Compare commits
89 Commits
a32bdd33da
...
81adfd9ec3
Author | SHA1 | Date |
---|---|---|
Marius Dinu | 81adfd9ec3 | |
Dirk Brenken | 2c6d5adac0 | |
Josef Schlehofer | 9d49df0dab | |
Josef Schlehofer | 6d5e404a0c | |
Paul Spooren | 26c101edc3 | |
Goetz Goerisch | 8b08b29271 | |
Stan Grishin | f471b6b459 | |
Javier Marcet | bb5e6e15ef | |
Dirk Brenken | 1721f4fb79 | |
Florian Eckert | cb9fcdab8a | |
Florian Eckert | 6efdaecf5b | |
Jianhui Zhao | e35b92835e | |
Stan Grishin | 74ce7e5707 | |
Stan Grishin | 22094a65b6 | |
Stan Grishin | 988a533153 | |
David Andreoletti | 13bcb52870 | |
Ray Wang | 5abbd3bcb2 | |
Hirokazu MORIKAWA | de361e98d0 | |
Georgi Valkov | 847a535a3b | |
Rosen Penev | 70a44730fd | |
Rosen Penev | ed50df97f7 | |
Rosen Penev | 47d91a4c09 | |
Rosen Penev | 7ee33e792e | |
Rosen Penev | 2fa8485ed8 | |
Rosen Penev | 4f09c95ee2 | |
Florian Eckert | 22f8fd5c5b | |
Anton Khazan | 199bd03b33 | |
Christian Marangi | 466ed55d59 | |
krant | 38560743c4 | |
David Andreoletti | 459fa7625c | |
Jianhui Zhao | 99bc6b2782 | |
Tianling Shen | e4e861e08d | |
Tianling Shen | ebed42fcb0 | |
Alexandru Ardelean | 2dc22d4a0c | |
Zephyr Lykos | 8b100c8dd1 | |
Eneas U de Queiroz | df6d6a4284 | |
Alexandru Ardelean | f5f0a4e868 | |
Georgi Valkov | a0c4d8a6fb | |
Rosen Penev | 66c237a78f | |
Dirk Brenken | ad755e0c4d | |
Christian Marangi | 2750b16b47 | |
Christian Marangi | fbb7ad4d10 | |
Christian Marangi | a9371952c9 | |
Stan Grishin | 474587a1f4 | |
Rosen Penev | 75f971407d | |
Jonas Jelonek | bf1b907d12 | |
Hauke Mehrtens | 9447654b6b | |
Rosen Penev | 72a6e17d49 | |
Rosen Penev | db07f86c35 | |
Hauke Mehrtens | ddd379416e | |
krant | 116bbd9359 | |
Josef Schlehofer | 46c8b621b0 | |
Dirk Brenken | d5a13478eb | |
Dirk Brenken | fa80fefe22 | |
Hannu Nyman | 767b3f2ea8 | |
Dirk Brenken | afae2776e9 | |
Paul Donald | b2742ed05d | |
Rosen Penev | 1bac5b386d | |
Hauke Mehrtens | 577259cfb9 | |
Hauke Mehrtens | b20e69d765 | |
Rosen Penev | 55440f2ac7 | |
Zephyr Lykos | 8982c3e61a | |
krant | 2650de4686 | |
Rosen Penev | bfb5d820bf | |
Maxim Storchak | 8951378aec | |
Rui Salvaterra | a7172aec50 | |
Jo-Philipp Wich | 3d99f1d2f1 | |
Alexandru Ardelean | c789bcefb1 | |
Michael Heimpold | b459d2e798 | |
Tianling Shen | c1e6fbbcb0 | |
Tianling Shen | d7e63d4e24 | |
Felix Fietkau | de4ef9d169 | |
Felix Fietkau | 23bd17806b | |
Josef Schlehofer | 4e20600abf | |
Marcus Folkesson | eb35a3be13 | |
Marcus Folkesson | 436e462c64 | |
Sean Khan | 660aa8091f | |
Sean Khan | caffa410ed | |
Sean Khan | 4cc682c8a4 | |
Michael Heimpold | 2682b28cb3 | |
Alexandru Ardelean | e3ed196f20 | |
Anton Khazan | fc35918026 | |
Alexandru Ardelean | 0592f27d99 | |
Alexandru Ardelean | 1a51bd18ac | |
Rui Salvaterra | 570ee10a13 | |
Sean Khan | 3cbb7474c3 | |
Sean Khan | fbf350d5e1 | |
Sean Khan | 43e924bacc | |
Marius Dinu | e87d89da2e |
|
@ -1,93 +0,0 @@
|
|||
FROM debian:10
|
||||
|
||||
|
||||
# Configuration version history
|
||||
# v1.0 - Initial version by Etienne Champetier
|
||||
# v1.0.1 - Run as non-root, add unzip, xz-utils
|
||||
# v1.0.2 - Add bzr
|
||||
# v1.0.3 - Verify usign signatures
|
||||
# v1.0.4 - Add support for Python3
|
||||
# v1.0.5 - Add 19.07 public keys, verify keys
|
||||
# v1.0.6 - Add 21.02 public keys, update Debian image to version 10, add rsync
|
||||
# v1.0.7 - Add 22.03 public keys, 18.06 v2 gpg key, 18.06 usign key
|
||||
|
||||
RUN apt update && apt install -y \
|
||||
build-essential \
|
||||
bzr \
|
||||
curl \
|
||||
jq \
|
||||
gawk \
|
||||
gettext \
|
||||
git \
|
||||
libncurses5-dev \
|
||||
libssl-dev \
|
||||
python \
|
||||
python3 \
|
||||
signify-openbsd \
|
||||
subversion \
|
||||
rsync \
|
||||
time \
|
||||
unzip \
|
||||
wget \
|
||||
xz-utils \
|
||||
zlib1g-dev \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
RUN useradd -c "OpenWrt Builder" -m -d /home/build -s /bin/bash build
|
||||
USER build
|
||||
ENV HOME /home/build
|
||||
|
||||
# OpenWrt Build System (PGP key for unattended snapshot builds)
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/626471F1.asc' | gpg --import \
|
||||
&& gpg --fingerprint --with-colons '<pgpsign-snapshots@openwrt.org>' | grep '^fpr:::::::::54CC74307A2C6DC9CE618269CD84BCED626471F1:$' \
|
||||
&& echo '54CC74307A2C6DC9CE618269CD84BCED626471F1:6:' | gpg --import-ownertrust
|
||||
|
||||
# OpenWrt Build System (PGP key for 17.01 "Reboot" release builds)
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/D52BBB6B.asc' | gpg --import \
|
||||
&& gpg --fingerprint --with-colons '<pgpsign-17.01@openwrt.org>' | grep '^fpr:::::::::B09BE781AE8A0CD4702FDCD3833C6010D52BBB6B:$' \
|
||||
&& echo 'B09BE781AE8A0CD4702FDCD3833C6010D52BBB6B:6:' | gpg --import-ownertrust
|
||||
|
||||
# OpenWrt Release Builder (18.06 Signing Key)
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/17E1CE16.asc' | gpg --import \
|
||||
&& gpg --fingerprint --with-colons '<openwrt-devel@lists.openwrt.org>' | grep '^fpr:::::::::6768C55E79B032D77A28DA5F0F20257417E1CE16:$' \
|
||||
&& echo '6768C55E79B032D77A28DA5F0F20257417E1CE16:6:' | gpg --import-ownertrust
|
||||
|
||||
# OpenWrt Build System (PGP key for 18.06 release builds)
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/15807931.asc' | gpg --import \
|
||||
&& gpg --fingerprint --with-colons '<pgpsign-18.06@openwrt.org>' | grep '^fpr:::::::::AD0507363D2BCE9C9E36CEC4FBCB78F015807931:$' \
|
||||
&& echo 'AD0507363D2BCE9C9E36CEC4FBCB78F015807931:6:' | gpg --import-ownertrust
|
||||
|
||||
# OpenWrt Build System (PGP key for 19.07 release builds)
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/2074BE7A.asc' | gpg --import \
|
||||
&& gpg --fingerprint --with-colons '<pgpsign-19.07@openwrt.org>' | grep '^fpr:::::::::D9C6901F45C9B86858687DFF28A39BC32074BE7A:$' \
|
||||
&& echo 'D9C6901F45C9B86858687DFF28A39BC32074BE7A:6:' | gpg --import-ownertrust
|
||||
|
||||
# OpenWrt Build System (PGP key for 21.02 release builds)
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/88CA59E8.asc' | gpg --import \
|
||||
&& gpg --fingerprint --with-colons '<pgpsign-21.02@openwrt.org>' | grep '^fpr:::::::::667205E379BAF348863A5C6688CA59E88F681580:$' \
|
||||
&& echo '667205E379BAF348863A5C6688CA59E88F681580:6:' | gpg --import-ownertrust
|
||||
|
||||
# OpenWrt Build System (GnuPGP key for 22.03 release builds)
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/CD54E82DADB3684D.asc' | gpg --import \
|
||||
&& gpg --fingerprint --with-colons '<pgpsign-22.03@openwrt.org>' | grep '^fpr:::::::::BF856781A01293C8409ABE72CD54E82DADB3684D:$' \
|
||||
&& echo 'BF856781A01293C8409ABE72CD54E82DADB3684D:6:' | gpg --import-ownertrust
|
||||
|
||||
# untrusted comment: Public usign key for unattended snapshot builds
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/b5043e70f9a75cde' --create-dirs -o /home/build/usign/b5043e70f9a75cde \
|
||||
&& echo 'd7ac10f9ed1b38033855f3d27c9327d558444fca804c685b17d9dcfb0648228f */home/build/usign/b5043e70f9a75cde' | sha256sum --check
|
||||
|
||||
# untrusted comment: Public usign key for 18.06 release builds
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/1035ac73cc4e59e3' --create-dirs -o /home/build/usign/1035ac73cc4e59e3 \
|
||||
&& echo '8dc2e7f5c4e634437e6641f4df77a18bf59f0c8e9016c8ba4be5d4a0111e68c2 */home/build/usign/1035ac73cc4e59e3' | sha256sum --check
|
||||
|
||||
# untrusted comment: Public usign key for 19.07 release builds
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/f94b9dd6febac963' --create-dirs -o /home/build/usign/f94b9dd6febac963 \
|
||||
&& echo 'b1d09457cfbc36fccfe18382d65c54a2ade3e7fd3902da490a53aa517b512755 */home/build/usign/f94b9dd6febac963' | sha256sum --check
|
||||
|
||||
# untrusted comment: Public usign key for 21.02 release builds
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/2f8b0b98e08306bf' --create-dirs -o /home/build/usign/2f8b0b98e08306bf \
|
||||
&& echo 'd102bdd75421c62490b97f520f9db06aadb44ad408b244755d26e96ea5cd3b7f */home/build/usign/2f8b0b98e08306bf' | sha256sum --check
|
||||
|
||||
# untrusted comment: Public usign key for 22.03 release builds
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/4d017e6f1ed5d616' --create-dirs -o /home/build/usign/4d017e6f1ed5d616 \
|
||||
&& echo 'f3c5fdf447d7c2743442e68077d60acc7c3e91754849e1f4b6be837b4204b7e2 */home/build/usign/4d017e6f1ed5d616' | sha256sum --check
|
|
@ -1,6 +0,0 @@
|
|||
# Build/update the docker image
|
||||
|
||||
docker pull debian:10
|
||||
docker build --rm -t docker.io/openwrtorg/packages-cci:latest .
|
||||
docker tag <IMAGE ID> docker.io/openwrtorg/packages-cci:<VERSION-TAG>
|
||||
docker push docker.io/openwrtorg/packages-cci
|
|
@ -1,182 +0,0 @@
|
|||
version: 2.0
|
||||
jobs:
|
||||
build:
|
||||
docker:
|
||||
- image: docker.io/openwrtorg/packages-cci:v1.0.7
|
||||
environment:
|
||||
- SDK_HOST: "downloads.openwrt.org"
|
||||
- SDK_PATH: "snapshots/targets/ath79/generic"
|
||||
- SDK_FILE: "openwrt-sdk-ath79-generic_*.Linux-x86_64.tar.xz"
|
||||
- BRANCH: "master"
|
||||
steps:
|
||||
- checkout:
|
||||
path: ~/openwrt_packages
|
||||
|
||||
- run:
|
||||
name: Check changes / verify commits
|
||||
working_directory: ~/openwrt_packages
|
||||
command: |
|
||||
cat >> $BASH_ENV <<EOF
|
||||
echo_red() { printf "\033[1;31m\$*\033[m\n"; }
|
||||
echo_green() { printf "\033[1;32m\$*\033[m\n"; }
|
||||
echo_blue() { printf "\033[1;34m\$*\033[m\n"; }
|
||||
EOF
|
||||
source $BASH_ENV
|
||||
|
||||
RET=0
|
||||
for commit in $(git rev-list HEAD ^origin/$BRANCH); do
|
||||
echo_blue "=== Checking commit '$commit'"
|
||||
if git show --format='%P' -s $commit | grep -qF ' '; then
|
||||
echo_red "Pull request should not include merge commits"
|
||||
RET=1
|
||||
fi
|
||||
|
||||
author="$(git show -s --format=%aN $commit)"
|
||||
if echo $author | grep -q '\S\+\s\+\S\+'; then
|
||||
echo_green "Author name ($author) seems ok"
|
||||
else
|
||||
echo_red "Author name ($author) need to be your real name 'firstname lastname'"
|
||||
RET=1
|
||||
fi
|
||||
|
||||
subject="$(git show -s --format=%s $commit)"
|
||||
if echo "$subject" | grep -q -e '^[0-9A-Za-z,+/_-]\+: ' -e '^Revert '; then
|
||||
echo_green "Commit subject line seems ok ($subject)"
|
||||
else
|
||||
echo_red "Commit subject line MUST start with '<package name>: ' ($subject)"
|
||||
RET=1
|
||||
fi
|
||||
|
||||
body="$(git show -s --format=%b $commit)"
|
||||
sob="$(git show -s --format='Signed-off-by: %aN <%aE>' $commit)"
|
||||
if echo "$body" | grep -qF "$sob"; then
|
||||
echo_green "Signed-off-by match author"
|
||||
else
|
||||
echo_red "Signed-off-by is missing or doesn't match author (should be '$sob')"
|
||||
RET=1
|
||||
fi
|
||||
done
|
||||
|
||||
exit $RET
|
||||
|
||||
- run:
|
||||
name: Download the SDK
|
||||
working_directory: ~/sdk
|
||||
command: |
|
||||
curl "https://$SDK_HOST/$SDK_PATH/sha256sums" -sS -o sha256sums
|
||||
curl "https://$SDK_HOST/$SDK_PATH/sha256sums.asc" -fs -o sha256sums.asc || true
|
||||
curl "https://$SDK_HOST/$SDK_PATH/sha256sums.sig" -fs -o sha256sums.sig || true
|
||||
if [ ! -f sha256sums.asc ] && [ ! -f sha256sums.sig ]; then
|
||||
echo_red "Missing sha256sums signature files"
|
||||
exit 1
|
||||
fi
|
||||
[ ! -f sha256sums.asc ] || gpg --with-fingerprint --verify sha256sums.asc sha256sums
|
||||
if [ -f sha256sums.sig ]; then
|
||||
VERIFIED=
|
||||
for KEY in ~/usign/*; do
|
||||
echo "Trying $KEY..."
|
||||
if signify-openbsd -V -q -p "$KEY" -x sha256sums.sig -m sha256sums; then
|
||||
echo "...verified"
|
||||
VERIFIED=1
|
||||
break
|
||||
fi
|
||||
done
|
||||
if [ -z "$VERIFIED" ]; then
|
||||
echo_red "Could not verify usign signature"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
rsync -av "$SDK_HOST::downloads/$SDK_PATH/$SDK_FILE" .
|
||||
sha256sum -c --ignore-missing sha256sums
|
||||
|
||||
- run:
|
||||
name: Prepare build_dir
|
||||
working_directory: ~/build_dir
|
||||
command: |
|
||||
tar Jxf ~/sdk/$SDK_FILE --strip=1
|
||||
touch .config
|
||||
make prepare-tmpinfo scripts/config/conf
|
||||
./scripts/config/conf --defconfig=.config Config.in
|
||||
make prereq
|
||||
rm .config
|
||||
cat > feeds.conf <<EOF
|
||||
src-git base https://github.com/openwrt/openwrt.git;$BRANCH
|
||||
src-link packages $HOME/openwrt_packages
|
||||
src-git luci https://github.com/openwrt/luci.git;$BRANCH
|
||||
EOF
|
||||
cat feeds.conf
|
||||
./scripts/feeds update -a > /dev/null
|
||||
make defconfig > /dev/null
|
||||
# enable BUILD_LOG
|
||||
sed -i 's/# CONFIG_BUILD_LOG is not set/CONFIG_BUILD_LOG=y/' .config
|
||||
|
||||
- run:
|
||||
name: Install & download source, check package, compile
|
||||
working_directory: ~/build_dir
|
||||
command: |
|
||||
set +o pipefail
|
||||
PKGS=$(cd ~/openwrt_packages; git diff --diff-filter=d --name-only "origin/$BRANCH..." | grep 'Makefile$' | grep -Ev '/files/|/src/' | awk -F/ '{ print $(NF-1) }')
|
||||
if [ -z "$PKGS" ] ; then
|
||||
echo_blue "WARNING: No new or modified packages found!"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo_blue "=== Found new/modified packages: $PKGS"
|
||||
for PKG in $PKGS ; do
|
||||
echo_blue "===+ Install: $PKG"
|
||||
./scripts/feeds install "$PKG"
|
||||
|
||||
echo_blue "===+ Download: $PKG"
|
||||
make "package/$PKG/download" V=s
|
||||
|
||||
echo_blue "===+ Check package: $PKG"
|
||||
make "package/$PKG/check" V=s 2>&1 | tee logtmp
|
||||
RET=${PIPESTATUS[0]}
|
||||
|
||||
if [ $RET -ne 0 ]; then
|
||||
echo_red "=> Package check failed: $RET)"
|
||||
exit $RET
|
||||
fi
|
||||
|
||||
badhash_msg="HASH does not match "
|
||||
badhash_msg+="|HASH uses deprecated hash,"
|
||||
badhash_msg+="|HASH is missing,"
|
||||
if grep -qE "$badhash_msg" logtmp; then
|
||||
echo_red "=> Package HASH check failed"
|
||||
exit 1
|
||||
fi
|
||||
echo_green "=> Package check OK"
|
||||
done
|
||||
|
||||
make \
|
||||
-f .config \
|
||||
-f tmp/.packagedeps \
|
||||
-f <(echo '$(info $(sort $(package-y) $(package-m)))'; echo -en 'a:\n\t@:') \
|
||||
| tr ' ' '\n' >enabled-package-subdirs.txt
|
||||
for PKG in $PKGS ; do
|
||||
if ! grep -m1 -qE "(^|/)$PKG$" enabled-package-subdirs.txt; then
|
||||
echo_red "===+ Building: $PKG skipped. It cannot be enabled with $SDK_FILE"
|
||||
continue
|
||||
fi
|
||||
echo_blue "===+ Building: $PKG"
|
||||
make "package/$PKG/compile" -j3 V=s || {
|
||||
RET=$?
|
||||
echo_red "===+ Building: $PKG failed, rebuilding with -j1 for human readable error log"
|
||||
make "package/$PKG/compile" -j1 V=s; exit $RET
|
||||
}
|
||||
done
|
||||
|
||||
- store_artifacts:
|
||||
path: ~/build_dir/logs
|
||||
|
||||
- store_artifacts:
|
||||
path: ~/build_dir/bin
|
||||
|
||||
workflows:
|
||||
version: 2
|
||||
buildpr:
|
||||
jobs:
|
||||
- build:
|
||||
filters:
|
||||
branches:
|
||||
ignore: master
|
|
@ -1,8 +1,8 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=syslog-ng
|
||||
PKG_VERSION:=4.6.0
|
||||
PKG_RELEASE:=2
|
||||
PKG_VERSION:=4.7.1
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_MAINTAINER:=Josef Schlehofer <pepe.schlehofer@gmail.com>
|
||||
PKG_LICENSE:=LGPL-2.1-or-later GPL-2.0-or-later
|
||||
|
@ -11,7 +11,7 @@ PKG_CPE_ID:=cpe:/a:balabit:syslog-ng
|
|||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://github.com/syslog-ng/syslog-ng/releases/download/$(PKG_NAME)-$(PKG_VERSION)/
|
||||
PKG_HASH:=b69e3360dfb96a754a4e1cbead4daef37128b1152a23572356db4ab64a475d4f
|
||||
PKG_HASH:=5477189a2d12325aa4faebfcf59f5bdd9084234732f0c3ec16dd253847dacf1c
|
||||
|
||||
PKG_BUILD_PARALLEL:=1
|
||||
PKG_INSTALL:=1
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Collect all local logs into a single file /var/log/messages.
|
||||
# See https://www.syslog-ng.com/technical-documents/list/syslog-ng-open-source-edition
|
||||
|
||||
@version: 4.6
|
||||
@version: 4.7
|
||||
@include "scl.conf"
|
||||
|
||||
options {
|
||||
|
|
|
@ -9,14 +9,13 @@ include $(TOPDIR)/rules.mk
|
|||
include $(INCLUDE_DIR)/kernel.mk
|
||||
|
||||
PKG_NAME:=mtd-rw
|
||||
PKG_RELEASE:=2
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_MIRROR_HASH:=c44db17c3e05079116a1704f277642c9ce6f5ca4fa380c60f7e6d44509dc16be
|
||||
PKG_SOURCE_URL:=https://github.com/jclehner/mtd-rw.git
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_SUBDIR=$(PKG_NAME)-$(PKG_VERSION)
|
||||
PKG_SOURCE_VERSION:=7e8562067d6a366c8cbaa8084396c33b7e12986b
|
||||
PKG_SOURCE_URL:=https://github.com/jclehner/mtd-rw
|
||||
PKG_SOURCE_DATE:=2021-02-28
|
||||
PKG_SOURCE_VERSION:=e87767395a6d27380196702f5f7bf98e92774f3f
|
||||
PKG_MIRROR_HASH:=984218d7a8e1252419c45ef313f23fb6e5edfa83088f68a4a356b795444ab381
|
||||
|
||||
PKG_MAINTAINER:=Joseph C. Lehner <joseph.c.lehner@gmail.com>
|
||||
PKG_LICENSE=GPL-2.0
|
||||
|
|
|
@ -1,24 +0,0 @@
|
|||
--- a/mtd-rw.c
|
||||
+++ b/mtd-rw.c
|
||||
@@ -54,7 +54,11 @@ MODULE_PARM_DESC(i_want_a_brick, "Make a
|
||||
|
||||
static int set_writeable(unsigned n, bool w)
|
||||
{
|
||||
+#ifndef CONFIG_MTD
|
||||
+ struct mtd_info *mtd = -ENOSYS;
|
||||
+#else
|
||||
struct mtd_info *mtd = get_mtd_device(NULL, n);
|
||||
+#endif
|
||||
int err;
|
||||
|
||||
if (IS_ERR(mtd)) {
|
||||
@@ -76,7 +80,9 @@ static int set_writeable(unsigned n, boo
|
||||
err = 0;
|
||||
}
|
||||
|
||||
+#ifdef CONFIG_MTD
|
||||
put_mtd_device(mtd);
|
||||
+#endif
|
||||
return err;
|
||||
}
|
||||
|
|
@ -1,12 +1,12 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=lua-eco
|
||||
PKG_VERSION:=3.3.0
|
||||
PKG_VERSION:=3.4.1
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL=https://github.com/zhaojh329/lua-eco/releases/download/v$(PKG_VERSION)
|
||||
PKG_HASH:=597c3edbb20c35f638b26b4fa7a02638c48f96f0330758a7ac1c44079b2170a3
|
||||
PKG_HASH:=6b28cf832d7427dd5106750814de65b2d9796669e6efacdfa14277c85fcb3b01
|
||||
|
||||
PKG_MAINTAINER:=Jianhui Zhao <zhaojh329@gmail.com>
|
||||
PKG_LICENSE:=MIT
|
||||
|
|
|
@ -11,9 +11,10 @@ PKG_NAME:=luaexpat
|
|||
PKG_VERSION:=1.5.1
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://github.com/lunarmodules/luaexpat/archive/refs/tags
|
||||
PKG_HASH:=7d455f154de59eb0b073c3620bc8b873f7f697b3f21a112e6ff8dc9fca6d0826
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_VERSION:=$(PKG_VERSION)
|
||||
PKG_SOURCE_URL:=https://github.com/lunarmodules/luaexpat
|
||||
PKG_MIRROR_HASH:=7e370d47e947a1acfeb4d00df012f47116fe7971f5b12033e92666e37a9312a1
|
||||
|
||||
PKG_CPE_ID:=cpe:/a:matthewwild:luaexpat
|
||||
|
||||
|
|
|
@ -11,9 +11,10 @@ PKG_NAME:=luasocket
|
|||
PKG_VERSION:=3.1.0
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=v$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://github.com/lunarmodules/luasocket/archive/refs/tags
|
||||
PKG_HASH:=bf033aeb9e62bcaa8d007df68c119c966418e8c9ef7e4f2d7e96bddeca9cca6e
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_VERSION:=v$(PKG_VERSION)
|
||||
PKG_SOURCE_URL:=https://github.com/lunarmodules/luasocket
|
||||
PKG_MIRROR_HASH:=1ee81f1f5a63d0d14c8c8571e8940604cbf1443c3b18ee7d3d1bac6791f853fc
|
||||
|
||||
PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org>
|
||||
PKG_LICENSE:=MIT
|
||||
|
|
|
@ -8,12 +8,12 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=node
|
||||
PKG_VERSION:=v20.12.1
|
||||
PKG_VERSION:=v20.12.2
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://nodejs.org/dist/$(PKG_VERSION)
|
||||
PKG_HASH:=b9bef0314e12773ef004368ee56a2db509a948d4170b9efb07441bac1f1407a0
|
||||
PKG_HASH:=bc57ee721a12cc8be55bb90b4a9a2f598aed5581d5199ec3bd171a4781bfecda
|
||||
|
||||
PKG_MAINTAINER:=Hirokazu MORIKAWA <morikw2@gmail.com>, Adrian Panella <ianchi74@outlook.com>
|
||||
PKG_LICENSE:=MIT
|
||||
|
|
|
@ -11,7 +11,7 @@ include perlver.mk
|
|||
|
||||
PKG_NAME:=perl
|
||||
PKG_VERSION:=$(PERL_VERSION)
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE_URL:=https://www.cpan.org/src/5.0
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
|
||||
|
|
|
@ -0,0 +1,114 @@
|
|||
From 002d6666a3ed5bc9c360c1f91116ebbf0c5ef57c Mon Sep 17 00:00:00 2001
|
||||
From: Georgi Valkov <gvalkov@gmail.com>
|
||||
Date: Sat, 20 Apr 2024 16:18:37 +0300
|
||||
Subject: [PATCH] revert 88efce38149481334db7ddb932f9b74eaaa9765b
|
||||
|
||||
Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
|
||||
---
|
||||
Makefile.SH | 35 ++---------------------------------
|
||||
installperl | 25 -------------------------
|
||||
2 files changed, 2 insertions(+), 58 deletions(-)
|
||||
|
||||
--- a/Makefile.SH
|
||||
+++ b/Makefile.SH
|
||||
@@ -61,16 +61,8 @@ true)
|
||||
-compatibility_version \
|
||||
${api_revision}.${api_version}.${api_subversion} \
|
||||
-current_version \
|
||||
- ${revision}.${patchlevel}.${subversion}"
|
||||
- case "$osvers" in
|
||||
- 1[5-9]*|[2-9]*)
|
||||
- shrpldflags="$shrpldflags -install_name `pwd`/\$@ -Xlinker -headerpad_max_install_names"
|
||||
- exeldflags="-Xlinker -headerpad_max_install_names"
|
||||
- ;;
|
||||
- *)
|
||||
- shrpldflags="$shrpldflags -install_name \$(shrpdir)/\$@"
|
||||
- ;;
|
||||
- esac
|
||||
+ ${revision}.${patchlevel}.${subversion} \
|
||||
+ -install_name \$(shrpdir)/\$@"
|
||||
;;
|
||||
cygwin*)
|
||||
shrpldflags="$shrpldflags -Wl,--out-implib=libperl.dll.a"
|
||||
@@ -353,14 +345,6 @@ MANIFEST_SRT = MANIFEST.srt
|
||||
|
||||
!GROK!THIS!
|
||||
|
||||
-case "$useshrplib$osname" in
|
||||
-truedarwin)
|
||||
- $spitshell >>$Makefile <<!GROK!THIS!
|
||||
-PERL_EXE_LDFLAGS=$exeldflags
|
||||
-!GROK!THIS!
|
||||
- ;;
|
||||
-esac
|
||||
-
|
||||
$spitshell >>$Makefile <<!GROK!THIS!
|
||||
# Macros to invoke a copy of our fully operational perl during the build.
|
||||
PERL_EXE = perl\$(EXE_EXT)
|
||||
@@ -1040,20 +1024,6 @@ $(PERL_EXE): $& $(perlmain_dep) $(LIBPER
|
||||
$(SHRPENV) $(CC) -o perl $(CLDFLAGS) $(CCDLFLAGS) $(perlmain_objs) $(LLIBPERL) $(static_ext) `cat ext.libs` $(libs)
|
||||
!NO!SUBS!
|
||||
;;
|
||||
-
|
||||
- darwin)
|
||||
- case "$useshrplib$osvers" in
|
||||
- true1[5-9]*|true[2-9]*) $spitshell >>$Makefile <<'!NO!SUBS!'
|
||||
- $(SHRPENV) $(CC) -o perl $(PERL_EXE_LDFLAGS) $(CLDFLAGS) $(CCDLFLAGS) $(perlmain_objs) $(static_ext) $(LLIBPERL) `cat ext.libs` $(libs)
|
||||
-!NO!SUBS!
|
||||
- ;;
|
||||
- *) $spitshell >>$Makefile <<'!NO!SUBS!'
|
||||
- $(SHRPENV) $(CC) -o perl $(CLDFLAGS) $(CCDLFLAGS) $(perlmain_objs) $(static_ext) $(LLIBPERL) `cat ext.libs` $(libs)
|
||||
-!NO!SUBS!
|
||||
- ;;
|
||||
- esac
|
||||
- ;;
|
||||
-
|
||||
*) $spitshell >>$Makefile <<'!NO!SUBS!'
|
||||
$(SHRPENV) $(CC) -o perl $(CLDFLAGS) $(CCDLFLAGS) $(perlmain_objs) $(static_ext) $(LLIBPERL) `cat ext.libs` $(libs)
|
||||
!NO!SUBS!
|
||||
--- a/installperl
|
||||
+++ b/installperl
|
||||
@@ -282,7 +282,6 @@ else {
|
||||
safe_unlink("$installbin/$perl_verbase$ver$exe_ext");
|
||||
copy("perl$exe_ext", "$installbin/$perl_verbase$ver$exe_ext");
|
||||
strip("$installbin/$perl_verbase$ver$exe_ext");
|
||||
- fix_dep_names("$installbin/$perl_verbase$ver$exe_ext");
|
||||
chmod(0755, "$installbin/$perl_verbase$ver$exe_ext");
|
||||
`chtag -r "$installbin/$perl_verbase$ver$exe_ext"` if ($^O eq 'os390');
|
||||
}
|
||||
@@ -350,7 +349,6 @@ foreach my $file (@corefiles) {
|
||||
if (copy_if_diff($file,"$installarchlib/CORE/$file")) {
|
||||
if ($file =~ /\.(\Q$so\E|\Q$dlext\E)$/) {
|
||||
strip("-S", "$installarchlib/CORE/$file") if $^O eq 'darwin';
|
||||
- fix_dep_names("$installarchlib/CORE/$file");
|
||||
chmod($SO_MODE, "$installarchlib/CORE/$file");
|
||||
} else {
|
||||
chmod($NON_SO_MODE, "$installarchlib/CORE/$file");
|
||||
@@ -749,27 +747,4 @@ sub strip
|
||||
}
|
||||
}
|
||||
|
||||
-sub fix_dep_names {
|
||||
- my $file = shift;
|
||||
-
|
||||
- $^O eq "darwin" && $Config{osvers} =~ /^(1[5-9]|[2-9])/
|
||||
- && $Config{useshrplib}
|
||||
- or return;
|
||||
-
|
||||
- my @opts;
|
||||
- my $so = $Config{so};
|
||||
- my $libperl = "$Config{archlibexp}/CORE/libperl.$Config{so}";
|
||||
- if ($file =~ /\blibperl.\Q$Config{so}\E$/a) {
|
||||
- push @opts, -id => $libperl;
|
||||
- }
|
||||
- else {
|
||||
- push @opts, -change => getcwd . "/libperl.$so", $libperl;
|
||||
- }
|
||||
- push @opts, $file;
|
||||
-
|
||||
- $opts{verbose} and print " install_name_tool @opts\n";
|
||||
- system "install_name_tool", @opts
|
||||
- and die "Cannot update $file dependency paths\n";
|
||||
-}
|
||||
-
|
||||
# ex: set ts=8 sts=4 sw=4 et:
|
|
@ -6,7 +6,7 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=php
|
||||
PKG_VERSION:=8.3.4
|
||||
PKG_VERSION:=8.3.6
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_MAINTAINER:=Michael Heimpold <mhei@heimpold.de>
|
||||
|
@ -16,7 +16,7 @@ PKG_CPE_ID:=cpe:/a:php:php
|
|||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
|
||||
PKG_SOURCE_URL:=https://www.php.net/distributions/
|
||||
PKG_HASH:=39a337036a546e5c28aea76cf424ac172db5156bd8a8fd85252e389409a5ba63
|
||||
PKG_HASH:=53c8386b2123af97626d3438b3e4058e0c5914cb74b048a6676c57ac647f5eae
|
||||
|
||||
PKG_BUILD_PARALLEL:=1
|
||||
PKG_BUILD_FLAGS:=no-mips16
|
||||
|
|
|
@ -8,11 +8,11 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=django-restframework
|
||||
PKG_VERSION:=3.14.0
|
||||
PKG_VERSION:=3.15.1
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PYPI_NAME:=djangorestframework
|
||||
PKG_HASH:=579a333e6256b09489cbe0a067e66abe55c6595d8926be6b99423786334350c8
|
||||
PKG_HASH:=f88fad74183dfc7144b2756d0d2ac716ea5b4c7c9840995ac3bfd8ec034333c1
|
||||
|
||||
PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>
|
||||
PKG_LICENSE:=BSD-3-Clause
|
||||
|
|
|
@ -8,11 +8,11 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=django
|
||||
PKG_VERSION:=5.0.3
|
||||
PKG_VERSION:=5.0.4
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PYPI_NAME:=Django
|
||||
PKG_HASH:=5fb37580dcf4a262f9258c1f4373819aacca906431f505e4688e37f3a99195df
|
||||
PKG_HASH:=4bd01a8c830bb77a8a3b0e7d8b25b887e536ad17a81ba2dce5476135c73312bd
|
||||
|
||||
PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>, Peter Stadler <peter.stadler@student.uibk.ac.at>
|
||||
PKG_LICENSE:=BSD-3-Clause
|
||||
|
|
|
@ -8,11 +8,11 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=python-cython
|
||||
PKG_VERSION:=3.0.7
|
||||
PKG_VERSION:=3.0.10
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PYPI_NAME:=Cython
|
||||
PKG_HASH:=fb299acf3a578573c190c858d49e0cf9d75f4bc49c3f24c5a63804997ef09213
|
||||
PKG_HASH:=dcc96739331fb854dcf503f94607576cfe8488066c61ca50dfd55836f132de99
|
||||
|
||||
PKG_LICENSE:=Apache-2.0
|
||||
PKG_LICENSE_FILES:=LICENSE.txt
|
||||
|
|
|
@ -15,10 +15,13 @@ PKG_MAINTAINER:=Michal Vasilek <michal.vasilek@nic.cz>
|
|||
PKG_LICENSE:=BSD-3-Clause
|
||||
PKG_LICENSE_FILES:=LICENSE.rst
|
||||
PKG_CPE_ID:=cpe:/a:pocoo:jinja2
|
||||
HOST_BUILD_DEPENDS:= python-markupsafe/host
|
||||
|
||||
include ../pypi.mk
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
include $(INCLUDE_DIR)/host-build.mk
|
||||
include ../python3-package.mk
|
||||
include ../python3-host-build.mk
|
||||
|
||||
define Package/python3-jinja2
|
||||
SECTION:=lang
|
||||
|
@ -43,3 +46,4 @@ endef
|
|||
$(eval $(call Py3Package,python3-jinja2))
|
||||
$(eval $(call BuildPackage,python3-jinja2))
|
||||
$(eval $(call BuildPackage,python3-jinja2-src))
|
||||
$(eval $(call HostBuild))
|
||||
|
|
|
@ -8,17 +8,19 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=python-lxml
|
||||
PKG_VERSION:=5.1.0
|
||||
PKG_VERSION:=5.2.1
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PYPI_NAME:=lxml
|
||||
PKG_HASH:=3eea6ed6e6c918e468e693c41ef07f3c3acc310b70ddd9cc72d9ef84bc9564ca
|
||||
PKG_HASH:=3f7765e69bbce0906a7c74d5fe46d2c7a7596147318dbc08e4a2431f3060e306
|
||||
|
||||
PKG_LICENSE:=BSD-3-Clause
|
||||
PKG_LICENSE_FILES:=LICENSES.txt
|
||||
PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>
|
||||
PKG_CPE_ID:=cpe:/a:lxml:lxml
|
||||
|
||||
PKG_BUILD_DEPENDS:=python-cython/host
|
||||
|
||||
include ../pypi.mk
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
include ../python3-package.mk
|
||||
|
|
|
@ -20,10 +20,13 @@ PKG_LICENSE_FILES:=LICENSE
|
|||
PKG_CPE_ID:=cpe:/a:pyyaml:pyyaml
|
||||
|
||||
PKG_BUILD_DEPENDS:=python-cython/host
|
||||
HOST_BUILD_DEPENDS:=python-cython/host
|
||||
|
||||
include ../pypi.mk
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
include $(INCLUDE_DIR)/host-build.mk
|
||||
include ../python3-package.mk
|
||||
include ../python3-host-build.mk
|
||||
|
||||
define Package/python3-yaml
|
||||
SECTION:=lang
|
||||
|
@ -43,3 +46,4 @@ PYTHON3_PKG_BUILD_VARS:=PYYAML_FORCE_LIBYAML=1
|
|||
$(eval $(call Py3Package,python3-yaml))
|
||||
$(eval $(call BuildPackage,python3-yaml))
|
||||
$(eval $(call BuildPackage,python3-yaml-src))
|
||||
$(eval $(call HostBuild))
|
||||
|
|
|
@ -3,21 +3,20 @@ include $(INCLUDE_DIR)/openssl-module.mk
|
|||
|
||||
PKG_NAME:=gost_engine
|
||||
PKG_VERSION:=3.0.3
|
||||
PKG_HASH:=8cf888333d08b8bbcc12e4e8c0d8b258c74dbd67941286ffbcc648c6d3d66735
|
||||
PKG_LICENSE:=Apache-2.0
|
||||
PKG_RELEASE:=9
|
||||
PKG_RELEASE:=10
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://github.com/gost-engine/engine/archive/v$(PKG_VERSION)
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_VERSION:=v$(PKG_VERSION)
|
||||
PKG_SOURCE_URL:=https://github.com/gost-engine/engine
|
||||
PKG_MIRROR_HASH:=ad88b0bc4ede265bc91757f0bb9777a381f8e271faa43992a054ddd5f435ad88
|
||||
|
||||
PKG_MAINTAINER:=Artur Petrov <github@phpchain.ru>
|
||||
PKG_LICENSE:=Apache-2.0
|
||||
PKG_LICENSE_FILES:=LICENSE
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
include $(INCLUDE_DIR)/cmake.mk
|
||||
|
||||
PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)"
|
||||
PKG_INSTALL:=
|
||||
|
||||
define Package/gost_engine/Default
|
||||
$(call Package/openssl/engine/Default)
|
||||
TITLE:=GOST engine for OpenSSL
|
||||
|
@ -49,7 +48,7 @@ define Package/gost_engine-util
|
|||
$(call Package/gost_engine/Default)
|
||||
SECTION:=utils
|
||||
CATEGORY:=Utilities
|
||||
DEPENDS:=libopenssl-gost_engine
|
||||
DEPENDS:=+libopenssl-gost_engine
|
||||
TITLE+= (utilities)
|
||||
endef
|
||||
|
||||
|
@ -61,15 +60,17 @@ endef
|
|||
CMAKE_OPTIONS += -DOPENSSL_ENGINES_DIR=/usr/lib/$(ENGINES_DIR)
|
||||
|
||||
define Package/libopenssl-gost_engine/install
|
||||
$(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) $(1)/etc/ssl/engines.cnf.d
|
||||
$(INSTALL_DATA) $(PKG_BUILD_DIR)/bin/gost.so \
|
||||
$(INSTALL_DIR) $(1)/usr/lib $(1)/usr/lib/$(ENGINES_DIR) $(1)/etc/ssl/engines.cnf.d
|
||||
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libgost.so \
|
||||
$(1)/usr/lib/
|
||||
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/gost.so \
|
||||
$(1)/usr/lib/$(ENGINES_DIR)/
|
||||
$(INSTALL_DATA) ./files/gost.cnf $(1)/etc/ssl/engines.cnf.d/
|
||||
endef
|
||||
|
||||
define Package/gost_engine-util/install
|
||||
$(INSTALL_DIR) $(1)/usr/bin
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/bin/{gost12sum,gostsum} \
|
||||
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/{gost12sum,gostsum} \
|
||||
$(1)/usr/bin/
|
||||
endef
|
||||
|
||||
|
|
|
@ -26,7 +26,7 @@ define Package/gperftools-headers
|
|||
SECTION:=libs
|
||||
TITLE:=Gperftools Headers
|
||||
URL:=https://github.com/gperftools/gperftools
|
||||
DEPENDS:= @!mips @!mipsel @!powerpc
|
||||
DEPENDS:= @!(mips||mips64||mipsel||powerpc)
|
||||
endef
|
||||
|
||||
define Package/gperftools-runtime
|
||||
|
@ -34,7 +34,7 @@ define Package/gperftools-runtime
|
|||
CATEGORY:=Libraries
|
||||
TITLE:=Gperftools Runtime
|
||||
URL:=https://github.com/gperftools/gperftools
|
||||
DEPENDS:= +libunwind +libstdcpp @!mips @!mipsel @!powerpc
|
||||
DEPENDS:= +libunwind +libstdcpp @!(mips||mips64||mipsel||powerpc)
|
||||
endef
|
||||
|
||||
define Package/gperftools-headers/description
|
||||
|
|
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=ibrcommon
|
||||
PKG_VERSION:=1.0.1
|
||||
PKG_RELEASE:=9
|
||||
PKG_RELEASE:=10
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=http://www.ibr.cs.tu-bs.de/projects/ibr-dtn/releases
|
||||
|
|
|
@ -1,21 +1,33 @@
|
|||
--- a/ibrcommon/data/File.cpp
|
||||
+++ b/ibrcommon/data/File.cpp
|
||||
@@ -35,9 +35,7 @@
|
||||
@@ -35,10 +35,6 @@
|
||||
#include <cerrno>
|
||||
#include <fstream>
|
||||
|
||||
-#if !defined(HAVE_FEATURES_H) || defined(ANDROID)
|
||||
#include <libgen.h>
|
||||
-#include <libgen.h>
|
||||
-#endif
|
||||
|
||||
-
|
||||
#ifdef __WIN32__
|
||||
#include <io.h>
|
||||
@@ -226,7 +224,7 @@ namespace ibrcommon
|
||||
#define FILE_DELIMITER_CHAR '\\'
|
||||
@@ -225,14 +221,11 @@ namespace ibrcommon
|
||||
|
||||
std::string File::getBasename() const
|
||||
{
|
||||
#if !defined(ANDROID) && defined(HAVE_FEATURES_H)
|
||||
-#if !defined(ANDROID) && defined(HAVE_FEATURES_H)
|
||||
- return std::string(basename(_path.c_str()));
|
||||
+ return std::string(basename((char *)_path.c_str()));
|
||||
#else
|
||||
char path[_path.length()+1];
|
||||
::memcpy(&path, _path.c_str(), _path.length()+1);
|
||||
-#else
|
||||
- char path[_path.length()+1];
|
||||
- ::memcpy(&path, _path.c_str(), _path.length()+1);
|
||||
-
|
||||
- return std::string(basename(path));
|
||||
-#endif
|
||||
+ size_t found = _path.find_last_of('/');
|
||||
+ if (found != std::string::npos)
|
||||
+ return _path.substr(found + 1);
|
||||
+ else
|
||||
+ return _path;
|
||||
}
|
||||
|
||||
File File::get(const std::string &filename) const
|
||||
|
|
|
@ -8,11 +8,12 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=libmbim
|
||||
PKG_SOURCE_VERSION:=1.30.0
|
||||
PKG_RELEASE:=1
|
||||
PKG_VERSION:=1.30.0
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/libmbim.git
|
||||
PKG_SOURCE_VERSION:=$(PKG_VERSION)
|
||||
PKG_MIRROR_HASH:=792c2310290ac3a2ee690e25eda7c79c1e982aa41b3bff2be7454f3505a09827
|
||||
|
||||
PKG_BUILD_FLAGS:=gc-sections
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
From 47c3850cddd63cebd9dc48e411963314449118f1 Mon Sep 17 00:00:00 2001
|
||||
From: Khem Raj <raj.khem@gmail.com>
|
||||
Date: Sun, 31 Dec 2023 19:16:35 -0800
|
||||
Subject: [PATCH] mraa: Use posix basename
|
||||
|
||||
Musl has removed the declaration from string.h [1] which exposes the
|
||||
problem especially with clang-17+ compiler where implicit function
|
||||
declaration is flagged as error. Use posix basename and make a copy of
|
||||
string to operate on to emulate GNU basename behaviour.
|
||||
|
||||
[1] https://git.musl-libc.org/cgit/musl/commit/?id=725e17ed6dff4d0cd22487bb64470881e86a92e7
|
||||
|
||||
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
||||
---
|
||||
src/mraa.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/src/mraa.c
|
||||
+++ b/src/mraa.c
|
||||
@@ -12,6 +12,7 @@
|
||||
#endif
|
||||
|
||||
#include <dlfcn.h>
|
||||
+#include <libgen.h>
|
||||
#include <pwd.h>
|
||||
#include <sched.h>
|
||||
#include <stddef.h>
|
||||
@@ -338,9 +339,11 @@ static int
|
||||
mraa_count_iio_devices(const char* path, const struct stat* sb, int flag, struct FTW* ftwb)
|
||||
{
|
||||
// we are only interested in files with specific names
|
||||
- if (fnmatch(IIO_DEVICE_WILDCARD, basename(path), 0) == 0) {
|
||||
+ char* tmp = strdup(path);
|
||||
+ if (fnmatch(IIO_DEVICE_WILDCARD, basename(tmp), 0) == 0) {
|
||||
num_iio_devices++;
|
||||
}
|
||||
+ free(tmp);
|
||||
return 0;
|
||||
}
|
||||
|
|
@ -8,11 +8,12 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=libqmi
|
||||
PKG_SOURCE_VERSION:=1.34.0
|
||||
PKG_RELEASE:=1
|
||||
PKG_VERSION:=1.34.0
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/libqmi.git
|
||||
PKG_SOURCE_VERSION:=$(PKG_VERSION)
|
||||
PKG_MIRROR_HASH:=05211a43de53b7bf967fe29ca62dbe8332f42748dbfc8d32880cda765d00020c
|
||||
|
||||
PKG_BUILD_FLAGS:=gc-sections
|
||||
|
|
|
@ -8,12 +8,12 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=libssh
|
||||
PKG_VERSION:=0.10.4
|
||||
PKG_RELEASE:=2
|
||||
PKG_VERSION:=0.10.6
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
|
||||
PKG_SOURCE_URL:=https://www.libssh.org/files/0.10/
|
||||
PKG_HASH:=07392c54ab61476288d1c1f0a7c557b50211797ad00c34c3af2bbc4dbc4bd97d
|
||||
PKG_HASH:=1861d498f5b6f1741b6abc73e608478491edcf9c9d4b6630eef6e74596de9dc1
|
||||
|
||||
PKG_MAINTAINER:=Mislav Novakovic <mislav.novakovic@sartura.hr>
|
||||
PKG_LICENSE:=LGPL-2.1-or-later BSD-2-Clause
|
||||
|
|
|
@ -0,0 +1,53 @@
|
|||
--- a/cmake/Modules/FindMbedTLS.cmake
|
||||
+++ b/cmake/Modules/FindMbedTLS.cmake
|
||||
@@ -34,7 +34,7 @@ set(_MBEDTLS_ROOT_HINTS_AND_PATHS
|
||||
|
||||
find_path(MBEDTLS_INCLUDE_DIR
|
||||
NAMES
|
||||
- mbedtls/config.h
|
||||
+ mbedtls/version.h
|
||||
HINTS
|
||||
${_MBEDTLS_ROOT_HINTS_AND_PATHS}
|
||||
PATH_SUFFIXES
|
||||
@@ -72,7 +72,13 @@ find_library(MBEDTLS_X509_LIBRARY
|
||||
set(MBEDTLS_LIBRARIES ${MBEDTLS_SSL_LIBRARY} ${MBEDTLS_CRYPTO_LIBRARY}
|
||||
${MBEDTLS_X509_LIBRARY})
|
||||
|
||||
-if (MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h")
|
||||
+if (MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h")
|
||||
+ file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h" _mbedtls_version_str REGEX
|
||||
+ "^#[\t ]*define[\t ]+MBEDTLS_VERSION_STRING[\t ]+\"[0-9]+.[0-9]+.[0-9]+\"")
|
||||
+
|
||||
+ string(REGEX REPLACE "^.*MBEDTLS_VERSION_STRING.*([0-9]+.[0-9]+.[0-9]+).*"
|
||||
+ "\\1" MBEDTLS_VERSION "${_mbedtls_version_str}")
|
||||
+elseif (MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h")
|
||||
file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h" _mbedtls_version_str REGEX
|
||||
"^#[\t ]*define[\t ]+MBEDTLS_VERSION_STRING[\t ]+\"[0-9]+.[0-9]+.[0-9]+\"")
|
||||
|
||||
@@ -93,7 +99,7 @@ if (MBEDTLS_VERSION)
|
||||
in the system variable MBEDTLS_ROOT_DIR"
|
||||
)
|
||||
else (MBEDTLS_VERSION)
|
||||
- find_package_handle_standard_args(MBedTLS
|
||||
+ find_package_handle_standard_args(MbedTLS
|
||||
"Could NOT find mbedTLS, try to set the path to mbedLS root folder in
|
||||
the system variable MBEDTLS_ROOT_DIR"
|
||||
MBEDTLS_INCLUDE_DIR
|
||||
--- a/src/libmbedcrypto.c
|
||||
+++ b/src/libmbedcrypto.c
|
||||
@@ -118,8 +118,14 @@ int hmac_update(HMACCTX c, const void *d
|
||||
|
||||
int hmac_final(HMACCTX c, unsigned char *hashmacbuf, size_t *len)
|
||||
{
|
||||
+ const mbedtls_md_info_t *md_info;
|
||||
int rc;
|
||||
- *len = (unsigned int)mbedtls_md_get_size(c->md_info);
|
||||
+#if MBEDTLS_VERSION_MAJOR >= 3
|
||||
+ md_info = mbedtls_md_info_from_ctx(c);
|
||||
+#else
|
||||
+ md_info = c->md_info;
|
||||
+#endif
|
||||
+ *len = (unsigned int)mbedtls_md_get_size(md_info);
|
||||
rc = !mbedtls_md_hmac_finish(c, hashmacbuf);
|
||||
mbedtls_md_free(c);
|
||||
SAFE_FREE(c);
|
|
@ -1,12 +1,12 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=libwebp
|
||||
PKG_VERSION:=1.3.2
|
||||
PKG_VERSION:=1.4.0
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://storage.googleapis.com/downloads.webmproject.org/releases/webp
|
||||
PKG_HASH:=2a499607df669e40258e53d0ade8035ba4ec0175244869d1025d460562aa09b4
|
||||
PKG_HASH:=61f873ec69e3be1b99535634340d5bde750b2e4447caa1db9f61be3fd49ab1e5
|
||||
|
||||
PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>
|
||||
PKG_LICENSE:=BSD-3-Clause
|
||||
|
|
|
@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=nghttp3
|
||||
PKG_VERSION:=1.2.0
|
||||
PKG_RELEASE:=r1
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
|
||||
PKG_SOURCE_URL:=https://github.com/ngtcp2/$(PKG_NAME)/releases/download/v$(PKG_VERSION)/
|
||||
|
|
|
@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=ngtcp2
|
||||
PKG_VERSION:=1.4.0
|
||||
PKG_RELEASE:=r1
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
|
||||
PKG_SOURCE_URL:=https://github.com/ngtcp2/$(PKG_NAME)/releases/download/v$(PKG_VERSION)/
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=imagemagick
|
||||
PKG_VERSION:=7.1.1.30
|
||||
PKG_VERSION:=7.1.1.31
|
||||
PKG_RELEASE:=1
|
||||
PKG_MAINTAINER:=Aleksey Vasilenko <aleksey.vasilenko@gmail.com>
|
||||
|
||||
|
@ -15,7 +15,7 @@ _PKGREV:=$(_PKGVER)-$(subst .,,$(suffix $(PKG_VERSION)))
|
|||
|
||||
PKG_SOURCE:=ImageMagick-$(_PKGREV).tar.xz
|
||||
PKG_SOURCE_URL:=https://imagemagick.org/archive
|
||||
PKG_HASH:=ec192780d09da7d7b1e7a374a19f97d69cceb4e5e83057515cd595eda233a891
|
||||
PKG_HASH:=7e5c8db53dd90a0cfc5cc7ca6d34728ed86054b4bc86e9787902285fec1107a8
|
||||
PKG_BUILD_DIR:=$(BUILD_DIR)/ImageMagick-$(_PKGREV)
|
||||
PKG_FIXUP:=autoreconf
|
||||
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
# Copyright 2023 MOSSDeF, Stan Grishin (stangri@melmac.ca)
|
||||
# TLD optimization written by Dirk Brenken (dev@brenken.org)
|
||||
# This is free software, licensed under the GNU General Public License v3.
|
||||
# Copyright 2023-2024 MOSSDeF, Stan Grishin (stangri@melmac.ca).
|
||||
# TLD optimization written by Dirk Brenken (dev@brenken.org).
|
||||
# This is free software, licensed under AGPL-3.0-or-later.
|
||||
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=adblock-fast
|
||||
PKG_VERSION:=1.1.1
|
||||
PKG_RELEASE:=r8
|
||||
PKG_RELEASE:=11
|
||||
PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
|
||||
PKG_LICENSE:=GPL-3.0-or-later
|
||||
PKG_LICENSE:=AGPL-3.0-or-later
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
|
||||
|
|
|
@ -52,7 +52,7 @@ readonly smartdnsNftsetFilter=';'
|
|||
readonly unboundFile="/var/lib/unbound/adb_list.${packageName}"
|
||||
readonly unboundCache="/var/run/${packageName}/unbound.cache"
|
||||
readonly unboundGzip="${packageName}.unbound.gz"
|
||||
readonly unboundFilter='s|^|local-zone: "|;s|$|" static|'
|
||||
readonly unboundFilter='s|^|local-zone: "|;s|$|." always_nxdomain|'
|
||||
readonly A_TMP="/var/${packageName}.a.tmp"
|
||||
readonly B_TMP="/var/${packageName}.b.tmp"
|
||||
readonly SED_TMP="/var/${packageName}.sed.tmp"
|
||||
|
@ -267,7 +267,7 @@ dns_set_output_values() {
|
|||
outputFilter="$unboundFilter"
|
||||
outputFile="$unboundFile"
|
||||
outputCache="$unboundCache"
|
||||
outputGzip="$unboundGzip"
|
||||
outputGzip="${compressed_cache_dir}/${unboundGzip}"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
@ -757,7 +757,7 @@ load_environment() {
|
|||
[ "$dns" = 'smartdns.domainset' ] || rm -f "$smartdnsDomainSetFile" "$smartdnsDomainSetCache" "${compressed_cache_dir}/${smartdnsDomainSetGzip}" "$smartdnsDomainSetConfig"
|
||||
[ "$dns" = 'smartdns.ipset' ] || rm -f "$smartdnsIpsetFile" "$smartdnsIpsetCache" "${compressed_cache_dir}/${smartdnsIpsetGzip}" "$smartdnsIpsetConfig"
|
||||
[ "$dns" = 'smartdns.nftset' ] || rm -f "$smartdnsNftsetFile" "$smartdnsNftsetCache" "${compressed_cache_dir}/${smartdnsNftsetGzip}" "$smartdnsNftsetConfig"
|
||||
[ "$dns" = 'unbound.adb_list' ] || rm -f "$unboundFile" "$unboundCache" "$unboundGzip"
|
||||
[ "$dns" = 'unbound.adb_list' ] || rm -f "$unboundFile" "$unboundCache" "${compressed_cache_dir}/${unboundGzip}"
|
||||
|
||||
for i in "$runningConfigFile" "$runningErrorFile" "$runningStatusFile" "$outputFile" "$outputCache" "$outputGzip" "$outputConfig"; do
|
||||
[ -n "$i" ] || continue
|
||||
|
@ -892,7 +892,7 @@ resolver() {
|
|||
rm -f "$smartdnsDomainSetFile" "$smartdnsDomainSetCache" "${compressed_cache_dir}/${smartdnsDomainSetGzip}" "$smartdnsDomainSetConfig"
|
||||
rm -f "$smartdnsIpsetFile" "$smartdnsIpsetCache" "${compressed_cache_dir}/${smartdnsIpsetGzip}" "$smartdnsIpsetConfig"
|
||||
rm -f "$smartdnsNftsetFile" "$smartdnsNftsetCache" "${compressed_cache_dir}/${smartdnsNftsetGzip}" "$smartdnsNftsetConfig"
|
||||
rm -f "$unboundFile" "$unboundCache" "$unboundGzip"
|
||||
rm -f "$unboundFile" "$unboundCache" "${compressed_cache_dir}/${unboundGzip}"
|
||||
if [ -s "/etc/config/dhcp" ]; then
|
||||
config_load 'dhcp'
|
||||
config_foreach _dnsmasq_instance_config 'dnsmasq' 'cleanup'
|
||||
|
@ -932,19 +932,19 @@ resolver() {
|
|||
case "$dns" in
|
||||
dnsmasq.*)
|
||||
chmod 660 "$outputFile"
|
||||
chown root:dnsmasq "$outputFile"
|
||||
chown root:dnsmasq "$outputFile" >/dev/null 2>/dev/null
|
||||
param='dnsmasq_restart'
|
||||
output_text='Restarting dnsmasq'
|
||||
;;
|
||||
smartdns.*)
|
||||
chmod 660 "$outputFile" "$outputConfig"
|
||||
chown root:root "$outputFile" "$outputConfig"
|
||||
chown root:root "$outputFile" "$outputConfig" >/dev/null 2>/dev/null
|
||||
param='smartdns_restart'
|
||||
output_text='Restarting SmartDNS'
|
||||
;;
|
||||
unbound.*)
|
||||
chmod 660 "$outputFile"
|
||||
chown root:unbound "$outputFile"
|
||||
chown root:unbound "$outputFile" >/dev/null 2>/dev/null
|
||||
param='unbound_restart'
|
||||
output_text='Restarting Unbound'
|
||||
;;
|
||||
|
@ -1036,7 +1036,7 @@ cache() {
|
|||
return $?
|
||||
;;
|
||||
test_gzip)
|
||||
[ -s "$outputGzip" ] && gzip -t -c "$outputGzip"
|
||||
[ -s "$outputGzip" ] && gzip -t -c "$outputGzip" >/dev/null 2>/dev/null
|
||||
return $?
|
||||
;;
|
||||
create_gzip)
|
||||
|
@ -1412,6 +1412,11 @@ $(sed '/^[[:space:]]*$/d' "$A_TMP")"
|
|||
output_failn
|
||||
json add error 'errorMovingDataFile'
|
||||
fi
|
||||
case "$dns" in
|
||||
unbound.adb_list)
|
||||
sed -i '1 i\server:' "$outputFile"
|
||||
;;
|
||||
esac
|
||||
if [ "$compressed_cache" -gt 0 ]; then
|
||||
output 2 'Creating compressed cache '
|
||||
json set message "$(get_text 'statusProcessing'): creating compressed cache"
|
||||
|
@ -1596,7 +1601,7 @@ adb_check() {
|
|||
smartdns.*)
|
||||
grep "$string" "$outputFile";;
|
||||
unbound.adb_list)
|
||||
grep "$string" "$outputFile" | sed 's|^local-zone: "||;s|" static$||;';;
|
||||
grep "$string" "$outputFile" | sed 's|^local-zone: "||;s|." always_nxdomain$||;';;
|
||||
esac
|
||||
fi
|
||||
else
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=banip
|
||||
PKG_VERSION:=0.9.4
|
||||
PKG_VERSION:=0.9.5
|
||||
PKG_RELEASE:=3
|
||||
PKG_LICENSE:=GPL-3.0-or-later
|
||||
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
|
||||
|
|
|
@ -15,14 +15,14 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
|||
| adguard | adguard IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| adguardtrackers | adguardtracker IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| antipopads | antipopads IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| asn | ASN segments | | | x | tcp: 80, 443 | [Link](https://asn.ipinfo.app) |
|
||||
| asn | ASN segments | x | x | x | | [Link](https://asn.ipinfo.app) |
|
||||
| backscatterer | backscatterer IPs | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
|
||||
| becyber | malicious attacker IPs | x | x | | | [Link](https://github.com/duggytuxy/malicious_ip_addresses) |
|
||||
| binarydefense | binary defense banlist | x | x | | | [Link](https://iplists.firehol.org/?ipset=bds_atif) |
|
||||
| bogon | bogon prefixes | x | x | | | [Link](https://team-cymru.com) |
|
||||
| bruteforceblock | bruteforceblocker IPs | x | x | | | [Link](https://danger.rulez.sk/index.php/bruteforceblocker/) |
|
||||
| country | country blocks | x | x | | | [Link](https://www.ipdeny.com/ipblocks) |
|
||||
| cinsscore | suspicious attacker IPs | x | x | | | [Link](https://cinsscore.com/#list) |
|
||||
| darklist | blocks suspicious attacker IPs | x | x | | | [Link](https://darklist.de) |
|
||||
| debl | fail2ban IP blacklist | x | x | | | [Link](https://www.blocklist.de) |
|
||||
| doh | public DoH-Provider | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
|
||||
| drop | spamhaus drop compilation | x | x | | | [Link](https://www.spamhaus.org) |
|
||||
|
@ -37,14 +37,15 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
|||
| greensnow | suspicious server IPs | x | x | | | [Link](https://greensnow.co) |
|
||||
| iblockads | Advertising IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
|
||||
| iblockspy | Malicious spyware IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
|
||||
| ipblackhole | blackhole IPs | x | x | | | [Link](https://ip.blackhole.monster) |
|
||||
| ipsum | malicious IPs | x | x | | | [Link](https://github.com/stamparm/ipsum) |
|
||||
| ipthreat | hacker and botnet TPs | x | x | | | [Link](https://ipthreat.net) |
|
||||
| myip | real-time IP blocklist | x | x | | | [Link](https://myip.ms) |
|
||||
| nixspam | iX spam protection | x | x | | | [Link](http://www.nixspam.org) |
|
||||
| oisdbig | OISD-big IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| oisdnsfw | OISD-nsfw IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| oisdsmall | OISD-small IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| proxy | open proxies | x | | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
|
||||
| pallebone | curated IP blocklist | x | x | | | [Link](https://github.com/pallebone/StrictBlockPAllebone) |
|
||||
| proxy | open proxies | x | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
|
||||
| ssbl | SSL botnet IPs | x | x | | | [Link](https://sslbl.abuse.ch) |
|
||||
| stevenblack | stevenblack IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| talos | talos IPs | x | x | | | [Link](https://talosintelligence.com/reputation_center) |
|
||||
|
@ -66,10 +67,12 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
|||
* Full IPv4 and IPv6 support
|
||||
* Supports nft atomic Set loading
|
||||
* Supports blocking by ASN numbers and by iso country codes
|
||||
* Block countries dynamically by Regional Internet Registry (RIR), e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE
|
||||
* Supports local allow- and blocklist with MAC/IPv4/IPv6 addresses or domain names
|
||||
* Supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments
|
||||
* All local input types support ranges in CIDR notation
|
||||
* Auto-add the uplink subnet or uplink IP to the local allowlist
|
||||
* Prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets (DDoS attacks) in an additional prerouting chain
|
||||
* Provides a small background log monitor to ban unsuccessful login attempts in real-time (like fail2ban, crowdsec etc.)
|
||||
* Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
|
||||
* Auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP
|
||||
|
@ -80,6 +83,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
|||
* Provides HTTP ETag support to download only ressources that have been updated on the server side, to speed up banIP reloads and to save bandwith
|
||||
* Supports an 'allowlist only' mode, this option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments
|
||||
* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
|
||||
* Optionally always allow certain protocols/destination ports in wan-input and wan-forward chains
|
||||
* Deduplicate IPs accross all Sets (single IPs only, no intervals)
|
||||
* Provides comprehensive runtime information
|
||||
* Provides a detailed Set report
|
||||
|
@ -110,7 +114,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
|||
* It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu
|
||||
* If you're using a complex network setup, e.g. special tunnel interfaces, than untick the 'Auto Detection' option under the 'General Settings' tab and set the required options manually
|
||||
* Start the service with '/etc/init.d/banip start' and check everything is working by running '/etc/init.d/banip status' and also check the 'Firewall Log' and 'Processing Log' tabs
|
||||
* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs (see the options reference below)
|
||||
* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs, see the options reference table below
|
||||
|
||||
## banIP CLI interface
|
||||
* All important banIP functions are accessible via CLI.
|
||||
|
@ -149,14 +153,19 @@ Available commands:
|
|||
| ban_logreadfile | option | /var/log/messages | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread |
|
||||
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
|
||||
| ban_debug | option | 0 | enable banIP related debug logging |
|
||||
| ban_loginput | option | 1 | log drops in the wan-input chain |
|
||||
| ban_logforwardwan | option | 1 | log drops in the wan-forward chain |
|
||||
| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain |
|
||||
| ban_icmplimit | option | 10 | treshold in number of packets to detect icmp DDoS in prerouting chain |
|
||||
| ban_synlimit | option | 10 | treshold in number of packets to detect syn DDoS in prerouting chain |
|
||||
| ban_udplimit | option | 100 | treshold in number of packets to detect udp DDoS in prerouting chain |
|
||||
| ban_logprerouting | option | 0 | log supsicious packets in the prerouting chain |
|
||||
| ban_loginput | option | 0 | log supsicious packets in the wan-input chain |
|
||||
| ban_logforwardwan | option | 0 | log supsicious packets in the wan-forward chain |
|
||||
| ban_logforwardlan | option | 0 | log supsicious packets in the lan-forward chain |
|
||||
| ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) |
|
||||
| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
|
||||
| ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP |
|
||||
| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
|
||||
| ban_allowlistonly | option | 0 | skip all blocklists and restrict the internet access only to specific, explicitly allowed IP segments |
|
||||
| ban_allowflag | option | - | always allow certain protocols(tcp or udp) plus destination ports or port ranges, e.g.: 'tcp 80 443-445' |
|
||||
| ban_allowurl | list | - | external allowlist feed URLs, one or more references to simple remote IP lists |
|
||||
| ban_basedir | option | /tmp | base working directory while banIP processing |
|
||||
| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |
|
||||
|
@ -174,11 +183,12 @@ Available commands:
|
|||
| ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) |
|
||||
| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
|
||||
| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug |
|
||||
| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) |
|
||||
| ban_nftpriority | option | -100 | nft priority for the banIP table (the prerouting table is fixed to priority -150) |
|
||||
| ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance |
|
||||
| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
|
||||
| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
|
||||
| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
|
||||
| ban_region | list | - | Regional Internet Registry (RIR) country selection. Supported regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE |
|
||||
| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
|
||||
| ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' |
|
||||
| ban_blocktype | option | drop | 'drop' packets silently on input and forwardwan chains or actively 'reject' the traffic |
|
||||
|
@ -206,39 +216,46 @@ Available commands:
|
|||
:::
|
||||
::: banIP Set Statistics
|
||||
:::
|
||||
Timestamp: 2024-03-02 07:38:28
|
||||
Timestamp: 2024-04-17 23:02:15
|
||||
------------------------------
|
||||
auto-added to allowlist today: 0
|
||||
auto-added to blocklist today: 0
|
||||
blocked syn-flood packets in prerouting : 5
|
||||
blocked udp-flood packets in prerouting : 11
|
||||
blocked icmp-flood packets in prerouting : 6
|
||||
blocked invalid ct packets in prerouting : 277
|
||||
blocked invalid tcp packets in prerouting: 0
|
||||
----------
|
||||
auto-added IPs to allowlist today: 0
|
||||
auto-added IPs to blocklist today: 0
|
||||
|
||||
Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets) | Port/Protocol Limit
|
||||
---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
|
||||
allowlistv4MAC | 0 | - | - | OK: 0 | -
|
||||
allowlistv6MAC | 0 | - | - | OK: 0 | -
|
||||
allowlistv4 | 1 | OK: 0 | OK: 0 | OK: 0 | -
|
||||
allowlistv6 | 2 | OK: 0 | OK: 0 | OK: 0 | -
|
||||
adguardtrackersv6 | 74 | - | - | OK: 0 | tcp: 80, 443
|
||||
adguardtrackersv4 | 883 | - | - | OK: 0 | tcp: 80, 443
|
||||
cinsscorev4 | 12053 | OK: 25 | OK: 0 | - | -
|
||||
countryv4 | 37026 | OK: 14 | OK: 0 | - | -
|
||||
deblv4 | 13592 | OK: 0 | OK: 0 | - | -
|
||||
countryv6 | 38139 | OK: 0 | OK: 0 | - | -
|
||||
deblv6 | 82 | OK: 0 | OK: 0 | - | -
|
||||
dohv6 | 837 | - | - | OK: 0 | tcp: 80, 443
|
||||
dohv4 | 1240 | - | - | OK: 0 | tcp: 80, 443
|
||||
dropv6 | 51 | OK: 0 | OK: 0 | - | -
|
||||
dropv4 | 592 | OK: 0 | OK: 0 | - | -
|
||||
firehol1v4 | 906 | OK: 1 | OK: 0 | - | -
|
||||
firehol2v4 | 2105 | OK: 0 | OK: 0 | OK: 0 | -
|
||||
threatv4 | 55 | OK: 0 | OK: 0 | - | -
|
||||
ipthreatv4 | 2042 | OK: 0 | OK: 0 | - | -
|
||||
turrisv4 | 6433 | OK: 0 | OK: 0 | - | -
|
||||
blocklistv4MAC | 0 | - | - | OK: 0 | -
|
||||
blocklistv6MAC | 0 | - | - | OK: 0 | -
|
||||
blocklistv4 | 0 | OK: 0 | OK: 0 | OK: 0 | -
|
||||
blocklistv6 | 0 | OK: 0 | OK: 0 | OK: 0 | -
|
||||
allowlistv4MAC | 0 | - | - | ON: 0 | -
|
||||
allowlistv6MAC | 0 | - | - | ON: 0 | -
|
||||
allowlistv4 | 1 | ON: 0 | ON: 0 | ON: 0 | -
|
||||
allowlistv6 | 2 | ON: 0 | ON: 0 | ON: 0 | -
|
||||
adguardtrackersv6 | 105 | - | - | ON: 0 | tcp: 80, 443
|
||||
adguardtrackersv4 | 816 | - | - | ON: 0 | tcp: 80, 443
|
||||
becyberv4 | 229006 | ON: 2254 | ON: 0 | - | -
|
||||
cinsscorev4 | 7135 | ON: 1630 | ON: 2 | - | -
|
||||
deblv4 | 10191 | ON: 23 | ON: 0 | - | -
|
||||
countryv6 | 38233 | ON: 7 | ON: 0 | - | -
|
||||
countryv4 | 37169 | ON: 2323 | ON: 0 | - | -
|
||||
deblv6 | 65 | ON: 0 | ON: 0 | - | -
|
||||
dropv6 | 66 | ON: 0 | ON: 0 | - | -
|
||||
dohv4 | 1219 | - | - | ON: 0 | tcp: 80, 443
|
||||
dropv4 | 895 | ON: 75 | ON: 0 | - | -
|
||||
dohv6 | 832 | - | - | ON: 0 | tcp: 80, 443
|
||||
threatv4 | 20 | ON: 0 | ON: 0 | - | -
|
||||
firehol1v4 | 753 | ON: 1 | ON: 0 | - | -
|
||||
ipthreatv4 | 1369 | ON: 20 | ON: 0 | - | -
|
||||
firehol2v4 | 2216 | ON: 1 | ON: 0 | - | -
|
||||
turrisv4 | 5613 | ON: 179 | ON: 0 | - | -
|
||||
blocklistv4MAC | 0 | - | - | ON: 0 | -
|
||||
blocklistv6MAC | 0 | - | - | ON: 0 | -
|
||||
blocklistv4 | 0 | ON: 0 | ON: 0 | ON: 0 | -
|
||||
blocklistv6 | 0 | ON: 0 | ON: 0 | ON: 0 | -
|
||||
---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
|
||||
24 | 116113 | 16 (40) | 16 (0) | 13 (0)
|
||||
25 | 335706 | 17 (6513) | 17 (2) | 12 (0)
|
||||
```
|
||||
|
||||
**banIP runtime information**
|
||||
|
@ -246,16 +263,16 @@ Available commands:
|
|||
~# /etc/init.d/banip status
|
||||
::: banIP runtime information
|
||||
+ status : active (nft: ✔, monitor: ✔)
|
||||
+ version : 0.9.4-1
|
||||
+ element_count : 116113
|
||||
+ active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, adguardtrackersv6, adguardtrackersv4, cinsscorev4, countryv4, deblv4, countryv6, deblv6, dohv6, dohv4, dropv6, dropv4, firehol1v4, firehol2v4, threatv4, ipthreatv4, turrisv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
|
||||
+ version : 0.9.5-r1
|
||||
+ element_count : 335706
|
||||
+ active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, adguardtrackersv6, adguardtrackersv4, becyberv4, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dropv6, dohv4, dropv4, dohv6, threatv4, firehol1v4, ipthreatv4, firehol2v4, turrisv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
|
||||
+ active_devices : wan: pppoe-wan / wan-if: wan, wan_6 / vlan-allow: - / vlan-block: -
|
||||
+ active_uplink : 217.89.211.113, fe80::2c35:fb80:e78c:cf71, 2003:ed:b5ff:2338:2c15:fb80:e78c:cf71
|
||||
+ nft_info : priority: -200, policy: performance, loglevel: warn, expiry: 2h
|
||||
+ active_uplink : 217.83.205.130, fe80::9cd6:12e9:c4df:75d3, 2003:ed:b5ff:43bd:9cd5:12e7:c3ef:75d8
|
||||
+ nft_info : priority: 0, policy: performance, loglevel: warn, expiry: 2h
|
||||
+ run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report
|
||||
+ run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘
|
||||
+ last_run : action: reload, log: logread, fetch: curl, duration: 0m 50s, date: 2024-03-02 07:35:01
|
||||
+ system_info : cores: 4, memory: 1685, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r25356-09be63de70
|
||||
+ run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/inp/fwd/lan): ✔/✘/✘/✘, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘
|
||||
+ last_run : action: reload, log: logread, fetch: curl, duration: 2m 33s, date: 2024-04-17 05:57:56
|
||||
+ system_info : cores: 4, memory: 1573, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r25932-338b463e1e
|
||||
```
|
||||
|
||||
**banIP search information**
|
||||
|
@ -315,11 +332,14 @@ Both local lists also accept domain names as input to allow IP filtering based o
|
|||
banIP supports an "allowlist only" mode. This option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments - and block access to the rest of the internet. All IPs which are _not_ listed in the allowlist (plus the external Allowlist URLs) are blocked.
|
||||
|
||||
**MAC/IP-binding**
|
||||
banIP supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. Following notations in the local allow and block lists are allowed:
|
||||
banIP supports concatenation of local MAC addresses/ranges with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. Following notations in the local allow and block lists are allowed:
|
||||
```
|
||||
MAC-address only:
|
||||
C8:C2:9B:F7:80:12 => this will be populated to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0
|
||||
|
||||
MAC-address range:
|
||||
C8:C2:9B:F7:80:12/24 => this populate the MAC-range C8:C2:9B:00:00:00", "C8:C2:9B:FF:FF:FF to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0
|
||||
|
||||
MAC-address with IPv4 concatenation:
|
||||
C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated only to v4MAC-Set with the certain IP, no entry in the v6MAC-Set
|
||||
|
||||
|
@ -334,6 +354,7 @@ MAC-address with IPv4 and IPv6 wildcard concatenation:
|
|||
C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP
|
||||
C8:C2:9B:F7:80:12 => this will be populated to v6MAC-Set with the IP-wildcard ::/0
|
||||
```
|
||||
|
||||
**enable the cgi interface to receive remote logging events**
|
||||
banIP ships a basic cgi interface in '/www/cgi-bin/banip' to receive remote logging events (disabled by default). The cgi interface evaluates logging events via GET or POST request (see examples below). To enable the cgi interface set the following options:
|
||||
|
||||
|
@ -407,12 +428,12 @@ A valid JSON source object contains the following information, e.g.:
|
|||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"descr": "tor exit nodes",
|
||||
"flag": "80-89 443 tcp"
|
||||
"flag": "gz tcp 80-88 udp 50000"
|
||||
},
|
||||
[...]
|
||||
```
|
||||
Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed.
|
||||
Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, port numbers (plus ranges) for destination port limitations with 'tcp' (default) or 'udp' as protocol variants.
|
||||
Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations - multiple definitions are possible.
|
||||
|
||||
## Support
|
||||
Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
|
||||
|
|
|
@ -16,6 +16,7 @@ ban_basedir="/tmp"
|
|||
ban_backupdir="/tmp/banIP-backup"
|
||||
ban_reportdir="/tmp/banIP-report"
|
||||
ban_feedfile="/etc/banip/banip.feeds"
|
||||
ban_countryfile="/etc/banip/banip.countries"
|
||||
ban_customfeedfile="/etc/banip/banip.custom.feeds"
|
||||
ban_allowlist="/etc/banip/banip.allowlist"
|
||||
ban_blocklist="/etc/banip/banip.blocklist"
|
||||
|
@ -36,18 +37,24 @@ ban_reportelements="1"
|
|||
ban_remotelog="0"
|
||||
ban_remotetoken=""
|
||||
ban_nftloglevel="warn"
|
||||
ban_nftpriority="-200"
|
||||
ban_nftpriority="-100"
|
||||
ban_nftpolicy="memory"
|
||||
ban_nftexpiry=""
|
||||
ban_loglimit="100"
|
||||
ban_icmplimit="10"
|
||||
ban_synlimit="10"
|
||||
ban_udplimit="100"
|
||||
ban_logcount="1"
|
||||
ban_logterm=""
|
||||
ban_region=""
|
||||
ban_country=""
|
||||
ban_asn=""
|
||||
ban_loginput="1"
|
||||
ban_logforwardwan="1"
|
||||
ban_logprerouting="0"
|
||||
ban_loginput="0"
|
||||
ban_logforwardwan="0"
|
||||
ban_logforwardlan="0"
|
||||
ban_allowurl=""
|
||||
ban_allowflag=""
|
||||
ban_allowlistonly="0"
|
||||
ban_autoallowlist="1"
|
||||
ban_autoallowuplink="subnet"
|
||||
|
@ -104,6 +111,7 @@ f_system() {
|
|||
[ "${cpu}" = "0" ] && cpu="1"
|
||||
[ "${core}" = "0" ] && core="1"
|
||||
ban_cores="$((cpu * core))"
|
||||
[ "${ban_cores}" -gt "16" ] && ban_cores="16"
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -211,8 +219,7 @@ f_rmpid() {
|
|||
kill -INT "${pid}" >/dev/null 2>&1
|
||||
done
|
||||
fi
|
||||
: >"${ban_rdapfile}"
|
||||
: >"${ban_pidfile}"
|
||||
: >"${ban_rdapfile}" >"${ban_pidfile}"
|
||||
}
|
||||
|
||||
# write log messages
|
||||
|
@ -247,7 +254,9 @@ f_log() {
|
|||
# load config
|
||||
#
|
||||
f_conf() {
|
||||
unset ban_dev ban_vlanallow ban_vlanblock ban_ifv4 ban_ifv6 ban_feed ban_allowurl ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn
|
||||
local rir ccode region country
|
||||
|
||||
unset ban_dev ban_vlanallow ban_vlanblock ban_ifv4 ban_ifv6 ban_feed ban_allowurl ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_region ban_country ban_asn
|
||||
config_cb() {
|
||||
option_cb() {
|
||||
local option="${1}"
|
||||
|
@ -294,6 +303,9 @@ f_conf() {
|
|||
"ban_logterm")
|
||||
eval "${option}=\"$(printf "%s" "${ban_logterm}")${value}\\|\""
|
||||
;;
|
||||
"ban_region")
|
||||
eval "${option}=\"$(printf "%s" "${ban_region}")${value} \""
|
||||
;;
|
||||
"ban_country")
|
||||
eval "${option}=\"$(printf "%s" "${ban_country}")${value} \""
|
||||
;;
|
||||
|
@ -305,6 +317,14 @@ f_conf() {
|
|||
}
|
||||
config_load banip
|
||||
[ -f "${ban_logreadfile}" ] && ban_logreadcmd="$(command -v tail)" || ban_logreadcmd="$(command -v logread)"
|
||||
|
||||
for rir in ${ban_region}; do
|
||||
while read -r ccode region country; do
|
||||
if [ "${rir}" = "${region}" ] && ! printf "%s" "${ban_country}" | "${ban_grepcmd}" -qw "${ccode}"; then
|
||||
ban_country="${ban_country} ${ccode}"
|
||||
fi
|
||||
done < "${ban_countryfile}"
|
||||
done
|
||||
}
|
||||
|
||||
# get nft/monitor actuals
|
||||
|
@ -575,12 +595,39 @@ f_etag() {
|
|||
# build initial nft file with base table, chains and rules
|
||||
#
|
||||
f_nftinit() {
|
||||
local wan_dev vlan_allow vlan_block feed_log feed_rc file="${1}"
|
||||
local wan_dev vlan_allow vlan_block log_ct log_icmp log_syn log_udp log_tcp feed_log feed_rc flag tmp_proto tmp_port allow_dport file="${1}"
|
||||
|
||||
wan_dev="$(printf "%s" "${ban_dev}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
|
||||
[ -n "${ban_vlanallow}" ] && vlan_allow="$(printf "%s" "${ban_vlanallow%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
|
||||
[ -n "${ban_vlanblock}" ] && vlan_block="$(printf "%s" "${ban_vlanblock%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
|
||||
|
||||
for flag in ${ban_allowflag}; do
|
||||
if [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; then
|
||||
if [ -z "${tmp_proto}" ]; then
|
||||
tmp_proto="${flag}"
|
||||
elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||
tmp_proto="${tmp_proto}, ${flag}"
|
||||
fi
|
||||
elif [ -n "${flag//[![:digit]-]/}" ]; then
|
||||
if [ -z "${tmp_port}" ]; then
|
||||
tmp_port="${flag}"
|
||||
elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||
tmp_port="${tmp_port}, ${flag}"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if [ -n "${tmp_proto}" ] && [ -n "${tmp_port}" ]; then
|
||||
allow_dport="meta l4proto { ${tmp_proto} } th dport { ${tmp_port} }"
|
||||
fi
|
||||
|
||||
if [ "${ban_logprerouting}" = "1" ]; then
|
||||
log_icmp="log level ${ban_nftloglevel} prefix \"banIP/pre-icmp/drop: \""
|
||||
log_syn="log level ${ban_nftloglevel} prefix \"banIP/pre-syn/drop: \""
|
||||
log_udp="log level ${ban_nftloglevel} prefix \"banIP/pre-udp/drop: \""
|
||||
log_tcp="log level ${ban_nftloglevel} prefix \"banIP/pre-tcp/drop: \""
|
||||
log_ct="log level ${ban_nftloglevel} prefix \"banIP/pre-ct/drop: \""
|
||||
fi
|
||||
|
||||
{
|
||||
# nft header (tables and chains)
|
||||
#
|
||||
|
@ -589,36 +636,55 @@ f_nftinit() {
|
|||
printf "%s\n" "delete table inet banIP"
|
||||
fi
|
||||
printf "%s\n" "add table inet banIP"
|
||||
printf "%s\n" "add counter inet banIP cnt-icmpflood"
|
||||
printf "%s\n" "add counter inet banIP cnt-udpflood"
|
||||
printf "%s\n" "add counter inet banIP cnt-synflood"
|
||||
printf "%s\n" "add counter inet banIP cnt-tcpinvalid"
|
||||
printf "%s\n" "add counter inet banIP cnt-ctinvalid"
|
||||
printf "%s\n" "add chain inet banIP pre-routing { type filter hook prerouting priority -150; policy accept; }"
|
||||
printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }"
|
||||
printf "%s\n" "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
|
||||
printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
|
||||
printf "%s\n" "add chain inet banIP reject-chain"
|
||||
|
||||
# default reject rules
|
||||
# default reject chain rules
|
||||
#
|
||||
printf "%s\n" "add rule inet banIP reject-chain meta l4proto tcp reject with tcp reset"
|
||||
printf "%s\n" "add rule inet banIP reject-chain reject"
|
||||
|
||||
# default pre-routing rules
|
||||
#
|
||||
printf "%s\n" "add rule inet banIP pre-routing iifname != { ${wan_dev} } counter accept"
|
||||
printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct} counter name cnt-ctinvalid drop"
|
||||
printf "%s\n" "add rule inet banIP pre-routing ip protocol icmp limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
|
||||
printf "%s\n" "add rule inet banIP pre-routing ip6 nexthdr icmpv6 limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
|
||||
printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt-udpflood drop"
|
||||
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt-synflood drop"
|
||||
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp} counter name cnt-tcpinvalid drop"
|
||||
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp} counter name cnt-tcpinvalid drop"
|
||||
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp} counter name cnt-tcpinvalid drop"
|
||||
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) ${log_tcp} counter name cnt-tcpinvalid drop"
|
||||
|
||||
# default wan-input rules
|
||||
#
|
||||
printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-input iifname != { ${wan_dev} } counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 udp sport 67-68 udp dport 67-68 counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 icmp type { echo-request } limit rate 1000/second counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { echo-request } limit rate 1000/second counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 1 counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 255 counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 1 counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 255 counter accept"
|
||||
[ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-input ${allow_dport} counter accept"
|
||||
|
||||
# default wan-forward rules
|
||||
#
|
||||
printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-forward iifname != { ${wan_dev} } counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept"
|
||||
[ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-forward ${allow_dport} counter accept"
|
||||
|
||||
# default lan-forward rules
|
||||
#
|
||||
printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept"
|
||||
printf "%s\n" "add rule inet banIP lan-forward oifname != { ${wan_dev} } counter accept"
|
||||
printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept"
|
||||
[ -n "${vlan_allow}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_allow} } counter accept"
|
||||
[ -n "${vlan_block}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_block} } counter goto reject-chain"
|
||||
} >"${file}"
|
||||
|
@ -628,7 +694,8 @@ f_nftinit() {
|
|||
feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)"
|
||||
feed_rc="${?}"
|
||||
|
||||
f_log "debug" "f_nftinit ::: wan_dev: ${wan_dev}, vlan_allow: ${vlan_allow:-"-"}, vlan_block: ${vlan_block:-"-"}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
|
||||
f_log "debug" "f_nftinit ::: wan_dev: ${wan_dev}, vlan_allow: ${vlan_allow:-"-"}, vlan_block: ${vlan_block:-"-"}, allowed_dports: ${allow_dport:-"-"}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
|
||||
: >"${file}"
|
||||
return "${feed_rc}"
|
||||
}
|
||||
|
||||
|
@ -636,7 +703,7 @@ f_nftinit() {
|
|||
#
|
||||
f_down() {
|
||||
local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file ruleset_raw handle rc etag_rc
|
||||
local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_proto feed_dport flag
|
||||
local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_target feed_dport tmp_proto tmp_port flag
|
||||
local feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}"
|
||||
|
||||
start_ts="$(date +%s)"
|
||||
|
@ -653,6 +720,14 @@ f_down() {
|
|||
[ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/${ban_blocktype}/${feed}: \""
|
||||
[ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_nftloglevel} prefix \"banIP/fwd-lan/reject/${feed}: \""
|
||||
|
||||
# set feed target
|
||||
#
|
||||
if [ "${ban_blocktype}" = "reject" ]; then
|
||||
feed_target="goto reject-chain"
|
||||
else
|
||||
feed_target="drop"
|
||||
fi
|
||||
|
||||
# set feed block direction
|
||||
#
|
||||
if [ "${ban_blockpolicy}" = "input" ]; then
|
||||
|
@ -687,19 +762,25 @@ f_down() {
|
|||
# prepare feed flags
|
||||
#
|
||||
for flag in ${feed_flag}; do
|
||||
if [ "${flag}" = "gz" ] && ! printf "%s" "${feed_comp}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||
if [ "${flag}" = "gz" ]; then
|
||||
feed_comp="${flag}"
|
||||
elif { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; } && ! printf "%s" "${feed_proto}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||
feed_proto="${flag}"
|
||||
elif [ -n "${flag//[![:digit]]/}" ] && ! printf "%s" "${feed_dport}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||
if [ -z "${feed_dport}" ]; then
|
||||
feed_dport="${flag}"
|
||||
else
|
||||
feed_dport="${feed_dport}, ${flag}"
|
||||
elif [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; then
|
||||
if [ -z "${tmp_proto}" ]; then
|
||||
tmp_proto="${flag}"
|
||||
elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||
tmp_proto="${tmp_proto}, ${flag}"
|
||||
fi
|
||||
elif [ -n "${flag//[![:digit]-]/}" ]; then
|
||||
if [ -z "${tmp_port}" ]; then
|
||||
tmp_port="${flag}"
|
||||
elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||
tmp_port="${tmp_port}, ${flag}"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
[ -n "${feed_dport}" ] && feed_dport="${feed_proto:-"tcp"} dport { ${feed_dport} }"
|
||||
if [ -n "${tmp_proto}" ] && [ -n "${tmp_port}" ]; then
|
||||
feed_dport="meta l4proto { ${tmp_proto} } th dport { ${tmp_port} }"
|
||||
fi
|
||||
|
||||
# chain/rule maintenance
|
||||
#
|
||||
|
@ -732,7 +813,7 @@ f_down() {
|
|||
done
|
||||
elif [ "${feed%v*}" = "asn" ]; then
|
||||
for asn in ${ban_asn}; do
|
||||
f_etag "${feed}" "${feed_url}AS${asn}" ".{asn}"
|
||||
f_etag "${feed}" "${feed_url}AS${asn}" ".${asn}"
|
||||
rc="${?}"
|
||||
[ "${rc}" = "4" ] && break
|
||||
etag_rc="$((etag_rc + rc))"
|
||||
|
@ -768,6 +849,7 @@ f_down() {
|
|||
break
|
||||
fi
|
||||
done
|
||||
|
||||
if [ "${feed_rc}" = "0" ]; then
|
||||
f_backup "allowlist" "${tmp_allow}"
|
||||
elif [ -z "${restore_rc}" ] && [ "${feed_rc}" != "0" ]; then
|
||||
|
@ -795,22 +877,14 @@ f_down() {
|
|||
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
|
||||
if [ -z "${feed_direction##*input*}" ]; then
|
||||
if [ "${ban_allowlistonly}" = "1" ]; then
|
||||
if [ "${ban_blocktype}" = "reject" ]; then
|
||||
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter goto reject-chain"
|
||||
else
|
||||
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter drop"
|
||||
fi
|
||||
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter ${feed_target}"
|
||||
else
|
||||
printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} counter accept"
|
||||
fi
|
||||
fi
|
||||
if [ -z "${feed_direction##*forwardwan*}" ]; then
|
||||
if [ "${ban_allowlistonly}" = "1" ]; then
|
||||
if [ "${ban_blocktype}" = "reject" ]; then
|
||||
printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter goto reject-chain"
|
||||
else
|
||||
printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter drop"
|
||||
fi
|
||||
printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter ${feed_target}"
|
||||
else
|
||||
printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} counter accept"
|
||||
fi
|
||||
|
@ -828,35 +902,28 @@ f_down() {
|
|||
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
|
||||
if [ -z "${feed_direction##*input*}" ]; then
|
||||
if [ "${ban_allowlistonly}" = "1" ]; then
|
||||
if [ "${ban_blocktype}" = "reject" ]; then
|
||||
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter goto reject-chain"
|
||||
else
|
||||
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter drop"
|
||||
fi
|
||||
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter ${feed_target}"
|
||||
else
|
||||
printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} counter accept"
|
||||
fi
|
||||
fi
|
||||
if [ -z "${feed_direction##*forwardwan*}" ]; then
|
||||
if [ "${ban_allowlistonly}" = "1" ]; then
|
||||
if [ "${ban_blocktype}" = "reject" ]; then
|
||||
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter goto reject-chain"
|
||||
else
|
||||
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter drop"
|
||||
fi
|
||||
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter ${feed_target}"
|
||||
else
|
||||
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} counter accept"
|
||||
fi
|
||||
fi
|
||||
if [ -z "${feed_direction##*forwardlan*}" ]; then
|
||||
if [ "${ban_allowlistonly}" = "1" ]; then
|
||||
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter goto reject-chain"
|
||||
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter ${feed_target}"
|
||||
else
|
||||
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} counter accept"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
} >"${tmp_nft}"
|
||||
: >"${tmp_flush}" >"${tmp_raw}" >"${tmp_file}"
|
||||
feed_rc="0"
|
||||
elif [ "${feed%v*}" = "blocklist" ]; then
|
||||
{
|
||||
|
@ -881,13 +948,8 @@ f_down() {
|
|||
fi
|
||||
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
|
||||
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
|
||||
if [ "${ban_blocktype}" = "reject" ]; then
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter goto reject-chain"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter goto reject-chain"
|
||||
else
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
|
||||
fi
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter ${feed_target}"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter ${feed_target}"
|
||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter goto reject-chain"
|
||||
elif [ "${proto}" = "6" ]; then
|
||||
if [ "${ban_deduplicate}" = "1" ]; then
|
||||
|
@ -902,16 +964,12 @@ f_down() {
|
|||
fi
|
||||
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
|
||||
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
|
||||
if [ "${ban_blocktype}" = "reject" ]; then
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter goto reject-chain"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter goto reject-chain"
|
||||
else
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
|
||||
fi
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter ${feed_target}"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter ${feed_target}"
|
||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain"
|
||||
fi
|
||||
} >"${tmp_nft}"
|
||||
: >"${tmp_flush}" >"${tmp_raw}" >"${tmp_file}"
|
||||
feed_rc="0"
|
||||
|
||||
# handle external feeds
|
||||
|
@ -925,7 +983,7 @@ f_down() {
|
|||
feed_rc="${?}"
|
||||
[ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
|
||||
done
|
||||
rm -f "${tmp_raw}"
|
||||
: >"${tmp_raw}"
|
||||
|
||||
# handle asn downloads
|
||||
#
|
||||
|
@ -935,7 +993,7 @@ f_down() {
|
|||
feed_rc="${?}"
|
||||
[ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
|
||||
done
|
||||
rm -f "${tmp_raw}"
|
||||
: >"${tmp_raw}"
|
||||
|
||||
# handle compressed downloads
|
||||
#
|
||||
|
@ -943,7 +1001,7 @@ f_down() {
|
|||
feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>&1)"
|
||||
feed_rc="${?}"
|
||||
[ "${feed_rc}" = "0" ] && "${ban_zcatcmd}" "${tmp_raw}" 2>/dev/null >"${tmp_load}"
|
||||
rm -f "${tmp_raw}"
|
||||
: >"${tmp_raw}"
|
||||
|
||||
# handle normal downloads
|
||||
#
|
||||
|
@ -970,27 +1028,28 @@ f_down() {
|
|||
# deduplicate Sets
|
||||
#
|
||||
if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then
|
||||
"${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_raw}"
|
||||
"${ban_awkcmd}" '{sub("\r$", ""); print}' "${tmp_load}" 2>/dev/null | "${ban_awkcmd}" "${feed_rule}" 2>/dev/null >"${tmp_raw}"
|
||||
"${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null | tee -a "${ban_tmpfile}.deduplicate" >"${tmp_split}"
|
||||
else
|
||||
"${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_split}"
|
||||
"${ban_awkcmd}" '{sub("\r$", ""); print}' "${tmp_load}" 2>/dev/null | "${ban_awkcmd}" "${feed_rule}" 2>/dev/null >"${tmp_split}"
|
||||
fi
|
||||
feed_rc="${?}"
|
||||
|
||||
# split Sets
|
||||
#
|
||||
if [ "${feed_rc}" = "0" ]; then
|
||||
if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "0" ]; then
|
||||
if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "512" ]; then
|
||||
if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then
|
||||
rm -f "${tmp_file}".*
|
||||
f_log "info" "can't split Set '${feed}' to size '${ban_splitsize//[![:digit]]/}'"
|
||||
rm -f "${tmp_file}".*
|
||||
fi
|
||||
else
|
||||
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1"
|
||||
fi
|
||||
feed_rc="${?}"
|
||||
fi
|
||||
rm -f "${tmp_raw}" "${tmp_load}"
|
||||
: >"${tmp_raw}" >"${tmp_load}"
|
||||
|
||||
if [ "${feed_rc}" = "0" ] && [ "${proto}" = "4" ]; then
|
||||
{
|
||||
# nft header (IPv4 Set)
|
||||
|
@ -1001,13 +1060,8 @@ f_down() {
|
|||
|
||||
# input and forward rules
|
||||
#
|
||||
if [ "${ban_blocktype}" = "reject" ]; then
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter goto reject-chain"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter goto reject-chain"
|
||||
else
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter drop"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter drop"
|
||||
fi
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter ${feed_target}"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter ${feed_target}"
|
||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip daddr @${feed} ${log_forwardlan} counter goto reject-chain"
|
||||
} >"${tmp_nft}"
|
||||
elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then
|
||||
|
@ -1020,16 +1074,12 @@ f_down() {
|
|||
|
||||
# input and forward rules
|
||||
#
|
||||
if [ "${ban_blocktype}" = "reject" ]; then
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter goto reject-chain"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter goto reject-chain"
|
||||
else
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter drop"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter drop"
|
||||
fi
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter ${feed_target}"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter ${feed_target}"
|
||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain"
|
||||
} >"${tmp_nft}"
|
||||
fi
|
||||
: >"${tmp_flush}" >"${tmp_file}.1"
|
||||
fi
|
||||
|
||||
# load generated nft file in banIP table
|
||||
|
@ -1039,6 +1089,7 @@ f_down() {
|
|||
cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_allow}" 2>/dev/null)"
|
||||
else
|
||||
cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_split}" 2>/dev/null)"
|
||||
: >"${tmp_split}"
|
||||
fi
|
||||
if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed_url}" = "local" ] || [ "${feed%v*}" = "allowlist" ] || [ "${feed%v*}" = "blocklist" ]; then
|
||||
feed_log="$("${ban_nftcmd}" -f "${tmp_nft}" 2>&1)"
|
||||
|
@ -1048,15 +1099,13 @@ f_down() {
|
|||
#
|
||||
if [ "${feed_rc}" = "0" ]; then
|
||||
for split_file in "${tmp_file}".*; do
|
||||
[ ! -f "${split_file}" ] && break
|
||||
if [ "${split_file##*.}" = "1" ]; then
|
||||
rm -f "${split_file}"
|
||||
continue
|
||||
fi
|
||||
if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $("${ban_catcmd}" "${split_file}") }" >/dev/null 2>&1; then
|
||||
[ ! -s "${split_file}" ] && continue
|
||||
"${ban_sedcmd}" -i "1 i #!/usr/sbin/nft -f\nadd element inet banIP "${feed}" { " "${split_file}"
|
||||
printf "%s\n" "}" >> "${split_file}"
|
||||
if ! "${ban_nftcmd}" -f "${split_file}" >/dev/null 2>&1; then
|
||||
f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'"
|
||||
fi
|
||||
rm -f "${split_file}"
|
||||
: >"${split_file}"
|
||||
done
|
||||
if [ "${ban_debug}" = "1" ] && [ "${ban_reportelements}" = "1" ]; then
|
||||
cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
|
||||
|
@ -1066,7 +1115,7 @@ f_down() {
|
|||
f_log "info" "skip empty feed '${feed}'"
|
||||
fi
|
||||
fi
|
||||
rm -f "${tmp_split}" "${tmp_nft}"
|
||||
: >"${tmp_nft}"
|
||||
end_ts="$(date +%s)"
|
||||
|
||||
f_log "debug" "f_down ::: feed: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
|
||||
|
@ -1110,7 +1159,7 @@ f_rmset() {
|
|||
json_get_keys feedlist
|
||||
tmp_del="${ban_tmpfile}.final.delete"
|
||||
ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
|
||||
table_sets="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')"
|
||||
table_sets="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')"
|
||||
{
|
||||
printf "%s\n\n" "#!/usr/sbin/nft -f"
|
||||
for item in ${table_sets}; do
|
||||
|
@ -1137,7 +1186,7 @@ f_rmset() {
|
|||
feed_log="$("${ban_nftcmd}" -f "${tmp_del}" 2>&1)"
|
||||
feed_rc="${?}"
|
||||
fi
|
||||
rm -f "${tmp_del}"
|
||||
: >"${tmp_del}"
|
||||
|
||||
f_log "debug" "f_rmset ::: sets: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
|
||||
}
|
||||
|
@ -1153,7 +1202,7 @@ f_genstatus() {
|
|||
end_time="$(date "+%s")"
|
||||
duration="$(((end_time - ban_starttime) / 60))m $(((end_time - ban_starttime) % 60))s"
|
||||
fi
|
||||
table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')"
|
||||
table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')"
|
||||
if [ "${ban_reportelements}" = "1" ]; then
|
||||
for object in ${table_sets}; do
|
||||
cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${object}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))"
|
||||
|
@ -1202,7 +1251,7 @@ f_genstatus() {
|
|||
json_close_array
|
||||
json_add_string "nft_info" "priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, expiry: ${ban_nftexpiry:-"-"}"
|
||||
json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}"
|
||||
json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), custom feed: $(f_char ${custom_feed}), allowed only: $(f_char ${ban_allowlistonly})"
|
||||
json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (pre/inp/fwd/lan): $(f_char ${ban_logprerouting})/$(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), custom feed: $(f_char ${custom_feed}), allowed only: $(f_char ${ban_allowlistonly})"
|
||||
json_add_string "last_run" "${runtime:-"-"}"
|
||||
json_add_string "system_info" "cores: ${ban_cores}, memory: ${ban_memory}, device: ${ban_sysver}"
|
||||
json_dump >"${ban_rtfile}"
|
||||
|
@ -1284,12 +1333,12 @@ f_lookup() {
|
|||
cnt_domain="$((cnt_domain + 1))"
|
||||
done
|
||||
if [ -n "${elementsv4}" ]; then
|
||||
if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" "{ ${elementsv4} }" >/dev/null 2>&1; then
|
||||
if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" { ${elementsv4} } >/dev/null 2>&1; then
|
||||
f_log "info" "can't add lookup file to Set '${feed}v4'"
|
||||
fi
|
||||
fi
|
||||
if [ -n "${elementsv6}" ]; then
|
||||
if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" "{ ${elementsv6} }" >/dev/null 2>&1; then
|
||||
if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" { ${elementsv6} } >/dev/null 2>&1; then
|
||||
f_log "info" "can't add lookup file to Set '${feed}v6'"
|
||||
fi
|
||||
fi
|
||||
|
@ -1303,8 +1352,8 @@ f_lookup() {
|
|||
#
|
||||
f_report() {
|
||||
local report_jsn report_txt tmp_val ruleset_raw item table_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan set_proto set_dport set_details
|
||||
local expr detail jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan output="${1}"
|
||||
|
||||
local expr detail jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan
|
||||
local sum_synflood sum_udpflood sum_icmpflood sum_ctinvalid sum_tcpinvalid output="${1}"
|
||||
[ -z "${ban_dev}" ] && f_conf
|
||||
f_mkdir "${ban_reportdir}"
|
||||
report_jsn="${ban_reportdir}/ban_report.jsn"
|
||||
|
@ -1313,7 +1362,7 @@ f_report() {
|
|||
# json output preparation
|
||||
#
|
||||
ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
|
||||
table_sets="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')"
|
||||
table_sets="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')"
|
||||
sum_sets="0"
|
||||
sum_setinput="0"
|
||||
sum_setforwardwan="0"
|
||||
|
@ -1322,6 +1371,11 @@ f_report() {
|
|||
sum_cntinput="0"
|
||||
sum_cntforwardwan="0"
|
||||
sum_cntforwardlan="0"
|
||||
sum_synflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-synflood"].*.packets')"
|
||||
sum_udpflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-udpflood"].*.packets')"
|
||||
sum_icmpflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-icmpflood"].*.packets')"
|
||||
sum_ctinvalid="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-ctinvalid"].*.packets')"
|
||||
sum_tcpinvalid="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-tcpinvalid"].*.packets')"
|
||||
timestamp="$(date "+%Y-%m-%d %H:%M:%S")"
|
||||
: >"${report_jsn}"
|
||||
{
|
||||
|
@ -1344,12 +1398,6 @@ f_report() {
|
|||
[ "${expr}" = "1" ] && [ -z "${set_dport}" ] && set_dport="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.right.set")"
|
||||
[ "${expr}" = "1" ] && [ -z "${set_proto}" ] && set_proto="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.left.payload.protocol")"
|
||||
done
|
||||
if [ -n "${set_dport}" ]; then
|
||||
set_dport="${set_dport//[\{\}\":]/}"
|
||||
set_dport="${set_dport#\[ *}"
|
||||
set_dport="${set_dport%* \]}"
|
||||
set_dport="${set_proto}: $(f_trim "${set_dport}")"
|
||||
fi
|
||||
if [ "${ban_reportelements}" = "1" ]; then
|
||||
set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
|
||||
sum_setelements="$((sum_setelements + set_cnt))"
|
||||
|
@ -1357,8 +1405,14 @@ f_report() {
|
|||
set_cnt=""
|
||||
sum_setelements="n/a"
|
||||
fi
|
||||
if [ -n "${set_dport}" ]; then
|
||||
set_dport="${set_dport//[\{\}\":]/}"
|
||||
set_dport="${set_dport#\[ *}"
|
||||
set_dport="${set_dport%* \]}"
|
||||
set_dport="${set_proto}: $(f_trim "${set_dport}")"
|
||||
fi
|
||||
if [ -n "${set_cntinput}" ]; then
|
||||
set_input="OK"
|
||||
set_input="ON"
|
||||
sum_setinput="$((sum_setinput + 1))"
|
||||
sum_cntinput="$((sum_cntinput + set_cntinput))"
|
||||
else
|
||||
|
@ -1366,7 +1420,7 @@ f_report() {
|
|||
set_cntinput=""
|
||||
fi
|
||||
if [ -n "${set_cntforwardwan}" ]; then
|
||||
set_forwardwan="OK"
|
||||
set_forwardwan="ON"
|
||||
sum_setforwardwan="$((sum_setforwardwan + 1))"
|
||||
sum_cntforwardwan="$((sum_cntforwardwan + set_cntforwardwan))"
|
||||
else
|
||||
|
@ -1374,7 +1428,7 @@ f_report() {
|
|||
set_cntforwardwan=""
|
||||
fi
|
||||
if [ -n "${set_cntforwardlan}" ]; then
|
||||
set_forwardlan="OK"
|
||||
set_forwardlan="ON"
|
||||
sum_setforwardlan="$((sum_setforwardlan + 1))"
|
||||
sum_cntforwardlan="$((sum_cntforwardlan + set_cntforwardlan))"
|
||||
else
|
||||
|
@ -1398,6 +1452,11 @@ f_report() {
|
|||
printf "\t%s\n" "\"timestamp\": \"${timestamp}\","
|
||||
printf "\t%s\n" "\"autoadd_allow\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_allowlist}")\","
|
||||
printf "\t%s\n" "\"autoadd_block\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_blocklist}")\","
|
||||
printf "\t%s\n" "\"sum_synflood\": \"${sum_synflood}\","
|
||||
printf "\t%s\n" "\"sum_udpflood\": \"${sum_udpflood}\","
|
||||
printf "\t%s\n" "\"sum_icmpflood\": \"${sum_icmpflood}\","
|
||||
printf "\t%s\n" "\"sum_ctinvalid\": \"${sum_ctinvalid}\","
|
||||
printf "\t%s\n" "\"sum_tcpinvalid\": \"${sum_tcpinvalid}\","
|
||||
printf "\t%s\n" "\"sum_sets\": \"${sum_sets}\","
|
||||
printf "\t%s\n" "\"sum_setinput\": \"${sum_setinput}\","
|
||||
printf "\t%s\n" "\"sum_setforwardwan\": \"${sum_setforwardwan}\","
|
||||
|
@ -1418,6 +1477,11 @@ f_report() {
|
|||
json_get_var timestamp "timestamp" >/dev/null 2>&1
|
||||
json_get_var autoadd_allow "autoadd_allow" >/dev/null 2>&1
|
||||
json_get_var autoadd_block "autoadd_block" >/dev/null 2>&1
|
||||
json_get_var sum_synflood "sum_synflood" >/dev/null 2>&1
|
||||
json_get_var sum_udpflood "sum_udpflood" >/dev/null 2>&1
|
||||
json_get_var sum_icmpflood "sum_icmpflood" >/dev/null 2>&1
|
||||
json_get_var sum_ctinvalid "sum_ctinvalid" >/dev/null 2>&1
|
||||
json_get_var sum_tcpinvalid "sum_tcpinvalid" >/dev/null 2>&1
|
||||
json_get_var sum_sets "sum_sets" >/dev/null 2>&1
|
||||
json_get_var sum_setinput "sum_setinput" >/dev/null 2>&1
|
||||
json_get_var sum_setforwardwan "sum_setforwardwan" >/dev/null 2>&1
|
||||
|
@ -1430,8 +1494,14 @@ f_report() {
|
|||
printf "%s\n%s\n%s\n" ":::" "::: banIP Set Statistics" ":::"
|
||||
printf "%s\n" " Timestamp: ${timestamp}"
|
||||
printf "%s\n" " ------------------------------"
|
||||
printf "%s\n" " auto-added to allowlist today: ${autoadd_allow}"
|
||||
printf "%s\n\n" " auto-added to blocklist today: ${autoadd_block}"
|
||||
printf "%s\n" " blocked syn-flood packets : ${sum_synflood}"
|
||||
printf "%s\n" " blocked udp-flood packets : ${sum_udpflood}"
|
||||
printf "%s\n" " blocked icmp-flood packets : ${sum_icmpflood}"
|
||||
printf "%s\n" " blocked invalid ct packets : ${sum_ctinvalid}"
|
||||
printf "%s\n" " blocked invalid tcp packets: ${sum_tcpinvalid}"
|
||||
printf "%s\n" " ----------"
|
||||
printf "%s\n" " auto-added IPs to allowlist: ${autoadd_allow}"
|
||||
printf "%s\n\n" " auto-added IPs to blocklist: ${autoadd_block}"
|
||||
json_select "sets" >/dev/null 2>&1
|
||||
json_get_keys table_sets >/dev/null 2>&1
|
||||
if [ -n "${table_sets}" ]; then
|
||||
|
@ -1488,10 +1558,10 @@ f_search() {
|
|||
local item table_sets ip proto hold cnt result_flag="/var/run/banIP.search" input="${1}"
|
||||
|
||||
if [ -n "${input}" ]; then
|
||||
ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?[[:space:]]*$)"}{printf "%s",RT}')"
|
||||
ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?[[:space:]]*$)"}{printf "%s",RT}')"
|
||||
[ -n "${ip}" ] && proto="v4"
|
||||
if [ -z "${proto}" ]; then
|
||||
ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)"}{printf "%s",RT}')"
|
||||
ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)"}{printf "%s",RT}')"
|
||||
[ -n "${ip}" ] && proto="v6"
|
||||
fi
|
||||
fi
|
||||
|
@ -1501,14 +1571,14 @@ f_search() {
|
|||
printf "%s\n%s\n%s\n" ":::" "::: no valid search input" ":::"
|
||||
return
|
||||
fi
|
||||
printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::"
|
||||
printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")"
|
||||
printf " %s\n" "---"
|
||||
cnt="1"
|
||||
for item in ${table_sets}; do
|
||||
[ -f "${result_flag}" ] && break
|
||||
(
|
||||
if "${ban_nftcmd}" get element inet banIP "${item}" "{ ${ip} }" >/dev/null 2>&1; then
|
||||
printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::"
|
||||
printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")"
|
||||
printf " %s\n" "---"
|
||||
printf " %s\n" "IP found in Set '${item}'"
|
||||
: >"${result_flag}"
|
||||
fi
|
||||
|
@ -1518,7 +1588,14 @@ f_search() {
|
|||
cnt="$((cnt + 1))"
|
||||
done
|
||||
wait
|
||||
[ -f "${result_flag}" ] && rm -f "${result_flag}" || printf " %s\n" "IP not found"
|
||||
if [ -f "${result_flag}" ]; then
|
||||
rm -f "${result_flag}"
|
||||
else
|
||||
printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::"
|
||||
printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")"
|
||||
printf " %s\n" "---"
|
||||
printf " %s\n" "IP not found"
|
||||
fi
|
||||
}
|
||||
|
||||
# Set survey
|
||||
|
@ -1564,7 +1641,7 @@ f_mail() {
|
|||
# log monitor
|
||||
#
|
||||
f_monitor() {
|
||||
local daemon logread_cmd loglimit_cmd nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_elements rdap_info
|
||||
local daemon logread_cmd loglimit_cmd nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_prefix rdap_length rdap_info
|
||||
|
||||
if [ -f "${ban_logreadfile}" ]; then
|
||||
logread_cmd="${ban_logreadcmd} -qf ${ban_logreadfile} 2>/dev/null | ${ban_grepcmd} -e \"${ban_logterm%%??}\" 2>/dev/null"
|
||||
|
@ -1609,19 +1686,22 @@ f_monitor() {
|
|||
rdap_log="$("${ban_fetchcmd}" ${ban_rdapparm} "${ban_rdapfile}" "${ban_rdapurl}${ip}" 2>&1)"
|
||||
rdap_rc="${?}"
|
||||
if [ "${rdap_rc}" = "0" ] && [ -s "${ban_rdapfile}" ]; then
|
||||
rdap_elements="$(jsonfilter -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*' | awk 'BEGIN{FS="[\" ]"}{printf "%s/%s, ",$6,$11}')"
|
||||
rdap_info="$(jsonfilter -i "${ban_rdapfile}" -qe '@.country' -qe '@.notices[@.title="Source"].description[1]' | awk 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')"
|
||||
if [ -n "${rdap_elements//\/*/}" ]; then
|
||||
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${rdap_elements%%??} ${nft_expiry} }" >/dev/null 2>&1; then
|
||||
f_log "info" "add IP range '${rdap_elements%%??}' (source: ${rdap_info:-"-"} ::: expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
|
||||
[ "${proto}" = "v4" ] && rdap_prefix="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*.v4prefix')"
|
||||
[ "${proto}" = "v6" ] && rdap_prefix="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*.v6prefix')"
|
||||
rdap_length="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*.length')"
|
||||
rdap_info="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.country' -qe '@.notices[@.title="Source"].description[1]' | awk 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')"
|
||||
[ -z "${rdap_info}" ] && rdap_info="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.notices[0].links[0].value' | awk 'BEGIN{FS="[/.]"}{printf"%s, %s","n/a",toupper($4)}')"
|
||||
if [ -n "${rdap_prefix}" ] && [ -n "${rdap_length}" ]; then
|
||||
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" { ${rdap_prefix}/${rdap_length} ${nft_expiry} } >/dev/null 2>&1; then
|
||||
f_log "info" "add IP range '${rdap_prefix}/${rdap_length}' (source: ${rdap_info:-"n/a"} ::: expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
f_log "info" "rdap request failed (rc: ${rdap_rc:-"-"}/log: ${rdap_log})"
|
||||
fi
|
||||
fi
|
||||
if [ "${ban_autoblocksubnet}" = "0" ] || [ "${rdap_rc}" != "0" ] || [ ! -s "${ban_rdapfile}" ] || [ -z "${rdap_elements//\/*/}" ]; then
|
||||
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
|
||||
if [ "${ban_autoblocksubnet}" = "0" ] || [ "${rdap_rc}" != "0" ] || [ ! -s "${ban_rdapfile}" ] || [ -z "${rdap_prefix}" ] || [ -z "${rdap_length}" ]; then
|
||||
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" { ${ip} ${nft_expiry} } >/dev/null 2>&1; then
|
||||
f_log "info" "add IP '${ip}' (expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
|
||||
fi
|
||||
fi
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
#!/bin/sh
|
||||
# banIP main service script - ban incoming and outgoing IPs via named nftables Sets
|
||||
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
|
||||
# Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org)
|
||||
# This is free software, licensed under the GNU General Public License v3.
|
||||
|
||||
# (s)hellcheck exceptions
|
||||
|
@ -24,8 +24,8 @@ f_getif
|
|||
f_getdev
|
||||
f_getuplink
|
||||
f_mkdir "${ban_backupdir}"
|
||||
f_mkfile "${ban_blocklist}"
|
||||
f_mkfile "${ban_allowlist}"
|
||||
f_mkfile "${ban_blocklist}"
|
||||
|
||||
# firewall check
|
||||
#
|
||||
|
@ -44,13 +44,13 @@ if [ "${ban_action}" != "reload" ]; then
|
|||
fi
|
||||
fi
|
||||
|
||||
# init nft namespace
|
||||
# init banIP nftables namespace
|
||||
#
|
||||
if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list set inet banIP allowlistv4MAC >/dev/null 2>&1; then
|
||||
if f_nftinit "${ban_tmpfile}".init.nft; then
|
||||
f_log "info" "initialize nft namespace"
|
||||
f_log "info" "initialize banIP nftables namespace"
|
||||
else
|
||||
f_log "err" "can't initialize nft namespace"
|
||||
f_log "err" "can't initialize banIP nftables namespace"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -99,7 +99,7 @@ for feed in allowlist ${ban_feed} blocklist; do
|
|||
continue
|
||||
fi
|
||||
|
||||
# handle IPv4/IPv6 feeds with the same/single download URL
|
||||
# handle IPv4/IPv6 feeds with a single download URL
|
||||
#
|
||||
if [ "${feed_url_4}" = "${feed_url_6}" ]; then
|
||||
if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
|
||||
|
@ -115,7 +115,8 @@ for feed in allowlist ${ban_feed} blocklist; do
|
|||
fi
|
||||
continue
|
||||
fi
|
||||
# handle IPv4/IPv6 feeds with separated download URLs
|
||||
|
||||
# handle IPv4/IPv6 feeds with separate download URLs
|
||||
#
|
||||
if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
|
||||
(f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") &
|
||||
|
|
|
@ -1,249 +1,249 @@
|
|||
af;Afghanistan
|
||||
ax;Åland Islands
|
||||
al;Albania
|
||||
dz;Algeria
|
||||
as;American Samoa
|
||||
ad;Andorra
|
||||
ao;Angola
|
||||
ai;Anguilla
|
||||
aq;Antarctica
|
||||
ag;Antigua & Barbuda
|
||||
ar;Argentina
|
||||
am;Armenia
|
||||
aw;Aruba
|
||||
au;Australia
|
||||
at;Austria
|
||||
az;Azerbaijan
|
||||
bs;Bahamas
|
||||
bh;Bahrain
|
||||
bd;Bangladesh
|
||||
bb;Barbados
|
||||
by;Belarus
|
||||
be;Belgium
|
||||
bz;Belize
|
||||
bj;Benin
|
||||
bm;Bermuda
|
||||
bt;Bhutan
|
||||
bo;Bolivia
|
||||
ba;Bosnia
|
||||
bw;Botswana
|
||||
bv;Bouvet Island
|
||||
br;Brazil
|
||||
io;British Indian Ocean Territory
|
||||
vg;British Virgin Islands
|
||||
bn;Brunei
|
||||
bg;Bulgaria
|
||||
bf;Burkina Faso
|
||||
bi;Burundi
|
||||
kh;Cambodia
|
||||
cm;Cameroon
|
||||
ca;Canada
|
||||
cv;Cape Verde
|
||||
bq;Caribbean Netherlands
|
||||
ky;Cayman Islands
|
||||
cf;Central African Republic
|
||||
td;Chad
|
||||
cl;Chile
|
||||
cn;China
|
||||
cx;Christmas Island
|
||||
cc;Cocos (Keeling) Islands
|
||||
co;Colombia
|
||||
km;Comoros
|
||||
cg;Congo - Brazzaville
|
||||
cd;Congo - Kinshasa
|
||||
ck;Cook Islands
|
||||
cr;Costa Rica
|
||||
ci;Côte d’Ivoire
|
||||
hr;Croatia
|
||||
cu;Cuba
|
||||
cw;Curaçao
|
||||
cy;Cyprus
|
||||
cz;Czechia
|
||||
dk;Denmark
|
||||
dj;Djibouti
|
||||
dm;Dominica
|
||||
do;Dominican Republic
|
||||
ec;Ecuador
|
||||
eg;Egypt
|
||||
sv;El Salvador
|
||||
gq;Equatorial Guinea
|
||||
er;Eritrea
|
||||
ee;Estonia
|
||||
sz;Eswatini
|
||||
et;Ethiopia
|
||||
fk;Falkland Islands
|
||||
fo;Faroe Islands
|
||||
fj;Fiji
|
||||
fi;Finland
|
||||
fr;France
|
||||
gf;French Guiana
|
||||
pf;French Polynesia
|
||||
tf;French Southern Territories
|
||||
ga;Gabon
|
||||
gm;Gambia
|
||||
ge;Georgia
|
||||
de;Germany
|
||||
gh;Ghana
|
||||
gi;Gibraltar
|
||||
gr;Greece
|
||||
gl;Greenland
|
||||
gd;Grenada
|
||||
gp;Guadeloupe
|
||||
gu;Guam
|
||||
gt;Guatemala
|
||||
gg;Guernsey
|
||||
gn;Guinea
|
||||
gw;Guinea-Bissau
|
||||
gy;Guyana
|
||||
ht;Haiti
|
||||
hm;Heard & McDonald Islands
|
||||
hn;Honduras
|
||||
hk;Hong Kong
|
||||
hu;Hungary
|
||||
is;Iceland
|
||||
in;India
|
||||
id;Indonesia
|
||||
ir;Iran
|
||||
iq;Iraq
|
||||
ie;Ireland
|
||||
im;Isle of Man
|
||||
il;Israel
|
||||
it;Italy
|
||||
jm;Jamaica
|
||||
jp;Japan
|
||||
je;Jersey
|
||||
jo;Jordan
|
||||
kz;Kazakhstan
|
||||
ke;Kenya
|
||||
ki;Kiribati
|
||||
kw;Kuwait
|
||||
kg;Kyrgyzstan
|
||||
la;Laos
|
||||
lv;Latvia
|
||||
lb;Lebanon
|
||||
ls;Lesotho
|
||||
lr;Liberia
|
||||
ly;Libya
|
||||
li;Liechtenstein
|
||||
lt;Lithuania
|
||||
lu;Luxembourg
|
||||
mo;Macau
|
||||
mg;Madagascar
|
||||
mw;Malawi
|
||||
my;Malaysia
|
||||
mv;Maldives
|
||||
ml;Mali
|
||||
mt;Malta
|
||||
mh;Marshall Islands
|
||||
mq;Martinique
|
||||
mr;Mauritania
|
||||
mu;Mauritius
|
||||
yt;Mayotte
|
||||
mx;Mexico
|
||||
fm;Micronesia
|
||||
md;Moldova
|
||||
mc;Monaco
|
||||
mn;Mongolia
|
||||
me;Montenegro
|
||||
ms;Montserrat
|
||||
ma;Morocco
|
||||
mz;Mozambique
|
||||
mm;Myanmar
|
||||
na;Namibia
|
||||
nr;Nauru
|
||||
np;Nepal
|
||||
nl;Netherlands
|
||||
nc;New Caledonia
|
||||
nz;New Zealand
|
||||
ni;Nicaragua
|
||||
ne;Niger
|
||||
ng;Nigeria
|
||||
nu;Niue
|
||||
nf;Norfolk Island
|
||||
mp;Northern Mariana Islands
|
||||
kp;North Korea
|
||||
mk;North Macedonia
|
||||
no;Norway
|
||||
om;Oman
|
||||
pk;Pakistan
|
||||
pw;Palau
|
||||
ps;Palestine
|
||||
pa;Panama
|
||||
pg;Papua New Guinea
|
||||
py;Paraguay
|
||||
pe;Peru
|
||||
ph;Philippines
|
||||
pn;Pitcairn Islands
|
||||
pl;Poland
|
||||
pt;Portugal
|
||||
pr;Puerto Rico
|
||||
qa;Qatar
|
||||
re;Réunion
|
||||
ro;Romania
|
||||
ru;Russia
|
||||
rw;Rwanda
|
||||
ws;Samoa
|
||||
sm;San Marino
|
||||
st;São Tomé & Príncipe
|
||||
sa;Saudi Arabia
|
||||
sn;Senegal
|
||||
rs;Serbia
|
||||
sc;Seychelles
|
||||
sl;Sierra Leone
|
||||
sg;Singapore
|
||||
sx;Sint Maarten
|
||||
sk;Slovakia
|
||||
si;Slovenia
|
||||
sb;Solomon Islands
|
||||
so;Somalia
|
||||
za;South Africa
|
||||
gs;South Georgia & South Sandwich Islands
|
||||
kr;South Korea
|
||||
ss;South Sudan
|
||||
es;Spain
|
||||
lk;Sri Lanka
|
||||
bl;St. Barthélemy
|
||||
sh;St. Helena
|
||||
kn;St. Kitts & Nevis
|
||||
lc;St. Lucia
|
||||
mf;St. Martin
|
||||
pm;St. Pierre & Miquelon
|
||||
vc;St. Vincent & Grenadines
|
||||
sd;Sudan
|
||||
sr;Suriname
|
||||
sj;Svalbard & Jan Mayen
|
||||
se;Sweden
|
||||
ch;Switzerland
|
||||
sy;Syria
|
||||
tw;Taiwan
|
||||
tj;Tajikistan
|
||||
tz;Tanzania
|
||||
th;Thailand
|
||||
tl;Timor-Leste
|
||||
tg;Togo
|
||||
tk;Tokelau
|
||||
to;Tonga
|
||||
tt;Trinidad & Tobago
|
||||
tn;Tunisia
|
||||
tr;Turkey
|
||||
tm;Turkmenistan
|
||||
tc;Turks & Caicos Islands
|
||||
tv;Tuvalu
|
||||
ug;Uganda
|
||||
ua;Ukraine
|
||||
ae;United Arab Emirates
|
||||
gb;United Kingdom
|
||||
us;United States
|
||||
uy;Uruguay
|
||||
um;U.S. Outlying Islands
|
||||
vi;U.S. Virgin Islands
|
||||
uz;Uzbekistan
|
||||
vu;Vanuatu
|
||||
va;Vatican City
|
||||
ve;Venezuela
|
||||
vn;Vietnam
|
||||
wf;Wallis & Futuna
|
||||
eh;Western Sahara
|
||||
ye;Yemen
|
||||
zm;Zambia
|
||||
zw;Zimbabwe
|
||||
af APNIC Afghanistan
|
||||
ax RIPE Åland Islands
|
||||
al RIPE Albania
|
||||
dz AFRINIC Algeria
|
||||
as APNIC American Samoa
|
||||
ad RIPE Andorra
|
||||
ao AFRINIC Angola
|
||||
ai ARIN Anguilla
|
||||
aq ARIN Antarctica
|
||||
ag ARIN Antigua & Barbuda
|
||||
ar LACNIC Argentina
|
||||
am RIPE Armenia
|
||||
aw LACNIC Aruba
|
||||
au APNIC Australia
|
||||
at RIPE Austria
|
||||
az RIPE Azerbaijan
|
||||
bs ARIN Bahamas
|
||||
bh RIPE Bahrain
|
||||
bd APNIC Bangladesh
|
||||
bb ARIN Barbados
|
||||
by RIPE Belarus
|
||||
be RIPE Belgium
|
||||
bz LACNIC Belize
|
||||
bj AFRINIC Benin
|
||||
bm ARIN Bermuda
|
||||
bt APNIC Bhutan
|
||||
bo LACNIC Bolivia
|
||||
bq LACNIC Bonaire
|
||||
ba RIPE Bosnia & Herzegowina
|
||||
bw AFRINIC Botswana
|
||||
bv ARIN Bouvet Island
|
||||
br LACNIC Brazil
|
||||
io APNIC British Indian Ocean Territory
|
||||
bn APNIC Brunei
|
||||
bg RIPE Bulgaria
|
||||
bf AFRINIC Burkina Faso
|
||||
bi AFRINIC Burundi
|
||||
kh APNIC Cambodia
|
||||
cm AFRINIC Cameroon
|
||||
ca ARIN Canada
|
||||
cv AFRINIC Cape Verde
|
||||
ky ARIN Cayman Islands
|
||||
cf AFRINIC Central African Republic
|
||||
td AFRINIC Chad
|
||||
cl LACNIC Chile
|
||||
cn APNIC China
|
||||
cx APNIC Christmas Island
|
||||
cc APNIC Cocos Islands
|
||||
co LACNIC Colombia
|
||||
km AFRINIC Comoros
|
||||
cg AFRINIC Congo - Brazzaville
|
||||
cd AFRINIC Congo - Kinshasa
|
||||
ck APNIC Cook Islands
|
||||
cr LACNIC Costa Rica
|
||||
ci AFRINIC Côte D'ivoire
|
||||
hr RIPE Croatia
|
||||
cu LACNIC Cuba
|
||||
cw LACNIC Curaçao
|
||||
cy RIPE Cyprus
|
||||
cz RIPE Czechia
|
||||
dk RIPE Denmark
|
||||
dj AFRINIC Djibouti
|
||||
dm ARIN Dominica
|
||||
do LACNIC Dominican Republic
|
||||
ec LACNIC Ecuador
|
||||
eg AFRINIC Egypt
|
||||
sv LACNIC El Salvador
|
||||
gq AFRINIC Equatorial Guinea
|
||||
er AFRINIC Eritrea
|
||||
ee RIPE Estonia
|
||||
sz AFRINIC Eswatini
|
||||
et AFRINIC Ethiopia
|
||||
fk LACNIC Falkland Islands
|
||||
fo RIPE Faroe Islands
|
||||
fj APNIC Fiji
|
||||
fi RIPE Finland
|
||||
fr RIPE France
|
||||
gf LACNIC French Guiana
|
||||
pf APNIC French Polynesia
|
||||
tf APNIC French Southern Territories
|
||||
ga AFRINIC Gabon
|
||||
gm AFRINIC Gambia
|
||||
ge RIPE Georgia
|
||||
de RIPE Germany
|
||||
gh AFRINIC Ghana
|
||||
gi RIPE Gibraltar
|
||||
gr RIPE Greece
|
||||
gl RIPE Greenland
|
||||
gd ARIN Grenada
|
||||
gp ARIN Guadeloupe
|
||||
gu APNIC Guam
|
||||
gt LACNIC Guatemala
|
||||
gg RIPE Guernsey
|
||||
gn AFRINIC Guinea
|
||||
gw AFRINIC Guinea-Bissau
|
||||
gy LACNIC Guyana
|
||||
ht LACNIC Haiti
|
||||
hm ARIN Heard & McDonald Islands
|
||||
hn LACNIC Honduras
|
||||
hk APNIC Hong Kong
|
||||
hu RIPE Hungary
|
||||
is RIPE Iceland
|
||||
in APNIC India
|
||||
id APNIC Indonesia
|
||||
ir RIPE Iran
|
||||
iq RIPE Iraq
|
||||
ie RIPE Ireland
|
||||
im RIPE Isle of Man
|
||||
il RIPE Israel
|
||||
it RIPE Italy
|
||||
jm ARIN Jamaica
|
||||
jp APNIC Japan
|
||||
je RIPE Jersey
|
||||
jo RIPE Jordan
|
||||
kz RIPE Kazakhstan
|
||||
ke AFRINIC Kenya
|
||||
ki APNIC Kiribati
|
||||
kw RIPE Kuwait
|
||||
kg RIPE Kyrgyzstan
|
||||
la APNIC Lao
|
||||
lv RIPE Latvia
|
||||
lb RIPE Lebanon
|
||||
ls AFRINIC Lesotho
|
||||
lr AFRINIC Liberia
|
||||
ly AFRINIC Libya
|
||||
li RIPE Liechtenstein
|
||||
lt RIPE Lithuania
|
||||
lu RIPE Luxembourg
|
||||
mo APNIC Macao
|
||||
mg AFRINIC Madagascar
|
||||
mw AFRINIC Malawi
|
||||
my APNIC Malaysia
|
||||
mv APNIC Maldives
|
||||
ml AFRINIC Mali
|
||||
mt RIPE Malta
|
||||
mh APNIC Marshall Islands
|
||||
ma AFRINIC Marocco
|
||||
mq ARIN Martinique
|
||||
mr AFRINIC Mauritania
|
||||
mu AFRINIC Mauritius
|
||||
yt AFRINIC Mayotte
|
||||
mx LACNIC Mexico
|
||||
fm APNIC Micronesia
|
||||
md RIPE Moldova
|
||||
mc RIPE Monaco
|
||||
mn APNIC Mongolia
|
||||
me RIPE Montenegro
|
||||
ms ARIN Montserrat
|
||||
mz AFRINIC Mozambique
|
||||
mm APNIC Myanmar
|
||||
na AFRINIC Namibia
|
||||
nr APNIC Nauru
|
||||
np APNIC Nepal
|
||||
nl RIPE Netherlands
|
||||
nc APNIC New Caledonia
|
||||
nz APNIC New Zealand
|
||||
ni LACNIC Nicaragua
|
||||
ne AFRINIC Niger
|
||||
ng AFRINIC Nigeria
|
||||
nu APNIC Niue
|
||||
nf APNIC Norfolk Island
|
||||
kp APNIC North Korea
|
||||
mk RIPE North Macedonia
|
||||
mp APNIC Northern Mariana Islands
|
||||
no RIPE Norway
|
||||
om RIPE Oman
|
||||
pk APNIC Pakistan
|
||||
pw APNIC Palau
|
||||
ps RIPE Palestine
|
||||
pa LACNIC Panama
|
||||
pg APNIC Papua New Guinea
|
||||
py LACNIC Paraguay
|
||||
pe LACNIC Peru
|
||||
ph APNIC Philippines
|
||||
pn APNIC Pitcairn
|
||||
pl RIPE Poland
|
||||
pt RIPE Portugal
|
||||
pr ARIN Puerto Rico
|
||||
qa RIPE Qatar
|
||||
re AFRINIC Reunion
|
||||
ro RIPE Romania
|
||||
ru RIPE Russian Federation
|
||||
rw AFRINIC Rwanda
|
||||
sh ARIN Saint Helena
|
||||
bl ARIN Saint Barthélemy
|
||||
kn ARIN Saint Kitts & Nevis
|
||||
lc ARIN Saint Lucia
|
||||
mf ARIN Saint Martin
|
||||
pm ARIN Saint Pierre & Miquelon
|
||||
vc ARIN Saint Vincent & the Grenadines
|
||||
ws APNIC Samoa
|
||||
sm RIPE San Marino
|
||||
st AFRINIC Sao Tome & Principe
|
||||
sa RIPE Saudi Arabia
|
||||
sn AFRINIC Senegal
|
||||
rs RIPE Serbia
|
||||
sc AFRINIC Seychelles
|
||||
sl AFRINIC Sierra Leone
|
||||
sg APNIC Singapore
|
||||
sx LACNIC Sint Maarten
|
||||
sk RIPE Slovakia
|
||||
si RIPE Slovenia
|
||||
sb APNIC Solomon Islands
|
||||
so AFRINIC Somalia
|
||||
za AFRINIC South Africa
|
||||
gs LACNIC South Georgia
|
||||
kr APNIC South Korea
|
||||
ss AFRINIC South Sudan
|
||||
es RIPE Spain
|
||||
lk APNIC Sri Lanka
|
||||
sd AFRINIC Sudan
|
||||
sr LACNIC Suriname
|
||||
sj RIPE Svalbard & Jan Mayen Islands
|
||||
se RIPE Sweden
|
||||
ch RIPE Switzerland
|
||||
sy RIPE Syrian
|
||||
tw APNIC Taiwan
|
||||
tj RIPE Tajikistan
|
||||
tz AFRINIC Tanzania
|
||||
th APNIC Thailand
|
||||
tl APNIC Timor-Leste
|
||||
tg AFRINIC Togo
|
||||
tk APNIC Tokelau
|
||||
to APNIC Tonga
|
||||
tt LACNIC Trinidad & Tobago
|
||||
tn AFRINIC Tunisia
|
||||
tr RIPE Türkey
|
||||
tm RIPE Turkmenistan
|
||||
tc ARIN Turks & Caicos Islands
|
||||
tv APNIC Tuvalu
|
||||
ug AFRINIC Uganda
|
||||
ua RIPE Ukraine
|
||||
ae RIPE United Arab Emirates
|
||||
gb RIPE United Kingdom
|
||||
us ARIN United States
|
||||
um ARIN United States Minor Outlying Islands
|
||||
uy LACNIC Uruguay
|
||||
uz RIPE Uzbekistan
|
||||
vu APNIC Vanuatu
|
||||
va RIPE Vatikan City
|
||||
ve LACNIC Venezuela
|
||||
vn APNIC Vietnam
|
||||
vg ARIN Virgin Islands (British)
|
||||
vi ARIN Virgin Islands (U.S.)
|
||||
wf APNIC Wallis & Futuna Islands
|
||||
eh AFRINIC Western Sahara
|
||||
ye RIPE Yemen
|
||||
zm AFRINIC Zambia
|
||||
zw AFRINIC Zimbabwe
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "adaway IPs",
|
||||
"flag": "80 443"
|
||||
"flag": "tcp 80 443"
|
||||
},
|
||||
"adguard":{
|
||||
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv4.txt",
|
||||
|
@ -13,7 +13,7 @@
|
|||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "adguard IPs",
|
||||
"flag": "80 443"
|
||||
"flag": "tcp 80 443"
|
||||
},
|
||||
"adguardtrackers":{
|
||||
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv4.txt",
|
||||
|
@ -21,7 +21,7 @@
|
|||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "adguardtracker IPs",
|
||||
"flag": "80 443"
|
||||
"flag": "tcp 80 443"
|
||||
},
|
||||
"antipopads":{
|
||||
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv4.txt",
|
||||
|
@ -29,15 +29,14 @@
|
|||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "antipopads IPs",
|
||||
"flag": "80 443"
|
||||
"flag": "tcp 80 443"
|
||||
},
|
||||
"asn":{
|
||||
"url_4": "https://asn.ipinfo.app/api/text/list/",
|
||||
"url_6": "https://asn.ipinfo.app/api/text/list/",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"descr": "ASN IP segments",
|
||||
"flag": "80 443"
|
||||
"descr": "ASN IP segments"
|
||||
},
|
||||
"backscatterer":{
|
||||
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz",
|
||||
|
@ -45,6 +44,13 @@
|
|||
"descr": "backscatterer IPs",
|
||||
"flag": "gz"
|
||||
},
|
||||
"becyber":{
|
||||
"url_4": "https://raw.githubusercontent.com/duggytuxy/malicious_ip_addresses/main/botnets_zombies_scanner_spam_ips.txt",
|
||||
"url_6": "https://raw.githubusercontent.com/duggytuxy/malicious_ip_addresses/main/botnets_zombies_scanner_spam_ips_ipv6.txt",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"descr": "malicious attacker IPs"
|
||||
},
|
||||
"binarydefense":{
|
||||
"url_4": "https://iplists.firehol.org/files/bds_atif.ipset",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
|
@ -74,14 +80,9 @@
|
|||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"descr": "country blocks"
|
||||
},
|
||||
"darklist":{
|
||||
"url_4": "https://darklist.de/raw.php",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"descr": "suspicious attacker IPs"
|
||||
},
|
||||
"debl":{
|
||||
"url_4": "https://www.blocklist.de/downloads/export-ips_all.txt",
|
||||
"url_6": "https://www.blocklist.de/downloads/export-ips_all.txt",
|
||||
"url_4": "https://lists.blocklist.de/lists/all.txt",
|
||||
"url_6": "https://lists.blocklist.de/lists/all.txt",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"descr": "fail2ban IP blocklist"
|
||||
|
@ -92,7 +93,7 @@
|
|||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "public DoH-Provider",
|
||||
"flag": "80 443"
|
||||
"flag": "tcp 80 443"
|
||||
},
|
||||
"drop":{
|
||||
"url_4": "https://www.spamhaus.org/drop/drop.txt",
|
||||
|
@ -106,11 +107,6 @@
|
|||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s/%s,\\n\",$1,$3}",
|
||||
"descr": "dshield IP blocklist"
|
||||
},
|
||||
"edrop":{
|
||||
"url_4": "https://www.spamhaus.org/drop/edrop.txt",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "spamhaus edrop compilation"
|
||||
},
|
||||
"etcompromised":{
|
||||
"url_4": "https://iplists.firehol.org/files/et_compromised.ipset",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
|
@ -150,18 +146,18 @@
|
|||
"url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"descr": "advertising IPs",
|
||||
"flag": "gz 80 443"
|
||||
"flag": "gz tcp 80 443"
|
||||
},
|
||||
"iblockspy":{
|
||||
"url_4": "https://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"descr": "malicious spyware IPs",
|
||||
"flag": "gz 80 443"
|
||||
"flag": "gz tcp 80 443"
|
||||
},
|
||||
"ipblackhole":{
|
||||
"url_4": "https://ip.blackhole.monster/blackhole-today",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"descr": "blackhole IP blocklist"
|
||||
"ipsum":{
|
||||
"url_4": "https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[-[:space:]]?/{printf \"%s,\\n\",$1}",
|
||||
"descr": "malicious IPs"
|
||||
},
|
||||
"ipthreat":{
|
||||
"url_4": "https://lists.ipthreat.net/file/ipthreat-lists/threat/threat-30.txt.gz",
|
||||
|
@ -188,7 +184,7 @@
|
|||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "OISD-big IPs",
|
||||
"flag": "80 443"
|
||||
"flag": "tcp 80 443"
|
||||
},
|
||||
"oisdnsfw":{
|
||||
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv4.txt",
|
||||
|
@ -196,7 +192,7 @@
|
|||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "OISD-nsfw IPs",
|
||||
"flag": "80 443"
|
||||
"flag": "tcp 80 443"
|
||||
},
|
||||
"oisdsmall":{
|
||||
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv4.txt",
|
||||
|
@ -204,7 +200,12 @@
|
|||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "OISD-small IPs",
|
||||
"flag": "80 443"
|
||||
"flag": "tcp 80 443"
|
||||
},
|
||||
"pallebone":{
|
||||
"url_4": "https://raw.githubusercontent.com/pallebone/StrictBlockPAllebone/master/BlockIP.txt",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"descr": "curated IP blocklist"
|
||||
},
|
||||
"proxy":{
|
||||
"url_4": "https://iplists.firehol.org/files/proxylists.ipset",
|
||||
|
@ -222,7 +223,7 @@
|
|||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "stevenblack IPs",
|
||||
"flag": "80 443"
|
||||
"flag": "tcp 80 443"
|
||||
},
|
||||
"talos":{
|
||||
"url_4": "https://www.talosintelligence.com/documents/ip-blacklist",
|
||||
|
@ -295,6 +296,6 @@
|
|||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "yoyo IPs",
|
||||
"flag": "80 443"
|
||||
"flag": "tcp 80 443"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -23,10 +23,10 @@ ban_lock="/var/run/banip.lock"
|
|||
[ "${action}" = "boot" ] && "${ban_init}" running && exit 0
|
||||
{ [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ]; } && ! "${ban_init}" running && exit 0
|
||||
[ ! -r "${ban_funlib}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && exit 1
|
||||
[ -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && exit 1
|
||||
[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && mkdir -p "${ban_lock}"
|
||||
[ -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && exit 1
|
||||
[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && mkdir -p "${ban_lock}"
|
||||
{ [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && . "${ban_funlib}"
|
||||
[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && exit 1
|
||||
[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && exit 1
|
||||
|
||||
boot() {
|
||||
: >"${ban_pidfile}"
|
||||
|
@ -81,6 +81,7 @@ report() {
|
|||
|
||||
search() {
|
||||
f_search "${1}"
|
||||
rm -rf "${ban_lock}"
|
||||
}
|
||||
|
||||
survey() {
|
||||
|
|
|
@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/nls.mk
|
|||
|
||||
PKG_NAME:=curl
|
||||
PKG_VERSION:=8.7.1
|
||||
PKG_RELEASE:=r1
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
||||
PKG_SOURCE_URL:=https://github.com/curl/curl/releases/download/curl-$(subst .,_,$(PKG_VERSION))/ \
|
||||
|
@ -81,7 +81,7 @@ define Package/curl/Default
|
|||
SECTION:=net
|
||||
CATEGORY:=Network
|
||||
URL:=http://curl.se/
|
||||
MAINTAINER:=Stan Grishin <stangri@melmac.ca>
|
||||
MAINTAINER:=
|
||||
endef
|
||||
|
||||
define Package/curl
|
||||
|
|
|
@ -0,0 +1,45 @@
|
|||
From: Kailun Qin <kailun.qin@intel.com>
|
||||
Date: Mon, 8 Apr 2024 05:13:56 -0400
|
||||
Subject: [PATCH] mbedtls: call mbedtls_ssl_setup() after RNG callback is set
|
||||
|
||||
Since mbedTLS v3.6.0, the RNG check added in ssl_conf_check() will fail
|
||||
if no RNG is provided when calling mbedtls_ssl_setup().
|
||||
|
||||
Therefore, mbedtls_ssl_conf_rng() needs to be called before the SSL
|
||||
context is passed to mbedtls_ssl_setup().
|
||||
|
||||
Ref: https://github.com/Mbed-TLS/mbedtls/commit/b422cab052b51ec84758638d6783d6ba4fc60613
|
||||
|
||||
Signed-off-by: Kailun Qin <kailun.qin@intel.com>
|
||||
Closes #13314
|
||||
---
|
||||
|
||||
--- a/lib/vtls/mbedtls.c
|
||||
+++ b/lib/vtls/mbedtls.c
|
||||
@@ -602,10 +602,6 @@ mbed_connect_step1(struct Curl_cfilter *
|
||||
}
|
||||
|
||||
mbedtls_ssl_init(&backend->ssl);
|
||||
- if(mbedtls_ssl_setup(&backend->ssl, &backend->config)) {
|
||||
- failf(data, "mbedTLS: ssl_init failed");
|
||||
- return CURLE_SSL_CONNECT_ERROR;
|
||||
- }
|
||||
|
||||
/* new profile with RSA min key len = 1024 ... */
|
||||
mbedtls_ssl_conf_cert_profile(&backend->config,
|
||||
@@ -639,6 +635,15 @@ mbed_connect_step1(struct Curl_cfilter *
|
||||
|
||||
mbedtls_ssl_conf_rng(&backend->config, mbedtls_ctr_drbg_random,
|
||||
&backend->ctr_drbg);
|
||||
+
|
||||
+ ret = mbedtls_ssl_setup(&backend->ssl, &backend->config);
|
||||
+ if(ret) {
|
||||
+ mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
|
||||
+ failf(data, "ssl_setup failed - mbedTLS: (-0x%04X) %s",
|
||||
+ -ret, errorbuf);
|
||||
+ return CURLE_SSL_CONNECT_ERROR;
|
||||
+ }
|
||||
+
|
||||
mbedtls_ssl_set_bio(&backend->ssl, cf,
|
||||
mbedtls_bio_cf_write,
|
||||
mbedtls_bio_cf_read,
|
|
@ -5,12 +5,12 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=dnsproxy
|
||||
PKG_VERSION:=0.69.2
|
||||
PKG_VERSION:=0.70.0
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://codeload.github.com/AdguardTeam/dnsproxy/tar.gz/v$(PKG_VERSION)?
|
||||
PKG_HASH:=aa1cea0eea683bde017acbb30c09c96b24b30133e157e743666be900ad7560ea
|
||||
PKG_HASH:=a78ce398f2019e7a3a57e7ffcb06ecfb6d08e36e0a07c58ada4ac4871cecd677
|
||||
|
||||
PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org>
|
||||
PKG_LICENSE:=Apache-2.0
|
||||
|
|
|
@ -0,0 +1,165 @@
|
|||
## **Prelude**
|
||||
- This document only covers scripts installed on OpenWrt systems and only options available on OpenWrt.
|
||||
- geoip-shell supports a numer of different use cases, many different platforms, and 2 backend firewall utilities (nftables and iptables). For this reason I designed it to be modular rather than monolithic. In this design, the functionality is split between few main scripts. Each main script performs specific tasks and utilizes library scripts which are required for the task with the given platform and firewall utility.
|
||||
- This document provides some info on the purpose and core options of the main scripts and how they work in tandem.
|
||||
- The main scripts display "usage" when called with the "-h" option. You can find out about some additional options specific to each script by running it with that option.
|
||||
|
||||
## **Overview**
|
||||
|
||||
### Main Scripts
|
||||
- geoip-shell-manage.sh
|
||||
- geoip-shell-run.sh
|
||||
- geoip-shell-fetch.sh
|
||||
- geoip-shell-apply.sh
|
||||
- geoip-shell-backup.sh
|
||||
- geoip-shell-cronsetup.sh
|
||||
|
||||
### Helper Scripts
|
||||
**geoip-shell-geoinit.sh**
|
||||
- This script is sourced from all main scripts. It sets some essential variables, checks for compatible shell, then sources the -lib-common script, then sources the /etc/geoip-shell/geoip-shell.const file which stores some system-specific constants.
|
||||
|
||||
**geoip-shell-detect-lan.sh**
|
||||
This script is only used under specific conditions:
|
||||
- During initial setup, with whitelist mode, and only if wan interfaces were set to 'all', and LAN subnets were not specified via command line args. geoip-shell then assumes that it is being configured on a host behind a router and firewall, uses this script to detect the LAN subnets and offers the user to add them to the whitelist, and to enable automatic detection of LAN subnets in the future.
|
||||
- At the time of creating/updating firewall rules, and only if LAN subnets automatic detection is enabled. geoip-shell then re-detects LAN subnets automatically.
|
||||
|
||||
### Library Scripts
|
||||
- lib/geoip-shell-lib-common.sh
|
||||
- lib/geoip-shell-lib-setup.sh
|
||||
- lib/geoip-shell-lib-ipt.sh
|
||||
- lib/geoip-shell-lib-nft.sh
|
||||
- lib/geoip-shell-lib-status.sh
|
||||
- lib/geoip-shell-lib-arrays.sh
|
||||
- lib/geoip-shell-lib-uninstall.sh
|
||||
|
||||
The -lib-common script includes a large number of functions used throughout the suite, and assigns some essential variables.
|
||||
|
||||
The lib-setup script implements CLI interactive and noninteractive setup and arguments parsing. It is used in the -manage script.
|
||||
|
||||
The -lib-status script implements the status report which you can get by issuing the `geoip-shell status` command.
|
||||
|
||||
The -ipt and -nft scripts implement support for iptables and nftables, respectively. They are sourced from other scripts which need to interact with the firewall utility directly.
|
||||
|
||||
|
||||
The -lib-arrays script implements a minimal subset of functions emulating the functionality of associative arrays in POSIX-compliant shell. It is used in the -fetch script. It is a part of a larger project implementing much more of the arrays functionality. You can check my other repositories if you are interested.
|
||||
|
||||
The -lib-uninstall script has some functions which are used both for uninstallation and for reset if required.
|
||||
|
||||
### OpenWrt-specific scripts
|
||||
- geoip-shell-lib-owrt-common.sh
|
||||
- geoip-shell-init
|
||||
- geoip-shell-mk-fw-include.sh
|
||||
- geoip-shell-fw-include.sh
|
||||
- geoip-shell-owrt-uninstall.sh
|
||||
|
||||
For more information about integration with OpenWrt, read [OpenWrt-README.md](OpenWrt-README.md)
|
||||
|
||||
### User interface
|
||||
After installation, the user interface is provided by running "geoip-shell", which is a symlink to the -manage script.
|
||||
|
||||
## **Main scripts in detail**
|
||||
**geoip-shell-manage.sh**: serves as the main user interface to configure geoip after installation. You can also call it by simply typing `geoip-shell`. As most scripts in this suite, it requires root privileges because it needs to interact with the netfilter kernel component and access the data folder which is only readable and writable by root. Since it serves as the main user interface, it contains a lot of logic to generate a report, parse, validate and initiate actions requested by the user (by calling other scripts as required), check for possible remote machine lockout and warn the user about it, check actions result, update the config and take corrective actions in case of an error. Describing all this is beyond the scope of this document but you can read the code. Sources the lib-status script when generating a status report. Sources lib-setup for some of the arguments parsing logic and interactive dialogs implementation.
|
||||
|
||||
`geoip-shell <on|off>` : Enable or disable the geoip blocking chain (via a rule in the base geoip chain)
|
||||
|
||||
`geoip-shell <add|remove> [-c <"country_codes">]` :
|
||||
* Adds or removes the specified country codes to/from the config file.
|
||||
* Calls the -run script to fetch the ip lists for specified countries and apply them to the firewall (or to remove them).
|
||||
|
||||
`geoip-shell status`
|
||||
* Displays information on the current state of geoip blocking
|
||||
* For a list of all firewall rules in the geoip chain and for detailed count of ip ranges, run `geoip-shell status -v`.
|
||||
|
||||
`geoip-shell restore` : re-fetches and re-applies geoip firewall rules and ip lists as per the config.
|
||||
|
||||
`geoip-shell showconfig` : prints the contents of the config file.
|
||||
|
||||
`geoip-shell configure [options]` : changes geoip-shell configuration.
|
||||
|
||||
Initial configuration is possible either fully interactively (the -manage script gathers all important config via dialog with the user), partially interactively (you provide some command line arguments, the -manage script processes them and if needed, asks you additional questions), or completely non-interactively by calling the -manage script with the `-z` option which will force setup to fail if any required options are missing or invalid. Any sensible combination of the following options is allowed in one command.
|
||||
|
||||
**Options for the `geoip-shell configure` command:**
|
||||
|
||||
`-m [whitelist|blacklist]`: Change geoip blocking mode.
|
||||
|
||||
`-c <"country codes">`: Change which country codes are included in the whitelist/blacklist (this command replaces all country codes with newly specified ones).
|
||||
|
||||
`-f <ipv4|ipv6|"ipv4 ipv6">`: Families (defaults to 'ipv4 ipv6'). Use double quotes for multiple families.
|
||||
|
||||
`-u [ripe|ipdeny]`: Change ip lists source.
|
||||
|
||||
`-i <[ifaces]|auto|all>`: Change which network interfaces geoip firewall rules are applied to. `auto` will attempt to automatically detect WAN network interfaces. `auto` works correctly in **most** cases but not in **every** case. Don't use `auto` if the machine has no dedicated WAN network interfaces. The automatic detection occurs only when manually triggered by the user via this command.
|
||||
|
||||
`-l <"[lan_ips]"|auto|none>`: Specify LAN ip's or subnets to exclude from blocking (both ipv4 and ipv6). `auto` will trigger LAN subnets re-detection at every update of the ip lists. When specifying custom ip's or subnets, automatic detection is disabled. This option is only avaiable when using geoip-shell in whitelist mode.
|
||||
|
||||
`-t <"[trusted_ips]|none">`: Specify trusted ip's or subnets (anywhere on the Internet) to exclude from geoip blocking (both ipv4 and ipv6).
|
||||
|
||||
`-p <[tcp|udp]:[allow|block]:[all|<ports>]>`: Specify ports geoip blocking will apply (or not apply) to, for tcp or udp. To specify ports for both tcp and udp, use the `-p` option twice. For more details, read [NOTES.md](NOTES.md), sections 9-11.
|
||||
|
||||
`-r <[user_country_code]|none>` : Specify user's country code. Used to prevent accidental lockout of a remote machine. `none` disables this feature.
|
||||
|
||||
`-s <"schedule_expression"|disable>` : Enables automatic ip lists updates and configures the schedule for the periodic cron job which implements this feature. `disable` disables automatic ip lists updates.
|
||||
|
||||
`-o <true|false>` : No backup. If set to 'true', geoip-shell will not create a backup of ip lists and firewall rules after applying changes, and will automatically re-fetch ip lists after each reboot. Default is 'true' for OpenWrt, 'false' for all other systems.
|
||||
|
||||
`-a <path>` : Set custom path to directory where backups and the status file will be stored. Default is '/tmp/geoip-shell-data' for OpenWrt, '/var/lib/geoip-shell' for all other systems.
|
||||
|
||||
|
||||
`-O <memory|performance>`: Specify optimization policy for nftables sets. By default optimizes for low memory consumption if system RAM is less than 2GiB, otherwise optimizes for performance. This option doesn't work with iptables.
|
||||
|
||||
`-z`: Non-interactive setup.
|
||||
|
||||
|
||||
**geoip-shell-run.sh**: Serves as a proxy to call the -fetch, -apply and -backup scripts with arguments required for each action. Executes the requested actions, depending on the config and the command line options, and writes to system log when starting and on action completion (or if any errors encountered). If persistence or autoupdates are enabled, the cron jobs (or on OpenWrt, the firewall include script) call this script with the necessary options. If a non-fatal error is encountered during an automatic update function, the script enters sort of a temporary daemon mode where it will re-try the action (up to a certain number of retries) with increasing time intervals. It also implements some logic to account for unexpected issues encountered during the 'restore' action which runs after system reboot to impelement persistnece, such as a missing backup, and in this situation will automatically change its action from 'restore' to 'update' and try to re-fetch and re-apply the ip lists.
|
||||
|
||||
`geoip-shell-run.sh add -l <"list_id [list_id] ... [list_id]">` : Fetches ip lists, loads them into ip sets and applies firewall rules for specified list id's.
|
||||
A list id has the format of `<country_code>_<family>`. For example, **US_ipv4** and **GB_ipv6** are valid list id's.
|
||||
|
||||
`geoip-shell-run.sh remove -l <"list_ids">` : Removes iplists and firewall rules for specified list id's.
|
||||
|
||||
`geoip-shell-run.sh update` : Updates the ip sets for list id's that had been previously configured. Intended for triggering from periodic cron jobs.
|
||||
|
||||
`geoip-shell-run.sh restore` : Restore previously downloaded lists from backup (skip fetching). Used by the reboot cron job (or by the firewall include on OpenWrt) to implement persistence.
|
||||
|
||||
**geoip-shell-fetch.sh**
|
||||
- Fetches ip lists for given list id's from RIPE or from ipdeny.
|
||||
- Parses, validates, compiles the downloaded lists, and saves each one to a separate file.
|
||||
- Implements extensive sanity checks at each stage (fetching, parsing, validating and saving) and handles errors if they occur.
|
||||
|
||||
Options:
|
||||
|
||||
`-l <"list_ids">` : ip list id's in the format <country_code>_<family> (if specifying multiple list id's, use double quotes)
|
||||
|
||||
`-p <path>` : Path to directory where downloaded and compiled subnet lists will be stored.
|
||||
|
||||
`-o <output_file>` : Path to output file where fetched list will be stored.
|
||||
|
||||
`-s <status_file>` : Path to a status file to register fetch results in.
|
||||
|
||||
`-u <ripe|ipdeny>` : Use this ip list source for download. Supported sources: ripe, ipdeny.
|
||||
|
||||
Extra options:
|
||||
|
||||
`-r` : Raw mode (outputs newline-delimited ip lists rather than nftables-ready ones).
|
||||
|
||||
`-f` : Force using fetched lists even if list timestamp didn't change compared to existing list.
|
||||
|
||||
|
||||
**geoip-shell-apply.sh**: directly interfaces with the firewall. Creates or removes ip sets and firewall rules for specified list id's. Sources the lib-ipt or lib-nft library script.
|
||||
|
||||
`geoip-shell-apply.sh add -l <"list_ids">` :
|
||||
- Loads ip list files for specified list id's into ip sets and applies firewall rules required for geoip blocking.
|
||||
|
||||
List id has the format of `<country_code>_<family>`. For example, **US_ipv4** and **GB_ipv6** are valid list id's.
|
||||
|
||||
`geoip-shell-apply.sh remove -l <"list_ids">` :
|
||||
- removes ip sets and geoip firewall rules for specified list id's.
|
||||
|
||||
**geoip-shell-cronsetup.sh** manages all the cron-related logic and actions. Called by the -manage script. Cron jobs are created based on the settings stored in the config file. Also used to validate cron schedule specified by the user.
|
||||
|
||||
**geoip-shell-backup.sh**: Creates backup of current geoip-shell firewall rules and ip sets and current geoip-shell config, or restores them from backup. By default (if you didn't configure geoip-shell with the '-o' option), backup will be created after every change to ip sets in the firewall. Backups are automatically compressed and de-compressed with the best utility available to the system, in this order "bzip2, xz, gzip", or simply "cat" as a fallback if neither is available (which generally should never happen on Linux). Only one backup copy is kept. Sources the lib-ipt or the lib-nft library script.
|
||||
|
||||
`geoip-shell-backup.sh create-backup` : Creates backup of geoip-shell ip sets and config.
|
||||
|
||||
`geoip-shell-backup.sh restore` : Restores geoip-shell state and config from backup. Used by the *run script to implement persistence. Can be manually used for recovery from fault conditions. If run with option `-n`, does not restore the config and the status files.
|
||||
|
|
@ -0,0 +1,162 @@
|
|||
# Copyright 2024 friendly-bits, antonk (antonk.d3v@gmail.com)
|
||||
# This is free software, licensed under the GNU General Public License v3.
|
||||
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=geoip-shell
|
||||
PKG_VERSION:=0.5.2
|
||||
PKG_RELEASE:=1
|
||||
PKG_LICENSE:=GPL-3.0-or-later
|
||||
PKG_MAINTAINER:=antonk <antonk.d3v@gmail.com>
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_VERSION:=db8bbf4ce04094843beea1b1aa4fbceb0d35688d
|
||||
PKG_SOURCE_URL:=https://github.com/friendly-bits/geoip-shell-openwrt.git
|
||||
PKG_MIRROR_HASH:=4b0b90a936b8e9b476a0b85bd2100fcc4d1da25cd6929c0bcc282ae7ff137e9f
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
|
||||
define Package/geoip-shell/Default
|
||||
CATEGORY:=Network
|
||||
TITLE:=Flexible geoip blocker
|
||||
URL:=https://github.com/friendly-bits/geoip-shell
|
||||
MAINTAINER:=antonk <antonk.d3v@gmail.com>
|
||||
DEPENDS:=+ca-bundle
|
||||
PROVIDES:=geoip-shell
|
||||
PKGARCH:=all
|
||||
endef
|
||||
|
||||
define Package/geoip-shell
|
||||
$(call Package/geoip-shell/Default)
|
||||
TITLE+= with nftables support
|
||||
DEPENDS+= +kmod-nft-core +nftables +firewall4
|
||||
DEFAULT_VARIANT:=1
|
||||
VARIANT:=nftables
|
||||
endef
|
||||
|
||||
define Package/geoip-shell-iptables
|
||||
$(call Package/geoip-shell/Default)
|
||||
TITLE+= with iptables support
|
||||
DEPENDS+= +kmod-ipt-ipset +IPV6:ip6tables +iptables +ipset
|
||||
VARIANT:=iptables
|
||||
CONFLICTS:=geoip-shell firewall4
|
||||
endef
|
||||
|
||||
define Package/geoip-shell/description/Default
|
||||
Flexible geoip blocker with a user-friendly command line interface (currently no LuCi interface).
|
||||
For readme, please see
|
||||
https://github.com/openwrt/packages/blob/master/net/geoip-shell/OpenWrt-README.md
|
||||
endef
|
||||
|
||||
define Package/geoip-shell/description
|
||||
$(call Package/geoip-shell/description/Default)
|
||||
endef
|
||||
|
||||
define Package/geoip-shell-iptables/description
|
||||
$(call Package/geoip-shell/description/Default)
|
||||
endef
|
||||
|
||||
define Package/geoip-shell/postinst/Default
|
||||
#!/bin/sh
|
||||
rm "/usr/bin/geoip-shell" 2>/dev/null
|
||||
ln -s "/usr/bin/geoip-shell-manage.sh" "/usr/bin/geoip-shell"
|
||||
[ -s "/etc/geoip-shell/geoip-shell.conf" ] && /usr/bin/geoip-shell configure -z && exit 0
|
||||
logger -s -t "geoip-shell" "Please run 'geoip-shell configure' to complete the setup."
|
||||
exit 0
|
||||
endef
|
||||
|
||||
define Package/geoip-shell/postinst
|
||||
$(call Package/geoip-shell/postinst/Default)
|
||||
endef
|
||||
|
||||
define Package/geoip-shell-iptables/postinst
|
||||
$(call Package/geoip-shell/postinst/Default)
|
||||
endef
|
||||
|
||||
define Package/geoip-shell/prerm/Default
|
||||
#!/bin/sh
|
||||
sh /usr/lib/geoip-shell/geoip-shell-owrt-uninstall.sh
|
||||
exit 0
|
||||
endef
|
||||
|
||||
define Package/geoip-shell/prerm
|
||||
$(call Package/geoip-shell/prerm/Default)
|
||||
endef
|
||||
|
||||
define Package/geoip-shell-iptables/prerm
|
||||
$(call Package/geoip-shell/prerm/Default)
|
||||
endef
|
||||
|
||||
define Package/geoip-shell/postrm
|
||||
#!/bin/sh
|
||||
sleep 1
|
||||
echo "Reloading the firewall..."
|
||||
fw4 -q reload
|
||||
exit 0
|
||||
endef
|
||||
|
||||
define Package/geoip-shell-iptables/postrm
|
||||
#!/bin/sh
|
||||
sleep 1
|
||||
echo "Reloading the firewall..."
|
||||
fw3 -q reload
|
||||
exit 0
|
||||
endef
|
||||
|
||||
define Build/Configure
|
||||
endef
|
||||
|
||||
define Build/Compile
|
||||
endef
|
||||
|
||||
define Package/geoip-shell/install/Default
|
||||
|
||||
$(INSTALL_DIR) $(1)/etc/init.d
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/etc/init.d/geoip-shell-init $(1)/etc/init.d
|
||||
|
||||
$(INSTALL_DIR) $(1)/etc/geoip-shell
|
||||
$(INSTALL_CONF) $(PKG_BUILD_DIR)/etc/geoip-shell/cca2.list $(1)/etc/geoip-shell
|
||||
$(INSTALL_CONF) $(PKG_BUILD_DIR)/etc/geoip-shell/geoip-shell.const $(1)/etc/geoip-shell
|
||||
|
||||
$(INSTALL_DIR) $(1)/usr/bin
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-fetch.sh $(1)/usr/bin
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-fw-include.sh $(1)/usr/bin
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-backup.sh $(1)/usr/bin
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-geoinit.sh $(1)/usr/bin
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-run.sh $(1)/usr/bin
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-mk-fw-include.sh $(1)/usr/bin
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-manage.sh $(1)/usr/bin
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-apply.sh $(1)/usr/bin
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-detect-lan.sh $(1)/usr/bin
|
||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-cronsetup.sh $(1)/usr/bin
|
||||
|
||||
$(INSTALL_DIR) $(1)/usr/lib/geoip-shell
|
||||
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-status.sh $(1)/usr/lib/geoip-shell
|
||||
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-owrt-common.sh $(1)/usr/lib/geoip-shell
|
||||
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-common.sh $(1)/usr/lib/geoip-shell
|
||||
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-owrt-uninstall.sh $(1)/usr/lib/geoip-shell
|
||||
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-arrays.sh $(1)/usr/lib/geoip-shell
|
||||
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-setup.sh $(1)/usr/lib/geoip-shell
|
||||
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-uninstall.sh $(1)/usr/lib/geoip-shell
|
||||
|
||||
endef
|
||||
|
||||
|
||||
define Package/geoip-shell/install
|
||||
$(call Package/geoip-shell/install/Default,$(1))
|
||||
$(INSTALL_DIR) $(1)/usr/lib/geoip-shell
|
||||
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-nft.sh $(1)/usr/lib/geoip-shell
|
||||
|
||||
endef
|
||||
|
||||
|
||||
define Package/geoip-shell-iptables/install
|
||||
$(call Package/geoip-shell/install/Default,$(1))
|
||||
$(INSTALL_DIR) $(1)/usr/lib/geoip-shell
|
||||
$(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-ipt.sh $(1)/usr/lib/geoip-shell
|
||||
|
||||
endef
|
||||
|
||||
$(eval $(call BuildPackage,geoip-shell))
|
||||
$(eval $(call BuildPackage,geoip-shell-iptables))
|
||||
|
||||
|
|
@ -0,0 +1,108 @@
|
|||
## **Notes**
|
||||
1) On OpenWrt, geoip-shell expects that the default shell (called by the `sh` command) is _ash_, and the automatic shell detection feature implemented for other platforms is disabled on OpenWrt.
|
||||
|
||||
2) Firewall rules structure created by geoip-shell:
|
||||
<details> <summary>Read more:</summary>
|
||||
|
||||
### **iptables**
|
||||
- With **iptables**, all firewall rules created by geoip-shell are in the table `mangle`. The reason to use `mangle` is that this table has a built-in chain called `PREROUTING` which is attached to the `prerouting` hook in the netfilter kernel component. Via a rule in this chain, geoip-shell creates one set of rules which applies to all ingress traffic for a given ip family, rather than having to create and maintain separate rules for chains INPUT and FORWARDING which would be possible in the default `filter` table.
|
||||
- This also means that any rules you might have in the `filter` table will only see traffic which is allowed by geoip-shell rules, which may reduce the CPU load as a side-effect.
|
||||
- Note that **iptables** features separate tables for ipv4 and ipv6, hence geoip-shell creates separate rules for each family (unless the user restricts geoip-shell to a certain family during installation).
|
||||
- Inside the table `mangle`, geoip-shell creates the custom chain `GEOIP-SHELL` and redirects traffic to it via a rule in the `PREROUTING` chain. geoip-shell calls that rule the "enable" rule which can be removed or re-added on-demand with the commands `geoip-shell on` and `geoip-shell off`. If the "enable" rule is not present, system firewall will act as if all other geoip-shell rules (for a given ip family) are not present.
|
||||
- If specific network interfaces were set during installation, the "enable" rule directs traffic to a 2nd custom chain `GEOIP-SHELL_WAN` rather than to the `GEOIP-SHELL` chain. geoip-shell creates rules in the `GEOIP-SHELL_WAN` chain which selectively direct traffic only from the specified network interfaces to the `GEOIP-SHELL` chain.
|
||||
- With iptables, geoip-shell removes the "enable" rule before making any changes to the ip sets and rules, and re-adds it once the changes have been successfully made. This is a precaution measure intended to minimize any chance of potential problems. Typically ip list updates do not take more than a few seconds, and on reasonably fast systems less than a second, so the time when geoip blocking is not enabled is typically very brief.
|
||||
|
||||
### **nftables**
|
||||
- With **nftables**, all firewall rules created by geoip-shell are in the table named `geoip-shell`, family "inet", which is a term nftables uses for tables applying to both ip families. The `geoip-shell` table includes rules for both ip families and any nftables sets geoip-shell creates. geoip-shell creates 2 chains in that table: `GEOIP-BASE` and `GEOIP-SHELL`. The base chain attaches to netfilter's `prerouting` hook and has a rule which directs traffic to the `GEOIP-SHELL` chain. That rule is the geoip-shell "enable" rule for nftables-based systems which acts exactly like the "enable" rule in the iptables-based systems, except it applies to both ip families.
|
||||
- **nftables** allows for more control over which network interfaces each rule applies to, so when certain network interfaces are specified during initial setup, geoip-shell specifies these interfaces directly in the rules inside the `GEOIP-SHELL` chain, and so (contrary to iptables-based systems) there is no need in an additional chain.
|
||||
- **nftables** features atomic rules updates, meaning that when issuing multiple nftables commands at once, if any command fails, all changes get cancelled and the system remains in the same state as before. geoip-shell utilizes this feature for fault-tolerance and to completely eliminate time when geoip blocking is disabled during an update of the sets or rules.
|
||||
- **nftables** current version (up to 1.0.8 and probably 1.0.9) has some bugs related to unnecessarily high transient memory consumption when performing certain actions, including adding new sets. These bugs are known and for the most part, already have patches implemented which should eventually roll out to the distributions. This mostly matters for embedded hardware with less than 512MB of memory. geoip-shell works around these bugs as much as possible. One of the workarounds is to avoid using the atomic replacement feature for nftables sets. Instead, when updating sets, geoip-shell first adds new sets one by one, then atomically applies all other changes, including rules changes and removing the old sets. In case of an error during any stage of this process, all changes get cancelled, old rules and sets remain in place and geoip-shell then destroys the new sets. This is less efficient but with current versions of nftables, this actually lowers the minimum memory bar for the embedded devices. Once a new version of nftables will be rolled out to the distros, geoip-shell will adapt the algorithm accordingly.
|
||||
|
||||
### **nftables and iptables**
|
||||
- With both **nftables** and **iptables**, geoip-shell goes a long way to make sure that firewall rules and ip sets are correct and matching the user-defined config. Automatic corrective mechanisms are implemented which should restore geoip-shell firewall rules in case they do not match the config (which normally should never happen).
|
||||
- geoip-shell implements rules and ip sets "tagging" to distinguish between its own rules and other rules and sets. This way, geoip-shell never makes any changes to any rules or sets which geoip-shell did not create.
|
||||
- When uninstalling, geoip-shell removes all its rules, chains and ip sets.
|
||||
|
||||
</details>
|
||||
|
||||
3) geoip-shell uses RIPE as the default source for ip lists. RIPE is a regional registry, and as such, is expected to stay online and free for the foreseeable future. However, RIPE may be fairly slow in some regions. For that reason, I implemented support for fetching ip lists from ipdeny. ipdeny provides aggregated ip lists, meaning in short that there are less entries for same effective geoip blocking, so the machine which these lists are installed on has to do less work when processing incoming connection requests. All ip lists the suite fetches from ipdeny are aggregated lists.
|
||||
|
||||
4) The script intended as user interface is **geoip-shell-manage.sh** (also called by running **geoip-shell**).
|
||||
|
||||
5) How to manually check firewall rules created by geoip-shell:
|
||||
- With nftables: `nft -t list table inet geoip-shell`. This will display all geoip-shell rules and sets.
|
||||
- With iptables: `iptables -vL -t mangle` and `ip6tables -vL -t mangle`. This will report all geoip-shell rules. To check ipsets created by geoip-shell, use `ipset list -n | grep geoip-shell`. For a more detailed view, use this command: `ipset list -t`.
|
||||
|
||||
6) The run, fetch and apply scripts write to syslog in case an error occurs. The run and fetch scripts also write to syslog upon success. To verify that cron jobs ran successfully, on Debian and derivatives run `cat /var/log/syslog | grep geoip-shell`. On other distributions, you may need to figure out how to access the syslog.
|
||||
|
||||
7) These scripts will not run in the background consuming resources (except for a short time when triggered by the cron jobs). All the actual blocking is done by the netfilter component in the kernel. The scripts offer an easy and relatively fool-proof interface with netfilter, config persistence, automated ip lists fetching and auto-update.
|
||||
|
||||
8) Sometimes ip list source servers are temporarily unavailable and if you're unlucky enough to attempt installation during that time frame, the fetch script will fail which will cause the installation to fail as well. Try again after some time or use another source. Once the installation succeeds, an occasional fetch failure during autoupdate won't cause any issues as last successfully fetched ip list will be used until the next autoupdate cycle succeeds.
|
||||
|
||||
9) How to geoblock or allow specific ports (applies to the _-install_ and _-manage_ scripts).
|
||||
The general syntax is: `-p <[tcp|udp]:[allow|block]:[all|<ports>]>`
|
||||
Where `ports` may be any combination of comma-separated individual ports or port ranges (for example: `125-130` or `5,6` or `3,140-145,8`).
|
||||
You can use the `-p` option twice to cover both tcp and udp, for example: `-p tcp:allow:22,23 -p udp:block:128-256,3`
|
||||
|
||||
Examples with the -install script:
|
||||
|
||||
`sh geoip-shell-install -c de -m whitelist -p tcp:allow:125-135,7` - for tcp, allow incoming traffic on ports 125-135 and 7, geoblock incoming traffic on other tcp ports (doesn't affect UDP traffic)
|
||||
|
||||
`sh geoip-shell-install -c de -m blacklist -p udp:allow:3,15-20,1024-2048` - for udp, allow incoming traffic on ports 15-20 and 3, geoblock all other incoming udp traffic (doesn't affect TCP traffic)
|
||||
|
||||
Examples with the -manage script (also called via 'geoip-shell' after installation) :
|
||||
|
||||
`geoip-shell configure -p tcp:block:all` - for tcp, geoblock all ports (default behavior)
|
||||
|
||||
`geoip-shell configure -p udp:allow:all` - for udp, don't geoblock any ports (completely disables geoblocking for udp)
|
||||
|
||||
`geoip-shell configure -p tcp:block:125-135,7` - for tcp, only geoblock incoming traffic on ports 125-135 and 7, allow incoming traffic on all other tcp ports
|
||||
|
||||
10) How to remove specific ports assignment:
|
||||
|
||||
use `-p [tcp|udp]:block:all`.
|
||||
|
||||
Example: `geoip-shell configure -p tcp:block:all` will remove prior port-specific rules for the tcp protocol. All tcp packets on all ports will now go through geoip filter.
|
||||
|
||||
11) How to make all packets for a specific protocol bypass geoip blocking:
|
||||
|
||||
use `p [tcp|udp]:allow:all`
|
||||
|
||||
Example: `geoip-shell configure -p udp:allow:all` will allow all udp packets on all ports to bypass the geoip filter.
|
||||
|
||||
12) Firewall rules persistence, as well as automatic list updates, is implemented via cron jobs: a periodic job running by default on a daily schedule, and a job that runs at system reboot (after 30 seconds delay). Either or both cron jobs can be disabled (run the *install script with the -h option to find out how, or read [DETAILS.md](DETAILS.md)). On OpenWrt, persistence is implemented via an init script and a firewall include rather than via a cron job.
|
||||
|
||||
13) You can specify a custom schedule for the periodic cron job by passing an argument to the install script. Run it with the '-h' option for more info.
|
||||
|
||||
14) If you want to change the autoumatic update schedule but you don't know the crontab expression syntax, check out https://crontab.guru/ (no affiliation). geoip-shell includes a script which validates cron expressions you request, so don't worry about making a mistake.
|
||||
|
||||
15) Note that cron jobs will be run as root.
|
||||
|
||||
16) If you have nftables installed but for some reason you are using iptables rules (via the nft_compat kernel module which is provided by packages like nft-iptables etc), you can and probably should install geoip-shell with the option `-w ipt` which will force it to use iptables+ipset. For example: `geoip-shell install -w ipt`.
|
||||
|
||||
17) If you upgrade your system from iptables to nftables, you can either re-install geoip-shell and it will then automatically use nftables, or you can use this command without reinstalling: `geoip-shell configure -w nft`, which will remove all iptables rules and ipsets and re-create nftables rules and sets based on your existing config. If you are on OpenWrt, this does not apply: instead, you will need to install the geoip-shell package for nftables-based OpenWrt.
|
||||
|
||||
18) To test before deployment:
|
||||
<details> <summary>Read more:</summary>
|
||||
|
||||
- You can run the install script with the "-N true" (N stands for noblock) option to apply all actions and create all firewall rules except the geoip-shell "enable" rule. This way you can make sure that no errors are encountered and check the resulting firewall rules before committing to actual blocking. To enable blocking later, use the command `geoip-shell on`.
|
||||
- You can run the install script with the "-n true" (n stands for nopersistence) option to skip creating the reboot cron job which implements persistence and with the '-s disable' option to skip creating the autoupdate cron job. This way, a simple machine restart should undo all changes made to the firewall (unless you have some software which restores firewall settings after reboot). For example: `sh geoip-shell-install -c <country_code> -m whitelist -n true -s disable`. To enable persistence and automatic updates later, reinstall without both options.
|
||||
|
||||
</details>
|
||||
|
||||
19) How to get yourself locked out of your remote server and how to prevent this:
|
||||
<details> <summary>Read more:</summary>
|
||||
|
||||
There are 4 scenarios where you can lock yourself out of your remote server with this suite:
|
||||
- install in whitelist mode without including your country in the whitelist
|
||||
- install in whitelist mode and later remove your country from the whitelist
|
||||
- blacklist your country (either during installation or later)
|
||||
- your remote machine has no dedicated WAN interfaces (it is behind a router) and you incorrectly specified LAN subnets the machine belongs to
|
||||
|
||||
As to the first 3 scenarios, the -manage script will warn you in each of these situations and wait for your input (you can press Y and do it anyway), but that depends on you correctly specifying your country code during installation. The -install script will ask you about it. If you prefer, you can skip by pressing Enter - that will disable this feature. If you do provide the -install script your country code, it will be added to the config file on your machine and the -manage script will read the value and perform the necessary checks, during installation or later when you want to make changes to the blacklist/whitelist.
|
||||
|
||||
As to the 4th scenario, geoip-shell implements LAN subnets automatic detection and asks you to verify that the detected LAN subnets are correct. If you are not sure how to verify this, reading the [SETUP.md](SETUP.md) file should help. Read the documentation, follow it and you should be fine. If you specify your own LAN ip addresses or subnets (rather than using the automatically detected ones), geoip-shell validates them, meaning it makes sure that they appear to be valid by checking them with regex, and asking the kernel. This does not prevent a situation where you provide technically valid ip's/subnets which however are not actually used in the LAN your machine belongs to. So double-check. Also note that LAN subnets **may** change in the future, for example if someone changes some config in the router or replaces the router etc. For this reason, when installing the suite for **all** network interfaces, the -install script offers to enable automatic detection of LAN subnets at each periodic update. If for some reason you do not enable this feature, you will need to make the necessary precautions when changing LAN subnets your remote machine belongs to.
|
||||
|
||||
As an additional measure, during installation you can specify trusted ip addresses anywhere on the Internet which will not be geoblocked, so in case something goes very wrong, you will be able to regain access to the remote machine. This does require to have a known static public ip address or subnet. To specify ip's, call the install script with this option: `-t <"[trusted_ips]">`.
|
||||
|
||||
</details>
|
|
@ -0,0 +1,52 @@
|
|||
## geoip-shell on OpenWrt
|
||||
|
||||
Currently geoip-shell fully supports OpenWrt, both with firewall3 + iptables and with firewall4 + nftables, while providing the same user interface and features as on any other Linux system. So usage is the same as described in the main [README.md](README.md) file, while some parts of the backend (namely persistence implementation), some defaults and the location of the data directory are different.
|
||||
|
||||
The _geoip-shell-iptables_ package is for firewall3+iptables OpenWrt systems, while the _geoip-shell_ package is for firewall4+nftables OpenWrt systems.
|
||||
|
||||
A LuCi interface has not been implemented (yet). As on any other Linux system, all user interface is via a command line (but my goal is to make this an easy experience regardless). If this discourages you from using geoip-shell, please let me know. A few people asking for this feature may motivate me to prioritize it.
|
||||
|
||||
## Usage after installation via ipk
|
||||
After installing the ipk package, geoip-shell will be inactive until you configure it. To do so, run `geoip-shell configure` and follow the interactive setup. You can also run `geoip-shell -h` before that to find out about configuration options and then append certain options after the `configure` action, for example: `geoip-shell configure -c "de nl" -m whitelist` to configure geoip-shell in whitelist mode for countries Germany and Netherlands. The interactive setup will ask you about all the important options but some niche options are only available non-interactively (for example if you want to configure geoblocking for certain selection of ports). You can always change these settings after initial configuration via the same `geoip-shell configure` command.
|
||||
|
||||
## Uninstallation of geoip-shell if installed via ipk
|
||||
- For nftables-based systems: `opkg remove geoip-shell`
|
||||
- For iptables-based systems: `opkg remove geoip-shell-iptables`
|
||||
|
||||
## Resources management on OpenWrt
|
||||
Because OpenWrt typically runs on embedded devices with limited memory and very small flash storage, geoip-shell implements some techniques to conserve these resources as much as possible:
|
||||
- During installation on OpenWrt, comments and the debug code are stripped from the scripts to reduce their size.
|
||||
- Only the required modules are installed, depending on the system (iptables- or nftables- based).
|
||||
- I've researched the most memory-efficient way for loading ip lists into nftables sets. Currently, nftables has some bugs related to this process which may cause unnecessarily high memory consumption. geoip-shell works around these bugs as much as possible.
|
||||
- To avoid unnecessary flash storage wear, all filesystem-related tasks geoip-shell does which do not require permanent storage are done in the /tmp directory which in the typical OpenWrt installation is mounted on the ramdisk.
|
||||
- Some defaults on OpenWrt are different to further minimize flash storage wear (read below).
|
||||
|
||||
### Scripts size
|
||||
Typical geoip-shell installation on an OpenWrt system currently consumes around 120kB. The distribution folder itself weighs quite a bit more (mainly because of documentation) but you can install via an ipk which doesn't remain in storage after installation, or if installing via the -install script, delete the distribution folder and free up space taken by it. geoip-shell does not install its documentation into the system.
|
||||
I have some plans to reduce that size by compressing certain scripts which provide user interface and implementing automatic extraction to /tmp when the user wants to access them, but this is not yet implemented.
|
||||
|
||||
To view all installed geoip-shell scripts in your system and their sizes, run `ls -lh /usr/bin/geoip-shell-* /usr/lib/geoip-shell/*`.
|
||||
|
||||
## Persistence on OpenWrt
|
||||
- Persistence of geoip firewall rules and ip sets works differenetly on OpenWrt than on other Linuxes, since geoip-shell has an OpenWrt-specific procd init script.
|
||||
- The cron job which implements persistence on other Linuxes and runs at reboot is not created on OpenWrt.
|
||||
- geoip-shell integrates into firewall3 or firewall4 via what's called a "firewall include". On OpenWrt, a firewall include is a setting which tells firewall3 or firewall4 to do something specific in response to certain events.
|
||||
- The only task of the init script for geoip-shell is to call the geoip-shell-mk-fw-include.sh script, which makes sure that the firewall include exists and is correct, if not then creates the include.
|
||||
- The firewall include is what does the actual persistence work. geoip-shell firewall include triggers on firewall reload (which happens either at reboot or when the system decides that a reload of the firewall is necessary, or when initiated by the user).
|
||||
- When triggered, the include script calls the -run script with the "restore" action.
|
||||
- The -run script verifies that geoip nftables/iptables rules and ip sets exist, and if not then it restores them from backup, or (if backup doesn't exist) initiates re-fetch of the ip lists and then re-creates the rules and the ip sets.
|
||||
- By default, geoip-shell does not create backups on OpenWrt because typically the permanent storage is very small and prone to wear.
|
||||
- Automatic updates of ip lists on OpenWrt are triggered from a cron job like on other Linuxes.
|
||||
|
||||
## Defaults for OpenWrt
|
||||
Generally the defaults are the same as for other systems, except:
|
||||
- the data directory which geoip-shell uses to store the status file and the backups is by default in `/tmp/geoip-shell-data`, rather than in `/var/lib/geoip-shell` as on other Linux systems. This is to avoid flash wear. You can change this by running the install script with the `-a <path>` option, or after installation via the command `geoip-shell configure -a <path>`.
|
||||
- the 'nobackup' option is set to 'true', which configures geoip-shell to not create backups of the ip lists. With this option, geoip-shell will work as usual, except after reboot (and for iptables-based systems, after firewall restart) it will re-fetch the ip lists, rather than loading them from backup. You can change this by running the -install script with the `-o false` option (`-o` stands for nobackup), or after installation via the command `geoip-shell configure -o false`. To have persistent ip list backups, you will also need to change the data directory path as explained above.
|
||||
- if using geoip-shell on a router with just a few MB of embedded flash storage, consider either leaving the nobackup and datadir path defaults as is, or connecting an external storage device to your router (preferably formatted to ext4) and configuring a directory on it as your geoip-shell data directory, then enabling automatic backups. For example, if your external storage device is mounted on _/mnt/somedevice_, you can do all this via this command: `geoip-shell configure -a /mnt/somedevice/geoip-shell-data -o false`.
|
||||
- the default ip lists source for OpenWrt is ipdeny (rather than ripe). While ipdeny is a 3rd party, they provide aggregated lists which consume less memory (on nftables-based systems the ip lists are automatically optimized after loading into memory, so there the source does not matter, but a smaller initial ip lists size will cause a smaller memory consumption spike while loading the ip list).
|
||||
|
||||
This is about it for this document. Much more information is available in the main [README.md](README.md) and in the extra _.md_ files inside the Documentation directory. If you have any questions, contact me in this thread:
|
||||
https://forum.openwrt.org/t/geoip-shell-flexible-geoip-blocker-for-linux-now-supports-openwrt/189611
|
||||
|
||||
If you use this project, I will be happy to hear about your experience in the above thread. If for some reason geoip-shell is not working for you, I will want to know that as well so I can improve it.
|
||||
|
|
@ -0,0 +1,144 @@
|
|||
# **geoip-shell**
|
||||
Geoip blocker for Linux. Supports both **nftables** and **iptables** firewall management utilities.
|
||||
|
||||
The idea of this project is making geoip blocking easy on (almost) any Linux system, no matter which hardware, including desktop, server, VPS or router, while also being reliable and providing flexible configuration options for the advanced users.
|
||||
|
||||
Supports running on OpenWrt. Supports ipv4 and ipv6.
|
||||
|
||||
## Table of contents
|
||||
- [Main Features](#main-features)
|
||||
- [Usage](#usage)
|
||||
- [Pre-requisites](#pre-requisites)
|
||||
- [Notes](#notes)
|
||||
- [In detail](#in-detail)
|
||||
- [OpenWrt](#openwrt)
|
||||
- [Privacy](#privacy)
|
||||
|
||||
## **Main Features**
|
||||
* Core functionality is creating either a whitelist or a blacklist in the firewall using automatically downloaded ip lists for user-specified countries.
|
||||
|
||||
* ip lists are fetched either from **RIPE** (regional Internet registry for Europe, the Middle East and parts of Central Asia) or from **ipdeny**. Both sources provide updated ip lists for all regions.
|
||||
|
||||
* All firewall rules and ip sets required for geoip blocking to work are created automatically during installation or setup.
|
||||
|
||||
* Implements optional (enabled by default) persistence of geoip blocking across system reboots and automatic updates of the ip lists.
|
||||
|
||||
* After installation, a utility is provided to check geoip status and firewall rules or change country codes and geoip-related config.
|
||||
|
||||
### **Reliability**:
|
||||
- Downloaded ip lists go through validation which safeguards against application of corrupted or incomplete lists to the firewall.
|
||||
|
||||
<details> <summary>Read more:</summary>
|
||||
|
||||
- With nftables, utilizes nftables atomic rules replacement to make the interaction with the system firewall fault-tolerant and to completely eliminate time when geoip is disabled during an automatic update.
|
||||
- All scripts perform extensive error detection and handling.
|
||||
- All user input is validated to reduce the chance of accidental mistakes.
|
||||
- Verifies firewall rules coherence after each action.
|
||||
- Automatic backup of geoip-shell state (optional, enabled by default except on OpenWrt).
|
||||
- Automatic recovery of geoip-shell firewall rules after a reboot (a.k.a persistence) or in case of unexpected errors.
|
||||
- Supports specifying trusted ip addresses anywhere on the Internet which will bypass geoip blocking to make it easier to regain access to the machine if something goes wrong.
|
||||
</details>
|
||||
|
||||
### **Efficiency**:
|
||||
- Utilizes the native nftables sets (or, with iptables, the ipset utility) which allows to create efficient firewall rules with thousands of ip ranges.
|
||||
|
||||
<details><summary>Read more:</summary>
|
||||
|
||||
- With nftables, optimizes geoip blocking for low memory consumption or for performance, depending on the RAM capacity of the machine and on user preference. With iptables, automatic optimization is implemented.
|
||||
- Ip list parsing and validation are implemented through efficient regex processing which is very quick even on slow embedded CPU's.
|
||||
- Implements smart update of ip lists via data timestamp checks, which avoids unnecessary downloads and reconfiguration of the firewall.
|
||||
- Uses the "prerouting" hook in kernel's netfilter component which shortens the path unwanted packets travel in the system and may reduce the CPU load if any additional firewall rules process incoming traffic down the line.
|
||||
- Supports the 'ipdeny' source which provides aggregated ip lists (useful for embedded devices with limited memory).
|
||||
- Scripts are only active for a short time when invoked either directly by the user or by the init script/reboot cron job/update cron job.
|
||||
|
||||
</details>
|
||||
|
||||
### **User-friendliness**:
|
||||
- Good command line interface and useful console messages.
|
||||
|
||||
<details><summary>Read more:</summary>
|
||||
|
||||
- Extensive and (usually) up-to-date documentation.
|
||||
- Sane settings are applied during installation by default, but also lots of command-line options for advanced users or for special corner cases are provided.
|
||||
- Provides a utility (symlinked to _'geoip-shell'_) for the user to change geoip config (turn geoip on or off, change country codes, change geoip blocking mode, change ip lists source, change the cron schedule etc).
|
||||
- Provides a command _('geoip-shell status')_ to check geoip blocking status, which also reports if there are any issues.
|
||||
- In case of an error or invalid user input, provides useful error messages to help with troubleshooting.
|
||||
- All main scripts display detailed 'usage' info when executed with the '-h' option.
|
||||
- The code should be fairly easy to read and includes a healthy amount of comments.
|
||||
</details>
|
||||
|
||||
### **Compatibility**:
|
||||
- Since the project is written in POSIX-compliant shell code, it is compatible with virtually every Linux system (as long as it has the [pre-requisites](#pre-requisites)). It even works well on simple embedded routers with 8MB of flash storage and 128MB of memory (for nftables, 256MB is recommended if using large ip lists such as the one for US until the nftables team releases a fix reducing memory consumption).
|
||||
|
||||
<details><summary>Read more:</summary>
|
||||
|
||||
- Supports running on OpenWrt.
|
||||
- The project avoids using non-common utilities by implementing their functionality in custom shell code, which makes it faster and compatible with a wider range of systems.
|
||||
</details>
|
||||
|
||||
## **Usage**
|
||||
|
||||
If you want to change geoip blocking config or check geoip blocking status, you can do that via the provided utilities.
|
||||
A selection of options is given here, for additional options run `geoip-shell -h` or read [NOTES.md](NOTES.md)and [DETAILS.md](DETAILS.md).
|
||||
|
||||
**To check current geoip blocking status:** `geoip-shell status`. For a list of all firewall rules in the geoip chain and for a detailed count of ip ranges in each ip list: `geoip-shell status -v`.
|
||||
|
||||
**To add or remove ip lists for countries:** `geoip-shell <add|remove> -c <"country_codes">`
|
||||
|
||||
_<details><summary>Examples:</summary>_
|
||||
- example (to add ip lists for Germany and Netherlands): `geoip-shell add -c "DE NL"`
|
||||
- example (to remove the ip list for Germany): `geoip-shell remove -c DE`
|
||||
</details>
|
||||
|
||||
**To enable or disable geoip blocking:** `geoip-shell <on|off>`
|
||||
|
||||
**To change ip lists source:** `geoip-shell configure -u <ripe|ipdeny>`
|
||||
|
||||
**To change geoip blocking mode:** `geoip-shell configure -m <whitelist|blacklist>`
|
||||
|
||||
**To have certain trusted ip addresses or subnets bypass geoip blocking:** `geoip-shell configure -t <["ip_addresses"]|none>`. `none` removes previously set trusted ip addresses.
|
||||
|
||||
**To have certain LAN ip addresses or subnets bypass geoip blocking:** `geoip-shell configure -l <["ip_addresses"]|auto|none>`. `auto` will automatically detect LAN subnets (only use this if the machine has no dedicated WAN interfaces). `none` removes previously set LAN ip addresses. This is only needed when using geoip-shell in whitelist mode, and typically only if the machine has no dedicated WAN network interfaces. Otherwise you should apply geoip blocking only to those WAN interfaces, so traffic from your LAN to the machine will bypass the geoip filter.
|
||||
|
||||
**To change protocols and ports geoblocking applies to:** `geoip-shell configure -p <[tcp|udp]:[allow|block]:[all|<ports>]>`
|
||||
|
||||
_(for detailed description of this feature, read [NOTES.md](NOTES.md), sections 9-11)_
|
||||
|
||||
**To enable or change the automatic update schedule:** `geoip-shell configure -s <"schedule_expression">`
|
||||
|
||||
_<details><summary>Example</summary>_
|
||||
|
||||
`geoip-shell configure -s "1 4 * * *"`
|
||||
|
||||
</details>
|
||||
|
||||
**To disable automatic updates of ip lists:** `geoip-shell configure -s disable`
|
||||
|
||||
**To update or re-install geoip-shell:** run the -install script from the (updated) distribution directory. It will first run the -uninstall script of the older/existing version, then install the new version.
|
||||
|
||||
On OpenWrt, if installed via an ipk package: `opkg uninstall <geoip-shell|geoip-shell-iptables>`
|
||||
|
||||
## **Pre-requisites**
|
||||
- **Linux**. Tested on Debian-like systems and on OPENWRT, should work on any desktop/server distribution and possibly on some other embedded distributions.
|
||||
- **POSIX-compliant shell**. Works on most relatively modern shells, including **bash**, **dash**, **ksh93**, **yash** and **ash** (including Busybox **ash**). Likely works on **mksh** and **lksh**. Other flavors of **ksh** may or may not work _(please let me know if you try them)_. Does **not** work on **tcsh** and **zsh**.
|
||||
|
||||
- **nftables** - firewall management utility. Supports nftables 1.0.2 and higher (may work with earlier versions but I do not test with them).
|
||||
- OR **iptables** - firewall management utility. Should work with any relatively modern version.
|
||||
- for **iptables**, requires the **ipset** utility - install it using your distribution's package manager
|
||||
- standard Unix utilities including **tr**, **cut**, **sort**, **wc**, **awk**, **sed**, **grep**, **pgrep**, **pidof** and **logger** which are included with every server/desktop linux distribution (and with OpenWrt). Both GNU and non-GNU versions are supported, including BusyBox implementation.
|
||||
- **wget** or **curl** or **uclient-fetch** (OpenWRT-specific utility).
|
||||
- for the autoupdate functionality, requires the **cron** service to be enabled.
|
||||
|
||||
## **Notes**
|
||||
For some helpful notes about using this suite, read [NOTES.md](NOTES.md).
|
||||
|
||||
## **In detail**
|
||||
For specifics about each script, read [DETAILS.md](DETAILS.md).
|
||||
|
||||
## **OpenWrt**
|
||||
For information about OpenWrt support, read the [OpenWrt README](OpenWrt-README.md).
|
||||
|
||||
## **Privacy**
|
||||
geoip-shell does not share your data with anyone.
|
||||
If you are using the ipdeny source then note that they are a 3rd party which has its own data privacy policy.
|
||||
|
|
@ -0,0 +1,60 @@
|
|||
## Notes about questions asked during the initial setup
|
||||
|
||||
|
||||
### **'Please enter your country code':**
|
||||
|
||||
If you answer this question, the _-manage_ script will check that changes in ip lists which you request to make will not block your own country and warn you if they will. This applies both to the initial setup, and to any subsequent changes to the ip lists which you may want to make in the future. The idea behind this is to make this tool as fool-proof as possible. This information is written to the geoip-shell config file (only readable by root) on your device and geoip-shell does not send it anywhere. You can remove this config entry any time via the command `geoip-shell configure -r none`. You can skip the question by pressing Enter if you wish.
|
||||
|
||||
### **'Does this machine have dedicated WAN interface(s)? [y|n]':**
|
||||
|
||||
Answering this question is mandatory because the firewall is configured differently, depending on the answer. Answering it incorrectly may cause unexpected results, including having no geoip blocking or losing remote access to your machine.
|
||||
|
||||
A machine may have dedicated WAN network interfaces if it's a router or in certain cases a VPS (virtual private server). When geoip-shell is configured to work with certain network interfaces, geoip firewall rules are applied only to traffic arriving from these interfaces, and all other traffic is left alone.
|
||||
|
||||
Otherwise, geoip rules are applied to traffic arriving from all network interfaces, except the loopback interface. Besides that, when geoip-shell is installed in whitelist mode and you picked `n` in this question, additional firewall rules may be created which add LAN subnets or ip's to the whitelist in order to avoid blocking them (you can approve or configure that on the next step of the installation). This does not guarantee that your LAN subnets will not be blocked by another rule in another table, and in fact, if you prefer to block some of them then having them in whitelist will not matter. This is because while the 'drop' verdict is final, the 'accept' verdict is not.
|
||||
|
||||
### **'Autodetected ipvX LAN subnets: ... [c]onfirm, c[h]ange, [s]kip or [a]bort?'**
|
||||
|
||||
You will see this question if installing the suite in whitelist mode and you chose `n` in the previous question. The reason why under these conditions this question is asked is to avoid blocking your LAN from accessing your machine.
|
||||
|
||||
If you are absolutely sure that you will not need to access the machine from the LAN then you can type in 's' to skip.
|
||||
Otherwise I recommend to add LAN subnets to the whitelist. You can either confirm the automatically detected subnets, or specify any combination of ip's and subnets on your LAN which you wish to allow connections from.
|
||||
|
||||
The autodetection code should, in most cases, detect correct LAN subnets. However, it is up to you to verify that it's done its job correctly.
|
||||
|
||||
One way to do that is by typing in 'c' to confirm and once installation completes, verifying that you can still access the machine from LAN (note that if you have an active connection to that machine, for example through SSH, it will likely continue to work until disconnection even if autodetection of LAN subnets did not work out correctly).
|
||||
Of course, this is risky in cases where you do not have physical access to the machine.
|
||||
|
||||
Another way to do that is by checking which ip address you need to access the machine from, and then verifying that said ip address is included in one of the autodetected subnets. For example, if your other machine's ip is `192.168.1.5` and one of the autodetected subnets is `192.168.1.0/24` then you will want to check that `192.168.1.5` is included in subnet `192.168.1.0/24`. Provided you don't know how to make this calculation manually, you can use the `grepcidr` tool this way:
|
||||
`echo "192.168.1.5" | grepcidr "192.168.1.0/24"`
|
||||
|
||||
The syntax to check in multiple subnets (note the double quotes):
|
||||
`echo "[ip]" | grepcidr "[subnet1] [subnet2] ... [subnetN]"`
|
||||
|
||||
(also works for ipv6 addresses)
|
||||
|
||||
If the ip address is in range, grepcidr will print it, otherwise it will not. You may need to install grepcidr using your distribution's package manager.
|
||||
|
||||
Alternatively, you can use an online service which will do the same check for you. There are multiple services providing this functionality. To find them, look up 'IP Address In CIDR Range Check' in your preferred online search engine.
|
||||
|
||||
A third way to do that is by examining your network configuration (in your router) and making sure that the autodetected subnets match those in the configuration.
|
||||
|
||||
If you find out that the subnets were detected incorrectly, you can type in 'h' and manually enter the correct subnets or ip addresses which you want to allow connections from.
|
||||
|
||||
### **'A[u]to-detect LAN subnets when updating ip lists or keep this config c[o]nstant?'**
|
||||
|
||||
As the above question, you will see this one if installing the suite in whitelist mode and you answered `n` to the question about WAN interfaces. You will not see this question if you specified custom subnets or ips in the previous question.
|
||||
|
||||
The rationale for this question is that network configuration may change, and if it does then previously correctly configured LAN subnets may become irrelevant.
|
||||
|
||||
If you type in 'a', each time geoip firewall rules are initialized or updated, LAN subnets will be re-detected.
|
||||
|
||||
If you type in 'c' then whatever subnets have been detected during installation will be kept forever (until you re-install geoip-shell).
|
||||
|
||||
Generally if automatic detection worked as expected during initial setup, most likely it will work correctly every time, so it is a good idea to allow auto-detection with each update. If not then, well, not.
|
||||
|
||||
### **Extra options**
|
||||
|
||||
- geoip-shell supports an additional setting: trusted ip's or subnets. Currently this is only configurable by running the -install script with the option `-t <"[trusted_ips]">` (or after installation via the `geoip-shell configure -t <"[trusted_ips]">` command). You can specify trusted ip addresses or subnets anywhere on the LAN or on the Internet. To remove this setting later, run `geoip-shell configure -t none`.
|
||||
|
||||
- geoip-shell supports lots of additional command-line options. You can find out more by running `geoip-shell -h`, or by reading [NOTES.md](NOTES.md) and [DETAILS.md](DETAILS.md).
|
|
@ -1,28 +1,35 @@
|
|||
# [Jool](https://www.jool.mx)
|
||||
# [Jool](https://nicmx.github.io/Jool/en/index.html)
|
||||
|
||||
## Documentation
|
||||
|
||||
[See here](https://www.jool.mx/en/documentation.html).
|
||||
[See here](https://nicmx.github.io/Jool/en/documentation.html).
|
||||
|
||||
You might also want to see [contact info](https://www.jool.mx/en/contact.html).
|
||||
You might also want to see [contact info](https://nicmx.github.io/Jool/en/contact.html).
|
||||
|
||||
## Usage
|
||||
|
||||
### Start script
|
||||
|
||||
This package includes a start script that will:
|
||||
1. Read the configuration file `/etc/config/jool`
|
||||
2. Determine what services are active
|
||||
3. Run jool with procd
|
||||
|
||||
For now this means that:
|
||||
* The services will be disabled by default in the uci config `(/etc/config/jool)`
|
||||
* The only uci configuration support available for the package is to enable or disable each instance or the entire deamon
|
||||
* There is no uci support and configuration will be saved at `/etc/jool/*
|
||||
* Only one instance of jool(nat64) can run with the boot script
|
||||
* Only one instance of jool(siit) can run with the boot script
|
||||
* For now there is no way of overriding of the configuration file's paths
|
||||
1. Read the configuration file `/etc/config/jool`
|
||||
2. Determine what services are active
|
||||
3. Run `jool` with procd
|
||||
|
||||
The configuration files the startup script useses for each jool instance are:
|
||||
* jool(nat64): `/etc/jool/jool-nat64.conf.json`
|
||||
* jool(siit): `/etc/jool/jool-siit.conf.json`
|
||||
### For now this means that
|
||||
|
||||
- The services will be disabled by default in the uci config `(/etc/config/jool)`
|
||||
- The only uci configuration support available for the package is to enable or disable each instance or the entire deamon
|
||||
- There is no uci support and configuration will be saved at `/etc/jool/`
|
||||
- Only one instance of jool(nat64) can run with the boot script
|
||||
- Only one instance of jool(siit) can run with the boot script
|
||||
- For now there is no way of overriding of the configuration file's paths
|
||||
|
||||
The configuration files the startup script uses for each jool instance are:
|
||||
|
||||
- jool(nat64): `/etc/jool/jool-nat64.conf.json`
|
||||
- jool(siit): `/etc/jool/jool-siit.conf.json`
|
||||
|
||||
### OpenWrt tutorial
|
||||
|
||||
For a more detailed tutorial refer to this [wiki page](https://openwrt.org/docs/guide-user/network/ipv6/nat64).
|
||||
|
|
|
@ -8,11 +8,12 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=modemmanager
|
||||
PKG_SOURCE_VERSION:=1.22.0
|
||||
PKG_RELEASE:=12
|
||||
PKG_VERSION:=1.22.0
|
||||
PKG_RELEASE:=13
|
||||
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/ModemManager.git
|
||||
PKG_SOURCE_VERSION:=$(PKG_VERSION)
|
||||
PKG_MIRROR_HASH:=cd67d0833481146cc630299ffd2e7afdedb2c90f9d8ce3cc348af1fffacc87de
|
||||
|
||||
PKG_MAINTAINER:=Nicholas Smith <nicholas@nbembedded.com>
|
||||
|
|
|
@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=natmap
|
||||
PKG_VERSION:=20240303
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://github.com/heiher/natmap/releases/download/$(PKG_VERSION)
|
||||
|
|
|
@ -10,4 +10,6 @@ config natmap
|
|||
option forward_target ''
|
||||
option forward_port ''
|
||||
option notify_script ''
|
||||
option log_stdout '1'
|
||||
option log_stderr '1'
|
||||
|
||||
|
|
|
@ -27,7 +27,9 @@ validate_section_natmap() {
|
|||
'port:port' \
|
||||
'forward_target:host' \
|
||||
'forward_port:port' \
|
||||
'notify_script:file'
|
||||
'notify_script:file' \
|
||||
'log_stdout:bool:1' \
|
||||
'log_stderr:bool:1'
|
||||
}
|
||||
|
||||
natmap_instance() {
|
||||
|
@ -63,8 +65,8 @@ natmap_instance() {
|
|||
procd_append_param command -e /usr/lib/natmap/update.sh
|
||||
|
||||
procd_set_param respawn
|
||||
procd_set_param stdout 1
|
||||
procd_set_param stderr 1
|
||||
procd_set_param stdout "${log_stdout}"
|
||||
procd_set_param stderr "${log_stderr}"
|
||||
|
||||
procd_close_instance
|
||||
}
|
||||
|
|
|
@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=nebula
|
||||
PKG_VERSION:=1.8.2
|
||||
PKG_RELEASE:=r2
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://codeload.github.com/slackhq/nebula/tar.gz/v$(PKG_VERSION)?
|
||||
|
|
|
@ -8,12 +8,12 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=nginx
|
||||
PKG_VERSION:=1.25.4
|
||||
PKG_RELEASE:=2
|
||||
PKG_VERSION:=1.25.5
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://nginx.org/download/
|
||||
PKG_HASH:=760729901acbaa517996e681ee6ea259032985e37c2768beef80df3a877deed9
|
||||
PKG_HASH:=2fe2294f8af4144e7e842eaea884182a84ee7970e11046ba98194400902bbec0
|
||||
|
||||
PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de> \
|
||||
Christian Marangi <ansuelsmth@gmail.com>
|
||||
|
@ -195,6 +195,15 @@ define Package/nginx-mod-luci/description
|
|||
Support file for LuCI in nginx. Include custom nginx configuration, autostart script for uwsgi.
|
||||
endef
|
||||
|
||||
define Package/nginx-mod-luci/preinst
|
||||
#!/bin/sh
|
||||
grep -r -l ngx_http_ubus_module.so /etc/nginx/module.d | grep -v ngx_http_ubus.module | while read file; do
|
||||
echo "Removing old LuCI module load file for 'ngx_http_ubus.so' in $$file."
|
||||
rm -f $$file
|
||||
done
|
||||
exit 0
|
||||
endef
|
||||
|
||||
define Package/nginx-mod-luci/install
|
||||
$(INSTALL_DIR) $(1)/etc/nginx/conf.d
|
||||
$(INSTALL_CONF) ./files-luci-support/luci.locations $(1)/etc/nginx/conf.d/
|
||||
|
@ -203,9 +212,10 @@ define Package/nginx-mod-luci/install
|
|||
endef
|
||||
|
||||
define Download/nginx-mod-geoip2
|
||||
SOURCE_DATE:=2020-01-22
|
||||
VERSION:=1cabd8a1f68ea3998f94e9f3504431970f848fbf
|
||||
URL:=https://github.com/leev/ngx_http_geoip2_module.git
|
||||
MIRROR_HASH:=b4bd8517f6595f28e9cea5370045df476e0f7fa9ca3611d71ba85c518f1a7eda
|
||||
MIRROR_HASH:=f3d2a1af5c34812b5a34453457ba6a4d8093c92085aa7f76c46a1c4185c9735c
|
||||
PROTO:=git
|
||||
endef
|
||||
|
||||
|
@ -237,73 +247,83 @@ define Package/nginx-mod-lua-resty-core/install
|
|||
endef
|
||||
|
||||
define Download/nginx-mod-headers-more
|
||||
SOURCE_DATE:=2022-07-17
|
||||
VERSION:=bea1be3bbf6af28f6aa8cf0c01c07ee1637e2bd0
|
||||
URL:=https://github.com/openresty/headers-more-nginx-module.git
|
||||
MIRROR_HASH:=3617bbf7a935208a1d8d5f86a8f9b770f6987e4d2b5663a9ab1b777217e3066b
|
||||
MIRROR_HASH:=569abadc137b5b52bdcc33b00aa21f6d266cb84fb891795da2c4e101c4898abe
|
||||
PROTO:=git
|
||||
endef
|
||||
|
||||
|
||||
define Download/nginx-mod-brotli
|
||||
SOURCE_DATE:=2020-04-23
|
||||
VERSION:=25f86f0bac1101b6512135eac5f93c49c63609e3
|
||||
URL:=https://github.com/google/ngx_brotli.git
|
||||
MIRROR_HASH:=c85cdcfd76703c95aa4204ee4c2e619aa5b075cac18f428202f65552104add3b
|
||||
MIRROR_HASH:=680c56be79e7327cb8df271646119333d2f6965a3472bc7043721625fa4488f5
|
||||
PROTO:=git
|
||||
endef
|
||||
|
||||
define Download/nginx-mod-rtmp
|
||||
SOURCE_DATE:=2018-12-07
|
||||
VERSION:=f0ea62342a4eca504b311cd5df910d026c3ea4cf
|
||||
URL:=https://github.com/ut0mt8/nginx-rtmp-module.git
|
||||
MIRROR_HASH:=d3f58066f0f858ed79f7f2b0c9b89de2ccc512c94ab3d0625f6dcff3df0b72c1
|
||||
MIRROR_HASH:=9c98d886ae4ea3708bb0bca55f8df803418a407e0ffc6df56341bd76ad39cba8
|
||||
PROTO:=git
|
||||
endef
|
||||
|
||||
define Download/nginx-mod-ts
|
||||
SOURCE_DATE:=2017-12-04
|
||||
VERSION:=ef2f874d95cc75747eb625a292524a702aefb0fd
|
||||
URL:=https://github.com/arut/nginx-ts-module.git
|
||||
MIRROR_HASH:=73938950bb286d40d9e54b0994d1a63827340c1156c72eb04d7041b25b20ec18
|
||||
MIRROR_HASH:=3f144d4615a4aaa1215435cd06ae4054ea12206d5b38306321420f7acc62aca8
|
||||
PROTO:=git
|
||||
endef
|
||||
|
||||
define Download/nginx-mod-naxsi
|
||||
SOURCE_DATE:=2022-09-14
|
||||
VERSION:=d714f1636ea49a9a9f4f06dba14aee003e970834
|
||||
URL:=https://github.com/nbs-system/naxsi.git
|
||||
MIRROR_HASH:=bd006686721a68d43f052f0a4f00e9ff99fb2abfbc4dcf8194a3562fe4e5c08b
|
||||
MIRROR_HASH:=b0cef5fbf842f283eb5f0686ddd1afcd07d83abd7027c8cfb3e84a2223a34797
|
||||
PROTO:=git
|
||||
endef
|
||||
|
||||
define Download/nginx-mod-lua
|
||||
SOURCE_DATE:=2023-08-19
|
||||
VERSION:=c89469e920713d17d703a5f3736c9335edac22bf
|
||||
URL:=https://github.com/openresty/lua-nginx-module.git
|
||||
MIRROR_HASH:=dd66465f65c094a1ddfff2035bff4da870b7c6b7e033d307a9806a6df290a1a5
|
||||
MIRROR_HASH:=c3bdf1b23f0a63991b5dcbd1f8ee150e6f893b43278e8600e4e0bb42a6572db4
|
||||
PROTO:=git
|
||||
endef
|
||||
|
||||
define Download/nginx-mod-lua-resty-core
|
||||
SOURCE_DATE:=2023-09-09
|
||||
VERSION:=2e2b2adaa61719972fe4275fa4c3585daa0dcd84
|
||||
URL:=https://github.com/openresty/lua-resty-core.git
|
||||
MIRROR_HASH:=4bfc267fd027161f88fcbeacce38e6bd13ba894a581c2d6dfe78ee270b1a473c
|
||||
MIRROR_HASH:=c5f3df92fd72eac5b54497c039aca0f0d9ea1d87223f1e3a54365ba565991874
|
||||
PROTO:=git
|
||||
endef
|
||||
|
||||
define Download/nginx-mod-lua-resty-lrucache
|
||||
SOURCE_DATE:=2023-08-06
|
||||
VERSION:=52f5d00403c8b7aa8a4d4f3779681976b10a18c1
|
||||
URL:=https://github.com/openresty/lua-resty-lrucache.git
|
||||
MIRROR_HASH:=618a972574b6b1db1eebf4046d9a471ac03ec092bb825136ba975928d4af2351
|
||||
MIRROR_HASH:=0833e0114948af4edb216c5c34b3f1919f534b298f4fa29739544f7c9bb8a08d
|
||||
PROTO:=git
|
||||
endef
|
||||
|
||||
define Download/nginx-mod-dav-ext
|
||||
SOURCE_DATE:=2018-12-17
|
||||
VERSION:=f5e30888a256136d9c550bf1ada77d6ea78a48af
|
||||
URL:=https://github.com/arut/nginx-dav-ext-module.git
|
||||
MIRROR_HASH:=70bb4c3907f4b783605500ba494e907aede11f8505702e370012abb3c177dc5b
|
||||
MIRROR_HASH:=c574e60ffab5f6e5d8bea18aab0799c19cd9a84f3d819b787e9af4f0e7867b52
|
||||
PROTO:=git
|
||||
endef
|
||||
|
||||
define Download/nginx-mod-ubus
|
||||
SOURCE_DATE:=2020-09-06
|
||||
VERSION:=b2d7260dcb428b2fb65540edb28d7538602b4a26
|
||||
URL:=https://github.com/Ansuel/nginx-ubus-module.git
|
||||
MIRROR_HASH:=472cef416d25effcac66c85417ab6596e634a7a64d45b709bb090892d567553c
|
||||
MIRROR_HASH:=515bb9d355ad80916f594046a45c190a68fb6554d6795a54ca15cab8bdd12fda
|
||||
PROTO:=git
|
||||
endef
|
||||
|
||||
|
@ -311,7 +331,7 @@ define Module/Download
|
|||
define Download/nginx-mod-$(1) +=
|
||||
|
||||
SUBDIR:=nginx-mod-$(1)
|
||||
FILE:=nginx-mod-$(1)-$$$$(VERSION).tar.xz
|
||||
FILE:=nginx-mod-$(1)-$$$$(subst -,.,$$$$(SOURCE_DATE))~$$$$(call version_abbrev,$$$$(VERSION)).tar.zst
|
||||
endef
|
||||
endef
|
||||
$(foreach m,$(PKG_MOD_EXTRA),$(eval $(call Module/Download,$(m))))
|
||||
|
@ -341,7 +361,7 @@ define Module/Build/Prepare
|
|||
$(eval $(call Download,nginx-mod-$(1)))
|
||||
$(eval $(Download/nginx-mod-$(1)))
|
||||
mkdir -p $(PKG_BUILD_DIR)/nginx-mod-$(1)
|
||||
xzcat $(DL_DIR)/$(FILE) | tar -C $(PKG_BUILD_DIR)/nginx-mod-$(1) $(TAR_OPTIONS) --strip-components 1
|
||||
zstdcat $(DL_DIR)/$(FILE) | tar -C $(PKG_BUILD_DIR)/nginx-mod-$(1) $(TAR_OPTIONS) --strip-components 1
|
||||
endef
|
||||
|
||||
define Build/Prepare
|
||||
|
@ -375,8 +395,10 @@ define BuildModule
|
|||
|
||||
define Package/nginx-mod-$(1)/install
|
||||
$(INSTALL_DIR) $$(1)/usr/lib/nginx/modules
|
||||
$(INSTALL_DIR) $$(1)/etc/nginx/module.d
|
||||
$(foreach m,$(3),
|
||||
$(CP) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/$(m)_module.so $$(1)/usr/lib/nginx/modules
|
||||
$(CP) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/$(m)_module.so $$(1)/usr/lib/nginx/modules && \
|
||||
echo "load_module /usr/lib/nginx/modules/$(m)_module.so;" > $$(1)/etc/nginx/module.d/$(m).module
|
||||
)
|
||||
$(call Module/nginx-mod-$(1)/install,$$(1))
|
||||
endef
|
||||
|
@ -477,7 +499,7 @@ $(eval $(call BuildModule,brotli,,ngx_http_brotli_filter ngx_http_brotli_static,
|
|||
Add support for brotli compression module.))
|
||||
$(eval $(call BuildModule,naxsi,,ngx_http_naxsi, \
|
||||
Enable NAXSI module.))
|
||||
$(eval $(call BuildModule,geoip2,+@NGINX_STREAM_CORE_MODULE +libmaxminddb,ngx_http_geoip2 ngx_stream_geoip2, \
|
||||
$(eval $(call BuildModule,geoip2,+@NGINX_STREAM_CORE_MODULE +nginx-mod-stream +libmaxminddb,ngx_http_geoip2 ngx_stream_geoip2, \
|
||||
Enable MaxMind GeoIP2 module.))
|
||||
|
||||
# TODO: remove after a transition period (together with pkg nginx-util):
|
||||
|
|
|
@ -12,8 +12,8 @@ location /ubus {
|
|||
EOT
|
||||
fi
|
||||
|
||||
if [ ! -f "/etc/nginx/module.d/luci.module" ]; then
|
||||
cat <<EOT >> /etc/nginx/module.d/luci.module
|
||||
if [ ! -f "/etc/nginx/module.d/ngx_http_ubus.module" ]; then
|
||||
cat <<EOT > /etc/nginx/module.d/ngx_http_ubus.module
|
||||
load_module /usr/lib/nginx/modules/ngx_http_ubus_module.so;
|
||||
EOT
|
||||
fi
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
--- a/auto/options
|
||||
+++ b/auto/options
|
||||
@@ -411,8 +411,7 @@ $0: warning: the \"--with-sha1-asm\" opt
|
||||
@@ -413,8 +413,7 @@ $0: warning: the \"--with-sha1-asm\" opt
|
||||
--test-build-solaris-sendfilev) NGX_TEST_BUILD_SOLARIS_SENDFILEV=YES ;;
|
||||
|
||||
*)
|
||||
|
|
|
@ -8,12 +8,12 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=ntp
|
||||
PKG_VERSION:=4.2.8p15
|
||||
PKG_RELEASE:=4
|
||||
PKG_VERSION:=4.2.8p17
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/
|
||||
PKG_HASH:=f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19
|
||||
PKG_HASH:=103dd272e6a66c5b8df07dce5e9a02555fcd6f1397bdfb782237328e89d3a866
|
||||
|
||||
PKG_LICENSE:=NTP
|
||||
PKG_LICENSE_FILES:=COPYRIGHT html/copyright.html
|
||||
|
|
|
@ -36,7 +36,7 @@ The parameter(s) `server` enumerate a list of servers to be used for
|
|||
reference NTP servers by the local daemon. At least one is required,
|
||||
and two or more are recommended (unless you have an extremely available
|
||||
local server). They should be picked to be geographically divergent,
|
||||
and preferrably reachable via different network carriers to protect
|
||||
and preferably reachable via different network carriers to protect
|
||||
against network partitions, etc. They should also be high-quality
|
||||
time providers (i.e. having stable, accurate clock sources).
|
||||
|
||||
|
@ -71,10 +71,10 @@ As a result, the NTP servers that your ISP may point you at are
|
|||
often of unknown/unverified quality, and you use them at your own
|
||||
risk.
|
||||
|
||||
Early millenial versions of Windows (2000, XP, etc) used NTP only
|
||||
Early millennial versions of Windows (2000, XP, etc) used NTP only
|
||||
to _initially set_ the clock to approximately 100ms accuracy (and
|
||||
not maintain sychronization), so the bar wasn't set very high.
|
||||
Since then, requirements for higher-qualty timekeeping have
|
||||
not maintain synchronization), so the bar wasn't set very high.
|
||||
Since then, requirements for higher-quality timekeeping have
|
||||
arisen (e.g. multi-master SQL database replication), but most ISPs
|
||||
have not kept up with the needs of their users.
|
||||
|
||||
|
|
|
@ -1,27 +0,0 @@
|
|||
From 082a504cfcc046c3d8adaae1164268bc94e5108a Mon Sep 17 00:00:00 2001
|
||||
From: Khem Raj <raj.khem@gmail.com>
|
||||
Date: Sat, 31 Jul 2021 10:51:41 -0700
|
||||
Subject: [PATCH] libntp: Do not use PTHREAD_STACK_MIN on glibc
|
||||
|
||||
In glibc 2.34+ PTHREAD_STACK_MIN is not a compile-time constant which
|
||||
could mean different stack sizes at runtime on different architectures
|
||||
and it also causes compile failure. Default glibc thread stack size
|
||||
or 64Kb set by ntp should be good in glibc these days.
|
||||
|
||||
Upstream-Status: Pending
|
||||
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
||||
---
|
||||
libntp/work_thread.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/libntp/work_thread.c
|
||||
+++ b/libntp/work_thread.c
|
||||
@@ -41,7 +41,7 @@
|
||||
#ifndef THREAD_MINSTACKSIZE
|
||||
# define THREAD_MINSTACKSIZE (64U * 1024)
|
||||
#endif
|
||||
-#ifndef __sun
|
||||
+#if !defined(__sun) && !defined(__GLIBC__)
|
||||
#if defined(PTHREAD_STACK_MIN) && THREAD_MINSTACKSIZE < PTHREAD_STACK_MIN
|
||||
# undef THREAD_MINSTACKSIZE
|
||||
# define THREAD_MINSTACKSIZE PTHREAD_STACK_MIN
|
|
@ -17,4 +17,14 @@ if PACKAGE_rsync
|
|||
prompt "Enable zstd stream compression"
|
||||
default n
|
||||
|
||||
config RSYNC_lz4
|
||||
bool
|
||||
prompt "Enable lz4, extremely fast compression"
|
||||
default n
|
||||
|
||||
config RSYNC_xxhash
|
||||
bool
|
||||
prompt "Enable xxhash, extremely fast hash"
|
||||
default n
|
||||
|
||||
endif
|
||||
|
|
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=rsync
|
||||
PKG_VERSION:=3.3.0
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://download.samba.org/pub/$(PKG_NAME)/src
|
||||
|
@ -30,8 +30,8 @@ define Package/rsync
|
|||
SECTION:=net
|
||||
CATEGORY:=Network
|
||||
SUBMENU:=File Transfer
|
||||
TITLE:=Fast remote file copy program (like rcp)
|
||||
DEPENDS:=+libpopt +zlib +RSYNC_xattr:libattr +RSYNC_acl:libacl +RSYNC_zstd:libzstd $(ICONV_DEPENDS)
|
||||
TITLE:=an open source utility that provides fast incremental file transfer
|
||||
DEPENDS:=+libpopt +zlib +RSYNC_xattr:libattr +RSYNC_acl:libacl +RSYNC_zstd:libzstd +RSYNC_xxhash:libxxhash +RSYNC_lz4:liblz4 $(ICONV_DEPENDS)
|
||||
URL:=https://rsync.samba.org/
|
||||
MENU:=1
|
||||
endef
|
||||
|
@ -47,18 +47,18 @@ CONFIGURE_ARGS += \
|
|||
--without-included-zlib \
|
||||
--disable-debug \
|
||||
--disable-asm \
|
||||
--disable-lz4 \
|
||||
--disable-locale \
|
||||
--disable-md2man \
|
||||
--disable-openssl \
|
||||
--disable-simd \
|
||||
--disable-roll-simd \
|
||||
--disable-xxhash \
|
||||
--$(if $(CONFIG_BUILD_NLS),en,dis)able-iconv \
|
||||
--$(if $(CONFIG_BUILD_NLS),en,dis)able-iconv-open \
|
||||
--$(if $(CONFIG_RSYNC_zstd),en,dis)able-zstd \
|
||||
--$(if $(CONFIG_RSYNC_lz4),en,dis)able-lz4 \
|
||||
--$(if $(CONFIG_RSYNC_xattr),en,dis)able-xattr-support \
|
||||
--$(if $(CONFIG_RSYNC_acl),en,dis)able-acl-support \
|
||||
--$(if $(CONFIG_RSYNC_xxhash),en,dis)able-xxhash \
|
||||
$(if $(CONFIG_IPV6),,--disable-ipv6)
|
||||
|
||||
define Package/rsyncd
|
||||
|
|
|
@ -9,9 +9,10 @@ PKG_NAME:=snort3
|
|||
PKG_VERSION:=3.1.84.0
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://github.com/snort3/snort3/archive/refs/tags/
|
||||
PKG_HASH:=dca1707a66f6ca56ddd526163b2d951cefdb168bddc162c791adc74c0d226c7f
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_VERSION:=$(PKG_VERSION)
|
||||
PKG_SOURCE_URL:=https://github.com/snort3/snort3
|
||||
PKG_MIRROR_HASH:=ffa69fdd95c55a943ab4dd782923caf31937dd8ad29e202d7fe781373ed84444
|
||||
|
||||
PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org>, John Audia <therealgraysky@proton.me>
|
||||
PKG_LICENSE:=GPL-2.0-only
|
||||
|
|
|
@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=socat
|
||||
PKG_VERSION:=1.8.0.0
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
||||
PKG_SOURCE_URL:=http://www.dest-unreach.org/socat/download
|
||||
|
@ -58,6 +58,9 @@ CONFIGURE_ARGS += \
|
|||
--disable-readline \
|
||||
--enable-termios
|
||||
|
||||
## procan.c fails to compile when ccache is enabled
|
||||
MAKE_FLAGS += CC="$(TARGET_CC_NOCACHE)"
|
||||
|
||||
ifneq ($(CONFIG_SOCAT_SSL),y)
|
||||
CONFIGURE_ARGS+= --disable-openssl
|
||||
endif
|
||||
|
|
|
@ -8,12 +8,12 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=tailscale
|
||||
PKG_VERSION:=1.62.1
|
||||
PKG_VERSION:=1.64.2
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://codeload.github.com/tailscale/tailscale/tar.gz/v$(PKG_VERSION)?
|
||||
PKG_HASH:=22737fae37e971fecdf49d6b741b99988868aa3f1e683e67e14b872a2c49ca1c
|
||||
PKG_HASH:=e5e46f6b6b716b2c4696dce0b92dc2e36f02b06b7ad9f055042a820ad61b2a47
|
||||
|
||||
PKG_MAINTAINER:=Jan Pavlinec <jan.pavlinec1@gmail.com>
|
||||
PKG_LICENSE:=BSD-3-Clause
|
||||
|
|
|
@ -8,13 +8,13 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=tor
|
||||
PKG_VERSION:=0.4.8.10
|
||||
PKG_VERSION:=0.4.8.11
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://dist.torproject.org/ \
|
||||
https://archive.torproject.org/tor-package-archive
|
||||
PKG_HASH:=e628b4fab70edb4727715b23cf2931375a9f7685ac08f2c59ea498a178463a86
|
||||
PKG_HASH:=8f2bdf90e63380781235aa7d604e159570f283ecee674670873d8bb7052c8e07
|
||||
PKG_MAINTAINER:=Hauke Mehrtens <hauke@hauke-m.de> \
|
||||
Peter Wagner <tripolar@gmx.at>
|
||||
PKG_LICENSE:=BSD-3-Clause
|
||||
|
|
|
@ -9,11 +9,12 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=UDPspeeder
|
||||
PKG_VERSION:=20230206.0
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://codeload.github.com/wangyu-/$(PKG_NAME)/tar.gz/$(PKG_VERSION)?
|
||||
PKG_HASH:=c6b0c45e971360b25cd49be0369e94b2fb12f649d39c7e60c172c14a9e3a4e0d
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_VERSION:=$(PKG_VERSION)
|
||||
PKG_SOURCE_URL:=https://github.com/wangyu-/UDPspeeder
|
||||
PKG_MIRROR_HASH:=8196a07089112a164ea07cc95806f79075bd1b12cc7af5316e2793421bb2cfbf
|
||||
|
||||
PKG_LICENSE:=MIT
|
||||
PKG_LICENSE_FILES:=LICENSE
|
||||
|
@ -38,11 +39,10 @@ endef
|
|||
MAKE_FLAGS += cross
|
||||
|
||||
define Build/Prepare
|
||||
$(PKG_UNPACK)
|
||||
$(Build/Prepare/Default)
|
||||
sed -i 's/cc_cross=.*/cc_cross=$(TARGET_CXX)/g' $(PKG_BUILD_DIR)/makefile
|
||||
sed -i '/\gitversion/d' $(PKG_BUILD_DIR)/makefile
|
||||
echo 'const char * const gitversion = "$(PKG_VERSION)";' > $(PKG_BUILD_DIR)/git_version.h
|
||||
$(Build/Patch)
|
||||
endef
|
||||
|
||||
define Package/UDPspeeder/install
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=uwsgi
|
||||
PKG_VERSION:=2.0.22
|
||||
PKG_VERSION:=2.0.25.1
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PYPI_NAME:=uWSGI
|
||||
PYPI_SOURCE_NAME:=uwsgi
|
||||
PKG_HASH:=4cc4727258671ac5fa17ab422155e9aaef8a2008ebb86e4404b66deaae965db2
|
||||
PKG_HASH:=d653d2d804c194c8cbe2585fa56efa2650313ae75c686a9d7931374d4dfbfc6e
|
||||
|
||||
PKG_LICENSE:=GPL-2.0-or-later
|
||||
PKG_LICENSE_FILES:=LICENSE
|
||||
PKG_MAINTAINER:=Ansuel Smith <ansuelsmth@gmail.com>
|
||||
PKG_MAINTAINER:=Christian Marangi <ansuelsmth@gmail.com>
|
||||
|
||||
PKG_BUILD_DEPENDS:=python3/host
|
||||
PYTHON3_PKG_BUILD:=0
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
--- a/uwsgiconfig.py
|
||||
+++ b/uwsgiconfig.py
|
||||
@@ -859,11 +859,11 @@ class uConf(object):
|
||||
@@ -863,11 +863,11 @@ class uConf(object):
|
||||
self.cflags.append('-DUWSGI_HAS_EXECINFO')
|
||||
report['execinfo'] = True
|
||||
|
||||
|
|
|
@ -1,11 +1,10 @@
|
|||
--- a/uwsgiconfig.py
|
||||
+++ b/uwsgiconfig.py
|
||||
@@ -688,7 +688,7 @@ class uConf(object):
|
||||
@@ -684,7 +684,6 @@ class uConf(object):
|
||||
self.include_path += os.environ['UWSGI_INCLUDES'].split(',')
|
||||
|
||||
|
||||
- self.cflags = ['-O2', '-I.', '-Wall', '-D_LARGEFILE_SOURCE', '-D_FILE_OFFSET_BITS=64'] + os.environ.get("CFLAGS", "").split() + self.get('cflags','').split()
|
||||
+ self.cflags = ['-I.', '-Wall', '-D_LARGEFILE_SOURCE', '-D_FILE_OFFSET_BITS=64'] + os.environ.get("CFLAGS", "").split() + self.get('cflags','').split()
|
||||
|
||||
report['kernel'] = uwsgi_os
|
||||
|
||||
cflags = [
|
||||
- '-O2',
|
||||
'-I.',
|
||||
'-Wall',
|
||||
'-D_LARGEFILE_SOURCE',
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
--- a/uwsgiconfig.py
|
||||
+++ b/uwsgiconfig.py
|
||||
@@ -5,9 +5,9 @@ uwsgi_version = '2.0.22'
|
||||
@@ -5,9 +5,9 @@ uwsgi_version = '2.0.25.1'
|
||||
import os
|
||||
import re
|
||||
import time
|
||||
|
|
|
@ -1,20 +0,0 @@
|
|||
From bad0edfc10a80de908a3d83c7f075eff8df3a691 Mon Sep 17 00:00:00 2001
|
||||
From: Riccardo Magliocchetti <riccardo.magliocchetti@gmail.com>
|
||||
Date: Wed, 14 Jan 2015 21:19:24 +0100
|
||||
Subject: [PATCH] core/alarm: fix memory leak
|
||||
|
||||
Reported by Coverity as CID #971006
|
||||
---
|
||||
core/alarm.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
--- a/core/alarm.c
|
||||
+++ b/core/alarm.c
|
||||
@@ -171,6 +171,7 @@ static int uwsgi_alarm_log_add(char *ala
|
||||
|
||||
ual = uwsgi_calloc(sizeof(struct uwsgi_alarm_log));
|
||||
if (uwsgi_regexp_build(regexp, &ual->pattern, &ual->pattern_extra)) {
|
||||
+ free(ual);
|
||||
return -1;
|
||||
}
|
||||
ual->negate = negate;
|
|
@ -18,6 +18,6 @@ Given the changeset which introduced this option with the ssl-enable3 option whi
|
|||
{"ssl-enable-tlsv1", no_argument, 0, "enable TLSv1 (insecure)", uwsgi_opt_true, &uwsgi.tlsv1, 0},
|
||||
- {"ssl-option", no_argument, 0, "set a raw ssl option (numeric value)", uwsgi_opt_add_string_list, &uwsgi.ssl_options, 0},
|
||||
+ {"ssl-option", required_argument, 0, "set a raw ssl option (numeric value)", uwsgi_opt_add_string_list, &uwsgi.ssl_options, 0},
|
||||
#ifdef UWSGI_PCRE
|
||||
#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
{"sni-regexp", required_argument, 0, "add an SNI-governed SSL context (the key is a regexp)", uwsgi_opt_sni, NULL, 0},
|
||||
#endif
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
--- a/core/uwsgi.c
|
||||
+++ b/core/uwsgi.c
|
||||
@@ -1825,7 +1825,7 @@ void uwsgi_plugins_atexit(void) {
|
||||
@@ -1794,7 +1794,7 @@ void uwsgi_plugins_atexit(void) {
|
||||
|
||||
void uwsgi_backtrace(int depth) {
|
||||
|
||||
|
|
|
@ -1,887 +0,0 @@
|
|||
From 7835662f76831a76e4cc04791fcf2ee1ea725931 Mon Sep 17 00:00:00 2001
|
||||
From: Riccardo Magliocchetti <riccardo.magliocchetti@gmail.com>
|
||||
Date: Tue, 25 Jul 2023 16:17:52 +0200
|
||||
Subject: [PATCH 01/12] uwsgiconfig: prepare for pcre2
|
||||
|
||||
---
|
||||
uwsgiconfig.py | 45 ++++++++++++++++++++++-----------------------
|
||||
1 file changed, 22 insertions(+), 23 deletions(-)
|
||||
|
||||
--- a/uwsgiconfig.py
|
||||
+++ b/uwsgiconfig.py
|
||||
@@ -1079,30 +1079,29 @@ class uConf(object):
|
||||
|
||||
has_pcre = False
|
||||
|
||||
- # re-enable after pcre fix
|
||||
- if self.get('pcre'):
|
||||
- if self.get('pcre') == 'auto':
|
||||
- pcreconf = spcall('pcre-config --libs')
|
||||
- if pcreconf:
|
||||
- self.libs.append(pcreconf)
|
||||
- pcreconf = spcall("pcre-config --cflags")
|
||||
- self.cflags.append(pcreconf)
|
||||
- self.gcc_list.append('core/regexp')
|
||||
- self.cflags.append("-DUWSGI_PCRE")
|
||||
- has_pcre = True
|
||||
-
|
||||
+ required_pcre = self.get('pcre')
|
||||
+ if required_pcre:
|
||||
+ pcre_libs = spcall('pcre2-config --libs8')
|
||||
+ if pcre_libs:
|
||||
+ pcre_cflags = spcall("pcre2-config --cflags")
|
||||
+ pcre_define = "-DUWSGI_PCRE2"
|
||||
else:
|
||||
- pcreconf = spcall('pcre-config --libs')
|
||||
- if pcreconf is None:
|
||||
- print("*** libpcre headers unavailable. uWSGI build is interrupted. You have to install pcre development package or disable pcre")
|
||||
- sys.exit(1)
|
||||
- else:
|
||||
- self.libs.append(pcreconf)
|
||||
- pcreconf = spcall("pcre-config --cflags")
|
||||
- self.cflags.append(pcreconf)
|
||||
- self.gcc_list.append('core/regexp')
|
||||
- self.cflags.append("-DUWSGI_PCRE")
|
||||
- has_pcre = True
|
||||
+ pcre_libs = spcall('pcre-config --libs')
|
||||
+ pcre_cflags = spcall("pcre-config --cflags")
|
||||
+ pcre_define = "-DUWSGI_PCRE"
|
||||
+ else:
|
||||
+ pcre_libs = None
|
||||
+
|
||||
+ if required_pcre:
|
||||
+ if required_pcre != 'auto' and pcre_libs is None:
|
||||
+ print("*** libpcre headers unavailable. uWSGI build is interrupted. You have to install pcre development package or disable pcre")
|
||||
+ sys.exit(1)
|
||||
+
|
||||
+ self.libs.append(pcre_libs)
|
||||
+ self.cflags.append(pcre_cflags)
|
||||
+ self.gcc_list.append('core/regexp')
|
||||
+ self.cflags.append(pcre_define)
|
||||
+ has_pcre = True
|
||||
|
||||
if has_pcre:
|
||||
report['pcre'] = True
|
||||
--- a/core/alarm.c
|
||||
+++ b/core/alarm.c
|
||||
@@ -160,7 +160,7 @@ static struct uwsgi_alarm_instance *uwsg
|
||||
}
|
||||
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
static int uwsgi_alarm_log_add(char *alarms, char *regexp, int negate) {
|
||||
|
||||
struct uwsgi_alarm_log *old_ual = NULL, *ual = uwsgi.alarm_logs;
|
||||
@@ -170,7 +170,7 @@ static int uwsgi_alarm_log_add(char *ala
|
||||
}
|
||||
|
||||
ual = uwsgi_calloc(sizeof(struct uwsgi_alarm_log));
|
||||
- if (uwsgi_regexp_build(regexp, &ual->pattern, &ual->pattern_extra)) {
|
||||
+ if (uwsgi_regexp_build(regexp, &ual->pattern)) {
|
||||
free(ual);
|
||||
return -1;
|
||||
}
|
||||
@@ -331,7 +331,7 @@ void uwsgi_alarms_init() {
|
||||
usl = usl->next;
|
||||
}
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
// then map log-alarm
|
||||
usl = uwsgi.alarm_logs_list;
|
||||
while (usl) {
|
||||
@@ -377,14 +377,14 @@ void uwsgi_alarm_trigger_uai(struct uwsg
|
||||
}
|
||||
}
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
// check if a log should raise an alarm
|
||||
void uwsgi_alarm_log_check(char *msg, size_t len) {
|
||||
if (!uwsgi_strncmp(msg, len, "[uwsgi-alarm", 12))
|
||||
return;
|
||||
struct uwsgi_alarm_log *ual = uwsgi.alarm_logs;
|
||||
while (ual) {
|
||||
- if (uwsgi_regexp_match(ual->pattern, ual->pattern_extra, msg, len) >= 0) {
|
||||
+ if (uwsgi_regexp_match(ual->pattern, msg, len) >= 0) {
|
||||
if (!ual->negate) {
|
||||
struct uwsgi_alarm_ll *uall = ual->alarms;
|
||||
while (uall) {
|
||||
--- a/core/logging.c
|
||||
+++ b/core/logging.c
|
||||
@@ -414,7 +414,7 @@ void uwsgi_setup_log_master(void) {
|
||||
usl = usl->next;
|
||||
}
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
// set logger by its id
|
||||
struct uwsgi_regexp_list *url = uwsgi.log_route;
|
||||
while (url) {
|
||||
@@ -1398,11 +1398,11 @@ int uwsgi_master_log(void) {
|
||||
|
||||
ssize_t rlen = read(uwsgi.shared->worker_log_pipe[0], uwsgi.log_master_buf, uwsgi.log_master_bufsize);
|
||||
if (rlen > 0) {
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
uwsgi_alarm_log_check(uwsgi.log_master_buf, rlen);
|
||||
struct uwsgi_regexp_list *url = uwsgi.log_drain_rules;
|
||||
while (url) {
|
||||
- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, uwsgi.log_master_buf, rlen) >= 0) {
|
||||
+ if (uwsgi_regexp_match(url->pattern, uwsgi.log_master_buf, rlen) >= 0) {
|
||||
return 0;
|
||||
}
|
||||
url = url->next;
|
||||
@@ -1411,7 +1411,7 @@ int uwsgi_master_log(void) {
|
||||
int show = 0;
|
||||
url = uwsgi.log_filter_rules;
|
||||
while (url) {
|
||||
- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, uwsgi.log_master_buf, rlen) >= 0) {
|
||||
+ if (uwsgi_regexp_match(url->pattern, uwsgi.log_master_buf, rlen) >= 0) {
|
||||
show = 1;
|
||||
break;
|
||||
}
|
||||
@@ -1424,7 +1424,7 @@ int uwsgi_master_log(void) {
|
||||
url = uwsgi.log_route;
|
||||
int finish = 0;
|
||||
while (url) {
|
||||
- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, uwsgi.log_master_buf, rlen) >= 0) {
|
||||
+ if (uwsgi_regexp_match(url->pattern, uwsgi.log_master_buf, rlen) >= 0) {
|
||||
struct uwsgi_logger *ul_route = (struct uwsgi_logger *) url->custom_ptr;
|
||||
if (ul_route) {
|
||||
uwsgi_log_func_do(uwsgi.requested_log_encoders, ul_route, uwsgi.log_master_buf, rlen);
|
||||
@@ -1464,11 +1464,11 @@ int uwsgi_master_req_log(void) {
|
||||
|
||||
ssize_t rlen = read(uwsgi.shared->worker_req_log_pipe[0], uwsgi.log_master_buf, uwsgi.log_master_bufsize);
|
||||
if (rlen > 0) {
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
struct uwsgi_regexp_list *url = uwsgi.log_req_route;
|
||||
int finish = 0;
|
||||
while (url) {
|
||||
- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, uwsgi.log_master_buf, rlen) >= 0) {
|
||||
+ if (uwsgi_regexp_match(url->pattern, uwsgi.log_master_buf, rlen) >= 0) {
|
||||
struct uwsgi_logger *ul_route = (struct uwsgi_logger *) url->custom_ptr;
|
||||
if (ul_route) {
|
||||
uwsgi_log_func_do(uwsgi.requested_log_req_encoders, ul_route, uwsgi.log_master_buf, rlen);
|
||||
--- a/core/regexp.c
|
||||
+++ b/core/regexp.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
#include "uwsgi.h"
|
||||
|
||||
extern struct uwsgi_server uwsgi;
|
||||
@@ -13,48 +13,110 @@ void uwsgi_opt_pcre_jit(char *opt, char
|
||||
#endif
|
||||
}
|
||||
|
||||
-int uwsgi_regexp_build(char *re, pcre ** pattern, pcre_extra ** pattern_extra) {
|
||||
+int uwsgi_regexp_build(char *re, uwsgi_pcre ** pattern) {
|
||||
|
||||
+#ifdef UWSGI_PCRE2
|
||||
+ int errnbr;
|
||||
+ long unsigned int erroff;
|
||||
+
|
||||
+ *pattern = pcre2_compile((const unsigned char *) re, PCRE2_ZERO_TERMINATED, 0, &errnbr, &erroff, NULL);
|
||||
+#else
|
||||
const char *errstr;
|
||||
int erroff;
|
||||
|
||||
- *pattern = pcre_compile((const char *) re, 0, &errstr, &erroff, NULL);
|
||||
- if (!*pattern) {
|
||||
+ *pattern = uwsgi_malloc(sizeof(uwsgi_pcre));
|
||||
+ (*pattern)->p = pcre_compile((const char *) re, 0, &errstr, &erroff, NULL);
|
||||
+#endif
|
||||
+#ifdef UWSGI_PCRE2
|
||||
+ if (!(*pattern)) {
|
||||
+ uwsgi_log("pcre error: code %d at offset %d\n", errnbr, erroff);
|
||||
+#else
|
||||
+ if (!((*pattern)->p)) {
|
||||
uwsgi_log("pcre error: %s at offset %d\n", errstr, erroff);
|
||||
+#endif
|
||||
return -1;
|
||||
}
|
||||
|
||||
+#ifdef UWSGI_PCRE2
|
||||
+ if (uwsgi.pcre_jit) {
|
||||
+ errnbr = pcre2_jit_compile(*pattern, PCRE2_JIT_COMPLETE);
|
||||
+ if (errnbr) {
|
||||
+ pcre2_code_free(*pattern);
|
||||
+ uwsgi_log("pcre JIT compile error code %d\n", errnbr);
|
||||
+ return -1;
|
||||
+ }
|
||||
+#else
|
||||
int opt = uwsgi.pcre_jit;
|
||||
|
||||
- *pattern_extra = (pcre_extra *) pcre_study((const pcre *) *pattern, opt, &errstr);
|
||||
- if (*pattern_extra == NULL && errstr != NULL) {
|
||||
- pcre_free(*pattern);
|
||||
+ (*pattern)->extra = (pcre_extra *) pcre_study((const pcre *) (*pattern)->p, opt, &errstr);
|
||||
+ if ((*pattern)->extra == NULL && errstr != NULL) {
|
||||
+ pcre_free((*pattern)->p);
|
||||
+ free(*pattern);
|
||||
uwsgi_log("pcre (study) error: %s\n", errstr);
|
||||
return -1;
|
||||
+#endif
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
||||
}
|
||||
|
||||
-int uwsgi_regexp_match(pcre * pattern, pcre_extra * pattern_extra, char *subject, int length) {
|
||||
-
|
||||
- return pcre_exec((const pcre *) pattern, (const pcre_extra *) pattern_extra, subject, length, 0, 0, NULL, 0);
|
||||
+int uwsgi_regexp_match(uwsgi_pcre *pattern, const char *subject, int length) {
|
||||
+#ifdef UWSGI_PCRE2
|
||||
+ return pcre2_match(pattern, (const unsigned char *)subject, length, 0, 0, NULL, NULL);
|
||||
+#else
|
||||
+ return pcre_exec((const pcre *) pattern->p, (const pcre_extra *) pattern->extra, subject, length, 0, 0, NULL, 0);
|
||||
+#endif
|
||||
}
|
||||
|
||||
-int uwsgi_regexp_match_ovec(pcre * pattern, pcre_extra * pattern_extra, char *subject, int length, int *ovec, int n) {
|
||||
+int uwsgi_regexp_match_ovec(uwsgi_pcre *pattern, const char *subject, int length, int *ovec, int n) {
|
||||
+
|
||||
+#ifdef UWSGI_PCRE2
|
||||
+ int rc;
|
||||
+ int i;
|
||||
+ pcre2_match_data *match_data;
|
||||
+ size_t *pcre2_ovec;
|
||||
+
|
||||
+ match_data = pcre2_match_data_create_from_pattern(pattern, NULL);
|
||||
+ rc = pcre2_match(pattern, (const unsigned char *)subject, length, 0, 0, match_data, NULL);
|
||||
|
||||
+ /*
|
||||
+ * Quoting PCRE{,2} spec, "The first pair of integers, ovector[0]
|
||||
+ * and ovector[1], identify the portion of the subject string matched
|
||||
+ * by the entire pattern. The next pair is used for the first capturing
|
||||
+ * subpattern, and so on." Therefore, the ovector size is the number of
|
||||
+ * capturing subpatterns (INFO_CAPTURECOUNT), from uwsgi_regexp_ovector(),
|
||||
+ * as matching pairs, plus room for the first pair.
|
||||
+ */
|
||||
if (n > 0) {
|
||||
- return pcre_exec((const pcre *) pattern, (const pcre_extra *) pattern_extra, subject, length, 0, 0, ovec, (n + 1) * 3);
|
||||
+ // copy pcre2 output vector to uwsgi output vector
|
||||
+ pcre2_ovec = pcre2_get_ovector_pointer(match_data);
|
||||
+ for (i=0;i<(n+1)*2;i++) {
|
||||
+ ovec[i] = pcre2_ovec[i];
|
||||
+ }
|
||||
+#else
|
||||
+ if (n > 0) {
|
||||
+ return pcre_exec((const pcre *) pattern->p, (const pcre_extra *) pattern->extra, subject, length, 0, 0, ovec, PCRE_OVECTOR_BYTESIZE(n));
|
||||
+#endif
|
||||
}
|
||||
- return pcre_exec((const pcre *) pattern, (const pcre_extra *) pattern_extra, subject, length, 0, 0, NULL, 0);
|
||||
+
|
||||
+#ifdef UWSGI_PCRE2
|
||||
+ pcre2_match_data_free(match_data);
|
||||
+
|
||||
+ return rc;
|
||||
+#else
|
||||
+ return pcre_exec((const pcre *) pattern->p, (const pcre_extra *) pattern->extra, subject, length, 0, 0, NULL, 0);
|
||||
+#endif
|
||||
}
|
||||
|
||||
-int uwsgi_regexp_ovector(pcre * pattern, pcre_extra * pattern_extra) {
|
||||
+int uwsgi_regexp_ovector(const uwsgi_pcre *pattern) {
|
||||
|
||||
int n;
|
||||
-
|
||||
- if (pcre_fullinfo((const pcre *) pattern, (const pcre_extra *) pattern_extra, PCRE_INFO_CAPTURECOUNT, &n))
|
||||
+#ifdef UWSGI_PCRE2
|
||||
+ if (pcre2_pattern_info(pattern, PCRE2_INFO_CAPTURECOUNT, &n))
|
||||
+#else
|
||||
+ if (pcre_fullinfo((const pcre *) pattern->p, (const pcre_extra *) pattern->extra, PCRE_INFO_CAPTURECOUNT, &n))
|
||||
+#endif
|
||||
return 0;
|
||||
|
||||
return n;
|
||||
@@ -66,7 +128,7 @@ char *uwsgi_regexp_apply_ovec(char *src,
|
||||
int dollar = 0;
|
||||
|
||||
size_t dollars = n;
|
||||
-
|
||||
+
|
||||
for(i=0;i<dst_n;i++) {
|
||||
if (dst[i] == '$') {
|
||||
dollars++;
|
||||
--- a/core/routing.c
|
||||
+++ b/core/routing.c
|
||||
@@ -211,7 +211,7 @@ int uwsgi_apply_routes_do(struct uwsgi_r
|
||||
subject = *subject2 ;
|
||||
subject_len = *subject_len2;
|
||||
}
|
||||
- n = uwsgi_regexp_match_ovec(routes->pattern, routes->pattern_extra, subject, subject_len, routes->ovector[wsgi_req->async_id], routes->ovn[wsgi_req->async_id]);
|
||||
+ n = uwsgi_regexp_match_ovec(routes->pattern, subject, subject_len, routes->ovector[wsgi_req->async_id], routes->ovn[wsgi_req->async_id]);
|
||||
}
|
||||
else {
|
||||
int ret = routes->if_func(wsgi_req, routes);
|
||||
@@ -506,15 +506,15 @@ void uwsgi_fixup_routes(struct uwsgi_rou
|
||||
|
||||
// fill them if needed... (this is an optimization for route with a static subject)
|
||||
if (ur->subject && ur->subject_len) {
|
||||
- if (uwsgi_regexp_build(ur->orig_route, &ur->pattern, &ur->pattern_extra)) {
|
||||
+ if (uwsgi_regexp_build(ur->orig_route, &ur->pattern)) {
|
||||
exit(1);
|
||||
}
|
||||
|
||||
int i;
|
||||
for(i=0;i<uwsgi.cores;i++) {
|
||||
- ur->ovn[i] = uwsgi_regexp_ovector(ur->pattern, ur->pattern_extra);
|
||||
+ ur->ovn[i] = uwsgi_regexp_ovector(ur->pattern);
|
||||
if (ur->ovn[i] > 0) {
|
||||
- ur->ovector[i] = uwsgi_calloc(sizeof(int) * (3 * (ur->ovn[i] + 1)));
|
||||
+ ur->ovector[i] = uwsgi_calloc(sizeof(int) * PCRE_OVECTOR_BYTESIZE(ur->ovn[i]));
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1484,38 +1484,47 @@ static int uwsgi_route_condition_regexp(
|
||||
ur->condition_ub[wsgi_req->async_id] = uwsgi_routing_translate(wsgi_req, ur, NULL, 0, ur->subject_str, semicolon - ur->subject_str);
|
||||
if (!ur->condition_ub[wsgi_req->async_id]) return -1;
|
||||
|
||||
- pcre *pattern;
|
||||
- pcre_extra *pattern_extra;
|
||||
+ uwsgi_pcre *pattern;
|
||||
char *re = uwsgi_concat2n(semicolon+1, ur->subject_str_len - ((semicolon+1) - ur->subject_str), "", 0);
|
||||
- if (uwsgi_regexp_build(re, &pattern, &pattern_extra)) {
|
||||
+ if (uwsgi_regexp_build(re, &pattern)) {
|
||||
free(re);
|
||||
return -1;
|
||||
}
|
||||
free(re);
|
||||
|
||||
// a condition has no initialized vectors, let's create them
|
||||
- ur->ovn[wsgi_req->async_id] = uwsgi_regexp_ovector(pattern, pattern_extra);
|
||||
+ ur->ovn[wsgi_req->async_id] = uwsgi_regexp_ovector(pattern);
|
||||
if (ur->ovn[wsgi_req->async_id] > 0) {
|
||||
ur->ovector[wsgi_req->async_id] = uwsgi_calloc(sizeof(int) * (3 * (ur->ovn[wsgi_req->async_id] + 1)));
|
||||
}
|
||||
|
||||
- if (uwsgi_regexp_match_ovec(pattern, pattern_extra, ur->condition_ub[wsgi_req->async_id]->buf, ur->condition_ub[wsgi_req->async_id]->pos, ur->ovector[wsgi_req->async_id], ur->ovn[wsgi_req->async_id] ) >= 0) {
|
||||
- pcre_free(pattern);
|
||||
+ if (uwsgi_regexp_match_ovec(pattern, ur->condition_ub[wsgi_req->async_id]->buf, ur->condition_ub[wsgi_req->async_id]->pos, ur->ovector[wsgi_req->async_id], ur->ovn[wsgi_req->async_id] ) >= 0) {
|
||||
+#ifdef UWSGI_PCRE2
|
||||
+ pcre2_code_free(pattern);
|
||||
+#else
|
||||
+ pcre_free(pattern->p);
|
||||
#ifdef PCRE_STUDY_JIT_COMPILE
|
||||
- pcre_free_study(pattern_extra);
|
||||
+ pcre_free_study(pattern->extra);
|
||||
#else
|
||||
- pcre_free(pattern_extra);
|
||||
+ pcre_free(pattern->extra);
|
||||
+#endif
|
||||
+ free(pattern);
|
||||
#endif
|
||||
return 1;
|
||||
}
|
||||
|
||||
- pcre_free(pattern);
|
||||
+#ifdef UWSGI_PCRE2
|
||||
+ pcre2_code_free(pattern);
|
||||
+#else
|
||||
+ pcre_free(pattern->p);
|
||||
#ifdef PCRE_STUDY_JIT_COMPILE
|
||||
- pcre_free_study(pattern_extra);
|
||||
+ pcre_free_study(pattern->extra);
|
||||
#else
|
||||
- pcre_free(pattern_extra);
|
||||
+ pcre_free(pattern->extra);
|
||||
#endif
|
||||
- return 0;
|
||||
+ free(pattern);
|
||||
+#endif
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
static int uwsgi_route_condition_empty(struct wsgi_request *wsgi_req, struct uwsgi_route *ur) {
|
||||
--- a/core/ssl.c
|
||||
+++ b/core/ssl.c
|
||||
@@ -145,10 +145,10 @@ static int uwsgi_sni_cb(SSL *ssl, int *a
|
||||
|
||||
if (uwsgi.subscription_dotsplit) goto end;
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
struct uwsgi_regexp_list *url = uwsgi.sni_regexp;
|
||||
while(url) {
|
||||
- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, (char *)servername, servername_len) >= 0) {
|
||||
+ if (uwsgi_regexp_match(url->pattern, (char *)servername, servername_len) >= 0) {
|
||||
SSL_set_SSL_CTX(ssl, url->custom_ptr);
|
||||
return SSL_TLSEXT_ERR_OK;
|
||||
}
|
||||
@@ -621,7 +621,7 @@ void uwsgi_opt_sni(char *opt, char *valu
|
||||
return;
|
||||
}
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
if (!strcmp(opt, "sni-regexp")) {
|
||||
struct uwsgi_regexp_list *url = uwsgi_regexp_new_list(&uwsgi.sni_regexp, v);
|
||||
url->custom_ptr = ctx;
|
||||
@@ -630,7 +630,7 @@ void uwsgi_opt_sni(char *opt, char *valu
|
||||
#endif
|
||||
struct uwsgi_string_list *usl = uwsgi_string_new_list(&uwsgi.sni, v);
|
||||
usl->custom_ptr = ctx;
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
}
|
||||
#endif
|
||||
|
||||
--- a/core/static.c
|
||||
+++ b/core/static.c
|
||||
@@ -35,11 +35,11 @@ int uwsgi_static_want_gzip(struct wsgi_r
|
||||
usl = usl->next;
|
||||
}
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
// check for regexp
|
||||
struct uwsgi_regexp_list *url = uwsgi.static_gzip;
|
||||
while(url) {
|
||||
- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, filename, *filename_len) >= 0) {
|
||||
+ if (uwsgi_regexp_match(url->pattern, filename, *filename_len) >= 0) {
|
||||
goto gzip;
|
||||
}
|
||||
url = url->next;
|
||||
@@ -216,7 +216,7 @@ int uwsgi_add_expires_type(struct wsgi_r
|
||||
return 0;
|
||||
}
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
int uwsgi_add_expires(struct wsgi_request *wsgi_req, char *filename, int filename_len, struct stat *st) {
|
||||
|
||||
struct uwsgi_dyn_dict *udd = uwsgi.static_expires;
|
||||
@@ -225,7 +225,7 @@ int uwsgi_add_expires(struct wsgi_reques
|
||||
char expires[31];
|
||||
|
||||
while (udd) {
|
||||
- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, filename, filename_len) >= 0) {
|
||||
+ if (uwsgi_regexp_match(udd->pattern, filename, filename_len) >= 0) {
|
||||
int delta = uwsgi_str_num(udd->value, udd->vallen);
|
||||
int size = uwsgi_http_date(now + delta, expires);
|
||||
if (size > 0) {
|
||||
@@ -238,7 +238,7 @@ int uwsgi_add_expires(struct wsgi_reques
|
||||
|
||||
udd = uwsgi.static_expires_mtime;
|
||||
while (udd) {
|
||||
- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, filename, filename_len) >= 0) {
|
||||
+ if (uwsgi_regexp_match(udd->pattern, filename, filename_len) >= 0) {
|
||||
int delta = uwsgi_str_num(udd->value, udd->vallen);
|
||||
int size = uwsgi_http_date(st->st_mtime + delta, expires);
|
||||
if (size > 0) {
|
||||
@@ -260,7 +260,7 @@ int uwsgi_add_expires_path_info(struct w
|
||||
char expires[31];
|
||||
|
||||
while (udd) {
|
||||
- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, wsgi_req->path_info, wsgi_req->path_info_len) >= 0) {
|
||||
+ if (uwsgi_regexp_match(udd->pattern, wsgi_req->path_info, wsgi_req->path_info_len) >= 0) {
|
||||
int delta = uwsgi_str_num(udd->value, udd->vallen);
|
||||
int size = uwsgi_http_date(now + delta, expires);
|
||||
if (size > 0) {
|
||||
@@ -273,7 +273,7 @@ int uwsgi_add_expires_path_info(struct w
|
||||
|
||||
udd = uwsgi.static_expires_path_info_mtime;
|
||||
while (udd) {
|
||||
- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, wsgi_req->path_info, wsgi_req->path_info_len) >= 0) {
|
||||
+ if (uwsgi_regexp_match(udd->pattern, wsgi_req->path_info, wsgi_req->path_info_len) >= 0) {
|
||||
int delta = uwsgi_str_num(udd->value, udd->vallen);
|
||||
int size = uwsgi_http_date(st->st_mtime + delta, expires);
|
||||
if (size > 0) {
|
||||
@@ -295,7 +295,7 @@ int uwsgi_add_expires_uri(struct wsgi_re
|
||||
char expires[31];
|
||||
|
||||
while (udd) {
|
||||
- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
|
||||
+ if (uwsgi_regexp_match(udd->pattern, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
|
||||
int delta = uwsgi_str_num(udd->value, udd->vallen);
|
||||
int size = uwsgi_http_date(now + delta, expires);
|
||||
if (size > 0) {
|
||||
@@ -308,7 +308,7 @@ int uwsgi_add_expires_uri(struct wsgi_re
|
||||
|
||||
udd = uwsgi.static_expires_uri_mtime;
|
||||
while (udd) {
|
||||
- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
|
||||
+ if (uwsgi_regexp_match(udd->pattern, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
|
||||
int delta = uwsgi_str_num(udd->value, udd->vallen);
|
||||
int size = uwsgi_http_date(st->st_mtime + delta, expires);
|
||||
if (size > 0) {
|
||||
@@ -507,7 +507,7 @@ int uwsgi_real_file_serve(struct wsgi_re
|
||||
if (uwsgi_response_prepare_headers(wsgi_req, "200 OK", 6)) return -1;
|
||||
}
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
uwsgi_add_expires(wsgi_req, real_filename, real_filename_len, st);
|
||||
uwsgi_add_expires_path_info(wsgi_req, st);
|
||||
uwsgi_add_expires_uri(wsgi_req, st);
|
||||
--- a/core/utils.c
|
||||
+++ b/core/utils.c
|
||||
@@ -2301,7 +2301,7 @@ struct uwsgi_string_list *uwsgi_string_n
|
||||
return uwsgi_string;
|
||||
}
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
struct uwsgi_regexp_list *uwsgi_regexp_custom_new_list(struct uwsgi_regexp_list **list, char *value, char *custom) {
|
||||
|
||||
struct uwsgi_regexp_list *url = *list, *old_url;
|
||||
@@ -2320,7 +2320,7 @@ struct uwsgi_regexp_list *uwsgi_regexp_c
|
||||
old_url->next = url;
|
||||
}
|
||||
|
||||
- if (uwsgi_regexp_build(value, &url->pattern, &url->pattern_extra)) {
|
||||
+ if (uwsgi_regexp_build(value, &url->pattern)) {
|
||||
exit(1);
|
||||
}
|
||||
url->next = NULL;
|
||||
@@ -2333,14 +2333,13 @@ struct uwsgi_regexp_list *uwsgi_regexp_c
|
||||
|
||||
int uwsgi_regexp_match_pattern(char *pattern, char *str) {
|
||||
|
||||
- pcre *regexp;
|
||||
- pcre_extra *regexp_extra;
|
||||
+ uwsgi_pcre *regexp;
|
||||
|
||||
- if (uwsgi_regexp_build(pattern, ®exp, ®exp_extra))
|
||||
+ if (uwsgi_regexp_build(pattern, ®exp))
|
||||
return 1;
|
||||
- return !uwsgi_regexp_match(regexp, regexp_extra, str, strlen(str));
|
||||
-}
|
||||
|
||||
+ return !uwsgi_regexp_match(regexp, str, strlen(str));
|
||||
+}
|
||||
|
||||
#endif
|
||||
|
||||
--- a/core/uwsgi.c
|
||||
+++ b/core/uwsgi.c
|
||||
@@ -130,7 +130,7 @@ static struct uwsgi_option uwsgi_base_op
|
||||
{"if-hostname", required_argument, 0, "(opt logic) check for hostname", uwsgi_opt_logic, (void *) uwsgi_logic_opt_if_hostname, UWSGI_OPT_IMMEDIATE},
|
||||
{"if-not-hostname", required_argument, 0, "(opt logic) check for hostname", uwsgi_opt_logic, (void *) uwsgi_logic_opt_if_not_hostname, UWSGI_OPT_IMMEDIATE},
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
{"if-hostname-match", required_argument, 0, "(opt logic) try to match hostname against a regular expression", uwsgi_opt_logic, (void *) uwsgi_logic_opt_if_hostname_match, UWSGI_OPT_IMMEDIATE},
|
||||
{"if-not-hostname-match", required_argument, 0, "(opt logic) try to match hostname against a regular expression", uwsgi_opt_logic, (void *) uwsgi_logic_opt_if_not_hostname_match, UWSGI_OPT_IMMEDIATE},
|
||||
#endif
|
||||
@@ -548,7 +548,7 @@ static struct uwsgi_option uwsgi_base_op
|
||||
{"ksm", optional_argument, 0, "enable Linux KSM", uwsgi_opt_set_int, &uwsgi.linux_ksm, 0},
|
||||
#endif
|
||||
#endif
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
{"pcre-jit", no_argument, 0, "enable pcre jit (if available)", uwsgi_opt_pcre_jit, NULL, UWSGI_OPT_IMMEDIATE},
|
||||
#endif
|
||||
{"never-swap", no_argument, 0, "lock all memory pages avoiding swapping", uwsgi_opt_true, &uwsgi.never_swap, 0},
|
||||
@@ -679,7 +679,7 @@ static struct uwsgi_option uwsgi_base_op
|
||||
{"ssl-enable-sslv3", no_argument, 0, "enable SSLv3 (insecure)", uwsgi_opt_true, &uwsgi.sslv3, 0},
|
||||
{"ssl-enable-tlsv1", no_argument, 0, "enable TLSv1 (insecure)", uwsgi_opt_true, &uwsgi.tlsv1, 0},
|
||||
{"ssl-option", required_argument, 0, "set a raw ssl option (numeric value)", uwsgi_opt_add_string_list, &uwsgi.ssl_options, 0},
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
{"sni-regexp", required_argument, 0, "add an SNI-governed SSL context (the key is a regexp)", uwsgi_opt_sni, NULL, 0},
|
||||
#endif
|
||||
{"ssl-tmp-dir", required_argument, 0, "store ssl-related temp files in the specified directory", uwsgi_opt_set_str, &uwsgi.ssl_tmp_dir, 0},
|
||||
@@ -715,7 +715,7 @@ static struct uwsgi_option uwsgi_base_op
|
||||
{"log-req-encoder", required_argument, 0, "add an item in the log req encoder chain", uwsgi_opt_add_string_list, &uwsgi.requested_log_req_encoders, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
|
||||
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
{"log-drain", required_argument, 0, "drain (do not show) log lines matching the specified regexp", uwsgi_opt_add_regexp_list, &uwsgi.log_drain_rules, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
|
||||
{"log-filter", required_argument, 0, "show only log lines matching the specified regexp", uwsgi_opt_add_regexp_list, &uwsgi.log_filter_rules, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
|
||||
{"log-route", required_argument, 0, "log to the specified named logger if regexp applied on logline matches", uwsgi_opt_add_regexp_custom_list, &uwsgi.log_route, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
|
||||
@@ -736,7 +736,7 @@ static struct uwsgi_option uwsgi_base_op
|
||||
{"alarm-lq", required_argument, 0, "raise the specified alarm when the socket backlog queue is full", uwsgi_opt_add_string_list, &uwsgi.alarm_backlog, UWSGI_OPT_MASTER},
|
||||
{"alarm-listen-queue", required_argument, 0, "raise the specified alarm when the socket backlog queue is full", uwsgi_opt_add_string_list, &uwsgi.alarm_backlog, UWSGI_OPT_MASTER},
|
||||
{"listen-queue-alarm", required_argument, 0, "raise the specified alarm when the socket backlog queue is full", uwsgi_opt_add_string_list, &uwsgi.alarm_backlog, UWSGI_OPT_MASTER},
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
{"log-alarm", required_argument, 0, "raise the specified alarm when a log line matches the specified regexp, syntax: <alarm>[,alarm...] <regexp>", uwsgi_opt_add_string_list, &uwsgi.alarm_logs_list, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
|
||||
{"alarm-log", required_argument, 0, "raise the specified alarm when a log line matches the specified regexp, syntax: <alarm>[,alarm...] <regexp>", uwsgi_opt_add_string_list, &uwsgi.alarm_logs_list, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
|
||||
{"not-log-alarm", required_argument, 0, "skip the specified alarm when a log line matches the specified regexp, syntax: <alarm>[,alarm...] <regexp>", uwsgi_opt_add_string_list_custom, &uwsgi.alarm_logs_list, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
|
||||
@@ -915,7 +915,7 @@ static struct uwsgi_option uwsgi_base_op
|
||||
{"static-expires-type", required_argument, 0, "set the Expires header based on content type", uwsgi_opt_add_dyn_dict, &uwsgi.static_expires_type, UWSGI_OPT_MIME},
|
||||
{"static-expires-type-mtime", required_argument, 0, "set the Expires header based on content type and file mtime", uwsgi_opt_add_dyn_dict, &uwsgi.static_expires_type_mtime, UWSGI_OPT_MIME},
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
{"static-expires", required_argument, 0, "set the Expires header based on filename regexp", uwsgi_opt_add_regexp_dyn_dict, &uwsgi.static_expires, UWSGI_OPT_MIME},
|
||||
{"static-expires-mtime", required_argument, 0, "set the Expires header based on filename regexp and file mtime", uwsgi_opt_add_regexp_dyn_dict, &uwsgi.static_expires_mtime, UWSGI_OPT_MIME},
|
||||
|
||||
@@ -2424,7 +2424,7 @@ void uwsgi_setup(int argc, char *argv[],
|
||||
}
|
||||
|
||||
uwsgi_log_initial("clock source: %s\n", uwsgi.clock->name);
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
if (uwsgi.pcre_jit) {
|
||||
uwsgi_log_initial("pcre jit enabled\n");
|
||||
}
|
||||
@@ -4186,7 +4186,7 @@ void uwsgi_opt_add_string_list_custom(ch
|
||||
usl->custom = 1;
|
||||
}
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
void uwsgi_opt_add_regexp_list(char *opt, char *value, void *list) {
|
||||
struct uwsgi_regexp_list **ptr = (struct uwsgi_regexp_list **) list;
|
||||
uwsgi_regexp_new_list(ptr, value);
|
||||
@@ -4452,7 +4452,7 @@ void uwsgi_opt_add_dyn_dict(char *opt, c
|
||||
|
||||
}
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
void uwsgi_opt_add_regexp_dyn_dict(char *opt, char *value, void *dict) {
|
||||
|
||||
char *space = strchr(value, ' ');
|
||||
@@ -4467,7 +4467,7 @@ void uwsgi_opt_add_regexp_dyn_dict(char
|
||||
|
||||
char *regexp = uwsgi_concat2n(value, space - value, "", 0);
|
||||
|
||||
- if (uwsgi_regexp_build(regexp, &new_udd->pattern, &new_udd->pattern_extra)) {
|
||||
+ if (uwsgi_regexp_build(regexp, &new_udd->pattern)) {
|
||||
exit(1);
|
||||
}
|
||||
|
||||
--- a/uwsgi.h
|
||||
+++ b/uwsgi.h
|
||||
@@ -438,8 +438,26 @@ struct uwsgi_lock_ops {
|
||||
#define uwsgi_wait_read_req(x) uwsgi.wait_read_hook(x->fd, uwsgi.socket_timeout) ; x->switches++
|
||||
#define uwsgi_wait_write_req(x) uwsgi.wait_write_hook(x->fd, uwsgi.socket_timeout) ; x->switches++
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
+#ifdef UWSGI_PCRE2
|
||||
+
|
||||
+#define PCRE2_CODE_UNIT_WIDTH 8
|
||||
+#include <pcre2.h>
|
||||
+#define PCRE_OVECTOR_BYTESIZE(n) (n+1)*2
|
||||
+
|
||||
+typedef pcre2_code uwsgi_pcre;
|
||||
+
|
||||
+#else
|
||||
+
|
||||
#include <pcre.h>
|
||||
+#define PCRE_OVECTOR_BYTESIZE(n) (n+1)*3
|
||||
+
|
||||
+typedef struct {
|
||||
+ pcre *p;
|
||||
+ pcre_extra *extra;
|
||||
+} uwsgi_pcre;
|
||||
+
|
||||
+#endif
|
||||
#endif
|
||||
|
||||
struct uwsgi_dyn_dict {
|
||||
@@ -455,9 +473,8 @@ struct uwsgi_dyn_dict {
|
||||
struct uwsgi_dyn_dict *prev;
|
||||
struct uwsgi_dyn_dict *next;
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
- pcre *pattern;
|
||||
- pcre_extra *pattern_extra;
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
+ uwsgi_pcre *pattern;
|
||||
#endif
|
||||
|
||||
};
|
||||
@@ -468,11 +485,10 @@ struct uwsgi_hook {
|
||||
struct uwsgi_hook *next;
|
||||
};
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
struct uwsgi_regexp_list {
|
||||
|
||||
- pcre *pattern;
|
||||
- pcre_extra *pattern_extra;
|
||||
+ uwsgi_pcre *pattern;
|
||||
|
||||
uint64_t custom;
|
||||
char *custom_str;
|
||||
@@ -1089,11 +1105,11 @@ struct uwsgi_plugin {
|
||||
void (*post_uwsgi_fork) (int);
|
||||
};
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
-int uwsgi_regexp_build(char *, pcre **, pcre_extra **);
|
||||
-int uwsgi_regexp_match(pcre *, pcre_extra *, char *, int);
|
||||
-int uwsgi_regexp_match_ovec(pcre *, pcre_extra *, char *, int, int *, int);
|
||||
-int uwsgi_regexp_ovector(pcre *, pcre_extra *);
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
+int uwsgi_regexp_build(char *, uwsgi_pcre **);
|
||||
+int uwsgi_regexp_match(uwsgi_pcre *, const char *, int);
|
||||
+int uwsgi_regexp_match_ovec(uwsgi_pcre *, const char *, int, int *, int);
|
||||
+int uwsgi_regexp_ovector(const uwsgi_pcre *);
|
||||
char *uwsgi_regexp_apply_ovec(char *, int, char *, int, int *, int);
|
||||
|
||||
int uwsgi_regexp_match_pattern(char *pattern, char *str);
|
||||
@@ -1182,8 +1198,7 @@ struct uwsgi_spooler {
|
||||
|
||||
struct uwsgi_route {
|
||||
|
||||
- pcre *pattern;
|
||||
- pcre_extra *pattern_extra;
|
||||
+ uwsgi_pcre *pattern;
|
||||
|
||||
char *orig_route;
|
||||
|
||||
@@ -1292,15 +1307,14 @@ struct uwsgi_alarm_fd {
|
||||
|
||||
struct uwsgi_alarm_fd *uwsgi_add_alarm_fd(int, char *, size_t, char *, size_t);
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
struct uwsgi_alarm_ll {
|
||||
struct uwsgi_alarm_instance *alarm;
|
||||
struct uwsgi_alarm_ll *next;
|
||||
};
|
||||
|
||||
struct uwsgi_alarm_log {
|
||||
- pcre *pattern;
|
||||
- pcre_extra *pattern_extra;
|
||||
+ uwsgi_pcre *pattern;
|
||||
int negate;
|
||||
struct uwsgi_alarm_ll *alarms;
|
||||
struct uwsgi_alarm_log *next;
|
||||
@@ -2234,7 +2248,7 @@ struct uwsgi_server {
|
||||
struct uwsgi_string_list *requested_log_encoders;
|
||||
struct uwsgi_string_list *requested_log_req_encoders;
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
int pcre_jit;
|
||||
struct uwsgi_regexp_list *log_drain_rules;
|
||||
struct uwsgi_regexp_list *log_filter_rules;
|
||||
@@ -2316,7 +2330,7 @@ struct uwsgi_server {
|
||||
int static_gzip_all;
|
||||
struct uwsgi_string_list *static_gzip_dir;
|
||||
struct uwsgi_string_list *static_gzip_ext;
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
struct uwsgi_regexp_list *static_gzip;
|
||||
#endif
|
||||
|
||||
@@ -2715,7 +2729,7 @@ struct uwsgi_server {
|
||||
int ssl_sessions_timeout;
|
||||
struct uwsgi_cache *ssl_sessions_cache;
|
||||
char *ssl_tmp_dir;
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
struct uwsgi_regexp_list *sni_regexp;
|
||||
#endif
|
||||
struct uwsgi_string_list *sni;
|
||||
@@ -3584,7 +3598,7 @@ void uwsgi_shutdown_all_sockets(void);
|
||||
void uwsgi_close_all_unshared_sockets(void);
|
||||
|
||||
struct uwsgi_string_list *uwsgi_string_new_list(struct uwsgi_string_list **, char *);
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
struct uwsgi_regexp_list *uwsgi_regexp_custom_new_list(struct uwsgi_regexp_list **, char *, char *);
|
||||
#define uwsgi_regexp_new_list(x, y) uwsgi_regexp_custom_new_list(x, y, NULL);
|
||||
#endif
|
||||
@@ -3838,7 +3852,7 @@ void uwsgi_opt_add_addr_list(char *, cha
|
||||
void uwsgi_opt_add_string_list_custom(char *, char *, void *);
|
||||
void uwsgi_opt_add_dyn_dict(char *, char *, void *);
|
||||
void uwsgi_opt_binary_append_data(char *, char *, void *);
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
void uwsgi_opt_pcre_jit(char *, char *, void *);
|
||||
void uwsgi_opt_add_regexp_dyn_dict(char *, char *, void *);
|
||||
void uwsgi_opt_add_regexp_list(char *, char *, void *);
|
||||
--- a/.github/workflows/compile-test.yml
|
||||
+++ b/.github/workflows/compile-test.yml
|
||||
@@ -9,6 +9,10 @@ on:
|
||||
jobs:
|
||||
build:
|
||||
|
||||
+ strategy:
|
||||
+ matrix:
|
||||
+ libpcre: [libpcre3-dev, libpcre2-dev]
|
||||
+
|
||||
runs-on: ubuntu-20.04
|
||||
|
||||
steps:
|
||||
@@ -20,7 +24,7 @@ jobs:
|
||||
run: |
|
||||
sudo apt update -qq
|
||||
sudo apt install --no-install-recommends -qqyf python3.8-dev \
|
||||
- libxml2-dev libpcre3-dev libcap2-dev \
|
||||
+ libxml2-dev ${{ matrix.libpcre }} libcap2-dev \
|
||||
libargon2-0-dev libsodium-dev \
|
||||
php7.4-dev libphp7.4-embed \
|
||||
liblua5.1-0-dev ruby2.7-dev \
|
||||
--- a/.github/workflows/test.yml
|
||||
+++ b/.github/workflows/test.yml
|
||||
@@ -21,7 +21,7 @@ jobs:
|
||||
run: |
|
||||
sudo apt update -qq
|
||||
sudo apt install --no-install-recommends -qqyf python${{ matrix.python-version }}-dev \
|
||||
- libpcre3-dev libjansson-dev libcap2-dev \
|
||||
+ libpcre2-dev libjansson-dev libcap2-dev \
|
||||
curl check
|
||||
- name: Install distutils
|
||||
if: contains(fromJson('["3.6","3.7","3.8","3.9","3.10","3.11"]'), matrix.python-version)
|
||||
--- a/plugins/php/php_plugin.c
|
||||
+++ b/plugins/php/php_plugin.c
|
||||
@@ -16,7 +16,7 @@ struct uwsgi_php {
|
||||
struct uwsgi_string_list *index;
|
||||
struct uwsgi_string_list *set;
|
||||
struct uwsgi_string_list *append_config;
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
struct uwsgi_regexp_list *app_bypass;
|
||||
#endif
|
||||
struct uwsgi_string_list *vars;
|
||||
@@ -63,7 +63,7 @@ struct uwsgi_option uwsgi_php_options[]
|
||||
{"php-fallback", required_argument, 0, "run the specified php script when the requested one does not exist", uwsgi_opt_set_str, &uphp.fallback, 0},
|
||||
{"php-fallback2", required_argument, 0, "run the specified php script relative to the document root when the requested one does not exist", uwsgi_opt_set_str, &uphp.fallback2, 0},
|
||||
{"php-fallback-qs", required_argument, 0, "php-fallback with QUERY_STRING set", uwsgi_opt_set_str, &uphp.fallback_qs, 0},
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
{"php-app-bypass", required_argument, 0, "if the regexp matches the uri the --php-app is bypassed", uwsgi_opt_add_regexp_list, &uphp.app_bypass, 0},
|
||||
#endif
|
||||
{"php-var", required_argument, 0, "add/overwrite a CGI variable at each request", uwsgi_opt_add_string_list, &uphp.vars, 0},
|
||||
@@ -810,10 +810,14 @@ int uwsgi_php_request(struct wsgi_reques
|
||||
wsgi_req->document_root_len = strlen(wsgi_req->document_root);
|
||||
|
||||
if (uphp.app) {
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
struct uwsgi_regexp_list *bypass = uphp.app_bypass;
|
||||
while (bypass) {
|
||||
+#ifdef UWSGI_PCRE2
|
||||
+ if (uwsgi_regexp_match(bypass->pattern, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
|
||||
+#else
|
||||
if (uwsgi_regexp_match(bypass->pattern, bypass->pattern_extra, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
|
||||
+#endif
|
||||
goto oldstyle;
|
||||
}
|
||||
bypass = bypass->next;
|
||||
@@ -849,7 +853,7 @@ appready:
|
||||
goto secure2;
|
||||
}
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
oldstyle:
|
||||
#endif
|
||||
|
||||
--- a/core/config.c
|
||||
+++ b/core/config.c
|
||||
@@ -314,7 +314,7 @@ int uwsgi_logic_opt_if_not_hostname(char
|
||||
return 0;
|
||||
}
|
||||
|
||||
-#ifdef UWSGI_PCRE
|
||||
+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
|
||||
int uwsgi_logic_opt_if_hostname_match(char *key, char *value) {
|
||||
if (uwsgi_regexp_match_pattern(uwsgi.logic_opt_data, uwsgi.hostname)) {
|
||||
add_exported_option(key, uwsgi_substitute(value, "%(_)", uwsgi.logic_opt_data), 0);
|
|
@ -5,12 +5,12 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=v2ray-core
|
||||
PKG_VERSION:=5.15.1
|
||||
PKG_VERSION:=5.15.3
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://codeload.github.com/v2fly/v2ray-core/tar.gz/v$(PKG_VERSION)?
|
||||
PKG_HASH:=461a65a1675f17ad95a2a5ddf0b016247a34aa376ed1738c143e7c6603ab4abd
|
||||
PKG_HASH:=32b325e54ee93fb3563c33d3c097592aa857370055d8ef1c50fd2387678843df
|
||||
|
||||
PKG_LICENSE:=MIT
|
||||
PKG_LICENSE_FILES:=LICENSE
|
||||
|
|
|
@ -5,38 +5,38 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=v2ray-geodata
|
||||
PKG_RELEASE:=r1
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_LICENSE_FILES:=LICENSE
|
||||
PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org>
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
|
||||
GEOIP_VER:=202404040040
|
||||
GEOIP_VER:=202404110039
|
||||
GEOIP_FILE:=geoip.dat.$(GEOIP_VER)
|
||||
define Download/geoip
|
||||
URL:=https://github.com/v2fly/geoip/releases/download/$(GEOIP_VER)/
|
||||
URL_FILE:=geoip.dat
|
||||
FILE:=$(GEOIP_FILE)
|
||||
HASH:=492a0af649accb4e9ae91f80a272e295ce6444489f6d85b389cdc635234c6ddf
|
||||
HASH:=d4a2e3666139dc98b76f1b0bc7db6b9dd9b35a5d2b0aecb5943e4211c1ebd026
|
||||
endef
|
||||
|
||||
GEOSITE_VER:=20240403140129
|
||||
GEOSITE_VER:=20240410101316
|
||||
GEOSITE_FILE:=dlc.dat.$(GEOSITE_VER)
|
||||
define Download/geosite
|
||||
URL:=https://github.com/v2fly/domain-list-community/releases/download/$(GEOSITE_VER)/
|
||||
URL_FILE:=dlc.dat
|
||||
FILE:=$(GEOSITE_FILE)
|
||||
HASH:=bcae4b8ff409117b8f24e6c62c0d5c8c9d4dca75d335e12f8ac3a22331a81c52
|
||||
HASH:=e74d3da9d4db57fba399f9093ffabbc6630a7cf10965ebcde07725a0f00e24d7
|
||||
endef
|
||||
|
||||
GEOSITE_IRAN_VER:=202404010028
|
||||
GEOSITE_IRAN_VER:=202404150255
|
||||
GEOSITE_IRAN_FILE:=iran.dat.$(GEOSITE_IRAN_VER)
|
||||
define Download/geosite-ir
|
||||
URL:=https://github.com/bootmortis/iran-hosted-domains/releases/download/$(GEOSITE_IRAN_VER)/
|
||||
URL_FILE:=iran.dat
|
||||
FILE:=$(GEOSITE_IRAN_FILE)
|
||||
HASH:=322d972bfb3f6bb5d960c6d7e14a732d75f0a32ad59ce609a1a9843eef51e257
|
||||
HASH:=7b29fd53c2a25c6d79eeb6f76cc4b0a0770fe00eee1ea4d7a4a9f77d49ca44ad
|
||||
endef
|
||||
|
||||
define Package/v2ray-geodata/template
|
||||
|
@ -51,7 +51,7 @@ define Package/v2ray-geoip
|
|||
$(call Package/v2ray-geodata/template)
|
||||
TITLE:=GeoIP List for V2Ray
|
||||
PROVIDES:=v2ray-geodata xray-geodata xray-geoip
|
||||
VERSION:=$(GEOIP_VER)-$(PKG_RELEASE)
|
||||
VERSION:=$(GEOIP_VER)-r$(PKG_RELEASE)
|
||||
LICENSE:=CC-BY-SA-4.0
|
||||
endef
|
||||
|
||||
|
@ -59,7 +59,7 @@ define Package/v2ray-geosite
|
|||
$(call Package/v2ray-geodata/template)
|
||||
TITLE:=Geosite List for V2Ray
|
||||
PROVIDES:=v2ray-geodata xray-geodata xray-geosite
|
||||
VERSION:=$(GEOSITE_VER)-$(PKG_RELEASE)
|
||||
VERSION:=$(GEOSITE_VER)-r$(PKG_RELEASE)
|
||||
LICENSE:=MIT
|
||||
endef
|
||||
|
||||
|
@ -67,7 +67,7 @@ define Package/v2ray-geosite-ir
|
|||
$(call Package/v2ray-geodata/template)
|
||||
TITLE:=Iran Geosite List for V2Ray
|
||||
PROVIDES:=xray-geosite-ir
|
||||
VERSION:=$(GEOSITE_IRAN_VER)-$(PKG_RELEASE)
|
||||
VERSION:=$(GEOSITE_IRAN_VER)-r$(PKG_RELEASE)
|
||||
LICENSE:=MIT
|
||||
endef
|
||||
|
||||
|
|
|
@ -41,15 +41,6 @@ CONFIGURE_ARGS+= \
|
|||
--with-kbuild="$(LINUX_DIR)" \
|
||||
--with-xtlibdir="/usr/lib/iptables"
|
||||
|
||||
ifdef CONFIG_EXTERNAL_TOOLCHAIN
|
||||
MAKE_FLAGS:= \
|
||||
$(patsubst ARCH=%,ARCH=$(LINUX_KARCH),$(MAKE_FLAGS)) \
|
||||
DEPMOD="/bin/true"
|
||||
|
||||
MAKE_INSTALL_FLAGS:= \
|
||||
$(patsubst ARCH=%,ARCH=$(LINUX_KARCH),$(MAKE_FLAGS)) \
|
||||
DEPMOD="/bin/true"
|
||||
else
|
||||
define Build/Compile
|
||||
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
|
||||
$(KERNEL_MAKE_FLAGS) \
|
||||
|
@ -65,7 +56,6 @@ define Build/Install
|
|||
DEPMOD="/bin/true" \
|
||||
install
|
||||
endef
|
||||
endif
|
||||
|
||||
# 1: extension/module suffix used in package name
|
||||
# 2: extension/module display name used in package title/description
|
||||
|
|
|
@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=shairport-sync
|
||||
PKG_VERSION:=4.3.2
|
||||
PKG_RELEASE:=3
|
||||
PKG_RELEASE:=5
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://codeload.github.com/mikebrady/shairport-sync/tar.gz/$(PKG_VERSION)?
|
||||
|
@ -29,7 +29,7 @@ define Package/shairport-sync/default
|
|||
SECTION:=sound
|
||||
CATEGORY:=Sound
|
||||
TITLE:=AirPlay compatible audio player
|
||||
DEPENDS:=@AUDIO_SUPPORT +libpthread +alsa-lib +libconfig +libdaemon +libpopt +libplist +libsodium +libgcrypt +libffmpeg-full +libuuid +nqptp
|
||||
DEPENDS:=@AUDIO_SUPPORT +libpthread +alsa-lib +libconfig +libdaemon +libpopt +libplist +libsodium +libgcrypt +libffmpeg-full +libuuid +nqptp +libmosquitto
|
||||
PROVIDES:=shairport-sync
|
||||
URL:=https://github.com/mikebrady/shairport-sync
|
||||
endef
|
||||
|
@ -80,6 +80,7 @@ CONFIGURE_ARGS += \
|
|||
--with-libdaemon \
|
||||
--with-airplay-2 \
|
||||
--with-pipe \
|
||||
--with-mqtt-client \
|
||||
--with-metadata
|
||||
|
||||
ifeq ($(BUILD_VARIANT),openssl)
|
||||
|
|
|
@ -37,6 +37,10 @@ config shairport-sync 'shairport_sync'
|
|||
# Session Control
|
||||
option sesctl_run_before_play_begins '' # /etc/shairport-sync-start.sh
|
||||
option sesctl_run_after_play_ends '' # /etc/shairport-sync-stop.sh
|
||||
option sesctl_run_before_entering_active_state '' # /path/to/script.sh
|
||||
option sesctl_run_after_exiting_active_state '' # /path/to/script.sh
|
||||
option sesctl_run_if_an_unfixable_error_is_detected '' # /path/to/script.sh
|
||||
option sesctl_run_when_volume_is_set '' # /path/to/script.sh
|
||||
option sesctl_wait_for_completion '' # no/yes
|
||||
option sesctl_session_interruption '' # no/yes
|
||||
option sesctl_session_timeout '' # 120
|
||||
|
@ -56,6 +60,17 @@ config shairport-sync 'shairport_sync'
|
|||
# Stdout
|
||||
option stdout_latency_offset '' # 0
|
||||
option stdout_buffer_length '' # 44100
|
||||
# MQTT: https://github.com/mikebrady/shairport-sync/blob/master/MQTT.md
|
||||
option mqtt_enabled 'no'
|
||||
option mqtt_hostname '127.0.0.1'
|
||||
option mqtt_port '1883'
|
||||
option mqtt_username '' # empty = no authentication
|
||||
option mqtt_password '' # empty = no authentication
|
||||
option mqtt_topic 'shairport'
|
||||
option mqtt_publish_raw 'no'
|
||||
option mqtt_publish_parsed 'no'
|
||||
option mqtt_publish_cover 'no'
|
||||
option mqtt_enable_remote 'no'
|
||||
# AO
|
||||
option ao_latency_offset '' # 0
|
||||
option ao_buffer_length '' # 44100
|
||||
|
|
|
@ -83,6 +83,10 @@ start_instance() {
|
|||
printf "{\n"
|
||||
append_str "$cfg" sesctl_run_before_play_begins "run_this_before_play_begins"
|
||||
append_str "$cfg" sesctl_run_after_play_ends "run_this_after_play_ends"
|
||||
append_str "$cfg" sesctl_run_before_entering_active_state "run_this_before_entering_active_state"
|
||||
append_str "$cfg" sesctl_run_after_exiting_active_state "run_this_after_exiting_active_state"
|
||||
append_str "$cfg" sesctl_run_if_an_unfixable_error_is_detected "run_this_if_an_unfixable_error_is_detected"
|
||||
append_str "$cfg" sesctl_run_when_volume_is_set "run_this_when_volume_is_set"
|
||||
append_str "$cfg" sesctl_wait_for_completion "wait_for_completion"
|
||||
append_str "$cfg" sesctl_session_interruption "allow_session_interruption"
|
||||
append_num "$cfg" sesctl_session_timeout "session_timeout"
|
||||
|
@ -116,6 +120,21 @@ start_instance() {
|
|||
append_num "$cfg" stdout_buffer_length "audio_backend_buffer_desired_length"
|
||||
printf "};\n\n"
|
||||
|
||||
# MQTT
|
||||
printf "mqtt =\n"
|
||||
printf "{\n"
|
||||
append_str "$cfg" mqtt_enabled "enabled"
|
||||
append_str "$cfg" mqtt_hostname "hostname"
|
||||
append_num "$cfg" mqtt_port "port"
|
||||
append_str "$cfg" mqtt_username "username"
|
||||
append_str "$cfg" mqtt_password "password"
|
||||
append_str "$cfg" mqtt_topic "topic"
|
||||
append_str "$cfg" mqtt_publish_raw "publish_raw"
|
||||
append_str "$cfg" mqtt_publish_parsed "publish_parsed"
|
||||
append_str "$cfg" mqtt_publish_cover "publish_cover"
|
||||
append_str "$cfg" mqtt_enable_remote "enable_remote"
|
||||
printf "};\n\n"
|
||||
|
||||
# AO audio back end
|
||||
printf "ao =\n"
|
||||
printf "{\n"
|
||||
|
|
|
@ -1,143 +0,0 @@
|
|||
#
|
||||
# This is free software, licensed under the GNU General Public License v2.
|
||||
# See /LICENSE for more information.
|
||||
#
|
||||
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=audit
|
||||
PKG_VERSION:=2.8.5
|
||||
PKG_RELEASE:=7
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=http://people.redhat.com/sgrubb/audit
|
||||
PKG_HASH:=0e5d4103646e00f8d1981e1cd2faea7a2ae28e854c31a803e907a383c5e2ecb7
|
||||
|
||||
PKG_MAINTAINER:=Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
PKG_LICENSE:=GPL-2.0-or-later
|
||||
PKG_LICENSE_FILES:=COPYING
|
||||
PKG_CPE_ID:=cpe:/a:linux_audit_project:linux_audit
|
||||
|
||||
PKG_FIXUP:=autoreconf
|
||||
PKG_BUILD_DIR=$(BUILD_DIR)/$(PKG_NAME)-packages/$(PKG_NAME)-$(PKG_VERSION)
|
||||
|
||||
PKG_BUILD_FLAGS:=no-mips16
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
|
||||
define Package/audit/Default
|
||||
TITLE:=Audit Daemon
|
||||
URL:=http://people.redhat.com/sgrubb/audit/
|
||||
endef
|
||||
|
||||
define Package/audit/Default/description
|
||||
The audit package contains the user space utilities for
|
||||
storing and searching the audit records generated by
|
||||
the audit subsystem in the Linux 2.6 kernel
|
||||
endef
|
||||
|
||||
define Package/libauparse
|
||||
$(call Package/audit/Default)
|
||||
SECTION:=libs
|
||||
CATEGORY:=Libraries
|
||||
TITLE+= (parsing shared library)
|
||||
DEPENDS:= +libaudit
|
||||
endef
|
||||
|
||||
define Package/libauparse/description
|
||||
$(call Package/audit/Default/description)
|
||||
This package contains the audit parsing shared library.
|
||||
endef
|
||||
|
||||
define Package/audit-utils
|
||||
$(call Package/audit/Default)
|
||||
SECTION:=utils
|
||||
CATEGORY:=Utilities
|
||||
TITLE+= (utilities)
|
||||
DEPENDS:= +libaudit +libauparse
|
||||
endef
|
||||
|
||||
define Package/audit-utils/description
|
||||
$(call Package/audit/Default/description)
|
||||
This package contains the audit utilities.
|
||||
endef
|
||||
|
||||
define Package/audit
|
||||
$(call Package/audit/Default)
|
||||
SECTION:=utils
|
||||
CATEGORY:=Utilities
|
||||
TITLE+= (daemon)
|
||||
DEPENDS:= +libaudit +libauparse +audit-utils +libev
|
||||
endef
|
||||
|
||||
define Package/audit/description
|
||||
$(call Package/audit/Default/description)
|
||||
This package contains the audit daemon.
|
||||
endef
|
||||
|
||||
CONFIGURE_VARS += \
|
||||
LDFLAGS_FOR_BUILD="$(HOST_LDFLAGS)" \
|
||||
CPPFLAGS_FOR_BUILD="$(HOST_CPPFLAGS)" \
|
||||
CFLAGS_FOR_BUILD="$(HOST_CFLAGS)" \
|
||||
CC_FOR_BUILD="$(HOSTCC)"
|
||||
|
||||
CONFIGURE_ARGS += \
|
||||
--without-libcap-ng \
|
||||
--disable-systemd \
|
||||
--without-python \
|
||||
--without-python3 \
|
||||
--disable-zos-remote
|
||||
|
||||
ifeq ($(ARCH),aarch64)
|
||||
CONFIGURE_ARGS += --with-aarch64
|
||||
else ifeq ($(ARCH),arm)
|
||||
CONFIGURE_ARGS += --with-arm
|
||||
endif
|
||||
|
||||
# We can't use the default, as the default passes $(MAKE_ARGS), which
|
||||
# overrides CC, CFLAGS, etc. and defeats the *_FOR_BUILD definitions
|
||||
# passed in CONFIGURE_VARS
|
||||
define Build/Compile
|
||||
$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR)/$(MAKE_PATH)
|
||||
endef
|
||||
|
||||
define Build/Install
|
||||
$(call Build/Install/Default,install)
|
||||
$(SED) 's%^dispatcher *=.*%dispatcher = /usr/sbin/audispd%' $(PKG_INSTALL_DIR)/etc/audit/auditd.conf
|
||||
endef
|
||||
|
||||
define Build/InstallDev
|
||||
$(INSTALL_DIR) $(1)/usr/include
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
|
||||
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
|
||||
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/*.pc $(1)/usr/lib/pkgconfig/
|
||||
$(INSTALL_DIR) $(1)/usr/lib
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/
|
||||
endef
|
||||
|
||||
define Package/libauparse/install
|
||||
$(INSTALL_DIR) $(1)/usr/lib
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libauparse.so.* $(1)/usr/lib/
|
||||
endef
|
||||
|
||||
define Package/audit-utils/install
|
||||
$(INSTALL_DIR) $(1)/usr/bin
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin/
|
||||
$(INSTALL_DIR) $(1)/usr/sbin
|
||||
$(CP) \
|
||||
$(PKG_INSTALL_DIR)/usr/sbin/{augenrules,audispd,audisp-remote,auditctl,autrace,aureport,ausearch} \
|
||||
$(1)/usr/sbin/
|
||||
endef
|
||||
|
||||
define Package/audit/install
|
||||
$(INSTALL_DIR) $(1)/etc/audit
|
||||
$(CP) $(PKG_INSTALL_DIR)/etc/audit/* $(1)/etc/audit/
|
||||
$(INSTALL_DIR) $(1)/etc/init.d
|
||||
$(INSTALL_BIN) ./files/audit.init $(1)/etc/init.d/audit
|
||||
$(INSTALL_DIR) $(1)/usr/sbin
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/auditd $(1)/usr/sbin/
|
||||
endef
|
||||
|
||||
$(eval $(call BuildPackage,libauparse))
|
||||
$(eval $(call BuildPackage,audit-utils))
|
||||
$(eval $(call BuildPackage,audit))
|
|
@ -1,16 +0,0 @@
|
|||
#!/bin/sh /etc/rc.common
|
||||
# Copyright (c) 2014 OpenWrt.org
|
||||
|
||||
START=11
|
||||
|
||||
USE_PROCD=1
|
||||
PROG=/usr/sbin/auditd
|
||||
|
||||
start_service() {
|
||||
mkdir -p /var/log/audit
|
||||
procd_open_instance
|
||||
procd_set_param command "$PROG" -n
|
||||
procd_set_param respawn
|
||||
procd_close_instance
|
||||
test -f /etc/audit/rules.d/audit.rules && /usr/sbin/auditctl -R /etc/audit/rules.d/audit.rules
|
||||
}
|
|
@ -1,122 +0,0 @@
|
|||
From c39a071e7c021f6ff3554aca2758e97b47a9777c Mon Sep 17 00:00:00 2001
|
||||
From: Steve Grubb <sgrubb@redhat.com>
|
||||
Date: Tue, 26 Feb 2019 18:33:33 -0500
|
||||
Subject: [PATCH] Add substitue functions for strndupa & rawmemchr
|
||||
|
||||
(cherry picked from commit d579a08bb1cde71f939c13ac6b2261052ae9f77e)
|
||||
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
||||
---
|
||||
auparse/auparse.c | 12 +++++++++++-
|
||||
auparse/interpret.c | 9 ++++++++-
|
||||
configure.ac | 14 +++++++++++++-
|
||||
src/ausearch-lol.c | 12 +++++++++++-
|
||||
4 files changed, 43 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/auparse/auparse.c
|
||||
+++ b/auparse/auparse.c
|
||||
@@ -1,5 +1,5 @@
|
||||
/* auparse.c --
|
||||
- * Copyright 2006-08,2012-17 Red Hat Inc., Durham, North Carolina.
|
||||
+ * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina.
|
||||
* All Rights Reserved.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifndef HAVE_STRNDUPA
|
||||
+static inline char *strndupa(const char *old, size_t n)
|
||||
+{
|
||||
+ size_t len = strnlen(old, n);
|
||||
+ char *tmp = alloca(len + 1);
|
||||
+ tmp[len] = 0;
|
||||
+ return memcpy(tmp, old, len);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
/* Returns 0 on success and 1 on error */
|
||||
static int extract_timestamp(const char *b, au_event_t *e)
|
||||
{
|
||||
--- a/auparse/interpret.c
|
||||
+++ b/auparse/interpret.c
|
||||
@@ -853,6 +853,13 @@ err_out:
|
||||
return print_escaped(id->val);
|
||||
}
|
||||
|
||||
+// rawmemchr is faster. Let's use it if we have it.
|
||||
+#ifdef HAVE_RAWMEMCHR
|
||||
+#define STRCHR rawmemchr
|
||||
+#else
|
||||
+#define STRCHR strchr
|
||||
+#endif
|
||||
+
|
||||
static const char *print_proctitle(const char *val)
|
||||
{
|
||||
char *out = (char *)print_escaped(val);
|
||||
@@ -863,7 +870,7 @@ static const char *print_proctitle(const
|
||||
// Proctitle has arguments separated by NUL bytes
|
||||
// We need to write over the NUL bytes with a space
|
||||
// so that we can see the arguments
|
||||
- while ((ptr = rawmemchr(ptr, '\0'))) {
|
||||
+ while ((ptr = STRCHR(ptr, '\0'))) {
|
||||
if (ptr >= end)
|
||||
break;
|
||||
*ptr = ' ';
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1,7 +1,7 @@
|
||||
dnl
|
||||
define([AC_INIT_NOTICE],
|
||||
[### Generated automatically using autoconf version] AC_ACVERSION [
|
||||
-### Copyright 2005-18 Steve Grubb <sgrubb@redhat.com>
|
||||
+### Copyright 2005-19 Steve Grubb <sgrubb@redhat.com>
|
||||
###
|
||||
### Permission is hereby granted, free of charge, to any person obtaining a
|
||||
### copy of this software and associated documentation files (the "Software"),
|
||||
@@ -72,6 +72,18 @@ dnl; posix_fallocate is used in audisp-r
|
||||
AC_CHECK_FUNCS([posix_fallocate])
|
||||
dnl; signalfd is needed for libev
|
||||
AC_CHECK_FUNC([signalfd], [], [ AC_MSG_ERROR([The signalfd system call is necessary for auditd]) ])
|
||||
+dnl; check if rawmemchr is available
|
||||
+AC_CHECK_FUNCS([rawmemchr])
|
||||
+dnl; check if strndupa is available
|
||||
+AC_LINK_IFELSE(
|
||||
+ [AC_LANG_SOURCE(
|
||||
+ [[
|
||||
+ #define _GNU_SOURCE
|
||||
+ #include <string.h>
|
||||
+ int main() { (void) strndupa("test", 10); return 0; }]])],
|
||||
+ [AC_DEFINE(HAVE_STRNDUPA, 1, [Let us know if we have it or not])],
|
||||
+ []
|
||||
+)
|
||||
|
||||
ALLWARNS=""
|
||||
ALLDEBUG="-g"
|
||||
--- a/src/ausearch-lol.c
|
||||
+++ b/src/ausearch-lol.c
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* ausearch-lol.c - linked list of linked lists library
|
||||
-* Copyright (c) 2008,2010,2014,2016 Red Hat Inc., Durham, North Carolina.
|
||||
+* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina.
|
||||
* All Rights Reserved.
|
||||
*
|
||||
* This software may be freely redistributed and/or modified under the
|
||||
@@ -152,6 +152,16 @@ static int compare_event_time(event *e1,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifndef HAVE_STRNDUPA
|
||||
+static inline char *strndupa(const char *old, size_t n)
|
||||
+{
|
||||
+ size_t len = strnlen(old, n);
|
||||
+ char *tmp = alloca(len + 1);
|
||||
+ tmp[len] = 0;
|
||||
+ return memcpy(tmp, old, len);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
/*
|
||||
* This function will look at the line and pick out pieces of it.
|
||||
*/
|
|
@ -1,21 +0,0 @@
|
|||
From 017e6c6ab95df55f34e339d2139def83e5dada1f Mon Sep 17 00:00:00 2001
|
||||
From: Steve Grubb <sgrubb@redhat.com>
|
||||
Date: Fri, 10 Jan 2020 21:13:50 -0500
|
||||
Subject: [PATCH 01/30] Header definitions need to be external when building
|
||||
with -fno-common (which is default in GCC 10) - Tony Jones
|
||||
|
||||
---
|
||||
src/ausearch-common.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/src/ausearch-common.h
|
||||
+++ b/src/ausearch-common.h
|
||||
@@ -50,7 +50,7 @@ extern pid_t event_pid;
|
||||
extern int event_exact_match;
|
||||
extern uid_t event_uid, event_euid, event_loginuid;
|
||||
extern const char *event_tuid, *event_teuid, *event_tauid;
|
||||
-slist *event_node_list;
|
||||
+extern slist *event_node_list;
|
||||
extern const char *event_comm;
|
||||
extern const char *event_filename;
|
||||
extern const char *event_hostname;
|
|
@ -1,52 +0,0 @@
|
|||
From 6b09724c69d91668418ddb3af00da6db6755208c Mon Sep 17 00:00:00 2001
|
||||
From: Steve Grubb <sgrubb@redhat.com>
|
||||
Date: Thu, 2 Sep 2021 15:01:12 -0400
|
||||
Subject: [PATCH] Make IPX packet interpretation dependent on the ipx header
|
||||
file existing
|
||||
|
||||
--- a/auparse/interpret.c
|
||||
+++ b/auparse/interpret.c
|
||||
@@ -44,8 +44,10 @@
|
||||
#include <linux/ax25.h>
|
||||
#include <linux/atm.h>
|
||||
#include <linux/x25.h>
|
||||
-#include <linux/if.h> // FIXME: remove when ipx.h is fixed
|
||||
-#include <linux/ipx.h>
|
||||
+#ifdef HAVE_IPX_HEADERS
|
||||
+ #include <linux/if.h> // FIXME: remove when ipx.h is fixed
|
||||
+ #include <linux/ipx.h>
|
||||
+#endif
|
||||
#include <linux/capability.h>
|
||||
#include <sys/personality.h>
|
||||
#include <sys/prctl.h>
|
||||
@@ -1158,6 +1160,7 @@ static const char *print_sockaddr(const
|
||||
x->sax25_call.ax25_call[6]);
|
||||
}
|
||||
break;
|
||||
+#ifdef HAVE_IPX_HEADERS
|
||||
case AF_IPX:
|
||||
{
|
||||
const struct sockaddr_ipx *ip =
|
||||
@@ -1167,6 +1170,7 @@ static const char *print_sockaddr(const
|
||||
str, ip->sipx_port, ip->sipx_network);
|
||||
}
|
||||
break;
|
||||
+#endif
|
||||
case AF_ATMPVC:
|
||||
{
|
||||
const struct sockaddr_atmpvc* at =
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -414,6 +414,12 @@ if test x"$LIBWRAP_LIBS" != "x"; then
|
||||
AC_DEFINE_UNQUOTED(HAVE_LIBWRAP, [], Define if tcp_wrappers support is enabled )
|
||||
fi
|
||||
|
||||
+# linux/ipx.h - deprecated in 2018
|
||||
+AC_CHECK_HEADER(linux/ipx.h, ipx_headers=yes, ipx_headers=no)
|
||||
+if test $ipx_headers = yes ; then
|
||||
+ AC_DEFINE(HAVE_IPX_HEADERS,1,[IPX packet interpretation])
|
||||
+fi
|
||||
+
|
||||
# See if we want to support lower capabilities for plugins
|
||||
LIBCAP_NG_PATH
|
||||
|
|
@ -2,11 +2,12 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=cni-plugins-nft
|
||||
PKG_VERSION:=1.0.12
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://github.com/greenpau/cni-plugins/archive/v$(PKG_VERSION)
|
||||
PKG_HASH:=51c4b41c61f46c7dfc691d52dba301e7d8189589e1a625772f761ea3ae804fb3
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_VERSION:=v$(PKG_VERSION)
|
||||
PKG_SOURCE_URL:=https://github.com/greenpau/cni-plugins
|
||||
PKG_MIRROR_HASH:=3bb778c8f48261eaaee8b14b9219f1730967ef16158b5b540d45da54ef580e53
|
||||
|
||||
PKG_MAINTAINER:=Oskari Rauta <oskari.rauta@gmail.com>
|
||||
PKG_LICENSE:=Apache-2.0
|
||||
|
@ -23,8 +24,6 @@ GO_PKG_BUILD_PKG:=github.com/greenpau/cni-plugins/cmd/cni-nftables-portmap \
|
|||
include $(INCLUDE_DIR)/package.mk
|
||||
include ../../lang/golang/golang-package.mk
|
||||
|
||||
PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)"
|
||||
|
||||
define Package/cni-plugins-nft
|
||||
SECTION:=utils
|
||||
CATEGORY:=Utilities
|
||||
|
|
|
@ -2,15 +2,16 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=cni-plugins
|
||||
PKG_VERSION:=1.1.1
|
||||
PKG_RELEASE:=1
|
||||
PKG_LICENSE:=Apache-2.0
|
||||
PKG_LICENSE_FILES:=LICENSE
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://github.com/containernetworking/plugins/archive/v$(PKG_VERSION)
|
||||
PKG_HASH:=c86c44877c47f69cd23611e22029ab26b613f620195b76b3ec20f589367a7962
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_VERSION:=v$(PKG_VERSION)
|
||||
PKG_SOURCE_URL:=https://github.com/containernetworking/plugins
|
||||
PKG_MIRROR_HASH:=4372700fa1fb159235586432800f228d92246d13571f5a29aa9bc58291eac6d9
|
||||
|
||||
PKG_MAINTAINER:=Daniel Golle <daniel@makrotopia.org>, Paul Spooren <mail@aparcar.org>
|
||||
PKG_LICENSE:=Apache-2.0
|
||||
PKG_LICENSE_FILES:=LICENSE
|
||||
|
||||
PKG_BUILD_DEPENDS:=golang/host
|
||||
PKG_BUILD_PARALLEL:=1
|
||||
|
@ -24,8 +25,6 @@ GO_PKG_BUILD_PKG:=github.com/containernetworking/plugins/plugins/main/... \
|
|||
include $(INCLUDE_DIR)/package.mk
|
||||
include ../../lang/golang/golang-package.mk
|
||||
|
||||
PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)"
|
||||
|
||||
define Package/cni-plugins
|
||||
SECTION:=utils
|
||||
CATEGORY:=Utilities
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=compose
|
||||
PKG_VERSION:=2.26.1
|
||||
PKG_RELEASE:=2
|
||||
PKG_VERSION:=2.27.0
|
||||
PKG_RELEASE:=1
|
||||
PKG_LICENSE:=Apache-2.0
|
||||
PKG_LICENSE_FILES:=LICENSE
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-v$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://codeload.github.com/docker/compose/tar.gz/v${PKG_VERSION}?
|
||||
PKG_HASH:=081ad40241f8e144cad088a65e6fd0ec588e3d36931e5baabb3dc5ab068ceb60
|
||||
PKG_HASH:=29b2232d1609dff03db74188a7944c85ba8b612f47a7e39938a43db8fb7d7067
|
||||
|
||||
PKG_MAINTAINER:=Javier Marcet <javier@marcet.info>
|
||||
|
||||
|
|
|
@ -47,7 +47,7 @@ define Package/dockerd
|
|||
+kmod-veth \
|
||||
+tini \
|
||||
+uci-firewall \
|
||||
@!(mips||mipsel)
|
||||
@!(mips||mips64||mipsel)
|
||||
USERID:=docker:docker
|
||||
MENU:=1
|
||||
endef
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=eza
|
||||
PKG_VERSION:=0.18.9
|
||||
PKG_VERSION:=0.18.11
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://codeload.github.com/eza-community/eza/tar.gz/v$(PKG_VERSION)?
|
||||
PKG_HASH:=917736591429813ef4cfce47bb2d3d87e9f1e142b2a6ebf74a345c3a15894918
|
||||
PKG_HASH:=92d810c36ac67038e2ed3c421087de8793eb0b9de332c9239096df9d52eb30e3
|
||||
|
||||
PKG_MAINTAINER:=Jonas Jelonek <jelonek.jonas@gmail.com>
|
||||
PKG_LICENSE:=MIT
|
||||
|
|
|
@ -31,7 +31,7 @@ define Package/mstflint
|
|||
CATEGORY:=Utilities
|
||||
TITLE:=Mellanox Firmware Burning and Diagnostics Tools
|
||||
URL:=https://github.com/Mellanox/mstflint
|
||||
DEPENDS:=@!(mips||mipsel) \
|
||||
DEPENDS:=@!(mips||mips64||mipsel) \
|
||||
+libcurl +liblzma +libopenssl +libsqlite3 \
|
||||
+libstdcpp +libxml2 +python3-ctypes \
|
||||
+python3-urllib +python3-xml +zlib
|
||||
|
|
|
@ -0,0 +1,91 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Hauke Mehrtens <hauke@hauke-m.de>
|
||||
Date: Sun, 14 Apr 2024 16:06:15 +0200
|
||||
Subject: Support POSIX basename() from musl libc
|
||||
|
||||
Musl libc 1.2.5 removed the definition of the basename() function from
|
||||
string.h and only provides it in libgen.h as the POSIX standard
|
||||
defines it.
|
||||
|
||||
This change fixes compilation with musl libc 1.2.5.
|
||||
````
|
||||
build_dir/target-mips_24kc_musl/rtty-mbedtls/rtty-8.1.1/src/file.c:156:24: error: implicit declaration of function 'basename' [-Werror=implicit-function-declaration]
|
||||
156 | const char *name = basename(path);
|
||||
| ^~~~~~~~
|
||||
````
|
||||
|
||||
basename() modifies the input string, copy it first with strdup(), If
|
||||
strdup() returns NULL the code will handle it.
|
||||
|
||||
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
||||
---
|
||||
src/file.c | 8 +++++++-
|
||||
src/filectl.c | 6 +++++-
|
||||
2 files changed, 12 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/src/file.c
|
||||
+++ b/src/file.c
|
||||
@@ -29,6 +29,7 @@
|
||||
#include <unistd.h>
|
||||
#include <mntent.h>
|
||||
#include <inttypes.h>
|
||||
+#include <libgen.h>
|
||||
#include <sys/statvfs.h>
|
||||
#include <linux/limits.h>
|
||||
#include <sys/sysinfo.h>
|
||||
@@ -153,13 +154,17 @@ static int start_upload_file(struct file
|
||||
{
|
||||
struct tty *tty = container_of(ctx, struct tty, file);
|
||||
struct rtty *rtty = tty->rtty;
|
||||
- const char *name = basename(path);
|
||||
+ const char *name;
|
||||
struct stat st;
|
||||
int fd;
|
||||
+ char *dirc;
|
||||
|
||||
+ dirc = strdup(path);
|
||||
+ name = basename(dirc);
|
||||
fd = open(path, O_RDONLY);
|
||||
if (fd < 0) {
|
||||
log_err("open '%s' fail: %s\n", path, strerror(errno));
|
||||
+ free(dirc);
|
||||
return -1;
|
||||
}
|
||||
|
||||
@@ -177,6 +182,7 @@ static int start_upload_file(struct file
|
||||
ctx->remain_size = st.st_size;
|
||||
|
||||
log_info("upload file: %s, size: %" PRIu64 "\n", path, (uint64_t)st.st_size);
|
||||
+ free(dirc);
|
||||
|
||||
return 0;
|
||||
}
|
||||
--- a/src/filectl.c
|
||||
+++ b/src/filectl.c
|
||||
@@ -30,6 +30,7 @@
|
||||
#include <errno.h>
|
||||
#include <stdio.h>
|
||||
#include <fcntl.h>
|
||||
+#include <libgen.h>
|
||||
|
||||
#include "utils.h"
|
||||
#include "file.h"
|
||||
@@ -75,6 +76,7 @@ static void handle_file_control_msg(int
|
||||
{
|
||||
struct file_control_msg msg;
|
||||
struct buffer b = {};
|
||||
+ char *dirc;
|
||||
|
||||
while (true) {
|
||||
if (buffer_put_fd(&b, fd, -1, NULL) < 0)
|
||||
@@ -90,7 +92,9 @@ static void handle_file_control_msg(int
|
||||
if (sfd > -1) {
|
||||
close(sfd);
|
||||
gettimeofday(&start_time, NULL);
|
||||
- printf("Transferring '%s'...Press Ctrl+C to cancel\n", basename(path));
|
||||
+ dirc = strdup(path);
|
||||
+ printf("Transferring '%s'...Press Ctrl+C to cancel\n", basename(dirc));
|
||||
+ free(dirc);
|
||||
|
||||
if (total_size == 0) {
|
||||
printf(" 100%% 0 B 0s\n");
|
|
@ -0,0 +1,72 @@
|
|||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Hauke Mehrtens <hauke@hauke-m.de>
|
||||
Date: Sun, 14 Apr 2024 15:33:51 +0200
|
||||
Subject: Support POSIX basename() from musl libc
|
||||
|
||||
Musl libc 1.2.5 removed the definition of the basename() function from
|
||||
string.h and only provides it in libgen.h as the POSIX standard
|
||||
defines it.
|
||||
|
||||
This change fixes compilation with musl libc 1.2.5.
|
||||
````
|
||||
build_dir/target-mips_24kc_musl/tini-0.19.0/src/tini.c:227:36: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
|
||||
227 | fprintf(file, "%s (%s)\n", basename(name), TINI_VERSION_STRING);
|
||||
build_dir/target-mips_24kc_musl/tini-0.19.0/src/tini.c:227:25: error: format '%s' expects argument of type 'char *', but argument 3 has type 'int' [-Werror=format=]
|
||||
227 | fprintf(file, "%s (%s)\n", basename(name), TINI_VERSION_STRING);
|
||||
| ~^ ~~~~~~~~~~~~~~
|
||||
| | |
|
||||
| char * int
|
||||
| %d
|
||||
|
||||
````
|
||||
|
||||
basename() modifies the input string, copy it first with strdup(), If
|
||||
strdup() returns NULL the code will handle it.
|
||||
|
||||
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
||||
---
|
||||
src/tini.c | 15 +++++++++++----
|
||||
1 file changed, 11 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/src/tini.c
|
||||
+++ b/src/tini.c
|
||||
@@ -14,6 +14,7 @@
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <stdbool.h>
|
||||
+#include <libgen.h>
|
||||
|
||||
#include "tiniConfig.h"
|
||||
#include "tiniLicense.h"
|
||||
@@ -224,14 +225,19 @@ int spawn(const signal_configuration_t*
|
||||
}
|
||||
|
||||
void print_usage(char* const name, FILE* const file) {
|
||||
- fprintf(file, "%s (%s)\n", basename(name), TINI_VERSION_STRING);
|
||||
+ char *dirc, *bname;
|
||||
+
|
||||
+ dirc = strdup(name);
|
||||
+ bname = basename(dirc);
|
||||
+
|
||||
+ fprintf(file, "%s (%s)\n", bname, TINI_VERSION_STRING);
|
||||
|
||||
#if TINI_MINIMAL
|
||||
- fprintf(file, "Usage: %s PROGRAM [ARGS] | --version\n\n", basename(name));
|
||||
+ fprintf(file, "Usage: %s PROGRAM [ARGS] | --version\n\n", bname);
|
||||
#else
|
||||
- fprintf(file, "Usage: %s [OPTIONS] PROGRAM -- [ARGS] | --version\n\n", basename(name));
|
||||
+ fprintf(file, "Usage: %s [OPTIONS] PROGRAM -- [ARGS] | --version\n\n", bname);
|
||||
#endif
|
||||
- fprintf(file, "Execute a program under the supervision of a valid init process (%s)\n\n", basename(name));
|
||||
+ fprintf(file, "Execute a program under the supervision of a valid init process (%s)\n\n", bname);
|
||||
|
||||
fprintf(file, "Command line options:\n\n");
|
||||
|
||||
@@ -261,6 +267,7 @@ void print_usage(char* const name, FILE*
|
||||
fprintf(file, " %s: Send signals to the child's process group.\n", KILL_PROCESS_GROUP_GROUP_ENV_VAR);
|
||||
|
||||
fprintf(file, "\n");
|
||||
+ free(dirc);
|
||||
}
|
||||
|
||||
void print_license(FILE* const file) {
|
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=usbmuxd
|
||||
PKG_VERSION:=1.1.1
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
||||
PKG_SOURCE_URL:=https://www.libimobiledevice.org/downloads
|
||||
|
@ -31,7 +31,7 @@ define Package/usbmuxd
|
|||
SUBMENU:=libimobiledevice
|
||||
TITLE:=USB multiplexing daemon
|
||||
URL:=https://www.libimobiledevice.org/
|
||||
DEPENDS:=+librt +libusb-1.0 +libusbmuxd +libopenssl +libimobiledevice
|
||||
DEPENDS:=+libusb-1.0 +libusbmuxd +libopenssl +libimobiledevice +usbutils
|
||||
endef
|
||||
|
||||
define Package/usbmuxd/description
|
||||
|
@ -50,7 +50,9 @@ endef
|
|||
CONFIGURE_ARGS += --with-systemd
|
||||
|
||||
define Package/usbmuxd/install
|
||||
$(INSTALL_DIR) $(1)/etc/hotplug.d/usb
|
||||
$(INSTALL_DIR) $(1)/etc/init.d
|
||||
$(INSTALL_BIN) ./files/usbmuxd.hotplug $(1)/etc/hotplug.d/usb/40-usbmuxd
|
||||
$(INSTALL_BIN) ./files/usbmuxd.init $(1)/etc/init.d/usbmuxd
|
||||
$(INSTALL_DIR) $(1)/usr/sbin
|
||||
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/usbmuxd $(1)/usr/sbin/
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
case "$ACTION" in
|
||||
bind)
|
||||
dev=/sys$DEVPATH
|
||||
|
||||
[ ! -f /tmp/iPhone.lock ] && [ -d ${dev}/net ] &&
|
||||
{
|
||||
readlink ${dev}/driver | grep -q ipheth &&
|
||||
{
|
||||
sleep 5
|
||||
carrier_path=${dev}/net/*/carrier
|
||||
carrier=`cat ${carrier_path}`
|
||||
|
||||
[ "${carrier}" = "0" ] &&
|
||||
{
|
||||
touch /tmp/iPhone.lock
|
||||
logger -p daemon.error -t iPhone ${carrier_path} = ${carrier}
|
||||
logger -p daemon.error -t iPhone `/usr/bin/usbreset iPhone`
|
||||
/etc/init.d/usbmuxd restart
|
||||
sleep 5 && rm -f /tmp/iPhone.lock &
|
||||
}
|
||||
}
|
||||
}
|
||||
;;
|
||||
esac
|
|
@ -12,11 +12,12 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=xxhash
|
||||
PKG_VERSION:=0.8.2
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=2
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://github.com/Cyan4973/xxHash/archive/v$(PKG_VERSION)
|
||||
PKG_HASH:=baee0c6afd4f03165de7a4e67988d16f0f2b257b51d0e3cb91909302a26a79c4
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_VERSION:=v$(PKG_VERSION)
|
||||
PKG_SOURCE_URL:=https://github.com/Cyan4973/xxHash
|
||||
PKG_MIRROR_HASH:=0602a12e9ecd009f97a2a845fb5e46af69a60f96547952e5b00228f33bed5cdd
|
||||
|
||||
# The source for the library (xxhash.c and xxhash.h) is BSD
|
||||
# The source for the command line tool (xxhsum.c) is GPLv2+
|
||||
|
@ -24,11 +25,10 @@ PKG_LICENSE:=BSD-2-Clause GPL-2.0-or-later
|
|||
PKG_LICENSE_FILES:=LICENSE cli/COPYING
|
||||
PKG_MAINTAINER:=Julien Malik <julien.malik@paraiso.me>
|
||||
|
||||
PKG_INSTALL:=1
|
||||
CMAKE_SOURCE_SUBDIR:=cmake_unofficial
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
|
||||
PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)"
|
||||
include $(INCLUDE_DIR)/cmake.mk
|
||||
|
||||
define Package/xxhash/Default
|
||||
TITLE:=Extremely fast hash algorithm
|
||||
|
@ -74,7 +74,7 @@ define Build/InstallDev
|
|||
$(INSTALL_DIR) $(1)/usr/include
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/include/*.h $(1)/usr/include/
|
||||
$(INSTALL_DIR) $(1)/usr/lib
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxxhash.{a,so*} $(1)/usr/lib/
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxxhash.so* $(1)/usr/lib/
|
||||
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libxxhash.pc $(1)/usr/lib/pkgconfig/
|
||||
endef
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue