* fixed possible Set search race condition (initiated from LuCI frontend)
* fixed the "no result" Set search problem in LuCI
* removed abandoned feeds: spamhaus edrop (was merged with spamhaus drop)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Bump to latest 2.0.25.1 release
Drop upstream PCRE2 patch and alarm memory leak fix.
Rework and refresh patch due to release bump.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* added a DDoS protection rules in a new pre-routing chain to prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets, flood tresholds are configured via 'ban_icmplimit' (default 10/s), 'ban_synlimit' (default 10/s) and 'ban_udplimit' (default 100/s)
* the new pre-routing rules are tracked via named nft counters and are part of the standard reporting, set 'ban_logprerouting' accordingly
* block countries dynamically by Regional Internet Registry (RIR)/regions, e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE, set 'ban_region' accordingly
* it's now possible to always allow certain protocols/destination ports in wan-input and wan-forward chains, set 'ban_allowflag' accordingly - e.g. ' tcp 80 443-445'
* filter/convert possible windows line endings of external feeds during processing
* the cpu core autodetection is now limited to max. 16 cores in parallel, set 'ban_cores' manually to overrule this limitation
* set the default nft priority to -100 for banIP input/forward chains (pre-routing is set to -150)
* update readme
* a couple of bugfixes & performance improvements
* removed abandoned feeds: darklist, ipblackhole
* added new feeds: becyber, ipsum, pallebone, debl (changed URL)
* requires a LuCI frontend update as well (separate PR/commit)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Remove the unnecessary 'r' from PKG_RELEASE as it is
added automatically by the build system to the final versioning.
(Current version leads into 'geoip-shell_0.5-rr2_all.ipk')
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
* make PKG_RELEASE numeric again
* made a release bump due to a newly added patch (see de4ef9d169 for details)
* remove maintainer (as requested in #23890
Signed-off-by: Dirk Brenken <dev@brenken.org>
Generates git tarballs in the new APK style format:
Note that `SOURCE_DATE` was added and need to be updated
as the commit date of the commit hash
Before:
```
nginx-mod-geoip2-1cabd8a1f68ea3998f94e9f3504431970f848fbf.tar.xz
nginx-mod-headers-more-bea1be3bbf6af28f6aa8cf0c01c07ee1637e2bd0.tar.xz
nginx-mod-brotli-25f86f0bac1101b6512135eac5f93c49c63609e3.tar.xz
nginx-mod-rtmp-f0ea62342a4eca504b311cd5df910d026c3ea4cf.tar.xz
nginx-mod-ts-ef2f874d95cc75747eb625a292524a702aefb0fd.tar.xz
nginx-mod-naxsi-d714f1636ea49a9a9f4f06dba14aee003e970834.tar.xz
nginx-mod-lua-c89469e920713d17d703a5f3736c9335edac22bf.tar.xz
nginx-mod-lua-resty-core-2e2b2adaa61719972fe4275fa4c3585daa0dcd84.tar.xz
nginx-mod-lua-resty-lrucache-52f5d00403c8b7aa8a4d4f3779681976b10a18c1.tar.xz
nginx-mod-dav-ext-f5e30888a256136d9c550bf1ada77d6ea78a48af.tar.xz
nginx-mod-ubus-b2d7260dcb428b2fb65540edb28d7538602b4a26.tar.xz
```
After:
```
nginx-mod-geoip2-2020.01.22~1cabd8a1.tar.zst
nginx-mod-headers-more-2022.07.17~bea1be3b.tar.zst
nginx-mod-brotli-2020.04.23~25f86f0b.tar.zst
nginx-mod-rtmp-2018.12.07~f0ea6234.tar.zst
nginx-mod-ts-2017.12.04~ef2f874d.tar.zst
nginx-mod-naxsi-2022.09.14~d714f163.tar.zst
nginx-mod-lua-2023.08.19~c89469e9.tar.zst
nginx-mod-lua-resty-core-2023.09.09~2e2b2ada.tar.zst
nginx-mod-lua-resty-lrucache-2023.08.06~52f5d004.tar.zst
nginx-mod-dav-ext-2018.12.17~f5e30888.tar.zst
nginx-mod-ubus-2020.09.06~b2d7260d.tar.zst
```
Run tested: aarch64, Dynalink DL-WRX36, Master Branch
Signed-off-by: Sean Khan <datapronix@protonmail.com>
In current setup, dynamic modules are not autoloaded, requiring users
to create and load additional config files.
We should assume that if a user installs additional modules, they want
them 'on' by default.
This commit does the following:
1.) generates a module load config in '/etc/nginx/modules.d' with the
format '${module_name}'.module
(i.e. /etc/nginx/modules.d/ngx_http_geoip2.module)
2.) deletes previous module conf for 'luci'
/etc/nginx/modules.d/luci.module if it exists, this will prevent
'module already loaded' errors.
The following is a portion of the final output when using the
default uci template `/etc/nginx/uci.conf.template` (via nginx-util):
```
nginx -T -c '/etc/nginx/uci.conf'
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
load_module /usr/lib/nginx/modules/ngx_http_dav_ext_module.so;
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
load_module /usr/lib/nginx/modules/ngx_http_naxsi_module.so;
load_module /usr/lib/nginx/modules/ngx_http_ts_module.so;
load_module /usr/lib/nginx/modules/ngx_http_ubus_module.so;
load_module /usr/lib/nginx/modules/ngx_rtmp_module.so;
load_module /usr/lib/nginx/modules/ngx_stream_module.so;
load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
```
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Since the geoip2 package contains both `http` and `stream` versions. It
requires the module `ngx_stream` be installed and loaded and produces
the error:
```
2024/04/12 18:38:18 [emerg] 4402#0: dlopen()
"/usr/lib/nginx/modules/ngx_stream_geoip2_module.so" failed (Error
relocating /usr/lib/nginx/modules/ngx_stream_geoip2_module.so:
ngx_stream_complex_value: symbol not found) in
/etc/nginx/module.d/ngx_stream_geoip2.module:1 nginx: configuration file
/etc/nginx/uci.conf test failed
```
Add dependency so it's built at build time and installed automatically
by `opkg`
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Adds the geoip-shell package to OpenWrt.
geoip-shell is a flexible geoip blocker for Linux with a user-friendly command-line interface.
Signed-off-by: Anton Khazan <antonk.d3v@gmail.com>
* update license to AGPL-3.0-or-later
* rename pbr_get_gateway to pbr_get_gateway4 for better readability
* improve IPv6 "gateway" detection/display on start
* prevent IPv6 interface errors on start
* revert release format
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Version 6.3.4 has some important fixes for the OpenWrt community.
This version properly supports Big-Endian systems (which are many); the previous OpenWrt packaged version crashed on such systems.
Signed-off-by: dracode <github@dragonbyte.org>
1. Update to latest version
2. Remove redundant section in Makefile
Changelog: https://github.com/snort3/snort3/releases/tag/3.1.84.0
,,_ -*> Snort++ <*-
o" )~ Version 3.1.84.0
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.14
Using LuaJIT version 2.1.0-beta3
Using OpenSSL 3.0.13 30 Jan 2024
Using libpcap version 1.10.4 (with TPACKET_V3)
Using PCRE version 8.45 2021-06-15
Using ZLIB version 1.3.1
Using Hyperscan version 5.4.2 2024-04-10
Using LZMA version 5.4.6
Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne
Signed-off-by: John Audia <therealgraysky@proton.me>
* delete obsolete files/etc/init.d/pbr.init
* add files/etc/uci-defaults/91-pbr-iptables to help update from older OpenWrt
* add files/etc/uci-defaults/91-pbr-nft to help update from older OpenWrt
* update files/etc/uci-defaults/91-pbr-netifd to only add tables to supported ifaces
* re-organize variants in the Makefile so that they hopefull work this time
* update prerm for all variants for better user experience
* update the -netifd prerm to remove leftofver entries from network and rt_tables file
In the init script:
* add decorations for netifd-interfaces related operations (blue ticks)
* add rtTablesFile variables instead of hard-coding the rt_tables file
* add function to check if the table is netifd-derived
* add error messages/hints for failed interface setup and failed WAN discovery
* make cleanup_rt_tables the netifd-compatible
* streamline interface_process function with a clearer case statement
* rename the interface_process `pre-init` option to `pre_init` to conform to the other
functions options naming style
Signed-off-by: Stan Grishin <stangri@melmac.ca>
This can be useful for things like making the interface on the peer side
fixed with value like `ifname xx`
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
