* hardened the uci config parsing
* added a fast, flexible & secure IPv4/IPv6 validator function, it eliminates > 99 % of garbage inputs
Please note: The ‘rule’ in the feed file now only contains parameters for the IP validator;
details can be found in the readme file. Old custom feed files are not compatible and will be
backed up/removed via the uci-defaults script
* added BCP38 support: to block packets with spoofed source IP addresses in all supported chains
* optimized the log monitor plus performance improvements
* removed the pallebone feed (discontinued)
* added the ipexdbl feed
* various small improvements
* LuCI: add the BCP38 option under Table/Chain Settings
* LuCI: updating the custom feed editor
* LuCI: small usability improvements
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 396c65e670)
This package is not compiled due to this build log failure:
```
adding 'radicale-2.1.12.dist-info/RECORD'
removing build/bdist.linux-aarch64/wheel
Successfully built radicale-2.1.12-py3-none-any.whl
Traceback (most recent call last):
File "<frozen runpy>", line 198, in _run_module_as_main
File "<frozen runpy>", line 88, in _run_code
File "/builder/shared-workdir/build/sdk/staging_dir/hostpkg/lib/python3.13/site-packages/installer/__main__.py", line 98, in <module>
_main(sys.argv[1:], "python -m installer")
~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/builder/shared-workdir/build/sdk/staging_dir/hostpkg/lib/python3.13/site-packages/installer/__main__.py", line 86, in _main
with WheelFile.open(args.wheel) as source:
~~~~~~~~~~~~~~^^^^^^^^^^^^
File "/builder/shared-workdir/build/sdk/staging_dir/target-aarch64_cortex-a53_musl/usr/lib/python3.13/contextlib.py", line 141, in __enter__
return next(self.gen)
File "/builder/shared-workdir/build/sdk/staging_dir/hostpkg/lib/python3.13/site-packages/installer/sources.py", line 162, in open
with zipfile.ZipFile(path) as f:
~~~~~~~~~~~~~~~^^^^^^
File "/builder/shared-workdir/build/sdk/staging_dir/target-aarch64_cortex-a53_musl/usr/lib/python3.13/zipfile/__init__.py", line 1367, in __init__
self.fp = io.open(file, filemode)
~~~~~~~^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/builder/shared-workdir/build/sdk/build_dir/target-aarch64_cortex-a53_musl/pypi/Radicale-2.1.12//openwrt-build/Radicale-2.1.12-*.whl'
```
This occurred due to PEP 625, which requires wheel filenames in lowercase.
The local build produces lowercase-compliant names (radicale-2.1.12-*.whl),
but the script searches for uppercase (Radicale-2.1.12-*.whl).
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 2f1a3a1f29)
Pika is a pure-Python implementation of the AMQP 0-9-1 protocol that
tries to stay fairly independent of the underlying network support
library.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit d8437af213)
Radicale is a small but powerful CalDAV (calendars, to-do lists) and
CardDAV (contacts) server.
This package provides the latest 3.x series, which succeeds radicale2.
This is a replacement for the recently dropped radicale2 and radicale1.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 16b5a43e39)
Makefile:
* remove traces of variants and simplify
* more sensible DEPENDS section (thanks @BKPepe)
Init-script:
* introduce prefixlength option to speed up tables operations (thanks @egc112)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 1b81a99d3d)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* bump binary to 2025.12.29 with support for -S
* update README and delete README in files/
* bugfix: properly load global option for `force_ipv6_resolvers`
* add global and per-instance `source_addr` option
Thanks to @karl82 for adding source_addr support upstream.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit c7eb47657e)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
To check if the update was successful.
Not all DDNS implementations have such huge latencies updating their services.
nsupdate for example, updates immediately and the update is immediately checkable.
Add new check_interval_min value to be able to set a check interval lower than the
previously hard-coded 5 minutes.
Fixes: #20564
Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
(cherry picked from commit 63308ab213)
Makefile:
* nicer DEPENDS
Init Script:
* ensure resolver config is reverted and resolver is restarted on
service fail
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 1e7cc76e91)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Sort EXTRA_DEPENDS after DEPENDS and remove whitespace in the version requirement.
Fixes missing version during building:
```
uspot fused dependencies: ucode (>=, libc,..
uspotfilter fused dependencies: ucode (>=, libc,...
```
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit e9125d9376)
Refactor package variants definition to be cleaner and more robust.
E.g.:
- Remove redundant PROVIDES:=jq from the main 'jq' package (it provides
itself automatically).
- Keep PROVIDES:=jq only on the 'jq-full' variant so it can serve as a
drop-in replacement.
- Use $(CP) macro rather than $(INSTALL_BIN) to preserve symlinks on shared objects
INSTALL_BIN turns all of the symlinks to files, increasing size.
Fixes: 711a19c4b2 ("jq: provide regex support in additional package jq-full")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 142331bdb8)
Obsolete use of $(SDK) in configure conditionals can result in
dependency errors when building a subset of packages for packages which
have multiple sub-packages.
The reason it causes dependency issues is that (using libdbi-drivers as
an example) lines like:
```
ifneq ($(SDK)$(CONFIG_PACKAGE_libdbd-sqlite3),)
```
always evaluate to true if you are compiling in the SDK. So for a user
compiling from the SDK, the configure arguments are always added to the package build.
In the case of libdbi-drivers:
```
CONFIGURE_ARGS += \
	--with-sqlite3 \
	--with-sqlite3-incdir=$(STAGING_DIR)/usr/include \
	-with-sqlite3-libdir=$(STAGING_DIR)/usr/lib
```
is always added even if PACKAGE_libdbd-sqlite3 is deselected. When
libdbd-sqlite3 is deselected, this dependency:
```
DEPENDS:=libdbi +libsqlite3
```
is not present, so when configure tries to find sqlite3 it fails.
Closes #28173 "tree-wide: obsolete $(SDK) in conditionals"
See also:
* "include: remove SDK exception from package install targets"
openwrt/openwrt@28f44a4
Performed tree-wide to ease revert if necessary, per:
https://github.com/openwrt/packages/issues/28173#issuecomment-3694615980
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 73d8b6c6f3)
The quoting added in r18 for pinghosts is not needed. Multi-host support
remains fully functional, but the extra quotes caused inconsistent argument
handling between /etc/init.d/watchcat and /usr/bin/watchcat.sh,
especially for single-IP configurations.
This revert removes the unnecessary quoting in the init script and LuCI,
restoring consistent behavior while keeping multiple ping hosts supported.
Fixes: #28100 (watchcat: error if only one address is specified in pinghosts)
Signed-off-by: Ivan Diaz <diaz.it@icloud.com>
(cherry picked from commit 407617b786)
Although the watchcat_ping function also checked the iface variable, that
variable was never populated. As a result we could not check if there was
connectivity via a specific interface.
Signed-off-by: Vasileios Anagnostopoulos <anagnwstopoulos@hotmail.com>
(cherry picked from commit 3f52746c79)
$(INSTALL_BIN) follows symlinks, causing the .so to be copied multiple times.
Use $(CP) instead to preserve symlinks and cut package size by ~2/3.
OpenWrt libraries don’t need to be executable, so $(INSTALL_BIN) isn’t required.
Signed-off-by: Jordan Ngako <jordanfalken@gmx.de>
(cherry picked from commit 1c1af85fc5)
commit ea66e463cf added a new config
option LIBCURL_HTTP_AUTH to enable or disable HTTP_AUTH support in
cURL. It defaulted the option to n (disabled).
However, prior to this change HTTP_AUTH was enabled for cURL, as the
configure script defaults to HTTP_AUTH enabled when it is not
explicitly disabled.
This impacts any consumer of cURL that uses HTTP_AUTH, including
authentication by username and password in the URL. (Confirmed via
run testing).
So we set the default for the option to y (enabled).
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 57e6f89c02)
- Update daemon to 2.3.9 to fix removal of nftables rules in
`upnp_forward` and return the correct internal port; also resulted in
the excessive opening of new ports. Accept interface names starting
with digits
- Build from GitHub releases to get a reliable HTTPS server, as the
HTTP-only/HTTPS mirrors were only available ~85%/77% over 3 months
https://redirect.github.com/miniupnp/miniupnp/issues/770
https://stats.uptimerobot.com/DwGDxUB914
- Build daemon with `--disable-pppconn` to remove the old/IGDv1-only
extra WANPPPConnection SSDP announcements workaround not included in
other implementations since >15y
- Build daemon with `--vendorcfg` to allow customisation of the
router/friendly name (+5 potential options) displayed in Windows
Explorer, 384 bytes extra required on ARMv7 (binary)
- Remove old (iptables variant only) patches, as no longer needed
- Remove `clean_ruleset_interval/threshold` UCI config options as not
standard/working since OpenWrt 22.03, as nftables not supported
Fixes: https://github.com/openwrt/openwrt/issues/18011
Fixes: https://github.com/openwrt/luci/issues/7759
Fixes: https://github.com/openwrt/packages/issues/26352
Signed-off-by: Self-Hosting-Group <selfhostinggroup-git+openwrt@shost.ing>
[update fixes tag]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 70ce349f1c)
For zabbix-server-frontend, the absence of php8-mod-filter results in
many of the frontend's pages failing to render. Therefore add this
module as a frontend dependency.
Without php8-mod-openssl the frontend fails with:
```
[13-Dec-2025 18:47:25 UTC] PHP Fatal error: Uncaught Error: Call to
undefined function openssl_random_pseudo_bytes() in
/www/zabbix/include/classes/helpers/CEncryptHelper.php:89
Stack trace:
CEncryptHelper::generateKey()
thrown in /www/zabbix/include/classes/helpers/CEncryptHelper.php on
line 89
```
Therefore add php8-mod-openssl as a frontend dependency.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 33b868d540)
Due to the incorrect DEPENDS configuration, the vim-full and vim-fuller
packages won't show up in menuconfig if the vim-runtime package is not
selected. This happens because these packages depend on vim-runtime.
To fix this, add the '+' symbol to the DEPENDS line. This ensures that
when either vim-full or vim-fuller is selected, the vim-runtime package
(which is a dependency) will also be selected automatically.
Fixes: d1351b3 ("vim: fix config and runtime")
Signed-off-by: TeleostNaCl Dai <teleostnacl@gmail.com>
(cherry picked from commit 639fdb4008)
Signed-off-by: George Sapkin <george@sapk.in>
nginx modules must not provide nginx which causes them to not be able
to be installed alongside nginx due to the new apk provide fixes.
Remove PROVIDES from modules.
Remove nginx-ssl from PROVIDES as there is no non-ssl variant, i.e. all
versions provide ssl.
Set nginx-ssl as the default variant.
Remove non-existent config value.
Signed-off-by: George Sapkin <george@sapk.in>
(cherry picked from commit 63a666bd05)
tar depended both on xz and xz-utils which xz already depended on.
Coupled with if PACKAGE_tar check it caused all packages that depended
on tar to have a circular Kconfig dependency. Remove the check and
dependency on xz-utils and leave xz one only.
Move libzstd dependency into DEPENDS.
Fixes: ad82c17 ("tar: fix EXTRA_DEPENDS")
Fixes: https://github.com/openwrt/packages/issues/28141
Signed-off-by: George Sapkin <george@sapk.in>
(cherry picked from commit 3dcc4f1d3f)
EXTRA_DEPENDS should be used for version constraints. Change to DEPENDS.
Fixes: 6a559a9 ("chicken-scheme: version 5.2.0; include compiler")
Signed-off-by: George Sapkin <george@sapk.in>
(cherry picked from commit 970416925c)
EXTRA_DEPENDS should be used for version constraints. Change to DEPENDS.
Fixes: 488be84 ("utils/tar: Make compression, acl, and xattr support configuration options")
Fixes: 7a49296 ("utils/tar: Fix defaulting to selecting dependencies")
Signed-off-by: George Sapkin <george@sapk.in>
(cherry picked from commit ad82c17f71)
When PHP8_DOM is enabled then xmlreader automatically gains a
dependency to php8-mod-dom, not only when the dom module
is actually built.
So fix it by declaring this dependency.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit e6c59b5188)
As with gettext modules described in #28078 and #28075, xml and dom
related module selection affects the dependencies of other packages.
Therefore, we invert the dependency logic:
PHP8_LIBXML and PHP8_DOM are enabled by default and packages
which depend on libxml2 and --enable-dom=shared are not shown (and
the related configure args are disabled) if the config options are
not enabled.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit f9591b8518)
Fixes: php8: global package dependency changes based on module
selection
Fixes: #28078
As described in #28078 and #28075,
some binaries gain a dependency on libstdcpp when mod-gettext is included
in the build, however this was not explicitly declared, so packaging
fails with (e.g.):
```
Package php8-cgi is missing dependencies for the following libraries:
libstdc++.so.6
```
In contrast to #28075, this commit takes the approach:
* Make use of --with-gettext depend on a configure flag (enabled by
default, since that matches current full build behaviour)
* Make sub-packages which require --with-gettext depend on the
configure flag
This means that e.g. php-cgi would not have gettext support if the
configure flag was disabled, and e.g. php-mod-gettext and php-mod-intl
would not be selectable.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 6d6233b6b7)
This package is only used by `fail2ban`. After updating `fail2ban` to
`1.1.0` (2a202b2091), the `2to3` package
is no longer needed. If required, anyone can reintroduce the package.
Signed-off-by: Wesley Gimenes <wehagy@proton.me>
(cherry picked from commit df05c12089)