
# deduplicate Sets
#
if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then
"${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_raw}"
"${ban_awkcmd}" '{sub("\r$", ""); print}' "${tmp_load}" 2>/dev/null | "${ban_awkcmd}" "${feed_rule}" 2>/dev/null >"${tmp_raw}"
"${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null | tee -a "${ban_tmpfile}.deduplicate" >"${tmp_split}"
else
"${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_split}"
"${ban_awkcmd}" '{sub("\r$", ""); print}' "${tmp_load}" 2>/dev/null | "${ban_awkcmd}" "${feed_rule}" 2>/dev/null >"${tmp_split}"
fi
feed_rc="${?}"
# split Sets
#
if [ "${feed_rc}" = "0" ]; then
if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "0" ]; then
if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "512" ]; then
if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then
rm -f "${tmp_file}".*
f_log "info" "can't split Set '${feed}' to size '${ban_splitsize//[![:digit]]/}'"
rm -f "${tmp_file}".*
fi
else
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1"
fi
feed_rc="${?}"
fi
rm -f "${tmp_raw}" "${tmp_load}"
: >"${tmp_raw}" >"${tmp_load}"
if [ "${feed_rc}" = "0" ] && [ "${proto}" = "4" ]; then
{
# nft header (IPv4 Set)
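Review bot: two points in this hunk. First, `ban_splitsize` is now only honoured when it is greater than 512 (`-gt "512"` instead of `-gt "0"`), so an existing config with a smaller value silently falls back to the single-file path writing `"${tmp_file}.1"` with no log line; log the fallback and document the minimum. Second, the CRLF strip is a good fix for feeds served with `\r\n`, but `feed_rc="${?}"` after the pipeline only captures the status of the last stage (the `feed_rule` awk, or `tee` in the dedup branch), so a failure of the first `awk '{sub("\r$", ""); print}'` is masked. Stripping the CR in place on `${tmp_load}` as a separately checked step before the existing `feed_rule` pass would keep the error handling intact.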
@ -1001,13 +1060,8 @@ f_down() {
# input and forward rules
#
if [ "${ban_blocktype}" = "reject" ]; then
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter goto reject-chain"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter goto reject-chain"
else
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter drop"
fi
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter ${feed_target}"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter ${feed_target}"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip daddr @${feed} ${log_forwardlan} counter goto reject-chain"
} >"${tmp_nft}"
elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then
@ -1020,16 +1074,12 @@ f_down() {
# input and forward rules
#
if [ "${ban_blocktype}" = "reject" ]; then
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter goto reject-chain"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter goto reject-chain"
else
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter drop"
fi
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter ${feed_target}"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter ${feed_target}"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain"
} >"${tmp_nft}"
fi
: >"${tmp_flush}" >"${tmp_file}.1"
fi
# load generated nft file in banIP table
@ -1039,6 +1089,7 @@ f_down() {
cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_allow}" 2>/dev/null)"
else
cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_split}" 2>/dev/null)"
: >"${tmp_split}"
fi
if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed_url}" = "local" ] || [ "${feed%v*}" = "allowlist" ] || [ "${feed%v*}" = "blocklist" ]; then
feed_log="$("${ban_nftcmd}" -f "${tmp_nft}" 2>&1)"
@ -1048,15 +1099,13 @@ f_down() {
#
if [ "${feed_rc}" = "0" ]; then
for split_file in "${tmp_file}".*; do
[ ! -f "${split_file}" ] && break
if [ "${split_file##*.}" = "1" ]; then
rm -f "${split_file}"
continue
fi
if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $("${ban_catcmd}" "${split_file}") }" >/dev/null 2>&1; then
[ ! -s "${split_file}" ] && continue
"${ban_sedcmd}" -i "1 i #!/usr/sbin/nft -f\nadd element inet banIP "${feed}" { " "${split_file}"
printf "%s\n" "}" >> "${split_file}"
if ! "${ban_nftcmd}" -f "${split_file}" >/dev/null 2>&1; then
f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'"
fi
rm -f "${split_file}"
: >"${split_file}"
done
if [ "${ban_debug}" = "1" ] && [ "${ban_reportelements}" = "1" ]; then
cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
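Review bot: the new split loader prepends the nft header with `"${ban_sedcmd}" -i "1 i #!/usr/sbin/nft -f\nadd element inet banIP "${feed}" { "`, which relies on the `i` command accepting `\n` inside its text; GNU sed does, but the default OpenWrt sed is busybox, so this needs a check there (or write the header with `printf` into a fresh file and append the split file, avoiding the in-place edit). The loop also carries on after `nft -f "${split_file}"` fails and only logs at `info`, leaving `feed_rc` at 0, so a Set that lost a chunk of its elements is still reported as loaded; raise the log level or record the failure. Finally, skipping on `[ ! -s "${split_file}" ]` assumes `${tmp_file}.1` was truncated earlier by `: >"${tmp_flush}" >"${tmp_file}.1"`; with the old `[ "${split_file##*.}" = "1" ]` guard gone, any path that skips that truncation would load the first chunk twice.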
@ -1066,7 +1115,7 @@ f_down() {
f_log "info" "skip empty feed '${feed}'"
fi
fi
rm -f "${tmp_split}" "${tmp_nft}"
: >"${tmp_nft}"
end_ts="$(date +%s)"
f_log "debug" "f_down ::: feed: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
@ -1110,7 +1159,7 @@ f_rmset() {
json_get_keys feedlist
tmp_del="${ban_tmpfile}.final.delete"
ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
table_sets="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')"
table_sets="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')"
{
printf "%s\n\n" "#!/usr/sbin/nft -f"
for item in ${table_sets}; do
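Review bot: adding `&&@.set.family="inet"` to the jsonfilter expression is the right fix, since a table named `banIP` in another family (one created by hand in `ip` or `bridge`, for instance) would otherwise have its Sets swept into the delete list; `-t` only drops set contents, it still lists every family. The same expression is now duplicated in f_rmset, f_genstatus and f_report; a small helper such as `f_getsets()` would keep the three copies in sync the next time the filter changes.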
@ -1137,7 +1186,7 @@ f_rmset() {
feed_log="$("${ban_nftcmd}" -f "${tmp_del}" 2>&1)"
feed_rc="${?}"
fi
rm -f "${tmp_del}"
: >"${tmp_del}"
f_log "debug" "f_rmset ::: sets: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
}
@ -1153,7 +1202,7 @@ f_genstatus() {
end_time="$(date "+%s")"
duration="$(((end_time - ban_starttime) / 60))m $(((end_time - ban_starttime) % 60))s"
fi
table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')"
table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')"
if [ "${ban_reportelements}" = "1" ]; then
for object in ${table_sets}; do
cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${object}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))"
@ -1202,7 +1251,7 @@ f_genstatus() {
json_close_array
json_add_string "nft_info" "priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, expiry: ${ban_nftexpiry:-"-"}"
json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}"
json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), custom feed: $(f_char ${custom_feed}), allowed only: $(f_char ${ban_allowlistonly})"
json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (pre/inp/fwd/lan): $(f_char ${ban_logprerouting})/$(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), custom feed: $(f_char ${custom_feed}), allowed only: $(f_char ${ban_allowlistonly})"
json_add_string "last_run" "${runtime:-"-"}"
json_add_string "system_info" "cores: ${ban_cores}, memory: ${ban_memory}, device: ${ban_sysver}"
json_dump >"${ban_rtfile}"
@ -1284,12 +1333,12 @@ f_lookup() {
cnt_domain="$((cnt_domain + 1))"
done
if [ -n "${elementsv4}" ]; then
if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" "{ ${elementsv4} }" >/dev/null 2>&1; then
if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" { ${elementsv4} } >/dev/null 2>&1; then
f_log "info" "can't add lookup file to Set '${feed}v4'"
fi
fi
if [ -n "${elementsv6}" ]; then
if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" "{ ${elementsv6} }" >/dev/null 2>&1; then
if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" { ${elementsv6} } >/dev/null 2>&1; then
f_log "info" "can't add lookup file to Set '${feed}v6'"
fi
fi
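Review bot: dropping the quotes around `{ ${elementsv4} }` changes how the element list reaches nft: it is now word-split on IFS and subject to pathname expansion before nft sees it. That is presumably intentional (one huge quoted argument can exceed the per-argument limit, whereas separate words only count against the total ARG_MAX), but it means any `*` or `?` in the variable would be globbed against the current directory. The values come from DNS lookups, so the risk is low, but wrapping the call in `set -f` / `set +f`, or validating each element against the IP regex before it is appended to `elementsv4`, would make the assumption explicit. The same unquoted pattern is used for the RDAP and auto-block inserts in f_monitor.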
@ -1303,8 +1352,8 @@ f_lookup() {
#
f_report() {
local report_jsn report_txt tmp_val ruleset_raw item table_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan set_proto set_dport set_details
local expr detail jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan output="${1}"
local expr detail jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan
local sum_synflood sum_udpflood sum_icmpflood sum_ctinvalid sum_tcpinvalid output="${1}"
[ -z "${ban_dev}" ] && f_conf
f_mkdir "${ban_reportdir}"
report_jsn="${ban_reportdir}/ban_report.jsn"
@ -1313,7 +1362,7 @@ f_report() {
# json output preparation
#
ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
table_sets="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')"
table_sets="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')"
sum_sets="0"
sum_setinput="0"
sum_setforwardwan="0"
@ -1322,6 +1371,11 @@ f_report() {
sum_cntinput="0"
sum_cntforwardwan="0"
sum_cntforwardlan="0"
sum_synflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-synflood"].*.packets')"
sum_udpflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-udpflood"].*.packets')"
sum_icmpflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-icmpflood"].*.packets')"
sum_ctinvalid="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-ctinvalid"].*.packets')"
sum_tcpinvalid="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-tcpinvalid"].*.packets')"
timestamp="$(date "+%Y-%m-%d %H:%M:%S")"
: >"${report_jsn}"
{
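Review bot: the new `sum_synflood` ... `sum_tcpinvalid` values are read straight from `@.nftables[@.counter.name="cnt-synflood"].*.packets` and friends; when a named counter is absent (feature disabled, or an older ruleset still loaded) the variable is empty and the report later emits `"sum_synflood": ""`, which JSON consumers may not expect. Default each one, e.g. `sum_synflood="${sum_synflood:-0}"`, the way the element count already falls back to `n/a`.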
@ -1344,12 +1398,6 @@ f_report() {
[ "${expr}" = "1" ] && [ -z "${set_dport}" ] && set_dport="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.right.set")"
[ "${expr}" = "1" ] && [ -z "${set_proto}" ] && set_proto="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.left.payload.protocol")"
done
if [ -n "${set_dport}" ]; then
set_dport="${set_dport//[\{\}\":]/}"
set_dport="${set_dport#\[ *}"
set_dport="${set_dport%* \]}"
set_dport="${set_proto}: $(f_trim "${set_dport}")"
fi
if [ "${ban_reportelements}" = "1" ]; then
set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
sum_setelements="$((sum_setelements + set_cnt))"
@ -1357,8 +1405,14 @@ f_report() {
set_cnt=""
sum_setelements="n/a"
fi
if [ -n "${set_dport}" ]; then
set_dport="${set_dport//[\{\}\":]/}"
set_dport="${set_dport#\[ *}"
set_dport="${set_dport%* \]}"
set_dport="${set_proto}: $(f_trim "${set_dport}")"
fi
if [ -n "${set_cntinput}" ]; then
set_input="OK"
set_input="ON"
sum_setinput="$((sum_setinput + 1))"
sum_cntinput="$((sum_cntinput + set_cntinput))"
else
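Review bot: changing `set_input="OK"` to `set_input="ON"` alters a value that is written into `ban_report.jsn` and is therefore visible to anything parsing the report (a frontend or script); please confirm no consumer matches on `OK` and mention the change in the release notes. Moving the `set_dport` clean-up below the `ban_reportelements` block looks like a pure relocation with no behavioural change, so it could be left out to keep the diff focused on the functional changes.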
@ -1366,7 +1420,7 @@ f_report() {
set_cntinput=""
fi
if [ -n "${set_cntforwardwan}" ]; then
set_forwardwan="OK"
set_forwardwan="ON"
sum_setforwardwan="$((sum_setforwardwan + 1))"
sum_cntforwardwan="$((sum_cntforwardwan + set_cntforwardwan))"
else
@ -1374,7 +1428,7 @@ f_report() {
set_cntforwardwan=""
fi
if [ -n "${set_cntforwardlan}" ]; then
set_forwardlan="OK"
set_forwardlan="ON"
sum_setforwardlan="$((sum_setforwardlan + 1))"
sum_cntforwardlan="$((sum_cntforwardlan + set_cntforwardlan))"
else
@ -1398,6 +1452,11 @@ f_report() {
printf "\t%s\n" "\"timestamp\": \"${timestamp}\","
printf "\t%s\n" "\"autoadd_allow\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_allowlist}")\","
printf "\t%s\n" "\"autoadd_block\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_blocklist}")\","
printf "\t%s\n" "\"sum_synflood\": \"${sum_synflood}\","
printf "\t%s\n" "\"sum_udpflood\": \"${sum_udpflood}\","
printf "\t%s\n" "\"sum_icmpflood\": \"${sum_icmpflood}\","
printf "\t%s\n" "\"sum_ctinvalid\": \"${sum_ctinvalid}\","
printf "\t%s\n" "\"sum_tcpinvalid\": \"${sum_tcpinvalid}\","
printf "\t%s\n" "\"sum_sets\": \"${sum_sets}\","
printf "\t%s\n" "\"sum_setinput\": \"${sum_setinput}\","
printf "\t%s\n" "\"sum_setforwardwan\": \"${sum_setforwardwan}\","
@ -1418,6 +1477,11 @@ f_report() {
json_get_var timestamp "timestamp" >/dev/null 2>&1
json_get_var autoadd_allow "autoadd_allow" >/dev/null 2>&1
json_get_var autoadd_block "autoadd_block" >/dev/null 2>&1
json_get_var sum_synflood "sum_synflood" >/dev/null 2>&1
json_get_var sum_udpflood "sum_udpflood" >/dev/null 2>&1
json_get_var sum_icmpflood "sum_icmpflood" >/dev/null 2>&1
json_get_var sum_ctinvalid "sum_ctinvalid" >/dev/null 2>&1
json_get_var sum_tcpinvalid "sum_tcpinvalid" >/dev/null 2>&1
json_get_var sum_sets "sum_sets" >/dev/null 2>&1
json_get_var sum_setinput "sum_setinput" >/dev/null 2>&1
json_get_var sum_setforwardwan "sum_setforwardwan" >/dev/null 2>&1
@ -1430,8 +1494,14 @@ f_report() {
printf "%s\n%s\n%s\n" ":::" "::: banIP Set Statistics" ":::"
printf "%s\n" " Timestamp: ${timestamp}"
printf "%s\n" " ------------------------------"
printf "%s\n" " auto-added to allowlist today: ${autoadd_allow}"
printf "%s\n\n" " auto-added to blocklist today: ${autoadd_block}"
printf "%s\n" " blocked syn-flood packets : ${sum_synflood}"
printf "%s\n" " blocked udp-flood packets : ${sum_udpflood}"
printf "%s\n" " blocked icmp-flood packets : ${sum_icmpflood}"
printf "%s\n" " blocked invalid ct packets : ${sum_ctinvalid}"
printf "%s\n" " blocked invalid tcp packets: ${sum_tcpinvalid}"
printf "%s\n" " ----------"
printf "%s\n" " auto-added IPs to allowlist: ${autoadd_allow}"
printf "%s\n\n" " auto-added IPs to blocklist: ${autoadd_block}"
json_select "sets" >/dev/null 2>&1
json_get_keys table_sets >/dev/null 2>&1
if [ -n "${table_sets}" ]; then
@ -1488,10 +1558,10 @@ f_search() {
local item table_sets ip proto hold cnt result_flag="/var/run/banIP.search" input="${1}"
if [ -n "${input}" ]; then
ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?[[:space:]]*$)"}{printf "%s",RT}')"
ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?[[:space:]]*$)"}{printf "%s",RT}')"
[ -n "${ip}" ] && proto="v4"
if [ -z "${proto}" ]; then
ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)"}{printf "%s",RT}')"
ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)"}{printf "%s",RT}')"
[ -n "${ip}" ] && proto="v6"
fi
fi
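Review bot: the `\/` to `\\/` change is correct: inside an awk string literal `\/` is an undefined escape (gawk warns, mawk and busybox awk may treat it differently), while `\\/` yields `\/` in the resulting regex. While touching these patterns, the IPv6 class `[0-9A-f]` is wider than intended: as a range it spans `A` through `f`, which in ASCII order also covers `G`-`Z`, `[`, `\`, `]`, `^`, `_` and the backtick, so an input such as `GGGG::1` is accepted as IPv6 and handed to `nft get element`. Use `[0-9A-Fa-f]`. The same class appears in `rule_6` of the feeds file.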
@ -1501,14 +1571,14 @@ f_search() {
printf "%s\n%s\n%s\n" ":::" "::: no valid search input" ":::"
return
fi
printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::"
printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")"
printf " %s\n" "---"
cnt="1"
for item in ${table_sets}; do
[ -f "${result_flag}" ] && break
(
if "${ban_nftcmd}" get element inet banIP "${item}" "{ ${ip} }" >/dev/null 2>&1; then
printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::"
printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")"
printf " %s\n" "---"
printf " %s\n" "IP found in Set '${item}'"
: >"${result_flag}"
fi
@ -1518,7 +1588,14 @@ f_search() {
cnt="$((cnt + 1))"
done
wait
[ -f "${result_flag}" ] && rm -f "${result_flag}" || printf " %s\n" "IP not found"
if [ -f "${result_flag}" ]; then
rm -f "${result_flag}"
else
printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::"
printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")"
printf " %s\n" "---"
printf " %s\n" "IP not found"
fi
}
# Set survey
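Review bot: moving the `::: banIP Search :::` header into the per-Set subshell means it is printed by whichever subshell finds the IP; if the address is in more than one Set (a country feed and `blocklistv4`, say) several subshells can pass `[ -f "${result_flag}" ]` before the first one creates the flag, and the header is printed more than once, interleaved with the results. The fixed `result_flag="/var/run/banIP.search"` is also shared between concurrent invocations, so two searches running at the same time see each other's flag. Consider having the subshells append matches to a per-invocation temp file (`mktemp`) and printing the header plus all results once after `wait`.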
@ -1564,7 +1641,7 @@ f_mail() {
# log monitor
#
f_monitor() {
local daemon logread_cmd loglimit_cmd nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_elements rdap_info
local daemon logread_cmd loglimit_cmd nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_prefix rdap_length rdap_info
if [ -f "${ban_logreadfile}" ]; then
logread_cmd="${ban_logreadcmd} -qf ${ban_logreadfile} 2>/dev/null | ${ban_grepcmd} -e \"${ban_logterm%%??}\" 2>/dev/null"
@ -1609,19 +1686,22 @@ f_monitor() {
rdap_log="$("${ban_fetchcmd}" ${ban_rdapparm} "${ban_rdapfile}" "${ban_rdapurl}${ip}" 2>&1)"
rdap_rc="${?}"
if [ "${rdap_rc}" = "0" ] && [ -s "${ban_rdapfile}" ]; then
rdap_elements="$(jsonfilter -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*' | awk 'BEGIN{FS="[\" ]"}{printf "%s/%s, ",$6,$11}')"
rdap_info="$(jsonfilter -i "${ban_rdapfile}" -qe '@.country' -qe '@.notices[@.title="Source"].description[1]' | awk 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')"
if [ -n "${rdap_elements//\/*/}" ]; then
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${rdap_elements%%??} ${nft_expiry} }" >/dev/null 2>&1; then
f_log "info" "add IP range '${rdap_elements%%??}' (source: ${rdap_info:-"-"} ::: expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
[ "${proto}" = "v4" ] && rdap_prefix="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*.v4prefix')"
[ "${proto}" = "v6" ] && rdap_prefix="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*.v6prefix')"
rdap_length="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*.length')"
rdap_info="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.country' -qe '@.notices[@.title="Source"].description[1]' | awk 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')"
[ -z "${rdap_info}" ] && rdap_info="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.notices[0].links[0].value' | awk 'BEGIN{FS="[/.]"}{printf"%s, %s","n/a",toupper($4)}')"
if [ -n "${rdap_prefix}" ] && [ -n "${rdap_length}" ]; then
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" { ${rdap_prefix}/${rdap_length} ${nft_expiry} } >/dev/null 2>&1; then
f_log "info" "add IP range '${rdap_prefix}/${rdap_length}' (source: ${rdap_info:-"n/a"} ::: expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
fi
fi
else
f_log "info" "rdap request failed (rc: ${rdap_rc:-"-"}/log: ${rdap_log})"
fi
fi
if [ "${ban_autoblocksubnet}" = "0" ] || [ "${rdap_rc}" != "0" ] || [ ! -s "${ban_rdapfile}" ] || [ -z "${rdap_elements//\/*/}" ]; then
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
if [ "${ban_autoblocksubnet}" = "0" ] || [ "${rdap_rc}" != "0" ] || [ ! -s "${ban_rdapfile}" ] || [ -z "${rdap_prefix}" ] || [ -z "${rdap_length}" ]; then
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" { ${ip} ${nft_expiry} } >/dev/null 2>&1; then
f_log "info" "add IP '${ip}' (expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
fi
fi
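Review bot: `rdap_prefix` and `rdap_length` are selected independently with `-l1`: the prefix is the first `v4prefix` (or `v6prefix`) found anywhere in `cidr0_cidrs`, but the length is always the first entry's `length`, so when the RDAP object lists a v6 block before the v4 one the two halves come from different entries and the wrong range is inserted. Pick prefix and length from the same array element. Independently, the length is trusted exactly as the RDAP server returns it and nothing stops a very short prefix (a `/8`, or `/0` from a broken or hostile response) from landing in `blocklist${proto}` with the auto-block expiry; a minimum prefix length check before `add element` would bound the blast radius of `ban_autoblocksubnet`. Note also that the old code blocked every listed prefix and the new code only the first; if that is intentional it belongs in the changelog.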

View File

@ -1,6 +1,6 @@
#!/bin/sh
# banIP main service script - ban incoming and outgoing IPs via named nftables Sets
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions
@ -24,8 +24,8 @@ f_getif
f_getdev
f_getuplink
f_mkdir "${ban_backupdir}"
f_mkfile "${ban_blocklist}"
f_mkfile "${ban_allowlist}"
f_mkfile "${ban_blocklist}"
# firewall check
#
@ -44,13 +44,13 @@ if [ "${ban_action}" != "reload" ]; then
fi
fi
# init nft namespace
# init banIP nftables namespace
#
if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list set inet banIP allowlistv4MAC >/dev/null 2>&1; then
if f_nftinit "${ban_tmpfile}".init.nft; then
f_log "info" "initialize nft namespace"
f_log "info" "initialize banIP nftables namespace"
else
f_log "err" "can't initialize nft namespace"
f_log "err" "can't initialize banIP nftables namespace"
fi
fi
@ -99,7 +99,7 @@ for feed in allowlist ${ban_feed} blocklist; do
continue
fi
# handle IPv4/IPv6 feeds with the same/single download URL
# handle IPv4/IPv6 feeds with a single download URL
#
if [ "${feed_url_4}" = "${feed_url_6}" ]; then
if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
@ -115,7 +115,8 @@ for feed in allowlist ${ban_feed} blocklist; do
fi
continue
fi
# handle IPv4/IPv6 feeds with separated download URLs
# handle IPv4/IPv6 feeds with separate download URLs
#
if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
(f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") &

View File

@ -1,249 +1,249 @@
af;Afghanistan
ax;Åland Islands
al;Albania
dz;Algeria
as;American Samoa
ad;Andorra
ao;Angola
ai;Anguilla
aq;Antarctica
ag;Antigua & Barbuda
ar;Argentina
am;Armenia
aw;Aruba
au;Australia
at;Austria
az;Azerbaijan
bs;Bahamas
bh;Bahrain
bd;Bangladesh
bb;Barbados
by;Belarus
be;Belgium
bz;Belize
bj;Benin
bm;Bermuda
bt;Bhutan
bo;Bolivia
ba;Bosnia
bw;Botswana
bv;Bouvet Island
br;Brazil
io;British Indian Ocean Territory
vg;British Virgin Islands
bn;Brunei
bg;Bulgaria
bf;Burkina Faso
bi;Burundi
kh;Cambodia
cm;Cameroon
ca;Canada
cv;Cape Verde
bq;Caribbean Netherlands
ky;Cayman Islands
cf;Central African Republic
td;Chad
cl;Chile
cn;China
cx;Christmas Island
cc;Cocos (Keeling) Islands
co;Colombia
km;Comoros
cg;Congo - Brazzaville
cd;Congo - Kinshasa
ck;Cook Islands
cr;Costa Rica
ci;Côte dIvoire
hr;Croatia
cu;Cuba
cw;Curaçao
cy;Cyprus
cz;Czechia
dk;Denmark
dj;Djibouti
dm;Dominica
do;Dominican Republic
ec;Ecuador
eg;Egypt
sv;El Salvador
gq;Equatorial Guinea
er;Eritrea
ee;Estonia
sz;Eswatini
et;Ethiopia
fk;Falkland Islands
fo;Faroe Islands
fj;Fiji
fi;Finland
fr;France
gf;French Guiana
pf;French Polynesia
tf;French Southern Territories
ga;Gabon
gm;Gambia
ge;Georgia
de;Germany
gh;Ghana
gi;Gibraltar
gr;Greece
gl;Greenland
gd;Grenada
gp;Guadeloupe
gu;Guam
gt;Guatemala
gg;Guernsey
gn;Guinea
gw;Guinea-Bissau
gy;Guyana
ht;Haiti
hm;Heard & McDonald Islands
hn;Honduras
hk;Hong Kong
hu;Hungary
is;Iceland
in;India
id;Indonesia
ir;Iran
iq;Iraq
ie;Ireland
im;Isle of Man
il;Israel
it;Italy
jm;Jamaica
jp;Japan
je;Jersey
jo;Jordan
kz;Kazakhstan
ke;Kenya
ki;Kiribati
kw;Kuwait
kg;Kyrgyzstan
la;Laos
lv;Latvia
lb;Lebanon
ls;Lesotho
lr;Liberia
ly;Libya
li;Liechtenstein
lt;Lithuania
lu;Luxembourg
mo;Macau
mg;Madagascar
mw;Malawi
my;Malaysia
mv;Maldives
ml;Mali
mt;Malta
mh;Marshall Islands
mq;Martinique
mr;Mauritania
mu;Mauritius
yt;Mayotte
mx;Mexico
fm;Micronesia
md;Moldova
mc;Monaco
mn;Mongolia
me;Montenegro
ms;Montserrat
ma;Morocco
mz;Mozambique
mm;Myanmar
na;Namibia
nr;Nauru
np;Nepal
nl;Netherlands
nc;New Caledonia
nz;New Zealand
ni;Nicaragua
ne;Niger
ng;Nigeria
nu;Niue
nf;Norfolk Island
mp;Northern Mariana Islands
kp;North Korea
mk;North Macedonia
no;Norway
om;Oman
pk;Pakistan
pw;Palau
ps;Palestine
pa;Panama
pg;Papua New Guinea
py;Paraguay
pe;Peru
ph;Philippines
pn;Pitcairn Islands
pl;Poland
pt;Portugal
pr;Puerto Rico
qa;Qatar
re;Réunion
ro;Romania
ru;Russia
rw;Rwanda
ws;Samoa
sm;San Marino
st;São Tomé & Príncipe
sa;Saudi Arabia
sn;Senegal
rs;Serbia
sc;Seychelles
sl;Sierra Leone
sg;Singapore
sx;Sint Maarten
sk;Slovakia
si;Slovenia
sb;Solomon Islands
so;Somalia
za;South Africa
gs;South Georgia & South Sandwich Islands
kr;South Korea
ss;South Sudan
es;Spain
lk;Sri Lanka
bl;St. Barthélemy
sh;St. Helena
kn;St. Kitts & Nevis
lc;St. Lucia
mf;St. Martin
pm;St. Pierre & Miquelon
vc;St. Vincent & Grenadines
sd;Sudan
sr;Suriname
sj;Svalbard & Jan Mayen
se;Sweden
ch;Switzerland
sy;Syria
tw;Taiwan
tj;Tajikistan
tz;Tanzania
th;Thailand
tl;Timor-Leste
tg;Togo
tk;Tokelau
to;Tonga
tt;Trinidad & Tobago
tn;Tunisia
tr;Turkey
tm;Turkmenistan
tc;Turks & Caicos Islands
tv;Tuvalu
ug;Uganda
ua;Ukraine
ae;United Arab Emirates
gb;United Kingdom
us;United States
uy;Uruguay
um;U.S. Outlying Islands
vi;U.S. Virgin Islands
uz;Uzbekistan
vu;Vanuatu
va;Vatican City
ve;Venezuela
vn;Vietnam
wf;Wallis & Futuna
eh;Western Sahara
ye;Yemen
zm;Zambia
zw;Zimbabwe
af APNIC Afghanistan
ax RIPE Åland Islands
al RIPE Albania
dz AFRINIC Algeria
as APNIC American Samoa
ad RIPE Andorra
ao AFRINIC Angola
ai ARIN Anguilla
aq ARIN Antarctica
ag ARIN Antigua & Barbuda
ar LACNIC Argentina
am RIPE Armenia
aw LACNIC Aruba
au APNIC Australia
at RIPE Austria
az RIPE Azerbaijan
bs ARIN Bahamas
bh RIPE Bahrain
bd APNIC Bangladesh
bb ARIN Barbados
by RIPE Belarus
be RIPE Belgium
bz LACNIC Belize
bj AFRINIC Benin
bm ARIN Bermuda
bt APNIC Bhutan
bo LACNIC Bolivia
bq LACNIC Bonaire
ba RIPE Bosnia & Herzegowina
bw AFRINIC Botswana
bv ARIN Bouvet Island
br LACNIC Brazil
io APNIC British Indian Ocean Territory
bn APNIC Brunei
bg RIPE Bulgaria
bf AFRINIC Burkina Faso
bi AFRINIC Burundi
kh APNIC Cambodia
cm AFRINIC Cameroon
ca ARIN Canada
cv AFRINIC Cape Verde
ky ARIN Cayman Islands
cf AFRINIC Central African Republic
td AFRINIC Chad
cl LACNIC Chile
cn APNIC China
cx APNIC Christmas Island
cc APNIC Cocos Islands
co LACNIC Colombia
km AFRINIC Comoros
cg AFRINIC Congo - Brazzaville
cd AFRINIC Congo - Kinshasa
ck APNIC Cook Islands
cr LACNIC Costa Rica
ci AFRINIC Côte D'ivoire
hr RIPE Croatia
cu LACNIC Cuba
cw LACNIC Curaçao
cy RIPE Cyprus
cz RIPE Czechia
dk RIPE Denmark
dj AFRINIC Djibouti
dm ARIN Dominica
do LACNIC Dominican Republic
ec LACNIC Ecuador
eg AFRINIC Egypt
sv LACNIC El Salvador
gq AFRINIC Equatorial Guinea
er AFRINIC Eritrea
ee RIPE Estonia
sz AFRINIC Eswatini
et AFRINIC Ethiopia
fk LACNIC Falkland Islands
fo RIPE Faroe Islands
fj APNIC Fiji
fi RIPE Finland
fr RIPE France
gf LACNIC French Guiana
pf APNIC French Polynesia
tf APNIC French Southern Territories
ga AFRINIC Gabon
gm AFRINIC Gambia
ge RIPE Georgia
de RIPE Germany
gh AFRINIC Ghana
gi RIPE Gibraltar
gr RIPE Greece
gl RIPE Greenland
gd ARIN Grenada
gp ARIN Guadeloupe
gu APNIC Guam
gt LACNIC Guatemala
gg RIPE Guernsey
gn AFRINIC Guinea
gw AFRINIC Guinea-Bissau
gy LACNIC Guyana
ht LACNIC Haiti
hm ARIN Heard & McDonald Islands
hn LACNIC Honduras
hk APNIC Hong Kong
hu RIPE Hungary
is RIPE Iceland
in APNIC India
id APNIC Indonesia
ir RIPE Iran
iq RIPE Iraq
ie RIPE Ireland
im RIPE Isle of Man
il RIPE Israel
it RIPE Italy
jm ARIN Jamaica
jp APNIC Japan
je RIPE Jersey
jo RIPE Jordan
kz RIPE Kazakhstan
ke AFRINIC Kenya
ki APNIC Kiribati
kw RIPE Kuwait
kg RIPE Kyrgyzstan
la APNIC Lao
lv RIPE Latvia
lb RIPE Lebanon
ls AFRINIC Lesotho
lr AFRINIC Liberia
ly AFRINIC Libya
li RIPE Liechtenstein
lt RIPE Lithuania
lu RIPE Luxembourg
mo APNIC Macao
mg AFRINIC Madagascar
mw AFRINIC Malawi
my APNIC Malaysia
mv APNIC Maldives
ml AFRINIC Mali
mt RIPE Malta
mh APNIC Marshall Islands
ma AFRINIC Marocco
mq ARIN Martinique
mr AFRINIC Mauritania
mu AFRINIC Mauritius
yt AFRINIC Mayotte
mx LACNIC Mexico
fm APNIC Micronesia
md RIPE Moldova
mc RIPE Monaco
mn APNIC Mongolia
me RIPE Montenegro
ms ARIN Montserrat
mz AFRINIC Mozambique
mm APNIC Myanmar
na AFRINIC Namibia
nr APNIC Nauru
np APNIC Nepal
nl RIPE Netherlands
nc APNIC New Caledonia
nz APNIC New Zealand
ni LACNIC Nicaragua
ne AFRINIC Niger
ng AFRINIC Nigeria
nu APNIC Niue
nf APNIC Norfolk Island
kp APNIC North Korea
mk RIPE North Macedonia
mp APNIC Northern Mariana Islands
no RIPE Norway
om RIPE Oman
pk APNIC Pakistan
pw APNIC Palau
ps RIPE Palestine
pa LACNIC Panama
pg APNIC Papua New Guinea
py LACNIC Paraguay
pe LACNIC Peru
ph APNIC Philippines
pn APNIC Pitcairn
pl RIPE Poland
pt RIPE Portugal
pr ARIN Puerto Rico
qa RIPE Qatar
re AFRINIC Reunion
ro RIPE Romania
ru RIPE Russian Federation
rw AFRINIC Rwanda
sh ARIN Saint Helena
bl ARIN Saint Barthélemy
kn ARIN Saint Kitts & Nevis
lc ARIN Saint Lucia
mf ARIN Saint Martin
pm ARIN Saint Pierre & Miquelon
vc ARIN Saint Vincent & the Grenadines
ws APNIC Samoa
sm RIPE San Marino
st AFRINIC Sao Tome & Principe
sa RIPE Saudi Arabia
sn AFRINIC Senegal
rs RIPE Serbia
sc AFRINIC Seychelles
sl AFRINIC Sierra Leone
sg APNIC Singapore
sx LACNIC Sint Maarten
sk RIPE Slovakia
si RIPE Slovenia
sb APNIC Solomon Islands
so AFRINIC Somalia
za AFRINIC South Africa
gs LACNIC South Georgia
kr APNIC South Korea
ss AFRINIC South Sudan
es RIPE Spain
lk APNIC Sri Lanka
sd AFRINIC Sudan
sr LACNIC Suriname
sj RIPE Svalbard & Jan Mayen Islands
se RIPE Sweden
ch RIPE Switzerland
sy RIPE Syrian
tw APNIC Taiwan
tj RIPE Tajikistan
tz AFRINIC Tanzania
th APNIC Thailand
tl APNIC Timor-Leste
tg AFRINIC Togo
tk APNIC Tokelau
to APNIC Tonga
tt LACNIC Trinidad & Tobago
tn AFRINIC Tunisia
tr RIPE Türkey
tm RIPE Turkmenistan
tc ARIN Turks & Caicos Islands
tv APNIC Tuvalu
ug AFRINIC Uganda
ua RIPE Ukraine
ae RIPE United Arab Emirates
gb RIPE United Kingdom
us ARIN United States
um ARIN United States Minor Outlying Islands
uy LACNIC Uruguay
uz RIPE Uzbekistan
vu APNIC Vanuatu
va RIPE Vatikan City
ve LACNIC Venezuela
vn APNIC Vietnam
vg ARIN Virgin Islands (British)
vi ARIN Virgin Islands (U.S.)
wf APNIC Wallis & Futuna Islands
eh AFRINIC Western Sahara
ye RIPE Yemen
zm AFRINIC Zambia
zw AFRINIC Zimbabwe
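Review bot: several names in this shipped data file are misspelled or inconsistent and go out verbatim to every user: `ma AFRINIC Marocco` (Morocco), `va RIPE Vatikan City` (Vatican City), `sy RIPE Syrian` (Syria or Syrian Arab Republic), `tr RIPE Türkey` (either Türkiye or Turkey, not a mix) and `ci AFRINIC Côte D'ivoire` (Côte d'Ivoire). A few RIR assignments also look off, for example `gp ARIN Guadeloupe` and `mq ARIN Martinique` are French overseas departments whose address space is administered by the RIPE NCC rather than ARIN; if the RIR column drives anything beyond display, it is worth cross-checking the whole column against the RIRs' own country tables.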

View File

@ -5,7 +5,7 @@
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "adaway IPs",
"flag": "80 443"
"flag": "tcp 80 443"
},
"adguard":{
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv4.txt",
@ -13,7 +13,7 @@
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "adguard IPs",
"flag": "80 443"
"flag": "tcp 80 443"
},
"adguardtrackers":{
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv4.txt",
@ -21,7 +21,7 @@
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "adguardtracker IPs",
"flag": "80 443"
"flag": "tcp 80 443"
},
"antipopads":{
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv4.txt",
@ -29,15 +29,14 @@
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "antipopads IPs",
"flag": "80 443"
"flag": "tcp 80 443"
},
"asn":{
"url_4": "https://asn.ipinfo.app/api/text/list/",
"url_6": "https://asn.ipinfo.app/api/text/list/",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"descr": "ASN IP segments",
"flag": "80 443"
"descr": "ASN IP segments"
},
"backscatterer":{
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz",
@ -45,6 +44,13 @@
"descr": "backscatterer IPs",
"flag": "gz"
},
"becyber":{
"url_4": "https://raw.githubusercontent.com/duggytuxy/malicious_ip_addresses/main/botnets_zombies_scanner_spam_ips.txt",
"url_6": "https://raw.githubusercontent.com/duggytuxy/malicious_ip_addresses/main/botnets_zombies_scanner_spam_ips_ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"descr": "malicious attacker IPs"
},
"binarydefense":{
"url_4": "https://iplists.firehol.org/files/bds_atif.ipset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
@ -74,14 +80,9 @@
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"descr": "country blocks"
},
"darklist":{
"url_4": "https://darklist.de/raw.php",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"descr": "suspicious attacker IPs"
},
"debl":{
"url_4": "https://www.blocklist.de/downloads/export-ips_all.txt",
"url_6": "https://www.blocklist.de/downloads/export-ips_all.txt",
"url_4": "https://lists.blocklist.de/lists/all.txt",
"url_6": "https://lists.blocklist.de/lists/all.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"descr": "fail2ban IP blocklist"
@ -92,7 +93,7 @@
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "public DoH-Provider",
"flag": "80 443"
"flag": "tcp 80 443"
},
"drop":{
"url_4": "https://www.spamhaus.org/drop/drop.txt",
@ -106,11 +107,6 @@
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s/%s,\\n\",$1,$3}",
"descr": "dshield IP blocklist"
},
"edrop":{
"url_4": "https://www.spamhaus.org/drop/edrop.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "spamhaus edrop compilation"
},
"etcompromised":{
"url_4": "https://iplists.firehol.org/files/et_compromised.ipset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
@ -150,18 +146,18 @@
"url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"descr": "advertising IPs",
"flag": "gz 80 443"
"flag": "gz tcp 80 443"
},
"iblockspy":{
"url_4": "https://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"descr": "malicious spyware IPs",
"flag": "gz 80 443"
"flag": "gz tcp 80 443"
},
"ipblackhole":{
"url_4": "https://ip.blackhole.monster/blackhole-today",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"descr": "blackhole IP blocklist"
"ipsum":{
"url_4": "https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[-[:space:]]?/{printf \"%s,\\n\",$1}",
"descr": "malicious IPs"
},
"ipthreat":{
"url_4": "https://lists.ipthreat.net/file/ipthreat-lists/threat/threat-30.txt.gz",
@ -188,7 +184,7 @@
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "OISD-big IPs",
"flag": "80 443"
"flag": "tcp 80 443"
},
"oisdnsfw":{
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv4.txt",
@ -196,7 +192,7 @@
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "OISD-nsfw IPs",
"flag": "80 443"
"flag": "tcp 80 443"
},
"oisdsmall":{
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv4.txt",
@ -204,7 +200,12 @@
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "OISD-small IPs",
"flag": "80 443"
"flag": "tcp 80 443"
},
"pallebone":{
"url_4": "https://raw.githubusercontent.com/pallebone/StrictBlockPAllebone/master/BlockIP.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"descr": "curated IP blocklist"
},
"proxy":{
"url_4": "https://iplists.firehol.org/files/proxylists.ipset",
@ -222,7 +223,7 @@
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "stevenblack IPs",
"flag": "80 443"
"flag": "tcp 80 443"
},
"talos":{
"url_4": "https://www.talosintelligence.com/documents/ip-blacklist",
@ -295,6 +296,6 @@
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "yoyo IPs",
"flag": "80 443"
"flag": "tcp 80 443"
}
}

View File

@ -23,10 +23,10 @@ ban_lock="/var/run/banip.lock"
[ "${action}" = "boot" ] && "${ban_init}" running && exit 0
{ [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ]; } && ! "${ban_init}" running && exit 0
[ ! -r "${ban_funlib}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && exit 1
[ -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && exit 1
[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && mkdir -p "${ban_lock}"
[ -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && exit 1
[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && mkdir -p "${ban_lock}"
{ [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && . "${ban_funlib}"
[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && exit 1
[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && exit 1
boot() {
: >"${ban_pidfile}"
@ -81,6 +81,7 @@ report() {
search() {
f_search "${1}"
rm -rf "${ban_lock}"
}
survey() {
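Review bot: `search` now takes the lock directory (previous hunk) and only this `rm -rf "${ban_lock}"` releases it; nothing in either hunk installs a trap, so if `f_search` is interrupted (a long search is exactly where a user presses Ctrl-C) or exits early, the lock stays behind and every subsequent boot/start/restart/reload/lookup/search exits 1 until `/var/run/banip.lock` is removed by hand. A `trap 'rm -rf "${ban_lock}"' EXIT` before the `f_search "${1}"` call would close that gap.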

View File

@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/nls.mk
PKG_NAME:=curl
PKG_VERSION:=8.7.1
PKG_RELEASE:=r1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=https://github.com/curl/curl/releases/download/curl-$(subst .,_,$(PKG_VERSION))/ \
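Review bot: `PKG_RELEASE:=r1` was not a valid value (the field is an integer that the build system turns into the `-r<N>` suffix), so replacing it with `2` is a fix as well as a bump; the commit message should say so, because a reader seeing only `r1` to `2` will assume a plain rebuild.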
@ -81,7 +81,7 @@ define Package/curl/Default
SECTION:=net
CATEGORY:=Network
URL:=http://curl.se/
MAINTAINER:=Stan Grishin <stangri@melmac.ca>
MAINTAINER:=
endef
define Package/curl
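Review bot: blanking `MAINTAINER:=` orphans curl, the HTTPS client behind most of the feed downloads elsewhere in this compare and a frequent CVE subject; an orphaned TLS client deserves a heads-up in the PR description so that a new maintainer can be found before the next security release needs backporting.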

View File

@ -0,0 +1,45 @@
From: Kailun Qin <kailun.qin@intel.com>
Date: Mon, 8 Apr 2024 05:13:56 -0400
Subject: [PATCH] mbedtls: call mbedtls_ssl_setup() after RNG callback is set
Since mbedTLS v3.6.0, the RNG check added in ssl_conf_check() will fail
if no RNG is provided when calling mbedtls_ssl_setup().
Therefore, mbedtls_ssl_conf_rng() needs to be called before the SSL
context is passed to mbedtls_ssl_setup().
Ref: https://github.com/Mbed-TLS/mbedtls/commit/b422cab052b51ec84758638d6783d6ba4fc60613
Signed-off-by: Kailun Qin <kailun.qin@intel.com>
Closes #13314
---
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -602,10 +602,6 @@ mbed_connect_step1(struct Curl_cfilter *
}
mbedtls_ssl_init(&backend->ssl);
- if(mbedtls_ssl_setup(&backend->ssl, &backend->config)) {
- failf(data, "mbedTLS: ssl_init failed");
- return CURLE_SSL_CONNECT_ERROR;
- }
/* new profile with RSA min key len = 1024 ... */
mbedtls_ssl_conf_cert_profile(&backend->config,
@@ -639,6 +635,15 @@ mbed_connect_step1(struct Curl_cfilter *
mbedtls_ssl_conf_rng(&backend->config, mbedtls_ctr_drbg_random,
&backend->ctr_drbg);
+
+ ret = mbedtls_ssl_setup(&backend->ssl, &backend->config);
+ if(ret) {
+ mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
+ failf(data, "ssl_setup failed - mbedTLS: (-0x%04X) %s",
+ -ret, errorbuf);
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
mbedtls_ssl_set_bio(&backend->ssl, cf,
mbedtls_bio_cf_write,
mbedtls_bio_cf_read,
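Review bot: the added error path uses `ret` and `errorbuf` without either appearing in the visible context; please confirm both are already declared in `mbed_connect_step1()` in curl 8.7.1 so the backport compiles against that version and not only against current master. The reordering itself is right (mbedTLS 3.6.0's `ssl_conf_check()` rejects a config with no RNG, and `mbedtls_ssl_conf_rng()` is only called further down), and the `mbedtls_strerror` message is an improvement over the old `ssl_init failed`. The header should also carry the upstream curl commit id (the `Ref:` line points at the mbedTLS change, not the curl fix) so the patch can be dropped cleanly on the next curl update.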

View File

@ -5,12 +5,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=dnsproxy
PKG_VERSION:=0.69.2
PKG_VERSION:=0.70.0
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/AdguardTeam/dnsproxy/tar.gz/v$(PKG_VERSION)?
PKG_HASH:=aa1cea0eea683bde017acbb30c09c96b24b30133e157e743666be900ad7560ea
PKG_HASH:=a78ce398f2019e7a3a57e7ffcb06ecfb6d08e36e0a07c58ada4ac4871cecd677
PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org>
PKG_LICENSE:=Apache-2.0

165
net/geoip-shell/DETAILS.md Normal file
View File

@ -0,0 +1,165 @@
## **Prelude**
- This document only covers scripts installed on OpenWrt systems and only options available on OpenWrt.
- geoip-shell supports a numer of different use cases, many different platforms, and 2 backend firewall utilities (nftables and iptables). For this reason I designed it to be modular rather than monolithic. In this design, the functionality is split between few main scripts. Each main script performs specific tasks and utilizes library scripts which are required for the task with the given platform and firewall utility.
- This document provides some info on the purpose and core options of the main scripts and how they work in tandem.
- The main scripts display "usage" when called with the "-h" option. You can find out about some additional options specific to each script by running it with that option.
## **Overview**
### Main Scripts
- geoip-shell-manage.sh
- geoip-shell-run.sh
- geoip-shell-fetch.sh
- geoip-shell-apply.sh
- geoip-shell-backup.sh
- geoip-shell-cronsetup.sh
### Helper Scripts
**geoip-shell-geoinit.sh**
- This script is sourced from all main scripts. It sets some essential variables, checks for compatible shell, then sources the -lib-common script, then sources the /etc/geoip-shell/geoip-shell.const file which stores some system-specific constants.
**geoip-shell-detect-lan.sh**
This script is only used under specific conditions:
- During initial setup, with whitelist mode, and only if wan interfaces were set to 'all', and LAN subnets were not specified via command line args. geoip-shell then assumes that it is being configured on a host behind a router and firewall, uses this script to detect the LAN subnets and offers the user to add them to the whitelist, and to enable automatic detection of LAN subnets in the future.
- At the time of creating/updating firewall rules, and only if LAN subnets automatic detection is enabled. geoip-shell then re-detects LAN subnets automatically.
### Library Scripts
- lib/geoip-shell-lib-common.sh
- lib/geoip-shell-lib-setup.sh
- lib/geoip-shell-lib-ipt.sh
- lib/geoip-shell-lib-nft.sh
- lib/geoip-shell-lib-status.sh
- lib/geoip-shell-lib-arrays.sh
- lib/geoip-shell-lib-uninstall.sh
The -lib-common script includes a large number of functions used throughout the suite, and assigns some essential variables.
The lib-setup script implements CLI interactive and noninteractive setup and arguments parsing. It is used in the -manage script.
The -lib-status script implements the status report which you can get by issuing the `geoip-shell status` command.
The -ipt and -nft scripts implement support for iptables and nftables, respectively. They are sourced from other scripts which need to interact with the firewall utility directly.
The -lib-arrays script implements a minimal subset of functions emulating the functionality of associative arrays in POSIX-compliant shell. It is used in the -fetch script. It is a part of a larger project implementing much more of the arrays functionality. You can check my other repositories if you are interested.
The -lib-uninstall script has some functions which are used both for uninstallation and for reset if required.
### OpenWrt-specific scripts
- geoip-shell-lib-owrt-common.sh
- geoip-shell-init
- geoip-shell-mk-fw-include.sh
- geoip-shell-fw-include.sh
- geoip-shell-owrt-uninstall.sh
For more information about integration with OpenWrt, read [OpenWrt-README.md](OpenWrt-README.md)
### User interface
After installation, the user interface is provided by running "geoip-shell", which is a symlink to the -manage script.
## **Main scripts in detail**
**geoip-shell-manage.sh**: serves as the main user interface to configure geoip after installation. You can also call it by simply typing `geoip-shell`. As most scripts in this suite, it requires root privileges because it needs to interact with the netfilter kernel component and access the data folder which is only readable and writable by root. Since it serves as the main user interface, it contains a lot of logic to generate a report, parse, validate and initiate actions requested by the user (by calling other scripts as required), check for possible remote machine lockout and warn the user about it, check actions result, update the config and take corrective actions in case of an error. Describing all this is beyond the scope of this document but you can read the code. Sources the lib-status script when generating a status report. Sources lib-setup for some of the arguments parsing logic and interactive dialogs implementation.
`geoip-shell <on|off>` : Enable or disable the geoip blocking chain (via a rule in the base geoip chain)
`geoip-shell <add|remove> [-c <"country_codes">]` :
* Adds or removes the specified country codes to/from the config file.
* Calls the -run script to fetch the ip lists for specified countries and apply them to the firewall (or to remove them).
`geoip-shell status`
* Displays information on the current state of geoip blocking
* For a list of all firewall rules in the geoip chain and for detailed count of ip ranges, run `geoip-shell status -v`.
`geoip-shell restore` : re-fetches and re-applies geoip firewall rules and ip lists as per the config.
`geoip-shell showconfig` : prints the contents of the config file.
`geoip-shell configure [options]` : changes geoip-shell configuration.
Initial configuration is possible either fully interactively (the -manage script gathers all important config via dialog with the user), partially interactively (you provide some command line arguments, the -manage script processes them and if needed, asks you additional questions), or completely non-interactively by calling the -manage script with the `-z` option which will force setup to fail if any required options are missing or invalid. Any sensible combination of the following options is allowed in one command.
**Options for the `geoip-shell configure` command:**
`-m [whitelist|blacklist]`: Change geoip blocking mode.
`-c <"country codes">`: Change which country codes are included in the whitelist/blacklist (this command replaces all country codes with newly specified ones).
`-f <ipv4|ipv6|"ipv4 ipv6">`: Families (defaults to 'ipv4 ipv6'). Use double quotes for multiple families.
`-u [ripe|ipdeny]`: Change ip lists source.
`-i <[ifaces]|auto|all>`: Change which network interfaces geoip firewall rules are applied to. `auto` will attempt to automatically detect WAN network interfaces. `auto` works correctly in **most** cases but not in **every** case. Don't use `auto` if the machine has no dedicated WAN network interfaces. The automatic detection occurs only when manually triggered by the user via this command.
`-l <"[lan_ips]"|auto|none>`: Specify LAN ip's or subnets to exclude from blocking (both ipv4 and ipv6). `auto` will trigger LAN subnets re-detection at every update of the ip lists. When specifying custom ip's or subnets, automatic detection is disabled. This option is only avaiable when using geoip-shell in whitelist mode.
`-t <"[trusted_ips]|none">`: Specify trusted ip's or subnets (anywhere on the Internet) to exclude from geoip blocking (both ipv4 and ipv6).
`-p <[tcp|udp]:[allow|block]:[all|<ports>]>`: Specify ports geoip blocking will apply (or not apply) to, for tcp or udp. To specify ports for both tcp and udp, use the `-p` option twice. For more details, read [NOTES.md](NOTES.md), sections 9-11.
`-r <[user_country_code]|none>` : Specify user's country code. Used to prevent accidental lockout of a remote machine. `none` disables this feature.
`-s <"schedule_expression"|disable>` : Enables automatic ip lists updates and configures the schedule for the periodic cron job which implements this feature. `disable` disables automatic ip lists updates.
`-o <true|false>` : No backup. If set to 'true', geoip-shell will not create a backup of ip lists and firewall rules after applying changes, and will automatically re-fetch ip lists after each reboot. Default is 'true' for OpenWrt, 'false' for all other systems.
`-a <path>` : Set custom path to directory where backups and the status file will be stored. Default is '/tmp/geoip-shell-data' for OpenWrt, '/var/lib/geoip-shell' for all other systems.
`-O <memory|performance>`: Specify optimization policy for nftables sets. By default optimizes for low memory consumption if system RAM is less than 2GiB, otherwise optimizes for performance. This option doesn't work with iptables.
`-z`: Non-interactive setup.
**geoip-shell-run.sh**: Serves as a proxy to call the -fetch, -apply and -backup scripts with arguments required for each action. Executes the requested actions, depending on the config and the command line options, and writes to system log when starting and on action completion (or if any errors encountered). If persistence or autoupdates are enabled, the cron jobs (or on OpenWrt, the firewall include script) call this script with the necessary options. If a non-fatal error is encountered during an automatic update function, the script enters sort of a temporary daemon mode where it will re-try the action (up to a certain number of retries) with increasing time intervals. It also implements some logic to account for unexpected issues encountered during the 'restore' action which runs after system reboot to impelement persistnece, such as a missing backup, and in this situation will automatically change its action from 'restore' to 'update' and try to re-fetch and re-apply the ip lists.
`geoip-shell-run.sh add -l <"list_id [list_id] ... [list_id]">` : Fetches ip lists, loads them into ip sets and applies firewall rules for specified list id's.
A list id has the format of `<country_code>_<family>`. For example, **US_ipv4** and **GB_ipv6** are valid list id's.
`geoip-shell-run.sh remove -l <"list_ids">` : Removes iplists and firewall rules for specified list id's.
`geoip-shell-run.sh update` : Updates the ip sets for list id's that had been previously configured. Intended for triggering from periodic cron jobs.
`geoip-shell-run.sh restore` : Restore previously downloaded lists from backup (skip fetching). Used by the reboot cron job (or by the firewall include on OpenWrt) to implement persistence.
**geoip-shell-fetch.sh**
- Fetches ip lists for given list id's from RIPE or from ipdeny.
- Parses, validates, compiles the downloaded lists, and saves each one to a separate file.
- Implements extensive sanity checks at each stage (fetching, parsing, validating and saving) and handles errors if they occur.
Options:
`-l <"list_ids">` : ip list id's in the format <country_code>_<family> (if specifying multiple list id's, use double quotes)
`-p <path>` : Path to directory where downloaded and compiled subnet lists will be stored.
`-o <output_file>` : Path to output file where fetched list will be stored.
`-s <status_file>` : Path to a status file to register fetch results in.
`-u <ripe|ipdeny>` : Use this ip list source for download. Supported sources: ripe, ipdeny.
Extra options:
`-r` : Raw mode (outputs newline-delimited ip lists rather than nftables-ready ones).
`-f` : Force using fetched lists even if list timestamp didn't change compared to existing list.
**geoip-shell-apply.sh**: directly interfaces with the firewall. Creates or removes ip sets and firewall rules for specified list id's. Sources the lib-ipt or lib-nft library script.
`geoip-shell-apply.sh add -l <"list_ids">` :
- Loads ip list files for specified list id's into ip sets and applies firewall rules required for geoip blocking.
List id has the format of `<country_code>_<family>`. For example, **US_ipv4** and **GB_ipv6** are valid list id's.
`geoip-shell-apply.sh remove -l <"list_ids">` :
- removes ip sets and geoip firewall rules for specified list id's.
**geoip-shell-cronsetup.sh** manages all the cron-related logic and actions. Called by the -manage script. Cron jobs are created based on the settings stored in the config file. Also used to validate cron schedule specified by the user.
**geoip-shell-backup.sh**: Creates backup of current geoip-shell firewall rules and ip sets and current geoip-shell config, or restores them from backup. By default (if you didn't configure geoip-shell with the '-o' option), backup will be created after every change to ip sets in the firewall. Backups are automatically compressed and de-compressed with the best utility available to the system, in this order "bzip2, xz, gzip", or simply "cat" as a fallback if neither is available (which generally should never happen on Linux). Only one backup copy is kept. Sources the lib-ipt or the lib-nft library script.
`geoip-shell-backup.sh create-backup` : Creates backup of geoip-shell ip sets and config.
`geoip-shell-backup.sh restore` : Restores geoip-shell state and config from backup. Used by the *run script to implement persistence. Can be manually used for recovery from fault conditions. If run with option `-n`, does not restore the config and the status files.
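Review bot: the `-o` option text says the no-backup default is `true` on OpenWrt, while the **geoip-shell-backup.sh** paragraph says a backup is created after every change "by default (if you didn't configure geoip-shell with the '-o' option)"; since the Prelude says this file only covers OpenWrt, the backup paragraph should state that backups are off on OpenWrt unless `-o false` is set, otherwise an OpenWrt user will expect a backup that does not exist when they run `geoip-shell-backup.sh restore`. Spelling while at it: "numer", "avaiable", "impelement persistnece", and "ip's" / "id's" used as plurals throughout.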

162
net/geoip-shell/Makefile Normal file
View File

@ -0,0 +1,162 @@
# Copyright 2024 friendly-bits, antonk (antonk.d3v@gmail.com)
# This is free software, licensed under the GNU General Public License v3.
include $(TOPDIR)/rules.mk
PKG_NAME:=geoip-shell
PKG_VERSION:=0.5.2
PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=antonk <antonk.d3v@gmail.com>
PKG_SOURCE_PROTO:=git
PKG_SOURCE_VERSION:=db8bbf4ce04094843beea1b1aa4fbceb0d35688d
PKG_SOURCE_URL:=https://github.com/friendly-bits/geoip-shell-openwrt.git
PKG_MIRROR_HASH:=4b0b90a936b8e9b476a0b85bd2100fcc4d1da25cd6929c0bcc282ae7ff137e9f
include $(INCLUDE_DIR)/package.mk
define Package/geoip-shell/Default
CATEGORY:=Network
TITLE:=Flexible geoip blocker
URL:=https://github.com/friendly-bits/geoip-shell
MAINTAINER:=antonk <antonk.d3v@gmail.com>
DEPENDS:=+ca-bundle
PROVIDES:=geoip-shell
PKGARCH:=all
endef
define Package/geoip-shell
$(call Package/geoip-shell/Default)
TITLE+= with nftables support
DEPENDS+= +kmod-nft-core +nftables +firewall4
DEFAULT_VARIANT:=1
VARIANT:=nftables
endef
define Package/geoip-shell-iptables
$(call Package/geoip-shell/Default)
TITLE+= with iptables support
DEPENDS+= +kmod-ipt-ipset +IPV6:ip6tables +iptables +ipset
VARIANT:=iptables
CONFLICTS:=geoip-shell firewall4
endef
define Package/geoip-shell/description/Default
Flexible geoip blocker with a user-friendly command line interface (currently no LuCi interface).
For readme, please see
https://github.com/openwrt/packages/blob/master/net/geoip-shell/OpenWrt-README.md
endef
define Package/geoip-shell/description
$(call Package/geoip-shell/description/Default)
endef
define Package/geoip-shell-iptables/description
$(call Package/geoip-shell/description/Default)
endef
define Package/geoip-shell/postinst/Default
#!/bin/sh
rm "/usr/bin/geoip-shell" 2>/dev/null
ln -s "/usr/bin/geoip-shell-manage.sh" "/usr/bin/geoip-shell"
[ -s "/etc/geoip-shell/geoip-shell.conf" ] && /usr/bin/geoip-shell configure -z && exit 0
logger -s -t "geoip-shell" "Please run 'geoip-shell configure' to complete the setup."
exit 0
endef
define Package/geoip-shell/postinst
$(call Package/geoip-shell/postinst/Default)
endef
define Package/geoip-shell-iptables/postinst
$(call Package/geoip-shell/postinst/Default)
endef
define Package/geoip-shell/prerm/Default
#!/bin/sh
sh /usr/lib/geoip-shell/geoip-shell-owrt-uninstall.sh
exit 0
endef
define Package/geoip-shell/prerm
$(call Package/geoip-shell/prerm/Default)
endef
define Package/geoip-shell-iptables/prerm
$(call Package/geoip-shell/prerm/Default)
endef
define Package/geoip-shell/postrm
#!/bin/sh
sleep 1
echo "Reloading the firewall..."
fw4 -q reload
exit 0
endef
define Package/geoip-shell-iptables/postrm
#!/bin/sh
sleep 1
echo "Reloading the firewall..."
fw3 -q reload
exit 0
endef
define Build/Configure
endef
define Build/Compile
endef
define Package/geoip-shell/install/Default
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) $(PKG_BUILD_DIR)/etc/init.d/geoip-shell-init $(1)/etc/init.d
$(INSTALL_DIR) $(1)/etc/geoip-shell
$(INSTALL_CONF) $(PKG_BUILD_DIR)/etc/geoip-shell/cca2.list $(1)/etc/geoip-shell
$(INSTALL_CONF) $(PKG_BUILD_DIR)/etc/geoip-shell/geoip-shell.const $(1)/etc/geoip-shell
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-fetch.sh $(1)/usr/bin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-fw-include.sh $(1)/usr/bin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-backup.sh $(1)/usr/bin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-geoinit.sh $(1)/usr/bin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-run.sh $(1)/usr/bin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-mk-fw-include.sh $(1)/usr/bin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-manage.sh $(1)/usr/bin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-apply.sh $(1)/usr/bin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-detect-lan.sh $(1)/usr/bin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-cronsetup.sh $(1)/usr/bin
$(INSTALL_DIR) $(1)/usr/lib/geoip-shell
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-status.sh $(1)/usr/lib/geoip-shell
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-owrt-common.sh $(1)/usr/lib/geoip-shell
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-common.sh $(1)/usr/lib/geoip-shell
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-owrt-uninstall.sh $(1)/usr/lib/geoip-shell
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-arrays.sh $(1)/usr/lib/geoip-shell
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-setup.sh $(1)/usr/lib/geoip-shell
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-uninstall.sh $(1)/usr/lib/geoip-shell
endef
define Package/geoip-shell/install
$(call Package/geoip-shell/install/Default,$(1))
$(INSTALL_DIR) $(1)/usr/lib/geoip-shell
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-nft.sh $(1)/usr/lib/geoip-shell
endef
define Package/geoip-shell-iptables/install
$(call Package/geoip-shell/install/Default,$(1))
$(INSTALL_DIR) $(1)/usr/lib/geoip-shell
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-ipt.sh $(1)/usr/lib/geoip-shell
endef
$(eval $(call BuildPackage,geoip-shell))
$(eval $(call BuildPackage,geoip-shell-iptables))
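Review bot: the library scripts under `/usr/lib/geoip-shell` in the `install/Default`, `geoip-shell/install` and `geoip-shell-iptables/install` recipes are installed with `$(INSTALL_CONF)`, which is OpenWrt's 0600 mode for configuration files; for scripts that are sourced (and, in the case of `geoip-shell-owrt-uninstall.sh`, executed with `sh` from `prerm`) the conventional macro is `$(INSTALL_DATA)` (0644), with `$(INSTALL_CONF)` kept for the files under `/etc/geoip-shell` that the user is expected to edit. It works today only because every caller runs as root. Separately, both `postrm` recipes run `fw4 -q reload` / `fw3 -q reload` after an unconditional `sleep 1`; these hooks also run at image-build time where no firewall is running, so guard them with the usual `[ -n "$${IPKG_INSTROOT}" ] || fw4 -q reload` pattern, and add a comment saying what the one-second sleep waits for.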

net/geoip-shell/NOTES.md Normal file

@ -0,0 +1,108 @@
## **Notes**
1) On OpenWrt, geoip-shell expects that the default shell (called by the `sh` command) is _ash_, and the automatic shell detection feature implemented for other platforms is disabled on OpenWrt.
2) Firewall rules structure created by geoip-shell:
<details> <summary>Read more:</summary>
### **iptables**
- With **iptables**, all firewall rules created by geoip-shell are in the table `mangle`. The reason to use `mangle` is that this table has a built-in chain called `PREROUTING` which is attached to the `prerouting` hook in the netfilter kernel component. Via a rule in this chain, geoip-shell creates one set of rules which applies to all ingress traffic for a given ip family, rather than having to create and maintain separate rules for chains INPUT and FORWARDING which would be possible in the default `filter` table.
- This also means that any rules you might have in the `filter` table will only see traffic which is allowed by geoip-shell rules, which may reduce the CPU load as a side-effect.
- Note that **iptables** features separate tables for ipv4 and ipv6, hence geoip-shell creates separate rules for each family (unless the user restricts geoip-shell to a certain family during installation).
- Inside the table `mangle`, geoip-shell creates the custom chain `GEOIP-SHELL` and redirects traffic to it via a rule in the `PREROUTING` chain. geoip-shell calls that rule the "enable" rule which can be removed or re-added on-demand with the commands `geoip-shell on` and `geoip-shell off`. If the "enable" rule is not present, system firewall will act as if all other geoip-shell rules (for a given ip family) are not present.
- If specific network interfaces were set during installation, the "enable" rule directs traffic to a 2nd custom chain `GEOIP-SHELL_WAN` rather than to the `GEOIP-SHELL` chain. geoip-shell creates rules in the `GEOIP-SHELL_WAN` chain which selectively direct traffic only from the specified network interfaces to the `GEOIP-SHELL` chain.
- With iptables, geoip-shell removes the "enable" rule before making any changes to the ip sets and rules, and re-adds it once the changes have been successfully made. This is a precaution measure intended to minimize any chance of potential problems. Typically ip list updates do not take more than a few seconds, and on reasonably fast systems less than a second, so the time when geoip blocking is not enabled is typically very brief.
### **nftables**
- With **nftables**, all firewall rules created by geoip-shell are in the table named `geoip-shell`, family "inet", which is a term nftables uses for tables applying to both ip families. The `geoip-shell` table includes rules for both ip families and any nftables sets geoip-shell creates. geoip-shell creates 2 chains in that table: `GEOIP-BASE` and `GEOIP-SHELL`. The base chain attaches to netfilter's `prerouting` hook and has a rule which directs traffic to the `GEOIP-SHELL` chain. That rule is the geoip-shell "enable" rule for nftables-based systems which acts exactly like the "enable" rule in the iptables-based systems, except it applies to both ip families.
- **nftables** allows for more control over which network interfaces each rule applies to, so when certain network interfaces are specified during initial setup, geoip-shell specifies these interfaces directly in the rules inside the `GEOIP-SHELL` chain, and so (contrary to iptables-based systems) there is no need in an additional chain.
- **nftables** features atomic rules updates, meaning that when issuing multiple nftables commands at once, if any command fails, all changes get cancelled and the system remains in the same state as before. geoip-shell utilizes this feature for fault-tolerance and to completely eliminate time when geoip blocking is disabled during an update of the sets or rules.
- **nftables** current version (up to 1.0.8 and probably 1.0.9) has some bugs related to unnecessarily high transient memory consumption when performing certain actions, including adding new sets. These bugs are known and for the most part, already have patches implemented which should eventually roll out to the distributions. This mostly matters for embedded hardware with less than 512MB of memory. geoip-shell works around these bugs as much as possible. One of the workarounds is to avoid using the atomic replacement feature for nftables sets. Instead, when updating sets, geoip-shell first adds new sets one by one, then atomically applies all other changes, including rules changes and removing the old sets. In case of an error during any stage of this process, all changes get cancelled, old rules and sets remain in place and geoip-shell then destroys the new sets. This is less efficient but with current versions of nftables, this actually lowers the minimum memory bar for the embedded devices. Once a new version of nftables will be rolled out to the distros, geoip-shell will adapt the algorithm accordingly.
### **nftables and iptables**
- With both **nftables** and **iptables**, geoip-shell goes a long way to make sure that firewall rules and ip sets are correct and matching the user-defined config. Automatic corrective mechanisms are implemented which should restore geoip-shell firewall rules in case they do not match the config (which normally should never happen).
- geoip-shell implements rules and ip sets "tagging" to distinguish between its own rules and other rules and sets. This way, geoip-shell never makes any changes to any rules or sets which geoip-shell did not create.
- When uninstalling, geoip-shell removes all its rules, chains and ip sets.
</details>
3) geoip-shell uses RIPE as the default source for ip lists. RIPE is a regional registry, and as such, is expected to stay online and free for the foreseeable future. However, RIPE may be fairly slow in some regions. For that reason, I implemented support for fetching ip lists from ipdeny. ipdeny provides aggregated ip lists, meaning in short that there are less entries for same effective geoip blocking, so the machine which these lists are installed on has to do less work when processing incoming connection requests. All ip lists the suite fetches from ipdeny are aggregated lists.
4) The script intended as user interface is **geoip-shell-manage.sh** (also called by running **geoip-shell**).
5) How to manually check firewall rules created by geoip-shell:
- With nftables: `nft -t list table inet geoip-shell`. This will display all geoip-shell rules and sets.
- With iptables: `iptables -vL -t mangle` and `ip6tables -vL -t mangle`. This will report all geoip-shell rules. To check ipsets created by geoip-shell, use `ipset list -n | grep geoip-shell`. For a more detailed view, use this command: `ipset list -t`.
6) The run, fetch and apply scripts write to syslog in case an error occurs. The run and fetch scripts also write to syslog upon success. To verify that cron jobs ran successfully, on Debian and derivatives run `cat /var/log/syslog | grep geoip-shell`. On other distributions, you may need to figure out how to access the syslog.
7) These scripts will not run in the background consuming resources (except for a short time when triggered by the cron jobs). All the actual blocking is done by the netfilter component in the kernel. The scripts offer an easy and relatively fool-proof interface with netfilter, config persistence, automated ip lists fetching and auto-update.
8) Sometimes ip list source servers are temporarily unavailable and if you're unlucky enough to attempt installation during that time frame, the fetch script will fail which will cause the installation to fail as well. Try again after some time or use another source. Once the installation succeeds, an occasional fetch failure during autoupdate won't cause any issues as last successfully fetched ip list will be used until the next autoupdate cycle succeeds.
9) How to geoblock or allow specific ports (applies to the _-install_ and _-manage_ scripts).
The general syntax is: `-p <[tcp|udp]:[allow|block]:[all|<ports>]>`
Where `ports` may be any combination of comma-separated individual ports or port ranges (for example: `125-130` or `5,6` or `3,140-145,8`).
You can use the `-p` option twice to cover both tcp and udp, for example: `-p tcp:allow:22,23 -p udp:block:128-256,3`
Examples with the -install script:
`sh geoip-shell-install -c de -m whitelist -p tcp:allow:125-135,7` - for tcp, allow incoming traffic on ports 125-135 and 7, geoblock incoming traffic on other tcp ports (doesn't affect UDP traffic)
`sh geoip-shell-install -c de -m blacklist -p udp:allow:3,15-20,1024-2048` - for udp, allow incoming traffic on ports 15-20 and 3, geoblock all other incoming udp traffic (doesn't affect TCP traffic)
Examples with the -manage script (also called via 'geoip-shell' after installation) :
`geoip-shell configure -p tcp:block:all` - for tcp, geoblock all ports (default behavior)
`geoip-shell configure -p udp:allow:all` - for udp, don't geoblock any ports (completely disables geoblocking for udp)
`geoip-shell configure -p tcp:block:125-135,7` - for tcp, only geoblock incoming traffic on ports 125-135 and 7, allow incoming traffic on all other tcp ports
10) How to remove specific ports assignment:
use `-p [tcp|udp]:block:all`.
Example: `geoip-shell configure -p tcp:block:all` will remove prior port-specific rules for the tcp protocol. All tcp packets on all ports will now go through geoip filter.
11) How to make all packets for a specific protocol bypass geoip blocking:
use `p [tcp|udp]:allow:all`
Example: `geoip-shell configure -p udp:allow:all` will allow all udp packets on all ports to bypass the geoip filter.
12) Firewall rules persistence, as well as automatic list updates, is implemented via cron jobs: a periodic job running by default on a daily schedule, and a job that runs at system reboot (after 30 seconds delay). Either or both cron jobs can be disabled (run the *install script with the -h option to find out how, or read [DETAILS.md](DETAILS.md)). On OpenWrt, persistence is implemented via an init script and a firewall include rather than via a cron job.
13) You can specify a custom schedule for the periodic cron job by passing an argument to the install script. Run it with the '-h' option for more info.
14) If you want to change the autoumatic update schedule but you don't know the crontab expression syntax, check out https://crontab.guru/ (no affiliation). geoip-shell includes a script which validates cron expressions you request, so don't worry about making a mistake.
15) Note that cron jobs will be run as root.
16) If you have nftables installed but for some reason you are using iptables rules (via the nft_compat kernel module which is provided by packages like nft-iptables etc), you can and probably should install geoip-shell with the option `-w ipt` which will force it to use iptables+ipset. For example: `geoip-shell install -w ipt`.
17) If you upgrade your system from iptables to nftables, you can either re-install geoip-shell and it will then automatically use nftables, or you can use this command without reinstalling: `geoip-shell configure -w nft`, which will remove all iptables rules and ipsets and re-create nftables rules and sets based on your existing config. If you are on OpenWrt, this does not apply: instead, you will need to install the geoip-shell package for nftables-based OpenWrt.
18) To test before deployment:
<details> <summary>Read more:</summary>
- You can run the install script with the "-N true" (N stands for noblock) option to apply all actions and create all firewall rules except the geoip-shell "enable" rule. This way you can make sure that no errors are encountered and check the resulting firewall rules before committing to actual blocking. To enable blocking later, use the command `geoip-shell on`.
- You can run the install script with the "-n true" (n stands for nopersistence) option to skip creating the reboot cron job which implements persistence and with the '-s disable' option to skip creating the autoupdate cron job. This way, a simple machine restart should undo all changes made to the firewall (unless you have some software which restores firewall settings after reboot). For example: `sh geoip-shell-install -c <country_code> -m whitelist -n true -s disable`. To enable persistence and automatic updates later, reinstall without both options.
</details>
19) How to get yourself locked out of your remote server and how to prevent this:
<details> <summary>Read more:</summary>
There are 4 scenarios where you can lock yourself out of your remote server with this suite:
- install in whitelist mode without including your country in the whitelist
- install in whitelist mode and later remove your country from the whitelist
- blacklist your country (either during installation or later)
- your remote machine has no dedicated WAN interfaces (it is behind a router) and you incorrectly specified LAN subnets the machine belongs to
As to the first 3 scenarios, the -manage script will warn you in each of these situations and wait for your input (you can press Y and do it anyway), but that depends on you correctly specifying your country code during installation. The -install script will ask you about it. If you prefer, you can skip by pressing Enter - that will disable this feature. If you do provide the -install script your country code, it will be added to the config file on your machine and the -manage script will read the value and perform the necessary checks, during installation or later when you want to make changes to the blacklist/whitelist.
As to the 4th scenario, geoip-shell implements LAN subnets automatic detection and asks you to verify that the detected LAN subnets are correct. If you are not sure how to verify this, reading the [SETUP.md](SETUP.md) file should help. Read the documentation, follow it and you should be fine. If you specify your own LAN ip addresses or subnets (rather than using the automatically detected ones), geoip-shell validates them, meaning it makes sure that they appear to be valid by checking them with regex, and asking the kernel. This does not prevent a situation where you provide technically valid ip's/subnets which however are not actually used in the LAN your machine belongs to. So double-check. Also note that LAN subnets **may** change in the future, for example if someone changes some config in the router or replaces the router etc. For this reason, when installing the suite for **all** network interfaces, the -install script offers to enable automatic detection of LAN subnets at each periodic update. If for some reason you do not enable this feature, you will need to make the necessary precautions when changing LAN subnets your remote machine belongs to.
As an additional measure, during installation you can specify trusted ip addresses anywhere on the Internet which will not be geoblocked, so in case something goes very wrong, you will be able to regain access to the remote machine. This does require to have a known static public ip address or subnet. To specify ip's, call the install script with this option: `-t <"[trusted_ips]">`.
</details>
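Review bot: item 11 tells the user to `use \`p [tcp|udp]:allow:all\``, dropping the dash; it should read `-p [tcp|udp]:allow:all` to match the syntax in items 9 and 10 and the example on the following line. Two smaller documentation points in the same hunk: item 6 only shows `cat /var/log/syslog | grep geoip-shell` for checking that the cron jobs ran, but this file ships in the OpenWrt package, where syslog is read with `logread | grep geoip-shell`, so that command belongs here rather than "you may need to figure out how to access the syslog"; and item 14 has `autoumatic`.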


@ -0,0 +1,52 @@
## geoip-shell on OpenWrt
Currently geoip-shell fully supports OpenWrt, both with firewall3 + iptables and with firewall4 + nftables, while providing the same user interface and features as on any other Linux system. So usage is the same as described in the main [README.md](README.md) file, while some parts of the backend (namely persistence implementation), some defaults and the location of the data directory are different.
The _geoip-shell-iptables_ package is for firewall3+iptables OpenWrt systems, while the _geoip-shell_ package is for firewall4+nftables OpenWrt systems.
A LuCi interface has not been implemented (yet). As on any other Linux system, all user interface is via a command line (but my goal is to make this an easy experience regardless). If this discourages you from using geoip-shell, please let me know. A few people asking for this feature may motivate me to prioritize it.
## Usage after installation via ipk
After installing the ipk package, geoip-shell will be inactive until you configure it. To do so, run `geoip-shell configure` and follow the interactive setup. You can also run `geoip-shell -h` before that to find out about configuration options and then append certain options after the `configure` action, for example: `geoip-shell configure -c "de nl" -m whitelist` to configure geoip-shell in whitelist mode for countries Germany and Netherlands. The interactive setup will ask you about all the important options but some niche options are only available non-interactively (for example if you want to configure geoblocking for certain selection of ports). You can always change these settings after initial configuration via the same `geoip-shell configure` command.
## Uninstallation of geoip-shell if installed via ipk
- For nftables-based systems: `opkg remove geoip-shell`
- For iptables-based systems: `opkg remove geoip-shell-iptables`
## Resources management on OpenWrt
Because OpenWrt typically runs on embedded devices with limited memory and very small flash storage, geoip-shell implements some techniques to conserve these resources as much as possible:
- During installation on OpenWrt, comments and the debug code are stripped from the scripts to reduce their size.
- Only the required modules are installed, depending on the system (iptables- or nftables- based).
- I've researched the most memory-efficient way for loading ip lists into nftables sets. Currently, nftables has some bugs related to this process which may cause unnecessarily high memory consumption. geoip-shell works around these bugs as much as possible.
- To avoid unnecessary flash storage wear, all filesystem-related tasks geoip-shell does which do not require permanent storage are done in the /tmp directory which in the typical OpenWrt installation is mounted on the ramdisk.
- Some defaults on OpenWrt are different to further minimize flash storage wear (read below).
### Scripts size
Typical geoip-shell installation on an OpenWrt system currently consumes around 120kB. The distribution folder itself weighs quite a bit more (mainly because of documentation) but you can install via an ipk which doesn't remain in storage after installation, or if installing via the -install script, delete the distribution folder and free up space taken by it. geoip-shell does not install its documentation into the system.
I have some plans to reduce that size by compressing certain scripts which provide user interface and implementing automatic extraction to /tmp when the user wants to access them, but this is not yet implemented.
To view all installed geoip-shell scripts in your system and their sizes, run `ls -lh /usr/bin/geoip-shell-* /usr/lib/geoip-shell/*`.
## Persistence on OpenWrt
- Persistence of geoip firewall rules and ip sets works differenetly on OpenWrt than on other Linuxes, since geoip-shell has an OpenWrt-specific procd init script.
- The cron job which implements persistence on other Linuxes and runs at reboot is not created on OpenWrt.
- geoip-shell integrates into firewall3 or firewall4 via what's called a "firewall include". On OpenWrt, a firewall include is a setting which tells firewall3 or firewall4 to do something specific in response to certain events.
- The only task of the init script for geoip-shell is to call the geoip-shell-mk-fw-include.sh script, which makes sure that the firewall include exists and is correct, if not then creates the include.
- The firewall include is what does the actual persistence work. geoip-shell firewall include triggers on firewall reload (which happens either at reboot or when the system decides that a reload of the firewall is necessary, or when initiated by the user).
- When triggered, the include script calls the -run script with the "restore" action.
- The -run script verifies that geoip nftables/iptables rules and ip sets exist, and if not then it restores them from backup, or (if backup doesn't exist) initiates re-fetch of the ip lists and then re-creates the rules and the ip sets.
- By default, geoip-shell does not create backups on OpenWrt because typically the permanent storage is very small and prone to wear.
- Automatic updates of ip lists on OpenWrt are triggered from a cron job like on other Linuxes.
## Defaults for OpenWrt
Generally the defaults are the same as for other systems, except:
- the data directory which geoip-shell uses to store the status file and the backups is by default in `/tmp/geoip-shell-data`, rather than in `/var/lib/geoip-shell` as on other Linux systems. This is to avoid flash wear. You can change this by running the install script with the `-a <path>` option, or after installation via the command `geoip-shell configure -a <path>`.
- the 'nobackup' option is set to 'true', which configures geoip-shell to not create backups of the ip lists. With this option, geoip-shell will work as usual, except after reboot (and for iptables-based systems, after firewall restart) it will re-fetch the ip lists, rather than loading them from backup. You can change this by running the -install script with the `-o false` option (`-o` stands for nobackup), or after installation via the command `geoip-shell configure -o false`. To have persistent ip list backups, you will also need to change the data directory path as explained above.
- if using geoip-shell on a router with just a few MB of embedded flash storage, consider either leaving the nobackup and datadir path defaults as is, or connecting an external storage device to your router (preferably formatted to ext4) and configuring a directory on it as your geoip-shell data directory, then enabling automatic backups. For example, if your external storage device is mounted on _/mnt/somedevice_, you can do all this via this command: `geoip-shell configure -a /mnt/somedevice/geoip-shell-data -o false`.
- the default ip lists source for OpenWrt is ipdeny (rather than ripe). While ipdeny is a 3rd party, they provide aggregated lists which consume less memory (on nftables-based systems the ip lists are automatically optimized after loading into memory, so there the source does not matter, but a smaller initial ip lists size will cause a smaller memory consumption spike while loading the ip list).
This is about it for this document. Much more information is available in the main [README.md](README.md) and in the extra _.md_ files inside the Documentation directory. If you have any questions, contact me in this thread:
https://forum.openwrt.org/t/geoip-shell-flexible-geoip-blocker-for-linux-now-supports-openwrt/189611
If you use this project, I will be happy to hear about your experience in the above thread. If for some reason geoip-shell is not working for you, I will want to know that as well so I can improve it.
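Review bot: the "Defaults for OpenWrt" section says that with `nobackup` set and the data directory in `/tmp`, geoip-shell "will re-fetch the ip lists" after every reboot, but neither this section nor "Persistence on OpenWrt" says what the -run script's `restore` action does when that fetch fails (WAN not yet up when the firewall include fires, or the list source being down, which NOTES.md item 8 describes as routine). In whitelist mode that answer decides whether the host comes up open or locked; please document it next to the `-o false` paragraph and recommend the external-storage variant for whitelist deployments. Typos in the same hunk: `differenetly` in the persistence section, and `LuCi` (the project spells it LuCI).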

net/geoip-shell/README.md Normal file

@ -0,0 +1,144 @@
# **geoip-shell**
Geoip blocker for Linux. Supports both **nftables** and **iptables** firewall management utilities.
The idea of this project is making geoip blocking easy on (almost) any Linux system, no matter which hardware, including desktop, server, VPS or router, while also being reliable and providing flexible configuration options for the advanced users.
Supports running on OpenWrt. Supports ipv4 and ipv6.
## Table of contents
- [Main Features](#main-features)
- [Usage](#usage)
- [Pre-requisites](#pre-requisites)
- [Notes](#notes)
- [In detail](#in-detail)
- [OpenWrt](#openwrt)
- [Privacy](#privacy)
## **Main Features**
* Core functionality is creating either a whitelist or a blacklist in the firewall using automatically downloaded ip lists for user-specified countries.
* ip lists are fetched either from **RIPE** (regional Internet registry for Europe, the Middle East and parts of Central Asia) or from **ipdeny**. Both sources provide updated ip lists for all regions.
* All firewall rules and ip sets required for geoip blocking to work are created automatically during installation or setup.
* Implements optional (enabled by default) persistence of geoip blocking across system reboots and automatic updates of the ip lists.
* After installation, a utility is provided to check geoip status and firewall rules or change country codes and geoip-related config.
### **Reliability**:
- Downloaded ip lists go through validation which safeguards against application of corrupted or incomplete lists to the firewall.
<details> <summary>Read more:</summary>
- With nftables, utilizes nftables atomic rules replacement to make the interaction with the system firewall fault-tolerant and to completely eliminate time when geoip is disabled during an automatic update.
- All scripts perform extensive error detection and handling.
- All user input is validated to reduce the chance of accidental mistakes.
- Verifies firewall rules coherence after each action.
- Automatic backup of geoip-shell state (optional, enabled by default except on OpenWrt).
- Automatic recovery of geoip-shell firewall rules after a reboot (a.k.a persistence) or in case of unexpected errors.
- Supports specifying trusted ip addresses anywhere on the Internet which will bypass geoip blocking to make it easier to regain access to the machine if something goes wrong.
</details>
### **Efficiency**:
- Utilizes the native nftables sets (or, with iptables, the ipset utility) which allows to create efficient firewall rules with thousands of ip ranges.
<details><summary>Read more:</summary>
- With nftables, optimizes geoip blocking for low memory consumption or for performance, depending on the RAM capacity of the machine and on user preference. With iptables, automatic optimization is implemented.
- Ip list parsing and validation are implemented through efficient regex processing which is very quick even on slow embedded CPU's.
- Implements smart update of ip lists via data timestamp checks, which avoids unnecessary downloads and reconfiguration of the firewall.
- Uses the "prerouting" hook in kernel's netfilter component which shortens the path unwanted packets travel in the system and may reduce the CPU load if any additional firewall rules process incoming traffic down the line.
- Supports the 'ipdeny' source which provides aggregated ip lists (useful for embedded devices with limited memory).
- Scripts are only active for a short time when invoked either directly by the user or by the init script/reboot cron job/update cron job.
</details>
### **User-friendliness**:
- Good command line interface and useful console messages.
<details><summary>Read more:</summary>
- Extensive and (usually) up-to-date documentation.
- Sane settings are applied during installation by default, but also lots of command-line options for advanced users or for special corner cases are provided.
- Provides a utility (symlinked to _'geoip-shell'_) for the user to change geoip config (turn geoip on or off, change country codes, change geoip blocking mode, change ip lists source, change the cron schedule etc).
- Provides a command _('geoip-shell status')_ to check geoip blocking status, which also reports if there are any issues.
- In case of an error or invalid user input, provides useful error messages to help with troubleshooting.
- All main scripts display detailed 'usage' info when executed with the '-h' option.
- The code should be fairly easy to read and includes a healthy amount of comments.
</details>
### **Compatibility**:
- Since the project is written in POSIX-compliant shell code, it is compatible with virtually every Linux system (as long as it has the [pre-requisites](#pre-requisites)). It even works well on simple embedded routers with 8MB of flash storage and 128MB of memory (for nftables, 256MB is recommended if using large ip lists such as the one for US until the nftables team releases a fix reducing memory consumption).
<details><summary>Read more:</summary>
- Supports running on OpenWrt.
- The project avoids using non-common utilities by implementing their functionality in custom shell code, which makes it faster and compatible with a wider range of systems.
</details>
## **Usage**
If you want to change geoip blocking config or check geoip blocking status, you can do that via the provided utilities.
A selection of options is given here, for additional options run `geoip-shell -h` or read [NOTES.md](NOTES.md)and [DETAILS.md](DETAILS.md).
**To check current geoip blocking status:** `geoip-shell status`. For a list of all firewall rules in the geoip chain and for a detailed count of ip ranges in each ip list: `geoip-shell status -v`.
**To add or remove ip lists for countries:** `geoip-shell <add|remove> -c <"country_codes">`
_<details><summary>Examples:</summary>_
- example (to add ip lists for Germany and Netherlands): `geoip-shell add -c "DE NL"`
- example (to remove the ip list for Germany): `geoip-shell remove -c DE`
</details>
**To enable or disable geoip blocking:** `geoip-shell <on|off>`
**To change ip lists source:** `geoip-shell configure -u <ripe|ipdeny>`
**To change geoip blocking mode:** `geoip-shell configure -m <whitelist|blacklist>`
**To have certain trusted ip addresses or subnets bypass geoip blocking:** `geoip-shell configure -t <["ip_addresses"]|none>`. `none` removes previously set trusted ip addresses.
**To have certain LAN ip addresses or subnets bypass geoip blocking:** `geoip-shell configure -l <["ip_addresses"]|auto|none>`. `auto` will automatically detect LAN subnets (only use this if the machine has no dedicated WAN interfaces). `none` removes previously set LAN ip addresses. This is only needed when using geoip-shell in whitelist mode, and typically only if the machine has no dedicated WAN network interfaces. Otherwise you should apply geoip blocking only to those WAN interfaces, so traffic from your LAN to the machine will bypass the geoip filter.
**To change protocols and ports geoblocking applies to:** `geoip-shell configure -p <[tcp|udp]:[allow|block]:[all|<ports>]>`
_(for detailed description of this feature, read [NOTES.md](NOTES.md), sections 9-11)_
**To enable or change the automatic update schedule:** `geoip-shell configure -s <"schedule_expression">`
_<details><summary>Example</summary>_
`geoip-shell configure -s "1 4 * * *"`
</details>
**To disable automatic updates of ip lists:** `geoip-shell configure -s disable`
**To update or re-install geoip-shell:** run the -install script from the (updated) distribution directory. It will first run the -uninstall script of the older/existing version, then install the new version.
On OpenWrt, if installed via an ipk package: `opkg uninstall <geoip-shell|geoip-shell-iptables>`
## **Pre-requisites**
- **Linux**. Tested on Debian-like systems and on OPENWRT, should work on any desktop/server distribution and possibly on some other embedded distributions.
- **POSIX-compliant shell**. Works on most relatively modern shells, including **bash**, **dash**, **ksh93**, **yash** and **ash** (including Busybox **ash**). Likely works on **mksh** and **lksh**. Other flavors of **ksh** may or may not work _(please let me know if you try them)_. Does **not** work on **tcsh** and **zsh**.
- **nftables** - firewall management utility. Supports nftables 1.0.2 and higher (may work with earlier versions but I do not test with them).
- OR **iptables** - firewall management utility. Should work with any relatively modern version.
- for **iptables**, requires the **ipset** utility - install it using your distribution's package manager
- standard Unix utilities including **tr**, **cut**, **sort**, **wc**, **awk**, **sed**, **grep**, **pgrep**, **pidof** and **logger** which are included with every server/desktop linux distribution (and with OpenWrt). Both GNU and non-GNU versions are supported, including BusyBox implementation.
- **wget** or **curl** or **uclient-fetch** (OpenWRT-specific utility).
- for the autoupdate functionality, requires the **cron** service to be enabled.
## **Notes**
For some helpful notes about using this suite, read [NOTES.md](NOTES.md).
## **In detail**
For specifics about each script, read [DETAILS.md](DETAILS.md).
## **OpenWrt**
For information about OpenWrt support, read the [OpenWrt README](OpenWrt-README.md).
## **Privacy**
geoip-shell does not share your data with anyone.
If you are using the ipdeny source then note that they are a 3rd party which has its own data privacy policy.
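Review bot: `opkg uninstall` is not an opkg subcommand; the line "On OpenWrt, if installed via an ipk package: `opkg uninstall <geoip-shell|geoip-shell-iptables>`" should read `opkg remove <geoip-shell|geoip-shell-iptables>`. That sentence also sits under the "update or re-install" heading while describing removal; say explicitly whether an OpenWrt update is expected to go through the package manager instead of the -install script. Minor: "OPENWRT" and "OpenWRT" in the Pre-requisites list should be spelled "OpenWrt" as elsewhere in the file.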

60
net/geoip-shell/SETUP.md Normal file
View File

@ -0,0 +1,60 @@
## Notes about questions asked during the initial setup
### **'Please enter your country code':**
If you answer this question, the _-manage_ script will check that changes in ip lists which you request to make will not block your own country and warn you if they will. This applies both to the initial setup, and to any subsequent changes to the ip lists which you may want to make in the future. The idea behind this is to make this tool as fool-proof as possible. This information is written to the geoip-shell config file (only readable by root) on your device and geoip-shell does not send it anywhere. You can remove this config entry any time via the command `geoip-shell configure -r none`. You can skip the question by pressing Enter if you wish.
### **'Does this machine have dedicated WAN interface(s)? [y|n]':**
Answering this question is mandatory because the firewall is configured differently, depending on the answer. Answering it incorrectly may cause unexpected results, including having no geoip blocking or losing remote access to your machine.
A machine may have dedicated WAN network interfaces if it's a router or in certain cases a VPS (virtual private server). When geoip-shell is configured to work with certain network interfaces, geoip firewall rules are applied only to traffic arriving from these interfaces, and all other traffic is left alone.
Otherwise, geoip rules are applied to traffic arriving from all network interfaces, except the loopback interface. Besides that, when geoip-shell is installed in whitelist mode and you picked `n` in this question, additional firewall rules may be created which add LAN subnets or ip's to the whitelist in order to avoid blocking them (you can approve or configure that on the next step of the installation). This does not guarantee that your LAN subnets will not be blocked by another rule in another table, and in fact, if you prefer to block some of them then having them in whitelist will not matter. This is because while the 'drop' verdict is final, the 'accept' verdict is not.
### **'Autodetected ipvX LAN subnets: ... [c]onfirm, c[h]ange, [s]kip or [a]bort?'**
You will see this question if installing the suite in whitelist mode and you chose `n` in the previous question. The reason why under these conditions this question is asked is to avoid blocking your LAN from accessing your machine.
If you are absolutely sure that you will not need to access the machine from the LAN then you can type in 's' to skip.
Otherwise I recommend to add LAN subnets to the whitelist. You can either confirm the automatically detected subnets, or specify any combination of ip's and subnets on your LAN which you wish to allow connections from.
The autodetection code should, in most cases, detect correct LAN subnets. However, it is up to you to verify that it's done its job correctly.
One way to do that is by typing in 'c' to confirm and once installation completes, verifying that you can still access the machine from LAN (note that if you have an active connection to that machine, for example through SSH, it will likely continue to work until disconnection even if autodetection of LAN subnets did not work out correctly).
Of course, this is risky in cases where you do not have physical access to the machine.
Another way to do that is by checking which ip address you need to access the machine from, and then verifying that said ip address is included in one of the autodetected subnets. For example, if your other machine's ip is `192.168.1.5` and one of the autodetected subnets is `192.168.1.0/24` then you will want to check that `192.168.1.5` is included in subnet `192.168.1.0/24`. Provided you don't know how to make this calculation manually, you can use the `grepcidr` tool this way:
`echo "192.168.1.5" | grepcidr "192.168.1.0/24"`
The syntax to check in multiple subnets (note the double quotes):
`echo "[ip]" | grepcidr "[subnet1] [subnet2] ... [subnetN]"`
(also works for ipv6 addresses)
If the ip address is in range, grepcidr will print it, otherwise it will not. You may need to install grepcidr using your distribution's package manager.
Alternatively, you can use an online service which will do the same check for you. There are multiple services providing this functionality. To find them, look up 'IP Address In CIDR Range Check' in your preferred online search engine.
A third way to do that is by examining your network configuration (in your router) and making sure that the autodetected subnets match those in the configuration.
If you find out that the subnets were detected incorrectly, you can type in 'h' and manually enter the correct subnets or ip addresses which you want to allow connections from.
### **'A[u]to-detect LAN subnets when updating ip lists or keep this config c[o]nstant?'**
As the above question, you will see this one if installing the suite in whitelist mode and you answered `n` to the question about WAN interfaces. You will not see this question if you specified custom subnets or ips in the previous question.
The rationale for this question is that network configuration may change, and if it does then previously correctly configured LAN subnets may become irrelevant.
If you type in 'a', each time geoip firewall rules are initialized or updated, LAN subnets will be re-detected.
If you type in 'c' then whatever subnets have been detected during installation will be kept forever (until you re-install geoip-shell).
Generally if automatic detection worked as expected during initial setup, most likely it will work correctly every time, so it is a good idea to allow auto-detection with each update. If not then, well, not.
### **Extra options**
- geoip-shell supports an additional setting: trusted ip's or subnets. Currently this is only configurable by running the -install script with the option `-t <"[trusted_ips]">` (or after installation via the `geoip-shell configure -t <"[trusted_ips]">` command). You can specify trusted ip addresses or subnets anywhere on the LAN or on the Internet. To remove this setting later, run `geoip-shell configure -t none`.
- geoip-shell supports lots of additional command-line options. You can find out more by running `geoip-shell -h`, or by reading [NOTES.md](NOTES.md) and [DETAILS.md](DETAILS.md).
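Review bot: the command `geoip-shell configure -r none` in the country-code section uses an `-r` option that the README's list of configure options (`-u`, `-m`, `-t`, `-l`, `-p`, `-s`) does not document; add it there or point the reader to the section of NOTES.md that covers it. Also, the paragraph "Alternatively, you can use an online service which will do the same check for you" sends internal addressing to a third party; since the local `grepcidr` check is already described, present the online option as a last resort and mention that it shares LAN addresses, which is consistent with the README's Privacy section.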

View File

@ -1,28 +1,35 @@
# [Jool](https://www.jool.mx)
# [Jool](https://nicmx.github.io/Jool/en/index.html)
## Documentation
[See here](https://www.jool.mx/en/documentation.html).
[See here](https://nicmx.github.io/Jool/en/documentation.html).
You might also want to see [contact info](https://www.jool.mx/en/contact.html).
You might also want to see [contact info](https://nicmx.github.io/Jool/en/contact.html).
## Usage
### Start script
This package includes a start script that will:
1. Read the configuration file `/etc/config/jool`
2. Determine what services are active
3. Run jool with procd
For now this means that:
* The services will be disabled by default in the uci config `(/etc/config/jool)`
* The only uci configuration support available for the package is to enable or disable each instance or the entire deamon
* There is no uci support and configuration will be saved at `/etc/jool/*
* Only one instance of jool(nat64) can run with the boot script
* Only one instance of jool(siit) can run with the boot script
* For now there is no way of overriding of the configuration file's paths
1. Read the configuration file `/etc/config/jool`
2. Determine what services are active
3. Run `jool` with procd
The configuration files the startup script useses for each jool instance are:
* jool(nat64): `/etc/jool/jool-nat64.conf.json`
* jool(siit): `/etc/jool/jool-siit.conf.json`
### For now this means that
- The services will be disabled by default in the uci config `(/etc/config/jool)`
- The only uci configuration support available for the package is to enable or disable each instance or the entire deamon
- There is no uci support and configuration will be saved at `/etc/jool/`
- Only one instance of jool(nat64) can run with the boot script
- Only one instance of jool(siit) can run with the boot script
- For now there is no way of overriding of the configuration file's paths
The configuration files the startup script uses for each jool instance are:
- jool(nat64): `/etc/jool/jool-nat64.conf.json`
- jool(siit): `/etc/jool/jool-siit.conf.json`
### OpenWrt tutorial
For a more detailed tutorial refer to this [wiki page](https://openwrt.org/docs/guide-user/network/ipv6/nat64).
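Review bot: "deamon" in "- The only uci configuration support available for the package is to enable or disable each instance or the entire deamon" is still misspelled (daemon), and the next bullet "- There is no uci support and configuration will be saved at `/etc/jool/`" contradicts it; reword to something like "No further uci options are supported; jool's own configuration is read from `/etc/jool/`". The "useses" typo is fixed in the rewritten text, and "- For now there is no way of overriding of the configuration file's paths" reads better as "overriding the configuration file paths".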

View File

@ -8,11 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=modemmanager
PKG_SOURCE_VERSION:=1.22.0
PKG_RELEASE:=12
PKG_VERSION:=1.22.0
PKG_RELEASE:=13
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/ModemManager.git
PKG_SOURCE_VERSION:=$(PKG_VERSION)
PKG_MIRROR_HASH:=cd67d0833481146cc630299ffd2e7afdedb2c90f9d8ce3cc348af1fffacc87de
PKG_MAINTAINER:=Nicholas Smith <nicholas@nbembedded.com>

View File

@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=natmap
PKG_VERSION:=20240303
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/heiher/natmap/releases/download/$(PKG_VERSION)

View File

@ -10,4 +10,6 @@ config natmap
option forward_target ''
option forward_port ''
option notify_script ''
option log_stdout '1'
option log_stderr '1'

View File

@ -27,7 +27,9 @@ validate_section_natmap() {
'port:port' \
'forward_target:host' \
'forward_port:port' \
'notify_script:file'
'notify_script:file' \
'log_stdout:bool:1' \
'log_stderr:bool:1'
}
natmap_instance() {
@ -63,8 +65,8 @@ natmap_instance() {
procd_append_param command -e /usr/lib/natmap/update.sh
procd_set_param respawn
procd_set_param stdout 1
procd_set_param stderr 1
procd_set_param stdout "${log_stdout}"
procd_set_param stderr "${log_stderr}"
procd_close_instance
}
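Review bot: `procd_set_param stdout "${log_stdout}"` and the `stderr` line pass the validated value straight through, but the `bool` type declared for `log_stdout`/`log_stderr` in `validate_section_natmap` also accepts spellings such as `on`, `yes` and `true`; procd emits the `stdout`/`stderr` params with `json_add_boolean`, which treats a non-numeric string as 0, so `option log_stdout 'true'` would validate fine and silently disable logging. Unless `validate_data` is confirmed to normalize booleans to 0/1, normalize before use, e.g. `case "$log_stdout" in 1|on|yes|true|enabled) log_stdout=1 ;; *) log_stdout=0 ;; esac`, and the same for `log_stderr`.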

View File

@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=nebula
PKG_VERSION:=1.8.2
PKG_RELEASE:=r2
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/slackhq/nebula/tar.gz/v$(PKG_VERSION)?

View File

@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=nginx
PKG_VERSION:=1.25.4
PKG_RELEASE:=2
PKG_VERSION:=1.25.5
PKG_RELEASE:=1
PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://nginx.org/download/
PKG_HASH:=760729901acbaa517996e681ee6ea259032985e37c2768beef80df3a877deed9
PKG_HASH:=2fe2294f8af4144e7e842eaea884182a84ee7970e11046ba98194400902bbec0
PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de> \
Christian Marangi <ansuelsmth@gmail.com>
@ -195,6 +195,15 @@ define Package/nginx-mod-luci/description
Support file for LuCI in nginx. Include custom nginx configuration, autostart script for uwsgi.
endef
define Package/nginx-mod-luci/preinst
#!/bin/sh
grep -r -l ngx_http_ubus_module.so /etc/nginx/module.d | grep -v ngx_http_ubus.module | while read file; do
echo "Removing old LuCI module load file for 'ngx_http_ubus.so' in $$file."
rm -f $$file
done
exit 0
endef
define Package/nginx-mod-luci/install
$(INSTALL_DIR) $(1)/etc/nginx/conf.d
$(INSTALL_CONF) ./files-luci-support/luci.locations $(1)/etc/nginx/conf.d/
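Review bot: the preinst loop `while read file; do ... rm -f $$file` should quote the variable (`rm -f "$$file"`) and guard the directory, since `grep -r -l ngx_http_ubus_module.so /etc/nginx/module.d` prints an error on a fresh install where `/etc/nginx/module.d` does not exist yet (`exit 0` hides it, but a `[ -d /etc/nginx/module.d ] || exit 0` up front is cleaner). The message "Removing old LuCI module load file for 'ngx_http_ubus.so'" also names a different file than the `ngx_http_ubus_module.so` the grep actually matches; make the two consistent.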
@ -203,9 +212,10 @@ define Package/nginx-mod-luci/install
endef
define Download/nginx-mod-geoip2
SOURCE_DATE:=2020-01-22
VERSION:=1cabd8a1f68ea3998f94e9f3504431970f848fbf
URL:=https://github.com/leev/ngx_http_geoip2_module.git
MIRROR_HASH:=b4bd8517f6595f28e9cea5370045df476e0f7fa9ca3611d71ba85c518f1a7eda
MIRROR_HASH:=f3d2a1af5c34812b5a34453457ba6a4d8093c92085aa7f76c46a1c4185c9735c
PROTO:=git
endef
@ -237,73 +247,83 @@ define Package/nginx-mod-lua-resty-core/install
endef
define Download/nginx-mod-headers-more
SOURCE_DATE:=2022-07-17
VERSION:=bea1be3bbf6af28f6aa8cf0c01c07ee1637e2bd0
URL:=https://github.com/openresty/headers-more-nginx-module.git
MIRROR_HASH:=3617bbf7a935208a1d8d5f86a8f9b770f6987e4d2b5663a9ab1b777217e3066b
MIRROR_HASH:=569abadc137b5b52bdcc33b00aa21f6d266cb84fb891795da2c4e101c4898abe
PROTO:=git
endef
define Download/nginx-mod-brotli
SOURCE_DATE:=2020-04-23
VERSION:=25f86f0bac1101b6512135eac5f93c49c63609e3
URL:=https://github.com/google/ngx_brotli.git
MIRROR_HASH:=c85cdcfd76703c95aa4204ee4c2e619aa5b075cac18f428202f65552104add3b
MIRROR_HASH:=680c56be79e7327cb8df271646119333d2f6965a3472bc7043721625fa4488f5
PROTO:=git
endef
define Download/nginx-mod-rtmp
SOURCE_DATE:=2018-12-07
VERSION:=f0ea62342a4eca504b311cd5df910d026c3ea4cf
URL:=https://github.com/ut0mt8/nginx-rtmp-module.git
MIRROR_HASH:=d3f58066f0f858ed79f7f2b0c9b89de2ccc512c94ab3d0625f6dcff3df0b72c1
MIRROR_HASH:=9c98d886ae4ea3708bb0bca55f8df803418a407e0ffc6df56341bd76ad39cba8
PROTO:=git
endef
define Download/nginx-mod-ts
SOURCE_DATE:=2017-12-04
VERSION:=ef2f874d95cc75747eb625a292524a702aefb0fd
URL:=https://github.com/arut/nginx-ts-module.git
MIRROR_HASH:=73938950bb286d40d9e54b0994d1a63827340c1156c72eb04d7041b25b20ec18
MIRROR_HASH:=3f144d4615a4aaa1215435cd06ae4054ea12206d5b38306321420f7acc62aca8
PROTO:=git
endef
define Download/nginx-mod-naxsi
SOURCE_DATE:=2022-09-14
VERSION:=d714f1636ea49a9a9f4f06dba14aee003e970834
URL:=https://github.com/nbs-system/naxsi.git
MIRROR_HASH:=bd006686721a68d43f052f0a4f00e9ff99fb2abfbc4dcf8194a3562fe4e5c08b
MIRROR_HASH:=b0cef5fbf842f283eb5f0686ddd1afcd07d83abd7027c8cfb3e84a2223a34797
PROTO:=git
endef
define Download/nginx-mod-lua
SOURCE_DATE:=2023-08-19
VERSION:=c89469e920713d17d703a5f3736c9335edac22bf
URL:=https://github.com/openresty/lua-nginx-module.git
MIRROR_HASH:=dd66465f65c094a1ddfff2035bff4da870b7c6b7e033d307a9806a6df290a1a5
MIRROR_HASH:=c3bdf1b23f0a63991b5dcbd1f8ee150e6f893b43278e8600e4e0bb42a6572db4
PROTO:=git
endef
define Download/nginx-mod-lua-resty-core
SOURCE_DATE:=2023-09-09
VERSION:=2e2b2adaa61719972fe4275fa4c3585daa0dcd84
URL:=https://github.com/openresty/lua-resty-core.git
MIRROR_HASH:=4bfc267fd027161f88fcbeacce38e6bd13ba894a581c2d6dfe78ee270b1a473c
MIRROR_HASH:=c5f3df92fd72eac5b54497c039aca0f0d9ea1d87223f1e3a54365ba565991874
PROTO:=git
endef
define Download/nginx-mod-lua-resty-lrucache
SOURCE_DATE:=2023-08-06
VERSION:=52f5d00403c8b7aa8a4d4f3779681976b10a18c1
URL:=https://github.com/openresty/lua-resty-lrucache.git
MIRROR_HASH:=618a972574b6b1db1eebf4046d9a471ac03ec092bb825136ba975928d4af2351
MIRROR_HASH:=0833e0114948af4edb216c5c34b3f1919f534b298f4fa29739544f7c9bb8a08d
PROTO:=git
endef
define Download/nginx-mod-dav-ext
SOURCE_DATE:=2018-12-17
VERSION:=f5e30888a256136d9c550bf1ada77d6ea78a48af
URL:=https://github.com/arut/nginx-dav-ext-module.git
MIRROR_HASH:=70bb4c3907f4b783605500ba494e907aede11f8505702e370012abb3c177dc5b
MIRROR_HASH:=c574e60ffab5f6e5d8bea18aab0799c19cd9a84f3d819b787e9af4f0e7867b52
PROTO:=git
endef
define Download/nginx-mod-ubus
SOURCE_DATE:=2020-09-06
VERSION:=b2d7260dcb428b2fb65540edb28d7538602b4a26
URL:=https://github.com/Ansuel/nginx-ubus-module.git
MIRROR_HASH:=472cef416d25effcac66c85417ab6596e634a7a64d45b709bb090892d567553c
MIRROR_HASH:=515bb9d355ad80916f594046a45c190a68fb6554d6795a54ca15cab8bdd12fda
PROTO:=git
endef
@ -311,7 +331,7 @@ define Module/Download
define Download/nginx-mod-$(1) +=
SUBDIR:=nginx-mod-$(1)
FILE:=nginx-mod-$(1)-$$$$(VERSION).tar.xz
FILE:=nginx-mod-$(1)-$$$$(subst -,.,$$$$(SOURCE_DATE))~$$$$(call version_abbrev,$$$$(VERSION)).tar.zst
endef
endef
$(foreach m,$(PKG_MOD_EXTRA),$(eval $(call Module/Download,$(m))))
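Review bot: with `FILE:=nginx-mod-$(1)-$$$$(subst -,.,$$$$(SOURCE_DATE))~$$$$(call version_abbrev,$$$$(VERSION)).tar.zst` every module archive name changes, which is why all `MIRROR_HASH` values in the `Download/nginx-mod-*` blocks above are replaced in the same commit; none of those hashes can be checked from the diff alone, so they should be regenerated and verified locally (for example with `make package/nginx/check FIXUP=1`) before merge, and the commit message should state that the rename, not a source change, is the reason for the hash churn.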
@ -341,7 +361,7 @@ define Module/Build/Prepare
$(eval $(call Download,nginx-mod-$(1)))
$(eval $(Download/nginx-mod-$(1)))
mkdir -p $(PKG_BUILD_DIR)/nginx-mod-$(1)
xzcat $(DL_DIR)/$(FILE) | tar -C $(PKG_BUILD_DIR)/nginx-mod-$(1) $(TAR_OPTIONS) --strip-components 1
zstdcat $(DL_DIR)/$(FILE) | tar -C $(PKG_BUILD_DIR)/nginx-mod-$(1) $(TAR_OPTIONS) --strip-components 1
endef
define Build/Prepare
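Review bot: `zstdcat $(DL_DIR)/$(FILE) | tar ...` makes the package build depend on a zstd binary being available on the build host; the diff does not show a corresponding host-tool requirement, so confirm that the build system's prerequisite checks already cover zstd (or add the dependency), otherwise the failure only shows up as a broken pipe at prepare time.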
@ -375,8 +395,10 @@ define BuildModule
define Package/nginx-mod-$(1)/install
$(INSTALL_DIR) $$(1)/usr/lib/nginx/modules
$(INSTALL_DIR) $$(1)/etc/nginx/module.d
$(foreach m,$(3),
$(CP) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/$(m)_module.so $$(1)/usr/lib/nginx/modules
$(CP) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/$(m)_module.so $$(1)/usr/lib/nginx/modules && \
echo "load_module /usr/lib/nginx/modules/$(m)_module.so;" > $$(1)/etc/nginx/module.d/$(m).module
)
$(call Module/nginx-mod-$(1)/install,$$(1))
endef
@ -477,7 +499,7 @@ $(eval $(call BuildModule,brotli,,ngx_http_brotli_filter ngx_http_brotli_static,
Add support for brotli compression module.))
$(eval $(call BuildModule,naxsi,,ngx_http_naxsi, \
Enable NAXSI module.))
$(eval $(call BuildModule,geoip2,+@NGINX_STREAM_CORE_MODULE +libmaxminddb,ngx_http_geoip2 ngx_stream_geoip2, \
$(eval $(call BuildModule,geoip2,+@NGINX_STREAM_CORE_MODULE +nginx-mod-stream +libmaxminddb,ngx_http_geoip2 ngx_stream_geoip2, \
Enable MaxMind GeoIP2 module.))
# TODO: remove after a transition period (together with pkg nginx-util):

View File

@ -12,8 +12,8 @@ location /ubus {
EOT
fi
if [ ! -f "/etc/nginx/module.d/luci.module" ]; then
cat <<EOT >> /etc/nginx/module.d/luci.module
if [ ! -f "/etc/nginx/module.d/ngx_http_ubus.module" ]; then
cat <<EOT > /etc/nginx/module.d/ngx_http_ubus.module
load_module /usr/lib/nginx/modules/ngx_http_ubus_module.so;
EOT
fi
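Review bot: switching the guard and target to `/etc/nginx/module.d/ngx_http_ubus.module` leaves any existing `/etc/nginx/module.d/luci.module` from earlier installs in place, and with both files present nginx would receive `load_module` for the same `.so` twice; since this script already runs at the point where the old file would exist, remove it here as well rather than relying solely on package preinst cleanup. With the `[ ! -f ... ]` guard, `>` instead of `>>` is the right choice.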

View File

@ -1,6 +1,6 @@
--- a/auto/options
+++ b/auto/options
@@ -411,8 +411,7 @@ $0: warning: the \"--with-sha1-asm\" opt
@@ -413,8 +413,7 @@ $0: warning: the \"--with-sha1-asm\" opt
--test-build-solaris-sendfilev) NGX_TEST_BUILD_SOLARIS_SENDFILEV=YES ;;
*)

View File

@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=ntp
PKG_VERSION:=4.2.8p15
PKG_RELEASE:=4
PKG_VERSION:=4.2.8p17
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/
PKG_HASH:=f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19
PKG_HASH:=103dd272e6a66c5b8df07dce5e9a02555fcd6f1397bdfb782237328e89d3a866
PKG_LICENSE:=NTP
PKG_LICENSE_FILES:=COPYRIGHT html/copyright.html

View File

@ -36,7 +36,7 @@ The parameter(s) `server` enumerate a list of servers to be used for
reference NTP servers by the local daemon. At least one is required,
and two or more are recommended (unless you have an extremely available
local server). They should be picked to be geographically divergent,
and preferrably reachable via different network carriers to protect
and preferably reachable via different network carriers to protect
against network partitions, etc. They should also be high-quality
time providers (i.e. having stable, accurate clock sources).
@ -71,10 +71,10 @@ As a result, the NTP servers that your ISP may point you at are
often of unknown/unverified quality, and you use them at your own
risk.
Early millenial versions of Windows (2000, XP, etc) used NTP only
Early millennial versions of Windows (2000, XP, etc) used NTP only
to _initially set_ the clock to approximately 100ms accuracy (and
not maintain sychronization), so the bar wasn't set very high.
Since then, requirements for higher-qualty timekeeping have
not maintain synchronization), so the bar wasn't set very high.
Since then, requirements for higher-quality timekeeping have
arisen (e.g. multi-master SQL database replication), but most ISPs
have not kept up with the needs of their users.

View File

@ -1,27 +0,0 @@
From 082a504cfcc046c3d8adaae1164268bc94e5108a Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Sat, 31 Jul 2021 10:51:41 -0700
Subject: [PATCH] libntp: Do not use PTHREAD_STACK_MIN on glibc
In glibc 2.34+ PTHREAD_STACK_MIN is not a compile-time constant which
could mean different stack sizes at runtime on different architectures
and it also causes compile failure. Default glibc thread stack size
or 64Kb set by ntp should be good in glibc these days.
Upstream-Status: Pending
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
libntp/work_thread.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/libntp/work_thread.c
+++ b/libntp/work_thread.c
@@ -41,7 +41,7 @@
#ifndef THREAD_MINSTACKSIZE
# define THREAD_MINSTACKSIZE (64U * 1024)
#endif
-#ifndef __sun
+#if !defined(__sun) && !defined(__GLIBC__)
#if defined(PTHREAD_STACK_MIN) && THREAD_MINSTACKSIZE < PTHREAD_STACK_MIN
# undef THREAD_MINSTACKSIZE
# define THREAD_MINSTACKSIZE PTHREAD_STACK_MIN
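Review bot: dropping this `#if !defined(__sun) && !defined(__GLIBC__)` workaround in `libntp/work_thread.c` is only safe if 4.2.8p17 carries an equivalent fix for the non-constant `PTHREAD_STACK_MIN` on glibc 2.34+ that the patch description explains; the version bump above does not say so. State in the commit message (or cite the upstream change) that the patch is superseded, otherwise glibc-based targets risk the compile failure the patch was added to avoid.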

View File

@ -17,4 +17,14 @@ if PACKAGE_rsync
prompt "Enable zstd stream compression"
default n
config RSYNC_lz4
bool
prompt "Enable lz4, extremely fast compression"
default n
config RSYNC_xxhash
bool
prompt "Enable xxhash, extremely fast hash"
default n
endif

View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=rsync
PKG_VERSION:=3.3.0
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://download.samba.org/pub/$(PKG_NAME)/src
@ -30,8 +30,8 @@ define Package/rsync
SECTION:=net
CATEGORY:=Network
SUBMENU:=File Transfer
TITLE:=Fast remote file copy program (like rcp)
DEPENDS:=+libpopt +zlib +RSYNC_xattr:libattr +RSYNC_acl:libacl +RSYNC_zstd:libzstd $(ICONV_DEPENDS)
TITLE:=an open source utility that provides fast incremental file transfer
DEPENDS:=+libpopt +zlib +RSYNC_xattr:libattr +RSYNC_acl:libacl +RSYNC_zstd:libzstd +RSYNC_xxhash:libxxhash +RSYNC_lz4:liblz4 $(ICONV_DEPENDS)
URL:=https://rsync.samba.org/
MENU:=1
endef
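Review bot: the new `TITLE:=an open source utility that provides fast incremental file transfer` starts lowercase and reads as a marketing blurb; package titles in this repository are short capitalized descriptions, so something like `TITLE:=Fast incremental file transfer utility` fits better. The `DEPENDS` additions `+RSYNC_xxhash:libxxhash +RSYNC_lz4:liblz4` match the new Config.in symbols.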
@ -47,18 +47,18 @@ CONFIGURE_ARGS += \
--without-included-zlib \
--disable-debug \
--disable-asm \
--disable-lz4 \
--disable-locale \
--disable-md2man \
--disable-openssl \
--disable-simd \
--disable-roll-simd \
--disable-xxhash \
--$(if $(CONFIG_BUILD_NLS),en,dis)able-iconv \
--$(if $(CONFIG_BUILD_NLS),en,dis)able-iconv-open \
--$(if $(CONFIG_RSYNC_zstd),en,dis)able-zstd \
--$(if $(CONFIG_RSYNC_lz4),en,dis)able-lz4 \
--$(if $(CONFIG_RSYNC_xattr),en,dis)able-xattr-support \
--$(if $(CONFIG_RSYNC_acl),en,dis)able-acl-support \
--$(if $(CONFIG_RSYNC_xxhash),en,dis)able-xxhash \
$(if $(CONFIG_IPV6),,--disable-ipv6)
define Package/rsyncd

View File

@ -9,9 +9,10 @@ PKG_NAME:=snort3
PKG_VERSION:=3.1.84.0
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/snort3/snort3/archive/refs/tags/
PKG_HASH:=dca1707a66f6ca56ddd526163b2d951cefdb168bddc162c791adc74c0d226c7f
PKG_SOURCE_PROTO:=git
PKG_SOURCE_VERSION:=$(PKG_VERSION)
PKG_SOURCE_URL:=https://github.com/snort3/snort3
PKG_MIRROR_HASH:=ffa69fdd95c55a943ab4dd782923caf31937dd8ad29e202d7fe781373ed84444
PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org>, John Audia <therealgraysky@proton.me>
PKG_LICENSE:=GPL-2.0-only
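Review bot: replacing the release tarball (`PKG_HASH` on `$(PKG_VERSION).tar.gz` from the upstream archive URL) with `PKG_SOURCE_PROTO:=git` and `PKG_SOURCE_VERSION:=$(PKG_VERSION)` changes what is pinned: `PKG_MIRROR_HASH` only covers the mirrored tarball, while a fresh fetch from `https://github.com/snort3/snort3` resolves a tag name that upstream can move. If the change is needed (for example because the archive URL is unstable), say why in the commit message; otherwise pinning the tag's commit hash in `PKG_SOURCE_VERSION` keeps the integrity guarantee the tarball hash provided.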

View File

@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=socat
PKG_VERSION:=1.8.0.0
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://www.dest-unreach.org/socat/download
@ -58,6 +58,9 @@ CONFIGURE_ARGS += \
--disable-readline \
--enable-termios
## procan.c fails to compile when ccache is enabled
MAKE_FLAGS += CC="$(TARGET_CC_NOCACHE)"
ifneq ($(CONFIG_SOCAT_SSL),y)
CONFIGURE_ARGS+= --disable-openssl
endif
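Review bot: the comment `## procan.c fails to compile when ccache is enabled` above `MAKE_FLAGS += CC="$(TARGET_CC_NOCACHE)"` gives no hint of the actual error or an issue reference, which makes it hard to judge later whether the workaround can be removed; add the compiler error text or a link to the upstream/OpenWrt issue.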

View File

@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=tailscale
PKG_VERSION:=1.62.1
PKG_VERSION:=1.64.2
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/tailscale/tailscale/tar.gz/v$(PKG_VERSION)?
PKG_HASH:=22737fae37e971fecdf49d6b741b99988868aa3f1e683e67e14b872a2c49ca1c
PKG_HASH:=e5e46f6b6b716b2c4696dce0b92dc2e36f02b06b7ad9f055042a820ad61b2a47
PKG_MAINTAINER:=Jan Pavlinec <jan.pavlinec1@gmail.com>
PKG_LICENSE:=BSD-3-Clause

View File

@ -8,13 +8,13 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=tor
PKG_VERSION:=0.4.8.10
PKG_VERSION:=0.4.8.11
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://dist.torproject.org/ \
https://archive.torproject.org/tor-package-archive
PKG_HASH:=e628b4fab70edb4727715b23cf2931375a9f7685ac08f2c59ea498a178463a86
PKG_HASH:=8f2bdf90e63380781235aa7d604e159570f283ecee674670873d8bb7052c8e07
PKG_MAINTAINER:=Hauke Mehrtens <hauke@hauke-m.de> \
Peter Wagner <tripolar@gmx.at>
PKG_LICENSE:=BSD-3-Clause

View File

@ -9,11 +9,12 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=UDPspeeder
PKG_VERSION:=20230206.0
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/wangyu-/$(PKG_NAME)/tar.gz/$(PKG_VERSION)?
PKG_HASH:=c6b0c45e971360b25cd49be0369e94b2fb12f649d39c7e60c172c14a9e3a4e0d
PKG_SOURCE_PROTO:=git
PKG_SOURCE_VERSION:=$(PKG_VERSION)
PKG_SOURCE_URL:=https://github.com/wangyu-/UDPspeeder
PKG_MIRROR_HASH:=8196a07089112a164ea07cc95806f79075bd1b12cc7af5316e2793421bb2cfbf
PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE
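Review bot: as with the other tarball-to-git conversions in this series, `PKG_SOURCE_VERSION:=$(PKG_VERSION)` pins a tag name rather than a commit, and `PKG_MIRROR_HASH` only protects the mirrored copy; if the codeload archive for `20230206.0` is no longer reliable, say so in the commit message, and consider pinning the tag's commit hash instead.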
@ -38,11 +39,10 @@ endef
MAKE_FLAGS += cross
define Build/Prepare
$(PKG_UNPACK)
$(Build/Prepare/Default)
sed -i 's/cc_cross=.*/cc_cross=$(TARGET_CXX)/g' $(PKG_BUILD_DIR)/makefile
sed -i '/\gitversion/d' $(PKG_BUILD_DIR)/makefile
echo 'const char * const gitversion = "$(PKG_VERSION)";' > $(PKG_BUILD_DIR)/git_version.h
$(Build/Patch)
endef
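Review bot: switching to `$(Build/Prepare/Default)` and dropping the explicit `$(Build/Patch)` is correct, since the default prepare step already applies patches and the old form patched twice. While here, `sed -i '/\gitversion/d'` carries a stray backslash before `g` that is undefined in POSIX sed regular expressions; `'/gitversion/d'` is what is meant.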
define Package/UDPspeeder/install

View File

@ -1,16 +1,16 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=uwsgi
PKG_VERSION:=2.0.22
PKG_VERSION:=2.0.25.1
PKG_RELEASE:=1
PYPI_NAME:=uWSGI
PYPI_SOURCE_NAME:=uwsgi
PKG_HASH:=4cc4727258671ac5fa17ab422155e9aaef8a2008ebb86e4404b66deaae965db2
PKG_HASH:=d653d2d804c194c8cbe2585fa56efa2650313ae75c686a9d7931374d4dfbfc6e
PKG_LICENSE:=GPL-2.0-or-later
PKG_LICENSE_FILES:=LICENSE
PKG_MAINTAINER:=Ansuel Smith <ansuelsmth@gmail.com>
PKG_MAINTAINER:=Christian Marangi <ansuelsmth@gmail.com>
PKG_BUILD_DEPENDS:=python3/host
PYTHON3_PKG_BUILD:=0

View File

@ -1,6 +1,6 @@
--- a/uwsgiconfig.py
+++ b/uwsgiconfig.py
@@ -859,11 +859,11 @@ class uConf(object):
@@ -863,11 +863,11 @@ class uConf(object):
self.cflags.append('-DUWSGI_HAS_EXECINFO')
report['execinfo'] = True

View File

@ -1,11 +1,10 @@
--- a/uwsgiconfig.py
+++ b/uwsgiconfig.py
@@ -688,7 +688,7 @@ class uConf(object):
@@ -684,7 +684,6 @@ class uConf(object):
self.include_path += os.environ['UWSGI_INCLUDES'].split(',')
- self.cflags = ['-O2', '-I.', '-Wall', '-D_LARGEFILE_SOURCE', '-D_FILE_OFFSET_BITS=64'] + os.environ.get("CFLAGS", "").split() + self.get('cflags','').split()
+ self.cflags = ['-I.', '-Wall', '-D_LARGEFILE_SOURCE', '-D_FILE_OFFSET_BITS=64'] + os.environ.get("CFLAGS", "").split() + self.get('cflags','').split()
report['kernel'] = uwsgi_os
cflags = [
- '-O2',
'-I.',
'-Wall',
'-D_LARGEFILE_SOURCE',

View File

@ -1,6 +1,6 @@
--- a/uwsgiconfig.py
+++ b/uwsgiconfig.py
@@ -5,9 +5,9 @@ uwsgi_version = '2.0.22'
@@ -5,9 +5,9 @@ uwsgi_version = '2.0.25.1'
import os
import re
import time

View File

@ -1,20 +0,0 @@
From bad0edfc10a80de908a3d83c7f075eff8df3a691 Mon Sep 17 00:00:00 2001
From: Riccardo Magliocchetti <riccardo.magliocchetti@gmail.com>
Date: Wed, 14 Jan 2015 21:19:24 +0100
Subject: [PATCH] core/alarm: fix memory leak
Reported by Coverity as CID #971006
---
core/alarm.c | 1 +
1 file changed, 1 insertion(+)
--- a/core/alarm.c
+++ b/core/alarm.c
@@ -171,6 +171,7 @@ static int uwsgi_alarm_log_add(char *ala
ual = uwsgi_calloc(sizeof(struct uwsgi_alarm_log));
if (uwsgi_regexp_build(regexp, &ual->pattern, &ual->pattern_extra)) {
+ free(ual);
return -1;
}
ual->negate = negate;
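Review bot: removing this `free(ual);` patch is consistent with the rest of the commit: the pcre2 series deleted further down shows `free(ual);` already present as context in `core/alarm.c`, i.e. the upstream 2.0.25.1 tree contains the fix. Worth one line in the commit message so the drop is not mistaken for a lost bug fix.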

View File

@ -18,6 +18,6 @@ Given the changeset which introduced this option with the ssl-enable3 option whi
{"ssl-enable-tlsv1", no_argument, 0, "enable TLSv1 (insecure)", uwsgi_opt_true, &uwsgi.tlsv1, 0},
- {"ssl-option", no_argument, 0, "set a raw ssl option (numeric value)", uwsgi_opt_add_string_list, &uwsgi.ssl_options, 0},
+ {"ssl-option", required_argument, 0, "set a raw ssl option (numeric value)", uwsgi_opt_add_string_list, &uwsgi.ssl_options, 0},
#ifdef UWSGI_PCRE
#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
{"sni-regexp", required_argument, 0, "add an SNI-governed SSL context (the key is a regexp)", uwsgi_opt_sni, NULL, 0},
#endif

View File

@ -1,6 +1,6 @@
--- a/core/uwsgi.c
+++ b/core/uwsgi.c
@@ -1825,7 +1825,7 @@ void uwsgi_plugins_atexit(void) {
@@ -1794,7 +1794,7 @@ void uwsgi_plugins_atexit(void) {
void uwsgi_backtrace(int depth) {

View File

@ -1,887 +0,0 @@
From 7835662f76831a76e4cc04791fcf2ee1ea725931 Mon Sep 17 00:00:00 2001
From: Riccardo Magliocchetti <riccardo.magliocchetti@gmail.com>
Date: Tue, 25 Jul 2023 16:17:52 +0200
Subject: [PATCH 01/12] uwsgiconfig: prepare for pcre2
---
uwsgiconfig.py | 45 ++++++++++++++++++++++-----------------------
1 file changed, 22 insertions(+), 23 deletions(-)
--- a/uwsgiconfig.py
+++ b/uwsgiconfig.py
@@ -1079,30 +1079,29 @@ class uConf(object):
has_pcre = False
- # re-enable after pcre fix
- if self.get('pcre'):
- if self.get('pcre') == 'auto':
- pcreconf = spcall('pcre-config --libs')
- if pcreconf:
- self.libs.append(pcreconf)
- pcreconf = spcall("pcre-config --cflags")
- self.cflags.append(pcreconf)
- self.gcc_list.append('core/regexp')
- self.cflags.append("-DUWSGI_PCRE")
- has_pcre = True
-
+ required_pcre = self.get('pcre')
+ if required_pcre:
+ pcre_libs = spcall('pcre2-config --libs8')
+ if pcre_libs:
+ pcre_cflags = spcall("pcre2-config --cflags")
+ pcre_define = "-DUWSGI_PCRE2"
else:
- pcreconf = spcall('pcre-config --libs')
- if pcreconf is None:
- print("*** libpcre headers unavailable. uWSGI build is interrupted. You have to install pcre development package or disable pcre")
- sys.exit(1)
- else:
- self.libs.append(pcreconf)
- pcreconf = spcall("pcre-config --cflags")
- self.cflags.append(pcreconf)
- self.gcc_list.append('core/regexp')
- self.cflags.append("-DUWSGI_PCRE")
- has_pcre = True
+ pcre_libs = spcall('pcre-config --libs')
+ pcre_cflags = spcall("pcre-config --cflags")
+ pcre_define = "-DUWSGI_PCRE"
+ else:
+ pcre_libs = None
+
+ if required_pcre:
+ if required_pcre != 'auto' and pcre_libs is None:
+ print("*** libpcre headers unavailable. uWSGI build is interrupted. You have to install pcre development package or disable pcre")
+ sys.exit(1)
+
+ self.libs.append(pcre_libs)
+ self.cflags.append(pcre_cflags)
+ self.gcc_list.append('core/regexp')
+ self.cflags.append(pcre_define)
+ has_pcre = True
if has_pcre:
report['pcre'] = True
--- a/core/alarm.c
+++ b/core/alarm.c
@@ -160,7 +160,7 @@ static struct uwsgi_alarm_instance *uwsg
}
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
static int uwsgi_alarm_log_add(char *alarms, char *regexp, int negate) {
struct uwsgi_alarm_log *old_ual = NULL, *ual = uwsgi.alarm_logs;
@@ -170,7 +170,7 @@ static int uwsgi_alarm_log_add(char *ala
}
ual = uwsgi_calloc(sizeof(struct uwsgi_alarm_log));
- if (uwsgi_regexp_build(regexp, &ual->pattern, &ual->pattern_extra)) {
+ if (uwsgi_regexp_build(regexp, &ual->pattern)) {
free(ual);
return -1;
}
@@ -331,7 +331,7 @@ void uwsgi_alarms_init() {
usl = usl->next;
}
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
// then map log-alarm
usl = uwsgi.alarm_logs_list;
while (usl) {
@@ -377,14 +377,14 @@ void uwsgi_alarm_trigger_uai(struct uwsg
}
}
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
// check if a log should raise an alarm
void uwsgi_alarm_log_check(char *msg, size_t len) {
if (!uwsgi_strncmp(msg, len, "[uwsgi-alarm", 12))
return;
struct uwsgi_alarm_log *ual = uwsgi.alarm_logs;
while (ual) {
- if (uwsgi_regexp_match(ual->pattern, ual->pattern_extra, msg, len) >= 0) {
+ if (uwsgi_regexp_match(ual->pattern, msg, len) >= 0) {
if (!ual->negate) {
struct uwsgi_alarm_ll *uall = ual->alarms;
while (uall) {
--- a/core/logging.c
+++ b/core/logging.c
@@ -414,7 +414,7 @@ void uwsgi_setup_log_master(void) {
usl = usl->next;
}
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
// set logger by its id
struct uwsgi_regexp_list *url = uwsgi.log_route;
while (url) {
@@ -1398,11 +1398,11 @@ int uwsgi_master_log(void) {
ssize_t rlen = read(uwsgi.shared->worker_log_pipe[0], uwsgi.log_master_buf, uwsgi.log_master_bufsize);
if (rlen > 0) {
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
uwsgi_alarm_log_check(uwsgi.log_master_buf, rlen);
struct uwsgi_regexp_list *url = uwsgi.log_drain_rules;
while (url) {
- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, uwsgi.log_master_buf, rlen) >= 0) {
+ if (uwsgi_regexp_match(url->pattern, uwsgi.log_master_buf, rlen) >= 0) {
return 0;
}
url = url->next;
@@ -1411,7 +1411,7 @@ int uwsgi_master_log(void) {
int show = 0;
url = uwsgi.log_filter_rules;
while (url) {
- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, uwsgi.log_master_buf, rlen) >= 0) {
+ if (uwsgi_regexp_match(url->pattern, uwsgi.log_master_buf, rlen) >= 0) {
show = 1;
break;
}
@@ -1424,7 +1424,7 @@ int uwsgi_master_log(void) {
url = uwsgi.log_route;
int finish = 0;
while (url) {
- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, uwsgi.log_master_buf, rlen) >= 0) {
+ if (uwsgi_regexp_match(url->pattern, uwsgi.log_master_buf, rlen) >= 0) {
struct uwsgi_logger *ul_route = (struct uwsgi_logger *) url->custom_ptr;
if (ul_route) {
uwsgi_log_func_do(uwsgi.requested_log_encoders, ul_route, uwsgi.log_master_buf, rlen);
@@ -1464,11 +1464,11 @@ int uwsgi_master_req_log(void) {
ssize_t rlen = read(uwsgi.shared->worker_req_log_pipe[0], uwsgi.log_master_buf, uwsgi.log_master_bufsize);
if (rlen > 0) {
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
struct uwsgi_regexp_list *url = uwsgi.log_req_route;
int finish = 0;
while (url) {
- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, uwsgi.log_master_buf, rlen) >= 0) {
+ if (uwsgi_regexp_match(url->pattern, uwsgi.log_master_buf, rlen) >= 0) {
struct uwsgi_logger *ul_route = (struct uwsgi_logger *) url->custom_ptr;
if (ul_route) {
uwsgi_log_func_do(uwsgi.requested_log_req_encoders, ul_route, uwsgi.log_master_buf, rlen);
--- a/core/regexp.c
+++ b/core/regexp.c
@@ -1,4 +1,4 @@
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
#include "uwsgi.h"
extern struct uwsgi_server uwsgi;
@@ -13,48 +13,110 @@ void uwsgi_opt_pcre_jit(char *opt, char
#endif
}
-int uwsgi_regexp_build(char *re, pcre ** pattern, pcre_extra ** pattern_extra) {
+int uwsgi_regexp_build(char *re, uwsgi_pcre ** pattern) {
+#ifdef UWSGI_PCRE2
+ int errnbr;
+ long unsigned int erroff;
+
+ *pattern = pcre2_compile((const unsigned char *) re, PCRE2_ZERO_TERMINATED, 0, &errnbr, &erroff, NULL);
+#else
const char *errstr;
int erroff;
- *pattern = pcre_compile((const char *) re, 0, &errstr, &erroff, NULL);
- if (!*pattern) {
+ *pattern = uwsgi_malloc(sizeof(uwsgi_pcre));
+ (*pattern)->p = pcre_compile((const char *) re, 0, &errstr, &erroff, NULL);
+#endif
+#ifdef UWSGI_PCRE2
+ if (!(*pattern)) {
+ uwsgi_log("pcre error: code %d at offset %d\n", errnbr, erroff);
+#else
+ if (!((*pattern)->p)) {
uwsgi_log("pcre error: %s at offset %d\n", errstr, erroff);
+#endif
return -1;
}
+#ifdef UWSGI_PCRE2
+ if (uwsgi.pcre_jit) {
+ errnbr = pcre2_jit_compile(*pattern, PCRE2_JIT_COMPLETE);
+ if (errnbr) {
+ pcre2_code_free(*pattern);
+ uwsgi_log("pcre JIT compile error code %d\n", errnbr);
+ return -1;
+ }
+#else
int opt = uwsgi.pcre_jit;
- *pattern_extra = (pcre_extra *) pcre_study((const pcre *) *pattern, opt, &errstr);
- if (*pattern_extra == NULL && errstr != NULL) {
- pcre_free(*pattern);
+ (*pattern)->extra = (pcre_extra *) pcre_study((const pcre *) (*pattern)->p, opt, &errstr);
+ if ((*pattern)->extra == NULL && errstr != NULL) {
+ pcre_free((*pattern)->p);
+ free(*pattern);
uwsgi_log("pcre (study) error: %s\n", errstr);
return -1;
+#endif
}
return 0;
}
-int uwsgi_regexp_match(pcre * pattern, pcre_extra * pattern_extra, char *subject, int length) {
-
- return pcre_exec((const pcre *) pattern, (const pcre_extra *) pattern_extra, subject, length, 0, 0, NULL, 0);
+int uwsgi_regexp_match(uwsgi_pcre *pattern, const char *subject, int length) {
+#ifdef UWSGI_PCRE2
+ return pcre2_match(pattern, (const unsigned char *)subject, length, 0, 0, NULL, NULL);
+#else
+ return pcre_exec((const pcre *) pattern->p, (const pcre_extra *) pattern->extra, subject, length, 0, 0, NULL, 0);
+#endif
}
-int uwsgi_regexp_match_ovec(pcre * pattern, pcre_extra * pattern_extra, char *subject, int length, int *ovec, int n) {
+int uwsgi_regexp_match_ovec(uwsgi_pcre *pattern, const char *subject, int length, int *ovec, int n) {
+
+#ifdef UWSGI_PCRE2
+ int rc;
+ int i;
+ pcre2_match_data *match_data;
+ size_t *pcre2_ovec;
+
+ match_data = pcre2_match_data_create_from_pattern(pattern, NULL);
+ rc = pcre2_match(pattern, (const unsigned char *)subject, length, 0, 0, match_data, NULL);
+ /*
+ * Quoting PCRE{,2} spec, "The first pair of integers, ovector[0]
+ * and ovector[1], identify the portion of the subject string matched
+ * by the entire pattern. The next pair is used for the first capturing
+ * subpattern, and so on." Therefore, the ovector size is the number of
+ * capturing subpatterns (INFO_CAPTURECOUNT), from uwsgi_regexp_ovector(),
+ * as matching pairs, plus room for the first pair.
+ */
if (n > 0) {
- return pcre_exec((const pcre *) pattern, (const pcre_extra *) pattern_extra, subject, length, 0, 0, ovec, (n + 1) * 3);
+ // copy pcre2 output vector to uwsgi output vector
+ pcre2_ovec = pcre2_get_ovector_pointer(match_data);
+ for (i=0;i<(n+1)*2;i++) {
+ ovec[i] = pcre2_ovec[i];
+ }
+#else
+ if (n > 0) {
+ return pcre_exec((const pcre *) pattern->p, (const pcre_extra *) pattern->extra, subject, length, 0, 0, ovec, PCRE_OVECTOR_BYTESIZE(n));
+#endif
}
- return pcre_exec((const pcre *) pattern, (const pcre_extra *) pattern_extra, subject, length, 0, 0, NULL, 0);
+
+#ifdef UWSGI_PCRE2
+ pcre2_match_data_free(match_data);
+
+ return rc;
+#else
+ return pcre_exec((const pcre *) pattern->p, (const pcre_extra *) pattern->extra, subject, length, 0, 0, NULL, 0);
+#endif
}
-int uwsgi_regexp_ovector(pcre * pattern, pcre_extra * pattern_extra) {
+int uwsgi_regexp_ovector(const uwsgi_pcre *pattern) {
int n;
-
- if (pcre_fullinfo((const pcre *) pattern, (const pcre_extra *) pattern_extra, PCRE_INFO_CAPTURECOUNT, &n))
+#ifdef UWSGI_PCRE2
+ if (pcre2_pattern_info(pattern, PCRE2_INFO_CAPTURECOUNT, &n))
+#else
+ if (pcre_fullinfo((const pcre *) pattern->p, (const pcre_extra *) pattern->extra, PCRE_INFO_CAPTURECOUNT, &n))
+#endif
return 0;
return n;
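Review bot: `uwsgi_regexp_match()` in the PCRE2 branch passes `NULL` as the match data block (`pcre2_match(pattern, (const unsigned char *)subject, length, 0, 0, NULL, NULL)`); PCRE2 requires a valid `pcre2_match_data *` and returns `PCRE2_ERROR_NULL` for a null one, so every caller of this function in the patch (log-drain/log-filter/log-route, alarm-log, sni-regexp, static-expires, php-app-bypass) would see "no match" on a PCRE2 build. Create the block the way `uwsgi_regexp_match_ovec()` does (`pcre2_match_data_create_from_pattern(pattern, NULL)`), check the allocation, and free it after the call. Further points in the same hunk: `erroff` is declared `long unsigned int` but printed with `%d` (use `%lu` or cast), and `pcre2_get_error_message()` would give a readable message instead of the bare `errnbr`; in the classic branch the `uwsgi_malloc()`ed wrapper is leaked when `pcre_compile()` returns NULL (add `free(*pattern)` before `return -1`); in `uwsgi_regexp_match_ovec()` the result of `pcre2_match_data_create_from_pattern()` is not checked for NULL and the ovector is copied into `ovec` even when `rc < 0`, where its contents are not meaningful (copy only on `rc >= 0`); and the `if (uwsgi.pcre_jit) {` and `if ((*pattern)->extra == NULL && errstr != NULL) {` blocks are opened inside different `#ifdef` branches but closed by the one shared `}` after `#endif`, which compiles but is fragile, so each branch should close its own block.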
@@ -66,7 +128,7 @@ char *uwsgi_regexp_apply_ovec(char *src,
int dollar = 0;
size_t dollars = n;
-
+
for(i=0;i<dst_n;i++) {
if (dst[i] == '$') {
dollars++;
--- a/core/routing.c
+++ b/core/routing.c
@@ -211,7 +211,7 @@ int uwsgi_apply_routes_do(struct uwsgi_r
subject = *subject2 ;
subject_len = *subject_len2;
}
- n = uwsgi_regexp_match_ovec(routes->pattern, routes->pattern_extra, subject, subject_len, routes->ovector[wsgi_req->async_id], routes->ovn[wsgi_req->async_id]);
+ n = uwsgi_regexp_match_ovec(routes->pattern, subject, subject_len, routes->ovector[wsgi_req->async_id], routes->ovn[wsgi_req->async_id]);
}
else {
int ret = routes->if_func(wsgi_req, routes);
@@ -506,15 +506,15 @@ void uwsgi_fixup_routes(struct uwsgi_rou
// fill them if needed... (this is an optimization for route with a static subject)
if (ur->subject && ur->subject_len) {
- if (uwsgi_regexp_build(ur->orig_route, &ur->pattern, &ur->pattern_extra)) {
+ if (uwsgi_regexp_build(ur->orig_route, &ur->pattern)) {
exit(1);
}
int i;
for(i=0;i<uwsgi.cores;i++) {
- ur->ovn[i] = uwsgi_regexp_ovector(ur->pattern, ur->pattern_extra);
+ ur->ovn[i] = uwsgi_regexp_ovector(ur->pattern);
if (ur->ovn[i] > 0) {
- ur->ovector[i] = uwsgi_calloc(sizeof(int) * (3 * (ur->ovn[i] + 1)));
+ ur->ovector[i] = uwsgi_calloc(sizeof(int) * PCRE_OVECTOR_BYTESIZE(ur->ovn[i]));
}
}
}
@@ -1484,38 +1484,47 @@ static int uwsgi_route_condition_regexp(
ur->condition_ub[wsgi_req->async_id] = uwsgi_routing_translate(wsgi_req, ur, NULL, 0, ur->subject_str, semicolon - ur->subject_str);
if (!ur->condition_ub[wsgi_req->async_id]) return -1;
- pcre *pattern;
- pcre_extra *pattern_extra;
+ uwsgi_pcre *pattern;
char *re = uwsgi_concat2n(semicolon+1, ur->subject_str_len - ((semicolon+1) - ur->subject_str), "", 0);
- if (uwsgi_regexp_build(re, &pattern, &pattern_extra)) {
+ if (uwsgi_regexp_build(re, &pattern)) {
free(re);
return -1;
}
free(re);
// a condition has no initialized vectors, let's create them
- ur->ovn[wsgi_req->async_id] = uwsgi_regexp_ovector(pattern, pattern_extra);
+ ur->ovn[wsgi_req->async_id] = uwsgi_regexp_ovector(pattern);
if (ur->ovn[wsgi_req->async_id] > 0) {
ur->ovector[wsgi_req->async_id] = uwsgi_calloc(sizeof(int) * (3 * (ur->ovn[wsgi_req->async_id] + 1)));
}
- if (uwsgi_regexp_match_ovec(pattern, pattern_extra, ur->condition_ub[wsgi_req->async_id]->buf, ur->condition_ub[wsgi_req->async_id]->pos, ur->ovector[wsgi_req->async_id], ur->ovn[wsgi_req->async_id] ) >= 0) {
- pcre_free(pattern);
+ if (uwsgi_regexp_match_ovec(pattern, ur->condition_ub[wsgi_req->async_id]->buf, ur->condition_ub[wsgi_req->async_id]->pos, ur->ovector[wsgi_req->async_id], ur->ovn[wsgi_req->async_id] ) >= 0) {
+#ifdef UWSGI_PCRE2
+ pcre2_code_free(pattern);
+#else
+ pcre_free(pattern->p);
#ifdef PCRE_STUDY_JIT_COMPILE
- pcre_free_study(pattern_extra);
+ pcre_free_study(pattern->extra);
#else
- pcre_free(pattern_extra);
+ pcre_free(pattern->extra);
+#endif
+ free(pattern);
#endif
return 1;
}
- pcre_free(pattern);
+#ifdef UWSGI_PCRE2
+ pcre2_code_free(pattern);
+#else
+ pcre_free(pattern->p);
#ifdef PCRE_STUDY_JIT_COMPILE
- pcre_free_study(pattern_extra);
+ pcre_free_study(pattern->extra);
#else
- pcre_free(pattern_extra);
+ pcre_free(pattern->extra);
#endif
- return 0;
+ free(pattern);
+#endif
+ return 0;
}
static int uwsgi_route_condition_empty(struct wsgi_request *wsgi_req, struct uwsgi_route *ur) {
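Review bot: the ovector allocation `ur->ovector[wsgi_req->async_id] = uwsgi_calloc(sizeof(int) * (3 * (ur->ovn[wsgi_req->async_id] + 1)));` is left at the PCRE1 size while the equivalent line in `uwsgi_fixup_routes()` in this patch was switched to `PCRE_OVECTOR_BYTESIZE()`; it is only an over-allocation on PCRE2, but the two call sites should agree. The two identical release sequences (`pcre2_code_free(pattern)` versus `pcre_free(pattern->p)` plus `pcre_free_study`/`pcre_free` plus `free(pattern)`) also belong in one `uwsgi_regexp_free(uwsgi_pcre *)` helper next to `uwsgi_regexp_build()` in core/regexp.c; that keeps the library-specific `#ifdef` branching in a single file and gives `uwsgi_regexp_match_pattern()` in core/utils.c, which compiles a pattern and never releases it, a way to do so.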
--- a/core/ssl.c
+++ b/core/ssl.c
@@ -145,10 +145,10 @@ static int uwsgi_sni_cb(SSL *ssl, int *a
if (uwsgi.subscription_dotsplit) goto end;
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
struct uwsgi_regexp_list *url = uwsgi.sni_regexp;
while(url) {
- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, (char *)servername, servername_len) >= 0) {
+ if (uwsgi_regexp_match(url->pattern, (char *)servername, servername_len) >= 0) {
SSL_set_SSL_CTX(ssl, url->custom_ptr);
return SSL_TLSEXT_ERR_OK;
}
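Review bot: with the subject parameter now declared `const char *`, the `(char *)servername` cast in the `uwsgi_regexp_match()` call is no longer needed; pass `servername` directly so the const qualifier from the SNI callback is kept instead of being cast away.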
@@ -621,7 +621,7 @@ void uwsgi_opt_sni(char *opt, char *valu
return;
}
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
if (!strcmp(opt, "sni-regexp")) {
struct uwsgi_regexp_list *url = uwsgi_regexp_new_list(&uwsgi.sni_regexp, v);
url->custom_ptr = ctx;
@@ -630,7 +630,7 @@ void uwsgi_opt_sni(char *opt, char *valu
#endif
struct uwsgi_string_list *usl = uwsgi_string_new_list(&uwsgi.sni, v);
usl->custom_ptr = ctx;
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
}
#endif
--- a/core/static.c
+++ b/core/static.c
@@ -35,11 +35,11 @@ int uwsgi_static_want_gzip(struct wsgi_r
usl = usl->next;
}
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
// check for regexp
struct uwsgi_regexp_list *url = uwsgi.static_gzip;
while(url) {
- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, filename, *filename_len) >= 0) {
+ if (uwsgi_regexp_match(url->pattern, filename, *filename_len) >= 0) {
goto gzip;
}
url = url->next;
@@ -216,7 +216,7 @@ int uwsgi_add_expires_type(struct wsgi_r
return 0;
}
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
int uwsgi_add_expires(struct wsgi_request *wsgi_req, char *filename, int filename_len, struct stat *st) {
struct uwsgi_dyn_dict *udd = uwsgi.static_expires;
@@ -225,7 +225,7 @@ int uwsgi_add_expires(struct wsgi_reques
char expires[31];
while (udd) {
- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, filename, filename_len) >= 0) {
+ if (uwsgi_regexp_match(udd->pattern, filename, filename_len) >= 0) {
int delta = uwsgi_str_num(udd->value, udd->vallen);
int size = uwsgi_http_date(now + delta, expires);
if (size > 0) {
@@ -238,7 +238,7 @@ int uwsgi_add_expires(struct wsgi_reques
udd = uwsgi.static_expires_mtime;
while (udd) {
- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, filename, filename_len) >= 0) {
+ if (uwsgi_regexp_match(udd->pattern, filename, filename_len) >= 0) {
int delta = uwsgi_str_num(udd->value, udd->vallen);
int size = uwsgi_http_date(st->st_mtime + delta, expires);
if (size > 0) {
@@ -260,7 +260,7 @@ int uwsgi_add_expires_path_info(struct w
char expires[31];
while (udd) {
- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, wsgi_req->path_info, wsgi_req->path_info_len) >= 0) {
+ if (uwsgi_regexp_match(udd->pattern, wsgi_req->path_info, wsgi_req->path_info_len) >= 0) {
int delta = uwsgi_str_num(udd->value, udd->vallen);
int size = uwsgi_http_date(now + delta, expires);
if (size > 0) {
@@ -273,7 +273,7 @@ int uwsgi_add_expires_path_info(struct w
udd = uwsgi.static_expires_path_info_mtime;
while (udd) {
- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, wsgi_req->path_info, wsgi_req->path_info_len) >= 0) {
+ if (uwsgi_regexp_match(udd->pattern, wsgi_req->path_info, wsgi_req->path_info_len) >= 0) {
int delta = uwsgi_str_num(udd->value, udd->vallen);
int size = uwsgi_http_date(st->st_mtime + delta, expires);
if (size > 0) {
@@ -295,7 +295,7 @@ int uwsgi_add_expires_uri(struct wsgi_re
char expires[31];
while (udd) {
- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
+ if (uwsgi_regexp_match(udd->pattern, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
int delta = uwsgi_str_num(udd->value, udd->vallen);
int size = uwsgi_http_date(now + delta, expires);
if (size > 0) {
@@ -308,7 +308,7 @@ int uwsgi_add_expires_uri(struct wsgi_re
udd = uwsgi.static_expires_uri_mtime;
while (udd) {
- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
+ if (uwsgi_regexp_match(udd->pattern, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
int delta = uwsgi_str_num(udd->value, udd->vallen);
int size = uwsgi_http_date(st->st_mtime + delta, expires);
if (size > 0) {
@@ -507,7 +507,7 @@ int uwsgi_real_file_serve(struct wsgi_re
if (uwsgi_response_prepare_headers(wsgi_req, "200 OK", 6)) return -1;
}
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
uwsgi_add_expires(wsgi_req, real_filename, real_filename_len, st);
uwsgi_add_expires_path_info(wsgi_req, st);
uwsgi_add_expires_uri(wsgi_req, st);
--- a/core/utils.c
+++ b/core/utils.c
@@ -2301,7 +2301,7 @@ struct uwsgi_string_list *uwsgi_string_n
return uwsgi_string;
}
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
struct uwsgi_regexp_list *uwsgi_regexp_custom_new_list(struct uwsgi_regexp_list **list, char *value, char *custom) {
struct uwsgi_regexp_list *url = *list, *old_url;
@@ -2320,7 +2320,7 @@ struct uwsgi_regexp_list *uwsgi_regexp_c
old_url->next = url;
}
- if (uwsgi_regexp_build(value, &url->pattern, &url->pattern_extra)) {
+ if (uwsgi_regexp_build(value, &url->pattern)) {
exit(1);
}
url->next = NULL;
@@ -2333,14 +2333,13 @@ struct uwsgi_regexp_list *uwsgi_regexp_c
int uwsgi_regexp_match_pattern(char *pattern, char *str) {
- pcre *regexp;
- pcre_extra *regexp_extra;
+ uwsgi_pcre *regexp;
- if (uwsgi_regexp_build(pattern, &regexp, &regexp_extra))
+ if (uwsgi_regexp_build(pattern, &regexp))
return 1;
- return !uwsgi_regexp_match(regexp, regexp_extra, str, strlen(str));
-}
+ return !uwsgi_regexp_match(regexp, str, strlen(str));
+}
#endif
--- a/core/uwsgi.c
+++ b/core/uwsgi.c
@@ -130,7 +130,7 @@ static struct uwsgi_option uwsgi_base_op
{"if-hostname", required_argument, 0, "(opt logic) check for hostname", uwsgi_opt_logic, (void *) uwsgi_logic_opt_if_hostname, UWSGI_OPT_IMMEDIATE},
{"if-not-hostname", required_argument, 0, "(opt logic) check for hostname", uwsgi_opt_logic, (void *) uwsgi_logic_opt_if_not_hostname, UWSGI_OPT_IMMEDIATE},
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
{"if-hostname-match", required_argument, 0, "(opt logic) try to match hostname against a regular expression", uwsgi_opt_logic, (void *) uwsgi_logic_opt_if_hostname_match, UWSGI_OPT_IMMEDIATE},
{"if-not-hostname-match", required_argument, 0, "(opt logic) try to match hostname against a regular expression", uwsgi_opt_logic, (void *) uwsgi_logic_opt_if_not_hostname_match, UWSGI_OPT_IMMEDIATE},
#endif
@@ -548,7 +548,7 @@ static struct uwsgi_option uwsgi_base_op
{"ksm", optional_argument, 0, "enable Linux KSM", uwsgi_opt_set_int, &uwsgi.linux_ksm, 0},
#endif
#endif
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
{"pcre-jit", no_argument, 0, "enable pcre jit (if available)", uwsgi_opt_pcre_jit, NULL, UWSGI_OPT_IMMEDIATE},
#endif
{"never-swap", no_argument, 0, "lock all memory pages avoiding swapping", uwsgi_opt_true, &uwsgi.never_swap, 0},
@@ -679,7 +679,7 @@ static struct uwsgi_option uwsgi_base_op
{"ssl-enable-sslv3", no_argument, 0, "enable SSLv3 (insecure)", uwsgi_opt_true, &uwsgi.sslv3, 0},
{"ssl-enable-tlsv1", no_argument, 0, "enable TLSv1 (insecure)", uwsgi_opt_true, &uwsgi.tlsv1, 0},
{"ssl-option", required_argument, 0, "set a raw ssl option (numeric value)", uwsgi_opt_add_string_list, &uwsgi.ssl_options, 0},
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
{"sni-regexp", required_argument, 0, "add an SNI-governed SSL context (the key is a regexp)", uwsgi_opt_sni, NULL, 0},
#endif
{"ssl-tmp-dir", required_argument, 0, "store ssl-related temp files in the specified directory", uwsgi_opt_set_str, &uwsgi.ssl_tmp_dir, 0},
@@ -715,7 +715,7 @@ static struct uwsgi_option uwsgi_base_op
{"log-req-encoder", required_argument, 0, "add an item in the log req encoder chain", uwsgi_opt_add_string_list, &uwsgi.requested_log_req_encoders, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
{"log-drain", required_argument, 0, "drain (do not show) log lines matching the specified regexp", uwsgi_opt_add_regexp_list, &uwsgi.log_drain_rules, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
{"log-filter", required_argument, 0, "show only log lines matching the specified regexp", uwsgi_opt_add_regexp_list, &uwsgi.log_filter_rules, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
{"log-route", required_argument, 0, "log to the specified named logger if regexp applied on logline matches", uwsgi_opt_add_regexp_custom_list, &uwsgi.log_route, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
@@ -736,7 +736,7 @@ static struct uwsgi_option uwsgi_base_op
{"alarm-lq", required_argument, 0, "raise the specified alarm when the socket backlog queue is full", uwsgi_opt_add_string_list, &uwsgi.alarm_backlog, UWSGI_OPT_MASTER},
{"alarm-listen-queue", required_argument, 0, "raise the specified alarm when the socket backlog queue is full", uwsgi_opt_add_string_list, &uwsgi.alarm_backlog, UWSGI_OPT_MASTER},
{"listen-queue-alarm", required_argument, 0, "raise the specified alarm when the socket backlog queue is full", uwsgi_opt_add_string_list, &uwsgi.alarm_backlog, UWSGI_OPT_MASTER},
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
{"log-alarm", required_argument, 0, "raise the specified alarm when a log line matches the specified regexp, syntax: <alarm>[,alarm...] <regexp>", uwsgi_opt_add_string_list, &uwsgi.alarm_logs_list, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
{"alarm-log", required_argument, 0, "raise the specified alarm when a log line matches the specified regexp, syntax: <alarm>[,alarm...] <regexp>", uwsgi_opt_add_string_list, &uwsgi.alarm_logs_list, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
{"not-log-alarm", required_argument, 0, "skip the specified alarm when a log line matches the specified regexp, syntax: <alarm>[,alarm...] <regexp>", uwsgi_opt_add_string_list_custom, &uwsgi.alarm_logs_list, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
@@ -915,7 +915,7 @@ static struct uwsgi_option uwsgi_base_op
{"static-expires-type", required_argument, 0, "set the Expires header based on content type", uwsgi_opt_add_dyn_dict, &uwsgi.static_expires_type, UWSGI_OPT_MIME},
{"static-expires-type-mtime", required_argument, 0, "set the Expires header based on content type and file mtime", uwsgi_opt_add_dyn_dict, &uwsgi.static_expires_type_mtime, UWSGI_OPT_MIME},
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
{"static-expires", required_argument, 0, "set the Expires header based on filename regexp", uwsgi_opt_add_regexp_dyn_dict, &uwsgi.static_expires, UWSGI_OPT_MIME},
{"static-expires-mtime", required_argument, 0, "set the Expires header based on filename regexp and file mtime", uwsgi_opt_add_regexp_dyn_dict, &uwsgi.static_expires_mtime, UWSGI_OPT_MIME},
@@ -2424,7 +2424,7 @@ void uwsgi_setup(int argc, char *argv[],
}
uwsgi_log_initial("clock source: %s\n", uwsgi.clock->name);
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
if (uwsgi.pcre_jit) {
uwsgi_log_initial("pcre jit enabled\n");
}
@@ -4186,7 +4186,7 @@ void uwsgi_opt_add_string_list_custom(ch
usl->custom = 1;
}
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
void uwsgi_opt_add_regexp_list(char *opt, char *value, void *list) {
struct uwsgi_regexp_list **ptr = (struct uwsgi_regexp_list **) list;
uwsgi_regexp_new_list(ptr, value);
@@ -4452,7 +4452,7 @@ void uwsgi_opt_add_dyn_dict(char *opt, c
}
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
void uwsgi_opt_add_regexp_dyn_dict(char *opt, char *value, void *dict) {
char *space = strchr(value, ' ');
@@ -4467,7 +4467,7 @@ void uwsgi_opt_add_regexp_dyn_dict(char
char *regexp = uwsgi_concat2n(value, space - value, "", 0);
- if (uwsgi_regexp_build(regexp, &new_udd->pattern, &new_udd->pattern_extra)) {
+ if (uwsgi_regexp_build(regexp, &new_udd->pattern)) {
exit(1);
}
--- a/uwsgi.h
+++ b/uwsgi.h
@@ -438,8 +438,26 @@ struct uwsgi_lock_ops {
#define uwsgi_wait_read_req(x) uwsgi.wait_read_hook(x->fd, uwsgi.socket_timeout) ; x->switches++
#define uwsgi_wait_write_req(x) uwsgi.wait_write_hook(x->fd, uwsgi.socket_timeout) ; x->switches++
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
+#ifdef UWSGI_PCRE2
+
+#define PCRE2_CODE_UNIT_WIDTH 8
+#include <pcre2.h>
+#define PCRE_OVECTOR_BYTESIZE(n) (n+1)*2
+
+typedef pcre2_code uwsgi_pcre;
+
+#else
+
#include <pcre.h>
+#define PCRE_OVECTOR_BYTESIZE(n) (n+1)*3
+
+typedef struct {
+ pcre *p;
+ pcre_extra *extra;
+} uwsgi_pcre;
+
+#endif
#endif
struct uwsgi_dyn_dict {
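Review bot: `#define PCRE_OVECTOR_BYTESIZE(n) (n+1)*2` (and its `*3` twin below it) is unparenthesized; the current `sizeof(int) * PCRE_OVECTOR_BYTESIZE(n)` uses only work because multiplication is left-associative, so write it as `(((n)+1)*2)`. The name is also misleading, since the value is an element count that the callers multiply by `sizeof(int)`, not a byte size; something like `UWSGI_PCRE_OVECTOR_LEN(n)` reads better. Since this header is now the one place that knows about both libraries, consider defining a single feature macro here (or emitting it from uwsgiconfig.py next to the library-specific define) so the forty-odd repeated `#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)` sites in this patch collapse to one `#ifdef`.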
@@ -455,9 +473,8 @@ struct uwsgi_dyn_dict {
struct uwsgi_dyn_dict *prev;
struct uwsgi_dyn_dict *next;
-#ifdef UWSGI_PCRE
- pcre *pattern;
- pcre_extra *pattern_extra;
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
+ uwsgi_pcre *pattern;
#endif
};
@@ -468,11 +485,10 @@ struct uwsgi_hook {
struct uwsgi_hook *next;
};
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
struct uwsgi_regexp_list {
- pcre *pattern;
- pcre_extra *pattern_extra;
+ uwsgi_pcre *pattern;
uint64_t custom;
char *custom_str;
@@ -1089,11 +1105,11 @@ struct uwsgi_plugin {
void (*post_uwsgi_fork) (int);
};
-#ifdef UWSGI_PCRE
-int uwsgi_regexp_build(char *, pcre **, pcre_extra **);
-int uwsgi_regexp_match(pcre *, pcre_extra *, char *, int);
-int uwsgi_regexp_match_ovec(pcre *, pcre_extra *, char *, int, int *, int);
-int uwsgi_regexp_ovector(pcre *, pcre_extra *);
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
+int uwsgi_regexp_build(char *, uwsgi_pcre **);
+int uwsgi_regexp_match(uwsgi_pcre *, const char *, int);
+int uwsgi_regexp_match_ovec(uwsgi_pcre *, const char *, int, int *, int);
+int uwsgi_regexp_ovector(const uwsgi_pcre *);
char *uwsgi_regexp_apply_ovec(char *, int, char *, int, int *, int);
int uwsgi_regexp_match_pattern(char *pattern, char *str);
@@ -1182,8 +1198,7 @@ struct uwsgi_spooler {
struct uwsgi_route {
- pcre *pattern;
- pcre_extra *pattern_extra;
+ uwsgi_pcre *pattern;
char *orig_route;
@@ -1292,15 +1307,14 @@ struct uwsgi_alarm_fd {
struct uwsgi_alarm_fd *uwsgi_add_alarm_fd(int, char *, size_t, char *, size_t);
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
struct uwsgi_alarm_ll {
struct uwsgi_alarm_instance *alarm;
struct uwsgi_alarm_ll *next;
};
struct uwsgi_alarm_log {
- pcre *pattern;
- pcre_extra *pattern_extra;
+ uwsgi_pcre *pattern;
int negate;
struct uwsgi_alarm_ll *alarms;
struct uwsgi_alarm_log *next;
@@ -2234,7 +2248,7 @@ struct uwsgi_server {
struct uwsgi_string_list *requested_log_encoders;
struct uwsgi_string_list *requested_log_req_encoders;
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
int pcre_jit;
struct uwsgi_regexp_list *log_drain_rules;
struct uwsgi_regexp_list *log_filter_rules;
@@ -2316,7 +2330,7 @@ struct uwsgi_server {
int static_gzip_all;
struct uwsgi_string_list *static_gzip_dir;
struct uwsgi_string_list *static_gzip_ext;
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
struct uwsgi_regexp_list *static_gzip;
#endif
@@ -2715,7 +2729,7 @@ struct uwsgi_server {
int ssl_sessions_timeout;
struct uwsgi_cache *ssl_sessions_cache;
char *ssl_tmp_dir;
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
struct uwsgi_regexp_list *sni_regexp;
#endif
struct uwsgi_string_list *sni;
@@ -3584,7 +3598,7 @@ void uwsgi_shutdown_all_sockets(void);
void uwsgi_close_all_unshared_sockets(void);
struct uwsgi_string_list *uwsgi_string_new_list(struct uwsgi_string_list **, char *);
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
struct uwsgi_regexp_list *uwsgi_regexp_custom_new_list(struct uwsgi_regexp_list **, char *, char *);
#define uwsgi_regexp_new_list(x, y) uwsgi_regexp_custom_new_list(x, y, NULL);
#endif
@@ -3838,7 +3852,7 @@ void uwsgi_opt_add_addr_list(char *, cha
void uwsgi_opt_add_string_list_custom(char *, char *, void *);
void uwsgi_opt_add_dyn_dict(char *, char *, void *);
void uwsgi_opt_binary_append_data(char *, char *, void *);
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
void uwsgi_opt_pcre_jit(char *, char *, void *);
void uwsgi_opt_add_regexp_dyn_dict(char *, char *, void *);
void uwsgi_opt_add_regexp_list(char *, char *, void *);
--- a/.github/workflows/compile-test.yml
+++ b/.github/workflows/compile-test.yml
@@ -9,6 +9,10 @@ on:
jobs:
build:
+ strategy:
+ matrix:
+ libpcre: [libpcre3-dev, libpcre2-dev]
+
runs-on: ubuntu-20.04
steps:
@@ -20,7 +24,7 @@ jobs:
run: |
sudo apt update -qq
sudo apt install --no-install-recommends -qqyf python3.8-dev \
- libxml2-dev libpcre3-dev libcap2-dev \
+ libxml2-dev ${{ matrix.libpcre }} libcap2-dev \
libargon2-0-dev libsodium-dev \
php7.4-dev libphp7.4-embed \
liblua5.1-0-dev ruby2.7-dev \
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,7 +21,7 @@ jobs:
run: |
sudo apt update -qq
sudo apt install --no-install-recommends -qqyf python${{ matrix.python-version }}-dev \
- libpcre3-dev libjansson-dev libcap2-dev \
+ libpcre2-dev libjansson-dev libcap2-dev \
curl check
- name: Install distutils
if: contains(fromJson('["3.6","3.7","3.8","3.9","3.10","3.11"]'), matrix.python-version)
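Review bot: switching this workflow to `libpcre2-dev` only means the classic libpcre code path (the `pattern->p`/`pattern->extra` wrapper in core/regexp.c) is never exercised at runtime any more; it is only built by the `libpcre` matrix in compile-test.yml. Suggest adding the pcre library as a matrix dimension here as well, so a regression in either `#ifdef` branch of the regexp functions shows up in the test run and not just in a compile.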
--- a/plugins/php/php_plugin.c
+++ b/plugins/php/php_plugin.c
@@ -16,7 +16,7 @@ struct uwsgi_php {
struct uwsgi_string_list *index;
struct uwsgi_string_list *set;
struct uwsgi_string_list *append_config;
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
struct uwsgi_regexp_list *app_bypass;
#endif
struct uwsgi_string_list *vars;
@@ -63,7 +63,7 @@ struct uwsgi_option uwsgi_php_options[]
{"php-fallback", required_argument, 0, "run the specified php script when the requested one does not exist", uwsgi_opt_set_str, &uphp.fallback, 0},
{"php-fallback2", required_argument, 0, "run the specified php script relative to the document root when the requested one does not exist", uwsgi_opt_set_str, &uphp.fallback2, 0},
{"php-fallback-qs", required_argument, 0, "php-fallback with QUERY_STRING set", uwsgi_opt_set_str, &uphp.fallback_qs, 0},
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
{"php-app-bypass", required_argument, 0, "if the regexp matches the uri the --php-app is bypassed", uwsgi_opt_add_regexp_list, &uphp.app_bypass, 0},
#endif
{"php-var", required_argument, 0, "add/overwrite a CGI variable at each request", uwsgi_opt_add_string_list, &uphp.vars, 0},
@@ -810,10 +810,14 @@ int uwsgi_php_request(struct wsgi_reques
wsgi_req->document_root_len = strlen(wsgi_req->document_root);
if (uphp.app) {
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
struct uwsgi_regexp_list *bypass = uphp.app_bypass;
while (bypass) {
+#ifdef UWSGI_PCRE2
+ if (uwsgi_regexp_match(bypass->pattern, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
+#else
if (uwsgi_regexp_match(bypass->pattern, bypass->pattern_extra, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
+#endif
goto oldstyle;
}
bypass = bypass->next;
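Review bot: the `#else` branch still calls `uwsgi_regexp_match(bypass->pattern, bypass->pattern_extra, wsgi_req->uri, wsgi_req->uri_len)`, but the new prototype in uwsgi.h is `uwsgi_regexp_match(uwsgi_pcre *, const char *, int)` and `struct uwsgi_regexp_list` no longer has a `pattern_extra` member, so a classic PCRE build of the PHP plugin fails to compile. Drop the `#ifdef UWSGI_PCRE2` split and use the three-argument call unconditionally, as every other caller in this patch does.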
@@ -849,7 +853,7 @@ appready:
goto secure2;
}
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
oldstyle:
#endif
--- a/core/config.c
+++ b/core/config.c
@@ -314,7 +314,7 @@ int uwsgi_logic_opt_if_not_hostname(char
return 0;
}
-#ifdef UWSGI_PCRE
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
int uwsgi_logic_opt_if_hostname_match(char *key, char *value) {
if (uwsgi_regexp_match_pattern(uwsgi.logic_opt_data, uwsgi.hostname)) {
add_exported_option(key, uwsgi_substitute(value, "%(_)", uwsgi.logic_opt_data), 0);

@ -5,12 +5,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=v2ray-core
PKG_VERSION:=5.15.1
PKG_VERSION:=5.15.3
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/v2fly/v2ray-core/tar.gz/v$(PKG_VERSION)?
PKG_HASH:=461a65a1675f17ad95a2a5ddf0b016247a34aa376ed1738c143e7c6603ab4abd
PKG_HASH:=32b325e54ee93fb3563c33d3c097592aa857370055d8ef1c50fd2387678843df
PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE

@ -5,38 +5,38 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=v2ray-geodata
PKG_RELEASE:=r1
PKG_RELEASE:=1
PKG_LICENSE_FILES:=LICENSE
PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org>
include $(INCLUDE_DIR)/package.mk
GEOIP_VER:=202404040040
GEOIP_VER:=202404110039
GEOIP_FILE:=geoip.dat.$(GEOIP_VER)
define Download/geoip
URL:=https://github.com/v2fly/geoip/releases/download/$(GEOIP_VER)/
URL_FILE:=geoip.dat
FILE:=$(GEOIP_FILE)
HASH:=492a0af649accb4e9ae91f80a272e295ce6444489f6d85b389cdc635234c6ddf
HASH:=d4a2e3666139dc98b76f1b0bc7db6b9dd9b35a5d2b0aecb5943e4211c1ebd026
endef
GEOSITE_VER:=20240403140129
GEOSITE_VER:=20240410101316
GEOSITE_FILE:=dlc.dat.$(GEOSITE_VER)
define Download/geosite
URL:=https://github.com/v2fly/domain-list-community/releases/download/$(GEOSITE_VER)/
URL_FILE:=dlc.dat
FILE:=$(GEOSITE_FILE)
HASH:=bcae4b8ff409117b8f24e6c62c0d5c8c9d4dca75d335e12f8ac3a22331a81c52
HASH:=e74d3da9d4db57fba399f9093ffabbc6630a7cf10965ebcde07725a0f00e24d7
endef
GEOSITE_IRAN_VER:=202404010028
GEOSITE_IRAN_VER:=202404150255
GEOSITE_IRAN_FILE:=iran.dat.$(GEOSITE_IRAN_VER)
define Download/geosite-ir
URL:=https://github.com/bootmortis/iran-hosted-domains/releases/download/$(GEOSITE_IRAN_VER)/
URL_FILE:=iran.dat
FILE:=$(GEOSITE_IRAN_FILE)
HASH:=322d972bfb3f6bb5d960c6d7e14a732d75f0a32ad59ce609a1a9843eef51e257
HASH:=7b29fd53c2a25c6d79eeb6f76cc4b0a0770fe00eee1ea4d7a4a9f77d49ca44ad
endef
define Package/v2ray-geodata/template
@ -51,7 +51,7 @@ define Package/v2ray-geoip
$(call Package/v2ray-geodata/template)
TITLE:=GeoIP List for V2Ray
PROVIDES:=v2ray-geodata xray-geodata xray-geoip
VERSION:=$(GEOIP_VER)-$(PKG_RELEASE)
VERSION:=$(GEOIP_VER)-r$(PKG_RELEASE)
LICENSE:=CC-BY-SA-4.0
endef
@ -59,7 +59,7 @@ define Package/v2ray-geosite
$(call Package/v2ray-geodata/template)
TITLE:=Geosite List for V2Ray
PROVIDES:=v2ray-geodata xray-geodata xray-geosite
VERSION:=$(GEOSITE_VER)-$(PKG_RELEASE)
VERSION:=$(GEOSITE_VER)-r$(PKG_RELEASE)
LICENSE:=MIT
endef
@ -67,7 +67,7 @@ define Package/v2ray-geosite-ir
$(call Package/v2ray-geodata/template)
TITLE:=Iran Geosite List for V2Ray
PROVIDES:=xray-geosite-ir
VERSION:=$(GEOSITE_IRAN_VER)-$(PKG_RELEASE)
VERSION:=$(GEOSITE_IRAN_VER)-r$(PKG_RELEASE)
LICENSE:=MIT
endef

View File

@ -41,15 +41,6 @@ CONFIGURE_ARGS+= \
--with-kbuild="$(LINUX_DIR)" \
--with-xtlibdir="/usr/lib/iptables"
ifdef CONFIG_EXTERNAL_TOOLCHAIN
MAKE_FLAGS:= \
$(patsubst ARCH=%,ARCH=$(LINUX_KARCH),$(MAKE_FLAGS)) \
DEPMOD="/bin/true"
MAKE_INSTALL_FLAGS:= \
$(patsubst ARCH=%,ARCH=$(LINUX_KARCH),$(MAKE_FLAGS)) \
DEPMOD="/bin/true"
else
define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
$(KERNEL_MAKE_FLAGS) \
@ -65,7 +56,6 @@ define Build/Install
DEPMOD="/bin/true" \
install
endef
endif
# 1: extension/module suffix used in package name
# 2: extension/module display name used in package title/description
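Review bot: removing the `ifdef CONFIG_EXTERNAL_TOOLCHAIN` branch leaves the `Build/Compile` at the end of the first hunk as the only compile path, so external-toolchain builds now rely on `$(KERNEL_MAKE_FLAGS)` to supply the `ARCH=$(LINUX_KARCH)` substitution that the deleted `MAKE_FLAGS` / `MAKE_INSTALL_FLAGS` block did by hand; the commit message should say so. Also confirm that the `DEPMOD="/bin/true"` override, still present in `Build/Install` (`DEPMOD="/bin/true" \` just before `install`), is passed on the compile path as well, so the host's depmod is never invoked during a cross build.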

View File

@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=shairport-sync
PKG_VERSION:=4.3.2
PKG_RELEASE:=3
PKG_RELEASE:=5
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/mikebrady/shairport-sync/tar.gz/$(PKG_VERSION)?
@ -29,7 +29,7 @@ define Package/shairport-sync/default
SECTION:=sound
CATEGORY:=Sound
TITLE:=AirPlay compatible audio player
DEPENDS:=@AUDIO_SUPPORT +libpthread +alsa-lib +libconfig +libdaemon +libpopt +libplist +libsodium +libgcrypt +libffmpeg-full +libuuid +nqptp
DEPENDS:=@AUDIO_SUPPORT +libpthread +alsa-lib +libconfig +libdaemon +libpopt +libplist +libsodium +libgcrypt +libffmpeg-full +libuuid +nqptp +libmosquitto
PROVIDES:=shairport-sync
URL:=https://github.com/mikebrady/shairport-sync
endef
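Review bot: `+libmosquitto` on the `DEPENDS:=` line becomes a hard dependency of every shairport-sync variant, paired with `--with-mqtt-client` in the hunk below, even though the UCI default added in the same change is `mqtt_enabled 'no'`; every user therefore pulls in the MQTT client library and code path. If footprint matters, a build-time option or a separate variant would keep the default install smaller. The first hunk also moves `PKG_RELEASE` from 3 to 5 with no intermediate release visible here; the commit message should explain the jump.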
@ -80,6 +80,7 @@ CONFIGURE_ARGS += \
--with-libdaemon \
--with-airplay-2 \
--with-pipe \
--with-mqtt-client \
--with-metadata
ifeq ($(BUILD_VARIANT),openssl)

View File

@ -37,6 +37,10 @@ config shairport-sync 'shairport_sync'
# Session Control
option sesctl_run_before_play_begins '' # /etc/shairport-sync-start.sh
option sesctl_run_after_play_ends '' # /etc/shairport-sync-stop.sh
option sesctl_run_before_entering_active_state '' # /path/to/script.sh
option sesctl_run_after_exiting_active_state '' # /path/to/script.sh
option sesctl_run_if_an_unfixable_error_is_detected '' # /path/to/script.sh
option sesctl_run_when_volume_is_set '' # /path/to/script.sh
option sesctl_wait_for_completion '' # no/yes
option sesctl_session_interruption '' # no/yes
option sesctl_session_timeout '' # 120
@ -56,6 +60,17 @@ config shairport-sync 'shairport_sync'
# Stdout
option stdout_latency_offset '' # 0
option stdout_buffer_length '' # 44100
# MQTT: https://github.com/mikebrady/shairport-sync/blob/master/MQTT.md
option mqtt_enabled 'no'
option mqtt_hostname '127.0.0.1'
option mqtt_port '1883'
option mqtt_username '' # empty = no authentication
option mqtt_password '' # empty = no authentication
option mqtt_topic 'shairport'
option mqtt_publish_raw 'no'
option mqtt_publish_parsed 'no'
option mqtt_publish_cover 'no'
option mqtt_enable_remote 'no'
# AO
option ao_latency_offset '' # 0
option ao_buffer_length '' # 44100
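Review bot: the new `mqtt_*` block stores `mqtt_username` and `mqtt_password` in clear text in the UCI config and adds no TLS-related keys next to `mqtt_hostname '127.0.0.1'` / `mqtt_port '1883'`, so once a user points `mqtt_hostname` at a remote broker the credentials and all published metadata cross the network unencrypted on the default MQTT port. Document that the loopback default is the intended setting, and that `mqtt_enable_remote 'no'`, which by its name accepts control messages from the broker, should stay off unless the broker is trusted. The `mqtt_publish_*` and `mqtt_enable_remote` options should also carry the same `# no/yes` value hints the neighbouring `sesctl_*` options have.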

View File

@ -83,6 +83,10 @@ start_instance() {
printf "{\n"
append_str "$cfg" sesctl_run_before_play_begins "run_this_before_play_begins"
append_str "$cfg" sesctl_run_after_play_ends "run_this_after_play_ends"
append_str "$cfg" sesctl_run_before_entering_active_state "run_this_before_entering_active_state"
append_str "$cfg" sesctl_run_after_exiting_active_state "run_this_after_exiting_active_state"
append_str "$cfg" sesctl_run_if_an_unfixable_error_is_detected "run_this_if_an_unfixable_error_is_detected"
append_str "$cfg" sesctl_run_when_volume_is_set "run_this_when_volume_is_set"
append_str "$cfg" sesctl_wait_for_completion "wait_for_completion"
append_str "$cfg" sesctl_session_interruption "allow_session_interruption"
append_num "$cfg" sesctl_session_timeout "session_timeout"
@ -116,6 +120,21 @@ start_instance() {
append_num "$cfg" stdout_buffer_length "audio_backend_buffer_desired_length"
printf "};\n\n"
# MQTT
printf "mqtt =\n"
printf "{\n"
append_str "$cfg" mqtt_enabled "enabled"
append_str "$cfg" mqtt_hostname "hostname"
append_num "$cfg" mqtt_port "port"
append_str "$cfg" mqtt_username "username"
append_str "$cfg" mqtt_password "password"
append_str "$cfg" mqtt_topic "topic"
append_str "$cfg" mqtt_publish_raw "publish_raw"
append_str "$cfg" mqtt_publish_parsed "publish_parsed"
append_str "$cfg" mqtt_publish_cover "publish_cover"
append_str "$cfg" mqtt_enable_remote "enable_remote"
printf "};\n\n"
# AO audio back end
printf "ao =\n"
printf "{\n"
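Review bot: `append_str "$cfg" mqtt_password "password"` writes the broker password into the generated shairport-sync configuration, so check that the file this `printf` stream is redirected to is created with owner-only permissions, and that `append_str` escapes embedded double quotes and backslashes: a password containing `"` would otherwise terminate the generated string early and break parsing of the whole config. The same applies to `mqtt_username` and `mqtt_topic`, which are user-supplied strings emitted through the same helper.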

View File

@ -1,143 +0,0 @@
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=audit
PKG_VERSION:=2.8.5
PKG_RELEASE:=7
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://people.redhat.com/sgrubb/audit
PKG_HASH:=0e5d4103646e00f8d1981e1cd2faea7a2ae28e854c31a803e907a383c5e2ecb7
PKG_MAINTAINER:=Thomas Petazzoni <thomas.petazzoni@bootlin.com>
PKG_LICENSE:=GPL-2.0-or-later
PKG_LICENSE_FILES:=COPYING
PKG_CPE_ID:=cpe:/a:linux_audit_project:linux_audit
PKG_FIXUP:=autoreconf
PKG_BUILD_DIR=$(BUILD_DIR)/$(PKG_NAME)-packages/$(PKG_NAME)-$(PKG_VERSION)
PKG_BUILD_FLAGS:=no-mips16
include $(INCLUDE_DIR)/package.mk
define Package/audit/Default
TITLE:=Audit Daemon
URL:=http://people.redhat.com/sgrubb/audit/
endef
define Package/audit/Default/description
The audit package contains the user space utilities for
storing and searching the audit records generated by
the audit subsystem in the Linux 2.6 kernel
endef
define Package/libauparse
$(call Package/audit/Default)
SECTION:=libs
CATEGORY:=Libraries
TITLE+= (parsing shared library)
DEPENDS:= +libaudit
endef
define Package/libauparse/description
$(call Package/audit/Default/description)
This package contains the audit parsing shared library.
endef
define Package/audit-utils
$(call Package/audit/Default)
SECTION:=utils
CATEGORY:=Utilities
TITLE+= (utilities)
DEPENDS:= +libaudit +libauparse
endef
define Package/audit-utils/description
$(call Package/audit/Default/description)
This package contains the audit utilities.
endef
define Package/audit
$(call Package/audit/Default)
SECTION:=utils
CATEGORY:=Utilities
TITLE+= (daemon)
DEPENDS:= +libaudit +libauparse +audit-utils +libev
endef
define Package/audit/description
$(call Package/audit/Default/description)
This package contains the audit daemon.
endef
CONFIGURE_VARS += \
LDFLAGS_FOR_BUILD="$(HOST_LDFLAGS)" \
CPPFLAGS_FOR_BUILD="$(HOST_CPPFLAGS)" \
CFLAGS_FOR_BUILD="$(HOST_CFLAGS)" \
CC_FOR_BUILD="$(HOSTCC)"
CONFIGURE_ARGS += \
--without-libcap-ng \
--disable-systemd \
--without-python \
--without-python3 \
--disable-zos-remote
ifeq ($(ARCH),aarch64)
CONFIGURE_ARGS += --with-aarch64
else ifeq ($(ARCH),arm)
CONFIGURE_ARGS += --with-arm
endif
# We can't use the default, as the default passes $(MAKE_ARGS), which
# overrides CC, CFLAGS, etc. and defeats the *_FOR_BUILD definitions
# passed in CONFIGURE_VARS
define Build/Compile
$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR)/$(MAKE_PATH)
endef
define Build/Install
$(call Build/Install/Default,install)
$(SED) 's%^dispatcher *=.*%dispatcher = /usr/sbin/audispd%' $(PKG_INSTALL_DIR)/etc/audit/auditd.conf
endef
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include
$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/*.pc $(1)/usr/lib/pkgconfig/
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/
endef
define Package/libauparse/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libauparse.so.* $(1)/usr/lib/
endef
define Package/audit-utils/install
$(INSTALL_DIR) $(1)/usr/bin
$(CP) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin/
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) \
$(PKG_INSTALL_DIR)/usr/sbin/{augenrules,audispd,audisp-remote,auditctl,autrace,aureport,ausearch} \
$(1)/usr/sbin/
endef
define Package/audit/install
$(INSTALL_DIR) $(1)/etc/audit
$(CP) $(PKG_INSTALL_DIR)/etc/audit/* $(1)/etc/audit/
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/audit.init $(1)/etc/init.d/audit
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/auditd $(1)/usr/sbin/
endef
$(eval $(call BuildPackage,libauparse))
$(eval $(call BuildPackage,audit-utils))
$(eval $(call BuildPackage,audit))
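Review bot: this hunk deletes the `audit` (daemon), `audit-utils` and `libauparse` packages outright (`PKG_VERSION:=2.8.5`, its three backported patches and the init script go in the following hunks) with nothing added in their place anywhere in the visible diff, so users who have `auditd` in their builds lose it silently on the next update. The commit message should state where the package moved, or why it is dropped, and give migration guidance for existing `/etc/audit` deployments.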

View File

@ -1,16 +0,0 @@
#!/bin/sh /etc/rc.common
# Copyright (c) 2014 OpenWrt.org
START=11
USE_PROCD=1
PROG=/usr/sbin/auditd
start_service() {
mkdir -p /var/log/audit
procd_open_instance
procd_set_param command "$PROG" -n
procd_set_param respawn
procd_close_instance
test -f /etc/audit/rules.d/audit.rules && /usr/sbin/auditctl -R /etc/audit/rules.d/audit.rules
}

View File

@ -1,122 +0,0 @@
From c39a071e7c021f6ff3554aca2758e97b47a9777c Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Tue, 26 Feb 2019 18:33:33 -0500
Subject: [PATCH] Add substitue functions for strndupa & rawmemchr
(cherry picked from commit d579a08bb1cde71f939c13ac6b2261052ae9f77e)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
auparse/auparse.c | 12 +++++++++++-
auparse/interpret.c | 9 ++++++++-
configure.ac | 14 +++++++++++++-
src/ausearch-lol.c | 12 +++++++++++-
4 files changed, 43 insertions(+), 4 deletions(-)
--- a/auparse/auparse.c
+++ b/auparse/auparse.c
@@ -1,5 +1,5 @@
/* auparse.c --
- * Copyright 2006-08,2012-17 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina.
* All Rights Reserved.
*
* This library is free software; you can redistribute it and/or
@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t
return 0;
}
+#ifndef HAVE_STRNDUPA
+static inline char *strndupa(const char *old, size_t n)
+{
+ size_t len = strnlen(old, n);
+ char *tmp = alloca(len + 1);
+ tmp[len] = 0;
+ return memcpy(tmp, old, len);
+}
+#endif
+
/* Returns 0 on success and 1 on error */
static int extract_timestamp(const char *b, au_event_t *e)
{
--- a/auparse/interpret.c
+++ b/auparse/interpret.c
@@ -853,6 +853,13 @@ err_out:
return print_escaped(id->val);
}
+// rawmemchr is faster. Let's use it if we have it.
+#ifdef HAVE_RAWMEMCHR
+#define STRCHR rawmemchr
+#else
+#define STRCHR strchr
+#endif
+
static const char *print_proctitle(const char *val)
{
char *out = (char *)print_escaped(val);
@@ -863,7 +870,7 @@ static const char *print_proctitle(const
// Proctitle has arguments separated by NUL bytes
// We need to write over the NUL bytes with a space
// so that we can see the arguments
- while ((ptr = rawmemchr(ptr, '\0'))) {
+ while ((ptr = STRCHR(ptr, '\0'))) {
if (ptr >= end)
break;
*ptr = ' ';
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,7 @@
dnl
define([AC_INIT_NOTICE],
[### Generated automatically using autoconf version] AC_ACVERSION [
-### Copyright 2005-18 Steve Grubb <sgrubb@redhat.com>
+### Copyright 2005-19 Steve Grubb <sgrubb@redhat.com>
###
### Permission is hereby granted, free of charge, to any person obtaining a
### copy of this software and associated documentation files (the "Software"),
@@ -72,6 +72,18 @@ dnl; posix_fallocate is used in audisp-r
AC_CHECK_FUNCS([posix_fallocate])
dnl; signalfd is needed for libev
AC_CHECK_FUNC([signalfd], [], [ AC_MSG_ERROR([The signalfd system call is necessary for auditd]) ])
+dnl; check if rawmemchr is available
+AC_CHECK_FUNCS([rawmemchr])
+dnl; check if strndupa is available
+AC_LINK_IFELSE(
+ [AC_LANG_SOURCE(
+ [[
+ #define _GNU_SOURCE
+ #include <string.h>
+ int main() { (void) strndupa("test", 10); return 0; }]])],
+ [AC_DEFINE(HAVE_STRNDUPA, 1, [Let us know if we have it or not])],
+ []
+)
ALLWARNS=""
ALLDEBUG="-g"
--- a/src/ausearch-lol.c
+++ b/src/ausearch-lol.c
@@ -1,6 +1,6 @@
/*
* ausearch-lol.c - linked list of linked lists library
-* Copyright (c) 2008,2010,2014,2016 Red Hat Inc., Durham, North Carolina.
+* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina.
* All Rights Reserved.
*
* This software may be freely redistributed and/or modified under the
@@ -152,6 +152,16 @@ static int compare_event_time(event *e1,
return 0;
}
+#ifndef HAVE_STRNDUPA
+static inline char *strndupa(const char *old, size_t n)
+{
+ size_t len = strnlen(old, n);
+ char *tmp = alloca(len + 1);
+ tmp[len] = 0;
+ return memcpy(tmp, old, len);
+}
+#endif
+
/*
* This function will look at the line and pick out pieces of it.
*/

View File

@ -1,21 +0,0 @@
From 017e6c6ab95df55f34e339d2139def83e5dada1f Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Fri, 10 Jan 2020 21:13:50 -0500
Subject: [PATCH 01/30] Header definitions need to be external when building
with -fno-common (which is default in GCC 10) - Tony Jones
---
src/ausearch-common.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/src/ausearch-common.h
+++ b/src/ausearch-common.h
@@ -50,7 +50,7 @@ extern pid_t event_pid;
extern int event_exact_match;
extern uid_t event_uid, event_euid, event_loginuid;
extern const char *event_tuid, *event_teuid, *event_tauid;
-slist *event_node_list;
+extern slist *event_node_list;
extern const char *event_comm;
extern const char *event_filename;
extern const char *event_hostname;

View File

@ -1,52 +0,0 @@
From 6b09724c69d91668418ddb3af00da6db6755208c Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Thu, 2 Sep 2021 15:01:12 -0400
Subject: [PATCH] Make IPX packet interpretation dependent on the ipx header
file existing
--- a/auparse/interpret.c
+++ b/auparse/interpret.c
@@ -44,8 +44,10 @@
#include <linux/ax25.h>
#include <linux/atm.h>
#include <linux/x25.h>
-#include <linux/if.h> // FIXME: remove when ipx.h is fixed
-#include <linux/ipx.h>
+#ifdef HAVE_IPX_HEADERS
+ #include <linux/if.h> // FIXME: remove when ipx.h is fixed
+ #include <linux/ipx.h>
+#endif
#include <linux/capability.h>
#include <sys/personality.h>
#include <sys/prctl.h>
@@ -1158,6 +1160,7 @@ static const char *print_sockaddr(const
x->sax25_call.ax25_call[6]);
}
break;
+#ifdef HAVE_IPX_HEADERS
case AF_IPX:
{
const struct sockaddr_ipx *ip =
@@ -1167,6 +1170,7 @@ static const char *print_sockaddr(const
str, ip->sipx_port, ip->sipx_network);
}
break;
+#endif
case AF_ATMPVC:
{
const struct sockaddr_atmpvc* at =
--- a/configure.ac
+++ b/configure.ac
@@ -414,6 +414,12 @@ if test x"$LIBWRAP_LIBS" != "x"; then
AC_DEFINE_UNQUOTED(HAVE_LIBWRAP, [], Define if tcp_wrappers support is enabled )
fi
+# linux/ipx.h - deprecated in 2018
+AC_CHECK_HEADER(linux/ipx.h, ipx_headers=yes, ipx_headers=no)
+if test $ipx_headers = yes ; then
+ AC_DEFINE(HAVE_IPX_HEADERS,1,[IPX packet interpretation])
+fi
+
# See if we want to support lower capabilities for plugins
LIBCAP_NG_PATH

View File

@ -2,11 +2,12 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=cni-plugins-nft
PKG_VERSION:=1.0.12
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/greenpau/cni-plugins/archive/v$(PKG_VERSION)
PKG_HASH:=51c4b41c61f46c7dfc691d52dba301e7d8189589e1a625772f761ea3ae804fb3
PKG_SOURCE_PROTO:=git
PKG_SOURCE_VERSION:=v$(PKG_VERSION)
PKG_SOURCE_URL:=https://github.com/greenpau/cni-plugins
PKG_MIRROR_HASH:=3bb778c8f48261eaaee8b14b9219f1730967ef16158b5b540d45da54ef580e53
PKG_MAINTAINER:=Oskari Rauta <oskari.rauta@gmail.com>
PKG_LICENSE:=Apache-2.0
@ -23,8 +24,6 @@ GO_PKG_BUILD_PKG:=github.com/greenpau/cni-plugins/cmd/cni-nftables-portmap \
include $(INCLUDE_DIR)/package.mk
include ../../lang/golang/golang-package.mk
PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)"
define Package/cni-plugins-nft
SECTION:=utils
CATEGORY:=Utilities
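Review bot: with `PKG_SOURCE_PROTO:=git` and `PKG_SOURCE_VERSION:=v$(PKG_VERSION)` the checkout is pinned to a tag rather than a commit, and tags are mutable upstream; `PKG_MIRROR_HASH` on the packed checkout is what turns a moved tag into a build failure instead of silently different sources, so it must be regenerated on every bump. Pinning `PKG_SOURCE_VERSION` to the release commit id would make the pin immutable. The commit message should also give the reason for leaving the hash-verified tarball (`PKG_HASH`) for git, since the `PKG_UNPACK` override with `--strip-components=1` is removed in the second hunk as a consequence.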

View File

@ -2,15 +2,16 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=cni-plugins
PKG_VERSION:=1.1.1
PKG_RELEASE:=1
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/containernetworking/plugins/archive/v$(PKG_VERSION)
PKG_HASH:=c86c44877c47f69cd23611e22029ab26b613f620195b76b3ec20f589367a7962
PKG_SOURCE_PROTO:=git
PKG_SOURCE_VERSION:=v$(PKG_VERSION)
PKG_SOURCE_URL:=https://github.com/containernetworking/plugins
PKG_MIRROR_HASH:=4372700fa1fb159235586432800f228d92246d13571f5a29aa9bc58291eac6d9
PKG_MAINTAINER:=Daniel Golle <daniel@makrotopia.org>, Paul Spooren <mail@aparcar.org>
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE
PKG_BUILD_DEPENDS:=golang/host
PKG_BUILD_PARALLEL:=1
@ -24,8 +25,6 @@ GO_PKG_BUILD_PKG:=github.com/containernetworking/plugins/plugins/main/... \
include $(INCLUDE_DIR)/package.mk
include ../../lang/golang/golang-package.mk
PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)"
define Package/cni-plugins
SECTION:=utils
CATEGORY:=Utilities
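Review bot: removing the `PKG_UNPACK` override (`--strip-components=1`) changes the layout of `$(PKG_BUILD_DIR)` from the tarball's top-level directory to the bare git checkout; confirm that `GO_PKG_BUILD_PKG:=github.com/containernetworking/plugins/plugins/main/...` still resolves through `golang-package.mk` with the new layout. The `PKG_LICENSE` / `PKG_LICENSE_FILES` lines only change position in the first hunk and remain before `include $(INCLUDE_DIR)/package.mk`, which is fine, but the same tag-versus-commit caveat applies as for any `PKG_SOURCE_VERSION:=v$(PKG_VERSION)` pin: only `PKG_MIRROR_HASH` detects a moved tag.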

View File

@ -1,14 +1,14 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=compose
PKG_VERSION:=2.26.1
PKG_RELEASE:=2
PKG_VERSION:=2.27.0
PKG_RELEASE:=1
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE
PKG_SOURCE:=$(PKG_NAME)-v$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/docker/compose/tar.gz/v${PKG_VERSION}?
PKG_HASH:=081ad40241f8e144cad088a65e6fd0ec588e3d36931e5baabb3dc5ab068ceb60
PKG_HASH:=29b2232d1609dff03db74188a7944c85ba8b612f47a7e39938a43db8fb7d7067
PKG_MAINTAINER:=Javier Marcet <javier@marcet.info>

View File

@ -47,7 +47,7 @@ define Package/dockerd
+kmod-veth \
+tini \
+uci-firewall \
@!(mips||mipsel)
@!(mips||mips64||mipsel)
USERID:=docker:docker
MENU:=1
endef
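Review bot: `@!(mips||mips64||mipsel)` extends the exclusion to big-endian MIPS64 but still allows `mips64el`; if the build failure being fixed is MIPS64-specific rather than endianness-specific, `mips64el` needs the same exclusion. The commit message should name the failing architecture so the reason for the list is recoverable later.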

View File

@ -1,12 +1,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=eza
PKG_VERSION:=0.18.9
PKG_VERSION:=0.18.11
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/eza-community/eza/tar.gz/v$(PKG_VERSION)?
PKG_HASH:=917736591429813ef4cfce47bb2d3d87e9f1e142b2a6ebf74a345c3a15894918
PKG_HASH:=92d810c36ac67038e2ed3c421087de8793eb0b9de332c9239096df9d52eb30e3
PKG_MAINTAINER:=Jonas Jelonek <jelonek.jonas@gmail.com>
PKG_LICENSE:=MIT

View File

@ -31,7 +31,7 @@ define Package/mstflint
CATEGORY:=Utilities
TITLE:=Mellanox Firmware Burning and Diagnostics Tools
URL:=https://github.com/Mellanox/mstflint
DEPENDS:=@!(mips||mipsel) \
DEPENDS:=@!(mips||mips64||mipsel) \
+libcurl +liblzma +libopenssl +libsqlite3 \
+libstdcpp +libxml2 +python3-ctypes \
+python3-urllib +python3-xml +zlib
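Review bot: same arch list as in the dockerd hunk: `mips64el` stays allowed while `mips64` joins the exclusion on the `DEPENDS:=` line; state in the commit whether mstflint fails only on big-endian MIPS64 or whether `mips64el` should be excluded too.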

View File

@ -0,0 +1,91 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hauke Mehrtens <hauke@hauke-m.de>
Date: Sun, 14 Apr 2024 16:06:15 +0200
Subject: Support POSIX basename() from musl libc
Musl libc 1.2.5 removed the definition of the basename() function from
string.h and only provides it in libgen.h as the POSIX standard
defines it.
This change fixes compilation with musl libc 1.2.5.
````
build_dir/target-mips_24kc_musl/rtty-mbedtls/rtty-8.1.1/src/file.c:156:24: error: implicit declaration of function 'basename' [-Werror=implicit-function-declaration]
156 | const char *name = basename(path);
| ^~~~~~~~
````
basename() modifies the input string, copy it first with strdup(), If
strdup() returns NULL the code will handle it.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
---
src/file.c | 8 +++++++-
src/filectl.c | 6 +++++-
2 files changed, 12 insertions(+), 2 deletions(-)
--- a/src/file.c
+++ b/src/file.c
@@ -29,6 +29,7 @@
#include <unistd.h>
#include <mntent.h>
#include <inttypes.h>
+#include <libgen.h>
#include <sys/statvfs.h>
#include <linux/limits.h>
#include <sys/sysinfo.h>
@@ -153,13 +154,17 @@ static int start_upload_file(struct file
{
struct tty *tty = container_of(ctx, struct tty, file);
struct rtty *rtty = tty->rtty;
- const char *name = basename(path);
+ const char *name;
struct stat st;
int fd;
+ char *dirc;
+ dirc = strdup(path);
+ name = basename(dirc);
fd = open(path, O_RDONLY);
if (fd < 0) {
log_err("open '%s' fail: %s\n", path, strerror(errno));
+ free(dirc);
return -1;
}
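Review bot: the commit message's claim that a `NULL` from `strdup()` is handled does not hold for `name = basename(dirc);`: POSIX `basename(NULL)` returns a pointer to the string `"."`, so an allocation failure would silently upload the file under the name `.` instead of failing. Add an explicit check after `dirc = strdup(path);` (`if (!dirc) return -1;`), and check whether any early return between this hunk and the final `free(dirc);` in the next hunk (lines not shown here) leaks `dirc`.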
@@ -177,6 +182,7 @@ static int start_upload_file(struct file
ctx->remain_size = st.st_size;
log_info("upload file: %s, size: %" PRIu64 "\n", path, (uint64_t)st.st_size);
+ free(dirc);
return 0;
}
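Review bot: `free(dirc);` before `return 0;` releases the buffer that `name` points into, so `name` must not have been stored in `ctx` or queued in a message that is consumed after this point; the previous hunk shows `name` being derived from `dirc` but not where it is consumed, so that use needs a check for a use-after-free.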
--- a/src/filectl.c
+++ b/src/filectl.c
@@ -30,6 +30,7 @@
#include <errno.h>
#include <stdio.h>
#include <fcntl.h>
+#include <libgen.h>
#include "utils.h"
#include "file.h"
@@ -75,6 +76,7 @@ static void handle_file_control_msg(int
{
struct file_control_msg msg;
struct buffer b = {};
+ char *dirc;
while (true) {
if (buffer_put_fd(&b, fd, -1, NULL) < 0)
@@ -90,7 +92,9 @@ static void handle_file_control_msg(int
if (sfd > -1) {
close(sfd);
gettimeofday(&start_time, NULL);
- printf("Transferring '%s'...Press Ctrl+C to cancel\n", basename(path));
+ dirc = strdup(path);
+ printf("Transferring '%s'...Press Ctrl+C to cancel\n", basename(dirc));
+ free(dirc);
if (total_size == 0) {
printf(" 100%% 0 B 0s\n");
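Review bot: `basename(dirc)` with a `NULL` `dirc` from `strdup()` yields `"."` here too, which is only cosmetic inside a `printf`, but the `strdup` / `basename` / `free` sequence is now duplicated between file.c and filectl.c; a small helper that performs the `NULL` check once would keep both in step.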

View File

@ -0,0 +1,72 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hauke Mehrtens <hauke@hauke-m.de>
Date: Sun, 14 Apr 2024 15:33:51 +0200
Subject: Support POSIX basename() from musl libc
Musl libc 1.2.5 removed the definition of the basename() function from
string.h and only provides it in libgen.h as the POSIX standard
defines it.
This change fixes compilation with musl libc 1.2.5.
````
build_dir/target-mips_24kc_musl/tini-0.19.0/src/tini.c:227:36: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
227 | fprintf(file, "%s (%s)\n", basename(name), TINI_VERSION_STRING);
build_dir/target-mips_24kc_musl/tini-0.19.0/src/tini.c:227:25: error: format '%s' expects argument of type 'char *', but argument 3 has type 'int' [-Werror=format=]
227 | fprintf(file, "%s (%s)\n", basename(name), TINI_VERSION_STRING);
| ~^ ~~~~~~~~~~~~~~
| | |
| char * int
| %d
````
basename() modifies the input string, copy it first with strdup(), If
strdup() returns NULL the code will handle it.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
---
src/tini.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--- a/src/tini.c
+++ b/src/tini.c
@@ -14,6 +14,7 @@
#include <stdlib.h>
#include <unistd.h>
#include <stdbool.h>
+#include <libgen.h>
#include "tiniConfig.h"
#include "tiniLicense.h"
@@ -224,14 +225,19 @@ int spawn(const signal_configuration_t*
}
void print_usage(char* const name, FILE* const file) {
- fprintf(file, "%s (%s)\n", basename(name), TINI_VERSION_STRING);
+ char *dirc, *bname;
+
+ dirc = strdup(name);
+ bname = basename(dirc);
+
+ fprintf(file, "%s (%s)\n", bname, TINI_VERSION_STRING);
#if TINI_MINIMAL
- fprintf(file, "Usage: %s PROGRAM [ARGS] | --version\n\n", basename(name));
+ fprintf(file, "Usage: %s PROGRAM [ARGS] | --version\n\n", bname);
#else
- fprintf(file, "Usage: %s [OPTIONS] PROGRAM -- [ARGS] | --version\n\n", basename(name));
+ fprintf(file, "Usage: %s [OPTIONS] PROGRAM -- [ARGS] | --version\n\n", bname);
#endif
- fprintf(file, "Execute a program under the supervision of a valid init process (%s)\n\n", basename(name));
+ fprintf(file, "Execute a program under the supervision of a valid init process (%s)\n\n", bname);
fprintf(file, "Command line options:\n\n");
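Review bot: `dirc = strdup(name);` is not checked for `NULL` before `bname = basename(dirc);`, so an allocation failure prints the usage banner with `.` as the program name rather than failing (POSIX `basename(NULL)` returns `"."`), which contradicts the commit message's statement that the case is handled; either add the check or drop that sentence from the message. The `free(dirc);` in the following hunk (`@@ -261,6 +267,7 @@`) is correctly placed, since every visible use of `bname` is inside `print_usage`.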
@@ -261,6 +267,7 @@ void print_usage(char* const name, FILE*
fprintf(file, " %s: Send signals to the child's process group.\n", KILL_PROCESS_GROUP_GROUP_ENV_VAR);
fprintf(file, "\n");
+ free(dirc);
}
void print_license(FILE* const file) {

View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=usbmuxd
PKG_VERSION:=1.1.1
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=https://www.libimobiledevice.org/downloads
@ -31,7 +31,7 @@ define Package/usbmuxd
SUBMENU:=libimobiledevice
TITLE:=USB multiplexing daemon
URL:=https://www.libimobiledevice.org/
DEPENDS:=+librt +libusb-1.0 +libusbmuxd +libopenssl +libimobiledevice
DEPENDS:=+libusb-1.0 +libusbmuxd +libopenssl +libimobiledevice +usbutils
endef
define Package/usbmuxd/description
@ -50,7 +50,9 @@ endef
CONFIGURE_ARGS += --with-systemd
define Package/usbmuxd/install
$(INSTALL_DIR) $(1)/etc/hotplug.d/usb
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/usbmuxd.hotplug $(1)/etc/hotplug.d/usb/40-usbmuxd
$(INSTALL_BIN) ./files/usbmuxd.init $(1)/etc/init.d/usbmuxd
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/usbmuxd $(1)/usr/sbin/
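Review bot: the new `+usbutils` dependency on the `DEPENDS:=` line exists to provide the `/usr/bin/usbreset` binary called by the hotplug script installed here as `40-usbmuxd`, and `+librt` is dropped on the same line; say both in the commit message, and confirm that `usbutils` in this tree actually ships `usbreset`, otherwise the handler fails at runtime rather than at build time.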

View File

@ -0,0 +1,24 @@
case "$ACTION" in
bind)
dev=/sys$DEVPATH
[ ! -f /tmp/iPhone.lock ] && [ -d ${dev}/net ] &&
{
readlink ${dev}/driver | grep -q ipheth &&
{
sleep 5
carrier_path=${dev}/net/*/carrier
carrier=`cat ${carrier_path}`
[ "${carrier}" = "0" ] &&
{
touch /tmp/iPhone.lock
logger -p daemon.error -t iPhone ${carrier_path} = ${carrier}
logger -p daemon.error -t iPhone `/usr/bin/usbreset iPhone`
/etc/init.d/usbmuxd restart
sleep 5 && rm -f /tmp/iPhone.lock &
}
}
}
;;
esac
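Review bot: the unconditional `sleep 5` (plus the backgrounded `sleep 5 && rm -f /tmp/iPhone.lock &`) blocks the hotplug handler for five seconds on every `bind` of an ipheth device; the lock file `/tmp/iPhone.lock` lives in a world-writable directory, so any local process can create it and disable the reset workaround, and `carrier_path=${dev}/net/*/carrier` is a glob that is only expanded at `cat ${carrier_path}`, which breaks if more than one net interface appears under the device. Consider a lock under `/var/run`, `daemon.notice` rather than `daemon.error` for the informational `${carrier_path} = ${carrier}` message, and a `for` loop over the carrier files.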

View File

@ -12,11 +12,12 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=xxhash
PKG_VERSION:=0.8.2
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/Cyan4973/xxHash/archive/v$(PKG_VERSION)
PKG_HASH:=baee0c6afd4f03165de7a4e67988d16f0f2b257b51d0e3cb91909302a26a79c4
PKG_SOURCE_PROTO:=git
PKG_SOURCE_VERSION:=v$(PKG_VERSION)
PKG_SOURCE_URL:=https://github.com/Cyan4973/xxHash
PKG_MIRROR_HASH:=0602a12e9ecd009f97a2a845fb5e46af69a60f96547952e5b00228f33bed5cdd
# The source for the library (xxhash.c and xxhash.h) is BSD
# The source for the command line tool (xxhsum.c) is GPLv2+
@ -24,11 +25,10 @@ PKG_LICENSE:=BSD-2-Clause GPL-2.0-or-later
PKG_LICENSE_FILES:=LICENSE cli/COPYING
PKG_MAINTAINER:=Julien Malik <julien.malik@paraiso.me>
PKG_INSTALL:=1
CMAKE_SOURCE_SUBDIR:=cmake_unofficial
include $(INCLUDE_DIR)/package.mk
PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)"
include $(INCLUDE_DIR)/cmake.mk
define Package/xxhash/Default
TITLE:=Extremely fast hash algorithm
@ -74,7 +74,7 @@ define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include
$(CP) $(PKG_INSTALL_DIR)/usr/include/*.h $(1)/usr/include/
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxxhash.{a,so*} $(1)/usr/lib/
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxxhash.so* $(1)/usr/lib/
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libxxhash.pc $(1)/usr/lib/pkgconfig/
endef
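Review bot: `Build/InstallDev` changes from `libxxhash.{a,so*}` to `libxxhash.so*`, so the static library is no longer staged; any package that links xxhash statically will break, and the commit message should say whether the `cmake_unofficial` build simply no longer produces `libxxhash.a` or whether the static library is dropped on purpose. The git conversion in the first hunk carries the same caveat as the other `PKG_SOURCE_PROTO:=git` switches in this compare view: `v$(PKG_VERSION)` is a tag, and `PKG_MIRROR_HASH` is the only thing that detects a moved one.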

Some files were not shown because too many files have changed in this diff