Compare commits
7 Commits
d6af88c0f6
...
14f58f4b5e
Author | SHA1 | Date |
---|---|---|
qosmio | 14f58f4b5e | |
Dirk Brenken | 2c6d5adac0 | |
Josef Schlehofer | 9d49df0dab | |
Josef Schlehofer | 6d5e404a0c | |
Paul Spooren | 26c101edc3 | |
Goetz Goerisch | 8b08b29271 | |
Sean Khan | 9ec1a42420 |
|
@ -1,93 +0,0 @@
|
|||
FROM debian:10
|
||||
|
||||
|
||||
# Configuration version history
|
||||
# v1.0 - Initial version by Etienne Champetier
|
||||
# v1.0.1 - Run as non-root, add unzip, xz-utils
|
||||
# v1.0.2 - Add bzr
|
||||
# v1.0.3 - Verify usign signatures
|
||||
# v1.0.4 - Add support for Python3
|
||||
# v1.0.5 - Add 19.07 public keys, verify keys
|
||||
# v1.0.6 - Add 21.02 public keys, update Debian image to version 10, add rsync
|
||||
# v1.0.7 - Add 22.03 public keys, 18.06 v2 gpg key, 18.06 usign key
|
||||
|
||||
RUN apt update && apt install -y \
|
||||
build-essential \
|
||||
bzr \
|
||||
curl \
|
||||
jq \
|
||||
gawk \
|
||||
gettext \
|
||||
git \
|
||||
libncurses5-dev \
|
||||
libssl-dev \
|
||||
python \
|
||||
python3 \
|
||||
signify-openbsd \
|
||||
subversion \
|
||||
rsync \
|
||||
time \
|
||||
unzip \
|
||||
wget \
|
||||
xz-utils \
|
||||
zlib1g-dev \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
RUN useradd -c "OpenWrt Builder" -m -d /home/build -s /bin/bash build
|
||||
USER build
|
||||
ENV HOME /home/build
|
||||
|
||||
# OpenWrt Build System (PGP key for unattended snapshot builds)
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/626471F1.asc' | gpg --import \
|
||||
&& gpg --fingerprint --with-colons '<pgpsign-snapshots@openwrt.org>' | grep '^fpr:::::::::54CC74307A2C6DC9CE618269CD84BCED626471F1:$' \
|
||||
&& echo '54CC74307A2C6DC9CE618269CD84BCED626471F1:6:' | gpg --import-ownertrust
|
||||
|
||||
# OpenWrt Build System (PGP key for 17.01 "Reboot" release builds)
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/D52BBB6B.asc' | gpg --import \
|
||||
&& gpg --fingerprint --with-colons '<pgpsign-17.01@openwrt.org>' | grep '^fpr:::::::::B09BE781AE8A0CD4702FDCD3833C6010D52BBB6B:$' \
|
||||
&& echo 'B09BE781AE8A0CD4702FDCD3833C6010D52BBB6B:6:' | gpg --import-ownertrust
|
||||
|
||||
# OpenWrt Release Builder (18.06 Signing Key)
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/17E1CE16.asc' | gpg --import \
|
||||
&& gpg --fingerprint --with-colons '<openwrt-devel@lists.openwrt.org>' | grep '^fpr:::::::::6768C55E79B032D77A28DA5F0F20257417E1CE16:$' \
|
||||
&& echo '6768C55E79B032D77A28DA5F0F20257417E1CE16:6:' | gpg --import-ownertrust
|
||||
|
||||
# OpenWrt Build System (PGP key for 18.06 release builds)
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/15807931.asc' | gpg --import \
|
||||
&& gpg --fingerprint --with-colons '<pgpsign-18.06@openwrt.org>' | grep '^fpr:::::::::AD0507363D2BCE9C9E36CEC4FBCB78F015807931:$' \
|
||||
&& echo 'AD0507363D2BCE9C9E36CEC4FBCB78F015807931:6:' | gpg --import-ownertrust
|
||||
|
||||
# OpenWrt Build System (PGP key for 19.07 release builds)
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/2074BE7A.asc' | gpg --import \
|
||||
&& gpg --fingerprint --with-colons '<pgpsign-19.07@openwrt.org>' | grep '^fpr:::::::::D9C6901F45C9B86858687DFF28A39BC32074BE7A:$' \
|
||||
&& echo 'D9C6901F45C9B86858687DFF28A39BC32074BE7A:6:' | gpg --import-ownertrust
|
||||
|
||||
# OpenWrt Build System (PGP key for 21.02 release builds)
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/88CA59E8.asc' | gpg --import \
|
||||
&& gpg --fingerprint --with-colons '<pgpsign-21.02@openwrt.org>' | grep '^fpr:::::::::667205E379BAF348863A5C6688CA59E88F681580:$' \
|
||||
&& echo '667205E379BAF348863A5C6688CA59E88F681580:6:' | gpg --import-ownertrust
|
||||
|
||||
# OpenWrt Build System (GnuPGP key for 22.03 release builds)
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=gpg/CD54E82DADB3684D.asc' | gpg --import \
|
||||
&& gpg --fingerprint --with-colons '<pgpsign-22.03@openwrt.org>' | grep '^fpr:::::::::BF856781A01293C8409ABE72CD54E82DADB3684D:$' \
|
||||
&& echo 'BF856781A01293C8409ABE72CD54E82DADB3684D:6:' | gpg --import-ownertrust
|
||||
|
||||
# untrusted comment: Public usign key for unattended snapshot builds
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/b5043e70f9a75cde' --create-dirs -o /home/build/usign/b5043e70f9a75cde \
|
||||
&& echo 'd7ac10f9ed1b38033855f3d27c9327d558444fca804c685b17d9dcfb0648228f */home/build/usign/b5043e70f9a75cde' | sha256sum --check
|
||||
|
||||
# untrusted comment: Public usign key for 18.06 release builds
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/1035ac73cc4e59e3' --create-dirs -o /home/build/usign/1035ac73cc4e59e3 \
|
||||
&& echo '8dc2e7f5c4e634437e6641f4df77a18bf59f0c8e9016c8ba4be5d4a0111e68c2 */home/build/usign/1035ac73cc4e59e3' | sha256sum --check
|
||||
|
||||
# untrusted comment: Public usign key for 19.07 release builds
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/f94b9dd6febac963' --create-dirs -o /home/build/usign/f94b9dd6febac963 \
|
||||
&& echo 'b1d09457cfbc36fccfe18382d65c54a2ade3e7fd3902da490a53aa517b512755 */home/build/usign/f94b9dd6febac963' | sha256sum --check
|
||||
|
||||
# untrusted comment: Public usign key for 21.02 release builds
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/2f8b0b98e08306bf' --create-dirs -o /home/build/usign/2f8b0b98e08306bf \
|
||||
&& echo 'd102bdd75421c62490b97f520f9db06aadb44ad408b244755d26e96ea5cd3b7f */home/build/usign/2f8b0b98e08306bf' | sha256sum --check
|
||||
|
||||
# untrusted comment: Public usign key for 22.03 release builds
|
||||
RUN curl 'https://git.openwrt.org/?p=keyring.git;a=blob_plain;f=usign/4d017e6f1ed5d616' --create-dirs -o /home/build/usign/4d017e6f1ed5d616 \
|
||||
&& echo 'f3c5fdf447d7c2743442e68077d60acc7c3e91754849e1f4b6be837b4204b7e2 */home/build/usign/4d017e6f1ed5d616' | sha256sum --check
|
|
@ -1,6 +0,0 @@
|
|||
# Build/update the docker image
|
||||
|
||||
docker pull debian:10
|
||||
docker build --rm -t docker.io/openwrtorg/packages-cci:latest .
|
||||
docker tag <IMAGE ID> docker.io/openwrtorg/packages-cci:<VERSION-TAG>
|
||||
docker push docker.io/openwrtorg/packages-cci
|
|
@ -1,182 +0,0 @@
|
|||
version: 2.0
|
||||
jobs:
|
||||
build:
|
||||
docker:
|
||||
- image: docker.io/openwrtorg/packages-cci:v1.0.7
|
||||
environment:
|
||||
- SDK_HOST: "downloads.openwrt.org"
|
||||
- SDK_PATH: "snapshots/targets/ath79/generic"
|
||||
- SDK_FILE: "openwrt-sdk-ath79-generic_*.Linux-x86_64.tar.xz"
|
||||
- BRANCH: "master"
|
||||
steps:
|
||||
- checkout:
|
||||
path: ~/openwrt_packages
|
||||
|
||||
- run:
|
||||
name: Check changes / verify commits
|
||||
working_directory: ~/openwrt_packages
|
||||
command: |
|
||||
cat >> $BASH_ENV <<EOF
|
||||
echo_red() { printf "\033[1;31m\$*\033[m\n"; }
|
||||
echo_green() { printf "\033[1;32m\$*\033[m\n"; }
|
||||
echo_blue() { printf "\033[1;34m\$*\033[m\n"; }
|
||||
EOF
|
||||
source $BASH_ENV
|
||||
|
||||
RET=0
|
||||
for commit in $(git rev-list HEAD ^origin/$BRANCH); do
|
||||
echo_blue "=== Checking commit '$commit'"
|
||||
if git show --format='%P' -s $commit | grep -qF ' '; then
|
||||
echo_red "Pull request should not include merge commits"
|
||||
RET=1
|
||||
fi
|
||||
|
||||
author="$(git show -s --format=%aN $commit)"
|
||||
if echo $author | grep -q '\S\+\s\+\S\+'; then
|
||||
echo_green "Author name ($author) seems ok"
|
||||
else
|
||||
echo_red "Author name ($author) need to be your real name 'firstname lastname'"
|
||||
RET=1
|
||||
fi
|
||||
|
||||
subject="$(git show -s --format=%s $commit)"
|
||||
if echo "$subject" | grep -q -e '^[0-9A-Za-z,+/_-]\+: ' -e '^Revert '; then
|
||||
echo_green "Commit subject line seems ok ($subject)"
|
||||
else
|
||||
echo_red "Commit subject line MUST start with '<package name>: ' ($subject)"
|
||||
RET=1
|
||||
fi
|
||||
|
||||
body="$(git show -s --format=%b $commit)"
|
||||
sob="$(git show -s --format='Signed-off-by: %aN <%aE>' $commit)"
|
||||
if echo "$body" | grep -qF "$sob"; then
|
||||
echo_green "Signed-off-by match author"
|
||||
else
|
||||
echo_red "Signed-off-by is missing or doesn't match author (should be '$sob')"
|
||||
RET=1
|
||||
fi
|
||||
done
|
||||
|
||||
exit $RET
|
||||
|
||||
- run:
|
||||
name: Download the SDK
|
||||
working_directory: ~/sdk
|
||||
command: |
|
||||
curl "https://$SDK_HOST/$SDK_PATH/sha256sums" -sS -o sha256sums
|
||||
curl "https://$SDK_HOST/$SDK_PATH/sha256sums.asc" -fs -o sha256sums.asc || true
|
||||
curl "https://$SDK_HOST/$SDK_PATH/sha256sums.sig" -fs -o sha256sums.sig || true
|
||||
if [ ! -f sha256sums.asc ] && [ ! -f sha256sums.sig ]; then
|
||||
echo_red "Missing sha256sums signature files"
|
||||
exit 1
|
||||
fi
|
||||
[ ! -f sha256sums.asc ] || gpg --with-fingerprint --verify sha256sums.asc sha256sums
|
||||
if [ -f sha256sums.sig ]; then
|
||||
VERIFIED=
|
||||
for KEY in ~/usign/*; do
|
||||
echo "Trying $KEY..."
|
||||
if signify-openbsd -V -q -p "$KEY" -x sha256sums.sig -m sha256sums; then
|
||||
echo "...verified"
|
||||
VERIFIED=1
|
||||
break
|
||||
fi
|
||||
done
|
||||
if [ -z "$VERIFIED" ]; then
|
||||
echo_red "Could not verify usign signature"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
rsync -av "$SDK_HOST::downloads/$SDK_PATH/$SDK_FILE" .
|
||||
sha256sum -c --ignore-missing sha256sums
|
||||
|
||||
- run:
|
||||
name: Prepare build_dir
|
||||
working_directory: ~/build_dir
|
||||
command: |
|
||||
tar Jxf ~/sdk/$SDK_FILE --strip=1
|
||||
touch .config
|
||||
make prepare-tmpinfo scripts/config/conf
|
||||
./scripts/config/conf --defconfig=.config Config.in
|
||||
make prereq
|
||||
rm .config
|
||||
cat > feeds.conf <<EOF
|
||||
src-git base https://github.com/openwrt/openwrt.git;$BRANCH
|
||||
src-link packages $HOME/openwrt_packages
|
||||
src-git luci https://github.com/openwrt/luci.git;$BRANCH
|
||||
EOF
|
||||
cat feeds.conf
|
||||
./scripts/feeds update -a > /dev/null
|
||||
make defconfig > /dev/null
|
||||
# enable BUILD_LOG
|
||||
sed -i 's/# CONFIG_BUILD_LOG is not set/CONFIG_BUILD_LOG=y/' .config
|
||||
|
||||
- run:
|
||||
name: Install & download source, check package, compile
|
||||
working_directory: ~/build_dir
|
||||
command: |
|
||||
set +o pipefail
|
||||
PKGS=$(cd ~/openwrt_packages; git diff --diff-filter=d --name-only "origin/$BRANCH..." | grep 'Makefile$' | grep -Ev '/files/|/src/' | awk -F/ '{ print $(NF-1) }')
|
||||
if [ -z "$PKGS" ] ; then
|
||||
echo_blue "WARNING: No new or modified packages found!"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo_blue "=== Found new/modified packages: $PKGS"
|
||||
for PKG in $PKGS ; do
|
||||
echo_blue "===+ Install: $PKG"
|
||||
./scripts/feeds install "$PKG"
|
||||
|
||||
echo_blue "===+ Download: $PKG"
|
||||
make "package/$PKG/download" V=s
|
||||
|
||||
echo_blue "===+ Check package: $PKG"
|
||||
make "package/$PKG/check" V=s 2>&1 | tee logtmp
|
||||
RET=${PIPESTATUS[0]}
|
||||
|
||||
if [ $RET -ne 0 ]; then
|
||||
echo_red "=> Package check failed: $RET)"
|
||||
exit $RET
|
||||
fi
|
||||
|
||||
badhash_msg="HASH does not match "
|
||||
badhash_msg+="|HASH uses deprecated hash,"
|
||||
badhash_msg+="|HASH is missing,"
|
||||
if grep -qE "$badhash_msg" logtmp; then
|
||||
echo_red "=> Package HASH check failed"
|
||||
exit 1
|
||||
fi
|
||||
echo_green "=> Package check OK"
|
||||
done
|
||||
|
||||
make \
|
||||
-f .config \
|
||||
-f tmp/.packagedeps \
|
||||
-f <(echo '$(info $(sort $(package-y) $(package-m)))'; echo -en 'a:\n\t@:') \
|
||||
| tr ' ' '\n' >enabled-package-subdirs.txt
|
||||
for PKG in $PKGS ; do
|
||||
if ! grep -m1 -qE "(^|/)$PKG$" enabled-package-subdirs.txt; then
|
||||
echo_red "===+ Building: $PKG skipped. It cannot be enabled with $SDK_FILE"
|
||||
continue
|
||||
fi
|
||||
echo_blue "===+ Building: $PKG"
|
||||
make "package/$PKG/compile" -j3 V=s || {
|
||||
RET=$?
|
||||
echo_red "===+ Building: $PKG failed, rebuilding with -j1 for human readable error log"
|
||||
make "package/$PKG/compile" -j1 V=s; exit $RET
|
||||
}
|
||||
done
|
||||
|
||||
- store_artifacts:
|
||||
path: ~/build_dir/logs
|
||||
|
||||
- store_artifacts:
|
||||
path: ~/build_dir/bin
|
||||
|
||||
workflows:
|
||||
version: 2
|
||||
buildpr:
|
||||
jobs:
|
||||
- build:
|
||||
filters:
|
||||
branches:
|
||||
ignore: master
|
|
@ -1,8 +1,8 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=syslog-ng
|
||||
PKG_VERSION:=4.6.0
|
||||
PKG_RELEASE:=2
|
||||
PKG_VERSION:=4.7.1
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_MAINTAINER:=Josef Schlehofer <pepe.schlehofer@gmail.com>
|
||||
PKG_LICENSE:=LGPL-2.1-or-later GPL-2.0-or-later
|
||||
|
@ -11,7 +11,7 @@ PKG_CPE_ID:=cpe:/a:balabit:syslog-ng
|
|||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://github.com/syslog-ng/syslog-ng/releases/download/$(PKG_NAME)-$(PKG_VERSION)/
|
||||
PKG_HASH:=b69e3360dfb96a754a4e1cbead4daef37128b1152a23572356db4ab64a475d4f
|
||||
PKG_HASH:=5477189a2d12325aa4faebfcf59f5bdd9084234732f0c3ec16dd253847dacf1c
|
||||
|
||||
PKG_BUILD_PARALLEL:=1
|
||||
PKG_INSTALL:=1
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Collect all local logs into a single file /var/log/messages.
|
||||
# See https://www.syslog-ng.com/technical-documents/list/syslog-ng-open-source-edition
|
||||
|
||||
@version: 4.6
|
||||
@version: 4.7
|
||||
@include "scl.conf"
|
||||
|
||||
options {
|
||||
|
|
|
@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=banip
|
||||
PKG_VERSION:=0.9.5
|
||||
PKG_RELEASE:=2
|
||||
PKG_RELEASE:=3
|
||||
PKG_LICENSE:=GPL-3.0-or-later
|
||||
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
|||
| adguard | adguard IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| adguardtrackers | adguardtracker IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| antipopads | antipopads IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| asn | ASN segments | | | x | tcp: 80, 443 | [Link](https://asn.ipinfo.app) |
|
||||
| asn | ASN segments | x | x | x | | [Link](https://asn.ipinfo.app) |
|
||||
| backscatterer | backscatterer IPs | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
|
||||
| becyber | malicious attacker IPs | x | x | | | [Link](https://github.com/duggytuxy/malicious_ip_addresses) |
|
||||
| binarydefense | binary defense banlist | x | x | | | [Link](https://iplists.firehol.org/?ipset=bds_atif) |
|
||||
|
@ -114,7 +114,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
|||
* It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu
|
||||
* If you're using a complex network setup, e.g. special tunnel interfaces, than untick the 'Auto Detection' option under the 'General Settings' tab and set the required options manually
|
||||
* Start the service with '/etc/init.d/banip start' and check everything is working by running '/etc/init.d/banip status' and also check the 'Firewall Log' and 'Processing Log' tabs
|
||||
* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs (see the options reference below)
|
||||
* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs, see the options reference table below
|
||||
|
||||
## banIP CLI interface
|
||||
* All important banIP functions are accessible via CLI.
|
||||
|
@ -428,12 +428,12 @@ A valid JSON source object contains the following information, e.g.:
|
|||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"descr": "tor exit nodes",
|
||||
"flag": "tcp 80-89 443"
|
||||
"flag": "gz tcp 80-88 udp 50000"
|
||||
},
|
||||
[...]
|
||||
```
|
||||
Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed.
|
||||
Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations.
|
||||
Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations - multiple definitions are possible.
|
||||
|
||||
## Support
|
||||
Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
|
||||
|
|
|
@ -595,24 +595,30 @@ f_etag() {
|
|||
# build initial nft file with base table, chains and rules
|
||||
#
|
||||
f_nftinit() {
|
||||
local wan_dev vlan_allow vlan_block log_ct log_icmp log_syn log_udp log_tcp feed_log feed_rc allow_proto allow_dport flag file="${1}"
|
||||
local wan_dev vlan_allow vlan_block log_ct log_icmp log_syn log_udp log_tcp feed_log feed_rc flag tmp_proto tmp_port allow_dport file="${1}"
|
||||
|
||||
wan_dev="$(printf "%s" "${ban_dev}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
|
||||
[ -n "${ban_vlanallow}" ] && vlan_allow="$(printf "%s" "${ban_vlanallow%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
|
||||
[ -n "${ban_vlanblock}" ] && vlan_block="$(printf "%s" "${ban_vlanblock%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
|
||||
|
||||
for flag in ${ban_allowflag}; do
|
||||
if [ -z "${allow_proto}" ] && { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; }; then
|
||||
allow_proto="${flag}"
|
||||
elif [ -n "${allow_proto}" ] && [ -n "${flag//[![:digit]-]/}" ] && ! printf "%s" "${allow_dport}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||
if [ -z "${allow_dport}" ]; then
|
||||
allow_dport="${flag}"
|
||||
else
|
||||
allow_dport="${allow_dport}, ${flag}"
|
||||
if [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; then
|
||||
if [ -z "${tmp_proto}" ]; then
|
||||
tmp_proto="${flag}"
|
||||
elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||
tmp_proto="${tmp_proto}, ${flag}"
|
||||
fi
|
||||
elif [ -n "${flag//[![:digit]-]/}" ]; then
|
||||
if [ -z "${tmp_port}" ]; then
|
||||
tmp_port="${flag}"
|
||||
elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||
tmp_port="${tmp_port}, ${flag}"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
[ -n "${allow_dport}" ] && allow_dport="${allow_proto} dport { ${allow_dport} }"
|
||||
if [ -n "${tmp_proto}" ] && [ -n "${tmp_port}" ]; then
|
||||
allow_dport="meta l4proto { ${tmp_proto} } th dport { ${tmp_port} }"
|
||||
fi
|
||||
|
||||
if [ "${ban_logprerouting}" = "1" ]; then
|
||||
log_icmp="log level ${ban_nftloglevel} prefix \"banIP/pre-icmp/drop: \""
|
||||
|
@ -697,7 +703,7 @@ f_nftinit() {
|
|||
#
|
||||
f_down() {
|
||||
local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file ruleset_raw handle rc etag_rc
|
||||
local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_proto feed_dport feed_target
|
||||
local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_target feed_dport tmp_proto tmp_port flag
|
||||
local feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}"
|
||||
|
||||
start_ts="$(date +%s)"
|
||||
|
@ -756,19 +762,25 @@ f_down() {
|
|||
# prepare feed flags
|
||||
#
|
||||
for flag in ${feed_flag}; do
|
||||
if [ "${flag}" = "gz" ] && ! printf "%s" "${feed_comp}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||
if [ "${flag}" = "gz" ]; then
|
||||
feed_comp="${flag}"
|
||||
elif [ -z "${feed_proto}" ] && { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; }; then
|
||||
feed_proto="${flag}"
|
||||
elif [ -n "${feed_proto}" ] && [ -n "${flag//[![:digit]-]/}" ] && ! printf "%s" "${feed_dport}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||
if [ -z "${feed_dport}" ]; then
|
||||
feed_dport="${flag}"
|
||||
else
|
||||
feed_dport="${feed_dport}, ${flag}"
|
||||
elif [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; then
|
||||
if [ -z "${tmp_proto}" ]; then
|
||||
tmp_proto="${flag}"
|
||||
elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||
tmp_proto="${tmp_proto}, ${flag}"
|
||||
fi
|
||||
elif [ -n "${flag//[![:digit]-]/}" ]; then
|
||||
if [ -z "${tmp_port}" ]; then
|
||||
tmp_port="${flag}"
|
||||
elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||
tmp_port="${tmp_port}, ${flag}"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
[ -n "${feed_dport}" ] && feed_dport="${feed_proto} dport { ${feed_dport} }"
|
||||
if [ -n "${tmp_proto}" ] && [ -n "${tmp_port}" ]; then
|
||||
feed_dport="meta l4proto { ${tmp_proto} } th dport { ${tmp_port} }"
|
||||
fi
|
||||
|
||||
# chain/rule maintenance
|
||||
#
|
||||
|
|
|
@ -36,8 +36,7 @@
|
|||
"url_6": "https://asn.ipinfo.app/api/text/list/",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"descr": "ASN IP segments",
|
||||
"flag": "tcp 80 443"
|
||||
"descr": "ASN IP segments"
|
||||
},
|
||||
"backscatterer":{
|
||||
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz",
|
||||
|
|
|
@ -1,28 +1,35 @@
|
|||
# [Jool](https://www.jool.mx)
|
||||
# [Jool](https://nicmx.github.io/Jool/en/index.html)
|
||||
|
||||
## Documentation
|
||||
|
||||
[See here](https://www.jool.mx/en/documentation.html).
|
||||
[See here](https://nicmx.github.io/Jool/en/documentation.html).
|
||||
|
||||
You might also want to see [contact info](https://www.jool.mx/en/contact.html).
|
||||
You might also want to see [contact info](https://nicmx.github.io/Jool/en/contact.html).
|
||||
|
||||
## Usage
|
||||
|
||||
### Start script
|
||||
|
||||
This package includes a start script that will:
|
||||
1. Read the configuration file `/etc/config/jool`
|
||||
2. Determine what services are active
|
||||
3. Run jool with procd
|
||||
|
||||
For now this means that:
|
||||
* The services will be disabled by default in the uci config `(/etc/config/jool)`
|
||||
* The only uci configuration support available for the package is to enable or disable each instance or the entire deamon
|
||||
* There is no uci support and configuration will be saved at `/etc/jool/*
|
||||
* Only one instance of jool(nat64) can run with the boot script
|
||||
* Only one instance of jool(siit) can run with the boot script
|
||||
* For now there is no way of overriding of the configuration file's paths
|
||||
1. Read the configuration file `/etc/config/jool`
|
||||
2. Determine what services are active
|
||||
3. Run `jool` with procd
|
||||
|
||||
The configuration files the startup script useses for each jool instance are:
|
||||
* jool(nat64): `/etc/jool/jool-nat64.conf.json`
|
||||
* jool(siit): `/etc/jool/jool-siit.conf.json`
|
||||
### For now this means that
|
||||
|
||||
- The services will be disabled by default in the uci config `(/etc/config/jool)`
|
||||
- The only uci configuration support available for the package is to enable or disable each instance or the entire deamon
|
||||
- There is no uci support and configuration will be saved at `/etc/jool/`
|
||||
- Only one instance of jool(nat64) can run with the boot script
|
||||
- Only one instance of jool(siit) can run with the boot script
|
||||
- For now there is no way of overriding of the configuration file's paths
|
||||
|
||||
The configuration files the startup script uses for each jool instance are:
|
||||
|
||||
- jool(nat64): `/etc/jool/jool-nat64.conf.json`
|
||||
- jool(siit): `/etc/jool/jool-siit.conf.json`
|
||||
|
||||
### OpenWrt tutorial
|
||||
|
||||
For a more detailed tutorial refer to this [wiki page](https://openwrt.org/docs/guide-user/network/ipv6/nat64).
|
||||
|
|
|
@ -0,0 +1,12 @@
|
|||
--- a/src/event/quic/ngx_event_quic_protection.c
|
||||
+++ b/src/event/quic/ngx_event_quic_protection.c
|
||||
@@ -510,7 +510,7 @@ ngx_quic_crypto_common(ngx_quic_secret_t
|
||||
}
|
||||
}
|
||||
|
||||
- if (EVP_CIPHER_mode(EVP_CIPHER_CTX_cipher(ctx)) == EVP_CIPH_CCM_MODE
|
||||
+ if (EVP_CIPHER_mode(EVP_CIPHER_CTX_get0_cipher(ctx)) == EVP_CIPH_CCM_MODE
|
||||
&& EVP_CipherUpdate(ctx, NULL, &len, NULL, in->len) != 1)
|
||||
{
|
||||
ngx_ssl_error(NGX_LOG_INFO, log, 0, "EVP_CipherUpdate() failed");
|
||||
|
Loading…
Reference in New Issue