This resolves this failure observed when building on a 6.12 kernel:
Package kmod-openvswitch is missing dependencies for the following libraries:
psample.ko
The psample module is provided by kmod-sched-act-sample.
Closes: https://github.com/openwrt/packages/issues/26571
Signed-off-by: Mathew McBride <matt@traverse.com.au>
Makefile:
* update version/release
Init Script:
* boot up reliability improvements:
  - change START from 50 to 20 to ensure procd_add_raw_trigger works on boot
  - better logic of checking/using the cache/compressed cache on boot
* new dnsmasq handling/integration logic:
  - new logic for checking dnsmasq functionality (similar to dnsmasq init script)
  - instead of copying/duplicating adblock-fast files per specified dnsmasq instance, create one file
    and add softlinks to it for specified dnsmasq instances and make sure it's in the instance's addnmounts
  - update dnsmasqConfFile, dnsmasqIpsetFile and dnsmasqNftsetFile to point to the same filename as the
    logic for integrating with dnsmasq is the same for those options
  - get the confdir for specified dnsmasq instances via ubus info/config file since the config_get is broken
    between releases by https://github.com/openwrt/openwrt/pull/14975
  - update clean-up procedures for other dns backend settings to properly clean up when switching away from
    dnsmasq.conf, dnsmasq.ipset, dnsmasq.nftset where the new logic is used
  - remove obsolete outputDnsmasqFileList variable and logic of building and using it
  - only create compressed cache in service_started after successful resolver restart with the block-file
* new package config / environment loading logic
  - switch away from using `load_validate_config` to start functions to loading package config "manually"
  - unset boolean variables which are non-true on package config load
  - switch checking values of such variables from `-eq 0` to empty/non-empty
* debugging improvements:
  - rename debug option to debug_init_script and proc_debug to debug_performance
  - output performance debug info to log only when debug_performance is set
* miscellaneous changes:
  - move best dl tool detection into its own function for reuse in adb_config_update
  - change uci_changes function to return 0/1 instead of the text of changes
  - improve mktemp calls reliability by creating the file and not using `-u` anymore
  - add remove_cache/remove_gzip calls to adb_file function
  - better readability of the start_service logic determining the action
  - change flock value from 207 to 209 to avoid collisions with pbr
  - temporarily switch namespaces when using jshn functions to avoid collisions with PROCD
  - move from using spaces to tabs in indentation in code
  - prevent Command Not Found message on uninstall
  - remove unneeded IPKG_INSTROOT check in the init script
  - update all sourcing instructions to include IPKG_INSTROOT in the path
Uci-defaults script:
* transition old debug and proc_debug options to debug_init_script/debug_performance
Signed-off-by: Stan Grishin <stangri@melmac.ca>
fail2ban changes:
- nftables support (iptables dependency removed)
- python3 support (old package patches removed)
- Upstream patches backports:
- filter.d/dropbear.conf: failregex extended to match different format of "Exit before auth" message
- cherry-pick from debian: debian default banactions are nftables, systemd backend for sshd
- Removed unresponsive/unreachable maintainer.
Fixes: https://github.com/openwrt/packages/issues/23015 ("fail2ban: very old version")
Signed-off-by: Andrey Zotikov <andrey.zotikov@gmail.com>
Summary:
The current build does not produce an NFSV4 capable package. This commit
fixes that by providing a v3 and v4 variant to empower users to have either.
Approx. size differences between v3 and v4:
The v4 variant is approximately 16 MiB larger than the v3 variant
due to additional dependencies, kernel modules, etc.[1]
Detailed changes:
1. Split into a v3 and v4 version series of packages. In doing
this, the build-time V4 options are removed which is a major "win"
from a user's perspective because it means that for both release and
for snapshot builds, both options will be available to users of the
binary hosted packages.
2. Since V3 and V4 require different init processes, we should simplify
daemon management by providing a single init script unique to each
variant.
3. Added CPE_ID and PKG_LICENSE and also added myself as the Makefile
MAINTAINER.
Discussion about the v4 initd script:
It should be noted that mimicking the systemd implementation in an init.d
script with procd was not straightforward. There are some quirks
associated with the interplay of the five executables (listed below)
with procd, but despite them, the init script works reliably based
on my somewhat extensive testing.
My observations and justification for the script as-is:
1a. procd_set_param command /usr/sbin/nfsdcld cannot be started with an
appended -F as doing so will somehow cause the executable to never
connect to the communication pipe: /var/lib/nfs/rpc_pipefs/nfsd/cld.
In fact, if you run `watch -n 1 tree /var/lib/nfs/rpc_pipefs` while
calling the init.d script to start, this pipe will quickly disappear
resulting in nfsdcld being unable to find it and thus fail to track
clients. On the other hand, starting it as I have in the init.d
script works as expected.
1b. Starting /usr/sbin/nfsdcld even with the -F arg outside of procd
also results in the communication pipe quickly disappearing.
2. Even though rpc.nfsd is a user space util, and even though it runs
and then exits, it must be started by procd with the procd_set_param
or else, the communication pipe: /var/lib/nfs/rpc_pipefs/nfsd/cld
will again quickly disappear breaking client tracking.
3. The addition of the umountem function keeps syslog output cleaner as
a shutdown of rpc.idmapd will cause the following to be logged:
daemon.warn rpc.idmapd[xxxxx]: dirscancb: scandir(/var/lib/nfs/rpc_pipefs//nfs): No such file or directory
Adding a 1 sec delay allows procd to kill it before we umount the
nfs related mounts to prevent that warning.
4. I can find no way to suppress rpc.idmapd and nfsv4.exportd reporting
that they received a SIGTERM (signal 15). The syslog will contain
two lines on exit, e.g.:
daemon.warn rpc.idmapd[1894]: exiting on signal 15
daemon.notice nfsv4.exportd[1893]: Caught signal 15, exiting.
The result of points 1 and 2 means that if a user queries the status of
the daemon when running (i.e. /etc/init.d/nfsv4d status), it will show:
running (2/4) despite the kernel serving up NFSV4 mounts 100% correctly.
I am unaware of a more perfect approximation of the systemd units.
List of the five needed calls:
* /usr/sbin/nfsv4.exportd (run once then quit)
* /usr/sbin/rpc.idmapd (needs to continue running)
* /usr/sbin/nfsdcld (needs to continue running)
* /usr/sbin/exportfs -r (run once then quit)
* /usr/sbin/rpc.nfsd -N 3 (run once then quit)
1. As assessed by comparing the uncompressed img files from a build of a
minimal image for x86/64 with the v3 variant vs with the v4.
Both variants have been tested and work.
v3:
On a network node, the NFSV3 export is fully functional:
% mount -t nfs -o vers=3 10.9.8.1:/mnt/data/nfs/misc ok
% mount | grep ok
10.9.8.1:/mnt/data/nfs/misc on /home/facade/ok type nfs (rw,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.9.8.1,mountvers=3,mountport=32780,mountproto=udp,local_lock=none,addr=10.9.8.1)
v4:
On a network node, the NFSV4 export is fully functional:
% mount 10.9.8.1:/misc ok
% mount | grep ok
10.9.8.1:/mnt/data/nfs/misc on /home/facade/ok type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.9.8.102,local_lock=none,addr=10.9.8.1)
Finally, added 240-fix-cleanup_lockfiles-function-linkage-in-exportd.patch[1]
1. https://marc.info/?l=linux-nfs&m=175604879721922&w=2
From commit msg therein:
The cleanup_lockfiles function in utils/exportd/exportd.c was declared
as 'inline void' without a proper function prototype, causing linker
errors during the build process:
exportd.c:(.text+0x5a): undefined reference to `cleanup_lockfiles'
exportd.c:(.text.startup+0x317): undefined reference to `cleanup_lockfiles'
This occurred because:
1. The inline keyword prevented the compiler from generating a callable
function symbol in some build configurations
2. The function lacked a proper prototype declaration, triggering
-Werror=missing-prototypes
The fix changes the function to:
- Remove the 'inline' keyword to ensure symbol generation
- Add a proper static function prototype
- Make the function 'static' since it's only used within exportd.c
This resolves both the linking error and the missing prototype warning,
allowing exportd to build successfully in OpenWrt's cross-compilation
environment.
Co-authored-by: Maxim Storchak <m.storchak@gmail.com>
Co-authored-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: John Audia <therealgraysky@proton.me>
fixes CVE-2025-4820, CVE-2025-4821, CVE-2025-7054
adds python-yaml/host build dep as the dnsdist configuration handling
is now (since 2.0.0) generated at build time
Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>
It was discovered that even while using ``--enable-redis=no``
and ``--disable-redis`` it was still linking with libhiredis.
This avoids picking up libhiredis as a dependency:
```
Package knot is missing dependencies for the following libraries:
libhiredis.so.1.1.0
```
Fixes: cbbd2b5b3b ("knot: disable redis as it was enabled since 3.5.0 by default")
Signed-off-by: Jan Hák <jan.hak@nic.cz>
This change adds the ability to invoke acme.sh with the --alpn option,
invoking a TLS-ALPN-01 challenge on port 443.
Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
Netatalk 4.3.x adds the option to use sqlite as a CNID DB. This
is now a config option for the full package.
(mysql is also an option but this has not been included here yet).
As CNID DB backends are now managed by the netatalk meta-daemon
the init script has been updated to use it instead of starting
afpd & dbd manually.
Cleaned up tab/space issues here and there.
Signed-off-by: Antonio Pastor <antonio.pastor@gmail.com>
This reverts commit 366629b117.
It has been determined that the URL currently in use points to v1. The
previously used URL remains valid and is correct. If someone requires the
v1 URL, a new provider must be created.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Calculating the next check time based on the last update time is not
very accurate if the next check is a large multiple forwards from the
last update time because the cumulative sleeps and wake times are not
exact but best effort of the OS. Other factors including clock-drift
give rise to a larger time discrepancy the further the next update is in
the future.
Stash the next check time which should be quite accurate since it's
only one sleep instance away. This is also for use in the GUI.
Tested on 24.10.2
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Using the broker_selection param makes it possible to decide by use (default),
always use the first available broker to connect or select a random broker
See also: 51a5e46ad1/client/l2tp_client.c (L1331-L1333)
Signed-off-by: Florian Maurer <f.maurer@outlook.de>
* add adblock-fast to the Ad Blocking segment
* fix grammar (Its -> It's)
* modify last paragraph of the instructions as they are specific to adblock
Signed-off-by: Stan Grishin <stangri@melmac.ca>
When snort is run with the --version option, it advertises components'
versions in the output. Add a patch to modify the output to clearly
show vectorscan is in use.
Signed-off-by: John Audia <therealgraysky@proton.me>
* Replacement of hyperscan-runtime reference with vectorscan-runtime
* Added support for all aarch64 targets which I believe is exhaustive
For x86 and x86/64, I found that vectorscan is truly a drop-in
replacement for hyperscan as assessed by speedtests with snort3 running
on my Intel N150 PC. CPU load during the test with each condition was
nearly saturating on a single core for both cases on a symmetrical
Gbps line.
Using: https://www.waveform.com/tools/bufferbloat in IPS mode:
Download speed w/ hyperscan: 950-960 Mbit/s (n=2)
Download speed w/ vectorscan: 942-960 Mbit/s (n=2)
Using: https://www.speedtest.net in IPS mode:
Download speed w/ hyperscan: 996-1002 Mbit/s (n=2)
Download speed w/ vectorscan: 993-988 Mbit/s (n=2)
Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc (Intel N150 based box running snort3)
Signed-off-by: John Audia <therealgraysky@proton.me>
Drop 100-remove-HAVE_HS_COMPILE_LIT-to-work-around-upstream-b.patch as
it was only needed to fix the build against hyperscan. Vectorscan
builds fine without it.
Signed-off-by: John Audia <therealgraysky@proton.me>
What started in #20183 as an attempt to clean up noise in the logfiles,
turned out to be causing denial-of-service for dual-stack and especially
IPv6-only environments.
Breaking core network functionality cannot possibly be less important
than cosmetic issues, and those affected by log spam can avoid it via
other means (e.g. "query-source-v6 none;" in named.conf).
There's no reliable heuristic for determining whether there's IPv6
connectivity at the time bind is started which will catch any and all
corner cases, as discussed in #26327.
So, remove this logic for now. If a suitable heuristic can be devised,
it can always be added in a subsequent patch, but I have my doubts.
(Also, quote one variable to make shellcheck happy)
Closes: #26327
Closes: #20468
Signed-off-by: David Härdeman <david@hardeman.nu>
- The project was archived on Mar 22, 2024.
- The maintainer of the package and the upstream maintainer are the
same person, who has expressed their intention not to maintain the
package/project. See the quote[1] below:
> I haven't been maintaining this and I don't plan to spend any more
> time on it. Happy to hand it off, if someone is willing to take it on.
- The latest significant commit for the package (no treewide changes)
is commit 2c71d5bcd4 from Mar 29, 2020.
- The latest upstream commit[2] is from Mar 22, 2024, but it is a
documentation or cosmetic change. After this, the latest commits[3]
are from Apr 6, 2019.
[1]: https://github.com/openwrt/packages/pull/27398#issuecomment-3250671659
[2]: 776fe2bb48
[3]: dcce6aeb0a
Closes: https://github.com/openwrt/packages/issues/27394
Signed-off-by: Wesley Gimenes <wehagy@proton.me>
Update to v2.8.4
Shortlog:
Anna Schumaker (4):
rpcctl: Add support for `rpcctl switch add-xprt`
rpcctl: Display new rpc_clnt sysfs attributes
rpcctl: Add support for the xprtsec sysfs attribute
rpcctl: Rename {read,write}_addr_file()
Antonio Alvarez Feijoo (3):
nfsroot-generator: do not fail if nfsroot is not configured
systemd: Add a generator to mount /sysroot via NFSv4 in the initrd
systemd: Allow nfs-idmapd.service to be started without the server
Scott Mayhew (3):
rpc-statd.service: define dependency on both rpcbind.service and rpcbind.socket
nfsdctl: fix lockd config during autostart
nfsdctl: debug logging fixups
Steve Dickson (3):
Release: 2.8.4
configure.ac: AC_PROG_GCC_TRADITIONAL is obsolete.
nfsdctl: Warning Clean Up
zhangyaqi (2):
gssd:fix the possible buffer overflow in get_full_hostname
nfsdcld:Fix a memory leak
Thiago Becker (1):
nfsrahead: modify get_device_info logic
Yaakov Selkowitz (1):
Fix build with glibc-2.42
Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc
Signed-off-by: John Audia <therealgraysky@proton.me>