Commit Graph

12769 Commits

Author SHA1 Message Date
Tianling Shen
2ebf07e4d2 v2ray-geodata: Update to latest version
Update all geodata.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2025-10-15 02:35:59 +08:00
Goetz Goerisch
e6cd0b7c93 jool: update package flags to build nonshared
* currently the package is built with the latest kernel version in a branch
* if the package version is bumped it can no longer be installed on older point releases as userland and kmod do not match

Signed-off-by: Goetz Goerisch <ggoerisch@gmail.com>
2025-10-15 01:38:16 +08:00
Andris PE
f8d25a0b0f stubby: reduce idle_timeout as recommended upstream
Reduce idle_timeout parameter from 10s to 9s as recommended upstream
Add a pointer to upstream documentation

Ref: 7f07bde70e/stubby.yml.example (L249)
Signed-off-by: Andris PE <neandris@gmail.com>
2025-10-12 19:17:16 +03:00
John Audia
a503ffe6b8 openssh: update to 10.1p1
Changelog: https://www.openssh.com/txt/release-10.1

Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-10-11 19:01:17 +03:00
Daniel Golle
f24c97fff8 gnunet: update to version 0.25.1
GNUnet 0.25 dropped the autotools based build system and now requires
being built with Meson. As expected there are some cross-compiling
related issues which have been fixed using downstream patches by now.

v0.25.1:
  - transport: hotfix incorrect communicator key derivations
  - tests: make failing tests work again
  - util: Change to assigned HPKE codepoint for DHKEM+Elligator. See https://www.iana.org/assignments/hpke/
  - fs: service failed to start because of PILS addition

v0.25.0:
  - util: Removed authkem from HPKE implementation as it is going to be removed from the RFC9180bis spec and is unused in GNUnet anyway.
  - core: New AKE implementation.
  - pils: New service.
  - gns: Various improvements to performance and DNS migration tooling.
  - build: Retired autotools.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2025-10-11 16:51:00 +01:00
Josef Schlehofer
261d1b0948 snort3: update dependencies after package renames
The gperftools and vectorscan packages have been simplified by removing
their -runtime and -headers splits. Update snort3 to use the new package
names.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-10-11 14:53:01 +02:00
Stan Grishin
cb37034add adblock-fast: bugfixes
* bugfix: remove IPKG_INSTROOT check
* bugfix: do not attempt to download config update if package is disabled

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2025-10-10 17:41:35 -07:00
Stan Grishin
62cc35aca9 https-dns-proxy: bugfix: remove IPKG_INSTROOT check
Signed-off-by: Stan Grishin <stangri@melmac.ca>
2025-10-10 17:41:21 -07:00
Stan Grishin
de224a5587 pbr: update to 1.2.0-r2
Makefile:
* stop shipping/dealing with the firewall hotplug (obsolete)
* install a third user-script (dnsprefetch) by @betonmischer

Config:
* remove obsolete options
* include the new user script

Init-script:
* start much earlier so that on boot, the procd_add_raw_trigger works on all systems
* create a ubus() helper function so that service delete does not produce "Command not found"
* rename options to better reflect their function:
  * procd_lan_device to lan_device
  * procd_wan_interface to uplink_interface
  * procd_wan6_interface to uplink_interface6
  * procd_wan6_metric to uplink_interface6_metric
  * wan_ip_rules_priority to uplink_ip_rules_priority
  * wan_mark to uplink_mark
* visually separate run-time variables from variables loaded from config options
* use ${IPKG_INSTROOT} when sourcing files
* fix typo in str_to_dnsmasq_nftset()
* use pidof to kill dnsmasq in dnsmasq_kill()
* add helper function uci_add_list_if_new()
* add helper function uci_changes()
* add helper function ubus() so that service delete does not produce "Command not found"
* implement the dnsmasq features check similar to dnsmasq init script
* add get_url() function similar to luci package
* add/modify error and warning messages
* change how mktemp is used for more reliable file creation
* unset non-true boolean package config options on load for easier checks later
* improve handling of nft/nft set options
* fewer calls to resolver() and resolver() optimization to speed up the service
* use softlinks instead of duplicating dnsmasq nftset files into each instance
* prevent duplication of dnsmasq nftset elements
* option to target a specific dest dns port in DNS policies
* bugfix: more reliable interface reloads
* display README links to errors/warnings sections if any errors/warnings discovered

Uci-defaults:
* transition from old options to new ones

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2025-10-10 16:34:52 -07:00
Josef Schlehofer
02f78bc30a snort3: enable/disable options based on package availability
This simplifies the checks for enabling/disabling features: check if packages are present
instead of having checks for specific architectures.

TCMALLOC_LIBRARIES is removed as it's auto-detected, unlike vectorscan
which requires explicit HS_INCLUDE_DIRS.

Fixes: 126364e105 ("snort3: refactor architecture-specific dependencies and CMake options")

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-10-10 08:17:38 +02:00
Stan Grishin
ad2477e102 https-dns-proxy: update to 2025.10.07-r1
Makefile:
* update to latest upstream: 7b27ecd559
* update version, release
* drop CONFIGURE_ARGS as the build is curl-independent
* update the link to the documentation

README:
* add small README with the link to documentation

Config:
* rename procd_fw_src_interfaces to force_dns_src_interface to better reflect meaning
* add heartbeat_domain, heartbeat_sleep_timeout, heartbeat_wait_timeout options
* add default user, group and listen_addr options to the main config
* drop the user, group and listen_addr options from the instance configs

Init-script:
* start much earlier so that on boot, the procd_add_raw_trigger works on all systems
* create a ubus() helper function so that service delete does not produce "Command not found"
* new options handling where the global config options can be used for instance options
* some renaming of global/instance variables due to the above-mentioned redesign
* new open port detection, no longer relying on netstat
* new uci_changes() logic where it returns 0 or 1 instead of text
* new append_parm logic for not adding default value options to CLI
* new boolean options handling logic
* move config loading to load_package_config() function
* new logic for calling procd_set_config_changed firewall based solely on "$force_dns"
* source network.sh based on "${IPKG_INSTROOT}" path
* rename procd_fw_src_interfaces to force_dns_src_interface to better reflect meaning
* rename use_http1 to force_http1
* rename use_ipv6_resolvers_only to force_ipv6_resolvers

Uci-defaults:
* migrate to new option names

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2025-10-09 11:26:35 -07:00
Antonio Pastor
0d939af403 netatalk: fix config/uci files handling in all variants
Config/uci files were not being included in -full variant.
Config files were also being lost in firmware upgrades for all variants.
Both issues fixed, including correct file permissions for config files.

Signed-off-by: Antonio Pastor <antonio.pastor@gmail.com>
2025-10-09 08:14:47 +02:00
Stan Grishin
3b9bbcf40a adblock-fast: update to 1.2.0-r20
Config file:
* add debug_init_script and debug_performance options
* remove led (default should be empty) option
* remove procd_boot_delay (obsolete) option

Init Script:
* reinstate IPKG_INSTROOT check
* change capitalization in status messages
* unset default value for led option on load_package_config
* bugfix: unset bool options which are later checked for non-empty
* bugfix: create compressed cache only if block-file exists
* adjust errors output/storing errors for later display in multiple cases
* produce information about cache/compressed cache files in service
  status output when service is stopped
* attempt to create compressed cache in service_started only if block-
  file exists
* bugfix: run service_started from the dl command (to create compressed
  cache file)
* rename StripToDomains variables for readability
* improve open port detection

Uci-Defaults:
* improve readability of debug options migration

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2025-10-08 12:09:55 -07:00
Aditya Bhargava
a1537c4d22 acme: version bump
* Bump acme-common to 1.5.0
  * New `abort` command added and logging behaviour improved
* Bump acme-acmesh to 3.1.1-r4
  * Fix logging and support killing from procd (`stop` and `abort`) via SIGTERM

Signed-off-by: Aditya Bhargava <rightaditya@gmail.com>
2025-10-08 20:27:32 +02:00
Aditya Bhargava
fbf38647fd acme.sh: add abort service command and improve interactive messages
For runs started interactively, improve messaging and allow a run to be
aborted with `service acme abort`.

Signed-off-by: Aditya Bhargava <rightaditya@gmail.com>
2025-10-08 20:27:32 +02:00
Aditya Bhargava
76b676e4eb acme.sh: move to procd to ensure logging gets to syslog
acme.sh error output never made it to the syslog, so:
* Add procd setup to catch stderr
* Make sure a message goes to syslog if acme.sh dies due to SIGINT

Signed-off-by: Aditya Bhargava <rightaditya@gmail.com>
2025-10-08 20:27:32 +02:00
John Audia
e4bdefe1c2 snort3: depend on libtirpc only for musl builds
The libtirpc package is only needed when building with musl, as glibc
includes the required RPC functionality. This change makes libtirpc a
conditional dependency and adjusts the build flags accordingly.

Building with x86_64-glibc:
...
Feature options:
    DAQ Modules:    Dynamic
    libatomic:      User-specified
    Hyperscan:      ON
    ICONV:          ON
    Libunwind:      OFF
    LZMA:           ON
    RPC DB:         Built-in
    SafeC:          OFF
    TCMalloc:       ON
    JEMalloc:       OFF
    UUID:           ON
    NUMA:           OFF
    LibML:          OFF
...

Building with aarch64_cortex-a76_musl:
...
Feature options:
    DAQ Modules:    Dynamic
    libatomic:      User-specified
    Hyperscan:      ON
    ICONV:          ON
    Libunwind:      OFF
    LZMA:           ON
    RPC DB:         TIRPC
    SafeC:          OFF
    TCMalloc:       ON
    JEMalloc:       OFF
    UUID:           ON
    NUMA:           OFF
    LibML:          OFF
...

Build system: x86/64
Build-tested: x86/64-glibc, bcm27flogic/xiaomi_redmi-router-ax6000-ubootmod (for musl)
Run-tested: x86/64-glibc

Signed-off-by: John Audia <therealgraysky@proton.me>
2025-10-08 07:47:24 +02:00
Hannu Nyman
983d7181cc nlbwmon: adjust for cmake 4.x compatibility
New cmake versions require at least 3.5 as 'cmake_minimum_required'
in CMakeLists.txt. In future 3.10 will be required.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2025-10-07 18:51:49 +03:00
David Andreoletti
104aabdd5b ddns-scripts: fixed ovh dns record update
OVH changed its API to update DNS records. It now requires an HTTP Basic
Authorization header. As such the default ddns-script method to update
the DNS record is failing. The fix is to move DNS record updates into
its own script/package.

Signed-off-by: David Andreoletti <david@andreoletti.net>
2025-10-07 16:32:37 +02:00
Christian Lachner
a1e500827c haproxy: update to v3.2.6
- Fixes CVE-2025-11230
- Updated haproxy PKG_VERSION and PKG_HASH
- See changes: http://git.haproxy.org/?p=haproxy-3.2.git;a=shortlog

Signed-off-by: Christian Lachner <gladiac@gmail.com>
2025-10-07 15:39:02 +03:00
Etienne Champetier
57596d9832 phantap: bump minimum cmake version to 3.10
Starting cmake 4.0, anything under 3.5 produces an error, see
https://cmake.org/cmake/help/latest/command/cmake_minimum_required.html#policy-version

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2025-10-06 17:06:23 -04:00
Dominic Greenberg
00310cf88b ddns-scripts-cloudflare: document API Token auth in comments
adjust comments documenting the already supported API Token auth
adjust comments with URLs that changed in the meantime
adjust comment regarding CF API documentation URL, points to the scripts relevant DNS section

Signed-off-by: Dominic Greenberg <daroel@riseup.net>
2025-10-06 08:08:38 +02:00
Hauke Mehrtens
209070b5ce cgi-io: update to Git HEAD (2025-10-04)
d4b9fb115c3d build: require CMake >= 3.10 due to dropped legacy support

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2025-10-05 18:55:03 +03:00
Hauke Mehrtens
2e1269024a usteer: update to Git HEAD (2025-10-04)
e218150979b4 remote: close file on usteer_init_local_id fread fail
1d6524c6e6b5 build: require CMake >= 3.10 due to dropped legacy support

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2025-10-05 18:54:51 +03:00
Andrea Pesaresi
47f1bfa717 ksmbd-tools: bump to 3.5.4
The major changes are:
 - Add max ip connections parameter (ready for future upstream fix); at the moment it is reverted by: 18bdeda011
 - unlock follow symlinks parameter to support symlink.
 - send bind_interfaces_only parameter to ksmbd.

Signed-off-by: Andrea Pesaresi <andreapesaresi82@gmail.com>
2025-10-05 18:54:35 +03:00
Josef Schlehofer
126364e105 snort3: refactor architecture-specific dependencies and CMake options
1. Enabled hyperscan/vectorscan together with adding dependency only for x86_64 and aarch64.
2. Disabled tcmalloc (from gperftools package) for powerpc and mips.

By doing this refactor, snort3 is going to be available for more OpenWrt devices
(as it was in the past) as currently it was compiled only for x86_64 and aarch64 by mistake.

Fixes: 257e2fc38a ("snort3: fix logic in gpertools-runtime depends")

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-10-05 12:08:59 +02:00
Paul Donald
4c35b89332 clamav: all; init; add only non-empty parameters
Gate all parameters behind -n, a not-empty check. Prevents failed starts
where daemons expect a value for a parameter.

Closes #27430
Tested-on: 24.10.3
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
2025-10-02 19:52:52 -03:00
Ben Kibbey
10ac81b9aa openvpn: add peer-fingerprint support
This lets the --peer-fingerprint openvpn option be parsed which requires
a client TLS certificate fingerprint (colon separated SHA256 hash) to
match one specified in the option argument, during authentication.

Signed-off-by: Ben Kibbey <bjk@luxsci.net>
2025-10-02 18:24:09 -03:00
Josef Schlehofer
9bfc5a2a74 tor: update to version 0.4.8.18
Release notes:
https://gitlab.torproject.org/tpo/core/tor/-/blob/tor-0.4.8.18/ChangeLog

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-10-02 17:49:15 +03:00
Nikita Solianik
5eaf0e6c05 uwsgi: update to version 2.0.30
It fixes GCC15 build errors.

Release notes:
https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.27.html
https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.28.html
https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.29.html
https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.30.html

Signed-off-by: Nikita Solianik <gxcreator@gmail.com>
2025-10-02 15:22:20 +02:00
Vladimir Kochnev
6a13be2220 acme-acme.sh: support listen_port option
acme.sh supports --httpport and --tlsport options to be used
together with --standalone and --alpn modes respectively.

This is useful if we're behind a reverse proxy or something like that,
or if we cannot bind to the standard 80 or 443 port for some other
reason.

This change makes listen_port from the configuration be passed as
either --httpport or --tlsport.

Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
2025-10-02 13:14:11 +02:00
Vladimir Kochnev
893576cecd acme-acme.sh: declare staging_moved variable
It's possible that the staging_moved variable is undeclared while being
accessed. Let's explicitly declare it.

Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
2025-10-02 13:14:11 +02:00
Vladimir Kochnev
9f4e7726ec acme-common: support listen_port option
The listen_port option allows redefining the default 80/443 port
used in standalone/alpn challenges.

It's also useful for other types of challenges which require
accepting a connection on some TCP port so we need to expose
it via nft as well.

Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
2025-10-02 13:14:11 +02:00
George Sapkin
acb95630da adguardhome: bump to 0.107.67
Changelog: https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.67
Signed-off-by: George Sapkin <george@sapk.in>
2025-10-02 14:12:06 +03:00
Wesley Gimenes
48b26e4463 netbird: update to 0.58.2
changelog: https://github.com/netbirdio/netbird/releases/tag/v0.58.2

Signed-off-by: Wesley Gimenes <wehagy@proton.me>
2025-10-01 18:07:57 +03:00
Josef Schlehofer
28adfd3d1e apache: update to version 2.4.65
Fixes CVEs:
- CVE-2025-54090
- CVE-2025-53020
- CVE-2025-49812
- CVE-2025-49630
- CVE-2025-23048
- CVE-2024-47252
- CVE-2024-43394
- CVE-2024-43204
- CVE-2024-42516

More details can be found in
https://downloads.apache.org/httpd/CHANGES_2.4

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-10-01 15:20:34 +02:00
Sandro Jäckel
266a8ca493 tailscale: update to 1.88.3
Changelog: https://tailscale.com/changelog#2025-09-25

Signed-off-by: Sandro Jäckel <sandro.jaeckel@gmail.com>
2025-10-01 04:09:06 +03:00
Josef Schlehofer
c4a23ca996 umurmur: update to version 0.3.1
Makefile changes
----------------

1. The location of uMurmur binary was changed to /sbin
in release 0.3.1. See release notes [1]

2. I need to specify location of the library file instead of
the directory.

Fixes:
CMake Warning at src/CMakeLists.txt:44 (target_link_libraries):
  Target "umurmurd" requests linking to directory
  "/build/staging_dir/target-powerpc_8548_musl/usr/lib".
  Targets may link only to libraries.  CMake is dropping the item.

CMake Warning at src/CMakeLists.txt:44 (target_link_libraries):
  Target "umurmurd" requests linking to directory
  "/build/staging_dir/target-powerpc_8548_musl/usr/lib".
  Targets may link only to libraries.  CMake is dropping the item.

Because of these two warnings, the build fails with
undefined references to
protobuf-c symbols (e.g. protobuf_c_message_get_packed_size).

Patches
-------

Removed all of them, because they are included in
the upstream source code.

[1] https://github.com/umurmur/umurmur/releases/tag/v0.3.1

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2025-09-30 17:51:38 +02:00
Daniel Golle
d6a3943cc4 nfs-kernel-server: fix recursive Kconfig dependencies
Move CONFLICTS definition to the respective v4 packages to avoid
creating a recursive dependency.

Fixes: ee3b06e42 ("nfs-kernel-server: provide a NFSv3 and NFSv4 daemon")
Fixes: #27555
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2025-09-29 21:06:56 +01:00
Tianling Shen
768d1f40ac v2ray-core: Update to 5.39.0
Release note: https://github.com/v2fly/v2ray-core/releases/tag/v5.39.0

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2025-09-29 20:17:35 +08:00
Tianling Shen
894ae1dd03 cloudflared: Update to 2025.9.1
Release note: https://github.com/cloudflare/cloudflared/releases/tag/2025.9.1

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2025-09-29 19:56:28 +08:00
Tianling Shen
aeb47bc70f rclone: Update to 1.71.1
Release note: https://github.com/rclone/rclone/releases/tag/v1.71.1

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2025-09-29 19:55:58 +08:00
Mathew McBride
2a317ac466 openvswitch: add missing dependency
This resolves this failure observed when building on a 6.12 kernel:

Package kmod-openvswitch is missing dependencies for the following libraries:
psample.ko

The psample module is provided by kmod-sched-act-sample.

Closes: https://github.com/openwrt/packages/issues/26571

Signed-off-by: Mathew McBride <matt@traverse.com.au>
2025-09-29 05:50:54 -03:00
Eric Luehrsen
7b63002273 unbound: update to 1.24.0
latest upstream 09182024

Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
2025-09-29 05:43:10 -03:00
Wesley Gimenes
7c88f998e5 openvpn: bump PKG_RELEASE
Although recent updates were made, the `PKG_RELEASE` bump was missed.

Signed-off-by: Wesley Gimenes <wehagy@proton.me>
2025-09-29 04:44:04 -03:00
Stan Grishin
17ca12ae5a adblock-fast: update to 1.2.0
Makefile:
* update version/release
Init Script:
* boot up reliability improvements:
  - change START from 50 to 20 to ensure procd_add_raw_trigger works on boot
  - better logic of checking/using the cache/compressed cache on boot
* new dnsmasq handling/integration logic:
  - new logic for checking dnsmasq functionality (similar to dnsmasq init script)
  - instead of copying/duplicating adblock-fast files per specified dnsmasq instance, create one file
    and add softlinks to it for specified dnsmasq instances and make sure it's in the instance's addnmounts
  - update dnsmasqConfFile, dnsmasqIpsetFile and dnsmasqNftsetFile to point to the same filename as the
    logic for integrating with dnsmasq is the same for those options
  - get the confdir for specified dnsmasq instances via ubus info/config file since the config_get is broken
    between releases by https://github.com/openwrt/openwrt/pull/14975
  - update clean-up procedures for other dns backend settings to properly clean up when switching away from
    dnsmasq.conf, dnsmasq.ipset, dnsmasq.nftset where the new logic is used
  - remove obsolete outputDnsmasqFileList variable and logic of building and using it
  - only create compressed cache in service_started after successful resolver restart with the block-file
* new package config / environment loading logic
  - switch away from using `load_validate_config` to start functions to loading package config "manually"
  - unset boolean variables which are non-true on package config load
  - switch checking values of such variables from `-eq 0` to empty/non-empty
* debugging improvements:
  - rename debug option to debug_init_script and proc_debug to debug_performance
  - output performance debug info to log only when debug_performance is set
* miscellaneous changes:
  - move best dl tool detection into its own function for reuse in adb_config_update
  - change uci_changes function to return 0/1 instead of the text of changes
  - improve mktemp calls reliability by creating the file and not using `-u` anymore
  - add remove_cache/remove_gzip calls to adb_file function
  - better readability of the start_service logic determining the action
  - change flock value from 207 to 209 to avoid collisions with pbr
  - temporarily switch namespaces when using jshn functions to avoid collisions with PROCD
  - move from using spaces to tabs in indentation in code
  - prevent Command Not Found message on uninstall
  - remove unneeded IPKG_INSTROOT check in the init script
  - update all sourcing instructions to include IPKG_INSTROOT in the path
Uci-defaults script:
* transition old debug and proc_debug options to debug_init_script/debug_performance

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2025-09-28 11:37:23 -07:00
Andrey Zotikov
2a202b2091 fail2ban: bump to 1.1.0
fail2ban changes:
- nftables support (iptables dependency removed)
- python3 support (old package patches removed)
- Upstream patches backports:
  - filter.d/dropbear.conf: failregex extended to match different format of "Exit before auth" message
  - cherry-pick from debian: debian default banactions are nftables, systemd backend for sshd
- Removed unresponsive/unreachable maintainer.

Fixes: https://github.com/openwrt/packages/issues/23015 ("fail2ban: very old version")

Signed-off-by: Andrey Zotikov <andrey.zotikov@gmail.com>
2025-09-28 14:29:07 -03:00
David Yang
bd3d6e8cc5 i2pd: update to 2.58.0
* Updating package to 2.58.0
* Update patch for i2pd.conf

Signed-off-by: David Yang <mmyangfl@gmail.com>
2025-09-27 15:18:15 -03:00
John Audia
ee3b06e42c nfs-kernel-server: provide a NFSv3 and NFSv4 daemon
Summary:

The current build does not produce an NFSV4 capable package. This commit
fixes that by providing a v3 and v4 variant to empower users to have either.

Approx. size differences between v3 and v4:

The v4 variant is approximately 16 MiB larger than the v3 variant
due to additional dependencies, kernel modules, etc.[1]

Detailed changes:

1. Split into a v3 and v4 version series of packages. In doing
   this, the build-time V4 options are removed which is a major "win"
   from a user's perspective because it means that for both release and
   for snapshot builds, both options will be available to users of the
   binary hosted packages.

2. Since V3 and V4 require different init processes, we should simplify
   daemon management by providing a single init script unique to each
   variant.

3. Added CPE_ID and PKG_LICENSE and also added myself as the Makefile
   MAINTAINER.

Discussion about the v4 initd script:

It should be noted that mimicking the systemd implementation in an init.d
script with procd was not straight forward. There are some quirks
associated with the interplay of the five executables (listed below)
with procd, but despite them, the init script works reliably based
on my somewhat extensive testing.

My observations and justification for the script as-is:
1a. procd_set_param command /usr/sbin/nfsdcld cannot be started with an
    appended -F as doing so will somehow cause the executable to never
    connect to the communication pipe: /var/lib/nfs/rpc_pipefs/nfsd/cld.

    In fact, if you run `watch -n 1 tree /var/lib/nfs/rpc_pipefs` while
    calling the init.d script to start, this pipe will quickly disappear
    resulting in nfsdcld being unable to find it and thus fail to track
    clients. On the other hand, starting it as I have in the init.d
    script works as expected.

1b. Starting /usr/sbin/nfsdcld even with the -F arg outside of procd
    also results in the communication pipe quickly disappearing.

2.  Even though rpc.nfsd is a user space util, and even though it runs
    and then exits, it must be started by procd with the procd_set_param
    or else, the communication pipe: /var/lib/nfs/rpc_pipefs/nfsd/cld
    will again quickly disappear breaking client tracking.

3.  The addition of the umountem function keeps syslog output cleaner as
    a shutdown of rpc.idmapd will cause the following to be logged:

    daemon.warn rpc.idmapd[xxxxx]: dirscancb: scandir(/var/lib/nfs/rpc_pipefs//nfs): No such file or directory

    Adding a 1 sec delay allows procd to kill it before we umount the
    nfs related mounts to prevent that warning.

4.  I can find no way to suppress rpc.idmapd and nfsv4.exportd reporting
    that they received a SIGTERM (signal 15). The syslog will contain
    two lines on exit, e.g.:
    daemon.warn rpc.idmapd[1894]: exiting on signal 15
    daemon.notice nfsv4.exportd[1893]: Caught signal 15, exiting.

The result of points 1 and 2 means that if a user queries the status of
the daemon when running (i.e. /etc/init.d/nfsv4d status), it will show:
running (2/4) despite the kernel serving up NFSV4 mounts 100% correctly.

I am unaware of a more perfect approximation of the systemd units.

List of the five needed calls:
* /usr/sbin/nfsv4.exportd (run once then quit)
* /usr/sbin/rpc.idmapd (needs to continue running)
* /usr/sbin/nfsdcld (needs to continue running)
* /usr/sbin/exportfs -r (run once then quit)
* /usr/sbin/rpc.nfsd -N 3 (run once then quit)

1. As assessed by comparing the uncompressed img files from a build of a
   minimal image for x86/64 with the v3 variant vs with the v4.

Both variants have been tested and work.

v3:
On a network node, the NFSV3 export is fully functional:

% mount -t nfs -o vers=3 10.9.8.1:/mnt/data/nfs/misc ok
% mount | grep ok
10.9.8.1:/mnt/data/nfs/misc on /home/facade/ok type nfs (rw,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.9.8.1,mountvers=3,mountport=32780,mountproto=udp,local_lock=none,addr=10.9.8.1)

v4:
On a network node, the NFSV4 export is fully functional:

% mount 10.9.8.1:/misc ok
% mount | grep ok
10.9.8.1:/mnt/data/nfs/misc on /home/facade/ok type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.9.8.102,local_lock=none,addr=10.9.8.1)

Finally, added 240-fix-cleanup_lockfiles-function-linkage-in-exportd.patch[1]

1. https://marc.info/?l=linux-nfs&m=175604879721922&w=2

From commit msg therein:
The cleanup_lockfiles function in utils/exportd/exportd.c was declared
as 'inline void' without a proper function prototype, causing linker
errors during the build process:

  exportd.c:(.text+0x5a): undefined reference to `cleanup_lockfiles'
  exportd.c:(.text.startup+0x317): undefined reference to `cleanup_lockfiles'

This occurred because:
1. The inline keyword prevented the compiler from generating a callable
   function symbol in some build configurations
2. The function lacked a proper prototype declaration, triggering
   -Werror=missing-prototypes

The fix changes the function to:
- Remove the 'inline' keyword to ensure symbol generation
- Add a proper static function prototype
- Make the function 'static' since it's only used within exportd.c

This resolves both the linking error and the missing prototype warning,
allowing exportd to build successfully in OpenWrt's cross-compilation
environment.

Co-authored-by: Maxim Storchak <m.storchak@gmail.com>
Co-authored-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: John Audia <therealgraysky@proton.me>
2025-09-27 17:46:14 +01:00
Tianling Shen
182db0ac04 microsocks: run as unprivileged user
Run the daemon as unprivileged user for better security.

Trim whitespaces while at it.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2025-09-27 20:38:08 +08:00